Sync with trunk head
[reactos.git] / ntoskrnl / se / semgr.c
index fdee097..8ed056b 100644 (file)
@@ -279,6 +279,7 @@ SeDefaultObjectMethod(IN PVOID Object,
     return STATUS_SUCCESS;
 }
 
+ULONG SidInTokenCalls = 0;
 
 static BOOLEAN
 SepSidInToken(PACCESS_TOKEN _Token,
@@ -289,6 +290,9 @@ SepSidInToken(PACCESS_TOKEN _Token,
 
     PAGED_CODE();
 
+    SidInTokenCalls++;
+    if (!(SidInTokenCalls % 10000)) DPRINT1("SidInToken Calls: %d\n", SidInTokenCalls);
+    
     if (Token->UserAndGroupCount == 0)
     {
         return FALSE;
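Review bot: The added `SidInTokenCalls++` is an unsynchronised read-modify-write on a global, in a routine that access checks on different threads can presumably enter at the same time, so the count can lose updates; the `DPRINT1` also prints a ULONG with `%d`. If the counter is meant to stay, declare it `static volatile LONG SidInTokenCalls;` (the declaration added in the previous hunk is a non-static global), bump it with `InterlockedIncrement(&SidInTokenCalls)`, and print it with `%ld`. Because this is profiling instrumentation inside the access-check path, wrapping the declaration and both added statements in `#if DBG` would keep it out of release builds. SepSidInToken's body continues outside the hunk.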
@@ -298,7 +302,7 @@ SepSidInToken(PACCESS_TOKEN _Token,
     {
         if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
         {
-            if (Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED)
+            if ((i == 0)|| (Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED))
             {
                 return TRUE;
             }
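Review bot: The new `(i == 0)` shortcut has no comment saying why entry 0 is special, and it skips every attribute bit on that entry, not only `SE_GROUP_ENABLED`. Entry 0 is presumably the token's user SID; if a restricted token marks that entry `SE_GROUP_USE_FOR_DENY_ONLY`, this path would still report a match to a caller evaluating an allow ACE, so it is worth confirming how callers separate allow from deny matching. A comment above the test such as `/* UserAndGroups[0] is the token user SID; it cannot be disabled, so SE_GROUP_ENABLED is not required */` would record the intent. The loop header and the rest of SepSidInToken lie outside the hunk.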
@@ -470,7 +474,16 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
             SeUnlockSubjectContext(SubjectSecurityContext);
         }
 
-        *GrantedAccess = DesiredAccess;
+        if (DesiredAccess & MAXIMUM_ALLOWED)
+        {
+            *GrantedAccess = GenericMapping->GenericAll;
+            *GrantedAccess |= (DesiredAccess & ~MAXIMUM_ALLOWED);
+        }
+        else
+        {
+            *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
+        }
+        
         *AccessStatus = STATUS_SUCCESS;
         return TRUE;
     }
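Review bot: The MAXIMUM_ALLOWED branch drops `PreviouslyGrantedAccess` while the else branch ORs it in, so a caller that already holds rights loses them from the result only when it asks for the maximum. Folding it into the first branch keeps the two consistent: `*GrantedAccess = GenericMapping->GenericAll | (DesiredAccess & ~MAXIMUM_ALLOWED) | PreviouslyGrantedAccess;`. `GenericMapping` is dereferenced with no NULL check visible in the hunk, so the earlier part of SepAccessCheck should be checked for one. Both branches also copy the caller's requested bits straight into the grant, which would include unmapped generic bits or `ACCESS_SYSTEM_SECURITY` if they are still set at this point. A comment naming the condition that makes this unconditional grant safe would help, since the enclosing `if` starts outside the hunk.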