PISECURITY_DESCRIPTOR SecurityDescriptor,
PULONG BufferLength)
{
- ULONG_PTR Current;
+ ULONG Current;
ULONG SidSize;
ULONG SdSize;
NTSTATUS Status;
return Status;
}
- Current = (ULONG_PTR)(SdRel + 1);
+ Current = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
if (SecurityInformation & OWNER_SECURITY_INFORMATION)
{
- RtlCopyMemory((PVOID)Current,
- SeWorldSid,
- SidSize);
- SdRel->Owner = (ULONG)((ULONG_PTR)Current - (ULONG_PTR)SdRel);
+ RtlCopyMemory((PUCHAR)SdRel + Current, SeWorldSid, SidSize);
+ SdRel->Owner = Current;
Current += SidSize;
}
if (SecurityInformation & GROUP_SECURITY_INFORMATION)
{
- RtlCopyMemory((PVOID)Current,
- SeWorldSid,
- SidSize);
- SdRel->Group = (ULONG)((ULONG_PTR)Current - (ULONG_PTR)SdRel);
+ RtlCopyMemory((PUCHAR)SdRel + Current, SeWorldSid, SidSize);
+ SdRel->Group = Current;
Current += SidSize;
}
if (SecurityInformation & DACL_SECURITY_INFORMATION)
{
- PACL Dacl = (PACL)Current;
+ PACL Dacl = (PACL)((PUCHAR)SdRel + Current);
SdRel->Control |= SE_DACL_PRESENT;
Status = RtlCreateAcl(Dacl,
if (!NT_SUCCESS(Status))
return Status;
- SdRel->Dacl = (ULONG)((ULONG_PTR)Current - (ULONG_PTR)SdRel);
+ SdRel->Dacl = Current;
}
if (SecurityInformation & SACL_SECURITY_INFORMATION)
ProbeForRead(ObjectAttributes->SecurityQualityOfService,
sizeof(SECURITY_QUALITY_OF_SERVICE),
sizeof(ULONG));
-
+
if (((PSECURITY_QUALITY_OF_SERVICE)ObjectAttributes->SecurityQualityOfService)->Length ==
sizeof(SECURITY_QUALITY_OF_SERVICE))
{
/* PUBLIC FUNCTIONS ***********************************************************/
-/*
- * @implemented
- */
+static
+ULONG
+DetermineSIDSize(
+ PISID Sid,
+ PULONG OutSAC,
+ KPROCESSOR_MODE ProcessorMode)
+{
+ ULONG Size;
+
+ if (!Sid)
+ {
+ *OutSAC = 0;
+ return 0;
+ }
+
+ if (ProcessorMode != KernelMode)
+ {
+ /* Securely access the buffers! */
+ *OutSAC = ProbeForReadUchar(&Sid->SubAuthorityCount);
+ Size = RtlLengthRequiredSid(*OutSAC);
+ ProbeForRead(Sid, Size, sizeof(ULONG));
+ }
+ else
+ {
+ *OutSAC = Sid->SubAuthorityCount;
+ Size = RtlLengthRequiredSid(*OutSAC);
+ }
+
+ return Size;
+}
+
+static
+ULONG
+DetermineACLSize(
+ PACL Acl,
+ KPROCESSOR_MODE ProcessorMode)
+{
+ ULONG Size;
+
+ if (!Acl) return 0;
+
+ if (ProcessorMode == KernelMode) return Acl->AclSize;
+
+ /* Probe the buffers! */
+ Size = ProbeForReadUshort(&Acl->AclSize);
+ ProbeForRead(Acl, Size, sizeof(ULONG));
+
+ return Size;
+}
+
NTSTATUS
NTAPI
-SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
- IN KPROCESSOR_MODE CurrentMode,
- IN POOL_TYPE PoolType,
- IN BOOLEAN CaptureIfKernel,
- OUT PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
+SeCaptureSecurityDescriptor(
+ IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
+ IN KPROCESSOR_MODE CurrentMode,
+ IN POOL_TYPE PoolType,
+ IN BOOLEAN CaptureIfKernel,
+ OUT PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
{
- PISECURITY_DESCRIPTOR OriginalSecurityDescriptor = _OriginalSecurityDescriptor;
+ PISECURITY_DESCRIPTOR OriginalDescriptor = _OriginalSecurityDescriptor;
SECURITY_DESCRIPTOR DescriptorCopy;
- PISECURITY_DESCRIPTOR NewDescriptor;
+ PISECURITY_DESCRIPTOR_RELATIVE NewDescriptor;
ULONG OwnerSAC = 0, GroupSAC = 0;
ULONG OwnerSize = 0, GroupSize = 0;
ULONG SaclSize = 0, DaclSize = 0;
ULONG DescriptorSize = 0;
- NTSTATUS Status;
+ ULONG Offset;
- if (OriginalSecurityDescriptor != NULL)
+ if (!OriginalDescriptor)
{
- if (CurrentMode != KernelMode)
- {
- RtlZeroMemory(&DescriptorCopy, sizeof(DescriptorCopy));
+ /* Nothing to do... */
+ *CapturedSecurityDescriptor = NULL;
+ return STATUS_SUCCESS;
+ }
- _SEH2_TRY
- {
- /*
- * First only probe and copy until the control field of the descriptor
- * to determine whether it's a self-relative descriptor
- */
- DescriptorSize = FIELD_OFFSET(SECURITY_DESCRIPTOR,
- Owner);
- ProbeForRead(OriginalSecurityDescriptor,
- DescriptorSize,
- sizeof(ULONG));
+ /* Quick path */
+ if (CurrentMode == KernelMode && !CaptureIfKernel)
+ {
+ /* Check descriptor version */
+ if (OriginalDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
+ {
+ return STATUS_UNKNOWN_REVISION;
+ }
- if (OriginalSecurityDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
- {
- _SEH2_YIELD(return STATUS_UNKNOWN_REVISION);
- }
+ *CapturedSecurityDescriptor = _OriginalSecurityDescriptor;
+ return STATUS_SUCCESS;
+ }
- /* Make a copy on the stack */
- DescriptorCopy.Revision = OriginalSecurityDescriptor->Revision;
- DescriptorCopy.Sbz1 = OriginalSecurityDescriptor->Sbz1;
- DescriptorCopy.Control = OriginalSecurityDescriptor->Control;
- DescriptorSize = ((DescriptorCopy.Control & SE_SELF_RELATIVE) ?
- sizeof(SECURITY_DESCRIPTOR_RELATIVE) : sizeof(SECURITY_DESCRIPTOR));
-
- /*
- * Probe and copy the entire security descriptor structure. The SIDs
- * and ACLs will be probed and copied later though
- */
- ProbeForRead(OriginalSecurityDescriptor,
- DescriptorSize,
- sizeof(ULONG));
- if (DescriptorCopy.Control & SE_SELF_RELATIVE)
- {
- PISECURITY_DESCRIPTOR_RELATIVE RelSD = (PISECURITY_DESCRIPTOR_RELATIVE)OriginalSecurityDescriptor;
+ _SEH2_TRY
+ {
+ if (CurrentMode != KernelMode)
+ {
+ ProbeForRead(OriginalDescriptor,
+ sizeof(SECURITY_DESCRIPTOR_RELATIVE),
+ sizeof(ULONG));
+ }
- DescriptorCopy.Owner = (PSID)RelSD->Owner;
- DescriptorCopy.Group = (PSID)RelSD->Group;
- DescriptorCopy.Sacl = (PACL)RelSD->Sacl;
- DescriptorCopy.Dacl = (PACL)RelSD->Dacl;
- }
- else
- {
- DescriptorCopy.Owner = OriginalSecurityDescriptor->Owner;
- DescriptorCopy.Group = OriginalSecurityDescriptor->Group;
- DescriptorCopy.Sacl = OriginalSecurityDescriptor->Sacl;
- DescriptorCopy.Dacl = OriginalSecurityDescriptor->Dacl;
- }
- }
- _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
- {
- /* Return the exception code */
- _SEH2_YIELD(return _SEH2_GetExceptionCode());
- }
- _SEH2_END;
+ /* Check the descriptor version */
+ if (OriginalDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
+ {
+ _SEH2_YIELD(return STATUS_UNKNOWN_REVISION);
}
- else if (!CaptureIfKernel)
+
+ if (CurrentMode != KernelMode)
{
- if (OriginalSecurityDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
- {
- return STATUS_UNKNOWN_REVISION;
- }
+ /* Get the size of the descriptor */
+ DescriptorSize = (OriginalDescriptor->Control & SE_SELF_RELATIVE) ?
+ sizeof(SECURITY_DESCRIPTOR_RELATIVE) : sizeof(SECURITY_DESCRIPTOR);
- *CapturedSecurityDescriptor = OriginalSecurityDescriptor;
- return STATUS_SUCCESS;
+ /* Probe the entire security descriptor structure. The SIDs
+ * and ACLs will be probed and copied later though */
+ ProbeForRead(OriginalDescriptor, DescriptorSize, sizeof(ULONG));
}
- else
- {
- if (OriginalSecurityDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
- {
- return STATUS_UNKNOWN_REVISION;
- }
- /* Make a copy on the stack */
- DescriptorCopy.Revision = OriginalSecurityDescriptor->Revision;
- DescriptorCopy.Sbz1 = OriginalSecurityDescriptor->Sbz1;
- DescriptorCopy.Control = OriginalSecurityDescriptor->Control;
- DescriptorSize = ((DescriptorCopy.Control & SE_SELF_RELATIVE) ?
- sizeof(SECURITY_DESCRIPTOR_RELATIVE) : sizeof(SECURITY_DESCRIPTOR));
- if (DescriptorCopy.Control & SE_SELF_RELATIVE)
- {
- PISECURITY_DESCRIPTOR_RELATIVE RelSD = (PISECURITY_DESCRIPTOR_RELATIVE)OriginalSecurityDescriptor;
+ /* Now capture all fields and convert to an absolute descriptor */
+ DescriptorCopy.Revision = OriginalDescriptor->Revision;
+ DescriptorCopy.Sbz1 = OriginalDescriptor->Sbz1;
+ DescriptorCopy.Control = OriginalDescriptor->Control & ~SE_SELF_RELATIVE;
+ DescriptorCopy.Owner = SepGetOwnerFromDescriptor(OriginalDescriptor);
+ DescriptorCopy.Group = SepGetGroupFromDescriptor(OriginalDescriptor);
+ DescriptorCopy.Sacl = SepGetSaclFromDescriptor(OriginalDescriptor);
+ DescriptorCopy.Dacl = SepGetDaclFromDescriptor(OriginalDescriptor);
+ DescriptorSize = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
+
+ /* Determine owner and group sizes */
+ OwnerSize = DetermineSIDSize(DescriptorCopy.Owner, &OwnerSAC, CurrentMode);
+ DescriptorSize += ROUND_UP(OwnerSize, sizeof(ULONG));
+ GroupSize = DetermineSIDSize(DescriptorCopy.Group, &GroupSAC, CurrentMode);
+ DescriptorSize += ROUND_UP(GroupSize, sizeof(ULONG));
- DescriptorCopy.Owner = (PSID)RelSD->Owner;
- DescriptorCopy.Group = (PSID)RelSD->Group;
- DescriptorCopy.Sacl = (PACL)RelSD->Sacl;
- DescriptorCopy.Dacl = (PACL)RelSD->Dacl;
- }
- else
- {
- DescriptorCopy.Owner = OriginalSecurityDescriptor->Owner;
- DescriptorCopy.Group = OriginalSecurityDescriptor->Group;
- DescriptorCopy.Sacl = OriginalSecurityDescriptor->Sacl;
- DescriptorCopy.Dacl = OriginalSecurityDescriptor->Dacl;
- }
+ /* Determine the size of the ACLs */
+ if (DescriptorCopy.Control & SE_SACL_PRESENT)
+ {
+ /* Get the size and probe if user mode */
+ SaclSize = DetermineACLSize(DescriptorCopy.Sacl, CurrentMode);
+ DescriptorSize += ROUND_UP(SaclSize, sizeof(ULONG));
}
- if (DescriptorCopy.Control & SE_SELF_RELATIVE)
+ if (DescriptorCopy.Control & SE_DACL_PRESENT)
{
- /*
- * In case we're dealing with a self-relative descriptor, do a basic convert
- * to an absolute descriptor. We do this so we can simply access the data
- * using the pointers without calculating them again.
- */
- DescriptorCopy.Control &= ~SE_SELF_RELATIVE;
- if (DescriptorCopy.Owner != NULL)
- {
- DescriptorCopy.Owner = (PSID)((ULONG_PTR)OriginalSecurityDescriptor + (ULONG_PTR)DescriptorCopy.Owner);
- }
- if (DescriptorCopy.Group != NULL)
- {
- DescriptorCopy.Group = (PSID)((ULONG_PTR)OriginalSecurityDescriptor + (ULONG_PTR)DescriptorCopy.Group);
- }
- if (DescriptorCopy.Dacl != NULL)
- {
- DescriptorCopy.Dacl = (PACL)((ULONG_PTR)OriginalSecurityDescriptor + (ULONG_PTR)DescriptorCopy.Dacl);
- }
- if (DescriptorCopy.Sacl != NULL)
- {
- DescriptorCopy.Sacl = (PACL)((ULONG_PTR)OriginalSecurityDescriptor + (ULONG_PTR)DescriptorCopy.Sacl);
- }
+ /* Get the size and probe if user mode */
+ DaclSize = DetermineACLSize(DescriptorCopy.Dacl, CurrentMode);
+ DescriptorSize += ROUND_UP(DaclSize, sizeof(ULONG));
}
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END
- /* Determine the size of the SIDs */
-#define DetermineSIDSize(SidType) \
-do { \
-if(DescriptorCopy.SidType != NULL) \
-{ \
-SID *SidType = (SID*)DescriptorCopy.SidType; \
-\
-if(CurrentMode != KernelMode) \
-{ \
-/* Securely access the buffers! */ \
-_SEH2_TRY \
-{ \
-SidType##SAC = ProbeForReadUchar(&SidType->SubAuthorityCount); \
-SidType##Size = RtlLengthRequiredSid(SidType##SAC); \
-DescriptorSize += ROUND_UP(SidType##Size, sizeof(ULONG)); \
-ProbeForRead(SidType, \
-SidType##Size, \
-sizeof(ULONG)); \
-} \
-_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) \
-{ \
-_SEH2_YIELD(return _SEH2_GetExceptionCode()); \
-} \
-_SEH2_END; \
-\
-} \
-else \
-{ \
-SidType##SAC = SidType->SubAuthorityCount; \
-SidType##Size = RtlLengthRequiredSid(SidType##SAC); \
-DescriptorSize += ROUND_UP(SidType##Size, sizeof(ULONG)); \
-} \
-} \
-} while(0)
-
- DetermineSIDSize(Owner);
- DetermineSIDSize(Group);
-
-#undef DetermineSIDSize
+ /*
+ * Allocate enough memory to store a complete copy of a self-relative
+ * security descriptor
+ */
+ NewDescriptor = ExAllocatePoolWithTag(PoolType,
+ DescriptorSize,
+ TAG_SD);
+ if (!NewDescriptor) return STATUS_INSUFFICIENT_RESOURCES;
- /* Determine the size of the ACLs */
-#define DetermineACLSize(AclType, AclFlag) \
-do { \
-if((DescriptorCopy.Control & SE_##AclFlag##_PRESENT) && \
-DescriptorCopy.AclType != NULL) \
-{ \
-PACL AclType = (PACL)DescriptorCopy.AclType; \
-\
-if(CurrentMode != KernelMode) \
-{ \
-/* Securely access the buffers! */ \
-_SEH2_TRY \
-{ \
-AclType##Size = ProbeForReadUshort(&AclType->AclSize); \
-DescriptorSize += ROUND_UP(AclType##Size, sizeof(ULONG)); \
-ProbeForRead(AclType, \
-AclType##Size, \
-sizeof(ULONG)); \
-} \
-_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) \
-{ \
-_SEH2_YIELD(return _SEH2_GetExceptionCode()); \
-} \
-_SEH2_END; \
-\
-} \
-else \
-{ \
-AclType##Size = AclType->AclSize; \
-DescriptorSize += ROUND_UP(AclType##Size, sizeof(ULONG)); \
-} \
-} \
-else \
-{ \
-DescriptorCopy.AclType = NULL; \
-} \
-} while(0)
-
- DetermineACLSize(Sacl, SACL);
- DetermineACLSize(Dacl, DACL);
-
-#undef DetermineACLSize
+ RtlZeroMemory(NewDescriptor, DescriptorSize);
+ NewDescriptor->Revision = DescriptorCopy.Revision;
+ NewDescriptor->Sbz1 = DescriptorCopy.Sbz1;
+ NewDescriptor->Control = DescriptorCopy.Control | SE_SELF_RELATIVE;
+ _SEH2_TRY
+ {
/*
- * Allocate enough memory to store a complete copy of a self-relative
- * security descriptor
+ * Setup the offsets and copy the SIDs and ACLs to the new
+ * self-relative security descriptor. Probing the pointers is not
+ * neccessary anymore as we did that when collecting the sizes!
+ * Make sure to validate the SIDs and ACLs *again* as they could have
+ * been modified in the meanwhile!
*/
- NewDescriptor = ExAllocatePoolWithTag(PoolType,
- DescriptorSize,
- TAG_SD);
- if (NewDescriptor != NULL)
- {
- ULONG_PTR Offset = sizeof(SECURITY_DESCRIPTOR);
+ Offset = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
- RtlZeroMemory(NewDescriptor, DescriptorSize);
- NewDescriptor->Revision = DescriptorCopy.Revision;
- NewDescriptor->Sbz1 = DescriptorCopy.Sbz1;
- NewDescriptor->Control = DescriptorCopy.Control | SE_SELF_RELATIVE;
+ if (DescriptorCopy.Owner)
+ {
+ if (!RtlValidSid(DescriptorCopy.Owner)) RtlRaiseStatus(STATUS_INVALID_SID);
+ NewDescriptor->Owner = Offset;
+ RtlCopyMemory((PUCHAR)NewDescriptor + Offset,
+ DescriptorCopy.Owner,
+ OwnerSize);
+ Offset += ROUND_UP(OwnerSize, sizeof(ULONG));
+ }
- _SEH2_TRY
- {
- /*
- * Setup the offsets and copy the SIDs and ACLs to the new
- * self-relative security descriptor. Probing the pointers is not
- * neccessary anymore as we did that when collecting the sizes!
- * Make sure to validate the SIDs and ACLs *again* as they could have
- * been modified in the meanwhile!
- */
-#define CopySID(Type) \
-do { \
-if(DescriptorCopy.Type != NULL) \
-{ \
-NewDescriptor->Type = (PVOID)Offset; \
-RtlCopyMemory((PVOID)((ULONG_PTR)NewDescriptor + \
-(ULONG_PTR)NewDescriptor->Type), \
-DescriptorCopy.Type, \
-Type##Size); \
-if (!RtlValidSid((PSID)((ULONG_PTR)NewDescriptor + \
-(ULONG_PTR)NewDescriptor->Type))) \
-{ \
-RtlRaiseStatus(STATUS_INVALID_SID); \
-} \
-Offset += ROUND_UP(Type##Size, sizeof(ULONG)); \
-} \
-} while(0)
-
- CopySID(Owner);
- CopySID(Group);
-
-#undef CopySID
-
-#define CopyACL(Type) \
-do { \
-if(DescriptorCopy.Type != NULL) \
-{ \
-NewDescriptor->Type = (PVOID)Offset; \
-RtlCopyMemory((PVOID)((ULONG_PTR)NewDescriptor + \
-(ULONG_PTR)NewDescriptor->Type), \
-DescriptorCopy.Type, \
-Type##Size); \
-if (!RtlValidAcl((PACL)((ULONG_PTR)NewDescriptor + \
-(ULONG_PTR)NewDescriptor->Type))) \
-{ \
-RtlRaiseStatus(STATUS_INVALID_ACL); \
-} \
-Offset += ROUND_UP(Type##Size, sizeof(ULONG)); \
-} \
-} while(0)
-
- CopyACL(Sacl);
- CopyACL(Dacl);
-
-#undef CopyACL
- }
- _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
- {
- /* We failed to copy the data to the new descriptor */
- ExFreePoolWithTag(NewDescriptor, TAG_SD);
- _SEH2_YIELD(return _SEH2_GetExceptionCode());
- }
- _SEH2_END;
+ if (DescriptorCopy.Group)
+ {
+ if (!RtlValidSid(DescriptorCopy.Group)) RtlRaiseStatus(STATUS_INVALID_SID);
+ NewDescriptor->Group = Offset;
+ RtlCopyMemory((PUCHAR)NewDescriptor + Offset,
+ DescriptorCopy.Group,
+ GroupSize);
+ Offset += ROUND_UP(GroupSize, sizeof(ULONG));
+ }
- /*
- * We're finally done!
- * Copy the pointer to the captured descriptor to to the caller.
- */
- *CapturedSecurityDescriptor = NewDescriptor;
- return STATUS_SUCCESS;
+ if (DescriptorCopy.Sacl)
+ {
+ if (!RtlValidAcl(DescriptorCopy.Sacl)) RtlRaiseStatus(STATUS_INVALID_ACL);
+ NewDescriptor->Sacl = Offset;
+ RtlCopyMemory((PUCHAR)NewDescriptor + Offset,
+ DescriptorCopy.Sacl,
+ SaclSize);
+ Offset += ROUND_UP(SaclSize, sizeof(ULONG));
}
- else
+
+ if (DescriptorCopy.Dacl)
{
- Status = STATUS_INSUFFICIENT_RESOURCES;
+ if (!RtlValidAcl(DescriptorCopy.Dacl)) RtlRaiseStatus(STATUS_INVALID_ACL);
+ NewDescriptor->Dacl = Offset;
+ RtlCopyMemory((PUCHAR)NewDescriptor + Offset,
+ DescriptorCopy.Dacl,
+ DaclSize);
+ Offset += ROUND_UP(DaclSize, sizeof(ULONG));
}
+
+ /* Make sure the size was correct */
+ ASSERT(Offset == DescriptorSize);
}
- else
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
- /* Nothing to do... */
- *CapturedSecurityDescriptor = NULL;
+ /* We failed to copy the data to the new descriptor */
+ ExFreePoolWithTag(NewDescriptor, TAG_SD);
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
}
+ _SEH2_END;
- return Status;
+ /*
+ * We're finally done!
+ * Copy the pointer to the captured descriptor to to the caller.
+ */
+ *CapturedSecurityDescriptor = NewDescriptor;
+ return STATUS_SUCCESS;
}
/*
* @implemented
*/
-NTSTATUS NTAPI
-SeQuerySecurityDescriptorInfo(IN PSECURITY_INFORMATION SecurityInformation,
- IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
- IN OUT PULONG Length,
- IN PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor OPTIONAL)
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeQuerySecurityDescriptorInfo(
+ _In_ PSECURITY_INFORMATION SecurityInformation,
+ _Out_writes_bytes_(*Length) PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Inout_ PULONG Length,
+ _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor)
{
PISECURITY_DESCRIPTOR ObjectSd;
PISECURITY_DESCRIPTOR_RELATIVE RelSD;
ULONG GroupLength = 0;
ULONG DaclLength = 0;
ULONG SaclLength = 0;
- ULONG Control = 0;
+ SECURITY_DESCRIPTOR_CONTROL Control = 0;
ULONG_PTR Current;
ULONG SdLength;
+ PAGED_CODE();
+
RelSD = (PISECURITY_DESCRIPTOR_RELATIVE)SecurityDescriptor;
if (*ObjectsSecurityDescriptor == NULL)
/* Build the new security descrtiptor */
RtlCreateSecurityDescriptorRelative(RelSD,
SECURITY_DESCRIPTOR_REVISION);
- RelSD->Control = (USHORT)Control;
+ RelSD->Control = Control;
Current = (ULONG_PTR)(RelSD + 1);
/*
* @implemented
*/
-NTSTATUS NTAPI
-SeSetSecurityDescriptorInfo(IN PVOID Object OPTIONAL,
- IN PSECURITY_INFORMATION _SecurityInformation,
- IN PSECURITY_DESCRIPTOR _SecurityDescriptor,
- IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
- IN POOL_TYPE PoolType,
- IN PGENERIC_MAPPING GenericMapping)
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeSetSecurityDescriptorInfo(
+ _In_opt_ PVOID Object,
+ _In_ PSECURITY_INFORMATION SecurityInformation,
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
+ _In_ POOL_TYPE PoolType,
+ _In_ PGENERIC_MAPPING GenericMapping)
{
- PISECURITY_DESCRIPTOR ObjectSd;
- PISECURITY_DESCRIPTOR NewSd;
+ PAGED_CODE();
+
+ return SeSetSecurityDescriptorInfoEx(Object,
+ SecurityInformation,
+ SecurityDescriptor,
+ ObjectsSecurityDescriptor,
+ 0,
+ PoolType,
+ GenericMapping);
+}
+
+/*
+ * @implemented
+ */
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeSetSecurityDescriptorInfoEx(
+ _In_opt_ PVOID Object,
+ _In_ PSECURITY_INFORMATION _SecurityInformation,
+ _In_ PSECURITY_DESCRIPTOR _SecurityDescriptor,
+ _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
+ _In_ ULONG AutoInheritFlags,
+ _In_ POOL_TYPE PoolType,
+ _In_ PGENERIC_MAPPING GenericMapping)
+{
+ PISECURITY_DESCRIPTOR_RELATIVE ObjectSd;
+ PISECURITY_DESCRIPTOR_RELATIVE NewSd;
PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
- PSID Owner = 0;
- PSID Group = 0;
- PACL Dacl = 0;
- PACL Sacl = 0;
- ULONG OwnerLength = 0;
- ULONG GroupLength = 0;
- ULONG DaclLength = 0;
- ULONG SaclLength = 0;
- ULONG Control = 0;
- ULONG_PTR Current;
+ PSID Owner;
+ PSID Group;
+ PACL Dacl;
+ PACL Sacl;
+ ULONG OwnerLength;
+ ULONG GroupLength;
+ ULONG DaclLength;
+ ULONG SaclLength;
+ SECURITY_DESCRIPTOR_CONTROL Control = 0;
+ ULONG Current;
SECURITY_INFORMATION SecurityInformation;
+ PAGED_CODE();
+
ObjectSd = *ObjectsSecurityDescriptor;
/* The object does not have a security descriptor. */
if (!ObjectSd)
return STATUS_NO_SECURITY_ON_OBJECT;
+ ASSERT(ObjectSd->Control & SE_SELF_RELATIVE);
+
SecurityInformation = *_SecurityInformation;
/* Get owner and owner size */
if (SecurityInformation & OWNER_SECURITY_INFORMATION)
{
- if (SecurityDescriptor->Owner != NULL)
- {
- if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
- Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner +
- (ULONG_PTR)SecurityDescriptor);
- else
- Owner = (PSID)SecurityDescriptor->Owner;
- OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
- }
-
+ Owner = SepGetOwnerFromDescriptor(SecurityDescriptor);
Control |= (SecurityDescriptor->Control & SE_OWNER_DEFAULTED);
}
else
{
- if (ObjectSd->Owner != NULL)
- {
- Owner = (PSID)((ULONG_PTR)ObjectSd->Owner + (ULONG_PTR)ObjectSd);
- OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
- }
-
+ Owner = SepGetOwnerFromDescriptor(ObjectSd);
Control |= (ObjectSd->Control & SE_OWNER_DEFAULTED);
}
-
+ OwnerLength = Owner ? RtlLengthSid(Owner) : 0;
+ NT_ASSERT(OwnerLength % sizeof(ULONG) == 0);
+
/* Get group and group size */
if (SecurityInformation & GROUP_SECURITY_INFORMATION)
{
- if (SecurityDescriptor->Group != NULL)
- {
- if( SecurityDescriptor->Control & SE_SELF_RELATIVE )
- Group = (PSID)((ULONG_PTR)SecurityDescriptor->Group +
- (ULONG_PTR)SecurityDescriptor);
- else
- Group = (PSID)SecurityDescriptor->Group;
- GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
- }
-
+ Group = SepGetGroupFromDescriptor(SecurityDescriptor);
Control |= (SecurityDescriptor->Control & SE_GROUP_DEFAULTED);
}
else
{
- if (ObjectSd->Group != NULL)
- {
- Group = (PSID)((ULONG_PTR)ObjectSd->Group + (ULONG_PTR)ObjectSd);
- GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
- }
-
+ Group = SepGetGroupFromDescriptor(ObjectSd);
Control |= (ObjectSd->Control & SE_GROUP_DEFAULTED);
}
+ GroupLength = Group ? RtlLengthSid(Group) : 0;
+ NT_ASSERT(GroupLength % sizeof(ULONG) == 0);
/* Get DACL and DACL size */
if (SecurityInformation & DACL_SECURITY_INFORMATION)
{
- if ((SecurityDescriptor->Control & SE_DACL_PRESENT) &&
- (SecurityDescriptor->Dacl != NULL))
- {
- if( SecurityDescriptor->Control & SE_SELF_RELATIVE )
- Dacl = (PACL)((ULONG_PTR)SecurityDescriptor->Dacl +
- (ULONG_PTR)SecurityDescriptor);
- else
- Dacl = (PACL)SecurityDescriptor->Dacl;
-
- DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4);
- }
-
+ Dacl = SepGetDaclFromDescriptor(SecurityDescriptor);
Control |= (SecurityDescriptor->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
}
else
{
- if ((ObjectSd->Control & SE_DACL_PRESENT) &&
- (ObjectSd->Dacl != NULL))
- {
- Dacl = (PACL)((ULONG_PTR)ObjectSd->Dacl + (ULONG_PTR)ObjectSd);
- DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4);
- }
-
+ Dacl = SepGetDaclFromDescriptor(ObjectSd);
Control |= (ObjectSd->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
}
-
+ DaclLength = Dacl ? ROUND_UP((ULONG)Dacl->AclSize, 4) : 0;
+
/* Get SACL and SACL size */
if (SecurityInformation & SACL_SECURITY_INFORMATION)
{
- if ((SecurityDescriptor->Control & SE_SACL_PRESENT) &&
- (SecurityDescriptor->Sacl != NULL))
- {
- if( SecurityDescriptor->Control & SE_SELF_RELATIVE )
- Sacl = (PACL)((ULONG_PTR)SecurityDescriptor->Sacl +
- (ULONG_PTR)SecurityDescriptor);
- else
- Sacl = (PACL)SecurityDescriptor->Sacl;
- SaclLength = ROUND_UP((ULONG)Sacl->AclSize, 4);
- }
-
+ Sacl = SepGetSaclFromDescriptor(SecurityDescriptor);
Control |= (SecurityDescriptor->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT));
}
else
{
- if ((ObjectSd->Control & SE_SACL_PRESENT) &&
- (ObjectSd->Sacl != NULL))
- {
- Sacl = (PACL)((ULONG_PTR)ObjectSd->Sacl + (ULONG_PTR)ObjectSd);
- SaclLength = ROUND_UP((ULONG)Sacl->AclSize, 4);
- }
-
+ Sacl = SepGetSaclFromDescriptor(ObjectSd);
Control |= (ObjectSd->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT));
}
+ SaclLength = Sacl ? ROUND_UP((ULONG)Sacl->AclSize, 4) : 0;
NewSd = ExAllocatePool(NonPagedPool,
- sizeof(SECURITY_DESCRIPTOR) + OwnerLength + GroupLength +
+ sizeof(SECURITY_DESCRIPTOR_RELATIVE) + OwnerLength + GroupLength +
DaclLength + SaclLength);
if (NewSd == NULL)
{
- ObDereferenceObject(Object);
return STATUS_INSUFFICIENT_RESOURCES;
}
SECURITY_DESCRIPTOR_REVISION1);
/* We always build a self-relative descriptor */
- NewSd->Control = (USHORT)Control | SE_SELF_RELATIVE;
+ NewSd->Control = Control | SE_SELF_RELATIVE;
- Current = (ULONG_PTR)NewSd + sizeof(SECURITY_DESCRIPTOR);
+ Current = sizeof(SECURITY_DESCRIPTOR);
if (OwnerLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Owner,
- OwnerLength);
- NewSd->Owner = (PSID)(Current - (ULONG_PTR)NewSd);
+ RtlCopyMemory((PUCHAR)NewSd + Current, Owner, OwnerLength);
+ NewSd->Owner = Current;
Current += OwnerLength;
}
if (GroupLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Group,
- GroupLength);
- NewSd->Group = (PSID)(Current - (ULONG_PTR)NewSd);
+ RtlCopyMemory((PUCHAR)NewSd + Current, Group, GroupLength);
+ NewSd->Group = Current;
Current += GroupLength;
}
if (DaclLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Dacl,
- DaclLength);
- NewSd->Dacl = (PACL)(Current - (ULONG_PTR)NewSd);
+ RtlCopyMemory((PUCHAR)NewSd + Current, Dacl, DaclLength);
+ NewSd->Dacl = Current;
Current += DaclLength;
}
if (SaclLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Sacl,
- SaclLength);
- NewSd->Sacl = (PACL)(Current - (ULONG_PTR)NewSd);
+ RtlCopyMemory((PUCHAR)NewSd + Current, Sacl, SaclLength);
+ NewSd->Sacl = Current;
Current += SaclLength;
}
return STATUS_SUCCESS;
}
-/*
- * @unimplemented
- */
-NTSTATUS
-NTAPI
-SeSetSecurityDescriptorInfoEx(IN PVOID Object OPTIONAL,
- IN PSECURITY_INFORMATION SecurityInformation,
- IN PSECURITY_DESCRIPTOR ModificationDescriptor,
- IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
- IN ULONG AutoInheritFlags,
- IN POOL_TYPE PoolType,
- IN PGENERIC_MAPPING GenericMapping)
-{
- PISECURITY_DESCRIPTOR ObjectSd = *ObjectsSecurityDescriptor;
-
- /* The object does not have a security descriptor. */
- if (!ObjectSd)
- return STATUS_NO_SECURITY_ON_OBJECT;
-
- UNIMPLEMENTED;
- return STATUS_NOT_IMPLEMENTED;
-}
-
/*
* @implemented
ULONG SdLength;
PISID Sid;
PACL Acl;
- PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
+ PISECURITY_DESCRIPTOR_RELATIVE SecurityDescriptor = _SecurityDescriptor;
if (Length < SECURITY_DESCRIPTOR_MIN_LENGTH)
{
SdLength = sizeof(SECURITY_DESCRIPTOR);
/* Check Owner SID */
- if (SecurityDescriptor->Owner == NULL)
+ if (SecurityDescriptor->Owner)
{
DPRINT1("No Owner SID\n");
return FALSE;
}
- if ((ULONG_PTR)SecurityDescriptor->Owner % sizeof(ULONG))
+ if (SecurityDescriptor->Owner % sizeof(ULONG))
{
DPRINT1("Invalid Owner SID alignment\n");
return FALSE;
}
- Sid = (PISID)((ULONG_PTR)SecurityDescriptor + (ULONG_PTR)SecurityDescriptor->Owner);
+ Sid = (PISID)((ULONG_PTR)SecurityDescriptor + SecurityDescriptor->Owner);
if (Sid->Revision != SID_REVISION)
{
DPRINT1("Invalid Owner SID revision\n");
}
/* Check Group SID */
- if (SecurityDescriptor->Group != NULL)
+ if (SecurityDescriptor->Group)
{
- if ((ULONG_PTR)SecurityDescriptor->Group % sizeof(ULONG))
+ if (SecurityDescriptor->Group % sizeof(ULONG))
{
DPRINT1("Invalid Group SID alignment\n");
return FALSE;
}
- Sid = (PSID)((ULONG_PTR)SecurityDescriptor + (ULONG_PTR)SecurityDescriptor->Group);
+ Sid = (PSID)((ULONG_PTR)SecurityDescriptor + SecurityDescriptor->Group);
if (Sid->Revision != SID_REVISION)
{
DPRINT1("Invalid Group SID revision\n");
}
/* Check DACL */
- if (SecurityDescriptor->Dacl != NULL)
+ if (SecurityDescriptor->Dacl)
{
- if ((ULONG_PTR)SecurityDescriptor->Dacl % sizeof(ULONG))
+ if (SecurityDescriptor->Dacl % sizeof(ULONG))
{
DPRINT1("Invalid DACL alignment\n");
return FALSE;
}
- Acl = (PACL)((ULONG_PTR)SecurityDescriptor + (ULONG_PTR)SecurityDescriptor->Dacl);
- if ((Acl->AclRevision < MIN_ACL_REVISION) &&
+ Acl = (PACL)((ULONG_PTR)SecurityDescriptor + SecurityDescriptor->Dacl);
+ if ((Acl->AclRevision < MIN_ACL_REVISION) ||
(Acl->AclRevision > MAX_ACL_REVISION))
{
DPRINT1("Invalid DACL revision\n");
}
/* Check SACL */
- if (SecurityDescriptor->Sacl != NULL)
+ if (SecurityDescriptor->Sacl)
{
- if ((ULONG_PTR)SecurityDescriptor->Sacl % sizeof(ULONG))
+ if (SecurityDescriptor->Sacl % sizeof(ULONG))
{
DPRINT1("Invalid SACL alignment\n");
return FALSE;
}
- Acl = (PACL)((ULONG_PTR)SecurityDescriptor + (ULONG_PTR)SecurityDescriptor->Sacl);
+ Acl = (PACL)((ULONG_PTR)SecurityDescriptor + SecurityDescriptor->Sacl);
if ((Acl->AclRevision < MIN_ACL_REVISION) ||
(Acl->AclRevision > MAX_ACL_REVISION))
{
/*
* @implemented
*/
-NTSTATUS NTAPI
-SeDeassignSecurity(PSECURITY_DESCRIPTOR *SecurityDescriptor)
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeDeassignSecurity(
+ _Inout_ PSECURITY_DESCRIPTOR *SecurityDescriptor)
{
PAGED_CODE();
return STATUS_SUCCESS;
}
-
-/*
- * @unimplemented
- */
-NTSTATUS NTAPI
-SeAssignSecurityEx(IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
- IN PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL,
- OUT PSECURITY_DESCRIPTOR *NewDescriptor,
- IN GUID *ObjectType OPTIONAL,
- IN BOOLEAN IsDirectoryObject,
- IN ULONG AutoInheritFlags,
- IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
- IN PGENERIC_MAPPING GenericMapping,
- IN POOL_TYPE PoolType)
-{
- UNIMPLEMENTED;
- return STATUS_NOT_IMPLEMENTED;
-}
-
/*
* @implemented
*/
-NTSTATUS NTAPI
-SeAssignSecurity(PSECURITY_DESCRIPTOR _ParentDescriptor OPTIONAL,
- PSECURITY_DESCRIPTOR _ExplicitDescriptor OPTIONAL,
- PSECURITY_DESCRIPTOR *NewDescriptor,
- BOOLEAN IsDirectoryObject,
- PSECURITY_SUBJECT_CONTEXT SubjectContext,
- PGENERIC_MAPPING GenericMapping,
- POOL_TYPE PoolType)
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeAssignSecurityEx(
+ _In_opt_ PSECURITY_DESCRIPTOR _ParentDescriptor,
+ _In_opt_ PSECURITY_DESCRIPTOR _ExplicitDescriptor,
+ _Out_ PSECURITY_DESCRIPTOR *NewDescriptor,
+ _In_opt_ GUID *ObjectType,
+ _In_ BOOLEAN IsDirectoryObject,
+ _In_ ULONG AutoInheritFlags,
+ _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
+ _In_ PGENERIC_MAPPING GenericMapping,
+ _In_ POOL_TYPE PoolType)
{
PISECURITY_DESCRIPTOR ParentDescriptor = _ParentDescriptor;
PISECURITY_DESCRIPTOR ExplicitDescriptor = _ExplicitDescriptor;
- PISECURITY_DESCRIPTOR Descriptor;
+ PISECURITY_DESCRIPTOR_RELATIVE Descriptor;
PTOKEN Token;
- ULONG OwnerLength = 0;
- ULONG GroupLength = 0;
- ULONG DaclLength = 0;
- ULONG SaclLength = 0;
- ULONG Length = 0;
- ULONG Control = 0;
- ULONG_PTR Current;
+ ULONG OwnerLength;
+ ULONG GroupLength;
+ ULONG DaclLength;
+ ULONG SaclLength;
+ ULONG Length;
+ SECURITY_DESCRIPTOR_CONTROL Control = 0;
+ ULONG Current;
PSID Owner = NULL;
PSID Group = NULL;
+ PACL ExplicitAcl;
+ BOOLEAN ExplicitPresent;
+ BOOLEAN ExplicitDefaulted;
+ PACL ParentAcl;
PACL Dacl = NULL;
PACL Sacl = NULL;
+ BOOLEAN DaclIsInherited;
+ BOOLEAN SaclIsInherited;
+ BOOLEAN DaclPresent;
+ BOOLEAN SaclPresent;
+ NTSTATUS Status;
+
+ DBG_UNREFERENCED_PARAMETER(ObjectType);
+ DBG_UNREFERENCED_PARAMETER(AutoInheritFlags);
+ UNREFERENCED_PARAMETER(PoolType);
PAGED_CODE();
+ *NewDescriptor = NULL;
+
+ if (!ARGUMENT_PRESENT(SubjectContext))
+ {
+ return STATUS_NO_TOKEN;
+ }
+
/* Lock subject context */
SeLockSubjectContext(SubjectContext);
}
/* Inherit the Owner SID */
- if (ExplicitDescriptor != NULL && ExplicitDescriptor->Owner != NULL)
+ if (ExplicitDescriptor != NULL)
{
DPRINT("Use explicit owner sid!\n");
- Owner = ExplicitDescriptor->Owner;
-
- if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
- {
- Owner = (PSID)(((ULONG_PTR)Owner) + (ULONG_PTR)ExplicitDescriptor);
- }
+ Owner = SepGetOwnerFromDescriptor(ExplicitDescriptor);
}
- else
+ if (!Owner)
{
- if (Token != NULL)
- {
- DPRINT("Use token owner sid!\n");
- Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
- }
- else
- {
- DPRINT("Use default owner sid!\n");
- Owner = SeLocalSystemSid;
- }
-
- Control |= SE_OWNER_DEFAULTED;
+ DPRINT("Use token owner sid!\n");
+ Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
}
-
- OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
+ OwnerLength = RtlLengthSid(Owner);
+ NT_ASSERT(OwnerLength % sizeof(ULONG) == 0);
/* Inherit the Group SID */
- if (ExplicitDescriptor != NULL && ExplicitDescriptor->Group != NULL)
+ if (ExplicitDescriptor != NULL)
{
- DPRINT("Use explicit group sid!\n");
- Group = ExplicitDescriptor->Group;
- if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
- {
- Group = (PSID)(((ULONG_PTR)Group) + (ULONG_PTR)ExplicitDescriptor);
- }
+ Group = SepGetGroupFromDescriptor(ExplicitDescriptor);
}
- else
+ if (!Group)
{
- if (Token != NULL)
- {
- DPRINT("Use token group sid!\n");
- Group = Token->PrimaryGroup;
- }
- else
- {
- DPRINT("Use default group sid!\n");
- Group = SeLocalSystemSid;
- }
-
- Control |= SE_OWNER_DEFAULTED;
+ DPRINT("Use token group sid!\n");
+ Group = Token->PrimaryGroup;
}
-
- GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
+ if (!Group)
+ {
+ SeUnlockSubjectContext(SubjectContext);
+ return STATUS_INVALID_PRIMARY_GROUP;
+ }
+ GroupLength = RtlLengthSid(Group);
+ NT_ASSERT(GroupLength % sizeof(ULONG) == 0);
/* Inherit the DACL */
+ DaclLength = 0;
+ ExplicitAcl = NULL;
+ ExplicitPresent = FALSE;
+ ExplicitDefaulted = FALSE;
if (ExplicitDescriptor != NULL &&
- (ExplicitDescriptor->Control & SE_DACL_PRESENT) &&
- !(ExplicitDescriptor->Control & SE_DACL_DEFAULTED))
- {
- DPRINT("Use explicit DACL!\n");
- Dacl = ExplicitDescriptor->Dacl;
- if (Dacl != NULL && (ExplicitDescriptor->Control & SE_SELF_RELATIVE))
- {
- Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ExplicitDescriptor);
- }
-
+ (ExplicitDescriptor->Control & SE_DACL_PRESENT))
+ {
+ ExplicitAcl = SepGetDaclFromDescriptor(ExplicitDescriptor);
+ ExplicitPresent = TRUE;
+ if (ExplicitDescriptor->Control & SE_DACL_DEFAULTED)
+ ExplicitDefaulted = TRUE;
+ }
+ ParentAcl = NULL;
+ if (ParentDescriptor != NULL &&
+ (ParentDescriptor->Control & SE_DACL_PRESENT))
+ {
+ ParentAcl = SepGetDaclFromDescriptor(ParentDescriptor);
+ }
+ Dacl = SepSelectAcl(ExplicitAcl,
+ ExplicitPresent,
+ ExplicitDefaulted,
+ ParentAcl,
+ Token->DefaultDacl,
+ &DaclLength,
+ Owner,
+ Group,
+ &DaclPresent,
+ &DaclIsInherited,
+ IsDirectoryObject,
+ GenericMapping);
+ if (DaclPresent)
Control |= SE_DACL_PRESENT;
- }
- else if (ParentDescriptor != NULL &&
- (ParentDescriptor->Control & SE_DACL_PRESENT))
- {
- DPRINT("Use parent DACL!\n");
- /* FIXME: Inherit */
- Dacl = ParentDescriptor->Dacl;
- if (Dacl != NULL && (ParentDescriptor->Control & SE_SELF_RELATIVE))
- {
- Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ParentDescriptor);
- }
-
- Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
- }
- else if (Token != NULL && Token->DefaultDacl != NULL)
- {
- DPRINT("Use token default DACL!\n");
- /* FIXME: Inherit */
- Dacl = Token->DefaultDacl;
- Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
- }
- else
- {
- DPRINT("Use NULL DACL!\n");
- Dacl = NULL;
- Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
- }
-
- DaclLength = (Dacl != NULL) ? ROUND_UP(Dacl->AclSize, 4) : 0;
+ NT_ASSERT(DaclLength % sizeof(ULONG) == 0);
/* Inherit the SACL */
+ SaclLength = 0;
+ ExplicitAcl = NULL;
+ ExplicitPresent = FALSE;
+ ExplicitDefaulted = FALSE;
if (ExplicitDescriptor != NULL &&
- (ExplicitDescriptor->Control & SE_SACL_PRESENT) &&
- !(ExplicitDescriptor->Control & SE_SACL_DEFAULTED))
- {
- DPRINT("Use explicit SACL!\n");
- Sacl = ExplicitDescriptor->Sacl;
- if (Sacl != NULL && (ExplicitDescriptor->Control & SE_SELF_RELATIVE))
- {
- Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ExplicitDescriptor);
- }
-
+ (ExplicitDescriptor->Control & SE_SACL_PRESENT))
+ {
+ ExplicitAcl = SepGetSaclFromDescriptor(ExplicitDescriptor);
+ ExplicitPresent = TRUE;
+ if (ExplicitDescriptor->Control & SE_SACL_DEFAULTED)
+ ExplicitDefaulted = TRUE;
+ }
+ ParentAcl = NULL;
+ if (ParentDescriptor != NULL &&
+ (ParentDescriptor->Control & SE_SACL_PRESENT))
+ {
+ ParentAcl = SepGetSaclFromDescriptor(ParentDescriptor);
+ }
+ Sacl = SepSelectAcl(ExplicitAcl,
+ ExplicitPresent,
+ ExplicitDefaulted,
+ ParentAcl,
+ NULL,
+ &SaclLength,
+ Owner,
+ Group,
+ &SaclPresent,
+ &SaclIsInherited,
+ IsDirectoryObject,
+ GenericMapping);
+ if (SaclPresent)
Control |= SE_SACL_PRESENT;
- }
- else if (ParentDescriptor != NULL &&
- (ParentDescriptor->Control & SE_SACL_PRESENT))
- {
- DPRINT("Use parent SACL!\n");
- /* FIXME: Inherit */
- Sacl = ParentDescriptor->Sacl;
- if (Sacl != NULL && (ParentDescriptor->Control & SE_SELF_RELATIVE))
- {
- Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ParentDescriptor);
- }
-
- Control |= (SE_SACL_PRESENT | SE_SACL_DEFAULTED);
- }
-
- SaclLength = (Sacl != NULL) ? ROUND_UP(Sacl->AclSize, 4) : 0;
+ NT_ASSERT(SaclLength % sizeof(ULONG) == 0);
/* Allocate and initialize the new security descriptor */
- Length = sizeof(SECURITY_DESCRIPTOR) +
- OwnerLength + GroupLength + DaclLength + SaclLength;
+ Length = sizeof(SECURITY_DESCRIPTOR_RELATIVE) +
+ OwnerLength + GroupLength + DaclLength + SaclLength;
- DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %d OwnerLength %d GroupLength %d DaclLength %d SaclLength %d\n",
+ DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %u OwnerLength %lu GroupLength %lu DaclLength %lu SaclLength %lu\n",
sizeof(SECURITY_DESCRIPTOR),
OwnerLength,
GroupLength,
DaclLength,
SaclLength);
- Descriptor = ExAllocatePoolWithTag(PagedPool,
- Length,
- TAG_SD);
+ Descriptor = ExAllocatePoolWithTag(PagedPool, Length, TAG_SD);
if (Descriptor == NULL)
{
DPRINT1("ExAlloctePool() failed\n");
- /* FIXME: Unlock subject context */
+ SeUnlockSubjectContext(SubjectContext);
return STATUS_INSUFFICIENT_RESOURCES;
}
- RtlZeroMemory( Descriptor, Length );
- RtlCreateSecurityDescriptor(Descriptor,
- SECURITY_DESCRIPTOR_REVISION);
+ RtlZeroMemory(Descriptor, Length);
+ RtlCreateSecurityDescriptor(Descriptor, SECURITY_DESCRIPTOR_REVISION);
- Descriptor->Control = (USHORT)Control | SE_SELF_RELATIVE;
+ Descriptor->Control = Control | SE_SELF_RELATIVE;
- Current = (ULONG_PTR)Descriptor + sizeof(SECURITY_DESCRIPTOR);
+ Current = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
if (SaclLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Sacl,
- SaclLength);
- Descriptor->Sacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+ Status = SepPropagateAcl((PACL)((PUCHAR)Descriptor + Current),
+ &SaclLength,
+ Sacl,
+ Owner,
+ Group,
+ SaclIsInherited,
+ IsDirectoryObject,
+ GenericMapping);
+ NT_ASSERT(Status == STATUS_SUCCESS);
+ Descriptor->Sacl = Current;
Current += SaclLength;
}
if (DaclLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Dacl,
- DaclLength);
- Descriptor->Dacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+ Status = SepPropagateAcl((PACL)((PUCHAR)Descriptor + Current),
+ &DaclLength,
+ Dacl,
+ Owner,
+ Group,
+ DaclIsInherited,
+ IsDirectoryObject,
+ GenericMapping);
+ NT_ASSERT(Status == STATUS_SUCCESS);
+ Descriptor->Dacl = Current;
Current += DaclLength;
}
if (OwnerLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Owner,
- OwnerLength);
- Descriptor->Owner = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+ RtlCopyMemory((PUCHAR)Descriptor + Current, Owner, OwnerLength);
+ Descriptor->Owner = Current;
Current += OwnerLength;
- DPRINT("Owner of %x at %x\n", Descriptor, Descriptor->Owner);
+ DPRINT("Owner of %p at %x\n", Descriptor, Descriptor->Owner);
}
else
{
- DPRINT("Owner of %x is zero length\n", Descriptor);
+ DPRINT("Owner of %p is zero length\n", Descriptor);
}
if (GroupLength != 0)
{
- memmove((PVOID)Current,
- Group,
- GroupLength);
- Descriptor->Group = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+ RtlCopyMemory((PUCHAR)Descriptor + Current, Group, GroupLength);
+ Descriptor->Group = Current;
}
/* Unlock subject context */
*NewDescriptor = Descriptor;
- DPRINT("Descrptor %x\n", Descriptor);
+ DPRINT("Descriptor %p\n", Descriptor);
ASSERT(RtlLengthSecurityDescriptor(Descriptor));
return STATUS_SUCCESS;
}
+/*
+ * @implemented
+ */
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeAssignSecurity(
+ _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor,
+ _In_opt_ PSECURITY_DESCRIPTOR ExplicitDescriptor,
+ _Out_ PSECURITY_DESCRIPTOR *NewDescriptor,
+ _In_ BOOLEAN IsDirectoryObject,
+ _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
+ _In_ PGENERIC_MAPPING GenericMapping,
+ _In_ POOL_TYPE PoolType)
+{
+ PAGED_CODE();
+
+ return SeAssignSecurityEx(ParentDescriptor,
+ ExplicitDescriptor,
+ NewDescriptor,
+ NULL,
+ IsDirectoryObject,
+ 0,
+ SubjectContext,
+ GenericMapping,
+ PoolType);
+}
+
/* EOF */
projects / reactos.git / blobdiff