projects / reactos.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
[NTOSKRNL]
[reactos.git] / reactos / ntoskrnl / se / semgr.c
diff --git a/reactos/ntoskrnl/se/semgr.c b/reactos/ntoskrnl/se/semgr.c
index 1f52a26..d9d7eb1 100644 (file)
--- a/reactos/ntoskrnl/se/semgr.c
+++ b/reactos/ntoskrnl/se/semgr.c
@@ -1,5 +1,4 @@
-/* $Id$
- *
+/*
  * COPYRIGHT:       See COPYING in the top level directory
  * PROJECT:         ReactOS kernel
  * FILE:            ntoskrnl/se/semgr.c
@@ -8,1145 +7,878 @@
  * PROGRAMMERS:     No programmer listed.
  */
 
-/* INCLUDES *****************************************************************/
+/* INCLUDES *******************************************************************/
 
 #include <ntoskrnl.h>
 #define NDEBUG
-#include <internal/debug.h>
+#include <debug.h>
 
-/* GLOBALS ******************************************************************/
+/* GLOBALS ********************************************************************/
 
 PSE_EXPORTS SeExports = NULL;
 SE_EXPORTS SepExports;
 
-static ERESOURCE SepSubjectContextLock;
-
-
-/* PROTOTYPES ***************************************************************/
+extern ULONG ExpInitializationPhase;
+extern ERESOURCE SepSubjectContextLock;
 
-static BOOLEAN SepInitExports(VOID);
+/* PRIVATE FUNCTIONS **********************************************************/
 
-#if defined (ALLOC_PRAGMA)
-#pragma alloc_text(INIT, SeInit1)
-#pragma alloc_text(INIT, SeInit2)
-#pragma alloc_text(INIT, SepInitExports)
-#endif
+static BOOLEAN INIT_FUNCTION
+SepInitExports(VOID)
+{
+    SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
+    SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
+    SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
+    SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
+    SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
+    SepExports.SeTcbPrivilege = SeTcbPrivilege;
+    SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
+    SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
+    SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
+    SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
+    SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
+    SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
+    SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
+    SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
+    SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
+    SepExports.SeBackupPrivilege = SeBackupPrivilege;
+    SepExports.SeRestorePrivilege = SeRestorePrivilege;
+    SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
+    SepExports.SeDebugPrivilege = SeDebugPrivilege;
+    SepExports.SeAuditPrivilege = SeAuditPrivilege;
+    SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
+    SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
+    SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
+
+    SepExports.SeNullSid = SeNullSid;
+    SepExports.SeWorldSid = SeWorldSid;
+    SepExports.SeLocalSid = SeLocalSid;
+    SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
+    SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
+    SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
+    SepExports.SeDialupSid = SeDialupSid;
+    SepExports.SeNetworkSid = SeNetworkSid;
+    SepExports.SeBatchSid = SeBatchSid;
+    SepExports.SeInteractiveSid = SeInteractiveSid;
+    SepExports.SeLocalSystemSid = SeLocalSystemSid;
+    SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
+    SepExports.SeAliasUsersSid = SeAliasUsersSid;
+    SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
+    SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
+    SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
+    SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
+    SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
+    SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
+    SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
+    SepExports.SeRestrictedSid = SeRestrictedSid;
+    SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
+
+    SepExports.SeUndockPrivilege = SeUndockPrivilege;
+    SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
+    SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
+
+    SeExports = &SepExports;
+    return TRUE;
+}
 
-/* FUNCTIONS ****************************************************************/
 
-BOOLEAN 
-INIT_FUNCTION
+BOOLEAN
 NTAPI
-SeInit1(VOID)
+SepInitializationPhase0(VOID)
 {
-  SepInitLuid();
-
-  if (!SepInitSecurityIDs())
-    return FALSE;
-
-  if (!SepInitDACLs())
-    return FALSE;
-
-  if (!SepInitSDs())
-    return FALSE;
-
-  SepInitPrivileges();
-
-  if (!SepInitExports())
-    return FALSE;
-
-  /* Initialize the subject context lock */
-  ExInitializeResource(&SepSubjectContextLock);
-
-  return TRUE;
+    PAGED_CODE();
+
+    ExpInitLuid();
+    if (!SepInitSecurityIDs()) return FALSE;
+    if (!SepInitDACLs()) return FALSE;
+    if (!SepInitSDs()) return FALSE;
+    SepInitPrivileges();
+    if (!SepInitExports()) return FALSE;
+
+    /* Initialize the subject context lock */
+    ExInitializeResource(&SepSubjectContextLock);
+
+    /* Initialize token objects */
+    SepInitializeTokenImplementation();
+
+    /* Clear impersonation info for the idle thread */
+    PsGetCurrentThread()->ImpersonationInfo = NULL;
+    PspClearCrossThreadFlag(PsGetCurrentThread(),
+                            CT_ACTIVE_IMPERSONATION_INFO_BIT);
+
+    /* Initialize the boot token */
+    ObInitializeFastReference(&PsGetCurrentProcess()->Token, NULL);
+    ObInitializeFastReference(&PsGetCurrentProcess()->Token,
+                              SepCreateSystemProcessToken());
+    return TRUE;
 }
 
-
 BOOLEAN
-INIT_FUNCTION
 NTAPI
-SeInit2(VOID)
+SepInitializationPhase1(VOID)
 {
-  SepInitializeTokenImplementation();
-
-  return TRUE;
+    NTSTATUS Status;
+    PAGED_CODE();
+
+    /* Insert the system token into the tree */
+    Status = ObInsertObject((PVOID)(PsGetCurrentProcess()->Token.Value &
+                                    ~MAX_FAST_REFS),
+                            NULL,
+                            0,
+                            0,
+                            NULL,
+                            NULL);
+    ASSERT(NT_SUCCESS(Status));
+
+    /* FIXME: TODO \\ Security directory */
+    return TRUE;
 }
 
-
 BOOLEAN
 NTAPI
-SeInitSRM(VOID)
+SeInitSystem(VOID)
 {
-  OBJECT_ATTRIBUTES ObjectAttributes;
-  UNICODE_STRING Name;
-  HANDLE DirectoryHandle;
-  HANDLE EventHandle;
-  NTSTATUS Status;
-
-  /* Create '\Security' directory */
-  RtlInitUnicodeString(&Name,
-                      L"\\Security");
-  InitializeObjectAttributes(&ObjectAttributes,
-                            &Name,
-                            OBJ_PERMANENT,
-                            0,
-                            NULL);
-  Status = ZwCreateDirectoryObject(&DirectoryHandle,
-                                  DIRECTORY_ALL_ACCESS,
-                                  &ObjectAttributes);
-  if (!NT_SUCCESS(Status))
+    /* Check the initialization phase */
+    switch (ExpInitializationPhase)
     {
-      DPRINT1("Failed to create 'Security' directory!\n");
-      return FALSE;
-    }
-
-  /* Create 'LSA_AUTHENTICATION_INITALIZED' event */
-  RtlInitUnicodeString(&Name,
-                      L"\\LSA_AUTHENTICATION_INITALIZED");
-  InitializeObjectAttributes(&ObjectAttributes,
-                            &Name,
-                            OBJ_PERMANENT,
-                            DirectoryHandle,
-                            SePublicDefaultSd);
-  Status = ZwCreateEvent(&EventHandle,
-                        EVENT_ALL_ACCESS,
-                        &ObjectAttributes,
-                        SynchronizationEvent,
-                        FALSE);
-  if (!NT_SUCCESS(Status))
-    {
-      DPRINT1("Failed to create 'LSA_AUTHENTICATION_INITALIZED' event!\n");
-      NtClose(DirectoryHandle);
-      return FALSE;
-    }
+        case 0:
 
-  ZwClose(EventHandle);
-  ZwClose(DirectoryHandle);
+            /* Do Phase 0 */
+            return SepInitializationPhase0();
 
-  /* FIXME: Create SRM port and listener thread */
+        case 1:
 
-  return TRUE;
-}
-
-
-static BOOLEAN INIT_FUNCTION
-SepInitExports(VOID)
-{
-  SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
-  SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
-  SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
-  SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
-  SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
-  SepExports.SeTcbPrivilege = SeTcbPrivilege;
-  SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
-  SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
-  SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
-  SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
-  SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
-  SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
-  SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
-  SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
-  SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
-  SepExports.SeBackupPrivilege = SeBackupPrivilege;
-  SepExports.SeRestorePrivilege = SeRestorePrivilege;
-  SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
-  SepExports.SeDebugPrivilege = SeDebugPrivilege;
-  SepExports.SeAuditPrivilege = SeAuditPrivilege;
-  SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
-  SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
-  SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
-
-  SepExports.SeNullSid = SeNullSid;
-  SepExports.SeWorldSid = SeWorldSid;
-  SepExports.SeLocalSid = SeLocalSid;
-  SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
-  SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
-  SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
-  SepExports.SeDialupSid = SeDialupSid;
-  SepExports.SeNetworkSid = SeNetworkSid;
-  SepExports.SeBatchSid = SeBatchSid;
-  SepExports.SeInteractiveSid = SeInteractiveSid;
-  SepExports.SeLocalSystemSid = SeLocalSystemSid;
-  SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
-  SepExports.SeAliasUsersSid = SeAliasUsersSid;
-  SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
-  SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
-  SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
-  SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
-  SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
-  SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
-  SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
-  SepExports.SeRestrictedSid = SeRestrictedSid;
-  SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
-
-  SepExports.SeUndockPrivilege = SeUndockPrivilege;
-  SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
-  SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
-  
-  SeExports = &SepExports;
-  return TRUE;
-}
+            /* Do Phase 1 */
+            return SepInitializationPhase1();
 
+        default:
 
-VOID SepReferenceLogonSession(PLUID AuthenticationId)
-{
-   UNIMPLEMENTED;
+            /* Don't know any other phase! Bugcheck! */
+            KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
+                         0,
+                         ExpInitializationPhase,
+                         0,
+                         0);
+            return FALSE;
+    }
 }
 
-VOID SepDeReferenceLogonSession(PLUID AuthenticationId)
+BOOLEAN
+NTAPI
+SeInitSRM(VOID)
 {
-   UNIMPLEMENTED;
+    OBJECT_ATTRIBUTES ObjectAttributes;
+    UNICODE_STRING Name;
+    HANDLE DirectoryHandle;
+    HANDLE EventHandle;
+    NTSTATUS Status;
+
+    /* Create '\Security' directory */
+    RtlInitUnicodeString(&Name,
+                         L"\\Security");
+    InitializeObjectAttributes(&ObjectAttributes,
+                               &Name,
+                               OBJ_PERMANENT,
+                               0,
+                               NULL);
+    Status = ZwCreateDirectoryObject(&DirectoryHandle,
+                                     DIRECTORY_ALL_ACCESS,
+                                     &ObjectAttributes);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("Failed to create 'Security' directory!\n");
+        return FALSE;
+    }
+
+    /* Create 'LSA_AUTHENTICATION_INITALIZED' event */
+    RtlInitUnicodeString(&Name,
+                         L"\\LSA_AUTHENTICATION_INITALIZED");
+    InitializeObjectAttributes(&ObjectAttributes,
+                               &Name,
+                               OBJ_PERMANENT,
+                               DirectoryHandle,
+                               SePublicDefaultSd);
+    Status = ZwCreateEvent(&EventHandle,
+                           EVENT_ALL_ACCESS,
+                           &ObjectAttributes,
+                           SynchronizationEvent,
+                           FALSE);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("Failed to create 'LSA_AUTHENTICATION_INITALIZED' event!\n");
+        NtClose(DirectoryHandle);
+        return FALSE;
+    }
+
+    ZwClose(EventHandle);
+    ZwClose(DirectoryHandle);
+
+    /* FIXME: Create SRM port and listener thread */
+
+    return TRUE;
 }
 
 NTSTATUS
-STDCALL
-SeDefaultObjectMethod(PVOID Object,
-                      SECURITY_OPERATION_CODE OperationType,
-                      SECURITY_INFORMATION SecurityInformation,
-                      PSECURITY_DESCRIPTOR _SecurityDescriptor,
-                      PULONG ReturnLength,
-                      PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
-                      POOL_TYPE PoolType,
-                      PGENERIC_MAPPING GenericMapping)
+NTAPI
+SeDefaultObjectMethod(IN PVOID Object,
+                      IN SECURITY_OPERATION_CODE OperationType,
+                      IN PSECURITY_INFORMATION SecurityInformation,
+                      IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
+                      IN OUT PULONG ReturnLength OPTIONAL,
+                      IN OUT PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
+                      IN POOL_TYPE PoolType,
+                      IN PGENERIC_MAPPING GenericMapping)
 {
-  PISECURITY_DESCRIPTOR ObjectSd;
-  PISECURITY_DESCRIPTOR NewSd;
-  PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
-  POBJECT_HEADER Header = BODY_TO_HEADER(Object);
-  PSID Owner = 0;
-  PSID Group = 0;
-  PACL Dacl = 0;
-  PACL Sacl = 0;
-  ULONG OwnerLength = 0;
-  ULONG GroupLength = 0;
-  ULONG DaclLength = 0;
-  ULONG SaclLength = 0;
-  ULONG Control = 0;
-  ULONG_PTR Current;
-  NTSTATUS Status;
-
-    if (OperationType == SetSecurityDescriptor)
-    {
-        ObjectSd = Header->SecurityDescriptor;
-
-      /* Get owner and owner size */
-      if (SecurityInformation & OWNER_SECURITY_INFORMATION)
-       {
-         if (SecurityDescriptor->Owner != NULL)
-           {
-               if( SecurityDescriptor->Control & SE_SELF_RELATIVE )
-                   Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner +
-                                  (ULONG_PTR)SecurityDescriptor);
-               else
-                   Owner = (PSID)SecurityDescriptor->Owner;
-               OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
-           }
-         Control |= (SecurityDescriptor->Control & SE_OWNER_DEFAULTED);
-       }
-      else
-       {
-         if (ObjectSd->Owner != NULL)
-         {
-             Owner = (PSID)((ULONG_PTR)ObjectSd->Owner + (ULONG_PTR)ObjectSd);
-             OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
-         }
-         Control |= (ObjectSd->Control & SE_OWNER_DEFAULTED);
-       }
-
-      /* Get group and group size */
-      if (SecurityInformation & GROUP_SECURITY_INFORMATION)
-       {
-         if (SecurityDescriptor->Group != NULL)
-           {
-               if( SecurityDescriptor->Control & SE_SELF_RELATIVE )
-                   Group = (PSID)((ULONG_PTR)SecurityDescriptor->Group +
-                                  (ULONG_PTR)SecurityDescriptor);
-               else
-                   Group = (PSID)SecurityDescriptor->Group;
-               GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
-           }
-         Control |= (SecurityDescriptor->Control & SE_GROUP_DEFAULTED);
-       }
-      else
-       {
-         if (ObjectSd->Group != NULL)
-           {
-             Group = (PSID)((ULONG_PTR)ObjectSd->Group + (ULONG_PTR)ObjectSd);
-             GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
-           }
-         Control |= (ObjectSd->Control & SE_GROUP_DEFAULTED);
-       }
-
-      /* Get DACL and DACL size */
-      if (SecurityInformation & DACL_SECURITY_INFORMATION)
-       {
-         if ((SecurityDescriptor->Control & SE_DACL_PRESENT) &&
-             (SecurityDescriptor->Dacl != NULL))
-           {
-               if( SecurityDescriptor->Control & SE_SELF_RELATIVE )
-                   Dacl = (PACL)((ULONG_PTR)SecurityDescriptor->Dacl +
-                                 (ULONG_PTR)SecurityDescriptor);
-               else
-                   Dacl = (PACL)SecurityDescriptor->Dacl;
-
-             DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4);
-           }
-         Control |= (SecurityDescriptor->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
-       }
-      else
-       {
-         if ((ObjectSd->Control & SE_DACL_PRESENT) &&
-             (ObjectSd->Dacl != NULL))
-           {
-             Dacl = (PACL)((ULONG_PTR)ObjectSd->Dacl + (ULONG_PTR)ObjectSd);
-             DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4);
-           }
-         Control |= (ObjectSd->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
-       }
-
-      /* Get SACL and SACL size */
-      if (SecurityInformation & SACL_SECURITY_INFORMATION)
-       {
-         if ((SecurityDescriptor->Control & SE_SACL_PRESENT) &&
-             (SecurityDescriptor->Sacl != NULL))
-           {
-               if( SecurityDescriptor->Control & SE_SELF_RELATIVE )
-                   Sacl = (PACL)((ULONG_PTR)SecurityDescriptor->Sacl +
-                                 (ULONG_PTR)SecurityDescriptor);
-               else
-                   Sacl = (PACL)SecurityDescriptor->Sacl;
-               SaclLength = ROUND_UP((ULONG)Sacl->AclSize, 4);
-           }
-         Control |= (SecurityDescriptor->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT));
-       }
-      else
-       {
-         if ((ObjectSd->Control & SE_SACL_PRESENT) &&
-             (ObjectSd->Sacl != NULL))
-           {
-             Sacl = (PACL)((ULONG_PTR)ObjectSd->Sacl + (ULONG_PTR)ObjectSd);
-             SaclLength = ROUND_UP((ULONG)Sacl->AclSize, 4);
-           }
-         Control |= (ObjectSd->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT));
-       }
-
-      NewSd = ExAllocatePool(NonPagedPool,
-                            sizeof(SECURITY_DESCRIPTOR) + OwnerLength + GroupLength +
-                            DaclLength + SaclLength);
-      if (NewSd == NULL)
-       {
-         ObDereferenceObject(Object);
-         return STATUS_INSUFFICIENT_RESOURCES;
-       }
-
-      RtlCreateSecurityDescriptor(NewSd,
-                                 SECURITY_DESCRIPTOR_REVISION1);
-      /* We always build a self-relative descriptor */
-      NewSd->Control = Control | SE_SELF_RELATIVE;
-
-      Current = (ULONG_PTR)NewSd + sizeof(SECURITY_DESCRIPTOR);
-
-      if (OwnerLength != 0)
-       {
-         RtlCopyMemory((PVOID)Current,
-                       Owner,
-                       OwnerLength);
-         NewSd->Owner = (PSID)(Current - (ULONG_PTR)NewSd);
-         Current += OwnerLength;
-       }
-
-      if (GroupLength != 0)
-       {
-         RtlCopyMemory((PVOID)Current,
-                       Group,
-                       GroupLength);
-         NewSd->Group = (PSID)(Current - (ULONG_PTR)NewSd);
-         Current += GroupLength;
-       }
-
-      if (DaclLength != 0)
-       {
-         RtlCopyMemory((PVOID)Current,
-                       Dacl,
-                       DaclLength);
-         NewSd->Dacl = (PACL)(Current - (ULONG_PTR)NewSd);
-         Current += DaclLength;
-       }
-
-      if (SaclLength != 0)
-       {
-         RtlCopyMemory((PVOID)Current,
-                       Sacl,
-                       SaclLength);
-         NewSd->Sacl = (PACL)(Current - (ULONG_PTR)NewSd);
-         Current += SaclLength;
-       }
-
-      /* Add the new SD */
-      Status = ObpAddSecurityDescriptor(NewSd,
-                                       &Header->SecurityDescriptor);
-      if (NT_SUCCESS(Status))
-       {
-         /* Remove the old security descriptor */
-         ObpRemoveSecurityDescriptor(ObjectSd);
-       }
-      else
-       {
-         /* Restore the old security descriptor */
-         Header->SecurityDescriptor = ObjectSd;
-       }
-
-      ExFreePool(NewSd);
-    }
-    else if (OperationType == QuerySecurityDescriptor)
-    {
-        Status = SeQuerySecurityDescriptorInfo(&SecurityInformation,
-                                               SecurityDescriptor,
-                                               ReturnLength,
-                                               &Header->SecurityDescriptor);
-    }
-    else if (OperationType == AssignSecurityDescriptor)
+    PAGED_CODE();
+
+    /* Select the operation type */
+    switch (OperationType)
     {
-      /* Assign the security descriptor to the object header */
-      Status = ObpAddSecurityDescriptor(SecurityDescriptor,
-                                                       &Header->SecurityDescriptor);
-    }
+            /* Setting a new descriptor */
+        case SetSecurityDescriptor:
 
+            /* Sanity check */
+            ASSERT((PoolType == PagedPool) || (PoolType == NonPagedPool));
 
-    return STATUS_SUCCESS;
-}
+            /* Set the information */
+            return ObSetSecurityDescriptorInfo(Object,
+                                               SecurityInformation,
+                                               SecurityDescriptor,
+                                               OldSecurityDescriptor,
+                                               PoolType,
+                                               GenericMapping);
 
-/*
- * @implemented
- */
-VOID STDCALL
-SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
-{
-  PETHREAD Thread;
-  BOOLEAN CopyOnOpen;
-  BOOLEAN EffectiveOnly;
+        case QuerySecurityDescriptor:
 
-  PAGED_CODE();
+            /* Query the information */
+            return ObQuerySecurityDescriptorInfo(Object,
+                                                 SecurityInformation,
+                                                 SecurityDescriptor,
+                                                 ReturnLength,
+                                                 OldSecurityDescriptor);
 
-  Thread = PsGetCurrentThread();
-  if (Thread == NULL)
-    {
-      SubjectContext->ProcessAuditId = 0;
-      SubjectContext->PrimaryToken = NULL;
-      SubjectContext->ClientToken = NULL;
-      SubjectContext->ImpersonationLevel = 0;
-    }
-  else
-    {
-      SubjectContext->ProcessAuditId = Thread->ThreadsProcess;
-      SubjectContext->ClientToken =
-       PsReferenceImpersonationToken(Thread,
-                                     &CopyOnOpen,
-                                     &EffectiveOnly,
-                                     &SubjectContext->ImpersonationLevel);
-      SubjectContext->PrimaryToken = PsReferencePrimaryToken(Thread->ThreadsProcess);
-    }
-}
+        case DeleteSecurityDescriptor:
 
+            /* De-assign it */
+            return ObDeassignSecurity(OldSecurityDescriptor);
 
-/*
- * @implemented
- */
-VOID STDCALL
-SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
-{
-  PAGED_CODE();
+        case AssignSecurityDescriptor:
 
-  KeEnterCriticalRegion();
-  ExAcquireResourceExclusiveLite(&SepSubjectContextLock, TRUE);
-}
+            /* Assign it */
+            ObAssignObjectSecurityDescriptor(Object, SecurityDescriptor, PoolType);
+            return STATUS_SUCCESS;
 
+        default:
 
-/*
- * @implemented
- */
-VOID STDCALL
-SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
-{
-  PAGED_CODE();
+            /* Bug check */
+            KeBugCheckEx(SECURITY_SYSTEM, 0, STATUS_INVALID_PARAMETER, 0, 0);
+    }
 
-  ExReleaseResourceLite(&SepSubjectContextLock);
-  KeLeaveCriticalRegion();
+    /* Should never reach here */
+    ASSERT(FALSE);
+    return STATUS_SUCCESS;
 }
 
+ULONG SidInTokenCalls = 0;
 
-/*
- * @implemented
- */
-VOID STDCALL
-SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
+static BOOLEAN
+SepSidInToken(PACCESS_TOKEN _Token,
+              PSID Sid)
 {
-  PAGED_CODE();
+    ULONG i;
+    PTOKEN Token = (PTOKEN)_Token;
 
-  if (SubjectContext->PrimaryToken != NULL)
-    {
-      ObDereferenceObject(SubjectContext->PrimaryToken);
-    }
+    PAGED_CODE();
 
-  if (SubjectContext->ClientToken != NULL)
+    SidInTokenCalls++;
+    if (!(SidInTokenCalls % 10000)) DPRINT1("SidInToken Calls: %d\n", SidInTokenCalls);
+    
+    if (Token->UserAndGroupCount == 0)
     {
-      ObDereferenceObject(SubjectContext->ClientToken);
+        return FALSE;
     }
-}
-
 
-/*
- * @implemented
- */
-NTSTATUS STDCALL
-SeDeassignSecurity(PSECURITY_DESCRIPTOR *SecurityDescriptor)
-{
-  PAGED_CODE();
-
-  if (*SecurityDescriptor != NULL)
+    for (i=0; i<Token->UserAndGroupCount; i++)
     {
-      ExFreePool(*SecurityDescriptor);
-      *SecurityDescriptor = NULL;
+        if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
+        {
+            if ((i == 0)|| (Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED))
+            {
+                return TRUE;
+            }
+
+            return FALSE;
+        }
     }
 
-  return STATUS_SUCCESS;
+    return FALSE;
 }
 
 
-/*
- * @unimplemented
- */
-NTSTATUS STDCALL
-SeAssignSecurityEx(IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
-                  IN PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL,
-                  OUT PSECURITY_DESCRIPTOR *NewDescriptor,
-                  IN GUID *ObjectType OPTIONAL,
-                  IN BOOLEAN IsDirectoryObject,
-                  IN ULONG AutoInheritFlags,
-                  IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
-                  IN PGENERIC_MAPPING GenericMapping,
-                  IN POOL_TYPE PoolType)
+VOID NTAPI
+SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
+                          OUT PACCESS_MASK DesiredAccess)
 {
-  UNIMPLEMENTED;
-  return STATUS_NOT_IMPLEMENTED;
-}
+    *DesiredAccess = 0;
 
-
-/*
- * FUNCTION: Creates a security descriptor for a new object.
- * ARGUMENTS:
- *         ParentDescriptor =
- *         ExplicitDescriptor =
- *         NewDescriptor =
- *         IsDirectoryObject =
- *         SubjectContext =
- *         GeneralMapping =
- *         PoolType =
- * RETURNS: Status
- *
- * @implemented
- */
-NTSTATUS STDCALL
-SeAssignSecurity(PSECURITY_DESCRIPTOR _ParentDescriptor OPTIONAL,
-                PSECURITY_DESCRIPTOR _ExplicitDescriptor OPTIONAL,
-                PSECURITY_DESCRIPTOR *NewDescriptor,
-                BOOLEAN IsDirectoryObject,
-                PSECURITY_SUBJECT_CONTEXT SubjectContext,
-                PGENERIC_MAPPING GenericMapping,
-                POOL_TYPE PoolType)
-{
-  PISECURITY_DESCRIPTOR ParentDescriptor = _ParentDescriptor;
-  PISECURITY_DESCRIPTOR ExplicitDescriptor = _ExplicitDescriptor;
-  PISECURITY_DESCRIPTOR Descriptor;
-  PTOKEN Token;
-  ULONG OwnerLength = 0;
-  ULONG GroupLength = 0;
-  ULONG DaclLength = 0;
-  ULONG SaclLength = 0;
-  ULONG Length = 0;
-  ULONG Control = 0;
-  ULONG_PTR Current;
-  PSID Owner = NULL;
-  PSID Group = NULL;
-  PACL Dacl = NULL;
-  PACL Sacl = NULL;
-
-  PAGED_CODE();
-
-  /* Lock subject context */
-  SeLockSubjectContext(SubjectContext);
-
-  if (SubjectContext->ClientToken != NULL)
+    if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
+                               GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
     {
-      Token = SubjectContext->ClientToken;
+        *DesiredAccess |= READ_CONTROL;
     }
-  else
+    if (SecurityInformation & SACL_SECURITY_INFORMATION)
     {
-      Token = SubjectContext->PrimaryToken;
+        *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
     }
+}
 
+VOID NTAPI
+SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
+                        OUT PACCESS_MASK DesiredAccess)
+{
+    *DesiredAccess = 0;
 
-  /* Inherit the Owner SID */
-  if (ExplicitDescriptor != NULL && ExplicitDescriptor->Owner != NULL)
-    {
-      DPRINT("Use explicit owner sid!\n");
-      Owner = ExplicitDescriptor->Owner;
-      
-      if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
-       {
-         Owner = (PSID)(((ULONG_PTR)Owner) + (ULONG_PTR)ExplicitDescriptor);
-
-       }
-    }
-  else
+    if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
     {
-      if (Token != NULL)
-       {
-         DPRINT("Use token owner sid!\n");
-         Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
-       }
-      else
-       {
-         DPRINT("Use default owner sid!\n");
-         Owner = SeLocalSystemSid;
-       }
-
-      Control |= SE_OWNER_DEFAULTED;
+        *DesiredAccess |= WRITE_OWNER;
     }
-
-  OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
-
-
-  /* Inherit the Group SID */
-  if (ExplicitDescriptor != NULL && ExplicitDescriptor->Group != NULL)
+    if (SecurityInformation & DACL_SECURITY_INFORMATION)
     {
-      DPRINT("Use explicit group sid!\n");
-      Group = ExplicitDescriptor->Group;
-      if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
-       {
-         Group = (PSID)(((ULONG_PTR)Group) + (ULONG_PTR)ExplicitDescriptor);
-       }
+        *DesiredAccess |= WRITE_DAC;
     }
-  else
+    if (SecurityInformation & SACL_SECURITY_INFORMATION)
     {
-      if (Token != NULL)
-       {
-         DPRINT("Use token group sid!\n");
-         Group = Token->PrimaryGroup;
-       }
-      else
-       {
-         DPRINT("Use default group sid!\n");
-         Group = SeLocalSystemSid;
-       }
-
-      Control |= SE_OWNER_DEFAULTED;
+        *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
     }
+}
 
-  GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
-
-
-  /* Inherit the DACL */
-  if (ExplicitDescriptor != NULL &&
-      (ExplicitDescriptor->Control & SE_DACL_PRESENT) &&
-      !(ExplicitDescriptor->Control & SE_DACL_DEFAULTED))
-    {
-      DPRINT("Use explicit DACL!\n");
-      Dacl = ExplicitDescriptor->Dacl;
-      if (Dacl != NULL && (ExplicitDescriptor->Control & SE_SELF_RELATIVE))
-       {
-         Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ExplicitDescriptor);
-       }
-
-      Control |= SE_DACL_PRESENT;
-    }
-  else if (ParentDescriptor != NULL &&
-          (ParentDescriptor->Control & SE_DACL_PRESENT))
-    {
-      DPRINT("Use parent DACL!\n");
-      /* FIXME: Inherit */
-      Dacl = ParentDescriptor->Dacl;
-      if (Dacl != NULL && (ParentDescriptor->Control & SE_SELF_RELATIVE))
-       {
-         Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ParentDescriptor);
-       }
-      Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
-    }
-  else if (Token != NULL && Token->DefaultDacl != NULL)
-    {
-      DPRINT("Use token default DACL!\n");
-      /* FIXME: Inherit */
-      Dacl = Token->DefaultDacl;
-      Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
-    }
-  else
-    {
-      DPRINT("Use NULL DACL!\n");
-      Dacl = NULL;
-      Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
+BOOLEAN NTAPI
+SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+               IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
+               IN BOOLEAN SubjectContextLocked,
+               IN ACCESS_MASK DesiredAccess,
+               IN ACCESS_MASK PreviouslyGrantedAccess,
+               OUT PPRIVILEGE_SET* Privileges,
+               IN PGENERIC_MAPPING GenericMapping,
+               IN KPROCESSOR_MODE AccessMode,
+               OUT PACCESS_MASK GrantedAccess,
+               OUT PNTSTATUS AccessStatus,
+               SECURITY_IMPERSONATION_LEVEL LowestImpersonationLevel)
+{
+    LUID_AND_ATTRIBUTES Privilege;
+    ACCESS_MASK CurrentAccess, AccessMask;
+    PACCESS_TOKEN Token;
+    ULONG i;
+    PACL Dacl;
+    BOOLEAN Present;
+    BOOLEAN Defaulted;
+    PACE CurrentAce;
+    PSID Sid;
+    NTSTATUS Status;
+    PAGED_CODE();
+
+    /* Check if this is kernel mode */
+    if (AccessMode == KernelMode)
+    {
+        /* Check if kernel wants everything */
+        if (DesiredAccess & MAXIMUM_ALLOWED)
+        {
+            /* Give it */
+            *GrantedAccess = GenericMapping->GenericAll;
+            *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
+            *GrantedAccess |= PreviouslyGrantedAccess;
+        }
+        else
+        {
+            /* Give the desired and previous access */
+            *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
+        }
+
+        /* Success */
+        *AccessStatus = STATUS_SUCCESS;
+        return TRUE;
     }
 
-  DaclLength = (Dacl != NULL) ? ROUND_UP(Dacl->AclSize, 4) : 0;
-
-
-  /* Inherit the SACL */
-  if (ExplicitDescriptor != NULL &&
-      (ExplicitDescriptor->Control & SE_SACL_PRESENT) &&
-      !(ExplicitDescriptor->Control & SE_SACL_DEFAULTED))
-    {
-      DPRINT("Use explicit SACL!\n");
-      Sacl = ExplicitDescriptor->Sacl;
-      if (Sacl != NULL && (ExplicitDescriptor->Control & SE_SELF_RELATIVE))
-       {
-         Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ExplicitDescriptor);
-       }
-
-      Control |= SE_SACL_PRESENT;
-    }
-  else if (ParentDescriptor != NULL &&
-          (ParentDescriptor->Control & SE_SACL_PRESENT))
+    /* Check if we didn't get an SD */
+    if (!SecurityDescriptor)
     {
-      DPRINT("Use parent SACL!\n");
-      /* FIXME: Inherit */
-      Sacl = ParentDescriptor->Sacl;
-      if (Sacl != NULL && (ParentDescriptor->Control & SE_SELF_RELATIVE))
-       {
-         Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ParentDescriptor);
-       }
-      Control |= (SE_SACL_PRESENT | SE_SACL_DEFAULTED);
+        /* Automatic failure */
+        *AccessStatus = STATUS_ACCESS_DENIED;
+        return FALSE;
     }
 
-  SaclLength = (Sacl != NULL) ? ROUND_UP(Sacl->AclSize, 4) : 0;
-
-
-  /* Allocate and initialize the new security descriptor */
-  Length = sizeof(SECURITY_DESCRIPTOR) +
-      OwnerLength + GroupLength + DaclLength + SaclLength;
-
-  DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %d OwnerLength %d GroupLength %d DaclLength %d SaclLength %d\n",
-        sizeof(SECURITY_DESCRIPTOR),
-        OwnerLength,
-        GroupLength,
-        DaclLength,
-        SaclLength);
-
-  Descriptor = ExAllocatePool(PagedPool,
-                             Length);
-  if (Descriptor == NULL)
+    /* Check for invalid impersonation */
+    if ((SubjectSecurityContext->ClientToken) &&
+        (SubjectSecurityContext->ImpersonationLevel < LowestImpersonationLevel))
     {
-      DPRINT1("ExAlloctePool() failed\n");
-      /* FIXME: Unlock subject context */
-      return STATUS_INSUFFICIENT_RESOURCES;
+        *AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
+        return FALSE;
     }
 
-  RtlZeroMemory( Descriptor, Length );
-  RtlCreateSecurityDescriptor(Descriptor,
-                             SECURITY_DESCRIPTOR_REVISION);
-
-  Descriptor->Control = Control | SE_SELF_RELATIVE;
-
-  Current = (ULONG_PTR)Descriptor + sizeof(SECURITY_DESCRIPTOR);
-
-  if (SaclLength != 0)
+    /* Check for no access desired */
+    if (!DesiredAccess)
     {
-      RtlCopyMemory((PVOID)Current,
-                   Sacl,
-                   SaclLength);
-      Descriptor->Sacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
-      Current += SaclLength;
-    }
+        /* Check if we had no previous access */
+        if (!PreviouslyGrantedAccess)
+        {
+            /* Then there's nothing to give */
+            *AccessStatus = STATUS_ACCESS_DENIED;
+            return FALSE;
+        }
 
-  if (DaclLength != 0)
-    {
-      RtlCopyMemory((PVOID)Current,
-                   Dacl,
-                   DaclLength);
-      Descriptor->Dacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
-      Current += DaclLength;
+        /* Return the previous access only */
+        *GrantedAccess = PreviouslyGrantedAccess;
+        *AccessStatus = STATUS_SUCCESS;
+        *Privileges = NULL;
+        return TRUE;
     }
 
-  if (OwnerLength != 0)
-    {
-      RtlCopyMemory((PVOID)Current,
-                   Owner,
-                   OwnerLength);
-      Descriptor->Owner = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
-      Current += OwnerLength;
-      DPRINT("Owner of %x at %x\n", Descriptor, Descriptor->Owner);
-    }
-  else
-      DPRINT("Owner of %x is zero length\n", Descriptor);
+    /* Acquire the lock if needed */
+    if (!SubjectContextLocked) SeLockSubjectContext(SubjectSecurityContext);
 
-  if (GroupLength != 0)
-    {
-      memmove((PVOID)Current,
-              Group,
-              GroupLength);
-      Descriptor->Group = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
-    }
+    /* Map given accesses */
+    RtlMapGenericMask(&DesiredAccess, GenericMapping);
+    if (PreviouslyGrantedAccess)
+        RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
 
-  /* Unlock subject context */
-  SeUnlockSubjectContext(SubjectContext);
 
-  *NewDescriptor = Descriptor;
 
-  DPRINT("Descrptor %x\n", Descriptor);
-  ASSERT(RtlLengthSecurityDescriptor(Descriptor));
+    CurrentAccess = PreviouslyGrantedAccess;
 
-  return STATUS_SUCCESS;
-}
 
 
-static BOOLEAN
-SepSidInToken(PACCESS_TOKEN _Token,
-             PSID Sid)
-{
-  ULONG i;
-  PTOKEN Token = (PTOKEN)_Token;
+    Token = SubjectSecurityContext->ClientToken ?
+    SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
 
-  PAGED_CODE();
+    /* Get the DACL */
+    Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
+                                          &Present,
+                                          &Dacl,
+                                          &Defaulted);
+    if (!NT_SUCCESS(Status))
+    {
+        if (SubjectContextLocked == FALSE)
+        {
+            SeUnlockSubjectContext(SubjectSecurityContext);
+        }
 
-  if (Token->UserAndGroupCount == 0)
-  {
-    return FALSE;
-  }
+        *AccessStatus = Status;
+        return FALSE;
+    }
 
-  for (i=0; i<Token->UserAndGroupCount; i++)
-  {
-    if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
+    /* RULE 1: Grant desired access if the object is unprotected */
+    if (Present == TRUE && Dacl == NULL)
     {
-      if (Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED)
-      {
-        return TRUE;
-      }
+        if (SubjectContextLocked == FALSE)
+        {
+            SeUnlockSubjectContext(SubjectSecurityContext);
+        }
 
-      return FALSE;
+        if (DesiredAccess & MAXIMUM_ALLOWED)
+        {
+            *GrantedAccess = GenericMapping->GenericAll;
+            *GrantedAccess |= (DesiredAccess & ~MAXIMUM_ALLOWED);
+        }
+        else
+        {
+            *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
+        }
+        
+        *AccessStatus = STATUS_SUCCESS;
+        return TRUE;
     }
-  }
-
-  return FALSE;
-}
 
+    CurrentAccess = PreviouslyGrantedAccess;
+
+    /* RULE 2: Check token for 'take ownership' privilege */
+    Privilege.Luid = SeTakeOwnershipPrivilege;
+    Privilege.Attributes = SE_PRIVILEGE_ENABLED;
+
+    if (SepPrivilegeCheck(Token,
+                          &Privilege,
+                          1,
+                          PRIVILEGE_SET_ALL_NECESSARY,
+                          AccessMode))
+    {
+        CurrentAccess |= WRITE_OWNER;
+        if ((DesiredAccess & ~VALID_INHERIT_FLAGS) == 
+            (CurrentAccess & ~VALID_INHERIT_FLAGS))
+        {
+            if (SubjectContextLocked == FALSE)
+            {
+                SeUnlockSubjectContext(SubjectSecurityContext);
+            }
 
-/*
- * FUNCTION: Determines whether the requested access rights can be granted
- * to an object protected by a security descriptor and an object owner
- * ARGUMENTS:
- *      SecurityDescriptor = Security descriptor protecting the object
- *      SubjectSecurityContext = Subject's captured security context
- *      SubjectContextLocked = Indicates the user's subject context is locked
- *      DesiredAccess = Access rights the caller is trying to acquire
- *      PreviouslyGrantedAccess = Specified the access rights already granted
- *      Privileges = ?
- *      GenericMapping = Generic mapping associated with the object
- *      AccessMode = Access mode used for the check
- *      GrantedAccess (OUT) = On return specifies the access granted
- *      AccessStatus (OUT) = Status indicating why access was denied
- * RETURNS: If access was granted, returns TRUE
- *
- * @implemented
- */
-BOOLEAN STDCALL
-SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
-             IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
-             IN BOOLEAN SubjectContextLocked,
-             IN ACCESS_MASK DesiredAccess,
-             IN ACCESS_MASK PreviouslyGrantedAccess,
-             OUT PPRIVILEGE_SET* Privileges,
-             IN PGENERIC_MAPPING GenericMapping,
-             IN KPROCESSOR_MODE AccessMode,
-             OUT PACCESS_MASK GrantedAccess,
-             OUT PNTSTATUS AccessStatus)
-{
-  LUID_AND_ATTRIBUTES Privilege;
-  ACCESS_MASK CurrentAccess;
-  PACCESS_TOKEN Token;
-  ULONG i;
-  PACL Dacl;
-  BOOLEAN Present;
-  BOOLEAN Defaulted;
-  PACE CurrentAce;
-  PSID Sid;
-  NTSTATUS Status;
-
-  PAGED_CODE();
-
-  CurrentAccess = PreviouslyGrantedAccess;
-
-  if (SubjectContextLocked == FALSE)
-    {
-      SeLockSubjectContext(SubjectSecurityContext);
+            *GrantedAccess = CurrentAccess;
+            *AccessStatus = STATUS_SUCCESS;
+            return TRUE;
+        }
     }
 
-  Token = SubjectSecurityContext->ClientToken ?
-           SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
-
-  /* Get the DACL */
-  Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
-                                       &Present,
-                                       &Dacl,
-                                       &Defaulted);
-  if (!NT_SUCCESS(Status))
+    /* RULE 3: Check whether the token is the owner */
+    Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
+                                           &Sid,
+                                           &Defaulted);
+    if (!NT_SUCCESS(Status))
     {
-      if (SubjectContextLocked == FALSE)
-       {
-         SeUnlockSubjectContext(SubjectSecurityContext);
-       }
+        DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status);
+        if (SubjectContextLocked == FALSE)
+        {
+            SeUnlockSubjectContext(SubjectSecurityContext);
+        }
 
-      *AccessStatus = Status;
-      return FALSE;
+        *AccessStatus = Status;
+        return FALSE;
     }
 
-  /* RULE 1: Grant desired access if the object is unprotected */
-  if (Present == TRUE && Dacl == NULL)
+    if (Sid && SepSidInToken(Token, Sid))
     {
-      if (SubjectContextLocked == FALSE)
-       {
-         SeUnlockSubjectContext(SubjectSecurityContext);
-       }
-
-      *GrantedAccess = DesiredAccess;
-      *AccessStatus = STATUS_SUCCESS;
-      return TRUE;
-    }
-
-  CurrentAccess = PreviouslyGrantedAccess;
+        CurrentAccess |= (READ_CONTROL | WRITE_DAC);
+        if ((DesiredAccess & ~VALID_INHERIT_FLAGS) == 
+            (CurrentAccess & ~VALID_INHERIT_FLAGS))
+        {
+            if (SubjectContextLocked == FALSE)
+            {
+                SeUnlockSubjectContext(SubjectSecurityContext);
+            }
 
-  /* RULE 2: Check token for 'take ownership' privilege */
-  Privilege.Luid = SeTakeOwnershipPrivilege;
-  Privilege.Attributes = SE_PRIVILEGE_ENABLED;
+            *GrantedAccess = CurrentAccess;
+            *AccessStatus = STATUS_SUCCESS;
+            return TRUE;
+        }
+    }
 
-  if (SepPrivilegeCheck(Token,
-                       &Privilege,
-                       1,
-                       PRIVILEGE_SET_ALL_NECESSARY,
-                       AccessMode))
+    /* Fail if DACL is absent */
+    if (Present == FALSE)
     {
-      CurrentAccess |= WRITE_OWNER;
-      if (DesiredAccess == CurrentAccess)
-       {
-         if (SubjectContextLocked == FALSE)
-           {
-             SeUnlockSubjectContext(SubjectSecurityContext);
-           }
-
-         *GrantedAccess = CurrentAccess;
-         *AccessStatus = STATUS_SUCCESS;
-         return TRUE;
-       }
+        if (SubjectContextLocked == FALSE)
+        {
+            SeUnlockSubjectContext(SubjectSecurityContext);
+        }
+
+        *GrantedAccess = 0;
+        *AccessStatus = STATUS_ACCESS_DENIED;
+        return FALSE;
     }
 
-  /* RULE 3: Check whether the token is the owner */
-  Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
-                                        &Sid,
-                                        &Defaulted);
-  if (!NT_SUCCESS(Status))
+    /* RULE 4: Grant rights according to the DACL */
+    CurrentAce = (PACE)(Dacl + 1);
+    for (i = 0; i < Dacl->AceCount; i++)
     {
-      DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status);
-      if (SubjectContextLocked == FALSE)
-       {
-         SeUnlockSubjectContext(SubjectSecurityContext);
-       }
+        Sid = (PSID)(CurrentAce + 1);
+        if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
+        {
+            if (SepSidInToken(Token, Sid))
+            {
+                if (SubjectContextLocked == FALSE)
+                {
+                    SeUnlockSubjectContext(SubjectSecurityContext);
+                }
 
-      *AccessStatus = Status;
-      return FALSE;
-   }
+                *GrantedAccess = 0;
+                *AccessStatus = STATUS_ACCESS_DENIED;
+                return FALSE;
+            }
+        }
 
-  if (SepSidInToken(Token, Sid))
-    {
-      CurrentAccess |= (READ_CONTROL | WRITE_DAC);
-      if (DesiredAccess == CurrentAccess)
-       {
-         if (SubjectContextLocked == FALSE)
-           {
-             SeUnlockSubjectContext(SubjectSecurityContext);
-           }
-
-         *GrantedAccess = CurrentAccess;
-         *AccessStatus = STATUS_SUCCESS;
-         return TRUE;
-       }
-    }
+        else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
+        {
+            if (SepSidInToken(Token, Sid))
+            {
+                AccessMask = CurrentAce->AccessMask;
+                RtlMapGenericMask(&AccessMask, GenericMapping);
+                CurrentAccess |= AccessMask;
+            }
+        }
+        else
+        {
+            DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
+        }
+        CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
+    }
+
+    if (SubjectContextLocked == FALSE)
+    {
+        SeUnlockSubjectContext(SubjectSecurityContext);
+    }
+
+    DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
+           CurrentAccess, DesiredAccess);
 
-  /* Fail if DACL is absent */
-  if (Present == FALSE)
+    *GrantedAccess = CurrentAccess & DesiredAccess;
+
+    if (DesiredAccess & MAXIMUM_ALLOWED)
     {
-      if (SubjectContextLocked == FALSE)
-       {
-         SeUnlockSubjectContext(SubjectSecurityContext);
-       }
-
-      *GrantedAccess = 0;
-      *AccessStatus = STATUS_ACCESS_DENIED;
-      return TRUE;
+        *GrantedAccess = CurrentAccess;
+        *AccessStatus = STATUS_SUCCESS;
+        return TRUE;
     }
-
-  /* RULE 4: Grant rights according to the DACL */
-  CurrentAce = (PACE)(Dacl + 1);
-  for (i = 0; i < Dacl->AceCount; i++)
+    else if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) == 
+             (DesiredAccess & ~VALID_INHERIT_FLAGS))
     {
-      Sid = (PSID)(CurrentAce + 1);
-      if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
-       {
-         if (SepSidInToken(Token, Sid))
-           {
-             if (SubjectContextLocked == FALSE)
-               {
-                 SeUnlockSubjectContext(SubjectSecurityContext);
-               }
-
-             *GrantedAccess = 0;
-             *AccessStatus = STATUS_ACCESS_DENIED;
-             return TRUE;
-           }
-       }
-
-      if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
-       {
-         if (SepSidInToken(Token, Sid))
-           {
-             CurrentAccess |= CurrentAce->AccessMask;
-           }
-       }
+        *AccessStatus = STATUS_SUCCESS;
+        return TRUE;
     }
-
-  if (SubjectContextLocked == FALSE)
+    else
     {
-      SeUnlockSubjectContext(SubjectSecurityContext);
+        DPRINT1("HACK: Should deny access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p).\n",
+                *GrantedAccess, DesiredAccess, GenericMapping);
+        //*AccessStatus = STATUS_ACCESS_DENIED;
+        //return FALSE;
+        *AccessStatus = STATUS_SUCCESS;
+        return TRUE;
     }
+}
 
-  DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
-         CurrentAccess, DesiredAccess);
-
-  *GrantedAccess = CurrentAccess & DesiredAccess;
-
-  *AccessStatus =
-    (*GrantedAccess == DesiredAccess) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
+/* PUBLIC FUNCTIONS ***********************************************************/
 
-  return TRUE;
+/*
+ * @implemented
+ */
+BOOLEAN NTAPI
+SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+              IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
+              IN BOOLEAN SubjectContextLocked,
+              IN ACCESS_MASK DesiredAccess,
+              IN ACCESS_MASK PreviouslyGrantedAccess,
+              OUT PPRIVILEGE_SET* Privileges,
+              IN PGENERIC_MAPPING GenericMapping,
+              IN KPROCESSOR_MODE AccessMode,
+              OUT PACCESS_MASK GrantedAccess,
+              OUT PNTSTATUS AccessStatus)
+{
+    /* Call the internal function */
+    return SepAccessCheck(SecurityDescriptor,
+                          SubjectSecurityContext,
+                          SubjectContextLocked,
+                          DesiredAccess,
+                          PreviouslyGrantedAccess,
+                          Privileges,
+                          GenericMapping,
+                          AccessMode,
+                          GrantedAccess,
+                          AccessStatus,
+                          SecurityImpersonation);
 }
 
+/* SYSTEM CALLS ***************************************************************/
 
-NTSTATUS STDCALL
+/*
+ * @implemented
+ */
+NTSTATUS
+NTAPI
 NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
-             IN HANDLE TokenHandle,
-             IN ACCESS_MASK DesiredAccess,
-             IN PGENERIC_MAPPING GenericMapping,
-             OUT PPRIVILEGE_SET PrivilegeSet,
-             OUT PULONG ReturnLength,
-             OUT PACCESS_MASK GrantedAccess,
-             OUT PNTSTATUS AccessStatus)
+              IN HANDLE TokenHandle,
+              IN ACCESS_MASK DesiredAccess,
+              IN PGENERIC_MAPPING GenericMapping,
+              OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL,
+              IN OUT PULONG PrivilegeSetLength,
+              OUT PACCESS_MASK GrantedAccess,
+              OUT PNTSTATUS AccessStatus)
 {
-  SECURITY_SUBJECT_CONTEXT SubjectSecurityContext = {0};
-  KPROCESSOR_MODE PreviousMode;
-  PTOKEN Token;
-  NTSTATUS Status;
-
-  PAGED_CODE();
-
-  DPRINT("NtAccessCheck() called\n");
-
-  PreviousMode = KeGetPreviousMode();
-  if (PreviousMode == KernelMode)
-    {
-      *GrantedAccess = DesiredAccess;
-      *AccessStatus = STATUS_SUCCESS;
-      return STATUS_SUCCESS;
-    }
-
-  Status = ObReferenceObjectByHandle(TokenHandle,
-                                    TOKEN_QUERY,
-                                    SepTokenObjectType,
-                                    PreviousMode,
-                                    (PVOID*)&Token,
-                                    NULL);
-  if (!NT_SUCCESS(Status))
-    {
-      DPRINT1("Failed to reference token (Status %lx)\n", Status);
-      return Status;
-    }
-
-  /* Check token type */
-  if (Token->TokenType != TokenImpersonation)
-    {
-      DPRINT1("No impersonation token\n");
-      ObDereferenceObject(Token);
-      return STATUS_ACCESS_VIOLATION;
-    }
-
-  /* Check impersonation level */
-  if (Token->ImpersonationLevel < SecurityAnonymous)
-    {
-      DPRINT1("Invalid impersonation level\n");
-      ObDereferenceObject(Token);
-      return STATUS_ACCESS_VIOLATION;
-    }
-
-  SubjectSecurityContext.ClientToken = Token;
-  SubjectSecurityContext.ImpersonationLevel = Token->ImpersonationLevel;
-
-  /* Lock subject context */
-  SeLockSubjectContext(&SubjectSecurityContext);
-
-  if (SeAccessCheck(SecurityDescriptor,
-                   &SubjectSecurityContext,
-                   TRUE,
-                   DesiredAccess,
-                   0,
-                   &PrivilegeSet,
-                   GenericMapping,
-                   PreviousMode,
-                   GrantedAccess,
-                   AccessStatus))
-    {
-      Status = *AccessStatus;
-    }
-  else
-    {
-      Status = STATUS_ACCESS_DENIED;
-    }
+    SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
+    KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
+    PTOKEN Token;
+    NTSTATUS Status;
+    PAGED_CODE();
+
+    /* Check if this is kernel mode */
+    if (PreviousMode == KernelMode)
+    {
+        /* Check if kernel wants everything */
+        if (DesiredAccess & MAXIMUM_ALLOWED)
+        {
+            /* Give it */
+            *GrantedAccess = GenericMapping->GenericAll;
+            *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
+        }
+        else
+        {
+            /* Just give the desired access */
+            *GrantedAccess = DesiredAccess;
+        }
+
+        /* Success */
+        *AccessStatus = STATUS_SUCCESS;
+        return STATUS_SUCCESS;
+    }
+
+    /* Protect probe in SEH */
+    _SEH2_TRY
+    {
+        /* Probe all pointers */
+        ProbeForRead(GenericMapping, sizeof(GENERIC_MAPPING), sizeof(ULONG));
+        ProbeForRead(PrivilegeSetLength, sizeof(ULONG), sizeof(ULONG));
+        ProbeForWrite(PrivilegeSet, *PrivilegeSetLength, sizeof(ULONG));
+        ProbeForWrite(GrantedAccess, sizeof(ACCESS_MASK), sizeof(ULONG));
+        ProbeForWrite(AccessStatus, sizeof(NTSTATUS), sizeof(ULONG));
+    }
+    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+    {
+        /* Return the exception code */
+        _SEH2_YIELD(return _SEH2_GetExceptionCode());
+    }
+    _SEH2_END;
+
+    /* Check for unmapped access rights */
+    if (DesiredAccess & (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL))
+        return STATUS_GENERIC_NOT_MAPPED;
+
+    /* Reference the token */
+    Status = ObReferenceObjectByHandle(TokenHandle,
+                                       TOKEN_QUERY,
+                                       SepTokenObjectType,
+                                       PreviousMode,
+                                       (PVOID*)&Token,
+                                       NULL);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("Failed to reference token (Status %lx)\n", Status);
+        return Status;
+    }
+
+    /* Check token type */
+    if (Token->TokenType != TokenImpersonation)
+    {
+        DPRINT1("No impersonation token\n");
+        ObDereferenceObject(Token);
+        return STATUS_ACCESS_DENIED;
+    }
+
+    /* Set up the subject context, and lock it */
+    SubjectSecurityContext.ClientToken = Token;
+    SubjectSecurityContext.ImpersonationLevel = Token->ImpersonationLevel;
+    SubjectSecurityContext.PrimaryToken = NULL;
+    SubjectSecurityContext.ProcessAuditId = NULL;
+    SeLockSubjectContext(&SubjectSecurityContext);
+
+    /* Now perform the access check */
+    SepAccessCheck(SecurityDescriptor,
+                   &SubjectSecurityContext,
+                   TRUE,
+                   DesiredAccess,
+                   0,
+                   &PrivilegeSet, //FIXME
+                   GenericMapping,
+                   PreviousMode,
+                   GrantedAccess,
+                   AccessStatus,
+                   SecurityIdentification);
+
+    /* Unlock subject context and dereference the token */
+    SeUnlockSubjectContext(&SubjectSecurityContext);
+    ObDereferenceObject(Token);
+
+    /* Check succeeded */
+    return STATUS_SUCCESS;
+}
 
-  /* Unlock subject context */
-  SeUnlockSubjectContext(&SubjectSecurityContext);
 
-  ObDereferenceObject(Token);
+NTSTATUS
+NTAPI
+NtAccessCheckByType(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                    IN PSID PrincipalSelfSid,
+                    IN HANDLE ClientToken,
+                    IN ACCESS_MASK DesiredAccess,
+                    IN POBJECT_TYPE_LIST ObjectTypeList,
+                    IN ULONG ObjectTypeLength,
+                    IN PGENERIC_MAPPING GenericMapping,
+                    IN PPRIVILEGE_SET PrivilegeSet,
+                    IN ULONG PrivilegeSetLength,
+                    OUT PACCESS_MASK GrantedAccess,
+                    OUT PNTSTATUS AccessStatus)
+{
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
+}
 
-  DPRINT("NtAccessCheck() done\n");
+NTSTATUS
+NTAPI
+NtAccessCheckByTypeAndAuditAlarm(IN PUNICODE_STRING SubsystemName,
+                                 IN HANDLE HandleId,
+                                 IN PUNICODE_STRING ObjectTypeName,
+                                 IN PUNICODE_STRING ObjectName,
+                                 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                                 IN PSID PrincipalSelfSid,
+                                 IN ACCESS_MASK DesiredAccess,
+                                 IN AUDIT_EVENT_TYPE AuditType,
+                                 IN ULONG Flags,
+                                 IN POBJECT_TYPE_LIST ObjectTypeList,
+                                 IN ULONG ObjectTypeLength,
+                                 IN PGENERIC_MAPPING GenericMapping,
+                                 IN BOOLEAN ObjectCreation,
+                                 OUT PACCESS_MASK GrantedAccess,
+                                 OUT PNTSTATUS AccessStatus,
+                                 OUT PBOOLEAN GenerateOnClose)
+{
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
+}
 
-  return Status;
+NTSTATUS
+NTAPI
+NtAccessCheckByTypeResultList(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                              IN PSID PrincipalSelfSid,
+                              IN HANDLE ClientToken,
+                              IN ACCESS_MASK DesiredAccess,
+                              IN POBJECT_TYPE_LIST ObjectTypeList,
+                              IN ULONG ObjectTypeLength,
+                              IN PGENERIC_MAPPING GenericMapping,
+                              IN PPRIVILEGE_SET PrivilegeSet,
+                              IN ULONG PrivilegeSetLength,
+                              OUT PACCESS_MASK GrantedAccess,
+                              OUT PNTSTATUS AccessStatus)
+{
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
 }
 
-VOID STDCALL
-SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
-                          OUT PACCESS_MASK DesiredAccess)
+NTSTATUS
+NTAPI
+NtAccessCheckByTypeResultListAndAuditAlarm(IN PUNICODE_STRING SubsystemName,
+                                           IN HANDLE HandleId,
+                                           IN PUNICODE_STRING ObjectTypeName,
+                                           IN PUNICODE_STRING ObjectName,
+                                           IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                                           IN PSID PrincipalSelfSid,
+                                           IN ACCESS_MASK DesiredAccess,
+                                           IN AUDIT_EVENT_TYPE AuditType,
+                                           IN ULONG Flags,
+                                           IN POBJECT_TYPE_LIST ObjectTypeList,
+                                           IN ULONG ObjectTypeLength,
+                                           IN PGENERIC_MAPPING GenericMapping,
+                                           IN BOOLEAN ObjectCreation,
+                                           OUT PACCESS_MASK GrantedAccess,
+                                           OUT PNTSTATUS AccessStatus,
+                                           OUT PBOOLEAN GenerateOnClose)
 {
-    if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
-                               GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
-    {
-        *DesiredAccess |= READ_CONTROL;
-    }
-    if (SecurityInformation & SACL_SECURITY_INFORMATION)
-    {
-        *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
-    }
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
 }
 
-VOID STDCALL
-SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
-                        OUT PACCESS_MASK DesiredAccess)
+NTSTATUS
+NTAPI
+NtAccessCheckByTypeResultListAndAuditAlarmByHandle(IN PUNICODE_STRING SubsystemName,
+                                                   IN HANDLE HandleId,
+                                                   IN HANDLE ClientToken,
+                                                   IN PUNICODE_STRING ObjectTypeName,
+                                                   IN PUNICODE_STRING ObjectName,
+                                                   IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                                                   IN PSID PrincipalSelfSid,
+                                                   IN ACCESS_MASK DesiredAccess,
+                                                   IN AUDIT_EVENT_TYPE AuditType,
+                                                   IN ULONG Flags,
+                                                   IN POBJECT_TYPE_LIST ObjectTypeList,
+                                                   IN ULONG ObjectTypeLength,
+                                                   IN PGENERIC_MAPPING GenericMapping,
+                                                   IN BOOLEAN ObjectCreation,
+                                                   OUT PACCESS_MASK GrantedAccess,
+                                                   OUT PNTSTATUS AccessStatus,
+                                                   OUT PBOOLEAN GenerateOnClose)
 {
-    if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
-    {
-        *DesiredAccess |= WRITE_OWNER;
-    }
-    if (SecurityInformation & DACL_SECURITY_INFORMATION)
-    {
-        *DesiredAccess |= WRITE_DAC;
-    }
-    if (SecurityInformation & SACL_SECURITY_INFORMATION)
-    {
-        *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
-    }
+    UNIMPLEMENTED;
+    return STATUS_NOT_IMPLEMENTED;
 }
 
 /* EOF */
A free Windows-compatible Operating System