Enable old access check code until the bug that keeps the device installer from worki...
[reactos.git] / reactos / ntoskrnl / se / semgr.c
index 0cb0da4..de37447 100644 (file)
@@ -377,6 +377,9 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
     }
 }
 
+
+#define OLD_ACCESS_CHECK
+
 BOOLEAN NTAPI
 SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
@@ -389,6 +392,9 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                OUT PNTSTATUS AccessStatus)
 {
     LUID_AND_ATTRIBUTES Privilege;
+#ifdef OLD_ACCESS_CHECK
+    ACCESS_MASK CurrentAccess, AccessMask;
+#endif
     ACCESS_MASK RemainingAccess;
     ACCESS_MASK TempAccess;
     ACCESS_MASK TempGrantedAccess = 0;
@@ -426,6 +432,9 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
     if (PreviouslyGrantedAccess)
         RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
 
+#ifdef OLD_ACCESS_CHECK
+    CurrentAccess = PreviouslyGrantedAccess;
+#endif
     /* Initialize remaining access rights */
     RemainingAccess = DesiredAccess;
 
@@ -490,6 +499,10 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
         return TRUE;
     }
 
+#ifdef OLD_ACCESS_CHECK
+    CurrentAccess = PreviouslyGrantedAccess;
+#endif
+
     /* RULE 2: Check token for 'take ownership' privilege */
     if (DesiredAccess & WRITE_OWNER)
     {
@@ -505,6 +518,9 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
             /* Adjust access rights */
             RemainingAccess &= ~WRITE_OWNER;
             PreviouslyGrantedAccess |= WRITE_OWNER;
+#ifdef OLD_ACCESS_CHECK
+            CurrentAccess |= WRITE_OWNER;
+#endif
 
             /* Succeed if there are no more rights to grant */
             if (RemainingAccess == 0)
@@ -618,6 +634,11 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
             {
                 if (SepSidInToken(Token, Sid))
                 {
+#ifdef OLD_ACCESS_CHECK
+                    *GrantedAccess = 0;
+                    *AccessStatus = STATUS_ACCESS_DENIED;
+                    return FALSE;
+#else
                     /* Map access rights from the ACE */
                     TempAccess = CurrentAce->AccessMask;
                     RtlMapGenericMask(&TempAccess, GenericMapping);
@@ -625,18 +646,25 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                     /* Leave if a remaining right must be denied */
                     if (RemainingAccess & TempAccess)
                         break;
+#endif
                 }
             }
             else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
             {
                 if (SepSidInToken(Token, Sid))
                 {
+#ifdef OLD_ACCESS_CHECK
+                    AccessMask = CurrentAce->AccessMask;
+                    RtlMapGenericMask(&AccessMask, GenericMapping);
+                    CurrentAccess |= AccessMask;
+#else
                     /* Map access rights from the ACE */
                     TempAccess = CurrentAce->AccessMask;
                     RtlMapGenericMask(&TempAccess, GenericMapping);
 
                     /* Remove granted rights */
                     RemainingAccess &= ~TempAccess;
+#endif
                 }
             }
             else
@@ -649,6 +677,28 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
         CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
     }
 
+#ifdef OLD_ACCESS_CHECK
+    DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
+           CurrentAccess, DesiredAccess);
+
+    *GrantedAccess = CurrentAccess & DesiredAccess;
+
+    if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) == 
+        (DesiredAccess & ~VALID_INHERIT_FLAGS))
+    {
+        *AccessStatus = STATUS_SUCCESS;
+        return TRUE;
+    }
+    else
+    {
+        DPRINT1("HACK: Should deny access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p).\n",
+                *GrantedAccess, DesiredAccess, GenericMapping);
+        //*AccessStatus = STATUS_ACCESS_DENIED;
+        //return FALSE;
+        *AccessStatus = STATUS_SUCCESS;
+        return TRUE;
+    }
+#else
     DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess %08lx\n",
            DesiredAccess, PreviouslyGrantedAccess, RemainingAccess);
 
@@ -674,6 +724,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
 
     *AccessStatus = STATUS_SUCCESS;
     return TRUE;
+#endif
 }
 
 static PSID