return TRUE;
}
-NTSTATUS NTAPI
-SepCreateImpersonationTokenDacl(PTOKEN Token,
- PTOKEN PrimaryToken,
- PACL *Dacl)
+NTSTATUS
+NTAPI
+SepCreateImpersonationTokenDacl(
+ _In_ PTOKEN Token,
+ _In_ PTOKEN PrimaryToken,
+ _Out_ PACL* Dacl)
{
ULONG AclLength;
- PVOID TokenDacl;
+ PACL TokenDacl;
PAGED_CODE();
+ *Dacl = NULL;
+
AclLength = sizeof(ACL) +
- (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
- (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
- (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
- (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
- (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
+ (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
+ (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
+ (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
if (TokenDacl == NULL)
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
SeLocalSystemSid);
- /* FIXME */
-#if 0
if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
{
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
SeRestrictedCodeSid);
}
-#endif
+
+ *Dacl = TokenDacl;
return STATUS_SUCCESS;
}
/*
* At first open the thread token for information access and verify
- * that the token associated with thread is valid. */
+ * that the token associated with thread is valid.
+ */
Status = ObReferenceObjectByHandle(ThreadHandle, THREAD_QUERY_INFORMATION,
PsThreadType, PreviousMode, (PVOID*)&Thread,
InitializeObjectAttributes(&ObjectAttributes, NULL, HandleAttributes,
NULL, Dacl ? &SecurityDescriptor : NULL);
-
Status = SepDuplicateToken(Token, &ObjectAttributes, EffectiveOnly,
TokenImpersonation, ImpersonationLevel,
KernelMode, &NewToken);
PreviousMode, &hToken);
}
- if (Dacl) ExFreePoolWithTag(Dacl, TAG_TOKEN_ACL);
+ if (Dacl) ExFreePoolWithTag(Dacl, TAG_ACL);
if (RestoreImpersonation)
{