[NTOS:SE] Finish SepCreateImpersonationTokenDacl() implementation.
authorHermès Bélusca-Maïto <hermes.belusca-maito@reactos.org>
Mon, 25 Jun 2018 13:24:44 +0000 (15:24 +0200)
committerHermès Bélusca-Maïto <hermes.belusca-maito@reactos.org>
Wed, 27 Jun 2018 21:40:14 +0000 (23:40 +0200)
- Re-enable a commented-out block;
- Return the allocated Dacl.
- Use the correct pool tag when freeing the allocated Dacl.

ntoskrnl/include/internal/se.h
ntoskrnl/se/acl.c
ntoskrnl/se/token.c

index 125055f..040d23c 100644 (file)
@@ -317,9 +317,9 @@ SeIsTokenChild(
 NTSTATUS
 NTAPI
 SepCreateImpersonationTokenDacl(
-    PTOKEN Token,
-    PTOKEN PrimaryToken,
-    PACL *Dacl
+    _In_ PTOKEN Token,
+    _In_ PTOKEN PrimaryToken,
+    _Out_ PACL* Dacl
 );
 
 VOID
index 392f2a9..3829684 100644 (file)
@@ -224,22 +224,26 @@ SepInitDACLs(VOID)
     return TRUE;
 }
 
-NTSTATUS NTAPI
-SepCreateImpersonationTokenDacl(PTOKEN Token,
-                                PTOKEN PrimaryToken,
-                                PACL *Dacl)
+NTSTATUS
+NTAPI
+SepCreateImpersonationTokenDacl(
+    _In_ PTOKEN Token,
+    _In_ PTOKEN PrimaryToken,
+    _Out_ PACL* Dacl)
 {
     ULONG AclLength;
-    PVOID TokenDacl;
+    PACL TokenDacl;
 
     PAGED_CODE();
 
+    *Dacl = NULL;
+
     AclLength = sizeof(ACL) +
-    (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
-    (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
-    (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
-    (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
-    (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
+        (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
+        (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
+        (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
+        (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
+        (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
 
     TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
     if (TokenDacl == NULL)
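Review bot: The reworked definition still has no header comment stating who owns the buffer returned through `Dacl`, and the pool-tag mismatch this commit fixes in token.c is the kind of error such a comment prevents. The allocation in this hunk is `ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL)`, and the added `*Dacl = NULL;` runs before any return, so the out-parameter starts as NULL. I would add a comment above the function saying that on success `*Dacl` receives a paged-pool ACL which the caller must release with `ExFreePoolWithTag(*Dacl, TAG_ACL)`, and that `*Dacl` is NULL when the function fails. The function body continues past the end of this hunk, so the failure path itself is not visible here.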
@@ -257,14 +261,13 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
     RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
                            SeLocalSystemSid);
 
-    /* FIXME */
-#if 0
     if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
     {
         RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
                                SeRestrictedCodeSid);
     }
-#endif
+
+    *Dacl = TokenDacl;
 
     return STATUS_SUCCESS;
 }
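Review bot: The `RtlAddAccessAllowedAce` calls in this hunk, including the re-enabled one for `SeRestrictedCodeSid`, discard their NTSTATUS, so the function stores `TokenDacl` in `*Dacl` and returns `STATUS_SUCCESS` even if an ACE could not be added. The caller would then attach a DACL with fewer entries than intended to the duplicated token, with no indication that anything went wrong. I would capture each status and, on failure, free the buffer with `TAG_ACL` and return that status, leaving `*Dacl` NULL. This needs an `NTSTATUS Status;` local at the top of the function, which starts outside this hunk, and the same check presumably applies to the ACE calls above the first visible line.

```c
    /* … unchanged: earlier ACL setup and ACE additions (outside this hunk) … */
    Status = RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
                                    SeLocalSystemSid);
    if (!NT_SUCCESS(Status))
        goto Failure;

    if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
    {
        Status = RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
                                        SeRestrictedCodeSid);
        if (!NT_SUCCESS(Status))
            goto Failure;
    }

    *Dacl = TokenDacl;
    return STATUS_SUCCESS;

Failure:
    /* Free with the tag used at allocation; *Dacl stays NULL */
    ExFreePoolWithTag(TokenDacl, TAG_ACL);
    return Status;
```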
index 46ab29b..b9c4e6f 100644 (file)
@@ -3325,7 +3325,8 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
 
     /*
      * At first open the thread token for information access and verify
-     * that the token associated with thread is valid.     */
+     * that the token associated with thread is valid.
+     */
 
     Status = ObReferenceObjectByHandle(ThreadHandle, THREAD_QUERY_INFORMATION,
                                        PsThreadType, PreviousMode, (PVOID*)&Thread,
@@ -3386,7 +3387,6 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
                 InitializeObjectAttributes(&ObjectAttributes, NULL, HandleAttributes,
                                            NULL, Dacl ? &SecurityDescriptor : NULL);
 
-
                 Status = SepDuplicateToken(Token, &ObjectAttributes, EffectiveOnly,
                                            TokenImpersonation, ImpersonationLevel,
                                            KernelMode, &NewToken);
@@ -3406,7 +3406,7 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
                                        PreviousMode, &hToken);
     }
 
-    if (Dacl) ExFreePoolWithTag(Dacl, TAG_TOKEN_ACL);
+    if (Dacl) ExFreePoolWithTag(Dacl, TAG_ACL);
 
     if (RestoreImpersonation)
     {