[ntoskrnl/se]
authorAleksey Bragin <aleksey@reactos.org>
Sat, 21 Nov 2009 17:58:33 +0000 (17:58 +0000)
committerAleksey Bragin <aleksey@reactos.org>
Sat, 21 Nov 2009 17:58:33 +0000 (17:58 +0000)
- Factor out working code from SeAccessCheck into SepAccessCheck, taking out addition parameter - LowerImpersonationLevel. The lowest level for SeAccessCheck remains SecurityImpersonation, but for NtAccessCheck it's lowered to SecurityIdentification. Name of this patch's author has been lost.
See issue #4169 for more details.

svn path=/trunk/; revision=44260

reactos/ntoskrnl/se/semgr.c

index 4ceaa19..85cbead 100644 (file)
@@ -348,22 +348,18 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
     }
 }
 
     }
 }
 
-/* PUBLIC FUNCTIONS ***********************************************************/
-
-/*
- * @implemented
- */
 BOOLEAN NTAPI
 BOOLEAN NTAPI
-SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
-              IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
-              IN BOOLEAN SubjectContextLocked,
-              IN ACCESS_MASK DesiredAccess,
-              IN ACCESS_MASK PreviouslyGrantedAccess,
-              OUT PPRIVILEGE_SET* Privileges,
-              IN PGENERIC_MAPPING GenericMapping,
-              IN KPROCESSOR_MODE AccessMode,
-              OUT PACCESS_MASK GrantedAccess,
-              OUT PNTSTATUS AccessStatus)
+SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+               IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
+               IN BOOLEAN SubjectContextLocked,
+               IN ACCESS_MASK DesiredAccess,
+               IN ACCESS_MASK PreviouslyGrantedAccess,
+               OUT PPRIVILEGE_SET* Privileges,
+               IN PGENERIC_MAPPING GenericMapping,
+               IN KPROCESSOR_MODE AccessMode,
+               OUT PACCESS_MASK GrantedAccess,
+               OUT PNTSTATUS AccessStatus,
+               SECURITY_IMPERSONATION_LEVEL LowestImpersonationLevel)
 {
     LUID_AND_ATTRIBUTES Privilege;
     ACCESS_MASK CurrentAccess, AccessMask;
 {
     LUID_AND_ATTRIBUTES Privilege;
     ACCESS_MASK CurrentAccess, AccessMask;
@@ -409,7 +405,7 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
 
     /* Check for invalid impersonation */
     if ((SubjectSecurityContext->ClientToken) &&
 
     /* Check for invalid impersonation */
     if ((SubjectSecurityContext->ClientToken) &&
-        (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation))
+        (SubjectSecurityContext->ImpersonationLevel < LowestImpersonationLevel))
     {
         *AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
         return FALSE;
     {
         *AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
         return FALSE;
@@ -619,6 +615,37 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
     }
 }
 
     }
 }
 
+/* PUBLIC FUNCTIONS ***********************************************************/
+
+/*
+ * @implemented
+ */
+BOOLEAN NTAPI
+SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+              IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
+              IN BOOLEAN SubjectContextLocked,
+              IN ACCESS_MASK DesiredAccess,
+              IN ACCESS_MASK PreviouslyGrantedAccess,
+              OUT PPRIVILEGE_SET* Privileges,
+              IN PGENERIC_MAPPING GenericMapping,
+              IN KPROCESSOR_MODE AccessMode,
+              OUT PACCESS_MASK GrantedAccess,
+              OUT PNTSTATUS AccessStatus)
+{
+    /* Call the internal function */
+    return SepAccessCheck(SecurityDescriptor,
+                          SubjectSecurityContext,
+                          SubjectContextLocked,
+                          DesiredAccess,
+                          PreviouslyGrantedAccess,
+                          Privileges,
+                          GenericMapping,
+                          AccessMode,
+                          GrantedAccess,
+                          AccessStatus,
+                          SecurityImpersonation);
+}
+
 /* SYSTEM CALLS ***************************************************************/
 
 /*
 /* SYSTEM CALLS ***************************************************************/
 
 /*
@@ -691,16 +718,17 @@ NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
     SeLockSubjectContext(&SubjectSecurityContext);
 
     /* Now perform the access check */
     SeLockSubjectContext(&SubjectSecurityContext);
 
     /* Now perform the access check */
-    SeAccessCheck(SecurityDescriptor,
-                  &SubjectSecurityContext,
-                  TRUE,
-                  DesiredAccess,
-                  0,
-                  &PrivilegeSet, //FIXME
-                  GenericMapping,
-                  PreviousMode,
-                  GrantedAccess,
-                  AccessStatus);
+    SepAccessCheck(SecurityDescriptor,
+                   &SubjectSecurityContext,
+                   TRUE,
+                   DesiredAccess,
+                   0,
+                   &PrivilegeSet, //FIXME
+                   GenericMapping,
+                   PreviousMode,
+                   GrantedAccess,
+                   AccessStatus,
+                   SecurityIdentification);
 
     /* Unlock subject context and dereference the token */
     SeUnlockSubjectContext(&SubjectSecurityContext);
 
     /* Unlock subject context and dereference the token */
     SeUnlockSubjectContext(&SubjectSecurityContext);