}
}
+
+#define OLD_ACCESS_CHECK
+
BOOLEAN NTAPI
SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
OUT PNTSTATUS AccessStatus)
{
LUID_AND_ATTRIBUTES Privilege;
+#ifdef OLD_ACCESS_CHECK
+ ACCESS_MASK CurrentAccess, AccessMask;
+#endif
ACCESS_MASK RemainingAccess;
ACCESS_MASK TempAccess;
ACCESS_MASK TempGrantedAccess = 0;
if (PreviouslyGrantedAccess)
RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
+#ifdef OLD_ACCESS_CHECK
+ CurrentAccess = PreviouslyGrantedAccess;
+#endif
/* Initialize remaining access rights */
RemainingAccess = DesiredAccess;
return TRUE;
}
+#ifdef OLD_ACCESS_CHECK
+ CurrentAccess = PreviouslyGrantedAccess;
+#endif
+
/* RULE 2: Check token for 'take ownership' privilege */
if (DesiredAccess & WRITE_OWNER)
{
/* Adjust access rights */
RemainingAccess &= ~WRITE_OWNER;
PreviouslyGrantedAccess |= WRITE_OWNER;
+#ifdef OLD_ACCESS_CHECK
+ CurrentAccess |= WRITE_OWNER;
+#endif
/* Succeed if there are no more rights to grant */
if (RemainingAccess == 0)
{
if (SepSidInToken(Token, Sid))
{
+#ifdef OLD_ACCESS_CHECK
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+#else
/* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping);
/* Leave if a remaining right must be denied */
if (RemainingAccess & TempAccess)
break;
+#endif
}
}
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{
if (SepSidInToken(Token, Sid))
{
+#ifdef OLD_ACCESS_CHECK
+ AccessMask = CurrentAce->AccessMask;
+ RtlMapGenericMask(&AccessMask, GenericMapping);
+ CurrentAccess |= AccessMask;
+#else
/* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping);
/* Remove granted rights */
RemainingAccess &= ~TempAccess;
+#endif
}
}
else
CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
}
+#ifdef OLD_ACCESS_CHECK
+ DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
+ CurrentAccess, DesiredAccess);
+
+ *GrantedAccess = CurrentAccess & DesiredAccess;
+
+ if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) ==
+ (DesiredAccess & ~VALID_INHERIT_FLAGS))
+ {
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+ else
+ {
+ DPRINT1("HACK: Should deny access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p).\n",
+ *GrantedAccess, DesiredAccess, GenericMapping);
+ //*AccessStatus = STATUS_ACCESS_DENIED;
+ //return FALSE;
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+#else
DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess %08lx\n",
DesiredAccess, PreviouslyGrantedAccess, RemainingAccess);
*AccessStatus = STATUS_SUCCESS;
return TRUE;
+#endif
}
static PSID