From 33f524c6259078191f5de66a19eefb4ea7e27adf Mon Sep 17 00:00:00 2001
From: Pierre Schweitzer
Date: Tue, 21 May 2019 08:37:36 +0200
Subject: [PATCH] [NTOSKRNL] Use relaxed ACLs in ObpCreateGlobalDosDevicesSD when protection mode is not set
---
 ntoskrnl/ob/obname.c | 163 ++++++++++++++++++++++++++++---------------
 1 file changed, 105 insertions(+), 58 deletions(-)

diff --git a/ntoskrnl/ob/obname.c b/ntoskrnl/ob/obname.c
index b1e541eeb4b..5baa4b1a50d 100644
--- a/ntoskrnl/ob/obname.c
+++ b/ntoskrnl/ob/obname.c
@@ -44,68 +44,115 @@ ObpCreateGlobalDosDevicesSD(OUT PSECURITY_DESCRIPTOR *SecurityDescriptor)
 ULONG AclSize, SdSize;
 NTSTATUS Status;
 
- AclSize = sizeof(ACL) +
- sizeof(ACE) + RtlLengthSid(SeWorldSid) +
- sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
- sizeof(ACE) + RtlLengthSid(SeWorldSid) +
- sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
- sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
- sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
-
- SdSize = sizeof(SECURITY_DESCRIPTOR) + AclSize;
-
- /* Allocate the SD and ACL */
- Sd = ExAllocatePoolWithTag(PagedPool, SdSize, TAG_SD);
- if (Sd == NULL)
+ if (ObpProtectionMode & 1)
 {
- return STATUS_INSUFFICIENT_RESOURCES;
+ AclSize = sizeof(ACL) +
+ sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
+ sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+ sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
+ sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
+
+ SdSize = sizeof(SECURITY_DESCRIPTOR) + AclSize;
+
+ /* Allocate the SD and ACL */
+ Sd = ExAllocatePoolWithTag(PagedPool, SdSize, TAG_SD);
+ if (Sd == NULL)
+ {
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+
+ /* Initialize the SD */
+ Status = RtlCreateSecurityDescriptor(Sd,
+ SECURITY_DESCRIPTOR_REVISION);
+ if (!NT_SUCCESS(Status))
+ return Status;
+
+ Dacl = (PACL)((INT_PTR)Sd + sizeof(SECURITY_DESCRIPTOR));
+
+ /* Initialize the DACL */
+ RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
+
+ /* Add the ACEs */
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_READ | GENERIC_EXECUTE,
+ SeWorldSid);
+
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+
+ RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_EXECUTE,
+ SeWorldSid);
+
+ RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeAliasAdminsSid);
+
+ RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+
+ RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeCreatorOwnerSid);
 }
+ else
+ {
+ AclSize = sizeof(ACL) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
+ sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid);
 
- /* Initialize the SD */
- Status = RtlCreateSecurityDescriptor(Sd,
- SECURITY_DESCRIPTOR_REVISION);
- if (!NT_SUCCESS(Status))
- return Status;
+ SdSize = sizeof(SECURITY_DESCRIPTOR) + AclSize;
 
- Dacl = (PACL)((INT_PTR)Sd + sizeof(SECURITY_DESCRIPTOR));
-
- /* Initialize the DACL */
- RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
-
- /* Add the ACEs */
- RtlAddAccessAllowedAce(Dacl,
- ACL_REVISION,
- GENERIC_READ | GENERIC_EXECUTE,
- SeWorldSid);
-
- RtlAddAccessAllowedAce(Dacl,
- ACL_REVISION,
- GENERIC_ALL,
- SeLocalSystemSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_EXECUTE,
- SeWorldSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeAliasAdminsSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeLocalSystemSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeCreatorOwnerSid);
+ /* Allocate the SD and ACL */
+ Sd = ExAllocatePoolWithTag(PagedPool, SdSize, TAG_SD);
+ if (Sd == NULL)
+ {
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+
+ /* Initialize the SD */
+ Status = RtlCreateSecurityDescriptor(Sd,
+ SECURITY_DESCRIPTOR_REVISION);
+ if (!NT_SUCCESS(Status))
+ return Status;
+
+ Dacl = (PACL)((INT_PTR)Sd + sizeof(SECURITY_DESCRIPTOR));
+
+ /* Initialize the DACL */
+ RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
+
+ /* Add the ACEs */
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_READ | GENERIC_EXECUTE | GENERIC_WRITE,
+ SeWorldSid);
+
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+
+ RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeWorldSid);
+ }
 
 /* Attach the DACL to the SD */
 Status = RtlSetDaclSecurityDescriptor(Sd,
--
2.17.1
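Review bot: In the new `else` branch the `AclSize` sum counts `SeLocalSystemSid` twice and `SeWorldSid` once, while the three ACEs added below it are for World, LocalSystem and World again, so the size computation does not mirror the ACL that is actually built. The two well-known SIDs are normally the same length, so this probably does not under-allocate today, but the results of `RtlCreateAcl` and of every `RtlAddAccessAllowedAce`/`RtlAddAccessAllowedAceEx` call are discarded in both branches, so a failed add would leave the global DosDevices directory with a DACL that is silently missing entries. I would reorder the sum to `sizeof(ACE) + RtlLengthSid(SeWorldSid) +`, `sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +`, `sizeof(ACE) + RtlLengthSid(SeWorldSid);` and check the NTSTATUS of each add. Both copies of `return Status;` after `RtlCreateSecurityDescriptor` also return with `Sd` still allocated; the function begins and continues outside this hunk, so any cleanup there cannot be confirmed from here. A comment on the `else` branch such as `/* Protection mode off: World gets write access to the directory and inheritable GENERIC_ALL */`, plus a named constant for the `& 1` bit, would make the deliberately relaxed mode easier to audit.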