From c2cc2ba3be5b3be31b56615dfa8699e4a44cbfed Mon Sep 17 00:00:00 2001 From: Thomas Faber Date: Mon, 9 May 2016 08:49:18 +0000 Subject: [PATCH] [NTOS:SE] - In SepPropagateAcl, gracefully handle unknown ACE types by simply copying them. CORE-10694 #resolve svn path=/trunk/; revision=71296 --- reactos/ntoskrnl/se/acl.c | 21 ++++++- rostests/kmtests/ntos_se/SeHelpers.c | 36 ++++++++++++ rostests/kmtests/ntos_se/SeInheritance.c | 75 ++++++++++++++++++++++++ rostests/kmtests/ntos_se/se.h | 8 +++ 4 files changed, 138 insertions(+), 2 deletions(-) diff --git a/reactos/ntoskrnl/se/acl.c b/reactos/ntoskrnl/se/acl.c index 35a239c7e63..a29a85e861c 100644 --- a/reactos/ntoskrnl/se/acl.c +++ b/reactos/ntoskrnl/se/acl.c @@ -462,10 +462,27 @@ SepPropagateAcl( AceDest = (PACCESS_ALLOWED_ACE)CurrentDest; AceSource = (PACCESS_ALLOWED_ACE)CurrentSource; + if (AceSource->Header.AceType > ACCESS_MAX_MS_V2_ACE_TYPE) + { + /* FIXME: handle object & compound ACEs */ + AceSize = AceSource->Header.AceSize; + + if (*AclLength >= Written + AceSize) + { + RtlCopyMemory(AceDest, AceSource, AceSize); + } + CurrentDest += AceSize; + CurrentSource += AceSize; + Written += AceSize; + AceCount++; + continue; + } + /* These all have the same structure */ ASSERT(AceSource->Header.AceType == ACCESS_ALLOWED_ACE_TYPE || - AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE || - AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE); + AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE || + AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE || + AceSource->Header.AceType == SYSTEM_ALARM_ACE_TYPE); ASSERT(AceSource->Header.AceSize % sizeof(ULONG) == 0); ASSERT(AceSource->Header.AceSize >= sizeof(*AceSource)); diff --git a/rostests/kmtests/ntos_se/SeHelpers.c b/rostests/kmtests/ntos_se/SeHelpers.c index c6575a891be..2a81d5f9997 100644 --- a/rostests/kmtests/ntos_se/SeHelpers.c +++ b/rostests/kmtests/ntos_se/SeHelpers.c @@ -49,6 +49,42 @@ RtlxAddAuditAccessAceEx( return Status; } +NTSTATUS +RtlxAddMandatoryLabelAceEx( + _Inout_ PACL Acl, + _In_ ULONG Revision, + _In_ ULONG Flags, + _In_ ACCESS_MASK AccessMask, + _In_ PSID Sid) +{ + NTSTATUS Status; + USHORT AceSize; + PSYSTEM_MANDATORY_LABEL_ACE Ace; + + AceSize = FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + RtlLengthSid(Sid); + Ace = ExAllocatePoolWithTag(PagedPool, AceSize, 'cAmK'); + if (!Ace) + return STATUS_INSUFFICIENT_RESOURCES; + Ace->Header.AceType = SYSTEM_MANDATORY_LABEL_ACE_TYPE; + Ace->Header.AceFlags = Flags; + Ace->Header.AceSize = AceSize; + Ace->Mask = AccessMask; + Status = RtlCopySid(AceSize - FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart), + (PSID)&Ace->SidStart, + Sid); + ASSERT(NT_SUCCESS(Status)); + if (NT_SUCCESS(Status)) + { + Status = RtlAddAce(Acl, + Revision, + MAXULONG, + Ace, + AceSize); + } + ExFreePoolWithTag(Ace, 'cAmK'); + return Status; +} + VOID CheckSid__( _In_ PSID Sid, diff --git a/rostests/kmtests/ntos_se/SeInheritance.c b/rostests/kmtests/ntos_se/SeInheritance.c index 773311925c3..99e24d1114d 100644 --- a/rostests/kmtests/ntos_se/SeInheritance.c +++ b/rostests/kmtests/ntos_se/SeInheritance.c @@ -780,6 +780,81 @@ TestSeAssignSecurity( EndTestAssign() } + /* ACE type that Win2003 doesn't know about (> ACCESS_MAX_MS_ACE_TYPE) */ + for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++) + { + Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION); + ok_eq_hex(Status, STATUS_SUCCESS); + Status = RtlxAddMandatoryLabelAceEx(Acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SeExports->SeWorldSid); + ok_eq_hex(Status, STATUS_SUCCESS); + Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor, + TRUE, + Acl, + BooleanFlagOn(UsingDefault, 1)); + ok_eq_hex(Status, STATUS_SUCCESS); + Status = RtlSetSaclSecurityDescriptor(&ExplicitDescriptor, + TRUE, + Acl, + BooleanFlagOn(UsingDefault, 2)); + ok_eq_hex(Status, STATUS_SUCCESS); + + TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE) + TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE) + StartTestAssign(NULL, &ExplicitDescriptor, FALSE, TRUE, TRUE) + ok_eq_uint(DaclDefaulted, FALSE); + CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F, + ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005); + ok_eq_uint(SaclDefaulted, FALSE); + CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, SeExports->SeWorldSid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP); + ok_eq_uint(OwnerDefaulted, FALSE); + CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid); + ok_eq_uint(GroupDefaulted, FALSE); + CheckSid(Group, NO_SIZE, Token->PrimaryGroup); + EndTestAssign() + } + + for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++) + { + Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION); + ok_eq_hex(Status, STATUS_SUCCESS); + Status = RtlxAddMandatoryLabelAceEx(Acl, ACL_REVISION, OBJECT_INHERIT_ACE, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SeExports->SeCreatorOwnerSid); + ok_eq_hex(Status, STATUS_SUCCESS); + Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor, + TRUE, + Acl, + BooleanFlagOn(UsingDefault, 1)); + ok_eq_hex(Status, STATUS_SUCCESS); + Status = RtlSetSaclSecurityDescriptor(&ExplicitDescriptor, + TRUE, + Acl, + BooleanFlagOn(UsingDefault, 2)); + ok_eq_hex(Status, STATUS_SUCCESS); + + StartTestAssign(&ParentDescriptor, NULL, FALSE, TRUE, TRUE) + ok_eq_uint(DaclDefaulted, FALSE); + CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F, + ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005); + ok_eq_uint(SaclDefaulted, FALSE); + CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP); + ok_eq_uint(OwnerDefaulted, FALSE); + CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid); + ok_eq_uint(GroupDefaulted, FALSE); + CheckSid(Group, NO_SIZE, Token->PrimaryGroup); + EndTestAssign() + StartTestAssign(NULL, &ExplicitDescriptor, FALSE, TRUE, TRUE) + ok_eq_uint(DaclDefaulted, FALSE); + CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F, + ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005); + ok_eq_uint(SaclDefaulted, FALSE); + CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP); + ok_eq_uint(OwnerDefaulted, FALSE); + CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid); + ok_eq_uint(GroupDefaulted, FALSE); + CheckSid(Group, NO_SIZE, Token->PrimaryGroup); + EndTestAssign() + } + + /* TODO: Test object/compound ACEs */ /* TODO: Test duplicate ACEs */ /* TODO: Test INHERITED_ACE flag */ /* TODO: Test invalid ACE flags */ diff --git a/rostests/kmtests/ntos_se/se.h b/rostests/kmtests/ntos_se/se.h index 758c4bc0266..e4e83e792ac 100644 --- a/rostests/kmtests/ntos_se/se.h +++ b/rostests/kmtests/ntos_se/se.h @@ -33,6 +33,14 @@ RtlxAddAuditAccessAceEx( _In_ BOOLEAN Success, _In_ BOOLEAN Failure); +NTSTATUS +RtlxAddMandatoryLabelAceEx( + _Inout_ PACL Acl, + _In_ ULONG Revision, + _In_ ULONG Flags, + _In_ ACCESS_MASK AccessMask, + _In_ PSID Sid); + #define NO_SIZE ((ULONG)-1) #define CheckSid(Sid, SidSize, ExpectedSid) CheckSid_(Sid, SidSize, ExpectedSid, __FILE__, __LINE__) -- 2.17.1