5 Feb
2012
5 Feb
'12
5:57 p.m.
Author: tkreuzer
Date: Sun Feb 5 17:57:34 2012
New Revision: 55437
URL: http://svn.reactos.org/svn/reactos?rev=55437&view=rev
Log:
[NTOSKRNL]
- Rewrite SeCaptureSecurityDescriptor. The old code was mess and totally broken for 64
bit.
- Many fixes to security descriptor code that was making wrong assumptions about the
SECURITY_DESCRIPTOR structures
Modified:
trunk/reactos/ntoskrnl/se/sd.c
Modified: trunk/reactos/ntoskrnl/se/sd.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/sd.c?rev=55437…
==============================================================================
--- trunk/reactos/ntoskrnl/se/sd.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/sd.c [iso-8859-1] Sun Feb 5 17:57:34 2012
@@ -28,6 +28,78 @@
/* PRIVATE FUNCTIONS **********************************************************/
+PSID
+FORCEINLINE
+SepGetGroupFromDescriptor(PVOID _Descriptor)
+{
+ PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
+ PISECURITY_DESCRIPTOR_RELATIVE SdRel;
+
+ if (Descriptor->Control & SE_SELF_RELATIVE)
+ {
+ SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
+ return (PSID)((ULONG_PTR)Descriptor + SdRel->Group);
+ }
+ else
+ {
+ return Descriptor->Group;
+ }
+}
+
+PSID
+FORCEINLINE
+SepGetOwnerFromDescriptor(PVOID _Descriptor)
+{
+ PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
+ PISECURITY_DESCRIPTOR_RELATIVE SdRel;
+
+ if (Descriptor->Control & SE_SELF_RELATIVE)
+ {
+ SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
+ return (PSID)((ULONG_PTR)Descriptor + SdRel->Owner);
+ }
+ else
+ {
+ return Descriptor->Owner;
+ }
+}
+
+PACL
+FORCEINLINE
+SepGetDaclFromDescriptor(PVOID _Descriptor)
+{
+ PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
+ PISECURITY_DESCRIPTOR_RELATIVE SdRel;
+
+ if (Descriptor->Control & SE_SELF_RELATIVE)
+ {
+ SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
+ return (PACL)((ULONG_PTR)Descriptor + SdRel->Dacl);
+ }
+ else
+ {
+ return Descriptor->Dacl;
+ }
+}
+
+PACL
+FORCEINLINE
+SepGetSaclFromDescriptor(PVOID _Descriptor)
+{
+ PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
+ PISECURITY_DESCRIPTOR_RELATIVE SdRel;
+
+ if (Descriptor->Control & SE_SELF_RELATIVE)
+ {
+ SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
+ return (PACL)((ULONG_PTR)Descriptor + SdRel->Sacl);
+ }
+ else
+ {
+ return Descriptor->Sacl;
+ }
+}
+
BOOLEAN
INIT_FUNCTION
NTAPI
@@ -120,7 +192,7 @@
PISECURITY_DESCRIPTOR SecurityDescriptor,
PULONG BufferLength)
{
- ULONG_PTR Current;
+ ULONG Current;
ULONG SidSize;
ULONG SdSize;
NTSTATUS Status;
@@ -160,29 +232,25 @@
return Status;
}
- Current = (ULONG_PTR)(SdRel + 1);
+ Current = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
if (SecurityInformation & OWNER_SECURITY_INFORMATION)
{
- RtlCopyMemory((PVOID)Current,
- SeWorldSid,
- SidSize);
- SdRel->Owner = (ULONG)((ULONG_PTR)Current - (ULONG_PTR)SdRel);
+ RtlCopyMemory((PUCHAR)SdRel + Current, SeWorldSid, SidSize);
+ SdRel->Owner = Current;
Current += SidSize;
}
if (SecurityInformation & GROUP_SECURITY_INFORMATION)
{
- RtlCopyMemory((PVOID)Current,
- SeWorldSid,
- SidSize);
- SdRel->Group = (ULONG)((ULONG_PTR)Current - (ULONG_PTR)SdRel);
+ RtlCopyMemory((PUCHAR)SdRel + Current, SeWorldSid, SidSize);
+ SdRel->Group = Current;
Current += SidSize;
}
if (SecurityInformation & DACL_SECURITY_INFORMATION)
{
- PACL Dacl = (PACL)Current;
+ PACL Dacl = (PACL)((PUCHAR)SdRel + Current);
SdRel->Control |= SE_DACL_PRESENT;
Status = RtlCreateAcl(Dacl,
@@ -198,7 +266,7 @@
if (!NT_SUCCESS(Status))
return Status;
- SdRel->Dacl = (ULONG)((ULONG_PTR)Current - (ULONG_PTR)SdRel);
+ SdRel->Dacl = Current;
}
if (SecurityInformation & SACL_SECURITY_INFORMATION)
@@ -245,7 +313,7 @@
ProbeForRead(ObjectAttributes->SecurityQualityOfService,
sizeof(SECURITY_QUALITY_OF_SERVICE),
sizeof(ULONG));
-
+
if
(((PSECURITY_QUALITY_OF_SERVICE)ObjectAttributes->SecurityQualityOfService)->Length
==
sizeof(SECURITY_QUALITY_OF_SERVICE))
{
@@ -381,335 +449,239 @@
/* PUBLIC FUNCTIONS ***********************************************************/
-/*
- * @implemented
- */
+static
+ULONG
+DetermineSIDSize(
+ PISID Sid,
+ PULONG OutSAC,
+ KPROCESSOR_MODE ProcessorMode)
+{
+ ULONG Size;
+
+ if (!Sid)
+ {
+ *OutSAC = 0;
+ return 0;
+ }
+
+ if (ProcessorMode != KernelMode)
+ {
+ /* Securely access the buffers! */
+ *OutSAC = ProbeForReadUchar(&Sid->SubAuthorityCount);
+ Size = RtlLengthRequiredSid(*OutSAC);
+ ProbeForRead(Sid, Size, sizeof(ULONG));
+ }
+ else
+ {
+ *OutSAC = Sid->SubAuthorityCount;
+ Size = RtlLengthRequiredSid(*OutSAC);
+ }
+
+ return Size;
+}
+
+static
+ULONG
+DetermineACLSize(
+ PACL Acl,
+ KPROCESSOR_MODE ProcessorMode)
+{
+ ULONG Size;
+
+ if (!Acl) return 0;
+
+ if (ProcessorMode == KernelMode) return Acl->AclSize;
+
+ /* Probe the buffers! */
+ Size = ProbeForReadUshort(&Acl->AclSize);
+ ProbeForRead(Acl, Size, sizeof(ULONG));
+
+ return Size;
+}
+
NTSTATUS
NTAPI
-SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
- IN KPROCESSOR_MODE CurrentMode,
- IN POOL_TYPE PoolType,
- IN BOOLEAN CaptureIfKernel,
- OUT PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
-{
- PISECURITY_DESCRIPTOR OriginalSecurityDescriptor = _OriginalSecurityDescriptor;
+SeCaptureSecurityDescriptor(
+ IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
+ IN KPROCESSOR_MODE CurrentMode,
+ IN POOL_TYPE PoolType,
+ IN BOOLEAN CaptureIfKernel,
+ OUT PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
+{
+ PISECURITY_DESCRIPTOR OriginalDescriptor = _OriginalSecurityDescriptor;
SECURITY_DESCRIPTOR DescriptorCopy;
- PISECURITY_DESCRIPTOR NewDescriptor;
+ PISECURITY_DESCRIPTOR_RELATIVE NewDescriptor;
ULONG OwnerSAC = 0, GroupSAC = 0;
ULONG OwnerSize = 0, GroupSize = 0;
ULONG SaclSize = 0, DaclSize = 0;
ULONG DescriptorSize = 0;
- NTSTATUS Status;
-
- if (OriginalSecurityDescriptor != NULL)
- {
- if (CurrentMode != KernelMode)
- {
- RtlZeroMemory(&DescriptorCopy, sizeof(DescriptorCopy));
-
- _SEH2_TRY
- {
- /*
- * First only probe and copy until the control field of the descriptor
- * to determine whether it's a self-relative descriptor
- */
- DescriptorSize = FIELD_OFFSET(SECURITY_DESCRIPTOR,
- Owner);
- ProbeForRead(OriginalSecurityDescriptor,
- DescriptorSize,
- sizeof(ULONG));
-
- if (OriginalSecurityDescriptor->Revision !=
SECURITY_DESCRIPTOR_REVISION1)
- {
- _SEH2_YIELD(return STATUS_UNKNOWN_REVISION);
- }
-
- /* Make a copy on the stack */
- DescriptorCopy.Revision = OriginalSecurityDescriptor->Revision;
- DescriptorCopy.Sbz1 = OriginalSecurityDescriptor->Sbz1;
- DescriptorCopy.Control = OriginalSecurityDescriptor->Control;
- DescriptorSize = ((DescriptorCopy.Control & SE_SELF_RELATIVE) ?
- sizeof(SECURITY_DESCRIPTOR_RELATIVE) :
sizeof(SECURITY_DESCRIPTOR));
-
- /*
- * Probe and copy the entire security descriptor structure. The SIDs
- * and ACLs will be probed and copied later though
- */
- ProbeForRead(OriginalSecurityDescriptor,
- DescriptorSize,
- sizeof(ULONG));
- if (DescriptorCopy.Control & SE_SELF_RELATIVE)
- {
- PISECURITY_DESCRIPTOR_RELATIVE RelSD =
(PISECURITY_DESCRIPTOR_RELATIVE)OriginalSecurityDescriptor;
-
- DescriptorCopy.Owner = (PSID)RelSD->Owner;
- DescriptorCopy.Group = (PSID)RelSD->Group;
- DescriptorCopy.Sacl = (PACL)RelSD->Sacl;
- DescriptorCopy.Dacl = (PACL)RelSD->Dacl;
- }
- else
- {
- DescriptorCopy.Owner = OriginalSecurityDescriptor->Owner;
- DescriptorCopy.Group = OriginalSecurityDescriptor->Group;
- DescriptorCopy.Sacl = OriginalSecurityDescriptor->Sacl;
- DescriptorCopy.Dacl = OriginalSecurityDescriptor->Dacl;
- }
- }
- _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
- {
- /* Return the exception code */
- _SEH2_YIELD(return _SEH2_GetExceptionCode());
- }
- _SEH2_END;
- }
- else if (!CaptureIfKernel)
- {
- if (OriginalSecurityDescriptor->Revision !=
SECURITY_DESCRIPTOR_REVISION1)
- {
- return STATUS_UNKNOWN_REVISION;
- }
-
- *CapturedSecurityDescriptor = OriginalSecurityDescriptor;
- return STATUS_SUCCESS;
- }
- else
- {
- if (OriginalSecurityDescriptor->Revision !=
SECURITY_DESCRIPTOR_REVISION1)
- {
- return STATUS_UNKNOWN_REVISION;
- }
-
- /* Make a copy on the stack */
- DescriptorCopy.Revision = OriginalSecurityDescriptor->Revision;
- DescriptorCopy.Sbz1 = OriginalSecurityDescriptor->Sbz1;
- DescriptorCopy.Control = OriginalSecurityDescriptor->Control;
- DescriptorSize = ((DescriptorCopy.Control & SE_SELF_RELATIVE) ?
- sizeof(SECURITY_DESCRIPTOR_RELATIVE) :
sizeof(SECURITY_DESCRIPTOR));
- if (DescriptorCopy.Control & SE_SELF_RELATIVE)
- {
- PISECURITY_DESCRIPTOR_RELATIVE RelSD =
(PISECURITY_DESCRIPTOR_RELATIVE)OriginalSecurityDescriptor;
-
- DescriptorCopy.Owner = (PSID)RelSD->Owner;
- DescriptorCopy.Group = (PSID)RelSD->Group;
- DescriptorCopy.Sacl = (PACL)RelSD->Sacl;
- DescriptorCopy.Dacl = (PACL)RelSD->Dacl;
- }
- else
- {
- DescriptorCopy.Owner = OriginalSecurityDescriptor->Owner;
- DescriptorCopy.Group = OriginalSecurityDescriptor->Group;
- DescriptorCopy.Sacl = OriginalSecurityDescriptor->Sacl;
- DescriptorCopy.Dacl = OriginalSecurityDescriptor->Dacl;
- }
- }
-
- if (DescriptorCopy.Control & SE_SELF_RELATIVE)
- {
- /*
- * In case we're dealing with a self-relative descriptor, do a basic
convert
- * to an absolute descriptor. We do this so we can simply access the data
- * using the pointers without calculating them again.
- */
- DescriptorCopy.Control &= ~SE_SELF_RELATIVE;
- if (DescriptorCopy.Owner != NULL)
- {
- DescriptorCopy.Owner = (PSID)((ULONG_PTR)OriginalSecurityDescriptor +
(ULONG_PTR)DescriptorCopy.Owner);
- }
- if (DescriptorCopy.Group != NULL)
- {
- DescriptorCopy.Group = (PSID)((ULONG_PTR)OriginalSecurityDescriptor +
(ULONG_PTR)DescriptorCopy.Group);
- }
- if (DescriptorCopy.Dacl != NULL)
- {
- DescriptorCopy.Dacl = (PACL)((ULONG_PTR)OriginalSecurityDescriptor +
(ULONG_PTR)DescriptorCopy.Dacl);
- }
- if (DescriptorCopy.Sacl != NULL)
- {
- DescriptorCopy.Sacl = (PACL)((ULONG_PTR)OriginalSecurityDescriptor +
(ULONG_PTR)DescriptorCopy.Sacl);
- }
- }
-
- /* Determine the size of the SIDs */
-#define DetermineSIDSize(SidType) \
-do { \
-if(DescriptorCopy.SidType != NULL) \
-{ \
-SID *SidType = (SID*)DescriptorCopy.SidType; \
-\
-if(CurrentMode != KernelMode) \
-{ \
-/* Securely access the buffers! */ \
-_SEH2_TRY \
-{ \
-SidType##SAC = ProbeForReadUchar(&SidType->SubAuthorityCount); \
-SidType##Size = RtlLengthRequiredSid(SidType##SAC); \
-DescriptorSize += ROUND_UP(SidType##Size, sizeof(ULONG)); \
-ProbeForRead(SidType, \
-SidType##Size, \
-sizeof(ULONG)); \
-} \
-_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
\
-{ \
-_SEH2_YIELD(return _SEH2_GetExceptionCode()); \
-} \
-_SEH2_END; \
-\
-} \
-else \
-{ \
-SidType##SAC = SidType->SubAuthorityCount; \
-SidType##Size = RtlLengthRequiredSid(SidType##SAC); \
-DescriptorSize += ROUND_UP(SidType##Size, sizeof(ULONG)); \
-} \
-} \
-} while(0)
-
- DetermineSIDSize(Owner);
- DetermineSIDSize(Group);
-
-#undef DetermineSIDSize
-
- /* Determine the size of the ACLs */
-#define DetermineACLSize(AclType, AclFlag) \
-do { \
-if((DescriptorCopy.Control & SE_##AclFlag##_PRESENT) && \
-DescriptorCopy.AclType != NULL) \
-{ \
-PACL AclType = (PACL)DescriptorCopy.AclType; \
-\
-if(CurrentMode != KernelMode) \
-{ \
-/* Securely access the buffers! */ \
-_SEH2_TRY \
-{ \
-AclType##Size = ProbeForReadUshort(&AclType->AclSize); \
-DescriptorSize += ROUND_UP(AclType##Size, sizeof(ULONG)); \
-ProbeForRead(AclType, \
-AclType##Size, \
-sizeof(ULONG)); \
-} \
-_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
\
-{ \
-_SEH2_YIELD(return _SEH2_GetExceptionCode()); \
-} \
-_SEH2_END; \
-\
-} \
-else \
-{ \
-AclType##Size = AclType->AclSize; \
-DescriptorSize += ROUND_UP(AclType##Size, sizeof(ULONG)); \
-} \
-} \
-else \
-{ \
-DescriptorCopy.AclType = NULL; \
-} \
-} while(0)
-
- DetermineACLSize(Sacl, SACL);
- DetermineACLSize(Dacl, DACL);
-
-#undef DetermineACLSize
-
- /*
- * Allocate enough memory to store a complete copy of a self-relative
- * security descriptor
- */
- NewDescriptor = ExAllocatePoolWithTag(PoolType,
- DescriptorSize,
- TAG_SD);
- if (NewDescriptor != NULL)
- {
- ULONG_PTR Offset = sizeof(SECURITY_DESCRIPTOR);
-
- RtlZeroMemory(NewDescriptor, DescriptorSize);
- NewDescriptor->Revision = DescriptorCopy.Revision;
- NewDescriptor->Sbz1 = DescriptorCopy.Sbz1;
- NewDescriptor->Control = DescriptorCopy.Control | SE_SELF_RELATIVE;
-
- _SEH2_TRY
- {
- /*
- * Setup the offsets and copy the SIDs and ACLs to the new
- * self-relative security descriptor. Probing the pointers is not
- * neccessary anymore as we did that when collecting the sizes!
- * Make sure to validate the SIDs and ACLs *again* as they could have
- * been modified in the meanwhile!
- */
-#define CopySID(Type) \
-do { \
-if(DescriptorCopy.Type != NULL) \
-{ \
-NewDescriptor->Type = (PVOID)Offset; \
-RtlCopyMemory((PVOID)((ULONG_PTR)NewDescriptor + \
-(ULONG_PTR)NewDescriptor->Type), \
-DescriptorCopy.Type, \
-Type##Size); \
-if (!RtlValidSid((PSID)((ULONG_PTR)NewDescriptor + \
-(ULONG_PTR)NewDescriptor->Type))) \
-{ \
-RtlRaiseStatus(STATUS_INVALID_SID); \
-} \
-Offset += ROUND_UP(Type##Size, sizeof(ULONG)); \
-} \
-} while(0)
-
- CopySID(Owner);
- CopySID(Group);
-
-#undef CopySID
-
-#define CopyACL(Type) \
-do { \
-if(DescriptorCopy.Type != NULL) \
-{ \
-NewDescriptor->Type = (PVOID)Offset; \
-RtlCopyMemory((PVOID)((ULONG_PTR)NewDescriptor + \
-(ULONG_PTR)NewDescriptor->Type), \
-DescriptorCopy.Type, \
-Type##Size); \
-if (!RtlValidAcl((PACL)((ULONG_PTR)NewDescriptor + \
-(ULONG_PTR)NewDescriptor->Type))) \
-{ \
-RtlRaiseStatus(STATUS_INVALID_ACL); \
-} \
-Offset += ROUND_UP(Type##Size, sizeof(ULONG)); \
-} \
-} while(0)
-
- CopyACL(Sacl);
- CopyACL(Dacl);
-
-#undef CopyACL
- }
- _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
- {
- /* We failed to copy the data to the new descriptor */
- ExFreePoolWithTag(NewDescriptor, TAG_SD);
- _SEH2_YIELD(return _SEH2_GetExceptionCode());
- }
- _SEH2_END;
-
- /*
- * We're finally done!
- * Copy the pointer to the captured descriptor to to the caller.
- */
- *CapturedSecurityDescriptor = NewDescriptor;
- return STATUS_SUCCESS;
- }
- else
- {
- Status = STATUS_INSUFFICIENT_RESOURCES;
- }
- }
- else
+ ULONG Offset;
+
+ if (!OriginalDescriptor)
{
/* Nothing to do... */
*CapturedSecurityDescriptor = NULL;
- }
-
- return Status;
+ return STATUS_SUCCESS;
+ }
+
+ /* Quick path */
+ if (CurrentMode == KernelMode && !CaptureIfKernel)
+ {
+ /* Check descriptor version */
+ if (OriginalDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
+ {
+ return STATUS_UNKNOWN_REVISION;
+ }
+
+ *CapturedSecurityDescriptor = _OriginalSecurityDescriptor;
+ return STATUS_SUCCESS;
+ }
+
+ _SEH2_TRY
+ {
+ if (CurrentMode != KernelMode)
+ {
+ ProbeForRead(OriginalDescriptor,
+ sizeof(SECURITY_DESCRIPTOR_RELATIVE),
+ sizeof(ULONG));
+ }
+
+ /* Check the descriptor version */
+ if (OriginalDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
+ {
+ _SEH2_YIELD(return STATUS_UNKNOWN_REVISION);
+ }
+
+ if (CurrentMode != KernelMode)
+ {
+ /* Get the size of the descriptor */
+ DescriptorSize = (OriginalDescriptor->Control & SE_SELF_RELATIVE) ?
+ sizeof(SECURITY_DESCRIPTOR_RELATIVE) : sizeof(SECURITY_DESCRIPTOR);
+
+ /* Probe the entire security descriptor structure. The SIDs
+ * and ACLs will be probed and copied later though */
+ ProbeForRead(OriginalDescriptor, DescriptorSize, sizeof(ULONG));
+ }
+
+ /* Now capture all fields and convert to an absolute descriptor */
+ DescriptorCopy.Revision = OriginalDescriptor->Revision;
+ DescriptorCopy.Sbz1 = OriginalDescriptor->Sbz1;
+ DescriptorCopy.Control = OriginalDescriptor->Control & ~SE_SELF_RELATIVE;
+ DescriptorCopy.Owner = SepGetOwnerFromDescriptor(OriginalDescriptor);
+ DescriptorCopy.Group = SepGetGroupFromDescriptor(OriginalDescriptor);
+ DescriptorCopy.Sacl = SepGetSaclFromDescriptor(OriginalDescriptor);
+ DescriptorCopy.Dacl = SepGetDaclFromDescriptor(OriginalDescriptor);
+ DescriptorSize = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
+
+ /* Determine owner and group sizes */
+ OwnerSize = DetermineSIDSize(DescriptorCopy.Owner, &OwnerSAC, CurrentMode);
+ DescriptorSize += ROUND_UP(OwnerSize, sizeof(ULONG));
+ GroupSize = DetermineSIDSize(DescriptorCopy.Group, &GroupSAC, CurrentMode);
+ DescriptorSize += ROUND_UP(GroupSize, sizeof(ULONG));
+
+ /* Determine the size of the ACLs */
+ if (DescriptorCopy.Control & SE_SACL_PRESENT)
+ {
+ /* Get the size and probe if user mode */
+ SaclSize = DetermineACLSize(DescriptorCopy.Sacl, CurrentMode);
+ DescriptorSize += ROUND_UP(SaclSize, sizeof(ULONG));
+ }
+
+ if (DescriptorCopy.Control & SE_DACL_PRESENT)
+ {
+ /* Get the size and probe if user mode */
+ DaclSize = DetermineACLSize(DescriptorCopy.Dacl, CurrentMode);
+ DescriptorSize += ROUND_UP(DaclSize, sizeof(ULONG));
+ }
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END
+
+ /*
+ * Allocate enough memory to store a complete copy of a self-relative
+ * security descriptor
+ */
+ NewDescriptor = ExAllocatePoolWithTag(PoolType,
+ DescriptorSize,
+ TAG_SD);
+ if (!NewDescriptor) return STATUS_INSUFFICIENT_RESOURCES;
+
+ RtlZeroMemory(NewDescriptor, DescriptorSize);
+ NewDescriptor->Revision = DescriptorCopy.Revision;
+ NewDescriptor->Sbz1 = DescriptorCopy.Sbz1;
+ NewDescriptor->Control = DescriptorCopy.Control | SE_SELF_RELATIVE;
+
+ _SEH2_TRY
+ {
+ /*
+ * Setup the offsets and copy the SIDs and ACLs to the new
+ * self-relative security descriptor. Probing the pointers is not
+ * neccessary anymore as we did that when collecting the sizes!
+ * Make sure to validate the SIDs and ACLs *again* as they could have
+ * been modified in the meanwhile!
+ */
+ Offset = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
+
+ if (DescriptorCopy.Owner)
+ {
+ if (!RtlValidSid(DescriptorCopy.Owner)) RtlRaiseStatus(STATUS_INVALID_SID);
+ NewDescriptor->Owner = Offset;
+ RtlCopyMemory((PUCHAR)NewDescriptor + Offset,
+ DescriptorCopy.Owner,
+ OwnerSize);
+ Offset += ROUND_UP(OwnerSize, sizeof(ULONG));
+ }
+
+ if (DescriptorCopy.Group)
+ {
+ if (!RtlValidSid(DescriptorCopy.Group)) RtlRaiseStatus(STATUS_INVALID_SID);
+ NewDescriptor->Group = Offset;
+ RtlCopyMemory((PUCHAR)NewDescriptor + Offset,
+ DescriptorCopy.Group,
+ GroupSize);
+ Offset += ROUND_UP(GroupSize, sizeof(ULONG));
+ }
+
+ if (DescriptorCopy.Sacl)
+ {
+ if (!RtlValidAcl(DescriptorCopy.Sacl)) RtlRaiseStatus(STATUS_INVALID_ACL);
+ NewDescriptor->Sacl = Offset;
+ RtlCopyMemory((PUCHAR)NewDescriptor + Offset,
+ DescriptorCopy.Sacl,
+ SaclSize);
+ Offset += ROUND_UP(SaclSize, sizeof(ULONG));
+ }
+
+ if (DescriptorCopy.Dacl)
+ {
+ if (!RtlValidAcl(DescriptorCopy.Dacl)) RtlRaiseStatus(STATUS_INVALID_ACL);
+ NewDescriptor->Dacl = Offset;
+ RtlCopyMemory((PUCHAR)NewDescriptor + Offset,
+ DescriptorCopy.Dacl,
+ DaclSize);
+ Offset += ROUND_UP(DaclSize, sizeof(ULONG));
+ }
+
+ /* Make sure the size was correct */
+ ASSERT(Offset == DescriptorSize);
+ }
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+ {
+ /* We failed to copy the data to the new descriptor */
+ ExFreePoolWithTag(NewDescriptor, TAG_SD);
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
+
+ /*
+ * We're finally done!
+ * Copy the pointer to the captured descriptor to to the caller.
+ */
+ *CapturedSecurityDescriptor = NewDescriptor;
+ return STATUS_SUCCESS;
}
/*
@@ -889,9 +861,10 @@
IN POOL_TYPE PoolType,
IN PGENERIC_MAPPING GenericMapping)
{
- PISECURITY_DESCRIPTOR ObjectSd;
- PISECURITY_DESCRIPTOR NewSd;
+ PISECURITY_DESCRIPTOR_RELATIVE ObjectSd;
+ PISECURITY_DESCRIPTOR_RELATIVE NewSd;
PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
+ PISECURITY_DESCRIPTOR_RELATIVE RelSD =
(PISECURITY_DESCRIPTOR_RELATIVE)SecurityDescriptor;
PSID Owner = 0;
PSID Group = 0;
PACL Dacl = 0;
@@ -901,10 +874,11 @@
ULONG DaclLength = 0;
ULONG SaclLength = 0;
ULONG Control = 0;
- ULONG_PTR Current;
+ ULONG Current;
SECURITY_INFORMATION SecurityInformation;
ObjectSd = *ObjectsSecurityDescriptor;
+ ASSERT(ObjectSd->Control & SE_SELF_RELATIVE);
/* The object does not have a security descriptor. */
if (!ObjectSd)
@@ -918,7 +892,7 @@
if (SecurityDescriptor->Owner != NULL)
{
if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
- Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner +
+ Owner = (PSID)((ULONG_PTR)RelSD->Owner +
(ULONG_PTR)SecurityDescriptor);
else
Owner = (PSID)SecurityDescriptor->Owner;
@@ -929,7 +903,7 @@
}
else
{
- if (ObjectSd->Owner != NULL)
+ if (ObjectSd->Owner)
{
Owner = (PSID)((ULONG_PTR)ObjectSd->Owner + (ULONG_PTR)ObjectSd);
OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
@@ -937,7 +911,7 @@
Control |= (ObjectSd->Control & SE_OWNER_DEFAULTED);
}
-
+
/* Get group and group size */
if (SecurityInformation & GROUP_SECURITY_INFORMATION)
{
@@ -955,7 +929,7 @@
}
else
{
- if (ObjectSd->Group != NULL)
+ if (ObjectSd->Group)
{
Group = (PSID)((ULONG_PTR)ObjectSd->Group + (ULONG_PTR)ObjectSd);
GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
@@ -983,8 +957,7 @@
}
else
{
- if ((ObjectSd->Control & SE_DACL_PRESENT) &&
- (ObjectSd->Dacl != NULL))
+ if ((ObjectSd->Control & SE_DACL_PRESENT) && (ObjectSd->Dacl))
{
Dacl = (PACL)((ULONG_PTR)ObjectSd->Dacl + (ULONG_PTR)ObjectSd);
DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4);
@@ -992,7 +965,7 @@
Control |= (ObjectSd->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
}
-
+
/* Get SACL and SACL size */
if (SecurityInformation & SACL_SECURITY_INFORMATION)
{
@@ -1011,8 +984,7 @@
}
else
{
- if ((ObjectSd->Control & SE_SACL_PRESENT) &&
- (ObjectSd->Sacl != NULL))
+ if ((ObjectSd->Control & SE_SACL_PRESENT) && (ObjectSd->Sacl))
{
Sacl = (PACL)((ULONG_PTR)ObjectSd->Sacl + (ULONG_PTR)ObjectSd);
SaclLength = ROUND_UP((ULONG)Sacl->AclSize, 4);
@@ -1022,7 +994,7 @@
}
NewSd = ExAllocatePool(NonPagedPool,
- sizeof(SECURITY_DESCRIPTOR) + OwnerLength + GroupLength +
+ sizeof(SECURITY_DESCRIPTOR_RELATIVE) + OwnerLength +
GroupLength +
DaclLength + SaclLength);
if (NewSd == NULL)
{
@@ -1036,41 +1008,33 @@
/* We always build a self-relative descriptor */
NewSd->Control = (USHORT)Control | SE_SELF_RELATIVE;
- Current = (ULONG_PTR)NewSd + sizeof(SECURITY_DESCRIPTOR);
+ Current = sizeof(SECURITY_DESCRIPTOR);
if (OwnerLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Owner,
- OwnerLength);
- NewSd->Owner = (PSID)(Current - (ULONG_PTR)NewSd);
+ RtlCopyMemory((PUCHAR)NewSd + Current, Owner, OwnerLength);
+ NewSd->Owner = Current;
Current += OwnerLength;
}
if (GroupLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Group,
- GroupLength);
- NewSd->Group = (PSID)(Current - (ULONG_PTR)NewSd);
+ RtlCopyMemory((PUCHAR)NewSd + Current, Group, GroupLength);
+ NewSd->Group = Current;
Current += GroupLength;
}
if (DaclLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Dacl,
- DaclLength);
- NewSd->Dacl = (PACL)(Current - (ULONG_PTR)NewSd);
+ RtlCopyMemory((PUCHAR)NewSd + Current, Dacl, DaclLength);
+ NewSd->Dacl = Current;
Current += DaclLength;
}
if (SaclLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Sacl,
- SaclLength);
- NewSd->Sacl = (PACL)(Current - (ULONG_PTR)NewSd);
+ RtlCopyMemory((PUCHAR)NewSd + Current, Sacl, SaclLength);
+ NewSd->Sacl = Current;
Current += SaclLength;
}
@@ -1112,7 +1076,7 @@
ULONG SdLength;
PISID Sid;
PACL Acl;
- PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
+ PISECURITY_DESCRIPTOR_RELATIVE SecurityDescriptor = _SecurityDescriptor;
if (Length < SECURITY_DESCRIPTOR_MIN_LENGTH)
{
@@ -1135,19 +1099,19 @@
SdLength = sizeof(SECURITY_DESCRIPTOR);
/* Check Owner SID */
- if (SecurityDescriptor->Owner == NULL)
+ if (SecurityDescriptor->Owner)
{
DPRINT1("No Owner SID\n");
return FALSE;
}
- if ((ULONG_PTR)SecurityDescriptor->Owner % sizeof(ULONG))
+ if (SecurityDescriptor->Owner % sizeof(ULONG))
{
DPRINT1("Invalid Owner SID alignment\n");
return FALSE;
}
- Sid = (PISID)((ULONG_PTR)SecurityDescriptor +
(ULONG_PTR)SecurityDescriptor->Owner);
+ Sid = (PISID)((ULONG_PTR)SecurityDescriptor + SecurityDescriptor->Owner);
if (Sid->Revision != SID_REVISION)
{
DPRINT1("Invalid Owner SID revision\n");
@@ -1162,15 +1126,15 @@
}
/* Check Group SID */
- if (SecurityDescriptor->Group != NULL)
- {
- if ((ULONG_PTR)SecurityDescriptor->Group % sizeof(ULONG))
+ if (SecurityDescriptor->Group)
+ {
+ if (SecurityDescriptor->Group % sizeof(ULONG))
{
DPRINT1("Invalid Group SID alignment\n");
return FALSE;
}
- Sid = (PSID)((ULONG_PTR)SecurityDescriptor +
(ULONG_PTR)SecurityDescriptor->Group);
+ Sid = (PSID)((ULONG_PTR)SecurityDescriptor + SecurityDescriptor->Group);
if (Sid->Revision != SID_REVISION)
{
DPRINT1("Invalid Group SID revision\n");
@@ -1186,15 +1150,15 @@
}
/* Check DACL */
- if (SecurityDescriptor->Dacl != NULL)
- {
- if ((ULONG_PTR)SecurityDescriptor->Dacl % sizeof(ULONG))
+ if (SecurityDescriptor->Dacl)
+ {
+ if (SecurityDescriptor->Dacl % sizeof(ULONG))
{
DPRINT1("Invalid DACL alignment\n");
return FALSE;
}
- Acl = (PACL)((ULONG_PTR)SecurityDescriptor +
(ULONG_PTR)SecurityDescriptor->Dacl);
+ Acl = (PACL)((ULONG_PTR)SecurityDescriptor + SecurityDescriptor->Dacl);
if ((Acl->AclRevision < MIN_ACL_REVISION) &&
(Acl->AclRevision > MAX_ACL_REVISION))
{
@@ -1211,15 +1175,15 @@
}
/* Check SACL */
- if (SecurityDescriptor->Sacl != NULL)
- {
- if ((ULONG_PTR)SecurityDescriptor->Sacl % sizeof(ULONG))
+ if (SecurityDescriptor->Sacl)
+ {
+ if (SecurityDescriptor->Sacl % sizeof(ULONG))
{
DPRINT1("Invalid SACL alignment\n");
return FALSE;
}
- Acl = (PACL)((ULONG_PTR)SecurityDescriptor +
(ULONG_PTR)SecurityDescriptor->Sacl);
+ Acl = (PACL)((ULONG_PTR)SecurityDescriptor + SecurityDescriptor->Sacl);
if ((Acl->AclRevision < MIN_ACL_REVISION) ||
(Acl->AclRevision > MAX_ACL_REVISION))
{
@@ -1254,6 +1218,7 @@
return STATUS_SUCCESS;
}
+
/*
@@ -1288,7 +1253,7 @@
{
PISECURITY_DESCRIPTOR ParentDescriptor = _ParentDescriptor;
PISECURITY_DESCRIPTOR ExplicitDescriptor = _ExplicitDescriptor;
- PISECURITY_DESCRIPTOR Descriptor;
+ PISECURITY_DESCRIPTOR_RELATIVE Descriptor;
PTOKEN Token;
ULONG OwnerLength = 0;
ULONG GroupLength = 0;
@@ -1296,7 +1261,7 @@
ULONG SaclLength = 0;
ULONG Length = 0;
ULONG Control = 0;
- ULONG_PTR Current;
+ ULONG Current;
PSID Owner = NULL;
PSID Group = NULL;
PACL Dacl = NULL;
@@ -1317,17 +1282,13 @@
}
/* Inherit the Owner SID */
- if (ExplicitDescriptor != NULL && ExplicitDescriptor->Owner != NULL)
+ if (ExplicitDescriptor != NULL)
{
DPRINT("Use explicit owner sid!\n");
- Owner = ExplicitDescriptor->Owner;
-
- if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
- {
- Owner = (PSID)(((ULONG_PTR)Owner) + (ULONG_PTR)ExplicitDescriptor);
- }
- }
- else
+ Owner = SepGetOwnerFromDescriptor(ExplicitDescriptor);
+ }
+
+ if (!Owner)
{
if (Token != NULL)
{
@@ -1346,16 +1307,12 @@
OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
/* Inherit the Group SID */
- if (ExplicitDescriptor != NULL && ExplicitDescriptor->Group != NULL)
- {
- DPRINT("Use explicit group sid!\n");
- Group = ExplicitDescriptor->Group;
- if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
- {
- Group = (PSID)(((ULONG_PTR)Group) + (ULONG_PTR)ExplicitDescriptor);
- }
- }
- else
+ if (ExplicitDescriptor != NULL)
+ {
+ Group = SepGetGroupFromDescriptor(ExplicitDescriptor);
+ }
+
+ if (!Group)
{
if (Token != NULL)
{
@@ -1368,7 +1325,7 @@
Group = SeLocalSystemSid;
}
- Control |= SE_OWNER_DEFAULTED;
+ Control |= SE_GROUP_DEFAULTED;
}
GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
@@ -1379,12 +1336,7 @@
!(ExplicitDescriptor->Control & SE_DACL_DEFAULTED))
{
DPRINT("Use explicit DACL!\n");
- Dacl = ExplicitDescriptor->Dacl;
- if (Dacl != NULL && (ExplicitDescriptor->Control &
SE_SELF_RELATIVE))
- {
- Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ExplicitDescriptor);
- }
-
+ Dacl = SepGetDaclFromDescriptor(ExplicitDescriptor);
Control |= SE_DACL_PRESENT;
}
else if (ParentDescriptor != NULL &&
@@ -1392,12 +1344,7 @@
{
DPRINT("Use parent DACL!\n");
/* FIXME: Inherit */
- Dacl = ParentDescriptor->Dacl;
- if (Dacl != NULL && (ParentDescriptor->Control &
SE_SELF_RELATIVE))
- {
- Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ParentDescriptor);
- }
-
+ Dacl = SepGetDaclFromDescriptor(ParentDescriptor);
Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
}
else if (Token != NULL && Token->DefaultDacl != NULL)
@@ -1422,12 +1369,7 @@
!(ExplicitDescriptor->Control & SE_SACL_DEFAULTED))
{
DPRINT("Use explicit SACL!\n");
- Sacl = ExplicitDescriptor->Sacl;
- if (Sacl != NULL && (ExplicitDescriptor->Control &
SE_SELF_RELATIVE))
- {
- Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ExplicitDescriptor);
- }
-
+ Sacl = SepGetSaclFromDescriptor(ExplicitDescriptor);
Control |= SE_SACL_PRESENT;
}
else if (ParentDescriptor != NULL &&
@@ -1435,20 +1377,15 @@
{
DPRINT("Use parent SACL!\n");
/* FIXME: Inherit */
- Sacl = ParentDescriptor->Sacl;
- if (Sacl != NULL && (ParentDescriptor->Control &
SE_SELF_RELATIVE))
- {
- Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ParentDescriptor);
- }
-
+ Sacl = SepGetSaclFromDescriptor(ParentDescriptor);
Control |= (SE_SACL_PRESENT | SE_SACL_DEFAULTED);
}
SaclLength = (Sacl != NULL) ? ROUND_UP(Sacl->AclSize, 4) : 0;
/* Allocate and initialize the new security descriptor */
- Length = sizeof(SECURITY_DESCRIPTOR) +
- OwnerLength + GroupLength + DaclLength + SaclLength;
+ Length = sizeof(SECURITY_DESCRIPTOR_RELATIVE) +
+ OwnerLength + GroupLength + DaclLength + SaclLength;
DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %d OwnerLength %d GroupLength %d
DaclLength %d SaclLength %d\n",
sizeof(SECURITY_DESCRIPTOR),
@@ -1457,9 +1394,7 @@
DaclLength,
SaclLength);
- Descriptor = ExAllocatePoolWithTag(PagedPool,
- Length,
- TAG_SD);
+ Descriptor = ExAllocatePoolWithTag(PagedPool, Length, TAG_SD);
if (Descriptor == NULL)
{
DPRINT1("ExAlloctePool() failed\n");
@@ -1467,38 +1402,31 @@
return STATUS_INSUFFICIENT_RESOURCES;
}
- RtlZeroMemory( Descriptor, Length );
- RtlCreateSecurityDescriptor(Descriptor,
- SECURITY_DESCRIPTOR_REVISION);
+ RtlZeroMemory(Descriptor, Length);
+ RtlCreateSecurityDescriptor(Descriptor, SECURITY_DESCRIPTOR_REVISION);
Descriptor->Control = (USHORT)Control | SE_SELF_RELATIVE;
- Current = (ULONG_PTR)Descriptor + sizeof(SECURITY_DESCRIPTOR);
+ Current = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
if (SaclLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Sacl,
- SaclLength);
- Descriptor->Sacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+ RtlCopyMemory((PUCHAR)Descriptor + Current, Sacl, SaclLength);
+ Descriptor->Sacl = Current;
Current += SaclLength;
}
if (DaclLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Dacl,
- DaclLength);
- Descriptor->Dacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+ RtlCopyMemory((PUCHAR)Descriptor + Current, Dacl, DaclLength);
+ Descriptor->Dacl = Current;
Current += DaclLength;
}
if (OwnerLength != 0)
{
- RtlCopyMemory((PVOID)Current,
- Owner,
- OwnerLength);
- Descriptor->Owner = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+ RtlCopyMemory((PUCHAR)Descriptor + Current, Owner, OwnerLength);
+ Descriptor->Owner = Current;
Current += OwnerLength;
DPRINT("Owner of %x at %x\n", Descriptor, Descriptor->Owner);
}
@@ -1509,10 +1437,8 @@
if (GroupLength != 0)
{
- memmove((PVOID)Current,
- Group,
- GroupLength);
- Descriptor->Group = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+ RtlCopyMemory((PUCHAR)Descriptor + Current, Group, GroupLength);
+ Descriptor->Group = Current;
}
/* Unlock subject context */