Author: tkreuzer Date: Sun Feb 9 16:57:42 2014 New Revision: 62074
URL: http://svn.reactos.org/svn/reactos?rev=62074&view=rev Log: [NTOSKRNL] - Rename SepAccessCheck to SepAccessCheckEx, start adding support for ObjectType and result lists, call SepAccessCheckEx from SepAccessCheck
Modified: trunk/reactos/ntoskrnl/se/accesschk.c
Modified: trunk/reactos/ntoskrnl/se/accesschk.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/accesschk.c?rev... ============================================================================== --- trunk/reactos/ntoskrnl/se/accesschk.c [iso-8859-1] (original) +++ trunk/reactos/ntoskrnl/se/accesschk.c [iso-8859-1] Sun Feb 9 16:57:42 2014 @@ -21,22 +21,25 @@ #define OLD_ACCESS_CHECK
BOOLEAN NTAPI -SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, +SepAccessCheckEx(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN ACCESS_MASK DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, IN ACCESS_MASK PreviouslyGrantedAccess, OUT PPRIVILEGE_SET* Privileges, IN PGENERIC_MAPPING GenericMapping, IN KPROCESSOR_MODE AccessMode, - OUT PACCESS_MASK GrantedAccess, - OUT PNTSTATUS AccessStatus) + OUT PACCESS_MASK GrantedAccessList, + OUT PNTSTATUS AccessStatusList, + IN BOOLEAN UseResultList) { ACCESS_MASK RemainingAccess; ACCESS_MASK TempAccess; ACCESS_MASK TempGrantedAccess = 0; ACCESS_MASK TempDeniedAccess = 0; PACCESS_TOKEN Token; - ULONG i; + ULONG i, ResultListLength; PACL Dacl; BOOLEAN Present; BOOLEAN Defaulted; @@ -52,15 +55,14 @@ if (!PreviouslyGrantedAccess) { /* Then there's nothing to give */ - *AccessStatus = STATUS_ACCESS_DENIED; - return FALSE; + Status = STATUS_ACCESS_DENIED; + goto ReturnCommonStatus; }
/* Return the previous access only */ - *GrantedAccess = PreviouslyGrantedAccess; - *AccessStatus = STATUS_SUCCESS; + Status = STATUS_SUCCESS; *Privileges = NULL; - return TRUE; + goto ReturnCommonStatus; }
/* Map given accesses */ @@ -83,16 +85,14 @@ UserMode); if (!NT_SUCCESS(Status)) { - *AccessStatus = Status; - return FALSE; + goto ReturnCommonStatus; }
/* Succeed if there are no more rights to grant */ if (RemainingAccess == 0) { - *GrantedAccess = PreviouslyGrantedAccess; - *AccessStatus = STATUS_SUCCESS; - return TRUE; + Status = STATUS_SUCCESS; + goto ReturnCommonStatus; }
/* Get the DACL */ @@ -102,25 +102,21 @@ &Defaulted); if (!NT_SUCCESS(Status)) { - *AccessStatus = Status; - return FALSE; + goto ReturnCommonStatus; }
/* RULE 1: Grant desired access if the object is unprotected */ if (Present == FALSE || Dacl == NULL) { - if (DesiredAccess & MAXIMUM_ALLOWED) - { - *GrantedAccess = GenericMapping->GenericAll; - *GrantedAccess |= (DesiredAccess | PreviouslyGrantedAccess) & ~MAXIMUM_ALLOWED; - } - else - { - *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess; - } - - *AccessStatus = STATUS_SUCCESS; - return TRUE; + PreviouslyGrantedAccess |= RemainingAccess; + if (RemainingAccess & MAXIMUM_ALLOWED) + { + PreviouslyGrantedAccess &= ~MAXIMUM_ALLOWED; + PreviouslyGrantedAccess |= GenericMapping->GenericAll; + } + + Status = STATUS_SUCCESS; + goto ReturnCommonStatus; }
/* Deny access if the DACL is empty */ @@ -128,24 +124,14 @@ { if (RemainingAccess == MAXIMUM_ALLOWED && PreviouslyGrantedAccess != 0) { - *GrantedAccess = PreviouslyGrantedAccess; - *AccessStatus = STATUS_SUCCESS; - return TRUE; + Status = STATUS_SUCCESS; } else { - *GrantedAccess = 0; - *AccessStatus = STATUS_ACCESS_DENIED; - return FALSE; - } - } - - /* Fail if DACL is absent */ - if (Present == FALSE) - { - *GrantedAccess = 0; - *AccessStatus = STATUS_ACCESS_DENIED; - return FALSE; + PreviouslyGrantedAccess = 0; + Status = STATUS_ACCESS_DENIED; + } + goto ReturnCommonStatus; }
/* Determine the MAXIMUM_ALLOWED access rights according to the DACL */ @@ -195,23 +181,22 @@ RemainingAccess &= ~(MAXIMUM_ALLOWED | TempGrantedAccess); if (RemainingAccess != 0) { - *GrantedAccess = 0; - *AccessStatus = STATUS_ACCESS_DENIED; - return FALSE; + PreviouslyGrantedAccess = 0; + Status = STATUS_ACCESS_DENIED; + goto ReturnCommonStatus; }
/* Set granted access right and access status */ - *GrantedAccess = TempGrantedAccess | PreviouslyGrantedAccess; - if (*GrantedAccess != 0) - { - *AccessStatus = STATUS_SUCCESS; - return TRUE; + PreviouslyGrantedAccess |= TempGrantedAccess; + if (PreviouslyGrantedAccess != 0) + { + Status = STATUS_SUCCESS; } else { - *AccessStatus = STATUS_ACCESS_DENIED; - return FALSE; - } + Status = STATUS_ACCESS_DENIED; + } + goto ReturnCommonStatus; }
/* RULE 4: Grant rights according to the DACL */ @@ -226,9 +211,9 @@ if (SepSidInToken(Token, Sid)) { #ifdef OLD_ACCESS_CHECK - *GrantedAccess = 0; - *AccessStatus = STATUS_ACCESS_DENIED; - return FALSE; + PreviouslyGrantedAccess = 0; + Status = STATUS_ACCESS_DENIED; + goto ReturnCommonStatus; #else /* Map access rights from the ACE */ TempAccess = CurrentAce->AccessMask; @@ -272,23 +257,23 @@ DPRINT("PreviouslyGrantedAccess %08lx\n DesiredAccess %08lx\n", PreviouslyGrantedAccess, DesiredAccess);
- *GrantedAccess = PreviouslyGrantedAccess & DesiredAccess; - - if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) == + PreviouslyGrantedAccess &= DesiredAccess; + + if ((PreviouslyGrantedAccess & ~VALID_INHERIT_FLAGS) == (DesiredAccess & ~VALID_INHERIT_FLAGS)) { - *AccessStatus = STATUS_SUCCESS; - return TRUE; + Status = STATUS_SUCCESS; + goto ReturnCommonStatus; } else { DPRINT1("HACK: Should deny access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p).\n", - *GrantedAccess, DesiredAccess, GenericMapping); + PreviouslyGrantedAccess, DesiredAccess, GenericMapping); //*AccessStatus = STATUS_ACCESS_DENIED; //return FALSE; - *GrantedAccess = DesiredAccess; - *AccessStatus = STATUS_SUCCESS; - return TRUE; + PreviouslyGrantedAccess = DesiredAccess; + Status = STATUS_SUCCESS; + goto ReturnCommonStatus; } #else DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess %08lx\n", @@ -298,25 +283,61 @@ if (RemainingAccess != 0) { *GrantedAccess = 0; - *AccessStatus = STATUS_ACCESS_DENIED; - return FALSE; + Status = STATUS_ACCESS_DENIED; + goto ReturnCommonStatus; }
/* Set granted access rights */ - *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess; + PreviouslyGrantedAccess |= DesiredAccess;
DPRINT("GrantedAccess %08lx\n", *GrantedAccess);
/* Fail if no rights have been granted */ - if (*GrantedAccess == 0) - { - *AccessStatus = STATUS_ACCESS_DENIED; - return FALSE; - } - - *AccessStatus = STATUS_SUCCESS; - return TRUE; + if (PreviouslyGrantedAccess == 0) + { + Status = STATUS_ACCESS_DENIED; + goto ReturnCommonStatus; + } + + Status = STATUS_SUCCESS; + goto ReturnCommonStatus; #endif + +ReturnCommonStatus: + + ResultListLength = UseResultList ? ObjectTypeListLength : 1; + for (i = 0; i < ResultListLength; i++) + { + GrantedAccessList[i] = PreviouslyGrantedAccess; + AccessStatusList[i] = Status; + } + + return NT_SUCCESS(Status); +} + +BOOLEAN NTAPI +SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, + IN ACCESS_MASK DesiredAccess, + IN ACCESS_MASK PreviouslyGrantedAccess, + OUT PPRIVILEGE_SET* Privileges, + IN PGENERIC_MAPPING GenericMapping, + IN KPROCESSOR_MODE AccessMode, + OUT PACCESS_MASK GrantedAccess, + OUT PNTSTATUS AccessStatus) +{ + return SepAccessCheckEx(SecurityDescriptor, + SubjectSecurityContext, + DesiredAccess, + NULL, + 0, + PreviouslyGrantedAccess, + Privileges, + GenericMapping, + AccessMode, + GrantedAccess, + AccessStatus, + FALSE); }
static PSID