[ros-diffs] [ekohl] 46602: [NTOSKRNL] - Move kernel-mode check around, so we won't run it twice when calling NtAccessCheck. - Fix a wrong check for security descriptors with a NULL-DACL.

30 Mar 2010

Author: ekohl
Date: Tue Mar 30 19:01:23 2010
New Revision: 46602
URL: http://svn.reactos.org/svn/reactos?rev=46602&view=rev
Log:
[NTOSKRNL]
- Move kernel-mode check around, so we won't run it twice when calling NtAccessCheck.
- Fix a wrong check for security descriptors with a NULL-DACL.
Modified:
    trunk/reactos/ntoskrnl/se/semgr.c
Modified: trunk/reactos/ntoskrnl/se/semgr.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=466...
==============================================================================

--- trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] Tue Mar 30 19:01:23 2010
@@ -377,28 +377,6 @@
     NTSTATUS Status;
     PAGED_CODE();
-    /* Check if this is kernel mode */
-    if (AccessMode == KernelMode)
-    {
-        /* Check if kernel wants everything */
-        if (DesiredAccess & MAXIMUM_ALLOWED)
-        {
-            /* Give it */
-            *GrantedAccess = GenericMapping->GenericAll;
-            *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
-            *GrantedAccess |= PreviouslyGrantedAccess;
-        }
-        else
-        {
-            /* Give the desired and previous access */
-            *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
-        }
-
-        /* Success */
-        *AccessStatus = STATUS_SUCCESS;
-        return TRUE;
-    }
-
     /* Check if we didn't get an SD */
     if (!SecurityDescriptor)
     {
@@ -467,7 +445,7 @@
     }
/* RULE 1: Grant desired access if the object is unprotected */
-    if (Present == TRUE && Dacl == NULL)
+    if (Present == FALSE || Dacl == NULL)
     {
         if (SubjectContextLocked == FALSE)
         {
@@ -678,6 +656,30 @@
               OUT PACCESS_MASK GrantedAccess,
               OUT PNTSTATUS AccessStatus)
 {
+    PAGED_CODE();
+
+    /* Check if this is kernel mode */
+    if (AccessMode == KernelMode)
+    {
+        /* Check if kernel wants everything */
+        if (DesiredAccess & MAXIMUM_ALLOWED)
+        {
+            /* Give it */
+            *GrantedAccess = GenericMapping->GenericAll;
+            *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
+            *GrantedAccess |= PreviouslyGrantedAccess;
+        }
+        else
+        {
+            /* Give the desired and previous access */
+            *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
+        }
+
+        /* Success */
+        *AccessStatus = STATUS_SUCCESS;
+        return TRUE;
+    }
+
     /* Call the internal function */
     return SepAccessCheck(SecurityDescriptor,
                           SubjectSecurityContext,

    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

[ros-diffs] [ekohl] 46602: [NTOSKRNL] - Move kernel-mode check around, so we won't run it twice when calling NtAccessCheck. - Fix a wrong check for security descriptors with a NULL-DACL.