[ros-diffs] [gedmurphy] 71636: [NTOS] - Properly implement ObpValidateAccessMask - If the security descriptor has a system acl, the caller will need access to it

Author: gedmurphy Date: Tue Jun 14 18:01:02 2016 New Revision: 71636 URL: http://svn.reactos.org/svn/reactos?rev=71636&view=rev Log: [NTOS] - Properly implement ObpValidateAccessMask - If the security descriptor has a system acl, the caller will need access to it Modified: trunk/reactos/ntoskrnl/ob/obhandle.c Modified: trunk/reactos/ntoskrnl/ob/obhandle.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ob/obhandle.c?rev… ============================================================================== --- trunk/reactos/ntoskrnl/ob/obhandle.c [iso-8859-1] (original) +++ trunk/reactos/ntoskrnl/ob/obhandle.c [iso-8859-1] Tue Jun 14 18:01:02 2016 @@ -484,7 +484,22 @@ NTAPI ObpValidateAccessMask(IN PACCESS_STATE AccessState) { - /* TODO */ + PISECURITY_DESCRIPTOR SecurityDescriptor; + + /* We're only interested if the object for this access state has an SD */ + SecurityDescriptor = AccessState->SecurityDescriptor; + if (SecurityDescriptor) + { + /* Check if the SD has a system ACL but hasn't been granted access to get/set it */ + if ((SecurityDescriptor->Control & SE_SACL_PRESENT) && + !(AccessState->PreviouslyGrantedAccess & ACCESS_SYSTEM_SECURITY)) + { + /* We're gonna need access */ + AccessState->RemainingDesiredAccess |= ACCESS_SYSTEM_SECURITY; + } + } + + /* This can't fail */ return STATUS_SUCCESS; }