[ros-diffs] [reactos] 06/10: [NTOS:SE] Cast the ACE to known ACE type variants on SepGetSidFromAce

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=8289de6ef784e19920f60… commit 8289de6ef784e19920f6011ecfcd0533647ab1c1 Author: George Bișoc <george.bisoc(a)reactos.org> AuthorDate: Sun Jul 16 20:45:13 2023 +0200 Commit: unknown <george.bisoc(a)reactos.org> CommitDate: Tue Aug 22 17:54:18 2023 +0200 [NTOS:SE] Cast the ACE to known ACE type variants on SepGetSidFromAce ACCESS_DENIED_ACE_TYPE, ACCESS_ALLOWED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE and SYSTEM_ALARM_ACE_TYPE belong to the same commonly internal ACE type, aka KNOWN_ACE, as each of these ACEs have the same structure field offsets. The only difference are ACCESS_DENIED_OBJECT_ACE_TYPE and ACCESS_ALLOWED_OBJECT_ACE_TYPE as they have their own internal ACE type variant, the KNOWN_OBJECT_ACE structure. The general guideline is that public ACE structure variants have to be used elsehwere such as in UM whilst the kernel has to use the internal known ACE type variants when possible. --- ntoskrnl/se/sid.c | 42 ++++++++++++++++-------------------------- sdk/include/xdk/setypes.h | 4 ++++ 2 files changed, 20 insertions(+), 26 deletions(-) diff --git a/ntoskrnl/se/sid.c b/ntoskrnl/se/sid.c index 557447f539f..033d322d708 100644 --- a/ntoskrnl/se/sid.c +++ b/ntoskrnl/se/sid.c @@ -580,51 +580,41 @@ SepGetSidFromAce( _In_ UCHAR AceType, _In_ PACE Ace) { - PSID Sid; + PULONG Flags; + ULONG GuidSize = 0; + PSID Sid = NULL; PAGED_CODE(); /* Sanity check */ ASSERT(Ace); - /* Initialize the SID */ - Sid = NULL; - /* Obtain the SID based upon ACE type */ switch (AceType) { case ACCESS_DENIED_ACE_TYPE: - { - Sid = (PSID)&((PACCESS_DENIED_ACE)Ace)->SidStart; - break; - } - case ACCESS_ALLOWED_ACE_TYPE: + case SYSTEM_AUDIT_ACE_TYPE: + case SYSTEM_ALARM_ACE_TYPE: { - Sid = (PSID)&((PACCESS_ALLOWED_ACE)Ace)->SidStart; + Sid = (PSID)&((PKNOWN_ACE)Ace)->SidStart; break; } case ACCESS_DENIED_OBJECT_ACE_TYPE: - { - Sid = (PSID)&((PACCESS_DENIED_OBJECT_ACE)Ace)->SidStart; - break; - } - case ACCESS_ALLOWED_OBJECT_ACE_TYPE: { - Sid = (PSID)&((PACCESS_ALLOWED_OBJECT_ACE)Ace)->SidStart; - break; - } + Flags = (PULONG)&((PKNOWN_OBJECT_ACE)Ace)->Flags; + if (*Flags & ACE_OBJECT_TYPE_PRESENT) + { + GuidSize += sizeof(GUID); + } - case SYSTEM_AUDIT_ACE_TYPE: - { - Sid = (PSID)&((PSYSTEM_AUDIT_ACE)Ace)->SidStart; - break; - } + if (*Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) + { + GuidSize += sizeof(GUID); + } - case SYSTEM_ALARM_ACE_TYPE: - { - Sid = (PSID)&((PSYSTEM_ALARM_ACE)Ace)->SidStart; + Sid = (PSID)((ULONG_PTR)&((PKNOWN_OBJECT_ACE)Ace)->SidStart + GuidSize); break; } diff --git a/sdk/include/xdk/setypes.h b/sdk/include/xdk/setypes.h index a46e4295274..0a538747bda 100644 --- a/sdk/include/xdk/setypes.h +++ b/sdk/include/xdk/setypes.h @@ -801,6 +801,10 @@ typedef struct _SYSTEM_MANDATORY_LABEL_ACE { $ULONG SidStart; } SYSTEM_MANDATORY_LABEL_ACE, *PSYSTEM_MANDATORY_LABEL_ACE; +/* Object ACE flags */ +#define ACE_OBJECT_TYPE_PRESENT 0x00000001 +#define ACE_INHERITED_OBJECT_TYPE_PRESENT 0x00000002 + #define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP 0x1 #define SYSTEM_MANDATORY_LABEL_NO_READ_UP 0x2 #define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP 0x4