26 Oct
2014
26 Oct
'14
6:39 p.m.
Author: ekohl
Date: Sun Oct 26 18:39:58 2014
New Revision: 65023
URL: http://svn.reactos.org/svn/reactos?rev=65023&view=rev
Log:
[NTOS:SE]
Remove the old access check code in SepAccessCheckEx and use the new code instead. The new
access check code is a lot better than the old code, but it makes the boot and install
fail. This is caused by some kernel objects which are accessed using insufficient access
rights. Therefore I added a little hack that shows a warning when insufficient rights are
granted for an object and access is granted anyway.
Modified:
trunk/reactos/ntoskrnl/se/accesschk.c
Modified: trunk/reactos/ntoskrnl/se/accesschk.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/accesschk.c?re…
==============================================================================
--- trunk/reactos/ntoskrnl/se/accesschk.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/accesschk.c [iso-8859-1] Sun Oct 26 18:39:58 2014
@@ -17,8 +17,6 @@
/* PRIVATE FUNCTIONS **********************************************************/
-
-#define OLD_ACCESS_CHECK
BOOLEAN NTAPI
SepAccessCheckEx(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
@@ -48,6 +46,8 @@
NTSTATUS Status;
PAGED_CODE();
+ DPRINT("SepAccessCheckEx()\n");
+
/* Check for no access desired */
if (!DesiredAccess)
{
@@ -210,11 +210,6 @@
{
if (SepSidInToken(Token, Sid))
{
-#ifdef OLD_ACCESS_CHECK
- PreviouslyGrantedAccess = 0;
- Status = STATUS_ACCESS_DENIED;
- goto ReturnCommonStatus;
-#else
/* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping);
@@ -222,25 +217,21 @@
/* Leave if a remaining right must be denied */
if (RemainingAccess & TempAccess)
break;
-#endif
}
}
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{
if (SepSidInToken(Token, Sid))
{
-#ifdef OLD_ACCESS_CHECK
- TempAccess = CurrentAce->AccessMask;
- RtlMapGenericMask(&TempAccess, GenericMapping);
- PreviouslyGrantedAccess |= TempAccess;
-#else
/* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask;
+ DPRINT("TempAccess 0x%08lx\n", TempAccess);
RtlMapGenericMask(&TempAccess, GenericMapping);
/* Remove granted rights */
+ DPRINT("RemainingAccess 0x%08lx TempAccess 0x%08lx\n",
RemainingAccess, TempAccess);
RemainingAccess &= ~TempAccess;
-#endif
+ DPRINT("RemainingAccess 0x%08lx\n", RemainingAccess);
}
}
else
@@ -253,58 +244,35 @@
CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
}
-#ifdef OLD_ACCESS_CHECK
- DPRINT("PreviouslyGrantedAccess %08lx\n DesiredAccess %08lx\n",
- PreviouslyGrantedAccess, DesiredAccess);
-
- PreviouslyGrantedAccess &= DesiredAccess;
-
- if ((PreviouslyGrantedAccess & ~VALID_INHERIT_FLAGS) ==
- (DesiredAccess & ~VALID_INHERIT_FLAGS))
- {
- Status = STATUS_SUCCESS;
- goto ReturnCommonStatus;
- }
- else
- {
- DPRINT1("HACK: Should deny access for caller: granted 0x%lx, desired 0x%lx
(generic mapping %p).\n",
- PreviouslyGrantedAccess, DesiredAccess, GenericMapping);
- //*AccessStatus = STATUS_ACCESS_DENIED;
- //return FALSE;
- PreviouslyGrantedAccess = DesiredAccess;
- Status = STATUS_SUCCESS;
- goto ReturnCommonStatus;
- }
-#else
DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess
%08lx\n",
DesiredAccess, PreviouslyGrantedAccess, RemainingAccess);
/* Fail if some rights have not been granted */
if (RemainingAccess != 0)
{
- *GrantedAccess = 0;
+ DPRINT1("HACK: RemainingAccess = 0x%08lx DesiredAccess = 0x%08lx\n",
RemainingAccess, DesiredAccess);
+#if 0
+ /* HACK HACK HACK */
Status = STATUS_ACCESS_DENIED;
goto ReturnCommonStatus;
+#endif
}
/* Set granted access rights */
PreviouslyGrantedAccess |= DesiredAccess;
- DPRINT("GrantedAccess %08lx\n", *GrantedAccess);
-
/* Fail if no rights have been granted */
if (PreviouslyGrantedAccess == 0)
{
+ DPRINT1("PreviouslyGrantedAccess == 0 DesiredAccess = %08lx\n",
DesiredAccess);
Status = STATUS_ACCESS_DENIED;
goto ReturnCommonStatus;
}
Status = STATUS_SUCCESS;
goto ReturnCommonStatus;
-#endif
ReturnCommonStatus:
-
ResultListLength = UseResultList ? ObjectTypeListLength : 1;
for (i = 0; i < ResultListLength; i++)
{