Author: pschweitzer Date: Sat Jan 26 19:33:54 2013 New Revision: 58230
URL: http://svn.reactos.org/svn/reactos?rev=58230&view=rev Log: [NTOSKRNL] Implement SeFastTraverseCheck(). For more information, see: - http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).as... - http://msdn.microsoft.com/en-us/library/windows/desktop/aa446683(v=vs.85).as...
Modified: trunk/reactos/ntoskrnl/include/internal/se.h trunk/reactos/ntoskrnl/se/semgr.c
Modified: trunk/reactos/ntoskrnl/include/internal/se.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/include/internal/s... ==============================================================================
--- trunk/reactos/ntoskrnl/include/internal/se.h [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/include/internal/se.h [iso-8859-1] Sat Jan 26 19:33:54 2013
@@ -490,6 +490,13 @@
 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
 OUT PACCESS_MASK DesiredAccess);
+BOOLEAN
+NTAPI
+SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+ IN PACCESS_STATE AccessState,
+ IN ACCESS_MASK DesiredAccess,
+ IN KPROCESSOR_MODE AccessMode);
+
 #endif
/* EOF */
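Review bot: The new prototype for SeFastTraverseCheck carries no comment on what a FALSE return means. In the semgr.c implementation from this commit, FALSE is returned both for an explicit deny and for cases the fast path declines to decide (NULL descriptor, restricted token), so callers presumably have to fall back to the full access check rather than treat FALSE as a final denial. A one-line comment above the declaration would pin that down, e.g. `/* TRUE: traverse granted by the fast path; FALSE: not decided here, run the full access check */`.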
Modified: trunk/reactos/ntoskrnl/se/semgr.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=582... ==============================================================================
--- trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] Sat Jan 26 19:33:54 2013
@@ -820,6 +820,73 @@
 return ret;
 }
+/*
+ * @implemented
+ */
+BOOLEAN
+NTAPI
+SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+ IN PACCESS_STATE AccessState,
+ IN ACCESS_MASK DesiredAccess,
+ IN KPROCESSOR_MODE AccessMode)
+{
+ PACL Dacl;
+ ULONG AceIndex;
+ PKNOWN_ACE Ace;
+
+ PAGED_CODE();
+
+ NT_ASSERT(AccessMode != KernelMode);
+
+ if (SecurityDescriptor == NULL)
+ return FALSE;
+
+ /* Get DACL */
+ Dacl = SepGetDaclFromDescriptor(SecurityDescriptor);
+ /* If no DACL, grant access */
+ if (Dacl == NULL)
+ return TRUE;
+
+ /* No ACE -> Deny */
+ if (!Dacl->AceCount)
+ return FALSE;
+
+ /* Can't perform the check on restricted token */
+ if (AccessState->Flags & TOKEN_IS_RESTRICTED)
+ return FALSE;
+
+ /* Browse the ACEs */
+ for (AceIndex = 0, Ace = (PKNOWN_ACE)((ULONG_PTR)Dacl + sizeof(ACL));
+ AceIndex < Dacl->AceCount;
+ AceIndex++, Ace = (PKNOWN_ACE)((ULONG_PTR)Ace + Ace->Header.AceSize))
+ {
+ if (Ace->Header.AceFlags & INHERIT_ONLY_ACE)
+ continue;
+
+ /* If access-allowed ACE */
+ if (Ace->Header.AceType & ACCESS_ALLOWED_ACE_TYPE)
+ {
+ /* Check if all accesses are granted */
+ if (!(Ace->Mask & DesiredAccess))
+ continue;
+
+ /* Check SID and grant access if matching */
+ if (RtlEqualSid(SeWorldSid, &(Ace->SidStart)))
+ return TRUE;
+ }
+ /* If access-denied ACE */
+ else if (Ace->Header.AceType & ACCESS_DENIED_ACE_TYPE)
+ {
+ /* Here, only check if it denies all the access wanted and deny if so */
+ if (Ace->Mask & DesiredAccess)
+ return FALSE;
+ }
+ }
+
+ /* Faulty, deny */
+ return FALSE;
+}
+
 /* SYSTEM CALLS ***************************************************************/
/*
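Review bot: The two ACE-type tests in the loop use bitwise AND (`Ace->Header.AceType & ACCESS_ALLOWED_ACE_TYPE`, `Ace->Header.AceType & ACCESS_DENIED_ACE_TYPE`), but ACE types are enumerated values rather than flags: ACCESS_ALLOWED_ACE_TYPE is 0, so the allow branch can never run, and `& 1` matches every odd-numbered ACE type, not only access-denied. Compare with equality instead: `if (Ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)` and `else if (Ace->Header.AceType == ACCESS_DENIED_ACE_TYPE)`. Once the allow branch is reachable, `if (!(Ace->Mask & DesiredAccess)) continue;` accepts an ACE that grants any one of the requested bits although its comment says all; `if ((Ace->Mask & DesiredAccess) != DesiredAccess) continue;` matches the comment. The walk also trusts `Ace->Header.AceSize` without checking it against the ACL's size, which is safe only if the descriptor was validated before reaching this function, so a comment stating that assumption would help.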