Author: pschweitzer
Date: Sat Jan 26 19:33:54 2013
New Revision: 58230
URL:
http://svn.reactos.org/svn/reactos?rev=58230&view=rev
Log:
[NTOSKRNL]
Implement SeFastTraverseCheck().
For more information, see:
-
http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).a…
-
http://msdn.microsoft.com/en-us/library/windows/desktop/aa446683(v=vs.85).a…
Modified:
trunk/reactos/ntoskrnl/include/internal/se.h
trunk/reactos/ntoskrnl/se/semgr.c
Modified: trunk/reactos/ntoskrnl/include/internal/se.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/include/internal/…
==============================================================================
--- trunk/reactos/ntoskrnl/include/internal/se.h [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/include/internal/se.h [iso-8859-1] Sat Jan 26 19:33:54 2013
@@ -490,6 +490,13 @@
SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
OUT PACCESS_MASK DesiredAccess);
+BOOLEAN
+NTAPI
+SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+ IN PACCESS_STATE AccessState,
+ IN ACCESS_MASK DesiredAccess,
+ IN KPROCESSOR_MODE AccessMode);
+
#endif
/* EOF */
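Review bot: The new prototype for SeFastTraverseCheck() is declared without any comment, yet the implementation in semgr.c has preconditions a caller cannot see from this header: it asserts `AccessMode != KernelMode` and dereferences `AccessState` without a NULL check. I would add a short comment above the declaration, for example `/* User-mode requests only; AccessState must be non-NULL. FALSE means the fast path could not grant traverse access. */`. Whether a FALSE result is meant to send the caller on to the full access check is inferred from the function name and the restricted-token early return, so confirm it against the callers before writing that into the comment.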
Modified: trunk/reactos/ntoskrnl/se/semgr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=58…
==============================================================================
--- trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] Sat Jan 26 19:33:54 2013
@@ -820,6 +820,73 @@
return ret;
}
+/*
+ * @implemented
+ */
+BOOLEAN
+NTAPI
+SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+ IN PACCESS_STATE AccessState,
+ IN ACCESS_MASK DesiredAccess,
+ IN KPROCESSOR_MODE AccessMode)
+{
+ PACL Dacl;
+ ULONG AceIndex;
+ PKNOWN_ACE Ace;
+
+ PAGED_CODE();
+
+ NT_ASSERT(AccessMode != KernelMode);
+
+ if (SecurityDescriptor == NULL)
+ return FALSE;
+
+ /* Get DACL */
+ Dacl = SepGetDaclFromDescriptor(SecurityDescriptor);
+ /* If no DACL, grant access */
+ if (Dacl == NULL)
+ return TRUE;
+
+ /* No ACE -> Deny */
+ if (!Dacl->AceCount)
+ return FALSE;
+
+ /* Can't perform the check on restricted token */
+ if (AccessState->Flags & TOKEN_IS_RESTRICTED)
+ return FALSE;
+
+ /* Browse the ACEs */
+ for (AceIndex = 0, Ace = (PKNOWN_ACE)((ULONG_PTR)Dacl + sizeof(ACL));
+ AceIndex < Dacl->AceCount;
+ AceIndex++, Ace = (PKNOWN_ACE)((ULONG_PTR)Ace + Ace->Header.AceSize))
+ {
+ if (Ace->Header.AceFlags & INHERIT_ONLY_ACE)
+ continue;
+
+ /* If access-allowed ACE */
+ if (Ace->Header.AceType & ACCESS_ALLOWED_ACE_TYPE)
+ {
+ /* Check if all accesses are granted */
+ if (!(Ace->Mask & DesiredAccess))
+ continue;
+
+ /* Check SID and grant access if matching */
+ if (RtlEqualSid(SeWorldSid, &(Ace->SidStart)))
+ return TRUE;
+ }
+ /* If access-denied ACE */
+ else if (Ace->Header.AceType & ACCESS_DENIED_ACE_TYPE)
+ {
+ /* Here, only check if it denies all the access wanted and deny if so */
+ if (Ace->Mask & DesiredAccess)
+ return FALSE;
+ }
+ }
+
+ /* Faulty, deny */
+ return FALSE;
+}
+
/* SYSTEM CALLS ***************************************************************/
/*
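Review bot: The ACE type tests in the loop use bitwise AND, and since ACCESS_ALLOWED_ACE_TYPE is 0 the test `Ace->Header.AceType & ACCESS_ALLOWED_ACE_TYPE` is always false, so the allow branch is unreachable and the routine can return TRUE only for a NULL DACL. The `& ACCESS_DENIED_ACE_TYPE` test (value 1) likewise matches every odd-numbered ACE type, not just deny ACEs. Both should be equality comparisons, `if (Ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)` and `else if (Ace->Header.AceType == ACCESS_DENIED_ACE_TYPE)`. Once the allow branch is reachable, the mask test has to match its own comment ("all accesses are granted"), i.e. `if ((Ace->Mask & DesiredAccess) != DesiredAccess) continue;`, otherwise an Everyone ACE granting any single requested bit would approve the whole request. Separately, the walk advances by `Ace->Header.AceSize` for `AceCount` entries without comparing against `Dacl->AclSize`, which is only safe if the descriptor was validated before it reaches this function; the hunk does not show that.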