[ekohl] 74157: [NTOS:OB] - Allocate all of the kernel objects security descriptor and the dos devices security descriptor from the paged pool, instead of just the ACLs. - Replace special security d... - Ros-diffs

13 Mar 2017

Author: ekohl
Date: Mon Mar 13 00:10:23 2017
New Revision: 74157
URL: http://svn.reactos.org/svn/reactos?rev=74157&view=rev
Log:
[NTOS:OB]
- Allocate all of the kernel objects security descriptor and the dos devices security descriptor from the paged pool, instead of just the ACLs.
- Replace special security descriptor free routines by calls to ExFreePoolWithTag.
- Replace the TAG_OB_DIR_SD by TAG_SD.
Modified:
    trunk/reactos/ntoskrnl/include/internal/tag.h
    trunk/reactos/ntoskrnl/ob/obinit.c
    trunk/reactos/ntoskrnl/ob/obname.c
Modified: trunk/reactos/ntoskrnl/include/internal/tag.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/include/internal/t...
==============================================================================

--- trunk/reactos/ntoskrnl/include/internal/tag.h	[iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/include/internal/tag.h	[iso-8859-1] Mon Mar 13 00:10:23 2017
@@ -150,7 +150,6 @@
 /* Object Manager Tags */
 #define OB_NAME_TAG             'mNbO'
 #define OB_DIR_TAG              'iDbO'
-#define TAG_OB_DIR_SD           'sDbO'
/* formerly located in ps/cid.c */
Modified: trunk/reactos/ntoskrnl/ob/obinit.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ob/obinit.c?rev=74...
==============================================================================
--- trunk/reactos/ntoskrnl/ob/obinit.c	[iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ob/obinit.c	[iso-8859-1] Mon Mar 13 00:10:23 2017
@@ -58,32 +58,37 @@
 NTSTATUS
 NTAPI
 INIT_FUNCTION
-ObpCreateKernelObjectsSD(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
-{
-    ULONG AclLength;
+ObpCreateKernelObjectsSD(OUT PSECURITY_DESCRIPTOR *SecurityDescriptor)
+{
+    PSECURITY_DESCRIPTOR Sd = NULL;
     PACL Dacl;
+    ULONG AclSize, SdSize;
     NTSTATUS Status;
-    /* Initialize the SD */
-    Status = RtlCreateSecurityDescriptor(SecurityDescriptor,
-                                         SECURITY_DESCRIPTOR_REVISION);
-    if (!NT_SUCCESS(Status))
-        return Status;
-
-    /* Allocate the DACL */
-    AclLength = sizeof(ACL) +
-                sizeof(ACE) + RtlLengthSid(SeWorldSid) +
-                sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
-                sizeof(ACE) + RtlLengthSid(SeLocalSystemSid);
-
-    Dacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_OB_DIR_SD);
-    if (Dacl == NULL)
+    AclSize = sizeof(ACL) +
+              sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+              sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
+              sizeof(ACE) + RtlLengthSid(SeLocalSystemSid);
+
+    SdSize = sizeof(SECURITY_DESCRIPTOR) + AclSize;
+
+    /* Allocate the SD and ACL */
+    Sd = ExAllocatePoolWithTag(PagedPool, SdSize, TAG_SD);
+    if (Sd == NULL)
     {
         return STATUS_INSUFFICIENT_RESOURCES;
     }
+    /* Initialize the SD */
+    Status = RtlCreateSecurityDescriptor(Sd,
+                                         SECURITY_DESCRIPTOR_REVISION);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Dacl = (PACL)((INT_PTR)Sd + sizeof(SECURITY_DESCRIPTOR));
+
     /* Initialize the DACL */
-    RtlCreateAcl(Dacl, AclLength, ACL_REVISION);
+    RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
/* Add the ACEs */
     RtlAddAccessAllowedAce(Dacl,
@@ -102,32 +107,23 @@
                            SeLocalSystemSid);
/* Attach the DACL to the SD */
-    Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor,
+    Status = RtlSetDaclSecurityDescriptor(Sd,
                                           TRUE,
                                           Dacl,
                                           FALSE);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    *SecurityDescriptor = Sd;
+
+done:
+    if (!NT_SUCCESS(Status))
+    {
+        if (Sd != NULL)
+            ExFreePoolWithTag(Sd, TAG_SD);
+    }
return Status;
-}
-
-static
-VOID
-NTAPI
-INIT_FUNCTION
-ObpFreeKernelObjectsSD(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
-{
-    PACL Dacl = NULL;
-    BOOLEAN DaclPresent, Defaulted;
-    NTSTATUS Status;
-
-    Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
-                                          &DaclPresent,
-                                          &Dacl,
-                                          &Defaulted);
-    if (NT_SUCCESS(Status) && Dacl != NULL)
-    {
-        ExFreePoolWithTag(Dacl, TAG_OB_DIR_SD);
-    }
 }
BOOLEAN
@@ -212,7 +208,7 @@
     POBJECT_HEADER Header;
     POBJECT_HEADER_CREATOR_INFO CreatorInfo;
     POBJECT_HEADER_NAME_INFO NameInfo;
-    SECURITY_DESCRIPTOR KernelObjectsSD;
+    PSECURITY_DESCRIPTOR KernelObjectsSD = NULL;
     NTSTATUS Status;
/* Check if this is actually Phase 1 initialization */
@@ -346,13 +342,13 @@
                                &Name,
                                OBJ_CASE_INSENSITIVE | OBJ_PERMANENT,
                                NULL,
-                               &KernelObjectsSD);
+                               KernelObjectsSD);
/* Create the directory */
     Status = NtCreateDirectoryObject(&Handle,
                                      DIRECTORY_ALL_ACCESS,
                                      &ObjectAttributes);
-    ObpFreeKernelObjectsSD(&KernelObjectsSD);
+    ExFreePoolWithTag(KernelObjectsSD, TAG_SD);
     if (!NT_SUCCESS(Status)) return FALSE;
/* Close the extra handle */
Modified: trunk/reactos/ntoskrnl/ob/obname.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ob/obname.c?rev=74...
==============================================================================
--- trunk/reactos/ntoskrnl/ob/obname.c	[iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ob/obname.c	[iso-8859-1] Mon Mar 13 00:10:23 2017
@@ -34,35 +34,40 @@
 NTSTATUS
 NTAPI
 INIT_FUNCTION
-ObpCreateGlobalDosDevicesSD(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
+ObpCreateGlobalDosDevicesSD(OUT PSECURITY_DESCRIPTOR *SecurityDescriptor)
 {
-    ULONG AclLength;
+    PSECURITY_DESCRIPTOR Sd = NULL;
     PACL Dacl;
+    ULONG AclSize, SdSize;
     NTSTATUS Status;
+    AclSize = sizeof(ACL) +
+              sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+              sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
+              sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+              sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
+              sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
+              sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
+
+    SdSize = sizeof(SECURITY_DESCRIPTOR) + AclSize;
+
+    /* Allocate the SD and ACL */
+    Sd = ExAllocatePoolWithTag(PagedPool, SdSize, TAG_SD);
+    if (Sd == NULL)
+    {
+        return STATUS_INSUFFICIENT_RESOURCES;
+    }
+
     /* Initialize the SD */
-    Status = RtlCreateSecurityDescriptor(SecurityDescriptor,
+    Status = RtlCreateSecurityDescriptor(Sd,
                                          SECURITY_DESCRIPTOR_REVISION);
     if (!NT_SUCCESS(Status))
         return Status;
-    /* Allocate the DACL */
-    AclLength = sizeof(ACL) +
-                sizeof(ACE) + RtlLengthSid(SeWorldSid) +
-                sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
-                sizeof(ACE) + RtlLengthSid(SeWorldSid) +
-                sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
-                sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
-                sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
-
-    Dacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_OB_DIR_SD);
-    if (Dacl == NULL)
-    {
-        return STATUS_INSUFFICIENT_RESOURCES;
-    }
+    Dacl = (PACL)((INT_PTR)Sd + sizeof(SECURITY_DESCRIPTOR));
/* Initialize the DACL */
-    RtlCreateAcl(Dacl, AclLength, ACL_REVISION);
+    RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
/* Add the ACEs */
     RtlAddAccessAllowedAce(Dacl,
@@ -100,31 +105,23 @@
                              SeCreatorOwnerSid);
/* Attach the DACL to the SD */
-    Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor,
+    Status = RtlSetDaclSecurityDescriptor(Sd,
                                           TRUE,
                                           Dacl,
                                           FALSE);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    *SecurityDescriptor = Sd;
+
+done:
+    if (!NT_SUCCESS(Status))
+    {
+        if (Sd != NULL)
+            ExFreePoolWithTag(Sd, TAG_SD);
+    }
return Status;
-}
-
-VOID
-NTAPI
-INIT_FUNCTION
-ObpFreeGlobalDosDevicesSD(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
-{
-    PACL Dacl = NULL;
-    BOOLEAN DaclPresent, Defaulted;
-    NTSTATUS Status;
-
-    Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
-                                          &DaclPresent,
-                                          &Dacl,
-                                          &Defaulted);
-    if (NT_SUCCESS(Status) && Dacl != NULL)
-    {
-        ExFreePoolWithTag(Dacl, TAG_OB_DIR_SD);
-    }
 }
NTSTATUS
@@ -135,7 +132,7 @@
     OBJECT_ATTRIBUTES ObjectAttributes;
     UNICODE_STRING RootName, TargetName, LinkName;
     HANDLE Handle, SymHandle;
-    SECURITY_DESCRIPTOR DosDevicesSD;
+    PSECURITY_DESCRIPTOR DosDevicesSD = NULL;
     NTSTATUS Status;
/* Create a custom security descriptor for the global DosDevices directory */
@@ -149,11 +146,11 @@
                                &RootName,
                                OBJ_PERMANENT,
                                NULL,
-                               &DosDevicesSD);
+                               DosDevicesSD);
     Status = NtCreateDirectoryObject(&Handle,
                                      DIRECTORY_ALL_ACCESS,
                                      &ObjectAttributes);
-    ObpFreeGlobalDosDevicesSD(&DosDevicesSD);
+    ExFreePoolWithTag(DosDevicesSD, TAG_SD);
     if (!NT_SUCCESS(Status)) return Status;
/*********************************************\

    