commit 6747dacf108f75e93f01608aa63fee8e19502c51 Author: Pierre Schweitzer pierre@reactos.org AuthorDate: Sat Nov 10 23:23:59 2018 +0100 Commit: Pierre Schweitzer pierre@reactos.org CommitDate: Sat Nov 10 23:25:10 2018 +0100
[NTOSKRNL] Create a security descriptor for the \security directory object --- ntoskrnl/se/semgr.c | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-)
diff --git a/ntoskrnl/se/semgr.c b/ntoskrnl/se/semgr.c
index 090b761810..4bf89b6b94 100644
--- a/ntoskrnl/se/semgr.c
+++ b/ntoskrnl/se/semgr.c
@@ -134,6 +134,9 @@ SepInitializationPhase1(VOID)
 HANDLE SecurityHandle;
 HANDLE EventHandle;
 NTSTATUS Status;
+ SECURITY_DESCRIPTOR SecurityDescriptor;
+ PACL Dacl;
+ ULONG DaclLength;
PAGED_CODE();
@@ -147,7 +150,47 @@ SepInitializationPhase1(VOID)
 NULL);
 ASSERT(NT_SUCCESS(Status));
- /* TODO: Create a security desscriptor for the directory */
+ /* Create a security descriptor for the directory */
+ RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
+
+ /* Setup the ACL */
+ DaclLength = sizeof(ACL) + 3 * sizeof(ACCESS_ALLOWED_ACE) + + RtlLengthSid(SeLocalSystemSid) + + RtlLengthSid(SeAliasAdminsSid) + + RtlLengthSid(SeWorldSid);
+ Dacl = ExAllocatePoolWithTag(NonPagedPool, DaclLength, TAG_SE);
+ if (Dacl == NULL)
+ {
+ return FALSE;
+ }
+
+ Status = RtlCreateAcl(Dacl, DaclLength, ACL_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+
+ /* Grant full access to SYSTEM */
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ DIRECTORY_ALL_ACCESS,
+ SeLocalSystemSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ /* Allow admins to traverse and query */
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ READ_CONTROL | DIRECTORY_TRAVERSE | DIRECTORY_QUERY,
+ SeAliasAdminsSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ /* Allow anyone to traverse */
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ DIRECTORY_TRAVERSE,
+ SeWorldSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ /* And link ACL and SD */
+ Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, Dacl, FALSE);
+ ASSERT(NT_SUCCESS(Status));
/* Create '\Security' directory */
 RtlInitUnicodeString(&Name, L"\Security");
@@ -155,7 +198,7 @@ SepInitializationPhase1(VOID)
 &Name,
 OBJ_PERMANENT | OBJ_CASE_INSENSITIVE,
 0,
- NULL);
+ &SecurityDescriptor);
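Review bot: Once the `Dacl` allocation succeeds, every later failure in this hunk (`RtlCreateAcl`, the three `RtlAddAccessAllowedAce` calls, `RtlSetDaclSecurityDescriptor`) is only ASSERTed, which is a no-op in free builds, so execution reaches `ZwCreateDirectoryObject` in the following hunk with a partially built or missing DACL; if `RtlSetDaclSecurityDescriptor` fails, the descriptor carries no DACL at all, which the access check treats as unrestricted rather than denied. Mirroring the existing `Dacl == NULL` path keeps the failure closed: replace each `ASSERT(NT_SUCCESS(Status));` after the allocation with `if (!NT_SUCCESS(Status)) { ExFreePoolWithTag(Dacl, TAG_SE); return FALSE; }`, and capture and check the return of `RtlCreateSecurityDescriptor` the same way instead of discarding it. The DACL buffer is also never released in the visible hunks; because the object manager makes its own copy of the descriptor when the object is created, `Dacl` can be freed with `ExFreePoolWithTag(Dacl, TAG_SE)` once `ZwCreateDirectoryObject` returns, on both the success and failure paths — the remainder of SepInitializationPhase1 lies outside the hunk, so confirm nothing later still references it. Since the buffer is consumed synchronously in this paged initialization path, `PagedPool` would suffice in place of `NonPagedPool`.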
Status = ZwCreateDirectoryObject(&SecurityHandle,
 DIRECTORY_ALL_ACCESS,