[hpoussin] 26130: Fix SeAccessCheck to perform correct checks. When returning STATUS_ACCESS_DENIED when required (currently disabled), ReactOS boots up to login screen on 3rd boot. Now, we just need to fix callers. - Ros-diffs

18 Mar 2007

Author: hpoussin
Date: Sun Mar 18 15:47:27 2007
New Revision: 26130
URL: http://svn.reactos.org/svn/reactos?rev=26130&view=rev
Log:
Fix SeAccessCheck to perform correct checks.
When returning STATUS_ACCESS_DENIED when required (currently disabled), ReactOS boots up to login screen on 3rd boot.
Now, we just need to fix callers.
Modified:
    trunk/reactos/ntoskrnl/se/semgr.c
Modified: trunk/reactos/ntoskrnl/se/semgr.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=261...
==============================================================================

--- trunk/reactos/ntoskrnl/se/semgr.c (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c Sun Mar 18 15:47:27 2007
@@ -912,7 +912,7 @@
          OUT PNTSTATUS AccessStatus)
 {
   LUID_AND_ATTRIBUTES Privilege;
-  ACCESS_MASK CurrentAccess;
+  ACCESS_MASK CurrentAccess, AccessMask;
   PACCESS_TOKEN Token;
   ULONG i;
   PACL Dacl;
@@ -924,6 +924,11 @@
PAGED_CODE();
+  /* Map given accesses */
+  RtlMapGenericMask(&DesiredAccess, GenericMapping);
+  if (PreviouslyGrantedAccess)
+    RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
+
   /* Check if we didn't get an SD */
   if (!SecurityDescriptor)
   {
@@ -1048,30 +1053,32 @@
     {
       Sid = (PSID)(CurrentAce + 1);
       if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
-	{
-	  if (SepSidInToken(Token, Sid))
-	    {
-	      if (SubjectContextLocked == FALSE)
-		{
-		  SeUnlockSubjectContext(SubjectSecurityContext);
-		}
-
-	      *GrantedAccess = 0;
-	      *AccessStatus = STATUS_ACCESS_DENIED;
-	      return FALSE;
-	    }
-	}
+        {
+          if (SepSidInToken(Token, Sid))
+            {
+              if (SubjectContextLocked == FALSE)
+                {
+                  SeUnlockSubjectContext(SubjectSecurityContext);
+                }
+
+              *GrantedAccess = 0;
+              *AccessStatus = STATUS_ACCESS_DENIED;
+              return FALSE;
+            }
+        }
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
-	{
-	  if (SepSidInToken(Token, Sid))
-	    {
-	      CurrentAccess |= CurrentAce->AccessMask;
-	    }
-	}
-	else
-	  DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
-	CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
+        {
+          if (SepSidInToken(Token, Sid))
+            {
+              AccessMask = CurrentAce->AccessMask;
+              RtlMapGenericMask(&AccessMask, GenericMapping);
+              CurrentAccess |= AccessMask;
+            }
+        }
+        else
+          DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
+        CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
     }
if (SubjectContextLocked == FALSE)
@@ -1084,17 +1091,30 @@
*GrantedAccess = CurrentAccess & DesiredAccess;
-  if (*GrantedAccess == DesiredAccess)
-    {
+  if (DesiredAccess & MAXIMUM_ALLOWED)
+    {
+      *GrantedAccess = CurrentAccess;
       *AccessStatus = STATUS_SUCCESS;
       return TRUE;
     }
+  else if (*GrantedAccess == DesiredAccess)
+    {
+      *AccessStatus = STATUS_SUCCESS;
+      return TRUE;
+    }
   else
     {
+#if 1
       *AccessStatus = STATUS_SUCCESS;
-      DPRINT("FIX caller rights (granted 0x%lx, desired 0x%lx)!\n",
-        *GrantedAccess, DesiredAccess);
-      return TRUE; /* FIXME: should be FALSE */
+      DPRINT1("FIX caller rights (granted 0x%lx, desired 0x%lx, generic mapping %p)!\n",
+        *GrantedAccess, DesiredAccess, GenericMapping);
+      return TRUE;
+#else
+      DPRINT1("Denying access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p)\n",
+        *GrantedAccess, DesiredAccess, GenericMapping);
+      *AccessStatus = STATUS_ACCESS_DENIED;
+      return FALSE;
+#endif
     }
 }

    