[hpoussin] 26130: Fix SeAccessCheck to perform correct checks. When returning STATUS_ACCESS_DENIED when required (currently disabled), ReactOS boots up to login screen on 3rd boot. Now, we just need to fix callers.
18 Mar
2007
18 Mar
'07
12:47 p.m.
Author: hpoussin
Date: Sun Mar 18 15:47:27 2007
New Revision: 26130
URL: http://svn.reactos.org/svn/reactos?rev=26130&view=rev
Log:
Fix SeAccessCheck to perform correct checks.
When returning STATUS_ACCESS_DENIED when required (currently disabled), ReactOS boots up
to login screen on 3rd boot.
Now, we just need to fix callers.
Modified:
trunk/reactos/ntoskrnl/se/semgr.c
Modified: trunk/reactos/ntoskrnl/se/semgr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=26…
==============================================================================
--- trunk/reactos/ntoskrnl/se/semgr.c (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c Sun Mar 18 15:47:27 2007
@@ -912,7 +912,7 @@
OUT PNTSTATUS AccessStatus)
{
LUID_AND_ATTRIBUTES Privilege;
- ACCESS_MASK CurrentAccess;
+ ACCESS_MASK CurrentAccess, AccessMask;
PACCESS_TOKEN Token;
ULONG i;
PACL Dacl;
@@ -924,6 +924,11 @@
PAGED_CODE();
+ /* Map given accesses */
+ RtlMapGenericMask(&DesiredAccess, GenericMapping);
+ if (PreviouslyGrantedAccess)
+ RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
+
/* Check if we didn't get an SD */
if (!SecurityDescriptor)
{
@@ -1048,30 +1053,32 @@
{
Sid = (PSID)(CurrentAce + 1);
if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
- {
- if (SepSidInToken(Token, Sid))
- {
- if (SubjectContextLocked == FALSE)
- {
- SeUnlockSubjectContext(SubjectSecurityContext);
- }
-
- *GrantedAccess = 0;
- *AccessStatus = STATUS_ACCESS_DENIED;
- return FALSE;
- }
- }
+ {
+ if (SepSidInToken(Token, Sid))
+ {
+ if (SubjectContextLocked == FALSE)
+ {
+ SeUnlockSubjectContext(SubjectSecurityContext);
+ }
+
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+ }
+ }
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
- {
- if (SepSidInToken(Token, Sid))
- {
- CurrentAccess |= CurrentAce->AccessMask;
- }
- }
- else
- DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
- CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
+ {
+ if (SepSidInToken(Token, Sid))
+ {
+ AccessMask = CurrentAce->AccessMask;
+ RtlMapGenericMask(&AccessMask, GenericMapping);
+ CurrentAccess |= AccessMask;
+ }
+ }
+ else
+ DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
+ CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
}
if (SubjectContextLocked == FALSE)
@@ -1084,17 +1091,30 @@
*GrantedAccess = CurrentAccess & DesiredAccess;
- if (*GrantedAccess == DesiredAccess)
- {
+ if (DesiredAccess & MAXIMUM_ALLOWED)
+ {
+ *GrantedAccess = CurrentAccess;
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
+ else if (*GrantedAccess == DesiredAccess)
+ {
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
else
{
+#if 1
*AccessStatus = STATUS_SUCCESS;
- DPRINT("FIX caller rights (granted 0x%lx, desired 0x%lx)!\n",
- *GrantedAccess, DesiredAccess);
- return TRUE; /* FIXME: should be FALSE */
+ DPRINT1("FIX caller rights (granted 0x%lx, desired 0x%lx, generic mapping
%p)!\n",
+ *GrantedAccess, DesiredAccess, GenericMapping);
+ return TRUE;
+#else
+ DPRINT1("Denying access for caller: granted 0x%lx, desired 0x%lx (generic
mapping %p)\n",
+ *GrantedAccess, DesiredAccess, GenericMapping);
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+#endif
}
}
6706
days inactive
6706
days old
0 comments
1 participants
participants (1)
-
hpoussin@svn.reactos.org