Author: ekohl
Date: Sat Apr 10 13:44:57 2010
New Revision: 46811
URL:
http://svn.reactos.org/svn/reactos?rev=46811&view=rev
Log:
Enable old access check code until the bug that keeps the device installer from working
has been fixed.
Modified:
trunk/reactos/ntoskrnl/se/semgr.c
Modified: trunk/reactos/ntoskrnl/se/semgr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=46…
==============================================================================
--- trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] Sat Apr 10 13:44:57 2010
@@ -377,6 +377,9 @@
}
}
+
+#define OLD_ACCESS_CHECK
+
BOOLEAN NTAPI
SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
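Review bot: `#define OLD_ACCESS_CHECK` is hard-coded and unconditional with no comment, so every build of semgr.c takes the legacy path in SepAccessCheck and nothing in the source says why or when it should be removed. I would put a comment directly above it, for example `/* HACK: legacy access check re-enabled until the device installer bug is fixed; this path does not deny on insufficient rights. Remove when fixed. */`, so the temporary state is visible to anyone auditing the file. SepAccessCheck's body continues outside this hunk.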
@@ -389,6 +392,9 @@
OUT PNTSTATUS AccessStatus)
{
LUID_AND_ATTRIBUTES Privilege;
+#ifdef OLD_ACCESS_CHECK
+ ACCESS_MASK CurrentAccess, AccessMask;
+#endif
ACCESS_MASK RemainingAccess;
ACCESS_MASK TempAccess;
ACCESS_MASK TempGrantedAccess = 0;
@@ -426,6 +432,9 @@
if (PreviouslyGrantedAccess)
RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
+#ifdef OLD_ACCESS_CHECK
+ CurrentAccess = PreviouslyGrantedAccess;
+#endif
/* Initialize remaining access rights */
RemainingAccess = DesiredAccess;
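Review bot: `CurrentAccess = PreviouslyGrantedAccess;` added here is assigned again, identically, in the next hunk just before RULE 2, so this first assignment looks dead unless code between the two hunks (not visible) reads CurrentAccess. If nothing reads it in between, keep only the later one. If the second assignment is there to pick up rights added to PreviouslyGrantedAccess by the intervening code, a comment such as `/* re-sync with rights granted since the first assignment */` on it would make that clear.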
@@ -490,6 +499,10 @@
return TRUE;
}
+#ifdef OLD_ACCESS_CHECK
+ CurrentAccess = PreviouslyGrantedAccess;
+#endif
+
/* RULE 2: Check token for 'take ownership' privilege */
if (DesiredAccess & WRITE_OWNER)
{
@@ -505,6 +518,9 @@
/* Adjust access rights */
RemainingAccess &= ~WRITE_OWNER;
PreviouslyGrantedAccess |= WRITE_OWNER;
+#ifdef OLD_ACCESS_CHECK
+ CurrentAccess |= WRITE_OWNER;
+#endif
/* Succeed if there are no more rights to grant */
if (RemainingAccess == 0)
@@ -618,6 +634,11 @@
{
if (SepSidInToken(Token, Sid))
{
+#ifdef OLD_ACCESS_CHECK
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+#else
/* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping);
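Review bot: In the OLD_ACCESS_CHECK branch of the access-denied ACE case, a matching SID fails the whole request without looking at `CurrentAce->AccessMask`, so a deny ACE for rights the caller never asked for still denies; the `#else` branch directly below maps the mask and stops only when it intersects `RemainingAccess`. The legacy path should apply the same test: map the mask with `AccessMask = CurrentAce->AccessMask; RtlMapGenericMask(&AccessMask, GenericMapping);` and wrap the three deny lines in `if (DesiredAccess & AccessMask & ~CurrentAccess)`. Together with the final block of this change, which returns TRUE when rights are missing, this leaves a matching deny ACE as the only outcome that can fail the ACE walk, and it does so too broadly. The ACE loop starts and ends outside this hunk.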
@@ -625,18 +646,25 @@
/* Leave if a remaining right must be denied */
if (RemainingAccess & TempAccess)
break;
+#endif
}
}
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{
if (SepSidInToken(Token, Sid))
{
+#ifdef OLD_ACCESS_CHECK
+ AccessMask = CurrentAce->AccessMask;
+ RtlMapGenericMask(&AccessMask, GenericMapping);
+ CurrentAccess |= AccessMask;
+#else
/* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping);
/* Remove granted rights */
RemainingAccess &= ~TempAccess;
+#endif
}
}
else
@@ -649,6 +677,28 @@
CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
}
+#ifdef OLD_ACCESS_CHECK
+ DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
+ CurrentAccess, DesiredAccess);
+
+ *GrantedAccess = CurrentAccess & DesiredAccess;
+
+ if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) ==
+ (DesiredAccess & ~VALID_INHERIT_FLAGS))
+ {
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+ else
+ {
+ DPRINT1("HACK: Should deny access for caller: granted 0x%lx, desired 0x%lx
(generic mapping %p).\n",
+ *GrantedAccess, DesiredAccess, GenericMapping);
+ //*AccessStatus = STATUS_ACCESS_DENIED;
+ //return FALSE;
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+#else
DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess
%08lx\n",
DesiredAccess, PreviouslyGrantedAccess, RemainingAccess);
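Review bot: The `else` branch of the OLD_ACCESS_CHECK result block fails open: when `*GrantedAccess` does not cover `DesiredAccess` it logs "HACK: Should deny access", then sets `*AccessStatus = STATUS_SUCCESS` and returns TRUE, with the denial commented out. Any caller that acts on the return value or status will treat insufficient rights as granted. If the workaround has to stay for the device installer, restore `*AccessStatus = STATUS_ACCESS_DENIED; return FALSE;` as the default and put the bypass behind its own clearly named macro, so it can be switched off independently of the old ACE walk. Separately, both sides of the comparison are masked with `~VALID_INHERIT_FLAGS`, which looks like an ACE-header flag mask and not an access-mask constant, so some object-specific right bits may be dropped from the comparison; this is worth confirming.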
@@ -674,6 +724,7 @@
*AccessStatus = STATUS_SUCCESS;
return TRUE;
+#endif
}
static PSID