Author: akhaldi Date: Mon May 9 08:56:51 2016 New Revision: 71297
URL: http://svn.reactos.org/svn/reactos?rev=71297&view=rev Log: [0.4.1] Merge the SepPropagateAcl() unknown ACE types handling by Thomas in r71296. CORE-10694
Modified: branches/ros-branch-0_4_1/ (props changed) branches/ros-branch-0_4_1/reactos/ (props changed) branches/ros-branch-0_4_1/reactos/ntoskrnl/se/acl.c branches/ros-branch-0_4_1/rostests/ (props changed) branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/SeHelpers.c branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/SeInheritance.c branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/se.h
Propchange: branches/ros-branch-0_4_1/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon May 9 08:56:51 2016
@@ -1 +1 @@
-/trunk:71217,71231,71245,71252,71255
+/trunk:71217,71231,71245,71252,71255,71296
Propchange: branches/ros-branch-0_4_1/reactos/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon May 9 08:56:51 2016
@@ -20,4 +20,4 @@
 /branches/usb-bringup:51335,51337,51341-51343,51348,51350,51353,51355,51365-51369,51372,51384-54388,54396-54398,54736-54737,54752-54754,54756-54760,54762,54764-54765,54767-54768,54772,54774-54777,54781,54787,54790-54792,54797-54798,54806,54808,54834-54838,54843,54850,54852,54856,54858-54859
 /branches/usb-bringup-trunk:55019-55543,55548-55554,55556-55567
 /branches/wlan-bringup:54809-54998
-/trunk/reactos:71217,71231-71232,71245,71252,71262,71279
+/trunk/reactos:71217,71231-71232,71245,71252,71262,71279,71296
Modified: branches/ros-branch-0_4_1/reactos/ntoskrnl/se/acl.c
URL: http://svn.reactos.org/svn/reactos/branches/ros-branch-0_4_1/reactos/ntoskrn...
==============================================================================
--- branches/ros-branch-0_4_1/reactos/ntoskrnl/se/acl.c [iso-8859-1] (original)
+++ branches/ros-branch-0_4_1/reactos/ntoskrnl/se/acl.c [iso-8859-1] Mon May 9 08:56:51 2016
@@ -462,10 +462,27 @@
 AceDest = (PACCESS_ALLOWED_ACE)CurrentDest;
 AceSource = (PACCESS_ALLOWED_ACE)CurrentSource;
+ if (AceSource->Header.AceType > ACCESS_MAX_MS_V2_ACE_TYPE)
+ {
+ /* FIXME: handle object & compound ACEs */
+ AceSize = AceSource->Header.AceSize;
+
+ if (*AclLength >= Written + AceSize)
+ {
+ RtlCopyMemory(AceDest, AceSource, AceSize);
+ }
+ CurrentDest += AceSize;
+ CurrentSource += AceSize;
+ Written += AceSize;
+ AceCount++;
+ continue;
+ }
+
 /* These all have the same structure */
 ASSERT(AceSource->Header.AceType == ACCESS_ALLOWED_ACE_TYPE ||
- AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE ||
- AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE);
+ AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE ||
+ AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE ||
+ AceSource->Header.AceType == SYSTEM_ALARM_ACE_TYPE);
 ASSERT(AceSource->Header.AceSize % sizeof(ULONG) == 0);
 ASSERT(AceSource->Header.AceSize >= sizeof(*AceSource));
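Review bot: The new branch for ACE types above `ACCESS_MAX_MS_V2_ACE_TYPE` reads `AceSource->Header.AceSize` from the source ACL and advances `CurrentDest`, `CurrentSource` and `Written` by it with no sanity check, because its `continue` comes before the two `AceSize` ASSERTs at the end of the hunk. A zero, unaligned or oversized value would misalign every following ACE or move `CurrentSource` past the end of the source ACL, so the branch should repeat the checks with the bound relaxed to the header, e.g. `ASSERT(AceSize % sizeof(ULONG) == 0);` and `ASSERT(AceSize >= sizeof(ACE_HEADER));`. Whether the caller has already validated the source ACL cannot be seen here, since the loop starts and ends outside the hunk. The FIXME would also be more useful if it said that these ACEs are copied verbatim, so their inheritance flags and creator SIDs are not processed.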
Propchange: branches/ros-branch-0_4_1/rostests/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon May 9 08:56:51 2016
@@ -1,3 +1,3 @@
 /branches/GSoC_2011/KMTestSuite:51165-53670
 /branches/ros-amd64-bringup/rostests:44459,44462,44537
-/trunk/rostests:71232,71236,71278
+/trunk/rostests:71232,71236,71278,71296
Modified: branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/SeHelpers.c
URL: http://svn.reactos.org/svn/reactos/branches/ros-branch-0_4_1/rostests/kmtest...
==============================================================================
--- branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/SeHelpers.c [iso-8859-1] (original)
+++ branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/SeHelpers.c [iso-8859-1] Mon May 9 08:56:51 2016
@@ -34,6 +34,42 @@
 Ace->Header.AceSize = AceSize;
 Ace->Mask = AccessMask;
 Status = RtlCopySid(AceSize - FIELD_OFFSET(SYSTEM_AUDIT_ACE, SidStart),
+ (PSID)&Ace->SidStart,
+ Sid);
+ ASSERT(NT_SUCCESS(Status));
+ if (NT_SUCCESS(Status))
+ {
+ Status = RtlAddAce(Acl,
+ Revision,
+ MAXULONG,
+ Ace,
+ AceSize);
+ }
+ ExFreePoolWithTag(Ace, 'cAmK');
+ return Status;
+}
+
+NTSTATUS
+RtlxAddMandatoryLabelAceEx(
+ _Inout_ PACL Acl,
+ _In_ ULONG Revision,
+ _In_ ULONG Flags,
+ _In_ ACCESS_MASK AccessMask,
+ _In_ PSID Sid)
+{
+ NTSTATUS Status;
+ USHORT AceSize;
+ PSYSTEM_MANDATORY_LABEL_ACE Ace;
+
+ AceSize = FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + RtlLengthSid(Sid);
+ Ace = ExAllocatePoolWithTag(PagedPool, AceSize, 'cAmK');
+ if (!Ace)
+ return STATUS_INSUFFICIENT_RESOURCES;
+ Ace->Header.AceType = SYSTEM_MANDATORY_LABEL_ACE_TYPE;
+ Ace->Header.AceFlags = Flags;
+ Ace->Header.AceSize = AceSize;
+ Ace->Mask = AccessMask;
+ Status = RtlCopySid(AceSize - FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart),
 (PSID)&Ace->SidStart,
 Sid);
 ASSERT(NT_SUCCESS(Status));
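Review bot: `Ace->Header.AceFlags = Flags;` stores a `ULONG` parameter into the one-byte flags field of the ACE header, so any bits above the low eight are silently dropped; an `ASSERT(Flags <= MAXUCHAR);` before the assignment would catch a bad test call. RtlxAddMandatoryLabelAceEx also repeats the allocate / RtlCopySid / RtlAddAce / free sequence of the helper above it, whose tail this hunk duplicates, so a shared static routine taking the ACE type would keep the two from drifting apart. The function has no header comment; `/* Appends a SYSTEM_MANDATORY_LABEL_ACE for Sid, with the given flags and mask, to Acl */` would do. Its body ends outside the hunk.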
Modified: branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/SeInheritance.c
URL: http://svn.reactos.org/svn/reactos/branches/ros-branch-0_4_1/rostests/kmtest...
==============================================================================
--- branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/SeInheritance.c [iso-8859-1] (original)
+++ branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/SeInheritance.c [iso-8859-1] Mon May 9 08:56:51 2016
@@ -780,6 +780,81 @@
 EndTestAssign()
 }
+ /* ACE type that Win2003 doesn't know about (> ACCESS_MAX_MS_ACE_TYPE) */
+ for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
+ {
+ Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ Status = RtlxAddMandatoryLabelAceEx(Acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SeExports->SeWorldSid);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
+ TRUE,
+ Acl,
+ BooleanFlagOn(UsingDefault, 1));
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ Status = RtlSetSaclSecurityDescriptor(&ExplicitDescriptor,
+ TRUE,
+ Acl,
+ BooleanFlagOn(UsingDefault, 2));
+ ok_eq_hex(Status, STATUS_SUCCESS);
+
+ TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE)
+ TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE)
+ StartTestAssign(NULL, &ExplicitDescriptor, FALSE, TRUE, TRUE)
+ ok_eq_uint(DaclDefaulted, FALSE);
+ CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005);
+ ok_eq_uint(SaclDefaulted, FALSE);
+ CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, SeExports->SeWorldSid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
+ ok_eq_uint(OwnerDefaulted, FALSE);
+ CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
+ ok_eq_uint(GroupDefaulted, FALSE);
+ CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
+ EndTestAssign()
+ }
+
+ for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
+ {
+ Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ Status = RtlxAddMandatoryLabelAceEx(Acl, ACL_REVISION, OBJECT_INHERIT_ACE, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SeExports->SeCreatorOwnerSid);
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
+ TRUE,
+ Acl,
+ BooleanFlagOn(UsingDefault, 1));
+ ok_eq_hex(Status, STATUS_SUCCESS);
+ Status = RtlSetSaclSecurityDescriptor(&ExplicitDescriptor,
+ TRUE,
+ Acl,
+ BooleanFlagOn(UsingDefault, 2));
+ ok_eq_hex(Status, STATUS_SUCCESS);
+
+ StartTestAssign(&ParentDescriptor, NULL, FALSE, TRUE, TRUE)
+ ok_eq_uint(DaclDefaulted, FALSE);
+ CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005);
+ ok_eq_uint(SaclDefaulted, FALSE);
+ CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
+ ok_eq_uint(OwnerDefaulted, FALSE);
+ CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
+ ok_eq_uint(GroupDefaulted, FALSE);
+ CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
+ EndTestAssign()
+ StartTestAssign(NULL, &ExplicitDescriptor, FALSE, TRUE, TRUE)
+ ok_eq_uint(DaclDefaulted, FALSE);
+ CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
+ ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005);
+ ok_eq_uint(SaclDefaulted, FALSE);
+ CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
+ ok_eq_uint(OwnerDefaulted, FALSE);
+ CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
+ ok_eq_uint(GroupDefaulted, FALSE);
+ CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
+ EndTestAssign()
+ }
+
+ /* TODO: Test object/compound ACEs */
 /* TODO: Test duplicate ACEs */
 /* TODO: Test INHERITED_ACE flag */
 /* TODO: Test invalid ACE flags */
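Review bot: The parent-descriptor cases added here expect the mandatory label ACE to go through inheritance processing, while the acl.c branch merged in this same commit copies ACEs of this type byte for byte. The first loop's `TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE)` appears, by its name, to expect a non-inheritable label ACE to be dropped, and the second loop's `StartTestAssign(&ParentDescriptor, ...)` case checks for flags 0 with the creator-owner SID replaced by the token's owner. As far as the visible hunks show, a verbatim copy cannot produce those results, so a comment should state which checks are expected to fail on ReactOS until the FIXME in SepPropagateAcl is resolved. The second loop also has no heading comment; `/* Inheritable label ACE with CREATOR OWNER: parent case maps the SID and clears the flags, explicit case keeps both */` would match the one on the first loop.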
Modified: branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/se.h
URL: http://svn.reactos.org/svn/reactos/branches/ros-branch-0_4_1/rostests/kmtest...
==============================================================================
--- branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/se.h [iso-8859-1] (original)
+++ branches/ros-branch-0_4_1/rostests/kmtests/ntos_se/se.h [iso-8859-1] Mon May 9 08:56:51 2016
@@ -33,6 +33,14 @@
 _In_ BOOLEAN Success,
 _In_ BOOLEAN Failure);
+NTSTATUS
+RtlxAddMandatoryLabelAceEx(
+ _Inout_ PACL Acl,
+ _In_ ULONG Revision,
+ _In_ ULONG Flags,
+ _In_ ACCESS_MASK AccessMask,
+ _In_ PSID Sid);
+
 #define NO_SIZE ((ULONG)-1)
 #define CheckSid(Sid, SidSize, ExpectedSid) CheckSid_(Sid, SidSize, ExpectedSid, __FILE__, __LINE__)