Author: ekohl Date: Sun Oct 26 18:39:58 2014 New Revision: 65023
URL: http://svn.reactos.org/svn/reactos?rev=65023&view=rev Log: [NTOS:SE] Remove the old access check code in SepAccessCheckEx and use the new code instead. The new access check code is a lot better than the old code, but it makes the boot and install fail. This is caused by some kernel objects which are accessed using insufficient access rights. Therefore I added a little hack that shows a warning when insufficient rights are granted for an object and access is granted anyway.
Modified: trunk/reactos/ntoskrnl/se/accesschk.c
Modified: trunk/reactos/ntoskrnl/se/accesschk.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/accesschk.c?rev... ==============================================================================
--- trunk/reactos/ntoskrnl/se/accesschk.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/accesschk.c [iso-8859-1] Sun Oct 26 18:39:58 2014
@@ -17,8 +17,6 @@
/* PRIVATE FUNCTIONS **********************************************************/ - -#define OLD_ACCESS_CHECK
BOOLEAN NTAPI SepAccessCheckEx(IN PSECURITY_DESCRIPTOR SecurityDescriptor, @@ -48,6 +46,8 @@ NTSTATUS Status; PAGED_CODE();
+ DPRINT("SepAccessCheckEx()\n"); + /* Check for no access desired */ if (!DesiredAccess) { @@ -210,11 +210,6 @@ { if (SepSidInToken(Token, Sid)) { -#ifdef OLD_ACCESS_CHECK - PreviouslyGrantedAccess = 0; - Status = STATUS_ACCESS_DENIED; - goto ReturnCommonStatus; -#else /* Map access rights from the ACE */ TempAccess = CurrentAce->AccessMask; RtlMapGenericMask(&TempAccess, GenericMapping); @@ -222,25 +217,21 @@ /* Leave if a remaining right must be denied */ if (RemainingAccess & TempAccess) break; -#endif } } else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) { if (SepSidInToken(Token, Sid)) { -#ifdef OLD_ACCESS_CHECK - TempAccess = CurrentAce->AccessMask; - RtlMapGenericMask(&TempAccess, GenericMapping); - PreviouslyGrantedAccess |= TempAccess; -#else /* Map access rights from the ACE */ TempAccess = CurrentAce->AccessMask; + DPRINT("TempAccess 0x%08lx\n", TempAccess); RtlMapGenericMask(&TempAccess, GenericMapping);
/* Remove granted rights */ + DPRINT("RemainingAccess 0x%08lx TempAccess 0x%08lx\n", RemainingAccess, TempAccess); RemainingAccess &= ~TempAccess; -#endif + DPRINT("RemainingAccess 0x%08lx\n", RemainingAccess); } } else @@ -253,58 +244,35 @@ CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize); }
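Review bot: The `break` kept as context at the top of this hunk (`if (RemainingAccess & TempAccess) break;` in the ACCESS_DENIED branch) no longer leads to a denial, because the `RemainingAccess != 0` failure path it depends on is compiled out with `#if 0` in the following hunk (@@ -253,58 +244,35 @@). The OLD_ACCESS_CHECK branch removed in the preceding hunk returned STATUS_ACCESS_DENIED directly for a deny ACE whose SID is in the token, so explicit deny entries lose their effect with this commit. Denying inside the branch would keep them effective independently of the hack: `if (RemainingAccess & TempAccess) { Status = STATUS_ACCESS_DENIED; goto ReturnCommonStatus; }`. The ACE loop and the function start outside the hunk, so the granted mask that ReturnCommonStatus reports in that case should be confirmed against the full function.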
-#ifdef OLD_ACCESS_CHECK - DPRINT("PreviouslyGrantedAccess %08lx\n DesiredAccess %08lx\n", - PreviouslyGrantedAccess, DesiredAccess); - - PreviouslyGrantedAccess &= DesiredAccess; - - if ((PreviouslyGrantedAccess & ~VALID_INHERIT_FLAGS) == - (DesiredAccess & ~VALID_INHERIT_FLAGS)) - { - Status = STATUS_SUCCESS; - goto ReturnCommonStatus; - } - else - { - DPRINT1("HACK: Should deny access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p).\n", - PreviouslyGrantedAccess, DesiredAccess, GenericMapping); - //*AccessStatus = STATUS_ACCESS_DENIED; - //return FALSE; - PreviouslyGrantedAccess = DesiredAccess; - Status = STATUS_SUCCESS; - goto ReturnCommonStatus; - } -#else DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess %08lx\n", DesiredAccess, PreviouslyGrantedAccess, RemainingAccess);
/* Fail if some rights have not been granted */ if (RemainingAccess != 0) { - *GrantedAccess = 0; + DPRINT1("HACK: RemainingAccess = 0x%08lx DesiredAccess = 0x%08lx\n", RemainingAccess, DesiredAccess); +#if 0 + /* HACK HACK HACK */ Status = STATUS_ACCESS_DENIED; goto ReturnCommonStatus; +#endif }
/* Set granted access rights */ PreviouslyGrantedAccess |= DesiredAccess;
- DPRINT("GrantedAccess %08lx\n", *GrantedAccess); - /* Fail if no rights have been granted */ if (PreviouslyGrantedAccess == 0) { + DPRINT1("PreviouslyGrantedAccess == 0 DesiredAccess = %08lx\n", DesiredAccess); Status = STATUS_ACCESS_DENIED; goto ReturnCommonStatus; }
Status = STATUS_SUCCESS; goto ReturnCommonStatus; -#endif
ReturnCommonStatus: - ResultListLength = UseResultList ? ObjectTypeListLength : 1; for (i = 0; i < ResultListLength; i++) {
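Review bot: With `#if 0` around `Status = STATUS_ACCESS_DENIED; goto ReturnCommonStatus;`, SepAccessCheckEx fails open: whenever the DACL walk leaves `RemainingAccess != 0`, execution falls through to `PreviouslyGrantedAccess |= DesiredAccess` and STATUS_SUCCESS, and the only trace is one DPRINT1 line. The log message describes this as a temporary workaround, but the code says only `/* HACK HACK HACK */`. A comment at the `#if 0` should state the consequence and the removal condition, for example `/* HACK: access is granted although RemainingAccess != 0; re-enable the denial once kernel callers request sufficient rights */`. The added DPRINT1 under `if (PreviouslyGrantedAccess == 0)` also looks unreachable, since `PreviouslyGrantedAccess |= DesiredAccess` has just run and the zero-DesiredAccess case appears to be handled at the start of the function, outside this hunk.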