[reactos] 02/04: [NTOSKRNL] Use relaxed ACLs in ObpCreateGlobalDosDevicesSD when protection mode is not set
21 May
2019
21 May
'19
6:09 p.m.
https://git.reactos.org/?p=reactos.git;a=commitdiff;h=33f524c6259078191f5de…
commit 33f524c6259078191f5de66a19eefb4ea7e27adf
Author: Pierre Schweitzer <pierre(a)reactos.org>
AuthorDate: Tue May 21 08:37:36 2019 +0200
Commit: Pierre Schweitzer <pierre(a)reactos.org>
CommitDate: Tue May 21 19:28:16 2019 +0200
[NTOSKRNL] Use relaxed ACLs in ObpCreateGlobalDosDevicesSD when protection mode is not
set
---
ntoskrnl/ob/obname.c | 163 +++++++++++++++++++++++++++++++++------------------
1 file changed, 105 insertions(+), 58 deletions(-)
diff --git a/ntoskrnl/ob/obname.c b/ntoskrnl/ob/obname.c
index b1e541eeb4b..5baa4b1a50d 100644
--- a/ntoskrnl/ob/obname.c
+++ b/ntoskrnl/ob/obname.c
@@ -44,68 +44,115 @@ ObpCreateGlobalDosDevicesSD(OUT PSECURITY_DESCRIPTOR
*SecurityDescriptor)
ULONG AclSize, SdSize;
NTSTATUS Status;
- AclSize = sizeof(ACL) +
- sizeof(ACE) + RtlLengthSid(SeWorldSid) +
- sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
- sizeof(ACE) + RtlLengthSid(SeWorldSid) +
- sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
- sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
- sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
-
- SdSize = sizeof(SECURITY_DESCRIPTOR) + AclSize;
-
- /* Allocate the SD and ACL */
- Sd = ExAllocatePoolWithTag(PagedPool, SdSize, TAG_SD);
- if (Sd == NULL)
+ if (ObpProtectionMode & 1)
{
- return STATUS_INSUFFICIENT_RESOURCES;
+ AclSize = sizeof(ACL) +
+ sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
+ sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+ sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
+ sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
+
+ SdSize = sizeof(SECURITY_DESCRIPTOR) + AclSize;
+
+ /* Allocate the SD and ACL */
+ Sd = ExAllocatePoolWithTag(PagedPool, SdSize, TAG_SD);
+ if (Sd == NULL)
+ {
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+
+ /* Initialize the SD */
+ Status = RtlCreateSecurityDescriptor(Sd,
+ SECURITY_DESCRIPTOR_REVISION);
+ if (!NT_SUCCESS(Status))
+ return Status;
+
+ Dacl = (PACL)((INT_PTR)Sd + sizeof(SECURITY_DESCRIPTOR));
+
+ /* Initialize the DACL */
+ RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
+
+ /* Add the ACEs */
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_READ | GENERIC_EXECUTE,
+ SeWorldSid);
+
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+
+ RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE,
+ GENERIC_EXECUTE,
+ SeWorldSid);
+
+ RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeAliasAdminsSid);
+
+ RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+
+ RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeCreatorOwnerSid);
}
+ else
+ {
+ AclSize = sizeof(ACL) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
+ sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid);
- /* Initialize the SD */
- Status = RtlCreateSecurityDescriptor(Sd,
- SECURITY_DESCRIPTOR_REVISION);
- if (!NT_SUCCESS(Status))
- return Status;
+ SdSize = sizeof(SECURITY_DESCRIPTOR) + AclSize;
- Dacl = (PACL)((INT_PTR)Sd + sizeof(SECURITY_DESCRIPTOR));
-
- /* Initialize the DACL */
- RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
-
- /* Add the ACEs */
- RtlAddAccessAllowedAce(Dacl,
- ACL_REVISION,
- GENERIC_READ | GENERIC_EXECUTE,
- SeWorldSid);
-
- RtlAddAccessAllowedAce(Dacl,
- ACL_REVISION,
- GENERIC_ALL,
- SeLocalSystemSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE,
- GENERIC_EXECUTE,
- SeWorldSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeAliasAdminsSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeLocalSystemSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeCreatorOwnerSid);
+ /* Allocate the SD and ACL */
+ Sd = ExAllocatePoolWithTag(PagedPool, SdSize, TAG_SD);
+ if (Sd == NULL)
+ {
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+
+ /* Initialize the SD */
+ Status = RtlCreateSecurityDescriptor(Sd,
+ SECURITY_DESCRIPTOR_REVISION);
+ if (!NT_SUCCESS(Status))
+ return Status;
+
+ Dacl = (PACL)((INT_PTR)Sd + sizeof(SECURITY_DESCRIPTOR));
+
+ /* Initialize the DACL */
+ RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
+
+ /* Add the ACEs */
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_READ | GENERIC_EXECUTE | GENERIC_WRITE,
+ SeWorldSid);
+
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+
+ RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE |
OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeWorldSid);
+ }
/* Attach the DACL to the SD */
Status = RtlSetDaclSecurityDescriptor(Sd,
2004
days inactive
2004
days old
0 comments
1 participants
participants (1)
-
Pierre Schweitzer