Author: ekohl
Date: Sun Apr 4 14:34:53 2010
New Revision: 46714
URL:
http://svn.reactos.org/svn/reactos?rev=46714&view=rev
Log:
[NTOSKRNL]
Ignore inherit-only ACEs in a DACL.
Modified:
trunk/reactos/ntoskrnl/se/semgr.c
Modified: trunk/reactos/ntoskrnl/se/semgr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=46…
==============================================================================
--- trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] Sun Apr 4 14:34:53 2010
@@ -485,7 +485,7 @@
{
*GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
}
-
+
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
@@ -546,6 +546,72 @@
{
CurrentAce = (PACE)(Dacl + 1);
for (i = 0; i < Dacl->AceCount; i++)
+ {
+ if (!(CurrentAce->Header.AceFlags & INHERIT_ONLY_ACE))
+ {
+ Sid = (PSID)(CurrentAce + 1);
+ if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
+ {
+ if (SepSidInToken(Token, Sid))
+ {
+ /* Map access rights from the ACE */
+ TempAccess = CurrentAce->AccessMask;
+ RtlMapGenericMask(&TempAccess, GenericMapping);
+
+ /* Deny access rights that have not been granted yet */
+ TempDeniedAccess |= (TempAccess & ~TempGrantedAccess);
+ }
+ }
+ else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
+ {
+ if (SepSidInToken(Token, Sid))
+ {
+ /* Map access rights from the ACE */
+ TempAccess = CurrentAce->AccessMask;
+ RtlMapGenericMask(&TempAccess, GenericMapping);
+
+ /* Grant access rights that have not been denied yet */
+ TempGrantedAccess |= (TempAccess & ~TempDeniedAccess);
+ }
+ }
+ else
+ {
+ DPRINT1("Unsupported ACE type 0x%lx\n",
CurrentAce->Header.AceType);
+ }
+ }
+
+ /* Get the next ACE */
+ CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
+ }
+
+ /* Fail if some rights have not been granted */
+ RemainingAccess &= ~(MAXIMUM_ALLOWED | TempGrantedAccess);
+ if (RemainingAccess != 0)
+ {
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+ }
+
+ /* Set granted access right and access status */
+ *GrantedAccess = TempGrantedAccess | PreviouslyGrantedAccess;
+ if (*GrantedAccess != 0)
+ {
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+ else
+ {
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+ }
+ }
+
+ /* RULE 4: Grant rights according to the DACL */
+ CurrentAce = (PACE)(Dacl + 1);
+ for (i = 0; i < Dacl->AceCount; i++)
+ {
+ if (!(CurrentAce->Header.AceFlags & INHERIT_ONLY_ACE))
{
Sid = (PSID)(CurrentAce + 1);
if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
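Review bot: Both ACE walks in this hunk (the MAXIMUM_ALLOWED loop and the RULE 4 loop that starts at `/* RULE 4 */`) advance with `CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize)` and are bounded only by `Dacl->AceCount`, never by the ACL's own `AclSize`, so a DACL whose ACE sizes or count disagree with its declared length is read past its end inside the kernel's access check. If the caller guarantees the descriptor was validated (for example with RtlValidAcl) before it reaches here, a one-line comment above the first loop stating that assumption would document it; otherwise a guard such as `if ((ULONG_PTR)CurrentAce + sizeof(ACE_HEADER) > (ULONG_PTR)Dacl + Dacl->AclSize) { *AccessStatus = STATUS_ACCESS_DENIED; return FALSE; }` before each header read would make the check fail closed instead of continuing. The inherit-only filter and the traversal step are now repeated verbatim in both loops, so a small static helper that yields the next effective ACE would keep the two in step. The enclosing function starts before this hunk, and the second loop's body continues into the next hunk.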
@@ -556,8 +622,9 @@
TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping);
- /* Deny access rights that have not been granted yet */
- TempDeniedAccess |= (TempAccess & ~TempGrantedAccess);
+ /* Leave if a remaining right must be denied */
+ if (RemainingAccess & TempAccess)
+ break;
}
}
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
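Review bot: The new `if (RemainingAccess & TempAccess) break;` is the only unbraced control body in this function, which otherwise braces every `if`/`else`, so it would be more consistent as `if (RemainingAccess & TempAccess) { break; }` or with the brace on its own line as the file does elsewhere. The denial the break signals is only realised by the check after the loop, which lies outside this hunk, so a comment such as `/* RemainingAccess stays non-zero, which fails the check below */` would tell the reader the early exit is intentional. The enclosing loop and function continue outside the hunk.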
@@ -568,75 +635,14 @@
TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping);
- /* Grant access rights that have not been denied yet */
- TempGrantedAccess |= (TempAccess & ~TempDeniedAccess);
+ /* Remove granted rights */
+ RemainingAccess &= ~TempAccess;
}
}
else
{
DPRINT1("Unsupported ACE type 0x%lx\n",
CurrentAce->Header.AceType);
}
-
- /* Get the next ACE */
- CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
- }
-
- /* Fail if some rights have not been granted */
- RemainingAccess &= ~(MAXIMUM_ALLOWED | TempGrantedAccess);
- if (RemainingAccess != 0)
- {
- *GrantedAccess = 0;
- *AccessStatus = STATUS_ACCESS_DENIED;
- return FALSE;
- }
-
- /* Set granted access right and access status */
- *GrantedAccess = TempGrantedAccess | PreviouslyGrantedAccess;
- if (*GrantedAccess != 0)
- {
- *AccessStatus = STATUS_SUCCESS;
- return TRUE;
- }
- else
- {
- *AccessStatus = STATUS_ACCESS_DENIED;
- return FALSE;
- }
- }
-
- /* RULE 4: Grant rights according to the DACL */
- CurrentAce = (PACE)(Dacl + 1);
- for (i = 0; i < Dacl->AceCount; i++)
- {
- Sid = (PSID)(CurrentAce + 1);
- if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
- {
- if (SepSidInToken(Token, Sid))
- {
- /* Map access rights from the ACE */
- TempAccess = CurrentAce->AccessMask;
- RtlMapGenericMask(&TempAccess, GenericMapping);
-
- /* Leave if a remaining right must be denied */
- if (RemainingAccess & TempAccess)
- break;
- }
- }
- else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
- {
- if (SepSidInToken(Token, Sid))
- {
- /* Map access rights from the ACE */
- TempAccess = CurrentAce->AccessMask;
- RtlMapGenericMask(&TempAccess, GenericMapping);
-
- /* Remove granted rights */
- RemainingAccess &= ~TempAccess;
- }
- }
- else
- {
- DPRINT1("Unsupported ACE type 0x%lx\n",
CurrentAce->Header.AceType);
}
/* Get the next ACE */