Author: weiden
Date: Sun Oct 15 20:52:25 2006
New Revision: 24526
URL:
http://svn.reactos.org/svn/reactos?rev=24526&view=rev
Log:
Implemented AddMandatoryAce
Modified:
trunk/reactos/dll/ntdll/def/ntdll.def
trunk/reactos/dll/win32/advapi32/advapi32.def
trunk/reactos/dll/win32/advapi32/sec/ac.c
trunk/reactos/include/ndk/rtlfuncs.h
trunk/reactos/include/psdk/winnt.h
trunk/reactos/lib/rtl/acl.c
Modified: trunk/reactos/dll/ntdll/def/ntdll.def
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/ntdll/def/ntdll.def?re…
==============================================================================
--- trunk/reactos/dll/ntdll/def/ntdll.def (original)
+++ trunk/reactos/dll/ntdll/def/ntdll.def Sun Oct 15 20:52:25 2006
@@ -314,6 +314,7 @@
RtlAddAuditAccessAceEx@28
RtlAddAuditAccessObjectAce@36
;RtlAddCompoundAce
+RtlAddMandatoryAce@24
RtlAddRange@36
RtlAddVectoredExceptionHandler@8
RtlAdjustPrivilege@16
Modified: trunk/reactos/dll/win32/advapi32/advapi32.def
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/advapi32/advapi3…
==============================================================================
--- trunk/reactos/dll/win32/advapi32/advapi32.def (original)
+++ trunk/reactos/dll/win32/advapi32/advapi32.def Sun Oct 15 20:52:25 2006
@@ -32,6 +32,7 @@
AddAuditAccessAce@24
AddAuditAccessAceEx@28
AddAuditAccessObjectAce@36
+AddMandatoryAce@20
AddUsersToEncryptedFile@8
AdjustTokenGroups@24
AdjustTokenPrivileges@24
Modified: trunk/reactos/dll/win32/advapi32/sec/ac.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/advapi32/sec/ac.…
==============================================================================
--- trunk/reactos/dll/win32/advapi32/sec/ac.c (original)
+++ trunk/reactos/dll/win32/advapi32/sec/ac.c Sun Oct 15 20:52:25 2006
@@ -413,6 +413,35 @@
}
return TRUE;
+}
+
+
+/*
+ * @implemented
+ */
+BOOL
+WINAPI
+AddMandatoryAce(IN OUT PACL pAcl,
+ IN DWORD dwAceRevision,
+ IN DWORD AceFlags,
+ IN DWORD MandatoryPolicy,
+ IN PSID pLabelSid)
+{
+ NTSTATUS Status;
+
+ Status = RtlAddMandatoryAce(pAcl,
+ dwAceRevision,
+ AceFlags,
+ MandatoryPolicy,
+ SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ pLabelSid);
+ if (!NT_SUCCESS(Status))
+ {
+ SetLastError(RtlNtStatusToDosError(Status));
+ return FALSE;
+ }
+
+ return TRUE;
}
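Review bot: The header comment on AddMandatoryAce says only `@implemented`, so a caller cannot tell from this file which inputs are rejected. Judging by the acl.c hunks in this commit, MandatoryPolicy bits outside SYSTEM_MANDATORY_LABEL_VALID_MASK and a pLabelSid whose identifier authority is not SECURITY_MANDATORY_LABEL_AUTHORITY both return STATUS_INVALID_PARAMETER, which this wrapper turns into a last-error value through RtlNtStatusToDosError. I would extend the comment to something like `/* Returns FALSE with the last error set if MandatoryPolicy has bits outside SYSTEM_MANDATORY_LABEL_VALID_MASK or pLabelSid is not a mandatory label SID */`.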
Modified: trunk/reactos/include/ndk/rtlfuncs.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/include/ndk/rtlfuncs.h?rev…
==============================================================================
--- trunk/reactos/include/ndk/rtlfuncs.h (original)
+++ trunk/reactos/include/ndk/rtlfuncs.h Sun Oct 15 20:52:25 2006
@@ -762,6 +762,17 @@
NTSYSAPI
NTSTATUS
NTAPI
+RtlAddMandatoryAce(
+ IN OUT PACL Acl,
+ IN ULONG Revision,
+ IN ULONG Flags,
+ IN ULONG MandatoryFlags,
+ IN ULONG AceType,
+ IN PSID LabelSid);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
RtlAdjustPrivilege(
IN ULONG Privilege,
IN BOOLEAN NewValue,
Modified: trunk/reactos/include/psdk/winnt.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/include/psdk/winnt.h?rev=2…
==============================================================================
--- trunk/reactos/include/psdk/winnt.h (original)
+++ trunk/reactos/include/psdk/winnt.h Sun Oct 15 20:52:25 2006
@@ -571,6 +571,8 @@
#define DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS 0x00000230L
#define DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS 0x00000231L
#define DOMAIN_ALIAS_RID_DCOM_USERS 0x00000232L
+
+#define SECURITY_MANDATORY_LABEL_AUTHORITY {0,0,0,0,0,16}
typedef enum
{
@@ -1622,7 +1624,8 @@
#define SYSTEM_ALARM_CALLBACK_ACE_TYPE (0xE)
#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE (0xF)
#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE (0x10)
-#define ACCESS_MAX_MS_V5_ACE_TYPE (0x10)
+#define SYSTEM_MANDATORY_LABEL_ACE_TYPE (0x11)
+#define ACCESS_MAX_MS_V5_ACE_TYPE (0x11)
/* end ntifs.h */
typedef struct _GENERIC_MAPPING {
ACCESS_MASK GenericRead;
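Review bot: Raising `ACCESS_MAX_MS_V5_ACE_TYPE` to 0x11 widens every range check written against that constant, and none of its users are touched by this commit. Code that accepts an ACE because its type is within that bound and then reads Mask as access rights would now treat a label ACE's policy bits the same way. I cannot tell from the hunk whether such code exists, so it is worth searching for the constant's users before relying on the new value. A short comment on the new define, e.g. `/* Mask holds SYSTEM_MANDATORY_LABEL_* policy bits, not access rights */`, would flag the difference where the type is declared.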
@@ -1659,6 +1662,15 @@
ACCESS_MASK Mask;
DWORD SidStart;
} SYSTEM_ALARM_ACE,*PSYSTEM_ALARM_ACE;
+typedef struct _SYSTEM_MANDATORY_LABEL_ACE {
+ ACE_HEADER Header;
+ ACCESS_MASK Mask;
+ DWORD SidStart;
+} SYSTEM_MANDATORY_LABEL_ACE, *PSYSTEM_MANDATORY_LABEL_ACE;
+#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP 0x1
+#define SYSTEM_MANDATORY_LABEL_NO_READ_UP 0x2
+#define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP 0x4
+#define SYSTEM_MANDATORY_LABEL_VALID_MASK (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
SYSTEM_MANDATORY_LABEL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)
typedef struct _ACCESS_ALLOWED_OBJECT_ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
Modified: trunk/reactos/lib/rtl/acl.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/rtl/acl.c?rev=24526&am…
==============================================================================
--- trunk/reactos/lib/rtl/acl.c (original)
+++ trunk/reactos/lib/rtl/acl.c Sun Oct 15 20:52:25 2006
@@ -141,6 +141,20 @@
{
return(STATUS_INVALID_SID);
}
+
+ if (Type == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+ {
+ static const SID_IDENTIFIER_AUTHORITY MandatoryLabelAuthority =
{SECURITY_MANDATORY_LABEL_AUTHORITY};
+
+ /* The SID's identifier authority must be SECURITY_MANDATORY_LABEL_AUTHORITY!
*/
+ if (RtlCompareMemory(&((PISID)Sid)->IdentifierAuthority,
+ &MandatoryLabelAuthority,
+ sizeof(MandatoryLabelAuthority)) !=
sizeof(MandatoryLabelAuthority))
+ {
+ return STATUS_INVALID_PARAMETER;
+ }
+ }
+
if (Acl->AclRevision > MAX_ACL_REVISION ||
Revision > MAX_ACL_REVISION)
{
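Review bot: The new branch for `Type == SYSTEM_MANDATORY_LABEL_ACE_TYPE` compares only the identifier authority, so a SID under that authority with zero or several sub-authorities is still accepted as a label. If readers of the label ACE expect exactly one RID carrying the integrity level (an inference, since no consumer is visible here), the guard should also pin the count, for example `if (((PISID)Sid)->SubAuthorityCount != 1) return STATUS_INVALID_PARAMETER;`. The `(PISID)` cast also appears to depend on the SID validation directly above it (the `STATUS_INVALID_SID` return in the context lines), and a one-line comment saying so would keep the two checks from being reordered later. The enclosing function starts and ends outside this hunk.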
@@ -602,6 +616,34 @@
InheritedObjectTypeGuid,
Sid,
Type);
+}
+
+
+/*
+ * @implemented
+ */
+NTSTATUS NTAPI
+RtlAddMandatoryAce(IN OUT PACL Acl,
+ IN ULONG Revision,
+ IN ULONG Flags,
+ IN ULONG MandatoryFlags,
+ IN ULONG AceType,
+ IN PSID LabelSid)
+{
+ if (MandatoryFlags & ~SYSTEM_MANDATORY_LABEL_VALID_MASK)
+ return STATUS_INVALID_PARAMETER;
+
+ if (AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+ return STATUS_INVALID_PARAMETER;
+
+ return RtlpAddKnownAce (Acl,
+ Revision,
+ Flags,
+ (ACCESS_MASK)MandatoryFlags,
+ NULL,
+ NULL,
+ LabelSid,
+ AceType);
}
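Review bot: `(ACCESS_MASK)MandatoryFlags` reads like an access-rights mask, but for this ACE type the Mask field carries the SYSTEM_MANDATORY_LABEL_NO_*_UP policy bits; that deserves a comment at the cast, e.g. `/* Mask carries the mandatory policy bits, not access rights */`. The function comment is only `@implemented`. It should say that MandatoryFlags outside SYSTEM_MANDATORY_LABEL_VALID_MASK, or any AceType other than SYSTEM_MANDATORY_LABEL_ACE_TYPE, returns STATUS_INVALID_PARAMETER, and that the label SID's authority is checked in RtlpAddKnownAce rather than here. Flags is passed through without validation in this function, and the hunk does not show whether RtlpAddKnownAce filters it.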