[NTOS:SE] Dump security debug info in case not every right has been granted in SepAccessCheck

The "failed to grant access rights" message isn't enough to understand what kind of access rights haven't been granted and why. Dumping information about the captured security descriptor, the ACL and its ACEs with mask rights, and the token SIDs should be enough to understand the reason for the failure in question.
George Bișoc 2022-11-06 17:47:30 +01:00
parent e2ee126c23
commit 2fef8be892
GPG key ID: 688C4FBE25D7DEF6


@ -479,23 +479,20 @@ SepAccessCheck(
_Out_ PNTSTATUS AccessStatusList)
{
ACCESS_MASK RemainingAccess;
PACCESS_CHECK_RIGHTS AccessCheckRights;
PACCESS_TOKEN Token;
ULONG ResultListLength;
ULONG ResultListIndex;
PACL Dacl;
BOOLEAN Present;
BOOLEAN Defaulted;
NTSTATUS Status;
PACCESS_TOKEN Token = NULL;
PACCESS_CHECK_RIGHTS AccessCheckRights = NULL;
PAGED_CODE();
/* A security descriptor must be expected for access checks */
ASSERT(SecurityDescriptor);
/* Assume no access check rights first */
AccessCheckRights = NULL;
/* Check for no access desired */
if (!DesiredAccess)
{
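Review bot: the declarations `PACCESS_TOKEN Token = NULL;` and `PACCESS_CHECK_RIGHTS AccessCheckRights = NULL;` at the end of the declaration block duplicate the earlier `PACCESS_TOKEN Token;` and `PACCESS_CHECK_RIGHTS AccessCheckRights;` lines in this rendering of the hunk; since the +/- markers were lost, please double-check that the old uninitialized declarations (and the standalone `AccessCheckRights = NULL;` under "Assume no access check rights first") are the ones removed, otherwise the function has two declarations of each name. Initializing both to NULL is the right move, because the paths that leave before the token is captured (the `if (!DesiredAccess)` early exit just below is one) will now reach the debug dump at `ReturnCommonStatus` with these variables still unset; consider keeping a brief comment there explaining that the NULL initialization exists for the dump at the common return label.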
@ -767,6 +764,16 @@ ReturnCommonStatus:
AccessStatusList[ResultListIndex] = Status;
}
#if DBG
/* Dump security debug info on access denied case */
if (Status == STATUS_ACCESS_DENIED)
{
SepDumpSdDebugInfo(SecurityDescriptor);
SepDumpTokenDebugInfo(Token);
SepDumpAccessRightsStats(AccessCheckRights);
}
#endif
/* Free the allocated access check rights */
SepFreeAccessCheckRights(AccessCheckRights);
AccessCheckRights = NULL;
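Review bot: `SepDumpTokenDebugInfo(Token)` and `SepDumpAccessRightsStats(AccessCheckRights)` are called whenever `Status == STATUS_ACCESS_DENIED`, but both arguments can be NULL at `ReturnCommonStatus` (they are now initialized to NULL precisely because some paths jump here before the token is captured or the rights are allocated); either guard the calls with `if (Token)` / `if (AccessCheckRights)` or confirm that the dump helpers accept NULL, since a NULL dereference in a DBG-only block would turn a denied access check into a kernel crash on checked builds. Also note that the dump fires only for STATUS_ACCESS_DENIED, so a failure reported through another status (for example a privilege check) gets no diagnostics; if that is intentional, a word in the comment ("access denied case") saying so would help the next reader.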