From 2fef8be89206b7b0589d3c05e5cc94587ceed9bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?George=20Bi=C8=99oc?=
Date: Sun, 6 Nov 2022 17:47:30 +0100
Subject: [PATCH] [NTOS:SE] Dump security debug info in case no every right has been granted in SepAccessCheck

The "failed to grant access rights" message isn't enough to understand what kind of access rights haven't been granted and why. Dumping information of the captured security descriptor, the ACL and its ACEs with mask rights and token SIDs should be enough to understand the reason of the failure in question.
---
 ntoskrnl/se/accesschk.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/ntoskrnl/se/accesschk.c b/ntoskrnl/se/accesschk.c
index 2a92a0ef247..0796dc8db78 100644
--- a/ntoskrnl/se/accesschk.c
+++ b/ntoskrnl/se/accesschk.c
@@ -479,23 +479,20 @@ SepAccessCheck(
 _Out_ PNTSTATUS AccessStatusList)
 {
 ACCESS_MASK RemainingAccess;
- PACCESS_CHECK_RIGHTS AccessCheckRights;
- PACCESS_TOKEN Token;
 ULONG ResultListLength;
 ULONG ResultListIndex;
 PACL Dacl;
 BOOLEAN Present;
 BOOLEAN Defaulted;
 NTSTATUS Status;
+ PACCESS_TOKEN Token = NULL;
+ PACCESS_CHECK_RIGHTS AccessCheckRights = NULL;
 PAGED_CODE();
 /* A security descriptor must be expected for access checks */
 ASSERT(SecurityDescriptor);
- /* Assume no access check rights first */
- AccessCheckRights = NULL;
-
 /* Check for no access desired */
 if (!DesiredAccess)
 {
@@ -767,6 +764,16 @@ ReturnCommonStatus:
 AccessStatusList[ResultListIndex] = Status;
 }
+#if DBG
+ /* Dump security debug info on access denied case */
+ if (Status == STATUS_ACCESS_DENIED)
+ {
+ SepDumpSdDebugInfo(SecurityDescriptor);
+ SepDumpTokenDebugInfo(Token);
+ SepDumpAccessRightsStats(AccessCheckRights);
+ }
+#endif
+
 /* Free the allocated access check rights */
 SepFreeAccessCheckRights(AccessCheckRights);
 AccessCheckRights = NULL;
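Review bot: The three dump calls added under `ReturnCommonStatus` can receive a `Token` and `AccessCheckRights` that are still NULL, because the first hunk now initialises both to NULL at declaration and any early `goto ReturnCommonStatus` that sets `STATUS_ACCESS_DENIED` before they are assigned would reach this block. Whether `SepDumpTokenDebugInfo` and `SepDumpAccessRightsStats` tolerate a NULL argument is not visible here; if they do not, guard the calls, e.g. `if (Token) SepDumpTokenDebugInfo(Token);` and `if (AccessCheckRights) SepDumpAccessRightsStats(AccessCheckRights);`. The block also fires on every denied check in DBG builds, so routine, expected denials will write the full descriptor, ACL and token SIDs to the debug log; a comment stating that this is intentional, or a runtime switch around the dump, would keep the output usable when tracking one specific failure. The body of SepAccessCheck between the two hunks is outside the diff, so the paths that reach the label could not be checked.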