[NTOS:SE] Let SepGetSidFromAce figure out the ACE type

As the commit title says: instead of having the caller figure out what the type of the ACE should be.
This commit is contained in:
unknown 2023-08-22 22:21:13 +02:00
parent a4b0899ca1
commit 310563aece
No known key found for this signature in database
GPG key ID: 688C4FBE25D7DEF6
4 changed files with 11 additions and 20 deletions


@ -634,7 +634,6 @@ SepSidInTokenEx(
PSID PSID
NTAPI NTAPI
SepGetSidFromAce( SepGetSidFromAce(
_In_ UCHAR AceType,
_In_ PACE Ace); _In_ PACE Ace);
NTSTATUS NTSTATUS


@ -517,7 +517,7 @@ SepAnalyzeAcesFromDacl(
if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
{ {
/* Get the SID from this ACE */ /* Get the SID from this ACE */
Sid = SepGetSidFromAce(ACCESS_DENIED_ACE_TYPE, CurrentAce); Sid = SepGetSidFromAce(CurrentAce);
ASSERT(Sid); ASSERT(Sid);
if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, TRUE, IsTokenRestricted)) if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, TRUE, IsTokenRestricted))
@ -539,7 +539,7 @@ SepAnalyzeAcesFromDacl(
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{ {
/* Get the SID from this ACE */ /* Get the SID from this ACE */
Sid = SepGetSidFromAce(ACCESS_ALLOWED_ACE_TYPE, CurrentAce); Sid = SepGetSidFromAce(CurrentAce);
ASSERT(Sid); ASSERT(Sid);
if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, FALSE, IsTokenRestricted)) if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, FALSE, IsTokenRestricted))
@ -561,7 +561,7 @@ SepAnalyzeAcesFromDacl(
else if (CurrentAce->Header.AceType == ACCESS_DENIED_OBJECT_ACE_TYPE) else if (CurrentAce->Header.AceType == ACCESS_DENIED_OBJECT_ACE_TYPE)
{ {
/* Get the SID and object type from this ACE */ /* Get the SID and object type from this ACE */
Sid = SepGetSidFromAce(ACCESS_DENIED_OBJECT_ACE_TYPE, CurrentAce); Sid = SepGetSidFromAce(CurrentAce);
ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, TRUE); ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, TRUE);
ASSERT(Sid); ASSERT(Sid);
@ -610,7 +610,7 @@ SepAnalyzeAcesFromDacl(
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_OBJECT_ACE_TYPE) else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_OBJECT_ACE_TYPE)
{ {
/* Get the SID and object type from this ACE */ /* Get the SID and object type from this ACE */
Sid = SepGetSidFromAce(ACCESS_ALLOWED_OBJECT_ACE_TYPE, CurrentAce); Sid = SepGetSidFromAce(CurrentAce);
ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, FALSE); ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, FALSE);
ASSERT(Sid); ASSERT(Sid);
@ -705,7 +705,7 @@ SepAnalyzeAcesFromDacl(
if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
{ {
/* Get the SID from this ACE */ /* Get the SID from this ACE */
Sid = SepGetSidFromAce(ACCESS_DENIED_ACE_TYPE, CurrentAce); Sid = SepGetSidFromAce(CurrentAce);
ASSERT(Sid); ASSERT(Sid);
if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, TRUE, IsTokenRestricted)) if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, TRUE, IsTokenRestricted))
@ -735,7 +735,7 @@ SepAnalyzeAcesFromDacl(
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{ {
/* Get the SID from this ACE */ /* Get the SID from this ACE */
Sid = SepGetSidFromAce(ACCESS_ALLOWED_ACE_TYPE, CurrentAce); Sid = SepGetSidFromAce(CurrentAce);
ASSERT(Sid); ASSERT(Sid);
if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, FALSE, IsTokenRestricted)) if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, FALSE, IsTokenRestricted))
@ -761,7 +761,7 @@ SepAnalyzeAcesFromDacl(
else if (CurrentAce->Header.AceType == ACCESS_DENIED_OBJECT_ACE_TYPE) else if (CurrentAce->Header.AceType == ACCESS_DENIED_OBJECT_ACE_TYPE)
{ {
/* Get the SID and object type from this ACE */ /* Get the SID and object type from this ACE */
Sid = SepGetSidFromAce(ACCESS_DENIED_OBJECT_ACE_TYPE, CurrentAce); Sid = SepGetSidFromAce(CurrentAce);
ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, TRUE); ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, TRUE);
ASSERT(Sid); ASSERT(Sid);
@ -811,7 +811,7 @@ SepAnalyzeAcesFromDacl(
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_OBJECT_ACE_TYPE) else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_OBJECT_ACE_TYPE)
{ {
/* Get the SID and object type from this ACE */ /* Get the SID and object type from this ACE */
Sid = SepGetSidFromAce(ACCESS_ALLOWED_OBJECT_ACE_TYPE, CurrentAce); Sid = SepGetSidFromAce(CurrentAce);
ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, FALSE); ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, FALSE);
ASSERT(Sid); ASSERT(Sid);
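Review bot: Each of the eight changed call sites in this section (the hunks at 517, 539, 561, 610 and again at 705, 735, 761, 811) now calls SepGetSidFromAce(CurrentAce) from inside an if/else branch that has just matched CurrentAce->Header.AceType, so the callee's switch repeats a test the caller already made and the `ASSERT(Sid)` that follows can only fire if the callee's switch and this chain disagree on which types are handled. That invariant is worth stating once at the first site, e.g. `/* The ACE type was matched above, so SepGetSidFromAce cannot return NULL here */`, since the assert compiles out in free builds. With the SID offset now derived from the ACE's own header, the safety of these reads rests on the DACL having been validated before SepAnalyzeAcesFromDacl walks it; presumably that happens in the capture path, but it is outside this hunk. SepAnalyzeAcesFromDacl begins and ends outside the hunk.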


@ -118,7 +118,7 @@ SepDumpAces(
DbgPrint("Ace->Header.AceType -> %s\n", SepGetAceTypeString(Ace->Header.AceType)); DbgPrint("Ace->Header.AceType -> %s\n", SepGetAceTypeString(Ace->Header.AceType));
DbgPrint("Ace->AccessMask -> 0x%08lx\n", Ace->AccessMask); DbgPrint("Ace->AccessMask -> 0x%08lx\n", Ace->AccessMask);
Sid = SepGetSidFromAce(Ace->Header.AceType, Ace); Sid = SepGetSidFromAce(Ace);
ASSERT(Sid); ASSERT(Sid);
RtlConvertSidToUnicodeString(&SidString, Sid, TRUE); RtlConvertSidToUnicodeString(&SidString, Sid, TRUE);
DbgPrint("Ace SID -> %wZ\n", &SidString); DbgPrint("Ace SID -> %wZ\n", &SidString);
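Review bot: `ASSERT(Sid)` on the line after the changed call compiles out in free builds, and SepDumpAces appears to pass Sid to RtlConvertSidToUnicodeString for every ACE it prints regardless of type, so an ACE whose type SepGetSidFromAce's switch does not handle (its default branch only logs, presumably leaving the result NULL) would hand a NULL SID to the conversion. The conversion and the `%wZ` print should be guarded, `if (Sid == NULL) { DbgPrint("Ace SID -> (unsupported ACE type)\n"); }` with the existing two lines moved into the else branch. The NTSTATUS returned by RtlConvertSidToUnicodeString is also dropped, so on failure the `%wZ` print reads an unset SidString; checking it before printing would make the dump robust. This pre-dates the commit, and SepDumpAces begins and ends outside the hunk.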


@ -558,13 +558,6 @@ SepSidInToken(
* given access control entry. This identifier * given access control entry. This identifier
* is valid for the whole of its lifetime. * is valid for the whole of its lifetime.
* *
* @param[in] AceType
* The type of an access control entry. This
* type that is given by the calling thread
* must coincide with the actual ACE that is
* given in the second parameter otherwise this
* can potentially lead to UNDEFINED behavior!
*
* @param[in] Ace * @param[in] Ace
* A pointer to an access control entry, which * A pointer to an access control entry, which
* can be obtained from a DACL. * can be obtained from a DACL.
@ -577,7 +570,6 @@ SepSidInToken(
PSID PSID
NTAPI NTAPI
SepGetSidFromAce( SepGetSidFromAce(
_In_ UCHAR AceType,
_In_ PACE Ace) _In_ PACE Ace)
{ {
PULONG Flags; PULONG Flags;
@ -589,7 +581,7 @@ SepGetSidFromAce(
ASSERT(Ace); ASSERT(Ace);
/* Obtain the SID based upon ACE type */ /* Obtain the SID based upon ACE type */
switch (AceType) switch (Ace->Header.AceType)
{ {
case ACCESS_DENIED_ACE_TYPE: case ACCESS_DENIED_ACE_TYPE:
case ACCESS_ALLOWED_ACE_TYPE: case ACCESS_ALLOWED_ACE_TYPE:
@ -620,7 +612,7 @@ SepGetSidFromAce(
default: default:
{ {
DPRINT1("SepGetSidFromAce(): Unknown ACE type (Ace 0x%p, Type %u)\n", Ace, AceType); DPRINT1("SepGetSidFromAce(): Unknown ACE type (Ace 0x%p, Type %u)\n", Ace, Ace->Header.AceType);
break; break;
} }
} }
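Review bot: The deleted `@param[in] AceType` block in the first hunk of this section was the only place the comment explained that the SID location depends on the ACE type and that a mismatch is undefined; after the change the `@param[in] Ace` text says nothing about the type, so add a line such as `* The SID location is selected from Ace->Header.AceType.` Because the switch at `switch (Ace->Header.AceType)` now trusts the header of the ACE it was handed, the comment should also state that the ACE must come from an already-validated ACL. The default branch only logs and breaks, so whatever `Sid` holds on an unknown type (presumably NULL, initialised outside the hunk) should be spelled out under `@return`. SepGetSidFromAce begins and ends outside the hunks shown.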