Implement SeLockSubjectContext and SeUnlockSubjectContext.

svn path=/trunk/; revision=10855
Eric Kohl 2004-09-14 11:04:48 +00:00
parent 2da90fee73
commit 4a4dcb92cf


@ -1,4 +1,4 @@
/* $Id: semgr.c,v 1.43 2004/09/08 11:39:59 ekohl Exp $ /* $Id: semgr.c,v 1.44 2004/09/14 11:04:48 ekohl Exp $
* *
* COPYRIGHT: See COPYING in the top level directory * COPYRIGHT: See COPYING in the top level directory
* PROJECT: ReactOS kernel * PROJECT: ReactOS kernel
@ -22,13 +22,15 @@
PSE_EXPORTS EXPORTED SeExports = NULL; PSE_EXPORTS EXPORTED SeExports = NULL;
static ERESOURCE SepSubjectContextLock;
/* PROTOTYPES ***************************************************************/ /* PROTOTYPES ***************************************************************/
static BOOLEAN SepInitExports(VOID); static BOOLEAN SepInitExports(VOID);
/* FUNCTIONS ****************************************************************/
/* FUNCTIONS ****************************************************************/
BOOLEAN INIT_FUNCTION BOOLEAN INIT_FUNCTION
SeInit1(VOID) SeInit1(VOID)
@ -49,6 +51,9 @@ SeInit1(VOID)
if (!SepInitExports()) if (!SepInitExports())
return FALSE; return FALSE;
/* Initialize the subject context lock */
ExInitializeResource(&SepSubjectContextLock);
return TRUE; return TRUE;
} }
@ -231,12 +236,22 @@ SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
/* /*
* @unimplemented * @implemented
*/ */
VOID STDCALL VOID STDCALL
SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext) SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{ {
UNIMPLEMENTED; ExAcquireResourceExclusiveLite(&SepSubjectContextLock, TRUE);
}
/*
* @implemented
*/
VOID STDCALL
SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
ExReleaseResourceLite(&SepSubjectContextLock);
} }
@ -258,16 +273,6 @@ SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
} }
/*
* @unimplemented
*/
VOID STDCALL
SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
UNIMPLEMENTED;
}
/* /*
* @implemented * @implemented
*/ */
@ -340,7 +345,8 @@ SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
PACL Dacl = NULL; PACL Dacl = NULL;
PACL Sacl = NULL; PACL Sacl = NULL;
/* FIXME: Lock subject context */ /* Lock subject context */
SeLockSubjectContext(SubjectContext);
if (SubjectContext->ClientToken != NULL) if (SubjectContext->ClientToken != NULL)
{ {
@ -537,7 +543,8 @@ SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
Descriptor->Group = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor); Descriptor->Group = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
} }
/* FIXME: Unlock subject context */ /* Unlock subject context */
SeUnlockSubjectContext(SubjectContext);
*NewDescriptor = Descriptor; *NewDescriptor = Descriptor;
@ -616,6 +623,11 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
CurrentAccess = PreviouslyGrantedAccess; CurrentAccess = PreviouslyGrantedAccess;
if (SubjectContextLocked == FALSE)
{
SeLockSubjectContext(SubjectSecurityContext);
}
Token = SubjectSecurityContext->ClientToken ? Token = SubjectSecurityContext->ClientToken ?
SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken; SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
@ -626,13 +638,23 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
&Defaulted); &Defaulted);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
if (SubjectContextLocked == FALSE)
{
SeUnlockSubjectContext(SubjectSecurityContext);
}
*AccessStatus = Status; *AccessStatus = Status;
return FALSE; return FALSE;
} }
/* RULE 1: Grant desired access if the object is unprotected */ /* RULE 1: Grant desired access if the object is unprotected */
if (Dacl == NULL) if (Present == TRUE && Dacl == NULL)
{ {
if (SubjectContextLocked == FALSE)
{
SeUnlockSubjectContext(SubjectSecurityContext);
}
*GrantedAccess = DesiredAccess; *GrantedAccess = DesiredAccess;
*AccessStatus = STATUS_SUCCESS; *AccessStatus = STATUS_SUCCESS;
return TRUE; return TRUE;
@ -653,6 +675,11 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
CurrentAccess |= WRITE_OWNER; CurrentAccess |= WRITE_OWNER;
if (DesiredAccess == CurrentAccess) if (DesiredAccess == CurrentAccess)
{ {
if (SubjectContextLocked == FALSE)
{
SeUnlockSubjectContext(SubjectSecurityContext);
}
*GrantedAccess = CurrentAccess; *GrantedAccess = CurrentAccess;
*AccessStatus = STATUS_SUCCESS; *AccessStatus = STATUS_SUCCESS;
return TRUE; return TRUE;
@ -666,6 +693,11 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status); DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status);
if (SubjectContextLocked == FALSE)
{
SeUnlockSubjectContext(SubjectSecurityContext);
}
*AccessStatus = Status; *AccessStatus = Status;
return FALSE; return FALSE;
} }
@ -675,12 +707,30 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
CurrentAccess |= (READ_CONTROL | WRITE_DAC); CurrentAccess |= (READ_CONTROL | WRITE_DAC);
if (DesiredAccess == CurrentAccess) if (DesiredAccess == CurrentAccess)
{ {
if (SubjectContextLocked == FALSE)
{
SeUnlockSubjectContext(SubjectSecurityContext);
}
*GrantedAccess = CurrentAccess; *GrantedAccess = CurrentAccess;
*AccessStatus = STATUS_SUCCESS; *AccessStatus = STATUS_SUCCESS;
return TRUE; return TRUE;
} }
} }
/* Fail if DACL is absent */
if (Present == FALSE)
{
if (SubjectContextLocked == FALSE)
{
SeUnlockSubjectContext(SubjectSecurityContext);
}
*GrantedAccess = 0;
*AccessStatus = STATUS_ACCESS_DENIED;
return TRUE;
}
/* RULE 4: Grant rights according to the DACL */ /* RULE 4: Grant rights according to the DACL */
CurrentAce = (PACE)(Dacl + 1); CurrentAce = (PACE)(Dacl + 1);
for (i = 0; i < Dacl->AceCount; i++) for (i = 0; i < Dacl->AceCount; i++)
@ -690,6 +740,11 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
{ {
if (SepSidInToken(Token, Sid)) if (SepSidInToken(Token, Sid))
{ {
if (SubjectContextLocked == FALSE)
{
SeUnlockSubjectContext(SubjectSecurityContext);
}
*GrantedAccess = 0; *GrantedAccess = 0;
*AccessStatus = STATUS_ACCESS_DENIED; *AccessStatus = STATUS_ACCESS_DENIED;
return TRUE; return TRUE;
@ -705,6 +760,11 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
} }
} }
if (SubjectContextLocked == FALSE)
{
SeUnlockSubjectContext(SubjectSecurityContext);
}
DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n", DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
CurrentAccess, DesiredAccess); CurrentAccess, DesiredAccess);
@ -775,7 +835,8 @@ NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
SubjectSecurityContext.ClientToken = Token; SubjectSecurityContext.ClientToken = Token;
SubjectSecurityContext.ImpersonationLevel = Token->ImpersonationLevel; SubjectSecurityContext.ImpersonationLevel = Token->ImpersonationLevel;
/* FIXME: Lock subject context */ /* Lock subject context */
SeLockSubjectContext(&SubjectSecurityContext);
if (!SeAccessCheck(SecurityDescriptor, if (!SeAccessCheck(SecurityDescriptor,
&SubjectSecurityContext, &SubjectSecurityContext,
@ -795,7 +856,8 @@ NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
Status = STATUS_ACCESS_DENIED; Status = STATUS_ACCESS_DENIED;
} }
/* FIXME: Unlock subject context */ /* Unlock subject context */
SeUnlockSubjectContext(&SubjectSecurityContext);
ObDereferenceObject(Token); ObDereferenceObject(Token);
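Review bot: The new "Fail if DACL is absent" branch added to SeAccessCheck (hunk at -675) sets `*GrantedAccess = 0` and `*AccessStatus = STATUS_ACCESS_DENIED` but then ends with `return TRUE;`, so any caller that tests only the BOOLEAN result will read the denial as a grant. The NtAccessCheck call later in this file is written as `if (!SeAccessCheck(...))`, which appears to rely on the return value in exactly that way. I would end the branch with `return FALSE;`. The existing deny-ACE branch in the -690 hunk has the same `return TRUE;` and probably wants the same change. SeAccessCheck's remaining exits lie outside the hunks shown, so the intended return convention should be confirmed against the whole function.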