[NTOS:SE] Finish SepCreateImpersonationTokenDacl() implementation.

- Re-enable a commented-out block; - Return the allocated Dacl. - Use the correct pool tag when freeing the allocated Dacl.
2025-04-29 18:48:53 +00:00 · 2018-06-25 15:24:44 +02:00 · 2018-06-25 15:24:44 +02:00 · 5b2dda9134
commit 5b2dda9134
parent 813879f02f
3 changed files with 22 additions and 19 deletions
--- a/ntoskrnl/include/internal/se.h
+++ b/ntoskrnl/include/internal/se.h
@ -317,9 +317,9 @@ SeIsTokenChild(
 NTSTATUS
 NTAPI
 SepCreateImpersonationTokenDacl(
-    PTOKEN Token,
-    PTOKEN PrimaryToken,
-    PACL *Dacl
+    _In_ PTOKEN Token,
+    _In_ PTOKEN PrimaryToken,
+    _Out_ PACL* Dacl
 );

 VOID
--- a/ntoskrnl/se/acl.c
+++ b/ntoskrnl/se/acl.c
@ -224,20 +224,24 @@ SepInitDACLs(VOID)
    return TRUE;
 }

-NTSTATUS NTAPI
-SepCreateImpersonationTokenDacl(PTOKEN Token,
-                                PTOKEN PrimaryToken,
-                                PACL *Dacl)
+NTSTATUS
+NTAPI
+SepCreateImpersonationTokenDacl(
+    _In_ PTOKEN Token,
+    _In_ PTOKEN PrimaryToken,
+    _Out_ PACL* Dacl)
 {
    ULONG AclLength;
-    PVOID TokenDacl;
+    PACL TokenDacl;

    PAGED_CODE();

+    *Dacl = NULL;
+
    AclLength = sizeof(ACL) +
        (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
-    (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
        (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
+        (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
        (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
        (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));

@ -257,14 +261,13 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
    RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
                           SeLocalSystemSid);

-    /* FIXME */
-#if 0
    if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
    {
        RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
                               SeRestrictedCodeSid);
    }
-#endif
+
+    *Dacl = TokenDacl;

    return STATUS_SUCCESS;
 }
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@ -3325,7 +3325,8 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,

    /*
     * At first open the thread token for information access and verify
-     * that the token associated with thread is valid.     */
+     * that the token associated with thread is valid.
+     */

    Status = ObReferenceObjectByHandle(ThreadHandle, THREAD_QUERY_INFORMATION,
                                       PsThreadType, PreviousMode, (PVOID*)&Thread,
@ -3386,7 +3387,6 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
                InitializeObjectAttributes(&ObjectAttributes, NULL, HandleAttributes,
                                           NULL, Dacl ? &SecurityDescriptor : NULL);

-
                Status = SepDuplicateToken(Token, &ObjectAttributes, EffectiveOnly,
                                           TokenImpersonation, ImpersonationLevel,
                                           KernelMode, &NewToken);
@ -3406,7 +3406,7 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle,
                                       PreviousMode, &hToken);
    }

-    if (Dacl) ExFreePoolWithTag(Dacl, TAG_TOKEN_ACL);
+    if (Dacl) ExFreePoolWithTag(Dacl, TAG_ACL);

    if (RestoreImpersonation)
    {