mirror of
https://github.com/reactos/reactos.git
synced 2024-06-29 01:12:06 +00:00
[NTOSKRNL]
- Add the check for ACESSS_SYSTEM_SECURITY. - Keep the desired access rights that have not been granted yet in the variable RemainingAccess. - Handle the MAXIMUM_ALLOWED case if the DACL is empty. svn path=/trunk/; revision=46689
This commit is contained in:
parent
809944b668
commit
74e30b9093
|
@ -390,6 +390,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
{
|
||||
LUID_AND_ATTRIBUTES Privilege;
|
||||
ACCESS_MASK CurrentAccess, AccessMask;
|
||||
ACCESS_MASK RemainingAccess;
|
||||
PACCESS_TOKEN Token;
|
||||
ULONG i;
|
||||
PACL Dacl;
|
||||
|
@ -424,14 +425,43 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
|
||||
|
||||
|
||||
|
||||
CurrentAccess = PreviouslyGrantedAccess;
|
||||
|
||||
RemainingAccess = DesiredAccess;
|
||||
|
||||
|
||||
Token = SubjectSecurityContext->ClientToken ?
|
||||
SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
|
||||
|
||||
/* Check for system security access */
|
||||
if (RemainingAccess & ACCESS_SYSTEM_SECURITY)
|
||||
{
|
||||
Privilege.Luid = SeSecurityPrivilege;
|
||||
Privilege.Attributes = SE_PRIVILEGE_ENABLED;
|
||||
|
||||
/* Fail if we do not the SeSecurityPrivilege */
|
||||
if (!SepPrivilegeCheck(Token,
|
||||
&Privilege,
|
||||
1,
|
||||
PRIVILEGE_SET_ALL_NECESSARY,
|
||||
AccessMode))
|
||||
{
|
||||
*AccessStatus = STATUS_PRIVILEGE_NOT_HELD;
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* Adjust access rights */
|
||||
RemainingAccess &= ~ACCESS_SYSTEM_SECURITY;
|
||||
PreviouslyGrantedAccess |= ACCESS_SYSTEM_SECURITY;
|
||||
|
||||
/* Succeed if there are no more rights to grant */
|
||||
if (RemainingAccess == 0)
|
||||
{
|
||||
*GrantedAccess = PreviouslyGrantedAccess;
|
||||
*AccessStatus = STATUS_SUCCESS;
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
/* Get the DACL */
|
||||
Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
|
||||
&Present,
|
||||
|
@ -474,11 +504,15 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
PRIVILEGE_SET_ALL_NECESSARY,
|
||||
AccessMode))
|
||||
{
|
||||
/* Adjust access rights */
|
||||
RemainingAccess &= ~WRITE_OWNER;
|
||||
PreviouslyGrantedAccess |= WRITE_OWNER;
|
||||
CurrentAccess |= WRITE_OWNER;
|
||||
if ((DesiredAccess & ~VALID_INHERIT_FLAGS) ==
|
||||
(CurrentAccess & ~VALID_INHERIT_FLAGS))
|
||||
|
||||
/* Succeed if there are no more rights to grant */
|
||||
if (RemainingAccess == 0)
|
||||
{
|
||||
*GrantedAccess = CurrentAccess;
|
||||
*GrantedAccess = PreviouslyGrantedAccess;
|
||||
*AccessStatus = STATUS_SUCCESS;
|
||||
return TRUE;
|
||||
}
|
||||
|
@ -488,9 +522,18 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
/* Deny access if the DACL is empty */
|
||||
if (Dacl->AceCount == 0)
|
||||
{
|
||||
*GrantedAccess = 0;
|
||||
*AccessStatus = STATUS_ACCESS_DENIED;
|
||||
return FALSE;
|
||||
if (RemainingAccess == MAXIMUM_ALLOWED && PreviouslyGrantedAccess != 0)
|
||||
{
|
||||
*GrantedAccess = PreviouslyGrantedAccess;
|
||||
*AccessStatus = STATUS_SUCCESS;
|
||||
return TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
*GrantedAccess = 0;
|
||||
*AccessStatus = STATUS_ACCESS_DENIED;
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
/* Fail if DACL is absent */
|
||||
|
|
Loading…
Reference in a new issue