mirror of
https://github.com/reactos/reactos.git
synced 2024-10-01 15:07:53 +00:00
[NTOSKRNL]
- Add the check for ACESSS_SYSTEM_SECURITY. - Keep the desired access rights that have not been granted yet in the variable RemainingAccess. - Handle the MAXIMUM_ALLOWED case if the DACL is empty. svn path=/trunk/; revision=46689
This commit is contained in:
parent
809944b668
commit
74e30b9093
|
@ -390,6 +390,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||||||
{
|
{
|
||||||
LUID_AND_ATTRIBUTES Privilege;
|
LUID_AND_ATTRIBUTES Privilege;
|
||||||
ACCESS_MASK CurrentAccess, AccessMask;
|
ACCESS_MASK CurrentAccess, AccessMask;
|
||||||
|
ACCESS_MASK RemainingAccess;
|
||||||
PACCESS_TOKEN Token;
|
PACCESS_TOKEN Token;
|
||||||
ULONG i;
|
ULONG i;
|
||||||
PACL Dacl;
|
PACL Dacl;
|
||||||
|
@ -424,14 +425,43 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||||||
RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
|
RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
CurrentAccess = PreviouslyGrantedAccess;
|
CurrentAccess = PreviouslyGrantedAccess;
|
||||||
|
RemainingAccess = DesiredAccess;
|
||||||
|
|
||||||
|
|
||||||
Token = SubjectSecurityContext->ClientToken ?
|
Token = SubjectSecurityContext->ClientToken ?
|
||||||
SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
|
SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
|
||||||
|
|
||||||
|
/* Check for system security access */
|
||||||
|
if (RemainingAccess & ACCESS_SYSTEM_SECURITY)
|
||||||
|
{
|
||||||
|
Privilege.Luid = SeSecurityPrivilege;
|
||||||
|
Privilege.Attributes = SE_PRIVILEGE_ENABLED;
|
||||||
|
|
||||||
|
/* Fail if we do not the SeSecurityPrivilege */
|
||||||
|
if (!SepPrivilegeCheck(Token,
|
||||||
|
&Privilege,
|
||||||
|
1,
|
||||||
|
PRIVILEGE_SET_ALL_NECESSARY,
|
||||||
|
AccessMode))
|
||||||
|
{
|
||||||
|
*AccessStatus = STATUS_PRIVILEGE_NOT_HELD;
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Adjust access rights */
|
||||||
|
RemainingAccess &= ~ACCESS_SYSTEM_SECURITY;
|
||||||
|
PreviouslyGrantedAccess |= ACCESS_SYSTEM_SECURITY;
|
||||||
|
|
||||||
|
/* Succeed if there are no more rights to grant */
|
||||||
|
if (RemainingAccess == 0)
|
||||||
|
{
|
||||||
|
*GrantedAccess = PreviouslyGrantedAccess;
|
||||||
|
*AccessStatus = STATUS_SUCCESS;
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* Get the DACL */
|
/* Get the DACL */
|
||||||
Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
|
Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
|
||||||
&Present,
|
&Present,
|
||||||
|
@ -474,11 +504,15 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||||||
PRIVILEGE_SET_ALL_NECESSARY,
|
PRIVILEGE_SET_ALL_NECESSARY,
|
||||||
AccessMode))
|
AccessMode))
|
||||||
{
|
{
|
||||||
|
/* Adjust access rights */
|
||||||
|
RemainingAccess &= ~WRITE_OWNER;
|
||||||
|
PreviouslyGrantedAccess |= WRITE_OWNER;
|
||||||
CurrentAccess |= WRITE_OWNER;
|
CurrentAccess |= WRITE_OWNER;
|
||||||
if ((DesiredAccess & ~VALID_INHERIT_FLAGS) ==
|
|
||||||
(CurrentAccess & ~VALID_INHERIT_FLAGS))
|
/* Succeed if there are no more rights to grant */
|
||||||
|
if (RemainingAccess == 0)
|
||||||
{
|
{
|
||||||
*GrantedAccess = CurrentAccess;
|
*GrantedAccess = PreviouslyGrantedAccess;
|
||||||
*AccessStatus = STATUS_SUCCESS;
|
*AccessStatus = STATUS_SUCCESS;
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
@ -488,9 +522,18 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||||||
/* Deny access if the DACL is empty */
|
/* Deny access if the DACL is empty */
|
||||||
if (Dacl->AceCount == 0)
|
if (Dacl->AceCount == 0)
|
||||||
{
|
{
|
||||||
*GrantedAccess = 0;
|
if (RemainingAccess == MAXIMUM_ALLOWED && PreviouslyGrantedAccess != 0)
|
||||||
*AccessStatus = STATUS_ACCESS_DENIED;
|
{
|
||||||
return FALSE;
|
*GrantedAccess = PreviouslyGrantedAccess;
|
||||||
|
*AccessStatus = STATUS_SUCCESS;
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
*GrantedAccess = 0;
|
||||||
|
*AccessStatus = STATUS_ACCESS_DENIED;
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Fail if DACL is absent */
|
/* Fail if DACL is absent */
|
||||||
|
|
Loading…
Reference in a new issue