Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-04-26 08:30:21 +00:00
Code Issues Projects Releases Packages Wiki Activity

[ntoskrnl/se]

Browse source 
- Factor out working code from SeAccessCheck into SepAccessCheck, taking out addition parameter - LowerImpersonationLevel. The lowest level for SeAccessCheck remains SecurityImpersonation, but for NtAccessCheck it's lowered to SecurityIdentification. Name of this patch's author has been lost.
See issue #4169 for more details.

svn path=/trunk/; revision=44260
This commit is contained in:
Aleksey Bragin 2009-11-21 17:58:33 +00:00
parent c71cdeb49d
commit 78b292be2c
1 changed files with 54 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

80
reactos/ntoskrnl/se/semgr.c
View file

@ -348,22 +348,18 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
}
}
/* PUBLIC FUNCTIONS ***********************************************************/
/*
* @implemented
*/
BOOLEAN NTAPI
SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
IN BOOLEAN SubjectContextLocked,
IN ACCESS_MASK DesiredAccess,
IN ACCESS_MASK PreviouslyGrantedAccess,
OUT PPRIVILEGE_SET* Privileges,
IN PGENERIC_MAPPING GenericMapping,
IN KPROCESSOR_MODE AccessMode,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus)
SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
IN BOOLEAN SubjectContextLocked,
IN ACCESS_MASK DesiredAccess,
IN ACCESS_MASK PreviouslyGrantedAccess,
OUT PPRIVILEGE_SET* Privileges,
IN PGENERIC_MAPPING GenericMapping,
IN KPROCESSOR_MODE AccessMode,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus,
SECURITY_IMPERSONATION_LEVEL LowestImpersonationLevel)
{
LUID_AND_ATTRIBUTES Privilege;
ACCESS_MASK CurrentAccess, AccessMask;
@ -409,7 +405,7 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
/* Check for invalid impersonation */
if ((SubjectSecurityContext->ClientToken) &&
(SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation))
(SubjectSecurityContext->ImpersonationLevel < LowestImpersonationLevel))
{
*AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
return FALSE;
@ -619,6 +615,37 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
}
}
/* PUBLIC FUNCTIONS ***********************************************************/
/*
* @implemented
*/
BOOLEAN NTAPI
SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
IN BOOLEAN SubjectContextLocked,
IN ACCESS_MASK DesiredAccess,
IN ACCESS_MASK PreviouslyGrantedAccess,
OUT PPRIVILEGE_SET* Privileges,
IN PGENERIC_MAPPING GenericMapping,
IN KPROCESSOR_MODE AccessMode,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus)
{
/* Call the internal function */
return SepAccessCheck(SecurityDescriptor,
SubjectSecurityContext,
SubjectContextLocked,
DesiredAccess,
PreviouslyGrantedAccess,
Privileges,
GenericMapping,
AccessMode,
GrantedAccess,
AccessStatus,
SecurityImpersonation);
}
/* SYSTEM CALLS ***************************************************************/
/*
@ -691,16 +718,17 @@ NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
SeLockSubjectContext(&SubjectSecurityContext);
/* Now perform the access check */
SeAccessCheck(SecurityDescriptor,
&SubjectSecurityContext,
TRUE,
DesiredAccess,
0,
&PrivilegeSet, //FIXME
GenericMapping,
PreviousMode,
GrantedAccess,
AccessStatus);
SepAccessCheck(SecurityDescriptor,
&SubjectSecurityContext,
TRUE,
DesiredAccess,
0,
&PrivilegeSet, //FIXME
GenericMapping,
PreviousMode,
GrantedAccess,
AccessStatus,
SecurityIdentification);
/* Unlock subject context and dereference the token */
SeUnlockSubjectContext(&SubjectSecurityContext);