[ntoskrnl/se]

- Factor out working code from SeAccessCheck into SepAccessCheck, taking out addition parameter - LowerImpersonationLevel. The lowest level for SeAccessCheck remains SecurityImpersonation, but for NtAccessCheck it's lowered to SecurityIdentification. Name of this patch's author has been lost. See issue #4169 for more details. svn path=/trunk/; revision=44260
2025-04-26 16:40:27 +00:00 · 2009-11-21 17:58:33 +00:00 · 2009-11-21 17:58:33 +00:00 · 78b292be2c
commit 78b292be2c
parent c71cdeb49d
1 changed files with 54 additions and 26 deletions
--- a/reactos/ntoskrnl/se/semgr.c
+++ b/reactos/ntoskrnl/se/semgr.c
@ -348,22 +348,18 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
    }
 }
 /* PUBLIC FUNCTIONS ***********************************************************/
 /*
 * @implemented
 */
 BOOLEAN NTAPI
-SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
-              IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
+               IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
-              IN BOOLEAN SubjectContextLocked,
+               IN BOOLEAN SubjectContextLocked,
-              IN ACCESS_MASK DesiredAccess,
+               IN ACCESS_MASK DesiredAccess,
-              IN ACCESS_MASK PreviouslyGrantedAccess,
+               IN ACCESS_MASK PreviouslyGrantedAccess,
-              OUT PPRIVILEGE_SET* Privileges,
+               OUT PPRIVILEGE_SET* Privileges,
-              IN PGENERIC_MAPPING GenericMapping,
+               IN PGENERIC_MAPPING GenericMapping,
-              IN KPROCESSOR_MODE AccessMode,
+               IN KPROCESSOR_MODE AccessMode,
-              OUT PACCESS_MASK GrantedAccess,
+               OUT PACCESS_MASK GrantedAccess,
-              OUT PNTSTATUS AccessStatus)
+               OUT PNTSTATUS AccessStatus,
               SECURITY_IMPERSONATION_LEVEL LowestImpersonationLevel)
 {
    LUID_AND_ATTRIBUTES Privilege;
    ACCESS_MASK CurrentAccess, AccessMask;
@ -409,7 +405,7 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    /* Check for invalid impersonation */
    if ((SubjectSecurityContext->ClientToken) &&
-        (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation))
+        (SubjectSecurityContext->ImpersonationLevel < LowestImpersonationLevel))
    {
        *AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
        return FALSE;
@ -619,6 +615,37 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    }
 }
 /* PUBLIC FUNCTIONS ***********************************************************/
 /*
 * @implemented
 */
 BOOLEAN NTAPI
 SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
              IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
              IN BOOLEAN SubjectContextLocked,
              IN ACCESS_MASK DesiredAccess,
              IN ACCESS_MASK PreviouslyGrantedAccess,
              OUT PPRIVILEGE_SET* Privileges,
              IN PGENERIC_MAPPING GenericMapping,
              IN KPROCESSOR_MODE AccessMode,
              OUT PACCESS_MASK GrantedAccess,
              OUT PNTSTATUS AccessStatus)
 {
    /* Call the internal function */
    return SepAccessCheck(SecurityDescriptor,
                          SubjectSecurityContext,
                          SubjectContextLocked,
                          DesiredAccess,
                          PreviouslyGrantedAccess,
                          Privileges,
                          GenericMapping,
                          AccessMode,
                          GrantedAccess,
                          AccessStatus,
                          SecurityImpersonation);
 }
 /* SYSTEM CALLS ***************************************************************/
 /*
@ -691,16 +718,17 @@ NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    SeLockSubjectContext(&SubjectSecurityContext);
    /* Now perform the access check */
-    SeAccessCheck(SecurityDescriptor,
+    SepAccessCheck(SecurityDescriptor,
-                  &SubjectSecurityContext,
+                   &SubjectSecurityContext,
-                  TRUE,
+                   TRUE,
-                  DesiredAccess,
+                   DesiredAccess,
-                  0,
+                   0,
-                  &PrivilegeSet, //FIXME
+                   &PrivilegeSet, //FIXME
-                  GenericMapping,
+                   GenericMapping,
-                  PreviousMode,
+                   PreviousMode,
-                  GrantedAccess,
+                   GrantedAccess,
-                  AccessStatus);
+                   AccessStatus,
                   SecurityIdentification);
    /* Unlock subject context and dereference the token */
    SeUnlockSubjectContext(&SubjectSecurityContext);