- Make use of PsChangeQuantumTable on system startup to setup the raw priority separation.

- Call PspComputeQuantumAndPriority in PspCreateProcess to calculate process base priority and quantum for child threads.
- Add security code to calculate process's access rights to itself, as documented in WI II.

svn path=/trunk/; revision=23248

reactos/ntoskrnl/KrnlFun.c

@@ -27,7 +27,7 @@
 // Ps:
 //  - Figure out why processes don't die.
 //  - Generate process cookie for user-more thread.
-//  - Add security calls where necessary.
+//  - Add security calls where necessary for thread creation.
 //  - Add tracing.
 //  - Add failure/race checks for thread creation.
 //

reactos/ntoskrnl/include/internal/ps.h

@@ -151,6 +151,13 @@ PspGetSystemDllEntryPoints(
     VOID
 );
 
+VOID
+NTAPI
+PsChangeQuantumTable(
+    IN BOOLEAN Immediate,
+    IN ULONG PrioritySeparation
+);
+
 //
 // Security Routines
 //
@@ -343,6 +350,7 @@ extern PVOID PspSystemDllEntryPoint;
 extern PVOID PspSystemDllBase;
 extern BOOLEAN PspUseJobSchedulingClasses;
 extern CHAR PspJobSchedulingClasses[PSP_JOB_SCHEDULING_CLASSES];
+extern ULONG PsRawPrioritySeparation;
 
 //
 // Inlined Functions

reactos/ntoskrnl/ps/process.c

@@ -27,6 +27,7 @@ KGUARDED_MUTEX PspActiveProcessMutex;
 
 LARGE_INTEGER ShortPsLockDelay;
 
+ULONG PsRawPrioritySeparation = 0;
 ULONG PsPrioritySeparation;
 CHAR PspForegroundQuantum[3];
 
@@ -360,7 +361,7 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
     PEPORT ExceptionPortObject;
     PDBGK_DEBUG_OBJECT DebugObject;
     PSECTION_OBJECT SectionObject;
-    NTSTATUS Status;
+    NTSTATUS Status, AccessStatus;
     KPROCESSOR_MODE PreviousMode;
     PHYSICAL_ADDRESS DirectoryTableBase;
     KAFFINITY Affinity;
@@ -371,6 +372,10 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
     ACCESS_STATE LocalAccessState;
     PACCESS_STATE AccessState = &LocalAccessState;
     AUX_DATA AuxData;
+    UCHAR Quantum;
+    BOOLEAN Result, SdAllocated;
+    PSECURITY_DESCRIPTOR SecurityDescriptor;
+    SECURITY_SUBJECT_CONTEXT SubjectContext;
     PAGED_CODE();
     DirectoryTableBase.QuadPart = 0;
 
@@ -687,12 +692,68 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
     /* Cleanup on failure */
     if (!NT_SUCCESS(Status)) goto Cleanup;
 
-    /* FIXME: Compute Quantum and Priority */
+    /* Compute Quantum and Priority */
+    Process->Pcb.BasePriority = PspComputeQuantumAndPriority(Process,
+                                                             0,
+                                                             &Quantum);
+    Process->Pcb.QuantumReset = Quantum;
 
-    /* 
-     * FIXME: ObGetObjectSecurity(Process, &SecurityDescriptor)
-     *        SeAccessCheck
-     */
+    /* Check if we have a parent other then the initial system process */
+    if ((Parent) && (Parent != PsInitialSystemProcess))
+    {
+        /* Get the process's SD */
+        Status = ObGetObjectSecurity(Process,
+                                     &SecurityDescriptor,
+                                     &SdAllocated);
+        if (!NT_SUCCESS(Status))
+        {
+            /* We failed, close the handle and clean up */
+            ObCloseHandle(hProcess, PreviousMode);
+            goto CleanupWithRef;
+        }
+
+        /* Create the subject context */
+        SubjectContext.ProcessAuditId = Process;
+        SubjectContext.PrimaryToken = PsReferencePrimaryToken(Process);
+        SubjectContext.ClientToken = NULL;
+
+        /* Do the access check */
+        if (!SecurityDescriptor) DPRINT1("FIX PS SDs!!\n");
+        Result = SeAccessCheck(SecurityDescriptor,
+                               &SubjectContext,
+                               FALSE,
+                               MAXIMUM_ALLOWED,
+                               0,
+                               NULL,
+                               &PsProcessType->TypeInfo.GenericMapping,
+                               PreviousMode,
+                               &Process->GrantedAccess,
+                               &AccessStatus);
+
+        /* Dereference the token and let go the SD */
+        ObFastDereferenceObject(&Process->Token,
+                                SubjectContext.PrimaryToken);
+        ObReleaseObjectSecurity(SecurityDescriptor, SdAllocated);
+
+        /* Remove access if it failed */
+        if (!Result) Process->GrantedAccess = 0;
+
+        /* Give the process some basic access */
+        Process->GrantedAccess |= (PROCESS_VM_OPERATION |
+                                   PROCESS_VM_READ |
+                                   PROCESS_VM_WRITE |
+                                   PROCESS_QUERY_INFORMATION |
+                                   PROCESS_TERMINATE |
+                                   PROCESS_CREATE_THREAD |
+                                   PROCESS_DUP_HANDLE |
+                                   PROCESS_CREATE_PROCESS |
+                                   PROCESS_SET_INFORMATION);
+    }
+    else
+    {
+        /* Set full granted access */
+        Process->GrantedAccess = PROCESS_ALL_ACCESS;
+    }
 
     /* Sanity check */
     ASSERT(IsListEmpty(&Process->ThreadListHead));
@@ -700,9 +761,6 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
     /* Set the Creation Time */
     KeQuerySystemTime(&Process->CreateTime);
 
-    /* Set the granted access */
-    Process->GrantedAccess = PROCESS_ALL_ACCESS;
-
     /* Protect against bad user-mode pointer */
     _SEH_TRY
     {

reactos/ntoskrnl/ps/psmgr.c

@@ -159,6 +159,9 @@ PsInitProcessManagment(VOID)
    InitializeListHead(&PsActiveProcessHead);
    KeInitializeGuardedMutex(&PspActiveProcessMutex);
 
+   /* Setup the quantum table */
+   PsChangeQuantumTable(FALSE, PsRawPrioritySeparation);
+
    /*
     * Initialize the default quota block.
     */