mirror of
https://github.com/reactos/reactos.git
synced 2025-04-21 04:37:15 +00:00
[NTOS:OB]
- Allocate all of the kernel objects security descriptor and the dos devices security descriptor from the paged pool, instead of just the ACLs. - Replace special security descriptor free routines by calls to ExFreePoolWithTag. - Replace the TAG_OB_DIR_SD by TAG_SD. svn path=/trunk/; revision=74157
This commit is contained in:
Eric Kohl
parent
89e9101a9b
commit
7fee8ebabe
3 changed files with 73 additions and 81 deletions
|
|
@ -150,7 +150,6 @@
|
||||||
/* Object Manager Tags */
|
/* Object Manager Tags */
|
||||||
#define OB_NAME_TAG 'mNbO'
|
#define OB_NAME_TAG 'mNbO'
|
||||||
#define OB_DIR_TAG 'iDbO'
|
#define OB_DIR_TAG 'iDbO'
|
||||||
#define TAG_OB_DIR_SD 'sDbO'
|
|
||||||
|
|
||||||
|
|
||||||
/* formerly located in ps/cid.c */
|
/* formerly located in ps/cid.c */
|
||||||
|
|
|
||||||
|
|
@ -58,32 +58,37 @@ static
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
NTAPI
|
NTAPI
|
||||||
INIT_FUNCTION
|
INIT_FUNCTION
|
||||||
ObpCreateKernelObjectsSD(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
|
ObpCreateKernelObjectsSD(OUT PSECURITY_DESCRIPTOR *SecurityDescriptor)
|
||||||
{
|
{
|
||||||
ULONG AclLength;
|
PSECURITY_DESCRIPTOR Sd = NULL;
|
||||||
PACL Dacl;
|
PACL Dacl;
|
||||||
|
ULONG AclSize, SdSize;
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
|
|
||||||
/* Initialize the SD */
|
AclSize = sizeof(ACL) +
|
||||||
Status = RtlCreateSecurityDescriptor(SecurityDescriptor,
|
sizeof(ACE) + RtlLengthSid(SeWorldSid) +
|
||||||
SECURITY_DESCRIPTOR_REVISION);
|
sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
|
||||||
if (!NT_SUCCESS(Status))
|
sizeof(ACE) + RtlLengthSid(SeLocalSystemSid);
|
||||||
return Status;
|
|
||||||
|
|
||||||
/* Allocate the DACL */
|
SdSize = sizeof(SECURITY_DESCRIPTOR) + AclSize;
|
||||||
AclLength = sizeof(ACL) +
|
|
||||||
sizeof(ACE) + RtlLengthSid(SeWorldSid) +
|
|
||||||
sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
|
|
||||||
sizeof(ACE) + RtlLengthSid(SeLocalSystemSid);
|
|
||||||
|
|
||||||
Dacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_OB_DIR_SD);
|
/* Allocate the SD and ACL */
|
||||||
if (Dacl == NULL)
|
Sd = ExAllocatePoolWithTag(PagedPool, SdSize, TAG_SD);
|
||||||
|
if (Sd == NULL)
|
||||||
{
|
{
|
||||||
return STATUS_INSUFFICIENT_RESOURCES;
|
return STATUS_INSUFFICIENT_RESOURCES;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Initialize the SD */
|
||||||
|
Status = RtlCreateSecurityDescriptor(Sd,
|
||||||
|
SECURITY_DESCRIPTOR_REVISION);
|
||||||
|
if (!NT_SUCCESS(Status))
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
Dacl = (PACL)((INT_PTR)Sd + sizeof(SECURITY_DESCRIPTOR));
|
||||||
|
|
||||||
/* Initialize the DACL */
|
/* Initialize the DACL */
|
||||||
RtlCreateAcl(Dacl, AclLength, ACL_REVISION);
|
RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
|
||||||
|
|
||||||
/* Add the ACEs */
|
/* Add the ACEs */
|
||||||
RtlAddAccessAllowedAce(Dacl,
|
RtlAddAccessAllowedAce(Dacl,
|
||||||
|
|
@ -102,34 +107,25 @@ ObpCreateKernelObjectsSD(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
|
||||||
SeLocalSystemSid);
|
SeLocalSystemSid);
|
||||||
|
|
||||||
/* Attach the DACL to the SD */
|
/* Attach the DACL to the SD */
|
||||||
Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor,
|
Status = RtlSetDaclSecurityDescriptor(Sd,
|
||||||
TRUE,
|
TRUE,
|
||||||
Dacl,
|
Dacl,
|
||||||
FALSE);
|
FALSE);
|
||||||
|
if (!NT_SUCCESS(Status))
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
*SecurityDescriptor = Sd;
|
||||||
|
|
||||||
|
done:
|
||||||
|
if (!NT_SUCCESS(Status))
|
||||||
|
{
|
||||||
|
if (Sd != NULL)
|
||||||
|
ExFreePoolWithTag(Sd, TAG_SD);
|
||||||
|
}
|
||||||
|
|
||||||
return Status;
|
return Status;
|
||||||
}
|
}
|
||||||
|
|
||||||
static
|
|
||||||
VOID
|
|
||||||
NTAPI
|
|
||||||
INIT_FUNCTION
|
|
||||||
ObpFreeKernelObjectsSD(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
|
|
||||||
{
|
|
||||||
PACL Dacl = NULL;
|
|
||||||
BOOLEAN DaclPresent, Defaulted;
|
|
||||||
NTSTATUS Status;
|
|
||||||
|
|
||||||
Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
|
|
||||||
&DaclPresent,
|
|
||||||
&Dacl,
|
|
||||||
&Defaulted);
|
|
||||||
if (NT_SUCCESS(Status) && Dacl != NULL)
|
|
||||||
{
|
|
||||||
ExFreePoolWithTag(Dacl, TAG_OB_DIR_SD);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
BOOLEAN
|
BOOLEAN
|
||||||
INIT_FUNCTION
|
INIT_FUNCTION
|
||||||
NTAPI
|
NTAPI
|
||||||
|
|
@ -212,7 +208,7 @@ ObInitSystem(VOID)
|
||||||
POBJECT_HEADER Header;
|
POBJECT_HEADER Header;
|
||||||
POBJECT_HEADER_CREATOR_INFO CreatorInfo;
|
POBJECT_HEADER_CREATOR_INFO CreatorInfo;
|
||||||
POBJECT_HEADER_NAME_INFO NameInfo;
|
POBJECT_HEADER_NAME_INFO NameInfo;
|
||||||
SECURITY_DESCRIPTOR KernelObjectsSD;
|
PSECURITY_DESCRIPTOR KernelObjectsSD = NULL;
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
|
|
||||||
/* Check if this is actually Phase 1 initialization */
|
/* Check if this is actually Phase 1 initialization */
|
||||||
|
|
@ -346,13 +342,13 @@ ObPostPhase0:
|
||||||
&Name,
|
&Name,
|
||||||
OBJ_CASE_INSENSITIVE | OBJ_PERMANENT,
|
OBJ_CASE_INSENSITIVE | OBJ_PERMANENT,
|
||||||
NULL,
|
NULL,
|
||||||
&KernelObjectsSD);
|
KernelObjectsSD);
|
||||||
|
|
||||||
/* Create the directory */
|
/* Create the directory */
|
||||||
Status = NtCreateDirectoryObject(&Handle,
|
Status = NtCreateDirectoryObject(&Handle,
|
||||||
DIRECTORY_ALL_ACCESS,
|
DIRECTORY_ALL_ACCESS,
|
||||||
&ObjectAttributes);
|
&ObjectAttributes);
|
||||||
ObpFreeKernelObjectsSD(&KernelObjectsSD);
|
ExFreePoolWithTag(KernelObjectsSD, TAG_SD);
|
||||||
if (!NT_SUCCESS(Status)) return FALSE;
|
if (!NT_SUCCESS(Status)) return FALSE;
|
||||||
|
|
||||||
/* Close the extra handle */
|
/* Close the extra handle */
|
||||||
|
|
|
||||||
|
|
@ -34,35 +34,40 @@ UNICODE_STRING ObpDosDevicesShortName =
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
NTAPI
|
NTAPI
|
||||||
INIT_FUNCTION
|
INIT_FUNCTION
|
||||||
ObpCreateGlobalDosDevicesSD(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
|
ObpCreateGlobalDosDevicesSD(OUT PSECURITY_DESCRIPTOR *SecurityDescriptor)
|
||||||
{
|
{
|
||||||
ULONG AclLength;
|
PSECURITY_DESCRIPTOR Sd = NULL;
|
||||||
PACL Dacl;
|
PACL Dacl;
|
||||||
|
ULONG AclSize, SdSize;
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
|
|
||||||
/* Initialize the SD */
|
AclSize = sizeof(ACL) +
|
||||||
Status = RtlCreateSecurityDescriptor(SecurityDescriptor,
|
sizeof(ACE) + RtlLengthSid(SeWorldSid) +
|
||||||
SECURITY_DESCRIPTOR_REVISION);
|
sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
|
||||||
if (!NT_SUCCESS(Status))
|
sizeof(ACE) + RtlLengthSid(SeWorldSid) +
|
||||||
return Status;
|
sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
|
||||||
|
sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
|
||||||
|
sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
|
||||||
|
|
||||||
/* Allocate the DACL */
|
SdSize = sizeof(SECURITY_DESCRIPTOR) + AclSize;
|
||||||
AclLength = sizeof(ACL) +
|
|
||||||
sizeof(ACE) + RtlLengthSid(SeWorldSid) +
|
|
||||||
sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
|
|
||||||
sizeof(ACE) + RtlLengthSid(SeWorldSid) +
|
|
||||||
sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
|
|
||||||
sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
|
|
||||||
sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
|
|
||||||
|
|
||||||
Dacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_OB_DIR_SD);
|
/* Allocate the SD and ACL */
|
||||||
if (Dacl == NULL)
|
Sd = ExAllocatePoolWithTag(PagedPool, SdSize, TAG_SD);
|
||||||
|
if (Sd == NULL)
|
||||||
{
|
{
|
||||||
return STATUS_INSUFFICIENT_RESOURCES;
|
return STATUS_INSUFFICIENT_RESOURCES;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Initialize the SD */
|
||||||
|
Status = RtlCreateSecurityDescriptor(Sd,
|
||||||
|
SECURITY_DESCRIPTOR_REVISION);
|
||||||
|
if (!NT_SUCCESS(Status))
|
||||||
|
return Status;
|
||||||
|
|
||||||
|
Dacl = (PACL)((INT_PTR)Sd + sizeof(SECURITY_DESCRIPTOR));
|
||||||
|
|
||||||
/* Initialize the DACL */
|
/* Initialize the DACL */
|
||||||
RtlCreateAcl(Dacl, AclLength, ACL_REVISION);
|
RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
|
||||||
|
|
||||||
/* Add the ACEs */
|
/* Add the ACEs */
|
||||||
RtlAddAccessAllowedAce(Dacl,
|
RtlAddAccessAllowedAce(Dacl,
|
||||||
|
|
@ -100,33 +105,25 @@ ObpCreateGlobalDosDevicesSD(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
|
||||||
SeCreatorOwnerSid);
|
SeCreatorOwnerSid);
|
||||||
|
|
||||||
/* Attach the DACL to the SD */
|
/* Attach the DACL to the SD */
|
||||||
Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor,
|
Status = RtlSetDaclSecurityDescriptor(Sd,
|
||||||
TRUE,
|
TRUE,
|
||||||
Dacl,
|
Dacl,
|
||||||
FALSE);
|
FALSE);
|
||||||
|
if (!NT_SUCCESS(Status))
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
*SecurityDescriptor = Sd;
|
||||||
|
|
||||||
|
done:
|
||||||
|
if (!NT_SUCCESS(Status))
|
||||||
|
{
|
||||||
|
if (Sd != NULL)
|
||||||
|
ExFreePoolWithTag(Sd, TAG_SD);
|
||||||
|
}
|
||||||
|
|
||||||
return Status;
|
return Status;
|
||||||
}
|
}
|
||||||
|
|
||||||
VOID
|
|
||||||
NTAPI
|
|
||||||
INIT_FUNCTION
|
|
||||||
ObpFreeGlobalDosDevicesSD(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
|
|
||||||
{
|
|
||||||
PACL Dacl = NULL;
|
|
||||||
BOOLEAN DaclPresent, Defaulted;
|
|
||||||
NTSTATUS Status;
|
|
||||||
|
|
||||||
Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
|
|
||||||
&DaclPresent,
|
|
||||||
&Dacl,
|
|
||||||
&Defaulted);
|
|
||||||
if (NT_SUCCESS(Status) && Dacl != NULL)
|
|
||||||
{
|
|
||||||
ExFreePoolWithTag(Dacl, TAG_OB_DIR_SD);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
NTAPI
|
NTAPI
|
||||||
INIT_FUNCTION
|
INIT_FUNCTION
|
||||||
|
|
@ -135,7 +132,7 @@ ObpCreateDosDevicesDirectory(VOID)
|
||||||
OBJECT_ATTRIBUTES ObjectAttributes;
|
OBJECT_ATTRIBUTES ObjectAttributes;
|
||||||
UNICODE_STRING RootName, TargetName, LinkName;
|
UNICODE_STRING RootName, TargetName, LinkName;
|
||||||
HANDLE Handle, SymHandle;
|
HANDLE Handle, SymHandle;
|
||||||
SECURITY_DESCRIPTOR DosDevicesSD;
|
PSECURITY_DESCRIPTOR DosDevicesSD = NULL;
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
|
|
||||||
/* Create a custom security descriptor for the global DosDevices directory */
|
/* Create a custom security descriptor for the global DosDevices directory */
|
||||||
|
|
@ -149,11 +146,11 @@ ObpCreateDosDevicesDirectory(VOID)
|
||||||
&RootName,
|
&RootName,
|
||||||
OBJ_PERMANENT,
|
OBJ_PERMANENT,
|
||||||
NULL,
|
NULL,
|
||||||
&DosDevicesSD);
|
DosDevicesSD);
|
||||||
Status = NtCreateDirectoryObject(&Handle,
|
Status = NtCreateDirectoryObject(&Handle,
|
||||||
DIRECTORY_ALL_ACCESS,
|
DIRECTORY_ALL_ACCESS,
|
||||||
&ObjectAttributes);
|
&ObjectAttributes);
|
||||||
ObpFreeGlobalDosDevicesSD(&DosDevicesSD);
|
ExFreePoolWithTag(DosDevicesSD, TAG_SD);
|
||||||
if (!NT_SUCCESS(Status)) return Status;
|
if (!NT_SUCCESS(Status)) return Status;
|
||||||
|
|
||||||
/*********************************************\
|
/*********************************************\
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue