[NTOS:SE] Implement access security checks by type

Browse source

- Implement SepDenyAccessObjectTypeResultList, SepAllowAccessObjectTypeResultList,
SepDenyAccessObjectTypeList and SepAllowAccessObjectTypeList. These routines will
be used to grant or deny access to sub-objects of an object in the list.

- Refactor SepAnalyzeAcesFromDacl and SepAccessCheck to accomodate the newly
implemented access check by type mechanism.

- SepAccessCheck will now be SepAccessCheckWorker, a worker helper function that further
abstracts the access check mechanism in the kernel. Whereas the SepAccessCheck name will be
used as a centralized function used by the access check NT system calls.

- Deprecate SepGetSDOwner and SepGetSDGroup in favor of SepGetOwnerFromDescriptor and
SepGetGroupFromDescriptor. The former functions were buggy as they might potentially
return garbage data if either the owner or group were passed as NULL to a security
descriptor, hence a second chance exception fault. This was caught when writing tests
for NtAccessCheckByType.

- Shorten the debug prints by removing the name of the functions, the person who reads
the debugger output has to look at the source code anyway.

...

This commit is contained in:

George Bișoc 2023-06-21 17:55:19 +02:00 committed by unknown

parent e38f4c2b36

commit a42f642ea1

No known key found for this signature in database

GPG key ID: 688C4FBE25D7DEF6

1 changed files with 1381 additions and 491 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Show stats Download patch file Download diff file Expand all files Collapse all files

1872

ntoskrnl/se/accesschk.c

View file

File diff suppressed because it is too large Load diff