Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-06-29 01:12:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Enable old access check code until the bug that keeps the device installer from working has been fixed.

Browse source 
svn path=/trunk/; revision=46811
This commit is contained in:
Eric Kohl 2010-04-10 11:44:57 +00:00
parent 109f0d331a
commit c1a9403d49
1 changed files with 51 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
reactos/ntoskrnl/se/semgr.c
View file

@ -377,6 +377,9 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
}
}
#define OLD_ACCESS_CHECK
BOOLEAN NTAPI
SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
@ -389,6 +392,9 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
OUT PNTSTATUS AccessStatus)
{
LUID_AND_ATTRIBUTES Privilege;
#ifdef OLD_ACCESS_CHECK
ACCESS_MASK CurrentAccess, AccessMask;
#endif
ACCESS_MASK RemainingAccess;
ACCESS_MASK TempAccess;
ACCESS_MASK TempGrantedAccess = 0;
@ -426,6 +432,9 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
if (PreviouslyGrantedAccess)
RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
#ifdef OLD_ACCESS_CHECK
CurrentAccess = PreviouslyGrantedAccess;
#endif
/* Initialize remaining access rights */
RemainingAccess = DesiredAccess;
@ -490,6 +499,10 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
return TRUE;
}
#ifdef OLD_ACCESS_CHECK
CurrentAccess = PreviouslyGrantedAccess;
#endif
/* RULE 2: Check token for 'take ownership' privilege */
if (DesiredAccess & WRITE_OWNER)
{
@ -505,6 +518,9 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
/* Adjust access rights */
RemainingAccess &= ~WRITE_OWNER;
PreviouslyGrantedAccess |= WRITE_OWNER;
#ifdef OLD_ACCESS_CHECK
CurrentAccess |= WRITE_OWNER;
#endif
/* Succeed if there are no more rights to grant */
if (RemainingAccess == 0)
@ -618,6 +634,11 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
{
if (SepSidInToken(Token, Sid))
{
#ifdef OLD_ACCESS_CHECK
*GrantedAccess = 0;
*AccessStatus = STATUS_ACCESS_DENIED;
return FALSE;
#else
/* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping);
@ -625,18 +646,25 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
/* Leave if a remaining right must be denied */
if (RemainingAccess & TempAccess)
break;
#endif
}
}
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{
if (SepSidInToken(Token, Sid))
{
#ifdef OLD_ACCESS_CHECK
AccessMask = CurrentAce->AccessMask;
RtlMapGenericMask(&AccessMask, GenericMapping);
CurrentAccess |= AccessMask;
#else
/* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping);
/* Remove granted rights */
RemainingAccess &= ~TempAccess;
#endif
}
}
else
@ -649,6 +677,28 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
}
#ifdef OLD_ACCESS_CHECK
DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
CurrentAccess, DesiredAccess);
*GrantedAccess = CurrentAccess & DesiredAccess;
if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) ==
(DesiredAccess & ~VALID_INHERIT_FLAGS))
{
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
else
{
DPRINT1("HACK: Should deny access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p).\n",
*GrantedAccess, DesiredAccess, GenericMapping);
//*AccessStatus = STATUS_ACCESS_DENIED;
//return FALSE;
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
#else
DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess %08lx\n",
DesiredAccess, PreviouslyGrantedAccess, RemainingAccess);
@ -674,6 +724,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
*AccessStatus = STATUS_SUCCESS;
return TRUE;
#endif
}
static PSID