Enable old access check code until the bug that keeps the device installer from working has been fixed.

svn path=/trunk/; revision=46811
Eric Kohl 2010-04-10 11:44:57 +00:00
parent 109f0d331a
commit c1a9403d49


@ -377,6 +377,9 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
} }
} }
#define OLD_ACCESS_CHECK
BOOLEAN NTAPI BOOLEAN NTAPI
SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
@ -389,6 +392,9 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
OUT PNTSTATUS AccessStatus) OUT PNTSTATUS AccessStatus)
{ {
LUID_AND_ATTRIBUTES Privilege; LUID_AND_ATTRIBUTES Privilege;
#ifdef OLD_ACCESS_CHECK
ACCESS_MASK CurrentAccess, AccessMask;
#endif
ACCESS_MASK RemainingAccess; ACCESS_MASK RemainingAccess;
ACCESS_MASK TempAccess; ACCESS_MASK TempAccess;
ACCESS_MASK TempGrantedAccess = 0; ACCESS_MASK TempGrantedAccess = 0;
@ -426,6 +432,9 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
if (PreviouslyGrantedAccess) if (PreviouslyGrantedAccess)
RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping); RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
#ifdef OLD_ACCESS_CHECK
CurrentAccess = PreviouslyGrantedAccess;
#endif
/* Initialize remaining access rights */ /* Initialize remaining access rights */
RemainingAccess = DesiredAccess; RemainingAccess = DesiredAccess;
@ -490,6 +499,10 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
return TRUE; return TRUE;
} }
#ifdef OLD_ACCESS_CHECK
CurrentAccess = PreviouslyGrantedAccess;
#endif
/* RULE 2: Check token for 'take ownership' privilege */ /* RULE 2: Check token for 'take ownership' privilege */
if (DesiredAccess & WRITE_OWNER) if (DesiredAccess & WRITE_OWNER)
{ {
@ -505,6 +518,9 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
/* Adjust access rights */ /* Adjust access rights */
RemainingAccess &= ~WRITE_OWNER; RemainingAccess &= ~WRITE_OWNER;
PreviouslyGrantedAccess |= WRITE_OWNER; PreviouslyGrantedAccess |= WRITE_OWNER;
#ifdef OLD_ACCESS_CHECK
CurrentAccess |= WRITE_OWNER;
#endif
/* Succeed if there are no more rights to grant */ /* Succeed if there are no more rights to grant */
if (RemainingAccess == 0) if (RemainingAccess == 0)
@ -618,6 +634,11 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
{ {
if (SepSidInToken(Token, Sid)) if (SepSidInToken(Token, Sid))
{ {
#ifdef OLD_ACCESS_CHECK
*GrantedAccess = 0;
*AccessStatus = STATUS_ACCESS_DENIED;
return FALSE;
#else
/* Map access rights from the ACE */ /* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask; TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping); RtlMapGenericMask(&TempAccess, GenericMapping);
@ -625,18 +646,25 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
/* Leave if a remaining right must be denied */ /* Leave if a remaining right must be denied */
if (RemainingAccess & TempAccess) if (RemainingAccess & TempAccess)
break; break;
#endif
} }
} }
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{ {
if (SepSidInToken(Token, Sid)) if (SepSidInToken(Token, Sid))
{ {
#ifdef OLD_ACCESS_CHECK
AccessMask = CurrentAce->AccessMask;
RtlMapGenericMask(&AccessMask, GenericMapping);
CurrentAccess |= AccessMask;
#else
/* Map access rights from the ACE */ /* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask; TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping); RtlMapGenericMask(&TempAccess, GenericMapping);
/* Remove granted rights */ /* Remove granted rights */
RemainingAccess &= ~TempAccess; RemainingAccess &= ~TempAccess;
#endif
} }
} }
else else
@ -649,6 +677,28 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize); CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
} }
#ifdef OLD_ACCESS_CHECK
DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
CurrentAccess, DesiredAccess);
*GrantedAccess = CurrentAccess & DesiredAccess;
if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) ==
(DesiredAccess & ~VALID_INHERIT_FLAGS))
{
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
else
{
DPRINT1("HACK: Should deny access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p).\n",
*GrantedAccess, DesiredAccess, GenericMapping);
//*AccessStatus = STATUS_ACCESS_DENIED;
//return FALSE;
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
#else
DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess %08lx\n", DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess %08lx\n",
DesiredAccess, PreviouslyGrantedAccess, RemainingAccess); DesiredAccess, PreviouslyGrantedAccess, RemainingAccess);
@ -674,6 +724,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
*AccessStatus = STATUS_SUCCESS; *AccessStatus = STATUS_SUCCESS;
return TRUE; return TRUE;
#endif
} }
static PSID static PSID
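Review bot: With `OLD_ACCESS_CHECK` defined, the final `else` branch after the ACE loop prints "HACK: Should deny access" and then sets `*AccessStatus = STATUS_SUCCESS` and returns TRUE, so SepAccessCheck reports success even when `*GrantedAccess` does not cover every right in DesiredAccess. That makes the central access check fail open, and because the `#define` is unconditional in the source file it applies to every build rather than only to the device-installer case named in the commit message. If the workaround has to go in, mark it at the define with something like `/* FIXME: fail-open workaround for the device installer; remove with <tracking bug id> */` and restore the commented-out `*AccessStatus = STATUS_ACCESS_DENIED;` and `return FALSE;` when it is removed. The old branch in the hunk at -618 (apparently the access-denied ACE case) also returns FALSE for any matching SID without comparing the ACE's mask against the requested rights, which is a behavioural difference from the new path and worth recording in the same comment. The function body starts and ends outside the individual hunks, so callers that rely on the returned TRUE without re-checking `*GrantedAccess` could not be verified from this page.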