mirror of
https://github.com/reactos/reactos.git
synced 2025-04-22 05:00:27 +00:00
[NTOS:SE]
- In SepPropagateAcl, gracefully handle unknown ACE types by simply copying them. CORE-10694 #resolve svn path=/trunk/; revision=71296
This commit is contained in:
Thomas Faber
parent
d9217570cb
commit
c2cc2ba3be
4 changed files with 138 additions and 2 deletions
|
|
@ -462,10 +462,27 @@ SepPropagateAcl(
|
|||
AceDest = (PACCESS_ALLOWED_ACE)CurrentDest;
|
||||
AceSource = (PACCESS_ALLOWED_ACE)CurrentSource;
|
||||
|
||||
if (AceSource->Header.AceType > ACCESS_MAX_MS_V2_ACE_TYPE)
|
||||
{
|
||||
/* FIXME: handle object & compound ACEs */
|
||||
AceSize = AceSource->Header.AceSize;
|
||||
|
||||
if (*AclLength >= Written + AceSize)
|
||||
{
|
||||
RtlCopyMemory(AceDest, AceSource, AceSize);
|
||||
}
|
||||
CurrentDest += AceSize;
|
||||
CurrentSource += AceSize;
|
||||
Written += AceSize;
|
||||
AceCount++;
|
||||
continue;
|
||||
}
|
||||
|
||||
/* These all have the same structure */
|
||||
ASSERT(AceSource->Header.AceType == ACCESS_ALLOWED_ACE_TYPE ||
|
||||
AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE ||
|
||||
AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE);
|
||||
AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE ||
|
||||
AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE ||
|
||||
AceSource->Header.AceType == SYSTEM_ALARM_ACE_TYPE);
|
||||
|
||||
ASSERT(AceSource->Header.AceSize % sizeof(ULONG) == 0);
|
||||
ASSERT(AceSource->Header.AceSize >= sizeof(*AceSource));
|
||||
|
|
|
|||
|
|
@ -49,6 +49,42 @@ RtlxAddAuditAccessAceEx(
|
|||
return Status;
|
||||
}
|
||||
|
||||
NTSTATUS
|
||||
RtlxAddMandatoryLabelAceEx(
|
||||
_Inout_ PACL Acl,
|
||||
_In_ ULONG Revision,
|
||||
_In_ ULONG Flags,
|
||||
_In_ ACCESS_MASK AccessMask,
|
||||
_In_ PSID Sid)
|
||||
{
|
||||
NTSTATUS Status;
|
||||
USHORT AceSize;
|
||||
PSYSTEM_MANDATORY_LABEL_ACE Ace;
|
||||
|
||||
AceSize = FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + RtlLengthSid(Sid);
|
||||
Ace = ExAllocatePoolWithTag(PagedPool, AceSize, 'cAmK');
|
||||
if (!Ace)
|
||||
return STATUS_INSUFFICIENT_RESOURCES;
|
||||
Ace->Header.AceType = SYSTEM_MANDATORY_LABEL_ACE_TYPE;
|
||||
Ace->Header.AceFlags = Flags;
|
||||
Ace->Header.AceSize = AceSize;
|
||||
Ace->Mask = AccessMask;
|
||||
Status = RtlCopySid(AceSize - FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart),
|
||||
(PSID)&Ace->SidStart,
|
||||
Sid);
|
||||
ASSERT(NT_SUCCESS(Status));
|
||||
if (NT_SUCCESS(Status))
|
||||
{
|
||||
Status = RtlAddAce(Acl,
|
||||
Revision,
|
||||
MAXULONG,
|
||||
Ace,
|
||||
AceSize);
|
||||
}
|
||||
ExFreePoolWithTag(Ace, 'cAmK');
|
||||
return Status;
|
||||
}
|
||||
|
||||
VOID
|
||||
CheckSid__(
|
||||
_In_ PSID Sid,
|
||||
|
|
|
|||
|
|
@ -780,6 +780,81 @@ TestSeAssignSecurity(
|
|||
EndTestAssign()
|
||||
}
|
||||
|
||||
/* ACE type that Win2003 doesn't know about (> ACCESS_MAX_MS_ACE_TYPE) */
|
||||
for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
|
||||
{
|
||||
Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
|
||||
ok_eq_hex(Status, STATUS_SUCCESS);
|
||||
Status = RtlxAddMandatoryLabelAceEx(Acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SeExports->SeWorldSid);
|
||||
ok_eq_hex(Status, STATUS_SUCCESS);
|
||||
Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
|
||||
TRUE,
|
||||
Acl,
|
||||
BooleanFlagOn(UsingDefault, 1));
|
||||
ok_eq_hex(Status, STATUS_SUCCESS);
|
||||
Status = RtlSetSaclSecurityDescriptor(&ExplicitDescriptor,
|
||||
TRUE,
|
||||
Acl,
|
||||
BooleanFlagOn(UsingDefault, 2));
|
||||
ok_eq_hex(Status, STATUS_SUCCESS);
|
||||
|
||||
TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE)
|
||||
TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE)
|
||||
StartTestAssign(NULL, &ExplicitDescriptor, FALSE, TRUE, TRUE)
|
||||
ok_eq_uint(DaclDefaulted, FALSE);
|
||||
CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
|
||||
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005);
|
||||
ok_eq_uint(SaclDefaulted, FALSE);
|
||||
CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, SeExports->SeWorldSid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
|
||||
ok_eq_uint(OwnerDefaulted, FALSE);
|
||||
CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
|
||||
ok_eq_uint(GroupDefaulted, FALSE);
|
||||
CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
|
||||
EndTestAssign()
|
||||
}
|
||||
|
||||
for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
|
||||
{
|
||||
Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
|
||||
ok_eq_hex(Status, STATUS_SUCCESS);
|
||||
Status = RtlxAddMandatoryLabelAceEx(Acl, ACL_REVISION, OBJECT_INHERIT_ACE, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SeExports->SeCreatorOwnerSid);
|
||||
ok_eq_hex(Status, STATUS_SUCCESS);
|
||||
Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
|
||||
TRUE,
|
||||
Acl,
|
||||
BooleanFlagOn(UsingDefault, 1));
|
||||
ok_eq_hex(Status, STATUS_SUCCESS);
|
||||
Status = RtlSetSaclSecurityDescriptor(&ExplicitDescriptor,
|
||||
TRUE,
|
||||
Acl,
|
||||
BooleanFlagOn(UsingDefault, 2));
|
||||
ok_eq_hex(Status, STATUS_SUCCESS);
|
||||
|
||||
StartTestAssign(&ParentDescriptor, NULL, FALSE, TRUE, TRUE)
|
||||
ok_eq_uint(DaclDefaulted, FALSE);
|
||||
CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
|
||||
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005);
|
||||
ok_eq_uint(SaclDefaulted, FALSE);
|
||||
CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
|
||||
ok_eq_uint(OwnerDefaulted, FALSE);
|
||||
CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
|
||||
ok_eq_uint(GroupDefaulted, FALSE);
|
||||
CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
|
||||
EndTestAssign()
|
||||
StartTestAssign(NULL, &ExplicitDescriptor, FALSE, TRUE, TRUE)
|
||||
ok_eq_uint(DaclDefaulted, FALSE);
|
||||
CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
|
||||
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005);
|
||||
ok_eq_uint(SaclDefaulted, FALSE);
|
||||
CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
|
||||
ok_eq_uint(OwnerDefaulted, FALSE);
|
||||
CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
|
||||
ok_eq_uint(GroupDefaulted, FALSE);
|
||||
CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
|
||||
EndTestAssign()
|
||||
}
|
||||
|
||||
/* TODO: Test object/compound ACEs */
|
||||
/* TODO: Test duplicate ACEs */
|
||||
/* TODO: Test INHERITED_ACE flag */
|
||||
/* TODO: Test invalid ACE flags */
|
||||
|
|
|
|||
|
|
@ -33,6 +33,14 @@ RtlxAddAuditAccessAceEx(
|
|||
_In_ BOOLEAN Success,
|
||||
_In_ BOOLEAN Failure);
|
||||
|
||||
NTSTATUS
|
||||
RtlxAddMandatoryLabelAceEx(
|
||||
_Inout_ PACL Acl,
|
||||
_In_ ULONG Revision,
|
||||
_In_ ULONG Flags,
|
||||
_In_ ACCESS_MASK AccessMask,
|
||||
_In_ PSID Sid);
|
||||
|
||||
#define NO_SIZE ((ULONG)-1)
|
||||
|
||||
#define CheckSid(Sid, SidSize, ExpectedSid) CheckSid_(Sid, SidSize, ExpectedSid, __FILE__, __LINE__)
|
||||
|
|
|
|||
Loading…
Reference in a new issue