Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-04-22 13:10:39 +00:00
Code Issues Projects Releases Packages Wiki Activity

[NTOS:SE]

Browse source 
- In SepPropagateAcl, gracefully handle unknown ACE types by simply copying them.
CORE-10694 #resolve

svn path=/trunk/; revision=71296
This commit is contained in:
Thomas Faber 2016-05-09 08:49:18 +00:00
parent d9217570cb
commit c2cc2ba3be
4 changed files with 138 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
reactos/ntoskrnl/se/acl.c
View file

@ -462,10 +462,27 @@ SepPropagateAcl(
AceDest = (PACCESS_ALLOWED_ACE)CurrentDest; AceDest = (PACCESS_ALLOWED_ACE)CurrentDest;
AceSource = (PACCESS_ALLOWED_ACE)CurrentSource; AceSource = (PACCESS_ALLOWED_ACE)CurrentSource;
if (AceSource->Header.AceType > ACCESS_MAX_MS_V2_ACE_TYPE)
{
/* FIXME: handle object & compound ACEs */
AceSize = AceSource->Header.AceSize;
if (*AclLength >= Written + AceSize)
{
RtlCopyMemory(AceDest, AceSource, AceSize);
}
CurrentDest += AceSize;
CurrentSource += AceSize;
Written += AceSize;
AceCount++;
continue;
}
/* These all have the same structure */ /* These all have the same structure */
ASSERT(AceSource->Header.AceType == ACCESS_ALLOWED_ACE_TYPE || ASSERT(AceSource->Header.AceType == ACCESS_ALLOWED_ACE_TYPE ||
AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE || AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE ||
AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE); AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE ||
AceSource->Header.AceType == SYSTEM_ALARM_ACE_TYPE);
ASSERT(AceSource->Header.AceSize % sizeof(ULONG) == 0); ASSERT(AceSource->Header.AceSize % sizeof(ULONG) == 0);
ASSERT(AceSource->Header.AceSize >= sizeof(*AceSource)); ASSERT(AceSource->Header.AceSize >= sizeof(*AceSource));

36
rostests/kmtests/ntos_se/SeHelpers.c
View file

@ -49,6 +49,42 @@ RtlxAddAuditAccessAceEx(
return Status; return Status;
} }
NTSTATUS
RtlxAddMandatoryLabelAceEx(
_Inout_ PACL Acl,
_In_ ULONG Revision,
_In_ ULONG Flags,
_In_ ACCESS_MASK AccessMask,
_In_ PSID Sid)
{
NTSTATUS Status;
USHORT AceSize;
PSYSTEM_MANDATORY_LABEL_ACE Ace;
AceSize = FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + RtlLengthSid(Sid);
Ace = ExAllocatePoolWithTag(PagedPool, AceSize, 'cAmK');
if (!Ace)
return STATUS_INSUFFICIENT_RESOURCES;
Ace->Header.AceType = SYSTEM_MANDATORY_LABEL_ACE_TYPE;
Ace->Header.AceFlags = Flags;
Ace->Header.AceSize = AceSize;
Ace->Mask = AccessMask;
Status = RtlCopySid(AceSize - FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart),
(PSID)&Ace->SidStart,
Sid);
ASSERT(NT_SUCCESS(Status));
if (NT_SUCCESS(Status))
{
Status = RtlAddAce(Acl,
Revision,
MAXULONG,
Ace,
AceSize);
}
ExFreePoolWithTag(Ace, 'cAmK');
return Status;
}
VOID VOID
CheckSid__( CheckSid__(
_In_ PSID Sid, _In_ PSID Sid,

75
rostests/kmtests/ntos_se/SeInheritance.c
View file

@ -780,6 +780,81 @@ TestSeAssignSecurity(
EndTestAssign() EndTestAssign()
} }
/* ACE type that Win2003 doesn't know about (> ACCESS_MAX_MS_ACE_TYPE) */
for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
{
Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
ok_eq_hex(Status, STATUS_SUCCESS);
Status = RtlxAddMandatoryLabelAceEx(Acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SeExports->SeWorldSid);
ok_eq_hex(Status, STATUS_SUCCESS);
Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
TRUE,
Acl,
BooleanFlagOn(UsingDefault, 1));
ok_eq_hex(Status, STATUS_SUCCESS);
Status = RtlSetSaclSecurityDescriptor(&ExplicitDescriptor,
TRUE,
Acl,
BooleanFlagOn(UsingDefault, 2));
ok_eq_hex(Status, STATUS_SUCCESS);
TestAssignExpectDefault(&ParentDescriptor, NULL, FALSE)
TestAssignExpectDefault(&ParentDescriptor, NULL, TRUE)
StartTestAssign(NULL, &ExplicitDescriptor, FALSE, TRUE, TRUE)
ok_eq_uint(DaclDefaulted, FALSE);
CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005);
ok_eq_uint(SaclDefaulted, FALSE);
CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, SeExports->SeWorldSid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
ok_eq_uint(OwnerDefaulted, FALSE);
CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
ok_eq_uint(GroupDefaulted, FALSE);
CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
EndTestAssign()
}
for (UsingDefault = 0; UsingDefault <= 3; UsingDefault++)
{
Status = RtlCreateAcl(Acl, AclSize, ACL_REVISION);
ok_eq_hex(Status, STATUS_SUCCESS);
Status = RtlxAddMandatoryLabelAceEx(Acl, ACL_REVISION, OBJECT_INHERIT_ACE, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, SeExports->SeCreatorOwnerSid);
ok_eq_hex(Status, STATUS_SUCCESS);
Status = RtlSetSaclSecurityDescriptor(&ParentDescriptor,
TRUE,
Acl,
BooleanFlagOn(UsingDefault, 1));
ok_eq_hex(Status, STATUS_SUCCESS);
Status = RtlSetSaclSecurityDescriptor(&ExplicitDescriptor,
TRUE,
Acl,
BooleanFlagOn(UsingDefault, 2));
ok_eq_hex(Status, STATUS_SUCCESS);
StartTestAssign(&ParentDescriptor, NULL, FALSE, TRUE, TRUE)
ok_eq_uint(DaclDefaulted, FALSE);
CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005);
ok_eq_uint(SaclDefaulted, FALSE);
CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
ok_eq_uint(OwnerDefaulted, FALSE);
CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
ok_eq_uint(GroupDefaulted, FALSE);
CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
EndTestAssign()
StartTestAssign(NULL, &ExplicitDescriptor, FALSE, TRUE, TRUE)
ok_eq_uint(DaclDefaulted, FALSE);
CheckAcl(Dacl, 2, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, STANDARD_RIGHTS_ALL | 0x800F,
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, STANDARD_RIGHTS_READ | 0x0005);
ok_eq_uint(SaclDefaulted, FALSE);
CheckAcl(Sacl, 1, SYSTEM_MANDATORY_LABEL_ACE_TYPE, OBJECT_INHERIT_ACE, SeExports->SeCreatorOwnerSid, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP);
ok_eq_uint(OwnerDefaulted, FALSE);
CheckSid(Owner, NO_SIZE, Token->UserAndGroups[Token->DefaultOwnerIndex].Sid);
ok_eq_uint(GroupDefaulted, FALSE);
CheckSid(Group, NO_SIZE, Token->PrimaryGroup);
EndTestAssign()
}
/* TODO: Test object/compound ACEs */
/* TODO: Test duplicate ACEs */ /* TODO: Test duplicate ACEs */
/* TODO: Test INHERITED_ACE flag */ /* TODO: Test INHERITED_ACE flag */
/* TODO: Test invalid ACE flags */ /* TODO: Test invalid ACE flags */

8
rostests/kmtests/ntos_se/se.h
View file

@ -33,6 +33,14 @@ RtlxAddAuditAccessAceEx(
_In_ BOOLEAN Success, _In_ BOOLEAN Success,
_In_ BOOLEAN Failure); _In_ BOOLEAN Failure);
NTSTATUS
RtlxAddMandatoryLabelAceEx(
_Inout_ PACL Acl,
_In_ ULONG Revision,
_In_ ULONG Flags,
_In_ ACCESS_MASK AccessMask,
_In_ PSID Sid);
#define NO_SIZE ((ULONG)-1) #define NO_SIZE ((ULONG)-1)
#define CheckSid(Sid, SidSize, ExpectedSid) CheckSid_(Sid, SidSize, ExpectedSid, __FILE__, __LINE__) #define CheckSid(Sid, SidSize, ExpectedSid) CheckSid_(Sid, SidSize, ExpectedSid, __FILE__, __LINE__)