[NTOSKRNL]

- Move kernel-mode check around, so we won't run it twice when calling NtAccessCheck. - Fix a wrong check for security descriptors with a NULL-DACL. svn path=/trunk/; revision=46602
2024-06-29 01:12:06 +00:00 · 2010-03-30 17:01:23 +00:00 · 2010-03-30 17:01:23 +00:00 · e3949430d7
parent 4c530b8f2a
commit e3949430d7
1 changed files with 25 additions and 23 deletions
--- a/reactos/ntoskrnl/se/semgr.c
+++ b/reactos/ntoskrnl/se/semgr.c
@ -377,28 +377,6 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    NTSTATUS Status;
    PAGED_CODE();

-    /* Check if this is kernel mode */
-    if (AccessMode == KernelMode)
-    {
-        /* Check if kernel wants everything */
-        if (DesiredAccess & MAXIMUM_ALLOWED)
-        {
-            /* Give it */
-            *GrantedAccess = GenericMapping->GenericAll;
-            *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
-            *GrantedAccess |= PreviouslyGrantedAccess;
-        }
-        else
-        {
-            /* Give the desired and previous access */
-            *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
-        }
-
-        /* Success */
-        *AccessStatus = STATUS_SUCCESS;
-        return TRUE;
-    }
-
    /* Check if we didn't get an SD */
    if (!SecurityDescriptor)
    {
@ -467,7 +445,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    }

    /* RULE 1: Grant desired access if the object is unprotected */
-    if (Present == TRUE && Dacl == NULL)
+    if (Present == FALSE || Dacl == NULL)
    {
        if (SubjectContextLocked == FALSE)
        {
@ -678,6 +656,30 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
              OUT PACCESS_MASK GrantedAccess,
              OUT PNTSTATUS AccessStatus)
 {
+    PAGED_CODE();
+
+    /* Check if this is kernel mode */
+    if (AccessMode == KernelMode)
+    {
+        /* Check if kernel wants everything */
+        if (DesiredAccess & MAXIMUM_ALLOWED)
+        {
+            /* Give it */
+            *GrantedAccess = GenericMapping->GenericAll;
+            *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
+            *GrantedAccess |= PreviouslyGrantedAccess;
+        }
+        else
+        {
+            /* Give the desired and previous access */
+            *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
+        }
+
+        /* Success */
+        *AccessStatus = STATUS_SUCCESS;
+        return TRUE;
+    }
+
    /* Call the internal function */
    return SepAccessCheck(SecurityDescriptor,
                          SubjectSecurityContext,