[NTOSKRNL]
- Move kernel-mode check around, so we won't run it twice when calling NtAccessCheck.
- Fix a wrong check for security descriptors with a NULL-DACL.

svn path=/trunk/; revision=46602
parent
4c530b8f2a
commit
e3949430d7
|
@ -377,28 +377,6 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
NTSTATUS Status;
|
||||
PAGED_CODE();
|
||||
|
||||
/* Check if this is kernel mode */
|
||||
if (AccessMode == KernelMode)
|
||||
{
|
||||
/* Check if kernel wants everything */
|
||||
if (DesiredAccess & MAXIMUM_ALLOWED)
|
||||
{
|
||||
/* Give it */
|
||||
*GrantedAccess = GenericMapping->GenericAll;
|
||||
*GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
|
||||
*GrantedAccess |= PreviouslyGrantedAccess;
|
||||
}
|
||||
else
|
||||
{
|
||||
/* Give the desired and previous access */
|
||||
*GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
|
||||
}
|
||||
|
||||
/* Success */
|
||||
*AccessStatus = STATUS_SUCCESS;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/* Check if we didn't get an SD */
|
||||
if (!SecurityDescriptor)
|
||||
{
|
||||
|
@ -467,7 +445,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
}
|
||||
|
||||
/* RULE 1: Grant desired access if the object is unprotected */
|
||||
if (Present == TRUE && Dacl == NULL)
|
||||
if (Present == FALSE || Dacl == NULL)
|
||||
{
|
||||
if (SubjectContextLocked == FALSE)
|
||||
{
|
||||
|
@ -678,6 +656,30 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|||
OUT PACCESS_MASK GrantedAccess,
|
||||
OUT PNTSTATUS AccessStatus)
|
||||
{
|
||||
PAGED_CODE();
|
||||
|
||||
/* Check if this is kernel mode */
|
||||
if (AccessMode == KernelMode)
|
||||
{
|
||||
/* Check if kernel wants everything */
|
||||
if (DesiredAccess & MAXIMUM_ALLOWED)
|
||||
{
|
||||
/* Give it */
|
||||
*GrantedAccess = GenericMapping->GenericAll;
|
||||
*GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
|
||||
*GrantedAccess |= PreviouslyGrantedAccess;
|
||||
}
|
||||
else
|
||||
{
|
||||
/* Give the desired and previous access */
|
||||
*GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
|
||||
}
|
||||
|
||||
/* Success */
|
||||
*AccessStatus = STATUS_SUCCESS;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/* Call the internal function */
|
||||
return SepAccessCheck(SecurityDescriptor,
|
||||
SubjectSecurityContext,
|
||||
|
|
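Review bot: The RULE 1 branch in SepAccessCheck is a fail-open path, and its one-line comment does not say which descriptor states reach it now that the condition reads `if (Present == FALSE || Dacl == NULL)` (taken as the new side, which matches the commit message). I would spell it out, e.g. `/* RULE 1: no DACL present, or a present but NULL DACL, leaves the object unprotected; an empty non-NULL DACL must not reach this branch */`, so the difference between a NULL DACL and an empty one is not lost in a later edit. The `||` order also matters if `Dacl` is only meaningful when `Present` is set, which is worth a word in the same comment; how `Present` and `Dacl` are obtained is outside the hunk, so this is inferred. In the block moved into SeAccessCheck, `GenericMapping->GenericAll` is read for KernelMode callers asking for MAXIMUM_ALLOWED with no NULL check visible in the hunk, and any caller that reaches SepAccessCheck directly with KernelMode now goes through the full check instead of the shortcut, which is presumably intended but worth confirming against the callers. Both function bodies continue outside the hunks shown.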