[NTOSKRNL]

Implement SeFastTraverseCheck(). For more information, see: - aa374872(v=vs.85).aspx - aa446683(v=vs.85).aspx svn path=/trunk/; revision=58230
2025-08-05 19:52:56 +00:00 · 2013-01-26 19:33:54 +00:00 · 2013-01-26 19:33:54 +00:00 · e6f8602d9d
commit e6f8602d9d
parent 073f350f87
2 changed files with 74 additions and 0 deletions
--- a/reactos/ntoskrnl/include/internal/se.h
+++ b/reactos/ntoskrnl/include/internal/se.h
@ -490,6 +490,13 @@ VOID NTAPI
 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                        OUT PACCESS_MASK DesiredAccess);
 BOOLEAN
 NTAPI
 SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                    IN PACCESS_STATE AccessState,
                    IN ACCESS_MASK DesiredAccess,
                    IN KPROCESSOR_MODE AccessMode);
 #endif
 /* EOF */
--- a/reactos/ntoskrnl/se/semgr.c
+++ b/reactos/ntoskrnl/se/semgr.c
@ -820,6 +820,73 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    return ret;
 }
 /*
 * @implemented
 */
 BOOLEAN
 NTAPI
 SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                    IN PACCESS_STATE AccessState,
                    IN ACCESS_MASK DesiredAccess,
                    IN KPROCESSOR_MODE AccessMode)
 {
    PACL Dacl;
    ULONG AceIndex;
    PKNOWN_ACE Ace;
    PAGED_CODE();
    NT_ASSERT(AccessMode != KernelMode);
    if (SecurityDescriptor == NULL)
        return FALSE;
    /* Get DACL */
    Dacl = SepGetDaclFromDescriptor(SecurityDescriptor);
    /* If no DACL, grant access */
    if (Dacl == NULL)
        return TRUE;
    /* No ACE -> Deny */
    if (!Dacl->AceCount)
        return FALSE;
    /* Can't perform the check on restricted token */
    if (AccessState->Flags & TOKEN_IS_RESTRICTED)
        return FALSE;
    /* Browse the ACEs */
    for (AceIndex = 0, Ace = (PKNOWN_ACE)((ULONG_PTR)Dacl + sizeof(ACL));
         AceIndex < Dacl->AceCount;
         AceIndex++, Ace = (PKNOWN_ACE)((ULONG_PTR)Ace + Ace->Header.AceSize))
    {
        if (Ace->Header.AceFlags & INHERIT_ONLY_ACE)
            continue;
        /* If access-allowed ACE */
        if (Ace->Header.AceType & ACCESS_ALLOWED_ACE_TYPE)
        {
            /* Check if all accesses are granted */
            if (!(Ace->Mask & DesiredAccess))
                continue;
            /* Check SID and grant access if matching */
            if (RtlEqualSid(SeWorldSid, &(Ace->SidStart)))
                return TRUE;
        }
        /* If access-denied ACE */
        else if (Ace->Header.AceType & ACCESS_DENIED_ACE_TYPE)
        {
            /* Here, only check if it denies all the access wanted and deny if so */
            if (Ace->Mask & DesiredAccess)
                return FALSE;
        }
    }
    /* Faulty, deny */
    return FALSE;
 }
 /* SYSTEM CALLS ***************************************************************/
 /*