[NTOSKRNL]

Implement SeFastTraverseCheck(). For more information, see: - http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx - http://msdn.microsoft.com/en-us/library/windows/desktop/aa446683(v=vs.85).aspx svn path=/trunk/; revision=58230
2025-02-25 01:39:30 +00:00 · 2013-01-26 19:33:54 +00:00 · 2013-01-26 19:33:54 +00:00 · e6f8602d9d
commit e6f8602d9d
parent 073f350f87
2 changed files with 74 additions and 0 deletions
--- a/reactos/ntoskrnl/include/internal/se.h
+++ b/reactos/ntoskrnl/include/internal/se.h
@ -490,6 +490,13 @@ VOID NTAPI
 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                        OUT PACCESS_MASK DesiredAccess);

+BOOLEAN
+NTAPI
+SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                    IN PACCESS_STATE AccessState,
+                    IN ACCESS_MASK DesiredAccess,
+                    IN KPROCESSOR_MODE AccessMode);
+
 #endif

 /* EOF */
--- a/reactos/ntoskrnl/se/semgr.c
+++ b/reactos/ntoskrnl/se/semgr.c
@ -820,6 +820,73 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    return ret;
 }

+/*
+ * @implemented
+ */
+BOOLEAN
+NTAPI
+SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+                    IN PACCESS_STATE AccessState,
+                    IN ACCESS_MASK DesiredAccess,
+                    IN KPROCESSOR_MODE AccessMode)
+{
+    PACL Dacl;
+    ULONG AceIndex;
+    PKNOWN_ACE Ace;
+
+    PAGED_CODE();
+
+    NT_ASSERT(AccessMode != KernelMode);
+
+    if (SecurityDescriptor == NULL)
+        return FALSE;
+
+    /* Get DACL */
+    Dacl = SepGetDaclFromDescriptor(SecurityDescriptor);
+    /* If no DACL, grant access */
+    if (Dacl == NULL)
+        return TRUE;
+
+    /* No ACE -> Deny */
+    if (!Dacl->AceCount)
+        return FALSE;
+
+    /* Can't perform the check on restricted token */
+    if (AccessState->Flags & TOKEN_IS_RESTRICTED)
+        return FALSE;
+
+    /* Browse the ACEs */
+    for (AceIndex = 0, Ace = (PKNOWN_ACE)((ULONG_PTR)Dacl + sizeof(ACL));
+         AceIndex < Dacl->AceCount;
+         AceIndex++, Ace = (PKNOWN_ACE)((ULONG_PTR)Ace + Ace->Header.AceSize))
+    {
+        if (Ace->Header.AceFlags & INHERIT_ONLY_ACE)
+            continue;
+
+        /* If access-allowed ACE */
+        if (Ace->Header.AceType & ACCESS_ALLOWED_ACE_TYPE)
+        {
+            /* Check if all accesses are granted */
+            if (!(Ace->Mask & DesiredAccess))
+                continue;
+
+            /* Check SID and grant access if matching */
+            if (RtlEqualSid(SeWorldSid, &(Ace->SidStart)))
+                return TRUE;
+        }
+        /* If access-denied ACE */
+        else if (Ace->Header.AceType & ACCESS_DENIED_ACE_TYPE)
+        {
+            /* Here, only check if it denies all the access wanted and deny if so */
+            if (Ace->Mask & DesiredAccess)
+                return FALSE;
+        }
+    }
+
+    /* Faulty, deny */
+    return FALSE;
+}
+
 /* SYSTEM CALLS ***************************************************************/

 /*