Implemented AddMandatoryAce

svn path=/trunk/; revision=24526
2024-10-04 16:36:11 +00:00 · 2006-10-15 16:52:25 +00:00 · 2006-10-15 16:52:25 +00:00 · ef9ac412e7
parent 0414f87d02
commit ef9ac412e7
6 changed files with 97 additions and 1 deletions
--- a/reactos/dll/ntdll/def/ntdll.def
+++ b/reactos/dll/ntdll/def/ntdll.def
@ -314,6 +314,7 @@ RtlAddAuditAccessAce@24
 RtlAddAuditAccessAceEx@28
 RtlAddAuditAccessObjectAce@36
 ;RtlAddCompoundAce
+RtlAddMandatoryAce@24
 RtlAddRange@36
 RtlAddVectoredExceptionHandler@8
 RtlAdjustPrivilege@16
--- a/reactos/dll/win32/advapi32/advapi32.def
+++ b/reactos/dll/win32/advapi32/advapi32.def
@ -32,6 +32,7 @@ AddAce@20
 AddAuditAccessAce@24
 AddAuditAccessAceEx@28
 AddAuditAccessObjectAce@36
+AddMandatoryAce@20
 AddUsersToEncryptedFile@8
 AdjustTokenGroups@24
 AdjustTokenPrivileges@24
--- a/reactos/dll/win32/advapi32/sec/ac.c
+++ b/reactos/dll/win32/advapi32/sec/ac.c
@ -416,6 +416,35 @@ AddAuditAccessObjectAce(
 }


+/*
+ * @implemented
+ */
+BOOL
+WINAPI
+AddMandatoryAce(IN OUT PACL pAcl,
+                IN DWORD dwAceRevision,
+                IN DWORD AceFlags,
+                IN DWORD MandatoryPolicy,
+                IN PSID pLabelSid)
+{
+    NTSTATUS Status;
+
+    Status = RtlAddMandatoryAce(pAcl,
+                                dwAceRevision,
+                                AceFlags,
+                                MandatoryPolicy,
+                                SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+                                pLabelSid);
+    if (!NT_SUCCESS(Status))
+    {
+        SetLastError(RtlNtStatusToDosError(Status));
+        return FALSE;
+    }
+
+    return TRUE;
+}
+
+
 /*
 * @implemented
 */
--- a/reactos/include/ndk/rtlfuncs.h
+++ b/reactos/include/ndk/rtlfuncs.h
@ -759,6 +759,17 @@ RtlAddAuditAccessObjectAce(
    IN BOOLEAN Failure
 );

+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAddMandatoryAce(
+    IN OUT PACL Acl,
+    IN ULONG Revision,
+    IN ULONG Flags,
+    IN ULONG MandatoryFlags,
+    IN ULONG AceType,
+    IN PSID LabelSid);
+
 NTSYSAPI
 NTSTATUS
 NTAPI
--- a/reactos/include/psdk/winnt.h
+++ b/reactos/include/psdk/winnt.h
@ -572,6 +572,8 @@ typedef DWORD FLONG;
 #define DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS     0x00000231L
 #define DOMAIN_ALIAS_RID_DCOM_USERS             0x00000232L

+#define SECURITY_MANDATORY_LABEL_AUTHORITY  {0,0,0,0,0,16}
+
 typedef enum
 {
    WinNullSid = 0,
@ -1622,7 +1624,8 @@ typedef struct _GUID {
 #define SYSTEM_ALARM_CALLBACK_ACE_TYPE          (0xE)
 #define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE   (0xF)
 #define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE   (0x10)
-#define ACCESS_MAX_MS_V5_ACE_TYPE               (0x10)
+#define SYSTEM_MANDATORY_LABEL_ACE_TYPE         (0x11)
+#define ACCESS_MAX_MS_V5_ACE_TYPE               (0x11)
 /* end ntifs.h */
 typedef struct _GENERIC_MAPPING {
 	ACCESS_MASK GenericRead;
@ -1659,6 +1662,15 @@ typedef struct _SYSTEM_ALARM_ACE {
 	ACCESS_MASK Mask;
 	DWORD SidStart;
 } SYSTEM_ALARM_ACE,*PSYSTEM_ALARM_ACE;
+typedef struct _SYSTEM_MANDATORY_LABEL_ACE {
+	ACE_HEADER Header;
+	ACCESS_MASK Mask;
+	DWORD SidStart;
+} SYSTEM_MANDATORY_LABEL_ACE, *PSYSTEM_MANDATORY_LABEL_ACE;
+#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP  0x1
+#define SYSTEM_MANDATORY_LABEL_NO_READ_UP   0x2
+#define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP    0x4
+#define SYSTEM_MANDATORY_LABEL_VALID_MASK (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)
 typedef struct _ACCESS_ALLOWED_OBJECT_ACE {
 	ACE_HEADER Header;
 	ACCESS_MASK Mask;
--- a/reactos/lib/rtl/acl.c
+++ b/reactos/lib/rtl/acl.c
@ -141,6 +141,20 @@ RtlpAddKnownAce (PACL Acl,
   {
      return(STATUS_INVALID_SID);
   }
+
+   if (Type == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+   {
+       static const SID_IDENTIFIER_AUTHORITY MandatoryLabelAuthority = {SECURITY_MANDATORY_LABEL_AUTHORITY};
+
+       /* The SID's identifier authority must be SECURITY_MANDATORY_LABEL_AUTHORITY! */
+       if (RtlCompareMemory(&((PISID)Sid)->IdentifierAuthority,
+                            &MandatoryLabelAuthority,
+                            sizeof(MandatoryLabelAuthority)) != sizeof(MandatoryLabelAuthority))
+       {
+           return STATUS_INVALID_PARAMETER;
+       }
+   }
+
   if (Acl->AclRevision > MAX_ACL_REVISION ||
       Revision > MAX_ACL_REVISION)
   {
@ -605,6 +619,34 @@ RtlAddAuditAccessObjectAce(PACL Acl,
 }


+/*
+ * @implemented
+ */
+NTSTATUS NTAPI
+RtlAddMandatoryAce(IN OUT PACL Acl,
+                   IN ULONG Revision,
+                   IN ULONG Flags,
+                   IN ULONG MandatoryFlags,
+                   IN ULONG AceType,
+                   IN PSID LabelSid)
+{
+    if (MandatoryFlags & ~SYSTEM_MANDATORY_LABEL_VALID_MASK)
+        return STATUS_INVALID_PARAMETER;
+
+    if (AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+        return STATUS_INVALID_PARAMETER;
+
+    return RtlpAddKnownAce (Acl,
+                            Revision,
+                            Flags,
+                            (ACCESS_MASK)MandatoryFlags,
+                            NULL,
+                            NULL,
+                            LabelSid,
+                            AceType);
+}
+
+
 static VOID
 RtlpDeleteData(PVOID Ace,
               ULONG AceSize,