- Cleanup AccessCheck, and set the correct last error in the case where the check succeeds but access is denied

- Cleanup NtAccessCheck, properly set desired access when previous mode is kernel, remove a duplicate check that is performed in SeAccessCheck, and don't fail with STATUS_ACCESS_DENIED when the check succeeds but denies access -- the result of the access check is returned in the 'AccessStatus' parameter

svn path=/trunk/; revision=38510

reactos/dll/win32/advapi32/token/token.c

@@ -135,19 +135,21 @@ SetTokenInformation(HANDLE TokenHandle,
 /*
  * @implemented
  */
-BOOL WINAPI
+BOOL
-AccessCheck(PSECURITY_DESCRIPTOR pSecurityDescriptor,
+WINAPI
-            HANDLE ClientToken,
+AccessCheck(IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
-            DWORD DesiredAccess,
+            IN HANDLE ClientToken,
-            PGENERIC_MAPPING GenericMapping,
+            IN DWORD DesiredAccess,
-            PPRIVILEGE_SET PrivilegeSet,
+            IN PGENERIC_MAPPING GenericMapping,
-            LPDWORD PrivilegeSetLength,
+            OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL,
-            LPDWORD GrantedAccess,
+            IN OUT LPDWORD PrivilegeSetLength,
-            LPBOOL AccessStatus)
+            OUT LPDWORD GrantedAccess,
+            OUT LPBOOL AccessStatus)
 {
     NTSTATUS Status;
-    NTSTATUS AccessStat;
+    NTSTATUS NtAccessStatus;
 
+    /* Do the access check */
     Status = NtAccessCheck(pSecurityDescriptor,
                            ClientToken,
                            DesiredAccess,
@@ -155,22 +157,30 @@ AccessCheck(PSECURITY_DESCRIPTOR pSecurityDescriptor,
                            PrivilegeSet,
                            (PULONG)PrivilegeSetLength,
                            (PACCESS_MASK)GrantedAccess,
-                           &AccessStat);
+                           &NtAccessStatus);
+
+    /* See if the access check operation succeeded */
     if (!NT_SUCCESS(Status))
     {
+        /* Check failed */
         SetLastError(RtlNtStatusToDosError(Status));
         return FALSE;
     }
 
-    if (!NT_SUCCESS(AccessStat))
+    /* Now check the access status  */
+    if (!NT_SUCCESS(NtAccessStatus))
     {
-        SetLastError(RtlNtStatusToDosError(Status));
+        /* Access denied */
+        SetLastError(RtlNtStatusToDosError(NtAccessStatus));
         *AccessStatus = FALSE;
-        return TRUE;
+    }
+    else
+    {
+        /* Access granted */
+        *AccessStatus = TRUE;
     }
 
-    *AccessStatus = TRUE;
+    /* Check succeeded */
-
     return TRUE;
 }
 

reactos/ntoskrnl/se/semgr.c

@@ -619,33 +619,48 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
 
 /* SYSTEM CALLS ***************************************************************/
 
-NTSTATUS NTAPI
+/*
+ * @implemented
+ */
+NTSTATUS
+NTAPI
 NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
               IN HANDLE TokenHandle,
               IN ACCESS_MASK DesiredAccess,
               IN PGENERIC_MAPPING GenericMapping,
-              OUT PPRIVILEGE_SET PrivilegeSet,
+              OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL,
-              OUT PULONG ReturnLength,
+              IN OUT PULONG PrivilegeSetLength,
               OUT PACCESS_MASK GrantedAccess,
               OUT PNTSTATUS AccessStatus)
 {
-    SECURITY_SUBJECT_CONTEXT SubjectSecurityContext = { NULL, 0, NULL, NULL };
+    SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
-    KPROCESSOR_MODE PreviousMode;
+    KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
     PTOKEN Token;
     NTSTATUS Status;
-    
     PAGED_CODE();
     
-    DPRINT("NtAccessCheck() called\n");
+    /* Check if this is kernel mode */
-    
-    PreviousMode = KeGetPreviousMode();
     if (PreviousMode == KernelMode)
     {
-        *GrantedAccess = DesiredAccess;
+        /* Check if kernel wants everything */
+        if (DesiredAccess & MAXIMUM_ALLOWED)
+        {
+            /* Give it */
+            *GrantedAccess = GenericMapping->GenericAll;
+            *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
+        }
+        else
+        {
+            /* Just give the desired access */
+            *GrantedAccess = DesiredAccess;
+        }
+        
+        /* Success */
         *AccessStatus = STATUS_SUCCESS;
         return STATUS_SUCCESS;
     }
-    
+
+    /* Reference the token */
     Status = ObReferenceObjectByHandle(TokenHandle,
                                        TOKEN_QUERY,
                                        SepTokenObjectType,
@@ -657,57 +672,43 @@ NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
         DPRINT1("Failed to reference token (Status %lx)\n", Status);
         return Status;
     }
-    
+
     /* Check token type */
     if (Token->TokenType != TokenImpersonation)
     {
         DPRINT1("No impersonation token\n");
         ObDereferenceObject(Token);
-        return STATUS_ACCESS_VIOLATION;
+        return STATUS_ACCESS_DENIED;
     }
-    
+
-    /* Check impersonation level */
+    /* Set up the subject context, and lock it */
-    if (Token->ImpersonationLevel < SecurityIdentification)
-    {
-        DPRINT1("Invalid impersonation level\n");
-        ObDereferenceObject(Token);
-        return STATUS_ACCESS_VIOLATION;
-    }
-    
     SubjectSecurityContext.ClientToken = Token;
     SubjectSecurityContext.ImpersonationLevel = Token->ImpersonationLevel;
-    
+    SubjectSecurityContext.PrimaryToken = NULL;
-    /* Lock subject context */
+    SubjectSecurityContext.ProcessAuditId = NULL;
     SeLockSubjectContext(&SubjectSecurityContext);
-    
+
-    if (SeAccessCheck(SecurityDescriptor,
+    /* Now perform the access check */
-                      &SubjectSecurityContext,
+    SeAccessCheck(SecurityDescriptor,
-                      TRUE,
+                  &SubjectSecurityContext,
-                      DesiredAccess,
+                  TRUE,
-                      0,
+                  DesiredAccess,
-                      &PrivilegeSet,
+                  0,
-                      GenericMapping,
+                  &PrivilegeSet, //FIXME
-                      PreviousMode,
+                  GenericMapping,
-                      GrantedAccess,
+                  PreviousMode,
-                      AccessStatus))
+                  GrantedAccess,
-    {
+                  AccessStatus);
-        Status = *AccessStatus;
+
-    }
+    /* Unlock subject context and dereference the token */
-    else
-    {
-        Status = STATUS_ACCESS_DENIED;
-    }
-    
-    /* Unlock subject context */
     SeUnlockSubjectContext(&SubjectSecurityContext);
-    
     ObDereferenceObject(Token);
-    
+
-    DPRINT("NtAccessCheck() done\n");
+    /* Check succeeded */
-    
+    return STATUS_SUCCESS;
-    return Status;
 }
 
+
 NTSTATUS
 NTAPI
 NtAccessCheckByType(IN PSECURITY_DESCRIPTOR SecurityDescriptor,