2019-06-26 12:57:43 +10:00
|
|
|
From 3c1f5962482e7acf531f57f49d923d9c4e5278b1 Mon Sep 17 00:00:00 2001
|
2017-08-06 04:34:06 +02:00
|
|
|
From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
|
|
|
|
Date: Fri, 4 Aug 2017 02:51:57 +0200
|
2019-06-26 12:57:43 +10:00
|
|
|
Subject: [PATCH] advapi32: Implement CreateRestrictedToken.
|
2017-08-06 04:34:06 +02:00
|
|
|
|
|
|
|
---
|
2019-06-26 12:57:43 +10:00
|
|
|
dlls/kernelbase/security.c | 103 ++++++++++++++++++++++++++++++-------
|
|
|
|
1 file changed, 84 insertions(+), 19 deletions(-)
|
2017-08-06 04:34:06 +02:00
|
|
|
|
2019-06-26 12:57:43 +10:00
|
|
|
diff --git a/dlls/kernelbase/security.c b/dlls/kernelbase/security.c
|
|
|
|
index 2e75e81ed77..97f6ee6a2fd 100644
|
|
|
|
--- a/dlls/kernelbase/security.c
|
|
|
|
+++ b/dlls/kernelbase/security.c
|
|
|
|
@@ -592,31 +592,96 @@ exit:
|
|
|
|
return ret;
|
2017-08-06 04:34:06 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
+static BOOL allocate_groups(TOKEN_GROUPS **groups_ret, SID_AND_ATTRIBUTES *sids, DWORD count)
|
|
|
|
+{
|
|
|
|
+ TOKEN_GROUPS *groups;
|
|
|
|
+ DWORD i;
|
|
|
|
+
|
|
|
|
+ if (!count)
|
|
|
|
+ {
|
|
|
|
+ *groups_ret = NULL;
|
|
|
|
+ return TRUE;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ groups = (TOKEN_GROUPS *)heap_alloc(FIELD_OFFSET(TOKEN_GROUPS, Groups) +
|
|
|
|
+ count * sizeof(SID_AND_ATTRIBUTES));
|
|
|
|
+ if (!groups)
|
|
|
|
+ {
|
|
|
|
+ SetLastError(ERROR_OUTOFMEMORY);
|
|
|
|
+ return FALSE;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ groups->GroupCount = count;
|
|
|
|
+ for (i = 0; i < count; i++)
|
|
|
|
+ groups->Groups[i] = sids[i];
|
|
|
|
+
|
|
|
|
+ *groups_ret = groups;
|
|
|
|
+ return TRUE;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static BOOL allocate_privileges(TOKEN_PRIVILEGES **privileges_ret, LUID_AND_ATTRIBUTES *privs, DWORD count)
|
|
|
|
+{
|
|
|
|
+ TOKEN_PRIVILEGES *privileges;
|
|
|
|
+ DWORD i;
|
|
|
|
+
|
|
|
|
+ if (!count)
|
|
|
|
+ {
|
|
|
|
+ *privileges_ret = NULL;
|
|
|
|
+ return TRUE;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ privileges = (TOKEN_PRIVILEGES *)heap_alloc(FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) +
|
|
|
|
+ count * sizeof(LUID_AND_ATTRIBUTES));
|
|
|
|
+ if (!privileges)
|
|
|
|
+ {
|
|
|
|
+ SetLastError(ERROR_OUTOFMEMORY);
|
|
|
|
+ return FALSE;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ privileges->PrivilegeCount = count;
|
|
|
|
+ for (i = 0; i < count; i++)
|
|
|
|
+ privileges->Privileges[i] = privs[i];
|
|
|
|
+
|
|
|
|
+ *privileges_ret = privileges;
|
|
|
|
+ return TRUE;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
/*************************************************************************
|
2019-06-26 12:57:43 +10:00
|
|
|
* CreateRestrictedToken (kernelbase.@)
|
|
|
|
*/
|
|
|
|
-BOOL WINAPI CreateRestrictedToken( HANDLE token, DWORD flags,
|
|
|
|
- DWORD disable_count, PSID_AND_ATTRIBUTES disable_sids,
|
|
|
|
- DWORD delete_count, PLUID_AND_ATTRIBUTES delete_privs,
|
|
|
|
- DWORD restrict_count, PSID_AND_ATTRIBUTES restrict_sids, PHANDLE ret )
|
|
|
|
+BOOL WINAPI CreateRestrictedToken( HANDLE baseToken, DWORD flags,
|
|
|
|
+ DWORD nDisableSids, PSID_AND_ATTRIBUTES disableSids,
|
|
|
|
+ DWORD nDeletePrivs, PLUID_AND_ATTRIBUTES deletePrivs,
|
|
|
|
+ DWORD nRestrictSids, PSID_AND_ATTRIBUTES restrictSids, PHANDLE newToken )
|
2017-08-06 04:34:06 +02:00
|
|
|
{
|
|
|
|
- TOKEN_TYPE type;
|
|
|
|
- SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
|
|
|
|
- DWORD size;
|
|
|
|
+ TOKEN_PRIVILEGES *delete_privs = NULL;
|
|
|
|
+ TOKEN_GROUPS *disable_groups = NULL;
|
|
|
|
+ TOKEN_GROUPS *restrict_sids = NULL;
|
|
|
|
+ BOOL ret = FALSE;
|
|
|
|
|
|
|
|
- FIXME("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p): stub\n",
|
2019-06-26 12:57:43 +10:00
|
|
|
- token, flags, disable_count, disable_sids, delete_count, delete_privs,
|
|
|
|
- restrict_count, restrict_sids, ret );
|
2017-08-06 04:34:06 +02:00
|
|
|
+ TRACE("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p)\n",
|
2019-06-26 12:57:43 +10:00
|
|
|
+ baseToken, flags, nDisableSids, disableSids,
|
|
|
|
+ nDeletePrivs, deletePrivs,
|
|
|
|
+ nRestrictSids, restrictSids,
|
|
|
|
+ newToken);
|
|
|
|
+
|
2017-08-06 04:34:06 +02:00
|
|
|
+ if (!allocate_groups(&disable_groups, disableSids, nDisableSids))
|
|
|
|
+ goto done;
|
|
|
|
+
|
|
|
|
+ if (!allocate_privileges(&delete_privs, deletePrivs, nDeletePrivs))
|
|
|
|
+ goto done;
|
|
|
|
+
|
|
|
|
+ if (!allocate_groups(&restrict_sids, restrictSids, nRestrictSids))
|
|
|
|
+ goto done;
|
|
|
|
+
|
|
|
|
+ ret = set_ntstatus(NtFilterToken(baseToken, flags, disable_groups, delete_privs, restrict_sids, newToken));
|
|
|
|
+
|
|
|
|
+done:
|
|
|
|
+ heap_free(disable_groups);
|
|
|
|
+ heap_free(delete_privs);
|
|
|
|
+ heap_free(restrict_sids);
|
|
|
|
+ return ret;
|
|
|
|
|
2019-06-26 12:57:43 +10:00
|
|
|
- size = sizeof(type);
|
|
|
|
- if (!GetTokenInformation( token, TokenType, &type, size, &size )) return FALSE;
|
|
|
|
- if (type == TokenImpersonation)
|
|
|
|
- {
|
|
|
|
- size = sizeof(level);
|
|
|
|
- if (!GetTokenInformation( token, TokenImpersonationLevel, &level, size, &size ))
|
|
|
|
- return FALSE;
|
|
|
|
- }
|
|
|
|
- return DuplicateTokenEx( token, MAXIMUM_ALLOWED, NULL, level, type, ret );
|
2017-08-06 04:34:06 +02:00
|
|
|
}
|
2019-06-26 12:57:43 +10:00
|
|
|
|
|
|
|
/******************************************************************************
|
2017-08-06 04:34:06 +02:00
|
|
|
--
|
2019-06-26 12:57:43 +10:00
|
|
|
2.20.1
|
2017-08-06 04:34:06 +02:00
|
|
|
|