Added patch to implement advapi32.AddMandatoryAce.

2025-01-28 22:04:43 -08:00 · 2016-12-21 03:47:27 +01:00 · 2016-12-21 03:47:27 +01:00 · 533032bd79
commit 533032bd79
parent 8f67fbfbc3
3 changed files with 203 additions and 0 deletions
--- a/patches/advapi32-AddMandatoryAce/0001-advapi32-Implement-AddMandatoryAce.patch
+++ b/patches/advapi32-AddMandatoryAce/0001-advapi32-Implement-AddMandatoryAce.patch
@ -0,0 +1,185 @@
+From 9904ee15d00d0809c12759446c09adc1981e3cf9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Mon, 29 Aug 2016 19:45:47 +0200
+Subject: advapi32: Implement AddMandatoryAce.
+
+---
+ dlls/advapi32/security.c       |  6 ++++--
+ dlls/advapi32/tests/security.c | 45 ++++++++++++++++++++++++++++++++++++++++++
+ dlls/ntdll/ntdll.spec          |  1 +
+ dlls/ntdll/sec.c               | 25 +++++++++++++++++++++++
+ include/winbase.h              |  1 +
+ include/winternl.h             |  1 +
+ 6 files changed, 77 insertions(+), 2 deletions(-)
+
+diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
+index 28331df..45c0f7e 100644
+--- a/dlls/advapi32/security.c
+++ b/dlls/advapi32/security.c
+@@ -1711,10 +1711,12 @@ BOOL WINAPI AddAce(
+     return set_ntstatus(RtlAddAce(pAcl, dwAceRevision, dwStartingAceIndex, pAceList, nAceListLength));
+ }
+ 
+/******************************************************************************
+ *  AddMandatoryAce [ADVAPI32.@]
+ */
+ BOOL WINAPI AddMandatoryAce(ACL *acl, DWORD ace_revision, DWORD ace_flags, DWORD mandatory_policy, PSID label_sid)
+ {
+-    FIXME("%p %x %x %x %p - stub\n", acl, ace_revision, ace_flags, mandatory_policy, label_sid);
+-    return FALSE;
+    return set_ntstatus(RtlAddMandatoryAce(acl, ace_revision, ace_flags, mandatory_policy, SYSTEM_MANDATORY_LABEL_ACE_TYPE, label_sid));
+ }
+ 
+ /******************************************************************************
+diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
+index 18f4e04..cdbe4f8 100644
+--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
+@@ -65,6 +65,7 @@
+ static BOOL (WINAPI *pAddAccessAllowedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
+ static BOOL (WINAPI *pAddAccessDeniedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
+ static BOOL (WINAPI *pAddAuditAccessAceEx)(PACL, DWORD, DWORD, DWORD, PSID, BOOL, BOOL);
+static BOOL (WINAPI *pAddMandatoryAce)(PACL,DWORD,DWORD,DWORD,PSID);
+ static VOID (WINAPI *pBuildTrusteeWithSidA)( PTRUSTEEA pTrustee, PSID pSid );
+ static VOID (WINAPI *pBuildTrusteeWithNameA)( PTRUSTEEA pTrustee, LPSTR pName );
+ static VOID (WINAPI *pBuildTrusteeWithObjectsAndNameA)( PTRUSTEEA pTrustee,
+@@ -199,6 +200,7 @@ static void init(void)
+     pAddAccessAllowedAceEx = (void *)GetProcAddress(hmod, "AddAccessAllowedAceEx");
+     pAddAccessDeniedAceEx = (void *)GetProcAddress(hmod, "AddAccessDeniedAceEx");
+     pAddAuditAccessAceEx = (void *)GetProcAddress(hmod, "AddAuditAccessAceEx");
+    pAddMandatoryAce = (void *)GetProcAddress(hmod, "AddMandatoryAce");
+     pCheckTokenMembership = (void *)GetProcAddress(hmod, "CheckTokenMembership");
+     pConvertStringSecurityDescriptorToSecurityDescriptorA =
+         (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorA" );
+@@ -6064,6 +6066,48 @@ static void test_default_dacl_owner_sid(void)
+     CloseHandle( handle );
+ }
+ 
+static void test_integrity(void)
+{
+    static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
+                                                    {SECURITY_MANDATORY_LOW_RID}};
+    SYSTEM_MANDATORY_LABEL_ACE *ace;
+    char buffer_acl[256];
+    ACL *pAcl = (ACL*)&buffer_acl;
+    BOOL ret, found;
+    DWORD index;
+
+    if (!pAddMandatoryAce)
+    {
+        win_skip("Mandatory integrity labels not supported, skipping test\n");
+        return;
+    }
+
+    ret = InitializeAcl(pAcl, 256, ACL_REVISION);
+    ok(ret, "InitializeAcl failed with %u\n", GetLastError());
+
+    ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, 0x1234, &low_level);
+    ok(!ret, "AddMandatoryAce succeeded\n");
+    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER got %u\n", GetLastError());
+
+    ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
+    ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
+
+    index = 0;
+    found = FALSE;
+    while (pGetAce( pAcl, index++, (void **)&ace ))
+    {
+        if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+        {
+            found = TRUE;
+            ok(ace->Header.AceFlags == 0, "Expected 0 as flags, got %x\n", ace->Header.AceFlags);
+            ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
+               "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as flag, got %x\n", ace->Mask);
+            ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
+        }
+    }
+    ok(found, "Could not find mandatory label\n");
+}
+
+ static void test_AdjustTokenPrivileges(void)
+ {
+     TOKEN_PRIVILEGES tp, prev;
+@@ -6444,6 +6488,7 @@ START_TEST(security)
+     test_CreateRestrictedToken();
+     test_TokenIntegrityLevel();
+     test_default_dacl_owner_sid();
+    test_integrity();
+     test_AdjustTokenPrivileges();
+     test_AddAce();
+     test_system_security_access();
+diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
+index 28aa2df..f6f8eba 100644
+--- a/dlls/ntdll/ntdll.spec
+++ b/dlls/ntdll/ntdll.spec
+@@ -422,6 +422,7 @@
+ @ stdcall RtlAddAuditAccessAceEx(ptr long long long ptr long long)
+ @ stdcall RtlAddAuditAccessObjectAce(ptr long long long ptr ptr ptr long long)
+ # @ stub RtlAddCompoundAce
+@ stdcall RtlAddMandatoryAce(ptr long long long long ptr)
+ # @ stub RtlAddRange
+ @ cdecl -arch=arm,x86_64 RtlAddFunctionTable(ptr long long)
+ @ stdcall RtlAddRefActivationContext(ptr)
+diff --git a/dlls/ntdll/sec.c b/dlls/ntdll/sec.c
+index 3bc52ac..daa2cae 100644
+--- a/dlls/ntdll/sec.c
+++ b/dlls/ntdll/sec.c
+@@ -1379,6 +1379,31 @@ NTSTATUS WINAPI RtlAddAuditAccessObjectAce(
+     return STATUS_NOT_IMPLEMENTED;
+ }
+ 
+/**************************************************************************
+ *  RtlAddMandatoryAce     [NTDLL.@]
+ */
+NTSTATUS WINAPI RtlAddMandatoryAce(
+    IN OUT PACL pAcl,
+    IN DWORD dwAceRevision,
+    IN DWORD dwAceFlags,
+    IN DWORD dwMandatoryFlags,
+    IN DWORD dwAceType,
+    IN PSID pSid)
+{
+    static DWORD valid_flags = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP |
+                               SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP;
+
+    TRACE("(%p,%d,0x%08x,0x%08x,%u,%p)\n",pAcl,dwAceRevision,dwAceFlags,dwMandatoryFlags, dwAceType, pSid);
+
+    if (dwAceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+        return STATUS_INVALID_PARAMETER;
+
+    if (dwMandatoryFlags & ~valid_flags)
+        return STATUS_INVALID_PARAMETER;
+
+    return add_access_ace(pAcl, dwAceRevision, dwAceFlags, dwMandatoryFlags, pSid, dwAceType);
+}
+
+ /******************************************************************************
+  *  RtlValidAcl		[NTDLL.@]
+  */
+diff --git a/include/winbase.h b/include/winbase.h
+index eff5972..42c826d 100644
+--- a/include/winbase.h
+++ b/include/winbase.h
+@@ -1693,6 +1693,7 @@ WINBASEAPI ATOM        WINAPI AddAtomW(LPCWSTR);
+ #define                       AddAtom WINELIB_NAME_AW(AddAtom)
+ WINADVAPI  BOOL        WINAPI AddAuditAccessAce(PACL,DWORD,DWORD,PSID,BOOL,BOOL);
+ WINADVAPI  BOOL        WINAPI AddAuditAccessAceEx(PACL,DWORD,DWORD,DWORD,PSID,BOOL,BOOL);
+WINADVAPI  BOOL        WINAPI AddMandatoryAce(PACL,DWORD,DWORD,DWORD,PSID);
+ WINBASEAPI VOID        WINAPI AddRefActCtx(HANDLE);
+ WINBASEAPI PVOID       WINAPI AddVectoredExceptionHandler(ULONG,PVECTORED_EXCEPTION_HANDLER);
+ WINADVAPI  BOOL        WINAPI AdjustTokenGroups(HANDLE,BOOL,PTOKEN_GROUPS,DWORD,PTOKEN_GROUPS,PDWORD);
+diff --git a/include/winternl.h b/include/winternl.h
+index f35091c..c104e6f 100644
+--- a/include/winternl.h
+++ b/include/winternl.h
+@@ -2405,6 +2405,7 @@ NTSYSAPI NTSTATUS  WINAPI RtlAddAtomToAtomTable(RTL_ATOM_TABLE,const WCHAR*,RTL_
+ NTSYSAPI NTSTATUS  WINAPI RtlAddAuditAccessAce(PACL,DWORD,DWORD,PSID,BOOL,BOOL);
+ NTSYSAPI NTSTATUS  WINAPI RtlAddAuditAccessAceEx(PACL,DWORD,DWORD,DWORD,PSID,BOOL,BOOL);
+ NTSYSAPI NTSTATUS  WINAPI RtlAddAuditAccessObjectAce(PACL,DWORD,DWORD,DWORD,GUID*,GUID*,PSID,BOOL,BOOL);
+NTSYSAPI NTSTATUS  WINAPI RtlAddMandatoryAce(PACL,DWORD,DWORD,DWORD,DWORD,PSID);
+ NTSYSAPI void      WINAPI RtlAddRefActivationContext(HANDLE);
+ NTSYSAPI PVOID     WINAPI RtlAddVectoredExceptionHandler(ULONG,PVECTORED_EXCEPTION_HANDLER);
+ NTSYSAPI NTSTATUS  WINAPI RtlAdjustPrivilege(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
+-- 
+2.9.0
+
--- a/patches/advapi32-AddMandatoryAce/definition
+++ b/patches/advapi32-AddMandatoryAce/definition
@ -0,0 +1 @@
+Fixes: Implement advapi32.AddMandatoryAce
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@ -86,6 +86,7 @@ patch_enable_all ()
 	enable_Coverity="$1"
 	enable_Pipelight="$1"
 	enable_Staging="$1"
+	enable_advapi32_AddMandatoryAce="$1"
 	enable_advapi32_GetExplicitEntriesFromAclW="$1"
 	enable_advapi32_LsaLookupSids="$1"
 	enable_advapi32_SetSecurityInfo="$1"
@ -443,6 +444,9 @@ patch_enable ()
 		Staging)
 			enable_Staging="$2"
 			;;
+		advapi32-AddMandatoryAce)
+			enable_advapi32_AddMandatoryAce="$2"
+			;;
 		advapi32-GetExplicitEntriesFromAclW)
 			enable_advapi32_GetExplicitEntriesFromAclW="$2"
 			;;
@ -2531,6 +2535,19 @@ if test "$enable_Staging" -eq 1; then
 	) >> "$patchlist"
 fi

+# Patchset advapi32-AddMandatoryAce
+# |
+# | Modified files:
+# |   *	dlls/advapi32/security.c, dlls/advapi32/tests/security.c, dlls/ntdll/ntdll.spec, dlls/ntdll/sec.c, include/winbase.h,
+# | 	include/winternl.h
+# |
+if test "$enable_advapi32_AddMandatoryAce" -eq 1; then
+	patch_apply advapi32-AddMandatoryAce/0001-advapi32-Implement-AddMandatoryAce.patch
+	(
+		echo '+    { "Michael Müller", "advapi32: Implement AddMandatoryAce.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset advapi32-GetExplicitEntriesFromAclW
 # |
 # | Modified files: