diff --git a/patches/advapi32-AddMandatoryAce/0001-advapi32-Implement-AddMandatoryAce.patch b/patches/advapi32-AddMandatoryAce/0001-advapi32-Implement-AddMandatoryAce.patch
new file mode 100644
index 00000000..202e1ef1
--- /dev/null
+++ b/patches/advapi32-AddMandatoryAce/0001-advapi32-Implement-AddMandatoryAce.patch
@@ -0,0 +1,185 @@
+From 9904ee15d00d0809c12759446c09adc1981e3cf9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?=
+Date: Mon, 29 Aug 2016 19:45:47 +0200
+Subject: advapi32: Implement AddMandatoryAce.
+
+---
+ dlls/advapi32/security.c | 6 ++++--
+ dlls/advapi32/tests/security.c | 45 ++++++++++++++++++++++++++++++++++++++++++
+ dlls/ntdll/ntdll.spec | 1 +
+ dlls/ntdll/sec.c | 25 +++++++++++++++++++++++
+ include/winbase.h | 1 +
+ include/winternl.h | 1 +
+ 6 files changed, 77 insertions(+), 2 deletions(-)
+
+diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
+index 28331df..45c0f7e 100644
+--- a/dlls/advapi32/security.c
++++ b/dlls/advapi32/security.c
+@@ -1711,10 +1711,12 @@ BOOL WINAPI AddAce(
+ return set_ntstatus(RtlAddAce(pAcl, dwAceRevision, dwStartingAceIndex, pAceList, nAceListLength));
+ }
+
++/******************************************************************************
++ * AddMandatoryAce [ADVAPI32.@]
++ */
+ BOOL WINAPI AddMandatoryAce(ACL *acl, DWORD ace_revision, DWORD ace_flags, DWORD mandatory_policy, PSID label_sid)
+ {
+- FIXME("%p %x %x %x %p - stub\n", acl, ace_revision, ace_flags, mandatory_policy, label_sid);
+- return FALSE;
++ return set_ntstatus(RtlAddMandatoryAce(acl, ace_revision, ace_flags, mandatory_policy, SYSTEM_MANDATORY_LABEL_ACE_TYPE, label_sid));
+ }
+
+ /******************************************************************************
+diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
+index 18f4e04..cdbe4f8 100644
+--- a/dlls/advapi32/tests/security.c
++++ b/dlls/advapi32/tests/security.c
+@@ -65,6 +65,7 @@
+ static BOOL (WINAPI *pAddAccessAllowedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
+ static BOOL (WINAPI *pAddAccessDeniedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
+ static BOOL (WINAPI *pAddAuditAccessAceEx)(PACL, DWORD, DWORD, DWORD, PSID, BOOL, BOOL);
++static BOOL (WINAPI *pAddMandatoryAce)(PACL,DWORD,DWORD,DWORD,PSID);
+ static VOID (WINAPI *pBuildTrusteeWithSidA)( 
PTRUSTEEA pTrustee, PSID pSid );
+ static VOID (WINAPI *pBuildTrusteeWithNameA)( PTRUSTEEA pTrustee, LPSTR pName );
+ static VOID (WINAPI *pBuildTrusteeWithObjectsAndNameA)( PTRUSTEEA pTrustee,
+@@ -199,6 +200,7 @@ static void init(void)
+ pAddAccessAllowedAceEx = (void *)GetProcAddress(hmod, "AddAccessAllowedAceEx");
+ pAddAccessDeniedAceEx = (void *)GetProcAddress(hmod, "AddAccessDeniedAceEx");
+ pAddAuditAccessAceEx = (void *)GetProcAddress(hmod, "AddAuditAccessAceEx");
++ pAddMandatoryAce = (void *)GetProcAddress(hmod, "AddMandatoryAce");
+ pCheckTokenMembership = (void *)GetProcAddress(hmod, "CheckTokenMembership");
+ pConvertStringSecurityDescriptorToSecurityDescriptorA =
+ (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorA" );
+@@ -6064,6 +6066,48 @@ static void test_default_dacl_owner_sid(void)
+ CloseHandle( handle );
+ }
+
++static void test_integrity(void)
++{
++ static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
++ {SECURITY_MANDATORY_LOW_RID}};
++ SYSTEM_MANDATORY_LABEL_ACE *ace;
++ char buffer_acl[256];
++ ACL *pAcl = (ACL*)&buffer_acl;
++ BOOL ret, found;
++ DWORD index;
++
++ if (!pAddMandatoryAce)
++ {
++ win_skip("Mandatory integrity labels not supported, skipping test\n");
++ return;
++ }
++
++ ret = InitializeAcl(pAcl, 256, ACL_REVISION);
++ ok(ret, "InitializeAcl failed with %u\n", GetLastError());
++
++ ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, 0x1234, &low_level);
++ ok(!ret, "AddMandatoryAce succeeded\n");
++ ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER got %u\n", GetLastError());
++
++ ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
++ ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
++
++ index = 0;
++ found = FALSE;
++ while (pGetAce( pAcl, index++, (void **)&ace ))
++ {
++ if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
++ {
++ found = TRUE;
++ ok(ace->Header.AceFlags == 
0, "Expected 0 as flags, got %x\n", ace->Header.AceFlags);
++ ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
++ "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as flag, got %x\n", ace->Mask);
++ ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
++ }
++ }
++ ok(found, "Could not find mandatory label\n");
++}
++
+ static void test_AdjustTokenPrivileges(void)
+ {
+ TOKEN_PRIVILEGES tp, prev;
+@@ -6444,6 +6488,7 @@ START_TEST(security)
+ test_CreateRestrictedToken();
+ test_TokenIntegrityLevel();
+ test_default_dacl_owner_sid();
++ test_integrity();
+ test_AdjustTokenPrivileges();
+ test_AddAce();
+ test_system_security_access();
+diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
+index 28aa2df..f6f8eba 100644
+--- a/dlls/ntdll/ntdll.spec
++++ b/dlls/ntdll/ntdll.spec
+@@ -422,6 +422,7 @@
+ @ stdcall RtlAddAuditAccessAceEx(ptr long long long ptr long long)
+ @ stdcall RtlAddAuditAccessObjectAce(ptr long long long ptr ptr ptr long long)
+ # @ stub RtlAddCompoundAce
++@ stdcall RtlAddMandatoryAce(ptr long long long long ptr)
+ # @ stub RtlAddRange
+ @ cdecl -arch=arm,x86_64 RtlAddFunctionTable(ptr long long)
+ @ stdcall RtlAddRefActivationContext(ptr)
+diff --git a/dlls/ntdll/sec.c b/dlls/ntdll/sec.c
+index 3bc52ac..daa2cae 100644
+--- a/dlls/ntdll/sec.c
++++ b/dlls/ntdll/sec.c
+@@ -1379,6 +1379,31 @@ NTSTATUS WINAPI RtlAddAuditAccessObjectAce(
+ return STATUS_NOT_IMPLEMENTED;
+ }
+
++/**************************************************************************
++ * RtlAddMandatoryAce [NTDLL.@]
++ */
++NTSTATUS WINAPI RtlAddMandatoryAce(
++ IN OUT PACL pAcl,
++ IN DWORD dwAceRevision,
++ IN DWORD dwAceFlags,
++ IN DWORD dwMandatoryFlags,
++ IN DWORD dwAceType,
++ IN PSID pSid)
++{
++ static DWORD valid_flags = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP |
++ SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP;
++
++ TRACE("(%p,%d,0x%08x,0x%08x,%u,%p)\n",pAcl,dwAceRevision,dwAceFlags,dwMandatoryFlags, dwAceType, pSid);
++
++ 
if (dwAceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE)
++ return STATUS_INVALID_PARAMETER;
++
++ if (dwMandatoryFlags & ~valid_flags)
++ return STATUS_INVALID_PARAMETER;
++
++ return add_access_ace(pAcl, dwAceRevision, dwAceFlags, dwMandatoryFlags, pSid, dwAceType);
++}
++
+ /******************************************************************************
+ * RtlValidAcl [NTDLL.@]
+ */
+diff --git a/include/winbase.h b/include/winbase.h
+index eff5972..42c826d 100644
+--- a/include/winbase.h
++++ b/include/winbase.h
+@@ -1693,6 +1693,7 @@ WINBASEAPI ATOM WINAPI AddAtomW(LPCWSTR);
+ #define AddAtom WINELIB_NAME_AW(AddAtom)
+ WINADVAPI BOOL WINAPI AddAuditAccessAce(PACL,DWORD,DWORD,PSID,BOOL,BOOL);
+ WINADVAPI BOOL WINAPI AddAuditAccessAceEx(PACL,DWORD,DWORD,DWORD,PSID,BOOL,BOOL);
++WINADVAPI BOOL WINAPI AddMandatoryAce(PACL,DWORD,DWORD,DWORD,PSID);
+ WINBASEAPI VOID WINAPI AddRefActCtx(HANDLE);
+ WINBASEAPI PVOID WINAPI AddVectoredExceptionHandler(ULONG,PVECTORED_EXCEPTION_HANDLER);
+ WINADVAPI BOOL WINAPI AdjustTokenGroups(HANDLE,BOOL,PTOKEN_GROUPS,DWORD,PTOKEN_GROUPS,PDWORD);
+diff --git a/include/winternl.h b/include/winternl.h
+index f35091c..c104e6f 100644
+--- a/include/winternl.h
++++ b/include/winternl.h
+@@ -2405,6 +2405,7 @@ NTSYSAPI NTSTATUS WINAPI RtlAddAtomToAtomTable(RTL_ATOM_TABLE,const WCHAR*,RTL_
+ NTSYSAPI NTSTATUS WINAPI RtlAddAuditAccessAce(PACL,DWORD,DWORD,PSID,BOOL,BOOL);
+ NTSYSAPI NTSTATUS WINAPI RtlAddAuditAccessAceEx(PACL,DWORD,DWORD,DWORD,PSID,BOOL,BOOL);
+ NTSYSAPI NTSTATUS WINAPI RtlAddAuditAccessObjectAce(PACL,DWORD,DWORD,DWORD,GUID*,GUID*,PSID,BOOL,BOOL);
++NTSYSAPI NTSTATUS WINAPI RtlAddMandatoryAce(PACL,DWORD,DWORD,DWORD,DWORD,PSID);
+ NTSYSAPI void WINAPI RtlAddRefActivationContext(HANDLE);
+ NTSYSAPI PVOID WINAPI RtlAddVectoredExceptionHandler(ULONG,PVECTORED_EXCEPTION_HANDLER);
+ NTSYSAPI NTSTATUS WINAPI RtlAdjustPrivilege(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
+--
+2.9.0
+
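Review bot: The TRACE in RtlAddMandatoryAce formats dwAceRevision, a DWORD, with `%d` while the other DWORD arguments on the same line use `0x%08x` and `%u`; `TRACE("(%p,%u,0x%08x,0x%08x,%u,%p)\n",pAcl,dwAceRevision,dwAceFlags,dwMandatoryFlags, dwAceType, pSid);` keeps the specifier consistent with the unsigned type. `valid_flags` is never written, so `static const DWORD valid_flags = ...` states that intent and keeps the mask out of writable data. Validation of pSid and of the free space in pAcl is left entirely to add_access_ace, which is outside this hunk; if that helper does not reject an invalid SID or an ACL too small for the new ACE, the mandatory-label path inherits that gap, so its checks are worth confirming before relying on the new STATUS_INVALID_PARAMETER paths alone. The advapi32 wrapper earlier in the same patch only forwards to this function with SYSTEM_MANDATORY_LABEL_ACE_TYPE, so it needs no separate note.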
diff --git a/patches/advapi32-AddMandatoryAce/definition b/patches/advapi32-AddMandatoryAce/definition
new file mode 100644
index 00000000..0dec69e0
--- /dev/null
+++ b/patches/advapi32-AddMandatoryAce/definition
@@ -0,0 +1 @@
+Fixes: Implement advapi32.AddMandatoryAce
diff --git a/patches/patchinstall.sh b/patches/patchinstall.sh
index 34ca45ae..3f18f73f 100755
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@@ -86,6 +86,7 @@ patch_enable_all ()
 enable_Coverity="$1"
 enable_Pipelight="$1"
 enable_Staging="$1"
+ enable_advapi32_AddMandatoryAce="$1"
 enable_advapi32_GetExplicitEntriesFromAclW="$1"
 enable_advapi32_LsaLookupSids="$1"
 enable_advapi32_SetSecurityInfo="$1"
@@ -443,6 +444,9 @@ patch_enable ()
 Staging)
 enable_Staging="$2"
 ;;
+ advapi32-AddMandatoryAce)
+ enable_advapi32_AddMandatoryAce="$2"
+ ;;
 advapi32-GetExplicitEntriesFromAclW)
 enable_advapi32_GetExplicitEntriesFromAclW="$2"
 ;;
@@ -2531,6 +2535,19 @@ if test "$enable_Staging" -eq 1; then
 ) >> "$patchlist"
 fi
 
+# Patchset advapi32-AddMandatoryAce
+# |
+# | Modified files:
+# | * dlls/advapi32/security.c, dlls/advapi32/tests/security.c, dlls/ntdll/ntdll.spec, dlls/ntdll/sec.c, include/winbase.h,
+# | include/winternl.h
+# |
+if test "$enable_advapi32_AddMandatoryAce" -eq 1; then
+ patch_apply advapi32-AddMandatoryAce/0001-advapi32-Implement-AddMandatoryAce.patch
+ (
+ echo '+ { "Michael Müller", "advapi32: Implement AddMandatoryAce.", 1 },';
+ ) >> "$patchlist"
+fi
+
 # Patchset advapi32-GetExplicitEntriesFromAclW
 # |
 # | Modified files: