server-Stored_ACLs: Fix some bugs related to mapping of MAXIMUM_ALLOWED.

2024-11-21 16:46:54 -08:00 · 2016-10-16 02:25:44 +02:00 · 2016-10-16 02:25:44 +02:00 · 8521ab33ad
commit 8521ab33ad
parent dd324a1b34
3 changed files with 76 additions and 2 deletions
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@ -5985,8 +5985,8 @@ fi
 # |   *	[#33576] Support for stored file ACLs
 # |
 # | Modified files:
-# |   *	dlls/advapi32/tests/security.c, include/wine/port.h, server/change.c, server/file.c, server/file.h, server/object.c,
-# | 	server/object.h
+# |   *	dlls/advapi32/tests/security.c, include/wine/port.h, server/change.c, server/file.c, server/file.h, server/handle.c,
+# | 	server/object.c, server/object.h, server/token.c
 # |
 if test "$enable_server_Stored_ACLs" -eq 1; then
 	patch_apply server-Stored_ACLs/0001-server-Unify-the-storage-of-security-attributes-for-.patch
@ -5996,6 +5996,8 @@ if test "$enable_server_Stored_ACLs" -eq 1; then
 	patch_apply server-Stored_ACLs/0005-server-Store-file-security-attributes-with-extended-.patch
 	patch_apply server-Stored_ACLs/0006-server-Convert-return-of-file-security-masks-with-ge.patch
 	patch_apply server-Stored_ACLs/0007-server-Retrieve-file-security-attributes-with-extend.patch
+	patch_apply server-Stored_ACLs/0008-server-Fix-handling-of-MAXIMUM_ALLOWED-in-token_acce.patch
+	patch_apply server-Stored_ACLs/0009-server-Map-MAXIMUM_ALLOWED-even-if-skipping-access-c.patch
 	(
 		echo '+    { "Erich E. Hoover", "server: Unify the storage of security attributes for files and directories.", 7 },';
 		echo '+    { "Erich E. Hoover", "server: Unify the retrieval of security attributes for files and directories.", 7 },';
@ -6004,6 +6006,8 @@ if test "$enable_server_Stored_ACLs" -eq 1; then
 		echo '+    { "Erich E. Hoover", "server: Store file security attributes with extended file attributes.", 8 },';
 		echo '+    { "Erich E. Hoover", "server: Convert return of file security masks with generic access mappings.", 7 },';
 		echo '+    { "Erich E. Hoover", "server: Retrieve file security attributes with extended file attributes.", 7 },';
+		echo '+    { "Sebastian Lackner", "server: Fix handling of MAXIMUM_ALLOWED in token_access_check.", 1 },';
+		echo '+    { "Sebastian Lackner", "server: Map MAXIMUM_ALLOWED even if skipping access check.", 1 },';
 	) >> "$patchlist"
 fi

--- a/patches/server-Stored_ACLs/0008-server-Fix-handling-of-MAXIMUM_ALLOWED-in-token_acce.patch
+++ b/patches/server-Stored_ACLs/0008-server-Fix-handling-of-MAXIMUM_ALLOWED-in-token_acce.patch
@ -0,0 +1,46 @@
+From f85560693bd9a615e9c1b1ff2eabda967389dd32 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 16 Oct 2016 01:50:17 +0200
+Subject: server: Fix handling of MAXIMUM_ALLOWED in token_access_check.
+
+---
+ dlls/advapi32/tests/security.c | 6 ++++++
+ server/token.c                 | 5 ++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
+index 403c04a..9fbe33e 100644
+--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
+@@ -1378,6 +1378,12 @@ static void test_AccessCheck(void)
+     ok(AccessStatus && (Access == KEY_READ),
+         "AccessCheck failed to grant access with error %d\n",
+         GetLastError());
+    ret = AccessCheck(SecurityDescriptor, Token, MAXIMUM_ALLOWED, &Mapping,
+                      PrivSet, &PrivSetLen, &Access, &AccessStatus);
+    ok(ret, "AccessCheck failed with error %d\n", GetLastError());
+    ok(AccessStatus && (Access == KEY_ALL_ACCESS),
+        "AccessCheck failed to grant access with error %d\n",
+        GetLastError());
+ 
+     /* sd with blank dacl */
+     ret = SetSecurityDescriptorDacl(SecurityDescriptor, TRUE, Acl, FALSE);
+diff --git a/server/token.c b/server/token.c
+index f77ca2c..b903420 100644
+--- a/server/token.c
+++ b/server/token.c
+@@ -854,7 +854,10 @@ static unsigned int token_access_check( struct token *token,
+     if (!dacl_present || !dacl)
+     {
+         if (priv_count) *priv_count = 0;
+-        *granted_access = desired_access;
+        if (desired_access & MAXIMUM_ALLOWED)
+            *granted_access = mapping->GenericAll;
+        else
+            *granted_access = desired_access;
+         return *status = STATUS_SUCCESS;
+     }
+ 
+-- 
+2.9.0
+
--- a/patches/server-Stored_ACLs/0009-server-Map-MAXIMUM_ALLOWED-even-if-skipping-access-c.patch
+++ b/patches/server-Stored_ACLs/0009-server-Map-MAXIMUM_ALLOWED-even-if-skipping-access-c.patch
@ -0,0 +1,24 @@
+From cfe794189edc600ca60308be5ba9e4a965c5112a Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 16 Oct 2016 02:01:16 +0200
+Subject: server: Map MAXIMUM_ALLOWED even if skipping access check.
+
+---
+ server/handle.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/server/handle.c b/server/handle.c
+index 6b68ff4..b4114ef 100644
+--- a/server/handle.c
+++ b/server/handle.c
+@@ -278,6 +278,7 @@ obj_handle_t alloc_handle_no_access_check( struct process *process, void *ptr, u
+ {
+     struct object *obj = ptr;
+     access = obj->ops->map_access( obj, access ) & ~RESERVED_ALL;
+    if ((access & MAXIMUM_ALLOWED) && !check_object_access( obj, &access )) return 0;
+     return alloc_handle_entry( process, ptr, access, attr );
+ }
+ 
+-- 
+2.9.0
+