server-Stored_ACLs: Update patch and fix handling of MAXIMUM_ALLOWED.

2024-11-21 16:46:54 -08:00 · 2017-01-12 02:31:31 +01:00 · 2017-01-12 02:31:31 +01:00 · 8c909daf10
commit 8c909daf10
parent 51fd657cdb
3 changed files with 75 additions and 26 deletions
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@ -6299,7 +6299,7 @@ if test "$enable_server_Stored_ACLs" -eq 1; then
 	patch_apply server-Stored_ACLs/0006-server-Convert-return-of-file-security-masks-with-ge.patch
 	patch_apply server-Stored_ACLs/0007-server-Retrieve-file-security-attributes-with-extend.patch
 	patch_apply server-Stored_ACLs/0008-server-Fix-handling-of-MAXIMUM_ALLOWED-in-token_acce.patch
-	patch_apply server-Stored_ACLs/0009-server-Map-MAXIMUM_ALLOWED-even-if-skipping-access-c.patch
+	patch_apply server-Stored_ACLs/0009-server-Give-all-access-rights-when-opening-an-object.patch
 	(
 		echo '+    { "Erich E. Hoover", "server: Unify the storage of security attributes for files and directories.", 7 },';
 		echo '+    { "Erich E. Hoover", "server: Unify the retrieval of security attributes for files and directories.", 7 },';
@ -6309,7 +6309,7 @@ if test "$enable_server_Stored_ACLs" -eq 1; then
 		echo '+    { "Erich E. Hoover", "server: Convert return of file security masks with generic access mappings.", 7 },';
 		echo '+    { "Erich E. Hoover", "server: Retrieve file security attributes with extended file attributes.", 7 },';
 		echo '+    { "Sebastian Lackner", "server: Fix handling of MAXIMUM_ALLOWED in token_access_check.", 1 },';
-		echo '+    { "Sebastian Lackner", "server: Map MAXIMUM_ALLOWED even if skipping access check.", 1 },';
+		echo '+    { "Michael Müller", "server: Give all access rights when opening an object with MAXIMUM_ALLOWED.", 1 },';
 	) >> "$patchlist"
 fi

--- a/patches/server-Stored_ACLs/0009-server-Give-all-access-rights-when-opening-an-object.patch
+++ b/patches/server-Stored_ACLs/0009-server-Give-all-access-rights-when-opening-an-object.patch
@ -0,0 +1,73 @@
+From 32c244368e3a3d5dd4fe642af6f5c6409bea7065 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Sun, 16 Oct 2016 02:01:16 +0200
+Subject: server: Give all access rights when opening an object with
+ MAXIMUM_ALLOWED.
+
+---
+ dlls/advapi32/tests/security.c | 29 +++++++++++++++++++++++++++++
+ server/handle.c                |  1 +
+ 2 files changed, 30 insertions(+)
+
+diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
+index 3c6c0ab02be..f8aa49e04ed 100644
+--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
+@@ -6016,6 +6016,34 @@ static void test_process_access(void)
+     CloseHandle(process);
+ }
+ 
+static void test_maximum_allowed(void)
+{
+    char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH], buffer_acl[256];
+    SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
+    SECURITY_ATTRIBUTES sa;
+    ACL *acl = (ACL *)&buffer_acl;
+    ACCESS_MASK mask;
+    HANDLE handle;
+    BOOL ret;
+
+    ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
+    ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
+    ret = InitializeAcl(acl, 256, ACL_REVISION);
+    ok(ret, "InitializeAcl failed with %u\n", GetLastError());
+    ret = SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);
+    ok(ret, "SetSecurityDescriptorDacl failed with %u\n", GetLastError());
+
+    sa.nLength              = sizeof(SECURITY_ATTRIBUTES);
+    sa.lpSecurityDescriptor = sd;
+    sa.bInheritHandle       = FALSE;
+
+    handle = CreateEventExA(&sa, NULL, 0, MAXIMUM_ALLOWED | 0x4);
+    ok(handle != NULL, "CreateEventExA failed with error %u\n", GetLastError());
+    mask = get_obj_access(handle);
+    ok(mask == EVENT_ALL_ACCESS, "Expected %x, got %x\n", EVENT_ALL_ACCESS, mask);
+    CloseHandle(handle);
+}
+
+ static BOOL validate_impersonation_token(HANDLE token, DWORD *token_type)
+ {
+     DWORD ret, needed;
+@@ -6094,6 +6122,7 @@ static void test_kernel_objects_security(void)
+     test_filemap_security();
+     test_thread_security();
+     test_process_access();
+    test_maximum_allowed();
+     /* FIXME: test other kernel object types */
+ 
+     CloseHandle(process_token);
+diff --git a/server/handle.c b/server/handle.c
+index 37fba69eac3..4d8d03a494c 100644
+--- a/server/handle.c
+++ b/server/handle.c
+@@ -273,6 +273,7 @@ obj_handle_t alloc_handle_no_access_check( struct process *process, void *ptr, u
+ {
+     struct object *obj = ptr;
+     access = obj->ops->map_access( obj, access ) & ~RESERVED_ALL;
+    if (access & MAXIMUM_ALLOWED) access = obj->ops->map_access( obj, GENERIC_ALL );
+     return alloc_handle_entry( process, ptr, access, attr );
+ }
+ 
+-- 
+2.11.0
+
--- a/patches/server-Stored_ACLs/0009-server-Map-MAXIMUM_ALLOWED-even-if-skipping-access-c.patch
+++ b/patches/server-Stored_ACLs/0009-server-Map-MAXIMUM_ALLOWED-even-if-skipping-access-c.patch
@ -1,24 +0,0 @@
-From cfe794189edc600ca60308be5ba9e4a965c5112a Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Sun, 16 Oct 2016 02:01:16 +0200
-Subject: server: Map MAXIMUM_ALLOWED even if skipping access check.
-
---
- server/handle.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/server/handle.c b/server/handle.c
-index 6b68ff4..b4114ef 100644
--- a/server/handle.c
-+++ b/server/handle.c
-@@ -278,6 +278,7 @@ obj_handle_t alloc_handle_no_access_check( struct process *process, void *ptr, u
- {
-     struct object *obj = ptr;
-     access = obj->ops->map_access( obj, access ) & ~RESERVED_ALL;
-+    if ((access & MAXIMUM_ALLOWED) && !check_object_access( obj, &access )) return 0;
-     return alloc_handle_entry( process, ptr, access, attr );
- }
- 
-- 
-2.9.0
-