diff --git a/patches/advapi32-BuildSecurityDescriptor/0001-advapi32-Implement-BuildSecurityDescriptorW.patch b/patches/advapi32-BuildSecurityDescriptor/0001-advapi32-Implement-BuildSecurityDescriptorW.patch
new file mode 100644
index 00000000..0074e46b
--- /dev/null
+++ b/patches/advapi32-BuildSecurityDescriptor/0001-advapi32-Implement-BuildSecurityDescriptorW.patch
@@ -0,0 +1,268 @@ +From 994fe46f1b68d851d285a29cce904bd9f22540ea Mon Sep 17 00:00:00 2001 +From: Andrew Wesie +Date: Tue, 2 May 2017 00:59:49 -0500 +Subject: advapi32: Implement BuildSecurityDescriptorW. + +--- + dlls/advapi32/security.c | 218 +++++++++++++++++++++++++++++++++++------------ + 1 file changed, 164 insertions(+), 54 deletions(-) + +diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c +index 24ec3099713..82bb6689d43 100644 +--- a/dlls/advapi32/security.c ++++ b/dlls/advapi32/security.c +@@ -58,6 +58,7 @@ static BOOL ParseStringSecurityDescriptorToSecurityDescriptor( + SECURITY_DESCRIPTOR_RELATIVE* SecurityDescriptor, + LPDWORD cBytes); + static DWORD ParseAclStringFlags(LPCWSTR* StringAcl); ++static DWORD trustee_to_sid(DWORD nDestinationSidLength, PSID pDestinationSid, PTRUSTEEW pTrustee); + + typedef struct _ACEFLAG + { +@@ -1264,16 +1265,122 @@ DWORD WINAPI BuildSecurityDescriptorW( + IN ULONG cCountOfAccessEntries, + IN PEXPLICIT_ACCESSW pListOfAccessEntries, + IN ULONG cCountOfAuditEntries, +- IN PEXPLICIT_ACCESSW pListofAuditEntries, ++ IN PEXPLICIT_ACCESSW pListOfAuditEntries, + IN PSECURITY_DESCRIPTOR pOldSD, + IN OUT PULONG lpdwBufferLength, + OUT PSECURITY_DESCRIPTOR* pNewSD) + { +- FIXME("(%p,%p,%d,%p,%d,%p,%p,%p,%p) stub!\n",pOwner,pGroup, +- cCountOfAccessEntries,pListOfAccessEntries,cCountOfAuditEntries, +- pListofAuditEntries,pOldSD,lpdwBufferLength,pNewSD); ++ SECURITY_DESCRIPTOR desc; ++ NTSTATUS status; ++ DWORD ret = ERROR_SUCCESS; ++ ++ TRACE("(%p,%p,%d,%p,%d,%p,%p,%p,%p)\n", pOwner, pGroup, ++ cCountOfAccessEntries, pListOfAccessEntries, cCountOfAuditEntries, ++ pListOfAuditEntries, pOldSD, lpdwBufferLength, pNewSD); + +- return ERROR_CALL_NOT_IMPLEMENTED; ++ if (pOldSD) ++ { ++ SECURITY_DESCRIPTOR_CONTROL control; ++ DWORD desc_size, dacl_size = 0, sacl_size = 0, owner_size = 0, group_size = 0; ++ PACL dacl = NULL, sacl = NULL; ++ PSID owner = NULL, group = NULL; ++ DWORD revision; ++ ++ if ((status = 
RtlGetControlSecurityDescriptor( pOldSD, &control, &revision )) != STATUS_SUCCESS) ++ return RtlNtStatusToDosError( status ); ++ if (!(control & SE_SELF_RELATIVE)) ++ return ERROR_INVALID_SECURITY_DESCR; ++ ++ desc_size = sizeof(desc); ++ status = RtlSelfRelativeToAbsoluteSD( pOldSD, &desc, &desc_size, dacl, &dacl_size, sacl, &sacl_size, ++ owner, &owner_size, group, &group_size ); ++ if (status == STATUS_BUFFER_TOO_SMALL) ++ { ++ if (dacl_size) ++ dacl = LocalAlloc( LMEM_FIXED, dacl_size ); ++ if (sacl_size) ++ sacl = LocalAlloc( LMEM_FIXED, sacl_size ); ++ if (owner_size) ++ owner = LocalAlloc( LMEM_FIXED, owner_size ); ++ if (group_size) ++ group = LocalAlloc( LMEM_FIXED, group_size ); ++ ++ desc_size = sizeof(desc); ++ status = RtlSelfRelativeToAbsoluteSD( pOldSD, &desc, &desc_size, dacl, &dacl_size, sacl, &sacl_size, ++ owner, &owner_size, group, &group_size ); ++ } ++ if (status != STATUS_SUCCESS) ++ { ++ LocalFree( dacl ); ++ LocalFree( sacl ); ++ LocalFree( owner ); ++ LocalFree( group ); ++ return RtlNtStatusToDosError( status ); ++ } ++ } ++ else ++ { ++ if ((status = RtlCreateSecurityDescriptor( &desc, SECURITY_DESCRIPTOR_REVISION )) != STATUS_SUCCESS) ++ return RtlNtStatusToDosError( status ); ++ } ++ ++ if (pOwner) ++ { ++ LocalFree( desc.Owner ); ++ desc.Owner = LocalAlloc( LMEM_FIXED, sizeof(MAX_SID) ); ++ if ((ret = trustee_to_sid( sizeof(MAX_SID), desc.Owner, pOwner ))) ++ goto done; ++ } ++ ++ if (pGroup) ++ { ++ LocalFree( desc.Group ); ++ desc.Group = LocalAlloc( LMEM_FIXED, sizeof(MAX_SID) ); ++ if ((ret = trustee_to_sid( sizeof(MAX_SID), desc.Group, pGroup ))) ++ goto done; ++ } ++ ++ if (pListOfAccessEntries) ++ { ++ PACL new_dacl; ++ ++ if ((ret = SetEntriesInAclW( cCountOfAccessEntries, pListOfAccessEntries, desc.Dacl, &new_dacl ))) ++ goto done; ++ ++ LocalFree( desc.Dacl ); ++ desc.Dacl = new_dacl; ++ desc.Control |= SE_DACL_PRESENT; ++ } ++ ++ if (pListOfAuditEntries) ++ { ++ PACL new_sacl; ++ ++ if ((ret = SetEntriesInAclW( 
cCountOfAuditEntries, pListOfAuditEntries, desc.Sacl, &new_sacl ))) ++ goto done; ++ ++ LocalFree( desc.Sacl ); ++ desc.Sacl = new_sacl; ++ desc.Control |= SE_SACL_PRESENT; ++ } ++ ++ *lpdwBufferLength = RtlLengthSecurityDescriptor( &desc ); ++ *pNewSD = LocalAlloc( LMEM_FIXED, *lpdwBufferLength ); ++ ++ if ((status = RtlMakeSelfRelativeSD( &desc, *pNewSD, lpdwBufferLength )) != STATUS_SUCCESS) ++ { ++ ret = RtlNtStatusToDosError( status ); ++ LocalFree( *pNewSD ); ++ *pNewSD = NULL; ++ } ++ ++done: ++ /* free absolute descriptor */ ++ LocalFree( desc.Owner ); ++ LocalFree( desc.Group ); ++ LocalFree( desc.Sacl ); ++ LocalFree( desc.Dacl ); ++ return ret; + } + + /****************************************************************************** +@@ -3766,6 +3873,56 @@ static void free_trustee_name(TRUSTEE_FORM form, WCHAR *trustee_nameW) + } + } + ++static DWORD trustee_to_sid( DWORD nDestinationSidLength, PSID pDestinationSid, PTRUSTEEW pTrustee ) ++{ ++ if (pTrustee->MultipleTrusteeOperation == TRUSTEE_IS_IMPERSONATE) ++ { ++ WARN("bad multiple trustee operation %d\n", pTrustee->MultipleTrusteeOperation); ++ return ERROR_INVALID_PARAMETER; ++ } ++ ++ switch (pTrustee->TrusteeForm) ++ { ++ case TRUSTEE_IS_SID: ++ if (!CopySid(nDestinationSidLength, pDestinationSid, pTrustee->ptstrName)) ++ { ++ WARN("bad sid %p\n", pTrustee->ptstrName); ++ return ERROR_INVALID_PARAMETER; ++ } ++ break; ++ case TRUSTEE_IS_NAME: ++ { ++ DWORD sid_size = nDestinationSidLength; ++ DWORD domain_size = MAX_COMPUTERNAME_LENGTH + 1; ++ SID_NAME_USE use; ++ if (!strcmpW( pTrustee->ptstrName, CURRENT_USER )) ++ { ++ if (!lookup_user_account_name( pDestinationSid, &sid_size, NULL, &domain_size, &use )) ++ { ++ return GetLastError(); ++ } ++ } ++ else if (!LookupAccountNameW(NULL, pTrustee->ptstrName, pDestinationSid, &sid_size, NULL, &domain_size, &use)) ++ { ++ WARN("bad user name %s\n", debugstr_w(pTrustee->ptstrName)); ++ return ERROR_INVALID_PARAMETER; ++ } ++ break; ++ } ++ case 
TRUSTEE_IS_OBJECTS_AND_SID: ++ FIXME("TRUSTEE_IS_OBJECTS_AND_SID unimplemented\n"); ++ break; ++ case TRUSTEE_IS_OBJECTS_AND_NAME: ++ FIXME("TRUSTEE_IS_OBJECTS_AND_NAME unimplemented\n"); ++ break; ++ default: ++ WARN("bad trustee form %d\n", pTrustee->TrusteeForm); ++ return ERROR_INVALID_PARAMETER; ++ } ++ ++ return ERROR_SUCCESS; ++} ++ + /****************************************************************************** + * SetEntriesInAclA [ADVAPI32.@] + */ +@@ -3861,56 +4018,9 @@ DWORD WINAPI SetEntriesInAclW( ULONG count, PEXPLICIT_ACCESSW pEntries, + pEntries[i].Trustee.TrusteeForm, pEntries[i].Trustee.TrusteeType, + pEntries[i].Trustee.ptstrName); + +- if (pEntries[i].Trustee.MultipleTrusteeOperation == TRUSTEE_IS_IMPERSONATE) +- { +- WARN("bad multiple trustee operation %d for trustee %d\n", pEntries[i].Trustee.MultipleTrusteeOperation, i); +- ret = ERROR_INVALID_PARAMETER; +- goto exit; +- } +- +- switch (pEntries[i].Trustee.TrusteeForm) +- { +- case TRUSTEE_IS_SID: +- if (!CopySid(FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES]), +- ppsid[i], pEntries[i].Trustee.ptstrName)) +- { +- WARN("bad sid %p for trustee %d\n", pEntries[i].Trustee.ptstrName, i); +- ret = ERROR_INVALID_PARAMETER; +- goto exit; +- } +- break; +- case TRUSTEE_IS_NAME: +- { +- DWORD sid_size = FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES]); +- DWORD domain_size = MAX_COMPUTERNAME_LENGTH + 1; +- SID_NAME_USE use; +- if (!strcmpW( pEntries[i].Trustee.ptstrName, CURRENT_USER )) +- { +- if (!lookup_user_account_name( ppsid[i], &sid_size, NULL, &domain_size, &use )) +- { +- ret = GetLastError(); +- goto exit; +- } +- } +- else if (!LookupAccountNameW(NULL, pEntries[i].Trustee.ptstrName, ppsid[i], &sid_size, NULL, &domain_size, &use)) +- { +- WARN("bad user name %s for trustee %d\n", debugstr_w(pEntries[i].Trustee.ptstrName), i); +- ret = ERROR_INVALID_PARAMETER; +- goto exit; +- } +- break; +- } +- case TRUSTEE_IS_OBJECTS_AND_SID: +- FIXME("TRUSTEE_IS_OBJECTS_AND_SID 
unimplemented\n"); +- break; +- case TRUSTEE_IS_OBJECTS_AND_NAME: +- FIXME("TRUSTEE_IS_OBJECTS_AND_NAME unimplemented\n"); +- break; +- default: +- WARN("bad trustee form %d for trustee %d\n", pEntries[i].Trustee.TrusteeForm, i); +- ret = ERROR_INVALID_PARAMETER; ++ ret = trustee_to_sid( FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES]), ppsid[i], &pEntries[i].Trustee); ++ if (ret) + goto exit; +- } + + /* Note: we overestimate the ACL size here as a tradeoff between + * instructions (simplicity) and memory */ +-- +2.12.2 + diff --git a/patches/advapi32-BuildSecurityDescriptor/0002-advapi32-tests-Add-basic-tests-for-BuildSecurityDesc.patch b/patches/advapi32-BuildSecurityDescriptor/0002-advapi32-tests-Add-basic-tests-for-BuildSecurityDesc.patch new file mode 100644 index 00000000..6c5a850d --- /dev/null +++ b/patches/advapi32-BuildSecurityDescriptor/0002-advapi32-tests-Add-basic-tests-for-BuildSecurityDesc.patch 
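Review bot: In trustee_to_sid the TRUSTEE_IS_OBJECTS_AND_SID and TRUSTEE_IS_OBJECTS_AND_NAME cases only log a FIXME and `break`, so the function returns ERROR_SUCCESS without ever writing pDestinationSid. BuildSecurityDescriptorW hands it a fresh `LocalAlloc( LMEM_FIXED, sizeof(MAX_SID) )` buffer for desc.Owner and desc.Group, so for those trustee forms RtlLengthSecurityDescriptor and RtlMakeSelfRelativeSD operate on an uninitialised SID; the resulting descriptor carries a garbage owner or group and, presumably, the copy can read past the buffer when the stale sub-authority count is large. I would fail these forms instead, e.g. `return ERROR_CALL_NOT_IMPLEMENTED;` in place of the two `break`s, keeping in mind that SetEntriesInAclW previously continued past them and would now stop as well. The allocations in BuildSecurityDescriptorW are also used unchecked; a guard such as `if (!desc.Owner) { ret = ERROR_NOT_ENOUGH_MEMORY; goto done; }` is needed for desc.Owner, desc.Group and `*pNewSD`, and the dacl/sacl/owner/group buffers in the pOldSD branch go into the second RtlSelfRelativeToAbsoluteSD call without a NULL check too.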
@@ -0,0 +1,69 @@ +From 63082c3863d8be466ed14f532653ddf35e40328a Mon Sep 17 00:00:00 2001 +From: Sebastian Lackner +Date: Fri, 5 May 2017 00:18:50 +0200 +Subject: advapi32/tests: Add basic tests for BuildSecurityDescriptor. + +--- + dlls/advapi32/tests/security.c | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c +index d6ea3a19fad..c591f7b6e5f 100644 +--- a/dlls/advapi32/tests/security.c ++++ b/dlls/advapi32/tests/security.c +@@ -7489,6 +7489,44 @@ static void test_child_token_sd(void) + HeapFree(GetProcessHeap(), 0, sd); + } + ++static void test_BuildSecurityDescriptorW(void) ++{ ++ SECURITY_DESCRIPTOR old_sd, *new_sd, *rel_sd; ++ ULONG new_sd_size; ++ DWORD buf_size; ++ char buf[1024]; ++ BOOL success; ++ DWORD ret; ++ ++ InitializeSecurityDescriptor(&old_sd, SECURITY_DESCRIPTOR_REVISION); ++ ++ buf_size = sizeof(buf); ++ rel_sd = (SECURITY_DESCRIPTOR *)buf; ++ success = MakeSelfRelativeSD(&old_sd, rel_sd, &buf_size); ++ ok(success, "MakeSelfRelativeSD failed with %u\n", GetLastError()); ++ ++ new_sd = NULL; ++ new_sd_size = 0; ++ ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, NULL, &new_sd_size, (void **)&new_sd); ++ ok(ret == ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret); ++ ok(new_sd != NULL, "expected new_sd != NULL\n"); ++ ok(new_sd_size == sizeof(old_sd), "expected new_sd_size == sizeof(old_sd), got %u\n", new_sd_size); ++ LocalFree(new_sd); ++ ++ new_sd = (void *)0xdeadbeef; ++ ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, &old_sd, &new_sd_size, (void **)&new_sd); ++ ok(ret == ERROR_INVALID_SECURITY_DESCR, "expected ERROR_INVALID_SECURITY_DESCR, got %u\n", ret); ++ ok(new_sd == (void *)0xdeadbeef, "expected new_sd == 0xdeadbeef, got %p\n", new_sd); ++ ++ new_sd = NULL; ++ new_sd_size = 0; ++ ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, rel_sd, &new_sd_size, (void **)&new_sd); ++ ok(ret 
== ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret); ++ ok(new_sd != NULL, "expected new_sd != NULL\n"); ++ ok(new_sd_size == sizeof(old_sd), "expected new_sd_size == sizeof(old_sd), got %u\n", new_sd_size); ++ LocalFree(new_sd); ++} ++ + START_TEST(security) + { + init(); +@@ -7542,6 +7580,7 @@ START_TEST(security) + test_pseudo_tokens(); + test_maximum_allowed(); + test_GetExplicitEntriesFromAclW(); ++ test_BuildSecurityDescriptorW(); + + /* must be the last test, modifies process token */ + test_token_security_descriptor(); +-- +2.12.2 + diff --git a/patches/advapi32-BuildSecurityDescriptor/definition b/patches/advapi32-BuildSecurityDescriptor/definition new file mode 100644 index 00000000..bbfe49d3 --- /dev/null +++ b/patches/advapi32-BuildSecurityDescriptor/definition @@ -0,0 +1,2 @@ +Fixes: Initial implementation of advapi32.BuildSecurityDescriptorW +Depends: server-LABEL_SECURITY_INFORMATION diff --git a/patches/patchinstall.sh b/patches/patchinstall.sh index 44d1e9a7..bba7474e 100755 --- a/patches/patchinstall.sh +++ b/patches/patchinstall.sh @@ -87,6 +87,7 @@ patch_enable_all () enable_Pipelight="$1" enable_Staging="$1" enable_advapi_LsaLookupPrivilegeName="$1" + enable_advapi32_BuildSecurityDescriptor="$1" enable_advapi32_GetExplicitEntriesFromAclW="$1" enable_advapi32_LsaLookupSids="$1" enable_advapi32_SetSecurityInfo="$1" @@ -489,6 +490,9 @@ patch_enable () advapi-LsaLookupPrivilegeName) enable_advapi_LsaLookupPrivilegeName="$2" ;; + advapi32-BuildSecurityDescriptor) + enable_advapi32_BuildSecurityDescriptor="$2" + ;; advapi32-GetExplicitEntriesFromAclW) enable_advapi32_GetExplicitEntriesFromAclW="$2" ;; 
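Review bot: Every BuildSecurityDescriptorW call in test_BuildSecurityDescriptorW passes NULL for both trustees and both entry lists, so the owner/group conversion through trustee_to_sid and the SetEntriesInAclW paths added by the first patch are never executed. A case with a TRUSTEE_IS_SID owner plus one access entry, and one with an unsupported trustee form expecting an error, would cover the code that allocates and fills SIDs. Each success case could also assert the shape of the result, e.g. `ok(IsValidSecurityDescriptor(new_sd), "expected a valid security descriptor\n");`. The size assertions compare against `sizeof(old_sd)`, an absolute SECURITY_DESCRIPTOR whose size depends on pointer width, while the function returns a self-relative descriptor; that equality presumably holds only on 32-bit builds and is worth confirming on 64-bit.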
@@ -2220,21 +2224,6 @@ if test "$enable_server_Shared_Memory" -eq 1; then enable_server_Signal_Thread=1 fi -if test "$enable_server_LABEL_SECURITY_INFORMATION" -eq 1; then - if test "$enable_advapi32_GetExplicitEntriesFromAclW" -gt 1; then - abort "Patchset advapi32-GetExplicitEntriesFromAclW disabled, but server-LABEL_SECURITY_INFORMATION depends on that." - fi - if test "$enable_server_Misc_ACL" -gt 1; then - abort "Patchset server-Misc_ACL disabled, but server-LABEL_SECURITY_INFORMATION depends on that." - fi - if test "$enable_server_Stored_ACLs" -gt 1; then - abort "Patchset server-Stored_ACLs disabled, but server-LABEL_SECURITY_INFORMATION depends on that." - fi - enable_advapi32_GetExplicitEntriesFromAclW=1 - enable_server_Misc_ACL=1 - enable_server_Stored_ACLs=1 -fi - if test "$enable_server_Inherited_ACLs" -eq 1; then if test "$enable_server_Stored_ACLs" -gt 1; then abort "Patchset server-Stored_ACLs disabled, but server-Inherited_ACLs depends on that." @@ -2242,17 +2231,6 @@ if test "$enable_server_Inherited_ACLs" -eq 1; then enable_server_Stored_ACLs=1 fi -if test "$enable_server_Stored_ACLs" -eq 1; then - if test "$enable_ntdll_DOS_Attributes" -gt 1; then - abort "Patchset ntdll-DOS_Attributes disabled, but server-Stored_ACLs depends on that." - fi - if test "$enable_server_File_Permissions" -gt 1; then - abort "Patchset server-File_Permissions disabled, but server-Stored_ACLs depends on that." - fi - enable_ntdll_DOS_Attributes=1 - enable_server_File_Permissions=1 -fi - if test "$enable_oleaut32_OLEPictureImpl_SaveAsFile" -eq 1; then if test "$enable_oleaut32_Load_Save_EMF" -gt 1; then abort "Patchset oleaut32-Load_Save_EMF disabled, but oleaut32-OLEPictureImpl_SaveAsFile depends on that." 
@@ -2516,6 +2494,39 @@ if test "$enable_advapi32_LsaLookupSids" -eq 1; then enable_server_Misc_ACL=1 fi +if test "$enable_advapi32_BuildSecurityDescriptor" -eq 1; then + if test "$enable_server_LABEL_SECURITY_INFORMATION" -gt 1; then + abort "Patchset server-LABEL_SECURITY_INFORMATION disabled, but advapi32-BuildSecurityDescriptor depends on that." + fi + enable_server_LABEL_SECURITY_INFORMATION=1 +fi + +if test "$enable_server_LABEL_SECURITY_INFORMATION" -eq 1; then + if test "$enable_advapi32_GetExplicitEntriesFromAclW" -gt 1; then + abort "Patchset advapi32-GetExplicitEntriesFromAclW disabled, but server-LABEL_SECURITY_INFORMATION depends on that." + fi + if test "$enable_server_Misc_ACL" -gt 1; then + abort "Patchset server-Misc_ACL disabled, but server-LABEL_SECURITY_INFORMATION depends on that." + fi + if test "$enable_server_Stored_ACLs" -gt 1; then + abort "Patchset server-Stored_ACLs disabled, but server-LABEL_SECURITY_INFORMATION depends on that." + fi + enable_advapi32_GetExplicitEntriesFromAclW=1 + enable_server_Misc_ACL=1 + enable_server_Stored_ACLs=1 +fi + +if test "$enable_server_Stored_ACLs" -eq 1; then + if test "$enable_ntdll_DOS_Attributes" -gt 1; then + abort "Patchset ntdll-DOS_Attributes disabled, but server-Stored_ACLs depends on that." + fi + if test "$enable_server_File_Permissions" -gt 1; then + abort "Patchset server-File_Permissions disabled, but server-Stored_ACLs depends on that." + fi + enable_ntdll_DOS_Attributes=1 + enable_server_File_Permissions=1 +fi + # If autoupdate is enabled then create a tempfile to keep track of all patches if test "$enable_patchlist" -eq 1; then 
@@ -2660,6 +2671,166 @@ if test "$enable_advapi32_GetExplicitEntriesFromAclW" -eq 1; then ) >> "$patchlist" fi +# Patchset server-Misc_ACL +# | +# | This patchset fixes the following Wine bugs: +# | * [#15980] GetSecurityInfo returns NULL DACL for process object +# | +# | Modified files: +# | * dlls/advapi32/tests/security.c, server/process.c, server/security.h, server/token.c +# | +if test "$enable_server_Misc_ACL" -eq 1; then + patch_apply server-Misc_ACL/0001-server-Add-default-security-descriptor-ownership-for.patch + patch_apply server-Misc_ACL/0002-server-Add-default-security-descriptor-DACL-for-proc.patch + ( + printf '%s\n' '+ { "Erich E. Hoover", "server: Add default security descriptor ownership for processes.", 1 },'; + printf '%s\n' '+ { "Erich E. Hoover", "server: Add default security descriptor DACL for processes.", 1 },'; + ) >> "$patchlist" +fi + +# Patchset ntdll-DOS_Attributes +# | +# | This patchset fixes the following Wine bugs: +# | * [#9158] Support for DOS hidden/system file attributes +# | +# | Modified files: +# | * configure.ac, dlls/ntdll/directory.c, dlls/ntdll/file.c, dlls/ntdll/ntdll_misc.h, dlls/ntdll/tests/directory.c, +# | dlls/ntdll/tests/file.c, include/wine/port.h, libs/port/Makefile.in, libs/port/xattr.c +# | +if test "$enable_ntdll_DOS_Attributes" -eq 1; then + patch_apply ntdll-DOS_Attributes/0001-ntdll-Implement-retrieving-DOS-attributes-in-NtQuery.patch + patch_apply ntdll-DOS_Attributes/0002-ntdll-Implement-retrieving-DOS-attributes-in-NtQuery.patch + patch_apply ntdll-DOS_Attributes/0003-ntdll-Implement-storing-DOS-attributes-in-NtSetInfor.patch + patch_apply ntdll-DOS_Attributes/0004-ntdll-Implement-storing-DOS-attributes-in-NtCreateFi.patch + patch_apply ntdll-DOS_Attributes/0005-libport-Add-support-for-Mac-OS-X-style-extended-attr.patch + patch_apply ntdll-DOS_Attributes/0006-libport-Add-support-for-FreeBSD-style-extended-attri.patch + patch_apply 
ntdll-DOS_Attributes/0007-ntdll-Perform-the-Unix-style-hidden-file-check-withi.patch + patch_apply ntdll-DOS_Attributes/0008-ntdll-Always-store-SAMBA_XATTR_DOS_ATTRIB-when-path-.patch + ( + printf '%s\n' '+ { "Erich E. Hoover", "ntdll: Implement retrieving DOS attributes in NtQueryInformationFile.", 1 },'; + printf '%s\n' '+ { "Erich E. Hoover", "ntdll: Implement retrieving DOS attributes in NtQuery[Full]AttributesFile and NtQueryDirectoryFile.", 1 },'; + printf '%s\n' '+ { "Erich E. Hoover", "ntdll: Implement storing DOS attributes in NtSetInformationFile.", 1 },'; + printf '%s\n' '+ { "Erich E. Hoover", "ntdll: Implement storing DOS attributes in NtCreateFile.", 1 },'; + printf '%s\n' '+ { "Erich E. Hoover", "libport: Add support for Mac OS X style extended attributes.", 1 },'; + printf '%s\n' '+ { "Erich E. Hoover", "libport: Add support for FreeBSD style extended attributes.", 1 },'; + printf '%s\n' '+ { "Erich E. Hoover", "ntdll: Perform the Unix-style hidden file check within the unified file info grabbing routine.", 1 },'; + printf '%s\n' '+ { "Sebastian Lackner", "ntdll: Always store SAMBA_XATTR_DOS_ATTRIB when path could be interpreted as hidden.", 1 },'; + ) >> "$patchlist" +fi + +# Patchset server-File_Permissions +# | +# | This patchset fixes the following Wine bugs: +# | * [#38970] Improve mapping of DACL to file permissions +# | +# | Modified files: +# | * dlls/advapi32/tests/security.c, dlls/ntdll/tests/file.c, server/fd.c, server/file.c +# | +if test "$enable_server_File_Permissions" -eq 1; then + patch_apply server-File_Permissions/0001-server-Improve-STATUS_CANNOT_DELETE-checks-for-direc.patch + patch_apply server-File_Permissions/0002-server-Allow-to-open-files-without-any-permission-bi.patch + patch_apply server-File_Permissions/0003-server-When-creating-new-directories-temporarily-giv.patch + patch_apply server-File_Permissions/0004-advapi32-tests-Add-tests-for-ACL-inheritance-in-Crea.patch + patch_apply 
server-File_Permissions/0005-advapi32-tests-Add-ACL-inheritance-tests-for-creatin.patch + patch_apply server-File_Permissions/0006-ntdll-tests-Added-tests-for-open-behaviour-on-readon.patch + patch_apply server-File_Permissions/0007-server-FILE_WRITE_ATTRIBUTES-should-succeed-for-read.patch + patch_apply server-File_Permissions/0008-server-Improve-mapping-of-DACL-to-file-permissions.patch + ( + printf '%s\n' '+ { "Sebastian Lackner", "server: Improve STATUS_CANNOT_DELETE checks for directory case.", 1 },'; + printf '%s\n' '+ { "Sebastian Lackner", "server: Allow to open files without any permission bits.", 2 },'; + printf '%s\n' '+ { "Sebastian Lackner", "server: When creating new directories temporarily give read-permissions until they are opened.", 1 },'; + printf '%s\n' '+ { "Sebastian Lackner", "advapi32/tests: Add tests for ACL inheritance in CreateDirectoryA.", 1 },'; + printf '%s\n' '+ { "Sebastian Lackner", "advapi32/tests: Add ACL inheritance tests for creating subdirectories with NtCreateFile.", 1 },'; + printf '%s\n' '+ { "Qian Hong", "ntdll/tests: Added tests for open behaviour on readonly files.", 1 },'; + printf '%s\n' '+ { "Sebastian Lackner", "server: FILE_WRITE_ATTRIBUTES should succeed for readonly files.", 1 },'; + printf '%s\n' '+ { "Sebastian Lackner", "server: Improve mapping of DACL to file permissions.", 1 },'; + ) >> "$patchlist" +fi + +# Patchset server-Stored_ACLs +# | +# | This patchset has the following (direct or indirect) dependencies: +# | * ntdll-DOS_Attributes, server-File_Permissions +# | +# | This patchset fixes the following Wine bugs: +# | * [#33576] Support for stored file ACLs +# | +# | Modified files: +# | * dlls/advapi32/tests/security.c, include/wine/port.h, server/change.c, server/file.c, server/file.h, server/object.c, +# | server/object.h +# | +if test "$enable_server_Stored_ACLs" -eq 1; then + patch_apply server-Stored_ACLs/0001-server-Unify-the-storage-of-security-attributes-for-.patch + patch_apply 
server-Stored_ACLs/0002-server-Unify-the-retrieval-of-security-attributes-fo.patch + patch_apply server-Stored_ACLs/0003-server-Add-a-helper-function-set_sd_from_token_inter.patch + patch_apply server-Stored_ACLs/0004-server-Temporarily-store-the-full-security-descripto.patch + patch_apply server-Stored_ACLs/0005-server-Store-file-security-attributes-with-extended-.patch + patch_apply server-Stored_ACLs/0006-server-Convert-return-of-file-security-masks-with-ge.patch + patch_apply server-Stored_ACLs/0007-server-Retrieve-file-security-attributes-with-extend.patch + ( + printf '%s\n' '+ { "Erich E. Hoover", "server: Unify the storage of security attributes for files and directories.", 7 },'; + printf '%s\n' '+ { "Erich E. Hoover", "server: Unify the retrieval of security attributes for files and directories.", 7 },'; + printf '%s\n' '+ { "Sebastian Lackner", "server: Add a helper function set_sd_from_token_internal to merge two security descriptors.", 1 },'; + printf '%s\n' '+ { "Sebastian Lackner", "server: Temporarily store the full security descriptor for file objects.", 1 },'; + printf '%s\n' '+ { "Erich E. Hoover", "server: Store file security attributes with extended file attributes.", 8 },'; + printf '%s\n' '+ { "Erich E. Hoover", "server: Convert return of file security masks with generic access mappings.", 7 },'; + printf '%s\n' '+ { "Erich E. 
Hoover", "server: Retrieve file security attributes with extended file attributes.", 7 },'; + ) >> "$patchlist" +fi + +# Patchset server-LABEL_SECURITY_INFORMATION +# | +# | This patchset has the following (direct or indirect) dependencies: +# | * advapi32-GetExplicitEntriesFromAclW, server-Misc_ACL, ntdll-DOS_Attributes, server-File_Permissions, server-Stored_ACLs +# | +# | This patchset fixes the following Wine bugs: +# | * [#42014] Implement support for LABEL_SECURITY_INFORMATION +# | +# | Modified files: +# | * dlls/advapi32/tests/security.c, dlls/ntdll/nt.c, dlls/ntdll/sec.c, include/winnt.h, server/handle.c, server/object.c, +# | server/process.c, server/protocol.def, server/security.h, server/token.c +# | +if test "$enable_server_LABEL_SECURITY_INFORMATION" -eq 1; then + patch_apply server-LABEL_SECURITY_INFORMATION/0001-server-Implement-querying-the-security-label-of-a-se.patch + patch_apply server-LABEL_SECURITY_INFORMATION/0002-server-Implement-changing-the-label-of-a-security-de.patch + patch_apply server-LABEL_SECURITY_INFORMATION/0003-server-Do-not-set-SE_-D-S-ACL_PRESENT-if-no-D-S-ACL-.patch + patch_apply server-LABEL_SECURITY_INFORMATION/0004-server-Implement-setting-a-security-descriptor-when-.patch + patch_apply server-LABEL_SECURITY_INFORMATION/0005-advapi32-tests-Add-basic-tests-for-token-security-de.patch + patch_apply server-LABEL_SECURITY_INFORMATION/0006-advapi32-tests-Show-that-tokens-do-not-inherit-secur.patch + patch_apply server-LABEL_SECURITY_INFORMATION/0007-advapi32-tests-Show-that-tokens-do-not-inherit-dacls.patch + patch_apply server-LABEL_SECURITY_INFORMATION/0008-advapi32-tests-Show-that-tokens-do-not-inherit-sacls.patch + patch_apply server-LABEL_SECURITY_INFORMATION/0009-server-Assign-a-default-label-high-to-all-tokens.patch + ( + printf '%s\n' '+ { "Michael Müller", "server: Implement querying the security label of a security descriptor.", 1 },'; + printf '%s\n' '+ { "Michael Müller", "server: Implement changing the label of a 
security descriptor.", 1 },'; + printf '%s\n' '+ { "Michael Müller", "server: Do not set SE_{D,S}ACL_PRESENT if no {D,S}ACL was set.", 1 },'; + printf '%s\n' '+ { "Michael Müller", "server: Implement setting a security descriptor when duplicating tokens.", 1 },'; + printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Add basic tests for token security descriptors.", 1 },'; + printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Show that tokens do not inherit security descriptors during duplication.", 1 },'; + printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Show that tokens do not inherit dacls while creating child processes.", 1 },'; + printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Show that tokens do not inherit sacls / mandatory labels while creating child processes.", 1 },'; + printf '%s\n' '+ { "Michael Müller", "server: Assign a default label (high) to all tokens.", 1 },'; + ) >> "$patchlist" +fi + +# Patchset advapi32-BuildSecurityDescriptor +# | +# | This patchset has the following (direct or indirect) dependencies: +# | * advapi32-GetExplicitEntriesFromAclW, server-Misc_ACL, ntdll-DOS_Attributes, server-File_Permissions, server-Stored_ACLs, +# | server-LABEL_SECURITY_INFORMATION +# | +# | Modified files: +# | * dlls/advapi32/security.c, dlls/advapi32/tests/security.c +# | +if test "$enable_advapi32_BuildSecurityDescriptor" -eq 1; then + patch_apply advapi32-BuildSecurityDescriptor/0001-advapi32-Implement-BuildSecurityDescriptorW.patch + patch_apply advapi32-BuildSecurityDescriptor/0002-advapi32-tests-Add-basic-tests-for-BuildSecurityDesc.patch + ( + printf '%s\n' '+ { "Andrew Wesie", "advapi32: Implement BuildSecurityDescriptorW.", 1 },'; + printf '%s\n' '+ { "Sebastian Lackner", "advapi32/tests: Add basic tests for BuildSecurityDescriptor.", 1 },'; + ) >> "$patchlist" +fi + # Patchset server-CreateProcess_ACLs # | # | This patchset fixes the following Wine bugs: 
@@ -2679,23 +2850,6 @@ if test "$enable_server_CreateProcess_ACLs" -eq 1; then ) >> "$patchlist" fi -# Patchset server-Misc_ACL -# | -# | This patchset fixes the following Wine bugs: -# | * [#15980] GetSecurityInfo returns NULL DACL for process object -# | -# | Modified files: -# | * dlls/advapi32/tests/security.c, server/process.c, server/security.h, server/token.c -# | -if test "$enable_server_Misc_ACL" -eq 1; then - patch_apply server-Misc_ACL/0001-server-Add-default-security-descriptor-ownership-for.patch - patch_apply server-Misc_ACL/0002-server-Add-default-security-descriptor-DACL-for-proc.patch - ( - printf '%s\n' '+ { "Erich E. Hoover", "server: Add default security descriptor ownership for processes.", 1 },'; - printf '%s\n' '+ { "Erich E. Hoover", "server: Add default security descriptor DACL for processes.", 1 },'; - ) >> "$patchlist" -fi - # Patchset advapi32-LsaLookupSids # | # | This patchset has the following (direct or indirect) dependencies: 
@@ -4419,35 +4573,6 @@ if test "$enable_kernel32_COMSPEC" -eq 1; then ) >> "$patchlist" fi -# Patchset server-File_Permissions -# | -# | This patchset fixes the following Wine bugs: -# | * [#38970] Improve mapping of DACL to file permissions -# | -# | Modified files: -# | * dlls/advapi32/tests/security.c, dlls/ntdll/tests/file.c, server/fd.c, server/file.c -# | -if test "$enable_server_File_Permissions" -eq 1; then - patch_apply server-File_Permissions/0001-server-Improve-STATUS_CANNOT_DELETE-checks-for-direc.patch - patch_apply server-File_Permissions/0002-server-Allow-to-open-files-without-any-permission-bi.patch - patch_apply server-File_Permissions/0003-server-When-creating-new-directories-temporarily-giv.patch - patch_apply server-File_Permissions/0004-advapi32-tests-Add-tests-for-ACL-inheritance-in-Crea.patch - patch_apply server-File_Permissions/0005-advapi32-tests-Add-ACL-inheritance-tests-for-creatin.patch - patch_apply server-File_Permissions/0006-ntdll-tests-Added-tests-for-open-behaviour-on-readon.patch - patch_apply server-File_Permissions/0007-server-FILE_WRITE_ATTRIBUTES-should-succeed-for-read.patch - patch_apply server-File_Permissions/0008-server-Improve-mapping-of-DACL-to-file-permissions.patch - ( - printf '%s\n' '+ { "Sebastian Lackner", "server: Improve STATUS_CANNOT_DELETE checks for directory case.", 1 },'; - printf '%s\n' '+ { "Sebastian Lackner", "server: Allow to open files without any permission bits.", 2 },'; - printf '%s\n' '+ { "Sebastian Lackner", "server: When creating new directories temporarily give read-permissions until they are opened.", 1 },'; - printf '%s\n' '+ { "Sebastian Lackner", "advapi32/tests: Add tests for ACL inheritance in CreateDirectoryA.", 1 },'; - printf '%s\n' '+ { "Sebastian Lackner", "advapi32/tests: Add ACL inheritance tests for creating subdirectories with NtCreateFile.", 1 },'; - printf '%s\n' '+ { "Qian Hong", "ntdll/tests: Added tests for open behaviour on readonly files.", 1 },'; - printf '%s\n' '+ { 
"Sebastian Lackner", "server: FILE_WRITE_ATTRIBUTES should succeed for readonly files.", 1 },'; - printf '%s\n' '+ { "Sebastian Lackner", "server: Improve mapping of DACL to file permissions.", 1 },'; - ) >> "$patchlist" -fi - # Patchset ntdll-FileDispositionInformation # | # | This patchset has the following (direct or indirect) dependencies: 
@@ -5202,36 +5327,6 @@ if test "$enable_ntdll_CLI_Images" -eq 1; then
 ) >> "$patchlist"
 fi
 
-# Patchset ntdll-DOS_Attributes
-# |
-# | This patchset fixes the following Wine bugs:
-# | * [#9158] Support for DOS hidden/system file attributes
-# |
-# | Modified files:
-# | * configure.ac, dlls/ntdll/directory.c, dlls/ntdll/file.c, dlls/ntdll/ntdll_misc.h, dlls/ntdll/tests/directory.c,
-# | dlls/ntdll/tests/file.c, include/wine/port.h, libs/port/Makefile.in, libs/port/xattr.c
-# |
-if test "$enable_ntdll_DOS_Attributes" -eq 1; then
- patch_apply ntdll-DOS_Attributes/0001-ntdll-Implement-retrieving-DOS-attributes-in-NtQuery.patch
- patch_apply ntdll-DOS_Attributes/0002-ntdll-Implement-retrieving-DOS-attributes-in-NtQuery.patch
- patch_apply ntdll-DOS_Attributes/0003-ntdll-Implement-storing-DOS-attributes-in-NtSetInfor.patch
- patch_apply ntdll-DOS_Attributes/0004-ntdll-Implement-storing-DOS-attributes-in-NtCreateFi.patch
- patch_apply ntdll-DOS_Attributes/0005-libport-Add-support-for-Mac-OS-X-style-extended-attr.patch
- patch_apply ntdll-DOS_Attributes/0006-libport-Add-support-for-FreeBSD-style-extended-attri.patch
- patch_apply ntdll-DOS_Attributes/0007-ntdll-Perform-the-Unix-style-hidden-file-check-withi.patch
- patch_apply ntdll-DOS_Attributes/0008-ntdll-Always-store-SAMBA_XATTR_DOS_ATTRIB-when-path-.patch
- (
- printf '%s\n' '+ { "Erich E. Hoover", "ntdll: Implement retrieving DOS attributes in NtQueryInformationFile.", 1 },';
- printf '%s\n' '+ { "Erich E. Hoover", "ntdll: Implement retrieving DOS attributes in NtQuery[Full]AttributesFile and NtQueryDirectoryFile.", 1 },';
- printf '%s\n' '+ { "Erich E. Hoover", "ntdll: Implement storing DOS attributes in NtSetInformationFile.", 1 },';
- printf '%s\n' '+ { "Erich E. Hoover", "ntdll: Implement storing DOS attributes in NtCreateFile.", 1 },';
- printf '%s\n' '+ { "Erich E. Hoover", "libport: Add support for Mac OS X style extended attributes.", 1 },';
- printf '%s\n' '+ { "Erich E. Hoover", "libport: Add support for FreeBSD style extended attributes.", 1 },';
- printf '%s\n' '+ { "Erich E. Hoover", "ntdll: Perform the Unix-style hidden file check within the unified file info grabbing routine.", 1 },';
- printf '%s\n' '+ { "Sebastian Lackner", "ntdll: Always store SAMBA_XATTR_DOS_ATTRIB when path could be interpreted as hidden.", 1 },';
- ) >> "$patchlist"
-fi
-
 # Patchset ntdll-Dealloc_Thread_Stack
 # |
 # | Modified files:
@@ -6637,37 +6732,6 @@ if test "$enable_server_FileEndOfFileInformation" -eq 1; then
 ) >> "$patchlist"
 fi
 
-# Patchset server-Stored_ACLs
-# |
-# | This patchset has the following (direct or indirect) dependencies:
-# | * ntdll-DOS_Attributes, server-File_Permissions
-# |
-# | This patchset fixes the following Wine bugs:
-# | * [#33576] Support for stored file ACLs
-# |
-# | Modified files:
-# | * dlls/advapi32/tests/security.c, include/wine/port.h, server/change.c, server/file.c, server/file.h, server/object.c,
-# | server/object.h
-# |
-if test "$enable_server_Stored_ACLs" -eq 1; then
- patch_apply server-Stored_ACLs/0001-server-Unify-the-storage-of-security-attributes-for-.patch
- patch_apply server-Stored_ACLs/0002-server-Unify-the-retrieval-of-security-attributes-fo.patch
- patch_apply server-Stored_ACLs/0003-server-Add-a-helper-function-set_sd_from_token_inter.patch
- patch_apply server-Stored_ACLs/0004-server-Temporarily-store-the-full-security-descripto.patch
- patch_apply server-Stored_ACLs/0005-server-Store-file-security-attributes-with-extended-.patch
- patch_apply server-Stored_ACLs/0006-server-Convert-return-of-file-security-masks-with-ge.patch
- patch_apply server-Stored_ACLs/0007-server-Retrieve-file-security-attributes-with-extend.patch
- (
- printf '%s\n' '+ { "Erich E. Hoover", "server: Unify the storage of security attributes for files and directories.", 7 },';
- printf '%s\n' '+ { "Erich E. Hoover", "server: Unify the retrieval of security attributes for files and directories.", 7 },';
- printf '%s\n' '+ { "Sebastian Lackner", "server: Add a helper function set_sd_from_token_internal to merge two security descriptors.", 1 },';
- printf '%s\n' '+ { "Sebastian Lackner", "server: Temporarily store the full security descriptor for file objects.", 1 },';
- printf '%s\n' '+ { "Erich E. Hoover", "server: Store file security attributes with extended file attributes.", 8 },';
- printf '%s\n' '+ { "Erich E. Hoover", "server: Convert return of file security masks with generic access mappings.", 7 },';
- printf '%s\n' '+ { "Erich E. Hoover", "server: Retrieve file security attributes with extended file attributes.", 7 },';
- ) >> "$patchlist"
-fi
-
 # Patchset server-Inherited_ACLs
 # |
 # | This patchset has the following (direct or indirect) dependencies:
@@ -6701,41 +6765,6 @@ if test "$enable_server_Key_State" -eq 1; then
 ) >> "$patchlist"
 fi
 
-# Patchset server-LABEL_SECURITY_INFORMATION
-# |
-# | This patchset has the following (direct or indirect) dependencies:
-# | * advapi32-GetExplicitEntriesFromAclW, server-Misc_ACL, ntdll-DOS_Attributes, server-File_Permissions, server-Stored_ACLs
-# |
-# | This patchset fixes the following Wine bugs:
-# | * [#42014] Implement support for LABEL_SECURITY_INFORMATION
-# |
-# | Modified files:
-# | * dlls/advapi32/tests/security.c, dlls/ntdll/nt.c, dlls/ntdll/sec.c, include/winnt.h, server/handle.c, server/object.c,
-# | server/process.c, server/protocol.def, server/security.h, server/token.c
-# |
-if test "$enable_server_LABEL_SECURITY_INFORMATION" -eq 1; then
- patch_apply server-LABEL_SECURITY_INFORMATION/0001-server-Implement-querying-the-security-label-of-a-se.patch
- patch_apply server-LABEL_SECURITY_INFORMATION/0002-server-Implement-changing-the-label-of-a-security-de.patch
- patch_apply server-LABEL_SECURITY_INFORMATION/0003-server-Do-not-set-SE_-D-S-ACL_PRESENT-if-no-D-S-ACL-.patch
- patch_apply server-LABEL_SECURITY_INFORMATION/0004-server-Implement-setting-a-security-descriptor-when-.patch
- patch_apply server-LABEL_SECURITY_INFORMATION/0005-advapi32-tests-Add-basic-tests-for-token-security-de.patch
- patch_apply server-LABEL_SECURITY_INFORMATION/0006-advapi32-tests-Show-that-tokens-do-not-inherit-secur.patch
- patch_apply server-LABEL_SECURITY_INFORMATION/0007-advapi32-tests-Show-that-tokens-do-not-inherit-dacls.patch
- patch_apply server-LABEL_SECURITY_INFORMATION/0008-advapi32-tests-Show-that-tokens-do-not-inherit-sacls.patch
- patch_apply server-LABEL_SECURITY_INFORMATION/0009-server-Assign-a-default-label-high-to-all-tokens.patch
- (
- printf '%s\n' '+ { "Michael Müller", "server: Implement querying the security label of a security descriptor.", 1 },';
- printf '%s\n' '+ { "Michael Müller", "server: Implement changing the label of a security descriptor.", 1 },';
- printf '%s\n' '+ { "Michael Müller", "server: Do not set SE_{D,S}ACL_PRESENT if no {D,S}ACL was set.", 1 },';
- printf '%s\n' '+ { "Michael Müller", "server: Implement setting a security descriptor when duplicating tokens.", 1 },';
- printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Add basic tests for token security descriptors.", 1 },';
- printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Show that tokens do not inherit security descriptors during duplication.", 1 },';
- printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Show that tokens do not inherit dacls while creating child processes.", 1 },';
- printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Show that tokens do not inherit sacls / mandatory labels while creating child processes.", 1 },';
- printf '%s\n' '+ { "Michael Müller", "server: Assign a default label (high) to all tokens.", 1 },';
- ) >> "$patchlist"
-fi
-
 # Patchset server-Map_EXDEV_Error
 # |
 # | Modified files: