server-CreateProcess_ACLs: Remove whitespace issues, remove duplicate subject line.

Sebastian Lackner 2014-08-23 03:29:30 +02:00
parent 0bc7ba983c
commit bba9e118d9
4 changed files with 43 additions and 53 deletions


@ -1,14 +1,10 @@
From 30c44423ffde37855f0fd468096aa5fc6aa14912 Mon Sep 17 00:00:00 2001
From 99fa68f60166b3064371eb8ef68fcb3d733a28dc Mon Sep 17 00:00:00 2001
From: Joris van der Wel <joris@jorisvanderwel.com>
Date: Sun, 3 Aug 2014 12:52:06 +0200
Subject: server: A new function "set_sd_defaults_from_token" that sets the
security descriptor along with a token that will be used to gather
defaults, instead of always using the primary token. (try 4)
server: A new function "set_sd_defaults_from_token" that sets the
security descriptor along with a token that will be used to gather defaults,
instead of always using the primary token.
Some objects take their defaults not from a primary token but from a
different one (such as from the impersonation token or the process
token).
@ -23,7 +19,7 @@ defaults _only_ upon creation.
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/server/object.c b/server/object.c
index 133c6b5..ec196c1 100644
index 11ef0ce..6389409 100644
--- a/server/object.c
+++ b/server/object.c
@@ -423,8 +423,8 @@ struct security_descriptor *default_get_sd( struct object *obj )
@ -88,14 +84,14 @@ index 133c6b5..ec196c1 100644
unsigned int attr )
{
diff --git a/server/object.h b/server/object.h
index bb3ff21..7201ff9 100644
index bb3ff21..dd93b76e 100644
--- a/server/object.h
+++ b/server/object.h
@@ -139,6 +139,8 @@ extern struct fd *no_get_fd( struct object *obj );
extern unsigned int no_map_access( struct object *obj, unsigned int access );
extern struct security_descriptor *default_get_sd( struct object *obj );
extern int default_set_sd( struct object *obj, const struct security_descriptor *sd, unsigned int set_info );
+extern int set_sd_defaults_from_token( struct object *obj, const struct security_descriptor *sd,
+extern int set_sd_defaults_from_token( struct object *obj, const struct security_descriptor *sd,
+ unsigned int set_info, struct token *token );
extern struct object *no_lookup_name( struct object *obj, struct unicode_str *name, unsigned int attributes );
extern struct object *no_open_file( struct object *obj, unsigned int access, unsigned int sharing,


@ -1,19 +1,17 @@
From 7c1b44caf023c4120b48a2792a442ca5ac1e3166 Mon Sep 17 00:00:00 2001
From 38c3a1a50ca4bdef0b5ec0cf120fd5da889954dd Mon Sep 17 00:00:00 2001
From: Joris van der Wel <joris@jorisvanderwel.com>
Date: Sun, 3 Aug 2014 12:52:14 +0200
Subject: server: Support sending process and thread security descriptors for
the "new_process" request in the protocol
server: Support sending process and thread security descriptors for
the "new_process" request in the protocol.
---
dlls/kernel32/process.c | 2 ++
server/process.c | 44 ++++++++++++++++++++++++++++++--------------
server/process.c | 42 +++++++++++++++++++++++++++++-------------
server/protocol.def | 4 ++++
3 files changed, 36 insertions(+), 14 deletions(-)
3 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/dlls/kernel32/process.c b/dlls/kernel32/process.c
index 2566ac4..efd0e84 100644
index 301c64a..66e4a31 100644
--- a/dlls/kernel32/process.c
+++ b/dlls/kernel32/process.c
@@ -2034,6 +2034,8 @@ static BOOL create_process( HANDLE hFile, LPCWSTR filename, LPWSTR cmd_line, LPW
@ -26,7 +24,7 @@ index 2566ac4..efd0e84 100644
wine_server_add_data( req, startup_info, startup_info_size );
diff --git a/server/process.c b/server/process.c
index 7b9a3b2..110a38f 100644
index 7b9a3b2..d7220e1 100644
--- a/server/process.c
+++ b/server/process.c
@@ -880,6 +880,24 @@ DECL_HANDLER(new_process)
@ -75,7 +73,7 @@ index 7b9a3b2..110a38f 100644
- info->data_size = info->info_size + env_size;
+ info->info_size = sizeof(*info->data);
+ info->data_size = sizeof(*info->data) + req_env_size;
+
+
+ req_info_size = min( req->info_size, FIELD_OFFSET( startup_info_t, curdir_len ));
+ if (!(info->data = mem_alloc( info->data_size ))) goto done;
+ memset( info->data, 0, info->data_size );
@ -85,17 +83,16 @@ index 7b9a3b2..110a38f 100644
else
{
data_size_t pos = sizeof(*info->data);
-
- if (!(info->data = memdup( get_req_data(), info->data_size ))) goto done;
+ info->info_size = req->info_size;
+ info->data_size = req->info_size + req_env_size;
+
- if (!(info->data = memdup( get_req_data(), info->data_size ))) goto done;
+ if (!(info->data = memdup( req_info, info->data_size ))) goto done;
#define FIXUP_LEN(len) do { (len) = min( (len), info->info_size - pos ); pos += (len); } while(0)
FIXUP_LEN( info->data->curdir_len );
FIXUP_LEN( info->data->dllpath_len );
diff --git a/server/protocol.def b/server/protocol.def
index a8c1fb9..d2cfd71 100644
index c9270ea..dca98a4 100644
--- a/server/protocol.def
+++ b/server/protocol.def
@@ -670,7 +670,11 @@ struct rawinput_device


@ -1,11 +1,9 @@
From 43eb6734382c298997573522244de3daf3a52a78 Mon Sep 17 00:00:00 2001
From 31d68ddd963e008e73e31c661556cd76b78da17e Mon Sep 17 00:00:00 2001
From: Joris van der Wel <joris@jorisvanderwel.com>
Date: Sun, 3 Aug 2014 12:52:32 +0200
Subject: server: implement passing a process security descriptor to
CreateProcess
server: implement passing a process security descriptor to CreateProcess.
For now the function "NTDLL_create_struct_sd" has been duplicated in
kernel32. This is needed because kernel32 makes the server call.
Kernel32 currently makes the server call because NtCreateProcess(Ex)
@ -43,7 +41,7 @@ index b44496a..b1b35aa 100644
/* Documented privilege elevation */
diff --git a/dlls/kernel32/process.c b/dlls/kernel32/process.c
index efd0e84..44e7711 100644
index 66e4a31..65e6978 100644
--- a/dlls/kernel32/process.c
+++ b/dlls/kernel32/process.c
@@ -1916,6 +1916,70 @@ static pid_t exec_loader( LPCWSTR cmd_line, unsigned int flags, int socketfd,
@ -117,7 +115,7 @@ index efd0e84..44e7711 100644
/***********************************************************************
* create_process
*
@@ -1939,17 +2003,31 @@ static BOOL create_process( HANDLE hFile, LPCWSTR filename, LPWSTR cmd_line, LPW
@@ -1939,6 +2003,8 @@ static BOOL create_process( HANDLE hFile, LPCWSTR filename, LPWSTR cmd_line, LPW
int socketfd[2], stdin_fd = -1, stdout_fd = -1;
pid_t pid;
int err, cpu;
@ -126,10 +124,10 @@ index efd0e84..44e7711 100644
if ((cpu = get_process_cpu( filename, binary_info )) == -1)
{
SetLastError( ERROR_BAD_EXE_FORMAT );
@@ -1946,10 +2012,22 @@ static BOOL create_process( HANDLE hFile, LPCWSTR filename, LPWSTR cmd_line, LPW
return FALSE;
}
+
+ if (psa && (psa->nLength >= sizeof(*psa)) && psa->lpSecurityDescriptor)
+ {
+ status = create_struct_sd( psa->lpSecurityDescriptor, &psd, &psd_len );
@ -140,7 +138,7 @@ index efd0e84..44e7711 100644
+ return FALSE;
+ }
+ }
+
/* create the socket for the new process */
if (socketpair( PF_UNIX, SOCK_STREAM, 0, socketfd ) == -1)
@ -188,7 +186,7 @@ index efd0e84..44e7711 100644
if (status)
{
diff --git a/server/process.c b/server/process.c
index 110a38f..571f05a 100644
index d7220e1..2119a08 100644
--- a/server/process.c
+++ b/server/process.c
@@ -880,6 +880,7 @@ DECL_HANDLER(new_process)
@ -199,37 +197,37 @@ index 110a38f..571f05a 100644
const startup_info_t *req_info;
data_size_t req_info_size;
const WCHAR *req_env;
@@ -892,6 +893,16 @@ DECL_HANDLER(new_process)
close( socket_fd );
@@ -893,6 +894,16 @@ DECL_HANDLER(new_process)
return;
}
+
+ if (req->process_sd_size)
+ {
+ req_psd = get_req_data();
+ req_psd = get_req_data();
+ if (!sd_is_valid( req_psd, req->process_sd_size ))
+ {
+ set_error( STATUS_INVALID_SECURITY_DESCR );
+ return;
+ }
+ }
+
req_info = (const startup_info_t *)
((char*)get_req_data() + req->process_sd_size + req->thread_sd_size);
req_env = (const WCHAR *)
@@ -1020,6 +1031,19 @@ DECL_HANDLER(new_process)
reply->phandle = alloc_handle( parent, process, req->process_access, req->process_attr );
reply->thandle = alloc_handle( parent, thread, req->thread_access, req->thread_attr );
+ /* note: alloc_handle might fail with access denied
+ /* note: alloc_handle might fail with access denied
+ * if the security descriptor is set before that call */
+
+
+ if (req_psd)
+ {
+ default_set_sd( &process->obj,
+ req_psd,
+ OWNER_SECURITY_INFORMATION|
+ GROUP_SECURITY_INFORMATION|
+ DACL_SECURITY_INFORMATION|
+ OWNER_SECURITY_INFORMATION |
+ GROUP_SECURITY_INFORMATION |
+ DACL_SECURITY_INFORMATION |
+ SACL_SECURITY_INFORMATION );
+ }
+


@ -1,10 +1,9 @@
From 649ce4e95f5ea671857d5c62eb220c95a6af35d7 Mon Sep 17 00:00:00 2001
From c4b089e56ea5ace923a69428c1a96c838e94a2aa Mon Sep 17 00:00:00 2001
From: Joris van der Wel <joris@jorisvanderwel.com>
Date: Sun, 3 Aug 2014 12:52:44 +0200
Subject: server: implement passing a thread security descriptor to
CreateProcess
server: implement passing a thread security descriptor to CreateProcess
---
dlls/advapi32/tests/security.c | 44 ++++++++++++++++++++++++++++++++++++----
dlls/kernel32/process.c | 24 +++++++++++++++++++---
@ -12,7 +11,7 @@ server: implement passing a thread security descriptor to CreateProcess
3 files changed, 84 insertions(+), 9 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index b1b35aa..244844f 100644
index b1b35aa..eb9b8cb 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -2532,12 +2532,12 @@ static void test_process_security(void)
@ -38,7 +37,7 @@ index b1b35aa..244844f 100644
+ ThreadSecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
+ res = InitializeSecurityDescriptor(ThreadSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
+ ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
+
+
+ ThreadAcl = HeapAlloc(GetProcessHeap(), 0, 256);
+ res = InitializeAcl(ThreadAcl, 256, ACL_REVISION);
+ ok(res, "InitializeAcl failed with error %d\n", GetLastError());
@ -46,14 +45,14 @@ index b1b35aa..244844f 100644
+ ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError());
+ res = AddAccessAllowedAce(ThreadAcl, ACL_REVISION, THREAD_ALL_ACCESS, AdminSid);
+ ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError());
+
+
+ res = SetSecurityDescriptorOwner(ThreadSecurityDescriptor, AdminSid, FALSE);
+ ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError());
+ res = SetSecurityDescriptorGroup(ThreadSecurityDescriptor, UsersSid, FALSE);
+ ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError());
+ res = SetSecurityDescriptorDacl(ThreadSecurityDescriptor, TRUE, ThreadAcl, FALSE);
+ ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
+
+
+ tsa.nLength = sizeof(tsa);
+ tsa.lpSecurityDescriptor = ThreadSecurityDescriptor;
+ tsa.bInheritHandle = TRUE;
@ -95,7 +94,7 @@ index b1b35aa..244844f 100644
static void test_impersonation_level(void)
diff --git a/dlls/kernel32/process.c b/dlls/kernel32/process.c
index 44e7711..dd21100 100644
index 65e6978..f2d11ba 100644
--- a/dlls/kernel32/process.c
+++ b/dlls/kernel32/process.c
@@ -2003,8 +2003,8 @@ static BOOL create_process( HANDLE hFile, LPCWSTR filename, LPWSTR cmd_line, LPW
@ -116,7 +115,7 @@ index 44e7711..dd21100 100644
+ if (tsa && (tsa->nLength >= sizeof(*tsa)) && tsa->lpSecurityDescriptor)
+ {
+ status = create_struct_sd( tsa->lpSecurityDescriptor, &tsd, &tsd_len );
+
+
+ if (status != STATUS_SUCCESS)
+ {
+ RtlFreeHeap(GetProcessHeap(), 0, psd);
@ -174,7 +173,7 @@ index 44e7711..dd21100 100644
RtlReleasePebLock();
if (status)
diff --git a/server/process.c b/server/process.c
index 571f05a..52c04f7 100644
index 2119a08..c0b82d1 100644
--- a/server/process.c
+++ b/server/process.c
@@ -880,7 +880,7 @@ DECL_HANDLER(new_process)
@ -205,7 +204,7 @@ index 571f05a..52c04f7 100644
((char*)get_req_data() + req->process_sd_size + req->thread_sd_size);
req_env = (const WCHAR *)
@@ -1043,7 +1053,18 @@ DECL_HANDLER(new_process)
DACL_SECURITY_INFORMATION|
DACL_SECURITY_INFORMATION |
SACL_SECURITY_INFORMATION );
}
-
@ -214,10 +213,10 @@ index 571f05a..52c04f7 100644
+ /* In CreateProcess the thread defaults come from the process token,
+ * (this is not the case during CreateThread however) */
+ set_sd_defaults_from_token( &thread->obj,
+ req_tsd,
+ OWNER_SECURITY_INFORMATION|
+ GROUP_SECURITY_INFORMATION|
+ DACL_SECURITY_INFORMATION|
+ req_tsd,
+ OWNER_SECURITY_INFORMATION |
+ GROUP_SECURITY_INFORMATION |
+ DACL_SECURITY_INFORMATION |
+ SACL_SECURITY_INFORMATION,
+ process->token );
+ }