wine/wine-staging
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-staging.git synced 2024-11-21 16:46:54 -08:00
Code Issues Packages Projects Releases Wiki Activity

Rebase against c7f0777fc55229d910461a7a38e21f1e17c8913a.

Browse Source
This commit is contained in:
Sebastian Lackner 2017-06-16 05:16:10 +02:00
parent 8ebf6f58e5
commit e24fc5fec1
13 changed files with 179 additions and 1068 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
patches/advapi32-GetExplicitEntriesFromAclW/0001-advapi32-Implement-GetExplicitEntriesFromAclW.patch
View File

@ -1,4 +1,4 @@
From b4469d7a12637ef2b57df3f6aebbe65c9b52ef57 Mon Sep 17 00:00:00 2001
From cd5f99efd824965d92bd8491afd0c6e6d7bdc118 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
Date: Sun, 28 Aug 2016 21:56:41 +0200
Subject: advapi32: Implement GetExplicitEntriesFromAclW.
@ -9,10 +9,10 @@ Subject: advapi32: Implement GetExplicitEntriesFromAclW.
2 files changed, 221 insertions(+), 2 deletions(-)
diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
index 7e41c0a7361..ccd0bf64cab 100644
index e36792cff4..b305947347 100644
--- a/dlls/advapi32/security.c
+++ b/dlls/advapi32/security.c
@@ -4202,8 +4202,85 @@ DWORD WINAPI GetExplicitEntriesFromAclA( PACL pacl, PULONG pcCountOfExplicitEntr
@@ -4205,8 +4205,85 @@ DWORD WINAPI GetExplicitEntriesFromAclA( PACL pacl, PULONG pcCountOfExplicitEntr
DWORD WINAPI GetExplicitEntriesFromAclW( PACL pacl, PULONG pcCountOfExplicitEntries,
PEXPLICIT_ACCESSW* pListOfExplicitEntries)
{
@ -101,10 +101,10 @@ index 7e41c0a7361..ccd0bf64cab 100644
/******************************************************************************
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index c31dfbeace3..23cbff58117 100644
index 09c6a721cc..286d236e4b 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -133,6 +133,7 @@ static BOOL (WINAPI *pGetWindowsAccountDomainSid)(PSID,PSID,DWORD*);
@@ -134,6 +134,7 @@ static BOOL (WINAPI *pGetWindowsAccountDomainSid)(PSID,PSID,DWORD*);
static void (WINAPI *pRtlInitAnsiString)(PANSI_STRING,PCSZ);
static NTSTATUS (WINAPI *pRtlFreeUnicodeString)(PUNICODE_STRING);
static PSID_IDENTIFIER_AUTHORITY (WINAPI *pGetSidIdentifierAuthority)(PSID);
@ -112,16 +112,16 @@ index c31dfbeace3..23cbff58117 100644
static HMODULE hmod;
static int myARGC;
@@ -227,6 +228,7 @@ static void init(void)
pGetAce = (void *)GetProcAddress(hmod, "GetAce");
@@ -230,6 +231,7 @@ static void init(void)
pGetWindowsAccountDomainSid = (void *)GetProcAddress(hmod, "GetWindowsAccountDomainSid");
pGetSidIdentifierAuthority = (void *)GetProcAddress(hmod, "GetSidIdentifierAuthority");
pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
+ pGetExplicitEntriesFromAclW = (void *)GetProcAddress(hmod, "GetExplicitEntriesFromAclW");
myARGC = winetest_get_mainargs( &myARGV );
}
@@ -6451,6 +6453,145 @@ static void test_maximum_allowed(void)
CloseHandle(handle);
@@ -6795,6 +6797,145 @@ static void test_token_security_descriptor(void)
CloseHandle(token);
}
+static void test_GetExplicitEntriesFromAclW(void)
@ -266,12 +266,12 @@ index c31dfbeace3..23cbff58117 100644
START_TEST(security)
{
init();
@@ -6499,4 +6640,5 @@ START_TEST(security)
test_GetSidIdentifierAuthority();
@@ -6845,4 +6986,5 @@ START_TEST(security)
test_pseudo_tokens();
test_maximum_allowed();
test_token_security_descriptor();
+ test_GetExplicitEntriesFromAclW();
}
--
2.11.0
2.13.1

17
patches/patchinstall.sh
View File

@ -52,7 +52,7 @@ usage()
# Get the upstream commit sha
upstream_commit()
{
echo "538e46adea88a3d6bdadd7f762eb620cd11cbeef"
echo "c7f0777fc55229d910461a7a38e21f1e17c8913a"
}
# Show version information
@ -2962,25 +2962,16 @@ fi
# | * [#42014] Implement support for LABEL_SECURITY_INFORMATION
# |
# | Modified files:
# | * dlls/advapi32/tests/security.c, dlls/ntdll/nt.c, dlls/ntdll/sec.c, include/winnt.h, server/handle.c, server/object.c,
# | server/process.c, server/protocol.def, server/security.h, server/token.c
# | * dlls/advapi32/tests/security.c, server/process.c, server/security.h, server/token.c
# |
if test "$enable_server_LABEL_SECURITY_INFORMATION" -eq 1; then
patch_apply server-LABEL_SECURITY_INFORMATION/0001-server-Implement-querying-the-security-label-of-a-se.patch
patch_apply server-LABEL_SECURITY_INFORMATION/0002-server-Implement-changing-the-label-of-a-security-de.patch
patch_apply server-LABEL_SECURITY_INFORMATION/0003-server-Do-not-set-SE_-D-S-ACL_PRESENT-if-no-D-S-ACL-.patch
patch_apply server-LABEL_SECURITY_INFORMATION/0004-server-Implement-setting-a-security-descriptor-when-.patch
patch_apply server-LABEL_SECURITY_INFORMATION/0005-advapi32-tests-Add-basic-tests-for-token-security-de.patch
patch_apply server-LABEL_SECURITY_INFORMATION/0001-advapi32-tests-Add-back-a-dropped-test.patch
patch_apply server-LABEL_SECURITY_INFORMATION/0006-advapi32-tests-Show-that-tokens-do-not-inherit-secur.patch
patch_apply server-LABEL_SECURITY_INFORMATION/0007-advapi32-tests-Show-that-tokens-do-not-inherit-dacls.patch
patch_apply server-LABEL_SECURITY_INFORMATION/0008-advapi32-tests-Show-that-tokens-do-not-inherit-sacls.patch
patch_apply server-LABEL_SECURITY_INFORMATION/0009-server-Assign-a-default-label-high-to-all-tokens.patch
(
printf '%s\n' '+ { "Michael Müller", "server: Implement querying the security label of a security descriptor.", 1 },';
printf '%s\n' '+ { "Michael Müller", "server: Implement changing the label of a security descriptor.", 1 },';
printf '%s\n' '+ { "Michael Müller", "server: Do not set SE_{D,S}ACL_PRESENT if no {D,S}ACL was set.", 1 },';
printf '%s\n' '+ { "Michael Müller", "server: Implement setting a security descriptor when duplicating tokens.", 1 },';
printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Add basic tests for token security descriptors.", 1 },';
printf '%s\n' '+ { "Sebastian Lackner", "advapi32/tests: Add back a dropped test.", 1 },';
printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Show that tokens do not inherit security descriptors during duplication.", 1 },';
printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Show that tokens do not inherit dacls while creating child processes.", 1 },';
printf '%s\n' '+ { "Michael Müller", "advapi32/tests: Show that tokens do not inherit sacls / mandatory labels while creating child processes.", 1 },';

29
patches/server-LABEL_SECURITY_INFORMATION/0001-advapi32-tests-Add-back-a-dropped-test.patch Normal file
View File

@ -0,0 +1,29 @@
From 47f4a0e0cb0e90695cb863306475e7ac11ef3e4a Mon Sep 17 00:00:00 2001
From: Sebastian Lackner <sebastian@fds-team.de>
Date: Fri, 16 Jun 2017 04:53:19 +0200
Subject: advapi32/tests: Add back a dropped test.
---
dlls/advapi32/tests/security.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index de511af32f..eca83765af 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -6426,10 +6426,12 @@ static void test_AddMandatoryAce(void)
sacl = (void *)0xdeadbeef;
present = TRUE;
+ defaulted = TRUE;
ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
ok(!present, "SACL is present\n");
ok(sacl == (void *)0xdeadbeef, "SACL is set\n");
+ todo_wine ok(!defaulted, "SACL defaulted\n");
HeapFree(GetProcessHeap(), 0, sd2);
CloseHandle(handle);
--
2.13.1

222
patches/server-LABEL_SECURITY_INFORMATION/0001-server-Implement-querying-the-security-label-of-a-se.patch
View File

@ -1,222 +0,0 @@
From d5ba417b0a446d5c6fccfec1d44999c32fb106c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
Date: Mon, 29 Aug 2016 20:35:51 +0200
Subject: server: Implement querying the security label of a security
descriptor.
---
dlls/advapi32/tests/security.c | 80 ++++++++++++++++++++++++++++++++++++++++--
include/winnt.h | 1 +
server/handle.c | 55 +++++++++++++++++++++++++++++
3 files changed, 134 insertions(+), 2 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 90b8392313d..57297760832 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -6383,10 +6383,15 @@ static void test_AddMandatoryAce(void)
static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
{SECURITY_MANDATORY_LOW_RID}};
SYSTEM_MANDATORY_LABEL_ACE *ace;
+ char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
+ SECURITY_DESCRIPTOR *sd2, *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
+ SECURITY_ATTRIBUTES sa;
char buffer_acl[256];
ACL *pAcl = (ACL *)&buffer_acl;
- BOOL ret, found;
- DWORD index;
+ ACL *sAcl;
+ BOOL defaulted, present, ret, found;
+ HANDLE handle;
+ DWORD index, size;
if (!pAddMandatoryAce)
{
@@ -6394,6 +6399,36 @@ static void test_AddMandatoryAce(void)
return;
}
+ ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
+ ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
+
+ sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+ sa.lpSecurityDescriptor = sd;
+ sa.bInheritHandle = FALSE;
+
+ handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
+ ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
+
+ ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "GetKernelObjectSecurity failed with %u\n", GetLastError());
+
+ sd2 = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ sAcl = (void *)0xdeadbeef;
+ present = TRUE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ todo_wine ok(!present, "sAcl is present\n");
+ todo_wine ok(sAcl == (void *)0xdeadbeef, "sAcl is set\n");
+ ok(!defaulted, "sAcl defaulted\n");
+
+ HeapFree(GetProcessHeap(), 0, sd2);
+ CloseHandle(handle);
+
ret = InitializeAcl(pAcl, 256, ACL_REVISION);
ok(ret, "InitializeAcl failed with %u\n", GetLastError());
@@ -6418,6 +6453,47 @@ static void test_AddMandatoryAce(void)
found = TRUE;
}
ok(found, "Could not find mandatory label ace\n");
+
+ ret = SetSecurityDescriptorSacl(sd, TRUE, pAcl, FALSE);
+ ok(ret, "SetSecurityDescriptorSacl failed with %u\n", GetLastError());
+
+ handle = CreateEventA(&sa, TRUE, TRUE, "test_event");
+ ok(handle != NULL, "CreateEventA failed with error %u\n", GetLastError());
+
+ ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "GetKernelObjectSecurity failed with %u\n", GetLastError());
+
+ sd2 = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ sAcl = (void *)0xdeadbeef;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ ok(present, "sAcl not present\n");
+ ok(sAcl != (void *)0xdeadbeef, "sAcl not set\n");
+ ok(!defaulted, "sAcl defaulted\n");
+
+ index = 0;
+ found = FALSE;
+ while (pGetAce( sAcl, index++, (void **)&ace ))
+ {
+ if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+ {
+ found = TRUE;
+ ok(ace->Header.AceFlags == 0, "Expected 0 as flags, got %x\n", ace->Header.AceFlags);
+ ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
+ "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as flag, got %x\n", ace->Mask);
+ ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
+ }
+ }
+ ok(found, "Could not find mandatory label\n");
+
+ HeapFree(GetProcessHeap(), 0, sd2);
+ CloseHandle(handle);
}
static void test_system_security_access(void)
diff --git a/include/winnt.h b/include/winnt.h
index de7622fbe6f..0af83dcbcb7 100644
--- a/include/winnt.h
+++ b/include/winnt.h
@@ -5276,6 +5276,7 @@ typedef struct _TAPE_GET_MEDIA_PARAMETERS {
#define GROUP_SECURITY_INFORMATION 0x00000002
#define DACL_SECURITY_INFORMATION 0x00000004
#define SACL_SECURITY_INFORMATION 0x00000008
+#define LABEL_SECURITY_INFORMATION 0x00000010
#define REG_OPTION_RESERVED 0x00000000
#define REG_OPTION_NON_VOLATILE 0x00000000
diff --git a/server/handle.c b/server/handle.c
index 3f42352bceb..5ffcd74e464 100644
--- a/server/handle.c
+++ b/server/handle.c
@@ -700,6 +700,52 @@ DECL_HANDLER(set_security_object)
release_object( obj );
}
+/* extract security labels from SACL */
+static int extract_security_label( ACL **out, const ACL *sacl )
+{
+ const ACE_HEADER *ace;
+ ACE_HEADER *label_ace;
+ size_t size = sizeof(ACL);
+ int i, count = 0;
+ ACL *label_acl;
+
+ *out = NULL;
+ if (!sacl) return 1;
+
+ ace = (const ACE_HEADER *)(sacl + 1);
+ for (i = 0; i < sacl->AceCount; i++, ace = ace_next( ace ))
+ {
+ if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+ {
+ size += ace->AceSize;
+ count++;
+ }
+ }
+
+ label_acl = mem_alloc( size );
+ if (!label_acl) return 0;
+
+ label_acl->AclRevision = sacl->AclRevision;
+ label_acl->Sbz1 = 0;
+ label_acl->AclSize = size;
+ label_acl->AceCount = count;
+ label_acl->Sbz2 = 0;
+ label_ace = (ACE_HEADER *)(label_acl + 1);
+
+ ace = (const ACE_HEADER *)(sacl + 1);
+ for (i = 0; i < sacl->AceCount; i++, ace = ace_next( ace ))
+ {
+ if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+ {
+ memcpy( label_ace, ace, ace->AceSize );
+ label_ace = (ACE_HEADER *)ace_next( label_ace );
+ }
+ }
+
+ *out = label_acl;
+ return 1;
+}
+
DECL_HANDLER(get_security_object)
{
const struct security_descriptor *sd;
@@ -709,6 +755,7 @@ DECL_HANDLER(get_security_object)
int present;
const SID *owner, *group;
const ACL *sacl, *dacl;
+ ACL *label_acl = NULL;
if (req->security_info & SACL_SECURITY_INFORMATION)
access |= ACCESS_SYSTEM_SECURITY;
@@ -736,6 +783,12 @@ DECL_HANDLER(get_security_object)
sacl = sd_get_sacl( sd, &present );
if (req->security_info & SACL_SECURITY_INFORMATION && present)
req_sd.sacl_len = sd->sacl_len;
+ else if (req->security_info & LABEL_SECURITY_INFORMATION && present)
+ {
+ if (!extract_security_label( &label_acl, sacl )) goto error;
+ req_sd.sacl_len = label_acl ? label_acl->AclSize : 0;
+ sacl = label_acl;
+ }
else
req_sd.sacl_len = 0;
@@ -766,7 +819,9 @@ DECL_HANDLER(get_security_object)
set_error(STATUS_BUFFER_TOO_SMALL);
}
+error:
release_object( obj );
+ free( label_acl );
}
struct enum_handle_info
--
2.11.0

329
patches/server-LABEL_SECURITY_INFORMATION/0002-server-Implement-changing-the-label-of-a-security-de.patch
View File

@ -1,329 +0,0 @@
From 8147386e251ecad87d6df713d0396c2d097ab83a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
Date: Tue, 30 Aug 2016 01:15:44 +0200
Subject: server: Implement changing the label of a security descriptor.
---
dlls/advapi32/tests/security.c | 113 ++++++++++++++++++++++++++++++++++-
dlls/ntdll/sec.c | 3 +-
server/handle.c | 131 ++++++++++++++++++++++++++++++++++++++++-
3 files changed, 243 insertions(+), 4 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 57297760832..685ab1c2b5f 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -6382,6 +6382,8 @@ static void test_AddMandatoryAce(void)
{
static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
{SECURITY_MANDATORY_LOW_RID}};
+ static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
+ {SECURITY_MANDATORY_MEDIUM_RID}};
SYSTEM_MANDATORY_LABEL_ACE *ace;
char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
SECURITY_DESCRIPTOR *sd2, *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
@@ -6389,7 +6391,7 @@ static void test_AddMandatoryAce(void)
char buffer_acl[256];
ACL *pAcl = (ACL *)&buffer_acl;
ACL *sAcl;
- BOOL defaulted, present, ret, found;
+ BOOL defaulted, present, ret, found, found2;
HANDLE handle;
DWORD index, size;
@@ -6493,6 +6495,115 @@ static void test_AddMandatoryAce(void)
ok(found, "Could not find mandatory label\n");
HeapFree(GetProcessHeap(), 0, sd2);
+
+ ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
+ ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
+
+ ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "GetKernelObjectSecurity failed with %u\n", GetLastError());
+
+ sd2 = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ sAcl = (void *)0xdeadbeef;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ ok(present, "sAcl not present\n");
+ ok(sAcl != (void *)0xdeadbeef, "sAcl not set\n");
+ ok(sAcl->AceCount == 2, "Expected 2 ACEs, got %d\n", sAcl->AceCount);
+ ok(!defaulted, "sAcl defaulted\n");
+
+ index = 0;
+ found = found2 = FALSE;
+ while (pGetAce( sAcl, index++, (void **)&ace ))
+ {
+ if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+ {
+ if (EqualSid(&ace->SidStart, &low_level))
+ {
+ found = TRUE;
+ ok(ace->Header.AceFlags == 0, "Expected 0 as flags, got %x\n", ace->Header.AceFlags);
+ ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
+ "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as flag, got %x\n", ace->Mask);
+ }
+ if (EqualSid(&ace->SidStart, &medium_level))
+ {
+ found2 = TRUE;
+ ok(ace->Header.AceFlags == 0, "Expected 0 as flags, got %x\n", ace->Header.AceFlags);
+ ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP,
+ "Expected SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP as flag, got %x\n", ace->Mask);
+ }
+ }
+ }
+ ok(found, "Could not find low mandatory label\n");
+ ok(found2, "Could not find medium mandatory label\n");
+
+ HeapFree( GetProcessHeap(), 0, sd2);
+
+ ret = SetSecurityDescriptorSacl(sd, FALSE, NULL, FALSE);
+ ok(ret, "SetSecurityDescriptorSacl failed with %u\n", GetLastError());
+
+ ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "GetKernelObjectSecurity failed with %u\n", GetLastError());
+
+ sd2 = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ sAcl = (void *)0xdeadbeef;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ ok(present, "sAcl not present\n");
+ ok(sAcl != (void *)0xdeadbeef, "sAcl not set\n");
+ ok(sAcl->AceCount == 0, "Expected 0 ACEs, got %d\n", sAcl->AceCount);
+ ok(!defaulted, "sAcl defaulted\n");
+
+ HeapFree(GetProcessHeap(), 0, sd2);
+
+ ret = InitializeAcl(pAcl, 256, ACL_REVISION);
+ ok(ret, "InitializeAcl failed with %u\n", GetLastError());
+
+ ret = pAddMandatoryAce(pAcl, ACL_REVISION3, 0, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP, &medium_level);
+ ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
+
+ ret = SetSecurityDescriptorSacl(sd, TRUE, pAcl, FALSE);
+ ok(ret, "SetSecurityDescriptorSacl failed with %u\n", GetLastError());
+
+ ret = SetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "GetKernelObjectSecurity failed with %u\n", GetLastError());
+
+ sd2 = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ sAcl = (void *)0xdeadbeef;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ ok(present, "sAcl not present\n");
+ ok(sAcl != (void *)0xdeadbeef, "sAcl not set\n");
+ ok(sAcl->AclRevision == ACL_REVISION3, "Expected revision 3, got %d\n", sAcl->AclRevision);
+ ok(!defaulted, "sAcl defaulted\n");
+
+ HeapFree(GetProcessHeap(), 0, sd2);
CloseHandle(handle);
}
diff --git a/dlls/ntdll/sec.c b/dlls/ntdll/sec.c
index 3f7aa793236..5c858b5bcbb 100644
--- a/dlls/ntdll/sec.c
+++ b/dlls/ntdll/sec.c
@@ -1775,7 +1775,8 @@ NTSTATUS WINAPI NtSetSecurityObject(HANDLE Handle,
return STATUS_INVALID_SECURITY_DESCR;
}
- if (SecurityInformation & SACL_SECURITY_INFORMATION)
+ if (SecurityInformation & SACL_SECURITY_INFORMATION ||
+ SecurityInformation & LABEL_SECURITY_INFORMATION)
{
status = RtlGetSaclSecurityDescriptor( SecurityDescriptor, &present, &sacl, &defaulted );
if (status != STATUS_SUCCESS) return status;
diff --git a/server/handle.c b/server/handle.c
index 5ffcd74e464..3a216702026 100644
--- a/server/handle.c
+++ b/server/handle.c
@@ -673,12 +673,89 @@ DECL_HANDLER(get_object_info)
release_object( obj );
}
+/* merge security labels into an existing SACL */
+static int merge_security_labels( ACL **out, const ACL *old_sacl, const ACL *new_sacl )
+{
+ const ACE_HEADER *ace;
+ ACE_HEADER *merged_ace;
+ size_t size = sizeof(ACL);
+ int i, count = 0;
+ BYTE revision = ACL_REVISION;
+ ACL *merged_acl;
+
+ *out = NULL;
+ if (!old_sacl && !new_sacl) return 1;
+
+ if (old_sacl)
+ {
+ revision = max( revision, old_sacl->AclRevision );
+ ace = (const ACE_HEADER *)(old_sacl + 1);
+ for (i = 0; i < old_sacl->AceCount; i++, ace = ace_next( ace ))
+ {
+ if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
+ size += ace->AceSize;
+ count++;
+ }
+ }
+
+ if (new_sacl)
+ {
+ revision = max( revision, new_sacl->AclRevision );
+ ace = (const ACE_HEADER *)(new_sacl + 1);
+ for (i = 0; i < new_sacl->AceCount; i++, ace = ace_next( ace ))
+ {
+ /* FIXME: Should this be handled as error? */
+ if (ace->AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
+ size += ace->AceSize;
+ count++;
+ }
+ }
+
+ merged_acl = mem_alloc( size );
+ if (!merged_acl) return 0;
+
+ merged_acl->AclRevision = revision;
+ merged_acl->Sbz1 = 0;
+ merged_acl->AclSize = size;
+ merged_acl->AceCount = count;
+ merged_acl->Sbz2 = 0;
+ merged_ace = (ACE_HEADER *)(merged_acl + 1);
+
+ if (old_sacl)
+ {
+ ace = (const ACE_HEADER *)(old_sacl + 1);
+ for (i = 0; i < old_sacl->AceCount; i++, ace = ace_next( ace ))
+ {
+ if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
+ memcpy( merged_ace, ace, ace->AceSize );
+ merged_ace = (ACE_HEADER *)ace_next( merged_ace );
+ }
+ }
+
+ if (new_sacl)
+ {
+ ace = (const ACE_HEADER *)(new_sacl + 1);
+ for (i = 0; i < new_sacl->AceCount; i++, ace = ace_next( ace ))
+ {
+ if (ace->AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
+ memcpy( merged_ace, ace, ace->AceSize );
+ merged_ace = (ACE_HEADER *)ace_next( merged_ace );
+ }
+ }
+
+ *out = merged_acl;
+ return 1;
+}
+
DECL_HANDLER(set_security_object)
{
data_size_t sd_size = get_req_data_size();
const struct security_descriptor *sd = get_req_data();
+ struct security_descriptor *merged_sd = NULL;
+ ACL *merged_sacl = NULL;
struct object *obj;
unsigned int access = 0;
+ unsigned int security_info = req->security_info;
if (!sd_is_valid( sd, sd_size ))
{
@@ -687,7 +764,8 @@ DECL_HANDLER(set_security_object)
}
if (req->security_info & OWNER_SECURITY_INFORMATION ||
- req->security_info & GROUP_SECURITY_INFORMATION)
+ req->security_info & GROUP_SECURITY_INFORMATION ||
+ req->security_info & LABEL_SECURITY_INFORMATION)
access |= WRITE_OWNER;
if (req->security_info & SACL_SECURITY_INFORMATION)
access |= ACCESS_SYSTEM_SECURITY;
@@ -696,8 +774,57 @@ DECL_HANDLER(set_security_object)
if (!(obj = get_handle_obj( current->process, req->handle, access, NULL ))) return;
- obj->ops->set_sd( obj, sd, req->security_info );
+ /* check if we need to merge the security labels with the existing SACLs */
+ if ((security_info & LABEL_SECURITY_INFORMATION) &&
+ !(security_info & SACL_SECURITY_INFORMATION) &&
+ (sd->control & SE_SACL_PRESENT))
+ {
+ const struct security_descriptor *old_sd;
+ const ACL *old_sacl = NULL;
+ int present;
+ char *ptr;
+
+ if ((old_sd = obj->ops->get_sd( obj )))
+ {
+ old_sacl = sd_get_sacl( old_sd, &present );
+ if (!present) old_sacl = NULL;
+ }
+
+ if (!merge_security_labels( &merged_sacl, old_sacl, sd_get_sacl( sd, &present ) )) goto error;
+
+ /* allocate a new SD and replace SACL with merged version */
+ merged_sd = mem_alloc( sizeof(*merged_sd) + sd->owner_len + sd->group_len +
+ (merged_sacl ? merged_sacl->AclSize : 0) + sd->dacl_len );
+ if (!merged_sd) goto error;
+
+ merged_sd->control = sd->control;
+ merged_sd->owner_len = sd->owner_len;
+ merged_sd->group_len = sd->group_len;
+ merged_sd->sacl_len = merged_sacl ? merged_sacl->AclSize : 0;
+ merged_sd->dacl_len = sd->dacl_len;
+
+ ptr = (char *)(merged_sd + 1);
+ memcpy( ptr, sd_get_owner( sd ), sd->owner_len );
+ ptr += sd->owner_len;
+ memcpy( ptr, sd_get_group( sd ), sd->group_len );
+ ptr += sd->group_len;
+ if (merged_sacl)
+ {
+ memcpy( ptr, merged_sacl, merged_sacl->AclSize );
+ ptr += merged_sacl->AclSize;
+ }
+ memcpy( ptr, sd_get_dacl( sd, &present ), sd->dacl_len );
+
+ security_info |= SACL_SECURITY_INFORMATION;
+ sd = merged_sd;
+ }
+
+ obj->ops->set_sd( obj, sd, security_info );
+
+error:
release_object( obj );
+ free( merged_sacl );
+ free( merged_sd );
}
/* extract security labels from SACL */
--
2.11.0

102
patches/server-LABEL_SECURITY_INFORMATION/0003-server-Do-not-set-SE_-D-S-ACL_PRESENT-if-no-D-S-ACL-.patch
View File

@ -1,102 +0,0 @@
From 048c4e74b36eacac239ab61997f756ed956ab7f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
Date: Tue, 30 Aug 2016 02:10:32 +0200
Subject: server: Do not set SE_{D,S}ACL_PRESENT if no {D,S}ACL was set.
---
dlls/advapi32/tests/security.c | 6 +++---
server/handle.c | 2 --
server/object.c | 15 +++++++++++++--
3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 84a451eb834..263d2f11544 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -6476,9 +6476,9 @@ static void test_integrity(void)
defaulted = TRUE;
ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
- todo_wine ok(!present, "sAcl is present\n");
- todo_wine ok(sAcl == (void *)0xdeadbeef, "sAcl is set\n");
- ok(!defaulted, "sAcl defaulted\n");
+ ok(!present, "sAcl is present\n");
+ ok(sAcl == (void *)0xdeadbeef, "sAcl is set\n");
+ todo_wine ok(!defaulted, "sAcl defaulted\n");
HeapFree(GetProcessHeap(), 0, sd2);
CloseHandle(handle);
diff --git a/server/handle.c b/server/handle.c
index a0e27b9507e..57e0c060e03 100644
--- a/server/handle.c
+++ b/server/handle.c
@@ -916,7 +916,6 @@ DECL_HANDLER(get_security_object)
else
req_sd.group_len = 0;
- req_sd.control |= SE_SACL_PRESENT;
sacl = sd_get_sacl( sd, &present );
if (req->security_info & SACL_SECURITY_INFORMATION && present)
req_sd.sacl_len = sd->sacl_len;
@@ -929,7 +928,6 @@ DECL_HANDLER(get_security_object)
else
req_sd.sacl_len = 0;
- req_sd.control |= SE_DACL_PRESENT;
dacl = sd_get_dacl( sd, &present );
if (req->security_info & DACL_SECURITY_INFORMATION && present)
req_sd.dacl_len = sd->dacl_len;
diff --git a/server/object.c b/server/object.c
index b4af10e811c..703875db248 100644
--- a/server/object.c
+++ b/server/object.c
@@ -573,33 +573,44 @@ struct security_descriptor *set_sd_from_token_internal( const struct security_de
}
else new_sd.group_len = 0;
- new_sd.control |= SE_SACL_PRESENT;
sacl = sd_get_sacl( sd, &present );
if (set_info & SACL_SECURITY_INFORMATION && present)
+ {
+ new_sd.control |= SE_SACL_PRESENT;
new_sd.sacl_len = sd->sacl_len;
+ }
else
{
if (old_sd) sacl = sd_get_sacl( old_sd, &present );
if (old_sd && present)
+ {
+ new_sd.control |= SE_SACL_PRESENT;
new_sd.sacl_len = old_sd->sacl_len;
+ }
else
new_sd.sacl_len = 0;
}
- new_sd.control |= SE_DACL_PRESENT;
dacl = sd_get_dacl( sd, &present );
if (set_info & DACL_SECURITY_INFORMATION && present)
+ {
+ new_sd.control |= SE_DACL_PRESENT;
new_sd.dacl_len = sd->dacl_len;
+ }
else
{
if (old_sd) dacl = sd_get_dacl( old_sd, &present );
if (old_sd && present)
+ {
+ new_sd.control |= SE_DACL_PRESENT;
new_sd.dacl_len = old_sd->dacl_len;
+ }
else if (token)
{
dacl = token_get_default_dacl( token );
+ new_sd.control |= SE_DACL_PRESENT;
new_sd.dacl_len = dacl->AclSize;
}
else new_sd.dacl_len = 0;
--
2.11.0

147
patches/server-LABEL_SECURITY_INFORMATION/0004-server-Implement-setting-a-security-descriptor-when-.patch
View File

@ -1,147 +0,0 @@
From 402dca4fe8a333c8d76035c6b81c549be07882c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
Date: Thu, 12 Jan 2017 05:23:57 +0100
Subject: server: Implement setting a security descriptor when duplicating
tokens.
---
dlls/ntdll/nt.c | 7 ++++++-
server/process.c | 2 +-
server/protocol.def | 2 +-
server/security.h | 2 +-
server/token.c | 20 +++++++++++++++++---
5 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/dlls/ntdll/nt.c b/dlls/ntdll/nt.c
index 9347170a593..cc5c653d23e 100644
--- a/dlls/ntdll/nt.c
+++ b/dlls/ntdll/nt.c
@@ -87,11 +87,15 @@ NTSTATUS WINAPI NtDuplicateToken(
OUT PHANDLE NewToken)
{
NTSTATUS status;
+ data_size_t len;
+ struct object_attributes *objattr;
TRACE("(%p,0x%08x,%s,0x%08x,0x%08x,%p)\n",
ExistingToken, DesiredAccess, debugstr_ObjectAttributes(ObjectAttributes),
ImpersonationLevel, TokenType, NewToken);
+ if ((status = alloc_object_attributes( ObjectAttributes, &objattr, &len ))) return status;
+
if (ObjectAttributes && ObjectAttributes->SecurityQualityOfService)
{
SECURITY_QUALITY_OF_SERVICE *SecurityQOS = ObjectAttributes->SecurityQualityOfService;
@@ -106,14 +110,15 @@ NTSTATUS WINAPI NtDuplicateToken(
{
req->handle = wine_server_obj_handle( ExistingToken );
req->access = DesiredAccess;
- req->attributes = ObjectAttributes ? ObjectAttributes->Attributes : 0;
req->primary = (TokenType == TokenPrimary);
req->impersonation_level = ImpersonationLevel;
+ wine_server_add_data( req, objattr, len );
status = wine_server_call( req );
if (!status) *NewToken = wine_server_ptr_handle( reply->new_handle );
}
SERVER_END_REQ;
+ RtlFreeHeap( GetProcessHeap(), 0, objattr );
return status;
}
diff --git a/server/process.c b/server/process.c
index ca5982fe061..f476cfaf0fe 100644
--- a/server/process.c
+++ b/server/process.c
@@ -569,7 +569,7 @@ struct thread *create_process( int fd, struct thread *parent_thread, int inherit
: alloc_handle_table( process, 0 );
/* Note: for security reasons, starting a new process does not attempt
* to use the current impersonation token for the new process */
- process->token = token_duplicate( parent->token, TRUE, 0 );
+ process->token = token_duplicate( parent->token, TRUE, 0, NULL );
process->affinity = parent->affinity;
}
if (!process->handles || !process->token) goto error;
diff --git a/server/protocol.def b/server/protocol.def
index 97cf5adf298..3da579650fa 100644
--- a/server/protocol.def
+++ b/server/protocol.def
@@ -3361,9 +3361,9 @@ enum caret_state
@REQ(duplicate_token)
obj_handle_t handle; /* handle to the token to duplicate */
unsigned int access; /* access rights to the new token */
- unsigned int attributes; /* object attributes */
int primary; /* is the new token to be a primary one? */
int impersonation_level; /* impersonation level of the new token */
+ VARARG(objattr,object_attributes); /* object attributes */
@REPLY
obj_handle_t new_handle; /* duplicated handle */
@END
diff --git a/server/security.h b/server/security.h
index bdb7d42f09d..0342f643187 100644
--- a/server/security.h
+++ b/server/security.h
@@ -54,7 +54,7 @@ extern const PSID security_domain_users_sid;
extern struct token *token_create_admin(void);
extern struct token *token_duplicate( struct token *src_token, unsigned primary,
- int impersonation_level );
+ int impersonation_level, const struct security_descriptor *sd );
extern int token_check_privileges( struct token *token, int all_required,
const LUID_AND_ATTRIBUTES *reqprivs,
unsigned int count, LUID_AND_ATTRIBUTES *usedprivs);
diff --git a/server/token.c b/server/token.c
index b903420bbe3..74a97bb1319 100644
--- a/server/token.c
+++ b/server/token.c
@@ -521,7 +521,7 @@ static struct token *create_token( unsigned primary, const SID *user,
}
struct token *token_duplicate( struct token *src_token, unsigned primary,
- int impersonation_level )
+ int impersonation_level, const struct security_descriptor *sd )
{
const luid_t *modified_id =
primary || (impersonation_level == src_token->impersonation_level) ?
@@ -571,6 +571,15 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
return NULL;
}
+ if (sd)
+ {
+ default_set_sd( &token->obj, sd,
+ OWNER_SECURITY_INFORMATION |
+ GROUP_SECURITY_INFORMATION |
+ DACL_SECURITY_INFORMATION |
+ SACL_SECURITY_INFORMATION );
+ }
+
return token;
}
@@ -1141,15 +1150,20 @@ DECL_HANDLER(get_token_privileges)
DECL_HANDLER(duplicate_token)
{
struct token *src_token;
+ struct unicode_str name;
+ const struct security_descriptor *sd;
+ const struct object_attributes *objattr = get_req_object_attributes( &sd, &name, NULL );
+
+ if (!objattr) return;
if ((src_token = (struct token *)get_handle_obj( current->process, req->handle,
TOKEN_DUPLICATE,
&token_ops )))
{
- struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level );
+ struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd );
if (token)
{
- reply->new_handle = alloc_handle( current->process, token, req->access, req->attributes);
+ reply->new_handle = alloc_handle_no_access_check( current->process, token, req->access, objattr->attributes );
release_object( token );
}
release_object( src_token );
--
2.11.0

129
patches/server-LABEL_SECURITY_INFORMATION/0005-advapi32-tests-Add-basic-tests-for-token-security-de.patch
View File

@ -1,129 +0,0 @@
From c70143ce52b1043b440c966bab08dbf8f3e0e98f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
Date: Thu, 12 Jan 2017 05:28:30 +0100
Subject: advapi32/tests: Add basic tests for token security descriptors.
---
dlls/advapi32/tests/security.c | 87 +++++++++++++++++++++++++++++++++++++++++-
1 file changed, 86 insertions(+), 1 deletion(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 89816d37665..3faf8574856 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -231,6 +231,7 @@ static void init(void)
pGetWindowsAccountDomainSid = (void *)GetProcAddress(hmod, "GetWindowsAccountDomainSid");
pGetSidIdentifierAuthority = (void *)GetProcAddress(hmod, "GetSidIdentifierAuthority");
pGetExplicitEntriesFromAclW = (void *)GetProcAddress(hmod, "GetExplicitEntriesFromAclW");
+ pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
myARGC = winetest_get_mainargs( &myARGV );
}
@@ -3014,7 +3015,6 @@ static void test_impersonation_level(void)
HKEY hkey;
DWORD error;
- pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
if( !pDuplicateTokenEx ) {
win_skip("DuplicateTokenEx is not available\n");
return;
@@ -7041,6 +7041,90 @@ static void test_GetExplicitEntriesFromAclW(void)
HeapFree(GetProcessHeap(), 0, old_acl);
}
+static void test_token_security_descriptor(void)
+{
+ ACCESS_ALLOWED_ACE *ace;
+ char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
+ SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd, *sd2;
+ char buffer_acl[256];
+ ACL *pAcl = (ACL *)&buffer_acl, *pAcl2;
+ BOOL defaulted, present, ret, found;
+ HANDLE token, token2;
+ SECURITY_ATTRIBUTES sa;
+ DWORD size, index;
+ PSID psid;
+
+ if (!pDuplicateTokenEx || !pConvertStringSidToSidA || !pAddAccessAllowedAceEx || !pGetAce || !pSetEntriesInAclW)
+ {
+ win_skip("Some functions not available\n");
+ return;
+ }
+
+ /* Test whether we can create tokens with security descriptors */
+ ret = OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &token);
+ ok(ret, "OpenProcessToken failed with error %u\n", GetLastError());
+
+ ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
+ ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
+
+ ret = InitializeAcl(pAcl, 256, ACL_REVISION);
+ ok(ret, "InitializeAcl failed with %u\n", GetLastError());
+
+ ret = pConvertStringSidToSidA("S-1-5-6", &psid);
+ ok(ret, "ConvertStringSidToSidA failed with %u\n", GetLastError());
+
+ ret = pAddAccessAllowedAceEx(pAcl, ACL_REVISION, NO_PROPAGATE_INHERIT_ACE, GENERIC_ALL, psid);
+ ok(ret, "AddAccessAllowedAceEx failed with %u\n", GetLastError());
+
+ ret = SetSecurityDescriptorDacl(sd, TRUE, pAcl, FALSE);
+ ok(ret, "SetSecurityDescriptorDacl failed with %u\n", GetLastError());
+
+ sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+ sa.lpSecurityDescriptor = sd;
+ sa.bInheritHandle = FALSE;
+
+ ret = pDuplicateTokenEx(token, MAXIMUM_ALLOWED, &sa, SecurityImpersonation, TokenImpersonation, &token2);
+ ok(ret, "DuplicateTokenEx failed with %u\n", GetLastError());
+
+ ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, NULL, 0, &size);
+ ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
+ "GetKernelObjectSecurity failed with %u\n", GetLastError());
+
+ sd2 = HeapAlloc(GetProcessHeap(), 0, size);
+ ret = GetKernelObjectSecurity(token2, DACL_SECURITY_INFORMATION, sd2, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ pAcl2 = (void *)0xdeadbeef;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorDacl(sd2, &present, &pAcl2, &defaulted);
+ ok(ret, "GetSecurityDescriptorDacl failed with %u\n", GetLastError());
+ ok(present, "pAcl2 not present\n");
+ ok(pAcl2 != (void *)0xdeadbeef, "pAcl2 not set\n");
+ ok(pAcl2->AceCount == 1, "Expected 1 ACEs, got %d\n", pAcl2->AceCount);
+ ok(!defaulted, "pAcl2 defaulted\n");
+
+ index = 0;
+ found = FALSE;
+ while (pGetAce( pAcl2, index++, (void **)&ace ))
+ {
+ if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
+ {
+ found = TRUE;
+ ok(ace->Header.AceFlags == NO_PROPAGATE_INHERIT_ACE,
+ "Expected NO_PROPAGATE_INHERIT_ACE as flags, got %x\n", ace->Header.AceFlags);
+ }
+ }
+ ok(found, "Could not find access allowed ace\n");
+
+ HeapFree( GetProcessHeap(), 0, sd2);
+
+ LocalFree(psid);
+
+ CloseHandle(token2);
+ CloseHandle(token);
+}
+
START_TEST(security)
{
init();
@@ -7091,4 +7175,5 @@ START_TEST(security)
test_pseudo_tokens();
test_maximum_allowed();
test_GetExplicitEntriesFromAclW();
+ test_token_security_descriptor();
}
--
2.11.0

45
patches/server-LABEL_SECURITY_INFORMATION/0006-advapi32-tests-Show-that-tokens-do-not-inherit-secur.patch
View File

@ -1,29 +1,32 @@
From a4cefc05b12f5461daf5dcaaeaa144dc15db8b39 Mon Sep 17 00:00:00 2001
From afc6af7ffafd30c8830d2085e32505dd87d866ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
Date: Thu, 12 Jan 2017 05:31:31 +0100
Subject: advapi32/tests: Show that tokens do not inherit security descriptors
during duplication.
---
dlls/advapi32/tests/security.c | 42 +++++++++++++++++++++++++++++++++++++++++-
1 file changed, 41 insertions(+), 1 deletion(-)
dlls/advapi32/tests/security.c | 45 ++++++++++++++++++++++++++++++++++++++++--
1 file changed, 43 insertions(+), 2 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 8af1d0604a4..a2d0538b491 100644
index eca83765af..f4f2519a04 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -7144,7 +7144,7 @@ static void test_token_security_descriptor(void)
char buffer_acl[256];
ACL *pAcl = (ACL *)&buffer_acl, *pAcl2;
BOOL defaulted, present, ret, found;
- HANDLE token, token2;
+ HANDLE token, token2, token3;
@@ -6947,8 +6947,9 @@ static void test_token_security_descriptor(void)
BOOL defaulted, present, ret;
ACCESS_ALLOWED_ACE *ace;
SECURITY_ATTRIBUTES sa;
DWORD size, index;
- HANDLE token, token2;
- DWORD size;
+ HANDLE token, token2, token3;
+ DWORD size, index;
+ BOOL found;
PSID psid;
@@ -7214,8 +7214,48 @@ static void test_token_security_descriptor(void)
HeapFree( GetProcessHeap(), 0, sd2);
if (!pDuplicateTokenEx || !pConvertStringSidToSidA || !pAddAccessAllowedAceEx || !pGetAce
@@ -7011,8 +7012,48 @@ static void test_token_security_descriptor(void)
HeapFree(GetProcessHeap(), 0, sd2);
+ /* Duplicate token without security attributes.
+ * Tokens do not inherit the security descriptor when calling DuplicateToken,
@ -40,21 +43,21 @@ index 8af1d0604a4..a2d0538b491 100644
+ ret = GetKernelObjectSecurity(token3, DACL_SECURITY_INFORMATION, sd2, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ pAcl2 = (void *)0xdeadbeef;
+ acl2 = (void *)0xdeadbeef;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorDacl(sd2, &present, &pAcl2, &defaulted);
+ ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
+ ok(ret, "GetSecurityDescriptorDacl failed with %u\n", GetLastError());
+ todo_wine
+ ok(present, "pAcl2 not present\n");
+ ok(pAcl2 != (void *)0xdeadbeef, "pAcl2 not set\n");
+ ok(!defaulted, "pAcl2 defaulted\n");
+ ok(present, "acl2 not present\n");
+ ok(acl2 != (void *)0xdeadbeef, "acl2 not set\n");
+ ok(!defaulted, "acl2 defaulted\n");
+
+ if (pAcl2)
+ if (acl2)
+ {
+ index = 0;
+ found = FALSE;
+ while (pGetAce( pAcl2, index++, (void **)&ace ))
+ while (pGetAce( acl2, index++, (void **)&ace ))
+ {
+ if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
+ found = TRUE;
@ -71,5 +74,5 @@ index 8af1d0604a4..a2d0538b491 100644
CloseHandle(token);
}
--
2.11.0
2.13.1

63
patches/server-LABEL_SECURITY_INFORMATION/0007-advapi32-tests-Show-that-tokens-do-not-inherit-dacls.patch
View File

@ -1,37 +1,38 @@
From e47cea1eefd5287c7bf08b86419e43a7f54c718e Mon Sep 17 00:00:00 2001
From 21b2087eb06737076d603559bc7ba9059f8414d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
Date: Thu, 12 Jan 2017 05:37:42 +0100
Subject: advapi32/tests: Show that tokens do not inherit dacls while creating
child processes.
---
dlls/advapi32/tests/security.c | 133 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 129 insertions(+), 4 deletions(-)
dlls/advapi32/tests/security.c | 135 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 130 insertions(+), 5 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 027bef76b00..d0fc463d008 100644
index f4f2519a04..8316de84d7 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -7046,12 +7046,15 @@ static void test_token_security_descriptor(void)
ACCESS_ALLOWED_ACE *ace;
@@ -6942,13 +6942,16 @@ static void test_token_security_descriptor(void)
{
char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd, *sd2;
- char buffer_acl[256];
- ACL *pAcl = (ACL *)&buffer_acl, *pAcl2;
- ACL *acl = (ACL *)&buffer_acl, *acl2;
+ char buffer_acl[256], buffer[MAX_PATH];
+ ACL *pAcl = (ACL *)&buffer_acl, *pAcl2, *pAclChild;
BOOL defaulted, present, ret, found;
+ ACL *acl = (ACL *)&buffer_acl, *acl2, *acl_child;
BOOL defaulted, present, ret;
ACCESS_ALLOWED_ACE *ace;
SECURITY_ATTRIBUTES sa;
HANDLE token, token2, token3;
- DWORD size, index;
+ EXPLICIT_ACCESSW exp_access;
+ PROCESS_INFORMATION info;
SECURITY_ATTRIBUTES sa;
- DWORD size, index;
+ DWORD size, index, retd;
+ STARTUPINFOA startup;
+ DWORD size, index, retd;
BOOL found;
PSID psid;
if (!pDuplicateTokenEx || !pConvertStringSidToSidA || !pAddAccessAllowedAceEx || !pGetAce || !pSetEntriesInAclW)
@@ -7158,6 +7161,76 @@ static void test_token_security_descriptor(void)
@@ -7051,6 +7054,76 @@ static void test_token_security_descriptor(void)
HeapFree(GetProcessHeap(), 0, sd2);
@ -46,22 +47,22 @@ index 027bef76b00..d0fc463d008 100644
+ ret = GetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd2, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ pAcl2 = (void *)0xdeadbeef;
+ acl2 = (void *)0xdeadbeef;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorDacl(sd2, &present, &pAcl2, &defaulted);
+ ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
+ ok(ret, "GetSecurityDescriptorDacl failed with %u\n", GetLastError());
+ todo_wine
+ ok(present, "pAcl2 not present\n");
+ ok(pAcl2 != (void *)0xdeadbeef, "pAcl2 not set\n");
+ ok(!defaulted, "pAcl2 defaulted\n");
+ ok(present, "acl2 not present\n");
+ ok(acl2 != (void *)0xdeadbeef, "acl2 not set\n");
+ ok(!defaulted, "acl2 defaulted\n");
+
+ /* check that the ace we add for testing does not already exist! */
+ if (pAcl2)
+ if (acl2)
+ {
+ index = 0;
+ found = FALSE;
+ while (pGetAce( pAcl2, index++, (void **)&ace ))
+ while (pGetAce( acl2, index++, (void **)&ace ))
+ {
+ if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
+ found = TRUE;
@ -78,14 +79,14 @@ index 027bef76b00..d0fc463d008 100644
+ exp_access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+ exp_access.Trustee.ptstrName = (void*)psid;
+
+ retd = pSetEntriesInAclW(1, &exp_access, pAcl2, &pAclChild);
+ retd = pSetEntriesInAclW(1, &exp_access, acl2, &acl_child);
+ ok(retd == ERROR_SUCCESS, "Expected ERROR_SUCCESS, got %u\n", retd);
+
+ memset(sd, 0, sizeof(buffer_sd));
+ ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
+ ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
+
+ ret = SetSecurityDescriptorDacl(sd, TRUE, pAclChild, FALSE);
+ ret = SetSecurityDescriptorDacl(sd, TRUE, acl_child, FALSE);
+ ok(ret, "SetSecurityDescriptorDacl failed with %u\n", GetLastError());
+
+ ret = SetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd);
@ -104,12 +105,12 @@ index 027bef76b00..d0fc463d008 100644
+ CloseHandle(info.hProcess);
+ CloseHandle(info.hThread);
+
+ LocalFree(pAclChild);
+ LocalFree(acl_child);
LocalFree(psid);
CloseHandle(token3);
@@ -7165,6 +7238,53 @@ static void test_token_security_descriptor(void)
CloseHandle(token);
@@ -7197,6 +7270,53 @@ static void test_GetExplicitEntriesFromAclW(void)
HeapFree(GetProcessHeap(), 0, old_acl);
}
+static void test_child_token_sd(void)
@ -162,7 +163,7 @@ index 027bef76b00..d0fc463d008 100644
START_TEST(security)
{
init();
@@ -7172,7 +7292,10 @@ START_TEST(security)
@@ -7204,7 +7324,10 @@ START_TEST(security)
if (myARGC >= 3)
{
@ -174,14 +175,16 @@ index 027bef76b00..d0fc463d008 100644
return;
}
test_kernel_objects_security();
@@ -7215,5 +7338,7 @@ START_TEST(security)
@@ -7246,6 +7369,8 @@ START_TEST(security)
test_GetSidIdentifierAuthority();
test_pseudo_tokens();
test_maximum_allowed();
- test_token_security_descriptor();
test_GetExplicitEntriesFromAclW();
+
+ /* must be the last test, modifies process token */
test_token_security_descriptor();
+ test_token_security_descriptor();
}
--
2.11.0
2.13.1

22
patches/server-LABEL_SECURITY_INFORMATION/0008-advapi32-tests-Show-that-tokens-do-not-inherit-sacls.patch
View File

@ -1,4 +1,4 @@
From cbb1140c5de91c1e82414729b72918fb1a9ffd90 Mon Sep 17 00:00:00 2001
From 3ba5029a2aef625586559621bdcd457d686a9424 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
Date: Thu, 12 Jan 2017 05:45:33 +0100
Subject: advapi32/tests: Show that tokens do not inherit sacls / mandatory
@ -9,36 +9,36 @@ Subject: advapi32/tests: Show that tokens do not inherit sacls / mandatory
1 file changed, 61 insertions(+)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 05b0c73edd6..8f0cff78695 100644
index 8316de84d7..0ed683103a 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -7138,6 +7138,8 @@ static void test_GetExplicitEntriesFromAclW(void)
@@ -6940,6 +6940,8 @@ static void test_maximum_allowed(void)
static void test_token_security_descriptor(void)
{
+ static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
+ {SECURITY_MANDATORY_LOW_RID}};
ACCESS_ALLOWED_ACE *ace;
char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
SECURITY_DESCRIPTOR *sd = (SECURITY_DESCRIPTOR *)&buffer_sd, *sd2;
@@ -7312,6 +7314,28 @@ static void test_token_security_descriptor(void)
char buffer_acl[256], buffer[MAX_PATH];
@@ -7110,6 +7112,28 @@ static void test_token_security_descriptor(void)
ret = SetKernelObjectSecurity(token, DACL_SECURITY_INFORMATION, sd);
ok(ret, "SetKernelObjectSecurity failed with %u\n", GetLastError());
+ /* The security label is also not inherited */
+ if (pAddMandatoryAce)
+ {
+ ret = InitializeAcl(pAcl, 256, ACL_REVISION);
+ ret = InitializeAcl(acl, 256, ACL_REVISION);
+ ok(ret, "InitializeAcl failed with %u\n", GetLastError());
+
+ ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
+ ret = pAddMandatoryAce(acl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
+ ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
+
+ memset(sd, 0, sizeof(buffer_sd));
+ ret = InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
+ ok(ret, "InitializeSecurityDescriptor failed with %u\n", GetLastError());
+
+ ret = SetSecurityDescriptorSacl(sd, TRUE, pAcl, FALSE);
+ ret = SetSecurityDescriptorSacl(sd, TRUE, acl, FALSE);
+ ok(ret, "SetSecurityDescriptorSacl failed with %u\n", GetLastError());
+
+ ret = SetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, sd);
@ -50,7 +50,7 @@ index 05b0c73edd6..8f0cff78695 100644
/* start child process with our modified token */
memset(&startup, 0, sizeof(startup));
startup.cb = sizeof(startup);
@@ -7335,6 +7359,9 @@ static void test_token_security_descriptor(void)
@@ -7272,6 +7296,9 @@ static void test_GetExplicitEntriesFromAclW(void)
static void test_child_token_sd(void)
{
@ -60,7 +60,7 @@ index 05b0c73edd6..8f0cff78695 100644
BOOL ret, present, defaulted, found;
ACCESS_ALLOWED_ACE *ace_acc;
SECURITY_DESCRIPTOR *sd;
@@ -7378,6 +7405,40 @@ static void test_child_token_sd(void)
@@ -7315,6 +7342,40 @@ static void test_child_token_sd(void)
LocalFree(psid);
HeapFree(GetProcessHeap(), 0, sd);
@ -102,5 +102,5 @@ index 05b0c73edd6..8f0cff78695 100644
START_TEST(security)
--
2.11.0
2.13.1

48
patches/server-LABEL_SECURITY_INFORMATION/0009-server-Assign-a-default-label-high-to-all-tokens.patch
View File

@ -1,4 +1,4 @@
From f7d7038841ba9db93e50fee369e3e8c2b595c74b Mon Sep 17 00:00:00 2001
From c58ae1d5ffa3fa25798833d84edfc56ae0394753 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
Date: Thu, 12 Jan 2017 05:58:02 +0100
Subject: server: Assign a default label (high) to all tokens.
@ -11,20 +11,20 @@ Subject: server: Assign a default label (high) to all tokens.
4 files changed, 103 insertions(+), 1 deletion(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 579b444a560..d6ea3a19fad 100644
index 0ed683103a..bc33a623cb 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -6487,6 +6487,8 @@ static void test_AddMandatoryAce(void)
@@ -6386,6 +6386,8 @@ static void test_AddMandatoryAce(void)
{SECURITY_MANDATORY_LOW_RID}};
static SID medium_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
{SECURITY_MANDATORY_MEDIUM_RID}};
+ static SID high_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
+ {SECURITY_MANDATORY_HIGH_RID}};
SYSTEM_MANDATORY_LABEL_ACE *ace;
static SID_IDENTIFIER_AUTHORITY sia_world = {SECURITY_WORLD_SID_AUTHORITY};
char buffer_sd[SECURITY_DESCRIPTOR_MIN_LENGTH];
SECURITY_DESCRIPTOR *sd2, *sd = (SECURITY_DESCRIPTOR *)&buffer_sd;
@@ -6708,6 +6710,45 @@ static void test_AddMandatoryAce(void)
@@ -6641,6 +6643,45 @@ static void test_AddMandatoryAce(void)
FreeSid(everyone);
HeapFree(GetProcessHeap(), 0, sd2);
CloseHandle(handle);
+
@ -39,19 +39,19 @@ index 579b444a560..d6ea3a19fad 100644
+ ret = GetKernelObjectSecurity(handle, LABEL_SECURITY_INFORMATION, sd2, size, &size);
+ ok(ret, "GetKernelObjectSecurity failed %u\n", GetLastError());
+
+ sAcl = (void *)0xdeadbeef;
+ sacl = (void *)0xdeadbeef;
+ present = FALSE;
+ defaulted = TRUE;
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sAcl, &defaulted);
+ ret = GetSecurityDescriptorSacl(sd2, &present, &sacl, &defaulted);
+ ok(ret, "GetSecurityDescriptorSacl failed with %u\n", GetLastError());
+ ok(present, "sAcl not present\n");
+ ok(sAcl != (void *)0xdeadbeef, "sAcl not set\n");
+ ok(sAcl->AceCount == 1, "Expected 1 ACEs, got %d\n", sAcl->AceCount);
+ ok(!defaulted, "sAcl defaulted\n");
+ ok(present, "sacl not present\n");
+ ok(sacl != (void *)0xdeadbeef, "sacl not set\n");
+ ok(sacl->AceCount == 1, "Expected 1 ACEs, got %d\n", sacl->AceCount);
+ ok(!defaulted, "sacl defaulted\n");
+
+ index = 0;
+ found = FALSE;
+ while (pGetAce( sAcl, index++, (void **)&ace ))
+ while (pGetAce( sacl, index++, (void **)&ace ))
+ {
+ if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE &&
+ (EqualSid(&ace->SidStart, &medium_level) || EqualSid(&ace->SidStart, &high_level)))
@ -69,19 +69,19 @@ index 579b444a560..d6ea3a19fad 100644
}
static void test_system_security_access(void)
@@ -7282,7 +7323,6 @@ static void test_token_security_descriptor(void)
@@ -7072,7 +7113,6 @@ static void test_token_security_descriptor(void)
defaulted = TRUE;
ret = GetSecurityDescriptorDacl(sd2, &present, &pAcl2, &defaulted);
ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
ok(ret, "GetSecurityDescriptorDacl failed with %u\n", GetLastError());
- todo_wine
ok(present, "pAcl2 not present\n");
ok(pAcl2 != (void *)0xdeadbeef, "pAcl2 not set\n");
ok(!defaulted, "pAcl2 defaulted\n");
ok(present, "acl2 not present\n");
ok(acl2 != (void *)0xdeadbeef, "acl2 not set\n");
ok(!defaulted, "acl2 defaulted\n");
diff --git a/server/process.c b/server/process.c
index f476cfaf0fe..eaf61eaea99 100644
index 5b1860df14..98dcb21f1a 100644
--- a/server/process.c
+++ b/server/process.c
@@ -574,6 +574,13 @@ struct thread *create_process( int fd, struct thread *parent_thread, int inherit
@@ -571,6 +571,13 @@ struct thread *create_process( int fd, struct thread *parent_thread, int inherit
}
if (!process->handles || !process->token) goto error;
@ -96,7 +96,7 @@ index f476cfaf0fe..eaf61eaea99 100644
if (pipe( request_pipe ) == -1)
{
diff --git a/server/security.h b/server/security.h
index 0342f643187..ee927f91a3d 100644
index 4d9db9ae41..606dbb2ab2 100644
--- a/server/security.h
+++ b/server/security.h
@@ -48,11 +48,13 @@ extern const PSID security_local_system_sid;
@ -114,7 +114,7 @@ index 0342f643187..ee927f91a3d 100644
int impersonation_level, const struct security_descriptor *sd );
extern int token_check_privileges( struct token *token, int all_required,
diff --git a/server/token.c b/server/token.c
index 85e931b2876..3b5c498147d 100644
index dc3887967c..a1c615eec3 100644
--- a/server/token.c
+++ b/server/token.c
@@ -70,6 +70,7 @@ static const SID interactive_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY },
@ -133,7 +133,7 @@ index 85e931b2876..3b5c498147d 100644
static luid_t prev_luid_value = { 1000, 0 };
@@ -631,6 +633,57 @@ struct sid_data
@@ -734,6 +736,57 @@ struct sid_data
unsigned int subauth[MAX_SUBAUTH_COUNT];
};
@ -192,5 +192,5 @@ index 85e931b2876..3b5c498147d 100644
{
struct token *token = NULL;
--
2.11.0
2.13.1

70
patches/server-Stored_ACLs/0003-server-Add-a-helper-function-set_sd_from_token_inter.patch
View File

@ -1,19 +1,19 @@
From 2703d701d65a588700494de3e36978ef12a3abe4 Mon Sep 17 00:00:00 2001
From d294da0642e0fafe103120915f835d529840d233 Mon Sep 17 00:00:00 2001
From: Sebastian Lackner <sebastian@fds-team.de>
Date: Mon, 30 Mar 2015 12:32:34 +0200
Subject: server: Add a helper function set_sd_from_token_internal to merge two
security descriptors.
---
server/object.c | 55 +++++++++++++++++++++++++++++++++++--------------------
server/object.c | 59 ++++++++++++++++++++++++++++++++++++---------------------
server/object.h | 3 +++
2 files changed, 38 insertions(+), 20 deletions(-)
2 files changed, 40 insertions(+), 22 deletions(-)
diff --git a/server/object.c b/server/object.c
index 965c11c..d04fdb9 100644
index 4455718aac..522035bcb8 100644
--- a/server/object.c
+++ b/server/object.c
@@ -425,8 +425,9 @@ struct security_descriptor *default_get_sd( struct object *obj )
@@ -535,8 +535,9 @@ struct security_descriptor *default_get_sd( struct object *obj )
return obj->sd;
}
@ -25,8 +25,8 @@ index 965c11c..d04fdb9 100644
{
struct security_descriptor new_sd, *new_sd_ptr;
int present;
@@ -434,8 +435,6 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
const ACL *sacl, *dacl;
@@ -545,8 +546,6 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
ACL *replaced_sacl = NULL;
char *ptr;
- if (!set_info) return 1;
@ -34,7 +34,7 @@ index 965c11c..d04fdb9 100644
new_sd.control = sd->control & ~SE_SELF_RELATIVE;
if (set_info & OWNER_SECURITY_INFORMATION && sd->owner_len)
@@ -443,10 +442,10 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
@@ -554,10 +553,10 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
owner = sd_get_owner( sd );
new_sd.owner_len = sd->owner_len;
}
@ -48,7 +48,7 @@ index 965c11c..d04fdb9 100644
}
else if (token)
{
@@ -460,10 +459,10 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
@@ -571,10 +570,10 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
group = sd_get_group( sd );
new_sd.group_len = sd->group_len;
}
@ -62,47 +62,61 @@ index 965c11c..d04fdb9 100644
}
else if (token)
{
@@ -478,10 +477,10 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
new_sd.sacl_len = sd->sacl_len;
@@ -592,20 +591,20 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
else if (set_info & LABEL_SECURITY_INFORMATION && present)
{
const ACL *old_sacl = NULL;
- if (obj->sd && obj->sd->control & SE_SACL_PRESENT) old_sacl = sd_get_sacl( obj->sd, &present );
- if (!(replaced_sacl = replace_security_labels( old_sacl, sacl ))) return 0;
+ if (old_sd && old_sd->control & SE_SACL_PRESENT) old_sacl = sd_get_sacl( old_sd, &present );
+ if (!(replaced_sacl = replace_security_labels( old_sacl, sacl ))) return NULL;
new_sd.control |= SE_SACL_PRESENT;
new_sd.sacl_len = replaced_sacl->AclSize;
sacl = replaced_sacl;
}
else
{
- if (obj->sd) sacl = sd_get_sacl( obj->sd, &present );
+ if (old_sd) sacl = sd_get_sacl( old_sd, &present );
- if (obj->sd && present)
- new_sd.sacl_len = obj->sd->sacl_len;
+ if (old_sd && present)
{
new_sd.control |= SE_SACL_PRESENT;
- new_sd.sacl_len = obj->sd->sacl_len;
+ new_sd.sacl_len = old_sd->sacl_len;
}
else
new_sd.sacl_len = 0;
@@ -619,12 +618,12 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
}
@@ -492,10 +491,10 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
new_sd.dacl_len = sd->dacl_len;
else
{
- if (obj->sd) dacl = sd_get_dacl( obj->sd, &present );
+ if (old_sd) dacl = sd_get_dacl( old_sd, &present );
- if (obj->sd && present)
- new_sd.dacl_len = obj->sd->dacl_len;
+ if (old_sd && present)
{
new_sd.control |= SE_DACL_PRESENT;
- new_sd.dacl_len = obj->sd->dacl_len;
+ new_sd.dacl_len = old_sd->dacl_len;
}
else if (token)
{
dacl = token_get_default_dacl( token );
@@ -506,7 +505,7 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
ptr = mem_alloc( sizeof(new_sd) + new_sd.owner_len + new_sd.group_len +
new_sd.sacl_len + new_sd.dacl_len );
- if (!ptr) return 0;
+ if (!ptr) return NULL;
@@ -640,7 +639,7 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
if (!ptr)
{
free( replaced_sacl );
- return 0;
+ return NULL;
}
new_sd_ptr = (struct security_descriptor*)ptr;
memcpy( ptr, &new_sd, sizeof(new_sd) );
@@ -519,9 +518,25 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
ptr += new_sd.sacl_len;
@@ -655,9 +654,25 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
memcpy( ptr, dacl, new_sd.dacl_len );
free( replaced_sacl );
- free( obj->sd );
- obj->sd = new_sd_ptr;
- return 1;
@ -129,10 +143,10 @@ index 965c11c..d04fdb9 100644
/** Set the security descriptor using the current primary token for defaults. */
diff --git a/server/object.h b/server/object.h
index 72b52ee..1444d74 100644
index b5c50e1cee..cfbd5e06bc 100644
--- a/server/object.h
+++ b/server/object.h
@@ -140,6 +140,9 @@ extern struct fd *no_get_fd( struct object *obj );
@@ -156,6 +156,9 @@ extern struct fd *no_get_fd( struct object *obj );
extern unsigned int no_map_access( struct object *obj, unsigned int access );
extern struct security_descriptor *default_get_sd( struct object *obj );
extern int default_set_sd( struct object *obj, const struct security_descriptor *sd, unsigned int set_info );
@ -143,5 +157,5 @@ index 72b52ee..1444d74 100644
unsigned int set_info, struct token *token );
extern struct object *no_lookup_name( struct object *obj, struct unicode_str *name, unsigned int attributes );
--
2.3.5
2.13.1