diff --git a/patches/Makefile b/patches/Makefile index 6cfe0e35..aa12782d 100644 --- a/patches/Makefile +++ b/patches/Makefile @@ -1063,8 +1063,8 @@ server-Address_Change_Notification.ok: # | .INTERMEDIATE: server-CreateProcess_ACLs.ok server-CreateProcess_ACLs.ok: - $(call APPLY_FILE,server-CreateProcess_ACLs/0001-server-Support-sending-thread-and-process-security-d.patch) - $(call APPLY_FILE,server-CreateProcess_ACLs/0002-kernel32-Implement-passing-a-process-security-descri.patch) + $(call APPLY_FILE,server-CreateProcess_ACLs/0001-server-Support-for-thread-and-process-security-descr.patch) + $(call APPLY_FILE,server-CreateProcess_ACLs/0002-kernel32-Implement-passing-security-descriptors-from.patch) $(call APPLY_FILE,server-CreateProcess_ACLs/0003-advapi32-tests-Add-additional-tests-for-passing-a-th.patch) @( \ echo '+ { "server-CreateProcess_ACLs", "Joris van der Wel / Sebastian Lackner", "Implement passing ACLs to CreateProcess. [rev 2]" },'; \ diff --git a/patches/server-CreateProcess_ACLs/0001-server-Support-sending-thread-and-process-security-d.patch b/patches/server-CreateProcess_ACLs/0001-server-Support-for-thread-and-process-security-descr.patch similarity index 80% rename from patches/server-CreateProcess_ACLs/0001-server-Support-sending-thread-and-process-security-d.patch rename to patches/server-CreateProcess_ACLs/0001-server-Support-for-thread-and-process-security-descr.patch index 51048201..39f01e66 100644 --- a/patches/server-CreateProcess_ACLs/0001-server-Support-sending-thread-and-process-security-d.patch +++ b/patches/server-CreateProcess_ACLs/0001-server-Support-for-thread-and-process-security-descr.patch @@ -1,15 +1,17 @@ -From 9a9b0d8a21af0e88e1a0af4f32bcf10fabad3e5a Mon Sep 17 00:00:00 2001 +From d1b9346061b979dfa089e690f29618d67aff1c3d Mon Sep 17 00:00:00 2001 From: Sebastian Lackner -Date: Sat, 23 Aug 2014 05:58:30 +0200 -Subject: server: Support sending thread and process security descriptors in +Date: Wed, 15 Oct 2014 10:02:22 +0200 +Subject: server: Support for thread and process security descriptors in new_process wineserver call. -Based on a patch by Joris van der Wel. The original patch was removed since it contained several mistakes in validating untrusted length arguments. +Based on a patch by Joris van der Wel. + +Needs ./tools/make_requests --- - dlls/kernel32/process.c | 2 ++ - server/process.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++- - server/protocol.def | 6 +++++- - 3 files changed, 55 insertions(+), 2 deletions(-) + dlls/kernel32/process.c | 2 ++ + server/process.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++- + server/protocol.def | 6 +++++- + 3 files changed, 56 insertions(+), 2 deletions(-) diff --git a/dlls/kernel32/process.c b/dlls/kernel32/process.c index 301c64a..5de8b59 100644 @@ -25,7 +27,7 @@ index 301c64a..5de8b59 100644 wine_server_add_data( req, startup_info, startup_info_size ); wine_server_add_data( req, env, (env_end - env) * sizeof(WCHAR) ); diff --git a/server/process.c b/server/process.c -index 7b9a3b2..426bcca 100644 +index 7b9a3b2..6020ca0 100644 --- a/server/process.c +++ b/server/process.c @@ -880,6 +880,7 @@ DECL_HANDLER(new_process) @@ -45,14 +47,15 @@ index 7b9a3b2..426bcca 100644 info->info_size = min( req->info_size, info->data_size ); if (req->info_size < sizeof(*info->data)) -@@ -953,6 +954,31 @@ DECL_HANDLER(new_process) +@@ -953,6 +954,34 @@ DECL_HANDLER(new_process) #undef FIXUP_LEN } -+ /* validate security descriptors (if any) */ + if (get_req_data_size() > req->info_size + req->env_size) + { + data_size_t sd_size, pos = req->info_size + req->env_size; ++ ++ /* verify process sd */ + if ((sd_size = min( get_req_data_size() - pos, req->process_sd_size ))) + { + process_sd = (const struct security_descriptor *)((const char *)get_req_data() + pos); @@ -63,6 +66,8 @@ index 7b9a3b2..426bcca 100644 + } + pos += sd_size; + } ++ ++ /* verify thread sd */ + if ((sd_size = get_req_data_size() - pos)) + { + thread_sd = (const struct security_descriptor *)((const char *)get_req_data() + pos); @@ -77,14 +82,13 @@ index 7b9a3b2..426bcca 100644 if (!(thread = create_process( socket_fd, current, req->inherit_all ))) goto done; process = thread->process; process->debug_children = (req->create_flags & DEBUG_PROCESS) -@@ -1004,6 +1030,27 @@ DECL_HANDLER(new_process) +@@ -1004,6 +1033,25 @@ DECL_HANDLER(new_process) reply->phandle = alloc_handle( parent, process, req->process_access, req->process_attr ); reply->thandle = alloc_handle( parent, thread, req->thread_access, req->thread_attr ); + if (process_sd) + { -+ default_set_sd( &process->obj, -+ process_sd, ++ default_set_sd( &process->obj, process_sd, + OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | + DACL_SECURITY_INFORMATION | @@ -93,8 +97,7 @@ index 7b9a3b2..426bcca 100644 + + if (thread_sd) + { -+ set_sd_defaults_from_token( &thread->obj, -+ thread_sd, ++ set_sd_defaults_from_token( &thread->obj, thread_sd, + OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | + DACL_SECURITY_INFORMATION | @@ -106,7 +109,7 @@ index 7b9a3b2..426bcca 100644 release_object( info ); } diff --git a/server/protocol.def b/server/protocol.def -index c9270ea..3f75375 100644 +index 4854e3d..97f0623 100644 --- a/server/protocol.def +++ b/server/protocol.def @@ -671,8 +671,12 @@ struct rawinput_device @@ -117,12 +120,12 @@ index c9270ea..3f75375 100644 + data_size_t process_sd_size;/* size of the process security descriptor */ VARARG(info,startup_info,info_size); /* startup information */ - VARARG(env,unicode_str); /* environment for new process */ -+ VARARG(env,unicode_str,env_size); /* environment for new process */ ++ VARARG(env,unicode_str,env_size); /* environment for new process */ + VARARG(process_sd,security_descriptor,process_sd_size); /* security descriptor to set on the process */ -+ VARARG(thread_sd,security_descriptor); /* security descriptor to set on the thread */ ++ VARARG(thread_sd,security_descriptor); /* security descriptor to set on the thread */ @REPLY obj_handle_t info; /* new process info handle */ process_id_t pid; /* process id */ -- -1.7.9.5 +2.1.2 diff --git a/patches/server-CreateProcess_ACLs/0002-kernel32-Implement-passing-a-process-security-descri.patch b/patches/server-CreateProcess_ACLs/0002-kernel32-Implement-passing-security-descriptors-from.patch similarity index 87% rename from patches/server-CreateProcess_ACLs/0002-kernel32-Implement-passing-a-process-security-descri.patch rename to patches/server-CreateProcess_ACLs/0002-kernel32-Implement-passing-security-descriptors-from.patch index 13843792..3ff16971 100644 --- a/patches/server-CreateProcess_ACLs/0002-kernel32-Implement-passing-a-process-security-descri.patch +++ b/patches/server-CreateProcess_ACLs/0002-kernel32-Implement-passing-security-descriptors-from.patch @@ -1,13 +1,15 @@ -From bcf14e35900209c3177b76ae9b1e368aa12d58e6 Mon Sep 17 00:00:00 2001 +From 116bf59039367e09f1409e5a4df5f64d9667749f Mon Sep 17 00:00:00 2001 From: Sebastian Lackner -Date: Sat, 23 Aug 2014 06:27:28 +0200 -Subject: kernel32: Implement passing a process security descriptor from - CreateProcess to the wineserver. +Date: Wed, 15 Oct 2014 10:02:27 +0200 +Subject: kernel32: Implement passing security descriptors from CreateProcess + to the wineserver. Based on a patch by Joris van der Wel. + +Unfortunately we have to duplicate create_struct_sd from ntdll, but thats the easiest solution right now. In long term we should probably think about moving process creation logic to ntdll. --- - dlls/advapi32/tests/security.c | 3 -- - dlls/kernel32/process.c | 102 +++++++++++++++++++++++++++++++++++++++- + dlls/advapi32/tests/security.c | 3 -- + dlls/kernel32/process.c | 102 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 101 insertions(+), 4 deletions(-) diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c @@ -34,7 +36,7 @@ index b44496a..b1b35aa 100644 /* Documented privilege elevation */ diff --git a/dlls/kernel32/process.c b/dlls/kernel32/process.c -index 5de8b59..7d28140 100644 +index 5de8b59..d1746a5 100644 --- a/dlls/kernel32/process.c +++ b/dlls/kernel32/process.c @@ -1916,6 +1916,70 @@ static pid_t exec_loader( LPCWSTR cmd_line, unsigned int flags, int socketfd, @@ -128,7 +130,7 @@ index 5de8b59..7d28140 100644 + { + close( socketfd[0] ); + close( socketfd[1] ); -+ WARN("Invalid process security descriptor: Status %x\n", status); ++ WARN( "Invalid process security descriptor: Status %x\n", status ); + SetLastError( RtlNtStatusToDosError(status) ); + return FALSE; + } @@ -139,10 +141,10 @@ index 5de8b59..7d28140 100644 + status = create_struct_sd( tsa->lpSecurityDescriptor, &thread_sd, &thread_sd_size ); + if (status != STATUS_SUCCESS) + { -+ RtlFreeHeap(GetProcessHeap(), 0, process_sd); ++ RtlFreeHeap( GetProcessHeap(), 0, process_sd ); + close( socketfd[0] ); + close( socketfd[1] ); -+ WARN("Invalid thread security descriptor: Status %x\n", status); ++ WARN( "Invalid thread security descriptor: Status %x\n", status ); + SetLastError( RtlNtStatusToDosError(status) ); + return FALSE; + } @@ -154,8 +156,8 @@ index 5de8b59..7d28140 100644 &startup_info_size ))) { RtlReleasePebLock(); -+ RtlFreeHeap(GetProcessHeap(), 0, process_sd); -+ RtlFreeHeap(GetProcessHeap(), 0, thread_sd); ++ RtlFreeHeap( GetProcessHeap(), 0, process_sd ); ++ RtlFreeHeap( GetProcessHeap(), 0, thread_sd ); close( socketfd[0] ); close( socketfd[1] ); return FALSE; @@ -177,12 +179,12 @@ index 5de8b59..7d28140 100644 SERVER_END_REQ; RtlReleasePebLock(); -+ RtlFreeHeap(GetProcessHeap(), 0, process_sd); -+ RtlFreeHeap(GetProcessHeap(), 0, thread_sd); ++ RtlFreeHeap( GetProcessHeap(), 0, process_sd ); ++ RtlFreeHeap( GetProcessHeap(), 0, thread_sd ); + if (status) { switch (status) -- -1.7.9.5 +2.1.2 diff --git a/patches/server-CreateProcess_ACLs/0003-advapi32-tests-Add-additional-tests-for-passing-a-th.patch b/patches/server-CreateProcess_ACLs/0003-advapi32-tests-Add-additional-tests-for-passing-a-th.patch index 0f164280..49948e8c 100644 --- a/patches/server-CreateProcess_ACLs/0003-advapi32-tests-Add-additional-tests-for-passing-a-th.patch +++ b/patches/server-CreateProcess_ACLs/0003-advapi32-tests-Add-additional-tests-for-passing-a-th.patch @@ -1,15 +1,15 @@ -From 3c5ee362799eef25543ef8a9787d97fcf8cef304 Mon Sep 17 00:00:00 2001 +From 2024b3a2a4d0db56c15d96b05f1be146b1f37fb9 Mon Sep 17 00:00:00 2001 From: Joris van der Wel -Date: Sun, 3 Aug 2014 12:52:44 +0200 +Date: Wed, 15 Oct 2014 10:02:33 +0200 Subject: advapi32/tests: Add additional tests for passing a thread sd to CreateProcess. --- - dlls/advapi32/tests/security.c | 44 ++++++++++++++++++++++++++++++++++++---- + dlls/advapi32/tests/security.c | 44 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c -index b1b35aa..eb9b8cb 100644 +index b1b35aa..09fb7fa 100644 --- a/dlls/advapi32/tests/security.c +++ b/dlls/advapi32/tests/security.c @@ -2532,12 +2532,12 @@ static void test_process_security(void) @@ -32,23 +32,23 @@ index b1b35aa..eb9b8cb 100644 psa.lpSecurityDescriptor = SecurityDescriptor; psa.bInheritHandle = TRUE; -+ ThreadSecurityDescriptor = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH); -+ res = InitializeSecurityDescriptor(ThreadSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION); ++ ThreadSecurityDescriptor = HeapAlloc( GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH ); ++ res = InitializeSecurityDescriptor( ThreadSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION ); + ok(res, "InitializeSecurityDescriptor failed with error %d\n", GetLastError()); + -+ ThreadAcl = HeapAlloc(GetProcessHeap(), 0, 256); -+ res = InitializeAcl(ThreadAcl, 256, ACL_REVISION); ++ ThreadAcl = HeapAlloc( GetProcessHeap(), 0, 256 ); ++ res = InitializeAcl( ThreadAcl, 256, ACL_REVISION ); + ok(res, "InitializeAcl failed with error %d\n", GetLastError()); -+ res = AddAccessDeniedAce(ThreadAcl, ACL_REVISION, THREAD_SET_THREAD_TOKEN, AdminSid); -+ ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError()); -+ res = AddAccessAllowedAce(ThreadAcl, ACL_REVISION, THREAD_ALL_ACCESS, AdminSid); ++ res = AddAccessDeniedAce( ThreadAcl, ACL_REVISION, THREAD_SET_THREAD_TOKEN, AdminSid ); ++ ok(res, "AddAccessDeniedAce failed with error %d\n", GetLastError() ); ++ res = AddAccessAllowedAce( ThreadAcl, ACL_REVISION, THREAD_ALL_ACCESS, AdminSid ); + ok(res, "AddAccessAllowedAce failed with error %d\n", GetLastError()); + -+ res = SetSecurityDescriptorOwner(ThreadSecurityDescriptor, AdminSid, FALSE); ++ res = SetSecurityDescriptorOwner( ThreadSecurityDescriptor, AdminSid, FALSE ); + ok(res, "SetSecurityDescriptorOwner failed with error %d\n", GetLastError()); -+ res = SetSecurityDescriptorGroup(ThreadSecurityDescriptor, UsersSid, FALSE); ++ res = SetSecurityDescriptorGroup( ThreadSecurityDescriptor, UsersSid, FALSE ); + ok(res, "SetSecurityDescriptorGroup failed with error %d\n", GetLastError()); -+ res = SetSecurityDescriptorDacl(ThreadSecurityDescriptor, TRUE, ThreadAcl, FALSE); ++ res = SetSecurityDescriptorDacl( ThreadSecurityDescriptor, TRUE, ThreadAcl, FALSE ); + ok(res, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError()); + + tsa.nLength = sizeof(tsa); @@ -80,7 +80,7 @@ index b1b35aa..eb9b8cb 100644 CloseHandle( handle1 ); CloseHandle( handle ); + -+ ++ /* Test thread security */ + handle = OpenThread( THREAD_TERMINATE, FALSE, GetCurrentThreadId() ); + ok(handle != NULL, "OpenThread(THREAD_TERMINATE) with err:%d\n", GetLastError()); + TEST_GRANTED_ACCESS( handle, PROCESS_TERMINATE ); @@ -92,5 +92,5 @@ index b1b35aa..eb9b8cb 100644 static void test_impersonation_level(void) -- -1.7.9.5 +2.1.2