Release 2.8.

The issue is mentioned in bug 32515, but Steam cache
validation still fails with this patch applied.

README.md

@@ -13,7 +13,7 @@ Installation
 
 Ready-to-use packages for Wine Staging are available for a variety of Linux
 distributions and for Mac OS X. Just follow the
-[installation instructions](https://github.com/wine-compholio/wine-staging/wiki/Installation)
+[installation instructions](https://wine-staging.com/installation.html)
 for your operating system.
 
 On most distributions the `wine-staging` package is installed to

patches/Compiler_Warnings/0001-ole32-Fix-compilation-with-recent-versions-of-gcc.patch

@@ -0,0 +1,26 @@
+From 43628d9b1905396ff6442e4f1e07c9dd48739b19 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Fri, 14 Apr 2017 15:57:18 +0200
+Subject: ole32: Fix compilation with recent versions of gcc.
+
+---
+ dlls/ole32/storage32.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dlls/ole32/storage32.h b/dlls/ole32/storage32.h
+index 4fcfd9c362..2b23ab8eb8 100644
+--- a/dlls/ole32/storage32.h
++++ b/dlls/ole32/storage32.h
+@@ -526,6 +526,9 @@ StgStreamImpl* StgStreamImpl_Construct(
+ /******************************************************************************
+  * Endian conversion macros
+  */
++#undef htole32
++#undef htole16
++
+ #ifdef WORDS_BIGENDIAN
+ 
+ #define htole32(x) RtlUlongByteSwap(x)
+-- 
+2.12.2
+

patches/Exagear/0001-ntdll-Implement-emulation-of-SIDT-instruction-when-u.patch

@@ -1,287 +0,0 @@
-From 472184e5801de5d1fb92d275d9c0c7e840c9a0bf Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Tue, 11 Nov 2014 03:11:33 +0100
-Subject: ntdll: Implement emulation of SIDT instruction when using Exagear.
-
----
- configure.ac             |   8 ++
- dlls/ntdll/signal_i386.c | 223 +++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 231 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 1e6bba3..43bf0db 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -32,6 +32,7 @@ AC_ARG_ENABLE(win16, AS_HELP_STRING([--disable-win16],[do not include Win16 supp
- AC_ARG_ENABLE(win64, AS_HELP_STRING([--enable-win64],[build a Win64 emulator on AMD64 (won't run Win32 binaries)]))
- AC_ARG_ENABLE(tests, AS_HELP_STRING([--disable-tests],[do not build the regression tests]))
- AC_ARG_ENABLE(maintainer-mode, AS_HELP_STRING([--enable-maintainer-mode],[enable maintainer-specific build rules]))
-+AC_ARG_ENABLE(exagear-compat, AS_HELP_STRING([--enable-exagear-compat],[use workarounds for known problems in the Exagear emulator]))
- 
- AC_ARG_WITH(alsa,      AS_HELP_STRING([--without-alsa],[do not use the Alsa sound support]),
-             [if test "x$withval" = "xno"; then ac_cv_header_sys_asoundlib_h=no; ac_cv_header_alsa_asoundlib_h=no; fi])
-@@ -364,6 +365,13 @@ WINE_WARNING_WITH(gettext,[test "$MSGFMT" = false],
-                   [gettext tools not found (or too old), translations won't be built.],
-                   [enable_po])
- 
-+dnl **** Enable Exagear workarounds ****
-+
-+if test "x$enable_exagear_compat" = "xyes"
-+then
-+  AC_DEFINE(EXAGEAR_COMPAT, 1, [Define if you want to enable Exagear emulator workarounds])
-+fi
-+
- dnl **** Check for some libraries ****
- 
- dnl Check for -li386 for NetBSD and OpenBSD
-diff --git a/dlls/ntdll/signal_i386.c b/dlls/ntdll/signal_i386.c
-index ee8855a..4269329 100644
---- a/dlls/ntdll/signal_i386.c
-+++ b/dlls/ntdll/signal_i386.c
-@@ -96,6 +96,14 @@ typedef struct
-     BYTE Reserved4[96];
- } XMM_SAVE_AREA32;
- 
-+#include "pshpack1.h"
-+struct idtr
-+{
-+    WORD  limit;
-+    BYTE *base;
-+};
-+#include "poppack.h"
-+
- /***********************************************************************
-  * signal context platform-specific definitions
-  */
-@@ -1898,6 +1906,213 @@ static inline DWORD get_fpu_code( const CONTEXT *context )
- }
- 
- 
-+#ifdef EXAGEAR_COMPAT
-+
-+/***********************************************************************
-+ *           INSTR_GetOperandAddr
-+ *
-+ * Return the address of an instruction operand (from the mod/rm byte).
-+ */
-+static BYTE *INSTR_GetOperandAddr( CONTEXT *context, const BYTE *instr,
-+                                   int long_addr, int segprefix, int *len )
-+{
-+    int mod, rm, base = 0, index = 0, ss = 0, off;
-+
-+#define GET_VAL(val,type) \
-+    { *val = *(type *)instr; instr += sizeof(type); *len += sizeof(type); }
-+
-+    *len = 0;
-+    GET_VAL( &mod, BYTE );
-+    rm = mod & 7;
-+    mod >>= 6;
-+
-+    if (mod == 3)
-+    {
-+        switch(rm)
-+        {
-+        case 0: return (BYTE *)&context->Eax;
-+        case 1: return (BYTE *)&context->Ecx;
-+        case 2: return (BYTE *)&context->Edx;
-+        case 3: return (BYTE *)&context->Ebx;
-+        case 4: return (BYTE *)&context->Esp;
-+        case 5: return (BYTE *)&context->Ebp;
-+        case 6: return (BYTE *)&context->Esi;
-+        case 7: return (BYTE *)&context->Edi;
-+        }
-+    }
-+
-+    if (long_addr)
-+    {
-+        if (rm == 4)
-+        {
-+            BYTE sib;
-+            GET_VAL( &sib, BYTE );
-+            rm = sib & 7;
-+            ss = sib >> 6;
-+            switch((sib >> 3) & 7)
-+            {
-+            case 0: index = context->Eax; break;
-+            case 1: index = context->Ecx; break;
-+            case 2: index = context->Edx; break;
-+            case 3: index = context->Ebx; break;
-+            case 4: index = 0; break;
-+            case 5: index = context->Ebp; break;
-+            case 6: index = context->Esi; break;
-+            case 7: index = context->Edi; break;
-+            }
-+        }
-+
-+        switch(rm)
-+        {
-+        case 0: base = context->Eax; break;
-+        case 1: base = context->Ecx; break;
-+        case 2: base = context->Edx; break;
-+        case 3: base = context->Ebx; break;
-+        case 4: base = context->Esp; break;
-+        case 5: base = context->Ebp; break;
-+        case 6: base = context->Esi; break;
-+        case 7: base = context->Edi; break;
-+        }
-+        switch (mod)
-+        {
-+        case 0:
-+            if (rm == 5)  /* special case: ds:(disp32) */
-+            {
-+                GET_VAL( &base, DWORD );
-+            }
-+            break;
-+
-+        case 1:  /* 8-bit disp */
-+            GET_VAL( &off, BYTE );
-+            base += (signed char)off;
-+            break;
-+
-+        case 2:  /* 32-bit disp */
-+            GET_VAL( &off, DWORD );
-+            base += (signed long)off;
-+            break;
-+        }
-+    }
-+    else  /* short address */
-+    {
-+        switch(rm)
-+        {
-+        case 0:  /* ds:(bx,si) */
-+            base = LOWORD(context->Ebx) + LOWORD(context->Esi);
-+            break;
-+        case 1:  /* ds:(bx,di) */
-+            base = LOWORD(context->Ebx) + LOWORD(context->Edi);
-+            break;
-+        case 2:  /* ss:(bp,si) */
-+            base = LOWORD(context->Ebp) + LOWORD(context->Esi);
-+            break;
-+        case 3:  /* ss:(bp,di) */
-+            base = LOWORD(context->Ebp) + LOWORD(context->Edi);
-+            break;
-+        case 4:  /* ds:(si) */
-+            base = LOWORD(context->Esi);
-+            break;
-+        case 5:  /* ds:(di) */
-+            base = LOWORD(context->Edi);
-+            break;
-+        case 6:  /* ss:(bp) */
-+            base = LOWORD(context->Ebp);
-+            break;
-+        case 7:  /* ds:(bx) */
-+            base = LOWORD(context->Ebx);
-+            break;
-+        }
-+
-+        switch(mod)
-+        {
-+        case 0:
-+            if (rm == 6)  /* special case: ds:(disp16) */
-+            {
-+                GET_VAL( &base, WORD );
-+            }
-+            break;
-+
-+        case 1:  /* 8-bit disp */
-+            GET_VAL( &off, BYTE );
-+            base += (signed char)off;
-+            break;
-+
-+        case 2:  /* 16-bit disp */
-+            GET_VAL( &off, WORD );
-+            base += (signed short)off;
-+            break;
-+        }
-+        base &= 0xffff;
-+    }
-+    /* FIXME: we assume that all segments have a base of 0 */
-+    return (BYTE *)(base + (index << ss));
-+#undef GET_VAL
-+}
-+
-+
-+/***********************************************************************
-+ *           check_invalid_instr
-+ *
-+ * Support for instructions not implemented by Exagear.
-+ */
-+static inline BOOL check_invalid_instr( CONTEXT *context )
-+{
-+    const BYTE *instr;
-+    unsigned int prefix_count = 0;
-+    int len, long_addr = 1;
-+
-+    if (!wine_ldt_is_system( context->SegCs )) return FALSE;
-+    instr = (BYTE *)context->Eip;
-+
-+    for (;;) switch (*instr)
-+    {
-+    /* instruction prefixes */
-+    case 0x2e:  /* %cs: */
-+    case 0x36:  /* %ss: */
-+    case 0x3e:  /* %ds: */
-+    case 0x26:  /* %es: */
-+    case 0x64:  /* %fs: */
-+    case 0x65:  /* %gs: */
-+    case 0x66:  /* opcode size */
-+    case 0x67:  /* addr size */
-+    case 0xf0:  /* lock */
-+    case 0xf2:  /* repne */
-+    case 0xf3:  /* repe */
-+        if (++prefix_count >= 15) return FALSE;
-+        if (*instr == 0x67) long_addr = !long_addr; /* addr size */
-+        instr++;
-+        continue;
-+    case 0x0f: /* extended instruction */
-+        switch (instr[1])
-+        {
-+        case 0x01:
-+            if (((instr[2] >> 3) & 7) == 1) /* sidt m */
-+            {
-+                struct idtr ret;
-+                BYTE *addr;
-+
-+                if ((instr[2] >> 6) == 3) return FALSE; /* loading to register not allowed */
-+                addr = INSTR_GetOperandAddr( context, instr + 2, long_addr, 0, &len );
-+
-+                /* fake IDT structure */
-+                ret.limit = 0xfff;
-+                ret.base  = (void *)0xff000000;
-+                memcpy(addr, &ret, sizeof(ret));
-+
-+                context->Eip += prefix_count + len + 2;
-+                return TRUE;
-+            }
-+            break;
-+        }
-+        return FALSE;
-+    default:
-+        return FALSE;
-+    }
-+}
-+
-+#endif /* EXAGEAR_COMPAT */
-+
-+
- /**********************************************************************
-  *		raise_segv_exception
-  */
-@@ -1907,6 +2122,14 @@ static void WINAPI raise_segv_exception( EXCEPTION_RECORD *rec, CONTEXT *context
- 
-     switch(rec->ExceptionCode)
-     {
-+#ifdef EXAGEAR_COMPAT
-+    case EXCEPTION_ILLEGAL_INSTRUCTION:
-+        {
-+            if (check_invalid_instr( context ))
-+                goto done;
-+        }
-+        break;
-+#endif
-     case EXCEPTION_ACCESS_VIOLATION:
-         if (rec->NumberParameters == 2)
-         {
--- 
-2.7.1
-

patches/Exagear/0002-ntdll-Fix-issues-with-write-watches-when-using-Exage.patch

@@ -1,51 +0,0 @@
-From 5a4827d5c16aefd82029583710b9032a2356917b Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Sat, 22 Nov 2014 05:49:30 +0100
-Subject: ntdll: Fix issues with write watches when using Exagear.
-
----
- dlls/ntdll/virtual.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c
-index f7aae0b..3fa2027 100644
---- a/dlls/ntdll/virtual.c
-+++ b/dlls/ntdll/virtual.c
-@@ -1558,6 +1558,26 @@ NTSTATUS virtual_handle_fault( LPCVOID addr, DWORD err, BOOL on_signal_stack )
-     {
-         void *page = ROUND_ADDR( addr, page_mask );
-         BYTE *vprot = &view->prot[((const char *)page - (const char *)view->base) >> page_shift];
-+#ifdef EXAGEAR_COMPAT
-+        /* Exagear doesn't correctly set err, so always check for write watches, and
-+         * retry after removing the VPROT_WRITEWATCH or VPROT_WRITECOPY flag. In
-+         * contrary to the general implementation below this is not completely race-
-+         * condition safe. When multiple threads trigger the write watch at the same
-+         * time only the first thread will properly continue the execution, the rest
-+         * will crash. */
-+        if ((view->protect & VPROT_WRITEWATCH) && (*vprot & VPROT_WRITEWATCH))
-+        {
-+            *vprot &= ~VPROT_WRITEWATCH;
-+            VIRTUAL_SetProt( view, page, page_size, *vprot );
-+            if (VIRTUAL_GetUnixProt( *vprot ) & PROT_WRITE) ret = STATUS_SUCCESS;
-+        }
-+        if (*vprot & VPROT_WRITECOPY)
-+        {
-+            *vprot = (*vprot & ~VPROT_WRITECOPY) | VPROT_WRITE;
-+            VIRTUAL_SetProt( view, page, page_size, *vprot );
-+            if (VIRTUAL_GetUnixProt( *vprot ) & PROT_WRITE) ret = STATUS_SUCCESS;
-+        }
-+#else
-         if (err & EXCEPTION_WRITE_FAULT)
-         {
-             if ((view->protect & VPROT_WRITEWATCH) && (*vprot & VPROT_WRITEWATCH))
-@@ -1573,6 +1593,7 @@ NTSTATUS virtual_handle_fault( LPCVOID addr, DWORD err, BOOL on_signal_stack )
-             /* ignore fault if page is writable now */
-             if (VIRTUAL_GetUnixProt( *vprot ) & PROT_WRITE) ret = STATUS_SUCCESS;
-         }
-+#endif
-         if (!on_signal_stack && (*vprot & VPROT_GUARD))
-         {
-             VIRTUAL_SetProt( view, page, page_size, *vprot & ~VPROT_GUARD );
--- 
-2.2.2
-

patches/Exagear/0003-server-Don-t-attempt-to-use-ptrace-when-running-with.patch

@@ -1,25 +0,0 @@
-From 67cc0e23b26d5d9abda7eb771dc2bec309cb8650 Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Sun, 23 Nov 2014 22:33:51 +0100
-Subject: server: Don't attempt to use ptrace when running with Exagear.
-
----
- server/ptrace.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/server/ptrace.c b/server/ptrace.c
-index cb436b6..fb29b5a 100644
---- a/server/ptrace.c
-+++ b/server/ptrace.c
-@@ -531,7 +531,7 @@ void get_selector_entry( struct thread *thread, int entry, unsigned int *base,
- 
- 
- #if defined(linux) && (defined(HAVE_SYS_USER_H) || defined(HAVE_ASM_USER_H)) \
--    && (defined(__i386__) || defined(__x86_64__))
-+    && (defined(__i386__) || defined(__x86_64__)) && !defined(EXAGEAR_COMPAT)
- 
- #ifdef HAVE_SYS_USER_H
- #include <sys/user.h>
--- 
-2.1.3
-

patches/Exagear/definition

@@ -1,2 +0,0 @@
-Depends: ntdll-WRITECOPY
-Disabled: true

patches/Staging/definition

@@ -1 +0,0 @@
-Depends: kernel32-BeingDebugged

patches/advapi-LsaLookupPrivilegeName/0001-advapi32-Fix-error-code-when-calling-LsaOpenPolicy-f.patch

@@ -0,0 +1,55 @@
+From ce0ab0ccd6e4953a9673d15e00cf602668469c2c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Sun, 5 Mar 2017 23:04:36 +0100
+Subject: advapi32: Fix error code when calling LsaOpenPolicy for non existing
+ remote machine.
+
+---
+ dlls/advapi32/lsa.c       |  2 +-
+ dlls/advapi32/tests/lsa.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/dlls/advapi32/lsa.c b/dlls/advapi32/lsa.c
+index b8dedbd6d58..e5e3b1649c0 100644
+--- a/dlls/advapi32/lsa.c
++++ b/dlls/advapi32/lsa.c
+@@ -692,7 +692,7 @@ NTSTATUS WINAPI LsaOpenPolicy(
+           ObjectAttributes, DesiredAccess, PolicyHandle);
+ 
+     ADVAPI_ForceLocalComputer(SystemName ? SystemName->Buffer : NULL,
+-                              STATUS_ACCESS_VIOLATION);
++                              RPC_NT_SERVER_UNAVAILABLE);
+     dumpLsaAttributes(ObjectAttributes);
+ 
+     if(PolicyHandle) *PolicyHandle = (LSA_HANDLE)0xcafe;
+diff --git a/dlls/advapi32/tests/lsa.c b/dlls/advapi32/tests/lsa.c
+index 4daf75f58d1..7ddda731be2 100644
+--- a/dlls/advapi32/tests/lsa.c
++++ b/dlls/advapi32/tests/lsa.c
+@@ -70,6 +70,8 @@ static BOOL init(void)
+ 
+ static void test_lsa(void)
+ {
++    static WCHAR machineW[] = {'W','i','n','e','N','o','M','a','c','h','i','n','e',0};
++    LSA_UNICODE_STRING machine;
+     NTSTATUS status;
+     LSA_HANDLE handle;
+     LSA_OBJECT_ATTRIBUTES object_attributes;
+@@ -77,6 +79,14 @@ static void test_lsa(void)
+     ZeroMemory(&object_attributes, sizeof(object_attributes));
+     object_attributes.Length = sizeof(object_attributes);
+ 
++    machine.Buffer = machineW;
++    machine.Length = sizeof(machineW) - 2;
++    machine.MaximumLength = sizeof(machineW);
++
++    status = pLsaOpenPolicy( &machine, &object_attributes, POLICY_LOOKUP_NAMES, &handle);
++    ok(status == RPC_NT_SERVER_UNAVAILABLE,
++       "LsaOpenPolicy(POLICY_LOOKUP_NAMES) for invalid machine returned 0x%08x\n", status);
++
+     status = pLsaOpenPolicy( NULL, &object_attributes, POLICY_ALL_ACCESS, &handle);
+     ok(status == STATUS_SUCCESS || status == STATUS_ACCESS_DENIED,
+        "LsaOpenPolicy(POLICY_ALL_ACCESS) returned 0x%08x\n", status);
+-- 
+2.11.0
+

patches/advapi-LsaLookupPrivilegeName/0002-advapi32-Use-TRACE-for-LsaOpenPolicy-LsaClose.patch

@@ -0,0 +1,34 @@
+From 1941137bff72a2297812bbd05fb6f6a1578426b0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Sun, 5 Mar 2017 23:05:54 +0100
+Subject: advapi32: Use TRACE for LsaOpenPolicy/LsaClose.
+
+---
+ dlls/advapi32/lsa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dlls/advapi32/lsa.c b/dlls/advapi32/lsa.c
+index e5e3b1649c0..0f2167d19ab 100644
+--- a/dlls/advapi32/lsa.c
++++ b/dlls/advapi32/lsa.c
+@@ -136,7 +136,7 @@ NTSTATUS WINAPI LsaAddAccountRights(
+  */
+ NTSTATUS WINAPI LsaClose(IN LSA_HANDLE ObjectHandle)
+ {
+-    FIXME("(%p) stub\n", ObjectHandle);
++    TRACE("(%p) semi-stub\n", ObjectHandle);
+     return STATUS_SUCCESS;
+ }
+ 
+@@ -687,7 +687,7 @@ NTSTATUS WINAPI LsaOpenPolicy(
+     IN ACCESS_MASK DesiredAccess,
+     IN OUT PLSA_HANDLE PolicyHandle)
+ {
+-    FIXME("(%s,%p,0x%08x,%p) stub\n",
++    TRACE("(%s,%p,0x%08x,%p) semi-stub\n",
+           SystemName?debugstr_w(SystemName->Buffer):"(null)",
+           ObjectAttributes, DesiredAccess, PolicyHandle);
+ 
+-- 
+2.11.0
+

patches/advapi-LsaLookupPrivilegeName/0003-advapi32-Implement-LsaLookupPrivilegeName.patch

@@ -0,0 +1,162 @@
+From bee5e0baac722c66ad8c1034a65a2cecfe74716e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Sun, 5 Mar 2017 23:50:06 +0100
+Subject: advapi32: Implement LsaLookupPrivilegeName.
+
+---
+ dlls/advapi32/advapi32.spec   |  2 +-
+ dlls/advapi32/advapi32_misc.h |  2 ++
+ dlls/advapi32/lsa.c           | 38 ++++++++++++++++++++++++++++++++++++++
+ dlls/advapi32/security.c      | 27 ++++++++++++++++++---------
+ include/ntsecapi.h            |  1 +
+ 5 files changed, 60 insertions(+), 10 deletions(-)
+
+diff --git a/dlls/advapi32/advapi32.spec b/dlls/advapi32/advapi32.spec
+index 078bb8fc25..124f527282 100644
+--- a/dlls/advapi32/advapi32.spec
++++ b/dlls/advapi32/advapi32.spec
+@@ -469,7 +469,7 @@
+ @ stdcall LsaLookupNames(long long ptr ptr ptr)
+ @ stdcall LsaLookupNames2(ptr long long ptr ptr ptr)
+ @ stub LsaLookupPrivilegeDisplayName
+-# @ stub LsaLookupPrivilegeName
++@ stdcall LsaLookupPrivilegeName(long ptr ptr)
+ # @ stub LsaLookupPrivilegeValue
+ @ stdcall LsaLookupSids(ptr long ptr ptr ptr)
+ # @ stub LsaLookupSids2
+diff --git a/dlls/advapi32/advapi32_misc.h b/dlls/advapi32/advapi32_misc.h
+index d116ecb836..ecb07f635a 100644
+--- a/dlls/advapi32/advapi32_misc.h
++++ b/dlls/advapi32/advapi32_misc.h
+@@ -68,4 +68,6 @@ static inline WCHAR *strdupAW( const char *src )
+     return dst;
+ }
+ 
++const WCHAR * const WellKnownPrivNames[SE_MAX_WELL_KNOWN_PRIVILEGE + 1];
++
+ #endif /* __WINE_ADVAPI32MISC_H */
+diff --git a/dlls/advapi32/lsa.c b/dlls/advapi32/lsa.c
+index 479201bfc1..ceb3b05c05 100644
+--- a/dlls/advapi32/lsa.c
++++ b/dlls/advapi32/lsa.c
+@@ -973,3 +973,41 @@ NTSTATUS WINAPI LsaUnregisterPolicyChangeNotification(
+     FIXME("(%d,%p) stub\n", class, event);
+     return STATUS_SUCCESS;
+ }
++
++/******************************************************************************
++ * LsaLookupPrivilegeName [ADVAPI32.@]
++ *
++ */
++NTSTATUS WINAPI LsaLookupPrivilegeName(
++    LSA_HANDLE handle,
++    PLUID lpLuid,
++    PUNICODE_STRING *name)
++{
++    UNICODE_STRING *priv_unicode;
++    size_t priv_size;
++    WCHAR *strW;
++
++    TRACE("(%p, %p, %p)\n", handle, lpLuid, name);
++
++    if (!handle)
++        return STATUS_INVALID_HANDLE;
++
++    if (!name)
++        return STATUS_INVALID_PARAMETER;
++
++    if (lpLuid->HighPart ||
++        (lpLuid->LowPart < SE_MIN_WELL_KNOWN_PRIVILEGE ||
++         lpLuid->LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE))
++        return STATUS_NO_SUCH_PRIVILEGE;
++
++    priv_size = (strlenW(WellKnownPrivNames[lpLuid->LowPart]) + 1) * sizeof(WCHAR);
++    priv_unicode = heap_alloc(sizeof(*priv_unicode) + priv_size);
++    if (!priv_unicode) return STATUS_NO_MEMORY;
++
++    strW = (WCHAR *)(priv_unicode + 1);
++    strcpyW(strW, WellKnownPrivNames[lpLuid->LowPart]);
++    RtlInitUnicodeString(priv_unicode, strW);
++
++    *name = priv_unicode;
++    return STATUS_SUCCESS;
++}
+diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
+index e36792cff4..3bc8f48b19 100644
+--- a/dlls/advapi32/security.c
++++ b/dlls/advapi32/security.c
+@@ -1840,7 +1840,7 @@ static const WCHAR SE_IMPERSONATE_NAME_W[] =
+ static const WCHAR SE_CREATE_GLOBAL_NAME_W[] =
+  { 'S','e','C','r','e','a','t','e','G','l','o','b','a','l','P','r','i','v','i','l','e','g','e',0 };
+ 
+-static const WCHAR * const WellKnownPrivNames[SE_MAX_WELL_KNOWN_PRIVILEGE + 1] =
++const WCHAR * const WellKnownPrivNames[SE_MAX_WELL_KNOWN_PRIVILEGE + 1] =
+ {
+     NULL,
+     NULL,
+@@ -2043,33 +2043,42 @@ BOOL WINAPI
+ LookupPrivilegeNameW( LPCWSTR lpSystemName, PLUID lpLuid, LPWSTR lpName,
+  LPDWORD cchName)
+ {
++    UNICODE_STRING system_name, *priv;
++    LSA_HANDLE lsa;
++    NTSTATUS status;
+     size_t privNameLen;
+ 
+     TRACE("%s,%p,%p,%p\n",debugstr_w(lpSystemName), lpLuid, lpName, cchName);
+ 
+-    if (!ADVAPI_IsLocalComputer(lpSystemName))
++    RtlInitUnicodeString(&system_name, lpSystemName);
++    status = LsaOpenPolicy(&system_name, NULL, POLICY_LOOKUP_NAMES, &lsa);
++    if (status)
+     {
+-        SetLastError(RPC_S_SERVER_UNAVAILABLE);
++        SetLastError(LsaNtStatusToWinError(status));
+         return FALSE;
+     }
+-    if (lpLuid->HighPart || (lpLuid->LowPart < SE_MIN_WELL_KNOWN_PRIVILEGE ||
+-     lpLuid->LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE))
++
++    status = LsaLookupPrivilegeName(&lsa, lpLuid, &priv);
++    LsaClose(lsa);
++    if (status)
+     {
+-        SetLastError(ERROR_NO_SUCH_PRIVILEGE);
++        SetLastError(LsaNtStatusToWinError(status));
+         return FALSE;
+     }
+-    privNameLen = strlenW(WellKnownPrivNames[lpLuid->LowPart]);
+-    /* Windows crashes if cchName is NULL, so will I */
++
++    privNameLen = priv->Length / sizeof(WCHAR);
+     if (*cchName <= privNameLen)
+     {
+         *cchName = privNameLen + 1;
++        LsaFreeMemory(priv);
+         SetLastError(ERROR_INSUFFICIENT_BUFFER);
+         return FALSE;
+     }
+     else
+     {
+-        strcpyW(lpName, WellKnownPrivNames[lpLuid->LowPart]);
++        strcpyW(lpName, priv->Buffer);
+         *cchName = privNameLen;
++        LsaFreeMemory(priv);
+         return TRUE;
+     }
+ }
+diff --git a/include/ntsecapi.h b/include/ntsecapi.h
+index 2bb3d312e4..0bf0eca43e 100644
+--- a/include/ntsecapi.h
++++ b/include/ntsecapi.h
+@@ -370,6 +370,7 @@ NTSTATUS WINAPI LsaLookupNames(LSA_HANDLE,ULONG,PLSA_UNICODE_STRING,PLSA_REFEREN
+                                PLSA_TRANSLATED_SID*);
+ NTSTATUS WINAPI LsaLookupNames2(LSA_HANDLE,ULONG,ULONG,PLSA_UNICODE_STRING,PLSA_REFERENCED_DOMAIN_LIST*,
+                                 PLSA_TRANSLATED_SID2*);
++NTSTATUS WINAPI LsaLookupPrivilegeName(LSA_HANDLE,PLUID,PUNICODE_STRING*);
+ NTSTATUS WINAPI LsaLookupSids(LSA_HANDLE,ULONG,PSID *,PLSA_REFERENCED_DOMAIN_LIST *,PLSA_TRANSLATED_NAME *);
+ ULONG WINAPI LsaNtStatusToWinError(NTSTATUS);
+ NTSTATUS WINAPI LsaOpenPolicy(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
+-- 
+2.11.0
+

patches/advapi-LsaLookupPrivilegeName/0004-advapi32-Add-stub-for-LsaLookupPrivilegeDisplayName.patch

@@ -0,0 +1,62 @@
+From 63d642a1af3ccc579123cb8fd13959ab5e9136dd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Mon, 6 Mar 2017 00:01:53 +0100
+Subject: advapi32: Add stub for LsaLookupPrivilegeDisplayName.
+
+---
+ dlls/advapi32/advapi32.spec |  2 +-
+ dlls/advapi32/lsa.c         | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/dlls/advapi32/advapi32.spec b/dlls/advapi32/advapi32.spec
+index 124f527282..0b03cec3f5 100644
+--- a/dlls/advapi32/advapi32.spec
++++ b/dlls/advapi32/advapi32.spec
+@@ -468,7 +468,7 @@
+ # @ stub LsaICLookupSidsWithCreds
+ @ stdcall LsaLookupNames(long long ptr ptr ptr)
+ @ stdcall LsaLookupNames2(ptr long long ptr ptr ptr)
+-@ stub LsaLookupPrivilegeDisplayName
++@ stdcall LsaLookupPrivilegeDisplayName(long ptr ptr ptr)
+ @ stdcall LsaLookupPrivilegeName(long ptr ptr)
+ # @ stub LsaLookupPrivilegeValue
+ @ stdcall LsaLookupSids(ptr long ptr ptr ptr)
+diff --git a/dlls/advapi32/lsa.c b/dlls/advapi32/lsa.c
+index ceb3b05c05..c2e02fb462 100644
+--- a/dlls/advapi32/lsa.c
++++ b/dlls/advapi32/lsa.c
+@@ -44,6 +44,12 @@ WINE_DEFAULT_DEBUG_CHANNEL(advapi);
+         return FailureCode; \
+ }
+ 
++static LPCSTR debugstr_us( const UNICODE_STRING *us )
++{
++    if (!us) return "(null)";
++    return debugstr_wn(us->Buffer, us->Length / sizeof(WCHAR));
++}
++
+ static void dumpLsaAttributes(const LSA_OBJECT_ATTRIBUTES *oa)
+ {
+     if (oa)
+@@ -1011,3 +1017,18 @@ NTSTATUS WINAPI LsaLookupPrivilegeName(
+     *name = priv_unicode;
+     return STATUS_SUCCESS;
+ }
++
++/******************************************************************************
++ * LsaLookupPrivilegeDisplayName [ADVAPI32.@]
++ *
++ */
++NTSTATUS WINAPI LsaLookupPrivilegeDisplayName(
++    LSA_HANDLE handle,
++    PLSA_UNICODE_STRING name,
++    PLSA_UNICODE_STRING *dispname,
++    SHORT *language)
++{
++    FIXME("(%p, %s, %p, %p)\n", handle, debugstr_us(name), dispname, language);
++
++    return STATUS_NO_SUCH_PRIVILEGE;
++}
+-- 
+2.11.0
+

patches/advapi-LsaLookupPrivilegeName/definition

@@ -0,0 +1 @@
+Fixes: Add LsaLookupPrivilege[Display]Name stubs

patches/advapi32-AddMandatoryAce/0001-advapi32-Implement-AddMandatoryAce.patch

@@ -1,185 +0,0 @@
-From 9904ee15d00d0809c12759446c09adc1981e3cf9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Mon, 29 Aug 2016 19:45:47 +0200
-Subject: advapi32: Implement AddMandatoryAce.
-
----
- dlls/advapi32/security.c       |  6 ++++--
- dlls/advapi32/tests/security.c | 45 ++++++++++++++++++++++++++++++++++++++++++
- dlls/ntdll/ntdll.spec          |  1 +
- dlls/ntdll/sec.c               | 25 +++++++++++++++++++++++
- include/winbase.h              |  1 +
- include/winternl.h             |  1 +
- 6 files changed, 77 insertions(+), 2 deletions(-)
-
-diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
-index 28331df..45c0f7e 100644
---- a/dlls/advapi32/security.c
-+++ b/dlls/advapi32/security.c
-@@ -1711,10 +1711,12 @@ BOOL WINAPI AddAce(
-     return set_ntstatus(RtlAddAce(pAcl, dwAceRevision, dwStartingAceIndex, pAceList, nAceListLength));
- }
- 
-+/******************************************************************************
-+ *  AddMandatoryAce [ADVAPI32.@]
-+ */
- BOOL WINAPI AddMandatoryAce(ACL *acl, DWORD ace_revision, DWORD ace_flags, DWORD mandatory_policy, PSID label_sid)
- {
--    FIXME("%p %x %x %x %p - stub\n", acl, ace_revision, ace_flags, mandatory_policy, label_sid);
--    return FALSE;
-+    return set_ntstatus(RtlAddMandatoryAce(acl, ace_revision, ace_flags, mandatory_policy, SYSTEM_MANDATORY_LABEL_ACE_TYPE, label_sid));
- }
- 
- /******************************************************************************
-diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
-index 18f4e04..cdbe4f8 100644
---- a/dlls/advapi32/tests/security.c
-+++ b/dlls/advapi32/tests/security.c
-@@ -65,6 +65,7 @@
- static BOOL (WINAPI *pAddAccessAllowedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
- static BOOL (WINAPI *pAddAccessDeniedAceEx)(PACL, DWORD, DWORD, DWORD, PSID);
- static BOOL (WINAPI *pAddAuditAccessAceEx)(PACL, DWORD, DWORD, DWORD, PSID, BOOL, BOOL);
-+static BOOL (WINAPI *pAddMandatoryAce)(PACL,DWORD,DWORD,DWORD,PSID);
- static VOID (WINAPI *pBuildTrusteeWithSidA)( PTRUSTEEA pTrustee, PSID pSid );
- static VOID (WINAPI *pBuildTrusteeWithNameA)( PTRUSTEEA pTrustee, LPSTR pName );
- static VOID (WINAPI *pBuildTrusteeWithObjectsAndNameA)( PTRUSTEEA pTrustee,
-@@ -199,6 +200,7 @@ static void init(void)
-     pAddAccessAllowedAceEx = (void *)GetProcAddress(hmod, "AddAccessAllowedAceEx");
-     pAddAccessDeniedAceEx = (void *)GetProcAddress(hmod, "AddAccessDeniedAceEx");
-     pAddAuditAccessAceEx = (void *)GetProcAddress(hmod, "AddAuditAccessAceEx");
-+    pAddMandatoryAce = (void *)GetProcAddress(hmod, "AddMandatoryAce");
-     pCheckTokenMembership = (void *)GetProcAddress(hmod, "CheckTokenMembership");
-     pConvertStringSecurityDescriptorToSecurityDescriptorA =
-         (void *)GetProcAddress(hmod, "ConvertStringSecurityDescriptorToSecurityDescriptorA" );
-@@ -6064,6 +6066,48 @@ static void test_default_dacl_owner_sid(void)
-     CloseHandle( handle );
- }
- 
-+static void test_integrity(void)
-+{
-+    static SID low_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
-+                                                    {SECURITY_MANDATORY_LOW_RID}};
-+    SYSTEM_MANDATORY_LABEL_ACE *ace;
-+    char buffer_acl[256];
-+    ACL *pAcl = (ACL*)&buffer_acl;
-+    BOOL ret, found;
-+    DWORD index;
-+
-+    if (!pAddMandatoryAce)
-+    {
-+        win_skip("Mandatory integrity labels not supported, skipping test\n");
-+        return;
-+    }
-+
-+    ret = InitializeAcl(pAcl, 256, ACL_REVISION);
-+    ok(ret, "InitializeAcl failed with %u\n", GetLastError());
-+
-+    ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, 0x1234, &low_level);
-+    ok(!ret, "AddMandatoryAce succeeded\n");
-+    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER got %u\n", GetLastError());
-+
-+    ret = pAddMandatoryAce(pAcl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, &low_level);
-+    ok(ret, "AddMandatoryAce failed with %u\n", GetLastError());
-+
-+    index = 0;
-+    found = FALSE;
-+    while (pGetAce( pAcl, index++, (void **)&ace ))
-+    {
-+        if (ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
-+        {
-+            found = TRUE;
-+            ok(ace->Header.AceFlags == 0, "Expected 0 as flags, got %x\n", ace->Header.AceFlags);
-+            ok(ace->Mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
-+               "Expected SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as flag, got %x\n", ace->Mask);
-+            ok(EqualSid(&ace->SidStart, &low_level), "Expected low integrity level\n");
-+        }
-+    }
-+    ok(found, "Could not find mandatory label\n");
-+}
-+
- static void test_AdjustTokenPrivileges(void)
- {
-     TOKEN_PRIVILEGES tp, prev;
-@@ -6444,6 +6488,7 @@ START_TEST(security)
-     test_CreateRestrictedToken();
-     test_TokenIntegrityLevel();
-     test_default_dacl_owner_sid();
-+    test_integrity();
-     test_AdjustTokenPrivileges();
-     test_AddAce();
-     test_system_security_access();
-diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
-index 28aa2df..f6f8eba 100644
---- a/dlls/ntdll/ntdll.spec
-+++ b/dlls/ntdll/ntdll.spec
-@@ -422,6 +422,7 @@
- @ stdcall RtlAddAuditAccessAceEx(ptr long long long ptr long long)
- @ stdcall RtlAddAuditAccessObjectAce(ptr long long long ptr ptr ptr long long)
- # @ stub RtlAddCompoundAce
-+@ stdcall RtlAddMandatoryAce(ptr long long long long ptr)
- # @ stub RtlAddRange
- @ cdecl -arch=arm,x86_64 RtlAddFunctionTable(ptr long long)
- @ stdcall RtlAddRefActivationContext(ptr)
-diff --git a/dlls/ntdll/sec.c b/dlls/ntdll/sec.c
-index 3bc52ac..daa2cae 100644
---- a/dlls/ntdll/sec.c
-+++ b/dlls/ntdll/sec.c
-@@ -1379,6 +1379,31 @@ NTSTATUS WINAPI RtlAddAuditAccessObjectAce(
-     return STATUS_NOT_IMPLEMENTED;
- }
- 
-+/**************************************************************************
-+ *  RtlAddMandatoryAce     [NTDLL.@]
-+ */
-+NTSTATUS WINAPI RtlAddMandatoryAce(
-+    IN OUT PACL pAcl,
-+    IN DWORD dwAceRevision,
-+    IN DWORD dwAceFlags,
-+    IN DWORD dwMandatoryFlags,
-+    IN DWORD dwAceType,
-+    IN PSID pSid)
-+{
-+    static DWORD valid_flags = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP |
-+                               SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP;
-+
-+    TRACE("(%p,%d,0x%08x,0x%08x,%u,%p)\n",pAcl,dwAceRevision,dwAceFlags,dwMandatoryFlags, dwAceType, pSid);
-+
-+    if (dwAceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE)
-+        return STATUS_INVALID_PARAMETER;
-+
-+    if (dwMandatoryFlags & ~valid_flags)
-+        return STATUS_INVALID_PARAMETER;
-+
-+    return add_access_ace(pAcl, dwAceRevision, dwAceFlags, dwMandatoryFlags, pSid, dwAceType);
-+}
-+
- /******************************************************************************
-  *  RtlValidAcl		[NTDLL.@]
-  */
-diff --git a/include/winbase.h b/include/winbase.h
-index eff5972..42c826d 100644
---- a/include/winbase.h
-+++ b/include/winbase.h
-@@ -1693,6 +1693,7 @@ WINBASEAPI ATOM        WINAPI AddAtomW(LPCWSTR);
- #define                       AddAtom WINELIB_NAME_AW(AddAtom)
- WINADVAPI  BOOL        WINAPI AddAuditAccessAce(PACL,DWORD,DWORD,PSID,BOOL,BOOL);
- WINADVAPI  BOOL        WINAPI AddAuditAccessAceEx(PACL,DWORD,DWORD,DWORD,PSID,BOOL,BOOL);
-+WINADVAPI  BOOL        WINAPI AddMandatoryAce(PACL,DWORD,DWORD,DWORD,PSID);
- WINBASEAPI VOID        WINAPI AddRefActCtx(HANDLE);
- WINBASEAPI PVOID       WINAPI AddVectoredExceptionHandler(ULONG,PVECTORED_EXCEPTION_HANDLER);
- WINADVAPI  BOOL        WINAPI AdjustTokenGroups(HANDLE,BOOL,PTOKEN_GROUPS,DWORD,PTOKEN_GROUPS,PDWORD);
-diff --git a/include/winternl.h b/include/winternl.h
-index f35091c..c104e6f 100644
---- a/include/winternl.h
-+++ b/include/winternl.h
-@@ -2405,6 +2405,7 @@ NTSYSAPI NTSTATUS  WINAPI RtlAddAtomToAtomTable(RTL_ATOM_TABLE,const WCHAR*,RTL_
- NTSYSAPI NTSTATUS  WINAPI RtlAddAuditAccessAce(PACL,DWORD,DWORD,PSID,BOOL,BOOL);
- NTSYSAPI NTSTATUS  WINAPI RtlAddAuditAccessAceEx(PACL,DWORD,DWORD,DWORD,PSID,BOOL,BOOL);
- NTSYSAPI NTSTATUS  WINAPI RtlAddAuditAccessObjectAce(PACL,DWORD,DWORD,DWORD,GUID*,GUID*,PSID,BOOL,BOOL);
-+NTSYSAPI NTSTATUS  WINAPI RtlAddMandatoryAce(PACL,DWORD,DWORD,DWORD,DWORD,PSID);
- NTSYSAPI void      WINAPI RtlAddRefActivationContext(HANDLE);
- NTSYSAPI PVOID     WINAPI RtlAddVectoredExceptionHandler(ULONG,PVECTORED_EXCEPTION_HANDLER);
- NTSYSAPI NTSTATUS  WINAPI RtlAdjustPrivilege(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
--- 
-2.9.0
-

patches/advapi32-AddMandatoryAce/definition

@@ -1 +0,0 @@
-Fixes: Implement advapi32.AddMandatoryAce

patches/advapi32-BuildSecurityDescriptor/0001-advapi32-Implement-BuildSecurityDescriptorW.patch

@@ -0,0 +1,268 @@
+From 994fe46f1b68d851d285a29cce904bd9f22540ea Mon Sep 17 00:00:00 2001
+From: Andrew Wesie <awesie@gmail.com>
+Date: Tue, 2 May 2017 00:59:49 -0500
+Subject: advapi32: Implement BuildSecurityDescriptorW.
+
+---
+ dlls/advapi32/security.c | 218 +++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 164 insertions(+), 54 deletions(-)
+
+diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
+index 24ec3099713..82bb6689d43 100644
+--- a/dlls/advapi32/security.c
++++ b/dlls/advapi32/security.c
+@@ -58,6 +58,7 @@ static BOOL ParseStringSecurityDescriptorToSecurityDescriptor(
+     SECURITY_DESCRIPTOR_RELATIVE* SecurityDescriptor,
+     LPDWORD cBytes);
+ static DWORD ParseAclStringFlags(LPCWSTR* StringAcl);
++static DWORD trustee_to_sid(DWORD nDestinationSidLength, PSID pDestinationSid, PTRUSTEEW pTrustee);
+ 
+ typedef struct _ACEFLAG
+ {
+@@ -1264,16 +1265,122 @@ DWORD WINAPI BuildSecurityDescriptorW(
+     IN ULONG cCountOfAccessEntries,
+     IN PEXPLICIT_ACCESSW pListOfAccessEntries,
+     IN ULONG cCountOfAuditEntries,
+-    IN PEXPLICIT_ACCESSW pListofAuditEntries,
++    IN PEXPLICIT_ACCESSW pListOfAuditEntries,
+     IN PSECURITY_DESCRIPTOR pOldSD,
+     IN OUT PULONG lpdwBufferLength,
+     OUT PSECURITY_DESCRIPTOR* pNewSD)
+ { 
+-    FIXME("(%p,%p,%d,%p,%d,%p,%p,%p,%p) stub!\n",pOwner,pGroup,
+-          cCountOfAccessEntries,pListOfAccessEntries,cCountOfAuditEntries,
+-          pListofAuditEntries,pOldSD,lpdwBufferLength,pNewSD);
++    SECURITY_DESCRIPTOR desc;
++    NTSTATUS status;
++    DWORD ret = ERROR_SUCCESS;
++
++    TRACE("(%p,%p,%d,%p,%d,%p,%p,%p,%p)\n", pOwner, pGroup,
++          cCountOfAccessEntries, pListOfAccessEntries, cCountOfAuditEntries,
++          pListOfAuditEntries, pOldSD, lpdwBufferLength, pNewSD);
+  
+-    return ERROR_CALL_NOT_IMPLEMENTED;
++    if (pOldSD)
++    {
++        SECURITY_DESCRIPTOR_CONTROL control;
++        DWORD desc_size, dacl_size = 0, sacl_size = 0, owner_size = 0, group_size = 0;
++        PACL dacl = NULL, sacl = NULL;
++        PSID owner = NULL, group = NULL;
++        DWORD revision;
++
++        if ((status = RtlGetControlSecurityDescriptor( pOldSD, &control, &revision )) != STATUS_SUCCESS)
++            return RtlNtStatusToDosError( status );
++        if (!(control & SE_SELF_RELATIVE))
++            return ERROR_INVALID_SECURITY_DESCR;
++
++        desc_size = sizeof(desc);
++        status = RtlSelfRelativeToAbsoluteSD( pOldSD, &desc, &desc_size, dacl, &dacl_size, sacl, &sacl_size,
++                                              owner, &owner_size, group, &group_size );
++        if (status == STATUS_BUFFER_TOO_SMALL)
++        {
++            if (dacl_size)
++                dacl = LocalAlloc( LMEM_FIXED, dacl_size );
++            if (sacl_size)
++                sacl = LocalAlloc( LMEM_FIXED, sacl_size );
++            if (owner_size)
++                owner = LocalAlloc( LMEM_FIXED, owner_size );
++            if (group_size)
++                group = LocalAlloc( LMEM_FIXED, group_size );
++
++            desc_size = sizeof(desc);
++            status = RtlSelfRelativeToAbsoluteSD( pOldSD, &desc, &desc_size, dacl, &dacl_size, sacl, &sacl_size,
++                                                  owner, &owner_size, group, &group_size );
++        }
++        if (status != STATUS_SUCCESS)
++        {
++            LocalFree( dacl );
++            LocalFree( sacl );
++            LocalFree( owner );
++            LocalFree( group );
++            return RtlNtStatusToDosError( status );
++        }
++    }
++    else
++    {
++        if ((status = RtlCreateSecurityDescriptor( &desc, SECURITY_DESCRIPTOR_REVISION )) != STATUS_SUCCESS)
++            return RtlNtStatusToDosError( status );
++    }
++
++    if (pOwner)
++    {
++        LocalFree( desc.Owner );
++        desc.Owner = LocalAlloc( LMEM_FIXED, sizeof(MAX_SID) );
++        if ((ret = trustee_to_sid( sizeof(MAX_SID), desc.Owner, pOwner )))
++            goto done;
++    }
++
++    if (pGroup)
++    {
++        LocalFree( desc.Group );
++        desc.Group = LocalAlloc( LMEM_FIXED, sizeof(MAX_SID) );
++        if ((ret = trustee_to_sid( sizeof(MAX_SID), desc.Group, pGroup )))
++            goto done;
++    }
++
++    if (pListOfAccessEntries)
++    {
++        PACL new_dacl;
++
++        if ((ret = SetEntriesInAclW( cCountOfAccessEntries, pListOfAccessEntries, desc.Dacl, &new_dacl )))
++            goto done;
++
++        LocalFree( desc.Dacl );
++        desc.Dacl = new_dacl;
++        desc.Control |= SE_DACL_PRESENT;
++    }
++
++    if (pListOfAuditEntries)
++    {
++        PACL new_sacl;
++
++        if ((ret = SetEntriesInAclW( cCountOfAuditEntries, pListOfAuditEntries, desc.Sacl, &new_sacl )))
++            goto done;
++
++        LocalFree( desc.Sacl );
++        desc.Sacl = new_sacl;
++        desc.Control |= SE_SACL_PRESENT;
++    }
++
++    *lpdwBufferLength = RtlLengthSecurityDescriptor( &desc );
++    *pNewSD = LocalAlloc( LMEM_FIXED, *lpdwBufferLength );
++
++    if ((status = RtlMakeSelfRelativeSD( &desc, *pNewSD, lpdwBufferLength )) != STATUS_SUCCESS)
++    {
++        ret = RtlNtStatusToDosError( status );
++        LocalFree( *pNewSD );
++        *pNewSD = NULL;
++    }
++
++done:
++    /* free absolute descriptor */
++    LocalFree( desc.Owner );
++    LocalFree( desc.Group );
++    LocalFree( desc.Sacl );
++    LocalFree( desc.Dacl );
++    return ret;
+ } 
+ 
+ /******************************************************************************
+@@ -3766,6 +3873,56 @@ static void free_trustee_name(TRUSTEE_FORM form, WCHAR *trustee_nameW)
+     }
+ }
+ 
++static DWORD trustee_to_sid( DWORD nDestinationSidLength, PSID pDestinationSid, PTRUSTEEW pTrustee )
++{
++    if (pTrustee->MultipleTrusteeOperation == TRUSTEE_IS_IMPERSONATE)
++    {
++        WARN("bad multiple trustee operation %d\n", pTrustee->MultipleTrusteeOperation);
++        return ERROR_INVALID_PARAMETER;
++    }
++
++    switch (pTrustee->TrusteeForm)
++    {
++    case TRUSTEE_IS_SID:
++        if (!CopySid(nDestinationSidLength, pDestinationSid, pTrustee->ptstrName))
++        {
++            WARN("bad sid %p\n", pTrustee->ptstrName);
++            return ERROR_INVALID_PARAMETER;
++        }
++        break;
++    case TRUSTEE_IS_NAME:
++    {
++        DWORD sid_size = nDestinationSidLength;
++        DWORD domain_size = MAX_COMPUTERNAME_LENGTH + 1;
++        SID_NAME_USE use;
++        if (!strcmpW( pTrustee->ptstrName, CURRENT_USER ))
++        {
++            if (!lookup_user_account_name( pDestinationSid, &sid_size, NULL, &domain_size, &use ))
++            {
++                return GetLastError();
++            }
++        }
++        else if (!LookupAccountNameW(NULL, pTrustee->ptstrName, pDestinationSid, &sid_size, NULL, &domain_size, &use))
++        {
++            WARN("bad user name %s\n", debugstr_w(pTrustee->ptstrName));
++            return ERROR_INVALID_PARAMETER;
++        }
++        break;
++    }
++    case TRUSTEE_IS_OBJECTS_AND_SID:
++        FIXME("TRUSTEE_IS_OBJECTS_AND_SID unimplemented\n");
++        break;
++    case TRUSTEE_IS_OBJECTS_AND_NAME:
++        FIXME("TRUSTEE_IS_OBJECTS_AND_NAME unimplemented\n");
++        break;
++    default:
++        WARN("bad trustee form %d\n", pTrustee->TrusteeForm);
++        return ERROR_INVALID_PARAMETER;
++    }
++
++    return ERROR_SUCCESS;
++}
++
+ /******************************************************************************
+  * SetEntriesInAclA [ADVAPI32.@]
+  */
+@@ -3861,56 +4018,9 @@ DWORD WINAPI SetEntriesInAclW( ULONG count, PEXPLICIT_ACCESSW pEntries,
+               pEntries[i].Trustee.TrusteeForm, pEntries[i].Trustee.TrusteeType,
+               pEntries[i].Trustee.ptstrName);
+ 
+-        if (pEntries[i].Trustee.MultipleTrusteeOperation == TRUSTEE_IS_IMPERSONATE)
+-        {
+-            WARN("bad multiple trustee operation %d for trustee %d\n", pEntries[i].Trustee.MultipleTrusteeOperation, i);
+-            ret = ERROR_INVALID_PARAMETER;
+-            goto exit;
+-        }
+-
+-        switch (pEntries[i].Trustee.TrusteeForm)
+-        {
+-        case TRUSTEE_IS_SID:
+-            if (!CopySid(FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES]),
+-                         ppsid[i], pEntries[i].Trustee.ptstrName))
+-            {
+-                WARN("bad sid %p for trustee %d\n", pEntries[i].Trustee.ptstrName, i);
+-                ret = ERROR_INVALID_PARAMETER;
+-                goto exit;
+-            }
+-            break;
+-        case TRUSTEE_IS_NAME:
+-        {
+-            DWORD sid_size = FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES]);
+-            DWORD domain_size = MAX_COMPUTERNAME_LENGTH + 1;
+-            SID_NAME_USE use;
+-            if (!strcmpW( pEntries[i].Trustee.ptstrName, CURRENT_USER ))
+-            {
+-                if (!lookup_user_account_name( ppsid[i], &sid_size, NULL, &domain_size, &use ))
+-                {
+-                    ret = GetLastError();
+-                    goto exit;
+-                }
+-            }
+-            else if (!LookupAccountNameW(NULL, pEntries[i].Trustee.ptstrName, ppsid[i], &sid_size, NULL, &domain_size, &use))
+-            {
+-                WARN("bad user name %s for trustee %d\n", debugstr_w(pEntries[i].Trustee.ptstrName), i);
+-                ret = ERROR_INVALID_PARAMETER;
+-                goto exit;
+-            }
+-            break;
+-        }
+-        case TRUSTEE_IS_OBJECTS_AND_SID:
+-            FIXME("TRUSTEE_IS_OBJECTS_AND_SID unimplemented\n");
+-            break;
+-        case TRUSTEE_IS_OBJECTS_AND_NAME:
+-            FIXME("TRUSTEE_IS_OBJECTS_AND_NAME unimplemented\n");
+-            break;
+-        default:
+-            WARN("bad trustee form %d for trustee %d\n", pEntries[i].Trustee.TrusteeForm, i);
+-            ret = ERROR_INVALID_PARAMETER;
++        ret = trustee_to_sid( FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES]), ppsid[i], &pEntries[i].Trustee);
++        if (ret)
+             goto exit;
+-        }
+ 
+         /* Note: we overestimate the ACL size here as a tradeoff between
+          * instructions (simplicity) and memory */
+-- 
+2.12.2
+

patches/advapi32-BuildSecurityDescriptor/0002-advapi32-tests-Add-basic-tests-for-BuildSecurityDesc.patch

@@ -0,0 +1,69 @@
+From 63082c3863d8be466ed14f532653ddf35e40328a Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Fri, 5 May 2017 00:18:50 +0200
+Subject: advapi32/tests: Add basic tests for BuildSecurityDescriptor.
+
+---
+ dlls/advapi32/tests/security.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
+index d6ea3a19fad..c591f7b6e5f 100644
+--- a/dlls/advapi32/tests/security.c
++++ b/dlls/advapi32/tests/security.c
+@@ -7489,6 +7489,44 @@ static void test_child_token_sd(void)
+     HeapFree(GetProcessHeap(), 0, sd);
+ }
+ 
++static void test_BuildSecurityDescriptorW(void)
++{
++    SECURITY_DESCRIPTOR old_sd, *new_sd, *rel_sd;
++    ULONG new_sd_size;
++    DWORD buf_size;
++    char buf[1024];
++    BOOL success;
++    DWORD ret;
++
++    InitializeSecurityDescriptor(&old_sd, SECURITY_DESCRIPTOR_REVISION);
++
++    buf_size = sizeof(buf);
++    rel_sd = (SECURITY_DESCRIPTOR *)buf;
++    success = MakeSelfRelativeSD(&old_sd, rel_sd, &buf_size);
++    ok(success, "MakeSelfRelativeSD failed with %u\n", GetLastError());
++
++    new_sd = NULL;
++    new_sd_size = 0;
++    ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, NULL, &new_sd_size, (void **)&new_sd);
++    ok(ret == ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret);
++    ok(new_sd != NULL, "expected new_sd != NULL\n");
++    ok(new_sd_size == sizeof(old_sd), "expected new_sd_size == sizeof(old_sd), got %u\n", new_sd_size);
++    LocalFree(new_sd);
++
++    new_sd = (void *)0xdeadbeef;
++    ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, &old_sd, &new_sd_size, (void **)&new_sd);
++    ok(ret == ERROR_INVALID_SECURITY_DESCR, "expected ERROR_INVALID_SECURITY_DESCR, got %u\n", ret);
++    ok(new_sd == (void *)0xdeadbeef, "expected new_sd == 0xdeadbeef, got %p\n", new_sd);
++
++    new_sd = NULL;
++    new_sd_size = 0;
++    ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, rel_sd, &new_sd_size, (void **)&new_sd);
++    ok(ret == ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret);
++    ok(new_sd != NULL, "expected new_sd != NULL\n");
++    ok(new_sd_size == sizeof(old_sd), "expected new_sd_size == sizeof(old_sd), got %u\n", new_sd_size);
++    LocalFree(new_sd);
++}
++
+ START_TEST(security)
+ {
+     init();
+@@ -7542,6 +7580,7 @@ START_TEST(security)
+     test_pseudo_tokens();
+     test_maximum_allowed();
+     test_GetExplicitEntriesFromAclW();
++    test_BuildSecurityDescriptorW();
+ 
+     /* must be the last test, modifies process token */
+     test_token_security_descriptor();
+-- 
+2.12.2
+

patches/advapi32-BuildSecurityDescriptor/definition

@@ -0,0 +1,2 @@
+Fixes: Initial implementation of advapi32.BuildSecurityDescriptorW
+Depends: server-LABEL_SECURITY_INFORMATION

patches/advapi32-GetExplicitEntriesFromAclW/0001-advapi32-Implement-GetExplicitEntriesFromAclW.patch

@@ -1,4 +1,4 @@
-From cb383abcb7d36d739092a93c1f276895622b6806 Mon Sep 17 00:00:00 2001
+From b4469d7a12637ef2b57df3f6aebbe65c9b52ef57 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Sun, 28 Aug 2016 21:56:41 +0200
 Subject: advapi32: Implement GetExplicitEntriesFromAclW.
@@ -9,7 +9,7 @@ Subject: advapi32: Implement GetExplicitEntriesFromAclW.
  2 files changed, 221 insertions(+), 2 deletions(-)
 
 diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
-index 92a1789..c60aa4e 100644
+index 7e41c0a7361..ccd0bf64cab 100644
 --- a/dlls/advapi32/security.c
 +++ b/dlls/advapi32/security.c
 @@ -4202,8 +4202,85 @@ DWORD WINAPI GetExplicitEntriesFromAclA( PACL pacl, PULONG pcCountOfExplicitEntr
@@ -101,7 +101,7 @@ index 92a1789..c60aa4e 100644
  
  /******************************************************************************
 diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
-index cf104ab..2bcb108 100644
+index c31dfbeace3..23cbff58117 100644
 --- a/dlls/advapi32/tests/security.c
 +++ b/dlls/advapi32/tests/security.c
 @@ -133,6 +133,7 @@ static BOOL     (WINAPI *pGetWindowsAccountDomainSid)(PSID,PSID,DWORD*);
@@ -120,8 +120,8 @@ index cf104ab..2bcb108 100644
  
      myARGC = winetest_get_mainargs( &myARGV );
  }
-@@ -6378,6 +6380,145 @@ static void test_pseudo_tokens(void)
-                  "Expected ERROR_NO_TOKEN, got %u\n", GetLastError());
+@@ -6451,6 +6453,145 @@ static void test_maximum_allowed(void)
+     CloseHandle(handle);
  }
  
 +static void test_GetExplicitEntriesFromAclW(void)
@@ -266,12 +266,12 @@ index cf104ab..2bcb108 100644
  START_TEST(security)
  {
      init();
-@@ -6424,4 +6565,5 @@ START_TEST(security)
-     test_system_security_access();
+@@ -6499,4 +6640,5 @@ START_TEST(security)
      test_GetSidIdentifierAuthority();
      test_pseudo_tokens();
+     test_maximum_allowed();
 +    test_GetExplicitEntriesFromAclW();
  }
 -- 
-2.9.0
+2.11.0
 

patches/advapi32-LsaLookupSids/0004-advapi32-Fallback-to-Sid-string-when-LookupAccountSi.patch

@@ -1,4 +1,4 @@
-From 616c17cc58a4943d3a367704943e737d5713740d Mon Sep 17 00:00:00 2001
+From 77d43d721793edda9b419f7426442a35f0cb5918 Mon Sep 17 00:00:00 2001
 From: Qian Hong <qhong@codeweavers.com>
 Date: Tue, 7 Apr 2015 11:23:34 +0800
 Subject: advapi32: Fallback to Sid string when LookupAccountSid fails.
@@ -8,7 +8,7 @@ Subject: advapi32: Fallback to Sid string when LookupAccountSid fails.
  1 file changed, 31 insertions(+)
 
 diff --git a/dlls/advapi32/lsa.c b/dlls/advapi32/lsa.c
-index 258b8ca..93afa20 100644
+index 1b270a80829..b8dedbd6d58 100644
 --- a/dlls/advapi32/lsa.c
 +++ b/dlls/advapi32/lsa.c
 @@ -29,6 +29,7 @@
@@ -19,8 +19,8 @@ index 258b8ca..93afa20 100644
  #include "advapi32_misc.h"
  
  #include "wine/debug.h"
-@@ -554,6 +555,21 @@ NTSTATUS WINAPI LsaLookupSids(
-                 heap_free(name);
+@@ -562,6 +563,21 @@ NTSTATUS WINAPI LsaLookupSids(
+                 domain.MaximumLength = sizeof(WCHAR);
              }
          }
 +        else
@@ -41,9 +41,9 @@ index 258b8ca..93afa20 100644
      }
  
      /* now we have full length needed for both */
-@@ -593,6 +609,21 @@ NTSTATUS WINAPI LsaLookupSids(
-                 heap_free(domain.Buffer);
-             }
+@@ -605,6 +621,21 @@ NTSTATUS WINAPI LsaLookupSids(
+             (*Names)[i].DomainIndex = lsa_reflist_add_domain(*ReferencedDomains, &domain, &domain_data);
+             heap_free(domain.Buffer);
          }
 +        else
 +        {
@@ -64,5 +64,5 @@ index 258b8ca..93afa20 100644
          name_buffer += name_size;
      }
 -- 
-2.3.5
+2.11.0