Release 2.16.

The patch causes a regression because applications start using
other mfplat functions.

CONTRIBUTING.md

@@ -0,0 +1,30 @@
+Contributing to Wine Staging
+----------------------------
+
+First of all, thank you for taking the time to contribute to this project.
+
+### Reporting bugs
+
+Since WineConf 2015 Wine Staging is an official part of WineHQ, which means you
+can report problems directly at [bugs.winehq.org](https://bugs.winehq.org/).
+Most of the time bugs found in Wine Staging also turn out to be present in the
+development branch, so its recommended to open your bug in the "Wine" product,
+unless you are sure its really "Wine Staging" specific. For bugs related to our
+binary packages, please open a bug report in the "Packaging" product.
+
+### Submitting patches
+
+**IMPORTANT:** Please use [dev.wine-staging.com](https://dev.wine-staging.com/patches)
+for patch submissions, we currently do not accept Pull requests on GitHub.
+
+Wine Staging mainly concentrates on experimental features and patches which are
+difficult to get into the development branch. If you have a very simple bug fix
+including tests, there is usually no need to send it to Wine Staging. You can
+directly contribute it to the
+[development branch](http://wiki.winehq.org/SubmittingPatches). However, if you
+already tried that without success, or are working on such a complex area that
+you do not really think its ready for inclusion, you might want to submit it to
+our Staging tree. Please open a patch submission request on
+[dev.wine-staging.com](https://dev.wine-staging.com/patches) including the patch.
+More information is also available in our
+[Wiki](https://wiki.winehq.org/Wine-Staging_Patches).

README.md

@@ -13,7 +13,7 @@ Installation
 
 Ready-to-use packages for Wine Staging are available for a variety of Linux
 distributions and for Mac OS X. Just follow the
-[installation instructions](https://github.com/wine-compholio/wine-staging/wiki/Installation)
+[installation instructions](https://wine-staging.com/installation.html)
 for your operating system.
 
 On most distributions the `wine-staging` package is installed to
@@ -24,16 +24,6 @@ other wine-specific programs like `winecfg`. To learn more about how to use
 Wine Staging, please take a look at the
 [usage instructions](https://github.com/wine-compholio/wine-staging/wiki/Usage).
 
-Reporting bugs
---------------
-
-Since WineConf 2015 Wine Staging is an official part of WineHQ, which means you
-can report problems directly at https://bugs.winehq.org/. Most of the time bugs
-found in Wine Staging also turn out to be present in the development branch, so
-its recommended to open your bug in the "Wine" product, unless you are sure its
-really "Wine Staging" specific. For problems with our binary packages, please
-also open a bug report there.
-
 Building
 --------
 
@@ -88,14 +78,5 @@ in our [Wiki](https://github.com/wine-compholio/wine-staging/wiki/Packaging).
 Contributing
 ------------
 
-Wine Staging mainly concentrates on experimental features and patches which are
-difficult to get into the development branch. If you have a very simple bug fix
-including tests, there is usually no need to send it to Wine Staging. You can
-directly contribute it to the
-[development branch](http://wiki.winehq.org/SubmittingPatches). However, if you
-already tried that without success, or are working on such a complex area that
-you do not really think its ready for inclusion, you might want to submit it to
-our Staging tree. Please open a patch submission request on
-[bugs.wine-staging.com](https://bugs.wine-staging.com/) including the patch.
-More information is also available in our
-[Wiki](https://github.com/wine-compholio/wine-staging/wiki/Contributing).
+Please see CONTRIBUTING.md for more information about contributing to Wine
+Staging.

patches/Compiler_Warnings/0001-ole32-Fix-compilation-with-recent-versions-of-gcc.patch

@@ -0,0 +1,26 @@
+From 43628d9b1905396ff6442e4f1e07c9dd48739b19 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Fri, 14 Apr 2017 15:57:18 +0200
+Subject: ole32: Fix compilation with recent versions of gcc.
+
+---
+ dlls/ole32/storage32.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dlls/ole32/storage32.h b/dlls/ole32/storage32.h
+index 4fcfd9c362..2b23ab8eb8 100644
+--- a/dlls/ole32/storage32.h
++++ b/dlls/ole32/storage32.h
+@@ -526,6 +526,9 @@ StgStreamImpl* StgStreamImpl_Construct(
+ /******************************************************************************
+  * Endian conversion macros
+  */
++#undef htole32
++#undef htole16
++
+ #ifdef WORDS_BIGENDIAN
+ 
+ #define htole32(x) RtlUlongByteSwap(x)
+-- 
+2.12.2
+

patches/Compiler_Warnings/0009-ws2_32-tests-Work-around-an-incorrect-detection-in-G.patch

@@ -0,0 +1,24 @@
+From 560a25c662f7b56d2b895759be1ea65c64d0f5af Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 4 Jun 2017 12:57:17 +0200
+Subject: ws2_32/tests: Work around an incorrect detection in GCC 7.
+
+---
+ dlls/ws2_32/tests/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dlls/ws2_32/tests/sock.c b/dlls/ws2_32/tests/sock.c
+index 677a750ec6b..65c82e36524 100644
+--- a/dlls/ws2_32/tests/sock.c
++++ b/dlls/ws2_32/tests/sock.c
+@@ -3601,6 +3601,7 @@ static DWORD WINAPI SelectReadThread(void *param)
+     struct sockaddr_in addr;
+     struct timeval select_timeout;
+ 
++    memset(&readfds, 0, sizeof(readfds));
+     FD_ZERO(&readfds);
+     FD_SET(par->s, &readfds);
+     select_timeout.tv_sec=5;
+-- 
+2.13.0
+

patches/Compiler_Warnings/0018-Appease-the-blessed-version-of-gcc-4.5-when-Werror-i.patch

@@ -1,21 +1,20 @@
-From 35e7be609df3c37eded9a3fd117ba0cef02f24c7 Mon Sep 17 00:00:00 2001
+From cd34de81164087b3593d0ec9416e2f157a5df40d Mon Sep 17 00:00:00 2001
 From: "Erich E. Hoover" <erich.e.hoover@gmail.com>
 Date: Fri, 8 Aug 2014 19:33:14 -0600
 Subject: Appease the blessed version of gcc (4.5) when -Werror is enabled.
 
 ---
- dlls/d3d9/tests/visual.c     | 2 +-
- dlls/netapi32/netapi32.c     | 2 +-
- dlls/winealsa.drv/mmdevdrv.c | 2 +-
- dlls/wined3d/glsl_shader.c   | 2 +-
- tools/makedep.c              | 2 +-
- 5 files changed, 5 insertions(+), 5 deletions(-)
+ dlls/d3d9/tests/visual.c   | 2 +-
+ dlls/netapi32/netapi32.c   | 2 +-
+ dlls/wined3d/glsl_shader.c | 2 +-
+ tools/makedep.c            | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/dlls/d3d9/tests/visual.c b/dlls/d3d9/tests/visual.c
-index 55140c6..2facbfb 100644
+index c8a6a1fa5a8..0261d3708e6 100644
 --- a/dlls/d3d9/tests/visual.c
 +++ b/dlls/d3d9/tests/visual.c
-@@ -12034,7 +12034,7 @@ static void yuv_layout_test(void)
+@@ -12304,7 +12304,7 @@ static void yuv_layout_test(void)
      IDirect3D9 *d3d;
      D3DCOLOR color;
      DWORD ref_color;
@@ -25,7 +24,7 @@ index 55140c6..2facbfb 100644
      IDirect3DDevice9 *device;
      ULONG refcount;
 diff --git a/dlls/netapi32/netapi32.c b/dlls/netapi32/netapi32.c
-index bb61e7f..cf4c466 100644
+index 278d4528b01..1c5f110b828 100644
 --- a/dlls/netapi32/netapi32.c
 +++ b/dlls/netapi32/netapi32.c
 @@ -780,7 +780,7 @@ static NET_API_STATUS share_info_to_samba( DWORD level, const BYTE *buf, unsigne
@@ -37,25 +36,12 @@ index bb61e7f..cf4c466 100644
      NET_API_STATUS status;
  
      if (servername && !(server = strdup_unixcp( servername ))) return ERROR_OUTOFMEMORY;
-diff --git a/dlls/winealsa.drv/mmdevdrv.c b/dlls/winealsa.drv/mmdevdrv.c
-index 14eac39..ebff9f1 100644
---- a/dlls/winealsa.drv/mmdevdrv.c
-+++ b/dlls/winealsa.drv/mmdevdrv.c
-@@ -359,7 +359,7 @@ static WCHAR *construct_device_id(EDataFlow flow, const WCHAR *chunk1, const cha
- {
-     WCHAR *ret;
-     const WCHAR *prefix;
--    DWORD len_wchars = 0, chunk1_len, copied = 0, prefix_len;
-+    DWORD len_wchars = 0, chunk1_len = 0, copied = 0, prefix_len;
- 
-     static const WCHAR dashW[] = {' ','-',' ',0};
-     static const size_t dashW_len = (sizeof(dashW) / sizeof(*dashW)) - 1;
 diff --git a/dlls/wined3d/glsl_shader.c b/dlls/wined3d/glsl_shader.c
-index 44e7090..429ae90 100644
+index f96f48d97d1..8fe3318cd78 100644
 --- a/dlls/wined3d/glsl_shader.c
 +++ b/dlls/wined3d/glsl_shader.c
-@@ -6893,7 +6893,7 @@ static void set_glsl_shader_program(const struct wined3d_context *context, const
-     GLuint vs_id = 0;
+@@ -9721,7 +9721,7 @@ static void set_glsl_shader_program(const struct wined3d_context *context, const
+     GLuint ds_id = 0;
      GLuint gs_id = 0;
      GLuint ps_id = 0;
 -    struct list *ps_list, *vs_list;
@@ -64,10 +50,10 @@ index 44e7090..429ae90 100644
      struct wined3d_string_buffer *tmp_name;
  
 diff --git a/tools/makedep.c b/tools/makedep.c
-index d8cf2f5..280f62f 100644
+index 296356b0a57..5a2873b56f1 100644
 --- a/tools/makedep.c
 +++ b/tools/makedep.c
-@@ -1559,7 +1559,7 @@ static const char *get_make_variable( const struct makefile *make, const char *n
+@@ -1608,7 +1608,7 @@ static const char *get_make_variable( const struct makefile *make, const char *n
  static char *get_expanded_make_variable( const struct makefile *make, const char *name )
  {
      const char *var;
@@ -77,5 +63,5 @@ index d8cf2f5..280f62f 100644
      var = get_make_variable( make, name );
      if (!var) return NULL;
 -- 
-2.6.2
+2.13.1
 

patches/Compiler_Warnings/0032-wsdapi-Avoid-implicit-cast-of-interface-pointer.patch

@@ -0,0 +1,25 @@
+From 814a4e7a4cad942e284a4828927dd0b67938af33 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 2 Jul 2017 22:32:45 +0200
+Subject: wsdapi: Avoid implicit cast of interface pointer.
+
+---
+ dlls/wsdapi/msgparams.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dlls/wsdapi/msgparams.c b/dlls/wsdapi/msgparams.c
+index a7a2f0a73b3..47a77138709 100644
+--- a/dlls/wsdapi/msgparams.c
++++ b/dlls/wsdapi/msgparams.c
+@@ -45,7 +45,7 @@ static inline IWSDMessageParametersImpl *impl_from_IWSDMessageParameters(IWSDMes
+ 
+ static inline IWSDUdpMessageParametersImpl *impl_from_IWSDUdpMessageParameters(IWSDUdpMessageParameters *iface)
+ {
+-    return CONTAINING_RECORD(iface, IWSDUdpMessageParametersImpl, base.IWSDMessageParameters_iface);
++    return CONTAINING_RECORD((IWSDMessageParameters *)iface, IWSDUdpMessageParametersImpl, base.IWSDMessageParameters_iface);
+ }
+ 
+ /* IWSDMessageParameters implementation */
+-- 
+2.13.1
+

patches/Exagear/0001-ntdll-Implement-emulation-of-SIDT-instruction-when-u.patch

@@ -1,287 +0,0 @@
-From 472184e5801de5d1fb92d275d9c0c7e840c9a0bf Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Tue, 11 Nov 2014 03:11:33 +0100
-Subject: ntdll: Implement emulation of SIDT instruction when using Exagear.
-
----
- configure.ac             |   8 ++
- dlls/ntdll/signal_i386.c | 223 +++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 231 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 1e6bba3..43bf0db 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -32,6 +32,7 @@ AC_ARG_ENABLE(win16, AS_HELP_STRING([--disable-win16],[do not include Win16 supp
- AC_ARG_ENABLE(win64, AS_HELP_STRING([--enable-win64],[build a Win64 emulator on AMD64 (won't run Win32 binaries)]))
- AC_ARG_ENABLE(tests, AS_HELP_STRING([--disable-tests],[do not build the regression tests]))
- AC_ARG_ENABLE(maintainer-mode, AS_HELP_STRING([--enable-maintainer-mode],[enable maintainer-specific build rules]))
-+AC_ARG_ENABLE(exagear-compat, AS_HELP_STRING([--enable-exagear-compat],[use workarounds for known problems in the Exagear emulator]))
- 
- AC_ARG_WITH(alsa,      AS_HELP_STRING([--without-alsa],[do not use the Alsa sound support]),
-             [if test "x$withval" = "xno"; then ac_cv_header_sys_asoundlib_h=no; ac_cv_header_alsa_asoundlib_h=no; fi])
-@@ -364,6 +365,13 @@ WINE_WARNING_WITH(gettext,[test "$MSGFMT" = false],
-                   [gettext tools not found (or too old), translations won't be built.],
-                   [enable_po])
- 
-+dnl **** Enable Exagear workarounds ****
-+
-+if test "x$enable_exagear_compat" = "xyes"
-+then
-+  AC_DEFINE(EXAGEAR_COMPAT, 1, [Define if you want to enable Exagear emulator workarounds])
-+fi
-+
- dnl **** Check for some libraries ****
- 
- dnl Check for -li386 for NetBSD and OpenBSD
-diff --git a/dlls/ntdll/signal_i386.c b/dlls/ntdll/signal_i386.c
-index ee8855a..4269329 100644
---- a/dlls/ntdll/signal_i386.c
-+++ b/dlls/ntdll/signal_i386.c
-@@ -96,6 +96,14 @@ typedef struct
-     BYTE Reserved4[96];
- } XMM_SAVE_AREA32;
- 
-+#include "pshpack1.h"
-+struct idtr
-+{
-+    WORD  limit;
-+    BYTE *base;
-+};
-+#include "poppack.h"
-+
- /***********************************************************************
-  * signal context platform-specific definitions
-  */
-@@ -1898,6 +1906,213 @@ static inline DWORD get_fpu_code( const CONTEXT *context )
- }
- 
- 
-+#ifdef EXAGEAR_COMPAT
-+
-+/***********************************************************************
-+ *           INSTR_GetOperandAddr
-+ *
-+ * Return the address of an instruction operand (from the mod/rm byte).
-+ */
-+static BYTE *INSTR_GetOperandAddr( CONTEXT *context, const BYTE *instr,
-+                                   int long_addr, int segprefix, int *len )
-+{
-+    int mod, rm, base = 0, index = 0, ss = 0, off;
-+
-+#define GET_VAL(val,type) \
-+    { *val = *(type *)instr; instr += sizeof(type); *len += sizeof(type); }
-+
-+    *len = 0;
-+    GET_VAL( &mod, BYTE );
-+    rm = mod & 7;
-+    mod >>= 6;
-+
-+    if (mod == 3)
-+    {
-+        switch(rm)
-+        {
-+        case 0: return (BYTE *)&context->Eax;
-+        case 1: return (BYTE *)&context->Ecx;
-+        case 2: return (BYTE *)&context->Edx;
-+        case 3: return (BYTE *)&context->Ebx;
-+        case 4: return (BYTE *)&context->Esp;
-+        case 5: return (BYTE *)&context->Ebp;
-+        case 6: return (BYTE *)&context->Esi;
-+        case 7: return (BYTE *)&context->Edi;
-+        }
-+    }
-+
-+    if (long_addr)
-+    {
-+        if (rm == 4)
-+        {
-+            BYTE sib;
-+            GET_VAL( &sib, BYTE );
-+            rm = sib & 7;
-+            ss = sib >> 6;
-+            switch((sib >> 3) & 7)
-+            {
-+            case 0: index = context->Eax; break;
-+            case 1: index = context->Ecx; break;
-+            case 2: index = context->Edx; break;
-+            case 3: index = context->Ebx; break;
-+            case 4: index = 0; break;
-+            case 5: index = context->Ebp; break;
-+            case 6: index = context->Esi; break;
-+            case 7: index = context->Edi; break;
-+            }
-+        }
-+
-+        switch(rm)
-+        {
-+        case 0: base = context->Eax; break;
-+        case 1: base = context->Ecx; break;
-+        case 2: base = context->Edx; break;
-+        case 3: base = context->Ebx; break;
-+        case 4: base = context->Esp; break;
-+        case 5: base = context->Ebp; break;
-+        case 6: base = context->Esi; break;
-+        case 7: base = context->Edi; break;
-+        }
-+        switch (mod)
-+        {
-+        case 0:
-+            if (rm == 5)  /* special case: ds:(disp32) */
-+            {
-+                GET_VAL( &base, DWORD );
-+            }
-+            break;
-+
-+        case 1:  /* 8-bit disp */
-+            GET_VAL( &off, BYTE );
-+            base += (signed char)off;
-+            break;
-+
-+        case 2:  /* 32-bit disp */
-+            GET_VAL( &off, DWORD );
-+            base += (signed long)off;
-+            break;
-+        }
-+    }
-+    else  /* short address */
-+    {
-+        switch(rm)
-+        {
-+        case 0:  /* ds:(bx,si) */
-+            base = LOWORD(context->Ebx) + LOWORD(context->Esi);
-+            break;
-+        case 1:  /* ds:(bx,di) */
-+            base = LOWORD(context->Ebx) + LOWORD(context->Edi);
-+            break;
-+        case 2:  /* ss:(bp,si) */
-+            base = LOWORD(context->Ebp) + LOWORD(context->Esi);
-+            break;
-+        case 3:  /* ss:(bp,di) */
-+            base = LOWORD(context->Ebp) + LOWORD(context->Edi);
-+            break;
-+        case 4:  /* ds:(si) */
-+            base = LOWORD(context->Esi);
-+            break;
-+        case 5:  /* ds:(di) */
-+            base = LOWORD(context->Edi);
-+            break;
-+        case 6:  /* ss:(bp) */
-+            base = LOWORD(context->Ebp);
-+            break;
-+        case 7:  /* ds:(bx) */
-+            base = LOWORD(context->Ebx);
-+            break;
-+        }
-+
-+        switch(mod)
-+        {
-+        case 0:
-+            if (rm == 6)  /* special case: ds:(disp16) */
-+            {
-+                GET_VAL( &base, WORD );
-+            }
-+            break;
-+
-+        case 1:  /* 8-bit disp */
-+            GET_VAL( &off, BYTE );
-+            base += (signed char)off;
-+            break;
-+
-+        case 2:  /* 16-bit disp */
-+            GET_VAL( &off, WORD );
-+            base += (signed short)off;
-+            break;
-+        }
-+        base &= 0xffff;
-+    }
-+    /* FIXME: we assume that all segments have a base of 0 */
-+    return (BYTE *)(base + (index << ss));
-+#undef GET_VAL
-+}
-+
-+
-+/***********************************************************************
-+ *           check_invalid_instr
-+ *
-+ * Support for instructions not implemented by Exagear.
-+ */
-+static inline BOOL check_invalid_instr( CONTEXT *context )
-+{
-+    const BYTE *instr;
-+    unsigned int prefix_count = 0;
-+    int len, long_addr = 1;
-+
-+    if (!wine_ldt_is_system( context->SegCs )) return FALSE;
-+    instr = (BYTE *)context->Eip;
-+
-+    for (;;) switch (*instr)
-+    {
-+    /* instruction prefixes */
-+    case 0x2e:  /* %cs: */
-+    case 0x36:  /* %ss: */
-+    case 0x3e:  /* %ds: */
-+    case 0x26:  /* %es: */
-+    case 0x64:  /* %fs: */
-+    case 0x65:  /* %gs: */
-+    case 0x66:  /* opcode size */
-+    case 0x67:  /* addr size */
-+    case 0xf0:  /* lock */
-+    case 0xf2:  /* repne */
-+    case 0xf3:  /* repe */
-+        if (++prefix_count >= 15) return FALSE;
-+        if (*instr == 0x67) long_addr = !long_addr; /* addr size */
-+        instr++;
-+        continue;
-+    case 0x0f: /* extended instruction */
-+        switch (instr[1])
-+        {
-+        case 0x01:
-+            if (((instr[2] >> 3) & 7) == 1) /* sidt m */
-+            {
-+                struct idtr ret;
-+                BYTE *addr;
-+
-+                if ((instr[2] >> 6) == 3) return FALSE; /* loading to register not allowed */
-+                addr = INSTR_GetOperandAddr( context, instr + 2, long_addr, 0, &len );
-+
-+                /* fake IDT structure */
-+                ret.limit = 0xfff;
-+                ret.base  = (void *)0xff000000;
-+                memcpy(addr, &ret, sizeof(ret));
-+
-+                context->Eip += prefix_count + len + 2;
-+                return TRUE;
-+            }
-+            break;
-+        }
-+        return FALSE;
-+    default:
-+        return FALSE;
-+    }
-+}
-+
-+#endif /* EXAGEAR_COMPAT */
-+
-+
- /**********************************************************************
-  *		raise_segv_exception
-  */
-@@ -1907,6 +2122,14 @@ static void WINAPI raise_segv_exception( EXCEPTION_RECORD *rec, CONTEXT *context
- 
-     switch(rec->ExceptionCode)
-     {
-+#ifdef EXAGEAR_COMPAT
-+    case EXCEPTION_ILLEGAL_INSTRUCTION:
-+        {
-+            if (check_invalid_instr( context ))
-+                goto done;
-+        }
-+        break;
-+#endif
-     case EXCEPTION_ACCESS_VIOLATION:
-         if (rec->NumberParameters == 2)
-         {
--- 
-2.7.1
-

patches/Exagear/0002-ntdll-Fix-issues-with-write-watches-when-using-Exage.patch

@@ -1,51 +0,0 @@
-From 5a4827d5c16aefd82029583710b9032a2356917b Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Sat, 22 Nov 2014 05:49:30 +0100
-Subject: ntdll: Fix issues with write watches when using Exagear.
-
----
- dlls/ntdll/virtual.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c
-index f7aae0b..3fa2027 100644
---- a/dlls/ntdll/virtual.c
-+++ b/dlls/ntdll/virtual.c
-@@ -1558,6 +1558,26 @@ NTSTATUS virtual_handle_fault( LPCVOID addr, DWORD err, BOOL on_signal_stack )
-     {
-         void *page = ROUND_ADDR( addr, page_mask );
-         BYTE *vprot = &view->prot[((const char *)page - (const char *)view->base) >> page_shift];
-+#ifdef EXAGEAR_COMPAT
-+        /* Exagear doesn't correctly set err, so always check for write watches, and
-+         * retry after removing the VPROT_WRITEWATCH or VPROT_WRITECOPY flag. In
-+         * contrary to the general implementation below this is not completely race-
-+         * condition safe. When multiple threads trigger the write watch at the same
-+         * time only the first thread will properly continue the execution, the rest
-+         * will crash. */
-+        if ((view->protect & VPROT_WRITEWATCH) && (*vprot & VPROT_WRITEWATCH))
-+        {
-+            *vprot &= ~VPROT_WRITEWATCH;
-+            VIRTUAL_SetProt( view, page, page_size, *vprot );
-+            if (VIRTUAL_GetUnixProt( *vprot ) & PROT_WRITE) ret = STATUS_SUCCESS;
-+        }
-+        if (*vprot & VPROT_WRITECOPY)
-+        {
-+            *vprot = (*vprot & ~VPROT_WRITECOPY) | VPROT_WRITE;
-+            VIRTUAL_SetProt( view, page, page_size, *vprot );
-+            if (VIRTUAL_GetUnixProt( *vprot ) & PROT_WRITE) ret = STATUS_SUCCESS;
-+        }
-+#else
-         if (err & EXCEPTION_WRITE_FAULT)
-         {
-             if ((view->protect & VPROT_WRITEWATCH) && (*vprot & VPROT_WRITEWATCH))
-@@ -1573,6 +1593,7 @@ NTSTATUS virtual_handle_fault( LPCVOID addr, DWORD err, BOOL on_signal_stack )
-             /* ignore fault if page is writable now */
-             if (VIRTUAL_GetUnixProt( *vprot ) & PROT_WRITE) ret = STATUS_SUCCESS;
-         }
-+#endif
-         if (!on_signal_stack && (*vprot & VPROT_GUARD))
-         {
-             VIRTUAL_SetProt( view, page, page_size, *vprot & ~VPROT_GUARD );
--- 
-2.2.2
-

patches/Exagear/0003-server-Don-t-attempt-to-use-ptrace-when-running-with.patch

@@ -1,25 +0,0 @@
-From 67cc0e23b26d5d9abda7eb771dc2bec309cb8650 Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Sun, 23 Nov 2014 22:33:51 +0100
-Subject: server: Don't attempt to use ptrace when running with Exagear.
-
----
- server/ptrace.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/server/ptrace.c b/server/ptrace.c
-index cb436b6..fb29b5a 100644
---- a/server/ptrace.c
-+++ b/server/ptrace.c
-@@ -531,7 +531,7 @@ void get_selector_entry( struct thread *thread, int entry, unsigned int *base,
- 
- 
- #if defined(linux) && (defined(HAVE_SYS_USER_H) || defined(HAVE_ASM_USER_H)) \
--    && (defined(__i386__) || defined(__x86_64__))
-+    && (defined(__i386__) || defined(__x86_64__)) && !defined(EXAGEAR_COMPAT)
- 
- #ifdef HAVE_SYS_USER_H
- #include <sys/user.h>
--- 
-2.1.3
-

patches/advapi-LsaLookupPrivilegeName/0003-advapi32-Implement-LsaLookupPrivilegeName.patch

@@ -1,4 +1,4 @@
-From fdc085e009942fa89ef5f0cd4104ab78c9d80b1b Mon Sep 17 00:00:00 2001
+From fcefc5661656de44d02fed0431b4a61fa618b663 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Sun, 5 Mar 2017 23:50:06 +0100
 Subject: advapi32: Implement LsaLookupPrivilegeName.
@@ -6,26 +6,26 @@ Subject: advapi32: Implement LsaLookupPrivilegeName.
 ---
  dlls/advapi32/advapi32.spec   |  2 +-
  dlls/advapi32/advapi32_misc.h |  2 ++
- dlls/advapi32/lsa.c           | 38 ++++++++++++++++++++++++++++++++++++++
+ dlls/advapi32/lsa.c           | 39 +++++++++++++++++++++++++++++++++++++++
  dlls/advapi32/security.c      | 27 ++++++++++++++++++---------
  include/ntsecapi.h            |  1 +
- 5 files changed, 60 insertions(+), 10 deletions(-)
+ 5 files changed, 61 insertions(+), 10 deletions(-)
 
 diff --git a/dlls/advapi32/advapi32.spec b/dlls/advapi32/advapi32.spec
-index 3000973265c..2c599c8bd92 100644
+index d5503490a0..709a385967 100644
 --- a/dlls/advapi32/advapi32.spec
 +++ b/dlls/advapi32/advapi32.spec
-@@ -446,7 +446,7 @@
- @ stdcall LsaLookupNames2(ptr long long ptr ptr ptr)
+@@ -469,7 +469,7 @@
  @ stdcall LsaLookupNames(long long ptr ptr ptr)
+ @ stdcall LsaLookupNames2(ptr long long ptr ptr ptr)
  @ stub LsaLookupPrivilegeDisplayName
 -# @ stub LsaLookupPrivilegeName
 +@ stdcall LsaLookupPrivilegeName(long ptr ptr)
  # @ stub LsaLookupPrivilegeValue
  @ stdcall LsaLookupSids(ptr long ptr ptr ptr)
- # @ stub LsaManageSidNameMapping
+ # @ stub LsaLookupSids2
 diff --git a/dlls/advapi32/advapi32_misc.h b/dlls/advapi32/advapi32_misc.h
-index d116ecb836e..ecb07f635a6 100644
+index d116ecb836..ecb07f635a 100644
 --- a/dlls/advapi32/advapi32_misc.h
 +++ b/dlls/advapi32/advapi32_misc.h
 @@ -68,4 +68,6 @@ static inline WCHAR *strdupAW( const char *src )
@@ -36,10 +36,10 @@ index d116ecb836e..ecb07f635a6 100644
 +
  #endif /* __WINE_ADVAPI32MISC_H */
 diff --git a/dlls/advapi32/lsa.c b/dlls/advapi32/lsa.c
-index 0f2167d19ab..6a7a69a9eb7 100644
+index 3da6d19b82..af5f9dd46d 100644
 --- a/dlls/advapi32/lsa.c
 +++ b/dlls/advapi32/lsa.c
-@@ -1012,3 +1012,41 @@ NTSTATUS WINAPI LsaUnregisterPolicyChangeNotification(
+@@ -973,3 +973,42 @@ NTSTATUS WINAPI LsaUnregisterPolicyChangeNotification(
      FIXME("(%d,%p) stub\n", class, event);
      return STATUS_SUCCESS;
  }
@@ -67,7 +67,8 @@ index 0f2167d19ab..6a7a69a9eb7 100644
 +
 +    if (lpLuid->HighPart ||
 +        (lpLuid->LowPart < SE_MIN_WELL_KNOWN_PRIVILEGE ||
-+         lpLuid->LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE))
++         lpLuid->LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE ||
++         !WellKnownPrivNames[lpLuid->LowPart]))
 +        return STATUS_NO_SUCH_PRIVILEGE;
 +
 +    priv_size = (strlenW(WellKnownPrivNames[lpLuid->LowPart]) + 1) * sizeof(WCHAR);
@@ -82,7 +83,7 @@ index 0f2167d19ab..6a7a69a9eb7 100644
 +    return STATUS_SUCCESS;
 +}
 diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
-index b0b368d6abf..24ec3099713 100644
+index e36792cff4..3bc8f48b19 100644
 --- a/dlls/advapi32/security.c
 +++ b/dlls/advapi32/security.c
 @@ -1840,7 +1840,7 @@ static const WCHAR SE_IMPERSONATE_NAME_W[] =
@@ -146,7 +147,7 @@ index b0b368d6abf..24ec3099713 100644
      }
  }
 diff --git a/include/ntsecapi.h b/include/ntsecapi.h
-index 2bb3d312e43..0bf0eca43ed 100644
+index 2bb3d312e4..0bf0eca43e 100644
 --- a/include/ntsecapi.h
 +++ b/include/ntsecapi.h
 @@ -370,6 +370,7 @@ NTSTATUS WINAPI LsaLookupNames(LSA_HANDLE,ULONG,PLSA_UNICODE_STRING,PLSA_REFEREN
@@ -158,5 +159,5 @@ index 2bb3d312e43..0bf0eca43ed 100644
  ULONG WINAPI LsaNtStatusToWinError(NTSTATUS);
  NTSTATUS WINAPI LsaOpenPolicy(PLSA_UNICODE_STRING,PLSA_OBJECT_ATTRIBUTES,ACCESS_MASK,PLSA_HANDLE);
 -- 
-2.11.0
+2.13.1
 

patches/advapi-LsaLookupPrivilegeName/0004-advapi32-Add-stub-for-LsaLookupPrivilegeDisplayName.patch

@@ -1,4 +1,4 @@
-From 01efac6b4fa338715ad775c147a6bfc42e0bc38e Mon Sep 17 00:00:00 2001
+From 63d642a1af3ccc579123cb8fd13959ab5e9136dd Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Mon, 6 Mar 2017 00:01:53 +0100
 Subject: advapi32: Add stub for LsaLookupPrivilegeDisplayName.
@@ -9,23 +9,23 @@ Subject: advapi32: Add stub for LsaLookupPrivilegeDisplayName.
  2 files changed, 22 insertions(+), 1 deletion(-)
 
 diff --git a/dlls/advapi32/advapi32.spec b/dlls/advapi32/advapi32.spec
-index 2c599c8bd92..ce1838d8c5a 100644
+index 124f527282..0b03cec3f5 100644
 --- a/dlls/advapi32/advapi32.spec
 +++ b/dlls/advapi32/advapi32.spec
-@@ -445,7 +445,7 @@
+@@ -468,7 +468,7 @@
  # @ stub LsaICLookupSidsWithCreds
- @ stdcall LsaLookupNames2(ptr long long ptr ptr ptr)
  @ stdcall LsaLookupNames(long long ptr ptr ptr)
+ @ stdcall LsaLookupNames2(ptr long long ptr ptr ptr)
 -@ stub LsaLookupPrivilegeDisplayName
 +@ stdcall LsaLookupPrivilegeDisplayName(long ptr ptr ptr)
  @ stdcall LsaLookupPrivilegeName(long ptr ptr)
  # @ stub LsaLookupPrivilegeValue
  @ stdcall LsaLookupSids(ptr long ptr ptr ptr)
 diff --git a/dlls/advapi32/lsa.c b/dlls/advapi32/lsa.c
-index 6a7a69a9eb7..fdb238f74b2 100644
+index ceb3b05c05..c2e02fb462 100644
 --- a/dlls/advapi32/lsa.c
 +++ b/dlls/advapi32/lsa.c
-@@ -45,6 +45,12 @@ WINE_DEFAULT_DEBUG_CHANNEL(advapi);
+@@ -44,6 +44,12 @@ WINE_DEFAULT_DEBUG_CHANNEL(advapi);
          return FailureCode; \
  }
  
@@ -38,7 +38,7 @@ index 6a7a69a9eb7..fdb238f74b2 100644
  static void dumpLsaAttributes(const LSA_OBJECT_ATTRIBUTES *oa)
  {
      if (oa)
-@@ -1050,3 +1056,18 @@ NTSTATUS WINAPI LsaLookupPrivilegeName(
+@@ -1011,3 +1017,18 @@ NTSTATUS WINAPI LsaLookupPrivilegeName(
      *name = priv_unicode;
      return STATUS_SUCCESS;
  }

patches/advapi-LsaLookupPrivilegeName/definition

@@ -1 +1 @@
-Fixes: Add LsaLookupPrivilege[Display]Name stubs
+Fixes: [43316] Add LsaLookupPrivilege[Display]Name stubs

patches/advapi32-BuildSecurityDescriptor/0001-advapi32-Implement-BuildSecurityDescriptorW.patch

@@ -0,0 +1,268 @@
+From 994fe46f1b68d851d285a29cce904bd9f22540ea Mon Sep 17 00:00:00 2001
+From: Andrew Wesie <awesie@gmail.com>
+Date: Tue, 2 May 2017 00:59:49 -0500
+Subject: advapi32: Implement BuildSecurityDescriptorW.
+
+---
+ dlls/advapi32/security.c | 218 +++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 164 insertions(+), 54 deletions(-)
+
+diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
+index 24ec3099713..82bb6689d43 100644
+--- a/dlls/advapi32/security.c
++++ b/dlls/advapi32/security.c
+@@ -58,6 +58,7 @@ static BOOL ParseStringSecurityDescriptorToSecurityDescriptor(
+     SECURITY_DESCRIPTOR_RELATIVE* SecurityDescriptor,
+     LPDWORD cBytes);
+ static DWORD ParseAclStringFlags(LPCWSTR* StringAcl);
++static DWORD trustee_to_sid(DWORD nDestinationSidLength, PSID pDestinationSid, PTRUSTEEW pTrustee);
+ 
+ typedef struct _ACEFLAG
+ {
+@@ -1264,16 +1265,122 @@ DWORD WINAPI BuildSecurityDescriptorW(
+     IN ULONG cCountOfAccessEntries,
+     IN PEXPLICIT_ACCESSW pListOfAccessEntries,
+     IN ULONG cCountOfAuditEntries,
+-    IN PEXPLICIT_ACCESSW pListofAuditEntries,
++    IN PEXPLICIT_ACCESSW pListOfAuditEntries,
+     IN PSECURITY_DESCRIPTOR pOldSD,
+     IN OUT PULONG lpdwBufferLength,
+     OUT PSECURITY_DESCRIPTOR* pNewSD)
+ { 
+-    FIXME("(%p,%p,%d,%p,%d,%p,%p,%p,%p) stub!\n",pOwner,pGroup,
+-          cCountOfAccessEntries,pListOfAccessEntries,cCountOfAuditEntries,
+-          pListofAuditEntries,pOldSD,lpdwBufferLength,pNewSD);
++    SECURITY_DESCRIPTOR desc;
++    NTSTATUS status;
++    DWORD ret = ERROR_SUCCESS;
++
++    TRACE("(%p,%p,%d,%p,%d,%p,%p,%p,%p)\n", pOwner, pGroup,
++          cCountOfAccessEntries, pListOfAccessEntries, cCountOfAuditEntries,
++          pListOfAuditEntries, pOldSD, lpdwBufferLength, pNewSD);
+  
+-    return ERROR_CALL_NOT_IMPLEMENTED;
++    if (pOldSD)
++    {
++        SECURITY_DESCRIPTOR_CONTROL control;
++        DWORD desc_size, dacl_size = 0, sacl_size = 0, owner_size = 0, group_size = 0;
++        PACL dacl = NULL, sacl = NULL;
++        PSID owner = NULL, group = NULL;
++        DWORD revision;
++
++        if ((status = RtlGetControlSecurityDescriptor( pOldSD, &control, &revision )) != STATUS_SUCCESS)
++            return RtlNtStatusToDosError( status );
++        if (!(control & SE_SELF_RELATIVE))
++            return ERROR_INVALID_SECURITY_DESCR;
++
++        desc_size = sizeof(desc);
++        status = RtlSelfRelativeToAbsoluteSD( pOldSD, &desc, &desc_size, dacl, &dacl_size, sacl, &sacl_size,
++                                              owner, &owner_size, group, &group_size );
++        if (status == STATUS_BUFFER_TOO_SMALL)
++        {
++            if (dacl_size)
++                dacl = LocalAlloc( LMEM_FIXED, dacl_size );
++            if (sacl_size)
++                sacl = LocalAlloc( LMEM_FIXED, sacl_size );
++            if (owner_size)
++                owner = LocalAlloc( LMEM_FIXED, owner_size );
++            if (group_size)
++                group = LocalAlloc( LMEM_FIXED, group_size );
++
++            desc_size = sizeof(desc);
++            status = RtlSelfRelativeToAbsoluteSD( pOldSD, &desc, &desc_size, dacl, &dacl_size, sacl, &sacl_size,
++                                                  owner, &owner_size, group, &group_size );
++        }
++        if (status != STATUS_SUCCESS)
++        {
++            LocalFree( dacl );
++            LocalFree( sacl );
++            LocalFree( owner );
++            LocalFree( group );
++            return RtlNtStatusToDosError( status );
++        }
++    }
++    else
++    {
++        if ((status = RtlCreateSecurityDescriptor( &desc, SECURITY_DESCRIPTOR_REVISION )) != STATUS_SUCCESS)
++            return RtlNtStatusToDosError( status );
++    }
++
++    if (pOwner)
++    {
++        LocalFree( desc.Owner );
++        desc.Owner = LocalAlloc( LMEM_FIXED, sizeof(MAX_SID) );
++        if ((ret = trustee_to_sid( sizeof(MAX_SID), desc.Owner, pOwner )))
++            goto done;
++    }
++
++    if (pGroup)
++    {
++        LocalFree( desc.Group );
++        desc.Group = LocalAlloc( LMEM_FIXED, sizeof(MAX_SID) );
++        if ((ret = trustee_to_sid( sizeof(MAX_SID), desc.Group, pGroup )))
++            goto done;
++    }
++
++    if (pListOfAccessEntries)
++    {
++        PACL new_dacl;
++
++        if ((ret = SetEntriesInAclW( cCountOfAccessEntries, pListOfAccessEntries, desc.Dacl, &new_dacl )))
++            goto done;
++
++        LocalFree( desc.Dacl );
++        desc.Dacl = new_dacl;
++        desc.Control |= SE_DACL_PRESENT;
++    }
++
++    if (pListOfAuditEntries)
++    {
++        PACL new_sacl;
++
++        if ((ret = SetEntriesInAclW( cCountOfAuditEntries, pListOfAuditEntries, desc.Sacl, &new_sacl )))
++            goto done;
++
++        LocalFree( desc.Sacl );
++        desc.Sacl = new_sacl;
++        desc.Control |= SE_SACL_PRESENT;
++    }
++
++    *lpdwBufferLength = RtlLengthSecurityDescriptor( &desc );
++    *pNewSD = LocalAlloc( LMEM_FIXED, *lpdwBufferLength );
++
++    if ((status = RtlMakeSelfRelativeSD( &desc, *pNewSD, lpdwBufferLength )) != STATUS_SUCCESS)
++    {
++        ret = RtlNtStatusToDosError( status );
++        LocalFree( *pNewSD );
++        *pNewSD = NULL;
++    }
++
++done:
++    /* free absolute descriptor */
++    LocalFree( desc.Owner );
++    LocalFree( desc.Group );
++    LocalFree( desc.Sacl );
++    LocalFree( desc.Dacl );
++    return ret;
+ } 
+ 
+ /******************************************************************************
+@@ -3766,6 +3873,56 @@ static void free_trustee_name(TRUSTEE_FORM form, WCHAR *trustee_nameW)
+     }
+ }
+ 
++static DWORD trustee_to_sid( DWORD nDestinationSidLength, PSID pDestinationSid, PTRUSTEEW pTrustee )
++{
++    if (pTrustee->MultipleTrusteeOperation == TRUSTEE_IS_IMPERSONATE)
++    {
++        WARN("bad multiple trustee operation %d\n", pTrustee->MultipleTrusteeOperation);
++        return ERROR_INVALID_PARAMETER;
++    }
++
++    switch (pTrustee->TrusteeForm)
++    {
++    case TRUSTEE_IS_SID:
++        if (!CopySid(nDestinationSidLength, pDestinationSid, pTrustee->ptstrName))
++        {
++            WARN("bad sid %p\n", pTrustee->ptstrName);
++            return ERROR_INVALID_PARAMETER;
++        }
++        break;
++    case TRUSTEE_IS_NAME:
++    {
++        DWORD sid_size = nDestinationSidLength;
++        DWORD domain_size = MAX_COMPUTERNAME_LENGTH + 1;
++        SID_NAME_USE use;
++        if (!strcmpW( pTrustee->ptstrName, CURRENT_USER ))
++        {
++            if (!lookup_user_account_name( pDestinationSid, &sid_size, NULL, &domain_size, &use ))
++            {
++                return GetLastError();
++            }
++        }
++        else if (!LookupAccountNameW(NULL, pTrustee->ptstrName, pDestinationSid, &sid_size, NULL, &domain_size, &use))
++        {
++            WARN("bad user name %s\n", debugstr_w(pTrustee->ptstrName));
++            return ERROR_INVALID_PARAMETER;
++        }
++        break;
++    }
++    case TRUSTEE_IS_OBJECTS_AND_SID:
++        FIXME("TRUSTEE_IS_OBJECTS_AND_SID unimplemented\n");
++        break;
++    case TRUSTEE_IS_OBJECTS_AND_NAME:
++        FIXME("TRUSTEE_IS_OBJECTS_AND_NAME unimplemented\n");
++        break;
++    default:
++        WARN("bad trustee form %d\n", pTrustee->TrusteeForm);
++        return ERROR_INVALID_PARAMETER;
++    }
++
++    return ERROR_SUCCESS;
++}
++
+ /******************************************************************************
+  * SetEntriesInAclA [ADVAPI32.@]
+  */
+@@ -3861,56 +4018,9 @@ DWORD WINAPI SetEntriesInAclW( ULONG count, PEXPLICIT_ACCESSW pEntries,
+               pEntries[i].Trustee.TrusteeForm, pEntries[i].Trustee.TrusteeType,
+               pEntries[i].Trustee.ptstrName);
+ 
+-        if (pEntries[i].Trustee.MultipleTrusteeOperation == TRUSTEE_IS_IMPERSONATE)
+-        {
+-            WARN("bad multiple trustee operation %d for trustee %d\n", pEntries[i].Trustee.MultipleTrusteeOperation, i);
+-            ret = ERROR_INVALID_PARAMETER;
+-            goto exit;
+-        }
+-
+-        switch (pEntries[i].Trustee.TrusteeForm)
+-        {
+-        case TRUSTEE_IS_SID:
+-            if (!CopySid(FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES]),
+-                         ppsid[i], pEntries[i].Trustee.ptstrName))
+-            {
+-                WARN("bad sid %p for trustee %d\n", pEntries[i].Trustee.ptstrName, i);
+-                ret = ERROR_INVALID_PARAMETER;
+-                goto exit;
+-            }
+-            break;
+-        case TRUSTEE_IS_NAME:
+-        {
+-            DWORD sid_size = FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES]);
+-            DWORD domain_size = MAX_COMPUTERNAME_LENGTH + 1;
+-            SID_NAME_USE use;
+-            if (!strcmpW( pEntries[i].Trustee.ptstrName, CURRENT_USER ))
+-            {
+-                if (!lookup_user_account_name( ppsid[i], &sid_size, NULL, &domain_size, &use ))
+-                {
+-                    ret = GetLastError();
+-                    goto exit;
+-                }
+-            }
+-            else if (!LookupAccountNameW(NULL, pEntries[i].Trustee.ptstrName, ppsid[i], &sid_size, NULL, &domain_size, &use))
+-            {
+-                WARN("bad user name %s for trustee %d\n", debugstr_w(pEntries[i].Trustee.ptstrName), i);
+-                ret = ERROR_INVALID_PARAMETER;
+-                goto exit;
+-            }
+-            break;
+-        }
+-        case TRUSTEE_IS_OBJECTS_AND_SID:
+-            FIXME("TRUSTEE_IS_OBJECTS_AND_SID unimplemented\n");
+-            break;
+-        case TRUSTEE_IS_OBJECTS_AND_NAME:
+-            FIXME("TRUSTEE_IS_OBJECTS_AND_NAME unimplemented\n");
+-            break;
+-        default:
+-            WARN("bad trustee form %d for trustee %d\n", pEntries[i].Trustee.TrusteeForm, i);
+-            ret = ERROR_INVALID_PARAMETER;
++        ret = trustee_to_sid( FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES]), ppsid[i], &pEntries[i].Trustee);
++        if (ret)
+             goto exit;
+-        }
+ 
+         /* Note: we overestimate the ACL size here as a tradeoff between
+          * instructions (simplicity) and memory */
+-- 
+2.12.2
+

patches/advapi32-BuildSecurityDescriptor/0002-advapi32-tests-Add-basic-tests-for-BuildSecurityDesc.patch

@@ -0,0 +1,69 @@
+From 09d62cfc4fa999eacc89af2ad414810e22c910a9 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Fri, 5 May 2017 00:18:50 +0200
+Subject: advapi32/tests: Add basic tests for BuildSecurityDescriptor.
+
+---
+ dlls/advapi32/tests/security.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
+index ca5edffae5..db5a0f934c 100644
+--- a/dlls/advapi32/tests/security.c
++++ b/dlls/advapi32/tests/security.c
+@@ -7217,6 +7217,44 @@ static void test_GetExplicitEntriesFromAclW(void)
+     HeapFree(GetProcessHeap(), 0, old_acl);
+ }
+ 
++static void test_BuildSecurityDescriptorW(void)
++{
++    SECURITY_DESCRIPTOR old_sd, *new_sd, *rel_sd;
++    ULONG new_sd_size;
++    DWORD buf_size;
++    char buf[1024];
++    BOOL success;
++    DWORD ret;
++
++    InitializeSecurityDescriptor(&old_sd, SECURITY_DESCRIPTOR_REVISION);
++
++    buf_size = sizeof(buf);
++    rel_sd = (SECURITY_DESCRIPTOR *)buf;
++    success = MakeSelfRelativeSD(&old_sd, rel_sd, &buf_size);
++    ok(success, "MakeSelfRelativeSD failed with %u\n", GetLastError());
++
++    new_sd = NULL;
++    new_sd_size = 0;
++    ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, NULL, &new_sd_size, (void **)&new_sd);
++    ok(ret == ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret);
++    ok(new_sd != NULL, "expected new_sd != NULL\n");
++    ok(new_sd_size == sizeof(old_sd), "expected new_sd_size == sizeof(old_sd), got %u\n", new_sd_size);
++    LocalFree(new_sd);
++
++    new_sd = (void *)0xdeadbeef;
++    ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, &old_sd, &new_sd_size, (void **)&new_sd);
++    ok(ret == ERROR_INVALID_SECURITY_DESCR, "expected ERROR_INVALID_SECURITY_DESCR, got %u\n", ret);
++    ok(new_sd == (void *)0xdeadbeef, "expected new_sd == 0xdeadbeef, got %p\n", new_sd);
++
++    new_sd = NULL;
++    new_sd_size = 0;
++    ret = BuildSecurityDescriptorW(NULL, NULL, 0, NULL, 0, NULL, rel_sd, &new_sd_size, (void **)&new_sd);
++    ok(ret == ERROR_SUCCESS, "BuildSecurityDescriptor failed with %u\n", ret);
++    ok(new_sd != NULL, "expected new_sd != NULL\n");
++    ok(new_sd_size == sizeof(old_sd), "expected new_sd_size == sizeof(old_sd), got %u\n", new_sd_size);
++    LocalFree(new_sd);
++}
++
+ START_TEST(security)
+ {
+     init();
+@@ -7271,6 +7309,7 @@ START_TEST(security)
+     test_maximum_allowed();
+     test_token_label();
+     test_GetExplicitEntriesFromAclW();
++    test_BuildSecurityDescriptorW();
+ 
+     /* Must be the last test, modifies process token */
+     test_token_security_descriptor();
+-- 
+2.13.1
+

patches/advapi32-BuildSecurityDescriptor/definition

@@ -0,0 +1,2 @@
+Fixes: Initial implementation of advapi32.BuildSecurityDescriptorW
+Depends: advapi32-GetExplicitEntriesFromAclW

patches/advapi32-CreateRestrictedToken/0001-ntdll-Implement-NtFilterToken.patch

@@ -0,0 +1,315 @@
+From 3f314cc8251f62f592013abe7b1c3b977de0699a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Fri, 4 Aug 2017 02:33:14 +0200
+Subject: ntdll: Implement NtFilterToken.
+
+---
+ dlls/ntdll/nt.c       | 59 ++++++++++++++++++++++++++++++++++++
+ dlls/ntdll/ntdll.spec |  2 +-
+ include/winnt.h       |  5 +++
+ include/winternl.h    |  1 +
+ server/process.c      |  2 +-
+ server/protocol.def   | 10 ++++++
+ server/security.h     |  4 ++-
+ server/token.c        | 84 +++++++++++++++++++++++++++++++++++++++++++++++++--
+ 8 files changed, 162 insertions(+), 5 deletions(-)
+
+diff --git a/dlls/ntdll/nt.c b/dlls/ntdll/nt.c
+index 93554e929be..5822dec9b15 100644
+--- a/dlls/ntdll/nt.c
++++ b/dlls/ntdll/nt.c
+@@ -136,6 +136,65 @@ NTSTATUS WINAPI NtDuplicateToken(
+ }
+ 
+ /******************************************************************************
++ *  NtFilterToken        [NTDLL.@]
++ *  ZwFilterToken        [NTDLL.@]
++ */
++NTSTATUS WINAPI NtFilterToken( HANDLE token, ULONG flags, TOKEN_GROUPS *disable_sids,
++                               TOKEN_PRIVILEGES *privileges, TOKEN_GROUPS *restrict_sids,
++                               HANDLE *new_token )
++{
++    data_size_t privileges_len = 0;
++    data_size_t sids_len = 0;
++    SID *sids = NULL;
++    NTSTATUS status;
++
++    TRACE( "(%p, 0x%08x, %p, %p, %p, %p)\n", token, flags, disable_sids, privileges,
++           restrict_sids, new_token );
++
++    if (flags)
++        FIXME( "flags %x unsupported\n", flags );
++
++    if (restrict_sids)
++        FIXME( "support for restricting sids not yet implemented\n" );
++
++    if (privileges)
++        privileges_len = privileges->PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
++
++    if (disable_sids)
++    {
++        DWORD len, i;
++        BYTE *tmp;
++
++        for (i = 0; i < disable_sids->GroupCount; i++)
++            sids_len += RtlLengthSid( disable_sids->Groups[i].Sid );
++
++        sids = RtlAllocateHeap( GetProcessHeap(), 0, sids_len );
++        if (!sids) return STATUS_NO_MEMORY;
++
++        for (i = 0, tmp = (BYTE *)sids; i < disable_sids->GroupCount; i++, tmp += len)
++        {
++            len = RtlLengthSid( disable_sids->Groups[i].Sid );
++            memcpy( tmp, disable_sids->Groups[i].Sid, len );
++        }
++    }
++
++    SERVER_START_REQ( filter_token )
++    {
++        req->handle          = wine_server_obj_handle( token );
++        req->flags           = flags;
++        req->privileges_size = privileges_len;
++        wine_server_add_data( req, privileges->Privileges, privileges_len );
++        wine_server_add_data( req, sids, sids_len );
++        status = wine_server_call( req );
++        if (!status) *new_token = wine_server_ptr_handle( reply->new_handle );
++    }
++    SERVER_END_REQ;
++
++    RtlFreeHeap( GetProcessHeap(), 0, sids );
++    return status;
++}
++
++/******************************************************************************
+  *  NtOpenProcessToken		[NTDLL.@]
+  *  ZwOpenProcessToken		[NTDLL.@]
+  */
+diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
+index 4f7ee496437..275fda57970 100644
+--- a/dlls/ntdll/ntdll.spec
++++ b/dlls/ntdll/ntdll.spec
+@@ -179,7 +179,7 @@
+ # @ stub NtEnumerateSystemEnvironmentValuesEx
+ @ stdcall NtEnumerateValueKey(long long long ptr long ptr)
+ @ stub NtExtendSection
+-# @ stub NtFilterToken
++@ stdcall NtFilterToken(long long ptr ptr ptr ptr)
+ @ stdcall NtFindAtom(ptr long ptr)
+ @ stdcall NtFlushBuffersFile(long ptr)
+ @ stdcall NtFlushInstructionCache(long ptr long)
+diff --git a/include/winnt.h b/include/winnt.h
+index f91f81eb559..891c9b6d4bb 100644
+--- a/include/winnt.h
++++ b/include/winnt.h
+@@ -3844,6 +3844,11 @@ typedef enum _TOKEN_INFORMATION_CLASS {
+ 					TOKEN_ADJUST_SESSIONID | \
+ 					TOKEN_ADJUST_DEFAULT )
+ 
++#define DISABLE_MAX_PRIVILEGE 0x1
++#define SANDBOX_INERT         0x2
++#define LUA_TOKEN             0x4
++#define WRITE_RESTRICTED      0x8
++
+ #ifndef _SECURITY_DEFINED
+ #define _SECURITY_DEFINED
+ 
+diff --git a/include/winternl.h b/include/winternl.h
+index 140669b0105..899e8324d67 100644
+--- a/include/winternl.h
++++ b/include/winternl.h
+@@ -2348,6 +2348,7 @@ NTSYSAPI NTSTATUS  WINAPI NtDuplicateToken(HANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES
+ NTSYSAPI NTSTATUS  WINAPI NtEnumerateKey(HANDLE,ULONG,KEY_INFORMATION_CLASS,void *,DWORD,DWORD *);
+ NTSYSAPI NTSTATUS  WINAPI NtEnumerateValueKey(HANDLE,ULONG,KEY_VALUE_INFORMATION_CLASS,PVOID,ULONG,PULONG);
+ NTSYSAPI NTSTATUS  WINAPI NtExtendSection(HANDLE,PLARGE_INTEGER);
++NTSYSAPI NTSTATUS  WINAPI NtFilterToken(HANDLE,ULONG,TOKEN_GROUPS*,TOKEN_PRIVILEGES*,TOKEN_GROUPS*,HANDLE*);
+ NTSYSAPI NTSTATUS  WINAPI NtFindAtom(const WCHAR*,ULONG,RTL_ATOM*);
+ NTSYSAPI NTSTATUS  WINAPI NtFlushBuffersFile(HANDLE,IO_STATUS_BLOCK*);
+ NTSYSAPI NTSTATUS  WINAPI NtFlushInstructionCache(HANDLE,LPCVOID,SIZE_T);
+diff --git a/server/process.c b/server/process.c
+index cbe726afe81..f0f60edcd3f 100644
+--- a/server/process.c
++++ b/server/process.c
+@@ -571,7 +571,7 @@ struct thread *create_process( int fd, struct thread *parent_thread, int inherit
+                                        : alloc_handle_table( process, 0 );
+         /* Note: for security reasons, starting a new process does not attempt
+          * to use the current impersonation token for the new process */
+-        process->token = token_duplicate( parent->token, TRUE, 0, NULL );
++        process->token = token_duplicate( parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
+         process->affinity = parent->affinity;
+     }
+     if (!process->handles || !process->token) goto error;
+diff --git a/server/protocol.def b/server/protocol.def
+index fc6e343af52..b3dce66eb9c 100644
+--- a/server/protocol.def
++++ b/server/protocol.def
+@@ -3391,6 +3391,16 @@ enum caret_state
+     obj_handle_t  new_handle; /* duplicated handle */
+ @END
+ 
++@REQ(filter_token)
++    obj_handle_t  handle;          /* handle to the token to duplicate */
++    unsigned int  flags;           /* flags */
++    data_size_t   privileges_size; /* size of privileges */
++    VARARG(privileges,LUID_AND_ATTRIBUTES,privileges_size); /* privileges to remove from new token */
++    VARARG(disable_sids,SID);      /* array of groups to remove from new token */
++@REPLY
++    obj_handle_t  new_handle;      /* filtered handle */
++@END
++
+ @REQ(access_check)
+     obj_handle_t    handle; /* handle to the token */
+     unsigned int    desired_access; /* desired access to the object */
+diff --git a/server/security.h b/server/security.h
+index 606dbb2ab2c..6c337143c3d 100644
+--- a/server/security.h
++++ b/server/security.h
+@@ -56,7 +56,9 @@ extern const PSID security_high_label_sid;
+ extern struct token *token_create_admin(void);
+ extern int token_assign_label( struct token *token, PSID label );
+ extern struct token *token_duplicate( struct token *src_token, unsigned primary,
+-                                      int impersonation_level, const struct security_descriptor *sd );
++                                      int impersonation_level, const struct security_descriptor *sd,
++                                      const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
++                                      const SID *filter_groups, unsigned int group_count );
+ extern int token_check_privileges( struct token *token, int all_required,
+                                    const LUID_AND_ATTRIBUTES *reqprivs,
+                                    unsigned int count, LUID_AND_ATTRIBUTES *usedprivs);
+diff --git a/server/token.c b/server/token.c
+index 74db66e1e24..acd7a4dedb5 100644
+--- a/server/token.c
++++ b/server/token.c
+@@ -299,6 +299,19 @@ static int acl_is_valid( const ACL *acl, data_size_t size )
+     return TRUE;
+ }
+ 
++static unsigned int get_sid_count( const SID *sid, data_size_t size )
++{
++    unsigned int count;
++
++    for (count = 0; size >= sizeof(SID) && security_sid_len( sid ) <= size; count++)
++    {
++        size -= security_sid_len( sid );
++        sid = (const SID *)((char *)sid + security_sid_len( sid ));
++    }
++
++    return count;
++}
++
+ /* checks whether all members of a security descriptor fit inside the size
+  * of memory specified */
+ int sd_is_valid( const struct security_descriptor *sd, data_size_t size )
+@@ -639,8 +652,36 @@ static struct token *create_token( unsigned primary, const SID *user,
+     return token;
+ }
+ 
++static int filter_group( struct group *group, const SID *filter, unsigned int count )
++{
++    unsigned int i;
++
++    for (i = 0; i < count; i++)
++    {
++        if (security_equal_sid( &group->sid, filter )) return 1;
++        filter = (const SID *)((char *)filter + security_sid_len( filter ));
++    }
++
++    return 0;
++}
++
++static int filter_privilege( struct privilege *privilege, const LUID_AND_ATTRIBUTES *filter, unsigned int count )
++{
++    unsigned int i;
++
++    for (i = 0; i < count; i++)
++    {
++        if (!memcmp( &privilege->luid, &filter[i].Luid, sizeof(LUID) ))
++            return 1;
++    }
++
++    return 0;
++}
++
+ struct token *token_duplicate( struct token *src_token, unsigned primary,
+-                               int impersonation_level, const struct security_descriptor *sd )
++                               int impersonation_level, const struct security_descriptor *sd,
++                               const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
++                               const SID *filter_groups, unsigned int group_count)
+ {
+     const luid_t *modified_id =
+         primary || (impersonation_level == src_token->impersonation_level) ?
+@@ -676,6 +717,12 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
+             return NULL;
+         }
+         memcpy( newgroup, group, size );
++        if (filter_group( group, filter_groups, group_count ))
++        {
++            newgroup->enabled = 0;
++            newgroup->def = 0;
++            newgroup->deny_only = 1;
++        }
+         list_add_tail( &token->groups, &newgroup->entry );
+         if (src_token->primary_group == &group->sid)
+             token->primary_group = &newgroup->sid;
+@@ -684,11 +731,14 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
+ 
+     /* copy privileges */
+     LIST_FOR_EACH_ENTRY( privilege, &src_token->privileges, struct privilege, entry )
++    {
++        if (filter_privilege( privilege, filter_privileges, priv_count )) continue;
+         if (!privilege_add( token, &privilege->luid, privilege->enabled ))
+         {
+             release_object( token );
+             return NULL;
+         }
++    }
+ 
+     if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
+                             DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
+@@ -1322,7 +1372,7 @@ DECL_HANDLER(duplicate_token)
+                                                      TOKEN_DUPLICATE,
+                                                      &token_ops )))
+     {
+-        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd );
++        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd, NULL, 0, NULL, 0 );
+         if (token)
+         {
+             reply->new_handle = alloc_handle_no_access_check( current->process, token, req->access, objattr->attributes );
+@@ -1332,6 +1382,36 @@ DECL_HANDLER(duplicate_token)
+     }
+ }
+ 
++/* creates a restricted version of a token */
++DECL_HANDLER(filter_token)
++{
++    struct token *src_token;
++
++    if ((src_token = (struct token *)get_handle_obj( current->process, req->handle,
++                                                     TOKEN_DUPLICATE,
++                                                     &token_ops )))
++    {
++        const LUID_AND_ATTRIBUTES *filter_privileges = get_req_data();
++        unsigned int priv_count, group_count;
++        const SID *filter_groups;
++        struct token *token;
++
++        priv_count = min( req->privileges_size, get_req_data_size() ) / sizeof(LUID_AND_ATTRIBUTES);
++        filter_groups = (const SID *)((char *)filter_privileges + priv_count * sizeof(LUID_AND_ATTRIBUTES));
++        group_count = get_sid_count( filter_groups, get_req_data_size() - priv_count * sizeof(LUID_AND_ATTRIBUTES) );
++
++        token = token_duplicate( src_token, src_token->primary, src_token->impersonation_level, NULL,
++                                 filter_privileges, priv_count, filter_groups, group_count );
++        if (token)
++        {
++            unsigned int access = get_handle_access( current->process, req->handle );
++            reply->new_handle = alloc_handle_no_access_check( current->process, token, access, 0 );
++            release_object( token );
++        }
++        release_object( src_token );
++    }
++}
++
+ /* checks the specified privileges are held by the token */
+ DECL_HANDLER(check_token_privileges)
+ {
+-- 
+2.13.1
+

patches/advapi32-CreateRestrictedToken/0002-advapi32-Implement-CreateRestrictedToken.patch

@@ -0,0 +1,271 @@
+From 2a1064c5f90beac2bd709ab5d1c454c90a16189b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Fri, 4 Aug 2017 02:51:57 +0200
+Subject: advapi32: Implement CreateRestrictedToken.
+
+---
+ dlls/advapi32/security.c       | 88 +++++++++++++++++++++++++++++++++++-------
+ dlls/advapi32/tests/security.c | 88 +++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 157 insertions(+), 19 deletions(-)
+
+diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
+index 82bb6689d43..c531e45c9a0 100644
+--- a/dlls/advapi32/security.c
++++ b/dlls/advapi32/security.c
+@@ -840,6 +840,60 @@ BOOL WINAPI SetThreadToken(PHANDLE thread, HANDLE token)
+                                                  ThreadImpersonationToken, &token, sizeof token ));
+ }
+ 
++static BOOL allocate_groups(TOKEN_GROUPS **groups_ret, SID_AND_ATTRIBUTES *sids, DWORD count)
++{
++    TOKEN_GROUPS *groups;
++    DWORD i;
++
++    if (!count)
++    {
++        *groups_ret = NULL;
++        return TRUE;
++    }
++
++    groups = (TOKEN_GROUPS *)heap_alloc(FIELD_OFFSET(TOKEN_GROUPS, Groups) +
++                                        count * sizeof(SID_AND_ATTRIBUTES));
++    if (!groups)
++    {
++        SetLastError(ERROR_OUTOFMEMORY);
++        return FALSE;
++    }
++
++    groups->GroupCount = count;
++    for (i = 0; i < count; i++)
++        groups->Groups[i] = sids[i];
++
++    *groups_ret = groups;
++    return TRUE;
++}
++
++static BOOL allocate_privileges(TOKEN_PRIVILEGES **privileges_ret, LUID_AND_ATTRIBUTES *privs, DWORD count)
++{
++    TOKEN_PRIVILEGES *privileges;
++    DWORD i;
++
++    if (!count)
++    {
++        *privileges_ret = NULL;
++        return TRUE;
++    }
++
++    privileges = (TOKEN_PRIVILEGES *)heap_alloc(FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) +
++                                                count * sizeof(LUID_AND_ATTRIBUTES));
++    if (!privileges)
++    {
++        SetLastError(ERROR_OUTOFMEMORY);
++        return FALSE;
++    }
++
++    privileges->PrivilegeCount = count;
++    for (i = 0; i < count; i++)
++        privileges->Privileges[i] = privs[i];
++
++    *privileges_ret = privileges;
++    return TRUE;
++}
++
+ /*************************************************************************
+  * CreateRestrictedToken [ADVAPI32.@]
+  *
+@@ -871,25 +925,33 @@ BOOL WINAPI CreateRestrictedToken(
+     PSID_AND_ATTRIBUTES restrictSids,
+     PHANDLE newToken)
+ {
+-    TOKEN_TYPE type;
+-    SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
+-    DWORD size;
++    TOKEN_PRIVILEGES *delete_privs = NULL;
++    TOKEN_GROUPS *disable_groups = NULL;
++    TOKEN_GROUPS *restrict_sids = NULL;
++    BOOL ret = FALSE;
+ 
+-    FIXME("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p): stub\n",
++    TRACE("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p)\n",
+           baseToken, flags, nDisableSids, disableSids,
+           nDeletePrivs, deletePrivs,
+           nRestrictSids, restrictSids,
+           newToken);
+ 
+-    size = sizeof(type);
+-    if (!GetTokenInformation( baseToken, TokenType, &type, size, &size )) return FALSE;
+-    if (type == TokenImpersonation)
+-    {
+-        size = sizeof(level);
+-        if (!GetTokenInformation( baseToken, TokenImpersonationLevel, &level, size, &size ))
+-            return FALSE;
+-    }
+-    return DuplicateTokenEx( baseToken, MAXIMUM_ALLOWED, NULL, level, type, newToken );
++    if (!allocate_groups(&disable_groups, disableSids, nDisableSids))
++        goto done;
++
++    if (!allocate_privileges(&delete_privs, deletePrivs, nDeletePrivs))
++        goto done;
++
++    if (!allocate_groups(&restrict_sids, restrictSids, nRestrictSids))
++        goto done;
++
++    ret = set_ntstatus(NtFilterToken(baseToken, flags, disable_groups, delete_privs, restrict_sids, newToken));
++
++done:
++    heap_free(disable_groups);
++    heap_free(delete_privs);
++    heap_free(restrict_sids);
++    return ret;
+ }
+ 
+ /*	##############################
+diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
+index a1ecc409b73..0fd41fe82fa 100644
+--- a/dlls/advapi32/tests/security.c
++++ b/dlls/advapi32/tests/security.c
+@@ -5292,10 +5292,13 @@ static void test_GetUserNameW(void)
+ 
+ static void test_CreateRestrictedToken(void)
+ {
++    TOKEN_PRIMARY_GROUP *primary_group, *primary_group2;
+     HANDLE process_token, token, r_token;
+     PTOKEN_GROUPS token_groups, groups2;
+     SID_AND_ATTRIBUTES sattr;
+     SECURITY_IMPERSONATION_LEVEL level;
++    TOKEN_PRIVILEGES *privs;
++    PRIVILEGE_SET privset;
+     TOKEN_TYPE type;
+     BOOL is_member;
+     DWORD size;
+@@ -5311,7 +5314,7 @@ static void test_CreateRestrictedToken(void)
+     ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_QUERY, &process_token);
+     ok(ret, "got error %d\n", GetLastError());
+ 
+-    ret = DuplicateTokenEx(process_token, TOKEN_DUPLICATE|TOKEN_ADJUST_GROUPS|TOKEN_QUERY,
++    ret = DuplicateTokenEx(process_token, TOKEN_DUPLICATE|TOKEN_ADJUST_GROUPS|TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
+         NULL, SecurityImpersonation, TokenImpersonation, &token);
+     ok(ret, "got error %d\n", GetLastError());
+ 
+@@ -5342,11 +5345,21 @@ static void test_CreateRestrictedToken(void)
+     ok(ret, "got error %d\n", GetLastError());
+     ok(is_member, "not a member\n");
+ 
+-    /* disable a SID in new token */
++    privset.PrivilegeCount = 1;
++    privset.Control = PRIVILEGE_SET_ALL_NECESSARY;
++    ret = LookupPrivilegeValueA(NULL, "SeChangeNotifyPrivilege", &privset.Privilege[0].Luid);
++    ok(ret, "got error %d\n", GetLastError());
++
++    is_member = FALSE;
++    ret = PrivilegeCheck(token, &privset, &is_member);
++    ok(ret, "got error %d\n", GetLastError());
++    ok(is_member, "Expected SeChangeNotifyPrivilege to be enabled\n");
++
++    /* disable a SID and a privilege in new token */
+     sattr.Sid = token_groups->Groups[i].Sid;
+     sattr.Attributes = 0;
+     r_token = NULL;
+-    ret = pCreateRestrictedToken(token, 0, 1, &sattr, 0, NULL, 0, NULL, &r_token);
++    ret = pCreateRestrictedToken(token, 0, 1, &sattr, 1, &privset.Privilege[0], 0, NULL, &r_token);
+     ok(ret, "got error %d\n", GetLastError());
+ 
+     if (ret)
+@@ -5355,7 +5368,7 @@ static void test_CreateRestrictedToken(void)
+         is_member = TRUE;
+         ret = pCheckTokenMembership(r_token, token_groups->Groups[i].Sid, &is_member);
+         ok(ret, "got error %d\n", GetLastError());
+-        todo_wine ok(!is_member, "not a member\n");
++        ok(!is_member, "not a member\n");
+ 
+         ret = GetTokenInformation(r_token, TokenGroups, NULL, 0, &size);
+         ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
+@@ -5370,9 +5383,9 @@ static void test_CreateRestrictedToken(void)
+                 break;
+         }
+ 
+-        todo_wine ok(groups2->Groups[j].Attributes & SE_GROUP_USE_FOR_DENY_ONLY,
++        ok(groups2->Groups[j].Attributes & SE_GROUP_USE_FOR_DENY_ONLY,
+             "got wrong attributes\n");
+-        todo_wine ok((groups2->Groups[j].Attributes & SE_GROUP_ENABLED) == 0,
++        ok((groups2->Groups[j].Attributes & SE_GROUP_ENABLED) == 0,
+             "got wrong attributes\n");
+ 
+         HeapFree(GetProcessHeap(), 0, groups2);
+@@ -5386,10 +5399,73 @@ static void test_CreateRestrictedToken(void)
+         ret = GetTokenInformation(r_token, TokenImpersonationLevel, &level, size, &size);
+         ok(ret, "got error %d\n", GetLastError());
+         ok(level == SecurityImpersonation, "got level %u\n", type);
++
++        is_member = TRUE;
++        ret = PrivilegeCheck(r_token, &privset, &is_member);
++        ok(ret, "got error %d\n", GetLastError());
++        ok(!is_member, "Expected SeChangeNotifyPrivilege not to be enabled\n");
++
++        ret = GetTokenInformation(r_token, TokenPrivileges, NULL, 0, &size);
++        ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
++            ret, GetLastError());
++        privs = HeapAlloc(GetProcessHeap(), 0, size);
++        ret = GetTokenInformation(r_token, TokenPrivileges, privs, size, &size);
++        ok(ret, "got error %d\n", GetLastError());
++
++        is_member = FALSE;
++        for (j = 0; j < privs->PrivilegeCount; j++)
++        {
++            if (RtlEqualLuid(&privs->Privileges[j].Luid, &privset.Privilege[0].Luid))
++            {
++                is_member = TRUE;
++                break;
++            }
++        }
++
++        ok(!is_member, "Expected not to find privilege\n");
++        HeapFree(GetProcessHeap(), 0, privs);
+     }
+ 
+     HeapFree(GetProcessHeap(), 0, token_groups);
+     CloseHandle(r_token);
++
++    ret = GetTokenInformation(token, TokenPrimaryGroup, NULL, 0, &size);
++    ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
++        ret, GetLastError());
++    primary_group = HeapAlloc(GetProcessHeap(), 0, size);
++    ret = GetTokenInformation(token, TokenPrimaryGroup, primary_group, size, &size);
++    ok(ret, "got error %d\n", GetLastError());
++
++    /* disable primary group */
++    sattr.Sid = primary_group->PrimaryGroup;
++    sattr.Attributes = 0;
++    r_token = NULL;
++    ret = pCreateRestrictedToken(token, 0, 1, &sattr, 0, NULL, 0, NULL, &r_token);
++    ok(ret, "got error %d\n", GetLastError());
++
++    if (ret)
++    {
++        is_member = TRUE;
++        ret = pCheckTokenMembership(r_token, primary_group->PrimaryGroup, &is_member);
++        ok(ret, "got error %d\n", GetLastError());
++        ok(!is_member, "not a member\n");
++
++        ret = GetTokenInformation(r_token, TokenPrimaryGroup, NULL, 0, &size);
++        ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER, "got %d with error %d\n",
++            ret, GetLastError());
++        primary_group2 = HeapAlloc(GetProcessHeap(), 0, size);
++        ret = GetTokenInformation(r_token, TokenPrimaryGroup, primary_group2, size, &size);
++        ok(ret, "got error %d\n", GetLastError());
++
++        ok(EqualSid(primary_group2->PrimaryGroup, primary_group->PrimaryGroup),
++           "Expected same primary group\n");
++
++        HeapFree(GetProcessHeap(), 0, primary_group2);
++    }
++
++    HeapFree(GetProcessHeap(), 0, primary_group);
++    CloseHandle(r_token);
++
+     CloseHandle(token);
+     CloseHandle(process_token);
+ }
+-- 
+2.13.1
+

patches/advapi32-CreateRestrictedToken/0003-server-Correctly-validate-SID-length-in-sd_is_valid.patch

@@ -0,0 +1,36 @@
+From 22a49dfa50cda9b1f5a5c64eabed2d17b0033896 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Fri, 4 Aug 2017 02:52:50 +0200
+Subject: server: Correctly validate SID length in sd_is_valid.
+
+---
+ server/token.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/server/token.c b/server/token.c
+index acd7a4dedb5..7ab0f634c05 100644
+--- a/server/token.c
++++ b/server/token.c
+@@ -332,8 +332,7 @@ int sd_is_valid( const struct security_descriptor *sd, data_size_t size )
+     owner = sd_get_owner( sd );
+     if (owner)
+     {
+-        size_t needed_size = security_sid_len( owner );
+-        if ((sd->owner_len < sizeof(SID)) || (needed_size > sd->owner_len))
++        if ((sd->owner_len < sizeof(SID)) || (security_sid_len( owner ) > sd->owner_len))
+             return FALSE;
+     }
+     offset += sd->owner_len;
+@@ -344,8 +343,7 @@ int sd_is_valid( const struct security_descriptor *sd, data_size_t size )
+     group = sd_get_group( sd );
+     if (group)
+     {
+-        size_t needed_size = security_sid_len( group );
+-        if ((sd->group_len < sizeof(SID)) || (needed_size > sd->group_len))
++        if ((sd->group_len < sizeof(SID)) || (security_sid_len( group ) > sd->group_len))
+             return FALSE;
+     }
+     offset += sd->group_len;
+-- 
+2.13.1
+

patches/advapi32-CreateRestrictedToken/definition

@@ -0,0 +1 @@
+Fixes: Implement advapi32.CreateRestrictedToken

patches/advapi32-GetExplicitEntriesFromAclW/0001-advapi32-Implement-GetExplicitEntriesFromAclW.patch

@@ -1,4 +1,4 @@
-From b4469d7a12637ef2b57df3f6aebbe65c9b52ef57 Mon Sep 17 00:00:00 2001
+From 510d9f43f441bc3a9723aabfd2c1cdc8737d6dcc Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Sun, 28 Aug 2016 21:56:41 +0200
 Subject: advapi32: Implement GetExplicitEntriesFromAclW.
@@ -9,10 +9,10 @@ Subject: advapi32: Implement GetExplicitEntriesFromAclW.
  2 files changed, 221 insertions(+), 2 deletions(-)
 
 diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
-index 7e41c0a7361..ccd0bf64cab 100644
+index e36792cff4..b305947347 100644
 --- a/dlls/advapi32/security.c
 +++ b/dlls/advapi32/security.c
-@@ -4202,8 +4202,85 @@ DWORD WINAPI GetExplicitEntriesFromAclA( PACL pacl, PULONG pcCountOfExplicitEntr
+@@ -4205,8 +4205,85 @@ DWORD WINAPI GetExplicitEntriesFromAclA( PACL pacl, PULONG pcCountOfExplicitEntr
  DWORD WINAPI GetExplicitEntriesFromAclW( PACL pacl, PULONG pcCountOfExplicitEntries,
          PEXPLICIT_ACCESSW* pListOfExplicitEntries)
  {
@@ -101,10 +101,10 @@ index 7e41c0a7361..ccd0bf64cab 100644
  
  /******************************************************************************
 diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
-index c31dfbeace3..23cbff58117 100644
+index 3c68205922..ca5edffae5 100644
 --- a/dlls/advapi32/tests/security.c
 +++ b/dlls/advapi32/tests/security.c
-@@ -133,6 +133,7 @@ static BOOL     (WINAPI *pGetWindowsAccountDomainSid)(PSID,PSID,DWORD*);
+@@ -134,6 +134,7 @@ static BOOL     (WINAPI *pGetWindowsAccountDomainSid)(PSID,PSID,DWORD*);
  static void     (WINAPI *pRtlInitAnsiString)(PANSI_STRING,PCSZ);
  static NTSTATUS (WINAPI *pRtlFreeUnicodeString)(PUNICODE_STRING);
  static PSID_IDENTIFIER_AUTHORITY (WINAPI *pGetSidIdentifierAuthority)(PSID);
@@ -112,16 +112,16 @@ index c31dfbeace3..23cbff58117 100644
  
  static HMODULE hmod;
  static int     myARGC;
-@@ -227,6 +228,7 @@ static void init(void)
-     pGetAce = (void *)GetProcAddress(hmod, "GetAce");
+@@ -230,6 +231,7 @@ static void init(void)
      pGetWindowsAccountDomainSid = (void *)GetProcAddress(hmod, "GetWindowsAccountDomainSid");
      pGetSidIdentifierAuthority = (void *)GetProcAddress(hmod, "GetSidIdentifierAuthority");
+     pDuplicateTokenEx = (void *)GetProcAddress(hmod, "DuplicateTokenEx");
 +    pGetExplicitEntriesFromAclW = (void *)GetProcAddress(hmod, "GetExplicitEntriesFromAclW");
  
      myARGC = winetest_get_mainargs( &myARGV );
  }
-@@ -6451,6 +6453,145 @@ static void test_maximum_allowed(void)
-     CloseHandle(handle);
+@@ -7076,6 +7078,145 @@ static void test_child_token_sd(void)
+     HeapFree(GetProcessHeap(), 0, sd);
  }
  
 +static void test_GetExplicitEntriesFromAclW(void)
@@ -266,12 +266,14 @@ index c31dfbeace3..23cbff58117 100644
  START_TEST(security)
  {
      init();
-@@ -6499,4 +6640,5 @@ START_TEST(security)
-     test_GetSidIdentifierAuthority();
+@@ -7129,6 +7270,7 @@ START_TEST(security)
      test_pseudo_tokens();
      test_maximum_allowed();
+     test_token_label();
 +    test_GetExplicitEntriesFromAclW();
- }
+ 
+     /* Must be the last test, modifies process token */
+     test_token_security_descriptor();
 -- 
-2.11.0
+2.13.1