Release v6.10

There is no reference for an application that needs this, and a quick test
shows that it is incorrect for both the base passthrough object and for every
filter we have that uses it.

.github/FUNDING.yml

@@ -0,0 +1,13 @@
+# These are supported funding model platforms
+
+#github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+#patreon: # Replace with a single Patreon username
+#open_collective: # Replace with a single Open Collective username
+#ko_fi: # Replace with a single Ko-fi username
+#tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+#community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+#liberapay: # Replace with a single Liberapay username
+#issuehunt: # Replace with a single IssueHunt username
+#otechie: # Replace with a single Otechie username
+
+patreon: winestaging

.github/workflows/macOS.yml

@@ -0,0 +1,129 @@
+name: MacOS
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  wine-staging:
+    runs-on:  macos-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Install dependencies
+        run: |
+          brew update
+          brew install --cask xquartz
+          brew install  bison \
+                        faudio \
+                        gphoto2 \
+                        gst-plugins-base \
+                        jxrlib \
+                        little-cms2 \
+                        mingw-w64 \
+                        molten-vk \
+                        mpg123
+
+      - name: Add bison & krb5 to $PATH
+        run: |
+          set -eu
+          echo "$(brew --prefix bison)/bin" >> $GITHUB_PATH
+          echo "$(brew --prefix krb5)/bin" >> $GITHUB_PATH
+
+      - name: Get upstream-commit
+        run: |
+          mkdir $GITHUB_WORKSPACE/wine
+          cd wine
+          git init
+          git fetch git://source.winehq.org/git/wine.git $($GITHUB_WORKSPACE/patches/patchinstall.sh --upstream-commit) --depth=1
+          git checkout $($GITHUB_WORKSPACE/patches/patchinstall.sh --upstream-commit)
+
+      - name: Run patchinstall.sh --all
+        run: |
+          $GITHUB_WORKSPACE/patches/patchinstall.sh DESTDIR=$GITHUB_WORKSPACE/wine --all
+
+      - name: Configure wine64
+        env:
+          LDFLAGS: "-Wl,-rpath,/opt/X11/lib"
+          # Avoid weird linker errors with Xcode 10 and later
+          MACOSX_DEPLOYMENT_TARGET: "10.14"
+        run: |
+          cd $GITHUB_WORKSPACE/wine
+          ./configure   --enable-win64 \
+                        --without-alsa \
+                        --without-capi \
+                        --without-dbus \
+                        --without-inotify \
+                        --without-oss \
+                        --without-pulse \
+                        --without-udev \
+                        --without-v4l2 \
+                        --x-include=/opt/X11/include \
+                        --x-lib=/opt/X11/lib
+
+      - name: Build wine64
+        run: |
+          cd $GITHUB_WORKSPACE/wine
+          make -j$(sysctl -n hw.ncpu 2>/dev/null)
+
+  wine-devel:
+    runs-on:  macos-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Install dependencies
+        run: |
+          brew update
+          brew install --cask xquartz
+          brew install  bison \
+                        faudio \
+                        gphoto2 \
+                        gst-plugins-base \
+                        jxrlib \
+                        little-cms2 \
+                        mingw-w64 \
+                        molten-vk \
+                        mpg123
+
+      - name: Add bison & krb5 to $PATH
+        run: |
+          set -eu
+          echo "$(brew --prefix bison)/bin" >> $GITHUB_PATH
+          echo "$(brew --prefix krb5)/bin" >> $GITHUB_PATH
+
+      - name: Get upstream-commit
+        run: |
+          mkdir $GITHUB_WORKSPACE/wine
+          cd wine
+          git init
+          git fetch git://source.winehq.org/git/wine.git $($GITHUB_WORKSPACE/patches/patchinstall.sh --upstream-commit) --depth=1
+          git checkout $($GITHUB_WORKSPACE/patches/patchinstall.sh --upstream-commit)
+
+      - name: Configure wine64
+        env:
+          LDFLAGS: "-Wl,-rpath,/opt/X11/lib"
+          # Avoid weird linker errors with Xcode 10 and later
+          MACOSX_DEPLOYMENT_TARGET: "10.14"
+        run: |
+          cd $GITHUB_WORKSPACE/wine
+
+          cd $GITHUB_WORKSPACE/wine
+          ./configure   --enable-win64 \
+                        --without-alsa \
+                        --without-capi \
+                        --without-dbus \
+                        --without-inotify \
+                        --without-oss \
+                        --without-pulse \
+                        --without-udev \
+                        --without-v4l2 \
+                        --x-include=/opt/X11/include \
+                        --x-lib=/opt/X11/lib
+
+      - name: Build wine64
+        run: |
+          cd $GITHUB_WORKSPACE/wine
+          make -j$(sysctl -n hw.ncpu 2>/dev/null)

README.md

@@ -83,29 +83,28 @@ requests are strongly dispreferred, especially for patches.
 
 Donations
 ---------
-As many of you may or may not know, wine-staging is a large set of experimental
-patches which provide various improvements to WINE, but are not quite suitable for
-upstreaming. This set of patches has been continuously managed for many years by
-us, a small group of volunteers.  The way this works is that we often review patches
-attached to various bug reports found at https://bugs.winehq.org/ which may fix bugs,
-but may not be quite suitable to be upstreamed due to needing some cleanup or more
-proper implementation. In the event that this happens, we add the patches to wine-staging
-instead, and keep them updated/maintained as well as attempt to clean them up to be upstreamed.
-We also both write and verify patches which fix various bugs that may not have patches,
-and in turn allow them run better using WINE. This includes testing on various hardware,
-games, and applications. 
 
-As this is a volunteer project which is separate from WINE and CodeWeavers, any expenses
-for applications, games, or hardware which we do not own comes out of pocket. This is the
-reason this patreon has been created. All of our work is provided publicly for free and can
-be found at https://github.com/wine-staging/wine-staging. We do not expect to be paid for
-any of the work provided, as mentioned this project is completely voluntary. However the
-proceeds from Patreon are most definitely appreciated, and go towards helping us with
-obtaining the various hardware and software mentioned. This in turn allows us to continue
-to perform testing, provide fixes, and get them upstreamed, ultimately aiming to provide a
-better experience for all WINE users.
+wine-staging is a large set of experimental patches which provide various
+improvements to WINE, but are not quite suitable for upstreaming. This set of
+patches has been continuously managed for many years by a small group of
+volunteers. The way this works is that we often review patches attached to
+various bug reports found at https://bugs.winehq.org/ which may fix bugs, but
+may not be quite suitable to be upstreamed due to needing some cleanup or more
+proper implementation. In the event that this happens, we add the patches to
+wine-staging instead, and keep them updated and maintained as well as attempt to
+clean them up to be upstreamed. We also both write and verify patches which fix
+various bugs that may not have patches, and in turn allow them run better using
+WINE. This includes testing on various hardware, games, and applications.
 
+Any expenses for applications, games, or hardware which we do not own comes out
+of pocket. In order to alleviate these expenses, we are now accepting donations.
+This in turn allows us to continue to perform testing, provide fixes, and get
+them upstreamed, ultimately aiming to provide a better experience for all WINE
+users. All of our work is provided publicly for free and can be found at
+<https://github.com/wine-staging/wine-staging>. We do not expect to be paid for
+any of the work provided, nor will donators receive any special benefits or
+compensation.
 
-For anyone interested, wine-staging Patreon can be found here:
+Donations are recieved through Patreon. Anyone interested may donate here:
 
 https://www.patreon.com/winestaging

patches/Compiler_Warnings/0026-dwrite-Avoid-implicit-cast-of-interface-pointer.patch

@@ -1,4 +1,4 @@
-From 7529755fcc41fda650aac6b27f34438354435d34 Mon Sep 17 00:00:00 2001
+From b51fdc7e211f676d169c937209bf689e57252c5d Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Tue, 22 Mar 2016 21:58:40 +0100
 Subject: [PATCH] dwrite: Avoid implicit cast of interface pointer.
@@ -9,10 +9,10 @@ Subject: [PATCH] dwrite: Avoid implicit cast of interface pointer.
  2 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/dlls/dwrite/font.c b/dlls/dwrite/font.c
-index 9280b5d32..2f0974a4c 100644
+index aa51c744297..7cad015480f 100644
 --- a/dlls/dwrite/font.c
 +++ b/dlls/dwrite/font.c
-@@ -1887,7 +1887,7 @@ static struct dwrite_font *unsafe_impl_from_IDWriteFont(IDWriteFont *iface)
+@@ -2130,7 +2130,7 @@ static struct dwrite_font *unsafe_impl_from_IDWriteFont(IDWriteFont *iface)
      if (!iface)
          return NULL;
      assert(iface->lpVtbl == (IDWriteFontVtbl*)&dwritefontvtbl);
@@ -21,7 +21,7 @@ index 9280b5d32..2f0974a4c 100644
  }
  
  struct dwrite_fontface *unsafe_impl_from_IDWriteFontFace(IDWriteFontFace *iface)
-@@ -1895,7 +1895,7 @@ struct dwrite_fontface *unsafe_impl_from_IDWriteFontFace(IDWriteFontFace *iface)
+@@ -2138,7 +2138,7 @@ struct dwrite_fontface *unsafe_impl_from_IDWriteFontFace(IDWriteFontFace *iface)
      if (!iface)
          return NULL;
      assert(iface->lpVtbl == (IDWriteFontFaceVtbl*)&dwritefontfacevtbl);
@@ -31,10 +31,10 @@ index 9280b5d32..2f0974a4c 100644
  
  static struct dwrite_fontfacereference *unsafe_impl_from_IDWriteFontFaceReference(IDWriteFontFaceReference *iface)
 diff --git a/dlls/dwrite/layout.c b/dlls/dwrite/layout.c
-index b9321157a..76ea23ba6 100644
+index 1f6201a6a93..35791d5c22e 100644
 --- a/dlls/dwrite/layout.c
 +++ b/dlls/dwrite/layout.c
-@@ -5895,7 +5895,7 @@ static const IDWriteTextFormat3Vtbl dwritetextformatvtbl =
+@@ -5886,7 +5886,7 @@ static const IDWriteTextFormat3Vtbl dwritetextformatvtbl =
  static struct dwrite_textformat *unsafe_impl_from_IDWriteTextFormat(IDWriteTextFormat *iface)
  {
      return (iface->lpVtbl == (IDWriteTextFormatVtbl*)&dwritetextformatvtbl) ?
@@ -42,7 +42,7 @@ index b9321157a..76ea23ba6 100644
 +        CONTAINING_RECORD((IDWriteTextFormat3 *)iface, struct dwrite_textformat, IDWriteTextFormat3_iface) : NULL;
  }
  
- HRESULT create_textformat(const WCHAR *family_name, IDWriteFontCollection *collection, DWRITE_FONT_WEIGHT weight, DWRITE_FONT_STYLE style,
+ HRESULT create_textformat(const WCHAR *family_name, IDWriteFontCollection *collection, DWRITE_FONT_WEIGHT weight,
 -- 
-2.24.0
+2.29.2
 

patches/Staging/0001-kernel32-Add-winediag-message-to-show-warning-that-t.patch

@@ -1,49 +1,61 @@
-From aa9cb874b1fb89601d6a5a735b442b8a7aa7b3aa Mon Sep 17 00:00:00 2001
+From e51b05c3a9d03e4dd84a107a30841d95f8a519c3 Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Thu, 2 Oct 2014 19:44:31 +0200
-Subject: [PATCH] kernel32: Add winediag message to show warning, that this
- isn't vanilla wine.
+Subject: [PATCH] ntdll: Print a warning message specifying the wine-staging
+ branch name and version.
 
 ---
- dlls/kernel32/process.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
+ dlls/ntdll/loader.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
 
-diff --git a/dlls/kernel32/process.c b/dlls/kernel32/process.c
-index 8f506fcf1320..45bfe7fe7b5d 100644
---- a/dlls/kernel32/process.c
-+++ b/dlls/kernel32/process.c
-@@ -60,6 +60,7 @@
- 
- WINE_DEFAULT_DEBUG_CHANNEL(process);
- WINE_DECLARE_DEBUG_CHANNEL(relay);
+diff --git a/dlls/ntdll/loader.c b/dlls/ntdll/loader.c
+index ee453700e51..c2d4b3c2f86 100644
+--- a/dlls/ntdll/loader.c
++++ b/dlls/ntdll/loader.c
+@@ -44,6 +44,7 @@ WINE_DECLARE_DEBUG_CHANNEL(relay);
+ WINE_DECLARE_DEBUG_CHANNEL(snoop);
+ WINE_DECLARE_DEBUG_CHANNEL(loaddll);
+ WINE_DECLARE_DEBUG_CHANNEL(imports);
 +WINE_DECLARE_DEBUG_CHANNEL(winediag);
  
- typedef struct
- {
-@@ -125,6 +126,7 @@ static inline DWORD call_process_entry( PEB *peb, LPTHREAD_START_ROUTINE entry )
+ #ifdef _WIN64
+ #define DEFAULT_SECURITY_COOKIE_64  (((ULONGLONG)0x00002b99 << 32) | 0x2ddfa232)
+@@ -3307,6 +3308,7 @@ void WINAPI LdrShutdownProcess(void)
+     process_detach();
  }
- #endif
  
 +extern const char * CDECL wine_get_version(void);
- /***********************************************************************
-  *           __wine_start_process
-  *
-@@ -150,6 +152,15 @@ void CDECL __wine_start_process( LPTHREAD_START_ROUTINE entry, PEB *peb )
  
-     __TRY
-     {
-+        if (CreateEventA(0, 0, 0, "__winestaging_warn_event") && GetLastError() != ERROR_ALREADY_EXISTS)
-+        {
-+            FIXME_(winediag)("Wine Staging %s is a testing version containing experimental patches.\n", wine_get_version());
-+            FIXME_(winediag)("Please mention your exact version when filing bug reports on winehq.org.\n");
-+        }
-+        else
-+            WARN_(winediag)("Wine Staging %s is a testing version containing experimental patches.\n", wine_get_version());
+ /******************************************************************
+  *		RtlExitUserProcess (NTDLL.@)
+@@ -3673,6 +3675,9 @@ static void init_wow64(void)
+  */
+ void WINAPI LdrInitializeThunk( CONTEXT *context, ULONG_PTR unknown2, ULONG_PTR unknown3, ULONG_PTR unknown4 )
+ {
++    OBJECT_ATTRIBUTES staging_event_attr;
++    UNICODE_STRING staging_event_string;
++    HANDLE staging_event;
+     static int attach_done;
+     int i;
+     NTSTATUS status;
+@@ -3753,6 +3758,17 @@ void WINAPI LdrInitializeThunk( CONTEXT *context, ULONG_PTR unknown2, ULONG_PTR
+     }
+     else wm = get_modref( NtCurrentTeb()->Peb->ImageBaseAddress );
+ 
++    RtlInitUnicodeString( &staging_event_string, L"\\__wine_staging_warn_event" );
++    InitializeObjectAttributes( &staging_event_attr, &staging_event_string, OBJ_OPENIF, NULL, NULL );
++    if (NtCreateEvent( &staging_event, EVENT_ALL_ACCESS, &staging_event_attr, NotificationEvent, FALSE ) == STATUS_SUCCESS)
++    {
++        FIXME_(winediag)("wine-staging %s is a testing version containing experimental patches.\n", wine_get_version());
++        FIXME_(winediag)("Please mention your exact version when filing bug reports on winehq.org.\n");
++    }
++    else
++        WARN_(winediag)("wine-staging %s is a testing version containing experimental patches.\n", wine_get_version());
 +
 +
-         if (!CheckRemoteDebuggerPresent( GetCurrentProcess(), &being_debugged ))
-             being_debugged = FALSE;
- 
+     RtlAcquirePebLock();
+     InsertHeadList( &tls_links, &NtCurrentTeb()->TlsLinks );
+     RtlReleasePebLock();
 -- 
-2.26.2
+2.30.2
 

patches/Staging/0002-winelib-Append-Staging-at-the-end-of-the-version-s.patch

@@ -1,39 +1,25 @@
-From c097870c69720ece3874ad4ff987408a8c24ffb2 Mon Sep 17 00:00:00 2001
+From cfcc687562d4fa68b507cbf2c29722ef523d26aa Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Thu, 2 Oct 2014 19:53:46 +0200
 Subject: [PATCH] winelib: Append '(Staging)' at the end of the version string.
 
 ---
- dlls/ntdll/Makefile.in | 2 +-
- libs/wine/Makefile.in  | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
+ Makefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/dlls/ntdll/Makefile.in b/dlls/ntdll/Makefile.in
-index ebf607e9d43..de93445d4e3 100644
---- a/dlls/ntdll/Makefile.in
-+++ b/dlls/ntdll/Makefile.in
-@@ -69,7 +69,7 @@ server_EXTRADEFS = \
- 	-DBIN_TO_DATADIR=\"`$(MAKEDEP) -R ${bindir} ${datadir}/wine`\"
+diff --git a/Makefile.in b/Makefile.in
+index b52495f741f..d5a8cad20da 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -116,7 +116,7 @@ install-manpages:: manpages
+ # Rules for generated source files
  
- unix/version.c: dummy
--	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
-+	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1 (Staging)";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
+ dlls/ntdll/unix/version.c: dummy
+-	@version=`(GIT_DIR=$(srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || ($(RM) $@ && exit 1)
++	@version=`(GIT_DIR=$(srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1 (Staging)";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
  
- dummy:
- .PHONY: dummy
-diff --git a/libs/wine/Makefile.in b/libs/wine/Makefile.in
-index fe2a2b45e58..1e55a6b1f46 100644
---- a/libs/wine/Makefile.in
-+++ b/libs/wine/Makefile.in
-@@ -100,7 +100,7 @@ libwine_LDFLAGS = $(LIBWINE_LDFLAGS)
- libwine_DEPS = $(LIBWINE_DEPENDS)
- 
- version.c: dummy
--	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
-+	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1  (Staging)";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
- 
- dummy:
- .PHONY: dummy
+ programs/winetest/build.rc: dummy
+ 	@build="STRINGTABLE { 1 \"`GIT_DIR=$(srcdir)/.git git rev-parse HEAD 2>/dev/null`\" }" && (echo $$build | cmp -s - $@) || echo $$build >$@ || (rm -f $@ && exit 1)
 -- 
-2.26.2
+2.20.1
 

patches/Staging/0003-loader-Add-commandline-option-patches-to-show-the-pa.patch

@@ -1,117 +0,0 @@
-From 599c50c9e339fe04e96fdb665b3d7ccb1a7708b7 Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Thu, 29 May 2014 23:43:45 +0200
-Subject: [PATCH] loader: Add commandline option --patches to show the patch
- list.
-
----
- include/wine/library.h |  1 +
- libs/wine/config.c     |  6 ++++++
- libs/wine/wine.map     |  1 +
- loader/main.c          | 42 +++++++++++++++++++++++++++++++++++++++++-
- 4 files changed, 49 insertions(+), 1 deletion(-)
-
-diff --git a/include/wine/library.h b/include/wine/library.h
-index 090b8349559..b8a4a2df576 100644
---- a/include/wine/library.h
-+++ b/include/wine/library.h
-@@ -42,6 +42,7 @@ extern "C" {
- /* configuration */
- 
- extern const char *wine_get_version(void);
-+extern const void *wine_get_patches(void);
- extern const char *wine_get_build_id(void);
- extern void wine_init_argv0_path( const char *argv0 );
- extern void wine_exec_wine_binary( const char *name, char **argv, const char *env_var );
-diff --git a/libs/wine/config.c b/libs/wine/config.c
-index f5b4c0de9af..e52739d55ad 100644
---- a/libs/wine/config.c
-+++ b/libs/wine/config.c
-@@ -515,6 +515,12 @@ const char *wine_get_version(void)
-     return PACKAGE_VERSION;
- }
- 
-+/* return the applied non-standard patches */
-+const void *wine_get_patches(void)
-+{
-+    return NULL;
-+}
-+
- /* return the build id string */
- const char *wine_get_build_id(void)
- {
-diff --git a/libs/wine/wine.map b/libs/wine/wine.map
-index 1143b129734..55f874d3e74 100644
---- a/libs/wine/wine.map
-+++ b/libs/wine/wine.map
-@@ -13,6 +13,7 @@ WINE_1.0
-     wine_exec_wine_binary;
-     wine_get_build_id;
-     wine_get_version;
-+    wine_get_patches;
-     wine_init;
-     wine_init_argv0_path;
-     wine_mmap_add_reserved_area;
-diff --git a/loader/main.c b/loader/main.c
-index 0e6b6f66b50..24bcfff8c4c 100644
---- a/loader/main.c
-+++ b/loader/main.c
-@@ -55,7 +55,8 @@ static void check_command_line( int argc, char *argv[] )
-     static const char usage[] =
-         "Usage: wine PROGRAM [ARGUMENTS...]   Run the specified program\n"
-         "       wine --help                   Display this help and exit\n"
--        "       wine --version                Output version information and exit";
-+        "       wine --version                Output version information and exit\n"
-+        "       wine --patches                Output patch information and exit";
- 
-     if (argc <= 1)
-     {
-@@ -72,6 +73,45 @@ static void check_command_line( int argc, char *argv[] )
-         printf( "%s\n", wine_get_build_id() );
-         exit(0);
-     }
-+    if (!strcmp( argv[1], "--patches" ))
-+    {
-+        const struct
-+        {
-+            const char *author;
-+            const char *subject;
-+            int revision;
-+        }
-+        *next, *cur = wine_get_patches();
-+
-+        if (!cur)
-+        {
-+            fprintf( stderr, "Patchlist not available.\n" );
-+            exit(1);
-+        }
-+
-+        while (cur->author)
-+        {
-+            next = cur + 1;
-+            while (next->author)
-+            {
-+                if (strcmp( cur->author, next->author )) break;
-+                next++;
-+            }
-+
-+            printf( "%s (%d):\n", cur->author, (int)(next - cur) );
-+            while (cur < next)
-+            {
-+                printf( "      %s", cur->subject );
-+                if (cur->revision != 1)
-+                    printf( " [rev %d]", cur->revision );
-+                printf( "\n" );
-+                cur++;
-+            }
-+            printf( "\n" );
-+        }
-+
-+        exit(0);
-+    }
- }
- 
- 
--- 
-2.26.2
-

patches/advapi32-CreateRestrictedToken/0001-ntdll-Implement-NtFilterToken.patch

@@ -1,334 +0,0 @@
-From 1b222275e7faf71ae1e5c94e297004055ec6f82f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Fri, 4 Aug 2017 02:33:14 +0200
-Subject: [PATCH] ntdll: Implement NtFilterToken.
-
----
- dlls/ntdll/ntdll.spec      |  2 +-
- dlls/ntdll/unix/security.c | 64 +++++++++++++++++++++++++++++
- include/winnt.h            |  5 +++
- include/winternl.h         |  1 +
- server/named_pipe.c        |  2 +-
- server/process.c           |  2 +-
- server/protocol.def        | 10 +++++
- server/security.h          |  4 +-
- server/token.c             | 84 +++++++++++++++++++++++++++++++++++++-
- 9 files changed, 168 insertions(+), 6 deletions(-)
-
-diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
-index a3bc57716da..f604c8a3c35 100644
---- a/dlls/ntdll/ntdll.spec
-+++ b/dlls/ntdll/ntdll.spec
-@@ -208,7 +208,7 @@
- # @ stub NtEnumerateSystemEnvironmentValuesEx
- @ stdcall -syscall NtEnumerateValueKey(long long long ptr long ptr)
- @ stub NtExtendSection
--# @ stub NtFilterToken
-+@ stdcall -syscall NtFilterToken(long long ptr ptr ptr ptr)
- @ stdcall -syscall NtFindAtom(ptr long ptr)
- @ stdcall -syscall NtFlushBuffersFile(long ptr)
- @ stdcall -syscall NtFlushInstructionCache(long ptr long)
-diff --git a/dlls/ntdll/unix/security.c b/dlls/ntdll/unix/security.c
-index daecc5e0591..d063d43d6d4 100644
---- a/dlls/ntdll/unix/security.c
-+++ b/dlls/ntdll/unix/security.c
-@@ -604,6 +604,70 @@ NTSTATUS WINAPI NtAdjustPrivilegesToken( HANDLE token, BOOLEAN disable, TOKEN_PR
- }
- 
- 
-+/***********************************************************************
-+ *             NtFilterToken  (NTDLL.@)
-+ */
-+NTSTATUS WINAPI NtFilterToken( HANDLE token, ULONG flags, TOKEN_GROUPS *disable_sids,
-+                               TOKEN_PRIVILEGES *privileges, TOKEN_GROUPS *restrict_sids,
-+                               HANDLE *new_token )
-+{
-+    data_size_t privileges_len = 0;
-+    data_size_t sids_len = 0;
-+    SID *sids = NULL;
-+    NTSTATUS status;
-+
-+    TRACE( "(%p, 0x%08x, %p, %p, %p, %p)\n", token, flags, disable_sids, privileges,
-+           restrict_sids, new_token );
-+
-+    if (flags)
-+        FIXME( "flags %x unsupported\n", flags );
-+
-+    if (restrict_sids)
-+        FIXME( "support for restricting sids not yet implemented\n" );
-+
-+    if (privileges)
-+        privileges_len = privileges->PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
-+
-+    if (disable_sids)
-+    {
-+        DWORD len, i;
-+        BYTE *tmp;
-+
-+        for (i = 0; i < disable_sids->GroupCount; i++)
-+        {
-+            SID *sid = disable_sids->Groups[i].Sid;
-+            sids_len += offsetof( SID, SubAuthority[sid->SubAuthorityCount] );
-+        }
-+
-+        sids = malloc( sids_len );
-+        if (!sids) return STATUS_NO_MEMORY;
-+
-+        for (i = 0, tmp = (BYTE *)sids; i < disable_sids->GroupCount; i++, tmp += len)
-+        {
-+            SID *sid = disable_sids->Groups[i].Sid;
-+            len = offsetof( SID, SubAuthority[sid->SubAuthorityCount] );
-+            memcpy( tmp, disable_sids->Groups[i].Sid, len );
-+        }
-+    }
-+
-+    SERVER_START_REQ( filter_token )
-+    {
-+        req->handle          = wine_server_obj_handle( token );
-+        req->flags           = flags;
-+        req->privileges_size = privileges_len;
-+        wine_server_add_data( req, privileges->Privileges, privileges_len );
-+        wine_server_add_data( req, sids, sids_len );
-+        status = wine_server_call( req );
-+        if (!status) *new_token = wine_server_ptr_handle( reply->new_handle );
-+    }
-+    SERVER_END_REQ;
-+
-+    free( sids );
-+    return status;
-+}
-+
-+
-+
- /***********************************************************************
-  *             NtPrivilegeCheck  (NTDLL.@)
-  */
-diff --git a/include/winnt.h b/include/winnt.h
-index e1cf78420a6..da17fe3e330 100644
---- a/include/winnt.h
-+++ b/include/winnt.h
-@@ -4221,6 +4221,11 @@ typedef enum _TOKEN_INFORMATION_CLASS {
- 					TOKEN_ADJUST_SESSIONID | \
- 					TOKEN_ADJUST_DEFAULT )
- 
-+#define DISABLE_MAX_PRIVILEGE 0x1
-+#define SANDBOX_INERT         0x2
-+#define LUA_TOKEN             0x4
-+#define WRITE_RESTRICTED      0x8
-+
- #ifndef _SECURITY_DEFINED
- #define _SECURITY_DEFINED
- 
-diff --git a/include/winternl.h b/include/winternl.h
-index b3fbb90feff..4687a410ca4 100644
---- a/include/winternl.h
-+++ b/include/winternl.h
-@@ -2749,6 +2749,7 @@ NTSYSAPI NTSTATUS  WINAPI NtDuplicateToken(HANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES
- NTSYSAPI NTSTATUS  WINAPI NtEnumerateKey(HANDLE,ULONG,KEY_INFORMATION_CLASS,void *,DWORD,DWORD *);
- NTSYSAPI NTSTATUS  WINAPI NtEnumerateValueKey(HANDLE,ULONG,KEY_VALUE_INFORMATION_CLASS,PVOID,ULONG,PULONG);
- NTSYSAPI NTSTATUS  WINAPI NtExtendSection(HANDLE,PLARGE_INTEGER);
-+NTSYSAPI NTSTATUS  WINAPI NtFilterToken(HANDLE,ULONG,TOKEN_GROUPS*,TOKEN_PRIVILEGES*,TOKEN_GROUPS*,HANDLE*);
- NTSYSAPI NTSTATUS  WINAPI NtFindAtom(const WCHAR*,ULONG,RTL_ATOM*);
- NTSYSAPI NTSTATUS  WINAPI NtFlushBuffersFile(HANDLE,IO_STATUS_BLOCK*);
- NTSYSAPI NTSTATUS  WINAPI NtFlushInstructionCache(HANDLE,LPCVOID,SIZE_T);
-diff --git a/server/named_pipe.c b/server/named_pipe.c
-index b259abb8de4..4cd4d7dc4a8 100644
---- a/server/named_pipe.c
-+++ b/server/named_pipe.c
-@@ -1142,7 +1142,7 @@ static int pipe_server_ioctl( struct fd *fd, ioctl_code_t code, struct async *as
-         if (current->process->token) /* FIXME: use the client token */
-         {
-             struct token *token;
--            if (!(token = token_duplicate( current->process->token, 0, SecurityImpersonation, NULL )))
-+            if (!(token = token_duplicate( current->process->token, 0, SecurityImpersonation, NULL, NULL, 0, NULL, 0 )))
-                 return 0;
-             if (current->token) release_object( current->token );
-             current->token = token;
-diff --git a/server/process.c b/server/process.c
-index 5e587b28cbe..406167e825b 100644
---- a/server/process.c
-+++ b/server/process.c
-@@ -577,7 +577,7 @@ struct process *create_process( int fd, struct process *parent, int inherit_all,
-                                        : alloc_handle_table( process, 0 );
-         /* Note: for security reasons, starting a new process does not attempt
-          * to use the current impersonation token for the new process */
--        process->token = token_duplicate( parent->token, TRUE, 0, NULL );
-+        process->token = token_duplicate( parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-         process->affinity = parent->affinity;
-     }
-     if (!process->handles || !process->token) goto error;
-diff --git a/server/protocol.def b/server/protocol.def
-index a121c371c19..ee07b1eca14 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -3263,6 +3263,16 @@ enum caret_state
-     obj_handle_t  new_handle; /* duplicated handle */
- @END
- 
-+@REQ(filter_token)
-+    obj_handle_t  handle;          /* handle to the token to duplicate */
-+    unsigned int  flags;           /* flags */
-+    data_size_t   privileges_size; /* size of privileges */
-+    VARARG(privileges,LUID_AND_ATTRIBUTES,privileges_size); /* privileges to remove from new token */
-+    VARARG(disable_sids,SID);      /* array of groups to remove from new token */
-+@REPLY
-+    obj_handle_t  new_handle;      /* filtered handle */
-+@END
-+
- @REQ(access_check)
-     obj_handle_t    handle; /* handle to the token */
-     unsigned int    desired_access; /* desired access to the object */
-diff --git a/server/security.h b/server/security.h
-index 606dbb2ab2c..6c337143c3d 100644
---- a/server/security.h
-+++ b/server/security.h
-@@ -56,7 +56,9 @@ extern const PSID security_high_label_sid;
- extern struct token *token_create_admin(void);
- extern int token_assign_label( struct token *token, PSID label );
- extern struct token *token_duplicate( struct token *src_token, unsigned primary,
--                                      int impersonation_level, const struct security_descriptor *sd );
-+                                      int impersonation_level, const struct security_descriptor *sd,
-+                                      const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
-+                                      const SID *filter_groups, unsigned int group_count );
- extern int token_check_privileges( struct token *token, int all_required,
-                                    const LUID_AND_ATTRIBUTES *reqprivs,
-                                    unsigned int count, LUID_AND_ATTRIBUTES *usedprivs);
-diff --git a/server/token.c b/server/token.c
-index 2fa95e17aaf..38a4c203d54 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -285,6 +285,19 @@ static int acl_is_valid( const ACL *acl, data_size_t size )
-     return TRUE;
- }
- 
-+static unsigned int get_sid_count( const SID *sid, data_size_t size )
-+{
-+    unsigned int count;
-+
-+    for (count = 0; size >= sizeof(SID) && security_sid_len( sid ) <= size; count++)
-+    {
-+        size -= security_sid_len( sid );
-+        sid = (const SID *)((char *)sid + security_sid_len( sid ));
-+    }
-+
-+    return count;
-+}
-+
- /* checks whether all members of a security descriptor fit inside the size
-  * of memory specified */
- int sd_is_valid( const struct security_descriptor *sd, data_size_t size )
-@@ -626,8 +639,36 @@ static struct token *create_token( unsigned primary, const SID *user,
-     return token;
- }
- 
-+static int filter_group( struct group *group, const SID *filter, unsigned int count )
-+{
-+    unsigned int i;
-+
-+    for (i = 0; i < count; i++)
-+    {
-+        if (security_equal_sid( &group->sid, filter )) return 1;
-+        filter = (const SID *)((char *)filter + security_sid_len( filter ));
-+    }
-+
-+    return 0;
-+}
-+
-+static int filter_privilege( struct privilege *privilege, const LUID_AND_ATTRIBUTES *filter, unsigned int count )
-+{
-+    unsigned int i;
-+
-+    for (i = 0; i < count; i++)
-+    {
-+        if (!memcmp( &privilege->luid, &filter[i].Luid, sizeof(LUID) ))
-+            return 1;
-+    }
-+
-+    return 0;
-+}
-+
- struct token *token_duplicate( struct token *src_token, unsigned primary,
--                               int impersonation_level, const struct security_descriptor *sd )
-+                               int impersonation_level, const struct security_descriptor *sd,
-+                               const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
-+                               const SID *filter_groups, unsigned int group_count)
- {
-     const luid_t *modified_id =
-         primary || (impersonation_level == src_token->impersonation_level) ?
-@@ -663,6 +704,12 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
-             return NULL;
-         }
-         memcpy( newgroup, group, size );
-+        if (filter_group( group, filter_groups, group_count ))
-+        {
-+            newgroup->enabled = 0;
-+            newgroup->def = 0;
-+            newgroup->deny_only = 1;
-+        }
-         list_add_tail( &token->groups, &newgroup->entry );
-         if (src_token->primary_group == &group->sid)
-         {
-@@ -674,11 +721,14 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
- 
-     /* copy privileges */
-     LIST_FOR_EACH_ENTRY( privilege, &src_token->privileges, struct privilege, entry )
-+    {
-+        if (filter_privilege( privilege, filter_privileges, priv_count )) continue;
-         if (!privilege_add( token, &privilege->luid, privilege->enabled ))
-         {
-             release_object( token );
-             return NULL;
-         }
-+    }
- 
-     if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
-                             DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
-@@ -1311,7 +1361,7 @@ DECL_HANDLER(duplicate_token)
-                                                      TOKEN_DUPLICATE,
-                                                      &token_ops )))
-     {
--        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd );
-+        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd, NULL, 0, NULL, 0 );
-         if (token)
-         {
-             reply->new_handle = alloc_handle_no_access_check( current->process, token, req->access, objattr->attributes );
-@@ -1321,6 +1371,36 @@ DECL_HANDLER(duplicate_token)
-     }
- }
- 
-+/* creates a restricted version of a token */
-+DECL_HANDLER(filter_token)
-+{
-+    struct token *src_token;
-+
-+    if ((src_token = (struct token *)get_handle_obj( current->process, req->handle,
-+                                                     TOKEN_DUPLICATE,
-+                                                     &token_ops )))
-+    {
-+        const LUID_AND_ATTRIBUTES *filter_privileges = get_req_data();
-+        unsigned int priv_count, group_count;
-+        const SID *filter_groups;
-+        struct token *token;
-+
-+        priv_count = min( req->privileges_size, get_req_data_size() ) / sizeof(LUID_AND_ATTRIBUTES);
-+        filter_groups = (const SID *)((char *)filter_privileges + priv_count * sizeof(LUID_AND_ATTRIBUTES));
-+        group_count = get_sid_count( filter_groups, get_req_data_size() - priv_count * sizeof(LUID_AND_ATTRIBUTES) );
-+
-+        token = token_duplicate( src_token, src_token->primary, src_token->impersonation_level, NULL,
-+                                 filter_privileges, priv_count, filter_groups, group_count );
-+        if (token)
-+        {
-+            unsigned int access = get_handle_access( current->process, req->handle );
-+            reply->new_handle = alloc_handle_no_access_check( current->process, token, access, 0 );
-+            release_object( token );
-+        }
-+        release_object( src_token );
-+    }
-+}
-+
- /* checks the specified privileges are held by the token */
- DECL_HANDLER(check_token_privileges)
- {
--- 
-2.27.0
-

patches/advapi32-CreateRestrictedToken/0002-advapi32-Implement-CreateRestrictedToken.patch

@@ -1,132 +0,0 @@
-From 3c1f5962482e7acf531f57f49d923d9c4e5278b1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Fri, 4 Aug 2017 02:51:57 +0200
-Subject: [PATCH] advapi32: Implement CreateRestrictedToken.
-
----
- dlls/kernelbase/security.c | 103 ++++++++++++++++++++++++++++++-------
- 1 file changed, 84 insertions(+), 19 deletions(-)
-
-diff --git a/dlls/kernelbase/security.c b/dlls/kernelbase/security.c
-index 2e75e81ed77..97f6ee6a2fd 100644
---- a/dlls/kernelbase/security.c
-+++ b/dlls/kernelbase/security.c
-@@ -592,31 +592,96 @@ exit:
-     return ret;
- }
- 
-+static BOOL allocate_groups(TOKEN_GROUPS **groups_ret, SID_AND_ATTRIBUTES *sids, DWORD count)
-+{
-+    TOKEN_GROUPS *groups;
-+    DWORD i;
-+
-+    if (!count)
-+    {
-+        *groups_ret = NULL;
-+        return TRUE;
-+    }
-+
-+    groups = (TOKEN_GROUPS *)heap_alloc(FIELD_OFFSET(TOKEN_GROUPS, Groups) +
-+                                        count * sizeof(SID_AND_ATTRIBUTES));
-+    if (!groups)
-+    {
-+        SetLastError(ERROR_OUTOFMEMORY);
-+        return FALSE;
-+    }
-+
-+    groups->GroupCount = count;
-+    for (i = 0; i < count; i++)
-+        groups->Groups[i] = sids[i];
-+
-+    *groups_ret = groups;
-+    return TRUE;
-+}
-+
-+static BOOL allocate_privileges(TOKEN_PRIVILEGES **privileges_ret, LUID_AND_ATTRIBUTES *privs, DWORD count)
-+{
-+    TOKEN_PRIVILEGES *privileges;
-+    DWORD i;
-+
-+    if (!count)
-+    {
-+        *privileges_ret = NULL;
-+        return TRUE;
-+    }
-+
-+    privileges = (TOKEN_PRIVILEGES *)heap_alloc(FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) +
-+                                                count * sizeof(LUID_AND_ATTRIBUTES));
-+    if (!privileges)
-+    {
-+        SetLastError(ERROR_OUTOFMEMORY);
-+        return FALSE;
-+    }
-+
-+    privileges->PrivilegeCount = count;
-+    for (i = 0; i < count; i++)
-+        privileges->Privileges[i] = privs[i];
-+
-+    *privileges_ret = privileges;
-+    return TRUE;
-+}
-+
- /*************************************************************************
-  * CreateRestrictedToken    (kernelbase.@)
-  */
--BOOL WINAPI CreateRestrictedToken( HANDLE token, DWORD flags,
--                                   DWORD disable_count, PSID_AND_ATTRIBUTES disable_sids,
--                                   DWORD delete_count, PLUID_AND_ATTRIBUTES delete_privs,
--                                   DWORD restrict_count, PSID_AND_ATTRIBUTES restrict_sids, PHANDLE ret )
-+BOOL WINAPI CreateRestrictedToken( HANDLE baseToken, DWORD flags,
-+                                   DWORD nDisableSids, PSID_AND_ATTRIBUTES disableSids,
-+                                   DWORD nDeletePrivs, PLUID_AND_ATTRIBUTES deletePrivs,
-+                                   DWORD nRestrictSids, PSID_AND_ATTRIBUTES restrictSids, PHANDLE newToken )
- {
--    TOKEN_TYPE type;
--    SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
--    DWORD size;
-+    TOKEN_PRIVILEGES *delete_privs = NULL;
-+    TOKEN_GROUPS *disable_groups = NULL;
-+    TOKEN_GROUPS *restrict_sids = NULL;
-+    BOOL ret = FALSE;
- 
--    FIXME("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p): stub\n",
--          token, flags, disable_count, disable_sids, delete_count, delete_privs,
--          restrict_count, restrict_sids, ret );
-+    TRACE("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p)\n",
-+          baseToken, flags, nDisableSids, disableSids,
-+          nDeletePrivs, deletePrivs,
-+          nRestrictSids, restrictSids,
-+          newToken);
-+
-+    if (!allocate_groups(&disable_groups, disableSids, nDisableSids))
-+        goto done;
-+
-+    if (!allocate_privileges(&delete_privs, deletePrivs, nDeletePrivs))
-+        goto done;
-+
-+    if (!allocate_groups(&restrict_sids, restrictSids, nRestrictSids))
-+        goto done;
-+
-+    ret = set_ntstatus(NtFilterToken(baseToken, flags, disable_groups, delete_privs, restrict_sids, newToken));
-+
-+done:
-+    heap_free(disable_groups);
-+    heap_free(delete_privs);
-+    heap_free(restrict_sids);
-+    return ret;
- 
--    size = sizeof(type);
--    if (!GetTokenInformation( token, TokenType, &type, size, &size )) return FALSE;
--    if (type == TokenImpersonation)
--    {
--        size = sizeof(level);
--        if (!GetTokenInformation( token, TokenImpersonationLevel, &level, size, &size ))
--            return FALSE;
--    }
--    return DuplicateTokenEx( token, MAXIMUM_ALLOWED, NULL, level, type, ret );
- }
- 
- /******************************************************************************
--- 
-2.20.1
-

patches/advapi32-CreateRestrictedToken/definition

@@ -1 +0,0 @@
-Fixes: [25834] Implement advapi32.CreateRestrictedToken

patches/advapi32-LsaLookupPrivilegeName/0002-advapi32-Use-TRACE-for-LsaOpenPolicy-LsaClose.patch

@@ -1,34 +0,0 @@
-From 1941137bff72a2297812bbd05fb6f6a1578426b0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sun, 5 Mar 2017 23:05:54 +0100
-Subject: advapi32: Use TRACE for LsaOpenPolicy/LsaClose.
-
----
- dlls/advapi32/lsa.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/dlls/advapi32/lsa.c b/dlls/advapi32/lsa.c
-index e5e3b1649c0..0f2167d19ab 100644
---- a/dlls/advapi32/lsa.c
-+++ b/dlls/advapi32/lsa.c
-@@ -136,7 +136,7 @@ NTSTATUS WINAPI LsaAddAccountRights(
-  */
- NTSTATUS WINAPI LsaClose(IN LSA_HANDLE ObjectHandle)
- {
--    FIXME("(%p) stub\n", ObjectHandle);
-+    TRACE("(%p) semi-stub\n", ObjectHandle);
-     return STATUS_SUCCESS;
- }
- 
-@@ -687,7 +687,7 @@ NTSTATUS WINAPI LsaOpenPolicy(
-     IN ACCESS_MASK DesiredAccess,
-     IN OUT PLSA_HANDLE PolicyHandle)
- {
--    FIXME("(%s,%p,0x%08x,%p) stub\n",
-+    TRACE("(%s,%p,0x%08x,%p) semi-stub\n",
-           SystemName?debugstr_w(SystemName->Buffer):"(null)",
-           ObjectAttributes, DesiredAccess, PolicyHandle);
- 
--- 
-2.11.0
-

patches/advapi32-Token_Integrity_Level/0002-server-Implement-token-elevation-information.patch

@@ -1,137 +0,0 @@
-From d2e98b2054a5af671fd81ded32f2cf60a062312c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sat, 5 Aug 2017 00:26:03 +0200
-Subject: [PATCH] server: Implement token elevation information.
-
----
- dlls/ntdll/unix/security.c | 16 ++++++++++++----
- server/protocol.def        |  8 ++++++++
- server/token.c             | 22 +++++++++++++++++++---
- 3 files changed, 39 insertions(+), 7 deletions(-)
-
-diff --git a/dlls/ntdll/unix/security.c b/dlls/ntdll/unix/security.c
-index d063d43d6d4..03a81afa46e 100644
---- a/dlls/ntdll/unix/security.c
-+++ b/dlls/ntdll/unix/security.c
-@@ -390,19 +390,27 @@ NTSTATUS WINAPI NtQueryInformationToken( HANDLE token, TOKEN_INFORMATION_CLASS c
-         break;
- 
-     case TokenElevationType:
-+        SERVER_START_REQ( get_token_elevation_type )
-         {
-             TOKEN_ELEVATION_TYPE *type = info;
--            FIXME("QueryInformationToken( ..., TokenElevationType, ...) semi-stub\n");
--            *type = TokenElevationTypeFull;
-+            req->handle = wine_server_obj_handle( token );
-+            status = wine_server_call( req );
-+            if (status == STATUS_SUCCESS)
-+                *type = reply->elevation;
-         }
-+        SERVER_END_REQ;
-         break;
- 
-     case TokenElevation:
-+        SERVER_START_REQ( get_token_elevation_type )
-         {
-             TOKEN_ELEVATION *elevation = info;
--            FIXME("QueryInformationToken( ..., TokenElevation, ...) semi-stub\n");
--            elevation->TokenIsElevated = TRUE;
-+            req->handle = wine_server_obj_handle( token );
-+            status = wine_server_call( req );
-+            if (status == STATUS_SUCCESS)
-+                elevation->TokenIsElevated = (reply->elevation == TokenElevationTypeFull);
-         }
-+        SERVER_END_REQ;
-         break;
- 
-     case TokenSessionId:
-diff --git a/server/protocol.def b/server/protocol.def
-index ee07b1eca14..84f0b577d72 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -3566,6 +3566,14 @@ struct handle_info
- @END
- 
- 
-+/* Get elevation level of token */
-+@REQ(get_token_elevation_type)
-+    obj_handle_t   handle;        /* handle to the object */
-+@REPLY
-+    unsigned int   elevation;     /* elevation level */
-+@END
-+
-+
- /* Create I/O completion port */
- @REQ(create_completion)
-     unsigned int access;          /* desired access to a port */
-diff --git a/server/token.c b/server/token.c
-index 38a4c203d54..14343637af5 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -110,6 +110,7 @@ struct token
-     ACL           *default_dacl;    /* the default DACL to assign to objects created by this user */
-     TOKEN_SOURCE   source;          /* source of the token */
-     int            impersonation_level; /* impersonation level this token is capable of if non-primary token */
-+    TOKEN_ELEVATION_TYPE elevation; /* elevation level */
- };
- 
- struct privilege
-@@ -552,7 +553,7 @@ static struct token *create_token( unsigned primary, const SID *user,
-                                    const LUID_AND_ATTRIBUTES *privs, unsigned int priv_count,
-                                    const ACL *default_dacl, TOKEN_SOURCE source,
-                                    const luid_t *modified_id,
--                                   int impersonation_level )
-+                                   int impersonation_level, TOKEN_ELEVATION_TYPE elevation )
- {
-     struct token *token = alloc_object( &token_ops );
-     if (token)
-@@ -574,6 +575,7 @@ static struct token *create_token( unsigned primary, const SID *user,
-             token->impersonation_level = impersonation_level;
-         token->default_dacl = NULL;
-         token->primary_group = NULL;
-+        token->elevation = elevation;
- 
-         /* copy user */
-         token->user = memdup( user, security_sid_len( user ));
-@@ -689,7 +691,8 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
-     token = create_token( primary, src_token->user, NULL, 0,
-                           NULL, 0, src_token->default_dacl,
-                           src_token->source, modified_id,
--                          impersonation_level );
-+                          impersonation_level,
-+                          src_token->elevation );
-     if (!token) return token;
- 
-     /* copy groups */
-@@ -895,7 +898,7 @@ struct token *token_create_admin( void )
-         static const TOKEN_SOURCE admin_source = {"SeMgr", {0, 0}};
-         token = create_token( TRUE, user_sid, admin_groups, ARRAY_SIZE( admin_groups ),
-                               admin_privs, ARRAY_SIZE( admin_privs ), default_dacl,
--                              admin_source, NULL, -1 );
-+                              admin_source, NULL, -1, TokenElevationTypeFull );
-         /* we really need a primary group */
-         assert( token->primary_group );
-     }
-@@ -1634,6 +1637,19 @@ DECL_HANDLER(get_token_statistics)
-     }
- }
- 
-+DECL_HANDLER(get_token_elevation_type)
-+{
-+    struct token *token;
-+
-+    if ((token = (struct token *)get_handle_obj( current->process, req->handle,
-+                                                 TOKEN_QUERY,
-+                                                 &token_ops )))
-+    {
-+        reply->elevation = token->elevation;
-+        release_object( token );
-+    }
-+}
-+
- DECL_HANDLER(get_token_default_dacl)
- {
-     struct token *token;
--- 
-2.27.0
-

patches/advapi32-Token_Integrity_Level/0003-server-Correctly-treat-zero-access-mask-in-duplicate.patch

@@ -1,81 +0,0 @@
-From 7e73f449d158f0d6a6b6b421d073dbaf1741e1c7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Mon, 7 Aug 2017 02:22:11 +0200
-Subject: server: Correctly treat zero access mask in duplicate_token
- wineserver call.
-
----
- dlls/advapi32/tests/security.c | 14 +++++++-------
- server/token.c                 |  3 ++-
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
-index 4a03db27e69..f1a64e29dea 100644
---- a/dlls/advapi32/tests/security.c
-+++ b/dlls/advapi32/tests/security.c
-@@ -7438,7 +7438,7 @@ static void test_token_security_descriptor(void)
-             ret = DuplicateTokenEx(token4, 0, NULL, SecurityImpersonation, TokenImpersonation, &token5);
-             ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
-             ret = SetThreadToken(NULL, token5);
--            todo_wine ok(ret, "SetThreadToken failed with error %u\n", GetLastError());
-+            ok(ret, "SetThreadToken failed with error %u\n", GetLastError());
-             CloseHandle(token4);
- 
-             /* Restrict current process token while impersonating a medium integrity token */
-@@ -7503,16 +7503,16 @@ static void test_token_security_descriptor(void)
- 
-             size = 0;
-             ret = GetKernelObjectSecurity(token6, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
--            todo_wine ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-+            ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-                "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
- 
-             sd3 = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
-             ret = GetKernelObjectSecurity(token6, LABEL_SECURITY_INFORMATION, sd3, size, &size);
--            todo_wine ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
-+            ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- 
-             sacl = NULL;
-             ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
--            todo_wine ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-+            ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-             todo_wine ok(present, "No SACL in the security descriptor\n");
-             todo_wine ok(sacl != NULL, "NULL SACL in the security descriptor\n");
- 
-@@ -7606,16 +7606,16 @@ static void test_token_security_descriptor(void)
- 
-         size = 0;
-         ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
--        todo_wine ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-+        ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-            "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
- 
-         sd3 = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
-         ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, sd3, size, &size);
--        todo_wine ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
-+        ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- 
-         sacl = NULL;
-         ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
--        todo_wine ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-+        ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-         todo_wine ok(present, "No SACL in the security descriptor\n");
-         todo_wine ok(sacl != NULL, "NULL SACL in the security descriptor\n");
- 
-diff --git a/server/token.c b/server/token.c
-index 6a1085bae12..292e1df80fd 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -1376,7 +1376,8 @@ DECL_HANDLER(duplicate_token)
-         struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd, NULL, 0, NULL, 0 );
-         if (token)
-         {
--            reply->new_handle = alloc_handle_no_access_check( current->process, token, req->access, objattr->attributes );
-+            unsigned int access = req->access ? req->access : get_handle_access( current->process, req->handle );
-+            reply->new_handle = alloc_handle_no_access_check( current->process, token, access, objattr->attributes );
-             release_object( token );
-         }
-         release_object( src_token );
--- 
-2.13.1
-

patches/advapi32-Token_Integrity_Level/0005-server-Use-all-group-attributes-in-create_token.patch

@@ -1,46 +0,0 @@
-From 48f4c131f9e8ffc091dde12437ad0772ed1c5ca6 Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Sun, 6 Aug 2017 15:16:33 +0200
-Subject: server: Use all group attributes in create_token.
-
----
- server/token.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/server/token.c b/server/token.c
-index 0019b3a..2a56664 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -592,13 +592,13 @@ static struct token *create_token( unsigned primary, const SID *user,
-                 return NULL;
-             }
-             memcpy( &group->sid, groups[i].Sid, security_sid_len( groups[i].Sid ));
--            group->enabled = TRUE;
--            group->def = TRUE;
--            group->logon = (groups[i].Attributes & SE_GROUP_LOGON_ID) != 0;
-             group->mandatory = (groups[i].Attributes & SE_GROUP_MANDATORY) != 0;
--            group->owner = (groups[i].Attributes & SE_GROUP_OWNER) != 0;
--            group->resource = FALSE;
--            group->deny_only = FALSE;
-+            group->def       = (groups[i].Attributes & SE_GROUP_ENABLED_BY_DEFAULT) != 0;
-+            group->enabled   = (groups[i].Attributes & SE_GROUP_ENABLED) != 0;
-+            group->owner     = (groups[i].Attributes & SE_GROUP_OWNER) != 0;
-+            group->deny_only = (groups[i].Attributes & SE_GROUP_USE_FOR_DENY_ONLY) != 0;
-+            group->logon     = (groups[i].Attributes & SE_GROUP_LOGON_ID) != 0;
-+            group->resource  = (groups[i].Attributes & SE_GROUP_RESOURCE) != 0;
-             list_add_tail( &token->groups, &group->entry );
-             /* Use first owner capable group as owner and primary group */
-             if (!token->primary_group && group->owner)
-@@ -1603,8 +1603,8 @@ DECL_HANDLER(get_token_groups)
-                     if (group->enabled) *attr_ptr |= SE_GROUP_ENABLED;
-                     if (group->owner) *attr_ptr |= SE_GROUP_OWNER;
-                     if (group->deny_only) *attr_ptr |= SE_GROUP_USE_FOR_DENY_ONLY;
--                    if (group->resource) *attr_ptr |= SE_GROUP_RESOURCE;
-                     if (group->logon) *attr_ptr |= SE_GROUP_LOGON_ID;
-+                    if (group->resource) *attr_ptr |= SE_GROUP_RESOURCE;
- 
-                     memcpy(sid_ptr, &group->sid, security_sid_len( &group->sid ));
- 
--- 
-2.7.4
-

patches/advapi32-Token_Integrity_Level/0006-ntdll-Add-function-to-create-new-tokens-for-elevatio.patch

@@ -1,219 +0,0 @@
-From cdf1f84a65198df1ac4162f868f35971e5e1a2a1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sat, 5 Aug 2017 01:45:29 +0200
-Subject: [PATCH] ntdll: Add function to create new tokens for elevation
- purposes.
-
----
- dlls/ntdll/ntdll.spec   |  3 ++
- dlls/ntdll/ntdll_misc.h |  3 ++
- dlls/ntdll/process.c    | 18 +++++++++
- server/protocol.def     |  8 ++++
- server/security.h       |  1 +
- server/token.c          | 84 +++++++++++++++++++++++++++++++++++++++++
- 6 files changed, 117 insertions(+)
-
-diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
-index f604c8a3c35..850a40412d0 100644
---- a/dlls/ntdll/ntdll.spec
-+++ b/dlls/ntdll/ntdll.spec
-@@ -1599,6 +1599,9 @@
- # Virtual memory
- @ cdecl __wine_locked_recvmsg(long ptr long)
- 
-+# Token
-+@ cdecl __wine_create_default_token(long)
-+
- # Version
- @ cdecl wine_get_version()
- @ cdecl wine_get_build_id()
-diff --git a/dlls/ntdll/ntdll_misc.h b/dlls/ntdll/ntdll_misc.h
-index 1f27cd100a7..769d6facc9f 100644
---- a/dlls/ntdll/ntdll_misc.h
-+++ b/dlls/ntdll/ntdll_misc.h
-@@ -68,6 +68,9 @@ extern void init_locale( HMODULE module ) DECLSPEC_HIDDEN;
- extern void init_user_process_params(void) DECLSPEC_HIDDEN;
- extern NTSTATUS restart_process( RTL_USER_PROCESS_PARAMETERS *params, NTSTATUS status ) DECLSPEC_HIDDEN;
- 
-+/* token */
-+extern HANDLE CDECL __wine_create_default_token(BOOL admin);
-+
- /* server support */
- extern BOOL is_wow64 DECLSPEC_HIDDEN;
- 
-diff --git a/dlls/ntdll/process.c b/dlls/ntdll/process.c
-index 77ba5b371e2..3e91a1fa9c4 100644
---- a/dlls/ntdll/process.c
-+++ b/dlls/ntdll/process.c
-@@ -72,6 +72,24 @@ HANDLE CDECL __wine_make_process_system(void)
-     return ret;
- }
- 
-+/***********************************************************************
-+ *           __wine_create_default_token   (NTDLL.@)
-+ *
-+ * Creates a default limited or admin token.
-+ */
-+HANDLE CDECL __wine_create_default_token( BOOL admin )
-+{
-+    HANDLE ret = NULL;
-+    SERVER_START_REQ( create_token )
-+    {
-+        req->admin = admin;
-+        if (!wine_server_call( req ))
-+            ret = wine_server_ptr_handle( reply->token );
-+    }
-+    SERVER_END_REQ;
-+    return ret;
-+}
-+
- /***********************************************************************
-  *           restart_process
-  */
-diff --git a/server/protocol.def b/server/protocol.def
-index 4d37a0df348..56b52dd2231 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -3581,6 +3581,14 @@ struct handle_info
- @END
- 
- 
-+/* Create a new token */
-+@REQ(create_token)
-+    unsigned int  admin;        /* admin or limited token */
-+@REPLY
-+    obj_handle_t  token;        /* handle for new token */
-+@END
-+
-+
- /* Create I/O completion port */
- @REQ(create_completion)
-     unsigned int access;          /* desired access to a port */
-diff --git a/server/security.h b/server/security.h
-index 6c337143c3d..21e90ccf23f 100644
---- a/server/security.h
-+++ b/server/security.h
-@@ -49,6 +49,7 @@ extern const PSID security_builtin_users_sid;
- extern const PSID security_builtin_admins_sid;
- extern const PSID security_domain_users_sid;
- extern const PSID security_high_label_sid;
-+extern const PSID security_medium_label_sid;
- 
- 
- /* token functions */
-diff --git a/server/token.c b/server/token.c
-index c4f1cd943c2..970ed1838da 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -77,6 +77,7 @@ static const SID anonymous_logon_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORIT
- static const SID authenticated_user_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_AUTHENTICATED_USER_RID } };
- static const SID local_system_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_LOCAL_SYSTEM_RID } };
- static const SID high_label_sid = { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY }, { SECURITY_MANDATORY_HIGH_RID } };
-+static const SID medium_label_sid = { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY }, { SECURITY_MANDATORY_MEDIUM_RID } };
- static const SID_N(5) local_user_sid = { SID_REVISION, 5, { SECURITY_NT_AUTHORITY }, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, 1000 } };
- static const SID_N(2) builtin_admins_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
- static const SID_N(2) builtin_users_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
-@@ -93,6 +94,7 @@ const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
- const PSID security_builtin_users_sid = (PSID)&builtin_users_sid;
- const PSID security_domain_users_sid = (PSID)&domain_users_sid;
- const PSID security_high_label_sid = (PSID)&high_label_sid;
-+const PSID security_medium_label_sid = (PSID)&medium_label_sid;
- 
- static luid_t prev_luid_value = { 1000, 0 };
- 
-@@ -915,6 +917,64 @@ struct token *token_create_admin( void )
-     return token;
- }
- 
-+static struct token *token_create_limited( void )
-+{
-+    struct token *token = NULL;
-+    static const SID_IDENTIFIER_AUTHORITY nt_authority = { SECURITY_NT_AUTHORITY };
-+    static const unsigned int alias_admins_subauth[] = { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS };
-+    static const unsigned int alias_users_subauth[] = { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS };
-+    /* on Windows, this value changes every time the user logs on */
-+    static const unsigned int logon_subauth[] = { SECURITY_LOGON_IDS_RID, 0, 1 /* FIXME: should be randomly generated when tokens are inherited by new processes */ };
-+    PSID alias_admins_sid;
-+    PSID alias_users_sid;
-+    PSID logon_sid;
-+    const SID *user_sid = security_unix_uid_to_sid( getuid() );
-+    ACL *default_dacl = create_default_dacl( user_sid );
-+
-+    alias_admins_sid = security_sid_alloc( &nt_authority, sizeof(alias_admins_subauth)/sizeof(alias_admins_subauth[0]),
-+                                           alias_admins_subauth );
-+    alias_users_sid = security_sid_alloc( &nt_authority, sizeof(alias_users_subauth)/sizeof(alias_users_subauth[0]),
-+                                          alias_users_subauth );
-+    logon_sid = security_sid_alloc( &nt_authority, sizeof(logon_subauth)/sizeof(logon_subauth[0]),
-+                                    logon_subauth );
-+
-+    if (alias_admins_sid && alias_users_sid && logon_sid && default_dacl)
-+    {
-+        const LUID_AND_ATTRIBUTES user_privs[] =
-+        {
-+            { SeChangeNotifyPrivilege        , SE_PRIVILEGE_ENABLED },
-+            { SeShutdownPrivilege            , 0                    },
-+            { SeUndockPrivilege              , 0                    },
-+        };
-+        /* note: we don't include non-builtin groups here for the user -
-+         * telling us these is the job of a client-side program */
-+        const SID_AND_ATTRIBUTES user_groups[] =
-+        {
-+            { security_world_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
-+            { security_local_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
-+            { security_interactive_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
-+            { security_authenticated_user_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
-+            { security_domain_users_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY|SE_GROUP_OWNER },
-+            { alias_admins_sid, SE_GROUP_USE_FOR_DENY_ONLY },
-+            { alias_users_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
-+            { logon_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY|SE_GROUP_LOGON_ID },
-+        };
-+        static const TOKEN_SOURCE admin_source = {"SeMgr", {0, 0}};
-+        token = create_token( TRUE, user_sid, user_groups, sizeof(user_groups)/sizeof(user_groups[0]),
-+                              user_privs, sizeof(user_privs)/sizeof(user_privs[0]), default_dacl,
-+                              admin_source, NULL, -1, TokenElevationTypeLimited, &medium_label_sid );
-+        /* we really need a primary group */
-+        assert( token->primary_group );
-+    }
-+
-+    free( logon_sid );
-+    free( alias_admins_sid );
-+    free( alias_users_sid );
-+    free( default_dacl );
-+
-+    return token;
-+}
-+
- static struct privilege *token_find_privilege( struct token *token, const LUID *luid, int enabled_only )
- {
-     struct privilege *privilege;
-@@ -1720,3 +1780,27 @@ DECL_HANDLER(set_token_default_dacl)
-         release_object( token );
-     }
- }
-+
-+DECL_HANDLER(create_token)
-+{
-+    struct token *token;
-+    PSID label;
-+
-+    if (req->admin)
-+    {
-+        token = token_create_admin();
-+        label = security_high_label_sid;
-+    }
-+    else
-+    {
-+        token = token_create_limited();
-+        label = security_medium_label_sid;
-+    }
-+
-+    if (token)
-+    {
-+        if (token_assign_label( token, label ))
-+            reply->token = alloc_handle( current->process, token, TOKEN_ALL_ACCESS, 0 );
-+        release_object( token );
-+    }
-+}
--- 
-2.27.0
-

patches/advapi32-Token_Integrity_Level/0007-shell32-Implement-process-elevation-using-runas-verb.patch

@@ -1,66 +0,0 @@
-From cf24ca0854a5b0dca2055f0991fd9a932125c65e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sat, 5 Aug 2017 02:03:20 +0200
-Subject: shell32: Implement process elevation using runas verb.
-
----
- dlls/shell32/shlexec.c | 22 ++++++++++++++++++++--
- 1 file changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/dlls/shell32/shlexec.c b/dlls/shell32/shlexec.c
-index 0cf112b6373..af50078dbca 100644
---- a/dlls/shell32/shlexec.c
-+++ b/dlls/shell32/shlexec.c
-@@ -50,6 +50,8 @@
- 
- WINE_DEFAULT_DEBUG_CHANNEL(exec);
- 
-+extern HANDLE CDECL __wine_create_default_token(BOOL admin);
-+
- static const WCHAR wszOpen[] = {'o','p','e','n',0};
- static const WCHAR wszExe[] = {'.','e','x','e',0};
- static const WCHAR wszILPtr[] = {':','%','p',0};
-@@ -312,6 +314,8 @@ static HRESULT SHELL_GetPathFromIDListForExecuteW(LPCITEMIDLIST pidl, LPWSTR psz
- static UINT_PTR SHELL_ExecuteW(const WCHAR *lpCmd, WCHAR *env, BOOL shWait,
- 			    const SHELLEXECUTEINFOW *psei, LPSHELLEXECUTEINFOW psei_out)
- {
-+    static WCHAR runasW[] = {'r','u','n','a','s',0};
-+    HANDLE token = NULL;
-     STARTUPINFOW  startup;
-     PROCESS_INFORMATION info;
-     UINT_PTR retval = SE_ERR_NOASSOC;
-@@ -344,8 +348,20 @@ static UINT_PTR SHELL_ExecuteW(const WCHAR *lpCmd, WCHAR *env, BOOL shWait,
-     dwCreationFlags = CREATE_UNICODE_ENVIRONMENT;
-     if (!(psei->fMask & SEE_MASK_NO_CONSOLE))
-         dwCreationFlags |= CREATE_NEW_CONSOLE;
--    if (CreateProcessW(NULL, (LPWSTR)lpCmd, NULL, NULL, FALSE, dwCreationFlags, env,
--                       lpDirectory, &startup, &info))
-+
-+    /* Spawning a process with runas verb means that the process should be
-+     * executed with admin rights. This function ignores the manifest data,
-+     * and allows programs to elevate rights on-demand. On Windows a complex
-+     * RPC menchanism is used, using CreateProcessAsUser would fail because
-+     * it can only be used to drop rights. */
-+    if (psei->lpVerb && !strcmpiW(psei->lpVerb, runasW))
-+    {
-+        if (!(token = __wine_create_default_token(TRUE)))
-+            ERR("Failed to create admin token\n");
-+    }
-+
-+    if (CreateProcessAsUserW(token, NULL, (LPWSTR)lpCmd, NULL, NULL, FALSE,
-+                             dwCreationFlags, env, lpDirectory, &startup, &info))
-     {
-         /* Give 30 seconds to the app to come up, if desired. Probably only needed
-            when starting app immediately before making a DDE connection. */
-@@ -365,6 +381,8 @@ static UINT_PTR SHELL_ExecuteW(const WCHAR *lpCmd, WCHAR *env, BOOL shWait,
-         retval = ERROR_BAD_FORMAT;
-     }
- 
-+    if (token) CloseHandle(token);
-+
-     TRACE("returning %lu\n", retval);
- 
-     psei_out->hInstApp = (HINSTANCE)retval;
--- 
-2.13.1
-

patches/advapi32-Token_Integrity_Level/0008-ntdll-Implement-process-token-elevation-through-mani.patch

@@ -1,4 +1,4 @@
-From f058e0e1425aab869a1a7d0db0446944af9bc8d6 Mon Sep 17 00:00:00 2001
+From 51cde3dff5de27d1aebc964a4802758534d56773 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Sat, 5 Aug 2017 03:39:55 +0200
 Subject: [PATCH] ntdll: Implement process token elevation through manifests.
@@ -74,7 +74,7 @@ index 6290cbcb4e6..9a8f13901b2 100644
      RemoveEntryList( &wm->ldr.InLoadOrderLinks );
      InsertHeadList( &peb->LdrData->InLoadOrderModuleList, &wm->ldr.InLoadOrderLinks );
 diff --git a/server/process.c b/server/process.c
-index 7875db09801..d7334ffc959 100644
+index fa8495511e0..df72efdecc8 100644
 --- a/server/process.c
 +++ b/server/process.c
 @@ -1086,6 +1086,14 @@ int set_process_debug_flag( struct process *process, int flag )
@@ -93,7 +93,7 @@ index 7875db09801..d7334ffc959 100644
  DECL_HANDLER(new_process)
  {
 diff --git a/server/process.h b/server/process.h
-index 3944a67d571..3cbf70fda21 100644
+index 0fdf070b78e..43e8cc1ad7e 100644
 --- a/server/process.h
 +++ b/server/process.h
 @@ -129,6 +129,7 @@ extern void kill_console_processes( struct thread *renderer, int exit_code );
@@ -103,12 +103,12 @@ index 3944a67d571..3cbf70fda21 100644
 +extern void replace_process_token( struct process *process, struct token *token );
  
  /* console functions */
- extern obj_handle_t inherit_console( struct thread *parent_thread, struct process *parent,
+ extern obj_handle_t inherit_console( struct thread *parent_thread, obj_handle_t handle,
 diff --git a/server/protocol.def b/server/protocol.def
-index b84d1d10004..65bcb99d486 100644
+index a9308904afc..8c40fba8d0a 100644
 --- a/server/protocol.def
 +++ b/server/protocol.def
-@@ -3526,6 +3526,13 @@ struct handle_info
+@@ -3489,6 +3489,13 @@ struct handle_info
  @END
  
  
@@ -145,5 +145,5 @@ index 970ed1838da..1c1d49989b3 100644
 +    }
 +}
 -- 
-2.27.0
+2.28.0
 

patches/advapi32-Token_Integrity_Level/0010-server-Implement-support-for-creating-processes-usin.patch

@@ -1,310 +0,0 @@
-From 9c61f6acfa2c43e43f07fae1a5cd447573b9529b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sun, 6 Aug 2017 02:08:05 +0200
-Subject: [PATCH] server: Implement support for creating processes using a
- token.
-
----
- dlls/kernelbase/process.c | 24 +++++++++++++-----------
- dlls/ntdll/unix/process.c |  1 +
- server/process.c          | 39 +++++++++++++++++++++++++++++++++++----
- server/process.h          |  2 +-
- server/protocol.def       |  1 +
- server/request.c          |  2 +-
- server/security.h         |  2 ++
- server/token.c            | 11 +++++++++++
- 8 files changed, 65 insertions(+), 17 deletions(-)
-
-diff --git a/dlls/kernelbase/process.c b/dlls/kernelbase/process.c
-index a3b168543fc..b5c8b47239d 100644
---- a/dlls/kernelbase/process.c
-+++ b/dlls/kernelbase/process.c
-@@ -244,7 +244,7 @@ static RTL_USER_PROCESS_PARAMETERS *create_process_params( const WCHAR *filename
- /***********************************************************************
-  *           create_nt_process
-  */
--static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_nt_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                    BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                    RTL_USER_PROCESS_INFORMATION *info, HANDLE parent )
- {
-@@ -259,7 +259,7 @@ static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES
-         status = RtlCreateUserProcess( &nameW, OBJ_CASE_INSENSITIVE, params,
-                                        psa ? psa->lpSecurityDescriptor : NULL,
-                                        tsa ? tsa->lpSecurityDescriptor : NULL,
--                                       parent, inherit, 0, 0, info );
-+                                       parent, inherit, 0, token, info );
-         RtlFreeUnicodeString( &nameW );
-     }
-     return status;
-@@ -269,7 +269,7 @@ static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES
- /***********************************************************************
-  *           create_vdm_process
-  */
--static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_vdm_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                     BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                     RTL_USER_PROCESS_INFORMATION *info )
- {
-@@ -290,7 +290,7 @@ static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
-               winevdm, params->ImagePathName.Buffer, params->CommandLine.Buffer );
-     RtlInitUnicodeString( &params->ImagePathName, winevdm );
-     RtlInitUnicodeString( &params->CommandLine, newcmdline );
--    status = create_nt_process( psa, tsa, inherit, flags, params, info, NULL );
-+    status = create_nt_process( token, psa, tsa, inherit, flags, params, info, NULL );
-     HeapFree( GetProcessHeap(), 0, newcmdline );
-     return status;
- }
-@@ -299,7 +299,7 @@ static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
- /***********************************************************************
-  *           create_cmd_process
-  */
--static NTSTATUS create_cmd_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_cmd_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                     BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                     RTL_USER_PROCESS_INFORMATION *info )
- {
-@@ -318,7 +318,7 @@ static NTSTATUS create_cmd_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
-     swprintf( newcmdline, len, L"%s /s/c \"%s\"", comspec, params->CommandLine.Buffer );
-     RtlInitUnicodeString( &params->ImagePathName, comspec );
-     RtlInitUnicodeString( &params->CommandLine, newcmdline );
--    status = create_nt_process( psa, tsa, inherit, flags, params, info, NULL );
-+    status = create_nt_process( token, psa, tsa, inherit, flags, params, info, NULL );
-     RtlFreeHeap( GetProcessHeap(), 0, newcmdline );
-     return status;
- }
-@@ -450,7 +450,9 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
- 
-     TRACE( "app %s cmdline %s\n", debugstr_w(app_name), debugstr_w(cmd_line) );
- 
--    if (token) FIXME( "Creating a process with a token is not yet implemented\n" );
-+    /* FIXME: Starting a process which requires admin rights should fail
-+     * with ERROR_ELEVATION_REQUIRED when no token is passed. */
-+
-     if (new_token) FIXME( "No support for returning created process token\n" );
- 
-     if (app_name)
-@@ -523,7 +525,7 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-         }
-     }
- 
--    status = create_nt_process( process_attr, thread_attr, inherit, flags, params, &rtl_info, parent );
-+    status = create_nt_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info, parent );
-     switch (status)
-     {
-     case STATUS_SUCCESS:
-@@ -532,7 +534,7 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-     case STATUS_INVALID_IMAGE_NE_FORMAT:
-     case STATUS_INVALID_IMAGE_PROTECT:
-         TRACE( "starting %s as Win16/DOS binary\n", debugstr_w(app_name) );
--        status = create_vdm_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+        status = create_vdm_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         break;
-     case STATUS_INVALID_IMAGE_NOT_MZ:
-         /* check for .com or .bat extension */
-@@ -540,12 +542,12 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-         if (!wcsicmp( p, L".com" ) || !wcsicmp( p, L".pif" ))
-         {
-             TRACE( "starting %s as DOS binary\n", debugstr_w(app_name) );
--            status = create_vdm_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+            status = create_vdm_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         }
-         else if (!wcsicmp( p, L".bat" ) || !wcsicmp( p, L".cmd" ))
-         {
-             TRACE( "starting %s as batch binary\n", debugstr_w(app_name) );
--            status = create_cmd_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+            status = create_cmd_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         }
-         break;
-     }
-diff --git a/dlls/ntdll/unix/process.c b/dlls/ntdll/unix/process.c
-index cca6c2747bf..379a0036b63 100644
---- a/dlls/ntdll/unix/process.c
-+++ b/dlls/ntdll/unix/process.c
-@@ -827,6 +827,7 @@ NTSTATUS WINAPI NtCreateUserProcess( HANDLE *process_handle_ptr, HANDLE *thread_
-         req->access         = process_access;
-         req->cpu            = pe_info.cpu;
-         req->info_size      = startup_info_size;
-+        req->token          = wine_server_obj_handle( token );
-         wine_server_add_data( req, objattr, attr_len );
-         wine_server_add_data( req, startup_info, startup_info_size );
-         wine_server_add_data( req, params->Environment, env_size );
-diff --git a/server/process.c b/server/process.c
-index 52604ec4d61..047916ffd09 100644
---- a/server/process.c
-+++ b/server/process.c
-@@ -499,7 +499,7 @@ static void start_sigkill_timer( struct process *process )
- /* create a new process */
- /* if the function fails the fd is closed */
- struct process *create_process( int fd, struct process *parent, int inherit_all,
--                                const struct security_descriptor *sd )
-+                                const struct security_descriptor *sd, struct token *token )
- {
-     struct process *process;
- 
-@@ -576,7 +576,7 @@ struct process *create_process( int fd, struct process *parent, int inherit_all,
-                                        : alloc_handle_table( process, 0 );
-         /* Note: for security reasons, starting a new process does not attempt
-          * to use the current impersonation token for the new process */
--        process->token = token_duplicate( parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-+        process->token = token_duplicate( token ? token : parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-         process->affinity = parent->affinity;
-     }
-     if (!process->handles || !process->token) goto error;
-@@ -1132,6 +1132,7 @@ DECL_HANDLER(new_process)
-     const struct security_descriptor *sd;
-     const struct object_attributes *objattr = get_req_object_attributes( &sd, &name, NULL );
-     struct process *process = NULL;
-+    struct token *token = NULL;
-     struct process *parent;
-     struct thread *parent_thread = current;
-     int socket_fd = thread_get_inflight_fd( current, req->socket_fd );
-@@ -1185,10 +1186,39 @@ DECL_HANDLER(new_process)
-         return;
-     }
- 
-+    if (req->token)
-+    {
-+        token = get_token_from_handle( req->token, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY );
-+        if (!token)
-+        {
-+            close( socket_fd );
-+            return;
-+        }
-+        if (!token_is_primary( token ))
-+        {
-+            set_error( STATUS_BAD_TOKEN_TYPE );
-+            release_object( token );
-+            close( socket_fd );
-+            return;
-+        }
-+    }
-+
-+    if (!req->info_size)  /* create an orphaned process */
-+    {
-+        if ((process = create_process( socket_fd, NULL, 0, sd, token )))
-+        {
-+            create_thread( -1, process, NULL );
-+            release_object( process );
-+        }
-+        if (token) release_object( token );
-+        return;
-+    }
-+
-     /* build the startup info for a new process */
-     if (!(info = alloc_object( &startup_info_ops )))
-     {
-         close( socket_fd );
-+        if (token) release_object( token );
-         release_object( parent );
-         return;
-     }
-@@ -1236,7 +1266,7 @@ DECL_HANDLER(new_process)
- #undef FIXUP_LEN
-     }
- 
--    if (!(process = create_process( socket_fd, parent, req->inherit_all, sd ))) goto done;
-+    if (!(process = create_process( socket_fd, parent, req->inherit_all, sd, token ))) goto done;
- 
-     process->startup_info = (struct startup_info *)grab_object( info );
- 
-@@ -1297,6 +1327,7 @@ DECL_HANDLER(new_process)
-     reply->handle = alloc_handle_no_access_check( current->process, process, req->access, objattr->attributes );
- 
-  done:
-+    if (token) release_object( token );
-     if (process) release_object( process );
-     release_object( parent );
-     release_object( info );
-@@ -1330,7 +1361,7 @@ DECL_HANDLER(exec_process)
-         close( socket_fd );
-         return;
-     }
--    if (!(process = create_process( socket_fd, NULL, 0, NULL ))) return;
-+    if (!(process = create_process( socket_fd, NULL, 0, NULL, NULL ))) return;
-     create_thread( -1, process, NULL );
-     release_object( process );
- }
-diff --git a/server/process.h b/server/process.h
-index dfe5c4e52d8..61b83abf693 100644
---- a/server/process.h
-+++ b/server/process.h
-@@ -118,7 +118,7 @@ extern unsigned int alloc_ptid( void *ptr );
- extern void free_ptid( unsigned int id );
- extern void *get_ptid_entry( unsigned int id );
- extern struct process *create_process( int fd, struct process *parent, int inherit_all,
--                                       const struct security_descriptor *sd );
-+                                       const struct security_descriptor *sd, struct token *token );
- extern data_size_t init_process( struct thread *thread );
- extern struct thread *get_process_first_thread( struct process *process );
- extern struct process *get_process_from_id( process_id_t id );
-diff --git a/server/protocol.def b/server/protocol.def
-index 901c380b721..8c86967609f 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -801,6 +801,7 @@ struct rawinput_device
-     unsigned int access;         /* access rights for process object */
-     client_cpu_t cpu;            /* CPU that the new process will use */
-     data_size_t  info_size;      /* size of startup info */
-+    obj_handle_t token;          /* token for the new process */
-     VARARG(objattr,object_attributes);   /* object attributes */
-     VARARG(info,startup_info,info_size); /* startup information */
-     VARARG(env,unicode_str);     /* environment for new process */
-diff --git a/server/request.c b/server/request.c
-index 4c1f30a5fe7..321bb6cfa81 100644
---- a/server/request.c
-+++ b/server/request.c
-@@ -582,7 +582,7 @@ static void master_socket_poll_event( struct fd *fd, int event )
-         int client = accept( get_unix_fd( master_socket->fd ), (struct sockaddr *) &dummy, &len );
-         if (client == -1) return;
-         fcntl( client, F_SETFL, O_NONBLOCK );
--        if ((process = create_process( client, NULL, 0, NULL )))
-+        if ((process = create_process( client, NULL, 0, NULL, NULL )))
-         {
-             create_thread( -1, process, NULL );
-             release_object( process );
-diff --git a/server/security.h b/server/security.h
-index 21e90ccf23f..32dfe5f8db9 100644
---- a/server/security.h
-+++ b/server/security.h
-@@ -67,6 +67,8 @@ extern const ACL *token_get_default_dacl( struct token *token );
- extern const SID *token_get_user( struct token *token );
- extern const SID *token_get_primary_group( struct token *token );
- extern int token_sid_present( struct token *token, const SID *sid, int deny);
-+extern struct token *get_token_from_handle( obj_handle_t handle, unsigned int access );
-+extern int token_is_primary( struct token *token );
- 
- static inline const ACE_HEADER *ace_next( const ACE_HEADER *ace )
- {
-diff --git a/server/token.c b/server/token.c
-index 1c1d49989b3..2f466aa1b25 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -843,6 +843,12 @@ int token_assign_label( struct token *token, PSID label )
-     return ret;
- }
- 
-+struct token *get_token_from_handle( obj_handle_t handle, unsigned int access )
-+{
-+    return (struct token *)get_handle_obj( current->process, handle,
-+                                           access, &token_ops );
-+}
-+
- struct token *token_create_admin( void )
- {
-     struct token *token = NULL;
-@@ -1269,6 +1275,11 @@ const SID *token_get_primary_group( struct token *token )
-     return token->primary_group;
- }
- 
-+int token_is_primary( struct token *token )
-+{
-+    return token->primary;
-+}
-+
- int check_object_access(struct object *obj, unsigned int *access)
- {
-     GENERIC_MAPPING mapping;
--- 
-2.27.0
-

patches/advapi32-Token_Integrity_Level/0015-ntdll-Add-semi-stub-for-TokenLinkedToken-info-class.patch

@@ -1,67 +0,0 @@
-From e34d019222909281390f83149be755a4145024c4 Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Mon, 7 Aug 2017 15:28:33 +0200
-Subject: [PATCH] ntdll: Add semi-stub for TokenLinkedToken info class.
-
----
- dlls/ntdll/unix/security.c | 30 +++++++++++++++++++++++++++++-
- 1 file changed, 29 insertions(+), 1 deletion(-)
-
-diff --git a/dlls/ntdll/unix/security.c b/dlls/ntdll/unix/security.c
-index f0057116dee..2769e5f6a7b 100644
---- a/dlls/ntdll/unix/security.c
-+++ b/dlls/ntdll/unix/security.c
-@@ -138,6 +138,7 @@ NTSTATUS WINAPI NtDuplicateToken( HANDLE token, ACCESS_MASK access, OBJECT_ATTRI
-     return status;
- }
- 
-+extern HANDLE CDECL __wine_create_default_token(BOOL admin);
- 
- /***********************************************************************
-  *             NtQueryInformationToken  (NTDLL.@)
-@@ -166,7 +167,7 @@ NTSTATUS WINAPI NtQueryInformationToken( HANDLE token, TOKEN_INFORMATION_CLASS c
-         0,    /* TokenAuditPolicy */
-         0,    /* TokenOrigin */
-         sizeof(TOKEN_ELEVATION_TYPE), /* TokenElevationType */
--        0,    /* TokenLinkedToken */
-+        sizeof(TOKEN_LINKED_TOKEN), /* TokenLinkedToken */
-         sizeof(TOKEN_ELEVATION), /* TokenElevation */
-         0,    /* TokenHasRestrictions */
-         0,    /* TokenAccessInformation */
-@@ -401,6 +402,33 @@ NTSTATUS WINAPI NtQueryInformationToken( HANDLE token, TOKEN_INFORMATION_CLASS c
-         SERVER_END_REQ;
-         break;
- 
-+    case TokenLinkedToken:
-+        SERVER_START_REQ( get_token_elevation_type )
-+        {
-+            TOKEN_LINKED_TOKEN *linked_token = info;
-+            req->handle = wine_server_obj_handle( token );
-+            status = wine_server_call( req );
-+            if (status == STATUS_SUCCESS)
-+            {
-+                HANDLE token;
-+                /* FIXME: On Wine we do not have real linked tokens yet. Typically, a
-+                 * program running with admin privileges is linked to a limited token,
-+                 * and vice versa. We just create a new token instead of storing links
-+                 * on the wineserver side. Using TokenLinkedToken twice should return
-+                 * back the original token. */
-+                if ((reply->elevation == TokenElevationTypeFull || reply->elevation == TokenElevationTypeLimited) &&
-+                    (token = __wine_create_default_token( reply->elevation != TokenElevationTypeFull )))
-+                {
-+                    status = NtDuplicateToken( token, 0, NULL, SecurityIdentification, TokenImpersonation, &linked_token->LinkedToken );
-+                    NtClose( token );
-+                }
-+                else
-+                    status = STATUS_NO_TOKEN;
-+            }
-+        }
-+        SERVER_END_REQ;
-+        break;
-+
-     case TokenElevation:
-         SERVER_START_REQ( get_token_elevation_type )
-         {
--- 
-2.27.0
-