Release v6.2

The program itself later updated not to use that interrupt, and nobody seems to have an old copy of it.

README.md

@@ -79,4 +79,32 @@ Contributing
 
 For information on contributing to Wine-Staging, please see
 <https://wiki.winehq.org/Wine-Staging_Contributing>. Note that GitHub pull
-requests are strongly dispreferred, especially for patches.
+requests are strongly dispreferred, especially for patches.
+
+Donations
+---------
+
+wine-staging is a large set of experimental patches which provide various
+improvements to WINE, but are not quite suitable for upstreaming. This set of
+patches has been continuously managed for many years by a small group of
+volunteers. The way this works is that we often review patches attached to
+various bug reports found at https://bugs.winehq.org/ which may fix bugs, but
+may not be quite suitable to be upstreamed due to needing some cleanup or more
+proper implementation. In the event that this happens, we add the patches to
+wine-staging instead, and keep them updated and maintained as well as attempt to
+clean them up to be upstreamed. We also both write and verify patches which fix
+various bugs that may not have patches, and in turn allow them run better using
+WINE. This includes testing on various hardware, games, and applications.
+
+Any expenses for applications, games, or hardware which we do not own comes out
+of pocket. In order to alleviate these expenses, we are now accepting donations.
+This in turn allows us to continue to perform testing, provide fixes, and get
+them upstreamed, ultimately aiming to provide a better experience for all WINE
+users. All of our work is provided publicly for free and can be found at
+<https://github.com/wine-staging/wine-staging>. We do not expect to be paid for
+any of the work provided, nor will donators receive any special benefits or
+compensation.
+
+Donations are recieved through Patreon. Anyone interested may donate here:
+
+https://www.patreon.com/winestaging

patches/Compiler_Warnings/0026-dwrite-Avoid-implicit-cast-of-interface-pointer.patch

@@ -1,4 +1,4 @@
-From 7529755fcc41fda650aac6b27f34438354435d34 Mon Sep 17 00:00:00 2001
+From b51fdc7e211f676d169c937209bf689e57252c5d Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Tue, 22 Mar 2016 21:58:40 +0100
 Subject: [PATCH] dwrite: Avoid implicit cast of interface pointer.
@@ -9,10 +9,10 @@ Subject: [PATCH] dwrite: Avoid implicit cast of interface pointer.
  2 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/dlls/dwrite/font.c b/dlls/dwrite/font.c
-index 9280b5d32..2f0974a4c 100644
+index aa51c744297..7cad015480f 100644
 --- a/dlls/dwrite/font.c
 +++ b/dlls/dwrite/font.c
-@@ -1887,7 +1887,7 @@ static struct dwrite_font *unsafe_impl_from_IDWriteFont(IDWriteFont *iface)
+@@ -2130,7 +2130,7 @@ static struct dwrite_font *unsafe_impl_from_IDWriteFont(IDWriteFont *iface)
      if (!iface)
          return NULL;
      assert(iface->lpVtbl == (IDWriteFontVtbl*)&dwritefontvtbl);
@@ -21,7 +21,7 @@ index 9280b5d32..2f0974a4c 100644
  }
  
  struct dwrite_fontface *unsafe_impl_from_IDWriteFontFace(IDWriteFontFace *iface)
-@@ -1895,7 +1895,7 @@ struct dwrite_fontface *unsafe_impl_from_IDWriteFontFace(IDWriteFontFace *iface)
+@@ -2138,7 +2138,7 @@ struct dwrite_fontface *unsafe_impl_from_IDWriteFontFace(IDWriteFontFace *iface)
      if (!iface)
          return NULL;
      assert(iface->lpVtbl == (IDWriteFontFaceVtbl*)&dwritefontfacevtbl);
@@ -31,10 +31,10 @@ index 9280b5d32..2f0974a4c 100644
  
  static struct dwrite_fontfacereference *unsafe_impl_from_IDWriteFontFaceReference(IDWriteFontFaceReference *iface)
 diff --git a/dlls/dwrite/layout.c b/dlls/dwrite/layout.c
-index b9321157a..76ea23ba6 100644
+index 1f6201a6a93..35791d5c22e 100644
 --- a/dlls/dwrite/layout.c
 +++ b/dlls/dwrite/layout.c
-@@ -5895,7 +5895,7 @@ static const IDWriteTextFormat3Vtbl dwritetextformatvtbl =
+@@ -5886,7 +5886,7 @@ static const IDWriteTextFormat3Vtbl dwritetextformatvtbl =
  static struct dwrite_textformat *unsafe_impl_from_IDWriteTextFormat(IDWriteTextFormat *iface)
  {
      return (iface->lpVtbl == (IDWriteTextFormatVtbl*)&dwritetextformatvtbl) ?
@@ -42,7 +42,7 @@ index b9321157a..76ea23ba6 100644
 +        CONTAINING_RECORD((IDWriteTextFormat3 *)iface, struct dwrite_textformat, IDWriteTextFormat3_iface) : NULL;
  }
  
- HRESULT create_textformat(const WCHAR *family_name, IDWriteFontCollection *collection, DWRITE_FONT_WEIGHT weight, DWRITE_FONT_STYLE style,
+ HRESULT create_textformat(const WCHAR *family_name, IDWriteFontCollection *collection, DWRITE_FONT_WEIGHT weight,
 -- 
-2.24.0
+2.29.2
 

patches/Compiler_Warnings/0031-include-Check-element-type-in-CONTAINING_RECORD-and-.patch

@@ -1,4 +1,4 @@
-From 494fc3abe1eddabcf7cede677ee907284e89eea8 Mon Sep 17 00:00:00 2001
+From a349cc8bdcc3a083ea507dbbdeba9053e3a338e4 Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Tue, 22 Mar 2016 23:08:30 +0100
 Subject: [PATCH] include: Check element type in CONTAINING_RECORD and similar
@@ -11,7 +11,7 @@ Subject: [PATCH] include: Check element type in CONTAINING_RECORD and similar
  3 files changed, 24 insertions(+), 6 deletions(-)
 
 diff --git a/include/wine/list.h b/include/wine/list.h
-index b4d681fe..287ad394 100644
+index b4d681fe0f3..287ad394fae 100644
 --- a/include/wine/list.h
 +++ b/include/wine/list.h
 @@ -228,7 +228,13 @@ static inline void list_move_head( struct list *dst, struct list *src )
@@ -31,7 +31,7 @@ index b4d681fe..287ad394 100644
  
  #endif  /* __WINE_SERVER_LIST_H */
 diff --git a/include/wine/rbtree.h b/include/wine/rbtree.h
-index dc50b5e7..8130deb5 100644
+index 8aae29c8c10..330b3e8fbc9 100644
 --- a/include/wine/rbtree.h
 +++ b/include/wine/rbtree.h
 @@ -23,8 +23,14 @@
@@ -52,10 +52,10 @@ index dc50b5e7..8130deb5 100644
  struct wine_rb_entry
  {
 diff --git a/include/winnt.h b/include/winnt.h
-index 2b489382..a156efc4 100644
+index 46e17c546a7..d5c65d2017b 100644
 --- a/include/winnt.h
 +++ b/include/winnt.h
-@@ -760,8 +760,14 @@ typedef struct _MEMORY_BASIC_INFORMATION
+@@ -793,8 +793,14 @@ typedef struct _MEMORY_BASIC_INFORMATION
  #define RTL_FIELD_SIZE(type, field) (sizeof(((type *)0)->field))
  #define RTL_SIZEOF_THROUGH_FIELD(type, field) (FIELD_OFFSET(type, field) + RTL_FIELD_SIZE(type, field))
  
@@ -70,8 +70,8 @@ index 2b489382..a156efc4 100644
 +   ((type *)((PCHAR)(address) - offsetof(type, field)))
 +#endif
  
+ #define ARRAYSIZE(x) (sizeof(x) / sizeof((x)[0]))
  #ifdef __WINESRC__
- # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
 -- 
-2.20.1
+2.26.2
 

patches/Staging/0001-kernel32-Add-winediag-message-to-show-warning-that-t.patch

@@ -1,41 +1,60 @@
-From 9e585de1f2f28e1ef18c1edca875779c491375cb Mon Sep 17 00:00:00 2001
+From 0cf6433af95363c5fbba2af482b2ba50b863dfb7 Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Thu, 2 Oct 2014 19:44:31 +0200
-Subject: [PATCH] kernel32: Add winediag message to show warning, that this
- isn't vanilla wine.
+Subject: [PATCH] ntdll: Print a warning message specifying the wine-staging
+ branch name and version.
 
 ---
- dlls/kernel32/process.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
+ dlls/ntdll/loader.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
 
-diff --git a/dlls/kernel32/process.c b/dlls/kernel32/process.c
-index 36ed82bff8c..b8a677c5485 100644
---- a/dlls/kernel32/process.c
-+++ b/dlls/kernel32/process.c
-@@ -65,6 +65,7 @@
- 
- WINE_DEFAULT_DEBUG_CHANNEL(process);
- WINE_DECLARE_DEBUG_CHANNEL(relay);
+diff --git a/dlls/ntdll/loader.c b/dlls/ntdll/loader.c
+index 20bc3f977d1..c2187a19397 100644
+--- a/dlls/ntdll/loader.c
++++ b/dlls/ntdll/loader.c
+@@ -44,6 +44,7 @@ WINE_DECLARE_DEBUG_CHANNEL(relay);
+ WINE_DECLARE_DEBUG_CHANNEL(snoop);
+ WINE_DECLARE_DEBUG_CHANNEL(loaddll);
+ WINE_DECLARE_DEBUG_CHANNEL(imports);
 +WINE_DECLARE_DEBUG_CHANNEL(winediag);
  
- typedef struct
+ #ifdef _WIN64
+ #define DEFAULT_SECURITY_COOKIE_64  (((ULONGLONG)0x00002b99 << 32) | 0x2ddfa232)
+@@ -3456,6 +3457,7 @@ static void process_breakpoint(void)
+     __ENDTRY
+ }
+ 
++extern const char * CDECL wine_get_version(void);
+ 
+ /******************************************************************
+  *		LdrInitializeThunk (NTDLL.@)
+@@ -3465,6 +3467,9 @@ static void process_breakpoint(void)
+  */
+ void WINAPI LdrInitializeThunk( CONTEXT *context, ULONG_PTR unknown2, ULONG_PTR unknown3, ULONG_PTR unknown4 )
  {
-@@ -997,6 +998,15 @@ void WINAPI start_process( LPTHREAD_START_ROUTINE entry, PEB *peb )
++    OBJECT_ATTRIBUTES staging_event_attr;
++    UNICODE_STRING staging_event_string;
++    HANDLE staging_event;
+     static int attach_done;
+     int i;
+     NTSTATUS status;
+@@ -3483,6 +3488,16 @@ void WINAPI LdrInitializeThunk( CONTEXT *context, ULONG_PTR unknown2, ULONG_PTR
+     entry = (void **)&context->u.s.X0;
+ #endif
  
-     __TRY
-     {
-+        if (CreateEventA(0, 0, 0, "__winestaging_warn_event") && GetLastError() != ERROR_ALREADY_EXISTS)
-+        {
-+            FIXME_(winediag)("Wine Staging %s is a testing version containing experimental patches.\n", wine_get_version());
-+            FIXME_(winediag)("Please mention your exact version when filing bug reports on winehq.org.\n");
-+        }
-+        else
-+            WARN_(winediag)("Wine Staging %s is a testing version containing experimental patches.\n", wine_get_version());
++    RtlInitUnicodeString( &staging_event_string, L"\\__wine_staging_warn_event" );
++    InitializeObjectAttributes( &staging_event_attr, &staging_event_string, OBJ_OPENIF, NULL, NULL );
++    if (NtCreateEvent( &staging_event, EVENT_ALL_ACCESS, &staging_event_attr, NotificationEvent, FALSE ) == STATUS_SUCCESS)
++    {
++        FIXME_(winediag)("wine-staging %s is a testing version containing experimental patches.\n", wine_get_version());
++        FIXME_(winediag)("Please mention your exact version when filing bug reports on winehq.org.\n");
++    }
++    else
++        WARN_(winediag)("wine-staging %s is a testing version containing experimental patches.\n", wine_get_version());
 +
-+
-         if (!CheckRemoteDebuggerPresent( GetCurrentProcess(), &being_debugged ))
-             being_debugged = FALSE;
+     if (process_detaching) NtTerminateThread( GetCurrentThread(), 0 );
  
+     RtlEnterCriticalSection( &loader_section );
 -- 
-2.23.0
+2.28.0
 

patches/Staging/0002-winelib-Append-Staging-at-the-end-of-the-version-s.patch

@@ -1,25 +1,35 @@
-From 05ca39b029f8f710ca53aeafc36384fd39fd6b89 Mon Sep 17 00:00:00 2001
+From ce5e1fc75139e4de9d92dfe27b4a513a96da013c Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Thu, 2 Oct 2014 19:53:46 +0200
 Subject: [PATCH] winelib: Append '(Staging)' at the end of the version string.
 
 ---
- libs/wine/Makefile.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ Makefile.in            | 2 +-
+ dlls/ntdll/Makefile.in | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
 
-diff --git a/libs/wine/Makefile.in b/libs/wine/Makefile.in
-index 4833eb5..3cfa4f4 100644
---- a/libs/wine/Makefile.in
-+++ b/libs/wine/Makefile.in
-@@ -31,7 +31,7 @@ libwine_LDFLAGS = $(LIBWINE_LDFLAGS)
- libwine_DEPS = $(LIBWINE_DEPENDS)
+diff --git a/Makefile.in b/Makefile.in
+index 307a95b3b1a..61019fed949 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -116,7 +116,7 @@ install-manpages:: manpages
+ # Rules for generated source files
  
- version.c: dummy
--	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
-+	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1  (Staging)";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
+ dlls/ntdll/unix/version.c: dummy
+-	@version=`(GIT_DIR=$(srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || ($(RM) $@ && exit 1)
++	@version=`(GIT_DIR=$(srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1 (Staging)";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
  
- dummy:
- .PHONY: dummy
+ programs/winetest/build.rc: dummy
+ 	@build="STRINGTABLE { 1 \"`GIT_DIR=$(srcdir)/.git git rev-parse HEAD 2>/dev/null`\" }" && (echo $$build | cmp -s - $@) || echo $$build >$@ || (rm -f $@ && exit 1)
+diff --git a/dlls/ntdll/Makefile.in b/dlls/ntdll/Makefile.in
+index f39ffb42c6f..67847bb9392 100644
+--- a/dlls/ntdll/Makefile.in
++++ b/dlls/ntdll/Makefile.in
+@@ -79,3 +79,4 @@ unix_loader_EXTRADEFS = \
+ 	-DBINDIR=\"${bindir}\" \
+ 	-DDLL_TO_BINDIR=\"`${MAKEDEP} -R ${dlldir} ${bindir}`\" \
+ 	-DBIN_TO_DATADIR=\"`${MAKEDEP} -R ${bindir} ${datadir}/wine`\"
++
 -- 
-1.9.1
+2.28.0
 

patches/Staging/0003-loader-Add-commandline-option-patches-to-show-the-pa.patch

@@ -1,150 +0,0 @@
-From d216f85a593a09e7983d9178fb3e1f20bfcf08cc Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Thu, 29 May 2014 23:43:45 +0200
-Subject: [PATCH] loader: Add commandline option --patches to show the patch
- list.
-
----
- dlls/ntdll/misc.c      |  8 ++++++++
- dlls/ntdll/ntdll.spec  |  1 +
- include/wine/library.h |  1 +
- libs/wine/config.c     |  6 ++++++
- libs/wine/wine.map     |  1 +
- loader/main.c          | 42 +++++++++++++++++++++++++++++++++++++++++-
- 6 files changed, 58 insertions(+), 1 deletion(-)
-
-diff --git a/dlls/ntdll/misc.c b/dlls/ntdll/misc.c
-index c29a1c26c..8906e1942 100644
---- a/dlls/ntdll/misc.c
-+++ b/dlls/ntdll/misc.c
-@@ -60,6 +60,14 @@ const char * CDECL NTDLL_wine_get_version(void)
-     return wine_get_version();
- }
- 
-+/*********************************************************************
-+ *                  wine_get_patches   (NTDLL.@)
-+ */
-+const void * CDECL NTDLL_wine_get_patches(void)
-+{
-+    return wine_get_patches();
-+}
-+
- /*********************************************************************
-  *                  wine_get_build_id   (NTDLL.@)
-  */
-diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
-index 7aa953ca6..cf7d5b6f9 100644
---- a/dlls/ntdll/ntdll.spec
-+++ b/dlls/ntdll/ntdll.spec
-@@ -1566,6 +1566,7 @@
- 
- # Version
- @ cdecl wine_get_version() NTDLL_wine_get_version
-+@ cdecl wine_get_patches() NTDLL_wine_get_patches
- @ cdecl wine_get_build_id() NTDLL_wine_get_build_id
- @ cdecl wine_get_host_version(ptr ptr) NTDLL_wine_get_host_version
- 
-diff --git a/include/wine/library.h b/include/wine/library.h
-index a6fe28059..511bf4722 100644
---- a/include/wine/library.h
-+++ b/include/wine/library.h
-@@ -47,6 +47,7 @@ extern const char *wine_get_data_dir(void);
- extern const char *wine_get_server_dir(void);
- extern const char *wine_get_user_name(void);
- extern const char *wine_get_version(void);
-+extern const void *wine_get_patches(void);
- extern const char *wine_get_build_id(void);
- extern void wine_init_argv0_path( const char *argv0 );
- extern void wine_exec_wine_binary( const char *name, char **argv, const char *env_var );
-diff --git a/libs/wine/config.c b/libs/wine/config.c
-index 2a3314cbf..5b66c063d 100644
---- a/libs/wine/config.c
-+++ b/libs/wine/config.c
-@@ -504,6 +504,12 @@ const char *wine_get_version(void)
-     return PACKAGE_VERSION;
- }
- 
-+/* return the applied non-standard patches */
-+const void *wine_get_patches(void)
-+{
-+    return NULL;
-+}
-+
- /* return the build id string */
- const char *wine_get_build_id(void)
- {
-diff --git a/libs/wine/wine.map b/libs/wine/wine.map
-index 3f2c430fa..ca46979f5 100644
---- a/libs/wine/wine.map
-+++ b/libs/wine/wine.map
-@@ -28,6 +28,7 @@ WINE_1.0
-     wine_get_ss;
-     wine_get_user_name;
-     wine_get_version;
-+    wine_get_patches;
-     wine_init;
-     wine_init_argv0_path;
-     wine_ldt_alloc_entries;
-diff --git a/loader/main.c b/loader/main.c
-index f197cf802..f6629128d 100644
---- a/loader/main.c
-+++ b/loader/main.c
-@@ -54,7 +54,8 @@ static void check_command_line( int argc, char *argv[] )
-     static const char usage[] =
-         "Usage: wine PROGRAM [ARGUMENTS...]   Run the specified program\n"
-         "       wine --help                   Display this help and exit\n"
--        "       wine --version                Output version information and exit";
-+        "       wine --version                Output version information and exit\n"
-+        "       wine --patches                Output patch information and exit";
- 
-     if (argc <= 1)
-     {
-@@ -71,6 +72,45 @@ static void check_command_line( int argc, char *argv[] )
-         printf( "%s\n", wine_get_build_id() );
-         exit(0);
-     }
-+    if (!strcmp( argv[1], "--patches" ))
-+    {
-+        const struct
-+        {
-+            const char *author;
-+            const char *subject;
-+            int revision;
-+        }
-+        *next, *cur = wine_get_patches();
-+
-+        if (!cur)
-+        {
-+            fprintf( stderr, "Patchlist not available.\n" );
-+            exit(1);
-+        }
-+
-+        while (cur->author)
-+        {
-+            next = cur + 1;
-+            while (next->author)
-+            {
-+                if (strcmp( cur->author, next->author )) break;
-+                next++;
-+            }
-+
-+            printf( "%s (%d):\n", cur->author, (int)(next - cur) );
-+            while (cur < next)
-+            {
-+                printf( "      %s", cur->subject );
-+                if (cur->revision != 1)
-+                    printf( " [rev %d]", cur->revision );
-+                printf( "\n" );
-+                cur++;
-+            }
-+            printf( "\n" );
-+        }
-+
-+        exit(0);
-+    }
- }
- 
- 
--- 
-2.25.0
-

patches/Staging/0004-loader-Add-commandline-option-check-libs.patch

@@ -1,313 +0,0 @@
-From df12fdb8d4cdf11d9f72a068923a5b0097e36bdb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Wed, 28 May 2014 19:50:51 +0200
-Subject: [PATCH] loader: Add commandline option --check-libs.
-
----
- include/wine/library.h |   2 +
- libs/wine/config.c     | 124 +++++++++++++++++++++++++++++++++++++++++
- libs/wine/loader.c     |  36 ++++++++++++
- libs/wine/wine.map     |   2 +
- loader/main.c          |  50 ++++++++++++++++-
- 5 files changed, 213 insertions(+), 1 deletion(-)
-
-diff --git a/include/wine/library.h b/include/wine/library.h
-index 511bf4722a0..557cec20cf8 100644
---- a/include/wine/library.h
-+++ b/include/wine/library.h
-@@ -44,6 +44,7 @@ extern "C" {
- extern const char *wine_get_build_dir(void);
- extern const char *wine_get_config_dir(void);
- extern const char *wine_get_data_dir(void);
-+extern const char **wine_get_libs(void);
- extern const char *wine_get_server_dir(void);
- extern const char *wine_get_user_name(void);
- extern const char *wine_get_version(void);
-@@ -56,6 +57,7 @@ extern void wine_exec_wine_binary( const char *name, char **argv, const char *en
- 
- typedef void (*load_dll_callback_t)( void *, const char * );
- 
-+extern int wine_dladdr( void *addr, void *info, char *error, size_t errorsize );
- extern void *wine_dlopen( const char *filename, int flag, char *error, size_t errorsize );
- extern void *wine_dlsym( void *handle, const char *symbol, char *error, size_t errorsize );
- extern int wine_dlclose( void *handle, char *error, size_t errorsize );
-diff --git a/libs/wine/config.c b/libs/wine/config.c
-index 5b66c063db6..e0988513e14 100644
---- a/libs/wine/config.c
-+++ b/libs/wine/config.c
-@@ -470,6 +470,130 @@ const char *wine_get_build_dir(void)
-     return build_dir;
- }
- 
-+const char *wine_libs[] = {
-+#ifdef SONAME_LIBCAIRO
-+    SONAME_LIBCAIRO,
-+#endif
-+#ifdef SONAME_LIBCAPI20
-+    SONAME_LIBCAPI20,
-+#endif
-+#ifdef SONAME_LIBCUPS
-+    SONAME_LIBCUPS,
-+#endif
-+#ifdef SONAME_LIBCURSES
-+    SONAME_LIBCURSES,
-+#endif
-+#ifdef SONAME_LIBDBUS_1
-+    SONAME_LIBDBUS_1,
-+#endif
-+#ifdef SONAME_LIBFONTCONFIG
-+    SONAME_LIBFONTCONFIG,
-+#endif
-+#ifdef SONAME_LIBFREETYPE
-+    SONAME_LIBFREETYPE,
-+#endif
-+#ifdef SONAME_LIBGL
-+    SONAME_LIBGL,
-+#endif
-+#ifdef SONAME_LIBGNUTLS
-+    SONAME_LIBGNUTLS,
-+#endif
-+#ifdef SONAME_LIBGOBJECT_2_0
-+    SONAME_LIBGOBJECT_2_0,
-+#endif
-+#ifdef SONAME_LIBGSM
-+    SONAME_LIBGSM,
-+#endif
-+#ifdef SONAME_LIBGTK_3
-+    SONAME_LIBGTK_3,
-+#endif
-+#ifdef SONAME_LIBHAL
-+    SONAME_LIBHAL,
-+#endif
-+#ifdef SONAME_LIBJPEG
-+    SONAME_LIBJPEG,
-+#endif
-+#ifdef SONAME_LIBNCURSES
-+    SONAME_LIBNCURSES,
-+#endif
-+#ifdef SONAME_LIBNETAPI
-+    SONAME_LIBNETAPI,
-+#endif
-+#ifdef SONAME_LIBODBC
-+    SONAME_LIBODBC,
-+#endif
-+#ifdef SONAME_LIBOSMESA
-+    SONAME_LIBOSMESA,
-+#endif
-+#ifdef SONAME_LIBPCAP
-+    SONAME_LIBPCAP,
-+#endif
-+#ifdef SONAME_LIBPNG
-+    SONAME_LIBPNG,
-+#endif
-+#ifdef SONAME_LIBSANE
-+    SONAME_LIBSANE,
-+#endif
-+#ifdef SONAME_LIBTIFF
-+    SONAME_LIBTIFF,
-+#endif
-+#ifdef SONAME_LIBTXC_DXTN
-+    SONAME_LIBTXC_DXTN,
-+#endif
-+#ifdef SONAME_LIBV4L1
-+    SONAME_LIBV4L1,
-+#endif
-+#ifdef SONAME_LIBVA
-+    SONAME_LIBVA,
-+#endif
-+#ifdef SONAME_LIBVA_DRM
-+    SONAME_LIBVA_DRM,
-+#endif
-+#ifdef SONAME_LIBVA_X11
-+    SONAME_LIBVA_X11,
-+#endif
-+#ifdef SONAME_LIBX11
-+    SONAME_LIBX11,
-+#endif
-+#ifdef SONAME_LIBX11_XCB
-+    SONAME_LIBX11_XCB,
-+#endif
-+#ifdef SONAME_LIBXCOMPOSITE
-+    SONAME_LIBXCOMPOSITE,
-+#endif
-+#ifdef SONAME_LIBXCURSOR
-+    SONAME_LIBXCURSOR,
-+#endif
-+#ifdef SONAME_LIBXEXT
-+    SONAME_LIBXEXT,
-+#endif
-+#ifdef SONAME_LIBXI
-+    SONAME_LIBXI,
-+#endif
-+#ifdef SONAME_LIBXINERAMA
-+    SONAME_LIBXINERAMA,
-+#endif
-+#ifdef SONAME_LIBXRANDR
-+    SONAME_LIBXRANDR,
-+#endif
-+#ifdef SONAME_LIBXRENDER
-+    SONAME_LIBXRENDER,
-+#endif
-+#ifdef SONAME_LIBXSLT
-+    SONAME_LIBXSLT,
-+#endif
-+#ifdef SONAME_LIBXXF86VM
-+    SONAME_LIBXXF86VM,
-+#endif
-+    NULL
-+};
-+
-+/* return the list of shared libs used by wine */
-+const char **wine_get_libs(void)
-+{
-+    return &wine_libs[0];
-+}
-+
- /* return the full name of the server directory (the one containing the socket) */
- const char *wine_get_server_dir(void)
- {
-diff --git a/libs/wine/loader.c b/libs/wine/loader.c
-index 2a569f5b739..5f10c3f9d3e 100644
---- a/libs/wine/loader.c
-+++ b/libs/wine/loader.c
-@@ -1072,6 +1072,42 @@ void *wine_dlopen( const char *filename, int flag, char *error, size_t errorsize
-     return ret;
- }
- 
-+/***********************************************************************
-+ *      wine_dladdr
-+ */
-+int wine_dladdr( void *addr, void *info, char *error, size_t errorsize )
-+{
-+#ifdef HAVE_DLADDR
-+    int ret;
-+    const char *s;
-+    dlerror(); dlerror();
-+    ret = dladdr( addr, (Dl_info *)info );
-+    s = dlerror();
-+    if (error && errorsize)
-+    {
-+        if (s)
-+        {
-+            size_t len = strlen(s);
-+            if (len >= errorsize) len = errorsize - 1;
-+            memcpy( error, s, len );
-+            error[len] = 0;
-+        }
-+        else error[0] = 0;
-+    }
-+    dlerror();
-+    return ret;
-+#else
-+    if (error)
-+    {
-+        static const char msg[] = "dladdr interface not detected by configure";
-+        size_t len = min( errorsize, sizeof(msg) );
-+        memcpy( error, msg, len );
-+        error[len - 1] = 0;
-+    }
-+    return 0;
-+#endif
-+}
-+
- /***********************************************************************
-  *		wine_dlsym
-  */
-diff --git a/libs/wine/wine.map b/libs/wine/wine.map
-index ca46979f5b9..22a4e73b05b 100644
---- a/libs/wine/wine.map
-+++ b/libs/wine/wine.map
-@@ -9,6 +9,7 @@ WINE_1.0
-     wine_anon_mmap;
-     wine_casemap_lower;
-     wine_casemap_upper;
-+    wine_dladdr;
-     wine_dlclose;
-     wine_dll_enum_load_path;
-     wine_dll_set_callback;
-@@ -24,6 +25,7 @@ WINE_1.0
-     wine_get_es;
-     wine_get_fs;
-     wine_get_gs;
-+    wine_get_libs;
-     wine_get_server_dir;
-     wine_get_ss;
-     wine_get_user_name;
-diff --git a/loader/main.c b/loader/main.c
-index d97d6b28bf8..49dc996e354 100644
---- a/loader/main.c
-+++ b/loader/main.c
-@@ -36,6 +36,12 @@
- #ifdef HAVE_UNISTD_H
- # include <unistd.h>
- #endif
-+#ifdef HAVE_DLADDR
-+# include <dlfcn.h>
-+#endif
-+#ifdef HAVE_LINK_H
-+# include <link.h>
-+#endif
- 
- #include "wine/library.h"
- #include "main.h"
-@@ -54,7 +60,8 @@ static void check_command_line( int argc, char *argv[] )
-         "Usage: wine PROGRAM [ARGUMENTS...]   Run the specified program\n"
-         "       wine --help                   Display this help and exit\n"
-         "       wine --version                Output version information and exit\n"
--        "       wine --patches                Output patch information and exit";
-+        "       wine --patches                Output patch information and exit\n"
-+        "       wine --check-libs             Checks if shared libs are installed";
- 
-     if (argc <= 1)
-     {
-@@ -110,6 +117,47 @@ static void check_command_line( int argc, char *argv[] )
- 
-         exit(0);
-     }
-+    if (!strcmp( argv[1], "--check-libs" ))
-+    {
-+        void* lib_handle;
-+        int ret = 0;
-+        const char **wine_libs = wine_get_libs();
-+
-+        for(; *wine_libs; wine_libs++)
-+        {
-+            lib_handle = wine_dlopen( *wine_libs, RTLD_NOW, NULL, 0 );
-+            if (lib_handle)
-+            {
-+            #ifdef HAVE_DLADDR
-+                Dl_info libinfo;
-+                void* symbol;
-+
-+            #ifdef HAVE_LINK_H
-+                struct link_map *lm = (struct link_map *)lib_handle;
-+                symbol = (void *)lm->l_addr;
-+            #else
-+                symbol = wine_dlsym( lib_handle, "_init", NULL, 0 );
-+            #endif
-+                if (symbol && wine_dladdr( symbol, &libinfo, NULL, 0 ))
-+                {
-+                    printf( "%s: %s\n", *wine_libs, libinfo.dli_fname );
-+                }
-+                else
-+            #endif
-+                {
-+                    printf( "%s: found\n", *wine_libs );
-+                }
-+                wine_dlclose( lib_handle, NULL, 0 );
-+            }
-+            else
-+            {
-+                printf( "%s: missing\n", *wine_libs );
-+                ret = 1;
-+            }
-+        }
-+
-+        exit(ret);
-+    }
- }
- 
- 
--- 
-2.25.1
-

patches/Staging/0005-loader-Print-library-paths-for-check-libs-on-Mac-OS-.patch

@@ -1,60 +0,0 @@
-From 07ca5e888c3265c57c88ef1758e6c47fbea4fb07 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sat, 27 Jun 2015 19:28:51 +0200
-Subject: loader: Print library paths for --check-libs on Mac OS X.
-
----
- loader/main.c | 30 +++++++++++++++++++++++++++++-
- 1 file changed, 29 insertions(+), 1 deletion(-)
-
-diff --git a/loader/main.c b/loader/main.c
-index a2dc40c51c..1642fb0965 100644
---- a/loader/main.c
-+++ b/loader/main.c
-@@ -50,6 +50,30 @@
- /* the preloader will set this variable */
- const struct wine_preload_info *wine_main_preload_info = NULL;
- 
-+#ifdef __APPLE__
-+#include <mach-o/dyld.h>
-+
-+static const char *get_macho_library_path( const char *libname )
-+{
-+    unsigned int path_len, libname_len = strlen( libname );
-+    uint32_t i, count = _dyld_image_count();
-+
-+    for (i = 0; i < count; i++)
-+    {
-+       const char *path = _dyld_get_image_name( i );
-+        if (!path) continue;
-+
-+        path_len = strlen( path );
-+        if (path_len < libname_len + 1) continue;
-+        if (path[path_len - libname_len - 1] != '/') continue;
-+        if (strcmp( path + path_len - libname_len, libname )) continue;
-+
-+        return path;
-+    }
-+    return NULL;
-+}
-+#endif
-+
- /***********************************************************************
-  *           check_command_line
-  *
-@@ -146,7 +170,11 @@ static void check_command_line( int argc, char *argv[] )
-                 else
-             #endif
-                 {
--                    printf( "%s: found\n", *wine_libs );
-+                    const char *path = NULL;
-+                #ifdef __APPLE__
-+                    path = get_macho_library_path( *wine_libs );
-+                #endif
-+                    printf( "%s: %s\n", *wine_libs, path ? path : "found");
-                 }
-                 wine_dlclose( lib_handle, NULL, 0 );
-             }
--- 
-2.14.1
-

patches/Staging/definition

@@ -0,0 +1 @@
+#Depends: ntdll-NtAlertThreadByThreadId

patches/advapi32-CreateRestrictedToken/0001-ntdll-Implement-NtFilterToken.patch

@@ -1,315 +0,0 @@
-From 1eb8acd819f9eee8fdf154d0ef43881008265916 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Fri, 4 Aug 2017 02:33:14 +0200
-Subject: ntdll: Implement NtFilterToken.
-
----
- dlls/ntdll/nt.c       | 59 ++++++++++++++++++++++++++++++++++++
- dlls/ntdll/ntdll.spec |  2 +-
- include/winnt.h       |  5 +++
- include/winternl.h    |  1 +
- server/process.c      |  2 +-
- server/protocol.def   | 10 ++++++
- server/security.h     |  4 ++-
- server/token.c        | 84 +++++++++++++++++++++++++++++++++++++++++++++++++--
- 8 files changed, 162 insertions(+), 5 deletions(-)
-
-diff --git a/dlls/ntdll/nt.c b/dlls/ntdll/nt.c
-index c3f5df3..59a08de 100644
---- a/dlls/ntdll/nt.c
-+++ b/dlls/ntdll/nt.c
-@@ -119,6 +119,65 @@ NTSTATUS WINAPI NtDuplicateToken(
- }
- 
- /******************************************************************************
-+ *  NtFilterToken        [NTDLL.@]
-+ *  ZwFilterToken        [NTDLL.@]
-+ */
-+NTSTATUS WINAPI NtFilterToken( HANDLE token, ULONG flags, TOKEN_GROUPS *disable_sids,
-+                               TOKEN_PRIVILEGES *privileges, TOKEN_GROUPS *restrict_sids,
-+                               HANDLE *new_token )
-+{
-+    data_size_t privileges_len = 0;
-+    data_size_t sids_len = 0;
-+    SID *sids = NULL;
-+    NTSTATUS status;
-+
-+    TRACE( "(%p, 0x%08x, %p, %p, %p, %p)\n", token, flags, disable_sids, privileges,
-+           restrict_sids, new_token );
-+
-+    if (flags)
-+        FIXME( "flags %x unsupported\n", flags );
-+
-+    if (restrict_sids)
-+        FIXME( "support for restricting sids not yet implemented\n" );
-+
-+    if (privileges)
-+        privileges_len = privileges->PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
-+
-+    if (disable_sids)
-+    {
-+        DWORD len, i;
-+        BYTE *tmp;
-+
-+        for (i = 0; i < disable_sids->GroupCount; i++)
-+            sids_len += RtlLengthSid( disable_sids->Groups[i].Sid );
-+
-+        sids = RtlAllocateHeap( GetProcessHeap(), 0, sids_len );
-+        if (!sids) return STATUS_NO_MEMORY;
-+
-+        for (i = 0, tmp = (BYTE *)sids; i < disable_sids->GroupCount; i++, tmp += len)
-+        {
-+            len = RtlLengthSid( disable_sids->Groups[i].Sid );
-+            memcpy( tmp, disable_sids->Groups[i].Sid, len );
-+        }
-+    }
-+
-+    SERVER_START_REQ( filter_token )
-+    {
-+        req->handle          = wine_server_obj_handle( token );
-+        req->flags           = flags;
-+        req->privileges_size = privileges_len;
-+        wine_server_add_data( req, privileges->Privileges, privileges_len );
-+        wine_server_add_data( req, sids, sids_len );
-+        status = wine_server_call( req );
-+        if (!status) *new_token = wine_server_ptr_handle( reply->new_handle );
-+    }
-+    SERVER_END_REQ;
-+
-+    RtlFreeHeap( GetProcessHeap(), 0, sids );
-+    return status;
-+}
-+
-+/******************************************************************************
-  *  NtOpenProcessToken		[NTDLL.@]
-  *  ZwOpenProcessToken		[NTDLL.@]
-  */
-diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
-index c260b0d..3c5e69c 100644
---- a/dlls/ntdll/ntdll.spec
-+++ b/dlls/ntdll/ntdll.spec
-@@ -176,7 +176,7 @@
- # @ stub NtEnumerateSystemEnvironmentValuesEx
- @ stdcall NtEnumerateValueKey(long long long ptr long ptr)
- @ stub NtExtendSection
--# @ stub NtFilterToken
-+@ stdcall NtFilterToken(long long ptr ptr ptr ptr)
- @ stdcall NtFindAtom(ptr long ptr)
- @ stdcall NtFlushBuffersFile(long ptr)
- @ stdcall NtFlushInstructionCache(long ptr long)
-diff --git a/include/winnt.h b/include/winnt.h
-index 16d96d8..4e238f9 100644
---- a/include/winnt.h
-+++ b/include/winnt.h
-@@ -3904,6 +3904,11 @@ typedef enum _TOKEN_INFORMATION_CLASS {
- 					TOKEN_ADJUST_SESSIONID | \
- 					TOKEN_ADJUST_DEFAULT )
- 
-+#define DISABLE_MAX_PRIVILEGE 0x1
-+#define SANDBOX_INERT         0x2
-+#define LUA_TOKEN             0x4
-+#define WRITE_RESTRICTED      0x8
-+
- #ifndef _SECURITY_DEFINED
- #define _SECURITY_DEFINED
- 
-diff --git a/include/winternl.h b/include/winternl.h
-index c84e6d7..288f93e 100644
---- a/include/winternl.h
-+++ b/include/winternl.h
-@@ -2303,6 +2303,7 @@ NTSYSAPI NTSTATUS  WINAPI NtDuplicateToken(HANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES
- NTSYSAPI NTSTATUS  WINAPI NtEnumerateKey(HANDLE,ULONG,KEY_INFORMATION_CLASS,void *,DWORD,DWORD *);
- NTSYSAPI NTSTATUS  WINAPI NtEnumerateValueKey(HANDLE,ULONG,KEY_VALUE_INFORMATION_CLASS,PVOID,ULONG,PULONG);
- NTSYSAPI NTSTATUS  WINAPI NtExtendSection(HANDLE,PLARGE_INTEGER);
-+NTSYSAPI NTSTATUS  WINAPI NtFilterToken(HANDLE,ULONG,TOKEN_GROUPS*,TOKEN_PRIVILEGES*,TOKEN_GROUPS*,HANDLE*);
- NTSYSAPI NTSTATUS  WINAPI NtFindAtom(const WCHAR*,ULONG,RTL_ATOM*);
- NTSYSAPI NTSTATUS  WINAPI NtFlushBuffersFile(HANDLE,IO_STATUS_BLOCK*);
- NTSYSAPI NTSTATUS  WINAPI NtFlushInstructionCache(HANDLE,LPCVOID,SIZE_T);
-diff --git a/server/process.c b/server/process.c
-index f8739d0..71d9d6d 100644
---- a/server/process.c
-+++ b/server/process.c
-@@ -566,7 +566,7 @@ struct thread *create_process( int fd, struct thread *parent_thread, int inherit
-                                        : alloc_handle_table( process, 0 );
-         /* Note: for security reasons, starting a new process does not attempt
-          * to use the current impersonation token for the new process */
--        process->token = token_duplicate( parent->token, TRUE, 0, NULL );
-+        process->token = token_duplicate( parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-         process->affinity = parent->affinity;
-     }
-     if (!process->handles || !process->token) goto error;
-diff --git a/server/protocol.def b/server/protocol.def
-index 35824ae..6ee6d28 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -3356,6 +3356,16 @@ enum caret_state
-     obj_handle_t  new_handle; /* duplicated handle */
- @END
- 
-+@REQ(filter_token)
-+    obj_handle_t  handle;          /* handle to the token to duplicate */
-+    unsigned int  flags;           /* flags */
-+    data_size_t   privileges_size; /* size of privileges */
-+    VARARG(privileges,LUID_AND_ATTRIBUTES,privileges_size); /* privileges to remove from new token */
-+    VARARG(disable_sids,SID);      /* array of groups to remove from new token */
-+@REPLY
-+    obj_handle_t  new_handle;      /* filtered handle */
-+@END
-+
- @REQ(access_check)
-     obj_handle_t    handle; /* handle to the token */
-     unsigned int    desired_access; /* desired access to the object */
-diff --git a/server/security.h b/server/security.h
-index 873bbc6..bc4a8f6 100644
---- a/server/security.h
-+++ b/server/security.h
-@@ -55,7 +55,9 @@ extern const PSID security_high_label_sid;
- extern struct token *token_create_admin(void);
- extern int token_assign_label( struct token *token, PSID label );
- extern struct token *token_duplicate( struct token *src_token, unsigned primary,
--                                      int impersonation_level, const struct security_descriptor *sd );
-+                                      int impersonation_level, const struct security_descriptor *sd,
-+                                      const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
-+                                      const SID *filter_groups, unsigned int group_count );
- extern int token_check_privileges( struct token *token, int all_required,
-                                    const LUID_AND_ATTRIBUTES *reqprivs,
-                                    unsigned int count, LUID_AND_ATTRIBUTES *usedprivs);
-diff --git a/server/token.c b/server/token.c
-index 0810a61..2f6a467 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -276,6 +276,19 @@ static int acl_is_valid( const ACL *acl, data_size_t size )
-     return TRUE;
- }
- 
-+static unsigned int get_sid_count( const SID *sid, data_size_t size )
-+{
-+    unsigned int count;
-+
-+    for (count = 0; size >= sizeof(SID) && security_sid_len( sid ) <= size; count++)
-+    {
-+        size -= security_sid_len( sid );
-+        sid = (const SID *)((char *)sid + security_sid_len( sid ));
-+    }
-+
-+    return count;
-+}
-+
- /* checks whether all members of a security descriptor fit inside the size
-  * of memory specified */
- int sd_is_valid( const struct security_descriptor *sd, data_size_t size )
-@@ -619,8 +632,36 @@ static struct token *create_token( unsigned primary, const SID *user,
-     return token;
- }
- 
-+static int filter_group( struct group *group, const SID *filter, unsigned int count )
-+{
-+    unsigned int i;
-+
-+    for (i = 0; i < count; i++)
-+    {
-+        if (security_equal_sid( &group->sid, filter )) return 1;
-+        filter = (const SID *)((char *)filter + security_sid_len( filter ));
-+    }
-+
-+    return 0;
-+}
-+
-+static int filter_privilege( struct privilege *privilege, const LUID_AND_ATTRIBUTES *filter, unsigned int count )
-+{
-+    unsigned int i;
-+
-+    for (i = 0; i < count; i++)
-+    {
-+        if (!memcmp( &privilege->luid, &filter[i].Luid, sizeof(LUID) ))
-+            return 1;
-+    }
-+
-+    return 0;
-+}
-+
- struct token *token_duplicate( struct token *src_token, unsigned primary,
--                               int impersonation_level, const struct security_descriptor *sd )
-+                               int impersonation_level, const struct security_descriptor *sd,
-+                               const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
-+                               const SID *filter_groups, unsigned int group_count)
- {
-     const luid_t *modified_id =
-         primary || (impersonation_level == src_token->impersonation_level) ?
-@@ -656,6 +697,12 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
-             return NULL;
-         }
-         memcpy( newgroup, group, size );
-+        if (filter_group( group, filter_groups, group_count ))
-+        {
-+            newgroup->enabled = 0;
-+            newgroup->def = 0;
-+            newgroup->deny_only = 1;
-+        }
-         list_add_tail( &token->groups, &newgroup->entry );
-         if (src_token->primary_group == &group->sid)
-         {
-@@ -667,11 +714,14 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
- 
-     /* copy privileges */
-     LIST_FOR_EACH_ENTRY( privilege, &src_token->privileges, struct privilege, entry )
-+    {
-+        if (filter_privilege( privilege, filter_privileges, priv_count )) continue;
-         if (!privilege_add( token, &privilege->luid, privilege->enabled ))
-         {
-             release_object( token );
-             return NULL;
-         }
-+    }
- 
-     if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
-                             DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
-@@ -1304,7 +1354,7 @@ DECL_HANDLER(duplicate_token)
-                                                      TOKEN_DUPLICATE,
-                                                      &token_ops )))
-     {
--        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd );
-+        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd, NULL, 0, NULL, 0 );
-         if (token)
-         {
-             reply->new_handle = alloc_handle_no_access_check( current->process, token, req->access, objattr->attributes );
-@@ -1314,6 +1364,36 @@ DECL_HANDLER(duplicate_token)
-     }
- }
- 
-+/* creates a restricted version of a token */
-+DECL_HANDLER(filter_token)
-+{
-+    struct token *src_token;
-+
-+    if ((src_token = (struct token *)get_handle_obj( current->process, req->handle,
-+                                                     TOKEN_DUPLICATE,
-+                                                     &token_ops )))
-+    {
-+        const LUID_AND_ATTRIBUTES *filter_privileges = get_req_data();
-+        unsigned int priv_count, group_count;
-+        const SID *filter_groups;
-+        struct token *token;
-+
-+        priv_count = min( req->privileges_size, get_req_data_size() ) / sizeof(LUID_AND_ATTRIBUTES);
-+        filter_groups = (const SID *)((char *)filter_privileges + priv_count * sizeof(LUID_AND_ATTRIBUTES));
-+        group_count = get_sid_count( filter_groups, get_req_data_size() - priv_count * sizeof(LUID_AND_ATTRIBUTES) );
-+
-+        token = token_duplicate( src_token, src_token->primary, src_token->impersonation_level, NULL,
-+                                 filter_privileges, priv_count, filter_groups, group_count );
-+        if (token)
-+        {
-+            unsigned int access = get_handle_access( current->process, req->handle );
-+            reply->new_handle = alloc_handle_no_access_check( current->process, token, access, 0 );
-+            release_object( token );
-+        }
-+        release_object( src_token );
-+    }
-+}
-+
- /* checks the specified privileges are held by the token */
- DECL_HANDLER(check_token_privileges)
- {
--- 
-2.7.4
-

patches/advapi32-CreateRestrictedToken/0002-advapi32-Implement-CreateRestrictedToken.patch

@@ -1,132 +0,0 @@
-From 3c1f5962482e7acf531f57f49d923d9c4e5278b1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Fri, 4 Aug 2017 02:51:57 +0200
-Subject: [PATCH] advapi32: Implement CreateRestrictedToken.
-
----
- dlls/kernelbase/security.c | 103 ++++++++++++++++++++++++++++++-------
- 1 file changed, 84 insertions(+), 19 deletions(-)
-
-diff --git a/dlls/kernelbase/security.c b/dlls/kernelbase/security.c
-index 2e75e81ed77..97f6ee6a2fd 100644
---- a/dlls/kernelbase/security.c
-+++ b/dlls/kernelbase/security.c
-@@ -592,31 +592,96 @@ exit:
-     return ret;
- }
- 
-+static BOOL allocate_groups(TOKEN_GROUPS **groups_ret, SID_AND_ATTRIBUTES *sids, DWORD count)
-+{
-+    TOKEN_GROUPS *groups;
-+    DWORD i;
-+
-+    if (!count)
-+    {
-+        *groups_ret = NULL;
-+        return TRUE;
-+    }
-+
-+    groups = (TOKEN_GROUPS *)heap_alloc(FIELD_OFFSET(TOKEN_GROUPS, Groups) +
-+                                        count * sizeof(SID_AND_ATTRIBUTES));
-+    if (!groups)
-+    {
-+        SetLastError(ERROR_OUTOFMEMORY);
-+        return FALSE;
-+    }
-+
-+    groups->GroupCount = count;
-+    for (i = 0; i < count; i++)
-+        groups->Groups[i] = sids[i];
-+
-+    *groups_ret = groups;
-+    return TRUE;
-+}
-+
-+static BOOL allocate_privileges(TOKEN_PRIVILEGES **privileges_ret, LUID_AND_ATTRIBUTES *privs, DWORD count)
-+{
-+    TOKEN_PRIVILEGES *privileges;
-+    DWORD i;
-+
-+    if (!count)
-+    {
-+        *privileges_ret = NULL;
-+        return TRUE;
-+    }
-+
-+    privileges = (TOKEN_PRIVILEGES *)heap_alloc(FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) +
-+                                                count * sizeof(LUID_AND_ATTRIBUTES));
-+    if (!privileges)
-+    {
-+        SetLastError(ERROR_OUTOFMEMORY);
-+        return FALSE;
-+    }
-+
-+    privileges->PrivilegeCount = count;
-+    for (i = 0; i < count; i++)
-+        privileges->Privileges[i] = privs[i];
-+
-+    *privileges_ret = privileges;
-+    return TRUE;
-+}
-+
- /*************************************************************************
-  * CreateRestrictedToken    (kernelbase.@)
-  */
--BOOL WINAPI CreateRestrictedToken( HANDLE token, DWORD flags,
--                                   DWORD disable_count, PSID_AND_ATTRIBUTES disable_sids,
--                                   DWORD delete_count, PLUID_AND_ATTRIBUTES delete_privs,
--                                   DWORD restrict_count, PSID_AND_ATTRIBUTES restrict_sids, PHANDLE ret )
-+BOOL WINAPI CreateRestrictedToken( HANDLE baseToken, DWORD flags,
-+                                   DWORD nDisableSids, PSID_AND_ATTRIBUTES disableSids,
-+                                   DWORD nDeletePrivs, PLUID_AND_ATTRIBUTES deletePrivs,
-+                                   DWORD nRestrictSids, PSID_AND_ATTRIBUTES restrictSids, PHANDLE newToken )
- {
--    TOKEN_TYPE type;
--    SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
--    DWORD size;
-+    TOKEN_PRIVILEGES *delete_privs = NULL;
-+    TOKEN_GROUPS *disable_groups = NULL;
-+    TOKEN_GROUPS *restrict_sids = NULL;
-+    BOOL ret = FALSE;
- 
--    FIXME("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p): stub\n",
--          token, flags, disable_count, disable_sids, delete_count, delete_privs,
--          restrict_count, restrict_sids, ret );
-+    TRACE("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p)\n",
-+          baseToken, flags, nDisableSids, disableSids,
-+          nDeletePrivs, deletePrivs,
-+          nRestrictSids, restrictSids,
-+          newToken);
-+
-+    if (!allocate_groups(&disable_groups, disableSids, nDisableSids))
-+        goto done;
-+
-+    if (!allocate_privileges(&delete_privs, deletePrivs, nDeletePrivs))
-+        goto done;
-+
-+    if (!allocate_groups(&restrict_sids, restrictSids, nRestrictSids))
-+        goto done;
-+
-+    ret = set_ntstatus(NtFilterToken(baseToken, flags, disable_groups, delete_privs, restrict_sids, newToken));
-+
-+done:
-+    heap_free(disable_groups);
-+    heap_free(delete_privs);
-+    heap_free(restrict_sids);
-+    return ret;
- 
--    size = sizeof(type);
--    if (!GetTokenInformation( token, TokenType, &type, size, &size )) return FALSE;
--    if (type == TokenImpersonation)
--    {
--        size = sizeof(level);
--        if (!GetTokenInformation( token, TokenImpersonationLevel, &level, size, &size ))
--            return FALSE;
--    }
--    return DuplicateTokenEx( token, MAXIMUM_ALLOWED, NULL, level, type, ret );
- }
- 
- /******************************************************************************
--- 
-2.20.1
-

patches/advapi32-CreateRestrictedToken/definition

@@ -1 +0,0 @@
-Fixes: [25834] Implement advapi32.CreateRestrictedToken

patches/advapi32-Token_Integrity_Level/0002-server-Implement-token-elevation-information.patch

@@ -1,38 +1,39 @@
-From c8dc0ec6406e8449b59c219ede2e9bd88d8a56fa Mon Sep 17 00:00:00 2001
+From d2e98b2054a5af671fd81ded32f2cf60a062312c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Sat, 5 Aug 2017 00:26:03 +0200
 Subject: [PATCH] server: Implement token elevation information.
 
 ---
- dlls/ntdll/nt.c     | 16 ++++++++++++----
- server/protocol.def |  8 ++++++++
- server/token.c      | 22 +++++++++++++++++++---
+ dlls/ntdll/unix/security.c | 16 ++++++++++++----
+ server/protocol.def        |  8 ++++++++
+ server/token.c             | 22 +++++++++++++++++++---
  3 files changed, 39 insertions(+), 7 deletions(-)
 
-diff --git a/dlls/ntdll/nt.c b/dlls/ntdll/nt.c
-index cd271fde9c..b1dd999cf5 100644
---- a/dlls/ntdll/nt.c
-+++ b/dlls/ntdll/nt.c
-@@ -625,18 +625,26 @@ NTSTATUS WINAPI NtQueryInformationToken(
-         SERVER_END_REQ;
+diff --git a/dlls/ntdll/unix/security.c b/dlls/ntdll/unix/security.c
+index d063d43d6d4..03a81afa46e 100644
+--- a/dlls/ntdll/unix/security.c
++++ b/dlls/ntdll/unix/security.c
+@@ -390,19 +390,27 @@ NTSTATUS WINAPI NtQueryInformationToken( HANDLE token, TOKEN_INFORMATION_CLASS c
          break;
+ 
      case TokenElevationType:
 +        SERVER_START_REQ( get_token_elevation_type )
          {
-             TOKEN_ELEVATION_TYPE *elevation_type = tokeninfo;
+             TOKEN_ELEVATION_TYPE *type = info;
 -            FIXME("QueryInformationToken( ..., TokenElevationType, ...) semi-stub\n");
--            *elevation_type = TokenElevationTypeFull;
+-            *type = TokenElevationTypeFull;
 +            req->handle = wine_server_obj_handle( token );
 +            status = wine_server_call( req );
 +            if (status == STATUS_SUCCESS)
-+                *elevation_type = reply->elevation;
++                *type = reply->elevation;
          }
 +        SERVER_END_REQ;
          break;
+ 
      case TokenElevation:
 +        SERVER_START_REQ( get_token_elevation_type )
          {
-             TOKEN_ELEVATION *elevation = tokeninfo;
+             TOKEN_ELEVATION *elevation = info;
 -            FIXME("QueryInformationToken( ..., TokenElevation, ...) semi-stub\n");
 -            elevation->TokenIsElevated = TRUE;
 +            req->handle = wine_server_obj_handle( token );
@@ -42,13 +43,13 @@ index cd271fde9c..b1dd999cf5 100644
          }
 +        SERVER_END_REQ;
          break;
+ 
      case TokenSessionId:
-         {
 diff --git a/server/protocol.def b/server/protocol.def
-index 90af9df7f4..93afaabca1 100644
+index ee07b1eca14..84f0b577d72 100644
 --- a/server/protocol.def
 +++ b/server/protocol.def
-@@ -3643,6 +3643,14 @@ struct handle_info
+@@ -3566,6 +3566,14 @@ struct handle_info
  @END
  
  
@@ -64,10 +65,10 @@ index 90af9df7f4..93afaabca1 100644
  @REQ(create_completion)
      unsigned int access;          /* desired access to a port */
 diff --git a/server/token.c b/server/token.c
-index 6d193603b4..64f20e1b57 100644
+index 38a4c203d54..14343637af5 100644
 --- a/server/token.c
 +++ b/server/token.c
-@@ -112,6 +112,7 @@ struct token
+@@ -110,6 +110,7 @@ struct token
      ACL           *default_dacl;    /* the default DACL to assign to objects created by this user */
      TOKEN_SOURCE   source;          /* source of the token */
      int            impersonation_level; /* impersonation level this token is capable of if non-primary token */
@@ -75,7 +76,7 @@ index 6d193603b4..64f20e1b57 100644
  };
  
  struct privilege
-@@ -545,7 +546,7 @@ static struct token *create_token( unsigned primary, const SID *user,
+@@ -552,7 +553,7 @@ static struct token *create_token( unsigned primary, const SID *user,
                                     const LUID_AND_ATTRIBUTES *privs, unsigned int priv_count,
                                     const ACL *default_dacl, TOKEN_SOURCE source,
                                     const luid_t *modified_id,
@@ -84,7 +85,7 @@ index 6d193603b4..64f20e1b57 100644
  {
      struct token *token = alloc_object( &token_ops );
      if (token)
-@@ -567,6 +568,7 @@ static struct token *create_token( unsigned primary, const SID *user,
+@@ -574,6 +575,7 @@ static struct token *create_token( unsigned primary, const SID *user,
              token->impersonation_level = impersonation_level;
          token->default_dacl = NULL;
          token->primary_group = NULL;
@@ -92,7 +93,7 @@ index 6d193603b4..64f20e1b57 100644
  
          /* copy user */
          token->user = memdup( user, security_sid_len( user ));
-@@ -682,7 +684,8 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
+@@ -689,7 +691,8 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
      token = create_token( primary, src_token->user, NULL, 0,
                            NULL, 0, src_token->default_dacl,
                            src_token->source, modified_id,
@@ -102,7 +103,7 @@ index 6d193603b4..64f20e1b57 100644
      if (!token) return token;
  
      /* copy groups */
-@@ -888,7 +891,7 @@ struct token *token_create_admin( void )
+@@ -895,7 +898,7 @@ struct token *token_create_admin( void )
          static const TOKEN_SOURCE admin_source = {"SeMgr", {0, 0}};
          token = create_token( TRUE, user_sid, admin_groups, ARRAY_SIZE( admin_groups ),
                                admin_privs, ARRAY_SIZE( admin_privs ), default_dacl,
@@ -111,7 +112,7 @@ index 6d193603b4..64f20e1b57 100644
          /* we really need a primary group */
          assert( token->primary_group );
      }
-@@ -1627,6 +1630,19 @@ DECL_HANDLER(get_token_statistics)
+@@ -1634,6 +1637,19 @@ DECL_HANDLER(get_token_statistics)
      }
  }
  
@@ -132,5 +133,5 @@ index 6d193603b4..64f20e1b57 100644
  {
      struct token *token;
 -- 
-2.19.1
+2.27.0
 

patches/advapi32-Token_Integrity_Level/0003-server-Correctly-treat-zero-access-mask-in-duplicate.patch

@@ -1,81 +0,0 @@
-From 7e73f449d158f0d6a6b6b421d073dbaf1741e1c7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Mon, 7 Aug 2017 02:22:11 +0200
-Subject: server: Correctly treat zero access mask in duplicate_token
- wineserver call.
-
----
- dlls/advapi32/tests/security.c | 14 +++++++-------
- server/token.c                 |  3 ++-
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
-index 4a03db27e69..f1a64e29dea 100644
---- a/dlls/advapi32/tests/security.c
-+++ b/dlls/advapi32/tests/security.c
-@@ -7438,7 +7438,7 @@ static void test_token_security_descriptor(void)
-             ret = DuplicateTokenEx(token4, 0, NULL, SecurityImpersonation, TokenImpersonation, &token5);
-             ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
-             ret = SetThreadToken(NULL, token5);
--            todo_wine ok(ret, "SetThreadToken failed with error %u\n", GetLastError());
-+            ok(ret, "SetThreadToken failed with error %u\n", GetLastError());
-             CloseHandle(token4);
- 
-             /* Restrict current process token while impersonating a medium integrity token */
-@@ -7503,16 +7503,16 @@ static void test_token_security_descriptor(void)
- 
-             size = 0;
-             ret = GetKernelObjectSecurity(token6, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
--            todo_wine ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-+            ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-                "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
- 
-             sd3 = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
-             ret = GetKernelObjectSecurity(token6, LABEL_SECURITY_INFORMATION, sd3, size, &size);
--            todo_wine ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
-+            ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- 
-             sacl = NULL;
-             ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
--            todo_wine ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-+            ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-             todo_wine ok(present, "No SACL in the security descriptor\n");
-             todo_wine ok(sacl != NULL, "NULL SACL in the security descriptor\n");
- 
-@@ -7606,16 +7606,16 @@ static void test_token_security_descriptor(void)
- 
-         size = 0;
-         ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
--        todo_wine ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-+        ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-            "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
- 
-         sd3 = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
-         ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, sd3, size, &size);
--        todo_wine ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
-+        ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- 
-         sacl = NULL;
-         ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
--        todo_wine ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-+        ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-         todo_wine ok(present, "No SACL in the security descriptor\n");
-         todo_wine ok(sacl != NULL, "NULL SACL in the security descriptor\n");
- 
-diff --git a/server/token.c b/server/token.c
-index 6a1085bae12..292e1df80fd 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -1376,7 +1376,8 @@ DECL_HANDLER(duplicate_token)
-         struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd, NULL, 0, NULL, 0 );
-         if (token)
-         {
--            reply->new_handle = alloc_handle_no_access_check( current->process, token, req->access, objattr->attributes );
-+            unsigned int access = req->access ? req->access : get_handle_access( current->process, req->handle );
-+            reply->new_handle = alloc_handle_no_access_check( current->process, token, access, objattr->attributes );
-             release_object( token );
-         }
-         release_object( src_token );
--- 
-2.13.1
-

patches/advapi32-Token_Integrity_Level/0004-server-Implement-token-integrity-level.patch

@@ -1,19 +1,19 @@
-From ae503e8e7eb8f4fcb9bf3e642458c2a1bba6ccaa Mon Sep 17 00:00:00 2001
+From 6dc1b7d9e533379133857629bb9c09e1045a9020 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Mon, 7 Aug 2017 02:28:35 +0200
 Subject: [PATCH] server: Implement token integrity level.
 
 ---
- dlls/ntdll/nt.c     | 23 ++++++++++++++---------
- server/protocol.def |  7 +++++++
- server/token.c      | 30 +++++++++++++++++++++++++++---
+ dlls/ntdll/unix/security.c | 23 ++++++++++++++---------
+ server/protocol.def        |  7 +++++++
+ server/token.c             | 30 +++++++++++++++++++++++++++---
  3 files changed, 48 insertions(+), 12 deletions(-)
 
-diff --git a/dlls/ntdll/nt.c b/dlls/ntdll/nt.c
-index ca26ab15..8aab0a48 100644
---- a/dlls/ntdll/nt.c
-+++ b/dlls/ntdll/nt.c
-@@ -400,7 +400,7 @@ NTSTATUS WINAPI NtQueryInformationToken(
+diff --git a/dlls/ntdll/unix/security.c b/dlls/ntdll/unix/security.c
+index 03a81afa46e..f0057116dee 100644
+--- a/dlls/ntdll/unix/security.c
++++ b/dlls/ntdll/unix/security.c
+@@ -172,7 +172,7 @@ NTSTATUS WINAPI NtQueryInformationToken( HANDLE token, TOKEN_INFORMATION_CLASS c
          0,    /* TokenAccessInformation */
          0,    /* TokenVirtualizationAllowed */
          sizeof(DWORD), /* TokenVirtualizationEnabled */
@@ -22,9 +22,9 @@ index ca26ab15..8aab0a48 100644
          0,    /* TokenUIAccess */
          0,    /* TokenMandatoryPolicy */
          0,    /* TokenLogonSid */
-@@ -659,18 +659,23 @@ NTSTATUS WINAPI NtQueryInformationToken(
-         }
+@@ -428,18 +428,23 @@ NTSTATUS WINAPI NtQueryInformationToken( HANDLE token, TOKEN_INFORMATION_CLASS c
          break;
+ 
      case TokenIntegrityLevel:
 +        SERVER_START_REQ( get_token_integrity )
          {
@@ -32,14 +32,14 @@ index ca26ab15..8aab0a48 100644
 -            static const SID high_level = {SID_REVISION, 1, {SECURITY_MANDATORY_LABEL_AUTHORITY},
 -                                                            {SECURITY_MANDATORY_HIGH_RID}};
 -
-             TOKEN_MANDATORY_LABEL *tml = tokeninfo;
+             TOKEN_MANDATORY_LABEL *tml = info;
 -            PSID psid = tml + 1;
 +            PSID sid = tml + 1;
-+            DWORD sid_len = tokeninfolength < sizeof(*tml) ? 0 : tokeninfolength - sizeof(*tml);
++            DWORD sid_len = length < sizeof(*tml) ? 0 : length - sizeof(*tml);
  
 -            tml->Label.Sid = psid;
 -            tml->Label.Attributes = SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
--            memcpy(psid, &high_level, sizeof(SID));
+-            memcpy( psid, &high_level, sizeof(SID) );
 +            req->handle = wine_server_obj_handle( token );
 +            wine_server_set_reply( req, sid, sid_len );
 +            status = wine_server_call( req );
@@ -52,13 +52,13 @@ index ca26ab15..8aab0a48 100644
          }
 +        SERVER_END_REQ;
          break;
+ 
      case TokenAppContainerSid:
-         {
 diff --git a/server/protocol.def b/server/protocol.def
-index 11221d7d..1bfe3234 100644
+index 84f0b577d72..4d37a0df348 100644
 --- a/server/protocol.def
 +++ b/server/protocol.def
-@@ -3405,6 +3405,13 @@ enum caret_state
+@@ -3296,6 +3296,13 @@ enum caret_state
      VARARG(sid,SID);              /* the sid specified by which_sid from the token */
  @END
  
@@ -73,10 +73,10 @@ index 11221d7d..1bfe3234 100644
      obj_handle_t    handle;       /* handle to the token */
  @REPLY
 diff --git a/server/token.c b/server/token.c
-index ccde0c2d..2d81118a 100644
+index 7c510fbdad9..d267991f751 100644
 --- a/server/token.c
 +++ b/server/token.c
-@@ -113,6 +113,7 @@ struct token
+@@ -111,6 +111,7 @@ struct token
      TOKEN_SOURCE   source;          /* source of the token */
      int            impersonation_level; /* impersonation level this token is capable of if non-primary token */
      TOKEN_ELEVATION_TYPE elevation; /* elevation level */
@@ -84,7 +84,7 @@ index ccde0c2d..2d81118a 100644
  };
  
  struct privilege
-@@ -546,7 +547,8 @@ static struct token *create_token( unsigned primary, const SID *user,
+@@ -553,7 +554,8 @@ static struct token *create_token( unsigned primary, const SID *user,
                                     const LUID_AND_ATTRIBUTES *privs, unsigned int priv_count,
                                     const ACL *default_dacl, TOKEN_SOURCE source,
                                     const luid_t *modified_id,
@@ -94,7 +94,7 @@ index ccde0c2d..2d81118a 100644
  {
      struct token *token = alloc_object( &token_ops );
      if (token)
-@@ -630,6 +632,7 @@ static struct token *create_token( unsigned primary, const SID *user,
+@@ -637,6 +639,7 @@ static struct token *create_token( unsigned primary, const SID *user,
          }
  
          token->source = source;
@@ -102,7 +102,7 @@ index ccde0c2d..2d81118a 100644
      }
      return token;
  }
-@@ -685,7 +688,8 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
+@@ -692,7 +695,8 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
                            NULL, 0, src_token->default_dacl,
                            src_token->source, modified_id,
                            impersonation_level,
@@ -112,7 +112,7 @@ index ccde0c2d..2d81118a 100644
      if (!token) return token;
  
      /* copy groups */
-@@ -890,7 +894,7 @@ struct token *token_create_admin( void )
+@@ -898,7 +902,7 @@ struct token *token_create_admin( void )
          static const TOKEN_SOURCE admin_source = {"SeMgr", {0, 0}};
          token = create_token( TRUE, user_sid, admin_groups, ARRAY_SIZE( admin_groups ),
                                admin_privs, ARRAY_SIZE( admin_privs ), default_dacl,
@@ -121,7 +121,7 @@ index ccde0c2d..2d81118a 100644
          /* we really need a primary group */
          assert( token->primary_group );
      }
-@@ -1524,6 +1528,26 @@ DECL_HANDLER(get_token_sid)
+@@ -1532,6 +1536,26 @@ DECL_HANDLER(get_token_sid)
      }
  }
  
@@ -149,5 +149,5 @@ index ccde0c2d..2d81118a 100644
  DECL_HANDLER(get_token_groups)
  {
 -- 
-2.19.1
+2.27.0
 

patches/advapi32-Token_Integrity_Level/0006-ntdll-Add-function-to-create-new-tokens-for-elevatio.patch

@@ -1,4 +1,4 @@
-From 8959c13f2be7e2a31f27c8483ee2202692f00710 Mon Sep 17 00:00:00 2001
+From c47977a8bbd739483589d1f01cfece435be1c100 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Sat, 5 Aug 2017 01:45:29 +0200
 Subject: [PATCH] ntdll: Add function to create new tokens for elevation
@@ -14,10 +14,10 @@ Subject: [PATCH] ntdll: Add function to create new tokens for elevation
  6 files changed, 117 insertions(+)
 
 diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
-index d626e0bf2..5057e2b07 100644
+index 0997c310110..8e3786e1972 100644
 --- a/dlls/ntdll/ntdll.spec
 +++ b/dlls/ntdll/ntdll.spec
-@@ -1556,6 +1556,9 @@
+@@ -1600,6 +1600,9 @@
  # Virtual memory
  @ cdecl __wine_locked_recvmsg(long ptr long)
  
@@ -25,27 +25,27 @@ index d626e0bf2..5057e2b07 100644
 +@ cdecl __wine_create_default_token(long)
 +
  # Version
- @ cdecl wine_get_version() NTDLL_wine_get_version
- @ cdecl wine_get_patches() NTDLL_wine_get_patches
+ @ cdecl wine_get_version()
+ @ cdecl wine_get_build_id()
 diff --git a/dlls/ntdll/ntdll_misc.h b/dlls/ntdll/ntdll_misc.h
-index ac1469412..6c2345c6c 100644
+index 63ceac42e94..5a98501381b 100644
 --- a/dlls/ntdll/ntdll_misc.h
 +++ b/dlls/ntdll/ntdll_misc.h
-@@ -89,6 +89,9 @@ extern void init_user_process_params( SIZE_T data_size ) DECLSPEC_HIDDEN;
- extern char **build_envp( const WCHAR *envW ) DECLSPEC_HIDDEN;
+@@ -67,6 +67,9 @@ extern void init_user_process_params(void) DECLSPEC_HIDDEN;
  extern NTSTATUS restart_process( RTL_USER_PROCESS_PARAMETERS *params, NTSTATUS status ) DECLSPEC_HIDDEN;
+ extern void CDECL DECLSPEC_NORETURN signal_start_thread( CONTEXT *ctx ) DECLSPEC_HIDDEN;
  
 +/* token */
 +extern HANDLE CDECL __wine_create_default_token(BOOL admin);
 +
  /* server support */
- extern timeout_t server_start_time DECLSPEC_HIDDEN;
- extern unsigned int server_cpus DECLSPEC_HIDDEN;
+ extern BOOL is_wow64 DECLSPEC_HIDDEN;
+ 
 diff --git a/dlls/ntdll/process.c b/dlls/ntdll/process.c
-index 52d7ea429..e24691b8a 100644
+index 77ba5b371e2..3e91a1fa9c4 100644
 --- a/dlls/ntdll/process.c
 +++ b/dlls/ntdll/process.c
-@@ -125,6 +125,24 @@ HANDLE CDECL __wine_make_process_system(void)
+@@ -72,6 +72,24 @@ HANDLE CDECL __wine_make_process_system(void)
      return ret;
  }
  
@@ -67,14 +67,14 @@ index 52d7ea429..e24691b8a 100644
 +    return ret;
 +}
 +
- static UINT process_error_mode;
- 
- #define UNIMPLEMENTED_INFO_CLASS(c) \
+ /***********************************************************************
+  *           restart_process
+  */
 diff --git a/server/protocol.def b/server/protocol.def
-index e908f2131..0177cb579 100644
+index 30a102d7b82..a9308904afc 100644
 --- a/server/protocol.def
 +++ b/server/protocol.def
-@@ -3734,6 +3734,14 @@ struct handle_info
+@@ -3481,6 +3481,14 @@ struct handle_info
  @END
  
  
@@ -90,7 +90,7 @@ index e908f2131..0177cb579 100644
  @REQ(create_completion)
      unsigned int access;          /* desired access to a port */
 diff --git a/server/security.h b/server/security.h
-index 6c337143c..21e90ccf2 100644
+index 6c337143c3d..21e90ccf23f 100644
 --- a/server/security.h
 +++ b/server/security.h
 @@ -49,6 +49,7 @@ extern const PSID security_builtin_users_sid;
@@ -102,10 +102,10 @@ index 6c337143c..21e90ccf2 100644
  
  /* token functions */
 diff --git a/server/token.c b/server/token.c
-index 381ae6871..fcab79955 100644
+index c4f1cd943c2..970ed1838da 100644
 --- a/server/token.c
 +++ b/server/token.c
-@@ -79,6 +79,7 @@ static const SID anonymous_logon_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORIT
+@@ -77,6 +77,7 @@ static const SID anonymous_logon_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORIT
  static const SID authenticated_user_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_AUTHENTICATED_USER_RID } };
  static const SID local_system_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_LOCAL_SYSTEM_RID } };
  static const SID high_label_sid = { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY }, { SECURITY_MANDATORY_HIGH_RID } };
@@ -113,7 +113,7 @@ index 381ae6871..fcab79955 100644
  static const SID_N(5) local_user_sid = { SID_REVISION, 5, { SECURITY_NT_AUTHORITY }, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, 1000 } };
  static const SID_N(2) builtin_admins_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
  static const SID_N(2) builtin_users_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
-@@ -95,6 +96,7 @@ const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
+@@ -93,6 +94,7 @@ const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
  const PSID security_builtin_users_sid = (PSID)&builtin_users_sid;
  const PSID security_domain_users_sid = (PSID)&domain_users_sid;
  const PSID security_high_label_sid = (PSID)&high_label_sid;
@@ -121,7 +121,7 @@ index 381ae6871..fcab79955 100644
  
  static luid_t prev_luid_value = { 1000, 0 };
  
-@@ -917,6 +919,64 @@ struct token *token_create_admin( void )
+@@ -915,6 +917,64 @@ struct token *token_create_admin( void )
      return token;
  }
  
@@ -186,7 +186,7 @@ index 381ae6871..fcab79955 100644
  static struct privilege *token_find_privilege( struct token *token, const LUID *luid, int enabled_only )
  {
      struct privilege *privilege;
-@@ -1722,3 +1782,27 @@ DECL_HANDLER(set_token_default_dacl)
+@@ -1720,3 +1780,27 @@ DECL_HANDLER(set_token_default_dacl)
          release_object( token );
      }
  }
@@ -215,5 +215,5 @@ index 381ae6871..fcab79955 100644
 +    }
 +}
 -- 
-2.23.0
+2.28.0
 

patches/advapi32-Token_Integrity_Level/0008-ntdll-Implement-process-token-elevation-through-mani.patch

@@ -1,4 +1,4 @@
-From 6a09d34647aa517e45bc0bb20a92d0d94a1da888 Mon Sep 17 00:00:00 2001
+From 51cde3dff5de27d1aebc964a4802758534d56773 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Sat, 5 Aug 2017 03:39:55 +0200
 Subject: [PATCH] ntdll: Implement process token elevation through manifests.
@@ -12,10 +12,10 @@ Subject: [PATCH] ntdll: Implement process token elevation through manifests.
  5 files changed, 67 insertions(+)
 
 diff --git a/dlls/ntdll/loader.c b/dlls/ntdll/loader.c
-index 2f203447e..7c5dd308b 100644
+index 6290cbcb4e6..9a8f13901b2 100644
 --- a/dlls/ntdll/loader.c
 +++ b/dlls/ntdll/loader.c
-@@ -3804,6 +3804,32 @@ void WINAPI LdrInitializeThunk( CONTEXT *context, void **entry, ULONG_PTR unknow
+@@ -3489,6 +3489,32 @@ void WINAPI LdrInitializeThunk( CONTEXT *context, void **entry, ULONG_PTR unknow
  }
  
  
@@ -48,17 +48,17 @@ index 2f203447e..7c5dd308b 100644
  /***********************************************************************
   *           load_global_options
   */
-@@ -4233,6 +4259,7 @@ void __wine_process_init(void)
-                                       's','y','s','t','e','m','3','2','\\',
+@@ -3900,6 +3926,7 @@ void __wine_process_init(void)
                                        'k','e','r','n','e','l','3','2','.','d','l','l',0};
+     void (WINAPI *kernel32_start_process)(LPTHREAD_START_ROUTINE,void*) = NULL;
      RTL_USER_PROCESS_PARAMETERS *params;
 +    ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION runlevel;
      WINE_MODREF *wm;
      NTSTATUS status;
      ANSI_STRING func_name;
-@@ -4324,6 +4351,16 @@ void __wine_process_init(void)
- 
-     virtual_set_large_address_space();
+@@ -4021,6 +4048,16 @@ void __wine_process_init(void)
+     }
+ #endif
  
 +    /* elevate process if necessary */
 +    status = RtlQueryInformationActivationContext( 0, NULL, 0, RunlevelInformationInActivationContext,
@@ -71,14 +71,14 @@ index 2f203447e..7c5dd308b 100644
 +    }
 +
      /* the main exe needs to be the first in the load order list */
-     RemoveEntryList( &wm->ldr.InLoadOrderModuleList );
-     InsertHeadList( &peb->LdrData->InLoadOrderModuleList, &wm->ldr.InLoadOrderModuleList );
+     RemoveEntryList( &wm->ldr.InLoadOrderLinks );
+     InsertHeadList( &peb->LdrData->InLoadOrderModuleList, &wm->ldr.InLoadOrderLinks );
 diff --git a/server/process.c b/server/process.c
-index 4c7da9223..d6f71a774 100644
+index fa8495511e0..df72efdecc8 100644
 --- a/server/process.c
 +++ b/server/process.c
-@@ -1107,6 +1107,14 @@ struct process_snapshot *process_snap( int *count )
-     return snapshot;
+@@ -1086,6 +1086,14 @@ int set_process_debug_flag( struct process *process, int flag )
+     return write_process_memory( process, process->peb + 2, 1, &data );
  }
  
 +/* replace the token of a process */
@@ -93,22 +93,22 @@ index 4c7da9223..d6f71a774 100644
  DECL_HANDLER(new_process)
  {
 diff --git a/server/process.h b/server/process.h
-index 5b83e111a..dfe5c4e52 100644
+index 0fdf070b78e..43e8cc1ad7e 100644
 --- a/server/process.h
 +++ b/server/process.h
-@@ -139,6 +139,7 @@ extern void kill_debugged_processes( struct thread *debugger, int exit_code );
+@@ -129,6 +129,7 @@ extern void kill_console_processes( struct thread *renderer, int exit_code );
+ extern void kill_debugged_processes( struct thread *debugger, int exit_code );
  extern void detach_debugged_processes( struct thread *debugger );
- extern struct process_snapshot *process_snap( int *count );
  extern void enum_processes( int (*cb)(struct process*, void*), void *user);
 +extern void replace_process_token( struct process *process, struct token *token );
  
  /* console functions */
- extern void inherit_console( struct thread *parent_thread, struct process *parent,
+ extern obj_handle_t inherit_console( struct thread *parent_thread, obj_handle_t handle,
 diff --git a/server/protocol.def b/server/protocol.def
-index 6022e1715..45ab670ea 100644
+index a9308904afc..8c40fba8d0a 100644
 --- a/server/protocol.def
 +++ b/server/protocol.def
-@@ -3755,6 +3755,13 @@ struct handle_info
+@@ -3489,6 +3489,13 @@ struct handle_info
  @END
  
  
@@ -123,10 +123,10 @@ index 6022e1715..45ab670ea 100644
  @REQ(create_completion)
      unsigned int access;          /* desired access to a port */
 diff --git a/server/token.c b/server/token.c
-index fcab79955..181219d21 100644
+index 970ed1838da..1c1d49989b3 100644
 --- a/server/token.c
 +++ b/server/token.c
-@@ -1806,3 +1806,17 @@ DECL_HANDLER(create_token)
+@@ -1804,3 +1804,17 @@ DECL_HANDLER(create_token)
          release_object( token );
      }
  }
@@ -145,5 +145,5 @@ index fcab79955..181219d21 100644
 +    }
 +}
 -- 
-2.24.0
+2.28.0
 

patches/advapi32-Token_Integrity_Level/0010-server-Implement-support-for-creating-processes-usin.patch

@@ -1,319 +0,0 @@
-From 51830c6683b199e79cb9e782ee51555054a4da7c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sun, 6 Aug 2017 02:08:05 +0200
-Subject: [PATCH] server: Implement support for creating processes using a
- token.
-
----
- dlls/kernelbase/process.c | 24 +++++++++++++-----------
- dlls/ntdll/process.c      |  3 ++-
- server/process.c          | 39 +++++++++++++++++++++++++++++++++++----
- server/process.h          |  2 +-
- server/protocol.def       |  1 +
- server/request.c          |  2 +-
- server/security.h         |  2 ++
- server/token.c            | 11 +++++++++++
- 8 files changed, 66 insertions(+), 18 deletions(-)
-
-diff --git a/dlls/kernelbase/process.c b/dlls/kernelbase/process.c
-index a07dddb1f..99985ab89 100644
---- a/dlls/kernelbase/process.c
-+++ b/dlls/kernelbase/process.c
-@@ -242,7 +242,7 @@ static RTL_USER_PROCESS_PARAMETERS *create_process_params( const WCHAR *filename
- /***********************************************************************
-  *           create_nt_process
-  */
--static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_nt_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                    BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                    RTL_USER_PROCESS_INFORMATION *info, HANDLE parent )
- {
-@@ -257,7 +257,7 @@ static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES
-         status = RtlCreateUserProcess( &nameW, OBJ_CASE_INSENSITIVE, params,
-                                        psa ? psa->lpSecurityDescriptor : NULL,
-                                        tsa ? tsa->lpSecurityDescriptor : NULL,
--                                       parent, inherit, 0, 0, info );
-+                                       parent, inherit, 0, token, info );
-         RtlFreeUnicodeString( &nameW );
-     }
-     return status;
-@@ -267,7 +267,7 @@ static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES
- /***********************************************************************
-  *           create_vdm_process
-  */
--static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_vdm_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                     BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                     RTL_USER_PROCESS_INFORMATION *info )
- {
-@@ -288,7 +288,7 @@ static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
-               winevdm, params->ImagePathName.Buffer, params->CommandLine.Buffer );
-     RtlInitUnicodeString( &params->ImagePathName, winevdm );
-     RtlInitUnicodeString( &params->CommandLine, newcmdline );
--    status = create_nt_process( psa, tsa, inherit, flags, params, info, NULL );
-+    status = create_nt_process( token, psa, tsa, inherit, flags, params, info, NULL );
-     HeapFree( GetProcessHeap(), 0, newcmdline );
-     return status;
- }
-@@ -297,7 +297,7 @@ static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
- /***********************************************************************
-  *           create_cmd_process
-  */
--static NTSTATUS create_cmd_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_cmd_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                     BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                     RTL_USER_PROCESS_INFORMATION *info )
- {
-@@ -316,7 +316,7 @@ static NTSTATUS create_cmd_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
-     swprintf( newcmdline, len, L"%s /s/c \"%s\"", comspec, params->CommandLine.Buffer );
-     RtlInitUnicodeString( &params->ImagePathName, comspec );
-     RtlInitUnicodeString( &params->CommandLine, newcmdline );
--    status = create_nt_process( psa, tsa, inherit, flags, params, info, NULL );
-+    status = create_nt_process( token, psa, tsa, inherit, flags, params, info, NULL );
-     RtlFreeHeap( GetProcessHeap(), 0, newcmdline );
-     return status;
- }
-@@ -448,7 +448,9 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
- 
-     TRACE( "app %s cmdline %s\n", debugstr_w(app_name), debugstr_w(cmd_line) );
- 
--    if (token) FIXME( "Creating a process with a token is not yet implemented\n" );
-+    /* FIXME: Starting a process which requires admin rights should fail
-+     * with ERROR_ELEVATION_REQUIRED when no token is passed. */
-+
-     if (new_token) FIXME( "No support for returning created process token\n" );
- 
-     if (app_name)
-@@ -521,7 +523,7 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-         }
-     }
- 
--    status = create_nt_process( process_attr, thread_attr, inherit, flags, params, &rtl_info, parent );
-+    status = create_nt_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info, parent );
-     switch (status)
-     {
-     case STATUS_SUCCESS:
-@@ -530,7 +532,7 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-     case STATUS_INVALID_IMAGE_NE_FORMAT:
-     case STATUS_INVALID_IMAGE_PROTECT:
-         TRACE( "starting %s as Win16/DOS binary\n", debugstr_w(app_name) );
--        status = create_vdm_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+        status = create_vdm_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         break;
-     case STATUS_INVALID_IMAGE_NOT_MZ:
-         /* check for .com or .bat extension */
-@@ -538,12 +540,12 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-         if (!wcsicmp( p, L".com" ) || !wcsicmp( p, L".pif" ))
-         {
-             TRACE( "starting %s as DOS binary\n", debugstr_w(app_name) );
--            status = create_vdm_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+            status = create_vdm_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         }
-         else if (!wcsicmp( p, L".bat" ) || !wcsicmp( p, L".cmd" ))
-         {
-             TRACE( "starting %s as batch binary\n", debugstr_w(app_name) );
--            status = create_cmd_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+            status = create_cmd_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         }
-         break;
-     }
-diff --git a/dlls/ntdll/process.c b/dlls/ntdll/process.c
-index f3d9079f8..2fa553091 100644
---- a/dlls/ntdll/process.c
-+++ b/dlls/ntdll/process.c
-@@ -1667,7 +1667,7 @@ NTSTATUS WINAPI RtlCreateUserProcess( UNICODE_STRING *path, ULONG attributes,
-                                       RTL_USER_PROCESS_PARAMETERS *params,
-                                       SECURITY_DESCRIPTOR *process_descr,
-                                       SECURITY_DESCRIPTOR *thread_descr,
--                                      HANDLE parent, BOOLEAN inherit, HANDLE debug, HANDLE exception,
-+                                      HANDLE parent, BOOLEAN inherit, HANDLE debug, HANDLE token,
-                                       RTL_USER_PROCESS_INFORMATION *info )
- {
-     NTSTATUS status;
-@@ -1735,6 +1735,7 @@ NTSTATUS WINAPI RtlCreateUserProcess( UNICODE_STRING *path, ULONG attributes,
-         req->access         = PROCESS_ALL_ACCESS;
-         req->cpu            = pe_info.cpu;
-         req->info_size      = startup_info_size;
-+        req->token          = wine_server_obj_handle( token );
-         wine_server_add_data( req, objattr, attr_len );
-         wine_server_add_data( req, startup_info, startup_info_size );
-         wine_server_add_data( req, params->Environment, env_size );
-diff --git a/server/process.c b/server/process.c
-index d6f71a774..aa66814d8 100644
---- a/server/process.c
-+++ b/server/process.c
-@@ -491,7 +491,7 @@ static void start_sigkill_timer( struct process *process )
- /* create a new process */
- /* if the function fails the fd is closed */
- struct process *create_process( int fd, struct process *parent, int inherit_all,
--                                const struct security_descriptor *sd )
-+                                const struct security_descriptor *sd, struct token *token )
- {
-     struct process *process;
- 
-@@ -568,7 +568,7 @@ struct process *create_process( int fd, struct process *parent, int inherit_all,
-                                        : alloc_handle_table( process, 0 );
-         /* Note: for security reasons, starting a new process does not attempt
-          * to use the current impersonation token for the new process */
--        process->token = token_duplicate( parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-+        process->token = token_duplicate( token ? token : parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-         process->affinity = parent->affinity;
-     }
-     if (!process->handles || !process->token) goto error;
-@@ -1124,6 +1124,7 @@ DECL_HANDLER(new_process)
-     const struct security_descriptor *sd;
-     const struct object_attributes *objattr = get_req_object_attributes( &sd, &name, NULL );
-     struct process *process = NULL;
-+    struct token *token = NULL;
-     struct process *parent;
-     struct thread *parent_thread = current;
-     int socket_fd = thread_get_inflight_fd( current, req->socket_fd );
-@@ -1177,10 +1178,39 @@ DECL_HANDLER(new_process)
-         return;
-     }
- 
-+    if (req->token)
-+    {
-+        token = get_token_from_handle( req->token, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY );
-+        if (!token)
-+        {
-+            close( socket_fd );
-+            return;
-+        }
-+        if (!token_is_primary( token ))
-+        {
-+            set_error( STATUS_BAD_TOKEN_TYPE );
-+            release_object( token );
-+            close( socket_fd );
-+            return;
-+        }
-+    }
-+
-+    if (!req->info_size)  /* create an orphaned process */
-+    {
-+        if ((process = create_process( socket_fd, NULL, 0, sd, token )))
-+        {
-+            create_thread( -1, process, NULL );
-+            release_object( process );
-+        }
-+        if (token) release_object( token );
-+        return;
-+    }
-+
-     /* build the startup info for a new process */
-     if (!(info = alloc_object( &startup_info_ops )))
-     {
-         close( socket_fd );
-+        if (token) release_object( token );
-         release_object( parent );
-         return;
-     }
-@@ -1228,7 +1258,7 @@ DECL_HANDLER(new_process)
- #undef FIXUP_LEN
-     }
- 
--    if (!(process = create_process( socket_fd, parent, req->inherit_all, sd ))) goto done;
-+    if (!(process = create_process( socket_fd, parent, req->inherit_all, sd, token ))) goto done;
- 
-     process->startup_info = (struct startup_info *)grab_object( info );
- 
-@@ -1289,6 +1319,7 @@ DECL_HANDLER(new_process)
-     reply->handle = alloc_handle_no_access_check( current->process, process, req->access, objattr->attributes );
- 
-  done:
-+    if (token) release_object( token );
-     if (process) release_object( process );
-     release_object( parent );
-     release_object( info );
-@@ -1322,7 +1353,7 @@ DECL_HANDLER(exec_process)
-         close( socket_fd );
-         return;
-     }
--    if (!(process = create_process( socket_fd, NULL, 0, NULL ))) return;
-+    if (!(process = create_process( socket_fd, NULL, 0, NULL, NULL ))) return;
-     create_thread( -1, process, NULL );
-     release_object( process );
- }
-diff --git a/server/process.h b/server/process.h
-index dfe5c4e52..61b83abf6 100644
---- a/server/process.h
-+++ b/server/process.h
-@@ -118,7 +118,7 @@ extern unsigned int alloc_ptid( void *ptr );
- extern void free_ptid( unsigned int id );
- extern void *get_ptid_entry( unsigned int id );
- extern struct process *create_process( int fd, struct process *parent, int inherit_all,
--                                       const struct security_descriptor *sd );
-+                                       const struct security_descriptor *sd, struct token *token );
- extern data_size_t init_process( struct thread *thread );
- extern struct thread *get_process_first_thread( struct process *process );
- extern struct process *get_process_from_id( process_id_t id );
-diff --git a/server/protocol.def b/server/protocol.def
-index 45ab670ea..c763da4ca 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -791,6 +791,7 @@ struct rawinput_device
-     unsigned int access;         /* access rights for process object */
-     client_cpu_t cpu;            /* CPU that the new process will use */
-     data_size_t  info_size;      /* size of startup info */
-+    obj_handle_t token;          /* token for the new process */
-     VARARG(objattr,object_attributes);   /* object attributes */
-     VARARG(info,startup_info,info_size); /* startup information */
-     VARARG(env,unicode_str);     /* environment for new process */
-diff --git a/server/request.c b/server/request.c
-index 200c2697d..f743b720a 100644
---- a/server/request.c
-+++ b/server/request.c
-@@ -582,7 +582,7 @@ static void master_socket_poll_event( struct fd *fd, int event )
-         int client = accept( get_unix_fd( master_socket->fd ), (struct sockaddr *) &dummy, &len );
-         if (client == -1) return;
-         fcntl( client, F_SETFL, O_NONBLOCK );
--        if ((process = create_process( client, NULL, 0, NULL )))
-+        if ((process = create_process( client, NULL, 0, NULL, NULL )))
-         {
-             create_thread( -1, process, NULL );
-             release_object( process );
-diff --git a/server/security.h b/server/security.h
-index 21e90ccf2..32dfe5f8d 100644
---- a/server/security.h
-+++ b/server/security.h
-@@ -67,6 +67,8 @@ extern const ACL *token_get_default_dacl( struct token *token );
- extern const SID *token_get_user( struct token *token );
- extern const SID *token_get_primary_group( struct token *token );
- extern int token_sid_present( struct token *token, const SID *sid, int deny);
-+extern struct token *get_token_from_handle( obj_handle_t handle, unsigned int access );
-+extern int token_is_primary( struct token *token );
- 
- static inline const ACE_HEADER *ace_next( const ACE_HEADER *ace )
- {
-diff --git a/server/token.c b/server/token.c
-index 181219d21..858ec25d7 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -845,6 +845,12 @@ int token_assign_label( struct token *token, PSID label )
-     return ret;
- }
- 
-+struct token *get_token_from_handle( obj_handle_t handle, unsigned int access )
-+{
-+    return (struct token *)get_handle_obj( current->process, handle,
-+                                           access, &token_ops );
-+}
-+
- struct token *token_create_admin( void )
- {
-     struct token *token = NULL;
-@@ -1271,6 +1277,11 @@ const SID *token_get_primary_group( struct token *token )
-     return token->primary_group;
- }
- 
-+int token_is_primary( struct token *token )
-+{
-+    return token->primary;
-+}
-+
- int check_object_access(struct object *obj, unsigned int *access)
- {
-     GENERIC_MAPPING mapping;
--- 
-2.24.0
-

patches/advapi32-Token_Integrity_Level/0015-ntdll-Add-semi-stub-for-TokenLinkedToken-info-class.patch

@@ -1,17 +1,25 @@
-From 6d4621ddba8139747345c05f6251bae9b3c68e39 Mon Sep 17 00:00:00 2001
+From e34d019222909281390f83149be755a4145024c4 Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Mon, 7 Aug 2017 15:28:33 +0200
-Subject: ntdll: Add semi-stub for TokenLinkedToken info class.
+Subject: [PATCH] ntdll: Add semi-stub for TokenLinkedToken info class.
 
 ---
- dlls/ntdll/nt.c | 28 +++++++++++++++++++++++++++-
- 1 file changed, 27 insertions(+), 1 deletion(-)
+ dlls/ntdll/unix/security.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
 
-diff --git a/dlls/ntdll/nt.c b/dlls/ntdll/nt.c
-index 6f2b24e6ba4..99dba58b426 100644
---- a/dlls/ntdll/nt.c
-+++ b/dlls/ntdll/nt.c
-@@ -366,7 +366,7 @@ NTSTATUS WINAPI NtQueryInformationToken(
+diff --git a/dlls/ntdll/unix/security.c b/dlls/ntdll/unix/security.c
+index f0057116dee..2769e5f6a7b 100644
+--- a/dlls/ntdll/unix/security.c
++++ b/dlls/ntdll/unix/security.c
+@@ -138,6 +138,7 @@ NTSTATUS WINAPI NtDuplicateToken( HANDLE token, ACCESS_MASK access, OBJECT_ATTRI
+     return status;
+ }
+ 
++extern HANDLE CDECL __wine_create_default_token(BOOL admin);
+ 
+ /***********************************************************************
+  *             NtQueryInformationToken  (NTDLL.@)
+@@ -166,7 +167,7 @@ NTSTATUS WINAPI NtQueryInformationToken( HANDLE token, TOKEN_INFORMATION_CLASS c
          0,    /* TokenAuditPolicy */
          0,    /* TokenOrigin */
          sizeof(TOKEN_ELEVATION_TYPE), /* TokenElevationType */
@@ -20,14 +28,14 @@ index 6f2b24e6ba4..99dba58b426 100644
          sizeof(TOKEN_ELEVATION), /* TokenElevation */
          0,    /* TokenHasRestrictions */
          0,    /* TokenAccessInformation */
-@@ -607,6 +607,32 @@ NTSTATUS WINAPI NtQueryInformationToken(
-         }
+@@ -401,6 +402,33 @@ NTSTATUS WINAPI NtQueryInformationToken( HANDLE token, TOKEN_INFORMATION_CLASS c
          SERVER_END_REQ;
          break;
+ 
 +    case TokenLinkedToken:
 +        SERVER_START_REQ( get_token_elevation_type )
 +        {
-+            TOKEN_LINKED_TOKEN *linked_token = tokeninfo;
++            TOKEN_LINKED_TOKEN *linked_token = info;
 +            req->handle = wine_server_obj_handle( token );
 +            status = wine_server_call( req );
 +            if (status == STATUS_SUCCESS)
@@ -50,9 +58,10 @@ index 6f2b24e6ba4..99dba58b426 100644
 +        }
 +        SERVER_END_REQ;
 +        break;
++
      case TokenElevation:
          SERVER_START_REQ( get_token_elevation_type )
          {
 -- 
-2.13.1
+2.27.0
 

patches/advapi32-Token_Integrity_Level/XX13-server-Correctly-assign-security-labels-for-tokens.patch

@@ -1,20 +1,21 @@
-From 6d8fd34cabbcbc64062675be610fb8704fcdc3ec Mon Sep 17 00:00:00 2001
+From a8915b8ebd4c06b0216fc82d1ba8d958a677eccf Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Mon, 7 Aug 2017 03:33:26 +0200
 Subject: [PATCH] server: Correctly assign security labels for tokens.
 
 ---
- dlls/advapi32/tests/security.c | 21 ++++++++++-----------
- server/process.c               |  8 +-------
+ dlls/advapi32/tests/security.c | 21 +++++++++--------
+ server/named_pipe.c            |  2 +-
+ server/process.c               |  8 +------
  server/security.h              |  2 +-
- server/token.c                 | 41 ++++++++++++++++++++++++-----------------
- 4 files changed, 36 insertions(+), 36 deletions(-)
+ server/token.c                 | 41 ++++++++++++++++++++--------------
+ 5 files changed, 37 insertions(+), 37 deletions(-)
 
 diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
-index bf4161c..0610ec7 100644
+index 94f3ea4601a..ab572421a73 100644
 --- a/dlls/advapi32/tests/security.c
 +++ b/dlls/advapi32/tests/security.c
-@@ -7186,7 +7186,6 @@ static void test_token_security_descriptor(void)
+@@ -7105,7 +7105,6 @@ static void test_token_security_descriptor(void)
      defaulted = TRUE;
      ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
      ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
@@ -22,7 +23,7 @@ index bf4161c..0610ec7 100644
      ok(present, "DACL not present\n");
  
      if (present)
-@@ -7307,7 +7306,7 @@ static void test_token_security_descriptor(void)
+@@ -7226,7 +7225,7 @@ static void test_token_security_descriptor(void)
                  ok(ret, "GetAce failed with error %u\n", GetLastError());
                  ok(ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
                     "Unexpected ACE type %#x\n", ace->Header.AceType);
@@ -31,7 +32,7 @@ index bf4161c..0610ec7 100644
                     "Expected medium integrity level\n");
              }
  
-@@ -7360,8 +7359,8 @@ static void test_token_security_descriptor(void)
+@@ -7279,8 +7278,8 @@ static void test_token_security_descriptor(void)
              sacl = NULL;
              ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
              ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
@@ -42,7 +43,7 @@ index bf4161c..0610ec7 100644
  
              if (sacl)
              {
-@@ -7410,8 +7409,8 @@ static void test_token_security_descriptor(void)
+@@ -7329,8 +7328,8 @@ static void test_token_security_descriptor(void)
              sacl = NULL;
              ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
              ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
@@ -53,7 +54,7 @@ index bf4161c..0610ec7 100644
  
              if (sacl)
              {
-@@ -7475,8 +7474,8 @@ static void test_token_security_descriptor(void)
+@@ -7394,8 +7393,8 @@ static void test_token_security_descriptor(void)
  
          ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
          ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
@@ -64,7 +65,7 @@ index bf4161c..0610ec7 100644
  
          if (sacl)
          {
-@@ -7513,8 +7512,8 @@ static void test_token_security_descriptor(void)
+@@ -7432,8 +7431,8 @@ static void test_token_security_descriptor(void)
          sacl = NULL;
          ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
          ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
@@ -75,7 +76,7 @@ index bf4161c..0610ec7 100644
  
          if (sacl)
          {
-@@ -7732,7 +7731,7 @@ static void test_child_token_sd_medium(void)
+@@ -7652,7 +7651,7 @@ static void test_child_token_sd_medium(void)
      ok(ret, "GetAce failed with error %u\n", GetLastError());
      ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
         "Unexpected ACE type %#x\n", ace_label->Header.AceType);
@@ -84,11 +85,24 @@ index bf4161c..0610ec7 100644
         "Expected medium integrity level\n");
  
      memset(buffer_integrity, 0, sizeof(buffer_integrity));
+diff --git a/server/named_pipe.c b/server/named_pipe.c
+index 4cd4d7dc4a8..06bf8402aea 100644
+--- a/server/named_pipe.c
++++ b/server/named_pipe.c
+@@ -1142,7 +1142,7 @@ static int pipe_server_ioctl( struct fd *fd, ioctl_code_t code, struct async *as
+         if (current->process->token) /* FIXME: use the client token */
+         {
+             struct token *token;
+-            if (!(token = token_duplicate( current->process->token, 0, SecurityImpersonation, NULL, NULL, 0, NULL, 0 )))
++            if (!(token = token_duplicate( current->process->token, 0, SecurityImpersonation, NULL, NULL, 0, NULL, 0, NULL )))
+                 return 0;
+             if (current->token) release_object( current->token );
+             current->token = token;
 diff --git a/server/process.c b/server/process.c
-index b7c9da3..250f777 100644
+index 31d5b96a25d..2c485831e33 100644
 --- a/server/process.c
 +++ b/server/process.c
-@@ -562,17 +562,11 @@ struct process *create_process( int fd, struct thread *parent_thread, int inheri
+@@ -577,17 +577,11 @@ struct process *create_process( int fd, struct process *parent, int inherit_all,
                                         : alloc_handle_table( process, 0 );
          /* Note: for security reasons, starting a new process does not attempt
           * to use the current impersonation token for the new process */
@@ -108,7 +122,7 @@ index b7c9da3..250f777 100644
      return process;
  
 diff --git a/server/security.h b/server/security.h
-index 32dfe5f..87377cc 100644
+index 32dfe5f8db9..87377ccd673 100644
 --- a/server/security.h
 +++ b/server/security.h
 @@ -59,7 +59,7 @@ extern int token_assign_label( struct token *token, PSID label );
@@ -121,10 +135,10 @@ index 32dfe5f..87377cc 100644
                                     const LUID_AND_ATTRIBUTES *reqprivs,
                                     unsigned int count, LUID_AND_ATTRIBUTES *usedprivs);
 diff --git a/server/token.c b/server/token.c
-index 5db97b4..bd251c7 100644
+index 2f466aa1b25..23bc1cc13f7 100644
 --- a/server/token.c
 +++ b/server/token.c
-@@ -668,7 +668,7 @@ static int filter_privilege( struct privilege *privilege, const LUID_AND_ATTRIBU
+@@ -675,7 +675,7 @@ static int filter_privilege( struct privilege *privilege, const LUID_AND_ATTRIBU
  struct token *token_duplicate( struct token *src_token, unsigned primary,
                                 int impersonation_level, const struct security_descriptor *sd,
                                 const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
@@ -133,7 +147,7 @@ index 5db97b4..bd251c7 100644
  {
      const luid_t *modified_id =
          primary || (impersonation_level == src_token->impersonation_level) ?
-@@ -735,6 +735,12 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
+@@ -742,6 +742,12 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
      if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
                              DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
  
@@ -146,7 +160,7 @@ index 5db97b4..bd251c7 100644
      return token;
  }
  
-@@ -906,6 +912,12 @@ struct token *token_create_admin( void )
+@@ -913,6 +919,12 @@ struct token *token_create_admin( void )
                                admin_source, NULL, -1, TokenElevationTypeFull, &high_label_sid );
          /* we really need a primary group */
          assert( token->primary_group );
@@ -159,7 +173,7 @@ index 5db97b4..bd251c7 100644
      }
  
      free( logon_sid );
-@@ -964,6 +976,12 @@ static struct token *token_create_limited( void )
+@@ -971,6 +983,12 @@ static struct token *token_create_limited( void )
                                admin_source, NULL, -1, TokenElevationTypeLimited, &medium_label_sid );
          /* we really need a primary group */
          assert( token->primary_group );
@@ -172,7 +186,7 @@ index 5db97b4..bd251c7 100644
      }
  
      free( logon_sid );
-@@ -1432,7 +1450,8 @@ DECL_HANDLER(duplicate_token)
+@@ -1439,7 +1457,8 @@ DECL_HANDLER(duplicate_token)
                                                       TOKEN_DUPLICATE,
                                                       &token_ops )))
      {
@@ -182,7 +196,7 @@ index 5db97b4..bd251c7 100644
          if (token)
          {
              unsigned int access = req->access ? req->access : get_handle_access( current->process, req->handle );
-@@ -1462,7 +1481,7 @@ DECL_HANDLER(filter_token)
+@@ -1469,7 +1488,7 @@ DECL_HANDLER(filter_token)
          group_count = get_sid_count( filter_groups, get_req_data_size() - priv_count * sizeof(LUID_AND_ATTRIBUTES) );
  
          token = token_duplicate( src_token, src_token->primary, src_token->impersonation_level, NULL,
@@ -191,7 +205,7 @@ index 5db97b4..bd251c7 100644
          if (token)
          {
              unsigned int access = get_handle_access( current->process, req->handle );
-@@ -1788,23 +1807,11 @@ DECL_HANDLER(set_token_default_dacl)
+@@ -1795,23 +1814,11 @@ DECL_HANDLER(set_token_default_dacl)
  DECL_HANDLER(create_token)
  {
      struct token *token;
@@ -218,5 +232,5 @@ index 5db97b4..bd251c7 100644
      }
  }
 -- 
-2.7.4
+2.27.0