server: Add a data type for generic access mappings.

Signed-off-by: Alexandre Julliard <julliard@winehq.org>
This commit is contained in:
Alexandre Julliard 2021-02-04 13:21:49 +01:00
parent 4d483cd855
commit 928a22cd02
7 changed files with 49 additions and 45 deletions

View File

@ -723,10 +723,10 @@ NTSTATUS WINAPI NtAccessCheck( PSECURITY_DESCRIPTOR descr, HANDLE token, ACCESS_
{
req->handle = wine_server_obj_handle( token );
req->desired_access = access;
req->mapping_read = mapping->GenericRead;
req->mapping_write = mapping->GenericWrite;
req->mapping_execute = mapping->GenericExecute;
req->mapping_all = mapping->GenericAll;
req->mapping.read = mapping->GenericRead;
req->mapping.write = mapping->GenericWrite;
req->mapping.exec = mapping->GenericExecute;
req->mapping.all = mapping->GenericAll;
wine_server_add_data( req, objattr + 1, objattr->sd_len );
wine_server_set_reply( req, privs->Privilege, *retlen - offsetof( PRIVILEGE_SET, Privilege ) );

View File

@ -366,6 +366,14 @@ typedef struct
int high_part;
} luid_t;
typedef struct
{
unsigned int read;
unsigned int write;
unsigned int exec;
unsigned int all;
} generic_map_t;
#define MAX_ACL_LEN 65535
struct security_descriptor
@ -4454,10 +4462,7 @@ struct access_check_request
struct request_header __header;
obj_handle_t handle;
unsigned int desired_access;
unsigned int mapping_read;
unsigned int mapping_write;
unsigned int mapping_execute;
unsigned int mapping_all;
generic_map_t mapping;
/* VARARG(sd,security_descriptor); */
char __pad_36[4];
};
@ -6229,7 +6234,7 @@ union generic_reply
/* ### protocol_version begin ### */
#define SERVER_PROTOCOL_VERSION 664
#define SERVER_PROTOCOL_VERSION 665
/* ### protocol_version end ### */

View File

@ -382,6 +382,14 @@ typedef struct
int high_part;
} luid_t;
typedef struct
{
unsigned int read;
unsigned int write;
unsigned int exec;
unsigned int all;
} generic_map_t;
#define MAX_ACL_LEN 65535
struct security_descriptor
@ -3135,10 +3143,7 @@ enum caret_state
@REQ(access_check)
obj_handle_t handle; /* handle to the token */
unsigned int desired_access; /* desired access to the object */
unsigned int mapping_read; /* mapping from generic read to specific rights */
unsigned int mapping_write; /* mapping from generic write to specific rights */
unsigned int mapping_execute; /* mapping from generic execute to specific rights */
unsigned int mapping_all; /* mapping from generic all to specific rights */
generic_map_t mapping; /* mapping to specific rights */
VARARG(sd,security_descriptor); /* security descriptor to check */
@REPLY
unsigned int access_granted; /* access rights actually granted */

View File

@ -691,6 +691,7 @@ C_ASSERT( sizeof(client_cpu_t) == 4 );
C_ASSERT( sizeof(client_ptr_t) == 8 );
C_ASSERT( sizeof(data_size_t) == 4 );
C_ASSERT( sizeof(file_pos_t) == 8 );
C_ASSERT( sizeof(generic_map_t) == 16 );
C_ASSERT( sizeof(hw_input_t) == 32 );
C_ASSERT( sizeof(int) == 4 );
C_ASSERT( sizeof(ioctl_code_t) == 4 );
@ -1971,10 +1972,7 @@ C_ASSERT( FIELD_OFFSET(struct filter_token_reply, new_handle) == 8 );
C_ASSERT( sizeof(struct filter_token_reply) == 16 );
C_ASSERT( FIELD_OFFSET(struct access_check_request, handle) == 12 );
C_ASSERT( FIELD_OFFSET(struct access_check_request, desired_access) == 16 );
C_ASSERT( FIELD_OFFSET(struct access_check_request, mapping_read) == 20 );
C_ASSERT( FIELD_OFFSET(struct access_check_request, mapping_write) == 24 );
C_ASSERT( FIELD_OFFSET(struct access_check_request, mapping_execute) == 28 );
C_ASSERT( FIELD_OFFSET(struct access_check_request, mapping_all) == 32 );
C_ASSERT( FIELD_OFFSET(struct access_check_request, mapping) == 20 );
C_ASSERT( sizeof(struct access_check_request) == 40 );
C_ASSERT( FIELD_OFFSET(struct access_check_reply, access_granted) == 8 );
C_ASSERT( FIELD_OFFSET(struct access_check_reply, access_status) == 12 );

View File

@ -464,13 +464,13 @@ ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl )
}
/* maps from generic rights to specific rights as given by a mapping */
static inline void map_generic_mask(unsigned int *mask, const GENERIC_MAPPING *mapping)
static inline void map_generic_mask( unsigned int *mask, const generic_map_t *mapping )
{
if (*mask & GENERIC_READ) *mask |= mapping->GenericRead;
if (*mask & GENERIC_WRITE) *mask |= mapping->GenericWrite;
if (*mask & GENERIC_EXECUTE) *mask |= mapping->GenericExecute;
if (*mask & GENERIC_ALL) *mask |= mapping->GenericAll;
*mask &= 0x0FFFFFFF;
if (*mask & GENERIC_READ) *mask |= mapping->read;
if (*mask & GENERIC_WRITE) *mask |= mapping->write;
if (*mask & GENERIC_EXECUTE) *mask |= mapping->exec;
if (*mask & GENERIC_ALL) *mask |= mapping->all;
*mask &= ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}
static inline int is_equal_luid( const LUID *luid1, const LUID *luid2 )
@ -1039,7 +1039,7 @@ static unsigned int token_access_check( struct token *token,
unsigned int desired_access,
LUID_AND_ATTRIBUTES *privs,
unsigned int *priv_count,
const GENERIC_MAPPING *mapping,
const generic_map_t *mapping,
unsigned int *granted_access,
unsigned int *status )
{
@ -1074,7 +1074,7 @@ static unsigned int token_access_check( struct token *token,
{
if (priv_count) *priv_count = 0;
if (desired_access & MAXIMUM_ALLOWED)
*granted_access = mapping->GenericAll;
*granted_access = mapping->all;
else
*granted_access = desired_access;
return *status = STATUS_SUCCESS;
@ -1212,25 +1212,24 @@ const SID *token_get_primary_group( struct token *token )
int check_object_access(struct token *token, struct object *obj, unsigned int *access)
{
GENERIC_MAPPING mapping;
generic_map_t mapping;
unsigned int status;
int res;
if (!token)
token = current->token ? current->token : current->process->token;
mapping.GenericAll = obj->ops->map_access( obj, GENERIC_ALL );
mapping.all = obj->ops->map_access( obj, GENERIC_ALL );
if (!obj->sd)
{
if (*access & MAXIMUM_ALLOWED)
*access = mapping.GenericAll;
if (*access & MAXIMUM_ALLOWED) *access = mapping.all;
return TRUE;
}
mapping.GenericRead = obj->ops->map_access( obj, GENERIC_READ );
mapping.GenericWrite = obj->ops->map_access( obj, GENERIC_WRITE );
mapping.GenericExecute = obj->ops->map_access( obj, GENERIC_EXECUTE );
mapping.read = obj->ops->map_access( obj, GENERIC_READ );
mapping.write = obj->ops->map_access( obj, GENERIC_WRITE );
mapping.exec = obj->ops->map_access( obj, GENERIC_EXECUTE );
res = token_access_check( token, obj->sd, *access, NULL, NULL,
&mapping, access, &status ) == STATUS_SUCCESS &&
@ -1451,7 +1450,6 @@ DECL_HANDLER(access_check)
TOKEN_QUERY,
&token_ops )))
{
GENERIC_MAPPING mapping;
unsigned int status;
LUID_AND_ATTRIBUTES priv;
unsigned int priv_count = 1;
@ -1473,14 +1471,8 @@ DECL_HANDLER(access_check)
return;
}
mapping.GenericRead = req->mapping_read;
mapping.GenericWrite = req->mapping_write;
mapping.GenericExecute = req->mapping_execute;
mapping.GenericAll = req->mapping_all;
status = token_access_check(
token, sd, req->desired_access, &priv, &priv_count, &mapping,
&reply->access_granted, &reply->access_status );
status = token_access_check( token, sd, req->desired_access, &priv, &priv_count, &req->mapping,
&reply->access_granted, &reply->access_status );
reply->privileges_len = priv_count*sizeof(LUID_AND_ATTRIBUTES);

View File

@ -427,6 +427,12 @@ static void dump_luid( const char *prefix, const luid_t *luid )
fprintf( stderr, "%s%d.%u", prefix, luid->high_part, luid->low_part );
}
static void dump_generic_map( const char *prefix, const generic_map_t *map )
{
fprintf( stderr, "%s{r=%08x,w=%08x,x=%08x,a=%08x}",
prefix, map->read, map->write, map->exec, map->all );
}
static void dump_varargs_ints( const char *prefix, data_size_t size )
{
const int *data = cur_data;
@ -3814,10 +3820,7 @@ static void dump_access_check_request( const struct access_check_request *req )
{
fprintf( stderr, " handle=%04x", req->handle );
fprintf( stderr, ", desired_access=%08x", req->desired_access );
fprintf( stderr, ", mapping_read=%08x", req->mapping_read );
fprintf( stderr, ", mapping_write=%08x", req->mapping_write );
fprintf( stderr, ", mapping_execute=%08x", req->mapping_execute );
fprintf( stderr, ", mapping_all=%08x", req->mapping_all );
dump_generic_map( ", mapping=", &req->mapping );
dump_varargs_security_descriptor( ", sd=", cur_size );
}

View File

@ -50,6 +50,7 @@ my %formats =
"async_data_t" => [ 40, 8, "&dump_async_data" ],
"irp_params_t" => [ 32, 8, "&dump_irp_params" ],
"luid_t" => [ 8, 4, "&dump_luid" ],
"generic_map_t" => [ 16, 4, "&dump_generic_map" ],
"ioctl_code_t" => [ 4, 4, "&dump_ioctl_code" ],
"client_cpu_t" => [ 4, 4, "&dump_client_cpu" ],
"hw_input_t" => [ 32, 8, "&dump_hw_input" ],