server: Add a data type for generic access mappings.

Signed-off-by: Alexandre Julliard <julliard@winehq.org>
2021-02-04 13:21:49 +01:00 · 2021-02-04 13:21:49 +01:00 · 928a22cd02
parent 4d483cd855
commit 928a22cd02
7 changed files with 49 additions and 45 deletions
--- a/dlls/ntdll/unix/security.c
+++ b/dlls/ntdll/unix/security.c
@ -723,10 +723,10 @@ NTSTATUS WINAPI NtAccessCheck( PSECURITY_DESCRIPTOR descr, HANDLE token, ACCESS_
    {
        req->handle = wine_server_obj_handle( token );
        req->desired_access = access;
-        req->mapping_read = mapping->GenericRead;
+        req->mapping.read = mapping->GenericRead;
-        req->mapping_write = mapping->GenericWrite;
+        req->mapping.write = mapping->GenericWrite;
-        req->mapping_execute = mapping->GenericExecute;
+        req->mapping.exec = mapping->GenericExecute;
-        req->mapping_all = mapping->GenericAll;
+        req->mapping.all = mapping->GenericAll;
        wine_server_add_data( req, objattr + 1, objattr->sd_len );
        wine_server_set_reply( req, privs->Privilege, *retlen - offsetof( PRIVILEGE_SET, Privilege ) );
--- a/include/wine/server_protocol.h
+++ b/include/wine/server_protocol.h
@ -366,6 +366,14 @@ typedef struct
    int          high_part;
 } luid_t;
 typedef struct
 {
    unsigned int read;
    unsigned int write;
    unsigned int exec;
    unsigned int all;
 } generic_map_t;
 #define MAX_ACL_LEN 65535
 struct security_descriptor
@ -4454,10 +4462,7 @@ struct access_check_request
    struct request_header __header;
    obj_handle_t    handle;
    unsigned int    desired_access;
-    unsigned int    mapping_read;
+    generic_map_t   mapping;
    unsigned int    mapping_write;
    unsigned int    mapping_execute;
    unsigned int    mapping_all;
    /* VARARG(sd,security_descriptor); */
    char __pad_36[4];
 };
@ -6229,7 +6234,7 @@ union generic_reply
 /* ### protocol_version begin ### */
-#define SERVER_PROTOCOL_VERSION 664
+#define SERVER_PROTOCOL_VERSION 665
 /* ### protocol_version end ### */
--- a/server/protocol.def
+++ b/server/protocol.def
@ -382,6 +382,14 @@ typedef struct
    int          high_part;
 } luid_t;
 typedef struct
 {
    unsigned int read;
    unsigned int write;
    unsigned int exec;
    unsigned int all;
 } generic_map_t;
 #define MAX_ACL_LEN 65535
 struct security_descriptor
@ -3135,10 +3143,7 @@ enum caret_state
@REQ(access_check)
    obj_handle_t    handle; /* handle to the token */
    unsigned int    desired_access; /* desired access to the object */
-    unsigned int    mapping_read; /* mapping from generic read to specific rights */
+    generic_map_t   mapping;        /* mapping to specific rights */
    unsigned int    mapping_write; /* mapping from generic write to specific rights */
    unsigned int    mapping_execute; /* mapping from generic execute to specific rights */
    unsigned int    mapping_all; /* mapping from generic all to specific rights */
    VARARG(sd,security_descriptor); /* security descriptor to check */
@REPLY
    unsigned int    access_granted; /* access rights actually granted */
--- a/server/request.h
+++ b/server/request.h
@ -691,6 +691,7 @@ C_ASSERT( sizeof(client_cpu_t) == 4 );
 C_ASSERT( sizeof(client_ptr_t) == 8 );
 C_ASSERT( sizeof(data_size_t) == 4 );
 C_ASSERT( sizeof(file_pos_t) == 8 );
 C_ASSERT( sizeof(generic_map_t) == 16 );
 C_ASSERT( sizeof(hw_input_t) == 32 );
 C_ASSERT( sizeof(int) == 4 );
 C_ASSERT( sizeof(ioctl_code_t) == 4 );
@ -1971,10 +1972,7 @@ C_ASSERT( FIELD_OFFSET(struct filter_token_reply, new_handle) == 8 );
 C_ASSERT( sizeof(struct filter_token_reply) == 16 );
 C_ASSERT( FIELD_OFFSET(struct access_check_request, handle) == 12 );
 C_ASSERT( FIELD_OFFSET(struct access_check_request, desired_access) == 16 );
-C_ASSERT( FIELD_OFFSET(struct access_check_request, mapping_read) == 20 );
+C_ASSERT( FIELD_OFFSET(struct access_check_request, mapping) == 20 );
 C_ASSERT( FIELD_OFFSET(struct access_check_request, mapping_write) == 24 );
 C_ASSERT( FIELD_OFFSET(struct access_check_request, mapping_execute) == 28 );
 C_ASSERT( FIELD_OFFSET(struct access_check_request, mapping_all) == 32 );
 C_ASSERT( sizeof(struct access_check_request) == 40 );
 C_ASSERT( FIELD_OFFSET(struct access_check_reply, access_granted) == 8 );
 C_ASSERT( FIELD_OFFSET(struct access_check_reply, access_status) == 12 );
--- a/server/token.c
+++ b/server/token.c
@ -464,13 +464,13 @@ ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl )
 }
 /* maps from generic rights to specific rights as given by a mapping */
-static inline void map_generic_mask(unsigned int *mask, const GENERIC_MAPPING *mapping)
+static inline void map_generic_mask( unsigned int *mask, const generic_map_t *mapping )
 {
-    if (*mask & GENERIC_READ) *mask |= mapping->GenericRead;
+    if (*mask & GENERIC_READ)    *mask |= mapping->read;
-    if (*mask & GENERIC_WRITE) *mask |= mapping->GenericWrite;
+    if (*mask & GENERIC_WRITE)   *mask |= mapping->write;
-    if (*mask & GENERIC_EXECUTE) *mask |= mapping->GenericExecute;
+    if (*mask & GENERIC_EXECUTE) *mask |= mapping->exec;
-    if (*mask & GENERIC_ALL) *mask |= mapping->GenericAll;
+    if (*mask & GENERIC_ALL)     *mask |= mapping->all;
-    *mask &= 0x0FFFFFFF;
+    *mask &= ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
 }
 static inline int is_equal_luid( const LUID *luid1, const LUID *luid2 )
@ -1039,7 +1039,7 @@ static unsigned int token_access_check( struct token *token,
                                 unsigned int desired_access,
                                 LUID_AND_ATTRIBUTES *privs,
                                 unsigned int *priv_count,
-                                 const GENERIC_MAPPING *mapping,
+                                 const generic_map_t *mapping,
                                 unsigned int *granted_access,
                                 unsigned int *status )
 {
@ -1074,7 +1074,7 @@ static unsigned int token_access_check( struct token *token,
    {
        if (priv_count) *priv_count = 0;
        if (desired_access & MAXIMUM_ALLOWED)
-            *granted_access = mapping->GenericAll;
+            *granted_access = mapping->all;
        else
            *granted_access = desired_access;
        return *status = STATUS_SUCCESS;
@ -1212,25 +1212,24 @@ const SID *token_get_primary_group( struct token *token )
 int check_object_access(struct token *token, struct object *obj, unsigned int *access)
 {
-    GENERIC_MAPPING mapping;
+    generic_map_t mapping;
    unsigned int status;
    int res;
    if (!token)
        token = current->token ? current->token : current->process->token;
-    mapping.GenericAll = obj->ops->map_access( obj, GENERIC_ALL );
+    mapping.all = obj->ops->map_access( obj, GENERIC_ALL );
    if (!obj->sd)
    {
-        if (*access & MAXIMUM_ALLOWED)
+        if (*access & MAXIMUM_ALLOWED) *access = mapping.all;
            *access = mapping.GenericAll;
        return TRUE;
    }
-    mapping.GenericRead  = obj->ops->map_access( obj, GENERIC_READ );
+    mapping.read  = obj->ops->map_access( obj, GENERIC_READ );
-    mapping.GenericWrite = obj->ops->map_access( obj, GENERIC_WRITE );
+    mapping.write = obj->ops->map_access( obj, GENERIC_WRITE );
-    mapping.GenericExecute = obj->ops->map_access( obj, GENERIC_EXECUTE );
+    mapping.exec = obj->ops->map_access( obj, GENERIC_EXECUTE );
    res = token_access_check( token, obj->sd, *access, NULL, NULL,
                              &mapping, access, &status ) == STATUS_SUCCESS &&
@ -1451,7 +1450,6 @@ DECL_HANDLER(access_check)
                                                 TOKEN_QUERY,
                                                 &token_ops )))
    {
        GENERIC_MAPPING mapping;
        unsigned int status;
        LUID_AND_ATTRIBUTES priv;
        unsigned int priv_count = 1;
@ -1473,14 +1471,8 @@ DECL_HANDLER(access_check)
            return;
        }
-        mapping.GenericRead = req->mapping_read;
+        status = token_access_check( token, sd, req->desired_access, &priv, &priv_count, &req->mapping,
-        mapping.GenericWrite = req->mapping_write;
+                                     &reply->access_granted, &reply->access_status );
        mapping.GenericExecute = req->mapping_execute;
        mapping.GenericAll = req->mapping_all;
        status = token_access_check(
            token, sd, req->desired_access, &priv, &priv_count, &mapping,
            &reply->access_granted, &reply->access_status );
        reply->privileges_len = priv_count*sizeof(LUID_AND_ATTRIBUTES);
--- a/server/trace.c
+++ b/server/trace.c
@ -427,6 +427,12 @@ static void dump_luid( const char *prefix, const luid_t *luid )
    fprintf( stderr, "%s%d.%u", prefix, luid->high_part, luid->low_part );
 }
 static void dump_generic_map( const char *prefix, const generic_map_t *map )
 {
    fprintf( stderr, "%s{r=%08x,w=%08x,x=%08x,a=%08x}",
             prefix, map->read, map->write, map->exec, map->all );
 }
 static void dump_varargs_ints( const char *prefix, data_size_t size )
 {
    const int *data = cur_data;
@ -3814,10 +3820,7 @@ static void dump_access_check_request( const struct access_check_request *req )
 {
    fprintf( stderr, " handle=%04x", req->handle );
    fprintf( stderr, ", desired_access=%08x", req->desired_access );
-    fprintf( stderr, ", mapping_read=%08x", req->mapping_read );
+    dump_generic_map( ", mapping=", &req->mapping );
    fprintf( stderr, ", mapping_write=%08x", req->mapping_write );
    fprintf( stderr, ", mapping_execute=%08x", req->mapping_execute );
    fprintf( stderr, ", mapping_all=%08x", req->mapping_all );
    dump_varargs_security_descriptor( ", sd=", cur_size );
 }
--- a/tools/make_requests
+++ b/tools/make_requests
@ -50,6 +50,7 @@ my %formats =
    "async_data_t"  => [  40,  8,  "&dump_async_data" ],
    "irp_params_t"  => [  32,  8,  "&dump_irp_params" ],
    "luid_t"        => [  8,   4,  "&dump_luid" ],
    "generic_map_t" => [  16,  4,  "&dump_generic_map" ],
    "ioctl_code_t"  => [  4,   4,  "&dump_ioctl_code" ],
    "client_cpu_t"  => [  4,   4,  "&dump_client_cpu" ],
    "hw_input_t"    => [  32,  8,  "&dump_hw_input" ],