server: Assign a default label to all tokens.
Signed-off-by: Matteo Bruni <mbruni@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>
This commit is contained in:
Michael Müller
Alexandre Julliard
parent
08f3fef34c
commit
a78d419420
|
|
@ -6847,7 +6847,6 @@ static void test_token_security_descriptor(void)
|
|||
defaulted = TRUE;
|
||||
ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
|
||||
ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
|
||||
todo_wine
|
||||
ok(present, "DACL not present\n");
|
||||
ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
|
||||
ok(!defaulted, "DACL defaulted\n");
|
||||
|
|
@ -6949,20 +6948,16 @@ static void test_child_token_sd(void)
|
|||
defaulted = TRUE;
|
||||
ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
|
||||
ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
|
||||
todo_wine ok(present, "DACL not present\n");
|
||||
ok(present, "DACL not present\n");
|
||||
ok(acl && acl != (void *)0xdeadbeef, "Got invalid DACL\n");
|
||||
ok(!defaulted, "DACL defaulted\n");
|
||||
|
||||
if (present && acl)
|
||||
ok(acl->AceCount, "Expected at least one ACE\n");
|
||||
for (i = 0; i < acl->AceCount; i++)
|
||||
{
|
||||
ok(acl != (void *)0xdeadbeef, "DACL not set\n");
|
||||
ok(!defaulted, "DACL defaulted\n");
|
||||
|
||||
ok(acl->AceCount, "Expected at least one ACE\n");
|
||||
for (i = 0; i < acl->AceCount; i++)
|
||||
{
|
||||
ok(pGetAce(acl, i, (void **)&acc_ace), "GetAce failed with error %u\n", GetLastError());
|
||||
ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
|
||||
"ACE inherited from the parent\n");
|
||||
}
|
||||
ok(pGetAce(acl, i, (void **)&acc_ace), "GetAce failed with error %u\n", GetLastError());
|
||||
ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
|
||||
"ACE inherited from the parent\n");
|
||||
}
|
||||
|
||||
LocalFree(psid);
|
||||
|
|
@ -6987,21 +6982,16 @@ static void test_child_token_sd(void)
|
|||
defaulted = TRUE;
|
||||
ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
|
||||
ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
|
||||
todo_wine ok(present, "SACL not present\n");
|
||||
|
||||
if (present && acl)
|
||||
{
|
||||
ok(acl != (void *)0xdeadbeef, "Got invalid SACL\n");
|
||||
ok(!defaulted, "SACL defaulted\n");
|
||||
|
||||
ok(acl->AceCount == 1, "Expected exactly one ACE\n");
|
||||
ret = pGetAce(acl, 0, (void **)&ace_label);
|
||||
ok(ret, "GetAce failed with error %u\n", GetLastError());
|
||||
ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
|
||||
"Unexpected ACE type %#x\n", ace_label->Header.AceType);
|
||||
ok(!EqualSid(&ace_label->SidStart, &low_level),
|
||||
"Low integrity level should not have been inherited\n");
|
||||
}
|
||||
ok(present, "SACL not present\n");
|
||||
ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
|
||||
ok(!defaulted, "SACL defaulted\n");
|
||||
ok(acl->AceCount == 1, "Expected exactly one ACE\n");
|
||||
ret = pGetAce(acl, 0, (void **)&ace_label);
|
||||
ok(ret, "GetAce failed with error %u\n", GetLastError());
|
||||
ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
|
||||
"Unexpected ACE type %#x\n", ace_label->Header.AceType);
|
||||
ok(!EqualSid(&ace_label->SidStart, &low_level),
|
||||
"Low integrity level should not have been inherited\n");
|
||||
|
||||
HeapFree(GetProcessHeap(), 0, sd);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -570,6 +570,12 @@ struct thread *create_process( int fd, struct thread *parent_thread, int inherit
|
|||
}
|
||||
if (!process->handles || !process->token) goto error;
|
||||
|
||||
/* Assign a high security label to the token. The default would be medium
|
||||
* but Wine provides admin access to all applications right now so high
|
||||
* makes more sense for the time being. */
|
||||
if (!token_assign_label( process->token, security_high_label_sid ))
|
||||
goto error;
|
||||
|
||||
/* create the main thread */
|
||||
if (pipe( request_pipe ) == -1)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -47,11 +47,13 @@ extern const PSID security_local_user_sid;
|
|||
extern const PSID security_local_system_sid;
|
||||
extern const PSID security_builtin_users_sid;
|
||||
extern const PSID security_builtin_admins_sid;
|
||||
extern const PSID security_high_label_sid;
|
||||
|
||||
|
||||
/* token functions */
|
||||
|
||||
extern struct token *token_create_admin(void);
|
||||
extern int token_assign_label( struct token *token, PSID label );
|
||||
extern struct token *token_duplicate( struct token *src_token, unsigned primary,
|
||||
int impersonation_level, const struct security_descriptor *sd );
|
||||
extern int token_check_privileges( struct token *token, int all_required,
|
||||
|
|
|
|||
|
|
@ -70,6 +70,7 @@ static const SID interactive_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY },
|
|||
static const SID anonymous_logon_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_ANONYMOUS_LOGON_RID } };
|
||||
static const SID authenticated_user_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_AUTHENTICATED_USER_RID } };
|
||||
static const SID local_system_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_LOCAL_SYSTEM_RID } };
|
||||
static const SID high_label_sid = { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY }, { SECURITY_MANDATORY_HIGH_RID } };
|
||||
static const struct /* same fields as struct SID */
|
||||
{
|
||||
BYTE Revision;
|
||||
|
|
@ -100,6 +101,7 @@ const PSID security_local_system_sid = (PSID)&local_system_sid;
|
|||
const PSID security_local_user_sid = (PSID)&local_user_sid;
|
||||
const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
|
||||
const PSID security_builtin_users_sid = (PSID)&builtin_users_sid;
|
||||
const PSID security_high_label_sid = (PSID)&high_label_sid;
|
||||
|
||||
static luid_t prev_luid_value = { 1000, 0 };
|
||||
|
||||
|
|
@ -726,6 +728,56 @@ struct sid_data
|
|||
unsigned int subauth[MAX_SUBAUTH_COUNT];
|
||||
};
|
||||
|
||||
static struct security_descriptor *create_security_label_sd( struct token *token, PSID label_sid )
|
||||
{
|
||||
size_t sid_len = security_sid_len( label_sid ), sacl_size, sd_size;
|
||||
SYSTEM_MANDATORY_LABEL_ACE *smla;
|
||||
struct security_descriptor *sd;
|
||||
ACL *sacl;
|
||||
|
||||
sacl_size = sizeof(ACL) + FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len;
|
||||
sd_size = sizeof(struct security_descriptor) + sacl_size;
|
||||
if (!(sd = mem_alloc( sd_size )))
|
||||
return NULL;
|
||||
|
||||
sd->control = SE_SACL_PRESENT;
|
||||
sd->owner_len = 0;
|
||||
sd->group_len = 0;
|
||||
sd->sacl_len = sacl_size;
|
||||
sd->dacl_len = 0;
|
||||
|
||||
sacl = (ACL *)(sd + 1);
|
||||
sacl->AclRevision = ACL_REVISION;
|
||||
sacl->Sbz1 = 0;
|
||||
sacl->AclSize = sacl_size;
|
||||
sacl->AceCount = 1;
|
||||
sacl->Sbz2 = 0;
|
||||
|
||||
smla = (SYSTEM_MANDATORY_LABEL_ACE *)(sacl + 1);
|
||||
smla->Header.AceType = SYSTEM_MANDATORY_LABEL_ACE_TYPE;
|
||||
smla->Header.AceFlags = 0;
|
||||
smla->Header.AceSize = FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len;
|
||||
smla->Mask = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP;
|
||||
memcpy( &smla->SidStart, label_sid, sid_len );
|
||||
|
||||
assert( sd_is_valid( sd, sd_size ) );
|
||||
return sd;
|
||||
}
|
||||
|
||||
int token_assign_label( struct token *token, PSID label )
|
||||
{
|
||||
struct security_descriptor *sd;
|
||||
int ret = 0;
|
||||
|
||||
if ((sd = create_security_label_sd( token, label )))
|
||||
{
|
||||
ret = set_sd_defaults_from_token( &token->obj, sd, LABEL_SECURITY_INFORMATION, token );
|
||||
free( sd );
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
struct token *token_create_admin( void )
|
||||
{
|
||||
struct token *token = NULL;
|
||||
|
|
|
|||
Loading…
Reference in New Issue