server: Assign a default label to all tokens.

Signed-off-by: Matteo Bruni <mbruni@codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
This commit is contained in:
Michael Müller 2017-06-16 20:41:36 +02:00 committed by Alexandre Julliard
parent 08f3fef34c
commit a78d419420
4 changed files with 78 additions and 28 deletions

View File

@ -6847,7 +6847,6 @@ static void test_token_security_descriptor(void)
defaulted = TRUE;
ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
todo_wine
ok(present, "DACL not present\n");
ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
ok(!defaulted, "DACL defaulted\n");
@ -6949,11 +6948,8 @@ static void test_child_token_sd(void)
defaulted = TRUE;
ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
todo_wine ok(present, "DACL not present\n");
if (present && acl)
{
ok(acl != (void *)0xdeadbeef, "DACL not set\n");
ok(present, "DACL not present\n");
ok(acl && acl != (void *)0xdeadbeef, "Got invalid DACL\n");
ok(!defaulted, "DACL defaulted\n");
ok(acl->AceCount, "Expected at least one ACE\n");
@ -6963,7 +6959,6 @@ static void test_child_token_sd(void)
ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
"ACE inherited from the parent\n");
}
}
LocalFree(psid);
HeapFree(GetProcessHeap(), 0, sd);
@ -6987,13 +6982,9 @@ static void test_child_token_sd(void)
defaulted = TRUE;
ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
todo_wine ok(present, "SACL not present\n");
if (present && acl)
{
ok(acl != (void *)0xdeadbeef, "Got invalid SACL\n");
ok(present, "SACL not present\n");
ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
ok(!defaulted, "SACL defaulted\n");
ok(acl->AceCount == 1, "Expected exactly one ACE\n");
ret = pGetAce(acl, 0, (void **)&ace_label);
ok(ret, "GetAce failed with error %u\n", GetLastError());
@ -7001,7 +6992,6 @@ static void test_child_token_sd(void)
"Unexpected ACE type %#x\n", ace_label->Header.AceType);
ok(!EqualSid(&ace_label->SidStart, &low_level),
"Low integrity level should not have been inherited\n");
}
HeapFree(GetProcessHeap(), 0, sd);
}

View File

@ -570,6 +570,12 @@ struct thread *create_process( int fd, struct thread *parent_thread, int inherit
}
if (!process->handles || !process->token) goto error;
/* Assign a high security label to the token. The default would be medium
* but Wine provides admin access to all applications right now so high
* makes more sense for the time being. */
if (!token_assign_label( process->token, security_high_label_sid ))
goto error;
/* create the main thread */
if (pipe( request_pipe ) == -1)
{

View File

@ -47,11 +47,13 @@ extern const PSID security_local_user_sid;
extern const PSID security_local_system_sid;
extern const PSID security_builtin_users_sid;
extern const PSID security_builtin_admins_sid;
extern const PSID security_high_label_sid;
/* token functions */
extern struct token *token_create_admin(void);
extern int token_assign_label( struct token *token, PSID label );
extern struct token *token_duplicate( struct token *src_token, unsigned primary,
int impersonation_level, const struct security_descriptor *sd );
extern int token_check_privileges( struct token *token, int all_required,

View File

@ -70,6 +70,7 @@ static const SID interactive_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY },
static const SID anonymous_logon_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_ANONYMOUS_LOGON_RID } };
static const SID authenticated_user_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_AUTHENTICATED_USER_RID } };
static const SID local_system_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_LOCAL_SYSTEM_RID } };
static const SID high_label_sid = { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY }, { SECURITY_MANDATORY_HIGH_RID } };
static const struct /* same fields as struct SID */
{
BYTE Revision;
@ -100,6 +101,7 @@ const PSID security_local_system_sid = (PSID)&local_system_sid;
const PSID security_local_user_sid = (PSID)&local_user_sid;
const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
const PSID security_builtin_users_sid = (PSID)&builtin_users_sid;
const PSID security_high_label_sid = (PSID)&high_label_sid;
static luid_t prev_luid_value = { 1000, 0 };
@ -726,6 +728,56 @@ struct sid_data
unsigned int subauth[MAX_SUBAUTH_COUNT];
};
static struct security_descriptor *create_security_label_sd( struct token *token, PSID label_sid )
{
size_t sid_len = security_sid_len( label_sid ), sacl_size, sd_size;
SYSTEM_MANDATORY_LABEL_ACE *smla;
struct security_descriptor *sd;
ACL *sacl;
sacl_size = sizeof(ACL) + FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len;
sd_size = sizeof(struct security_descriptor) + sacl_size;
if (!(sd = mem_alloc( sd_size )))
return NULL;
sd->control = SE_SACL_PRESENT;
sd->owner_len = 0;
sd->group_len = 0;
sd->sacl_len = sacl_size;
sd->dacl_len = 0;
sacl = (ACL *)(sd + 1);
sacl->AclRevision = ACL_REVISION;
sacl->Sbz1 = 0;
sacl->AclSize = sacl_size;
sacl->AceCount = 1;
sacl->Sbz2 = 0;
smla = (SYSTEM_MANDATORY_LABEL_ACE *)(sacl + 1);
smla->Header.AceType = SYSTEM_MANDATORY_LABEL_ACE_TYPE;
smla->Header.AceFlags = 0;
smla->Header.AceSize = FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len;
smla->Mask = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP;
memcpy( &smla->SidStart, label_sid, sid_len );
assert( sd_is_valid( sd, sd_size ) );
return sd;
}
int token_assign_label( struct token *token, PSID label )
{
struct security_descriptor *sd;
int ret = 0;
if ((sd = create_security_label_sd( token, label )))
{
ret = set_sd_defaults_from_token( &token->obj, sd, LABEL_SECURITY_INFORMATION, token );
free( sd );
}
return ret;
}
struct token *token_create_admin( void )
{
struct token *token = NULL;