server: Define a server-side structure for ACL.

Signed-off-by: Alexandre Julliard <julliard@winehq.org>
2022-01-25 12:10:40 +01:00 · 2022-01-25 12:10:40 +01:00 · c36f81fa75
parent bf3442fab6
commit c36f81fa75
10 changed files with 144 additions and 120 deletions
--- a/include/wine/server_protocol.h
+++ b/include/wine/server_protocol.h
@ -376,6 +376,15 @@ struct luid_attr
    unsigned int attrs;
 };

+struct acl
+{
+    unsigned char  revision;
+    unsigned char  pad1;
+    unsigned short size;
+    unsigned short count;
+    unsigned short pad2;
+};
+
 typedef struct
 {
    unsigned int read;
@ -4467,7 +4476,7 @@ struct get_token_default_dacl_reply
 {
    struct reply_header __header;
    data_size_t     acl_len;
-    /* VARARG(acl,ACL); */
+    /* VARARG(acl,acl); */
    char __pad_12[4];
 };

@ -4475,7 +4484,7 @@ struct set_token_default_dacl_request
 {
    struct request_header __header;
    obj_handle_t    handle;
-    /* VARARG(acl,ACL); */
+    /* VARARG(acl,acl); */
 };
 struct set_token_default_dacl_reply
 {
@ -6252,7 +6261,7 @@ union generic_reply

 /* ### protocol_version begin ### */

-#define SERVER_PROTOCOL_VERSION 740
+#define SERVER_PROTOCOL_VERSION 741

 /* ### protocol_version end ### */

--- a/server/file.c
+++ b/server/file.c
@ -312,13 +312,13 @@ struct security_descriptor *mode_to_sd( mode_t mode, const SID *user, const SID
    size_t dacl_size;
    ACE_HEADER *current_ace;
    ACCESS_ALLOWED_ACE *aaa;
-    ACL *dacl;
+    struct acl *dacl;
    SID *sid;
    char *ptr;
    const SID *world_sid = security_world_sid;
    const SID *local_system_sid = security_local_system_sid;

-    dacl_size = sizeof(ACL) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) +
+    dacl_size = sizeof(*dacl) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) +
        security_sid_len( local_system_sid );
    if (mode & S_IRWXU)
        dacl_size += FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + security_sid_len( user );
@ -346,16 +346,18 @@ struct security_descriptor *mode_to_sd( mode_t mode, const SID *user, const SID
    memcpy( ptr, group, sd->group_len );
    ptr += sd->group_len;

-    dacl = (ACL *)ptr;
-    dacl->AclRevision = ACL_REVISION;
-    dacl->Sbz1 = 0;
-    dacl->AclSize = dacl_size;
-    dacl->AceCount = 1 + (mode & S_IRWXU ? 1 : 0) + (mode & S_IRWXO ? 1 : 0);
+    dacl = (struct acl *)ptr;
+    dacl->revision = ACL_REVISION;
+    dacl->pad1     = 0;
+    dacl->size     = dacl_size;
+    dacl->count    = 1;
+    dacl->pad2     = 0;
+    if (mode & S_IRWXU) dacl->count++;
    if ((!(mode & S_IRUSR) && (mode & (S_IRGRP|S_IROTH))) ||
        (!(mode & S_IWUSR) && (mode & (S_IWGRP|S_IWOTH))) ||
        (!(mode & S_IXUSR) && (mode & (S_IXGRP|S_IXOTH))))
-        dacl->AceCount++;
-    dacl->Sbz2 = 0;
+        dacl->count++;
+    if (mode & S_IRWXO) dacl->count++;

    /* always give FILE_ALL_ACCESS for Local System */
    aaa = (ACCESS_ALLOWED_ACE *)(dacl + 1);
@ -470,12 +472,12 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner )
    mode_t bits_to_set = ~0;
    mode_t mode;
    int present;
-    const ACL *dacl = sd_get_dacl( sd, &present );
+    const struct acl *dacl = sd_get_dacl( sd, &present );
    if (present && dacl)
    {
        const ACE_HEADER *ace = (const ACE_HEADER *)(dacl + 1);
        ULONG i;
-        for (i = 0; i < dacl->AceCount; i++, ace = ace_next( ace ))
+        for (i = 0; i < dacl->count; i++, ace = ace_next( ace ))
        {
            const ACCESS_ALLOWED_ACE *aa_ace;
            const ACCESS_DENIED_ACE *ad_ace;
--- a/server/handle.c
+++ b/server/handle.c
@ -738,8 +738,8 @@ DECL_HANDLER(get_security_object)
    struct security_descriptor req_sd;
    int present;
    const SID *owner, *group;
-    const ACL *sacl, *dacl;
-    ACL *label_acl = NULL;
+    const struct acl *sacl, *dacl;
+    struct acl *label_acl = NULL;

    if (req->security_info & SACL_SECURITY_INFORMATION)
        access |= ACCESS_SYSTEM_SECURITY;
@ -769,7 +769,7 @@ DECL_HANDLER(get_security_object)
        else if (req->security_info & LABEL_SECURITY_INFORMATION && present && sacl)
        {
            if (!(label_acl = extract_security_labels( sacl ))) goto done;
-            req_sd.sacl_len = label_acl->AclSize;
+            req_sd.sacl_len = label_acl->size;
            sacl = label_acl;
        }
        else
--- a/server/object.c
+++ b/server/object.c
@ -544,8 +544,8 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
    struct security_descriptor new_sd, *new_sd_ptr;
    int present;
    const SID *owner = NULL, *group = NULL;
-    const ACL *sacl, *dacl;
-    ACL *replaced_sacl = NULL;
+    const struct acl *sacl, *dacl;
+    struct acl *replaced_sacl = NULL;
    char *ptr;

    if (!set_info) return 1;
@ -594,11 +594,11 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
    }
    else if (set_info & LABEL_SECURITY_INFORMATION && present)
    {
-        const ACL *old_sacl = NULL;
+        const struct acl *old_sacl = NULL;
        if (obj->sd && obj->sd->control & SE_SACL_PRESENT) old_sacl = sd_get_sacl( obj->sd, &present );
        if (!(replaced_sacl = replace_security_labels( old_sacl, sacl ))) return 0;
        new_sd.control |= SE_SACL_PRESENT;
-        new_sd.sacl_len = replaced_sacl->AclSize;
+        new_sd.sacl_len = replaced_sacl->size;
        sacl = replaced_sacl;
    }
    else
@ -633,7 +633,7 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri
        {
            dacl = token_get_default_dacl( token );
            new_sd.control |= SE_DACL_PRESENT;
-            new_sd.dacl_len = dacl->AclSize;
+            new_sd.dacl_len = dacl->size;
        }
        else new_sd.dacl_len = 0;
    }
--- a/server/process.c
+++ b/server/process.c
@ -825,10 +825,10 @@ static struct security_descriptor *process_get_sd( struct object *obj )
    {
        size_t users_sid_len = security_sid_len( security_domain_users_sid );
        size_t admins_sid_len = security_sid_len( security_builtin_admins_sid );
-        size_t dacl_len = sizeof(ACL) + 2 * offsetof( ACCESS_ALLOWED_ACE, SidStart )
+        size_t dacl_len = sizeof(struct acl) + 2 * offsetof( ACCESS_ALLOWED_ACE, SidStart )
                          + users_sid_len + admins_sid_len;
        ACCESS_ALLOWED_ACE *aaa;
-        ACL *dacl;
+        struct acl *dacl;

        process_default_sd = mem_alloc( sizeof(*process_default_sd) + admins_sid_len + users_sid_len
                                    + dacl_len );
@ -840,12 +840,12 @@ static struct security_descriptor *process_get_sd( struct object *obj )
        memcpy( process_default_sd + 1, security_builtin_admins_sid, admins_sid_len );
        memcpy( (char *)(process_default_sd + 1) + admins_sid_len, security_domain_users_sid, users_sid_len );

-        dacl = (ACL *)((char *)(process_default_sd + 1) + admins_sid_len + users_sid_len);
-        dacl->AclRevision = ACL_REVISION;
-        dacl->Sbz1 = 0;
-        dacl->AclSize = dacl_len;
-        dacl->AceCount = 2;
-        dacl->Sbz2 = 0;
+        dacl = (struct acl *)((char *)(process_default_sd + 1) + admins_sid_len + users_sid_len);
+        dacl->revision = ACL_REVISION;
+        dacl->pad1     = 0;
+        dacl->size     = dacl_len;
+        dacl->count    = 2;
+        dacl->pad2     = 0;
        aaa = (ACCESS_ALLOWED_ACE *)(dacl + 1);
        aaa->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
        aaa->Header.AceFlags = INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE;
--- a/server/protocol.def
+++ b/server/protocol.def
@ -392,6 +392,15 @@ struct luid_attr
    unsigned int attrs;
 };

+struct acl
+{
+    unsigned char  revision;
+    unsigned char  pad1;
+    unsigned short size;
+    unsigned short count;
+    unsigned short pad2;
+};
+
 typedef struct
 {
    unsigned int read;
@ -411,8 +420,8 @@ struct security_descriptor
    data_size_t  dacl_len;
    /* VARARG(owner,SID); */
    /* VARARG(group,SID); */
-    /* VARARG(sacl,ACL); */
-    /* VARARG(dacl,ACL); */
+    /* VARARG(sacl,acl); */
+    /* VARARG(dacl,acl); */
 };

 struct object_attributes
@ -3165,12 +3174,12 @@ enum caret_state
    obj_handle_t    handle;     /* handle to the token */
@REPLY
    data_size_t     acl_len;    /* length needed to store access control list */
-    VARARG(acl,ACL);            /* access control list */
+    VARARG(acl,acl);            /* access control list */
@END

@REQ(set_token_default_dacl)
    obj_handle_t    handle;     /* handle to the token */
-    VARARG(acl,ACL);            /* default dacl to set */
+    VARARG(acl,acl);            /* default dacl to set */
@END

@REQ(set_security_object)
--- a/server/registry.c
+++ b/server/registry.c
@ -369,12 +369,12 @@ static struct security_descriptor *key_get_sd( struct object *obj )

    if (!key_default_sd)
    {
+        struct acl *dacl;
        size_t users_sid_len = security_sid_len( security_builtin_users_sid );
        size_t admins_sid_len = security_sid_len( security_builtin_admins_sid );
-        size_t dacl_len = sizeof(ACL) + 2 * offsetof( ACCESS_ALLOWED_ACE, SidStart )
+        size_t dacl_len = sizeof(*dacl) + 2 * offsetof( ACCESS_ALLOWED_ACE, SidStart )
                          + users_sid_len + admins_sid_len;
        ACCESS_ALLOWED_ACE *aaa;
-        ACL *dacl;

        key_default_sd = mem_alloc( sizeof(*key_default_sd) + 2 * admins_sid_len + dacl_len );
        key_default_sd->control   = SE_DACL_PRESENT;
@ -385,12 +385,12 @@ static struct security_descriptor *key_get_sd( struct object *obj )
        memcpy( key_default_sd + 1, security_builtin_admins_sid, admins_sid_len );
        memcpy( (char *)(key_default_sd + 1) + admins_sid_len, security_builtin_admins_sid, admins_sid_len );

-        dacl = (ACL *)((char *)(key_default_sd + 1) + 2 * admins_sid_len);
-        dacl->AclRevision = ACL_REVISION;
-        dacl->Sbz1 = 0;
-        dacl->AclSize = dacl_len;
-        dacl->AceCount = 2;
-        dacl->Sbz2 = 0;
+        dacl = (struct acl *)((char *)(key_default_sd + 1) + 2 * admins_sid_len);
+        dacl->revision = ACL_REVISION;
+        dacl->pad1     = 0;
+        dacl->size     = dacl_len;
+        dacl->count    = 2;
+        dacl->pad2     = 0;
        aaa = (ACCESS_ALLOWED_ACE *)(dacl + 1);
        aaa->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
        aaa->Header.AceFlags = INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE;
--- a/server/security.h
+++ b/server/security.h
@ -65,7 +65,7 @@ extern struct token *token_duplicate( struct token *src_token, unsigned primary,
 extern int token_check_privileges( struct token *token, int all_required,
                                   const struct luid_attr *reqprivs,
                                   unsigned int count, struct luid_attr *usedprivs );
-extern const ACL *token_get_default_dacl( struct token *token );
+extern const struct acl *token_get_default_dacl( struct token *token );
 extern const SID *token_get_user( struct token *token );
 extern const SID *token_get_primary_group( struct token *token );
 extern unsigned int token_get_session_id( struct token *token );
@ -105,28 +105,28 @@ static inline int thread_single_check_privilege( struct thread *thread, struct l
 /* security descriptor helper functions */

 extern int sd_is_valid( const struct security_descriptor *sd, data_size_t size );
-extern ACL *extract_security_labels( const ACL *sacl );
-extern ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl );
+extern struct acl *extract_security_labels( const struct acl *sacl );
+extern struct acl *replace_security_labels( const struct acl *old_sacl, const struct acl *new_sacl );

 /* gets the discretionary access control list from a security descriptor */
-static inline const ACL *sd_get_dacl( const struct security_descriptor *sd, int *present )
+static inline const struct acl *sd_get_dacl( const struct security_descriptor *sd, int *present )
 {
    *present = (sd->control & SE_DACL_PRESENT) != 0;

    if (sd->dacl_len)
-        return (const ACL *)((const char *)(sd + 1) +
+        return (const struct acl *)((const char *)(sd + 1) +
            sd->owner_len + sd->group_len + sd->sacl_len);
    else
        return NULL;
 }

 /* gets the system access control list from a security descriptor */
-static inline const ACL *sd_get_sacl( const struct security_descriptor *sd, int *present )
+static inline const struct acl *sd_get_sacl( const struct security_descriptor *sd, int *present )
 {
    *present = (sd->control & SE_SACL_PRESENT) != 0;

    if (sd->sacl_len)
-        return (const ACL *)((const char *)(sd + 1) +
+        return (const struct acl *)((const char *)(sd + 1) +
            sd->owner_len + sd->group_len);
    else
        return NULL;
--- a/server/token.c
+++ b/server/token.c
@ -128,7 +128,7 @@ struct token
    SID           *primary_group;   /* SID of user's primary group (points to one of groups) */
    unsigned int   primary;         /* is this a primary or impersonation token? */
    unsigned int   session_id;      /* token session id */
-    ACL           *default_dacl;    /* the default DACL to assign to objects created by this user */
+    struct acl    *default_dacl;    /* the default DACL to assign to objects created by this user */
    TOKEN_SOURCE   source;          /* source of the token */
    int            impersonation_level; /* impersonation level this token is capable of if non-primary token */
    int            elevation;       /* elevation type */
@ -235,20 +235,18 @@ const SID *security_unix_uid_to_sid( uid_t uid )
        return &anonymous_logon_sid;
 }

-static int acl_is_valid( const ACL *acl, data_size_t size )
+static int acl_is_valid( const struct acl *acl, data_size_t size )
 {
    ULONG i;
    const ACE_HEADER *ace;

-    if (size < sizeof(ACL))
-        return FALSE;
+    if (size < sizeof(*acl)) return FALSE;

    size = min(size, MAX_ACL_LEN);
-
-    size -= sizeof(ACL);
+    size -= sizeof(*acl);

    ace = (const ACE_HEADER *)(acl + 1);
-    for (i = 0; i < acl->AceCount; i++)
+    for (i = 0; i < acl->count; i++)
    {
        const SID *sid;
        data_size_t sid_size;
@ -310,8 +308,8 @@ int sd_is_valid( const struct security_descriptor *sd, data_size_t size )
    size_t offset = sizeof(struct security_descriptor);
    const SID *group;
    const SID *owner;
-    const ACL *sacl;
-    const ACL *dacl;
+    const struct acl *sacl;
+    const struct acl *dacl;
    int dummy;

    if (size < offset)
@ -357,16 +355,16 @@ int sd_is_valid( const struct security_descriptor *sd, data_size_t size )
 }

 /* extract security labels from SACL */
-ACL *extract_security_labels( const ACL *sacl )
+struct acl *extract_security_labels( const struct acl *sacl )
 {
-    size_t size = sizeof(ACL);
+    size_t size = sizeof(*sacl);
    const ACE_HEADER *ace;
    ACE_HEADER *label_ace;
    unsigned int i, count = 0;
-    ACL *label_acl;
+    struct acl *label_acl;

    ace = (const ACE_HEADER *)(sacl + 1);
-    for (i = 0; i < sacl->AceCount; i++, ace = ace_next( ace ))
+    for (i = 0; i < sacl->count; i++, ace = ace_next( ace ))
    {
        if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
        {
@ -378,15 +376,15 @@ ACL *extract_security_labels( const ACL *sacl )
    label_acl = mem_alloc( size );
    if (!label_acl) return NULL;

-    label_acl->AclRevision = sacl->AclRevision;
-    label_acl->Sbz1 = 0;
-    label_acl->AclSize = size;
-    label_acl->AceCount = count;
-    label_acl->Sbz2 = 0;
+    label_acl->revision = sacl->revision;
+    label_acl->pad1     = 0;
+    label_acl->size     = size;
+    label_acl->count    = count;
+    label_acl->pad2     = 0;
    label_ace = (ACE_HEADER *)(label_acl + 1);

    ace = (const ACE_HEADER *)(sacl + 1);
-    for (i = 0; i < sacl->AceCount; i++, ace = ace_next( ace ))
+    for (i = 0; i < sacl->count; i++, ace = ace_next( ace ))
    {
        if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
        {
@ -398,20 +396,20 @@ ACL *extract_security_labels( const ACL *sacl )
 }

 /* replace security labels in an existing SACL */
-ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl )
+struct acl *replace_security_labels( const struct acl *old_sacl, const struct acl *new_sacl )
 {
    const ACE_HEADER *ace;
    ACE_HEADER *replaced_ace;
-    size_t size = sizeof(ACL);
+    size_t size = sizeof(*new_sacl);
    unsigned int i, count = 0;
    BYTE revision = ACL_REVISION;
-    ACL *replaced_acl;
+    struct acl *replaced_acl;

    if (old_sacl)
    {
-        revision = max( revision, old_sacl->AclRevision );
+        revision = max( revision, old_sacl->revision );
        ace = (const ACE_HEADER *)(old_sacl + 1);
-        for (i = 0; i < old_sacl->AceCount; i++, ace = ace_next( ace ))
+        for (i = 0; i < old_sacl->count; i++, ace = ace_next( ace ))
        {
            if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
            size += ace->AceSize;
@ -421,9 +419,9 @@ ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl )

    if (new_sacl)
    {
-        revision = max( revision, new_sacl->AclRevision );
+        revision = max( revision, new_sacl->revision );
        ace = (const ACE_HEADER *)(new_sacl + 1);
-        for (i = 0; i < new_sacl->AceCount; i++, ace = ace_next( ace ))
+        for (i = 0; i < new_sacl->count; i++, ace = ace_next( ace ))
        {
            if (ace->AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
            size += ace->AceSize;
@ -434,17 +432,17 @@ ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl )
    replaced_acl = mem_alloc( size );
    if (!replaced_acl) return NULL;

-    replaced_acl->AclRevision = revision;
-    replaced_acl->Sbz1 = 0;
-    replaced_acl->AclSize = size;
-    replaced_acl->AceCount = count;
-    replaced_acl->Sbz2 = 0;
-    replaced_ace = (ACE_HEADER *)(replaced_acl + 1);
+    replaced_acl->revision = revision;
+    replaced_acl->pad1     = 0;
+    replaced_acl->size     = size;
+    replaced_acl->count    = count;
+    replaced_acl->pad2     = 0;

+    replaced_ace = (ACE_HEADER *)(replaced_acl + 1);
    if (old_sacl)
    {
        ace = (const ACE_HEADER *)(old_sacl + 1);
-        for (i = 0; i < old_sacl->AceCount; i++, ace = ace_next( ace ))
+        for (i = 0; i < old_sacl->count; i++, ace = ace_next( ace ))
        {
            if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
            memcpy( replaced_ace, ace, ace->AceSize );
@ -455,7 +453,7 @@ ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl )
    if (new_sacl)
    {
        ace = (const ACE_HEADER *)(new_sacl + 1);
-        for (i = 0; i < new_sacl->AceCount; i++, ace = ace_next( ace ))
+        for (i = 0; i < new_sacl->count; i++, ace = ace_next( ace ))
        {
            if (ace->AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
            memcpy( replaced_ace, ace, ace->AceSize );
@ -546,7 +544,7 @@ static void token_destroy( struct object *obj )
 static struct token *create_token( unsigned int primary, unsigned int session_id, const SID *user,
                                   const struct sid_attrs *groups, unsigned int group_count,
                                   const struct luid_attr *privs, unsigned int priv_count,
-                                   const ACL *default_dacl, TOKEN_SOURCE source,
+                                   const struct acl *default_dacl, TOKEN_SOURCE source,
                                   const struct luid *modified_id,
                                   int impersonation_level, int elevation )
 {
@ -623,7 +621,7 @@ static struct token *create_token( unsigned int primary, unsigned int session_id

        if (default_dacl)
        {
-            token->default_dacl = memdup( default_dacl, default_dacl->AclSize );
+            token->default_dacl = memdup( default_dacl, default_dacl->size );
            if (!token->default_dacl)
            {
                release_object( token );
@ -730,12 +728,12 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
    return token;
 }

-static ACL *create_default_dacl( const SID *user )
+static struct acl *create_default_dacl( const SID *user )
 {
    ACCESS_ALLOWED_ACE *aaa;
-    ACL *default_dacl;
+    struct acl *default_dacl;
    SID *sid;
-    size_t default_dacl_size = sizeof(ACL) +
+    size_t default_dacl_size = sizeof(*default_dacl) +
                               2*(sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)) +
                               sizeof(local_system_sid) +
                               security_sid_len( user );
@ -743,11 +741,11 @@ static ACL *create_default_dacl( const SID *user )
    default_dacl = mem_alloc( default_dacl_size );
    if (!default_dacl) return NULL;

-    default_dacl->AclRevision = ACL_REVISION;
-    default_dacl->Sbz1 = 0;
-    default_dacl->AclSize = default_dacl_size;
-    default_dacl->AceCount = 2;
-    default_dacl->Sbz2 = 0;
+    default_dacl->revision = ACL_REVISION;
+    default_dacl->pad1     = 0;
+    default_dacl->size     = default_dacl_size;
+    default_dacl->count    = 2;
+    default_dacl->pad2     = 0;

    /* GENERIC_ALL for Local System */
    aaa = (ACCESS_ALLOWED_ACE *)(default_dacl + 1);
@ -783,9 +781,9 @@ static struct security_descriptor *create_security_label_sd( struct token *token
    size_t sid_len = security_sid_len( label_sid ), sacl_size, sd_size;
    SYSTEM_MANDATORY_LABEL_ACE *smla;
    struct security_descriptor *sd;
-    ACL *sacl;
+    struct acl *sacl;

-    sacl_size = sizeof(ACL) + FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len;
+    sacl_size = sizeof(*sacl) + FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len;
    sd_size = sizeof(struct security_descriptor) + sacl_size;
    if (!(sd = mem_alloc( sd_size )))
        return NULL;
@ -796,12 +794,12 @@ static struct security_descriptor *create_security_label_sd( struct token *token
    sd->sacl_len  = sacl_size;
    sd->dacl_len  = 0;

-    sacl = (ACL *)(sd + 1);
-    sacl->AclRevision = ACL_REVISION;
-    sacl->Sbz1 = 0;
-    sacl->AclSize = sacl_size;
-    sacl->AceCount = 1;
-    sacl->Sbz2 = 0;
+    sacl = (struct acl *)(sd + 1);
+    sacl->revision = ACL_REVISION;
+    sacl->pad1     = 0;
+    sacl->size     = sacl_size;
+    sacl->count    = 1;
+    sacl->pad2     = 0;

    smla = (SYSTEM_MANDATORY_LABEL_ACE *)(sacl + 1);
    smla->Header.AceType = SYSTEM_MANDATORY_LABEL_ACE_TYPE;
@ -845,7 +843,7 @@ struct token *token_create_admin( unsigned primary, int impersonation_level, int
    PSID alias_users_sid;
    PSID logon_sid;
    const SID *user_sid = security_unix_uid_to_sid( getuid() );
-    ACL *default_dacl = create_default_dacl( user_sid );
+    struct acl *default_dacl = create_default_dacl( user_sid );

    alias_admins_sid = security_sid_alloc( &nt_authority, ARRAY_SIZE( alias_admins_subauth ),
                                           alias_admins_subauth );
@ -1028,7 +1026,7 @@ static unsigned int token_access_check( struct token *token,
    unsigned int current_access = 0;
    unsigned int denied_access = 0;
    ULONG i;
-    const ACL *dacl;
+    const struct acl *dacl;
    int dacl_present;
    const ACE_HEADER *ace;
    const SID *owner;
@ -1116,7 +1114,7 @@ static unsigned int token_access_check( struct token *token,

    /* 4: Grant rights according to the DACL */
    ace = (const ACE_HEADER *)(dacl + 1);
-    for (i = 0; i < dacl->AceCount; i++, ace = ace_next( ace ))
+    for (i = 0; i < dacl->count; i++, ace = ace_next( ace ))
    {
        const ACCESS_ALLOWED_ACE *aa_ace;
        const ACCESS_DENIED_ACE *ad_ace;
@ -1175,7 +1173,7 @@ done:
    return STATUS_SUCCESS;
 }

-const ACL *token_get_default_dacl( struct token *token )
+const struct acl *token_get_default_dacl( struct token *token )
 {
    return token->default_dacl;
 }
@ -1606,11 +1604,11 @@ DECL_HANDLER(get_token_default_dacl)
                                                 &token_ops )))
    {
        if (token->default_dacl)
-            reply->acl_len = token->default_dacl->AclSize;
+            reply->acl_len = token->default_dacl->size;

        if (reply->acl_len <= get_reply_max_size())
        {
-            ACL *acl_reply = set_reply_data_size( reply->acl_len );
+            struct acl *acl_reply = set_reply_data_size( reply->acl_len );
            if (acl_reply)
                memcpy( acl_reply, token->default_dacl, reply->acl_len );
        }
@ -1623,14 +1621,19 @@ DECL_HANDLER(get_token_default_dacl)
 DECL_HANDLER(set_token_default_dacl)
 {
    struct token *token;
+    const struct acl *acl = get_req_data();
+    unsigned int acl_size = get_req_data_size();
+
+    if (acl_size && !acl_is_valid( acl, acl_size ))
+    {
+        set_error( STATUS_INVALID_ACL );
+        return;
+    }

    if ((token = (struct token *)get_handle_obj( current->process, req->handle,
                                                 TOKEN_ADJUST_DEFAULT,
                                                 &token_ops )))
    {
-        const ACL *acl = get_req_data();
-        unsigned int acl_size = get_req_data_size();
-
        free( token->default_dacl );
        token->default_dacl = NULL;

--- a/server/trace.c
+++ b/server/trace.c
@ -1045,7 +1045,7 @@ static void dump_varargs_SID( const char *prefix, data_size_t size )
    remove_data( size );
 }

-static void dump_inline_acl( const char *prefix, const ACL *acl, data_size_t size )
+static void dump_inline_acl( const char *prefix, const struct acl *acl, data_size_t size )
 {
    const ACE_HEADER *ace;
    ULONG i;
@ -1053,14 +1053,14 @@ static void dump_inline_acl( const char *prefix, const ACL *acl, data_size_t siz
    fprintf( stderr,"%s{", prefix );
    if (size)
    {
-        if (size < sizeof(ACL))
+        if (size < sizeof(*acl))
        {
            fprintf( stderr, "<invalid acl>}" );
            return;
        }
-        size -= sizeof(ACL);
+        size -= sizeof(*acl);
        ace = (const ACE_HEADER *)(acl + 1);
-        for (i = 0; i < acl->AceCount; i++)
+        for (i = 0; i < acl->count; i++)
        {
            const SID *sid = NULL;
            data_size_t sid_size = 0;
@ -1115,9 +1115,9 @@ static void dump_inline_acl( const char *prefix, const ACL *acl, data_size_t siz
    fputc( '}', stderr );
 }

-static void dump_varargs_ACL( const char *prefix, data_size_t size )
+static void dump_varargs_acl( const char *prefix, data_size_t size )
 {
-    const ACL *acl = cur_data;
+    const struct acl *acl = cur_data;
    dump_inline_acl( prefix, acl, size );
    remove_data( size );
 }
@ -1145,11 +1145,11 @@ static void dump_inline_security_descriptor( const char *prefix, const struct se
        offset += sd->group_len;
        if ((sd->sacl_len >= MAX_ACL_LEN) || (offset + sd->sacl_len > size))
            return;
-        dump_inline_acl( ",sacl=", (const ACL *)((const char *)sd + offset), sd->sacl_len );
+        dump_inline_acl( ",sacl=", (const struct acl *)((const char *)sd + offset), sd->sacl_len );
        offset += sd->sacl_len;
        if ((sd->dacl_len >= MAX_ACL_LEN) || (offset + sd->dacl_len > size))
            return;
-        dump_inline_acl( ",dacl=", (const ACL *)((const char *)sd + offset), sd->dacl_len );
+        dump_inline_acl( ",dacl=", (const struct acl *)((const char *)sd + offset), sd->dacl_len );
        offset += sd->dacl_len;
    }
    fputc( '}', stderr );
@ -3914,13 +3914,13 @@ static void dump_get_token_default_dacl_request( const struct get_token_default_
 static void dump_get_token_default_dacl_reply( const struct get_token_default_dacl_reply *req )
 {
    fprintf( stderr, " acl_len=%u", req->acl_len );
-    dump_varargs_ACL( ", acl=", cur_size );
+    dump_varargs_acl( ", acl=", cur_size );
 }

 static void dump_set_token_default_dacl_request( const struct set_token_default_dacl_request *req )
 {
    fprintf( stderr, " handle=%04x", req->handle );
-    dump_varargs_ACL( ", acl=", cur_size );
+    dump_varargs_acl( ", acl=", cur_size );
 }

 static void dump_set_security_object_request( const struct set_security_object_request *req )
@ -5400,6 +5400,7 @@ static const struct
    { "INFO_LENGTH_MISMATCH",        STATUS_INFO_LENGTH_MISMATCH },
    { "INSTANCE_NOT_AVAILABLE",      STATUS_INSTANCE_NOT_AVAILABLE },
    { "INSUFFICIENT_RESOURCES",      STATUS_INSUFFICIENT_RESOURCES },
+    { "INVALID_ACL",                 STATUS_INVALID_ACL },
    { "INVALID_ADDRESS",             STATUS_INVALID_ADDRESS },
    { "INVALID_ADDRESS_COMPONENT",   STATUS_INVALID_ADDRESS_COMPONENT },
    { "INVALID_CID",                 STATUS_INVALID_CID },