From c36f81fa750591fc395a66d5323ff032e85b762b Mon Sep 17 00:00:00 2001 From: Alexandre Julliard Date: Tue, 25 Jan 2022 12:10:40 +0100 Subject: [PATCH] server: Define a server-side structure for ACL. Signed-off-by: Alexandre Julliard --- include/wine/server_protocol.h | 15 +++- server/file.c | 24 ++++--- server/handle.c | 6 +- server/object.c | 10 +-- server/process.c | 16 ++--- server/protocol.def | 17 +++-- server/registry.c | 16 ++--- server/security.h | 14 ++-- server/token.c | 125 +++++++++++++++++---------------- server/trace.c | 21 +++--- 10 files changed, 144 insertions(+), 120 deletions(-) diff --git a/include/wine/server_protocol.h b/include/wine/server_protocol.h index aebeebb877e..00471154d9a 100644 --- a/include/wine/server_protocol.h +++ b/include/wine/server_protocol.h @@ -376,6 +376,15 @@ struct luid_attr unsigned int attrs; }; +struct acl +{ + unsigned char revision; + unsigned char pad1; + unsigned short size; + unsigned short count; + unsigned short pad2; +}; + typedef struct { unsigned int read; @@ -4467,7 +4476,7 @@ struct get_token_default_dacl_reply { struct reply_header __header; data_size_t acl_len; - /* VARARG(acl,ACL); */ + /* VARARG(acl,acl); */ char __pad_12[4]; }; @@ -4475,7 +4484,7 @@ struct set_token_default_dacl_request { struct request_header __header; obj_handle_t handle; - /* VARARG(acl,ACL); */ + /* VARARG(acl,acl); */ }; struct set_token_default_dacl_reply { @@ -6252,7 +6261,7 @@ union generic_reply /* ### protocol_version begin ### */ -#define SERVER_PROTOCOL_VERSION 740 +#define SERVER_PROTOCOL_VERSION 741 /* ### protocol_version end ### */ diff --git a/server/file.c b/server/file.c index 062322f685d..287a681cd68 100644 --- a/server/file.c +++ b/server/file.c @@ -312,13 +312,13 @@ struct security_descriptor *mode_to_sd( mode_t mode, const SID *user, const SID size_t dacl_size; ACE_HEADER *current_ace; ACCESS_ALLOWED_ACE *aaa; - ACL *dacl; + struct acl *dacl; SID *sid; char *ptr; const SID *world_sid = security_world_sid; const SID *local_system_sid = security_local_system_sid; - dacl_size = sizeof(ACL) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + + dacl_size = sizeof(*dacl) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + security_sid_len( local_system_sid ); if (mode & S_IRWXU) dacl_size += FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + security_sid_len( user ); @@ -346,16 +346,18 @@ struct security_descriptor *mode_to_sd( mode_t mode, const SID *user, const SID memcpy( ptr, group, sd->group_len ); ptr += sd->group_len; - dacl = (ACL *)ptr; - dacl->AclRevision = ACL_REVISION; - dacl->Sbz1 = 0; - dacl->AclSize = dacl_size; - dacl->AceCount = 1 + (mode & S_IRWXU ? 1 : 0) + (mode & S_IRWXO ? 1 : 0); + dacl = (struct acl *)ptr; + dacl->revision = ACL_REVISION; + dacl->pad1 = 0; + dacl->size = dacl_size; + dacl->count = 1; + dacl->pad2 = 0; + if (mode & S_IRWXU) dacl->count++; if ((!(mode & S_IRUSR) && (mode & (S_IRGRP|S_IROTH))) || (!(mode & S_IWUSR) && (mode & (S_IWGRP|S_IWOTH))) || (!(mode & S_IXUSR) && (mode & (S_IXGRP|S_IXOTH)))) - dacl->AceCount++; - dacl->Sbz2 = 0; + dacl->count++; + if (mode & S_IRWXO) dacl->count++; /* always give FILE_ALL_ACCESS for Local System */ aaa = (ACCESS_ALLOWED_ACE *)(dacl + 1); @@ -470,12 +472,12 @@ mode_t sd_to_mode( const struct security_descriptor *sd, const SID *owner ) mode_t bits_to_set = ~0; mode_t mode; int present; - const ACL *dacl = sd_get_dacl( sd, &present ); + const struct acl *dacl = sd_get_dacl( sd, &present ); if (present && dacl) { const ACE_HEADER *ace = (const ACE_HEADER *)(dacl + 1); ULONG i; - for (i = 0; i < dacl->AceCount; i++, ace = ace_next( ace )) + for (i = 0; i < dacl->count; i++, ace = ace_next( ace )) { const ACCESS_ALLOWED_ACE *aa_ace; const ACCESS_DENIED_ACE *ad_ace; diff --git a/server/handle.c b/server/handle.c index bc692b8ebeb..c62dd6068a4 100644 --- a/server/handle.c +++ b/server/handle.c @@ -738,8 +738,8 @@ DECL_HANDLER(get_security_object) struct security_descriptor req_sd; int present; const SID *owner, *group; - const ACL *sacl, *dacl; - ACL *label_acl = NULL; + const struct acl *sacl, *dacl; + struct acl *label_acl = NULL; if (req->security_info & SACL_SECURITY_INFORMATION) access |= ACCESS_SYSTEM_SECURITY; @@ -769,7 +769,7 @@ DECL_HANDLER(get_security_object) else if (req->security_info & LABEL_SECURITY_INFORMATION && present && sacl) { if (!(label_acl = extract_security_labels( sacl ))) goto done; - req_sd.sacl_len = label_acl->AclSize; + req_sd.sacl_len = label_acl->size; sacl = label_acl; } else diff --git a/server/object.c b/server/object.c index 45ecbba3881..7b57a38aa84 100644 --- a/server/object.c +++ b/server/object.c @@ -544,8 +544,8 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri struct security_descriptor new_sd, *new_sd_ptr; int present; const SID *owner = NULL, *group = NULL; - const ACL *sacl, *dacl; - ACL *replaced_sacl = NULL; + const struct acl *sacl, *dacl; + struct acl *replaced_sacl = NULL; char *ptr; if (!set_info) return 1; @@ -594,11 +594,11 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri } else if (set_info & LABEL_SECURITY_INFORMATION && present) { - const ACL *old_sacl = NULL; + const struct acl *old_sacl = NULL; if (obj->sd && obj->sd->control & SE_SACL_PRESENT) old_sacl = sd_get_sacl( obj->sd, &present ); if (!(replaced_sacl = replace_security_labels( old_sacl, sacl ))) return 0; new_sd.control |= SE_SACL_PRESENT; - new_sd.sacl_len = replaced_sacl->AclSize; + new_sd.sacl_len = replaced_sacl->size; sacl = replaced_sacl; } else @@ -633,7 +633,7 @@ int set_sd_defaults_from_token( struct object *obj, const struct security_descri { dacl = token_get_default_dacl( token ); new_sd.control |= SE_DACL_PRESENT; - new_sd.dacl_len = dacl->AclSize; + new_sd.dacl_len = dacl->size; } else new_sd.dacl_len = 0; } diff --git a/server/process.c b/server/process.c index 58ae97cdb2f..4ffc065f0ba 100644 --- a/server/process.c +++ b/server/process.c @@ -825,10 +825,10 @@ static struct security_descriptor *process_get_sd( struct object *obj ) { size_t users_sid_len = security_sid_len( security_domain_users_sid ); size_t admins_sid_len = security_sid_len( security_builtin_admins_sid ); - size_t dacl_len = sizeof(ACL) + 2 * offsetof( ACCESS_ALLOWED_ACE, SidStart ) + size_t dacl_len = sizeof(struct acl) + 2 * offsetof( ACCESS_ALLOWED_ACE, SidStart ) + users_sid_len + admins_sid_len; ACCESS_ALLOWED_ACE *aaa; - ACL *dacl; + struct acl *dacl; process_default_sd = mem_alloc( sizeof(*process_default_sd) + admins_sid_len + users_sid_len + dacl_len ); @@ -840,12 +840,12 @@ static struct security_descriptor *process_get_sd( struct object *obj ) memcpy( process_default_sd + 1, security_builtin_admins_sid, admins_sid_len ); memcpy( (char *)(process_default_sd + 1) + admins_sid_len, security_domain_users_sid, users_sid_len ); - dacl = (ACL *)((char *)(process_default_sd + 1) + admins_sid_len + users_sid_len); - dacl->AclRevision = ACL_REVISION; - dacl->Sbz1 = 0; - dacl->AclSize = dacl_len; - dacl->AceCount = 2; - dacl->Sbz2 = 0; + dacl = (struct acl *)((char *)(process_default_sd + 1) + admins_sid_len + users_sid_len); + dacl->revision = ACL_REVISION; + dacl->pad1 = 0; + dacl->size = dacl_len; + dacl->count = 2; + dacl->pad2 = 0; aaa = (ACCESS_ALLOWED_ACE *)(dacl + 1); aaa->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; aaa->Header.AceFlags = INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE; diff --git a/server/protocol.def b/server/protocol.def index b9e4eec1340..8082efcb602 100644 --- a/server/protocol.def +++ b/server/protocol.def @@ -392,6 +392,15 @@ struct luid_attr unsigned int attrs; }; +struct acl +{ + unsigned char revision; + unsigned char pad1; + unsigned short size; + unsigned short count; + unsigned short pad2; +}; + typedef struct { unsigned int read; @@ -411,8 +420,8 @@ struct security_descriptor data_size_t dacl_len; /* VARARG(owner,SID); */ /* VARARG(group,SID); */ - /* VARARG(sacl,ACL); */ - /* VARARG(dacl,ACL); */ + /* VARARG(sacl,acl); */ + /* VARARG(dacl,acl); */ }; struct object_attributes @@ -3165,12 +3174,12 @@ enum caret_state obj_handle_t handle; /* handle to the token */ @REPLY data_size_t acl_len; /* length needed to store access control list */ - VARARG(acl,ACL); /* access control list */ + VARARG(acl,acl); /* access control list */ @END @REQ(set_token_default_dacl) obj_handle_t handle; /* handle to the token */ - VARARG(acl,ACL); /* default dacl to set */ + VARARG(acl,acl); /* default dacl to set */ @END @REQ(set_security_object) diff --git a/server/registry.c b/server/registry.c index 6036dfbd41a..92ecc67d528 100644 --- a/server/registry.c +++ b/server/registry.c @@ -369,12 +369,12 @@ static struct security_descriptor *key_get_sd( struct object *obj ) if (!key_default_sd) { + struct acl *dacl; size_t users_sid_len = security_sid_len( security_builtin_users_sid ); size_t admins_sid_len = security_sid_len( security_builtin_admins_sid ); - size_t dacl_len = sizeof(ACL) + 2 * offsetof( ACCESS_ALLOWED_ACE, SidStart ) + size_t dacl_len = sizeof(*dacl) + 2 * offsetof( ACCESS_ALLOWED_ACE, SidStart ) + users_sid_len + admins_sid_len; ACCESS_ALLOWED_ACE *aaa; - ACL *dacl; key_default_sd = mem_alloc( sizeof(*key_default_sd) + 2 * admins_sid_len + dacl_len ); key_default_sd->control = SE_DACL_PRESENT; @@ -385,12 +385,12 @@ static struct security_descriptor *key_get_sd( struct object *obj ) memcpy( key_default_sd + 1, security_builtin_admins_sid, admins_sid_len ); memcpy( (char *)(key_default_sd + 1) + admins_sid_len, security_builtin_admins_sid, admins_sid_len ); - dacl = (ACL *)((char *)(key_default_sd + 1) + 2 * admins_sid_len); - dacl->AclRevision = ACL_REVISION; - dacl->Sbz1 = 0; - dacl->AclSize = dacl_len; - dacl->AceCount = 2; - dacl->Sbz2 = 0; + dacl = (struct acl *)((char *)(key_default_sd + 1) + 2 * admins_sid_len); + dacl->revision = ACL_REVISION; + dacl->pad1 = 0; + dacl->size = dacl_len; + dacl->count = 2; + dacl->pad2 = 0; aaa = (ACCESS_ALLOWED_ACE *)(dacl + 1); aaa->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; aaa->Header.AceFlags = INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE; diff --git a/server/security.h b/server/security.h index 54f57f309e3..cc3a98bb494 100644 --- a/server/security.h +++ b/server/security.h @@ -65,7 +65,7 @@ extern struct token *token_duplicate( struct token *src_token, unsigned primary, extern int token_check_privileges( struct token *token, int all_required, const struct luid_attr *reqprivs, unsigned int count, struct luid_attr *usedprivs ); -extern const ACL *token_get_default_dacl( struct token *token ); +extern const struct acl *token_get_default_dacl( struct token *token ); extern const SID *token_get_user( struct token *token ); extern const SID *token_get_primary_group( struct token *token ); extern unsigned int token_get_session_id( struct token *token ); @@ -105,28 +105,28 @@ static inline int thread_single_check_privilege( struct thread *thread, struct l /* security descriptor helper functions */ extern int sd_is_valid( const struct security_descriptor *sd, data_size_t size ); -extern ACL *extract_security_labels( const ACL *sacl ); -extern ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl ); +extern struct acl *extract_security_labels( const struct acl *sacl ); +extern struct acl *replace_security_labels( const struct acl *old_sacl, const struct acl *new_sacl ); /* gets the discretionary access control list from a security descriptor */ -static inline const ACL *sd_get_dacl( const struct security_descriptor *sd, int *present ) +static inline const struct acl *sd_get_dacl( const struct security_descriptor *sd, int *present ) { *present = (sd->control & SE_DACL_PRESENT) != 0; if (sd->dacl_len) - return (const ACL *)((const char *)(sd + 1) + + return (const struct acl *)((const char *)(sd + 1) + sd->owner_len + sd->group_len + sd->sacl_len); else return NULL; } /* gets the system access control list from a security descriptor */ -static inline const ACL *sd_get_sacl( const struct security_descriptor *sd, int *present ) +static inline const struct acl *sd_get_sacl( const struct security_descriptor *sd, int *present ) { *present = (sd->control & SE_SACL_PRESENT) != 0; if (sd->sacl_len) - return (const ACL *)((const char *)(sd + 1) + + return (const struct acl *)((const char *)(sd + 1) + sd->owner_len + sd->group_len); else return NULL; diff --git a/server/token.c b/server/token.c index b940df61aef..574cb1e5347 100644 --- a/server/token.c +++ b/server/token.c @@ -128,7 +128,7 @@ struct token SID *primary_group; /* SID of user's primary group (points to one of groups) */ unsigned int primary; /* is this a primary or impersonation token? */ unsigned int session_id; /* token session id */ - ACL *default_dacl; /* the default DACL to assign to objects created by this user */ + struct acl *default_dacl; /* the default DACL to assign to objects created by this user */ TOKEN_SOURCE source; /* source of the token */ int impersonation_level; /* impersonation level this token is capable of if non-primary token */ int elevation; /* elevation type */ @@ -235,20 +235,18 @@ const SID *security_unix_uid_to_sid( uid_t uid ) return &anonymous_logon_sid; } -static int acl_is_valid( const ACL *acl, data_size_t size ) +static int acl_is_valid( const struct acl *acl, data_size_t size ) { ULONG i; const ACE_HEADER *ace; - if (size < sizeof(ACL)) - return FALSE; + if (size < sizeof(*acl)) return FALSE; size = min(size, MAX_ACL_LEN); - - size -= sizeof(ACL); + size -= sizeof(*acl); ace = (const ACE_HEADER *)(acl + 1); - for (i = 0; i < acl->AceCount; i++) + for (i = 0; i < acl->count; i++) { const SID *sid; data_size_t sid_size; @@ -310,8 +308,8 @@ int sd_is_valid( const struct security_descriptor *sd, data_size_t size ) size_t offset = sizeof(struct security_descriptor); const SID *group; const SID *owner; - const ACL *sacl; - const ACL *dacl; + const struct acl *sacl; + const struct acl *dacl; int dummy; if (size < offset) @@ -357,16 +355,16 @@ int sd_is_valid( const struct security_descriptor *sd, data_size_t size ) } /* extract security labels from SACL */ -ACL *extract_security_labels( const ACL *sacl ) +struct acl *extract_security_labels( const struct acl *sacl ) { - size_t size = sizeof(ACL); + size_t size = sizeof(*sacl); const ACE_HEADER *ace; ACE_HEADER *label_ace; unsigned int i, count = 0; - ACL *label_acl; + struct acl *label_acl; ace = (const ACE_HEADER *)(sacl + 1); - for (i = 0; i < sacl->AceCount; i++, ace = ace_next( ace )) + for (i = 0; i < sacl->count; i++, ace = ace_next( ace )) { if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) { @@ -378,15 +376,15 @@ ACL *extract_security_labels( const ACL *sacl ) label_acl = mem_alloc( size ); if (!label_acl) return NULL; - label_acl->AclRevision = sacl->AclRevision; - label_acl->Sbz1 = 0; - label_acl->AclSize = size; - label_acl->AceCount = count; - label_acl->Sbz2 = 0; + label_acl->revision = sacl->revision; + label_acl->pad1 = 0; + label_acl->size = size; + label_acl->count = count; + label_acl->pad2 = 0; label_ace = (ACE_HEADER *)(label_acl + 1); ace = (const ACE_HEADER *)(sacl + 1); - for (i = 0; i < sacl->AceCount; i++, ace = ace_next( ace )) + for (i = 0; i < sacl->count; i++, ace = ace_next( ace )) { if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) { @@ -398,20 +396,20 @@ ACL *extract_security_labels( const ACL *sacl ) } /* replace security labels in an existing SACL */ -ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl ) +struct acl *replace_security_labels( const struct acl *old_sacl, const struct acl *new_sacl ) { const ACE_HEADER *ace; ACE_HEADER *replaced_ace; - size_t size = sizeof(ACL); + size_t size = sizeof(*new_sacl); unsigned int i, count = 0; BYTE revision = ACL_REVISION; - ACL *replaced_acl; + struct acl *replaced_acl; if (old_sacl) { - revision = max( revision, old_sacl->AclRevision ); + revision = max( revision, old_sacl->revision ); ace = (const ACE_HEADER *)(old_sacl + 1); - for (i = 0; i < old_sacl->AceCount; i++, ace = ace_next( ace )) + for (i = 0; i < old_sacl->count; i++, ace = ace_next( ace )) { if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue; size += ace->AceSize; @@ -421,9 +419,9 @@ ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl ) if (new_sacl) { - revision = max( revision, new_sacl->AclRevision ); + revision = max( revision, new_sacl->revision ); ace = (const ACE_HEADER *)(new_sacl + 1); - for (i = 0; i < new_sacl->AceCount; i++, ace = ace_next( ace )) + for (i = 0; i < new_sacl->count; i++, ace = ace_next( ace )) { if (ace->AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue; size += ace->AceSize; @@ -434,17 +432,17 @@ ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl ) replaced_acl = mem_alloc( size ); if (!replaced_acl) return NULL; - replaced_acl->AclRevision = revision; - replaced_acl->Sbz1 = 0; - replaced_acl->AclSize = size; - replaced_acl->AceCount = count; - replaced_acl->Sbz2 = 0; - replaced_ace = (ACE_HEADER *)(replaced_acl + 1); + replaced_acl->revision = revision; + replaced_acl->pad1 = 0; + replaced_acl->size = size; + replaced_acl->count = count; + replaced_acl->pad2 = 0; + replaced_ace = (ACE_HEADER *)(replaced_acl + 1); if (old_sacl) { ace = (const ACE_HEADER *)(old_sacl + 1); - for (i = 0; i < old_sacl->AceCount; i++, ace = ace_next( ace )) + for (i = 0; i < old_sacl->count; i++, ace = ace_next( ace )) { if (ace->AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue; memcpy( replaced_ace, ace, ace->AceSize ); @@ -455,7 +453,7 @@ ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl ) if (new_sacl) { ace = (const ACE_HEADER *)(new_sacl + 1); - for (i = 0; i < new_sacl->AceCount; i++, ace = ace_next( ace )) + for (i = 0; i < new_sacl->count; i++, ace = ace_next( ace )) { if (ace->AceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue; memcpy( replaced_ace, ace, ace->AceSize ); @@ -546,7 +544,7 @@ static void token_destroy( struct object *obj ) static struct token *create_token( unsigned int primary, unsigned int session_id, const SID *user, const struct sid_attrs *groups, unsigned int group_count, const struct luid_attr *privs, unsigned int priv_count, - const ACL *default_dacl, TOKEN_SOURCE source, + const struct acl *default_dacl, TOKEN_SOURCE source, const struct luid *modified_id, int impersonation_level, int elevation ) { @@ -623,7 +621,7 @@ static struct token *create_token( unsigned int primary, unsigned int session_id if (default_dacl) { - token->default_dacl = memdup( default_dacl, default_dacl->AclSize ); + token->default_dacl = memdup( default_dacl, default_dacl->size ); if (!token->default_dacl) { release_object( token ); @@ -730,12 +728,12 @@ struct token *token_duplicate( struct token *src_token, unsigned primary, return token; } -static ACL *create_default_dacl( const SID *user ) +static struct acl *create_default_dacl( const SID *user ) { ACCESS_ALLOWED_ACE *aaa; - ACL *default_dacl; + struct acl *default_dacl; SID *sid; - size_t default_dacl_size = sizeof(ACL) + + size_t default_dacl_size = sizeof(*default_dacl) + 2*(sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)) + sizeof(local_system_sid) + security_sid_len( user ); @@ -743,11 +741,11 @@ static ACL *create_default_dacl( const SID *user ) default_dacl = mem_alloc( default_dacl_size ); if (!default_dacl) return NULL; - default_dacl->AclRevision = ACL_REVISION; - default_dacl->Sbz1 = 0; - default_dacl->AclSize = default_dacl_size; - default_dacl->AceCount = 2; - default_dacl->Sbz2 = 0; + default_dacl->revision = ACL_REVISION; + default_dacl->pad1 = 0; + default_dacl->size = default_dacl_size; + default_dacl->count = 2; + default_dacl->pad2 = 0; /* GENERIC_ALL for Local System */ aaa = (ACCESS_ALLOWED_ACE *)(default_dacl + 1); @@ -783,9 +781,9 @@ static struct security_descriptor *create_security_label_sd( struct token *token size_t sid_len = security_sid_len( label_sid ), sacl_size, sd_size; SYSTEM_MANDATORY_LABEL_ACE *smla; struct security_descriptor *sd; - ACL *sacl; + struct acl *sacl; - sacl_size = sizeof(ACL) + FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len; + sacl_size = sizeof(*sacl) + FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len; sd_size = sizeof(struct security_descriptor) + sacl_size; if (!(sd = mem_alloc( sd_size ))) return NULL; @@ -796,12 +794,12 @@ static struct security_descriptor *create_security_label_sd( struct token *token sd->sacl_len = sacl_size; sd->dacl_len = 0; - sacl = (ACL *)(sd + 1); - sacl->AclRevision = ACL_REVISION; - sacl->Sbz1 = 0; - sacl->AclSize = sacl_size; - sacl->AceCount = 1; - sacl->Sbz2 = 0; + sacl = (struct acl *)(sd + 1); + sacl->revision = ACL_REVISION; + sacl->pad1 = 0; + sacl->size = sacl_size; + sacl->count = 1; + sacl->pad2 = 0; smla = (SYSTEM_MANDATORY_LABEL_ACE *)(sacl + 1); smla->Header.AceType = SYSTEM_MANDATORY_LABEL_ACE_TYPE; @@ -845,7 +843,7 @@ struct token *token_create_admin( unsigned primary, int impersonation_level, int PSID alias_users_sid; PSID logon_sid; const SID *user_sid = security_unix_uid_to_sid( getuid() ); - ACL *default_dacl = create_default_dacl( user_sid ); + struct acl *default_dacl = create_default_dacl( user_sid ); alias_admins_sid = security_sid_alloc( &nt_authority, ARRAY_SIZE( alias_admins_subauth ), alias_admins_subauth ); @@ -1028,7 +1026,7 @@ static unsigned int token_access_check( struct token *token, unsigned int current_access = 0; unsigned int denied_access = 0; ULONG i; - const ACL *dacl; + const struct acl *dacl; int dacl_present; const ACE_HEADER *ace; const SID *owner; @@ -1116,7 +1114,7 @@ static unsigned int token_access_check( struct token *token, /* 4: Grant rights according to the DACL */ ace = (const ACE_HEADER *)(dacl + 1); - for (i = 0; i < dacl->AceCount; i++, ace = ace_next( ace )) + for (i = 0; i < dacl->count; i++, ace = ace_next( ace )) { const ACCESS_ALLOWED_ACE *aa_ace; const ACCESS_DENIED_ACE *ad_ace; @@ -1175,7 +1173,7 @@ done: return STATUS_SUCCESS; } -const ACL *token_get_default_dacl( struct token *token ) +const struct acl *token_get_default_dacl( struct token *token ) { return token->default_dacl; } @@ -1606,11 +1604,11 @@ DECL_HANDLER(get_token_default_dacl) &token_ops ))) { if (token->default_dacl) - reply->acl_len = token->default_dacl->AclSize; + reply->acl_len = token->default_dacl->size; if (reply->acl_len <= get_reply_max_size()) { - ACL *acl_reply = set_reply_data_size( reply->acl_len ); + struct acl *acl_reply = set_reply_data_size( reply->acl_len ); if (acl_reply) memcpy( acl_reply, token->default_dacl, reply->acl_len ); } @@ -1623,14 +1621,19 @@ DECL_HANDLER(get_token_default_dacl) DECL_HANDLER(set_token_default_dacl) { struct token *token; + const struct acl *acl = get_req_data(); + unsigned int acl_size = get_req_data_size(); + + if (acl_size && !acl_is_valid( acl, acl_size )) + { + set_error( STATUS_INVALID_ACL ); + return; + } if ((token = (struct token *)get_handle_obj( current->process, req->handle, TOKEN_ADJUST_DEFAULT, &token_ops ))) { - const ACL *acl = get_req_data(); - unsigned int acl_size = get_req_data_size(); - free( token->default_dacl ); token->default_dacl = NULL; diff --git a/server/trace.c b/server/trace.c index 42c0e2bd5e1..53e10c1a961 100644 --- a/server/trace.c +++ b/server/trace.c @@ -1045,7 +1045,7 @@ static void dump_varargs_SID( const char *prefix, data_size_t size ) remove_data( size ); } -static void dump_inline_acl( const char *prefix, const ACL *acl, data_size_t size ) +static void dump_inline_acl( const char *prefix, const struct acl *acl, data_size_t size ) { const ACE_HEADER *ace; ULONG i; @@ -1053,14 +1053,14 @@ static void dump_inline_acl( const char *prefix, const ACL *acl, data_size_t siz fprintf( stderr,"%s{", prefix ); if (size) { - if (size < sizeof(ACL)) + if (size < sizeof(*acl)) { fprintf( stderr, "}" ); return; } - size -= sizeof(ACL); + size -= sizeof(*acl); ace = (const ACE_HEADER *)(acl + 1); - for (i = 0; i < acl->AceCount; i++) + for (i = 0; i < acl->count; i++) { const SID *sid = NULL; data_size_t sid_size = 0; @@ -1115,9 +1115,9 @@ static void dump_inline_acl( const char *prefix, const ACL *acl, data_size_t siz fputc( '}', stderr ); } -static void dump_varargs_ACL( const char *prefix, data_size_t size ) +static void dump_varargs_acl( const char *prefix, data_size_t size ) { - const ACL *acl = cur_data; + const struct acl *acl = cur_data; dump_inline_acl( prefix, acl, size ); remove_data( size ); } @@ -1145,11 +1145,11 @@ static void dump_inline_security_descriptor( const char *prefix, const struct se offset += sd->group_len; if ((sd->sacl_len >= MAX_ACL_LEN) || (offset + sd->sacl_len > size)) return; - dump_inline_acl( ",sacl=", (const ACL *)((const char *)sd + offset), sd->sacl_len ); + dump_inline_acl( ",sacl=", (const struct acl *)((const char *)sd + offset), sd->sacl_len ); offset += sd->sacl_len; if ((sd->dacl_len >= MAX_ACL_LEN) || (offset + sd->dacl_len > size)) return; - dump_inline_acl( ",dacl=", (const ACL *)((const char *)sd + offset), sd->dacl_len ); + dump_inline_acl( ",dacl=", (const struct acl *)((const char *)sd + offset), sd->dacl_len ); offset += sd->dacl_len; } fputc( '}', stderr ); @@ -3914,13 +3914,13 @@ static void dump_get_token_default_dacl_request( const struct get_token_default_ static void dump_get_token_default_dacl_reply( const struct get_token_default_dacl_reply *req ) { fprintf( stderr, " acl_len=%u", req->acl_len ); - dump_varargs_ACL( ", acl=", cur_size ); + dump_varargs_acl( ", acl=", cur_size ); } static void dump_set_token_default_dacl_request( const struct set_token_default_dacl_request *req ) { fprintf( stderr, " handle=%04x", req->handle ); - dump_varargs_ACL( ", acl=", cur_size ); + dump_varargs_acl( ", acl=", cur_size ); } static void dump_set_security_object_request( const struct set_security_object_request *req ) @@ -5400,6 +5400,7 @@ static const struct { "INFO_LENGTH_MISMATCH", STATUS_INFO_LENGTH_MISMATCH }, { "INSTANCE_NOT_AVAILABLE", STATUS_INSTANCE_NOT_AVAILABLE }, { "INSUFFICIENT_RESOURCES", STATUS_INSUFFICIENT_RESOURCES }, + { "INVALID_ACL", STATUS_INVALID_ACL }, { "INVALID_ADDRESS", STATUS_INVALID_ADDRESS }, { "INVALID_ADDRESS_COMPONENT", STATUS_INVALID_ADDRESS_COMPONENT }, { "INVALID_CID", STATUS_INVALID_CID },