- Implemented RtlAddAccessAllowedAce, RtlAddAccessDeniedAce,

RtlAddAce, RtlValidAcl.
- Added the corresponding functions in advapi32.
- Grouped the ACL functions in advapi32.

dlls/advapi32/advapi32.spec

@@ -6,8 +6,8 @@
 @ stub AccessCheckByType #(ptr ptr long long ptr long ptr ptr ptr ptr ptr) AccessCheckByType
 @ stdcall AddAccessAllowedAce (ptr long long ptr)
 @ stub AddAccessAllowedAceEx #(ptr long long long ptr) AddAccessAllowedAceEx
-@ stub AddAccessDeniedAce
+@ stdcall AddAccessDeniedAce(ptr long long ptr)
-@ stub AddAce
+@ stdcall AddAce(ptr long long ptr long)
 @ stub AddAuditAccessAce
 @ stub AdjustTokenGroups
 @ stdcall AdjustTokenPrivileges(long long ptr long ptr ptr)
@@ -87,7 +87,7 @@
 @ stdcall EnumServicesStatusW (long long long ptr long ptr ptr ptr)
 @ stdcall EqualPrefixSid(ptr ptr)
 @ stdcall EqualSid(ptr ptr)
-@ stub FindFirstFreeAce
+@ stdcall FindFirstFreeAce(ptr ptr)
 @ stdcall FreeSid(ptr)
 @ stdcall GetAce(ptr long ptr)
 @ stub GetAclInformation
@@ -135,7 +135,7 @@
 @ stub IsProcessRestricted
 @ stdcall IsTextUnicode(ptr long ptr) ntdll.RtlIsTextUnicode
 @ stub IsTokenRestricted
-@ stub IsValidAcl
+@ stdcall IsValidAcl(ptr)
 @ stdcall IsValidSecurityDescriptor(ptr)
 @ stdcall IsValidSid(ptr)
 @ stdcall LockServiceDatabase(ptr)

dlls/advapi32/security.c

@@ -651,6 +651,67 @@ DWORD WINAPI InitializeAcl(PACL acl, DWORD size, DWORD rev)
 	CallWin32ToNt (RtlCreateAcl(acl, size, rev));
 }
 
+/******************************************************************************
+ *  AddAccessAllowedAce [ADVAPI32.@]
+ */
+BOOL WINAPI AddAccessAllowedAce(
+        IN OUT PACL pAcl,
+        IN DWORD dwAceRevision,
+        IN DWORD AccessMask,
+        IN PSID pSid)
+{
+	CallWin32ToNt(RtlAddAccessAllowedAce(pAcl, dwAceRevision, AccessMask, pSid));
+}
+
+/******************************************************************************
+ *  AddAccessDeniedAce [ADVAPI32.@]
+ */
+BOOL WINAPI AddAccessDeniedAce(
+        IN OUT PACL pAcl,
+        IN DWORD dwAceRevision,
+        IN DWORD AccessMask,
+        IN PSID pSid)
+{
+	CallWin32ToNt(RtlAddAccessDeniedAce(pAcl, dwAceRevision, AccessMask, pSid));
+}
+
+/******************************************************************************
+ *  AddAccessDeniedAce [ADVAPI32.@]
+ */
+BOOL WINAPI AddAce(
+        IN OUT PACL pAcl,
+        IN DWORD dwAceRevision,
+        IN DWORD dwStartingAceIndex,
+        LPVOID pAceList,
+        DWORD nAceListLength)
+{
+	CallWin32ToNt(RtlAddAce(pAcl, dwAceRevision, dwStartingAceIndex, pAceList, nAceListLength));
+}
+
+/******************************************************************************
+ *  FindFirstFreeAce [ADVAPI32.@]
+ */
+BOOL WINAPI FindFirstFreeAce(IN PACL pAcl, LPVOID * pAce)
+{
+	return RtlFirstFreeAce(pAcl, (PACE_HEADER *)pAce);
+}
+
+/******************************************************************************
+ * GetAce [ADVAPI32.@]
+ */
+BOOL WINAPI GetAce(PACL pAcl,DWORD dwAceIndex,LPVOID *pAce )
+{
+    CallWin32ToNt(RtlGetAce(pAcl, dwAceIndex, pAce));
+}
+
+/******************************************************************************
+ *  IsValidAcl [ADVAPI32.@]
+ */
+BOOL WINAPI IsValidAcl(IN PACL pAcl)
+{
+	return RtlValidAcl(pAcl);
+}
+
 /*	##############################
 	######	MISC FUNCTIONS	######
 	##############################
@@ -1107,18 +1168,6 @@ BOOL WINAPI SetKernelObjectSecurity (
 	CallWin32ToNt (NtSetSecurityObject (Handle, SecurityInformation, SecurityDescriptor));
 }
 
-/******************************************************************************
- *  AddAccessAllowedAce [ADVAPI32.@]
- */
-BOOL WINAPI AddAccessAllowedAce(
-        IN OUT PACL pAcl,
-        IN DWORD dwAceRevision,
-        IN DWORD AccessMask,
-        IN PSID pSid)
-{
-        return RtlAddAccessAllowedAce(pAcl, dwAceRevision, AccessMask, pSid);
-}
-
 /******************************************************************************
  * LookupAccountNameA [ADVAPI32.@]
  */
@@ -1136,14 +1185,6 @@ LookupAccountNameA(
     return FALSE;
 }
 
-/******************************************************************************
- * GetAce [ADVAPI32.@]
- */
-BOOL WINAPI GetAce(PACL pAcl,DWORD dwAceIndex,LPVOID *pAce )
-{
-    CallWin32ToNt(RtlGetAce(pAcl, dwAceIndex, pAce));
-}
-
 /******************************************************************************
  * PrivilegeCheck [ADVAPI32.@]
  */

dlls/ntdll/ntdll.spec

@@ -268,8 +268,8 @@
 @ stdcall RtlAcquirePebLock()
 @ stdcall RtlAcquireResourceExclusive(ptr long)
 @ stdcall RtlAcquireResourceShared(ptr long)
-@ stdcall RtlAddAccessAllowedAce(long long long long)
+@ stdcall RtlAddAccessAllowedAce(ptr long long ptr)
-@ stub RtlAddAccessDeniedAce
+@ stdcall RtlAddAccessDeniedAce(ptr long long ptr)
 @ stdcall RtlAddAce(ptr long long ptr long)
 @ stub RtlAddActionToRXact
 @ stub RtlAddAttributeActionToRXact
@@ -561,7 +561,7 @@
 @ stdcall RtlUpperString(ptr ptr)
 @ stub RtlUsageHeap
 @ cdecl -i386 -norelay RtlUshortByteSwap() NTDLL_RtlUshortByteSwap
-@ stub RtlValidAcl
+@ stdcall RtlValidAcl(ptr)
 @ stdcall RtlValidSecurityDescriptor(ptr)
 @ stdcall RtlValidSid(ptr)
 @ stdcall RtlValidateHeap(long long ptr)

dlls/ntdll/sec.c

@@ -314,8 +314,7 @@ DWORD WINAPI RtlCopySid( DWORD nDestinationSidLength, PSID pDestinationSid, PSID
  *   TRUE if pSid is valid,
  *   FALSE otherwise.
  */
-BOOL WINAPI
+BOOLEAN WINAPI RtlValidSid( PSID pSid )
-RtlValidSid( PSID pSid )
 {
     BOOL ret;
     __TRY
@@ -711,15 +710,122 @@ NTSTATUS WINAPI RtlAddAce(
 /******************************************************************************
  *  RtlAddAccessAllowedAce		[NTDLL.@]
  */
-BOOL WINAPI RtlAddAccessAllowedAce(
+NTSTATUS WINAPI RtlAddAccessAllowedAce(
 	IN OUT PACL pAcl,
 	IN DWORD dwAceRevision,
 	IN DWORD AccessMask,
 	IN PSID pSid)
 {
-	FIXME("(%p,0x%08lx,0x%08lx,%p),stub!\n",
+	DWORD dwLengthSid;
+	ACCESS_ALLOWED_ACE * pAaAce;
+	DWORD dwSpaceLeft;
+
+	TRACE("(%p,0x%08lx,0x%08lx,%p)\n",
 		pAcl, dwAceRevision, AccessMask, pSid);
-	return TRUE;
+
+	if (!RtlValidSid(pSid))
+		return STATUS_INVALID_SID;
+	if (!RtlValidAcl(pAcl))
+		return STATUS_INVALID_ACL;
+
+	dwLengthSid = RtlLengthSid(pSid);
+	if (!RtlFirstFreeAce(pAcl, (PACE_HEADER *) &pAaAce))
+		return STATUS_INVALID_ACL;
+
+	if (!pAaAce)
+		return STATUS_ALLOTTED_SPACE_EXCEEDED;
+
+	dwSpaceLeft = (DWORD)pAcl + pAcl->AclSize - (DWORD)pAaAce;
+	if (dwSpaceLeft < sizeof(*pAaAce) - sizeof(pAaAce->SidStart) + dwLengthSid)
+		return STATUS_ALLOTTED_SPACE_EXCEEDED;
+
+	pAaAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+	pAaAce->Header.AceFlags = 0;
+	pAaAce->Header.AceSize = sizeof(*pAaAce) - sizeof(pAaAce->SidStart) + dwLengthSid;
+	pAaAce->Mask = AccessMask;
+	pAcl->AceCount++;
+	RtlCopySid(dwLengthSid, (PSID)&pAaAce->SidStart, pSid);
+	return STATUS_SUCCESS;
+}
+
+/******************************************************************************
+ *  RtlAddAccessDeniedAce		[NTDLL.@]
+ */
+NTSTATUS WINAPI RtlAddAccessDeniedAce(
+	IN OUT PACL pAcl,
+	IN DWORD dwAceRevision,
+	IN DWORD AccessMask,
+	IN PSID pSid)
+{
+	DWORD dwLengthSid;
+	DWORD dwSpaceLeft;
+	ACCESS_DENIED_ACE * pAdAce;
+
+	TRACE("(%p,0x%08lx,0x%08lx,%p)\n",
+		pAcl, dwAceRevision, AccessMask, pSid);
+
+	if (!RtlValidSid(pSid))
+		return STATUS_INVALID_SID;
+	if (!RtlValidAcl(pAcl))
+		return STATUS_INVALID_ACL;
+
+	dwLengthSid = RtlLengthSid(pSid);
+	if (!RtlFirstFreeAce(pAcl, (PACE_HEADER *) &pAdAce))
+		return STATUS_INVALID_ACL;
+
+	if (!pAdAce)
+		return STATUS_ALLOTTED_SPACE_EXCEEDED;
+
+	dwSpaceLeft = (DWORD)pAcl + pAcl->AclSize - (DWORD)pAdAce;
+	if (dwSpaceLeft < sizeof(*pAdAce) - sizeof(pAdAce->SidStart) + dwLengthSid)
+		return STATUS_ALLOTTED_SPACE_EXCEEDED;
+
+	pAdAce->Header.AceType = ACCESS_DENIED_ACE_TYPE;
+	pAdAce->Header.AceFlags = 0;
+	pAdAce->Header.AceSize = sizeof(*pAdAce) - sizeof(pAdAce->SidStart) + dwLengthSid;
+	pAdAce->Mask = AccessMask;
+	pAcl->AceCount++;
+	RtlCopySid(dwLengthSid, (PSID)&pAdAce->SidStart, pSid);
+	return STATUS_SUCCESS;
+}
+
+/******************************************************************************
+ *  RtlValidAcl		[NTDLL.@]
+ */
+BOOLEAN WINAPI RtlValidAcl(PACL pAcl)
+{
+        BOOLEAN ret;
+	TRACE("(%p)\n", pAcl);
+
+	__TRY
+	{
+		PACE_HEADER	ace;
+		int		i;
+
+                if (pAcl->AclRevision != ACL_REVISION)
+                    ret = FALSE;
+                else
+                {
+                    ace = (PACE_HEADER)(pAcl+1);
+                    ret = TRUE;
+                    for (i=0;i<=pAcl->AceCount;i++)
+                    {
+                        if ((char *)ace > (char *)pAcl + pAcl->AclSize)
+                        {
+                            ret = FALSE;
+                            break;
+                        }
+                        ace = (PACE_HEADER)(((BYTE*)ace)+ace->AceSize);
+                    }
+                }
+	}
+	__EXCEPT(page_fault)
+	{
+		WARN("(%p): invalid pointer!\n", pAcl);
+		return 0;
+	}
+	__ENDTRY
+        return ret;
 }
 
 /******************************************************************************
@@ -727,8 +833,20 @@ BOOL WINAPI RtlAddAccessAllowedAce(
  */
 DWORD WINAPI RtlGetAce(PACL pAcl,DWORD dwAceIndex,LPVOID *pAce )
 {
-	FIXME("(%p,%ld,%p),stub!\n",pAcl,dwAceIndex,pAce);
+	PACE_HEADER ace;
-	return 0;
+
+	TRACE("(%p,%ld,%p)\n",pAcl,dwAceIndex,pAce);
+
+	if ((dwAceIndex < 0) || (dwAceIndex > pAcl->AceCount))
+		return STATUS_INVALID_PARAMETER;
+
+	ace = (PACE_HEADER)(pAcl + 1);
+	for (;dwAceIndex;dwAceIndex--)
+		ace = (PACE_HEADER)(((BYTE*)ace)+ace->AceSize);
+
+	*pAce = (LPVOID) ace;
+
+	return STATUS_SUCCESS;
 }
 
 /*

include/winternl.h

@@ -918,8 +918,9 @@ void      WINAPI RtlAcquirePebLock(void);
 BYTE      WINAPI RtlAcquireResourceExclusive(LPRTL_RWLOCK,BYTE);
 BYTE      WINAPI RtlAcquireResourceShared(LPRTL_RWLOCK,BYTE);
 NTSTATUS  WINAPI RtlAddAce(PACL,DWORD,DWORD,PACE_HEADER,DWORD);
-BOOL      WINAPI RtlAddAccessAllowedAce(PACL,DWORD,DWORD,PSID);
+NTSTATUS  WINAPI RtlAddAccessAllowedAce(PACL,DWORD,DWORD,PSID);
 BOOL      WINAPI RtlAddAccessAllowedAceEx(PACL,DWORD,DWORD,DWORD,PSID);
+NTSTATUS  WINAPI RtlAddAccessDeniedAce(PACL,DWORD,DWORD,PSID);
 DWORD     WINAPI RtlAdjustPrivilege(DWORD,DWORD,DWORD,DWORD);
 BOOLEAN   WINAPI RtlAllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY,BYTE,DWORD,DWORD,DWORD,DWORD,DWORD,DWORD,DWORD,DWORD,PSID *);
 PVOID     WINAPI RtlAllocateHeap(HANDLE,ULONG,ULONG);
@@ -1131,7 +1132,8 @@ CHAR      WINAPI RtlUpperChar(CHAR);
 void      WINAPI RtlUpperString(STRING *,const STRING *);
 
 NTSTATUS  WINAPI RtlValidSecurityDescriptor(PSECURITY_DESCRIPTOR);
-BOOL      WINAPI RtlValidSid(PSID);
+BOOLEAN   WINAPI RtlValidAcl(PACL);
+BOOLEAN   WINAPI RtlValidSid(PSID);
 BOOLEAN   WINAPI RtlValidateHeap(HANDLE,ULONG,LPCVOID);
 
 NTSTATUS  WINAPI RtlWalkHeap(HANDLE,PVOID);