Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
W
wine-cw
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
wine
wine-cw
Commits
4ad93416
Commit
4ad93416
authored
May 24, 2005
by
Robert Shearman
Committed by
Alexandre Julliard
May 24, 2005
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Implement NtAccessCheck.
parent
3889d950
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
138 additions
and
14 deletions
+138
-14
sec.c
dlls/ntdll/sec.c
+75
-13
server_protocol.h
include/wine/server_protocol.h
+23
-1
protocol.def
server/protocol.def
+14
-0
request.h
server/request.h
+2
-0
token.c
server/token.c
+0
-0
trace.c
server/trace.c
+24
-0
No files found.
dlls/ntdll/sec.c
View file @
4ad93416
...
...
@@ -1153,23 +1153,85 @@ RtlImpersonateSelf(SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
/******************************************************************************
* NtAccessCheck [NTDLL.@]
* ZwAccessCheck [NTDLL.@]
*
* Checks that a user represented by a token is allowed to access an object
* represented by a security descriptor.
*
* PARAMS
* SecurityDescriptor [I] The security descriptor of the object to check.
* ClientToken [I] Token of the user accessing the object.
* DesiredAccess [I] The desired access to the object.
* GenericMapping [I] Mapping used to transform access rights in the SD to their specific forms.
* PrivilegeSet [I/O] Privileges used during the access check.
* ReturnLength [O] Number of bytes stored into PrivilegeSet.
* GrantedAccess [O] The actual access rights granted.
* AccessStatus [O] The status of the access check.
*
* RETURNS
* NTSTATUS code.
*
* NOTES
* DesiredAccess may be MAXIMUM_ALLOWED, in which case the function determines
* the maximum access rights allowed by the SD and returns them in
* GrantedAccess.
* The SecurityDescriptor must have a valid owner and groups present,
* otherwise the function will fail.
*/
NTSTATUS
WINAPI
NtAccessCheck
(
IN
PSECURITY_DESCRIPTOR
SecurityDescriptor
,
IN
HANDLE
ClientToken
,
IN
ACCESS_MASK
DesiredAccess
,
IN
PGENERIC_MAPPING
GenericMapping
,
OUT
PPRIVILEGE_SET
PrivilegeSet
,
OUT
PULONG
ReturnLength
,
OUT
PULONG
GrantedAccess
,
OUT
NTSTATUS
*
AccessStatus
)
PSECURITY_DESCRIPTOR
SecurityDescriptor
,
HANDLE
ClientToken
,
ACCESS_MASK
DesiredAccess
,
PGENERIC_MAPPING
GenericMapping
,
PPRIVILEGE_SET
PrivilegeSet
,
PULONG
ReturnLength
,
PULONG
GrantedAccess
,
NTSTATUS
*
AccessStatus
)
{
FIXME
(
"(%p, %p, %08lx, %p, %p, %p, %p, %p), stub
\n
"
,
SecurityDescriptor
,
ClientToken
,
DesiredAccess
,
GenericMapping
,
PrivilegeSet
,
ReturnLength
,
GrantedAccess
,
AccessStatus
);
*
AccessStatus
=
STATUS_SUCCESS
;
return
STATUS_SUCCESS
;
NTSTATUS
status
;
TRACE
(
"(%p, %p, %08lx, %p, %p, %p, %p, %p), stub
\n
"
,
SecurityDescriptor
,
ClientToken
,
DesiredAccess
,
GenericMapping
,
PrivilegeSet
,
ReturnLength
,
GrantedAccess
,
AccessStatus
);
SERVER_START_REQ
(
access_check
)
{
struct
security_descriptor
sd
;
const
SECURITY_DESCRIPTOR
*
RealSD
=
(
const
SECURITY_DESCRIPTOR
*
)
SecurityDescriptor
;
req
->
handle
=
ClientToken
;
req
->
desired_access
=
DesiredAccess
;
req
->
mapping_read
=
GenericMapping
->
GenericRead
;
req
->
mapping_write
=
GenericMapping
->
GenericWrite
;
req
->
mapping_execute
=
GenericMapping
->
GenericExecute
;
req
->
mapping_all
=
GenericMapping
->
GenericAll
;
/* marshal security descriptor */
sd
.
control
=
RealSD
->
Control
;
sd
.
owner_len
=
RtlLengthSid
(
RealSD
->
Owner
);
sd
.
group_len
=
RtlLengthSid
(
RealSD
->
Group
);
sd
.
sacl_len
=
(
RealSD
->
Sacl
?
RealSD
->
Sacl
->
AclSize
:
0
);
sd
.
dacl_len
=
(
RealSD
->
Dacl
?
RealSD
->
Dacl
->
AclSize
:
0
);
wine_server_add_data
(
req
,
&
sd
,
sizeof
(
sd
)
);
wine_server_add_data
(
req
,
RealSD
->
Owner
,
sd
.
owner_len
);
wine_server_add_data
(
req
,
RealSD
->
Group
,
sd
.
group_len
);
wine_server_add_data
(
req
,
RealSD
->
Sacl
,
sd
.
sacl_len
);
wine_server_add_data
(
req
,
RealSD
->
Dacl
,
sd
.
dacl_len
);
wine_server_set_reply
(
req
,
&
PrivilegeSet
->
Privilege
,
*
ReturnLength
-
FIELD_OFFSET
(
PRIVILEGE_SET
,
Privilege
)
);
status
=
wine_server_call
(
req
);
*
ReturnLength
=
FIELD_OFFSET
(
PRIVILEGE_SET
,
Privilege
)
+
reply
->
privileges_len
;
PrivilegeSet
->
PrivilegeCount
=
reply
->
privileges_len
/
sizeof
(
LUID_AND_ATTRIBUTES
);
if
(
status
==
STATUS_SUCCESS
)
*
AccessStatus
=
reply
->
access_status
;
*
GrantedAccess
=
reply
->
access_granted
;
}
SERVER_END_REQ
;
return
status
;
}
/******************************************************************************
...
...
include/wine/server_protocol.h
View file @
4ad93416
...
...
@@ -3331,6 +3331,25 @@ struct duplicate_token_reply
obj_handle_t
new_handle
;
};
struct
access_check_request
{
struct
request_header
__header
;
obj_handle_t
handle
;
unsigned
int
desired_access
;
unsigned
int
mapping_read
;
unsigned
int
mapping_write
;
unsigned
int
mapping_execute
;
unsigned
int
mapping_all
;
/* VARARG(sd,security_descriptor); */
};
struct
access_check_reply
{
struct
reply_header
__header
;
unsigned
int
access_granted
;
unsigned
int
access_status
;
unsigned
int
privileges_len
;
/* VARARG(privileges,LUID_AND_ATTRIBUTES); */
};
struct
create_mailslot_request
...
...
@@ -3574,6 +3593,7 @@ enum request
REQ_get_token_privileges
,
REQ_check_token_privileges
,
REQ_duplicate_token
,
REQ_access_check
,
REQ_create_mailslot
,
REQ_open_mailslot
,
REQ_set_mailslot_info
,
...
...
@@ -3773,6 +3793,7 @@ union generic_request
struct
get_token_privileges_request
get_token_privileges_request
;
struct
check_token_privileges_request
check_token_privileges_request
;
struct
duplicate_token_request
duplicate_token_request
;
struct
access_check_request
access_check_request
;
struct
create_mailslot_request
create_mailslot_request
;
struct
open_mailslot_request
open_mailslot_request
;
struct
set_mailslot_info_request
set_mailslot_info_request
;
...
...
@@ -3970,11 +3991,12 @@ union generic_reply
struct
get_token_privileges_reply
get_token_privileges_reply
;
struct
check_token_privileges_reply
check_token_privileges_reply
;
struct
duplicate_token_reply
duplicate_token_reply
;
struct
access_check_reply
access_check_reply
;
struct
create_mailslot_reply
create_mailslot_reply
;
struct
open_mailslot_reply
open_mailslot_reply
;
struct
set_mailslot_info_reply
set_mailslot_info_reply
;
};
#define SERVER_PROTOCOL_VERSION 17
5
#define SERVER_PROTOCOL_VERSION 17
6
#endif
/* __WINE_WINE_SERVER_PROTOCOL_H */
server/protocol.def
View file @
4ad93416
...
...
@@ -2344,6 +2344,20 @@ enum message_type
obj_handle_t new_handle; /* duplicated handle */
@END
@REQ(access_check)
obj_handle_t handle; /* handle to the token */
unsigned int desired_access; /* desired access to the object */
unsigned int mapping_read; /* mapping from generic read to specific rights */
unsigned int mapping_write; /* mapping from generic write to specific rights */
unsigned int mapping_execute; /* mapping from generic execute to specific rights */
unsigned int mapping_all; /* mapping from generic all to specific rights */
VARARG(sd,security_descriptor); /* security descriptor to check */
@REPLY
unsigned int access_granted; /* access rights actually granted */
unsigned int access_status; /* was access granted? */
unsigned int privileges_len; /* length needed to store privileges */
VARARG(privileges,LUID_AND_ATTRIBUTES); /* privileges used during access check */
@END
/* Create a mailslot */
@REQ(create_mailslot)
...
...
server/request.h
View file @
4ad93416
...
...
@@ -292,6 +292,7 @@ DECL_HANDLER(adjust_token_privileges);
DECL_HANDLER
(
get_token_privileges
);
DECL_HANDLER
(
check_token_privileges
);
DECL_HANDLER
(
duplicate_token
);
DECL_HANDLER
(
access_check
);
DECL_HANDLER
(
create_mailslot
);
DECL_HANDLER
(
open_mailslot
);
DECL_HANDLER
(
set_mailslot_info
);
...
...
@@ -490,6 +491,7 @@ static const req_handler req_handlers[REQ_NB_REQUESTS] =
(
req_handler
)
req_get_token_privileges
,
(
req_handler
)
req_check_token_privileges
,
(
req_handler
)
req_duplicate_token
,
(
req_handler
)
req_access_check
,
(
req_handler
)
req_create_mailslot
,
(
req_handler
)
req_open_mailslot
,
(
req_handler
)
req_set_mailslot_info
,
...
...
server/token.c
View file @
4ad93416
This diff is collapsed.
Click to expand it.
server/trace.c
View file @
4ad93416
...
...
@@ -2872,6 +2872,27 @@ static void dump_duplicate_token_reply( const struct duplicate_token_reply *req
fprintf
(
stderr
,
" new_handle=%p"
,
req
->
new_handle
);
}
static
void
dump_access_check_request
(
const
struct
access_check_request
*
req
)
{
fprintf
(
stderr
,
" handle=%p,"
,
req
->
handle
);
fprintf
(
stderr
,
" desired_access=%08x,"
,
req
->
desired_access
);
fprintf
(
stderr
,
" mapping_read=%08x,"
,
req
->
mapping_read
);
fprintf
(
stderr
,
" mapping_write=%08x,"
,
req
->
mapping_write
);
fprintf
(
stderr
,
" mapping_execute=%08x,"
,
req
->
mapping_execute
);
fprintf
(
stderr
,
" mapping_all=%08x,"
,
req
->
mapping_all
);
fprintf
(
stderr
,
" sd="
);
dump_varargs_security_descriptor
(
cur_size
);
}
static
void
dump_access_check_reply
(
const
struct
access_check_reply
*
req
)
{
fprintf
(
stderr
,
" access_granted=%08x,"
,
req
->
access_granted
);
fprintf
(
stderr
,
" access_status=%08x,"
,
req
->
access_status
);
fprintf
(
stderr
,
" privileges_len=%08x,"
,
req
->
privileges_len
);
fprintf
(
stderr
,
" privileges="
);
dump_varargs_LUID_AND_ATTRIBUTES
(
cur_size
);
}
static
void
dump_create_mailslot_request
(
const
struct
create_mailslot_request
*
req
)
{
fprintf
(
stderr
,
" max_msgsize=%08x,"
,
req
->
max_msgsize
);
...
...
@@ -3105,6 +3126,7 @@ static const dump_func req_dumpers[REQ_NB_REQUESTS] = {
(
dump_func
)
dump_get_token_privileges_request
,
(
dump_func
)
dump_check_token_privileges_request
,
(
dump_func
)
dump_duplicate_token_request
,
(
dump_func
)
dump_access_check_request
,
(
dump_func
)
dump_create_mailslot_request
,
(
dump_func
)
dump_open_mailslot_request
,
(
dump_func
)
dump_set_mailslot_info_request
,
...
...
@@ -3300,6 +3322,7 @@ static const dump_func reply_dumpers[REQ_NB_REQUESTS] = {
(
dump_func
)
dump_get_token_privileges_reply
,
(
dump_func
)
dump_check_token_privileges_reply
,
(
dump_func
)
dump_duplicate_token_reply
,
(
dump_func
)
dump_access_check_reply
,
(
dump_func
)
dump_create_mailslot_reply
,
(
dump_func
)
dump_open_mailslot_reply
,
(
dump_func
)
dump_set_mailslot_info_reply
,
...
...
@@ -3495,6 +3518,7 @@ static const char * const req_names[REQ_NB_REQUESTS] = {
"get_token_privileges"
,
"check_token_privileges"
,
"duplicate_token"
,
"access_check"
,
"create_mailslot"
,
"open_mailslot"
,
"set_mailslot_info"
,
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment