Commit
928a22cd
authored
Feb 04, 2021
by
Alexandre Julliard
server: Add a data type for generic access mappings.
Signed-off-by:
Alexandre Julliard
<
julliard@winehq.org
>
parent
4d483cd8
Showing
7 changed files
with
48 additions
and
44 deletions
+48
-44
security.c
dlls/ntdll/unix/security.c
+4
-4
server_protocol.h
include/wine/server_protocol.h
+10
-5
protocol.def
server/protocol.def
+9
-4
request.h
server/request.h
+2
-4
token.c
server/token.c
+15
-23
trace.c
server/trace.c
+7
-4
make_requests
tools/make_requests
+1
-0
dlls/ntdll/unix/security.c
...
@@ -723,10 +723,10 @@ NTSTATUS WINAPI NtAccessCheck( PSECURITY_DESCRIPTOR descr, HANDLE token, ACCESS_
...
@@ -723,10 +723,10 @@ NTSTATUS WINAPI NtAccessCheck( PSECURITY_DESCRIPTOR descr, HANDLE token, ACCESS_
{
{
req
->
handle
=
wine_server_obj_handle
(
token
);
req
->
handle
=
wine_server_obj_handle
(
token
);
req
->
desired_access
=
access
;
req
->
desired_access
=
access
;
req
->
mapping
_
read
=
mapping
->
GenericRead
;
req
->
mapping
.
read
=
mapping
->
GenericRead
;
req
->
mapping
_
write
=
mapping
->
GenericWrite
;
req
->
mapping
.
write
=
mapping
->
GenericWrite
;
req
->
mapping
_execute
=
mapping
->
GenericExecute
;
req
->
mapping
.
exec
=
mapping
->
GenericExecute
;
req
->
mapping
_
all
=
mapping
->
GenericAll
;
req
->
mapping
.
all
=
mapping
->
GenericAll
;
wine_server_add_data
(
req
,
objattr
+
1
,
objattr
->
sd_len
);
wine_server_add_data
(
req
,
objattr
+
1
,
objattr
->
sd_len
);
wine_server_set_reply
(
req
,
privs
->
Privilege
,
*
retlen
-
offsetof
(
PRIVILEGE_SET
,
Privilege
)
);
wine_server_set_reply
(
req
,
privs
->
Privilege
,
*
retlen
-
offsetof
(
PRIVILEGE_SET
,
Privilege
)
);
...
...
include/wine/server_protocol.h
...
@@ -366,6 +366,14 @@ typedef struct
...
@@ -366,6 +366,14 @@ typedef struct
int
high_part
;
int
high_part
;
}
luid_t
;
}
luid_t
;
typedef
struct
{
unsigned
int
read
;
unsigned
int
write
;
unsigned
int
exec
;
unsigned
int
all
;
}
generic_map_t
;
#define MAX_ACL_LEN 65535
#define MAX_ACL_LEN 65535
struct
security_descriptor
struct
security_descriptor
...
@@ -4454,10 +4462,7 @@ struct access_check_request
...
@@ -4454,10 +4462,7 @@ struct access_check_request
struct
request_header
__header
;
struct
request_header
__header
;
obj_handle_t
handle
;
obj_handle_t
handle
;
unsigned
int
desired_access
;
unsigned
int
desired_access
;
unsigned
int
mapping_read
;
generic_map_t
mapping
;
unsigned
int
mapping_write
;
unsigned
int
mapping_execute
;
unsigned
int
mapping_all
;
/* VARARG(sd,security_descriptor); */
/* VARARG(sd,security_descriptor); */
char
__pad_36
[
4
];
char
__pad_36
[
4
];
};
};
...
@@ -6229,7 +6234,7 @@ union generic_reply
...
@@ -6229,7 +6234,7 @@ union generic_reply
/* ### protocol_version begin ### */
/* ### protocol_version begin ### */
#define SERVER_PROTOCOL_VERSION 66
4
#define SERVER_PROTOCOL_VERSION 66
5
/* ### protocol_version end ### */
/* ### protocol_version end ### */
...
...
server/protocol.def
...
@@ -382,6 +382,14 @@ typedef struct
...
@@ -382,6 +382,14 @@ typedef struct
int high_part;
int high_part;
} luid_t;
} luid_t;
typedef struct
{
unsigned int read;
unsigned int write;
unsigned int exec;
unsigned int all;
} generic_map_t;
#define MAX_ACL_LEN 65535
#define MAX_ACL_LEN 65535
struct security_descriptor
struct security_descriptor
...
@@ -3135,10 +3143,7 @@ enum caret_state
...
@@ -3135,10 +3143,7 @@ enum caret_state
@REQ(access_check)
@REQ(access_check)
obj_handle_t handle; /* handle to the token */
obj_handle_t handle; /* handle to the token */
unsigned int desired_access; /* desired access to the object */
unsigned int desired_access; /* desired access to the object */
unsigned int mapping_read; /* mapping from generic read to specific rights */
generic_map_t mapping; /* mapping to specific rights */
unsigned int mapping_write; /* mapping from generic write to specific rights */
unsigned int mapping_execute; /* mapping from generic execute to specific rights */
unsigned int mapping_all; /* mapping from generic all to specific rights */
VARARG(sd,security_descriptor); /* security descriptor to check */
VARARG(sd,security_descriptor); /* security descriptor to check */
@REPLY
@REPLY
unsigned int access_granted; /* access rights actually granted */
unsigned int access_granted; /* access rights actually granted */
...
...
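Review bot: The new `generic_map_t` typedef has no per-field comments, while the four `access_check` fields it replaces each named the generic right they mapped; the remaining field comment is only "mapping to specific rights". I would document the members where the type is defined, e.g. `unsigned int read; /* specific rights for GENERIC_READ */`, and likewise for `write`, `exec` and `all`. If the masks are expected to contain no generic bits, a one-line comment above the typedef saying so would make that contract explicit for both sides of the protocol.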
server/request.h
...
@@ -691,6 +691,7 @@ C_ASSERT( sizeof(client_cpu_t) == 4 );
...
@@ -691,6 +691,7 @@ C_ASSERT( sizeof(client_cpu_t) == 4 );
C_ASSERT
(
sizeof
(
client_ptr_t
)
==
8
);
C_ASSERT
(
sizeof
(
client_ptr_t
)
==
8
);
C_ASSERT
(
sizeof
(
data_size_t
)
==
4
);
C_ASSERT
(
sizeof
(
data_size_t
)
==
4
);
C_ASSERT
(
sizeof
(
file_pos_t
)
==
8
);
C_ASSERT
(
sizeof
(
file_pos_t
)
==
8
);
C_ASSERT
(
sizeof
(
generic_map_t
)
==
16
);
C_ASSERT
(
sizeof
(
hw_input_t
)
==
32
);
C_ASSERT
(
sizeof
(
hw_input_t
)
==
32
);
C_ASSERT
(
sizeof
(
int
)
==
4
);
C_ASSERT
(
sizeof
(
int
)
==
4
);
C_ASSERT
(
sizeof
(
ioctl_code_t
)
==
4
);
C_ASSERT
(
sizeof
(
ioctl_code_t
)
==
4
);
...
@@ -1971,10 +1972,7 @@ C_ASSERT( FIELD_OFFSET(struct filter_token_reply, new_handle) == 8 );
...
@@ -1971,10 +1972,7 @@ C_ASSERT( FIELD_OFFSET(struct filter_token_reply, new_handle) == 8 );
C_ASSERT
(
sizeof
(
struct
filter_token_reply
)
==
16
);
C_ASSERT
(
sizeof
(
struct
filter_token_reply
)
==
16
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_request
,
handle
)
==
12
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_request
,
handle
)
==
12
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_request
,
desired_access
)
==
16
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_request
,
desired_access
)
==
16
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_request
,
mapping_read
)
==
20
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_request
,
mapping
)
==
20
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_request
,
mapping_write
)
==
24
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_request
,
mapping_execute
)
==
28
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_request
,
mapping_all
)
==
32
);
C_ASSERT
(
sizeof
(
struct
access_check_request
)
==
40
);
C_ASSERT
(
sizeof
(
struct
access_check_request
)
==
40
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_reply
,
access_granted
)
==
8
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_reply
,
access_granted
)
==
8
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_reply
,
access_status
)
==
12
);
C_ASSERT
(
FIELD_OFFSET
(
struct
access_check_reply
,
access_status
)
==
12
);
...
...
server/token.c
...
@@ -464,13 +464,13 @@ ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl )
...
@@ -464,13 +464,13 @@ ACL *replace_security_labels( const ACL *old_sacl, const ACL *new_sacl )
}
}
/* maps from generic rights to specific rights as given by a mapping */
/* maps from generic rights to specific rights as given by a mapping */
static
inline
void
map_generic_mask
(
unsigned
int
*
mask
,
const
GENERIC_MAPPING
*
mapping
)
static
inline
void
map_generic_mask
(
unsigned
int
*
mask
,
const
generic_map_t
*
mapping
)
{
{
if
(
*
mask
&
GENERIC_READ
)
*
mask
|=
mapping
->
GenericR
ead
;
if
(
*
mask
&
GENERIC_READ
)
*
mask
|=
mapping
->
r
ead
;
if
(
*
mask
&
GENERIC_WRITE
)
*
mask
|=
mapping
->
GenericW
rite
;
if
(
*
mask
&
GENERIC_WRITE
)
*
mask
|=
mapping
->
w
rite
;
if
(
*
mask
&
GENERIC_EXECUTE
)
*
mask
|=
mapping
->
GenericExecute
;
if
(
*
mask
&
GENERIC_EXECUTE
)
*
mask
|=
mapping
->
exec
;
if
(
*
mask
&
GENERIC_ALL
)
*
mask
|=
mapping
->
GenericA
ll
;
if
(
*
mask
&
GENERIC_ALL
)
*
mask
|=
mapping
->
a
ll
;
*
mask
&=
0x0FFFFFFF
;
*
mask
&=
~
(
GENERIC_READ
|
GENERIC_WRITE
|
GENERIC_EXECUTE
|
GENERIC_ALL
)
;
}
}
static
inline
int
is_equal_luid
(
const
LUID
*
luid1
,
const
LUID
*
luid2
)
static
inline
int
is_equal_luid
(
const
LUID
*
luid1
,
const
LUID
*
luid2
)
...
@@ -1039,7 +1039,7 @@ static unsigned int token_access_check( struct token *token,
...
@@ -1039,7 +1039,7 @@ static unsigned int token_access_check( struct token *token,
unsigned
int
desired_access
,
unsigned
int
desired_access
,
LUID_AND_ATTRIBUTES
*
privs
,
LUID_AND_ATTRIBUTES
*
privs
,
unsigned
int
*
priv_count
,
unsigned
int
*
priv_count
,
const
GENERIC_MAPPING
*
mapping
,
const
generic_map_t
*
mapping
,
unsigned
int
*
granted_access
,
unsigned
int
*
granted_access
,
unsigned
int
*
status
)
unsigned
int
*
status
)
{
{
...
@@ -1074,7 +1074,7 @@ static unsigned int token_access_check( struct token *token,
...
@@ -1074,7 +1074,7 @@ static unsigned int token_access_check( struct token *token,
{
{
if
(
priv_count
)
*
priv_count
=
0
;
if
(
priv_count
)
*
priv_count
=
0
;
if
(
desired_access
&
MAXIMUM_ALLOWED
)
if
(
desired_access
&
MAXIMUM_ALLOWED
)
*
granted_access
=
mapping
->
GenericA
ll
;
*
granted_access
=
mapping
->
a
ll
;
else
else
*
granted_access
=
desired_access
;
*
granted_access
=
desired_access
;
return
*
status
=
STATUS_SUCCESS
;
return
*
status
=
STATUS_SUCCESS
;
...
@@ -1212,25 +1212,24 @@ const SID *token_get_primary_group( struct token *token )
...
@@ -1212,25 +1212,24 @@ const SID *token_get_primary_group( struct token *token )
int
check_object_access
(
struct
token
*
token
,
struct
object
*
obj
,
unsigned
int
*
access
)
int
check_object_access
(
struct
token
*
token
,
struct
object
*
obj
,
unsigned
int
*
access
)
{
{
GENERIC_MAPPING
mapping
;
generic_map_t
mapping
;
unsigned
int
status
;
unsigned
int
status
;
int
res
;
int
res
;
if
(
!
token
)
if
(
!
token
)
token
=
current
->
token
?
current
->
token
:
current
->
process
->
token
;
token
=
current
->
token
?
current
->
token
:
current
->
process
->
token
;
mapping
.
GenericA
ll
=
obj
->
ops
->
map_access
(
obj
,
GENERIC_ALL
);
mapping
.
a
ll
=
obj
->
ops
->
map_access
(
obj
,
GENERIC_ALL
);
if
(
!
obj
->
sd
)
if
(
!
obj
->
sd
)
{
{
if
(
*
access
&
MAXIMUM_ALLOWED
)
if
(
*
access
&
MAXIMUM_ALLOWED
)
*
access
=
mapping
.
all
;
*
access
=
mapping
.
GenericAll
;
return
TRUE
;
return
TRUE
;
}
}
mapping
.
GenericR
ead
=
obj
->
ops
->
map_access
(
obj
,
GENERIC_READ
);
mapping
.
r
ead
=
obj
->
ops
->
map_access
(
obj
,
GENERIC_READ
);
mapping
.
GenericW
rite
=
obj
->
ops
->
map_access
(
obj
,
GENERIC_WRITE
);
mapping
.
w
rite
=
obj
->
ops
->
map_access
(
obj
,
GENERIC_WRITE
);
mapping
.
GenericExecute
=
obj
->
ops
->
map_access
(
obj
,
GENERIC_EXECUTE
);
mapping
.
exec
=
obj
->
ops
->
map_access
(
obj
,
GENERIC_EXECUTE
);
res
=
token_access_check
(
token
,
obj
->
sd
,
*
access
,
NULL
,
NULL
,
res
=
token_access_check
(
token
,
obj
->
sd
,
*
access
,
NULL
,
NULL
,
&
mapping
,
access
,
&
status
)
==
STATUS_SUCCESS
&&
&
mapping
,
access
,
&
status
)
==
STATUS_SUCCESS
&&
...
@@ -1451,7 +1450,6 @@ DECL_HANDLER(access_check)
...
@@ -1451,7 +1450,6 @@ DECL_HANDLER(access_check)
TOKEN_QUERY
,
TOKEN_QUERY
,
&
token_ops
)))
&
token_ops
)))
{
{
GENERIC_MAPPING
mapping
;
unsigned
int
status
;
unsigned
int
status
;
LUID_AND_ATTRIBUTES
priv
;
LUID_AND_ATTRIBUTES
priv
;
unsigned
int
priv_count
=
1
;
unsigned
int
priv_count
=
1
;
...
@@ -1473,13 +1471,7 @@ DECL_HANDLER(access_check)
...
@@ -1473,13 +1471,7 @@ DECL_HANDLER(access_check)
return
;
return
;
}
}
mapping
.
GenericRead
=
req
->
mapping_read
;
status
=
token_access_check
(
token
,
sd
,
req
->
desired_access
,
&
priv
,
&
priv_count
,
&
req
->
mapping
,
mapping
.
GenericWrite
=
req
->
mapping_write
;
mapping
.
GenericExecute
=
req
->
mapping_execute
;
mapping
.
GenericAll
=
req
->
mapping_all
;
status
=
token_access_check
(
token
,
sd
,
req
->
desired_access
,
&
priv
,
&
priv_count
,
&
mapping
,
&
reply
->
access_granted
,
&
reply
->
access_status
);
&
reply
->
access_granted
,
&
reply
->
access_status
);
reply
->
privileges_len
=
priv_count
*
sizeof
(
LUID_AND_ATTRIBUTES
);
reply
->
privileges_len
=
priv_count
*
sizeof
(
LUID_AND_ATTRIBUTES
);
...
...
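Review bot: The mapping handed to `token_access_check` in the `access_check` handler is now `&req->mapping`, taken verbatim from the client request, and no validation of its four masks is visible in these hunks. In the `MAXIMUM_ALLOWED` branch shown at @@ -1074, `*granted_access = mapping->all;` copies that value into the result without going through `map_generic_mask`, so any generic bits in `all` would not be stripped on that path; the condition guarding the branch lies outside the hunk, so this may already be handled. The previous local copy behaved the same way, but the direct pointer makes the trust boundary less obvious, so I would record it at the call with a comment such as `/* req->mapping comes straight from the client request and is not validated */`, or mask the value in that branch if generic bits are never meant to be returned. Both `token_access_check` and the handler start and end outside the visible hunks.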
server/trace.c
...
@@ -427,6 +427,12 @@ static void dump_luid( const char *prefix, const luid_t *luid )
...
@@ -427,6 +427,12 @@ static void dump_luid( const char *prefix, const luid_t *luid )
fprintf
(
stderr
,
"%s%d.%u"
,
prefix
,
luid
->
high_part
,
luid
->
low_part
);
fprintf
(
stderr
,
"%s%d.%u"
,
prefix
,
luid
->
high_part
,
luid
->
low_part
);
}
}
static
void
dump_generic_map
(
const
char
*
prefix
,
const
generic_map_t
*
map
)
{
fprintf
(
stderr
,
"%s{r=%08x,w=%08x,x=%08x,a=%08x}"
,
prefix
,
map
->
read
,
map
->
write
,
map
->
exec
,
map
->
all
);
}
static
void
dump_varargs_ints
(
const
char
*
prefix
,
data_size_t
size
)
static
void
dump_varargs_ints
(
const
char
*
prefix
,
data_size_t
size
)
{
{
const
int
*
data
=
cur_data
;
const
int
*
data
=
cur_data
;
...
@@ -3814,10 +3820,7 @@ static void dump_access_check_request( const struct access_check_request *req )
...
@@ -3814,10 +3820,7 @@ static void dump_access_check_request( const struct access_check_request *req )
{
{
fprintf
(
stderr
,
" handle=%04x"
,
req
->
handle
);
fprintf
(
stderr
,
" handle=%04x"
,
req
->
handle
);
fprintf
(
stderr
,
", desired_access=%08x"
,
req
->
desired_access
);
fprintf
(
stderr
,
", desired_access=%08x"
,
req
->
desired_access
);
fprintf
(
stderr
,
", mapping_read=%08x"
,
req
->
mapping_read
);
dump_generic_map
(
", mapping="
,
&
req
->
mapping
);
fprintf
(
stderr
,
", mapping_write=%08x"
,
req
->
mapping_write
);
fprintf
(
stderr
,
", mapping_execute=%08x"
,
req
->
mapping_execute
);
fprintf
(
stderr
,
", mapping_all=%08x"
,
req
->
mapping_all
);
dump_varargs_security_descriptor
(
", sd="
,
cur_size
);
dump_varargs_security_descriptor
(
", sd="
,
cur_size
);
}
}
...
...
tools/make_requests
...
@@ -50,6 +50,7 @@ my %formats =
...
@@ -50,6 +50,7 @@ my %formats =
"async_data_t"
=>
[
40
,
8
,
"&dump_async_data"
],
"async_data_t"
=>
[
40
,
8
,
"&dump_async_data"
],
"irp_params_t"
=>
[
32
,
8
,
"&dump_irp_params"
],
"irp_params_t"
=>
[
32
,
8
,
"&dump_irp_params"
],
"luid_t"
=>
[
8
,
4
,
"&dump_luid"
],
"luid_t"
=>
[
8
,
4
,
"&dump_luid"
],
"generic_map_t"
=>
[
16
,
4
,
"&dump_generic_map"
],
"ioctl_code_t"
=>
[
4
,
4
,
"&dump_ioctl_code"
],
"ioctl_code_t"
=>
[
4
,
4
,
"&dump_ioctl_code"
],
"client_cpu_t"
=>
[
4
,
4
,
"&dump_client_cpu"
],
"client_cpu_t"
=>
[
4
,
4
,
"&dump_client_cpu"
],
"hw_input_t"
=>
[
32
,
8
,
"&dump_hw_input"
],
"hw_input_t"
=>
[
32
,
8
,
"&dump_hw_input"
],
...
...