Commit
a78d4194
authored
Jun 16, 2017
by
Michael Müller
Committed by
Alexandre Julliard
Jun 19, 2017
server: Assign a default label to all tokens.
Signed-off-by:
Matteo Bruni
<
mbruni@codeweavers.com
>
Signed-off-by:
Alexandre Julliard
<
julliard@winehq.org
>
parent
08f3fef3
Showing
4 changed files
with
78 additions
and
28 deletions
+78
-28
security.c
dlls/advapi32/tests/security.c
+18
-28
process.c
server/process.c
+6
-0
security.h
server/security.h
+2
-0
token.c
server/token.c
+52
-0
dlls/advapi32/tests/security.c
...
...
@@ -6847,7 +6847,6 @@ static void test_token_security_descriptor(void)
defaulted
=
TRUE
;
ret
=
GetSecurityDescriptorDacl
(
sd2
,
&
present
,
&
acl2
,
&
defaulted
);
ok
(
ret
,
"GetSecurityDescriptorDacl failed with error %u
\n
"
,
GetLastError
());
todo_wine
ok
(
present
,
"DACL not present
\n
"
);
ok
(
acl2
!=
(
void
*
)
0xdeadbeef
,
"DACL not set
\n
"
);
ok
(
!
defaulted
,
"DACL defaulted
\n
"
);
...
...
@@ -6949,20 +6948,16 @@ static void test_child_token_sd(void)
defaulted
=
TRUE
;
ret
=
GetSecurityDescriptorDacl
(
sd
,
&
present
,
&
acl
,
&
defaulted
);
ok
(
ret
,
"GetSecurityDescriptorDacl failed with error %u
\n
"
,
GetLastError
());
todo_wine
ok
(
present
,
"DACL not present
\n
"
);
ok
(
present
,
"DACL not present
\n
"
);
ok
(
acl
&&
acl
!=
(
void
*
)
0xdeadbeef
,
"Got invalid DACL
\n
"
);
ok
(
!
defaulted
,
"DACL defaulted
\n
"
);
if
(
present
&&
acl
)
ok
(
acl
->
AceCount
,
"Expected at least one ACE
\n
"
);
for
(
i
=
0
;
i
<
acl
->
AceCount
;
i
++
)
{
ok
(
acl
!=
(
void
*
)
0xdeadbeef
,
"DACL not set
\n
"
);
ok
(
!
defaulted
,
"DACL defaulted
\n
"
);
ok
(
acl
->
AceCount
,
"Expected at least one ACE
\n
"
);
for
(
i
=
0
;
i
<
acl
->
AceCount
;
i
++
)
{
ok
(
pGetAce
(
acl
,
i
,
(
void
**
)
&
acc_ace
),
"GetAce failed with error %u
\n
"
,
GetLastError
());
ok
(
acc_ace
->
Header
.
AceType
!=
ACCESS_ALLOWED_ACE_TYPE
||
!
EqualSid
(
&
acc_ace
->
SidStart
,
psid
),
"ACE inherited from the parent
\n
"
);
}
ok
(
pGetAce
(
acl
,
i
,
(
void
**
)
&
acc_ace
),
"GetAce failed with error %u
\n
"
,
GetLastError
());
ok
(
acc_ace
->
Header
.
AceType
!=
ACCESS_ALLOWED_ACE_TYPE
||
!
EqualSid
(
&
acc_ace
->
SidStart
,
psid
),
"ACE inherited from the parent
\n
"
);
}
LocalFree
(
psid
);
...
...
@@ -6987,21 +6982,16 @@ static void test_child_token_sd(void)
defaulted
=
TRUE
;
ret
=
GetSecurityDescriptorSacl
(
sd
,
&
present
,
&
acl
,
&
defaulted
);
ok
(
ret
,
"GetSecurityDescriptorSacl failed with error %u
\n
"
,
GetLastError
());
todo_wine
ok
(
present
,
"SACL not present
\n
"
);
if
(
present
&&
acl
)
{
ok
(
acl
!=
(
void
*
)
0xdeadbeef
,
"Got invalid SACL
\n
"
);
ok
(
!
defaulted
,
"SACL defaulted
\n
"
);
ok
(
acl
->
AceCount
==
1
,
"Expected exactly one ACE
\n
"
);
ret
=
pGetAce
(
acl
,
0
,
(
void
**
)
&
ace_label
);
ok
(
ret
,
"GetAce failed with error %u
\n
"
,
GetLastError
());
ok
(
ace_label
->
Header
.
AceType
==
SYSTEM_MANDATORY_LABEL_ACE_TYPE
,
"Unexpected ACE type %#x
\n
"
,
ace_label
->
Header
.
AceType
);
ok
(
!
EqualSid
(
&
ace_label
->
SidStart
,
&
low_level
),
"Low integrity level should not have been inherited
\n
"
);
}
ok
(
present
,
"SACL not present
\n
"
);
ok
(
acl
&&
acl
!=
(
void
*
)
0xdeadbeef
,
"Got invalid SACL
\n
"
);
ok
(
!
defaulted
,
"SACL defaulted
\n
"
);
ok
(
acl
->
AceCount
==
1
,
"Expected exactly one ACE
\n
"
);
ret
=
pGetAce
(
acl
,
0
,
(
void
**
)
&
ace_label
);
ok
(
ret
,
"GetAce failed with error %u
\n
"
,
GetLastError
());
ok
(
ace_label
->
Header
.
AceType
==
SYSTEM_MANDATORY_LABEL_ACE_TYPE
,
"Unexpected ACE type %#x
\n
"
,
ace_label
->
Header
.
AceType
);
ok
(
!
EqualSid
(
&
ace_label
->
SidStart
,
&
low_level
),
"Low integrity level should not have been inherited
\n
"
);
HeapFree
(
GetProcessHeap
(),
0
,
sd
);
}
...
...
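Review bot: In `test_child_token_sd` the DACL and SACL pointers are dereferenced (`acl->AceCount`) directly after `ok(acl && acl != (void *)0xdeadbeef, ...)`, and `ok()` only records a failure, so a missing or unset ACL would crash the test instead of reporting it. This assumes the unguarded form is the new side, which the dropped `todo_wine` lines and the deletion count suggest but the rendered page does not mark. The same applies to `ace_label->Header.AceType` after `ok(ret, "GetAce failed ...")`. I would keep a cheap guard in front of the ACE checks, e.g. `if (acl && acl != (void *)0xdeadbeef)` around the `AceCount` loop and `if (ret)` before reading `ace_label`, so a regression in the server's label handling shows up as a failed assertion rather than an access violation.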
server/process.c
...
...
@@ -570,6 +570,12 @@ struct thread *create_process( int fd, struct thread *parent_thread, int inherit
}
if
(
!
process
->
handles
||
!
process
->
token
)
goto
error
;
/* Assign a high security label to the token. The default would be medium
* but Wine provides admin access to all applications right now so high
* makes more sense for the time being. */
if
(
!
token_assign_label
(
process
->
token
,
security_high_label_sid
))
goto
error
;
/* create the main thread */
if
(
pipe
(
request_pipe
)
==
-
1
)
{
...
...
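Review bot: The comment added in `create_process` says why the label is high but not what follows from it: the call `token_assign_label( process->token, security_high_label_sid )` is unconditional, so every process created here carries the same high label and the mandatory label cannot separate one Wine process from another. I would say so in the comment and mark it so it is found again when integrity levels are enforced, e.g. `/* FIXME: all processes get a high label, so integrity levels give no isolation between them. */`. Whether the server checks labels anywhere is not visible from this hunk, and `create_process` starts and ends outside it.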
server/security.h
...
...
@@ -47,11 +47,13 @@ extern const PSID security_local_user_sid;
extern
const
PSID
security_local_system_sid
;
extern
const
PSID
security_builtin_users_sid
;
extern
const
PSID
security_builtin_admins_sid
;
extern
const
PSID
security_high_label_sid
;
/* token functions */
extern
struct
token
*
token_create_admin
(
void
);
extern
int
token_assign_label
(
struct
token
*
token
,
PSID
label
);
extern
struct
token
*
token_duplicate
(
struct
token
*
src_token
,
unsigned
primary
,
int
impersonation_level
,
const
struct
security_descriptor
*
sd
);
extern
int
token_check_privileges
(
struct
token
*
token
,
int
all_required
,
...
...
server/token.c
...
...
@@ -70,6 +70,7 @@ static const SID interactive_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY },
static
const
SID
anonymous_logon_sid
=
{
SID_REVISION
,
1
,
{
SECURITY_NT_AUTHORITY
},
{
SECURITY_ANONYMOUS_LOGON_RID
}
};
static
const
SID
authenticated_user_sid
=
{
SID_REVISION
,
1
,
{
SECURITY_NT_AUTHORITY
},
{
SECURITY_AUTHENTICATED_USER_RID
}
};
static
const
SID
local_system_sid
=
{
SID_REVISION
,
1
,
{
SECURITY_NT_AUTHORITY
},
{
SECURITY_LOCAL_SYSTEM_RID
}
};
static
const
SID
high_label_sid
=
{
SID_REVISION
,
1
,
{
SECURITY_MANDATORY_LABEL_AUTHORITY
},
{
SECURITY_MANDATORY_HIGH_RID
}
};
static
const
struct
/* same fields as struct SID */
{
BYTE
Revision
;
...
...
@@ -100,6 +101,7 @@ const PSID security_local_system_sid = (PSID)&local_system_sid;
const
PSID
security_local_user_sid
=
(
PSID
)
&
local_user_sid
;
const
PSID
security_builtin_admins_sid
=
(
PSID
)
&
builtin_admins_sid
;
const
PSID
security_builtin_users_sid
=
(
PSID
)
&
builtin_users_sid
;
const
PSID
security_high_label_sid
=
(
PSID
)
&
high_label_sid
;
static
luid_t
prev_luid_value
=
{
1000
,
0
};
...
...
@@ -726,6 +728,56 @@ struct sid_data
unsigned
int
subauth
[
MAX_SUBAUTH_COUNT
];
};
static
struct
security_descriptor
*
create_security_label_sd
(
struct
token
*
token
,
PSID
label_sid
)
{
size_t
sid_len
=
security_sid_len
(
label_sid
),
sacl_size
,
sd_size
;
SYSTEM_MANDATORY_LABEL_ACE
*
smla
;
struct
security_descriptor
*
sd
;
ACL
*
sacl
;
sacl_size
=
sizeof
(
ACL
)
+
FIELD_OFFSET
(
SYSTEM_MANDATORY_LABEL_ACE
,
SidStart
)
+
sid_len
;
sd_size
=
sizeof
(
struct
security_descriptor
)
+
sacl_size
;
if
(
!
(
sd
=
mem_alloc
(
sd_size
)))
return
NULL
;
sd
->
control
=
SE_SACL_PRESENT
;
sd
->
owner_len
=
0
;
sd
->
group_len
=
0
;
sd
->
sacl_len
=
sacl_size
;
sd
->
dacl_len
=
0
;
sacl
=
(
ACL
*
)(
sd
+
1
);
sacl
->
AclRevision
=
ACL_REVISION
;
sacl
->
Sbz1
=
0
;
sacl
->
AclSize
=
sacl_size
;
sacl
->
AceCount
=
1
;
sacl
->
Sbz2
=
0
;
smla
=
(
SYSTEM_MANDATORY_LABEL_ACE
*
)(
sacl
+
1
);
smla
->
Header
.
AceType
=
SYSTEM_MANDATORY_LABEL_ACE_TYPE
;
smla
->
Header
.
AceFlags
=
0
;
smla
->
Header
.
AceSize
=
FIELD_OFFSET
(
SYSTEM_MANDATORY_LABEL_ACE
,
SidStart
)
+
sid_len
;
smla
->
Mask
=
SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
;
memcpy
(
&
smla
->
SidStart
,
label_sid
,
sid_len
);
assert
(
sd_is_valid
(
sd
,
sd_size
)
);
return
sd
;
}
int
token_assign_label
(
struct
token
*
token
,
PSID
label
)
{
struct
security_descriptor
*
sd
;
int
ret
=
0
;
if
((
sd
=
create_security_label_sd
(
token
,
label
)))
{
ret
=
set_sd_defaults_from_token
(
&
token
->
obj
,
sd
,
LABEL_SECURITY_INFORMATION
,
token
);
free
(
sd
);
}
return
ret
;
}
struct
token
*
token_create_admin
(
void
)
{
struct
token
*
token
=
NULL
;
...
...
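Review bot: `create_security_label_sd` never reads its `token` parameter, and it trusts `label_sid` completely: `security_sid_len( label_sid )` sizes the allocation and the `memcpy`, and the sum is stored into the 16-bit `sacl->AclSize` and `smla->Header.AceSize` fields without a range check. That is safe for the only caller shown, which passes the static `security_high_label_sid`, but the only check on the result is an `assert( sd_is_valid( sd, sd_size ) )`, which is compiled out when `NDEBUG` is defined. I would drop the unused parameter (`static struct security_descriptor *create_security_label_sd( PSID label_sid )`) and document the contract on `token_assign_label`, e.g. `/* label must be a well-formed server-internal SID; it is not validated here */`, so that a later caller does not pass a client-supplied SID into it.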