server: Assign a default label to all tokens.

Signed-off-by: Matteo Bruni <mbruni@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

server: Assign a default label to all tokens.
a78d4194 · Michael Müller · Alexandre Julliard · 08f3fef3 · a78d4194 · a78d4194
Commit a78d4194 authored Jun 16, 2017 by Michael Müller Committed by Alexandre Julliard Jun 19, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 78 additions and 28 deletions

security.c dlls/advapi32/tests/security.c +18 -28

process.c server/process.c +6 -0

security.h server/security.h +2 -0

token.c server/token.c +52 -0

No files found.
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -6847,7 +6847,6 @@ static void test_token_security_descriptor(void)
    defaulted = TRUE;
    ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
    ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
-    todo_wine
    ok(present, "DACL not present\n");
    ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
    ok(!defaulted, "DACL defaulted\n");
@@ -6949,20 +6948,16 @@ static void test_child_token_sd(void)
    defaulted = TRUE;
    ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
    ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
-    todo_wine ok(present, "DACL not present\n");
+    ok(present, "DACL not present\n");
+    ok(acl && acl != (void *)0xdeadbeef, "Got invalid DACL\n");
+    ok(!defaulted, "DACL defaulted\n");
-    if (present && acl)
+    ok(acl->AceCount, "Expected at least one ACE\n");
+    for (i = 0; i < acl->AceCount; i++)
    {
-        ok(acl != (void *)0xdeadbeef, "DACL not set\n");
+        ok(pGetAce(acl, i, (void **)&acc_ace), "GetAce failed with error %u\n", GetLastError());
-        ok(!defaulted, "DACL defaulted\n");
+        ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
+           "ACE inherited from the parent\n");
-        ok(acl->AceCount, "Expected at least one ACE\n");
-        for (i = 0; i < acl->AceCount; i++)
-        {
-            ok(pGetAce(acl, i, (void **)&acc_ace), "GetAce failed with error %u\n", GetLastError());
-            ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
-               "ACE inherited from the parent\n");
-        }
    }
    LocalFree(psid);
@@ -6987,21 +6982,16 @@ static void test_child_token_sd(void)
    defaulted = TRUE;
    ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
    ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-    todo_wine ok(present, "SACL not present\n");
+    ok(present, "SACL not present\n");
+    ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
-    if (present && acl)
+    ok(!defaulted, "SACL defaulted\n");
-    {
+    ok(acl->AceCount == 1, "Expected exactly one ACE\n");
-        ok(acl != (void *)0xdeadbeef, "Got invalid SACL\n");
+    ret = pGetAce(acl, 0, (void **)&ace_label);
-        ok(!defaulted, "SACL defaulted\n");
+    ok(ret, "GetAce failed with error %u\n", GetLastError());
+    ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
-        ok(acl->AceCount == 1, "Expected exactly one ACE\n");
+       "Unexpected ACE type %#x\n", ace_label->Header.AceType);
-        ret = pGetAce(acl, 0, (void **)&ace_label);
+    ok(!EqualSid(&ace_label->SidStart, &low_level),
-        ok(ret, "GetAce failed with error %u\n", GetLastError());
+       "Low integrity level should not have been inherited\n");
-        ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
-           "Unexpected ACE type %#x\n", ace_label->Header.AceType);
-        ok(!EqualSid(&ace_label->SidStart, &low_level),
-           "Low integrity level should not have been inherited\n");
-    }
    HeapFree(GetProcessHeap(), 0, sd);
 }

--- a/server/process.c
+++ b/server/process.c
@@ -570,6 +570,12 @@ struct thread *create_process( int fd, struct thread *parent_thread, int inherit
    }
    if (!process->handles || !process->token) goto error;
+    /* Assign a high security label to the token. The default would be medium
+     * but Wine provides admin access to all applications right now so high
+     * makes more sense for the time being. */
+    if (!token_assign_label( process->token, security_high_label_sid ))
+        goto error;
    /* create the main thread */
    if (pipe( request_pipe ) == -1)
    {

--- a/server/security.h
+++ b/server/security.h
@@ -47,11 +47,13 @@ extern const PSID security_local_user_sid;
 extern const PSID security_local_system_sid;
 extern const PSID security_builtin_users_sid;
 extern const PSID security_builtin_admins_sid;
+extern const PSID security_high_label_sid;
 /* token functions */
 extern struct token *token_create_admin(void);
+extern int token_assign_label( struct token *token, PSID label );
 extern struct token *token_duplicate( struct token *src_token, unsigned primary,
                                      int impersonation_level, const struct security_descriptor *sd );
 extern int token_check_privileges( struct token *token, int all_required,

--- a/server/token.c
+++ b/server/token.c
@@ -70,6 +70,7 @@ static const SID interactive_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY },
 static const SID anonymous_logon_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_ANONYMOUS_LOGON_RID } };
 static const SID authenticated_user_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_AUTHENTICATED_USER_RID } };
 static const SID local_system_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_LOCAL_SYSTEM_RID } };
+static const SID high_label_sid = { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY }, { SECURITY_MANDATORY_HIGH_RID } };
 static const struct /* same fields as struct SID */
 {
    BYTE Revision;
@@ -100,6 +101,7 @@ const PSID security_local_system_sid = (PSID)&local_system_sid;
 const PSID security_local_user_sid = (PSID)&local_user_sid;
 const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
 const PSID security_builtin_users_sid = (PSID)&builtin_users_sid;
+const PSID security_high_label_sid = (PSID)&high_label_sid;
 static luid_t prev_luid_value = { 1000, 0 };
@@ -726,6 +728,56 @@ struct sid_data
    unsigned int subauth[MAX_SUBAUTH_COUNT];
 };
+static struct security_descriptor *create_security_label_sd( struct token *token, PSID label_sid )
+{
+    size_t sid_len = security_sid_len( label_sid ), sacl_size, sd_size;
+    SYSTEM_MANDATORY_LABEL_ACE *smla;
+    struct security_descriptor *sd;
+    ACL *sacl;
+    sacl_size = sizeof(ACL) + FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len;
+    sd_size = sizeof(struct security_descriptor) + sacl_size;
+    if (!(sd = mem_alloc( sd_size )))
+        return NULL;
+    sd->control   = SE_SACL_PRESENT;
+    sd->owner_len = 0;
+    sd->group_len = 0;
+    sd->sacl_len  = sacl_size;
+    sd->dacl_len  = 0;
+    sacl = (ACL *)(sd + 1);
+    sacl->AclRevision = ACL_REVISION;
+    sacl->Sbz1 = 0;
+    sacl->AclSize = sacl_size;
+    sacl->AceCount = 1;
+    sacl->Sbz2 = 0;
+    smla = (SYSTEM_MANDATORY_LABEL_ACE *)(sacl + 1);
+    smla->Header.AceType = SYSTEM_MANDATORY_LABEL_ACE_TYPE;
+    smla->Header.AceFlags = 0;
+    smla->Header.AceSize = FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len;
+    smla->Mask = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP;
+    memcpy( &smla->SidStart, label_sid, sid_len );
+    assert( sd_is_valid( sd, sd_size ) );
+    return sd;
+}
+int token_assign_label( struct token *token, PSID label )
+{
+    struct security_descriptor *sd;
+    int ret = 0;
+    if ((sd = create_security_label_sd( token, label )))
+    {
+        ret = set_sd_defaults_from_token( &token->obj, sd, LABEL_SECURITY_INFORMATION, token );
+        free( sd );
+    }
+    return ret;
+}
 struct token *token_create_admin( void )
 {
    struct token *token = NULL;