7 Oct
2022
7 Oct
'22
7:22 a.m.
Signed-off-by: Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com>
--
v3: ntoskrnl.exe: Add FltBuildDefaultSecurityDescriptor test
fltmgr.sys: Create import library
fltmgr.sys: Implement FltBuildDefaultSecurityDescriptor
https://gitlab.winehq.org/wine/wine/-/merge_requests/414
7 Oct
7 Oct
7:22 a.m.
New subject: [PATCH v3 1/3] fltmgr.sys: Implement FltBuildDefaultSecurityDescriptor
From: Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com>
Signed-off-by: Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com>
---
dlls/fltmgr.sys/Makefile.in | 1 +
dlls/fltmgr.sys/fltmgr.sys.spec | 4 +-
dlls/fltmgr.sys/main.c | 71 +++++++++++++++++++++++++++++++++
include/ddk/fltkernel.h | 3 +-
4 files changed, 76 insertions(+), 3 deletions(-)
diff --git a/dlls/fltmgr.sys/Makefile.in b/dlls/fltmgr.sys/Makefile.in
index ba106a43831..bb1f34b4896 100644
--- a/dlls/fltmgr.sys/Makefile.in
+++ b/dlls/fltmgr.sys/Makefile.in
@@ -1,5 +1,6 @@
MODULE = fltmgr.sys
EXTRADLLFLAGS = -Wl,--subsystem,native
+IMPORTS = ntoskrnl
C_SRCS = \
main.c
diff --git a/dlls/fltmgr.sys/fltmgr.sys.spec b/dlls/fltmgr.sys/fltmgr.sys.spec
index 39ce6798178..8943b9f85cf 100644
--- a/dlls/fltmgr.sys/fltmgr.sys.spec
+++ b/dlls/fltmgr.sys/fltmgr.sys.spec
@@ -10,7 +10,7 @@
@ stub FltAllocatePoolAlignedWithTag
@ stub FltAttachVolume
@ stub FltAttachVolumeAtAltitude
-@ stub FltBuildDefaultSecurityDescriptor
+@ stdcall FltBuildDefaultSecurityDescriptor(ptr long)
@ stub FltCancelFileOpen
@ stub FltCancelIo
@ stub FltCbdqDisable
@@ -60,7 +60,7 @@
@ stub FltFreeFileLock
@ stub FltFreeGenericWorkItem
@ stub FltFreePoolAlignedWithTag
-@ stub FltFreeSecurityDescriptor
+@ stdcall FltFreeSecurityDescriptor(ptr)
@ stub FltFsControlFile
@ stub FltGetBottomInstance
@ stub FltGetContexts
diff --git a/dlls/fltmgr.sys/main.c b/dlls/fltmgr.sys/main.c
index e1016a4989c..ea9685b4308 100644
--- a/dlls/fltmgr.sys/main.c
+++ b/dlls/fltmgr.sys/main.c
@@ -93,3 +93,74 @@ void* WINAPI FltGetRoutineAddress(LPCSTR name)
return func;
}
+
+NTSTATUS WINAPI FltBuildDefaultSecurityDescriptor(PSECURITY_DESCRIPTOR *descriptor,
ACCESS_MASK access)
+{
+ PACL dacl;
+ NTSTATUS ret = STATUS_INSUFFICIENT_RESOURCES;
+ ULONG sid_len;
+ PSID sid;
+ PSID sid_system;
+ PSECURITY_DESCRIPTOR sec_desc = NULL;
+ SID_IDENTIFIER_AUTHORITY auth = { SECURITY_NULL_SID_AUTHORITY };
+
+ *descriptor = NULL;
+
+ ret = RtlAllocateAndInitializeSid(&auth, 2, SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_GROUP_RID_ADMINS,
+ 0, 0, 0, 0, 0, 0, &sid);
+ if (ret != STATUS_SUCCESS)
+ goto done;
+
+ ret = RtlAllocateAndInitializeSid(&auth, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0,
0, 0, 0, 0, &sid_system);
+ if (ret != STATUS_SUCCESS)
+ goto done;
+
+ sid_len = SECURITY_DESCRIPTOR_MIN_LENGTH + sizeof(ACL) +
+ sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(sid) +
+ sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(sid_system);
+
+ sec_desc = RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, sid_len);
+ if (!sec_desc)
+ {
+ ret = STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ ret = RtlCreateSecurityDescriptor(sec_desc, SECURITY_DESCRIPTOR_REVISION);
+ if (ret != STATUS_SUCCESS)
+ goto done;
+
+ dacl = (PACL)((char*)sec_desc + SECURITY_DESCRIPTOR_MIN_LENGTH);
+ ret = RtlCreateAcl(dacl, sid_len - SECURITY_DESCRIPTOR_MIN_LENGTH, ACL_REVISION);
+ if (ret != STATUS_SUCCESS)
+ goto done;
+
+ ret = RtlAddAccessAllowedAce(dacl, ACL_REVISION, access, sid);
+ if (ret != STATUS_SUCCESS)
+ goto done;
+
+ ret = RtlAddAccessAllowedAce(dacl, ACL_REVISION, access, sid_system);
+ if (ret != STATUS_SUCCESS)
+ goto done;
+
+ ret = RtlSetDaclSecurityDescriptor(sec_desc, 1, dacl, 0);
+ if (ret == STATUS_SUCCESS)
+ *descriptor = sec_desc;
+
+done:
+ if (ret != STATUS_SUCCESS && sec_desc != NULL)
+ RtlFreeHeap(GetProcessHeap(), 0, sec_desc);
+
+ if (sid != NULL)
+ RtlFreeHeap(GetProcessHeap(), 0, sid);
+
+ if (sid_system != NULL)
+ RtlFreeHeap(GetProcessHeap(), 0, sid_system);
+
+ return ret;
+}
+
+void WINAPI FltFreeSecurityDescriptor(PSECURITY_DESCRIPTOR descriptor)
+{
+ RtlFreeHeap(GetProcessHeap(), 0, descriptor);
+}
\ No newline at end of file
diff --git a/include/ddk/fltkernel.h b/include/ddk/fltkernel.h
index 8ebebfa2e81..9ece0990810 100644
--- a/include/ddk/fltkernel.h
+++ b/include/ddk/fltkernel.h
@@ -653,7 +653,8 @@ typedef struct _FLT_REGISTRATION
PFLT_SECTION_CONFLICT_NOTIFICATION_CALLBACK SectionNotificationCallback;
} FLT_REGISTRATION, *PFLT_REGISTRATION;
-
+NTSTATUS WINAPI FltBuildDefaultSecurityDescriptor(PSECURITY_DESCRIPTOR *, ACCESS_MASK);
+void WINAPI FltFreeSecurityDescriptor(PSECURITY_DESCRIPTOR);
void* WINAPI FltGetRoutineAddress(LPCSTR name);
NTSTATUS WINAPI FltRegisterFilter(PDRIVER_OBJECT, const FLT_REGISTRATION *, PFLT_FILTER
*);
NTSTATUS WINAPI FltStartFiltering(PFLT_FILTER);
--
GitLab
https://gitlab.winehq.org/wine/wine/-/merge_requests/414
7:22 a.m.
New subject: [PATCH v3 2/3] fltmgr.sys: Create import library
From: Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com>
Signed-off-by: Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com>
---
dlls/fltmgr.sys/Makefile.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/dlls/fltmgr.sys/Makefile.in b/dlls/fltmgr.sys/Makefile.in
index bb1f34b4896..5540df35d6a 100644
--- a/dlls/fltmgr.sys/Makefile.in
+++ b/dlls/fltmgr.sys/Makefile.in
@@ -1,4 +1,5 @@
MODULE = fltmgr.sys
+IMPORTLIB = fltmgr
EXTRADLLFLAGS = -Wl,--subsystem,native
IMPORTS = ntoskrnl
--
GitLab
https://gitlab.winehq.org/wine/wine/-/merge_requests/414
7:22 a.m.
New subject: [PATCH v3 3/3] ntoskrnl.exe: Add FltBuildDefaultSecurityDescriptor test
From: Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com>
Signed-off-by: Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com>
---
dlls/ntoskrnl.exe/tests/Makefile.in | 2 +-
dlls/ntoskrnl.exe/tests/driver.c | 65 +++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 1 deletion(-)
diff --git a/dlls/ntoskrnl.exe/tests/Makefile.in b/dlls/ntoskrnl.exe/tests/Makefile.in
index ab1db85adbb..9c89e44e70a 100644
--- a/dlls/ntoskrnl.exe/tests/Makefile.in
+++ b/dlls/ntoskrnl.exe/tests/Makefile.in
@@ -1,7 +1,7 @@
TESTDLL = ntoskrnl.exe
IMPORTS = advapi32 crypt32 newdev setupapi user32 wintrust ws2_32 hid
-driver_IMPORTS = winecrt0 ntoskrnl hal
+driver_IMPORTS = winecrt0 ntoskrnl hal fltmgr
driver_EXTRADLLFLAGS = -nodefaultlibs -nostartfiles -Wl,--subsystem,native
driver2_IMPORTS = winecrt0 ntoskrnl hal
driver2_EXTRADLLFLAGS = -nodefaultlibs -nostartfiles -Wl,--subsystem,native
diff --git a/dlls/ntoskrnl.exe/tests/driver.c b/dlls/ntoskrnl.exe/tests/driver.c
index d293889c823..66f5bb122be 100644
--- a/dlls/ntoskrnl.exe/tests/driver.c
+++ b/dlls/ntoskrnl.exe/tests/driver.c
@@ -32,6 +32,7 @@
#include "ddk/ntddk.h"
#include "ddk/ntifs.h"
#include "ddk/wdm.h"
+#include "ddk/fltkernel.h"
#include "driver.h"
@@ -2293,6 +2294,69 @@ static void test_permanence(void)
ok(status == STATUS_OBJECT_NAME_NOT_FOUND, "got %#lx\n", status);
}
+static void test_default_security(void)
+{
+ PSECURITY_DESCRIPTOR sd = NULL;
+ NTSTATUS status;
+ PSID group = NULL, owner = NULL;
+ BOOLEAN isdefault, present;
+ PACL acl = NULL;
+ PACCESS_ALLOWED_ACE ace;
+ SID_IDENTIFIER_AUTHORITY auth = { SECURITY_NULL_SID_AUTHORITY };
+ PSID sid1, sid2;
+
+ status = FltBuildDefaultSecurityDescriptor(&sd, STANDARD_RIGHTS_ALL);
+ ok(status == STATUS_SUCCESS, "got %#lx\n", status);
+ ok(sd != NULL, "Failed to return descriptor\n");
+
+ status = RtlGetGroupSecurityDescriptor(sd, &group, &isdefault);
+ ok(status == STATUS_SUCCESS, "got %#lx\n", status);
+ ok(group == NULL, "group isn't NULL\n");
+
+ status = RtlGetOwnerSecurityDescriptor(sd, &owner, &isdefault);
+ ok(status == STATUS_SUCCESS, "got %#lx\n", status);
+ ok(owner == NULL, "owner isn't NULL\n");
+
+ status = RtlGetDaclSecurityDescriptor(sd, &present, &acl, &isdefault);
+ ok(status == STATUS_SUCCESS, "got %#lx\n", status);
+ ok(acl != NULL, "acl is NULL\n");
+ ok(acl->AceCount == 2, "got %d\n", acl->AceCount);
+
+ sid1 = RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, RtlLengthRequiredSid(2));
+ RtlInitializeSid(sid1, &auth, 2);
+ *RtlSubAuthoritySid(sid1, 0) = SECURITY_BUILTIN_DOMAIN_RID;
+ *RtlSubAuthoritySid(sid1, 1) = DOMAIN_GROUP_RID_ADMINS;
+
+ sid2 = RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, RtlLengthRequiredSid(1));
+ RtlInitializeSid(sid2, &auth, 1);
+ *RtlSubAuthoritySid(sid2, 0) = SECURITY_LOCAL_SYSTEM_RID;
+
+ /* SECURITY_BUILTIN_DOMAIN_RID */
+ status = RtlGetAce(acl, 0, (void**)&ace);
+ ok(status == STATUS_SUCCESS, "got %#lx\n", status);
+
+ ok(ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, "got %#x\n",
ace->Header.AceType);
+ ok(ace->Header.AceFlags == 0, "got %#x\n", ace->Header.AceFlags);
+ ok(ace->Mask == STANDARD_RIGHTS_ALL, "got %#lx\n", ace->Mask);
+
+ ok(RtlEqualSid(sid1, (PSID)&ace->SidStart), "SID not equal\n");
+
+ /* SECURITY_LOCAL_SYSTEM_RID */
+ status = RtlGetAce(acl, 1, (void**)&ace);
+ ok(status == STATUS_SUCCESS, "got %#lx\n", status);
+
+ ok(ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, "got %#x\n",
ace->Header.AceType);
+ ok(ace->Header.AceFlags == 0, "got %#x\n", ace->Header.AceFlags);
+ ok(ace->Mask == STANDARD_RIGHTS_ALL, "got %#lx\n", ace->Mask);
+
+ ok(RtlEqualSid(sid2, (PSID)&ace->SidStart), "SID not equal\n");
+
+ RtlFreeHeap(GetProcessHeap(), 0, sid1);
+ RtlFreeHeap(GetProcessHeap(), 0, sid2);
+
+ FltFreeSecurityDescriptor(sd);
+}
+
static NTSTATUS main_test(DEVICE_OBJECT *device, IRP *irp, IO_STACK_LOCATION *stack)
{
void *buffer = irp->AssociatedIrp.SystemBuffer;
@@ -2336,6 +2400,7 @@ static NTSTATUS main_test(DEVICE_OBJECT *device, IRP *irp,
IO_STACK_LOCATION *st
test_dpc();
test_process_memory(test_input);
test_permanence();
+ test_default_security();
IoMarkIrpPending(irp);
IoQueueWorkItem(work_item, main_test_task, DelayedWorkQueue, irp);
--
GitLab
https://gitlab.winehq.org/wine/wine/-/merge_requests/414
8:22 a.m.
New subject: [PATCH v3 3/3] ntoskrnl.exe: Add FltBuildDefaultSecurityDescriptor test
Hi,
It looks like your patch introduced the new failures shown below.
Please investigate and fix them before resubmitting your patch.
If they are not new, fixing them anyway would help a lot. Otherwise
please ask for the known failures list to be updated.
The full results can be found at:
https://testbot.winehq.org/JobDetails.pl?Key=124785
Your paranoid android.
=== w7u_2qxl (testbot log) ===
WineRunTask.pl:error: An error occurred while waiting for the test to complete: network
read got a premature EOF (wait2:ListSize:0/4)
WineRunTask.pl:error: The test VM has crashed, rebooted or lost connectivity (or the
TestAgent server died)
WineRunTask.pl:error: The previous 2 run(s) terminated abnormally
=== w7u_el (testbot log) ===
WineRunTask.pl:error: An error occurred while waiting for the test to complete: network
read got a premature EOF (wait2/connect:AgentVersion.h:0/9)
WineRunTask.pl:error: The test VM has crashed, rebooted or lost connectivity (or the
TestAgent server died)
WineRunTask.pl:error: The previous 2 run(s) terminated abnormally
=== w8 (testbot log) ===
WineRunTask.pl:error: An error occurred while waiting for the test to complete: network
read timed out (wait2/connect:AgentVersion.h:0/9)
WineRunTask.pl:error: The test VM has crashed, rebooted or lost connectivity (or the
TestAgent server died)
WineRunTask.pl:error: The previous 2 run(s) terminated abnormally
=== w1064_tsign (testbot log) ===
WineRunTask.pl:error: An error occurred while waiting for the test to complete: the 1060
process does not exist or is not a child process
WineRunTask.pl:error: The test VM has crashed, rebooted or lost connectivity (or the
TestAgent server died)
WineRunTask.pl:error: The previous 2 run(s) terminated abnormally
604
days inactive
604
days old
4 comments
3 participants
participants (3)
-
Alistair Leslie-Hughes -
Alistair Leslie-Hughes (@alesliehughes)
-
Marvin