=?UTF-8?Q?Michael=20M=C3=BCller=20?=: server: Assign a default label to all tokens.
Alexandre Julliard
julliard at winehq.org
Mon Jun 19 14:49:30 CDT 2017
Module: wine
Branch: master
Commit: a78d419420a43e1f428ac155082b87143117e381
URL: http://source.winehq.org/git/wine.git/?a=commit;h=a78d419420a43e1f428ac155082b87143117e381
Author: Michael Müller <michael at fds-team.de>
Date: Fri Jun 16 20:41:36 2017 +0200
server: Assign a default label to all tokens.
Signed-off-by: Matteo Bruni <mbruni at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
---
dlls/advapi32/tests/security.c | 46 +++++++++++++++----------------------
server/process.c | 6 +++++
server/security.h | 2 ++
server/token.c | 52 ++++++++++++++++++++++++++++++++++++++++++
4 files changed, 78 insertions(+), 28 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 3a8e7e9..8044cae 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -6847,7 +6847,6 @@ static void test_token_security_descriptor(void)
defaulted = TRUE;
ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
- todo_wine
ok(present, "DACL not present\n");
ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
ok(!defaulted, "DACL defaulted\n");
@@ -6949,20 +6948,16 @@ static void test_child_token_sd(void)
defaulted = TRUE;
ret = GetSecurityDescriptorDacl(sd, &present, &acl, &defaulted);
ok(ret, "GetSecurityDescriptorDacl failed with error %u\n", GetLastError());
- todo_wine ok(present, "DACL not present\n");
+ ok(present, "DACL not present\n");
+ ok(acl && acl != (void *)0xdeadbeef, "Got invalid DACL\n");
+ ok(!defaulted, "DACL defaulted\n");
- if (present && acl)
+ ok(acl->AceCount, "Expected at least one ACE\n");
+ for (i = 0; i < acl->AceCount; i++)
{
- ok(acl != (void *)0xdeadbeef, "DACL not set\n");
- ok(!defaulted, "DACL defaulted\n");
-
- ok(acl->AceCount, "Expected at least one ACE\n");
- for (i = 0; i < acl->AceCount; i++)
- {
- ok(pGetAce(acl, i, (void **)&acc_ace), "GetAce failed with error %u\n", GetLastError());
- ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
- "ACE inherited from the parent\n");
- }
+ ok(pGetAce(acl, i, (void **)&acc_ace), "GetAce failed with error %u\n", GetLastError());
+ ok(acc_ace->Header.AceType != ACCESS_ALLOWED_ACE_TYPE || !EqualSid(&acc_ace->SidStart, psid),
+ "ACE inherited from the parent\n");
}
LocalFree(psid);
@@ -6987,21 +6982,16 @@ static void test_child_token_sd(void)
defaulted = TRUE;
ret = GetSecurityDescriptorSacl(sd, &present, &acl, &defaulted);
ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
- todo_wine ok(present, "SACL not present\n");
-
- if (present && acl)
- {
- ok(acl != (void *)0xdeadbeef, "Got invalid SACL\n");
- ok(!defaulted, "SACL defaulted\n");
-
- ok(acl->AceCount == 1, "Expected exactly one ACE\n");
- ret = pGetAce(acl, 0, (void **)&ace_label);
- ok(ret, "GetAce failed with error %u\n", GetLastError());
- ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
- "Unexpected ACE type %#x\n", ace_label->Header.AceType);
- ok(!EqualSid(&ace_label->SidStart, &low_level),
- "Low integrity level should not have been inherited\n");
- }
+ ok(present, "SACL not present\n");
+ ok(acl && acl != (void *)0xdeadbeef, "Got invalid SACL\n");
+ ok(!defaulted, "SACL defaulted\n");
+ ok(acl->AceCount == 1, "Expected exactly one ACE\n");
+ ret = pGetAce(acl, 0, (void **)&ace_label);
+ ok(ret, "GetAce failed with error %u\n", GetLastError());
+ ok(ace_label->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ "Unexpected ACE type %#x\n", ace_label->Header.AceType);
+ ok(!EqualSid(&ace_label->SidStart, &low_level),
+ "Low integrity level should not have been inherited\n");
HeapFree(GetProcessHeap(), 0, sd);
}
diff --git a/server/process.c b/server/process.c
index 3e962ca..2327a26 100644
--- a/server/process.c
+++ b/server/process.c
@@ -570,6 +570,12 @@ struct thread *create_process( int fd, struct thread *parent_thread, int inherit
}
if (!process->handles || !process->token) goto error;
+ /* Assign a high security label to the token. The default would be medium
+ * but Wine provides admin access to all applications right now so high
+ * makes more sense for the time being. */
+ if (!token_assign_label( process->token, security_high_label_sid ))
+ goto error;
+
/* create the main thread */
if (pipe( request_pipe ) == -1)
{
diff --git a/server/security.h b/server/security.h
index 3cbfcb9..873bbc6 100644
--- a/server/security.h
+++ b/server/security.h
@@ -47,11 +47,13 @@ extern const PSID security_local_user_sid;
extern const PSID security_local_system_sid;
extern const PSID security_builtin_users_sid;
extern const PSID security_builtin_admins_sid;
+extern const PSID security_high_label_sid;
/* token functions */
extern struct token *token_create_admin(void);
+extern int token_assign_label( struct token *token, PSID label );
extern struct token *token_duplicate( struct token *src_token, unsigned primary,
int impersonation_level, const struct security_descriptor *sd );
extern int token_check_privileges( struct token *token, int all_required,
diff --git a/server/token.c b/server/token.c
index f518544..532d7b7 100644
--- a/server/token.c
+++ b/server/token.c
@@ -70,6 +70,7 @@ static const SID interactive_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY },
static const SID anonymous_logon_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_ANONYMOUS_LOGON_RID } };
static const SID authenticated_user_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_AUTHENTICATED_USER_RID } };
static const SID local_system_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_LOCAL_SYSTEM_RID } };
+static const SID high_label_sid = { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY }, { SECURITY_MANDATORY_HIGH_RID } };
static const struct /* same fields as struct SID */
{
BYTE Revision;
@@ -100,6 +101,7 @@ const PSID security_local_system_sid = (PSID)&local_system_sid;
const PSID security_local_user_sid = (PSID)&local_user_sid;
const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
const PSID security_builtin_users_sid = (PSID)&builtin_users_sid;
+const PSID security_high_label_sid = (PSID)&high_label_sid;
static luid_t prev_luid_value = { 1000, 0 };
@@ -726,6 +728,56 @@ struct sid_data
unsigned int subauth[MAX_SUBAUTH_COUNT];
};
+static struct security_descriptor *create_security_label_sd( struct token *token, PSID label_sid )
+{
+ size_t sid_len = security_sid_len( label_sid ), sacl_size, sd_size;
+ SYSTEM_MANDATORY_LABEL_ACE *smla;
+ struct security_descriptor *sd;
+ ACL *sacl;
+
+ sacl_size = sizeof(ACL) + FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len;
+ sd_size = sizeof(struct security_descriptor) + sacl_size;
+ if (!(sd = mem_alloc( sd_size )))
+ return NULL;
+
+ sd->control = SE_SACL_PRESENT;
+ sd->owner_len = 0;
+ sd->group_len = 0;
+ sd->sacl_len = sacl_size;
+ sd->dacl_len = 0;
+
+ sacl = (ACL *)(sd + 1);
+ sacl->AclRevision = ACL_REVISION;
+ sacl->Sbz1 = 0;
+ sacl->AclSize = sacl_size;
+ sacl->AceCount = 1;
+ sacl->Sbz2 = 0;
+
+ smla = (SYSTEM_MANDATORY_LABEL_ACE *)(sacl + 1);
+ smla->Header.AceType = SYSTEM_MANDATORY_LABEL_ACE_TYPE;
+ smla->Header.AceFlags = 0;
+ smla->Header.AceSize = FIELD_OFFSET(SYSTEM_MANDATORY_LABEL_ACE, SidStart) + sid_len;
+ smla->Mask = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP;
+ memcpy( &smla->SidStart, label_sid, sid_len );
+
+ assert( sd_is_valid( sd, sd_size ) );
+ return sd;
+}
+
+int token_assign_label( struct token *token, PSID label )
+{
+ struct security_descriptor *sd;
+ int ret = 0;
+
+ if ((sd = create_security_label_sd( token, label )))
+ {
+ ret = set_sd_defaults_from_token( &token->obj, sd, LABEL_SECURITY_INFORMATION, token );
+ free( sd );
+ }
+
+ return ret;
+}
+
struct token *token_create_admin( void )
{
struct token *token = NULL;
More information about the wine-cvs
mailing list