Author: ekohl
Date: Sat Apr 10 13:44:57 2010
New Revision: 46811
URL: http://svn.reactos.org/svn/reactos?rev=46811&view=rev
Log:
Enable old access check code until the bug that keeps the device installer from
working has been fixed.
Modified:
trunk/reactos/ntoskrnl/se/semgr.c
Modified: trunk/reactos/ntoskrnl/se/semgr.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/semgr.c?rev=46811&r1=46810&r2=46811&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/semgr.c [iso-8859-1] Sat Apr 10 13:44:57 2010
@@ -377,6 +377,9 @@
}
}
+
+#define OLD_ACCESS_CHECK
+
BOOLEAN NTAPI
SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
@@ -389,6 +392,9 @@
OUT PNTSTATUS AccessStatus)
{
LUID_AND_ATTRIBUTES Privilege;
+#ifdef OLD_ACCESS_CHECK
+ ACCESS_MASK CurrentAccess, AccessMask;
+#endif
ACCESS_MASK RemainingAccess;
ACCESS_MASK TempAccess;
ACCESS_MASK TempGrantedAccess = 0;
@@ -426,6 +432,9 @@
if (PreviouslyGrantedAccess)
RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
+#ifdef OLD_ACCESS_CHECK
+ CurrentAccess = PreviouslyGrantedAccess;
+#endif
/* Initialize remaining access rights */
RemainingAccess = DesiredAccess;
@@ -490,6 +499,10 @@
return TRUE;
}
+#ifdef OLD_ACCESS_CHECK
+ CurrentAccess = PreviouslyGrantedAccess;
+#endif
+
/* RULE 2: Check token for 'take ownership' privilege */
if (DesiredAccess & WRITE_OWNER)
{
@@ -505,6 +518,9 @@
/* Adjust access rights */
RemainingAccess &= ~WRITE_OWNER;
PreviouslyGrantedAccess |= WRITE_OWNER;
+#ifdef OLD_ACCESS_CHECK
+ CurrentAccess |= WRITE_OWNER;
+#endif
/* Succeed if there are no more rights to grant */
if (RemainingAccess == 0)
@@ -618,6 +634,11 @@
{
if (SepSidInToken(Token, Sid))
{
+#ifdef OLD_ACCESS_CHECK
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+#else
/* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping);
@@ -625,18 +646,25 @@
/* Leave if a remaining right must be denied */
if (RemainingAccess & TempAccess)
break;
+#endif
}
}
else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{
if (SepSidInToken(Token, Sid))
{
+#ifdef OLD_ACCESS_CHECK
+ AccessMask = CurrentAce->AccessMask;
+ RtlMapGenericMask(&AccessMask, GenericMapping);
+ CurrentAccess |= AccessMask;
+#else
/* Map access rights from the ACE */
TempAccess = CurrentAce->AccessMask;
RtlMapGenericMask(&TempAccess, GenericMapping);
/* Remove granted rights */
RemainingAccess &= ~TempAccess;
+#endif
}
}
else
@@ -649,6 +677,28 @@
CurrentAce = (PACE)((ULONG_PTR)CurrentAce +
CurrentAce->Header.AceSize);
}
+#ifdef OLD_ACCESS_CHECK
+ DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
+ CurrentAccess, DesiredAccess);
+
+ *GrantedAccess = CurrentAccess & DesiredAccess;
+
+ if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) ==
+ (DesiredAccess & ~VALID_INHERIT_FLAGS))
+ {
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+ else
+ {
+ DPRINT1("HACK: Should deny access for caller: granted 0x%lx, desired
0x%lx (generic mapping %p).\n",
+ *GrantedAccess, DesiredAccess, GenericMapping);
+ //*AccessStatus = STATUS_ACCESS_DENIED;
+ //return FALSE;
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
+#else
DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess
%08lx\nRemainingAccess %08lx\n",
DesiredAccess, PreviouslyGrantedAccess, RemainingAccess);
@@ -674,6 +724,7 @@
*AccessStatus = STATUS_SUCCESS;
return TRUE;
+#endif
}
static PSID
