From: Alistair Leslie-Hughes leslie_alistair@hotmail.com
Signed-off-by: Alistair Leslie-Hughes leslie_alistair@hotmail.com --- dlls/fltmgr.sys/Makefile.in | 1 + dlls/fltmgr.sys/fltmgr.sys.spec | 4 +- dlls/fltmgr.sys/main.c | 71 +++++++++++++++++++++++++++++++++ include/ddk/fltkernel.h | 3 +- 4 files changed, 76 insertions(+), 3 deletions(-)
diff --git a/dlls/fltmgr.sys/Makefile.in b/dlls/fltmgr.sys/Makefile.in
index ba106a43831..bb1f34b4896 100644
--- a/dlls/fltmgr.sys/Makefile.in
+++ b/dlls/fltmgr.sys/Makefile.in
@@ -1,5 +1,6 @@
 MODULE = fltmgr.sys
 EXTRADLLFLAGS = -Wl,--subsystem,native
+IMPORTS = ntoskrnl
C_SRCS = \ main.c diff --git a/dlls/fltmgr.sys/fltmgr.sys.spec b/dlls/fltmgr.sys/fltmgr.sys.spec index 39ce6798178..8943b9f85cf 100644 --- a/dlls/fltmgr.sys/fltmgr.sys.spec +++ b/dlls/fltmgr.sys/fltmgr.sys.spec @@ -10,7 +10,7 @@ @ stub FltAllocatePoolAlignedWithTag @ stub FltAttachVolume @ stub FltAttachVolumeAtAltitude -@ stub FltBuildDefaultSecurityDescriptor +@ stdcall FltBuildDefaultSecurityDescriptor(ptr long) @ stub FltCancelFileOpen @ stub FltCancelIo @ stub FltCbdqDisable @@ -60,7 +60,7 @@ @ stub FltFreeFileLock @ stub FltFreeGenericWorkItem @ stub FltFreePoolAlignedWithTag -@ stub FltFreeSecurityDescriptor +@ stdcall FltFreeSecurityDescriptor(ptr) @ stub FltFsControlFile @ stub FltGetBottomInstance @ stub FltGetContexts diff --git a/dlls/fltmgr.sys/main.c b/dlls/fltmgr.sys/main.c index e1016a4989c..ea9685b4308 100644 --- a/dlls/fltmgr.sys/main.c +++ b/dlls/fltmgr.sys/main.c @@ -93,3 +93,74 @@ void* WINAPI FltGetRoutineAddress(LPCSTR name)
return func; } + +NTSTATUS WINAPI FltBuildDefaultSecurityDescriptor(PSECURITY_DESCRIPTOR *descriptor, ACCESS_MASK access) +{ + PACL dacl; + NTSTATUS ret = STATUS_INSUFFICIENT_RESOURCES; + ULONG sid_len; + PSID sid; + PSID sid_system; + PSECURITY_DESCRIPTOR sec_desc = NULL; + SID_IDENTIFIER_AUTHORITY auth = { SECURITY_NULL_SID_AUTHORITY }; + + *descriptor = NULL; + + ret = RtlAllocateAndInitializeSid(&auth, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_ADMINS, + 0, 0, 0, 0, 0, 0, &sid); + if (ret != STATUS_SUCCESS) + goto done; + + ret = RtlAllocateAndInitializeSid(&auth, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &sid_system); + if (ret != STATUS_SUCCESS) + goto done; + + sid_len = SECURITY_DESCRIPTOR_MIN_LENGTH + sizeof(ACL) + + sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(sid) + + sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(sid_system); + + sec_desc = RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, sid_len); + if (!sec_desc) + { + ret = STATUS_NO_MEMORY; + goto done; + } + + ret = RtlCreateSecurityDescriptor(sec_desc, SECURITY_DESCRIPTOR_REVISION); + if (ret != STATUS_SUCCESS) + goto done; + + dacl = (PACL)((char*)sec_desc + SECURITY_DESCRIPTOR_MIN_LENGTH); + ret = RtlCreateAcl(dacl, sid_len - SECURITY_DESCRIPTOR_MIN_LENGTH, ACL_REVISION); + if (ret != STATUS_SUCCESS) + goto done; + + ret = RtlAddAccessAllowedAce(dacl, ACL_REVISION, access, sid); + if (ret != STATUS_SUCCESS) + goto done; + + ret = RtlAddAccessAllowedAce(dacl, ACL_REVISION, access, sid_system); + if (ret != STATUS_SUCCESS) + goto done; + + ret = RtlSetDaclSecurityDescriptor(sec_desc, 1, dacl, 0); + if (ret == STATUS_SUCCESS) + *descriptor = sec_desc; + +done: + if (ret != STATUS_SUCCESS && sec_desc != NULL) + RtlFreeHeap(GetProcessHeap(), 0, sec_desc); + + if (sid != NULL) + RtlFreeHeap(GetProcessHeap(), 0, sid); + + if (sid_system != NULL) + RtlFreeHeap(GetProcessHeap(), 0, sid_system); + + return ret; +} + +void WINAPI FltFreeSecurityDescriptor(PSECURITY_DESCRIPTOR descriptor) +{ + 
RtlFreeHeap(GetProcessHeap(), 0, descriptor); +} \ No newline at end of file diff --git a/include/ddk/fltkernel.h b/include/ddk/fltkernel.h index 8ebebfa2e81..9ece0990810 100644 --- a/include/ddk/fltkernel.h +++ b/include/ddk/fltkernel.h @@ -653,7 +653,8 @@ typedef struct _FLT_REGISTRATION PFLT_SECTION_CONFLICT_NOTIFICATION_CALLBACK SectionNotificationCallback; } FLT_REGISTRATION, *PFLT_REGISTRATION;
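Review bot: `sid` and `sid_system` are declared without initializers in FltBuildDefaultSecurityDescriptor, yet the `done:` cleanup tests both against NULL and hands them to RtlFreeHeap, so when the first RtlAllocateAndInitializeSid call fails `sid_system` (and possibly `sid`) is an indeterminate pointer that gets freed. Declare them as `PSID sid = NULL;` and `PSID sid_system = NULL;`, and release them with `RtlFreeSid()` so the free is paired with the allocator rather than assuming which heap it used. Separately, `auth` is initialized from SECURITY_NULL_SID_AUTHORITY, whereas the well-known Administrators and LocalSystem SIDs normally live under `SECURITY_NT_AUTHORITY`; if the intent is a DACL that grants `access` to administrators and system, the ACEs as built would presumably name principals that no real token carries. That should be confirmed against native behaviour, because the accompanying test constructs its expected SIDs from the same constant and cannot catch it.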
- +NTSTATUS WINAPI FltBuildDefaultSecurityDescriptor(PSECURITY_DESCRIPTOR *, ACCESS_MASK); +void WINAPI FltFreeSecurityDescriptor(PSECURITY_DESCRIPTOR); void* WINAPI FltGetRoutineAddress(LPCSTR name); NTSTATUS WINAPI FltRegisterFilter(PDRIVER_OBJECT, const FLT_REGISTRATION *, PFLT_FILTER *); NTSTATUS WINAPI FltStartFiltering(PFLT_FILTER);
From: Alistair Leslie-Hughes leslie_alistair@hotmail.com
Signed-off-by: Alistair Leslie-Hughes leslie_alistair@hotmail.com --- dlls/fltmgr.sys/Makefile.in | 1 + 1 file changed, 1 insertion(+)
diff --git a/dlls/fltmgr.sys/Makefile.in b/dlls/fltmgr.sys/Makefile.in
index bb1f34b4896..5540df35d6a 100644
--- a/dlls/fltmgr.sys/Makefile.in
+++ b/dlls/fltmgr.sys/Makefile.in
@@ -1,4 +1,5 @@
 MODULE = fltmgr.sys
+IMPORTLIB = fltmgr
 EXTRADLLFLAGS = -Wl,--subsystem,native
 IMPORTS = ntoskrnl
From: Alistair Leslie-Hughes leslie_alistair@hotmail.com
Signed-off-by: Alistair Leslie-Hughes leslie_alistair@hotmail.com --- dlls/ntoskrnl.exe/tests/Makefile.in | 2 +- dlls/ntoskrnl.exe/tests/driver.c | 65 +++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 1 deletion(-)
diff --git a/dlls/ntoskrnl.exe/tests/Makefile.in b/dlls/ntoskrnl.exe/tests/Makefile.in
index ab1db85adbb..9c89e44e70a 100644
--- a/dlls/ntoskrnl.exe/tests/Makefile.in
+++ b/dlls/ntoskrnl.exe/tests/Makefile.in
@@ -1,7 +1,7 @@
 TESTDLL = ntoskrnl.exe
 IMPORTS = advapi32 crypt32 newdev setupapi user32 wintrust ws2_32 hid
-driver_IMPORTS = winecrt0 ntoskrnl hal +driver_IMPORTS = winecrt0 ntoskrnl hal fltmgr driver_EXTRADLLFLAGS = -nodefaultlibs -nostartfiles -Wl,--subsystem,native driver2_IMPORTS = winecrt0 ntoskrnl hal driver2_EXTRADLLFLAGS = -nodefaultlibs -nostartfiles -Wl,--subsystem,native diff --git a/dlls/ntoskrnl.exe/tests/driver.c b/dlls/ntoskrnl.exe/tests/driver.c index dc4f4ad993d..24e44e8285e 100644 --- a/dlls/ntoskrnl.exe/tests/driver.c +++ b/dlls/ntoskrnl.exe/tests/driver.c @@ -32,6 +32,7 @@ #include "ddk/ntddk.h" #include "ddk/ntifs.h" #include "ddk/wdm.h" +#include "ddk/fltkernel.h"
#include "driver.h"
@@ -2290,6 +2291,69 @@ static void test_permanence(void) ok(status == STATUS_OBJECT_NAME_NOT_FOUND, "got %#lx\n", status); }
+static void test_default_security(void) +{ + PSECURITY_DESCRIPTOR sd = NULL; + NTSTATUS status; + PSID group = NULL, owner = NULL; + BOOLEAN isdefault, present; + PACL acl = NULL; + PACCESS_ALLOWED_ACE ace; + SID_IDENTIFIER_AUTHORITY auth = { SECURITY_NULL_SID_AUTHORITY }; + PSID sid1, sid2; + + status = FltBuildDefaultSecurityDescriptor(&sd, STANDARD_RIGHTS_ALL); + ok(status == STATUS_SUCCESS, "got %#lx\n", status); + ok(sd != NULL, "Failed to return descriptor\n"); + + status = RtlGetGroupSecurityDescriptor(sd, &group, &isdefault); + ok(status == STATUS_SUCCESS, "got %#lx\n", status); + ok(group == NULL, "group isn't NULL\n"); + + status = RtlGetOwnerSecurityDescriptor(sd, &owner, &isdefault); + ok(status == STATUS_SUCCESS, "got %#lx\n", status); + ok(owner == NULL, "owner isn't NULL\n"); + + status = RtlGetDaclSecurityDescriptor(sd, &present, &acl, &isdefault); + ok(status == STATUS_SUCCESS, "got %#lx\n", status); + ok(acl != NULL, "acl is NULL\n"); + ok(acl->AceCount == 2, "got %d\n", acl->AceCount); + + sid1 = RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, RtlLengthRequiredSid(2)); + RtlInitializeSid(sid1, &auth, 2); + *RtlSubAuthoritySid(sid1, 0) = SECURITY_BUILTIN_DOMAIN_RID; + *RtlSubAuthoritySid(sid1, 1) = DOMAIN_GROUP_RID_ADMINS; + + sid2 = RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, RtlLengthRequiredSid(1)); + RtlInitializeSid(sid2, &auth, 1); + *RtlSubAuthoritySid(sid2, 0) = SECURITY_LOCAL_SYSTEM_RID; + + /* SECURITY_BUILTIN_DOMAIN_RID */ + status = RtlGetAce(acl, 0, (void**)&ace); + ok(status == STATUS_SUCCESS, "got %#lx\n", status); + + ok(ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, "got %#x\n", ace->Header.AceType); + ok(ace->Header.AceFlags == 0, "got %#x\n", ace->Header.AceFlags); + ok(ace->Mask == STANDARD_RIGHTS_ALL, "got %#lx\n", ace->Mask); + + ok(RtlEqualSid(sid1, (PSID)&ace->SidStart), "SID not equal\n"); + + /* SECURITY_LOCAL_SYSTEM_RID */ + status = RtlGetAce(acl, 1, (void**)&ace); + ok(status == STATUS_SUCCESS, "got 
%#lx\n", status); + + ok(ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, "got %#x\n", ace->Header.AceType); + ok(ace->Header.AceFlags == 0, "got %#x\n", ace->Header.AceFlags); + ok(ace->Mask == STANDARD_RIGHTS_ALL, "got %#lx\n", ace->Mask); + + ok(RtlEqualSid(sid2, (PSID)&ace->SidStart), "SID not equal\n"); + + RtlFreeHeap(GetProcessHeap(), 0, sid1); + RtlFreeHeap(GetProcessHeap(), 0, sid2); + + FltFreeSecurityDescriptor(sd); +} + static NTSTATUS main_test(DEVICE_OBJECT *device, IRP *irp, IO_STACK_LOCATION *stack) { void *buffer = irp->AssociatedIrp.SystemBuffer; @@ -2333,6 +2397,7 @@ static NTSTATUS main_test(DEVICE_OBJECT *device, IRP *irp, IO_STACK_LOCATION *st test_dpc(); test_process_memory(test_input); test_permanence(); + test_default_security();
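Review bot: test_default_security keeps executing after a failed check, so if FltBuildDefaultSecurityDescriptor fails and leaves `sd` NULL, the later `acl->AceCount` and `ace->Header.AceType` reads dereference a NULL or stale pointer inside the test driver instead of just recording a failure. Add an early exit such as `if (status != STATUS_SUCCESS || !sd) return;` after the first two ok() calls, with a similar guard after RtlGetDaclSecurityDescriptor and after each RtlGetAce. The `present` output is never asserted, and the `sid1`/`sid2` allocations are used without a NULL check. The expected SIDs are also built from the same SECURITY_NULL_SID_AUTHORITY constant as the implementation, so unless this test is also run against native Windows it only proves the two agree with each other.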
IoMarkIrpPending(irp); IoQueueWorkItem(work_item, main_test_task, DelayedWorkQueue, irp);