From ed297ecba5e3e379df0edfbfbc8afaed7bb88dba Mon Sep 17 00:00:00 2001
From: Elizabeth Figura
Date: Tue, 4 Jun 2024 19:25:45 -0500
Subject: [PATCH] server: Inherit the source token's label in token_duplicate().
And assign it in token_create_admin().
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=56640
---
 dlls/advapi32/tests/security.c | 22 +++++++++-------------
 server/process.c | 6 ------
 server/security.h | 1 -
 server/token.c | 29 ++++++++++++++++++++++++++++-
 4 files changed, 37 insertions(+), 21 deletions(-)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 2669c13748b..43709352560 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -7376,23 +7376,19 @@ static void test_token_security_descriptor(void)
 defaulted = TRUE;
 ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
 ok(ret, "GetSecurityDescriptorDacl failed with error %lu\n", GetLastError());
- todo_wine ok(present, "DACL not present\n");
- if (present)
- {
- ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
- ok(!defaulted, "DACL defaulted\n");
+ ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
+ ok(!defaulted, "DACL defaulted\n");
- index = 0;
- found = FALSE;
- while (GetAce(acl2, index++, (void **)&ace))
- {
- if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
- found = TRUE;
- }
- ok(!found, "Access allowed ACE was inherited\n");
+ index = 0;
+ found = FALSE;
+ while (GetAce(acl2, index++, (void **)&ace))
+ {
+ if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
+ found = TRUE;
 }
+ ok(!found, "Access allowed ACE was inherited\n");
 free(sd2);
diff --git a/server/process.c b/server/process.c
index 733b0288f72..66f90fb80c4 100644
--- a/server/process.c
+++ b/server/process.c
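Review bot: The new test no longer asserts that the duplicated token's security descriptor carries a DACL at all: the `todo_wine ok(present, "DACL not present\n");` line is removed without a replacement, and the first added lines go straight to inspecting `acl2`. If `present` comes back FALSE, `acl2` keeps whatever it held before the call (apparently the `0xdeadbeef` sentinel compared on the next line) and `GetAce(acl2, ...)` then reads through it, so a server-side regression in the inherited DACL would show up as a crash rather than a failed check. Now that the todo is resolved I would keep the assertion, `ok(present, "DACL not present\n");`, ahead of the `ok(acl2 != (void *)0xdeadbeef, ...)` line, unless it survives somewhere outside the hunk. test_token_security_descriptor starts and ends outside this hunk.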
@@ -735,12 +735,6 @@ struct process *create_process( int fd, struct process *parent, unsigned int fla
 if (!process->handles || !process->token) goto error;
 process->session_id = token_get_session_id( process->token );
- /* Assign a high security label to the token. The default would be medium
- * but Wine provides admin access to all applications right now so high
- * makes more sense for the time being. */
- if (!token_assign_label( process->token, &high_label_sid ))
- goto error;
-
 set_fd_events( process->msg_fd, POLLIN ); /* start listening to events */
 return process;
diff --git a/server/security.h b/server/security.h
index 58ab1594eae..f4dff679179 100644
--- a/server/security.h
+++ b/server/security.h
@@ -50,7 +50,6 @@ extern const struct sid local_system_sid;
 extern const struct sid builtin_users_sid;
 extern const struct sid builtin_admins_sid;
 extern const struct sid domain_users_sid;
-extern const struct sid high_label_sid;
 struct ace
 {
diff --git a/server/token.c b/server/token.c
index f23013103dd..da7f0bb7ff2 100644
--- a/server/token.c
+++ b/server/token.c
@@ -72,7 +72,6 @@ struct sid_attrs
 const struct sid world_sid = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, { SECURITY_WORLD_RID } };
 const struct sid local_system_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SYSTEM_RID } };
-const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };
 const struct sid local_user_sid = { SID_REVISION, 5, SECURITY_NT_AUTHORITY, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, 1000 } };
 const struct sid builtin_admins_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
 const struct sid builtin_users_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
@@ -82,6 +81,7 @@ static const struct sid local_sid = { SID_REVISION, 1, SECURITY_LOCAL_SID_AUTHOR
 static const struct sid interactive_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_INTERACTIVE_RID } };
 static const struct sid anonymous_logon_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_ANONYMOUS_LOGON_RID } };
 static const struct sid authenticated_user_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_AUTHENTICATED_USER_RID } };
+static const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };
 static struct luid prev_luid_value = { 1000, 0 };
@@ -649,6 +649,24 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
 if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
+ if (src_token->obj.sd)
+ {
+ const struct acl *sacl;
+ const struct ace *ace;
+ unsigned int i;
+ int present;
+
+ sacl = sd_get_sacl( src_token->obj.sd, &present );
+ if (present)
+ {
+ for (i = 0, ace = ace_first( sacl ); i < sacl->count; i++, ace = ace_next( ace ))
+ {
+ if (ace->type != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
+ token_assign_label( token, (const struct sid *)(ace + 1) );
+ }
+ }
+ }
+
 return token;
 }
@@ -785,6 +803,15 @@ struct token *token_create_admin( unsigned primary, int impersonation_level, int
 /* we really need a primary group */
 assert( token->primary_group );
+ /* Assign a high security label to the token. The default would be medium
+ * but Wine provides admin access to all applications right now so high
+ * makes more sense for the time being. */
+ if (!token_assign_label( token, &high_label_sid ))
+ {
+ release_object( token );
+ return NULL;
+ }
+
 free( default_dacl );
 return token;
 }
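Review bot: In the token_duplicate hunk the result of `token_assign_label( token, (const struct sid *)(ace + 1) );` is discarded, while the token_create_admin hunk in this same commit treats a FALSE return as fatal and releases the token. A failed assignment here hands the caller a duplicate whose mandatory label silently differs from its source, the very property the change sets out to preserve, so the same handling belongs in the loop: `if (!token_assign_label( token, (const struct sid *)(ace + 1) )) { release_object( token ); return NULL; }` (assuming the partially built token is safe to release at this point, as token_create_admin's new code implies). A smaller point is that the loop calls token_assign_label for every SYSTEM_MANDATORY_LABEL_ACE_TYPE entry in the source SACL, so whether the first or last label wins, or the duplicate ends up with several, depends on replace-or-append semantics of token_assign_label that are not visible here; a `break` after the first match or a one-line comment stating the intended outcome would make it explicit. Since create_process no longer labels every process token unconditionally, it is worth confirming that tokens reaching a process through paths other than token_create_admin and token_duplicate still end up labelled. token_duplicate's body starts before this hunk.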