server: Inherit the source token's label in token_duplicate().

And assign it in token_create_admin().

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=56640
This commit is contained in:
Elizabeth Figura 2024-06-04 19:25:45 -05:00 committed by Alexandre Julliard
parent 524b431123
commit ed297ecba5
Notes: Alexandre Julliard 2024-06-06 23:31:15 +02:00
Approved-by: Alexandre Julliard (@julliard)
Merge-Request: https://gitlab.winehq.org/wine/wine/-/merge_requests/5793
4 changed files with 37 additions and 21 deletions


@ -7376,11 +7376,8 @@ static void test_token_security_descriptor(void)
defaulted = TRUE;
ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
ok(ret, "GetSecurityDescriptorDacl failed with error %lu\n", GetLastError());
todo_wine
ok(present, "DACL not present\n");
if (present)
{
ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
ok(!defaulted, "DACL defaulted\n");
@ -7392,7 +7389,6 @@ static void test_token_security_descriptor(void)
found = TRUE;
}
ok(!found, "Access allowed ACE was inherited\n");
}
free(sd2);


@ -735,12 +735,6 @@ struct process *create_process( int fd, struct process *parent, unsigned int fla
if (!process->handles || !process->token) goto error;
process->session_id = token_get_session_id( process->token );
/* Assign a high security label to the token. The default would be medium
* but Wine provides admin access to all applications right now so high
* makes more sense for the time being. */
if (!token_assign_label( process->token, &high_label_sid ))
goto error;
set_fd_events( process->msg_fd, POLLIN ); /* start listening to events */
return process;


@ -50,7 +50,6 @@ extern const struct sid local_system_sid;
extern const struct sid builtin_users_sid;
extern const struct sid builtin_admins_sid;
extern const struct sid domain_users_sid;
extern const struct sid high_label_sid;
struct ace
{


@ -72,7 +72,6 @@ struct sid_attrs
const struct sid world_sid = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, { SECURITY_WORLD_RID } };
const struct sid local_system_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SYSTEM_RID } };
const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };
const struct sid local_user_sid = { SID_REVISION, 5, SECURITY_NT_AUTHORITY, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, 1000 } };
const struct sid builtin_admins_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
const struct sid builtin_users_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
@ -82,6 +81,7 @@ static const struct sid local_sid = { SID_REVISION, 1, SECURITY_LOCAL_SID_AUTHOR
static const struct sid interactive_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_INTERACTIVE_RID } };
static const struct sid anonymous_logon_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_ANONYMOUS_LOGON_RID } };
static const struct sid authenticated_user_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_AUTHENTICATED_USER_RID } };
static const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };
static struct luid prev_luid_value = { 1000, 0 };
@ -649,6 +649,24 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
if (src_token->obj.sd)
{
const struct acl *sacl;
const struct ace *ace;
unsigned int i;
int present;
sacl = sd_get_sacl( src_token->obj.sd, &present );
if (present)
{
for (i = 0, ace = ace_first( sacl ); i < sacl->count; i++, ace = ace_next( ace ))
{
if (ace->type != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
token_assign_label( token, (const struct sid *)(ace + 1) );
}
}
}
return token;
}
@ -785,6 +803,15 @@ struct token *token_create_admin( unsigned primary, int impersonation_level, int
/* we really need a primary group */
assert( token->primary_group );
/* Assign a high security label to the token. The default would be medium
* but Wine provides admin access to all applications right now so high
* makes more sense for the time being. */
if (!token_assign_label( token, &high_label_sid ))
{
release_object( token );
return NULL;
}
free( default_dacl );
return token;
}
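Review bot: In the token_duplicate() hunk the return value of token_assign_label() is discarded inside the SACL loop, so a failure while copying the mandatory-label ACE silently yields a duplicate that carries no integrity label although its source had one, whereas the token_create_admin() hunk below treats the same failure as fatal. I would mirror the admin path: `if (!token_assign_label( token, (const struct sid *)(ace + 1) )) { release_object( token ); return NULL; }`. The loop also keeps going after a label is assigned, so if the source SACL held several label ACEs the last one wins; whether token_assign_label() replaces or appends is not visible here, so a short comment stating the intended behaviour would help. The SID is read at `ace + 1` without checking `ace->size` against the SID length, which is only safe if the SACL was validated when it was attached to the source token — worth confirming. token_duplicate() begins above the hunk.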