server: Inherit the source token's label in token_duplicate().
And assign it in token_create_admin(). Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=56640
parent
524b431123
commit
ed297ecba5
Notes:
Alexandre Julliard
2024-06-06 23:31:15 +02:00
Approved-by: Alexandre Julliard (@julliard) Merge-Request: https://gitlab.winehq.org/wine/wine/-/merge_requests/5793
4 changed files with 37 additions and 21 deletions
|
@ -7376,11 +7376,8 @@ static void test_token_security_descriptor(void)
|
|||
defaulted = TRUE;
|
||||
ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
|
||||
ok(ret, "GetSecurityDescriptorDacl failed with error %lu\n", GetLastError());
|
||||
todo_wine
|
||||
ok(present, "DACL not present\n");
|
||||
|
||||
if (present)
|
||||
{
|
||||
ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
|
||||
ok(!defaulted, "DACL defaulted\n");
|
||||
|
||||
|
@ -7392,7 +7389,6 @@ static void test_token_security_descriptor(void)
|
|||
found = TRUE;
|
||||
}
|
||||
ok(!found, "Access allowed ACE was inherited\n");
|
||||
}
|
||||
|
||||
free(sd2);
|
||||
|
||||
|
|
|
@ -735,12 +735,6 @@ struct process *create_process( int fd, struct process *parent, unsigned int fla
|
|||
if (!process->handles || !process->token) goto error;
|
||||
process->session_id = token_get_session_id( process->token );
|
||||
|
||||
/* Assign a high security label to the token. The default would be medium
|
||||
* but Wine provides admin access to all applications right now so high
|
||||
* makes more sense for the time being. */
|
||||
if (!token_assign_label( process->token, &high_label_sid ))
|
||||
goto error;
|
||||
|
||||
set_fd_events( process->msg_fd, POLLIN ); /* start listening to events */
|
||||
return process;
|
||||
|
||||
|
|
|
@ -50,7 +50,6 @@ extern const struct sid local_system_sid;
|
|||
extern const struct sid builtin_users_sid;
|
||||
extern const struct sid builtin_admins_sid;
|
||||
extern const struct sid domain_users_sid;
|
||||
extern const struct sid high_label_sid;
|
||||
|
||||
struct ace
|
||||
{
|
||||
|
|
|
@ -72,7 +72,6 @@ struct sid_attrs
|
|||
|
||||
const struct sid world_sid = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, { SECURITY_WORLD_RID } };
|
||||
const struct sid local_system_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SYSTEM_RID } };
|
||||
const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };
|
||||
const struct sid local_user_sid = { SID_REVISION, 5, SECURITY_NT_AUTHORITY, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, 1000 } };
|
||||
const struct sid builtin_admins_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
|
||||
const struct sid builtin_users_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
|
||||
|
@ -82,6 +81,7 @@ static const struct sid local_sid = { SID_REVISION, 1, SECURITY_LOCAL_SID_AUTHOR
|
|||
static const struct sid interactive_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_INTERACTIVE_RID } };
|
||||
static const struct sid anonymous_logon_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_ANONYMOUS_LOGON_RID } };
|
||||
static const struct sid authenticated_user_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_AUTHENTICATED_USER_RID } };
|
||||
static const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };
|
||||
|
||||
static struct luid prev_luid_value = { 1000, 0 };
|
||||
|
||||
|
@ -649,6 +649,24 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
|
|||
if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
|
||||
DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
|
||||
|
||||
if (src_token->obj.sd)
|
||||
{
|
||||
const struct acl *sacl;
|
||||
const struct ace *ace;
|
||||
unsigned int i;
|
||||
int present;
|
||||
|
||||
sacl = sd_get_sacl( src_token->obj.sd, &present );
|
||||
if (present)
|
||||
{
|
||||
for (i = 0, ace = ace_first( sacl ); i < sacl->count; i++, ace = ace_next( ace ))
|
||||
{
|
||||
if (ace->type != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
|
||||
token_assign_label( token, (const struct sid *)(ace + 1) );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return token;
|
||||
}
|
||||
|
||||
|
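Review bot: The return value of token_assign_label() on the label-inheriting line inside the SACL loop is discarded, while the same call in token_create_admin() in this commit releases the token and returns NULL on failure; a duplicate whose label assignment fails is handed back silently carrying no mandatory label, i.e. weaker than the source token it was copied from. Unless a label-less duplicate is intended, the call should take the same error path: `if (!token_assign_label( token, (const struct sid *)(ace + 1) )) { release_object( token ); return NULL; }` (assuming release_object is the right undo for the partially built token here, as it is in token_create_admin). The loop also keeps iterating after assigning, so if the source SACL ever held more than one SYSTEM_MANDATORY_LABEL_ACE_TYPE entry the last one wins; a `break` after the assignment, or a comment stating that only one label ACE is expected, would make that explicit. The cast `(const struct sid *)(ace + 1)` relies on the source token's SACL having been validated when it was set, which this hunk does not show. token_duplicate's body begins outside the hunk.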
@ -785,6 +803,15 @@ struct token *token_create_admin( unsigned primary, int impersonation_level, int
|
|||
/* we really need a primary group */
|
||||
assert( token->primary_group );
|
||||
|
||||
/* Assign a high security label to the token. The default would be medium
|
||||
* but Wine provides admin access to all applications right now so high
|
||||
* makes more sense for the time being. */
|
||||
if (!token_assign_label( token, &high_label_sid ))
|
||||
{
|
||||
release_object( token );
|
||||
return NULL;
|
||||
}
|
||||
|
||||
free( default_dacl );
|
||||
return token;
|
||||
}
|
||||
|
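Review bot: The new failure branch after `if (!token_assign_label( token, &high_label_sid ))` returns before the `free( default_dacl );` that follows it, so default_dacl leaks on that path, assuming it is a heap buffer owned by this function as the free on the success path suggests. Moving `free( default_dacl );` above the label assignment, or adding it inside the failure branch ahead of `release_object( token );`, closes the gap. token_create_admin's body begins outside the hunk.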
|