ntdll: Implement RtlAddProcessTrustLabelAce().

dlls/ntdll/ntdll.spec

@@ -482,10 +482,11 @@
 @ stdcall RtlAddAuditAccessAceEx(ptr long long long ptr long long)
 @ stdcall RtlAddAuditAccessObjectAce(ptr long long long ptr ptr ptr long long)
 # @ stub RtlAddCompoundAce
-@ stdcall RtlAddMandatoryAce(ptr long long long long ptr)
-# @ stub RtlAddRange
 @ cdecl -arch=arm,arm64,x86_64 RtlAddFunctionTable(ptr long long)
 @ stdcall -arch=arm,arm64,x86_64 RtlAddGrowableFunctionTable(ptr ptr long long long long)
+@ stdcall RtlAddMandatoryAce(ptr long long long long ptr)
+@ stdcall RtlAddProcessTrustLabelAce(ptr long long ptr long long)
+# @ stub RtlAddRange
 @ stdcall RtlAddRefActivationContext(ptr)
 # @ stub RtlAddRefMemoryStream
 @ stdcall RtlAddVectoredContinueHandler(long ptr)

dlls/ntdll/sec.c

@@ -1478,22 +1478,31 @@ NTSTATUS WINAPI RtlAddMandatoryAce(
     IN DWORD dwAceType,
     IN PSID pSid)
 {
-    static const DWORD valid_flags = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
-                                     SYSTEM_MANDATORY_LABEL_NO_READ_UP |
-                                     SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP;
-
     TRACE("(%p, %lu, 0x%08lx, 0x%08lx, %lu, %p)\n",
           pAcl, dwAceRevision, dwAceFlags, dwMandatoryFlags, dwAceType, pSid);
 
     if (dwAceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE)
         return STATUS_INVALID_PARAMETER;
-
-    if (dwMandatoryFlags & ~valid_flags)
+    if (dwMandatoryFlags & ~SYSTEM_MANDATORY_LABEL_VALID_MASK)
         return STATUS_INVALID_PARAMETER;
 
     return add_access_ace(pAcl, dwAceRevision, dwAceFlags, dwMandatoryFlags, pSid, dwAceType);
 }
 
+/**************************************************************************
+ *  RtlAddProcessTrustLabelAce		[NTDLL.@]
+ */
+NTSTATUS WINAPI RtlAddProcessTrustLabelAce( ACL *acl, DWORD revision, DWORD flags,
+                                            PSID sid, DWORD type, DWORD mask )
+{
+    TRACE( "%p %lx %lx %p %lx %lx\n", acl, revision, flags, sid, type, mask );
+
+    if (type != SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE) return STATUS_INVALID_PARAMETER;
+    if (mask & ~SYSTEM_PROCESS_TRUST_LABEL_VALID_MASK) return STATUS_INVALID_PARAMETER;
+
+    return add_access_ace( acl, revision, flags, mask, sid, type );
+}
+
 /******************************************************************************
  *  RtlValidAcl		[NTDLL.@]
  */

include/winnt.h

@@ -4848,6 +4848,12 @@ typedef struct _SYSTEM_MANDATORY_LABEL_ACE {
     DWORD       SidStart;
 } SYSTEM_MANDATORY_LABEL_ACE,*PSYSTEM_MANDATORY_LABEL_ACE;
 
+typedef struct _SYSTEM_PROCESS_TRUST_LABEL_ACE {
+    ACE_HEADER  Header;
+    ACCESS_MASK Mask;
+    DWORD       SidStart;
+} SYSTEM_PROCESS_TRUST_LABEL_ACE, *PSYSTEM_PROCESS_TRUST_LABEL_ACE;
+
 typedef struct _ACCESS_ALLOWED_OBJECT_ACE {
     ACE_HEADER  Header;
     ACCESS_MASK Mask;
@@ -4948,6 +4954,8 @@ typedef struct _SYSTEM_ALARM_CALLBACK_OBJECT_ACE {
 #define SYSTEM_MANDATORY_LABEL_NO_READ_UP       0x2
 #define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP    0x4
 #define SYSTEM_MANDATORY_LABEL_VALID_MASK       0x7
+#define SYSTEM_PROCESS_TRUST_LABEL_VALID_MASK   0x00ffffff
+#define SYSTEM_PROCESS_TRUST_NOCONSTRAINT_MASK  0xffffffff
 
 typedef enum tagSID_NAME_USE {
 	SidTypeUser = 1,

include/winternl.h

@@ -4259,6 +4259,7 @@ NTSYSAPI NTSTATUS  WINAPI RtlAddAuditAccessAce(PACL,DWORD,DWORD,PSID,BOOL,BOOL);
 NTSYSAPI NTSTATUS  WINAPI RtlAddAuditAccessAceEx(PACL,DWORD,DWORD,DWORD,PSID,BOOL,BOOL);
 NTSYSAPI NTSTATUS  WINAPI RtlAddAuditAccessObjectAce(PACL,DWORD,DWORD,DWORD,GUID*,GUID*,PSID,BOOL,BOOL);
 NTSYSAPI NTSTATUS  WINAPI RtlAddMandatoryAce(PACL,DWORD,DWORD,DWORD,DWORD,PSID);
+NTSYSAPI NTSTATUS  WINAPI RtlAddProcessTrustLabelAce(PACL,DWORD,DWORD,PSID,DWORD,DWORD);
 NTSYSAPI void      WINAPI RtlAddRefActivationContext(HANDLE);
 NTSYSAPI PVOID     WINAPI RtlAddVectoredExceptionHandler(ULONG,PVECTORED_EXCEPTION_HANDLER);
 NTSYSAPI PVOID     WINAPI RtlAddressInSectionTable(const IMAGE_NT_HEADERS*,HMODULE,DWORD);