diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
index 3117e4c9b72..b0186eb7641 100644
--- a/dlls/ntdll/ntdll.spec
+++ b/dlls/ntdll/ntdll.spec
@@ -482,10 +482,11 @@
 @ stdcall RtlAddAuditAccessAceEx(ptr long long long ptr long long)
 @ stdcall RtlAddAuditAccessObjectAce(ptr long long long ptr ptr ptr long long)
 # @ stub RtlAddCompoundAce
-@ stdcall RtlAddMandatoryAce(ptr long long long long ptr)
-# @ stub RtlAddRange
 @ cdecl -arch=arm,arm64,x86_64 RtlAddFunctionTable(ptr long long)
 @ stdcall -arch=arm,arm64,x86_64 RtlAddGrowableFunctionTable(ptr ptr long long long long)
+@ stdcall RtlAddMandatoryAce(ptr long long long long ptr)
+@ stdcall RtlAddProcessTrustLabelAce(ptr long long ptr long long)
+# @ stub RtlAddRange
 @ stdcall RtlAddRefActivationContext(ptr)
 # @ stub RtlAddRefMemoryStream
 @ stdcall RtlAddVectoredContinueHandler(long ptr)
diff --git a/dlls/ntdll/sec.c b/dlls/ntdll/sec.c
index 56f18423ad6..51308384ee8 100644
--- a/dlls/ntdll/sec.c
+++ b/dlls/ntdll/sec.c
@@ -1478,22 +1478,31 @@ NTSTATUS WINAPI RtlAddMandatoryAce(
     IN DWORD dwAceType,
     IN PSID pSid)
 {
-    static const DWORD valid_flags = SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
-                                     SYSTEM_MANDATORY_LABEL_NO_READ_UP |
-                                     SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP;
-
     TRACE("(%p, %lu, 0x%08lx, 0x%08lx, %lu, %p)\n", pAcl, dwAceRevision, dwAceFlags,
           dwMandatoryFlags, dwAceType, pSid);
 
     if (dwAceType != SYSTEM_MANDATORY_LABEL_ACE_TYPE)
         return STATUS_INVALID_PARAMETER;
-
-    if (dwMandatoryFlags & ~valid_flags)
+    if (dwMandatoryFlags & ~SYSTEM_MANDATORY_LABEL_VALID_MASK)
         return STATUS_INVALID_PARAMETER;
 
     return add_access_ace(pAcl, dwAceRevision, dwAceFlags, dwMandatoryFlags, pSid, dwAceType);
 }
 
+/**************************************************************************
+ * RtlAddProcessTrustLabelAce [NTDLL.@]
+ */
+NTSTATUS WINAPI RtlAddProcessTrustLabelAce( ACL *acl, DWORD revision, DWORD flags,
+                                            PSID sid, DWORD type, DWORD mask )
+{
+    TRACE( "%p %lx %lx %p %lx %lx\n", acl, revision, flags, sid, type, mask );
+
+    if (type != SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE) return STATUS_INVALID_PARAMETER;
+    if (mask & ~SYSTEM_PROCESS_TRUST_LABEL_VALID_MASK) return STATUS_INVALID_PARAMETER;
+
+    return add_access_ace( acl, revision, flags, mask, sid, type );
+}
+
 /******************************************************************************
  * RtlValidAcl [NTDLL.@]
  */
diff --git a/include/winnt.h b/include/winnt.h
index 04c2e96d1e1..17dce6e84e5 100644
--- a/include/winnt.h
+++ b/include/winnt.h
@@ -4848,6 +4848,12 @@ typedef struct _SYSTEM_MANDATORY_LABEL_ACE {
     DWORD SidStart;
 } SYSTEM_MANDATORY_LABEL_ACE,*PSYSTEM_MANDATORY_LABEL_ACE;
 
+typedef struct _SYSTEM_PROCESS_TRUST_LABEL_ACE {
+    ACE_HEADER Header;
+    ACCESS_MASK Mask;
+    DWORD SidStart;
+} SYSTEM_PROCESS_TRUST_LABEL_ACE, *PSYSTEM_PROCESS_TRUST_LABEL_ACE;
+
 typedef struct _ACCESS_ALLOWED_OBJECT_ACE {
     ACE_HEADER Header;
     ACCESS_MASK Mask;
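Review bot: RtlAddProcessTrustLabelAce gives no reason for accepting only the low 24 bits of `mask`, while the same commit defines `SYSTEM_PROCESS_TRUST_NOCONSTRAINT_MASK` as 0xffffffff, a value this check rejects by construction; a later reader could easily mistake that for a bug and "fix" it. I would put a comment above the mask check: `/* Only the low 24 bits (SYSTEM_PROCESS_TRUST_LABEL_VALID_MASK) are accepted in an ACE; SYSTEM_PROCESS_TRUST_NOCONSTRAINT_MASK is deliberately rejected here. */`. Note also that `sid`, `revision` and `flags` are passed straight through to add_access_ace(), whose body is outside this hunk, so this function performs no SID or ACL-revision validation of its own; it is worth confirming that helper rejects an invalid SID rather than copying it into the ACL, since RtlAddMandatoryAce relies on the same delegation.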
@@ -4948,6 +4954,8 @@ typedef struct _SYSTEM_ALARM_CALLBACK_OBJECT_ACE {
 #define SYSTEM_MANDATORY_LABEL_NO_READ_UP 0x2
 #define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP 0x4
 #define SYSTEM_MANDATORY_LABEL_VALID_MASK 0x7
+#define SYSTEM_PROCESS_TRUST_LABEL_VALID_MASK 0x00ffffff
+#define SYSTEM_PROCESS_TRUST_NOCONSTRAINT_MASK 0xffffffff
 
 typedef enum tagSID_NAME_USE {
     SidTypeUser = 1,
diff --git a/include/winternl.h b/include/winternl.h
index 93bd32e3786..95abf79812b 100644
--- a/include/winternl.h
+++ b/include/winternl.h
@@ -4259,6 +4259,7 @@ NTSYSAPI NTSTATUS WINAPI RtlAddAuditAccessAce(PACL,DWORD,DWORD,PSID,BOOL,BOOL);
 NTSYSAPI NTSTATUS WINAPI RtlAddAuditAccessAceEx(PACL,DWORD,DWORD,DWORD,PSID,BOOL,BOOL);
 NTSYSAPI NTSTATUS WINAPI RtlAddAuditAccessObjectAce(PACL,DWORD,DWORD,DWORD,GUID*,GUID*,PSID,BOOL,BOOL);
 NTSYSAPI NTSTATUS WINAPI RtlAddMandatoryAce(PACL,DWORD,DWORD,DWORD,DWORD,PSID);
+NTSYSAPI NTSTATUS WINAPI RtlAddProcessTrustLabelAce(PACL,DWORD,DWORD,PSID,DWORD,DWORD);
 NTSYSAPI void WINAPI RtlAddRefActivationContext(HANDLE);
 NTSYSAPI PVOID WINAPI RtlAddVectoredExceptionHandler(ULONG,PVECTORED_EXCEPTION_HANDLER);
 NTSYSAPI PVOID WINAPI RtlAddressInSectionTable(const IMAGE_NT_HEADERS*,HMODULE,DWORD);