server: Inherit the source token's label in token_duplicate().

And assign it in token_create_admin(). Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=56640
2024-06-29 06:14:34 +00:00 · 2024-06-04 19:25:45 -05:00 · 2024-06-04 19:25:45 -05:00 · ed297ecba5
commit ed297ecba5
parent 524b431123
4 changed files with 37 additions and 21 deletions
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@ -7376,23 +7376,19 @@ static void test_token_security_descriptor(void)
    defaulted = TRUE;
    ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
    ok(ret, "GetSecurityDescriptorDacl failed with error %lu\n", GetLastError());
-    todo_wine
    ok(present, "DACL not present\n");

-    if (present)
-    {
-        ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
-        ok(!defaulted, "DACL defaulted\n");
+    ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
+    ok(!defaulted, "DACL defaulted\n");

-        index = 0;
-        found = FALSE;
-        while (GetAce(acl2, index++, (void **)&ace))
-        {
-            if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
-                found = TRUE;
-        }
-        ok(!found, "Access allowed ACE was inherited\n");
+    index = 0;
+    found = FALSE;
+    while (GetAce(acl2, index++, (void **)&ace))
+    {
+        if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
+            found = TRUE;
    }
+    ok(!found, "Access allowed ACE was inherited\n");

    free(sd2);

--- a/server/process.c
+++ b/server/process.c
@ -735,12 +735,6 @@ struct process *create_process( int fd, struct process *parent, unsigned int fla
    if (!process->handles || !process->token) goto error;
    process->session_id = token_get_session_id( process->token );

-    /* Assign a high security label to the token. The default would be medium
-     * but Wine provides admin access to all applications right now so high
-     * makes more sense for the time being. */
-    if (!token_assign_label( process->token, &high_label_sid ))
-        goto error;
-
    set_fd_events( process->msg_fd, POLLIN );  /* start listening to events */
    return process;

--- a/server/security.h
+++ b/server/security.h
@ -50,7 +50,6 @@ extern const struct sid local_system_sid;
 extern const struct sid builtin_users_sid;
 extern const struct sid builtin_admins_sid;
 extern const struct sid domain_users_sid;
-extern const struct sid high_label_sid;

 struct ace
 {
--- a/server/token.c
+++ b/server/token.c
@ -72,7 +72,6 @@ struct sid_attrs

 const struct sid world_sid = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, { SECURITY_WORLD_RID } };
 const struct sid local_system_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SYSTEM_RID } };
-const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };
 const struct sid local_user_sid = { SID_REVISION, 5, SECURITY_NT_AUTHORITY, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, 1000 } };
 const struct sid builtin_admins_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
 const struct sid builtin_users_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
@ -82,6 +81,7 @@ static const struct sid local_sid = { SID_REVISION, 1, SECURITY_LOCAL_SID_AUTHOR
 static const struct sid interactive_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_INTERACTIVE_RID } };
 static const struct sid anonymous_logon_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_ANONYMOUS_LOGON_RID } };
 static const struct sid authenticated_user_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_AUTHENTICATED_USER_RID } };
+static const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };

 static struct luid prev_luid_value = { 1000, 0 };

@ -649,6 +649,24 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
    if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
                            DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );

+    if (src_token->obj.sd)
+    {
+        const struct acl *sacl;
+        const struct ace *ace;
+        unsigned int i;
+        int present;
+
+        sacl = sd_get_sacl( src_token->obj.sd, &present );
+        if (present)
+        {
+            for (i = 0, ace = ace_first( sacl ); i < sacl->count; i++, ace = ace_next( ace ))
+            {
+                if (ace->type != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
+                token_assign_label( token, (const struct sid *)(ace + 1) );
+            }
+        }
+    }
+
    return token;
 }

@ -785,6 +803,15 @@ struct token *token_create_admin( unsigned primary, int impersonation_level, int
    /* we really need a primary group */
    assert( token->primary_group );

+    /* Assign a high security label to the token. The default would be medium
+     * but Wine provides admin access to all applications right now so high
+     * makes more sense for the time being. */
+    if (!token_assign_label( token, &high_label_sid ))
+    {
+        release_object( token );
+        return NULL;
+    }
+
    free( default_dacl );
    return token;
 }