https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=aacc4f63d0f8d2d853e1834b27a13ac97ea1011b

commit aacc4f63d0f8d2d853e1834b27a13ac97ea1011b
Author: Corinna Vinschen <cori...@vinschen.de>
Date:   Tue Dec 15 14:58:52 2015 +0100

    Drop has_mandatory_integrity_control flag

Diff:
---
 winsup/cygwin/sec_auth.cc | 69 +++++++++++++++++++++--------------------------
 winsup/cygwin/wincap.cc   |  7 -----
 winsup/cygwin/wincap.h    |  2 --
 3 files changed, 31 insertions(+), 47 deletions(-)

diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 853a07f..e8d1d91 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -45,39 +45,36 @@ issetugid (void)
 static HANDLE
 get_full_privileged_inheritable_token (HANDLE token)
 {
-  if (wincap.has_mandatory_integrity_control ())
+  TOKEN_LINKED_TOKEN linked;
+  ULONG size;
+
+  /* When fetching the linked token without TCB privs, then the linked
+     token is not a primary token, only an impersonation token, which is
+     not suitable for CreateProcessAsUser.  Converting it to a primary
+     token using DuplicateTokenEx does NOT work for the linked token in
+     this case.  So we have to switch on TCB privs to get a primary token.
+     This is generally performed in the calling functions.  */
+  if (NT_SUCCESS (NtQueryInformationToken (token, TokenLinkedToken,
+                                          (PVOID) &linked, sizeof linked,
+                                          &size)))
     {
-      TOKEN_LINKED_TOKEN linked;
-      ULONG size;
-
-      /* When fetching the linked token without TCB privs, then the linked
-        token is not a primary token, only an impersonation token, which is
-        not suitable for CreateProcessAsUser.  Converting it to a primary
-        token using DuplicateTokenEx does NOT work for the linked token in
-        this case.  So we have to switch on TCB privs to get a primary token.
-        This is generally performed in the calling functions.  */
-      if (NT_SUCCESS (NtQueryInformationToken (token, TokenLinkedToken,
-                                              (PVOID) &linked, sizeof linked,
-                                              &size)))
+      debug_printf ("Linked Token: %p", linked.LinkedToken);
+      if (linked.LinkedToken)
        {
-         debug_printf ("Linked Token: %p", linked.LinkedToken);
-         if (linked.LinkedToken)
+         TOKEN_TYPE type;
+
+         /* At this point we don't know if the user actually had TCB
+            privileges.  Check if the linked token is a primary token.
+            If not, just return the original token. */
+         if (NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken,
+                                                  TokenType, (PVOID) &type,
+                                                  sizeof type, &size))
+             && type != TokenPrimary)
+           debug_printf ("Linked Token is not a primary token!");
+         else
            {
-             TOKEN_TYPE type;
-
-             /* At this point we don't know if the user actually had TCB
-                privileges.  Check if the linked token is a primary token.
-                If not, just return the original token. */
-             if (NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken,
-                                                      TokenType, (PVOID) &type,
-                                                      sizeof type, &size))
-                 && type != TokenPrimary)
-               debug_printf ("Linked Token is not a primary token!");
-             else
-               {
-                 CloseHandle (token);
-                 token = linked.LinkedToken;
-               }
+             CloseHandle (token);
+             token = linked.LinkedToken;
            }
        }
     }
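Review bot: The `else` branch that closes `token` and adopts `linked.LinkedToken` is also taken when the `TokenType` query itself fails, because the condition is `NT_SUCCESS (...) && type != TokenPrimary`; the original handle is then replaced by a linked token whose type was never confirmed. Since the comment at the top of the function says a non-primary linked token is not suitable for CreateProcessAsUser, the check should fail closed, e.g. `if (!NT_SUCCESS (NtQueryInformationToken (...)) || type != TokenPrimary)`. In that same branch the visible lines never close the linked handle, so adding `CloseHandle (linked.LinkedToken);` next to the `debug_printf` would avoid leaking it, unless it is released after the hunk. Both behaviours predate this commit, which only removes the wincap guard and re-indents, and the function body continues outside the hunk.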
@@ -972,14 +969,10 @@ create_token (cygsid &usersid, user_groups &new_groups)
                               &mandatory_integrity_sid)))
     goto out;
 
-  /* On systems supporting Mandatory Integrity Control, add the MIC SID. */
-  if (wincap.has_mandatory_integrity_control ())
-    {
-      new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes =
-       SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
-      new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
-       = mandatory_integrity_sid;
-    }
+  new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes =
+    SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
+  new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
+    = mandatory_integrity_sid;
 
   /* Let's be heroic... */
   status = NtCreateToken (&token, TOKEN_ALL_ACCESS, &oa, TokenImpersonation,
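Review bot: The two statements that append `mandatory_integrity_sid` lose their only explanatory comment with this change; a short replacement such as `/* Add the mandatory integrity level SID as an SE_GROUP_INTEGRITY group. */` above the first assignment would keep the intent readable. Because the write to `Groups[GroupCount++]` is now unconditional, the sizing of `new_tok_gsids` has to reserve this extra slot on every path; that allocation is not visible here and is worth confirming. create_token starts and ends outside the hunk.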
diff --git a/winsup/cygwin/wincap.cc b/winsup/cygwin/wincap.cc
index 4146ee4..3fd7a4a 100644
--- a/winsup/cygwin/wincap.cc
+++ b/winsup/cygwin/wincap.cc
@@ -21,7 +21,6 @@ wincaps wincap_xpsp2 __attribute__((section 
(".cygwin_dll_common"), shared)) = {
   def_guard_pages:1,
   max_sys_priv:SE_CREATE_GLOBAL_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:false,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:false,
   has_transactions:false,
@@ -52,7 +51,6 @@ wincaps wincap_2003 __attribute__((section 
(".cygwin_dll_common"), shared)) = {
   def_guard_pages:1,
   max_sys_priv:SE_CREATE_GLOBAL_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:false,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:false,
   has_transactions:false,
@@ -83,7 +81,6 @@ wincaps wincap_vista __attribute__((section 
(".cygwin_dll_common"), shared)) = {
   def_guard_pages:1,
   max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:true,
   needs_count_in_si_lpres2:true,
   has_gaa_largeaddress_bug:true,
   has_transactions:true,
@@ -114,7 +111,6 @@ wincaps wincap_7 __attribute__((section 
(".cygwin_dll_common"), shared)) = {
   def_guard_pages:1,
   max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:true,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:true,
   has_transactions:true,
@@ -145,7 +141,6 @@ wincaps wincap_8 __attribute__((section 
(".cygwin_dll_common"), shared)) = {
   def_guard_pages:2,
   max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:true,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:false,
   has_transactions:true,
@@ -176,7 +171,6 @@ wincaps wincap_10 __attribute__((section 
(".cygwin_dll_common"), shared)) = {
   def_guard_pages:2,
   max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:true,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:false,
   has_transactions:true,
@@ -207,7 +201,6 @@ wincaps wincap_10_1511 __attribute__((section 
(".cygwin_dll_common"), shared)) =
   def_guard_pages:2,
   max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:true,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:false,
   has_transactions:true,
diff --git a/winsup/cygwin/wincap.h b/winsup/cygwin/wincap.h
index 4f60d11..441a112 100644
--- a/winsup/cygwin/wincap.h
+++ b/winsup/cygwin/wincap.h
@@ -14,7 +14,6 @@ struct wincaps
   DWORD    def_guard_pages;
   DWORD    max_sys_priv;
   unsigned is_server                                    : 1;
-  unsigned has_mandatory_integrity_control             : 1;
   unsigned needs_count_in_si_lpres2                    : 1;
   unsigned has_gaa_largeaddress_bug                    : 1;
   unsigned has_transactions                            : 1;
@@ -70,7 +69,6 @@ public:
   }
   DWORD IMPLEMENT (max_sys_priv)
   bool  IMPLEMENT (is_server)
-  bool IMPLEMENT (has_mandatory_integrity_control)
   bool IMPLEMENT (needs_count_in_si_lpres2)
   bool IMPLEMENT (has_gaa_largeaddress_bug)
   bool IMPLEMENT (has_transactions)
