Author: gedmurphy Date: Tue Jun 14 18:01:02 2016 New Revision: 71636 URL: http://svn.reactos.org/svn/reactos?rev=71636&view=rev Log: [NTOS] - Properly implement ObpValidateAccessMask - If the security descriptor has a system acl, the caller will need access to it
Modified: trunk/reactos/ntoskrnl/ob/obhandle.c
Modified: trunk/reactos/ntoskrnl/ob/obhandle.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ob/obhandle.c?rev=71636&r1=71635&r2=71636&view=diff
==============================================================================
--- trunk/reactos/ntoskrnl/ob/obhandle.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ob/obhandle.c [iso-8859-1] Tue Jun 14 18:01:02 2016
@@ -484,7 +484,22 @@
 NTAPI
 ObpValidateAccessMask(IN PACCESS_STATE AccessState)
 {
- /* TODO */
+ PISECURITY_DESCRIPTOR SecurityDescriptor;
+
+ /* We're only interested if the object for this access state has an SD */
+ SecurityDescriptor = AccessState->SecurityDescriptor;
+ if (SecurityDescriptor)
+ {
+ /* Check if the SD has a system ACL but hasn't been granted access to get/set it */
+ if ((SecurityDescriptor->Control & SE_SACL_PRESENT) &&
+ !(AccessState->PreviouslyGrantedAccess & ACCESS_SYSTEM_SECURITY))
+ {
+ /* We're gonna need access */
+ AccessState->RemainingDesiredAccess |= ACCESS_SYSTEM_SECURITY;
+ }
+ }
+
+ /* This can't fail */
 return STATUS_SUCCESS;
 }
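Review bot: The new comments in `ObpValidateAccessMask` do not say where the added `ACCESS_SYSTEM_SECURITY` bit is enforced. The body only ORs it into `AccessState->RemainingDesiredAccess` and still returns `STATUS_SUCCESS` unconditionally, so the SACL protection presumably rests on a later access check, not visible in this hunk, that consumes the remaining mask. I would replace `/* We're gonna need access */` with `/* Demand ACCESS_SYSTEM_SECURITY; enforcement is left to the access check that later consumes RemainingDesiredAccess */`. The comment above the inner `if` reads as though the SD itself were granted access; `/* The SD carries a SACL and the caller has not yet been granted ACCESS_SYSTEM_SECURITY */` states the condition the code tests. The function's return-type line sits above the hunk, so the rest of its contract cannot be confirmed from here.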