From b8eeedbce423520ef6a7ae029145caedd7ed2104 Mon Sep 17 00:00:00 2001
From: midipix <writeonce@midipix.org>
Date: Tue, 20 Mar 2018 00:03:37 +0000
Subject: ipc and keyed object directories: support multi-user env. via sec.
 descriptor.

---
 src/object/ntapi_tt_keyed_object_directory.c | 86 +++++++++++++++++++++++++++-
 1 file changed, 83 insertions(+), 3 deletions(-)


diff --git a/src/object/ntapi_tt_keyed_object_directory.c b/src/object/ntapi_tt_keyed_object_directory.c
index c744326..c34d8ec 100644
--- a/src/object/ntapi_tt_keyed_object_directory.c
+++ b/src/object/ntapi_tt_keyed_object_directory.c
@@ -8,6 +8,7 @@
 #include <ntapi/nt_object.h>
 #include <ntapi/nt_guid.h>
 #include <ntapi/nt_string.h>
+#include <ntapi/nt_acl.h>
 #include "ntapi_impl.h"
 
 typedef ntapi_zw_open_directory_object objdir_open_fn;
@@ -19,6 +20,77 @@ static  nt_keyed_objdir_name __template_name = {__NT_BASED_NAMED_OBJECTS,
 						{0}};
 
 
+static nt_access_allowed_ace * __ipc_ace_init(
+	nt_access_allowed_ace * ace,
+	uint32_t		mask,
+	const nt_sid *		sid)
+{
+	ace->mask             = mask;
+	ace->header.ace_type  = NT_ACE_TYPE_ACCESS_ALLOWED;
+	ace->header.ace_flags = 0;
+	ace->header.ace_size  = sizeof(uint32_t) * sid->sub_authority_count
+	                        + __offsetof(nt_access_allowed_ace,sid_start)
+	                        + __offsetof(nt_sid,sub_authority);
+
+	__ntapi->tt_sid_copy(
+		(nt_sid *)&ace->sid_start,
+		sid);
+
+	return (nt_access_allowed_ace *)((size_t)ace + ace->header.ace_size);
+}
+
+static void __ipc_sd_init(nt_sd_common_buffer * sd, int fdir)
+{
+	nt_access_allowed_ace * ace;
+	uint32_t		mask_system;
+	uint32_t		mask_owner;
+	uint32_t		mask_other;
+
+	/* access mask */
+	if (fdir) {
+		mask_system = NT_SEC_READ_CONTROL
+				| NT_DIRECTORY_QUERY
+				| NT_DIRECTORY_TRAVERSE
+				| NT_DIRECTORY_CREATE_OBJECT
+				| NT_DIRECTORY_CREATE_SUBDIRECTORY;
+
+		mask_owner  = NT_DIRECTORY_ALL_ACCESS;
+		mask_other  = mask_system;
+	} else {
+		mask_system = NT_SYMBOLIC_LINK_ALL_ACCESS;
+		mask_owner  = NT_SYMBOLIC_LINK_ALL_ACCESS;
+		mask_other  = NT_SYMBOLIC_LINK_QUERY;
+	}
+
+	/* sd header */
+	sd->sd.revision         = 1;
+	sd->sd.sbz_1st          = 0;
+	sd->sd.control          = NT_SE_SELF_RELATIVE | NT_SE_DACL_PRESENT;
+	sd->sd.offset_owner     = __offsetof(nt_sd_common_buffer,owner);
+	sd->sd.offset_group     = 0;
+	sd->sd.offset_dacl      = __offsetof(nt_sd_common_buffer,dacl);
+	sd->sd.offset_sacl      = 0;
+
+	/* owner sid */
+	__ntapi->tt_sid_copy(
+		(nt_sid *)&sd->owner,
+		__ntapi_internals()->sid);
+
+
+	/* ace's for LOCAL_SYSTEM, AUTHENTICATED_USERS, and process token user */
+	ace = (nt_access_allowed_ace *)&sd->buffer;
+	ace = __ipc_ace_init(ace,mask_system,&(nt_sid){1,1,{{0,0,0,0,0,5}},{18}});
+	ace = __ipc_ace_init(ace,mask_other,&(nt_sid){1,1,{{0,0,0,0,0,5}},{11}});
+	ace = __ipc_ace_init(ace,mask_owner,(nt_sid *)&sd->owner);
+
+	sd->dacl.acl_revision   = 0x02;
+	sd->dacl.sbz_1st        = 0;
+	sd->dacl.acl_size       = (uint16_t)((char *)ace - (char *)&sd->dacl);
+	sd->dacl.ace_count      = 3;
+	sd->dacl.sbz_2nd        = 0;
+
+}
+
 static int32_t __stdcall __tt_create_ipc_object_directory(
 	__out	void **			hdir,
 	__in	uint32_t		desired_access,
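Review bot: The two well-known SIDs written as compound literals on the `__ipc_ace_init` calls are explained only by the comment above them; a per-call comment, `/* S-1-5-18: LOCAL_SYSTEM */` and `/* S-1-5-11: AUTHENTICATED_USERS */`, or two `static const nt_sid` tables would keep the meaning next to the magic numbers. `__ipc_ace_init` advances the cursor via `(size_t)ace + ace->header.ace_size` while `__ipc_sd_init` sizes the DACL with `(char *)` arithmetic; `return (nt_access_allowed_ace *)((char *)ace + ace->header.ace_size);` is the consistent form and avoids the integer round-trip through a type that is not guaranteed to hold a pointer. Each ACE size scales with `sid->sub_authority_count` and the three ACEs are emitted into `sd->buffer` with no capacity check, so presumably `nt_sd_common_buffer` is sized for three maximal SIDs — a comment on `__ipc_sd_init` stating that assumption would help the next maintainer. With `ace_flags = 0` nothing is inherited by objects created below the directory, which is why each creator in this commit supplies its own descriptor; that, and the meaning of the `fdir` flag, belong in a header comment on `__ipc_sd_init`. `__tt_create_ipc_object_directory` begins at the end of this hunk and continues outside it.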
@@ -28,6 +100,7 @@ static int32_t __stdcall __tt_create_ipc_object_directory(
 	int32_t			status;
 	nt_ipc_objdir_name	objdir_name;
 	nt_unicode_string	name;
+	nt_sd_common_buffer	sd;
 	nt_oa			oa;
 	nt_sqos			sqos = {
 					sizeof(sqos),
@@ -35,6 +108,8 @@ static int32_t __stdcall __tt_create_ipc_object_directory(
 					NT_SECURITY_TRACKING_DYNAMIC,
 					1};
 
+	__ipc_sd_init(&sd,1);
+
 	__ntapi->tt_generic_memcpy(
 		&objdir_name,
 		&__template_name,
@@ -62,7 +137,7 @@ static int32_t __stdcall __tt_create_ipc_object_directory(
 	oa.obj_attr	= NT_OBJ_INHERIT
 			  | NT_OBJ_OPENIF
 			  | NT_OBJ_CASE_INSENSITIVE;
-	oa.sec_desc	= 0;
+	oa.sec_desc	= &sd.sd;
 	oa.sec_qos	= &sqos;
 
 	status = __ntapi->zw_create_directory_object(
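Review bot: The new descriptor is only honoured when `zw_create_directory_object` actually creates the directory; because `oa.obj_attr` keeps `NT_OBJ_OPENIF`, a later caller finds the directory already present and opens it under the DACL set by whoever created it first. If that creator was a different user (the multi-user case this commit targets), the later caller is not the owner and holds only the Authenticated Users grant, so a `desired_access` asking for more than the query/traverse/create rights in `mask_other` would presumably be denied — worth confirming against the callers, which are not visible here. A comment above the assignment would record this, e.g. `/* applied on creation only; with OPENIF a pre-existing directory keeps its creator's DACL */`. The `sd` declaration and `__ipc_sd_init` call for this descriptor are in the two preceding hunks of the same function; `sd` is a stack local, so `oa.sec_desc` is valid only for the duration of this call. The function body continues outside the hunk.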
@@ -84,6 +159,7 @@ static int32_t __stdcall __tt_create_keyed_object_directory(
 {
 	nt_keyed_objdir_name	objdir_name;
 	nt_unicode_string	name;
+	nt_sd_common_buffer	sd;
 	nt_oa			oa;
 	nt_sqos			sqos = {
 					sizeof(sqos),
@@ -91,6 +167,8 @@ static int32_t __stdcall __tt_create_keyed_object_directory(
 					NT_SECURITY_TRACKING_DYNAMIC,
 					1};
 
+	__ipc_sd_init(&sd,1);
+
 	__ntapi->tt_generic_memcpy(
 		&objdir_name,
 		&__template_name,
@@ -120,7 +198,7 @@ static int32_t __stdcall __tt_create_keyed_object_directory(
 	oa.root_dir	= 0;
 	oa.obj_name	= &name;
 	oa.obj_attr	= NT_OBJ_INHERIT;
-	oa.sec_desc	= 0;
+	oa.sec_desc	= &sd.sd;
 	oa.sec_qos	= &sqos;
 
 	return openfn(hdir,desired_access,&oa);
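Review bot: The keyed directory is initialised with `__ipc_sd_init(&sd,1)`, i.e. the same DACL as the shared ipc directory, so Authenticated Users receive `NT_DIRECTORY_CREATE_OBJECT` and `NT_DIRECTORY_CREATE_SUBDIRECTORY` here as well. If a keyed directory is meant to hold only its creating user's entries, that grant lets any other authenticated user add entries under it; a narrower `mask_other` for this case would close that, and if the wider grant is intentional a comment saying why is warranted. Since `openfn` has the `objdir_open_fn` type, the descriptor is presumably ignored when the function opens rather than creates — harmless, but a note at the `__ipc_sd_init` call would help readers. The enclosing function starts outside this hunk; the `sd` declaration and initialisation are in the two preceding hunks.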
@@ -138,6 +216,7 @@ static int32_t __stdcall __tt_create_object_directory_entry(
 	int32_t			status;
 	nt_oa			oa;
 	nt_unicode_string	name;
+	nt_sd_common_buffer	sd;
 	wchar16_t		keystr[8];
 	uintptr_t		buffer[2048/sizeof(uintptr_t)];
 	nt_sqos			sqos = {
@@ -155,6 +234,7 @@ static int32_t __stdcall __tt_create_object_directory_entry(
 		target_name = (nt_unicode_string *)buffer;
 	}
 
+	__ipc_sd_init(&sd,0);
 	__ntapi->tt_uint32_to_hex_utf16(key,keystr);
 
 	name.strlen = sizeof(keystr);
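Review bot: `__ipc_sd_init(&sd,0);` is inserted directly above the `tt_uint32_to_hex_utf16` call with no separating blank line, unlike the two directory functions where the call stands in its own paragraph; a blank line after it keeps the three call sites consistent. Per the `fdir == 0` masks in `__ipc_sd_init`, LOCAL_SYSTEM and the creating user get `NT_SYMBOLIC_LINK_ALL_ACCESS` while other users get only `NT_SYMBOLIC_LINK_QUERY`, which is what stops another user from re-targeting an entry; a one-line comment at the call, `/* link DACL: owner and SYSTEM full access, others query-only */`, would make that intent visible where the descriptor is attached in the next hunk. `__tt_create_object_directory_entry` starts outside this hunk.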
@@ -165,7 +245,7 @@ static int32_t __stdcall __tt_create_object_directory_entry(
 	oa.root_dir	= hdir;
 	oa.obj_name	= &name;
 	oa.obj_attr	= 0;
-	oa.sec_desc	= 0;
+	oa.sec_desc	= &sd.sd;
 	oa.sec_qos	= &sqos;
 
 	return __ntapi->zw_create_symbolic_link_object(
-- 
cgit v1.2.3