X-Git-Url: https://git.openafs.org/?p=openafs.git;a=blobdiff_plain;f=src%2FWINNT%2Fafsrdr%2Fkernel%2Ffs%2FAFSCommSupport.cpp;h=2905dc969c5c1ba1b80ba801625716dae0292f83;hp=cb3cde77abbdf44833d5cbf998ced54100b938a5;hb=4da5f0b498782094b979737f6bee6e0bd2f5cb79;hpb=dd672fffe9bfef6bd872b008e7f3e3dd5f904a80 diff --git a/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp b/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp index cb3cde7..2905dc9 100644 --- a/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp +++ b/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp @@ -385,6 +385,157 @@ try_exit: return ntStatus; } +static +NTSTATUS +AFSCheckIoctlPermissions( IN ULONG ControlCode) +{ + switch ( ControlCode) + { + // + // First the FS ioctls + // + + case IOCTL_AFS_INITIALIZE_CONTROL_DEVICE: + + // + // Only a System Service can run this (unless we are compiled + // for debug with the correct flags set. + // + + if ( !AFSIsUser( SeExports->SeLocalSystemSid) +#if DBG + && !BooleanFlagOn( AFSDebugFlags, AFS_DBG_DISABLE_SYSTEM_SID_CHECK) +#endif + ) + { + + return STATUS_ACCESS_DENIED; + } + return STATUS_SUCCESS; + + case IOCTL_AFS_INITIALIZE_REDIRECTOR_DEVICE: + case IOCTL_AFS_PROCESS_IRP_REQUEST: + case IOCTL_AFS_PROCESS_IRP_RESULT: + case IOCTL_AFS_SYSNAME_NOTIFICATION: + case IOCTL_AFS_SHUTDOWN: + + // + // Once initialized, only the service can call these + // + + if ( !AFSIsService()) + { + + return STATUS_ACCESS_DENIED; + } + return STATUS_SUCCESS; + + case IOCTL_AFS_CONFIGURE_DEBUG_TRACE: + case IOCTL_AFS_GET_TRACE_BUFFER: + case IOCTL_AFS_FORCE_CRASH: + + // + // Any admin can call these + // + + if ( !AFSIsInGroup( SeExports->SeAliasAdminsSid)) + { + + return STATUS_ACCESS_DENIED; + } + return STATUS_SUCCESS; + + case IOCTL_AFS_AUTHGROUP_CREATE_AND_SET: + case IOCTL_AFS_AUTHGROUP_QUERY: + case IOCTL_AFS_AUTHGROUP_SET: + case IOCTL_AFS_AUTHGROUP_RESET: + case IOCTL_AFS_AUTHGROUP_LOGON_CREATE: + case IOCTL_AFS_AUTHGROUP_SID_CREATE: + case IOCTL_AFS_AUTHGROUP_SID_QUERY: + + // + // Anyone can call these. + // + + return STATUS_SUCCESS; + + // + // And now the LIB ioctls + // + + case IOCTL_AFS_INITIALIZE_LIBRARY_DEVICE: + + // + // Only the kernel can issue this + // + + return STATUS_ACCESS_DENIED; + + case IOCTL_AFS_STATUS_REQUEST: + case 0x140390: // IOCTL_LMR_DISABLE_LOCAL_BUFFERING + + // + // Anyone can call these. + // + + return STATUS_SUCCESS; + + case IOCTL_AFS_ADD_CONNECTION: + case IOCTL_AFS_CANCEL_CONNECTION: + case IOCTL_AFS_GET_CONNECTION: + case IOCTL_AFS_LIST_CONNECTIONS: + case IOCTL_AFS_GET_CONNECTION_INFORMATION: + + // + // These must only be called by the network provider but we + // don't have a method of enforcing that at the moment. + // + + return STATUS_SUCCESS; + + case IOCTL_AFS_SET_FILE_EXTENTS: + case IOCTL_AFS_RELEASE_FILE_EXTENTS: + case IOCTL_AFS_SET_FILE_EXTENT_FAILURE: + case IOCTL_AFS_INVALIDATE_CACHE: + case IOCTL_AFS_NETWORK_STATUS: + case IOCTL_AFS_VOLUME_STATUS: + + // + // Again, service only + // + + if ( !AFSIsService()) + { + + return STATUS_ACCESS_DENIED; + } + return STATUS_SUCCESS; + + case IOCTL_AFS_GET_OBJECT_INFORMATION: + + // + // Admins only + // + + if ( !AFSIsInGroup( SeExports->SeAliasAdminsSid)) + { + + return STATUS_ACCESS_DENIED; + } + return STATUS_SUCCESS; + + default: + + // + // NOTE that for security we police all known functions here + // and return STATUS_NOT_IMPLEMENTED. So new ioctls need to + // be added both here and either below or in + // ..\lib\AFSDevControl.cpp + // + + return STATUS_NOT_IMPLEMENTED; + } +} NTSTATUS AFSProcessControlRequest( IN PIRP Irp) { @@ -402,21 +553,18 @@ AFSProcessControlRequest( IN PIRP Irp) ulIoControlCode = pIrpSp->Parameters.DeviceIoControl.IoControlCode; + ntStatus = AFSCheckIoctlPermissions( ulIoControlCode); + + if ( !NT_SUCCESS( ntStatus)) + { + try_return( ntStatus); + } + switch( ulIoControlCode) { case IOCTL_AFS_INITIALIZE_CONTROL_DEVICE: { - if ( !AFSIsUser( SeExports->SeLocalSystemSid) -#if DBG - && !BooleanFlagOn( AFSDebugFlags, AFS_DBG_DISABLE_SYSTEM_SID_CHECK) -#endif - ) - { - - ntStatus = STATUS_ACCESS_DENIED; - break; - } // // Go intialize the pool // @@ -448,14 +596,6 @@ AFSProcessControlRequest( IN PIRP Irp) AFSRedirectorInitInfo *pRedirInitInfo = (AFSRedirectorInitInfo *)Irp->AssociatedIrp.SystemBuffer; - if ( !AFSIsService()) - { - - ntStatus = STATUS_ACCESS_DENIED; - - break; - } - // // Extract off the passed in information which contains the // cache file parameters @@ -495,14 +635,6 @@ AFSProcessControlRequest( IN PIRP Irp) case IOCTL_AFS_PROCESS_IRP_REQUEST: { - if ( !AFSIsService()) - { - - ntStatus = STATUS_ACCESS_DENIED; - - break; - } - ntStatus = AFSProcessIrpRequest( Irp); break; @@ -511,14 +643,6 @@ AFSProcessControlRequest( IN PIRP Irp) case IOCTL_AFS_PROCESS_IRP_RESULT: { - if ( !AFSIsService()) - { - - ntStatus = STATUS_ACCESS_DENIED; - - break; - } - ntStatus = AFSProcessIrpResult( Irp); break; @@ -529,14 +653,6 @@ AFSProcessControlRequest( IN PIRP Irp) AFSSysNameNotificationCB *pSysNameInfo = (AFSSysNameNotificationCB *)Irp->AssociatedIrp.SystemBuffer; - if ( !AFSIsService()) - { - - ntStatus = STATUS_ACCESS_DENIED; - - break; - } - if( pSysNameInfo == NULL || pIrpSp->Parameters.DeviceIoControl.InputBufferLength < sizeof( AFSSysNameNotificationCB)) { @@ -557,13 +673,6 @@ AFSProcessControlRequest( IN PIRP Irp) AFSTraceConfigCB *pTraceInfo = (AFSTraceConfigCB *)Irp->AssociatedIrp.SystemBuffer; - if ( !AFSIsInGroup( SeExports->SeAliasAdminsSid)) - { - - ntStatus = STATUS_ACCESS_DENIED; - break; - } - if( pTraceInfo == NULL || pIrpSp->Parameters.DeviceIoControl.InputBufferLength < sizeof( AFSTraceConfigCB)) { @@ -581,13 +690,6 @@ AFSProcessControlRequest( IN PIRP Irp) case IOCTL_AFS_GET_TRACE_BUFFER: { - if ( !AFSIsInGroup( SeExports->SeAliasAdminsSid)) - { - - ntStatus = STATUS_ACCESS_DENIED; - break; - } - if( pIrpSp->Parameters.DeviceIoControl.OutputBufferLength == 0) { @@ -606,13 +708,6 @@ AFSProcessControlRequest( IN PIRP Irp) case IOCTL_AFS_FORCE_CRASH: { - if ( !AFSIsInGroup( SeExports->SeAliasAdminsSid)) - { - - ntStatus = STATUS_ACCESS_DENIED; - break; - } - #if DBG if( BooleanFlagOn( AFSDebugFlags, AFS_DBG_FLAG_ENABLE_FORCE_CRASH)) @@ -689,14 +784,6 @@ AFSProcessControlRequest( IN PIRP Irp) case IOCTL_AFS_SHUTDOWN: { - if ( !AFSIsService()) - { - - ntStatus = STATUS_ACCESS_DENIED; - - break; - } - ntStatus = AFSShutdownRedirector(); break; @@ -851,8 +938,6 @@ AFSProcessControlRequest( IN PIRP Irp) } } -//try_exit: - } __except( AFSExceptionFilter( __FUNCTION__, GetExceptionCode(), GetExceptionInformation())) { @@ -862,6 +947,8 @@ AFSProcessControlRequest( IN PIRP Irp) AFSDumpTraceFilesFnc(); } +try_exit: + if( bCompleteRequest) {