Windows: QuerySecurity deny access to SACL
authorJeffrey Altman <jaltman@your-file-system.com>
Tue, 20 Nov 2012 06:23:08 +0000 (01:23 -0500)
committerJeffrey Altman <jaltman@your-file-system.com>
Fri, 23 Nov 2012 15:48:49 +0000 (07:48 -0800)
The SACL requires System Access Level.  Requests for SACL by
end user applications must be denied.  Permit access to Owner,
Group, DACL and Label but not SACL.

This change permits executables to be initiated from drive
letter mappings.

Change-Id: Ibf847261f0c36dc7b6175b0536657161158cd44f
Reviewed-on: http://gerrit.openafs.org/8483
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Rod Widdowson <rdw@steadingsoftware.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Tested-by: Jeffrey Altman <jaltman@your-file-system.com>

src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp

index c15d32b..52990fc 100644 (file)
@@ -82,16 +82,52 @@ AFSQuerySecurity( IN PDEVICE_OBJECT LibDeviceObject,
     PMDL pUserBufferMdl = NULL;
     void *pLockedUserBuffer = NULL;
     ULONG ulSDLength = 0;
+    SECURITY_INFORMATION SecurityInformation;
+    PFILE_OBJECT pFileObject;
+    AFSFcb *pFcb = NULL;
+    AFSCcb *pCcb = NULL;
 
     __try
     {
 
         pIrpSp = IoGetCurrentIrpStackLocation( Irp);
 
+        SecurityInformation = pIrpSp->Parameters.QuerySecurity.SecurityInformation;
+
+        pFileObject = pIrpSp->FileObject;
+
+        pFcb = (AFSFcb *)pFileObject->FsContext;
+
+        pCcb = (AFSCcb *)pFileObject->FsContext2;
+
         AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
                       AFS_TRACE_LEVEL_VERBOSE,
-                      "AFSQuerySecurity Entry for FO %08lX\n",
-                      pIrpSp->FileObject);
+                      "AFSQuerySecurity (%08lX) Entry for FO %08lX SI %08lX\n",
+                      Irp,
+                      pFileObject,
+                      SecurityInformation);
+
+        if( pFcb == NULL)
+        {
+
+            AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
+                          AFS_TRACE_LEVEL_ERROR,
+                          "AFSQuerySecurity Attempted access (%08lX) when pFcb == NULL\n",
+                          Irp);
+
+            try_return( ntStatus = STATUS_INVALID_DEVICE_REQUEST);
+        }
+
+        if ( SecurityInformation & SACL_SECURITY_INFORMATION)
+        {
+
+            AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
+                          AFS_TRACE_LEVEL_ERROR,
+                          "AFSQuerySecurity Attempted access (%08lX) SACL\n",
+                          Irp);
+
+            try_return( ntStatus = STATUS_ACCESS_DENIED);
+        }
 
         if( AFSDefaultSD == NULL)
         {
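Review bot: The SACL rejection at `if ( SecurityInformation & SACL_SECURITY_INFORMATION)` is a policy denial that any caller can trigger, but it is logged at `AFS_TRACE_LEVEL_ERROR` and has no comment recording why the whole request is refused. I would add `// SACL requires system-level access; requests that include it are refused outright` above the check and log the denial at `AFS_TRACE_LEVEL_VERBOSE`, so routine probes from unprivileged applications do not bury real errors in the trace. The new messages also print `Irp` and `pFileObject` with `%08lX`, which keeps only the low 32 bits of a pointer on 64-bit builds; `%p` would preserve the full value for correlating log lines, assuming AFSDbgLogMsg's formatter accepts it. `pCcb` is assigned but unused in the visible lines; AFSQuerySecurity continues outside the hunk, so it may be consumed further down.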