Windows: Assign AuthGroup during Process Create
authorJeffrey Altman <jaltman@your-file-system.com>
Tue, 20 Mar 2012 02:38:06 +0000 (22:38 -0400)
committerJeffrey Altman <jaltman@secure-endpoints.com>
Sun, 25 Mar 2012 20:50:30 +0000 (13:50 -0700)
As the process is being created, assign the AuthGroup so that
the must up to date information is used to assign AuthGroup
inheritance from Impersonation states and to prevent the parent
process from being destroyed before the AuthGroup is determined.

Change-Id: I176360a589d7f2bcf4b1ededad069424e3ce5393
Reviewed-on: http://gerrit.openafs.org/6927
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Peter Scott <pscott@kerneldrivers.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>

src/WINNT/afsrdr/kernel/fs/AFSAuthGroupSupport.cpp
src/WINNT/afsrdr/kernel/fs/AFSCreate.cpp
src/WINNT/afsrdr/kernel/fs/AFSProcessSupport.cpp
src/WINNT/afsrdr/kernel/fs/Include/AFSCommon.h

index 4eb31a1..105bf09 100644 (file)
@@ -224,7 +224,7 @@ AFSRetrieveAuthGroup( IN ULONGLONG ProcessId,
                           ProcessId,
                           ThreadId);
 
-            pAuthGroup = AFSValidateProcessEntry();
+            pAuthGroup = AFSValidateProcessEntry( PsGetCurrentProcessId());
 
             if( pAuthGroup != NULL)
             {
index 55d7418..547c58b 100644 (file)
@@ -118,7 +118,7 @@ AFSCommonCreate( IN PDEVICE_OBJECT DeviceObject,
         // Validate the process entry
         //
 
-        pAuthGroup = AFSValidateProcessEntry();
+        pAuthGroup = AFSValidateProcessEntry( PsGetCurrentProcessId());
 
         if( pAuthGroup != NULL)
         {
index c30b868..20740c9 100644 (file)
@@ -130,6 +130,12 @@ AFSProcessCreate( IN HANDLE ParentId,
             pProcessCB->CreatingThreadId = (ULONGLONG)CreatingThreadId;
         }
 
+        //
+        // Now assign the AuthGroup ACE
+        //
+
+        AFSValidateProcessEntry( ProcessId);
+
         AFSReleaseResource( pDeviceExt->Specific.Control.ProcessTree.TreeLock);
     }
 
@@ -230,14 +236,14 @@ AFSProcessDestroy( IN HANDLE ParentId,
 //
 
 GUID *
-AFSValidateProcessEntry( void)
+AFSValidateProcessEntry( IN HANDLE ProcessId)
 {
 
     GUID *pAuthGroup = NULL;
     NTSTATUS ntStatus = STATUS_SUCCESS;
     AFSProcessCB *pProcessCB = NULL, *pParentProcessCB = NULL;
     AFSDeviceExt *pDeviceExt = (AFSDeviceExt *)AFSDeviceObject->DeviceExtension;
-    ULONGLONG ullProcessID = (ULONGLONG)PsGetCurrentProcessId();
+    ULONGLONG ullProcessID = (ULONGLONG)ProcessId;
     UNICODE_STRING uniSIDString;
     ULONG ulSIDHash = 0;
     AFSSIDEntryCB *pSIDEntryCB = NULL;
index 311fea0..15f1bef 100644 (file)
@@ -812,7 +812,7 @@ AFSProcessDestroy( IN HANDLE ParentId,
                    IN HANDLE ProcessId);
 
 GUID *
-AFSValidateProcessEntry( void);
+AFSValidateProcessEntry( IN HANDLE ProcessId);
 
 BOOLEAN
 AFSIs64BitProcess( IN ULONGLONG ProcessId);