* sec_helper.cc (sid_auth): Remove.

(well_known_this_org_sid): New well known sid. (SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Define. (mandatory_medium_integrity_sid): New well known sid. (mandatory_high_integrity_sid): Ditto. (mandatory_system_integrity_sid): Ditto. (cygsid::get_sid): Use local SID_IDENTIFIER_AUTHORITY. Allow all authorities fitting in a UCHAR. * security.cc (get_token_group_sidlist): Always add the local group to the token. Add comment. Add "This Organization" group if available in incoming group list. (get_server_groups): Only add world and authenticated users groups if not already in list. (create_token): Add matching mandatory integrity SID to group list on systems supporting Mandatory Integrity Control. * security.h (well_known_this_org_sid): Define. (mandatory_medium_integrity_sid): Define. (mandatory_high_integrity_sid): Define. (mandatory_system_integrity_sid): Define. * wincap.h: Define has_mandatory_integrity_control throughout. * wincap.cc: Ditto.
2006-11-08 11:38:05 +00:00 · 2006-11-08 11:38:05 +00:00 · 2fd2ddf3f5
parent 86bc8fadff
commit 2fd2ddf3f5
6 changed files with 76 additions and 14 deletions
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@ -1,3 +1,27 @@
+2006-11-08  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_helper.cc (sid_auth): Remove.
+	(well_known_this_org_sid): New well known sid.
+	(SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Define.
+	(mandatory_medium_integrity_sid): New well known sid.
+	(mandatory_high_integrity_sid): Ditto.
+	(mandatory_system_integrity_sid): Ditto.
+	(cygsid::get_sid): Use local SID_IDENTIFIER_AUTHORITY.  Allow all
+	authorities fitting in a UCHAR.
+	* security.cc (get_token_group_sidlist): Always add the local
+	group to the token.  Add comment.  Add "This Organization" group
+	if available in incoming group list.
+	(get_server_groups): Only add world and authenticated users groups
+	if not already in list.
+	(create_token): Add matching mandatory integrity SID to group list
+	on systems supporting Mandatory Integrity Control.
+	* security.h (well_known_this_org_sid): Define.
+	(mandatory_medium_integrity_sid): Define.
+	(mandatory_high_integrity_sid): Define.
+	(mandatory_system_integrity_sid): Define.
+	* wincap.h: Define has_mandatory_integrity_control throughout.
+	* wincap.cc: Ditto.
+
 2006-11-07  Corinna Vinschen  <corinna@vinschen.de>

 	* fhandler.cc (check_posix_perm): Moved here from syscalls.cc.
--- a/winsup/cygwin/sec_helper.cc
+++ b/winsup/cygwin/sec_helper.cc
@ -38,15 +38,6 @@ SECURITY_ATTRIBUTES NO_COPY sec_none_nih;
 SECURITY_ATTRIBUTES NO_COPY sec_all;
 SECURITY_ATTRIBUTES NO_COPY sec_all_nih;

-SID_IDENTIFIER_AUTHORITY NO_COPY sid_auth[] = {
-	{SECURITY_NULL_SID_AUTHORITY},
-	{SECURITY_WORLD_SID_AUTHORITY},
-	{SECURITY_LOCAL_SID_AUTHORITY},
-	{SECURITY_CREATOR_SID_AUTHORITY},
-	{SECURITY_NON_UNIQUE_AUTHORITY},
-	{SECURITY_NT_AUTHORITY}
-};
-
 SID (well_known_null_sid, "S-1-0-0",
     SECURITY_NULL_SID_AUTHORITY, 1, SECURITY_NULL_RID);
 SID (well_known_world_sid, "S-1-1-0",
@ -69,12 +60,23 @@ SID (well_known_service_sid, "S-1-5-6",
     SECURITY_NT_AUTHORITY, 1, SECURITY_SERVICE_RID);
 SID (well_known_authenticated_users_sid, "S-1-5-11",
     SECURITY_NT_AUTHORITY, 1, SECURITY_AUTHENTICATED_USER_RID);
+SID (well_known_this_org_sid, "S-1-5-15",
+     SECURITY_NT_AUTHORITY, 1, 15);
 SID (well_known_system_sid, "S-1-5-18",
     SECURITY_NT_AUTHORITY, 1, SECURITY_LOCAL_SYSTEM_RID);
 SID (well_known_admins_sid, "S-1-5-32-544",
     SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID,
 			       DOMAIN_ALIAS_RID_ADMINS);

+#define SECURITY_MANDATORY_INTEGRITY_AUTHORITY       {0,0,0,0,0,16}
+
+SID (mandatory_medium_integrity_sid, "S-1-64-8192",
+     SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 8192);
+SID (mandatory_high_integrity_sid, "S-1-64-12288",
+     SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 12288);
+SID (mandatory_system_integrity_sid, "S-1-64-16384",
+     SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 16384);
+
 bool
 cygpsid::operator== (const char *nsidstr) const
 {
@ -136,14 +138,16 @@ PSID
 cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r)
 {
  DWORD i;
+  SID_IDENTIFIER_AUTHORITY sid_auth = {0,0,0,0,0,0};

-  if (s > 5 || cnt < 1 || cnt > 8)
+  if (s > 255 || cnt < 1 || cnt > 8)
    {
      psid = NO_SID;
      return NULL;
    }
+  sid_auth.Value[5] = s;
  set ();
-  InitializeSid (psid, &sid_auth[s], cnt);
+  InitializeSid (psid, &sid_auth, cnt);
  for (i = 0; i < cnt; ++i)
    memcpy ((char *) psid + 8 + sizeof (DWORD) * i, &r[i], sizeof (DWORD));
  return psid;
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@ -493,7 +493,9 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
  auth_pos = -1;
  if (my_grps)
    {
-      if (sid_in_token_groups (my_grps, well_known_local_sid))
+      /* In Vista the Local SID is missing in a token constructed by
+         subauthentication.  We add the group unconditionally now. */
+      /*if (sid_in_token_groups (my_grps, well_known_local_sid))*/
 	grp_list += well_known_local_sid;
      if (sid_in_token_groups (my_grps, well_known_dialup_sid))
 	grp_list += well_known_dialup_sid;
@ -509,6 +511,8 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
 	grp_list += well_known_interactive_sid;
      if (sid_in_token_groups (my_grps, well_known_service_sid))
 	grp_list += well_known_service_sid;
+      if (sid_in_token_groups (my_grps, well_known_this_org_sid))
+	grp_list += well_known_this_org_sid;
    }
  else
    {
@ -542,8 +546,10 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw)
      return true;
    }

-  grp_list += well_known_world_sid;
-  grp_list += well_known_authenticated_users_sid;
+  if (!grp_list.contains (well_known_world_sid))
+    grp_list += well_known_world_sid;
+  if (!grp_list.contains (well_known_authenticated_users_sid))
+    grp_list += well_known_authenticated_users_sid;
  extract_nt_dom_user (pw, domain, user);
  if (get_logon_server (domain, server, wserver, false)
      && !get_user_groups (wserver, grp_list, user, domain)
@ -928,6 +934,15 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw,
  else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid, pw,
 				    my_tok_gsids, auth_luid, auth_pos))
    goto out;
+  if (wincap.has_mandatory_integrity_control ())
+    {
+      if (usersid == well_known_system_sid)
+	tmp_gsids += mandatory_system_integrity_sid;
+      else if (tmp_gsids.contains (well_known_admins_sid))
+	tmp_gsids += mandatory_high_integrity_sid;
+      else
+	tmp_gsids += mandatory_medium_integrity_sid;
+    }

  /* Primary group. */
  pgrp.PrimaryGroup = new_groups.pgsid;
--- a/winsup/cygwin/security.h
+++ b/winsup/cygwin/security.h
@ -245,8 +245,12 @@ extern cygpsid well_known_batch_sid;
 extern cygpsid well_known_interactive_sid;
 extern cygpsid well_known_service_sid;
 extern cygpsid well_known_authenticated_users_sid;
+extern cygpsid well_known_this_org_sid;
 extern cygpsid well_known_system_sid;
 extern cygpsid well_known_admins_sid;
+extern cygpsid mandatory_medium_integrity_sid;
+extern cygpsid mandatory_high_integrity_sid;
+extern cygpsid mandatory_system_integrity_sid;

 /* Order must be same as cygpriv in sec_helper.cc. */
 enum cygpriv_idx {
--- a/winsup/cygwin/wincap.cc
+++ b/winsup/cygwin/wincap.cc
@ -68,6 +68,7 @@ static NO_COPY wincaps wincap_unknown = {
  has_fileid_dirinfo:false,
  has_exclusiveaddruse:false,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_95 = {
@ -127,6 +128,7 @@ static NO_COPY wincaps wincap_95 = {
  has_fileid_dirinfo:false,
  has_exclusiveaddruse:false,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_95osr2 = {
@ -186,6 +188,7 @@ static NO_COPY wincaps wincap_95osr2 = {
  has_fileid_dirinfo:false,
  has_exclusiveaddruse:false,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_98 = {
@ -245,6 +248,7 @@ static NO_COPY wincaps wincap_98 = {
  has_fileid_dirinfo:false,
  has_exclusiveaddruse:false,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_98se = {
@ -304,6 +308,7 @@ static NO_COPY wincaps wincap_98se = {
  has_fileid_dirinfo:false,
  has_exclusiveaddruse:false,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_me = {
@ -363,6 +368,7 @@ static NO_COPY wincaps wincap_me = {
  has_fileid_dirinfo:false,
  has_exclusiveaddruse:false,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_nt3 = {
@ -422,6 +428,7 @@ static NO_COPY wincaps wincap_nt3 = {
  has_fileid_dirinfo:false,
  has_exclusiveaddruse:false,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_nt4 = {
@ -481,6 +488,7 @@ static NO_COPY wincaps wincap_nt4 = {
  has_fileid_dirinfo:false,
  has_exclusiveaddruse:false,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_nt4sp4 = {
@ -540,6 +548,7 @@ static NO_COPY wincaps wincap_nt4sp4 = {
  has_fileid_dirinfo:false,
  has_exclusiveaddruse:true,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_2000 = {
@ -599,6 +608,7 @@ static NO_COPY wincaps wincap_2000 = {
  has_fileid_dirinfo:true,
  has_exclusiveaddruse:true,
  has_buggy_restart_scan:true,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_xp = {
@ -658,6 +668,7 @@ static NO_COPY wincaps wincap_xp = {
  has_fileid_dirinfo:true,
  has_exclusiveaddruse:true,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_2003 = {
@ -717,6 +728,7 @@ static NO_COPY wincaps wincap_2003 = {
  has_fileid_dirinfo:true,
  has_exclusiveaddruse:true,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:false,
 };

 static NO_COPY wincaps wincap_vista = {
@ -776,6 +788,7 @@ static NO_COPY wincaps wincap_vista = {
  has_fileid_dirinfo:true,
  has_exclusiveaddruse:true,
  has_buggy_restart_scan:false,
+  has_mandatory_integrity_control:true,
 };

 wincapc wincap __attribute__((section (".cygwin_dll_common"), shared));
--- a/winsup/cygwin/wincap.h
+++ b/winsup/cygwin/wincap.h
@ -69,6 +69,7 @@ struct wincaps
  unsigned has_fileid_dirinfo				: 1;
  unsigned has_exclusiveaddruse				: 1;
  unsigned has_buggy_restart_scan			: 1;
+  unsigned has_mandatory_integrity_control		: 1;
 };

 class wincapc
@ -144,6 +145,7 @@ public:
  bool	IMPLEMENT (has_fileid_dirinfo)
  bool	IMPLEMENT (has_exclusiveaddruse)
  bool	IMPLEMENT (has_buggy_restart_scan)
+  bool	IMPLEMENT (has_mandatory_integrity_control)

 #undef IMPLEMENT
 };