Drop has_mandatory_integrity_control flag

Corinna Vinschen 2015-12-15 14:58:52 +01:00
parent 380b9affd1
commit aacc4f63d0
3 changed files with 31 additions and 47 deletions


@ -45,39 +45,36 @@ issetugid (void)
static HANDLE static HANDLE
get_full_privileged_inheritable_token (HANDLE token) get_full_privileged_inheritable_token (HANDLE token)
{ {
if (wincap.has_mandatory_integrity_control ()) TOKEN_LINKED_TOKEN linked;
ULONG size;
/* When fetching the linked token without TCB privs, then the linked
token is not a primary token, only an impersonation token, which is
not suitable for CreateProcessAsUser. Converting it to a primary
token using DuplicateTokenEx does NOT work for the linked token in
this case. So we have to switch on TCB privs to get a primary token.
This is generally performed in the calling functions. */
if (NT_SUCCESS (NtQueryInformationToken (token, TokenLinkedToken,
(PVOID) &linked, sizeof linked,
&size)))
{ {
TOKEN_LINKED_TOKEN linked; debug_printf ("Linked Token: %p", linked.LinkedToken);
ULONG size; if (linked.LinkedToken)
/* When fetching the linked token without TCB privs, then the linked
token is not a primary token, only an impersonation token, which is
not suitable for CreateProcessAsUser. Converting it to a primary
token using DuplicateTokenEx does NOT work for the linked token in
this case. So we have to switch on TCB privs to get a primary token.
This is generally performed in the calling functions. */
if (NT_SUCCESS (NtQueryInformationToken (token, TokenLinkedToken,
(PVOID) &linked, sizeof linked,
&size)))
{ {
debug_printf ("Linked Token: %p", linked.LinkedToken); TOKEN_TYPE type;
if (linked.LinkedToken)
{
TOKEN_TYPE type;
/* At this point we don't know if the user actually had TCB /* At this point we don't know if the user actually had TCB
privileges. Check if the linked token is a primary token. privileges. Check if the linked token is a primary token.
If not, just return the original token. */ If not, just return the original token. */
if (NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken, if (NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken,
TokenType, (PVOID) &type, TokenType, (PVOID) &type,
sizeof type, &size)) sizeof type, &size))
&& type != TokenPrimary) && type != TokenPrimary)
debug_printf ("Linked Token is not a primary token!"); debug_printf ("Linked Token is not a primary token!");
else else
{ {
CloseHandle (token); CloseHandle (token);
token = linked.LinkedToken; token = linked.LinkedToken;
}
} }
} }
} }
@ -972,14 +969,10 @@ create_token (cygsid &usersid, user_groups &new_groups)
&mandatory_integrity_sid))) &mandatory_integrity_sid)))
goto out; goto out;
/* On systems supporting Mandatory Integrity Control, add the MIC SID. */ new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes =
if (wincap.has_mandatory_integrity_control ()) SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
{ new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes = = mandatory_integrity_sid;
SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
= mandatory_integrity_sid;
}
/* Let's be heroic... */ /* Let's be heroic... */
status = NtCreateToken (&token, TOKEN_ALL_ACCESS, &oa, TokenImpersonation, status = NtCreateToken (&token, TOKEN_ALL_ACCESS, &oa, TokenImpersonation,
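Review bot: In get_full_privileged_inheritable_token the inner type check fails open: when the `TokenType` query on `linked.LinkedToken` does not succeed, the `&&` makes the condition false, so the `else` branch closes the original token and adopts the linked one without its type ever being confirmed. That contradicts the comment directly above it ("If not, just return the original token"). Treating a failed query like a non-primary token would read `if (!NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken, TokenType, (PVOID) &type, sizeof type, &size)) || type != TokenPrimary)`. In that rejecting branch `linked.LinkedToken` also appears to stay open, so a `CloseHandle (linked.LinkedToken);` next to the debug_printf would avoid leaking the handle. The function body continues past the end of this hunk, so this holds only if the handle is not released there.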


@ -21,7 +21,6 @@ wincaps wincap_xpsp2 __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:1, def_guard_pages:1,
max_sys_priv:SE_CREATE_GLOBAL_PRIVILEGE, max_sys_priv:SE_CREATE_GLOBAL_PRIVILEGE,
is_server:false, is_server:false,
has_mandatory_integrity_control:false,
needs_count_in_si_lpres2:false, needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:false, has_gaa_largeaddress_bug:false,
has_transactions:false, has_transactions:false,
@ -52,7 +51,6 @@ wincaps wincap_2003 __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:1, def_guard_pages:1,
max_sys_priv:SE_CREATE_GLOBAL_PRIVILEGE, max_sys_priv:SE_CREATE_GLOBAL_PRIVILEGE,
is_server:false, is_server:false,
has_mandatory_integrity_control:false,
needs_count_in_si_lpres2:false, needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:false, has_gaa_largeaddress_bug:false,
has_transactions:false, has_transactions:false,
@ -83,7 +81,6 @@ wincaps wincap_vista __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:1, def_guard_pages:1,
max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
is_server:false, is_server:false,
has_mandatory_integrity_control:true,
needs_count_in_si_lpres2:true, needs_count_in_si_lpres2:true,
has_gaa_largeaddress_bug:true, has_gaa_largeaddress_bug:true,
has_transactions:true, has_transactions:true,
@ -114,7 +111,6 @@ wincaps wincap_7 __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:1, def_guard_pages:1,
max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
is_server:false, is_server:false,
has_mandatory_integrity_control:true,
needs_count_in_si_lpres2:false, needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:true, has_gaa_largeaddress_bug:true,
has_transactions:true, has_transactions:true,
@ -145,7 +141,6 @@ wincaps wincap_8 __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:2, def_guard_pages:2,
max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
is_server:false, is_server:false,
has_mandatory_integrity_control:true,
needs_count_in_si_lpres2:false, needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:false, has_gaa_largeaddress_bug:false,
has_transactions:true, has_transactions:true,
@ -176,7 +171,6 @@ wincaps wincap_10 __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:2, def_guard_pages:2,
max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
is_server:false, is_server:false,
has_mandatory_integrity_control:true,
needs_count_in_si_lpres2:false, needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:false, has_gaa_largeaddress_bug:false,
has_transactions:true, has_transactions:true,
@ -207,7 +201,6 @@ wincaps wincap_10_1511 __attribute__((section (".cygwin_dll_common"), shared)) =
def_guard_pages:2, def_guard_pages:2,
max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
is_server:false, is_server:false,
has_mandatory_integrity_control:true,
needs_count_in_si_lpres2:false, needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:false, has_gaa_largeaddress_bug:false,
has_transactions:true, has_transactions:true,


@ -14,7 +14,6 @@ struct wincaps
DWORD def_guard_pages; DWORD def_guard_pages;
DWORD max_sys_priv; DWORD max_sys_priv;
unsigned is_server : 1; unsigned is_server : 1;
unsigned has_mandatory_integrity_control : 1;
unsigned needs_count_in_si_lpres2 : 1; unsigned needs_count_in_si_lpres2 : 1;
unsigned has_gaa_largeaddress_bug : 1; unsigned has_gaa_largeaddress_bug : 1;
unsigned has_transactions : 1; unsigned has_transactions : 1;
@ -70,7 +69,6 @@ public:
} }
DWORD IMPLEMENT (max_sys_priv) DWORD IMPLEMENT (max_sys_priv)
bool IMPLEMENT (is_server) bool IMPLEMENT (is_server)
bool IMPLEMENT (has_mandatory_integrity_control)
bool IMPLEMENT (needs_count_in_si_lpres2) bool IMPLEMENT (needs_count_in_si_lpres2)
bool IMPLEMENT (has_gaa_largeaddress_bug) bool IMPLEMENT (has_gaa_largeaddress_bug)
bool IMPLEMENT (has_transactions) bool IMPLEMENT (has_transactions)