diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index 8c9502d25..85648fcf1 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,15 @@ +2008-04-22 Corinna Vinschen + + * sec_auth.cc (create_token): Add integrity level SID to token on + systems supporting that. Remove useless check for dynamically loading + NtCreateToken function. + * sec_helper.cc (mandatory_medium_integrity_sid): Define. + (mandatory_high_integrity_sid): Define. + (mandatory_system_integrity_sid): Define. + * sec_helper.h (mandatory_medium_integrity_sid): Declare. + (mandatory_high_integrity_sid): Declare. + (mandatory_system_integrity_sid): Declare. + 2008-04-21 Corinna Vinschen * mount.cc (mount_info::init): Remove call to from_registry. Print diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc index d760ac6bf..8ae2424c3 100644 --- a/winsup/cygwin/sec_auth.cc +++ b/winsup/cygwin/sec_auth.cc @@ -825,7 +825,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw) /* Create a TOKEN_GROUPS list from the above retrieved list of sids. */ new_tok_gsids = (PTOKEN_GROUPS) - alloca (sizeof (DWORD) + tmp_gsids.count () + alloca (sizeof (DWORD) + (tmp_gsids.count () + 1) * sizeof (SID_AND_ATTRIBUTES)); new_tok_gsids->GroupCount = tmp_gsids.count (); for (DWORD i = 0; i < new_tok_gsids->GroupCount; ++i) @@ -837,6 +837,23 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw) } if (auth_pos >= 0) new_tok_gsids->Groups[auth_pos].Attributes |= SE_GROUP_LOGON_ID; + + /* On systems supporting Mandatory Integrity Control, add a MIC SID. */ + if (wincap.has_mandatory_integrity_control ()) + { + new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes = + SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED; + if (usersid == well_known_system_sid) + new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid + = mandatory_system_integrity_sid; + else if (tmp_gsids.contains (well_known_admins_sid)) + new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid + = mandatory_high_integrity_sid; + else + new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid + = mandatory_medium_integrity_sid; + } + /* Retrieve list of privileges of that user. */ if (!(privs = get_priv_list (lsa, usersid, tmp_gsids, psize))) goto out; @@ -847,11 +864,6 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw) &pgrp, &dacl, &source); if (ret) __seterrno_from_nt_status (ret); - else if (GetLastError () == ERROR_PROC_NOT_FOUND) - { - __seterrno (); - debug_printf ("Loading NtCreateToken failed."); - } else { /* Convert to primary token. */ diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc index 13fc56ddd..aa7d8105c 100644 --- a/winsup/cygwin/sec_helper.cc +++ b/winsup/cygwin/sec_helper.cc @@ -60,6 +60,12 @@ MKSID (well_known_admins_sid, "S-1-5-32-544", DOMAIN_ALIAS_RID_ADMINS); MKSID (fake_logon_sid, "S-1-5-5-0-0", SECURITY_NT_AUTHORITY, 3, SECURITY_LOGON_IDS_RID, 0, 0); +MKSID (mandatory_medium_integrity_sid, "S-1-16-8192", + SECURITY_MANDATORY_LABEL_AUTHORITY, 1, SECURITY_MANDATORY_MEDIUM_RID); +MKSID (mandatory_high_integrity_sid, "S-1-16-12288", + SECURITY_MANDATORY_LABEL_AUTHORITY, 1, SECURITY_MANDATORY_HIGH_RID); +MKSID (mandatory_system_integrity_sid, "S-1-16-16384", + SECURITY_MANDATORY_LABEL_AUTHORITY, 1, SECURITY_MANDATORY_SYSTEM_RID); bool cygpsid::operator== (const char *nsidstr) const diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h index 4f8084a3c..1eb81b3a2 100644 --- a/winsup/cygwin/security.h +++ b/winsup/cygwin/security.h @@ -323,6 +323,9 @@ extern cygpsid well_known_this_org_sid; extern cygpsid well_known_system_sid; extern cygpsid well_known_admins_sid; extern cygpsid fake_logon_sid; +extern cygpsid mandatory_medium_integrity_sid; +extern cygpsid mandatory_high_integrity_sid; +extern cygpsid mandatory_system_integrity_sid; bool privilege_luid (const char *pname, LUID *luid);