static
DWORD
VmAfdCreateAccessToken(
PACCESS_TOKEN * AccessToken,
PTOKEN_USER User,
PTOKEN_GROUPS Groups,
PTOKEN_PRIVILEGES Privileges,
PTOKEN_OWNER Owner,
PTOKEN_PRIMARY_GROUP PrimaryGroup,
PTOKEN_DEFAULT_DACL DefaultDacl)
{
DWORD dwError = 0;
NTSTATUS ntStatus = 0;
ntStatus = RtlCreateAccessToken(
AccessToken,
User,
Groups,
Privileges,
Owner,
PrimaryGroup,
DefaultDacl,
NULL);
dwError = LwNtStatusToWin32Error(ntStatus);
return dwError;
}
static
NTSTATUS
LwIoFuseCreateAccessTokenForOther(
PACCESS_TOKEN* ppOtherToken
)
{
NTSTATUS status = STATUS_SUCCESS;
PACCESS_TOKEN pOtherToken = NULL;
TOKEN_USER user = {{0}};
TOKEN_OWNER owner = {0};
TOKEN_GROUPS groups = {0};
TOKEN_PRIVILEGES privileges = {0};
TOKEN_PRIMARY_GROUP primaryGroup = {0};
TOKEN_DEFAULT_DACL dacl = {0};
status = RtlAllocateSidFromCString(
&user.User.Sid,
"S-1-1-0");
BAIL_ON_NT_STATUS(status);
status = RtlCreateAccessToken(
&pOtherToken,
&user,
&groups,
&privileges,
&owner,
&primaryGroup,
&dacl,
NULL);
BAIL_ON_NT_STATUS(status);
*ppOtherToken = pOtherToken;
cleanup:
RTL_FREE(&user.User.Sid);
return status;
error:
*ppOtherToken = NULL;
if (pOtherToken)
{
RtlReleaseAccessToken(&pOtherToken);
}
goto cleanup;
}
static
NTSTATUS
LwIoFuseCreateAccessTokenForGroup(
PSID pGroupSid,
PACCESS_TOKEN* ppGroupToken
)
{
NTSTATUS status = STATUS_SUCCESS;
PACCESS_TOKEN pGroupToken = NULL;
TOKEN_USER user = {{0}};
TOKEN_OWNER owner = {0};
TOKEN_GROUPS groups = {0};
TOKEN_PRIVILEGES privileges = {0};
TOKEN_PRIMARY_GROUP primaryGroup = {0};
TOKEN_DEFAULT_DACL dacl = {0};
user.User.Sid = pGroupSid;
status = RtlCreateAccessToken(
&pGroupToken,
&user,
&groups,
&privileges,
&owner,
&primaryGroup,
&dacl,
NULL);
BAIL_ON_NT_STATUS(status);
*ppGroupToken = pGroupToken;
cleanup:
return status;
error:
*ppGroupToken = NULL;
if (pGroupToken)
{
RtlReleaseAccessToken(&pGroupToken);
}
goto cleanup;
}
NTSTATUS
RtlSelfRelativeAccessTokenToAccessToken(
IN PACCESS_TOKEN_SELF_RELATIVE pRelative,
IN ULONG ulRelativeSize,
OUT PACCESS_TOKEN* ppToken
)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG ulOffset = 0;
PBYTE pBuffer = (PBYTE) pRelative;
PSID pSid = NULL;
PSID_AND_ATTRIBUTES_SELF_RELATIVE pGroups = NULL;
ULONG ulSize = 0;
ULONG ulRealSize = 0;
ULONG i = 0;
TOKEN_USER User = {{0}};
TOKEN_OWNER Owner = {0};
TOKEN_PRIMARY_GROUP PrimaryGroup = {0};
TOKEN_UNIX Unix = {0};
PTOKEN_GROUPS pTokenGroups = NULL;
PTOKEN_PRIVILEGES pTokenPrivileges = NULL;
TOKEN_DEFAULT_DACL DefaultDacl = {0};
status = CheckOffset(0, sizeof(*pRelative), ulRelativeSize);
GOTO_CLEANUP_ON_STATUS(status);
if (pRelative->Flags & ACCESS_TOKEN_FLAG_UNIX_PRESENT)
{
Unix.Uid = pRelative->Uid;
Unix.Gid = pRelative->Gid;
Unix.Umask = pRelative->Umask;
}
User.User.Attributes = pRelative->User.Attributes;
ulOffset = pRelative->User.SidOffset;
pSid = (PSID) (pBuffer + ulOffset);
status = RtlValidateSelfRelativeSid(pSid, ulOffset, ulRelativeSize);
GOTO_CLEANUP_ON_STATUS(status);
User.User.Sid = pSid;
ulOffset = pRelative->GroupsOffset;
if (ulOffset)
{
status = LwRtlSafeMultiplyULONG(
&ulSize,
sizeof(SID_AND_ATTRIBUTES_SELF_RELATIVE),
pRelative->GroupCount);
GOTO_CLEANUP_ON_STATUS(status);
status = LwRtlSafeMultiplyULONG(
&ulRealSize,
sizeof(SID_AND_ATTRIBUTES),
pRelative->GroupCount);
GOTO_CLEANUP_ON_STATUS(status);
status = LwRtlSafeAddULONG(
&ulRealSize,
ulRealSize,
sizeof(TOKEN_GROUPS));
GOTO_CLEANUP_ON_STATUS(status);
status = CheckOffset(ulOffset, ulSize, ulRelativeSize);
GOTO_CLEANUP_ON_STATUS(status);
pGroups = (PSID_AND_ATTRIBUTES_SELF_RELATIVE) (pBuffer + ulOffset);
status = RTL_ALLOCATE(&pTokenGroups, TOKEN_GROUPS, ulRealSize);
GOTO_CLEANUP_ON_STATUS(status);
pTokenGroups->GroupCount = pRelative->GroupCount;
for (i = 0; i < pRelative->GroupCount; i++)
{
pTokenGroups->Groups[i].Attributes = pGroups[i].Attributes;
ulOffset = pGroups[i].SidOffset;
pSid = (PSID) (pBuffer + ulOffset);
status = RtlValidateSelfRelativeSid(pSid, ulOffset, ulRelativeSize);
GOTO_CLEANUP_ON_STATUS(status);
pTokenGroups->Groups[i].Sid = pSid;
}
}
ulOffset = pRelative->PrivilegesOffset;
if (ulOffset)
{
status = LwRtlSafeMultiplyULONG(
&ulSize,
sizeof(LUID_AND_ATTRIBUTES),
pRelative->PrivilegeCount);
GOTO_CLEANUP_ON_STATUS(status);
status = LwRtlSafeMultiplyULONG(
&ulRealSize,
sizeof(LUID_AND_ATTRIBUTES),
pRelative->PrivilegeCount);
GOTO_CLEANUP_ON_STATUS(status);
status = LwRtlSafeAddULONG(
&ulRealSize,
ulRealSize,
sizeof(TOKEN_PRIVILEGES));
GOTO_CLEANUP_ON_STATUS(status);
status = CheckOffset(ulOffset, ulSize, ulRelativeSize);
GOTO_CLEANUP_ON_STATUS(status);
status = RTL_ALLOCATE(&pTokenPrivileges, TOKEN_PRIVILEGES, ulRealSize);
GOTO_CLEANUP_ON_STATUS(status);
pTokenPrivileges->PrivilegeCount = pRelative->PrivilegeCount;
memcpy(pTokenPrivileges->Privileges,
pBuffer + ulOffset,
sizeof(LUID_AND_ATTRIBUTES) * pTokenPrivileges->PrivilegeCount);
}
ulOffset = pRelative->OwnerOffset;
if (ulOffset)
{
pSid = (PSID) (pBuffer + ulOffset);
status = RtlValidateSelfRelativeSid(pSid, ulOffset, ulRelativeSize);
GOTO_CLEANUP_ON_STATUS(status);
Owner.Owner = pSid;
}
ulOffset = pRelative->PrimaryGroupOffset;
if (ulOffset)
{
pSid = (PSID) (pBuffer + ulOffset);
status = RtlValidateSelfRelativeSid(pSid, ulOffset, ulRelativeSize);
GOTO_CLEANUP_ON_STATUS(status);
PrimaryGroup.PrimaryGroup = pSid;
}
status = RtlCreateAccessToken(
ppToken,
&User,
pTokenGroups,
pTokenPrivileges,
&Owner,
&PrimaryGroup,
&DefaultDacl,
pRelative->Flags & ACCESS_TOKEN_FLAG_UNIX_PRESENT ? &Unix : NULL);
GOTO_CLEANUP_ON_STATUS(status);
cleanup:
RTL_FREE(&pTokenGroups);
if (!NT_SUCCESS(status))
{
*ppToken = NULL;
}
return status;
}
