VOID
VmAfdFreeAcl (
PVMAFD_ACL pAcl
)
{
if (pAcl)
{
if (pAcl->pAceList)
{
VmAfdFreeAceList (pAcl->pAceList);
}
VMAFD_SAFE_FREE_MEMORY (pAcl);
}
}
static
VOID
VmAfdCleanSecurityDescriptor (
PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor
)
{
PVMAFD_ACE_LIST pAceListCursor = NULL;
PVMAFD_ACE_LIST pPrev = NULL;
PVMAFD_ACE_LIST pAceToClean = NULL;
if (pSecurityDescriptor &&
pSecurityDescriptor->pAcl
)
{
pAceListCursor = pSecurityDescriptor->pAcl->pAceList;
while (pAceListCursor)
{
if (!pAceListCursor->Ace.accessMask)
{
if (!pPrev)
{
pSecurityDescriptor->pAcl->pAceList = pAceListCursor->pNext;
}
else
{
pPrev->pNext = pAceListCursor->pNext;
}
pAceToClean = pAceListCursor;
pAceListCursor = pAceListCursor->pNext;
pAceToClean->pNext = NULL;
VmAfdFreeAceList (pAceToClean);
pSecurityDescriptor->pAcl->dwAceCount--;
}
else
{
pPrev = pAceListCursor;
pAceListCursor = pAceListCursor->pNext;
}
}
}
}
static
DWORD
VmAfdCopyAceList(
PVMAFD_ACE_LIST pAceListSrc,
PVMAFD_ACE_LIST *ppAceListDest
)
{
DWORD dwError = 0;
PVMAFD_ACE_LIST pAceListCursor = NULL;
PVMAFD_ACE_LIST pAceListStart = NULL;
PVMAFD_ACE_LIST pAceListDstCursor = NULL;
PVMAFD_ACE_LIST pAceListDstPrev = NULL;
if (
!ppAceListDest
)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR (dwError);
}
pAceListCursor = pAceListSrc;
while (pAceListCursor)
{
dwError = VmAfdAllocateMemory(
sizeof (VMAFD_ACE_LIST),
(PVOID *) &pAceListDstCursor
);
BAIL_ON_VMAFD_ERROR (dwError);
if (!pAceListStart)
{
pAceListStart = pAceListDstCursor;
}
if (pAceListDstPrev)
{
pAceListDstPrev->pNext = pAceListDstCursor;
}
pAceListDstCursor->Ace.type = pAceListCursor->Ace.type;
pAceListDstCursor->Ace.changeStatus =
pAceListCursor->Ace.changeStatus;
pAceListDstCursor->Ace.accessMask =
pAceListCursor->Ace.accessMask;
dwError = VmAfdCopySecurityContext(
pAceListCursor->Ace.pSecurityContext,
&(pAceListDstCursor->Ace.pSecurityContext
)
);
BAIL_ON_VMAFD_ERROR (dwError);
pAceListDstPrev = pAceListDstCursor;
pAceListCursor = pAceListCursor->pNext;
}
*ppAceListDest = pAceListStart;
cleanup:
return dwError;
error:
if (ppAceListDest)
{
*ppAceListDest = NULL;
}
if (pAceListStart)
{
VmAfdFreeAceList(pAceListStart);
}
goto cleanup;
}
DWORD
VmAfdModifyPermissions (
PVECS_SERV_STORE pStore,
PCWSTR pszServiceName,
DWORD accessMask,
VMAFD_ACE_TYPE aceType,
PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor,
VMW_IPC_MODIFY_PERMISSIONS modifyType
)
{
DWORD dwError = 0;
PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL;
PVMAFD_ACL pAcl = NULL;
PVMAFD_ACE_LIST pAceList = NULL;
PVMAFD_ACE_LIST pAceListCursor = NULL;
PVMAFD_ACE_LIST pAceListNew = NULL;
WCHAR wszEveryone[] = GROUP_EVERYONE_W;
if (IsNullOrEmptyString (pszServiceName) ||
!pSecurityDescriptor ||
!modifyType ||
!pStore ||
!accessMask
)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR (dwError);
}
if (VmAfdStringIsEqualW(
pszServiceName,
wszEveryone,
FALSE
)
)
{
dwError = VmAfdCreateWellKnownContext (
VM_AFD_CONTEXT_TYPE_EVERYONE,
&pSecurityContext
);
}
else
{
dwError = VmAfdAllocateContextFromName (
pszServiceName,
&pSecurityContext
);
}
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdCheckOwnerShip (
pStore,
pSecurityContext
);
if (dwError == 0)
{
goto cleanup;
}
dwError = 0;
if (
!pSecurityDescriptor->pAcl &&
modifyType != VMW_IPC_MODIFY_PERMISSIONS_REVOKE
)
{
dwError = VmAfdAllocateMemory(
sizeof (VMAFD_ACL),
(PVOID *) &pAcl
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdAllocateMemory (
sizeof (VMAFD_ACE_LIST),
(PVOID *) pAceList
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdCopySecurityContext(
pSecurityContext,
&(pAceList->Ace.pSecurityContext
)
);
BAIL_ON_VMAFD_ERROR (dwError);
pAceList->Ace.accessMask = accessMask;
pAceList->Ace.changeStatus = VMAFD_UPDATE_STATUS_NEW;
pAceList->Ace.type = aceType;
pAcl->pAceList = pAceList;
pAcl->dwAceCount ++;
pSecurityDescriptor->pAcl = pAcl;
}
else if (pSecurityDescriptor->pAcl)
{
pAceListCursor = pSecurityDescriptor->pAcl->pAceList;
while (pAceListCursor)
{
if (
VmAfdEqualsSecurityContext(
pSecurityContext,
pAceListCursor->Ace.pSecurityContext
)
&&
pAceListCursor->Ace.type == aceType
)
{
break;
}
pAceListCursor = pAceListCursor->pNext;
}
if (
!pAceListCursor &&
modifyType != VMW_IPC_MODIFY_PERMISSIONS_REVOKE
)
{
dwError = VmAfdAllocateMemory (
sizeof (VMAFD_ACE_LIST),
(PVOID *) &pAceListNew
);
BAIL_ON_VMAFD_ERROR (dwError);
dwError = VmAfdCopySecurityContext (
pSecurityContext,
&(pAceListNew->Ace.pSecurityContext)
);
BAIL_ON_VMAFD_ERROR (dwError);
pAceListNew->pNext = pSecurityDescriptor->pAcl->pAceList;
pAceListNew->Ace.accessMask = accessMask;
pAceListNew->Ace.changeStatus = VMAFD_UPDATE_STATUS_NEW;
pAceListNew->Ace.type = aceType;
pSecurityDescriptor->pAcl->pAceList = pAceListNew;
pSecurityDescriptor->pAcl->dwAceCount ++;
}
else if (pAceListCursor)
{
switch (modifyType)
{
case VMW_IPC_MODIFY_PERMISSIONS_SET:
pAceListCursor->Ace.accessMask = accessMask;
break;
case VMW_IPC_MODIFY_PERMISSIONS_ADD:
pAceListCursor->Ace.accessMask = pAceListCursor->Ace.accessMask |
accessMask;
break;
case VMW_IPC_MODIFY_PERMISSIONS_REVOKE:
pAceListCursor->Ace.accessMask = pAceListCursor->Ace.accessMask &
~accessMask;
break;
default:
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR (dwError);
}
pAceListCursor->Ace.changeStatus = VMAFD_UPDATE_STATUS_MODIFIED;
}
}
if (pSecurityDescriptor->changeStatus == VMAFD_UPDATE_STATUS_UNCHANGED)
{
pSecurityDescriptor->changeStatus = VMAFD_UPDATE_STATUS_MODIFIED;
}
cleanup:
if (pSecurityContext)
{
VmAfdFreeSecurityContext (pSecurityContext);
}
return dwError;
error:
if (pAcl)
{
VmAfdFreeAcl (pAcl);
}
if (pAceList)
{
VmAfdFreeAceList (pAceList);
}
if (pAceListNew)
{
VmAfdFreeAceList (pAceListNew);
}
goto cleanup;
}
static
DWORD
VecsDbGetAces (
PVECS_DB_CONTEXT pDbContext,
DWORD dwStoreID,
PVMAFD_ACE_LIST *ppAceList,
PDWORD pdwAceCount
)
{
DWORD dwError = 0;
DWORD dwDbStatus = 0;
PVMAFD_ACE_LIST pAceListCurr = NULL;
PVMAFD_ACE_LIST pAceListPrev = NULL;
PBYTE pSecurityContextBlob = NULL;
DWORD dwAceCount = 0;
sqlite3_stmt* pDbQuery = NULL;
if (!pDbContext || !ppAceList)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VECS_ERROR (dwError);
}
if (!pDbContext->pQueryGetAces)
{
CHAR szQuery[] = "SELECT * FROM AceTable"
" WHERE StoreID = :storeid;";
dwError = sqlite3_prepare_v2 (
pDbContext->pDb,
szQuery,
-1,
&pDbContext->pQueryGetAces,
NULL
);
BAIL_ON_VECS_ERROR (dwError);
}
pDbQuery = pDbContext->pQueryGetAces;
dwError = VecsBindDword(
pDbQuery,
":storeid",
dwStoreID
);
BAIL_ON_VECS_ERROR (dwError);
do
{
dwDbStatus = VecsDbStepSql (pDbQuery);
if (dwDbStatus == SQLITE_ROW)
{
DWORD dwContextSize = 0;
dwError = VmAfdAllocateMemory (
sizeof (VMAFD_ACE_LIST),
(PVOID *)&pAceListCurr
);
BAIL_ON_VECS_ERROR (dwError);
pAceListCurr->pNext = pAceListPrev;
dwError = VecsDBGetColumnBlob (
pDbQuery,
"ContextBlob",
&pSecurityContextBlob,
&dwContextSize
);
BAIL_ON_VECS_ERROR (dwError);
dwError = VmAfdDecodeSecurityContext (
pSecurityContextBlob,
dwContextSize,
&(pAceListCurr->Ace.pSecurityContext)
);
BAIL_ON_VECS_ERROR (dwError);
VMAFD_SAFE_FREE_MEMORY (pSecurityContextBlob);
dwError = VecsDBGetColumnInt (
pDbQuery,
"AccessMask",
&pAceListCurr->Ace.accessMask
);
BAIL_ON_VECS_ERROR (dwError);
dwError = VecsDBGetColumnInt (
pDbQuery,
"AccessType",
&pAceListCurr->Ace.type
);
BAIL_ON_VECS_ERROR (dwError);
pAceListPrev = pAceListCurr;
pAceListCurr = NULL;
dwAceCount++;
}
else if (dwDbStatus != SQLITE_DONE)
{
dwError = dwDbStatus;
BAIL_ON_VECS_ERROR (dwError);
}
}while (dwDbStatus == SQLITE_ROW);
*ppAceList = pAceListPrev;
if (pdwAceCount)
{
*pdwAceCount = dwAceCount;
}
cleanup:
VMAFD_SAFE_FREE_MEMORY (pSecurityContextBlob);
if (pDbQuery)
{
sqlite3_reset (pDbQuery);
}
return dwError;
error:
if (ppAceList)
{
*ppAceList = NULL;
}
if (pAceListPrev)
{
VmAfdFreeAceList (pAceListPrev);
}
if (pdwAceCount)
{
*pdwAceCount = 0;
}
goto cleanup;
}