DWORD VmAfdInitializeSecurityContext( PVM_AFD_CONNECTION pConnection, PVM_AFD_SECURITY_CONTEXT *ppSecurityContext ) { DWORD dwError = 0 ; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; if (ppSecurityContext == NULL){ dwError = ERROR_INVALID_PARAMETER ; BAIL_ON_VMAFD_ERROR (dwError); } dwError = gIPCVtable.pfnInitializeSecurityContext( pConnection, &pSecurityContext); BAIL_ON_VMAFD_ERROR (dwError); *ppSecurityContext = pSecurityContext; cleanup: return dwError; error: if (ppSecurityContext != NULL){ *ppSecurityContext = NULL; } if (pSecurityContext) { VmAfdFreeSecurityContext (pSecurityContext); } goto cleanup; }
DWORD VmAfdModifyOwner( PVECS_SERV_STORE pStore, PCWSTR pszUserName, PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor ) { DWORD dwError = 0; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; PVM_AFD_SECURITY_CONTEXT pSecurityContextToClean = NULL; if (IsNullOrEmptyString (pszUserName) || !pSecurityDescriptor || !pStore ) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } dwError = VmAfdAllocateContextFromName ( pszUserName, &pSecurityContext ); BAIL_ON_VMAFD_ERROR (dwError); pSecurityContextToClean = pSecurityContext; dwError = VmAfdCheckOwnerShip ( pStore, pSecurityContext ); if (dwError == 0) { goto cleanup; } dwError = 0; pSecurityContextToClean = pSecurityDescriptor->pOwnerSecurityContext; pSecurityDescriptor->pOwnerSecurityContext = pSecurityContext; cleanup: if (pSecurityContextToClean) { VmAfdFreeSecurityContext (pSecurityContextToClean); } return dwError; error: goto cleanup; }
DWORD VmAfdCreateWellKnownContextImpl ( VM_AFD_CONTEXT_TYPE contextType, PVM_AFD_SECURITY_CONTEXT *ppSecurityContext ) { DWORD dwError = 0; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; if (!ppSecurityContext) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } dwError = VmAfdAllocateMemory ( sizeof (VM_AFD_SECURITY_CONTEXT), (PVOID *)&pSecurityContext ); BAIL_ON_VMAFD_ERROR (dwError); switch (contextType) { case VM_AFD_CONTEXT_TYPE_ROOT: pSecurityContext->uid = 0; break; case VM_AFD_CONTEXT_TYPE_EVERYONE: pSecurityContext->uid = EVERYONE_UID; break; default: dwError = ERROR_INVALID_PARAMETER; break; } BAIL_ON_VMAFD_ERROR (dwError); *ppSecurityContext = pSecurityContext; cleanup: return dwError; error: if (ppSecurityContext) { *ppSecurityContext = NULL; } if (pSecurityContext) { VmAfdFreeSecurityContext (pSecurityContext); } goto cleanup; }
VOID VmAfdFreeConnectionContext( PVM_AFD_CONNECTION_CONTEXT pConnectionContext ) { if (pConnectionContext != NULL) { VmAfdFreeSecurityContext(pConnectionContext->pSecurityContext); } VMAFD_SAFE_FREE_MEMORY (pConnectionContext); }
DWORD VmAfdCreateAnonymousConnectionContextImpl( PVM_AFD_CONNECTION_CONTEXT *ppConnectionContext ) { DWORD dwError = 0; PVM_AFD_CONNECTION_CONTEXT pConnectionContext = NULL; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; if (ppConnectionContext == NULL) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } dwError = VmAfdAllocateMemory ( sizeof(VM_AFD_CONNECTION_CONTEXT), (PVOID *) &pConnectionContext ); BAIL_ON_VMAFD_ERROR (dwError); dwError = VmAfdAllocateMemory( sizeof (VM_AFD_SECURITY_CONTEXT), (PVOID *)&pSecurityContext); BAIL_ON_VMAFD_ERROR (dwError); pSecurityContext->uid = 0; pConnectionContext->pConnection = NULL; pConnectionContext->pSecurityContext = pSecurityContext; pConnectionContext->bAnonymousContext = TRUE; *ppConnectionContext = pConnectionContext; cleanup: return dwError; error: if (ppConnectionContext != NULL){ *ppConnectionContext = NULL; } if (pSecurityContext){ VmAfdFreeSecurityContext(pSecurityContext); } if (pConnectionContext){ VmAfdFreeMemory(pConnectionContext); } goto cleanup; }
DWORD VmAfdAllocateContextFromNameImpl ( PCWSTR pszAccountName, PVM_AFD_SECURITY_CONTEXT *ppSecurityContext ) { DWORD dwError = 0; struct passwd *pd = NULL; PSTR psazAccountName = NULL; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; dwError = VmAfdAllocateStringAFromW ( pszAccountName, &psazAccountName ); BAIL_ON_VMAFD_ERROR (dwError); pd = getpwnam (psazAccountName); if (pd == NULL) { dwError = ERROR_NONE_MAPPED; BAIL_ON_VMAFD_ERROR (dwError); } dwError = VmAfdAllocateMemory ( sizeof (VM_AFD_SECURITY_CONTEXT), (PVOID *)&pSecurityContext ); BAIL_ON_VMAFD_ERROR (dwError); pSecurityContext->uid = pd->pw_uid; *ppSecurityContext = pSecurityContext; cleanup: VMAFD_SAFE_FREE_MEMORY (psazAccountName); return dwError; error: if (ppSecurityContext) { *ppSecurityContext = NULL; } if (pSecurityContext) { VmAfdFreeSecurityContext(pSecurityContext); } goto cleanup; }
VOID VmAfdFreeAce ( PVMAFD_ACE pAce ) { if (pAce) { if (pAce->pSecurityContext) { VmAfdFreeSecurityContext( pAce->pSecurityContext ); } VMAFD_SAFE_FREE_MEMORY (pAce); } }
static VOID VmAfdFreeContextListEntry ( PVECS_STORE_CONTEXT_LIST pContextListEntry ) { if (pContextListEntry) { if (pContextListEntry->pSecurityContext) { VmAfdFreeSecurityContext( pContextListEntry->pSecurityContext ); } VMAFD_SAFE_FREE_MEMORY (pContextListEntry); } }
DWORD VmAfdCopySecurityContextImpl ( PVM_AFD_SECURITY_CONTEXT pSecurityContextSrc, PVM_AFD_SECURITY_CONTEXT *ppSecurityContextDst ) { DWORD dwError = 0; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; if (!pSecurityContextSrc || !ppSecurityContextDst ) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } dwError = VmAfdAllocateMemory ( sizeof (VM_AFD_SECURITY_CONTEXT), (PVOID *) &pSecurityContext ); BAIL_ON_VMAFD_ERROR (dwError); pSecurityContext->uid = pSecurityContextSrc->uid; *ppSecurityContextDst = pSecurityContext; cleanup: return dwError; error: if (ppSecurityContextDst) { *ppSecurityContextDst = NULL; } if (pSecurityContext) { VmAfdFreeSecurityContext (pSecurityContext); } goto cleanup; }
DWORD VmAfdDecodeSecurityContextImpl ( PBYTE pByteSecurityContext, DWORD dwBuffSize, PVM_AFD_SECURITY_CONTEXT *ppSecurityContext ) { DWORD dwError = 0; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; if (dwBuffSize < sizeof (VM_AFD_SECURITY_CONTEXT)) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } dwError = VmAfdAllocateMemory ( sizeof (VM_AFD_SECURITY_CONTEXT), (PVOID *)&pSecurityContext ); BAIL_ON_VMAFD_ERROR (dwError); pSecurityContext->uid = ((PVM_AFD_SECURITY_CONTEXT) pByteSecurityContext)->uid; *ppSecurityContext = pSecurityContext; cleanup: return dwError; error: if (ppSecurityContext) { *ppSecurityContext = NULL; } if (pSecurityContext) { VmAfdFreeSecurityContext (pSecurityContext); } goto cleanup; }
DWORD VmAfdCopySecurityContext ( PVM_AFD_SECURITY_CONTEXT pSecurityContextSrc, PVM_AFD_SECURITY_CONTEXT *ppSecurityContextDst ) { DWORD dwError = 0; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; if (!pSecurityContextSrc || !ppSecurityContextDst ) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } dwError = gIPCVtable.pfnCopySecurityContext( pSecurityContextSrc, &pSecurityContext ); BAIL_ON_VMAFD_ERROR (dwError); *ppSecurityContextDst = pSecurityContext; cleanup: return dwError; error: if (ppSecurityContextDst) { *ppSecurityContextDst = NULL; } if (pSecurityContext) { VmAfdFreeSecurityContext (pSecurityContext); } goto cleanup; }
DWORD VmAfdDecodeSecurityContext ( PBYTE pByteSecurityContext, DWORD dwBufSize, PVM_AFD_SECURITY_CONTEXT *ppSecurityContext ) { DWORD dwError = 0; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; if (!pByteSecurityContext || !ppSecurityContext ) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } dwError = gIPCVtable.pfnDecodeSecurityContext ( pByteSecurityContext, dwBufSize, &pSecurityContext ); BAIL_ON_VMAFD_ERROR (dwError); *ppSecurityContext = pSecurityContext; cleanup: return dwError; error: if (ppSecurityContext) { *ppSecurityContext = NULL; } if (pSecurityContext) { VmAfdFreeSecurityContext (pSecurityContext); } goto cleanup; }
VOID VmAfdFreeSecurityDescriptor ( PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor ) { if (pSecurityDescriptor) { if (pSecurityDescriptor->pOwnerSecurityContext) { VmAfdFreeSecurityContext ( pSecurityDescriptor->pOwnerSecurityContext ); } if (pSecurityDescriptor->pAcl) { VmAfdFreeAcl (pSecurityDescriptor->pAcl); } VMAFD_SAFE_FREE_MEMORY (pSecurityDescriptor); } }
VOID VmAfdFreeAceList ( PVMAFD_ACE_LIST pAceList ) { PVMAFD_ACE_LIST pAceListCurr = pAceList; PVMAFD_ACE_LIST pAceListNext = NULL; while (pAceListCurr) { pAceListNext = pAceListCurr->pNext; if (pAceListCurr->Ace.pSecurityContext) { VmAfdFreeSecurityContext (pAceListCurr->Ace.pSecurityContext); } VMAFD_SAFE_FREE_MEMORY (pAceListCurr); pAceListCurr = pAceListNext; } }
DWORD VmAfdCreateWellKnownContext ( VM_AFD_CONTEXT_TYPE contextType, PVM_AFD_SECURITY_CONTEXT *ppSecurityContext ) { DWORD dwError = 0; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; if (!ppSecurityContext) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } dwError = gIPCVtable.pfnCreateWellKnownContext ( contextType, &pSecurityContext ); BAIL_ON_VMAFD_ERROR (dwError); *ppSecurityContext = pSecurityContext; cleanup: return dwError; error: if (ppSecurityContext) { *ppSecurityContext = NULL; } if (pSecurityContext) { VmAfdFreeSecurityContext (pSecurityContext); } goto cleanup; }
DWORD VmAfdAllocateContextFromName ( PCWSTR pszAccountName, PVM_AFD_SECURITY_CONTEXT *ppSecurityContext ) { DWORD dwError = 0; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; if (IsNullOrEmptyString(pszAccountName) || !ppSecurityContext ) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } dwError = gIPCVtable.pfnAllocateContextFromName ( pszAccountName, &pSecurityContext ); BAIL_ON_VMAFD_ERROR (dwError); *ppSecurityContext = pSecurityContext; cleanup: return dwError; error: if (ppSecurityContext) { *ppSecurityContext = NULL; } if (pSecurityContext) { VmAfdFreeSecurityContext (pSecurityContext); } goto cleanup; }
DWORD VmAfdInitializeSecurityContextImpl( PVM_AFD_CONNECTION pConnection, PVM_AFD_SECURITY_CONTEXT *ppSecurityContext ) { DWORD dwError = 0; struct ucred credentials = {0}; int credLength = sizeof (struct ucred); PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; if ((getsockopt ( pConnection->fd, SOL_SOCKET, SO_PEERCRED, &credentials, &credLength)) < 0){ dwError = LwErrnoToWin32Error (errno); BAIL_ON_VMAFD_ERROR (dwError); } dwError = VmAfdAllocateMemory( sizeof (VM_AFD_SECURITY_CONTEXT), (PVOID *)&pSecurityContext); BAIL_ON_VMAFD_ERROR (dwError); pSecurityContext->uid = credentials.uid; *ppSecurityContext = pSecurityContext; cleanup: return dwError; error: if (ppSecurityContext != NULL){ *ppSecurityContext = NULL; } if (pSecurityContext){ VmAfdFreeSecurityContext(pSecurityContext); } goto cleanup; }
static DWORD VmAfdCreateNewClientInstance ( PVM_AFD_SECURITY_CONTEXT pSecurityContext, DWORD dwHashedIndx, PDWORD pdwClientInstance ) { DWORD dwError = 0; PVECS_STORE_CONTEXT_LIST pContextListCursor = NULL; PVECS_STORE_CONTEXT_LIST pContextListEntryNew = NULL; PVM_AFD_SECURITY_CONTEXT pSecurityContextTmp = NULL; DWORD dwClientInstance = 0; VECS_SRV_STORE_MAP storeMapEntry = gVecsGlobalStoreMap[dwHashedIndx]; if (!pSecurityContext || !pdwClientInstance ) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } pContextListCursor = storeMapEntry.pStoreContextList; while (pContextListCursor) { if (VmAfdEqualsSecurityContext( pContextListCursor->pSecurityContext, pSecurityContext ) ) { dwError = VmAfdGetOpenClientInstance( pContextListCursor, &dwClientInstance ); BAIL_ON_VMAFD_ERROR (dwError); pContextListCursor->dwClientInstances = pContextListCursor->dwClientInstances | dwClientInstance; break; } pContextListCursor = pContextListCursor->pNext; } if (pContextListCursor == NULL) { dwError = VmAfdCopySecurityContext ( pSecurityContext, &pSecurityContextTmp ); BAIL_ON_VMAFD_ERROR (dwError); dwError = VmAfdAllocateMemory ( sizeof (VECS_STORE_CONTEXT_LIST), (PVOID *)&pContextListEntryNew ); BAIL_ON_VMAFD_ERROR (dwError); pContextListEntryNew->pSecurityContext = pSecurityContextTmp; pContextListEntryNew->dwClientInstances = 1; pContextListEntryNew->pNext = storeMapEntry.pStoreContextList; if (storeMapEntry.pStoreContextList) { storeMapEntry.pStoreContextList->pPrev = pContextListEntryNew; } gVecsGlobalStoreMap[dwHashedIndx].pStoreContextList = pContextListEntryNew; dwClientInstance = 1; } *pdwClientInstance = dwClientInstance; cleanup: return dwError; error: if (pdwClientInstance) { *pdwClientInstance = 0; } if (pContextListEntryNew) { VmAfdFreeContextListEntry( pContextListEntryNew ); } if (pSecurityContextTmp) { VmAfdFreeSecurityContext( pSecurityContextTmp ); } goto cleanup; }
DWORD VmAfdModifyPermissions ( PVECS_SERV_STORE pStore, PCWSTR pszServiceName, DWORD accessMask, VMAFD_ACE_TYPE aceType, PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor, VMW_IPC_MODIFY_PERMISSIONS modifyType ) { DWORD dwError = 0; PVM_AFD_SECURITY_CONTEXT pSecurityContext = NULL; PVMAFD_ACL pAcl = NULL; PVMAFD_ACE_LIST pAceList = NULL; PVMAFD_ACE_LIST pAceListCursor = NULL; PVMAFD_ACE_LIST pAceListNew = NULL; WCHAR wszEveryone[] = GROUP_EVERYONE_W; if (IsNullOrEmptyString (pszServiceName) || !pSecurityDescriptor || !modifyType || !pStore || !accessMask ) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } if (VmAfdStringIsEqualW( pszServiceName, wszEveryone, FALSE ) ) { dwError = VmAfdCreateWellKnownContext ( VM_AFD_CONTEXT_TYPE_EVERYONE, &pSecurityContext ); } else { dwError = VmAfdAllocateContextFromName ( pszServiceName, &pSecurityContext ); } BAIL_ON_VMAFD_ERROR (dwError); dwError = VmAfdCheckOwnerShip ( pStore, pSecurityContext ); if (dwError == 0) { goto cleanup; } dwError = 0; if ( !pSecurityDescriptor->pAcl && modifyType != VMW_IPC_MODIFY_PERMISSIONS_REVOKE ) { dwError = VmAfdAllocateMemory( sizeof (VMAFD_ACL), (PVOID *) &pAcl ); BAIL_ON_VMAFD_ERROR (dwError); dwError = VmAfdAllocateMemory ( sizeof (VMAFD_ACE_LIST), (PVOID *) pAceList ); BAIL_ON_VMAFD_ERROR (dwError); dwError = VmAfdCopySecurityContext( pSecurityContext, &(pAceList->Ace.pSecurityContext ) ); BAIL_ON_VMAFD_ERROR (dwError); pAceList->Ace.accessMask = accessMask; pAceList->Ace.changeStatus = VMAFD_UPDATE_STATUS_NEW; pAceList->Ace.type = aceType; pAcl->pAceList = pAceList; pAcl->dwAceCount ++; pSecurityDescriptor->pAcl = pAcl; } else if (pSecurityDescriptor->pAcl) { pAceListCursor = pSecurityDescriptor->pAcl->pAceList; while (pAceListCursor) { if ( VmAfdEqualsSecurityContext( pSecurityContext, pAceListCursor->Ace.pSecurityContext ) && pAceListCursor->Ace.type == aceType ) { break; } pAceListCursor = pAceListCursor->pNext; } if ( !pAceListCursor && modifyType != VMW_IPC_MODIFY_PERMISSIONS_REVOKE ) { dwError = VmAfdAllocateMemory ( sizeof (VMAFD_ACE_LIST), (PVOID *) &pAceListNew ); BAIL_ON_VMAFD_ERROR (dwError); dwError = VmAfdCopySecurityContext ( pSecurityContext, &(pAceListNew->Ace.pSecurityContext) ); BAIL_ON_VMAFD_ERROR (dwError); pAceListNew->pNext = pSecurityDescriptor->pAcl->pAceList; pAceListNew->Ace.accessMask = accessMask; pAceListNew->Ace.changeStatus = VMAFD_UPDATE_STATUS_NEW; pAceListNew->Ace.type = aceType; pSecurityDescriptor->pAcl->pAceList = pAceListNew; pSecurityDescriptor->pAcl->dwAceCount ++; } else if (pAceListCursor) { switch (modifyType) { case VMW_IPC_MODIFY_PERMISSIONS_SET: pAceListCursor->Ace.accessMask = accessMask; break; case VMW_IPC_MODIFY_PERMISSIONS_ADD: pAceListCursor->Ace.accessMask = pAceListCursor->Ace.accessMask | accessMask; break; case VMW_IPC_MODIFY_PERMISSIONS_REVOKE: pAceListCursor->Ace.accessMask = pAceListCursor->Ace.accessMask & ~accessMask; break; default: dwError = ERROR_INVALID_PARAMETER; BAIL_ON_VMAFD_ERROR (dwError); } pAceListCursor->Ace.changeStatus = VMAFD_UPDATE_STATUS_MODIFIED; } } if (pSecurityDescriptor->changeStatus == VMAFD_UPDATE_STATUS_UNCHANGED) { pSecurityDescriptor->changeStatus = VMAFD_UPDATE_STATUS_MODIFIED; } cleanup: if (pSecurityContext) { VmAfdFreeSecurityContext (pSecurityContext); } return dwError; error: if (pAcl) { VmAfdFreeAcl (pAcl); } if (pAceList) { VmAfdFreeAceList (pAceList); } if (pAceListNew) { VmAfdFreeAceList (pAceListNew); } goto cleanup; }