- Added /CanonicalizeAcls operation that will reorder access control entries that do not follow the canonical ordering (i.e., explicit deny, explicit allow, inherited deny, inherited allow). - Updated and signed binaries for 1.11.0.0.
1 parent
746027f
commit 76b348e
Showing
12 changed files
with
142 additions
and
18 deletions.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,69 @@ | ||
#include "OperationCanonicalizeAcls.h" | ||
#include "OperationCheckCanonical.h" | ||
#include "DriverKitPartial.h" | ||
#include "InputOutput.h" | ||
#include "Functions.h" | ||
|
||
ClassFactory<OperationCanonicalizeAcls> * OperationCanonicalizeAcls::RegisteredFactory = | ||
new ClassFactory<OperationCanonicalizeAcls>(GetCommand()); | ||
|
||
OperationCanonicalizeAcls::OperationCanonicalizeAcls(std::queue<std::wstring> & oArgList) : Operation(oArgList) | ||
{ | ||
// flag this as being an ace-level action | ||
AppliesToDacl = true; | ||
} | ||
|
||
bool OperationCanonicalizeAcls::ProcessAclAction(WCHAR * const sSdPart, ObjectEntry & tObjectEntry, PACL & tCurrentAcl, bool & bAclReplacement) | ||
{ | ||
// sanity check (null acl is considered valid) | ||
if (tCurrentAcl == NULL) return false; | ||
|
||
// use the simpler algorithm to determine if correct | ||
bool bHasProblems = false; | ||
OperationCheckCanonical::AceOrder oOrderOverall = OperationCheckCanonical::Unspecified; | ||
ACCESS_ACE * tCheckAce = FirstAce(tCurrentAcl); | ||
for (ULONG iEntry = 0; iEntry < tCurrentAcl->AceCount; tCheckAce = NextAce(tCheckAce), iEntry++) | ||
{ | ||
// determine the overall over type of this ace | ||
OperationCheckCanonical::AceOrder oThisAceOrder = OperationCheckCanonical::DetermineAceOrder(tCheckAce); | ||
|
||
// make sure this order is not less then the current order | ||
if (oThisAceOrder < oOrderOverall) break; | ||
{ | ||
bHasProblems = true; | ||
break; | ||
} | ||
|
||
oOrderOverall = oThisAceOrder; | ||
} | ||
|
||
// if no problem, then no need to perform a sort | ||
if (!bHasProblems) | ||
{ | ||
return false; | ||
} | ||
|
||
BYTE tNewAclBuffer[MAXWORD]; | ||
ACCESS_ACE * tNewAce = (ACCESS_ACE *) &tNewAclBuffer; | ||
for (int iAceOrder = 0; iAceOrder < OperationCheckCanonical::MaxAceOrder; iAceOrder++) | ||
{ | ||
ACCESS_ACE * tAce = FirstAce(tCurrentAcl); | ||
for (ULONG iEntry = 0; iEntry < tCurrentAcl->AceCount; tAce = NextAce(tAce), iEntry++) | ||
{ | ||
// determine the overall over type of this ace | ||
OperationCheckCanonical::AceOrder oThisAceOrder = OperationCheckCanonical::DetermineAceOrder(tAce); | ||
|
||
// copy the ace if it matches the sequential order (explicit deny, explicit allow, ...) | ||
if (iAceOrder == oThisAceOrder) | ||
{ | ||
memcpy(tNewAce, tAce, tAce->Header.AceSize); | ||
tNewAce = NextAce(tNewAce); | ||
} | ||
} | ||
} | ||
|
||
// recopy the updated list back into the original dacl memory space | ||
memcpy(FirstAce(tCurrentAcl), &tNewAclBuffer, (PBYTE) tNewAce - (PBYTE) &tNewAclBuffer); | ||
InputOutput::AddInfo(L"Access control list was canonicalized", sSdPart); | ||
return true; | ||
} |
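Review bot: The stray `break;` on the `if` line of the ordering check makes every non-empty ACL look non-canonical: the `if` body is just that `break` (which presumably never fires on the first ACE, as nothing orders below Unspecified), and the brace block after it is then an unconditional compound statement that sets `bHasProblems = true` and leaves the loop on the first iteration. As a result the re-sort and the "Access control list was canonicalized" message happen for every object with at least one ACE, including ACLs that were already in order, so the operation rewrites and reports far more than it should. The fix is to drop the `break;` so the block becomes the `if` body: `if (oThisAceOrder < oOrderOverall)` followed by `{ bHasProblems = true; break; }`. Separately, the rebuild loop only copies ACEs whose order falls in `[0, MaxAceOrder)`; if `DetermineAceOrder` can return `Unspecified` or any other out-of-range value, those ACEs are silently dropped while `AceCount` and `AclSize` stay unchanged, leaving stale ACE bytes after the copied region, so a guard or assertion there would be worthwhile depending on what `DetermineAceOrder` guarantees.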
@@ -0,0 +1,21 @@ | ||
#pragma once | ||
|
||
#include "Operation.h" | ||
|
||
class OperationCanonicalizeAcls : public Operation | ||
{ | ||
private: | ||
|
||
// statics used by command registration utility | ||
static std::wstring GetCommand() { return L"CanonicalizeAcls"; } | ||
static ClassFactory<OperationCanonicalizeAcls> * RegisteredFactory; | ||
|
||
public: | ||
|
||
// overrides | ||
bool ProcessAclAction(WCHAR * const sSdPart, ObjectEntry & tObjectEntry, PACL & tCurrentAcl, bool & bAclReplacement) override; | ||
|
||
// constructors | ||
OperationCanonicalizeAcls(std::queue<std::wstring> & oArgList); | ||
}; | ||
|
@@ -1,4 +1,4 @@ | ||
#pragma once | ||
|
||
#define VERSION_STRING "1.10.0.3" | ||
#define VERSION_COMMA 1,10,0,3 | ||
#define VERSION_STRING "1.11.0.0" | ||
#define VERSION_COMMA 1,11,0,0 |