* advapi32.cc (InitializeAcl): Remove.

(AddAce): Remove. (FindFirstFreeAce): Remove. (GetAce): Remove. (InitializeSecurityDescriptor): Remove. (OpenProcessToken): Remove. * dcrt0.cc: Replace above functions throughout with their ntdll.dll equivalent. * fhandler_tty.cc: Ditto. * flock.cc: Ditto. * pinfo.cc: Ditto. Drop unnecessary error handling. * sec_acl.cc: Ditto. * sec_auth.cc: Ditto. * sec_helper.cc: Ditto. * security.cc: Ditto.
2011-04-28 09:30:36 +00:00 · 2011-04-28 09:30:36 +00:00 · 1754539e56
parent 158e516b9d
commit 1754539e56
10 changed files with 65 additions and 98 deletions
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@ -1,3 +1,21 @@
+2011-04-28  Corinna Vinschen  <corinna@vinschen.de>
+
+	* advapi32.cc (InitializeAcl): Remove.
+	(AddAce): Remove.
+	(FindFirstFreeAce): Remove.
+	(GetAce): Remove.
+	(InitializeSecurityDescriptor): Remove.
+	(OpenProcessToken): Remove.
+	* dcrt0.cc: Replace above functions throughout with their ntdll.dll
+	equivalent.
+	* fhandler_tty.cc: Ditto.
+	* flock.cc: Ditto.
+	* pinfo.cc: Ditto.  Drop unnecessary error handling.
+	* sec_acl.cc: Ditto.
+	* sec_auth.cc: Ditto.
+	* sec_helper.cc: Ditto.
+	* security.cc: Ditto.
+
 2011-04-28  Corinna Vinschen  <corinna@vinschen.de>

 	* advapi32.cc (InitializeSid): Remove.
@ -6,7 +24,7 @@
 	(GetSidSubAuthority): Remove.
 	(GetSidSubAuthorityCount): Remove.
 	(GetSidIdentifierAuthority): Remove.
-	* fhandler_disk_file.cc: Remove above functions throughout with their
+	* fhandler_disk_file.cc: Replace above functions throughout with their
 	ntdll.dll equivalent.
 	* sec_auth.cc: Ditto.
 	* sec_helper.cc: Ditto.
--- a/winsup/cygwin/advapi32.cc
+++ b/winsup/cygwin/advapi32.cc
@ -53,13 +53,6 @@ CopySid (DWORD len, PSID dest, PSID src)
  DEFAULT_NTSTATUS_TO_BOOL_RETURN
 }

-BOOL WINAPI
-InitializeAcl (PACL acl, DWORD len, DWORD revision)
-{
-  NTSTATUS status = RtlCreateAcl (acl, len, revision);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
 BOOL WINAPI
 AddAccessAllowedAce (PACL acl, DWORD revision, DWORD mask, PSID sid)
 {
@ -74,34 +67,6 @@ AddAccessDeniedAce (PACL acl, DWORD revision, DWORD mask, PSID sid)
  DEFAULT_NTSTATUS_TO_BOOL_RETURN
 }

-BOOL WINAPI
-AddAce (PACL acl, DWORD revision, DWORD index, LPVOID ace_list, DWORD len)
-{
-  NTSTATUS status = RtlAddAce (acl, revision, index, ace_list, len);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
-FindFirstFreeAce (PACL acl, LPVOID *ace)
-{
-  NTSTATUS status = RtlFirstFreeAce (acl, ace);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
-GetAce (PACL acl, DWORD index, LPVOID *ace)
-{
-  NTSTATUS status = RtlGetAce (acl, index, ace);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
-InitializeSecurityDescriptor (PSECURITY_DESCRIPTOR sd, DWORD revision)
-{
-  NTSTATUS status = RtlCreateSecurityDescriptor (sd, revision);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
 BOOL WINAPI
 MakeSelfRelativeSD (PSECURITY_DESCRIPTOR abs_sd, PSECURITY_DESCRIPTOR rel_sd,
 		    LPDWORD len)
@ -156,13 +121,6 @@ SetSecurityDescriptorOwner (PSECURITY_DESCRIPTOR sd, PSID sid, BOOL def)
  DEFAULT_NTSTATUS_TO_BOOL_RETURN
 }

-BOOL WINAPI
-OpenProcessToken (HANDLE process, DWORD access, PHANDLE tok)
-{
-  NTSTATUS status = NtOpenProcessToken (process, access, tok);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
 BOOL WINAPI
 OpenThreadToken (HANDLE thread, DWORD access, BOOL as_self, PHANDLE tok)
 {
--- a/winsup/cygwin/dcrt0.cc
+++ b/winsup/cygwin/dcrt0.cc
@ -685,7 +685,7 @@ dll_crt0_0 ()
 		   GetCurrentProcess (), &hMainThread,
 		   0, false, DUPLICATE_SAME_ACCESS);

-  OpenProcessToken (GetCurrentProcess (), MAXIMUM_ALLOWED, &hProcToken);
+  NtOpenProcessToken (NtCurrentProcess (), MAXIMUM_ALLOWED, &hProcToken);
  set_cygwin_privileges (hProcToken);

  device::init ();
--- a/winsup/cygwin/fhandler_tty.cc
+++ b/winsup/cygwin/fhandler_tty.cc
@ -529,7 +529,7 @@ fhandler_tty_slave::open (int flags, mode_t)
    /* Create security attribute.  Default permissions are 0620. */
    security_descriptor sd;
    sd.malloc (sizeof (SECURITY_DESCRIPTOR));
-    InitializeSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
+    RtlCreateSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
    SECURITY_ATTRIBUTES sa = { sizeof (SECURITY_ATTRIBUTES), NULL, TRUE };
    if (!create_object_sd_from_attribute (NULL, myself->uid, myself->gid,
 					  S_IFCHR | S_IRUSR | S_IWUSR | S_IWGRP,
@ -1305,7 +1305,7 @@ fhandler_tty_slave::fchmod (mode_t mode)
 	goto errout;
    }
  sd.malloc (sizeof (SECURITY_DESCRIPTOR));
-  InitializeSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
+  RtlCreateSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
  if (!get_object_attribute (input_available_event, &uid, &gid, NULL)
      && !create_object_sd_from_attribute (NULL, uid, gid, S_IFCHR | mode, sd))
    ret = fch_set_sd (sd, false);
@ -1334,7 +1334,7 @@ fhandler_tty_slave::fchown (__uid32_t uid, __gid32_t gid)
 	goto errout;
    }
  sd.malloc (sizeof (SECURITY_DESCRIPTOR));
-  InitializeSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
+  RtlCreateSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
  if (!get_object_attribute (input_available_event, &o_uid, &o_gid, &mode))
    {
      if ((uid == ILLEGAL_UID || uid == o_uid)
@ -1796,7 +1796,7 @@ fhandler_pty_master::setup (bool ispty)

  /* Create security attribute.  Default permissions are 0620. */
  sd.malloc (sizeof (SECURITY_DESCRIPTOR));
-  InitializeSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
+  RtlCreateSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
  if (!create_object_sd_from_attribute (NULL, myself->uid, myself->gid,
 					S_IFCHR | S_IRUSR | S_IWUSR | S_IWGRP,
 					sd))
--- a/winsup/cygwin/flock.cc
+++ b/winsup/cygwin/flock.cc
@ -178,9 +178,10 @@ allow_others_to_sync ()
      return;
    }
  /* Set the size of the DACL correctly. */
-  if (!FindFirstFreeAce (dacl, &ace))
+  status = RtlFirstFreeAce (dacl, &ace);
+  if (!NT_SUCCESS (status))
    {
-      debug_printf ("FindFirstFreeAce: %lu", GetLastError ());
+      debug_printf ("RtlFirstFreeAce: %p", status);
      return;
    }
  dacl->AclSize = (char *) ace - (char *) dacl;
--- a/winsup/cygwin/pinfo.cc
+++ b/winsup/cygwin/pinfo.cc
@ -350,9 +350,8 @@ pinfo::set_acl()

  sec_acl (acl_buf, true, true, cygheap->user.sid (),
 	   well_known_world_sid, FILE_MAP_READ);
-  if (!InitializeSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION))
-    debug_printf ("InitializeSecurityDescriptor %E");
-  else if (!SetSecurityDescriptorDacl (&sd, TRUE, acl_buf, FALSE))
+  RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
+  if (!SetSecurityDescriptorDacl (&sd, TRUE, acl_buf, FALSE))
    debug_printf ("SetSecurityDescriptorDacl %E");
  else if ((status = NtSetSecurityObject (h, DACL_SECURITY_INFORMATION, &sd)))
    debug_printf ("NtSetSecurityObject %lx", status);
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@ -21,6 +21,7 @@ details. */
 #include "fhandler.h"
 #include "dtable.h"
 #include "cygheap.h"
+#include "ntdll.h"
 #include "pwdgrp.h"
 #include "tls_pbuf.h"

@ -68,11 +69,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,

  /* Initialize local security descriptor. */
  SECURITY_DESCRIPTOR sd;
-  if (!InitializeSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION))
-    {
-      __seterrno ();
-      return -1;
-    }
+  RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
  if (!SetSecurityDescriptorOwner (&sd, owner, FALSE))
    {
      __seterrno ();
@ -94,11 +91,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
  struct __group32 *gr;
  int pos;

-  if (!InitializeAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION))
-    {
-      __seterrno ();
-      return -1;
-    }
+  RtlCreateAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION);

  writable = false;

@ -332,7 +325,7 @@ getacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp)
 	{
 	  ACCESS_ALLOWED_ACE *ace;

-	  if (!GetAce (acl, i, (PVOID *) &ace))
+	  if (!NT_SUCCESS (RtlGetAce (acl, i, (PVOID *) &ace)))
 	    continue;

 	  cygpsid ace_sid ((PSID) &ace->SidStart);
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@ -1019,7 +1019,7 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
 	  + RtlLengthSid (well_known_admins_sid)
 	  + RtlLengthSid (well_known_system_sid);
  dacl = (PACL) alloca (dsize);
-  if (!InitializeAcl (dacl, dsize, ACL_REVISION))
+  if (!NT_SUCCESS (RtlCreateAcl (dacl, dsize, ACL_REVISION)))
    goto out;
  if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL, usersid))
    goto out;
--- a/winsup/cygwin/sec_helper.cc
+++ b/winsup/cygwin/sec_helper.cc
@ -463,7 +463,7 @@ get_null_sd ()

  if (!null_sdp)
    {
-      InitializeSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
+      RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
      SetSecurityDescriptorDacl (&sd, TRUE, NULL, FALSE);
      null_sdp = &sd;
    }
@ -488,6 +488,7 @@ init_global_security ()
 bool
 sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD access2)
 {
+  NTSTATUS status;
  size_t acl_len = MAX_DACL_LEN (5);
  LPVOID pAce;
  cygpsid psid;
@ -496,9 +497,10 @@ sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD acces
  if ((unsigned long) acl % 4)
    api_fatal ("Incorrectly aligned incoming ACL buffer!");
 #endif
-  if (!InitializeAcl (acl, acl_len, ACL_REVISION))
+  status = RtlCreateAcl (acl, acl_len, ACL_REVISION);
+  if (!NT_SUCCESS (status))
    {
-      debug_printf ("InitializeAcl %E");
+      debug_printf ("RtlCreateAcl: %p", status);
      return false;
    }
  if (sid1)
@ -521,11 +523,11 @@ sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD acces
  if (!AddAccessAllowedAce (acl, ACL_REVISION,
 			    GENERIC_ALL, well_known_system_sid))
    debug_printf ("AddAccessAllowedAce(system) %E");
-  FindFirstFreeAce (acl, &pAce);
-  if (pAce)
+  status = RtlFirstFreeAce (acl, &pAce);
+  if (NT_SUCCESS (status) && pAce)
    acl->AclSize = (char *) pAce - (char *) acl;
  else
-    debug_printf ("FindFirstFreeAce %E");
+    debug_printf ("RtlFirstFreeAce: %p", status);

  return true;
 }
@ -545,8 +547,7 @@ __sec_user (PVOID sa_buf, PSID sid1, PSID sid2, DWORD access2, BOOL inherit)
  if (!sec_acl (acl, true, true, sid1, sid2, access2))
    return inherit ? &sec_none : &sec_none_nih;

-  if (!InitializeSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION))
-    debug_printf ("InitializeSecurityDescriptor %E");
+  RtlCreateSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);

 /*
 * Setting the owner lets the created security attribute not work
@ -574,13 +575,14 @@ __sec_user (PVOID sa_buf, PSID sid1, PSID sid2, DWORD access2, BOOL inherit)
 PSECURITY_DESCRIPTOR
 _everyone_sd (void *buf, ACCESS_MASK access)
 {
+  NTSTATUS status;
  PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) buf;

  if (psd)
    {
-      InitializeSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);
+      RtlCreateSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);
      PACL dacl = (PACL) (psd + 1);
-      InitializeAcl (dacl, MAX_DACL_LEN (1), ACL_REVISION);
+      RtlCreateAcl (dacl, MAX_DACL_LEN (1), ACL_REVISION);
      if (!AddAccessAllowedAce (dacl, ACL_REVISION, access,
 				well_known_world_sid))
 	{
@ -588,9 +590,10 @@ _everyone_sd (void *buf, ACCESS_MASK access)
 	  return NULL;
 	}
      LPVOID ace;
-      if (!FindFirstFreeAce (dacl, &ace))
+      status = RtlFirstFreeAce (dacl, &ace);
+      if (!NT_SUCCESS (status))
 	{
-	  debug_printf ("FindFirstFreeAce: %lu", GetLastError ());
+	  debug_printf ("RtlFirstFreeAce: %p", status);
 	  return NULL;
 	}
      dacl->AclSize = (char *) ace - (char *) dacl;
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@ -139,7 +139,7 @@ get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd,
      if (NT_SUCCESS (RtlGetDaclSecurityDescriptor (sd, &exists, &dacl, &def))
 	  && exists && dacl)
 	for (ULONG idx = 0; idx < dacl->AceCount; ++idx)
-	  if (RtlGetAce (dacl, idx, (PVOID *) &ace)
+	  if (NT_SUCCESS (RtlGetAce (dacl, idx, (PVOID *) &ace))
 	      && (ace->Header.AceFlags & INHERITED_ACE))
 	    return 0;
      /* Otherwise, open the parent directory with READ_CONTROL... */
@ -245,7 +245,7 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid,

  for (DWORD i = 0; i < acl->AceCount; ++i)
    {
-      if (!GetAce (acl, i, (PVOID *) &ace))
+      if (!NT_SUCCESS (RtlGetAce (acl, i, (PVOID *) &ace)))
 	continue;
      if (ace->Header.AceFlags & INHERIT_ONLY_ACE)
 	continue;
@ -472,7 +472,7 @@ add_access_allowed_ace (PACL acl, int offset, DWORD attributes,
      return false;
    }
  ACCESS_ALLOWED_ACE *ace;
-  if (inherit && GetAce (acl, offset, (PVOID *) &ace))
+  if (inherit && NT_SUCCESS (RtlGetAce (acl, offset, (PVOID *) &ace)))
    ace->Header.AceFlags |= inherit;
  len_add += sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + RtlLengthSid (sid);
  return true;
@ -488,7 +488,7 @@ add_access_denied_ace (PACL acl, int offset, DWORD attributes,
      return false;
    }
  ACCESS_DENIED_ACE *ace;
-  if (inherit && GetAce (acl, offset, (PVOID *) &ace))
+  if (inherit && NT_SUCCESS (RtlGetAce (acl, offset, (PVOID *) &ace)))
    ace->Header.AceFlags |= inherit;
  len_add += sizeof (ACCESS_DENIED_ACE) - sizeof (DWORD) + RtlLengthSid (sid);
  return true;
@ -544,11 +544,7 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,

  /* Initialize local security descriptor. */
  SECURITY_DESCRIPTOR sd;
-  if (!InitializeSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION))
-    {
-      __seterrno ();
-      return NULL;
-    }
+  RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);

  /* We set the SE_DACL_PROTECTED flag here to prevent the DACL from being
     modified by inheritable ACEs. */
@ -570,11 +566,7 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,

  /* Initialize local access control list. */
  PACL acl = (PACL) tp.w_get ();
-  if (!InitializeAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION))
-    {
-      __seterrno ();
-      return NULL;
-    }
+  RtlCreateAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION);

  /* From here fill ACL. */
  size_t acl_len = sizeof (ACL);
@ -713,10 +705,12 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
  PACL oacl;
  BOOL acl_exists = FALSE;
  ACCESS_ALLOWED_ACE *ace;
+  NTSTATUS status;
+
  if (GetSecurityDescriptorDacl (sd_ret, &acl_exists, &oacl, &dummy)
      && acl_exists && oacl)
    for (DWORD i = 0; i < oacl->AceCount; ++i)
-      if (GetAce (oacl, i, (PVOID *) &ace))
+      if (NT_SUCCESS (RtlGetAce (oacl, i, (PVOID *) &ace)))
 	{
 	  cygpsid ace_sid ((PSID) &ace->SidStart);

@ -767,12 +761,13 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
 	   * behind the owner_deny, ACCESS_ALLOWED_ACE to the end.
 	   * FIXME: this would break the order of the inherit-only ACEs
 	   */
-	  if (!AddAce (acl, ACL_REVISION,
-		       ace->Header.AceType == ACCESS_DENIED_ACE_TYPE
-		       ?  (owner_deny ? 1 : 0) : MAXDWORD,
-		       (LPVOID) ace, ace->Header.AceSize))
+	  status = RtlAddAce (acl, ACL_REVISION,
+			      ace->Header.AceType == ACCESS_DENIED_ACE_TYPE
+			      ?  (owner_deny ? 1 : 0) : MAXDWORD,
+			      (LPVOID) ace, ace->Header.AceSize);
+	  if (!NT_SUCCESS (status))
 	    {
-	      __seterrno ();
+	      __seterrno_from_nt_status (status);
 	      return NULL;
 	    }
 	  ace_off++;
@ -862,7 +857,7 @@ set_security_attribute (path_conv &pc, int attribute, PSECURITY_ATTRIBUTES psa,
 			security_descriptor &sd)
 {
  psa->lpSecurityDescriptor = sd.malloc (SECURITY_DESCRIPTOR_MIN_LENGTH);
-  InitializeSecurityDescriptor ((PSECURITY_DESCRIPTOR)psa->lpSecurityDescriptor,
+  RtlCreateSecurityDescriptor ((PSECURITY_DESCRIPTOR) psa->lpSecurityDescriptor,
 				SECURITY_DESCRIPTOR_REVISION);
  psa->lpSecurityDescriptor = alloc_sd (pc, geteuid32 (), getegid32 (),
 					attribute, sd);