OperationCheckCanonical.cpp
#include "OperationCheckCanonical.h"
#include "DriverKitPartial.h"
#include "InputOutput.h"
#include "Helpers.h"
// Registers this operation with the ClassFactory under the command name returned by
// GetCommand() (declared in the header); presumably the argument parser uses this
// registration to instantiate the operation by name — confirm against the dispatcher.
ClassFactory<OperationCheckCanonical> OperationCheckCanonical::RegisteredFactory(GetCommand());
OperationCheckCanonical::OperationCheckCanonical(std::queue<std::wstring> & oArgList, const std::wstring & sCommand) : Operation(oArgList)
{
	// The command name is only needed for factory registration, not for construction.
	(void)sCommand;
	// Mark this as an ACE-level action so the framework hands us the DACL to inspect
	// (AppliesToDacl is a base-class member; its exact consumer is not visible here).
	this->AppliesToDacl = true;
}
bool OperationCheckCanonical::ProcessAclAction(const WCHAR * const sSdPart, ObjectEntry & tObjectEntry, PACL & tCurrentAcl, bool & bAclReplacement)
{
	// Report-only action: the ACL is never rewritten, bAclReplacement is left untouched
	// and the return value is always false (the base class's meaning of that flag is not
	// visible here; presumably "ACL unchanged"). A null ACL has no ordering to violate,
	// so it is neither inspected nor reported. tObjectEntry is not consulted; the
	// security-descriptor part name is enough to label the finding.
	const bool bIsNonCanonical = (tCurrentAcl != nullptr) && !IsAclCanonical(tCurrentAcl);
	if (bIsNonCanonical)
	{
		InputOutput::AddInfo(L"Access control list is not canonical", sSdPart);
	}
	return false;
}
bool OperationCheckCanonical::IsAclCanonical(const PACL & tAcl)
{
	// A null ACL has no entries and therefore trivially satisfies the ordering rule.
	if (tAcl == nullptr) return true;

	// Walk the ACEs in storage order and require that each entry's classification never
	// goes backwards relative to the entry before it. Order matters because access checks
	// consume ACEs sequentially, so a deny entry stored after a matching allow may never be
	// consulted — which is why a non-canonical DACL is worth reporting.
	// NOTE(review): relies on the AceOrder enumerators (declared in the header) being in
	// canonical order: explicit deny < explicit allow < inherited deny < inherited allow.
	// NOTE(review): AceCount entries are walked via NextAce with no check against
	// tAcl->AclSize; a well-formed ACL (as handed back by the OS) is assumed.
	AceOrder oPreviousOrder = Unspecified;
	PACE_ACCESS_HEADER tCurrentAce = FirstAce(tAcl);
	ULONG iRemaining = tAcl->AceCount;
	while (iRemaining > 0)
	{
		const AceOrder oCurrentOrder = DetermineAceOrder(tCurrentAce);
		if (oPreviousOrder > oCurrentOrder) return false;
		oPreviousOrder = oCurrentOrder;
		tCurrentAce = NextAce(tCurrentAce);
		iRemaining--;
	}
	return true;
}
OperationCheckCanonical::AceOrder OperationCheckCanonical::DetermineAceOrder(PACE_ACCESS_HEADER tAce)
{
	// Classify the entry along two axes: inherited from a parent vs. set explicitly, and
	// allow vs. deny. Object and callback variants count the same as the plain type. Any
	// other ACE type (e.g. system audit entries) has no place in the DACL ordering and
	// maps to Unspecified.
	const bool bInherited = IsInherited(tAce);
	switch (tAce->AceType)
	{
	case ACCESS_ALLOWED_ACE_TYPE:
	case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
	case ACCESS_ALLOWED_CALLBACK_ACE_TYPE:
		return bInherited ? InheritedAllow : ExplicitAllow;
	case ACCESS_DENIED_ACE_TYPE:
	case ACCESS_DENIED_OBJECT_ACE_TYPE:
	case ACCESS_DENIED_CALLBACK_ACE_TYPE:
		return bInherited ? InheritedDeny : ExplicitDeny;
	default:
		return Unspecified;
	}
}