Skip to content

Commit

Permalink
Added additional security functions (#667)
Browse files Browse the repository at this point in the history
Added to Advapi32: SetFileSecurity, GetSecurityInfo and SetSecurityInfo
Added to NtDll: NtSetSecurityObject and NtQuerySecurityObject
  • Loading branch information
amarcionek authored and matthiasblaesing committed Aug 8, 2016
1 parent 5d7e4b0 commit 3ca98aa
Show file tree
Hide file tree
Showing 5 changed files with 456 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGES.md
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,8 @@ Features
* [#654](https://github.com/java-native-access/jna/pull/654): Support named arguments for `com.sun.jna.platform.win32.COM.util.CallbackProxy` based callbacks - [@matthiasblaesing](https://github.com/matthiasblaesing).
* [#659](https://github.com/java-native-access/jna/issues/659): Enable LCID (locale) override for `com.sun.jna.platform.win32.COM.util.ProxyObject`-based COM calls - [@matthiasblaesing](https://github.com/matthiasblaesing).
* [#665](https://github.com/java-native-access/jna/pull/665): Added `XSetWMProtocols` and `XGetWMProtocols` to `com.sun.jna.platform.unix.X11` - [@zainab-ali](https://github.com/zainab-ali).
* [#667](https://github.com/java-native-access/jna/pull/667): Added SetFileSecurity, GetSecurityInfo and SetSecurityInfo to `com.sun.jna.platform.win32.Advapi32` - [@amarcionek](https://github.com/amarcionek).
* [#667](https://github.com/java-native-access/jna/pull/667): Added NtSetSecurityObject and NtQuerySecurityObject to `com.sun.jna.platform.win32.NtDll` - [@amarcionek](https://github.com/amarcionek).
* [#680](https://github.com/java-native-access/jna/pull/680): Added `SetCurrentProcessExplicitAppUserModelID` and `GetCurrentProcessExplicitAppUserModelID` to `com.sun.jna.platform.win32.Shell32` for setting the [System.AppUserModel.ID](https://msdn.microsoft.com/en-us/library/windows/desktop/dd391569.aspx) of the host process - [@rednoah](https://github.com/rednoah).

Bug Fixes
Expand Down
138 changes: 138 additions & 0 deletions contrib/platform/src/com/sun/jna/platform/win32/Advapi32.java
Original file line number Diff line number Diff line change
Expand Up @@ -1634,6 +1634,144 @@ boolean GetFileSecurity(String lpFileName,
int RequestedInformation, Pointer pointer, int nLength,
IntByReference lpnLengthNeeded);

/**
* The SetFileSecurity function sets the security of a file or directory object.
* This function is obsolete. Use the SetNamedSecurityInfo function instead.
*
* @param lpFileName
* A pointer to a null-terminated string that specifies the file or directory for which security is set.
* Note that security applied to a directory is not inherited by its children.
* @param SecurityInformation
* Specifies a SECURITY_INFORMATION structure that identifies the contents of the security descriptor
* pointed to by the pSecurityDescriptor parameter.
* @param pSecurityDescriptor
* A pointer to a SECURITY_DESCRIPTOR structure.
* @return
* If the function succeeds, the function returns nonzero. If the function fails, it returns zero. To get
* extended error information, call GetLastError.
*/
boolean SetFileSecurity(String lpFileName, int SecurityInformation, Pointer pSecurityDescriptor);

/**
* The GetSecurityInfo function retrieves a copy of the security descriptor for an object specified by a handle.
*
* @param handle [in]
* A handle to the object from which to retrieve security information.
* @param ObjectType [in]
* SE_OBJECT_TYPE enumeration value that indicates the type of object.
* @param SecurityInfo [in]
* A set of bit flags that indicate the type of security information to retrieve. See WinNT *_SECURITY_INFORMATION
* @param ppsidOwner [out, optional]
* A pointer to a variable that receives a pointer to the owner SID in the security descriptor returned
* in ppSecurityDescriptor. The returned pointer is valid only if you set the OWNER_SECURITY_INFORMATION flag.
* This parameter can be NULL if you do not need the owner SID.
* @param ppsidGroup [in, optional]
* A pointer to a variable that receives a pointer to the primary group SID in the returned security descriptor.
* The returned pointer is valid only if you set the GROUP_SECURITY_INFORMATION flag. This parameter can be NULL
* if you do not need the group SID.
* @param ppDacl [in, optional]
* A pointer to a variable that receives a pointer to the DACL in the returned security descriptor. The returned
* pointer is valid only if you set the DACL_SECURITY_INFORMATION flag. This parameter can be NULL if you do not
* need the DACL.
* @param ppSacl [in, optional]
* A pointer to a variable that receives a pointer to the SACL in the returned security descriptor. The returned
* pointer is valid only if you set the SACL_SECURITY_INFORMATION flag. This parameter can be NULL if you do not
* need the SACL.
* @param ppSecurityDescriptor
* A pointer to a variable that receives a pointer to the security descriptor of the object. When you have finished
* using the pointer, free the returned buffer by calling the LocalFree function.
* This parameter is required if any one of the ppsidOwner, ppsidGroup, ppDacl, or ppSacl parameters is not NULL.
* @return whether the call succeeded. A nonzero return is a failure.
*
* <p><b>NOTES:</b></p>
* <p>1. If the ppsidOwner, ppsidGroup, ppDacl, and ppSacl parameters are non-NULL, and the SecurityInfo parameter specifies
* that they be retrieved from the object, those parameters will point to the corresponding parameters in the security descriptor
* returned in ppSecurityDescriptor.</p>
* <p>2. To read the owner, group, or DACL from the object's security descriptor, the calling process must have been granted
* READ_CONTROL access when the handle was opened. To get READ_CONTROL access, the caller must be the owner of the object or
* the object's DACL must grant the access.</p>
* <p>3. To read the SACL from the security descriptor, the calling process must have been granted ACCESS_SYSTEM_SECURITY access
* when the handle was opened. The proper way to get this access is to enable the SE_SECURITY_NAME privilege in the caller's
* current token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.</p>
* <p>4. If the supplied handle was opened with an ACCESS_MASK value of MAXIMUM_ALLOWED,
* then the SetSecurityInfo function will not propagate ACEs to children.</p>
*/
int GetSecurityInfo(HANDLE handle,
int ObjectType,
int SecurityInfo,
PointerByReference ppsidOwner,
PointerByReference ppsidGroup,
PointerByReference ppDacl,
PointerByReference ppSacl,
PointerByReference ppSecurityDescriptor);

/**
* The SetSecurityInfo function sets specified security information in
* the security descriptor of a specified object. The caller identifies the
* object by a handle.
*
* @param handle [in]
* A handle to the object for which to set security information.
* @param ObjectType [in]
* A value of the SE_OBJECT_TYPE enumeration that indicates the type
* of object named by the pObjectName parameter.
* @param SecurityInfo [in]
* A set of bit flags that indicate the type of security
* information to set. See WinNT *_SECURITY_INFORMATION
* @param ppsidOwner [in, optional]
* A pointer to a SID structure that identifies the owner of the object.
* If the caller does not have the SeRestorePrivilege constant
* (see Privilege Constants), this SID must be contained in the
* caller's token, and must have the SE_GROUP_OWNER permission enabled.
* The SecurityInfo parameter must include the OWNER_SECURITY_INFORMATION
* flag. To set the owner, the caller must have WRITE_OWNER access to
* the object or have the SE_TAKE_OWNERSHIP_NAME privilege enabled.
* If you are not setting the owner SID, this parameter can be NULL.
* @param ppsidGroup [in, optional]
* A pointer to a SID that identifies the primary group of the object.
* The SecurityInfo parameter must include the GROUP_SECURITY_INFORMATION
* flag. If you are not setting the primary group SID, this parameter
* can be NULL.
* @param ppDacl [in, optional]
* A pointer to the new DACL for the object. The SecurityInfo parameter
* must include the DACL_SECURITY_INFORMATION flag. The caller must have
* WRITE_DAC access to the object or be the owner of the object. If you
* are not setting the DACL, this parameter can be NULL.
* @param ppSacl [in, optional]
* A pointer to the new SACL for the object. The SecurityInfo parameter
* must include any of the following flags: SACL_SECURITY_INFORMATION,
* LABEL_SECURITY_INFORMATION, ATTRIBUTE_SECURITY_INFORMATION,
* SCOPE_SECURITY_INFORMATION, or BACKUP_SECURITY_INFORMATION.
* If setting SACL_SECURITY_INFORMATION or SCOPE_SECURITY_INFORMATION,
* the caller must have the SE_SECURITY_NAME privilege enabled. If
* you are not setting the SACL, this parameter can be NULL.
* @return whether the call succeeded. A nonzero return is a failure.
*
* <p><b>NOTES:</b></p>
* <p>1. If you are setting the discretionary access control list (DACL) or any elements
* in the system access control list (SACL) of an object, the system automatically
* propagates any inheritable access control entries (ACEs) to existing child objects,
* according to the ACE inheritance rules.</p>
* <p>2. The SetSecurityInfo function does not reorder access-allowed or access-denied
* ACEs based on the preferred order. When propagating inheritable ACEs to existing
* child objects, SetSecurityInfo puts inherited ACEs in order after all of the
* noninherited ACEs in the DACLs of the child objects.</p>
* <p>3. If share access to the children of the object is not available, this function
* will not propagate unprotected ACEs to the children. For example, if a directory
* is opened with exclusive access, the operating system will not propagate unprotected
* ACEs to the subdirectories or files of that directory when the security on the
* directory is changed.</p>
* <p>4. If the supplied handle was opened with an ACCESS_MASK value of MAXIMUM_ALLOWED,
* then the SetSecurityInfo function will not propagate ACEs to children.</p>
*/
int SetSecurityInfo(HANDLE handle,
int ObjectType,
int SecurityInfo,
Pointer ppsidOwner,
Pointer ppsidGroup,
Pointer ppDacl,
Pointer ppSacl);

/**
* The GetNamedSecurityInfo function retrieves a copy of the security
* descriptor for an object specified by name
Expand Down
53 changes: 53 additions & 0 deletions contrib/platform/src/com/sun/jna/platform/win32/NtDll.java
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
package com.sun.jna.platform.win32;

import com.sun.jna.Native;
import com.sun.jna.Pointer;
import com.sun.jna.Structure;
import com.sun.jna.platform.win32.WinNT.HANDLE;
import com.sun.jna.ptr.IntByReference;
Expand Down Expand Up @@ -51,4 +52,56 @@ public interface NtDll extends StdCallLibrary {
*/
public int ZwQueryKey(HANDLE KeyHandle, int KeyInformationClass,
Structure KeyInformation, int Length, IntByReference ResultLength);

/**
* The NtSetSecurityObject routine sets an object's security state.
* @param handle [in]
* Handle for the object whose security state is to be set. This handle must have the access
* specified in the Meaning column of the table shown in the description of the
* SecurityInformation parameter.
* @param SecurityInformation [in]
* SECURITY_INFORMATION value specifying the information to be set. Can be a combination of
* one or more of the following:
* DACL_SECURITY_INFORMATION
* Indicates the discretionary access control list (DACL) of the object is to be set. Requires WRITE_DAC access.
* GROUP_SECURITY_INFORMATION
* Indicates the primary group identifier of the object is to be set. Requires WRITE_OWNER access.
* OWNER_SECURITY_INFORMATION
* Indicates the owner identifier of the object is to be set. Requires WRITE_OWNER access.
* SACL_SECURITY_INFORMATION
* Indicates the system ACL (SACL) of the object is to be set. Requires ACCESS_SYSTEM_SECURITY access.
* @param pSecurityDescriptor [in]
* Pointer to the security descriptor to be set for the object.
* @return
* NtSetSecurityObject returns STATUS_SUCCESS or an appropriate error status.
*/
public int NtSetSecurityObject(HANDLE handle, int SecurityInformation, Pointer pSecurityDescriptor);

/**
* The NtQuerySecurityObject routine retrieves a copy of an object's security descriptor.
*
* @param handle [in]
* Handle for the object whose security descriptor is to be queried. This handle must have the access specified
* in the Meaning column of the table shown in the description of the SecurityInformation parameter.
* @param SecurityInformation [in]
* Pointer to a SECURITY_INFORMATION value specifying the information to be queried. Can be a combination of
* one or more of the following:
* DACL_SECURITY_INFORMATION
* Indicates the discretionary access control list (DACL) of the object is to be set. Requires WRITE_DAC access.
* GROUP_SECURITY_INFORMATION
* Indicates the primary group identifier of the object is to be set. Requires WRITE_OWNER access.
* OWNER_SECURITY_INFORMATION
* Indicates the owner identifier of the object is to be set. Requires WRITE_OWNER access.
* SACL_SECURITY_INFORMATION
* Indicates the system ACL (SACL) of the object is to be set. Requires ACCESS_SYSTEM_SECURITY access.
* @param SecurityDescriptor [out]
* Pointer to the security descriptor to be set for the object.
* @param Length [in]
* Size, in bytes, of the buffer pointed to by SecurityDescriptor.
* @param LengthNeeded [in]
* Pointer to a caller-allocated variable that receives the number of bytes required to store the copied security descriptor.
* @return
* NtQuerySecurityObject returns STATUS_SUCCESS or an appropriate error status.
*/
public int NtQuerySecurityObject(HANDLE handle, int SecurityInformation, Pointer SecurityDescriptor, int Length, IntByReference LengthNeeded);
}
Loading

0 comments on commit 3ca98aa

Please sign in to comment.