From 7146fe8b47895461d66f3159bfa9a913e7144eba Mon Sep 17 00:00:00 2001 From: Bill Zissimopoulos Date: Sun, 3 Jan 2016 20:39:16 -0800 Subject: [PATCH] dll: WIP --- inc/winfsp/winfsp.h | 9 ++------- src/dll/access.c | 27 ++++++++++++++++++++++----- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/inc/winfsp/winfsp.h b/inc/winfsp/winfsp.h index 8e978123..4b4deb8e 100644 --- a/inc/winfsp/winfsp.h +++ b/inc/winfsp/winfsp.h @@ -46,14 +46,9 @@ typedef struct _FSP_FILE_SYSTEM_INTERFACE { NTSTATUS (*AccessCheck)(FSP_FILE_SYSTEM *FileSystem, FSP_FSCTL_TRANSACT_REQ *Request, DWORD DesiredAccess, PDWORD PGrantedAccess); - NTSTATUS (*GetAttributes)(FSP_FILE_SYSTEM *FileSystem, - PWSTR FileName, PDWORD PAttributes); - NTSTATUS (*SetAttributes)(FSP_FILE_SYSTEM *FileSystem, - PWSTR FileName, DWORD Attributes); NTSTATUS (*GetSecurity)(FSP_FILE_SYSTEM *FileSystem, - PWSTR FileName, PSECURITY_DESCRIPTOR SecurityDescriptor, SIZE_T *PSecurityDescriptorSize); - NTSTATUS (*SetSecurity)(FSP_FILE_SYSTEM *FileSystem, - PWSTR FileName, PSECURITY_DESCRIPTOR SecurityDescriptor, SIZE_T SecurityDescriptorSize); + PWSTR FileName, PDWORD PFileAttributes, + PSECURITY_DESCRIPTOR SecurityDescriptor, SIZE_T *PSecurityDescriptorSize); NTSTATUS (*FileCreate)(FSP_FILE_SYSTEM *FileSystem, FSP_FSCTL_TRANSACT_REQ *Request, FSP_FILE_NODE **PFileNode); NTSTATUS (*FileOpen)(FSP_FILE_SYSTEM *FileSystem, diff --git a/src/dll/access.c b/src/dll/access.c index 275867f1..16a5a979 100644 --- a/src/dll/access.c +++ b/src/dll/access.c @@ -19,13 +19,14 @@ FSP_API PGENERIC_MAPPING FspGetFileGenericMapping(VOID) return &FspFileGenericMapping; } -static NTSTATUS FspGetFileSecurityDescriptor(FSP_FILE_SYSTEM *FileSystem, - PWSTR FileName, PSECURITY_DESCRIPTOR *PSecurityDescriptor, SIZE_T *PSecurityDescriptorSize) +static NTSTATUS FspGetSecurity(FSP_FILE_SYSTEM *FileSystem, + PWSTR FileName, PDWORD PFileAttributes, + PSECURITY_DESCRIPTOR *PSecurityDescriptor, SIZE_T *PSecurityDescriptorSize) { for (;;) { NTSTATUS Result = FileSystem->Interface->GetSecurity(FileSystem, - FileName, *PSecurityDescriptor, PSecurityDescriptorSize); + FileName, PFileAttributes, *PSecurityDescriptor, PSecurityDescriptorSize); if (STATUS_BUFFER_OVERFLOW != Result) return Result; @@ -50,6 +51,7 @@ FSP_API NTSTATUS FspAccessCheck(FSP_FILE_SYSTEM *FileSystem, } NTSTATUS Result; + DWORD FileAttributes; PSECURITY_DESCRIPTOR SecurityDescriptor = 0; SIZE_T SecurityDescriptorSize; DWORD PrivilegeSetLength; @@ -80,7 +82,7 @@ FSP_API NTSTATUS FspAccessCheck(FSP_FILE_SYSTEM *FileSystem, } Prefix = L'\0' == Prefix[0] ? L"\\" : (PWSTR)Request->Buffer; - Result = FspGetFileSecurityDescriptor(FileSystem, Prefix, + Result = FspGetSecurity(FileSystem, Prefix, &FileAttributes, &SecurityDescriptor, &SecurityDescriptorSize); FspPathCombine((PWSTR)Request->Buffer, Path); @@ -103,11 +105,26 @@ FSP_API NTSTATUS FspAccessCheck(FSP_FILE_SYSTEM *FileSystem, } } - Result = FspGetFileSecurityDescriptor(FileSystem, (PWSTR)Request->Buffer, + Result = FspGetSecurity(FileSystem, (PWSTR)Request->Buffer, &FileAttributes, &SecurityDescriptor, &SecurityDescriptorSize); if (!NT_SUCCESS(Result)) goto exit; + if (0 != (FileAttributes && FILE_ATTRIBUTE_READONLY)) + { + if (DesiredAccess & + (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_ADD_SUBDIRECTORY | FILE_DELETE_CHILD)) + { + Result = STATUS_ACCESS_DENIED; + goto exit; + } + if (Request->Req.Create.CreateOptions & FILE_DELETE_ON_CLOSE) + { + Result = STATUS_CANNOT_DELETE; + goto exit; + } + } + if (AccessCheck(SecurityDescriptor, (HANDLE)Request->Req.Create.AccessToken, DesiredAccess, &FspFileGenericMapping, 0, &PrivilegeSetLength, PGrantedAccess, &AccessStatus)) Result = AccessStatus ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;