From 8c3f912e058a67558c50d1a90583850d8f659679 Mon Sep 17 00:00:00 2001 From: Bill Zissimopoulos Date: Thu, 3 Dec 2015 21:25:18 -0800 Subject: [PATCH] sys: IRP_MJ_CREATE --- inc/winfsp/fsctl.h | 2 +- src/sys/create.c | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/inc/winfsp/fsctl.h b/inc/winfsp/fsctl.h index ffdcf5ea..5d4cabb2 100644 --- a/inc/winfsp/fsctl.h +++ b/inc/winfsp/fsctl.h @@ -75,7 +75,7 @@ typedef struct UINT32 SerialNumber; UINT32 EaSupported:1; /* supports extended attributes (unimplemented; set to 0) */ UINT32 FileNameRequired:1; /* FileName required for all operations (not just Create) */ - UINT32 NoAccessCheck:1; /* if set the user-mode flie system performs access checks */ + UINT32 NoSystemAccessCheck:1; /* if set the user-mode flie system performs access checks */ } FSP_FSCTL_VOLUME_PARAMS; typedef struct { diff --git a/src/sys/create.c b/src/sys/create.c index a1cd89a1..d6181c03 100644 --- a/src/sys/create.c +++ b/src/sys/create.c @@ -63,6 +63,7 @@ static NTSTATUS FspFsvolCreate( PSECURITY_DESCRIPTOR SecurityDescriptor = AccessState->SecurityDescriptor; ULONG SecurityDescriptorSize = 0; LARGE_INTEGER AllocationSize = Irp->Overlay.AllocationSize; + HANDLE AccessToken; ACCESS_MASK DesiredAccess = IrpSp->Parameters.Create.SecurityContext->DesiredAccess; USHORT ShareAccess = IrpSp->Parameters.Create.ShareAccess; PFILE_FULL_EA_INFORMATION EaBuffer = Irp->AssociatedIrp.SystemBuffer; @@ -215,6 +216,8 @@ static NTSTATUS FspFsvolCreate( Request->Req.Create.HasTraversePrivilege = HasTraversePrivilege; Request->Req.Create.OpenTargetDirectory = BooleanFlagOn(Flags, SL_OPEN_TARGET_DIRECTORY); Request->Req.Create.CaseSensitive = BooleanFlagOn(Flags, SL_CASE_SENSITIVE); + + /* copy the security descriptor into the request */ if (IsAbsoluteSecurityDescriptor) { Result = RtlAbsoluteToSelfRelativeSD(SecurityDescriptor, 0, &SecurityDescriptorSize); 
@@ -230,6 +233,22 @@ static NTSTATUS FspFsvolCreate( RtlCopyMemory(Request->Buffer + Request->Req.Create.SecurityDescriptor, SecurityDescriptor, SecurityDescriptorSize); + /* if the user-mode file system is doing access checks, send it the access token */ + if (FsvrtDeviceExtension->VolumeParams.NoSystemAccessCheck) + { + Result = ObOpenObjectByPointer( + SeQuerySubjectContextToken(&AccessState->SubjectSecurityContext), + OBJ_KERNEL_HANDLE, 0, TOKEN_QUERY, 0, KernelMode, &AccessToken); + if (!NT_SUCCESS(Result)) + { + FspFileContextDelete(FsContext); + return Result; + } + + /* send the kernel handle and change it into a process handle at prepare time */ + Request->Req.Create.AccessToken = (UINT_PTR)AccessToken; + } + /* * Post the IRP to our Ioq; we do this here instead of at FSP_LEAVE_MJ time, * so that we can FspFileContextDelete() on failure.
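Review bot: The kernel handle returned by ObOpenObjectByPointer is stored in `Request->Req.Create.AccessToken`, but nothing in this hunk shows who closes it if the request never reaches the prepare step. The post to the Ioq that follows can fail, per the comment just below, and a request can presumably also be cancelled or time out; each such path needs `ZwClose(AccessToken);` before `FspFileContextDelete(FsContext)`, otherwise the handle and its token reference leak in the kernel. `AccessToken` is declared without an initializer in the first create.c hunk, so `HANDLE AccessToken = 0;` plus an explicit `Request->Req.Create.AccessToken = 0;` when `NoSystemAccessCheck` is clear would let cleanup and prepare code tell "no token" from a stale value (unless the request buffer is already zeroed at allocation, which is not visible here). Opening the token with only TOKEN_QUERY and OBJ_KERNEL_HANDLE is the right minimum. The comment should also state that the raw kernel handle value must never be copied out to the user-mode file system unconverted. FspFsvolCreate's body starts and ends outside the hunk.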