src: ku: posix.c

- src/ku directory contains shared kernel/user mode code

build/VStudio/winfsp_dll.vcxproj

@@ -35,6 +35,7 @@
     <ClInclude Include="..\..\src\dll\fuse3\library.h" />
     <ClInclude Include="..\..\src\dll\fuse\library.h" />
     <ClInclude Include="..\..\src\dll\library.h" />
+    <ClInclude Include="..\..\src\ku\library.h" />
     <ClInclude Include="..\..\src\shared\minimal.h" />
   </ItemGroup>
   <ItemGroup>
@@ -51,7 +52,6 @@
     <ClCompile Include="..\..\src\dll\fuse\fuse_opt.c" />
     <ClCompile Include="..\..\src\dll\launch.c" />
     <ClCompile Include="..\..\src\dll\np.c" />
-    <ClCompile Include="..\..\src\dll\posix.c" />
     <ClCompile Include="..\..\src\dll\security.c" />
     <ClCompile Include="..\..\src\dll\debug.c" />
     <ClCompile Include="..\..\src\dll\fsctl.c" />
@@ -63,6 +63,7 @@
     <ClCompile Include="..\..\src\dll\service.c" />
     <ClCompile Include="..\..\src\dll\util.c" />
     <ClCompile Include="..\..\src\dll\wksid.c" />
+    <ClCompile Include="..\..\src\ku\posix.c" />
   </ItemGroup>
   <ItemGroup>
     <CustomBuild Include="..\..\src\dll\fuse\fuse.pc.in">

build/VStudio/winfsp_dll.vcxproj.filters

@@ -27,6 +27,9 @@
     <Filter Include="Source\fuse3">
       <UniqueIdentifier>{96091a7b-3923-4a74-9491-3ee230c688f9}</UniqueIdentifier>
     </Filter>
+    <Filter Include="Source\ku">
+      <UniqueIdentifier>{613cce77-2428-4f9a-9187-f37e009253c1}</UniqueIdentifier>
+    </Filter>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="..\..\inc\winfsp\fsctl.h">
@@ -77,6 +80,9 @@
     <ClInclude Include="..\..\src\dll\fuse3\library.h">
       <Filter>Source\fuse3</Filter>
     </ClInclude>
+    <ClInclude Include="..\..\src\ku\library.h">
+      <Filter>Source\ku</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\..\src\dll\library.c">
@@ -124,9 +130,6 @@
     <ClCompile Include="..\..\src\dll\fuse\fuse_main.c">
       <Filter>Source\fuse</Filter>
     </ClCompile>
-    <ClCompile Include="..\..\src\dll\posix.c">
-      <Filter>Source</Filter>
-    </ClCompile>
     <ClCompile Include="..\..\src\dll\fuse\fuse_intf.c">
       <Filter>Source\fuse</Filter>
     </ClCompile>
@@ -154,6 +157,9 @@
     <ClCompile Include="..\..\src\dll\fuse3\fuse3_compat.c">
       <Filter>Source\fuse3</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\src\ku\posix.c">
+      <Filter>Source\ku</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <None Include="..\..\src\dll\library.def">

build/VStudio/winfsp_sys.vcxproj

@@ -155,6 +155,7 @@
     <FilesToPackage Include="$(TargetPath)" />
   </ItemGroup>
   <ItemGroup>
+    <ClCompile Include="..\..\src\ku\posix.c" />
     <ClCompile Include="..\..\src\sys\cleanup.c" />
     <ClCompile Include="..\..\src\sys\close.c" />
     <ClCompile Include="..\..\src\sys\create.c" />
@@ -190,6 +191,7 @@
   <ItemGroup>
     <ClInclude Include="..\..\inc\winfsp\fsctl.h" />
     <ClInclude Include="..\..\opt\fsext\inc\winfsp\fsext.h" />
+    <ClInclude Include="..\..\src\ku\library.h" />
     <ClInclude Include="..\..\src\sys\driver.h" />
   </ItemGroup>
   <ItemGroup>

build/VStudio/winfsp_sys.vcxproj.filters

@@ -12,6 +12,9 @@
     <Filter Include="Include\winfsp">
       <UniqueIdentifier>{904f0df1-2fb8-4f84-aa46-fa929488c39a}</UniqueIdentifier>
     </Filter>
+    <Filter Include="Source\ku">
+      <UniqueIdentifier>{235076b8-290c-4dec-b005-71d9b8e8cba7}</UniqueIdentifier>
+    </Filter>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\..\src\sys\driver.c">
@@ -107,6 +110,9 @@
     <ClCompile Include="..\..\src\sys\fsext.c">
       <Filter>Source</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\src\ku\posix.c">
+      <Filter>Source\ku</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="..\..\src\sys\driver.h">
@@ -118,6 +124,9 @@
     <ClInclude Include="..\..\opt\fsext\inc\winfsp\fsext.h">
       <Filter>Include\winfsp</Filter>
     </ClInclude>
+    <ClInclude Include="..\..\src\ku\library.h">
+      <Filter>Source\ku</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="..\..\src\sys\version.rc">

opt/fsext/inc/winfsp/fsext.h

@@ -51,10 +51,43 @@ typedef struct
     UINT32 DeviceExtensionOffset;
 } FSP_FSEXT_PROVIDER;
 
-FSP_DDI_DEF(NTSTATUS, FspFsextProviderRegister, FSP_FSEXT_PROVIDER *Provider)
+FSP_DDI_DEF(NTSTATUS, FspFsextProviderRegister,
+    FSP_FSEXT_PROVIDER *Provider)
 
-FSP_DDI_DEF(NTSTATUS, FspPosixMapSidToUid, PSID Sid, PUINT32 PUid)
-FSP_DDI_DEF(NTSTATUS, FspPosixMapWindowsToPosixPathEx, PWSTR WindowsPath, char **PPosixPath,
+FSP_DDI_DEF(NTSTATUS, FspPosixMapUidToSid,
+    UINT32 Uid,
+    PSID *PSid)
+FSP_DDI_DEF(NTSTATUS, FspPosixMapSidToUid,
+    PSID Sid,
+    PUINT32 PUid)
+FSP_DDI_DEF(VOID, FspDeleteSid,
+    PSID Sid,
+    NTSTATUS (*CreateFunc)())
+FSP_DDI_DEF(NTSTATUS, FspPosixMapPermissionsToSecurityDescriptor,
+    UINT32 Uid,
+    UINT32 Gid,
+    UINT32 Mode,
+    PSECURITY_DESCRIPTOR *PSecurityDescriptor)
+FSP_DDI_DEF(NTSTATUS, FspPosixMapSecurityDescriptorToPermissions,
+    PSECURITY_DESCRIPTOR SecurityDescriptor,
+    PUINT32 PUid,
+    PUINT32 PGid,
+    PUINT32 PMode)
+FSP_DDI_DEF(NTSTATUS, FspPosixMapWindowsToPosixPathEx,
+    PWSTR WindowsPath,
+    char **PPosixPath,
     BOOLEAN Translate)
+FSP_DDI_DEF(NTSTATUS, FspPosixMapPosixToWindowsPathEx,
+    const char *PosixPath,
+    PWSTR *PWindowsPath,
+    BOOLEAN Translate)
+FSP_DDI_DEF(VOID, FspPosixDeletePath,
+    void *Path)
+FSP_DDI_DEF(VOID, FspPosixEncodeWindowsPath,
+    PWSTR WindowsPath,
+    ULONG Size)
+FSP_DDI_DEF(VOID, FspPosixDecodeWindowsPath,
+    PWSTR WindowsPath,
+    ULONG Size)
 
 #endif

src/ku/library.h

@@ -0,0 +1,222 @@
+/**
+ * @file ku/library.h
+ *
+ * @copyright 2015-2019 Bill Zissimopoulos
+ */
+/*
+ * This file is part of WinFsp.
+ *
+ * You can redistribute it and/or modify it under the terms of the GNU
+ * General Public License version 3 as published by the Free Software
+ * Foundation.
+ *
+ * Licensees holding a valid commercial license may use this software
+ * in accordance with the commercial license agreement provided in
+ * conjunction with the software.  The terms and conditions of any such
+ * commercial license agreement shall govern, supersede, and render
+ * ineffective any application of the GPLv3 license to this software,
+ * notwithstanding of any reference thereto in the software or
+ * associated repository.
+ */
+
+#ifndef WINFSP_KU_LIBRARY_H_INCLUDED
+#define WINFSP_KU_LIBRARY_H_INCLUDED
+
+#if !defined(_KERNEL_MODE)
+
+#include <dll/library.h>
+#include <aclapi.h>
+#define _NTDEF_
+#include <ntsecapi.h>
+
+#define FSP_KU_CODE                     ((void)0)
+
+#else
+
+#include <sys/driver.h>
+
+#define FSP_KU_CODE                     PAGED_CODE(); NTSTATUS fsp_ku_status = STATUS_SUCCESS; (VOID)fsp_ku_status
+
+#define FSP_API                         FSP_DDI
+
+#define BYTE                            UINT8
+#define BOOL                            BOOLEAN
+#define LPBOOL                          PBOOLEAN
+#define UINT                            ULONG
+
+#define GetLastError()                  ((DWORD)fsp_ku_status)
+#define FspNtStatusFromWin32(Err)       ((NTSTATUS)(Err))
+#define ERROR_INSUFFICIENT_BUFFER       STATUS_BUFFER_TOO_SMALL
+
+#define InitOnceExecuteOnce(I, F, P, C) RtlRunOnceExecuteOnce(I, F, P, C)
+#define INIT_ONCE                       RTL_RUN_ONCE
+#define INIT_ONCE_STATIC_INIT           RTL_RUN_ONCE_INIT
+
+#define AddAccessAllowedAce(Acl, Rev, Acc, Sid)\
+                                        (fsp_ku_status = RtlAddAccessAllowedAce(Acl, Rev, Acc, Sid),\
+                                            NT_SUCCESS(fsp_ku_status))
+#define AddAccessDeniedAce(Acl, Rev, Acc, Sid)\
+                                        (fsp_ku_status = FspKuAddAccessDeniedAce(Acl, Rev, Acc, Sid),\
+                                            NT_SUCCESS(fsp_ku_status))
+#define EqualSid(Sid1, Sid2)            (fsp_ku_status = 0, RtlEqualSid(Sid1, Sid2))
+#define GetAce(Acl, Idx, Ace)           (fsp_ku_status = RtlGetAce(Acl, Idx, Ace), NT_SUCCESS(fsp_ku_status))
+#define GetAclInformation(Acl, Inf, Len, Cls)\
+                                        (fsp_ku_status = FspKuQueryInformationAcl(Acl, Inf, Len, Cls),\
+                                            NT_SUCCESS(fsp_ku_status))
+#define GetLengthSid(Sid)               (fsp_ku_status = 0, RtlLengthSid(Sid))
+#define GetSecurityDescriptorDacl(Sec, Prs, Dac, Def)\
+                                        (fsp_ku_status = RtlGetDaclSecurityDescriptor(Sec, Prs, Dac, Def),\
+                                            NT_SUCCESS(fsp_ku_status))
+#define GetSecurityDescriptorGroup(Sec, Grp, Def)\
+                                        (fsp_ku_status = RtlGetGroupSecurityDescriptor(Sec, Grp, Def),\
+                                            NT_SUCCESS(fsp_ku_status))
+#define GetSecurityDescriptorOwner(Sec, Own, Def)\
+                                        (fsp_ku_status = RtlGetOwnerSecurityDescriptor(Sec, Own, Def),\
+                                            NT_SUCCESS(fsp_ku_status))
+#define GetSidIdentifierAuthority(Sid)  (fsp_ku_status = 0, &((PISID)(Sid))->IdentifierAuthority)
+#define GetSidSubAuthority(Sid, Sub)    (fsp_ku_status = 0, RtlSubAuthoritySid(Sid, Sub))
+#define GetSidSubAuthorityCount(Sid)    (fsp_ku_status = 0, RtlSubAuthorityCountSid(Sid))
+#define InitializeAcl(Acl, Len, Rev)    (fsp_ku_status = RtlCreateAcl(Acl, Len, Rev), NT_SUCCESS(fsp_ku_status))
+#define InitializeSecurityDescriptor(Sec, Rev)\
+                                        (fsp_ku_status = RtlCreateSecurityDescriptor(Sec, Rev),\
+                                            NT_SUCCESS(fsp_ku_status))
+#define InitializeSid(Sid, Aut, Cnt)    (fsp_ku_status = RtlInitializeSid(Sid, Aut, Cnt), NT_SUCCESS(fsp_ku_status))
+#define IsValidSid(Sid)                 (RtlValidSid(Sid) || (fsp_ku_status = STATUS_INVALID_SID, FALSE))
+#define MakeSelfRelativeSD(Abs, Rel, Len)\
+                                        (fsp_ku_status = RtlAbsoluteToSelfRelativeSD(Abs, Rel, Len),\
+                                            NT_SUCCESS(fsp_ku_status))
+#define SetSecurityDescriptorControl(Sec, Msk, Bit)\
+                                        (fsp_ku_status = FspKuSetControlSecurityDescriptor(Sec, Msk, Bit),\
+                                            NT_SUCCESS(fsp_ku_status))
+#define SetSecurityDescriptorDacl(Sec, Prs, Dac, Def)\
+                                        (fsp_ku_status = RtlSetDaclSecurityDescriptor(Sec, Prs, Dac, Def),\
+                                            NT_SUCCESS(fsp_ku_status))
+#define SetSecurityDescriptorGroup(Sec, Grp, Def)\
+                                        (fsp_ku_status = RtlSetGroupSecurityDescriptor(Sec, Grp, Def),\
+                                            NT_SUCCESS(fsp_ku_status))
+#define SetSecurityDescriptorOwner(Sec, Own, Def)\
+                                        (fsp_ku_status = RtlSetOwnerSecurityDescriptor(Sec, Own, Def),\
+                                            NT_SUCCESS(fsp_ku_status))
+static inline NTSTATUS FspKuAddAccessDeniedAce(
+    PACL Acl,
+    ULONG AceRevision,
+    ACCESS_MASK AccessMask,
+    PSID Sid)
+{
+    /* We are missing RtlAddAccessDeniedAce. So we need this malarkey! */
+    NTSTATUS Result;
+    PACE_HEADER Ace;
+    Result = RtlAddAccessAllowedAce(Acl, AceRevision, AccessMask, Sid);
+    if (!NT_SUCCESS(Result))
+        return Result;
+    Result = RtlGetAce(Acl, Acl->AceCount - 1, &Ace);
+    if (!NT_SUCCESS(Result))
+        return Result;
+    Ace->AceType = ACCESS_DENIED_ACE_TYPE;
+    return STATUS_SUCCESS;
+}
+typedef enum
+{
+    AclRevisionInformation__DO_NOT_USE = 1,
+    AclSizeInformation,
+} ACL_INFORMATION_CLASS;
+typedef struct
+{
+    DWORD AceCount;
+    DWORD AclBytesInUse__DO_NOT_USE;
+    DWORD AclBytesFree__DO_NOT_USE;
+} ACL_SIZE_INFORMATION, *PACL_SIZE_INFORMATION;
+static inline NTSTATUS FspKuQueryInformationAcl(
+    PACL Acl,
+    PVOID AclInformation,
+    ULONG AclInformationLength,
+    ACL_INFORMATION_CLASS AclInformationClass)
+{
+    ASSERT(AclSizeInformation == AclInformationClass);
+    ASSERT(sizeof(ACL_SIZE_INFORMATION) <= AclInformationLength);
+    ((PACL_SIZE_INFORMATION)AclInformation)->AceCount = Acl->AceCount;
+    return STATUS_SUCCESS;
+}
+static inline NTSTATUS FspKuSetControlSecurityDescriptor(
+    PSECURITY_DESCRIPTOR SecurityDescriptor,
+    SECURITY_DESCRIPTOR_CONTROL ControlMask,
+    SECURITY_DESCRIPTOR_CONTROL ControlBits)
+{
+    ((PUSHORT)(SecurityDescriptor))[1] &= ~ControlMask;
+    ((PUSHORT)(SecurityDescriptor))[1] |= ControlBits;
+    return STATUS_SUCCESS;
+}
+
+#define WideCharToMultiByte(C, F, W, w, B, b, D, d)\
+                                        (FspKuWideCharToMultiByte(C, F, W, w, B, b, D, d, &fsp_ku_status))
+#define MultiByteToWideChar(C, F, B, b, W, w)\
+                                        (FspKuMultiByteToWideChar(C, F, B, b, W, w, &fsp_ku_status))
+#define CP_UTF8                         65001
+static inline int FspKuWideCharToMultiByte(
+    UINT CodePage,
+    DWORD dwFlags,
+    LPCWCH lpWideCharStr,
+    int cchWideChar,
+    LPSTR lpMultiByteStr,
+    int cbMultiByte,
+    LPCCH lpDefaultChar,
+    LPBOOL lpUsedDefaultChar,
+    PNTSTATUS PResult)
+{
+    ASSERT(CP_UTF8 == CodePage);
+    ASSERT(0 == dwFlags);
+    ASSERT(0 == lpDefaultChar);
+    ASSERT(0 == lpUsedDefaultChar);
+    NTSTATUS Result;
+    ULONG ByteCount;
+    if (-1 == cchWideChar)
+        cchWideChar = (int)wcslen(lpWideCharStr);
+    Result = RtlUnicodeToUTF8N(
+        lpMultiByteStr, cbMultiByte, &ByteCount,
+        lpWideCharStr, cchWideChar * sizeof(WCHAR));
+    if (STATUS_SOME_NOT_MAPPED == Result)
+        Result = STATUS_SUCCESS;
+    else if (!NT_SUCCESS(Result))
+        return 0;
+    *PResult = Result;
+    return ByteCount;
+}
+static inline int FspKuMultiByteToWideChar(
+    UINT CodePage,
+    DWORD dwFlags,
+    LPCCH lpMultiByteStr,
+    int cbMultiByte,
+    LPWSTR lpWideCharStr,
+    int cchWideChar,
+    PNTSTATUS PResult)
+{
+    ASSERT(CP_UTF8 == CodePage);
+    ASSERT(0 == dwFlags);
+    NTSTATUS Result;
+    ULONG ByteCount;
+    if (-1 == cbMultiByte)
+        cbMultiByte = (int)strlen(lpMultiByteStr);
+    Result = RtlUTF8ToUnicodeN(
+        lpWideCharStr, cchWideChar * sizeof(WCHAR), &ByteCount,
+        lpMultiByteStr, cbMultiByte);
+    if (STATUS_SOME_NOT_MAPPED == Result)
+        Result = STATUS_SUCCESS;
+    else if (!NT_SUCCESS(Result))
+        return 0;
+    *PResult = Result;
+    return ByteCount / sizeof(WCHAR);
+}
+
+static inline void *MemAlloc(size_t Size)
+{
+    return FspAlloc(Size);
+}
+static inline void MemFree(void *Pointer)
+{
+    if (0 != Pointer)
+        FspFree(Pointer);
+}
+
+#endif
+
+#endif

src/ku/posix.c

@@ -1,5 +1,5 @@
 /**
- * @file dll/posix.c
+ * @file ku/posix.c
  * POSIX Interop.
  *
  * This file provides routines for Windows/POSIX interoperability. It is based
@@ -32,15 +32,67 @@
  * associated repository.
  */
 
-#include <dll/library.h>
-#include <aclapi.h>
-#define _NTDEF_
-#include <ntsecapi.h>
+#include <ku/library.h>
 
+FSP_API NTSTATUS FspPosixMapUidToSid(UINT32 Uid, PSID *PSid);
+FSP_API NTSTATUS FspPosixMapSidToUid(PSID Sid, PUINT32 PUid);
 static PISID FspPosixCreateSid(BYTE Authority, ULONG Count, ...);
+FSP_API VOID FspDeleteSid(PSID Sid, NTSTATUS (*CreateFunc)());
+FSP_API NTSTATUS FspPosixMapPermissionsToSecurityDescriptor(
+    UINT32 Uid, UINT32 Gid, UINT32 Mode,
+    PSECURITY_DESCRIPTOR *PSecurityDescriptor);
+FSP_API NTSTATUS FspPosixMapSecurityDescriptorToPermissions(
+    PSECURITY_DESCRIPTOR SecurityDescriptor,
+    PUINT32 PUid, PUINT32 PGid, PUINT32 PMode);
+FSP_API NTSTATUS FspPosixMapWindowsToPosixPathEx(PWSTR WindowsPath, char **PPosixPath,
+    BOOLEAN Translate);
+FSP_API NTSTATUS FspPosixMapPosixToWindowsPathEx(const char *PosixPath, PWSTR *PWindowsPath,
+    BOOLEAN Translate);
+FSP_API VOID FspPosixDeletePath(void *Path);
+FSP_API VOID FspPosixEncodeWindowsPath(PWSTR WindowsPath, ULONG Size);
+FSP_API VOID FspPosixDecodeWindowsPath(PWSTR WindowsPath, ULONG Size);
 
-static INIT_ONCE FspPosixInitOnce = INIT_ONCE_STATIC_INIT;
-union
+#if defined(_KERNEL_MODE)
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE, FspPosixMapUidToSid)
+#pragma alloc_text(PAGE, FspPosixMapSidToUid)
+#pragma alloc_text(PAGE, FspPosixCreateSid)
+#pragma alloc_text(PAGE, FspDeleteSid)
+#pragma alloc_text(PAGE, FspPosixMapPermissionsToSecurityDescriptor)
+#pragma alloc_text(PAGE, FspPosixMapSecurityDescriptorToPermissions)
+#pragma alloc_text(PAGE, FspPosixMapWindowsToPosixPathEx)
+#pragma alloc_text(PAGE, FspPosixMapPosixToWindowsPathEx)
+#pragma alloc_text(PAGE, FspPosixDeletePath)
+#pragma alloc_text(PAGE, FspPosixEncodeWindowsPath)
+#pragma alloc_text(PAGE, FspPosixDecodeWindowsPath)
+#endif
+#endif
+
+static union
+{
+    SID V;
+    UINT8 B[sizeof(SID) - sizeof(DWORD) + (1 * sizeof(DWORD))];
+} FspWorldSidBuf =
+{
+    /* S-1-1-0 */
+    .V.Revision = SID_REVISION,
+    .V.SubAuthorityCount = 1,
+    .V.IdentifierAuthority.Value[5] = 1,
+    .V.SubAuthority[0] = 0,
+};
+static union
+{
+    SID V;
+    UINT8 B[sizeof(SID) - sizeof(DWORD) + (1 * sizeof(DWORD))];
+} FspAuthUsersSidBuf =
+{
+    /* S-1-5-11 */
+    .V.Revision = SID_REVISION,
+    .V.SubAuthorityCount = 1,
+    .V.IdentifierAuthority.Value[5] = 5,
+    .V.SubAuthority[0] = 11,
+};
+static union
 {
     SID V;
     UINT8 B[sizeof(SID) - sizeof(DWORD) + (1 * sizeof(DWORD))];
@@ -52,11 +104,15 @@ union
     .V.IdentifierAuthority.Value[5] = 0,
     .V.SubAuthority[0] = 65534,
 };
-static PISID FspAccountDomainSid, FspPrimaryDomainSid;
 
+#define FspWorldSid                     (&FspWorldSidBuf.V)
+#define FspAuthUsersSid                 (&FspAuthUsersSidBuf.V)
 #define FspUnmappedSid                  (&FspUnmappedSidBuf.V)
 #define FspUnmappedUid                  (65534)
 
+static PISID FspAccountDomainSid, FspPrimaryDomainSid;
+static INIT_ONCE FspPosixInitOnce = INIT_ONCE_STATIC_INIT;
+#if !defined(_KERNEL_MODE)
 static BOOL WINAPI FspPosixInitialize(
     PINIT_ONCE InitOnce, PVOID Parameter, PVOID *Context)
 {
@@ -120,9 +176,79 @@ VOID FspPosixFinalize(BOOLEAN Dynamic)
         MemFree(FspPrimaryDomainSid);
     }
 }
+#else
+ULONG NTAPI FspPosixInitialize(
+    PRTL_RUN_ONCE RunOnce, PVOID Parameter, PVOID *Context)
+{
+    static union
+    {
+        SID V;
+        UINT8 B[SECURITY_MAX_SID_SIZE];
+    } FspAccountDomainSidBuf;
+    static union
+    {
+        SID V;
+        UINT8 B[SECURITY_MAX_SID_SIZE];
+    } FspPrimaryDomainSidBuf;
+    UNICODE_STRING Path;
+    UNICODE_STRING Name;
+    union
+    {
+        KEY_VALUE_PARTIAL_INFORMATION V;
+        UINT8 B[FIELD_OFFSET(KEY_VALUE_PARTIAL_INFORMATION, Data) + SECURITY_MAX_SID_SIZE];
+    } Value;
+    ULONG Length;
+    NTSTATUS Result;
+
+    RtlInitUnicodeString(&Path, L"\\Machine\\SECURITY\\Policy\\PolAcDmS");
+    RtlZeroMemory(&Name, sizeof Name);
+    Length = sizeof Value;
+    Result = FspRegistryGetValue(&Path, &Name, &Value.V, &Length);
+    if (STATUS_SUCCESS == Result /*!NT_SUCCESS*/ && REG_NONE == Value.V.Type &&
+        sizeof(SID) <= Value.V.DataLength && RtlValidSid((PSID)&Value.V.Data))
+    {
+        RtlCopyMemory(&FspAccountDomainSidBuf.V, &Value.V.Data, Value.V.DataLength);
+        FspAccountDomainSid = &FspAccountDomainSidBuf.V;
+    }
+
+    RtlInitUnicodeString(&Path, L"\\Machine\\SECURITY\\Policy\\PolPrDmS");
+    RtlZeroMemory(&Name, sizeof Name);
+    Length = sizeof Value;
+    Result = FspRegistryGetValue(&Path, &Name, &Value.V, &Length);
+    if (STATUS_SUCCESS == Result /*!NT_SUCCESS*/ && REG_NONE == Value.V.Type &&
+        sizeof(SID) <= Value.V.DataLength && RtlValidSid((PSID)&Value.V.Data))
+    {
+        RtlCopyMemory(&FspPrimaryDomainSidBuf.V, &Value.V.Data, Value.V.DataLength);
+        FspPrimaryDomainSid = &FspPrimaryDomainSidBuf.V;
+    }
+
+    return TRUE;
+}
+#endif
+
+static inline BOOLEAN FspPosixIsRelativeSid(PISID Sid1, PISID Sid2)
+{
+    if (Sid1->Revision != Sid2->Revision)
+        return FALSE;
+    if (Sid1->IdentifierAuthority.Value[0] != Sid2->IdentifierAuthority.Value[0] ||
+        Sid1->IdentifierAuthority.Value[1] != Sid2->IdentifierAuthority.Value[1] ||
+        Sid1->IdentifierAuthority.Value[2] != Sid2->IdentifierAuthority.Value[2] ||
+        Sid1->IdentifierAuthority.Value[3] != Sid2->IdentifierAuthority.Value[3] ||
+        Sid1->IdentifierAuthority.Value[4] != Sid2->IdentifierAuthority.Value[4] ||
+        Sid1->IdentifierAuthority.Value[5] != Sid2->IdentifierAuthority.Value[5])
+        return FALSE;
+    if (Sid1->SubAuthorityCount + 1 != Sid2->SubAuthorityCount)
+        return FALSE;
+    for (ULONG I = 0; Sid1->SubAuthorityCount > I; I++)
+        if (Sid1->SubAuthority[I] != Sid2->SubAuthority[I])
+            return FALSE;
+    return TRUE;
+}
 
 FSP_API NTSTATUS FspPosixMapUidToSid(UINT32 Uid, PSID *PSid)
 {
+    FSP_KU_CODE;
+
     InitOnceExecuteOnce(&FspPosixInitOnce, FspPosixInitialize, 0, 0);
 
     *PSid = 0;
@@ -221,7 +347,7 @@ FSP_API NTSTATUS FspPosixMapUidToSid(UINT32 Uid, PSID *PSid)
      *     S-1-X-Y                             <=> uid/gid: 0x10000 + 0x100 * X + Y
      */
     else if (0x10000 <= Uid && Uid < 0x11000)
-        *PSid = FspPosixCreateSid((Uid - 0x10000) >> 8, 1, (Uid - 0x10000) & 0xff);
+        *PSid = FspPosixCreateSid((BYTE)((Uid - 0x10000) >> 8), 1, (Uid - 0x10000) & 0xff);
 
     /* [IDMAP]
      * Other well-known SIDs in the NT_AUTHORITY domain (S-1-5-X-RID):
@@ -238,13 +364,15 @@ FSP_API NTSTATUS FspPosixMapUidToSid(UINT32 Uid, PSID *PSid)
 
 FSP_API NTSTATUS FspPosixMapSidToUid(PSID Sid, PUINT32 PUid)
 {
+    FSP_KU_CODE;
+
     InitOnceExecuteOnce(&FspPosixInitOnce, FspPosixInitialize, 0, 0);
 
     BYTE Authority;
     BYTE Count;
     UINT32 SubAuthority0, Rid;
 
-    *PUid = -1;
+    *PUid = (UINT32)-1;
 
     if (!IsValidSid(Sid) || 0 == (Count = *GetSidSubAuthorityCount(Sid)))
         return STATUS_INVALID_SID;
@@ -298,12 +426,11 @@ FSP_API NTSTATUS FspPosixMapSidToUid(PSID Sid, PUINT32 PUid)
              * has PrimaryDomainSid == AccountDomainSid.
              */
 
-            BOOL EqualDomains = FALSE;
             if (0 != FspPrimaryDomainSid &&
-                EqualDomainSid(FspPrimaryDomainSid, Sid, &EqualDomains) && EqualDomains)
+                FspPosixIsRelativeSid(FspPrimaryDomainSid, Sid))
                 *PUid = 0x100000 + Rid;
             else if (0 != FspAccountDomainSid &&
-                EqualDomainSid(FspAccountDomainSid, Sid, &EqualDomains) && EqualDomains)
+                FspPosixIsRelativeSid(FspAccountDomainSid, Sid))
                 *PUid = 0x30000 + Rid;
 
             /*
@@ -348,6 +475,8 @@ FSP_API NTSTATUS FspPosixMapSidToUid(PSID Sid, PUINT32 PUid)
 
 static PISID FspPosixCreateSid(BYTE Authority, ULONG Count, ...)
 {
+    FSP_KU_CODE;
+
     PISID Sid;
     SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
     va_list ap;
@@ -370,6 +499,8 @@ static PISID FspPosixCreateSid(BYTE Authority, ULONG Count, ...)
 
 FSP_API VOID FspDeleteSid(PSID Sid, NTSTATUS (*CreateFunc)())
 {
+    FSP_KU_CODE;
+
     if (FspUnmappedSid == Sid)
         ;
     else if ((NTSTATUS (*)())FspPosixMapUidToSid == CreateFunc)
@@ -439,7 +570,9 @@ FSP_API NTSTATUS FspPosixMapPermissionsToSecurityDescriptor(
     UINT32 Uid, UINT32 Gid, UINT32 Mode,
     PSECURITY_DESCRIPTOR *PSecurityDescriptor)
 {
-    PSID OwnerSid = 0, GroupSid = 0, WorldSid = 0;
+    FSP_KU_CODE;
+
+    PSID OwnerSid = 0, GroupSid = 0;
     UINT32 OwnerPerm, OwnerDeny, GroupPerm, GroupDeny, WorldPerm;
     PACL Acl = 0;
     SECURITY_DESCRIPTOR SecurityDescriptor;
@@ -457,13 +590,6 @@ FSP_API NTSTATUS FspPosixMapPermissionsToSecurityDescriptor(
     if (!NT_SUCCESS(Result))
         goto exit;
 
-    WorldSid = FspWksidGet(WinWorldSid);
-    if (0 == WorldSid)
-    {
-        Result = STATUS_INSUFFICIENT_RESOURCES;
-        goto exit;
-    }
-
     OwnerPerm = (Mode & 0700) >> 6;
     GroupPerm = (Mode & 0070) >> 3;
     WorldPerm = (Mode & 0007);
@@ -502,7 +628,7 @@ FSP_API NTSTATUS FspPosixMapPermissionsToSecurityDescriptor(
         sizeof(ACCESS_DENIED_ACE) * (!!OwnerDeny + !!GroupDeny);
     Size += GetLengthSid(OwnerSid) - sizeof(DWORD);
     Size += GetLengthSid(GroupSid) - sizeof(DWORD);
-    Size += GetLengthSid(WorldSid) - sizeof(DWORD);
+    Size += GetLengthSid(FspWorldSid) - sizeof(DWORD);
     if (OwnerDeny)
         Size += GetLengthSid(OwnerSid) - sizeof(DWORD);
     if (GroupDeny)
@@ -546,7 +672,7 @@ FSP_API NTSTATUS FspPosixMapPermissionsToSecurityDescriptor(
 
     if (!AddAccessAllowedAce(Acl, ACL_REVISION,
         FspPosixDefaultPerm | FspPosixMapPermissionToAccessMask(Mode, WorldPerm),
-        WorldSid))
+        FspWorldSid))
         goto lasterror;
 
     if (!InitializeSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
@@ -621,7 +747,9 @@ FSP_API NTSTATUS FspPosixMapSecurityDescriptorToPermissions(
     PSECURITY_DESCRIPTOR SecurityDescriptor,
     PUINT32 PUid, PUINT32 PGid, PUINT32 PMode)
 {
-    PSID OwnerSid = 0, GroupSid = 0, WorldSid = 0, AuthUsersSid = 0;
+    FSP_KU_CODE;
+
+    PSID OwnerSid = 0, GroupSid = 0;
     BOOL Defaulted, DaclPresent;
     PACL Acl = 0;
     ACL_SIZE_INFORMATION AclSizeInfo;
@@ -653,20 +781,6 @@ FSP_API NTSTATUS FspPosixMapSecurityDescriptorToPermissions(
 
     if (0 != Acl)
     {
-        WorldSid = FspWksidGet(WinWorldSid);
-        if (0 == WorldSid)
-        {
-            Result = STATUS_INSUFFICIENT_RESOURCES;
-            goto exit;
-        }
-
-        AuthUsersSid = FspWksidGet(WinAuthenticatedUserSid);
-        if (0 == AuthUsersSid)
-        {
-            Result = STATUS_INSUFFICIENT_RESOURCES;
-            goto exit;
-        }
-
         OwnerAllow = OwnerDeny = GroupAllow = GroupDeny = WorldAllow = WorldDeny = 0;
 
         if (!GetAclInformation(Acl, &AclSizeInfo, sizeof AclSizeInfo, AclSizeInformation))
@@ -701,7 +815,7 @@ FSP_API NTSTATUS FspPosixMapSecurityDescriptorToPermissions(
              * add the allowed or denied access right bits into the "owner", "group"
              * and "other" collections.
              */
-            if (EqualSid(WorldSid, AceSid) || EqualSid(AuthUsersSid, AceSid))
+            if (EqualSid(FspWorldSid, AceSid) || EqualSid(FspAuthUsersSid, AceSid))
             {
                 /* [PERMS]
                  * If this is an access-denied ACE, then add each access right to the set
@@ -812,6 +926,8 @@ static UINT32 FspPosixInvalidPathChars[4] =
 FSP_API NTSTATUS FspPosixMapWindowsToPosixPathEx(PWSTR WindowsPath, char **PPosixPath,
     BOOLEAN Translate)
 {
+    FSP_KU_CODE;
+
     NTSTATUS Result;
     ULONG Size;
     char *PosixPath = 0, *p, *q;
@@ -874,6 +990,8 @@ lasterror:
 FSP_API NTSTATUS FspPosixMapPosixToWindowsPathEx(const char *PosixPath, PWSTR *PWindowsPath,
     BOOLEAN Translate)
 {
+    FSP_KU_CODE;
+
     NTSTATUS Result;
     ULONG Size;
     PWSTR WindowsPath = 0, p;
@@ -925,11 +1043,15 @@ lasterror:
 
 FSP_API VOID FspPosixDeletePath(void *Path)
 {
+    FSP_KU_CODE;
+
     MemFree(Path);
 }
 
 FSP_API VOID FspPosixEncodeWindowsPath(PWSTR WindowsPath, ULONG Size)
 {
+    FSP_KU_CODE;
+
     for (PWSTR p = WindowsPath, endp = p + Size; endp > p; p++)
     {
         WCHAR c = *p;
@@ -944,6 +1066,8 @@ FSP_API VOID FspPosixEncodeWindowsPath(PWSTR WindowsPath, ULONG Size)
 
 FSP_API VOID FspPosixDecodeWindowsPath(PWSTR WindowsPath, ULONG Size)
 {
+    FSP_KU_CODE;
+
     for (PWSTR p = WindowsPath, endp = p + Size; endp > p; p++)
     {
         WCHAR c = *p;

src/sys/driver.h

@@ -493,6 +493,8 @@ PVOID FspAllocateIrpMustSucceed(CCHAR StackSize);
 NTSTATUS FspCreateGuid(GUID *Guid);
 NTSTATUS FspGetDeviceObjectPointer(PUNICODE_STRING ObjectName, ACCESS_MASK DesiredAccess,
     PULONG PFileNameIndex, PFILE_OBJECT *PFileObject, PDEVICE_OBJECT *PDeviceObject);
+NTSTATUS FspRegistryGetValue(PUNICODE_STRING Path, PUNICODE_STRING ValueName,
+    PKEY_VALUE_PARTIAL_INFORMATION ValueInformation, PULONG PValueInformationLength);
 NTSTATUS FspSendSetInformationIrp(PDEVICE_OBJECT DeviceObject, PFILE_OBJECT FileObject,
     FILE_INFORMATION_CLASS FileInformationClass, PVOID FileInformation, ULONG Length);
 NTSTATUS FspSendQuerySecurityIrp(PDEVICE_OBJECT DeviceObject, PFILE_OBJECT FileObject,

src/sys/util.c

@@ -24,6 +24,8 @@
 NTSTATUS FspCreateGuid(GUID *Guid);
 NTSTATUS FspGetDeviceObjectPointer(PUNICODE_STRING ObjectName, ACCESS_MASK DesiredAccess,
     PULONG PFileNameIndex, PFILE_OBJECT *PFileObject, PDEVICE_OBJECT *PDeviceObject);
+NTSTATUS FspRegistryGetValue(PUNICODE_STRING Path, PUNICODE_STRING ValueName,
+    PKEY_VALUE_PARTIAL_INFORMATION ValueInformation, PULONG PValueInformationLength);
 NTSTATUS FspSendSetInformationIrp(PDEVICE_OBJECT DeviceObject, PFILE_OBJECT FileObject,
     FILE_INFORMATION_CLASS FileInformationClass, PVOID FileInformation, ULONG Length);
 NTSTATUS FspSendQuerySecurityIrp(PDEVICE_OBJECT DeviceObject, PFILE_OBJECT FileObject,
@@ -130,6 +132,7 @@ NTSTATUS FspIrpHookNext(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context);
 #ifdef ALLOC_PRAGMA
 #pragma alloc_text(PAGE, FspCreateGuid)
 #pragma alloc_text(PAGE, FspGetDeviceObjectPointer)
+#pragma alloc_text(PAGE, FspRegistryGetValue)
 #pragma alloc_text(PAGE, FspSendSetInformationIrp)
 #pragma alloc_text(PAGE, FspSendQuerySecurityIrp)
 #pragma alloc_text(PAGE, FspSendQueryEaIrp)
@@ -280,6 +283,37 @@ NTSTATUS FspGetDeviceObjectPointer(PUNICODE_STRING ObjectName, ACCESS_MASK Desir
     return Result;
 }
 
+NTSTATUS FspRegistryGetValue(PUNICODE_STRING Path, PUNICODE_STRING ValueName,
+    PKEY_VALUE_PARTIAL_INFORMATION ValueInformation, PULONG PValueInformationLength)
+{
+    PAGED_CODE();
+
+    OBJECT_ATTRIBUTES ObjectAttributes;
+    HANDLE Handle = 0;
+    NTSTATUS Result;
+
+    InitializeObjectAttributes(&ObjectAttributes,
+        Path, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);
+
+    Result = ZwOpenKey(&Handle, KEY_QUERY_VALUE, &ObjectAttributes);
+    if (!NT_SUCCESS(Result))
+        goto exit;
+
+    Result = ZwQueryValueKey(Handle, ValueName,
+        KeyValuePartialInformation, ValueInformation,
+        *PValueInformationLength, PValueInformationLength);
+    if (!NT_SUCCESS(Result))
+        goto exit;
+
+    Result = STATUS_SUCCESS;
+
+exit:
+    if (0 != Handle)
+        ZwClose(Handle);
+
+    return Result;
+}
+
 typedef struct
 {
     IO_STATUS_BLOCK IoStatus;