This is the mail archive of the cygwin-cvs@cygwin.com mailing list for the Cygwin project.



[newlib-cygwin] Drop has_mandatory_integrity_control flag


https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=aacc4f63d0f8d2d853e1834b27a13ac97ea1011b

commit aacc4f63d0f8d2d853e1834b27a13ac97ea1011b
Author: Corinna Vinschen <corinna@vinschen.de>
Date:   Tue Dec 15 14:58:52 2015 +0100

    Drop has_mandatory_integrity_control flag

Diff:
---
 winsup/cygwin/sec_auth.cc | 69 +++++++++++++++++++++--------------------------
 winsup/cygwin/wincap.cc   |  7 -----
 winsup/cygwin/wincap.h    |  2 --
 3 files changed, 31 insertions(+), 47 deletions(-)

diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 853a07f..e8d1d91 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -45,39 +45,36 @@ issetugid (void)
 static HANDLE
 get_full_privileged_inheritable_token (HANDLE token)
 {
-  if (wincap.has_mandatory_integrity_control ())
+  TOKEN_LINKED_TOKEN linked;
+  ULONG size;
+
+  /* When fetching the linked token without TCB privs, then the linked
+     token is not a primary token, only an impersonation token, which is
+     not suitable for CreateProcessAsUser.  Converting it to a primary
+     token using DuplicateTokenEx does NOT work for the linked token in
+     this case.  So we have to switch on TCB privs to get a primary token.
+     This is generally performed in the calling functions.  */
+  if (NT_SUCCESS (NtQueryInformationToken (token, TokenLinkedToken,
+					   (PVOID) &linked, sizeof linked,
+					   &size)))
     {
-      TOKEN_LINKED_TOKEN linked;
-      ULONG size;
-
-      /* When fetching the linked token without TCB privs, then the linked
-	 token is not a primary token, only an impersonation token, which is
-	 not suitable for CreateProcessAsUser.  Converting it to a primary
-	 token using DuplicateTokenEx does NOT work for the linked token in
-	 this case.  So we have to switch on TCB privs to get a primary token.
-	 This is generally performed in the calling functions.  */
-      if (NT_SUCCESS (NtQueryInformationToken (token, TokenLinkedToken,
-					       (PVOID) &linked, sizeof linked,
-					       &size)))
+      debug_printf ("Linked Token: %p", linked.LinkedToken);
+      if (linked.LinkedToken)
 	{
-	  debug_printf ("Linked Token: %p", linked.LinkedToken);
-	  if (linked.LinkedToken)
+	  TOKEN_TYPE type;
+
+	  /* At this point we don't know if the user actually had TCB
+	     privileges.  Check if the linked token is a primary token.
+	     If not, just return the original token. */
+	  if (NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken,
+						   TokenType, (PVOID) &type,
+						   sizeof type, &size))
+	      && type != TokenPrimary)
+	    debug_printf ("Linked Token is not a primary token!");
+	  else
 	    {
-	      TOKEN_TYPE type;
-
-	      /* At this point we don't know if the user actually had TCB
-		 privileges.  Check if the linked token is a primary token.
-		 If not, just return the original token. */
-	      if (NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken,
-						       TokenType, (PVOID) &type,
-						       sizeof type, &size))
-		  && type != TokenPrimary)
-		debug_printf ("Linked Token is not a primary token!");
-	      else
-		{
-		  CloseHandle (token);
-		  token = linked.LinkedToken;
-		}
+	      CloseHandle (token);
+	      token = linked.LinkedToken;
 	    }
 	}
     }
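Review bot: In the inner check of get_full_privileged_inheritable_token, a failed `NtQueryInformationToken (linked.LinkedToken, TokenType, ...)` falls into the `else` branch, so the original token is closed and replaced by a linked token whose type was never verified, and `type` is left uninitialized. Treating a failed query like the non-primary case would keep the original token, e.g. `if (!NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken, TokenType, (PVOID) &type, sizeof type, &size)) || type != TokenPrimary)`. In the non-primary branch the visible lines also never close `linked.LinkedToken`, so that handle may leak unless the rest of the function, which continues outside this hunk, releases it; adding `CloseHandle (linked.LinkedToken);` next to the `debug_printf` would cover it.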
@@ -972,14 +969,10 @@ create_token (cygsid &usersid, user_groups &new_groups)
 			       &mandatory_integrity_sid)))
     goto out;
 
-  /* On systems supporting Mandatory Integrity Control, add the MIC SID. */
-  if (wincap.has_mandatory_integrity_control ())
-    {
-      new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes =
-	SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
-      new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
-	= mandatory_integrity_sid;
-    }
+  new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes =
+    SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
+  new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
+    = mandatory_integrity_sid;
 
   /* Let's be heroic... */
   status = NtCreateToken (&token, TOKEN_ALL_ACCESS, &oa, TokenImpersonation,
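Review bot: The explanatory comment was dropped along with the wincap check, so the append to `new_tok_gsids->Groups[new_tok_gsids->GroupCount]` is now unexplained, and it runs on every call. A short replacement such as `/* Add the mandatory integrity SID as integrity-level group. */` would keep the intent visible. The write also relies on the group array having a spare slot reserved for this entry; that allocation is outside the hunk, so it is worth confirming it still accounts for the extra element and saying so in the comment. create_token starts and ends outside this hunk.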
diff --git a/winsup/cygwin/wincap.cc b/winsup/cygwin/wincap.cc
index 4146ee4..3fd7a4a 100644
--- a/winsup/cygwin/wincap.cc
+++ b/winsup/cygwin/wincap.cc
@@ -21,7 +21,6 @@ wincaps wincap_xpsp2 __attribute__((section (".cygwin_dll_common"), shared)) = {
   def_guard_pages:1,
   max_sys_priv:SE_CREATE_GLOBAL_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:false,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:false,
   has_transactions:false,
@@ -52,7 +51,6 @@ wincaps wincap_2003 __attribute__((section (".cygwin_dll_common"), shared)) = {
   def_guard_pages:1,
   max_sys_priv:SE_CREATE_GLOBAL_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:false,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:false,
   has_transactions:false,
@@ -83,7 +81,6 @@ wincaps wincap_vista __attribute__((section (".cygwin_dll_common"), shared)) = {
   def_guard_pages:1,
   max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:true,
   needs_count_in_si_lpres2:true,
   has_gaa_largeaddress_bug:true,
   has_transactions:true,
@@ -114,7 +111,6 @@ wincaps wincap_7 __attribute__((section (".cygwin_dll_common"), shared)) = {
   def_guard_pages:1,
   max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:true,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:true,
   has_transactions:true,
@@ -145,7 +141,6 @@ wincaps wincap_8 __attribute__((section (".cygwin_dll_common"), shared)) = {
   def_guard_pages:2,
   max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:true,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:false,
   has_transactions:true,
@@ -176,7 +171,6 @@ wincaps wincap_10 __attribute__((section (".cygwin_dll_common"), shared)) = {
   def_guard_pages:2,
   max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:true,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:false,
   has_transactions:true,
@@ -207,7 +201,6 @@ wincaps wincap_10_1511 __attribute__((section (".cygwin_dll_common"), shared)) =
   def_guard_pages:2,
   max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
   is_server:false,
-  has_mandatory_integrity_control:true,
   needs_count_in_si_lpres2:false,
   has_gaa_largeaddress_bug:false,
   has_transactions:true,
diff --git a/winsup/cygwin/wincap.h b/winsup/cygwin/wincap.h
index 4f60d11..441a112 100644
--- a/winsup/cygwin/wincap.h
+++ b/winsup/cygwin/wincap.h
@@ -14,7 +14,6 @@ struct wincaps
   DWORD    def_guard_pages;
   DWORD    max_sys_priv;
   unsigned is_server                                    : 1;
-  unsigned has_mandatory_integrity_control		: 1;
   unsigned needs_count_in_si_lpres2			: 1;
   unsigned has_gaa_largeaddress_bug			: 1;
   unsigned has_transactions				: 1;
@@ -70,7 +69,6 @@ public:
   }
   DWORD IMPLEMENT (max_sys_priv)
   bool  IMPLEMENT (is_server)
-  bool	IMPLEMENT (has_mandatory_integrity_control)
   bool	IMPLEMENT (needs_count_in_si_lpres2)
   bool	IMPLEMENT (has_gaa_largeaddress_bug)
   bool	IMPLEMENT (has_transactions)

