[newlib-cygwin] Drop has_mandatory_integrity_control flag
- From: Corinna Vinschen <corinna at sourceware dot org>
- To: cygwin-cvs at sourceware dot org
- Date: 24 Jun 2016 09:11:10 -0000
- Subject: [newlib-cygwin] Drop has_mandatory_integrity_control flag
https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=aacc4f63d0f8d2d853e1834b27a13ac97ea1011b
commit aacc4f63d0f8d2d853e1834b27a13ac97ea1011b
Author: Corinna Vinschen <corinna@vinschen.de>
Date: Tue Dec 15 14:58:52 2015 +0100
Drop has_mandatory_integrity_control flag
Diff:
---
winsup/cygwin/sec_auth.cc | 69 +++++++++++++++++++++--------------------------
winsup/cygwin/wincap.cc | 7 -----
winsup/cygwin/wincap.h | 2 --
3 files changed, 31 insertions(+), 47 deletions(-)
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 853a07f..e8d1d91 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -45,39 +45,36 @@ issetugid (void)
static HANDLE
get_full_privileged_inheritable_token (HANDLE token)
{
- if (wincap.has_mandatory_integrity_control ())
+ TOKEN_LINKED_TOKEN linked;
+ ULONG size;
+
+ /* When fetching the linked token without TCB privs, then the linked
+ token is not a primary token, only an impersonation token, which is
+ not suitable for CreateProcessAsUser. Converting it to a primary
+ token using DuplicateTokenEx does NOT work for the linked token in
+ this case. So we have to switch on TCB privs to get a primary token.
+ This is generally performed in the calling functions. */
+ if (NT_SUCCESS (NtQueryInformationToken (token, TokenLinkedToken,
+ (PVOID) &linked, sizeof linked,
+ &size)))
{
- TOKEN_LINKED_TOKEN linked;
- ULONG size;
-
- /* When fetching the linked token without TCB privs, then the linked
- token is not a primary token, only an impersonation token, which is
- not suitable for CreateProcessAsUser. Converting it to a primary
- token using DuplicateTokenEx does NOT work for the linked token in
- this case. So we have to switch on TCB privs to get a primary token.
- This is generally performed in the calling functions. */
- if (NT_SUCCESS (NtQueryInformationToken (token, TokenLinkedToken,
- (PVOID) &linked, sizeof linked,
- &size)))
+ debug_printf ("Linked Token: %p", linked.LinkedToken);
+ if (linked.LinkedToken)
{
- debug_printf ("Linked Token: %p", linked.LinkedToken);
- if (linked.LinkedToken)
+ TOKEN_TYPE type;
+
+ /* At this point we don't know if the user actually had TCB
+ privileges. Check if the linked token is a primary token.
+ If not, just return the original token. */
+ if (NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken,
+ TokenType, (PVOID) &type,
+ sizeof type, &size))
+ && type != TokenPrimary)
+ debug_printf ("Linked Token is not a primary token!");
+ else
{
- TOKEN_TYPE type;
-
- /* At this point we don't know if the user actually had TCB
- privileges. Check if the linked token is a primary token.
- If not, just return the original token. */
- if (NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken,
- TokenType, (PVOID) &type,
- sizeof type, &size))
- && type != TokenPrimary)
- debug_printf ("Linked Token is not a primary token!");
- else
- {
- CloseHandle (token);
- token = linked.LinkedToken;
- }
+ CloseHandle (token);
+ token = linked.LinkedToken;
}
}
}
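Review bot: A failed `TokenType` query in get_full_privileged_inheritable_token falls into the `else` branch, so the linked token replaces the original without its type ever having been confirmed as `TokenPrimary`; the comment above only covers the "not primary" case. Treating a failed query like a non-primary result keeps the fallback fail-closed: `if (!NT_SUCCESS (NtQueryInformationToken (linked.LinkedToken, TokenType, (PVOID) &type, sizeof type, &size)) || type != TokenPrimary)`. In that same branch the handle in `linked.LinkedToken` is not closed in the visible lines, so a `CloseHandle (linked.LinkedToken);` next to the `debug_printf` would avoid leaking a token handle, presumably on each call made without TCB privileges. This logic predates the commit and is only re-indented here, and the function's body continues past the end of the hunk.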
@@ -972,14 +969,10 @@ create_token (cygsid &usersid, user_groups &new_groups)
&mandatory_integrity_sid)))
goto out;
- /* On systems supporting Mandatory Integrity Control, add the MIC SID. */
- if (wincap.has_mandatory_integrity_control ())
- {
- new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes =
- SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
- new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
- = mandatory_integrity_sid;
- }
+ new_tok_gsids->Groups[new_tok_gsids->GroupCount].Attributes =
+ SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
+ new_tok_gsids->Groups[new_tok_gsids->GroupCount++].Sid
+ = mandatory_integrity_sid;
/* Let's be heroic... */
status = NtCreateToken (&token, TOKEN_ALL_ACCESS, &oa, TokenImpersonation,
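Review bot: The integrity-level group is now appended unconditionally in create_token, yet wincap.cc in this same commit still carries the `wincap_xpsp2` and `wincap_2003` tables, where the removed flag was `false`. If those tables can still be selected at run time, `NtCreateToken` would receive an `SE_GROUP_INTEGRITY` entry on a system without Mandatory Integrity Control; the now unconditional `TokenLinkedToken` query in the first hunk is less of a concern, since a failed query there just keeps the original token. The commit message does not say that pre-Vista support is gone, so a comment such as `/* MIC is available on all supported Windows versions, so always add the MIC SID. */` in place of the deleted one would record the assumption. Whether `Groups` was allocated with room for the extra entry is not visible in this hunk.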
diff --git a/winsup/cygwin/wincap.cc b/winsup/cygwin/wincap.cc
index 4146ee4..3fd7a4a 100644
--- a/winsup/cygwin/wincap.cc
+++ b/winsup/cygwin/wincap.cc
@@ -21,7 +21,6 @@ wincaps wincap_xpsp2 __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:1,
max_sys_priv:SE_CREATE_GLOBAL_PRIVILEGE,
is_server:false,
- has_mandatory_integrity_control:false,
needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:false,
has_transactions:false,
@@ -52,7 +51,6 @@ wincaps wincap_2003 __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:1,
max_sys_priv:SE_CREATE_GLOBAL_PRIVILEGE,
is_server:false,
- has_mandatory_integrity_control:false,
needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:false,
has_transactions:false,
@@ -83,7 +81,6 @@ wincaps wincap_vista __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:1,
max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
is_server:false,
- has_mandatory_integrity_control:true,
needs_count_in_si_lpres2:true,
has_gaa_largeaddress_bug:true,
has_transactions:true,
@@ -114,7 +111,6 @@ wincaps wincap_7 __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:1,
max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
is_server:false,
- has_mandatory_integrity_control:true,
needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:true,
has_transactions:true,
@@ -145,7 +141,6 @@ wincaps wincap_8 __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:2,
max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
is_server:false,
- has_mandatory_integrity_control:true,
needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:false,
has_transactions:true,
@@ -176,7 +171,6 @@ wincaps wincap_10 __attribute__((section (".cygwin_dll_common"), shared)) = {
def_guard_pages:2,
max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
is_server:false,
- has_mandatory_integrity_control:true,
needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:false,
has_transactions:true,
@@ -207,7 +201,6 @@ wincaps wincap_10_1511 __attribute__((section (".cygwin_dll_common"), shared)) =
def_guard_pages:2,
max_sys_priv:SE_CREATE_SYMBOLIC_LINK_PRIVILEGE,
is_server:false,
- has_mandatory_integrity_control:true,
needs_count_in_si_lpres2:false,
has_gaa_largeaddress_bug:false,
has_transactions:true,
diff --git a/winsup/cygwin/wincap.h b/winsup/cygwin/wincap.h
index 4f60d11..441a112 100644
--- a/winsup/cygwin/wincap.h
+++ b/winsup/cygwin/wincap.h
@@ -14,7 +14,6 @@ struct wincaps
DWORD def_guard_pages;
DWORD max_sys_priv;
unsigned is_server : 1;
- unsigned has_mandatory_integrity_control : 1;
unsigned needs_count_in_si_lpres2 : 1;
unsigned has_gaa_largeaddress_bug : 1;
unsigned has_transactions : 1;
@@ -70,7 +69,6 @@ public:
}
DWORD IMPLEMENT (max_sys_priv)
bool IMPLEMENT (is_server)
- bool IMPLEMENT (has_mandatory_integrity_control)
bool IMPLEMENT (needs_count_in_si_lpres2)
bool IMPLEMENT (has_gaa_largeaddress_bug)
bool IMPLEMENT (has_transactions)