return granted & ~denied;
}
+
+static NTSTATUS check_callback_ace_access(const struct security_ace *ace,
+ const struct security_token *token,
+ const struct security_descriptor *sd,
+ bool *grant_access);
+
+
static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor *sd,
const struct security_token *token,
uint32_t access_desired,
for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
struct security_ace *ace = &sd->dacl->aces[i];
bool is_owner_rights_ace = false;
+ bool callback_ok = false;
+ NTSTATUS status;
if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
continue;
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
explicitly_denied_bits |= (bits_remaining & ace->access_mask);
break;
+
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
+ status = check_callback_ace_access(ace, token, sd,
+ &callback_ok);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (callback_ok) {
+ bits_remaining &= ~ace->access_mask;
+ }
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
+ status = check_callback_ace_access(ace, token, sd,
+ &callback_ok);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (callback_ok) {
+ explicitly_denied_bits |= (bits_remaining & ace->access_mask);
+ }
+ break;
+
+ case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
+ explicitly_denied_bits |= (bits_remaining & ace->access_mask);
+ break;
default: /* Other ACE types not handled/supported */
break;
}
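Review bot: In the `SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK` case the deny bits are applied only when `callback_ok` is true, using the same helper and the same `grant_access` out-parameter as the allow case. The helper's body is not shown here, but if it reports an expression that evaluates to unknown (for example, a claim absent from the token) as false, a conditional deny ACE is skipped and the check fails open; Windows access-check semantics apply a deny callback ACE on true or unknown, and an allow callback ACE only on true. I would give the deny path its own helper or a tri-state result, and document it at the case with `/* a deny callback ACE applies when the condition is true OR unknown */`. The `SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT` case denies without evaluating the condition, which fails closed, and deserves a comment such as `/* condition and object type are not evaluated; deny unconditionally */`. The enclosing function starts and ends outside this hunk.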
+++ /dev/null
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_001-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_002-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_003-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_004-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_005-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_006-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_007-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_008-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_010-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_011-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_012-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_013-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_014-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_015-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_016-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_017-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_018-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_019-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_020-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_021-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_022-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_023-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_024-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_025-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_026-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_027-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_028-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_029-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_030-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_031-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_032-
-
+++ /dev/null
-^samba.unittests.run_conditional_ace.test_composite_different_order_with_SID_dupes\b
-^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim_2\b
-^samba.unittests.run_conditional_ace.test_resource_ace_single\b
-^samba.unittests.run_conditional_ace.test_Device_Member_of_and_Member_of\b
-^samba.unittests.run_conditional_ace.test_resource_ace_multi\b
-^samba.unittests.run_conditional_ace.test_resource_ace_multi_any_of\b
-^samba.unittests.run_conditional_ace.test_user_claim_eq_device_claim\b
-^samba.unittests.run_conditional_ace.test_device_claim_comtains_resource_claim\b
-^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim\b
-^samba.unittests.run_conditional_ace.test_Device_claim_contains_Resource_claim\b
-^samba.unittests.run_conditional_ace.test_not_Not_Contains_1\b
-^samba.unittests.run_conditional_ace.test_not_not_Not_Member_of\b
-^samba.unittests.run_conditional_ace.test_not_not_not_not_not_not_not_not_not_not_Not_Member_of\b
-^samba.unittests.run_conditional_ace.test_not_any_of_1\b
-^samba.unittests.run_conditional_ace.test_not_contains_1\b
-^samba.unittests.run_conditional_ace.test_any_of_1\b
-^samba.unittests.run_conditional_ace.test_any_of\b
-^samba.unittests.run_conditional_ace.test_any_of_match_last\b
-^samba.unittests.run_conditional_ace.test_contains\b
-^samba.unittests.run_conditional_ace.test_contains_1\b
-^samba.unittests.run_conditional_ace.test_device_claims_composite\b
-^samba.unittests.run_conditional_ace.test_claim_name_different_case\b
-^samba.unittests.run_conditional_ace.test_claim_name_different_case_case_flag\b
-^samba.unittests.run_conditional_ace.test_composite_different_order\b
-^samba.unittests.run_conditional_ace.test_different_case\b
-^samba.unittests.run_conditional_ace.test_composite_different_order_with_dupes\b
-^samba.unittests.run_conditional_ace.test_more_values_not_equal\b
-