From: Douglas Bagnall Date: Wed, 13 Sep 2023 05:24:57 +0000 (+1200) Subject: libcli/security: sec_access_check_ds uses new callback ACE checks X-Git-Tag: tevent-0.16.0~418 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d6f0927f5416c0bae057a2b5d0032bf4607e323;p=thirdparty%2Fsamba.git libcli/security: sec_access_check_ds uses new callback ACE checks Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index e876f2e2bd5..9d8fc0ee407 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -914,18 +914,32 @@ NTSTATUS sec_access_check_ds_implicit_owner(const struct security_descriptor *sd
 }
 break;
 case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
- case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
- status = check_callback_ace_access(ace, token, sd,
- &grant_access);
-
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ {
+ enum ace_callback_result allow =
+ check_callback_ace_allow(ace, token, sd);
+ if (allow == ACE_CALLBACK_INVALID) {
+ return NT_STATUS_INVALID_ACE_CONDITION;
+ }
+ if (allow == ACE_CALLBACK_ALLOW) {
+ bits_remaining &= ~ace->access_mask;
 }
+ break;
+ }
- if (grant_access) {
- return NT_STATUS_OK;
+ case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
+ {
+ enum ace_callback_result deny =
+ check_callback_ace_deny(ace, token, sd);
+ if (deny == ACE_CALLBACK_INVALID) {
+ return NT_STATUS_INVALID_ACE_CONDITION;
+ }
+ if (deny == ACE_CALLBACK_DENY) {
+ if (bits_remaining & ace->access_mask) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
 }
 break;
+ }
 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: