From: Douglas Bagnall
Date: Wed, 13 Sep 2023 05:25:34 +0000 (+1200)
Subject: libcli/security: conditional ace access checks for file server
X-Git-Tag: tevent-0.16.0~442
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7bd1f438bef450dec891d6cab672d689e8c555f;p=thirdparty%2Fsamba.git
libcli/security: conditional ace access checks for file server
Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index fb7d3841336..e919e7091f8 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -201,6 +201,13 @@ static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
 return granted & ~denied;
 }
+
+static NTSTATUS check_callback_ace_access(const struct security_ace *ace,
+ const struct security_token *token,
+ const struct security_descriptor *sd,
+ bool *grant_access);
+
+
 static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor *sd,
 const struct security_token *token,
 uint32_t access_desired,
@@ -279,6 +286,8 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
 for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
 struct security_ace *ace = &sd->dacl->aces[i];
 bool is_owner_rights_ace = false;
+ bool callback_ok = false;
+ NTSTATUS status;
 if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
 continue;
@@ -303,6 +312,33 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
 explicitly_denied_bits |= (bits_remaining & ace->access_mask);
 break;
+
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
+ status = check_callback_ace_access(ace, token, sd,
+ &callback_ok);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (callback_ok) {
+ bits_remaining &= ~ace->access_mask;
+ }
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
+ status = check_callback_ace_access(ace, token, sd,
+ &callback_ok);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (callback_ok) {
+ explicitly_denied_bits |= (bits_remaining & ace->access_mask);
+ }
+ break;
+
+ case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
+ explicitly_denied_bits |= (bits_remaining & ace->access_mask);
+ break;
 default:
 /* Other ACE types not handled/supported */
 break;
 }
diff --git a/selftest/knownfail.d/conditional_ace_claims b/selftest/knownfail.d/conditional_ace_claims
deleted file mode 100644
index 11e96d70651..00000000000
--- a/selftest/knownfail.d/conditional_ace_claims
+++ /dev/null
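Review bot: SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT is applied as an unconditional deny without ever calling check_callback_ace_access, while SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT is left to the default arm and grants nothing; both directions fail closed, but nothing in the hunk says the asymmetry is deliberate, so I would add above that case: `/* Object-specific callback ACEs are not evaluated here: a deny applies unconditionally and an allow (default arm) grants nothing, so unsupported conditions fail closed. */`. The security outcome of the two new callback arms also hinges on the contract of check_callback_ace_access, whose definition is outside these hunks: if a condition that cannot be evaluated (claims absent from the token, malformed expression) comes back as `*grant_access = false` rather than as a non-OK status, a DENIED_CALLBACK ACE with an unknown result is silently skipped instead of denying, whereas a non-OK status aborts the whole check and denies everything. A one-line comment at the call site stating which of those the helper guarantees would let a reader confirm the deny path cannot be bypassed by an unevaluable condition. The enclosing function se_access_check_implicit_owner begins and ends outside this hunk.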
@@ -1,32 +0,0 @@
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_001-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_002-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_003-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_004-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_005-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_006-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_007-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_008-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_010-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_011-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_012-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_013-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_014-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_015-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_016-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_017-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_018-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_019-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_020-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_021-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_022-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_023-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_024-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_025-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_026-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_027-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_028-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_029-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_030-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_031-
-^samba.tests.+conditional_ace_claims.AllowTests.test_allow_032-
-
diff --git a/selftest/knownfail.d/run_conditional_ace b/selftest/knownfail.d/run_conditional_ace
deleted file mode 100644
index 0bddf924e87..00000000000
--- a/selftest/knownfail.d/run_conditional_ace
+++ /dev/null
@@ -1,28 +0,0 @@
-^samba.unittests.run_conditional_ace.test_composite_different_order_with_SID_dupes\b
-^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim_2\b
-^samba.unittests.run_conditional_ace.test_resource_ace_single\b
-^samba.unittests.run_conditional_ace.test_Device_Member_of_and_Member_of\b
-^samba.unittests.run_conditional_ace.test_resource_ace_multi\b
-^samba.unittests.run_conditional_ace.test_resource_ace_multi_any_of\b
-^samba.unittests.run_conditional_ace.test_user_claim_eq_device_claim\b
-^samba.unittests.run_conditional_ace.test_device_claim_comtains_resource_claim\b
-^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim\b
-^samba.unittests.run_conditional_ace.test_Device_claim_contains_Resource_claim\b
-^samba.unittests.run_conditional_ace.test_not_Not_Contains_1\b
-^samba.unittests.run_conditional_ace.test_not_not_Not_Member_of\b
-^samba.unittests.run_conditional_ace.test_not_not_not_not_not_not_not_not_not_not_Not_Member_of\b
-^samba.unittests.run_conditional_ace.test_not_any_of_1\b
-^samba.unittests.run_conditional_ace.test_not_contains_1\b
-^samba.unittests.run_conditional_ace.test_any_of_1\b
-^samba.unittests.run_conditional_ace.test_any_of\b
-^samba.unittests.run_conditional_ace.test_any_of_match_last\b
-^samba.unittests.run_conditional_ace.test_contains\b
-^samba.unittests.run_conditional_ace.test_contains_1\b
-^samba.unittests.run_conditional_ace.test_device_claims_composite\b
-^samba.unittests.run_conditional_ace.test_claim_name_different_case\b
-^samba.unittests.run_conditional_ace.test_claim_name_different_case_case_flag\b
-^samba.unittests.run_conditional_ace.test_composite_different_order\b
-^samba.unittests.run_conditional_ace.test_different_case\b
-^samba.unittests.run_conditional_ace.test_composite_different_order_with_dupes\b
-^samba.unittests.run_conditional_ace.test_more_values_not_equal\b
-