From: Andrew Bartlett
Date: Fri, 15 Sep 2023 00:36:56 +0000 (+1200)
Subject: libcli/security: Hook in ability to disable conditional ACE evaluation
X-Git-Tag: tevent-0.16.0~421
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3f28c2ecf6a8cd335d21e1dbf8d247520de2177;p=thirdparty%2Fsamba.git

libcli/security: Hook in ability to disable conditional ACE evaluation

Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---

diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index e919e7091f8..76c1d1d93d0 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -220,6 +220,22 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
 	bool am_owner = false;
 	bool have_owner_rights_ace = false;
 
+	switch (token->evaluate_claims) {
+	case CLAIMS_EVALUATION_INVALID_STATE:
+		if (token->num_local_claims > 0 ||
+		    token->num_user_claims > 0 ||
+		    token->num_device_claims > 0 ||
+		    token->num_device_sids > 0) {
+			DBG_WARNING("Refusing to evaluate token with claims or device SIDs but also "
+				    "with CLAIMS_EVALUATION_INVALID_STATE\n");
+			return NT_STATUS_INVALID_TOKEN;
+		}
+		break;
+	case CLAIMS_EVALUATION_ALWAYS:
+	case CLAIMS_EVALUATION_NEVER:
+		break;
+	}
+
 	*access_granted = access_desired;
 	bits_remaining = access_desired;
 
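Review bot: The new switch on `token->evaluate_claims` has no `default:`, so a value outside the three named constants (for instance if a caller ever leaves the field unset) skips the check entirely and the access check proceeds as though claims evaluation were in a known state; adding `default: return NT_STATUS_INVALID_TOKEN;` makes an unexpected value fail closed. The same gap exists in the two per-ACE switches in the later hunks of this file, where an out-of-range value leaves `evaluate_claims` at its initial `true` and the conditional ACE is evaluated anyway; there `default: return NT_STATUS_INVALID_ACE_CONDITION;` is the matching guard. `-Wswitch` would catch a newly added enumerator but not an out-of-range integer stored in the field. se_access_check_implicit_owner begins before this hunk and continues past it.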
@@ -314,6 +330,30 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
 			break;
 		case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
+		{
+			bool evaluate_claims = true;
+			switch (token->evaluate_claims) {
+			case CLAIMS_EVALUATION_INVALID_STATE:
+				DBG_WARNING("Refusing to evaluate ACL with "
+					    "conditional ACE against security "
+					    "token with CLAIMS_EVALUATION_INVALID_STATE\n");
+				return NT_STATUS_INVALID_ACE_CONDITION;
+			case CLAIMS_EVALUATION_NEVER:
+				evaluate_claims = false;
+				break;
+			case CLAIMS_EVALUATION_ALWAYS:
+				evaluate_claims = true;
+				break;
+			}
+
+			if (!evaluate_claims) {
+				/*
+				 * We are asked to pretend we never
+				 * understood this ACE type
+				 */
+				break;
+			}
+
 			status = check_callback_ace_access(ace,
 							   token,
 							   sd,
 							   &callback_ok);
@@ -324,7 +364,33 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
 				bits_remaining &= ~ace->access_mask;
 			}
 			break;
+		}
+		case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK:
+		{
+			bool evaluate_claims = true;
+			switch (token->evaluate_claims) {
+			case CLAIMS_EVALUATION_INVALID_STATE:
+				DBG_WARNING("Refusing to evaluate ACL with "
+					    "conditional ACE against security "
+					    "token with CLAIMS_EVALUATION_INVALID_STATE\n");
+				return NT_STATUS_INVALID_ACE_CONDITION;
+			case CLAIMS_EVALUATION_NEVER:
+				evaluate_claims = false;
+				break;
+			case CLAIMS_EVALUATION_ALWAYS:
+				evaluate_claims = true;
+				break;
+			}
+
+			if (!evaluate_claims) {
+				/*
+				 * We are asked to pretend we never
+				 * understood this ACE type
+				 */
+				break;
+			}
+
 			status = check_callback_ace_access(ace,
 							   token,
 							   sd,
 							   &callback_ok);
@@ -335,6 +401,7 @@ static NTSTATUS se_access_check_implicit_owner(const struct security_descriptor
 				explicitly_denied_bits |= (bits_remaining & ace->access_mask);
 			}
 			break;
+		}
 		case SEC_ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT:
 			explicitly_denied_bits |= (bits_remaining & ace->access_mask);
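Review bot: The 23-line block that maps `token->evaluate_claims` to a warning, an error return or an `evaluate_claims` flag is pasted verbatim into the ALLOWED_CALLBACK case here and into the DENIED_CALLBACK case in the next hunk, so any later fix (a `default:` for out-of-range values, a changed status code, a reworded warning) has to be made twice and can drift. A file-scope helper that returns the status and writes the flag through an out-parameter keeps one copy of the policy and lets both cases collapse to a call plus the existing early `break`. The helper below also adds the missing out-of-range handling so an unexpected enum value fails closed rather than being evaluated. The enclosing ACE-type switch and se_access_check_implicit_owner start before this hunk and end after it.

```c
/*
 * Decide whether a conditional (callback) ACE may be evaluated against
 * this token. CLAIMS_EVALUATION_INVALID_STATE is an error; otherwise
 * *evaluate is set and NT_STATUS_OK is returned.
 */
static NTSTATUS conditional_ace_evaluation_allowed(const struct security_token *token,
						   bool *evaluate)
{
	switch (token->evaluate_claims) {
	case CLAIMS_EVALUATION_INVALID_STATE:
		DBG_WARNING("Refusing to evaluate ACL with "
			    "conditional ACE against security "
			    "token with CLAIMS_EVALUATION_INVALID_STATE\n");
		return NT_STATUS_INVALID_ACE_CONDITION;
	case CLAIMS_EVALUATION_NEVER:
		*evaluate = false;
		return NT_STATUS_OK;
	case CLAIMS_EVALUATION_ALWAYS:
		*evaluate = true;
		return NT_STATUS_OK;
	}
	/* Value outside the enum: refuse rather than evaluate. */
	return NT_STATUS_INVALID_ACE_CONDITION;
}

		case SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK:
		{
			bool evaluate_claims = true;
			status = conditional_ace_evaluation_allowed(token, &evaluate_claims);
			if (!NT_STATUS_IS_OK(status)) {
				return status;
			}
			if (!evaluate_claims) {
				/* Pretend we never understood this ACE type. */
				break;
			}
			/* … unchanged: check_callback_ace_access call and result handling … */
```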
diff --git a/selftest/knownfail.d/conditional-ace-token b/selftest/knownfail.d/conditional-ace-token
new file mode 100644
index 00000000000..fbd38be24de
--- /dev/null
+++ b/selftest/knownfail.d/conditional-ace-token
@@ -0,0 +1,41 @@
+^samba.unittests.run_conditional_ace.test_user_attr_any_of_missing_resource_and_user_attr
+^samba.unittests.run_conditional_ace.test_user_attr_any_of_missing_resource_attr
+^samba.unittests.run_conditional_ace.test_user_attr_any_of_missing_user_attr
+^samba.unittests.run_conditional_ace.test_composite_mixed_types
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_SID_dupes
+^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim_2
+^samba.unittests.run_conditional_ace.test_not_Not_Any_of_1
+^samba.unittests.run_conditional_ace.test_not_any_of_composite_1
+^samba.unittests.run_conditional_ace.test_resource_ace_single
+^samba.unittests.run_conditional_ace.test_horrible_fuzz_derived_test_3
+^samba.unittests.run_conditional_ace.test_Device_Member_of_and_Member_of
+^samba.unittests.run_conditional_ace.test_resource_ace_multi
+^samba.unittests.run_conditional_ace.test_resource_ace_multi_any_of
+^samba.unittests.run_conditional_ace.test_user_claim_eq_device_claim
+^samba.unittests.run_conditional_ace.test_device_claim_comtains_resource_claim
+^samba.unittests.run_conditional_ace.test_device_claim_eq_resource_claim
+^samba.unittests.run_conditional_ace.test_Device_claim_contains_Resource_claim
+^samba.unittests.run_conditional_ace.test_not_Not_Contains_1
+^samba.unittests.run_conditional_ace.test_not_not_Not_Member_of_fail
+^samba.unittests.run_conditional_ace.test_not_not_Not_Member_of
+^samba.unittests.run_conditional_ace.test_not_not_not_not_not_not_not_not_not_not_Not_Member_of
+^samba.unittests.run_conditional_ace.test_not_any_of_1_fail
+^samba.unittests.run_conditional_ace.test_not_any_of_1
+^samba.unittests.run_conditional_ace.test_not_contains_1
+^samba.unittests.run_conditional_ace.test_not_contains_1_fail
+^samba.unittests.run_conditional_ace.test_any_of_1_fail
+^samba.unittests.run_conditional_ace.test_any_of_1
+^samba.unittests.run_conditional_ace.test_any_of
+^samba.unittests.run_conditional_ace.test_any_of_match_last
+^samba.unittests.run_conditional_ace.test_contains_incomplete
+^samba.unittests.run_conditional_ace.test_contains
+^samba.unittests.run_conditional_ace.test_contains_1
+^samba.unittests.run_conditional_ace.test_contains_1_fail
+^samba.unittests.run_conditional_ace.test_device_claims_composite
+^samba.unittests.run_conditional_ace.test_claim_name_different_case
+^samba.unittests.run_conditional_ace.test_claim_name_different_case_case_flag
+^samba.unittests.run_conditional_ace.test_different_case_with_case_sensitive_flag
+^samba.unittests.run_conditional_ace.test_composite_different_order
+^samba.unittests.run_conditional_ace.test_different_case
+^samba.unittests.run_conditional_ace.test_composite_different_order_with_dupes
+^samba.unittests.run_conditional_ace.test_more_values_not_equal