#include "OperationRemoveRedundant.h"
#include "DriverKitPartial.h"
#include "InputOutput.h"
#include "Helpers.h"
// register this operation with the class factory under the command name
// returned by GetCommand() so the argument parser can instantiate it
ClassFactory<OperationRemoveRedundant> OperationRemoveRedundant::RegisteredFactory(GetCommand());
OperationRemoveRedundant::OperationRemoveRedundant(std::queue<std::wstring> & oArgList, const std::wstring & sCommand) : Operation(oArgList)
{
	// this operation works at the individual ace level, so it has to be run
	// against both the discretionary and the system access control lists;
	// sCommand is not read here (the base class is handed the argument list)
	AppliesToSacl = AppliesToDacl = true;
}
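bool OperationRemoveRedundant::ProcessAclAction(const WCHAR * const sSdPart, ObjectEntry & tObjectEntry, PACL & tCurrentAcl, bool & bAclReplacement)
{
	// Removes explicit aces that are fully covered by an inherited ace of the
	// same type for the same sid (same or wider mask, compatible inheritance
	// flags). Returns true when at least one ace was removed so the caller can
	// decide whether the change needs to be persisted. tObjectEntry and
	// bAclReplacement are part of the shared signature and are not used here.
	//
	// NOTE(review): for ACCESS_DENIED_ACE_TYPE an explicit deny is evaluated
	// before every explicit allow, whereas the inherited deny it is compared
	// against is evaluated after them; dropping the explicit deny can therefore
	// let an explicit allow for the same principal take effect — confirm that
	// this is intended for deny entries.
	// NOTE(review): for SYSTEM_AUDIT_ACE_TYPE the success/failure audit flags
	// in the ace header are not compared, so an explicit audit entry may be
	// removed in favour of an inherited one that audits a different outcome —
	// verify against the intended semantics.

	// sanity check
	if (tCurrentAcl == nullptr) return false;

	// track whether the acl was actually changed so the caller may decide
	// that the change needs to be persisted
	bool bMadeChange = false;

	// after a successful DeleteAce the remaining entries shift down into the
	// current slot, so neither the index nor the pointer is advanced on the
	// next round in that case
	bool bSkipIncrement = false;
	PACE_ACCESS_HEADER tAceExplicit = FirstAce(tCurrentAcl);
	for (ULONG iEntryExplicit = 0; iEntryExplicit < tCurrentAcl->AceCount;
		tAceExplicit = (bSkipIncrement) ? tAceExplicit : NextAce(tAceExplicit), iEntryExplicit += (bSkipIncrement) ? 0 : 1)
	{
		// reset skip increment variable
		bSkipIncrement = false;

		// only process explicit items in the outer loop
		if (IsInherited(tAceExplicit)) continue;

		// only process standard ace types
		if (tAceExplicit->AceType != ACCESS_ALLOWED_ACE_TYPE &&
			tAceExplicit->AceType != ACCESS_DENIED_ACE_TYPE &&
			tAceExplicit->AceType != SYSTEM_AUDIT_ACE_TYPE) continue;

		PACE_ACCESS_HEADER tAceInherited = FirstAce(tCurrentAcl);
		for (ULONG iEntryInherited = 0; iEntryInherited < tCurrentAcl->AceCount; tAceInherited = NextAce(tAceInherited), iEntryInherited++)
		{
			// only process inherited items in the inner loop
			if (!IsInherited(tAceInherited)) continue;

			// stop processing if we have a mismatching type
			if (tAceInherited->AceType != tAceExplicit->AceType) continue;

			// stop processing if the explicit mask is not a subset of the inherited mask
			if ((tAceExplicit->Mask | tAceInherited->Mask) != tAceInherited->Mask) continue;

			// stop processing if the explicit ace has container or object inherit
			// but the inherited entry does not
			if (HasContainerInherit(tAceExplicit) && !HasContainerInherit(tAceInherited)) continue;
			if (HasObjectInherit(tAceExplicit) && !HasObjectInherit(tAceInherited)) continue;

			// stop processing if the inherited ace has an inherit-only or
			// no-propagate limitation but the explicit entry does not
			if (HasInheritOnly(tAceInherited) && !HasInheritOnly(tAceExplicit)) continue;
			if (HasNoPropogate(tAceInherited) && !HasNoPropogate(tAceExplicit)) continue;

			// if sids are equal then delete this ace since it is redundant
			if (SidMatch(GetSidFromAce(tAceInherited), GetSidFromAce(tAceExplicit)))
			{
				// resolve the name before DeleteAce: once the entry is removed the
				// sid storage it pointed into has been shifted
				const auto sExplicitName = GetNameFromSidEx(GetSidFromAce(tAceExplicit));

				// DeleteAce reports failure through its return value; on failure
				// the ace is still in place, so advance normally instead of
				// re-examining the same entry, which would otherwise re-match and
				// retry the same removal forever
				if (!DeleteAce(tCurrentAcl, iEntryExplicit))
				{
					InputOutput::AddInfo(L"Unable to remove redundant explicit entry for '" +
						sExplicitName + L"'", sSdPart);
					break;
				}

				InputOutput::AddInfo(L"Removed redundant explicit entry for '" +
					sExplicitName + L"'", sSdPart);
				bMadeChange = true;
				bSkipIncrement = true;
				break;
			}
		}
	}

	return bMadeChange;
}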