Changeset 52633 in vbox for trunk/src/VBox/HostDrivers

Timestamp:

Sep 6, 2014 5:46:52 PM (10 years ago)

Author:

vboxsync

Message:

Fixed ACL issue, shouldn't use GENERIC_* in the deny mask when I want to control the special access bits individually. This makes the parent watcher code work and makes it possible open the VM and stub processes for waiting or querying without requiring debugging privileges.

File:

• trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (modified) (3 diffs)

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -2036 +2036 @@
     ClientId.UniqueProcess = (HANDLE)BasicInfo.InheritedFromUniqueProcessId;
     ClientId.UniqueThread  = NULL;
-#if 0 /** @todo fix me later. */
+
     HANDLE hParent;
     rcNt = NtOpenProcess(&hParent, SYNCHRONIZE | PROCESS_QUERY_INFORMATION, &ObjAttr, &ClientId);
     if (!NT_SUCCESS(rcNt))
-        supR3HardenedFatalMsg("supR3HardenedWinCreateParentWatcherThread", kSupInitOp_Misc, VERR_GENERAL_FAILUREps,
+        supR3HardenedFatalMsg("supR3HardenedWinCreateParentWatcherThread", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
                               "NtOpenProcess(%p.0) failed: %#x\n", ClientId.UniqueProcess, rcNt);
 
@@ -2050 +2050 @@
     if (RT_FAILURE(rc))
         supR3HardenedFatal("supR3HardenedWinCreateParentWatcherThread: RTThreadCreate failed: %Rrc\n", rc);
-#endif
 }
 
@@ -2706 +2705 @@
     SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCreateAcl(&pCleanup->Acl.AclHdr, sizeof(pCleanup->Acl), ACL_REVISION));
 
-    ULONG fDeny  = DELETE | WRITE_DAC | WRITE_OWNER | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL;
+    ULONG fDeny  = DELETE | WRITE_DAC | WRITE_OWNER;
     ULONG fAllow = SYNCHRONIZE | READ_CONTROL;
     ULONG fAllowLogin = SYNCHRONIZE | READ_CONTROL;