From 5acf8b7f98ecd3daa721e60b49c7a582c7ce3b8d Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@your-file-system.com>
Date: Tue, 20 Nov 2012 01:23:08 -0500
Subject: [PATCH] Windows: QuerySecurity deny access to SACL

The SACL requires System Access Level.  Requests for SACL by
end user applications must be denied.  Permit access to Owner,
Group, DACL and Label but not SACL.

This change permits executables to be initiated from drive
letter mappings.

Change-Id: Ibf847261f0c36dc7b6175b0536657161158cd44f
Reviewed-on: http://gerrit.openafs.org/8483
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Rod Widdowson <rdw@steadingsoftware.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Tested-by: Jeffrey Altman <jaltman@your-file-system.com>
---
 src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp | 40 +++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp b/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp
index c15d32b8e..52990fcbd 100644
--- a/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSSecurity.cpp
@@ -82,16 +82,52 @@ AFSQuerySecurity( IN PDEVICE_OBJECT LibDeviceObject,
     PMDL pUserBufferMdl = NULL;
     void *pLockedUserBuffer = NULL;
     ULONG ulSDLength = 0;
+    SECURITY_INFORMATION SecurityInformation;
+    PFILE_OBJECT pFileObject;
+    AFSFcb *pFcb = NULL;
+    AFSCcb *pCcb = NULL;
 
     __try
     {
 
         pIrpSp = IoGetCurrentIrpStackLocation( Irp);
 
+        SecurityInformation = pIrpSp->Parameters.QuerySecurity.SecurityInformation;
+
+        pFileObject = pIrpSp->FileObject;
+
+        pFcb = (AFSFcb *)pFileObject->FsContext;
+
+        pCcb = (AFSCcb *)pFileObject->FsContext2;
+
         AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
                       AFS_TRACE_LEVEL_VERBOSE,
-                      "AFSQuerySecurity Entry for FO %08lX\n",
-                      pIrpSp->FileObject);
+                      "AFSQuerySecurity (%08lX) Entry for FO %08lX SI %08lX\n",
+                      Irp,
+                      pFileObject,
+                      SecurityInformation);
+
+        if( pFcb == NULL)
+        {
+
+            AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
+                          AFS_TRACE_LEVEL_ERROR,
+                          "AFSQuerySecurity Attempted access (%08lX) when pFcb == NULL\n",
+                          Irp);
+
+            try_return( ntStatus = STATUS_INVALID_DEVICE_REQUEST);
+        }
+
+        if ( SecurityInformation & SACL_SECURITY_INFORMATION)
+        {
+
+            AFSDbgLogMsg( AFS_SUBSYSTEM_FILE_PROCESSING,
+                          AFS_TRACE_LEVEL_ERROR,
+                          "AFSQuerySecurity Attempted access (%08lX) SACL\n",
+                          Irp);
+
+            try_return( ntStatus = STATUS_ACCESS_DENIED);
+        }
 
         if( AFSDefaultSD == NULL)
         {
-- 
2.39.5