You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@commons.apache.org by mt...@apache.org on 2009/08/19 08:27:49 UTC
svn commit: r805674 - in /commons/sandbox/runtime/trunk/src/main/native:
include/arch/windows/acr_arch_private.h os/win32/main.c os/win32/platform.c
os/win32/pmutex.c os/win32/psema.c os/win32/shm.c os/win32/wusec.c
Author: mturk
Date: Wed Aug 19 06:27:48 2009
New Revision: 805674
URL: http://svn.apache.org/viewvc?rev=805674&view=rev
Log:
Add SecurityDecriptor cache
Modified:
commons/sandbox/runtime/trunk/src/main/native/include/arch/windows/acr_arch_private.h
commons/sandbox/runtime/trunk/src/main/native/os/win32/main.c
commons/sandbox/runtime/trunk/src/main/native/os/win32/platform.c
commons/sandbox/runtime/trunk/src/main/native/os/win32/pmutex.c
commons/sandbox/runtime/trunk/src/main/native/os/win32/psema.c
commons/sandbox/runtime/trunk/src/main/native/os/win32/shm.c
commons/sandbox/runtime/trunk/src/main/native/os/win32/wusec.c
Modified: commons/sandbox/runtime/trunk/src/main/native/include/arch/windows/acr_arch_private.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/arch/windows/acr_arch_private.h?rev=805674&r1=805673&r2=805674&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/arch/windows/acr_arch_private.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/arch/windows/acr_arch_private.h Wed Aug 19 06:27:48 2009
@@ -98,6 +98,7 @@
DWORD ACR_SetTokenPrivilege(LPCWSTR szPrivilege, BOOL bEnablePrivilege);
DWORD ACR_EnablePrivilege(LPCWSTR szPrivilege);
PSID ACR_DuplicateSid(JNIEnv *_E, PSID sSID);
+int ACR_InitSecurityDescriptorTable(JNIEnv *);
LPVOID ACR_GetSecurityDescriptor(JNIEnv *, DWORD, DWORD);
/**
Modified: commons/sandbox/runtime/trunk/src/main/native/os/win32/main.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/os/win32/main.c?rev=805674&r1=805673&r2=805674&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/os/win32/main.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/os/win32/main.c Wed Aug 19 06:27:48 2009
@@ -47,11 +47,6 @@
PSID acr_everyone_sid = NULL;
PSID acr_adminsgr_sid = NULL;
-PSECURITY_DESCRIPTOR acr_sd_generic_admin = NULL;
-PSECURITY_DESCRIPTOR acr_sd_filesys_admin = NULL;
-PSECURITY_DESCRIPTOR acr_sd_generic_users = NULL;
-PSECURITY_DESCRIPTOR acr_sd_filesys_users = NULL;
-
typedef struct acr_thread_local_t {
JNIEnv *env;
int attached;
Modified: commons/sandbox/runtime/trunk/src/main/native/os/win32/platform.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/os/win32/platform.c?rev=805674&r1=805673&r2=805674&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/os/win32/platform.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/os/win32/platform.c Wed Aug 19 06:27:48 2009
@@ -26,10 +26,6 @@
extern PSID acr_everyone_sid;
extern PSID acr_adminsgr_sid;
extern LPSYSTEM_INFO acr_osinf;
-extern PSECURITY_DESCRIPTOR acr_sd_generic_admin;
-extern PSECURITY_DESCRIPTOR acr_sd_filesys_admin;
-extern PSECURITY_DESCRIPTOR acr_sd_generic_users;
-extern PSECURITY_DESCRIPTOR acr_sd_filesys_users;
acr_size_t acr_page_size;
int acr_native_codepage = ACR_CP_DEFAULT;
@@ -43,6 +39,7 @@
static int initialized = 0;
ACR_DECLARE(int) ACR_PlatformInitialize(JNIEnv *_E, int ios)
{
+ int rc;
if (initialized++)
return 0;
acr_page_size = (acr_size_t)acr_osinf->dwPageSize;
@@ -52,34 +49,27 @@
if (!acr_adminsgr_sid) {
acr_adminsgr_sid = ACR_AllocateWellKnownSid(_E, WinBuiltinAdministratorsSid);
}
+ if ((rc = ACR_InitSecurityDescriptorTable(_E)))
+ return rc;
/*
* Create standard security descriptors
*/
- if (!acr_sd_generic_admin) {
- /* All access to Admins */
- acr_sd_generic_admin = ACR_GetSecurityDescriptor(INVALID_HANDLE_VALUE,
- GENERIC_ALL,
- 0);
- }
- if (!acr_sd_filesys_admin) {
- /* All file access to Admins */
- acr_sd_filesys_admin = ACR_GetSecurityDescriptor(INVALID_HANDLE_VALUE,
- GENERIC_ALL | FILE_ALL_ACCESS,
- 0);
- }
- if (!acr_sd_generic_users) {
- /* RWX access to Authenticated users */
- acr_sd_generic_users = ACR_GetSecurityDescriptor(INVALID_HANDLE_VALUE,
- GENERIC_ALL,
- GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE);
- }
- if (!acr_sd_filesys_users) {
- /* RWX file access to Authenticated users */
- acr_sd_filesys_users = ACR_GetSecurityDescriptor(INVALID_HANDLE_VALUE,
- GENERIC_ALL | FILE_ALL_ACCESS,
- GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE |
- FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE);
- }
+ ACR_GetSecurityDescriptor(INVALID_HANDLE_VALUE,
+ GENERIC_ALL,
+ 0);
+ /* All file access to Admins */
+ ACR_GetSecurityDescriptor(INVALID_HANDLE_VALUE,
+ GENERIC_ALL | FILE_ALL_ACCESS,
+ 0);
+ /* RWX access to Authenticated users */
+ ACR_GetSecurityDescriptor(INVALID_HANDLE_VALUE,
+ GENERIC_ALL,
+ GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE);
+ /* RWX file access to Authenticated users */
+ ACR_GetSecurityDescriptor(INVALID_HANDLE_VALUE,
+ GENERIC_ALL | FILE_ALL_ACCESS,
+ GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE |
+ FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE);
return acr_ioh_init(ios);
}
Modified: commons/sandbox/runtime/trunk/src/main/native/os/win32/pmutex.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/os/win32/pmutex.c?rev=805674&r1=805673&r2=805674&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/os/win32/pmutex.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/os/win32/pmutex.c Wed Aug 19 06:27:48 2009
@@ -53,11 +53,13 @@
reskey = res_name_from_filenamew(ACR_DT_MUTEX, keybuf, fname);
}
/* Mark the mutex as non inheritable
+ * with Modify access to Authenticated users
*/
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
- sa.lpSecurityDescriptor = NULL;
+ sa.lpSecurityDescriptor = ACR_GetSecurityDescriptor(_E,
+ GENERIC_ALL | MUTEX_ALL_ACCESS,
+ MUTEX_MODIFY_STATE);
sa.bInheritHandle = FALSE;
-
m = CreateMutexW(&sa, FALSE, reskey);
if (!m)
return -1;
Modified: commons/sandbox/runtime/trunk/src/main/native/os/win32/psema.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/os/win32/psema.c?rev=805674&r1=805673&r2=805674&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/os/win32/psema.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/os/win32/psema.c Wed Aug 19 06:27:48 2009
@@ -23,8 +23,6 @@
#include "acr_descriptor.h"
#include "acr_semaphore.h"
-static volatile unsigned int _sem_counter = 1;
-
static int semaphore_cleanup(void *sema, int type, unsigned int flags)
{
if (type == ACR_DT_SEMAPHORE) {
@@ -60,13 +58,16 @@
*/
reskey = res_name_from_filenamew(ACR_DT_MUTEX, keybuf, name);
}
- /* Mark the semaphore as non inheritable.
+ if (value > maxval)
+ maxval = value;
+ /* Mark the semaphore as non inheritable
+ * with Modify access to Authenticated users
*/
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
- sa.lpSecurityDescriptor = NULL;
+ sa.lpSecurityDescriptor = ACR_GetSecurityDescriptor(_E,
+ GENERIC_ALL | SEMAPHORE_ALL_ACCESS,
+ SEMAPHORE_MODIFY_STATE);
sa.bInheritHandle = FALSE;
- if (value > maxval)
- maxval = value;
s = CreateSemaphoreW(&sa, (LONG)value, (LONG)maxval, reskey);
if (!s)
return -1;
Modified: commons/sandbox/runtime/trunk/src/main/native/os/win32/shm.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/os/win32/shm.c?rev=805674&r1=805673&r2=805674&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/os/win32/shm.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/os/win32/shm.c Wed Aug 19 06:27:48 2009
@@ -42,9 +42,6 @@
const wchar_t *filename;
};
-extern PSECURITY_DESCRIPTOR acr_sd_filesys_admin;
-extern PSECURITY_DESCRIPTOR acr_sd_filesys_users;
-
static int shm_cleanup(void *shm, int type, unsigned int flags)
{
int rc = 0;
@@ -150,7 +147,9 @@
/* Name-based shared memory */
else {
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
- sa.lpSecurityDescriptor = acr_sd_filesys_admin;
+ sa.lpSecurityDescriptor = ACR_GetSecurityDescriptor(_E,
+ GENERIC_ALL | FILE_ALL_ACCESS,
+ 0);
sa.bInheritHandle = FALSE;
/* Do file backed, which is not an inherited handle
* While we could open APR_EXCL, it doesn't seem that Unix
Modified: commons/sandbox/runtime/trunk/src/main/native/os/win32/wusec.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/os/win32/wusec.c?rev=805674&r1=805673&r2=805674&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/os/win32/wusec.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/os/win32/wusec.c Wed Aug 19 06:27:48 2009
@@ -21,6 +21,7 @@
#include "acr_error.h"
#include "acr_memory.h"
#include "acr_string.h"
+#include "acr_tables.h"
#include "acr_descriptor.h"
#include "acr_users.h"
@@ -293,6 +294,23 @@
return dwError;
}
+static CRITICAL_SECTION security_lock;
+static acr_table_t *security_table = NULL;
+
+int ACR_InitSecurityDescriptorTable(JNIEnv *_E)
+{
+
+ if (security_table)
+ return ACR_SUCCESS;
+ InitializeCriticalSectionAndSpinCount(&security_lock, ACR_SPINCOUNT);
+ security_table = ACR_TableMake(_E, THROW_FMARK, 16);
+ if (!security_table)
+ return ACR_ENOMEM;
+
+ return ACR_SUCCESS;
+}
+
+
LPVOID ACR_GetSecurityDescriptor(JNIEnv *_E,
DWORD dwAdminAccessMask,
DWORD dwUsersAccessMask)
@@ -326,6 +344,12 @@
strcat(sdd, saa);
strcat(sdd, ";;;AU)");
}
+ EnterCriticalSection(&security_lock);
+ if (ACR_TableGet(security_table, sdd, &pSD, NULL) == ACR_SUCCESS) {
+ /* Return catched entry */
+ LeaveCriticalSection(&security_lock);
+ return pSD;
+ }
if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(sdd,
SDDL_REVISION_1, &pSD, NULL)) {
pSD = NULL;
@@ -334,6 +358,13 @@
ACR_GET_OS_ERROR());
}
}
+ if (pSD) {
+ /* Add the security descriptor to the cache.
+ * It will live there for the process life time.
+ */
+ ACR_TableAdd(security_table, sdd, pDS, sizeof(PSECURITY_DESCRIPTOR));
+ }
+ LeaveCriticalSection(&security_lock);
return pSD;
}