/*
 * Copyright (c) 2008, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.nio.fs;

import static sun.nio.fs.WindowsNativeDispatcher.*;
import static sun.nio.fs.WindowsConstants.*;

/**
 * Security related utility methods: opening the process access token,
 * temporarily enabling a privilege on the current thread, and running an
 * access check against a security descriptor.
 *
 * <p>All members are static; the class cannot be instantiated.
 */

class WindowsSecurity {
    private WindowsSecurity() { }

    /**
     * Opens the access token of the current process with the given access
     * rights.
     *
     * @param access the token access rights to request
     * @return the token handle, or {@code 0L} if the token could not be
     *         opened (the {@code WindowsException} is deliberately discarded,
     *         so callers must test for {@code 0L} before using the handle)
     */
    private static long openProcessToken(int access) {
        long handle;
        try {
            handle = OpenProcessToken(GetCurrentProcess(), access);
        } catch (WindowsException ignored) {
            // best effort: 0L tells the users of the fields below that no
            // process token is available
            handle = 0L;
        }
        return handle;
    }

    /**
     * Handle to the access token for this process, opened with
     * TOKEN_DUPLICATE access, or {@code 0L} if it could not be opened.
     * Opened once during class initialization; nothing in this class closes
     * it.
     */
    static final long processTokenWithDuplicateAccess =
        openProcessToken(TOKEN_DUPLICATE);

    /**
     * Handle to the access token for this process, opened with TOKEN_QUERY
     * access, or {@code 0L} if it could not be opened. Opened once during
     * class initialization; nothing in this class closes it.
     */
    static final long processTokenWithQueryAccess =
        openProcessToken(TOKEN_QUERY);

    /**
     * Returned by enablePrivilege when code may require a given privilege.
     * The drop method should be invoked after the operation completes so as
     * to revert the privilege.
     *
     * <p>For the object returned by {@link #enablePrivilege}, {@code drop}
     * is also what closes the token handle and frees the looked-up privilege
     * value, so it must run on every path, including when the privileged
     * operation throws.
     */
    static interface Privilege {
        void drop();
    }

    /**
     * Attempts to enable the given privilege for the current thread.
     *
     * <p>The thread's own token is used when one can be opened with
     * TOKEN_ADJUST_PRIVILEGES. Otherwise, if the process token is available,
     * it is duplicated, installed as the thread token, and the privilege is
     * enabled on that duplicate.
     *
     * <p>This is best effort: a {@code WindowsException} raised while
     * opening, duplicating, installing or adjusting the token is swallowed,
     * and a {@code Privilege} is returned regardless. The caller gets no
     * indication of whether the privilege is actually held, so the operation
     * that follows must handle an access-denied failure on its own.
     *
     * @param priv the name of the privilege to enable
     * @return an object whose {@code drop} method undoes whatever this call
     *         changed and releases the native resources it acquired
     * @throws AssertionError if the privilege name cannot be looked up,
     *         which is treated as a bug in the caller
     */
    static Privilege enablePrivilege(String priv) {
        final long pLuid;
        try {
            pLuid = LookupPrivilegeValue(priv);
        } catch (WindowsException x) {
            // an unknown privilege name is a programming error in the caller
            throw new AssertionError(x);
        }

        long threadToken = 0L;
        boolean impersonating = false;
        boolean elevated = false;
        try {
            threadToken = OpenThreadToken(GetCurrentThread(),
                                          TOKEN_ADJUST_PRIVILEGES, false);
            if (threadToken == 0L && processTokenWithDuplicateAccess != 0L) {
                // no thread token: work on a private copy of the process
                // token so the process token itself is never adjusted
                threadToken = DuplicateTokenEx(processTokenWithDuplicateAccess,
                    (TOKEN_ADJUST_PRIVILEGES | TOKEN_IMPERSONATE));
                SetThreadToken(0L, threadToken);
                impersonating = true;
            }

            if (threadToken != 0L) {
                AdjustTokenPrivileges(threadToken, pLuid, SE_PRIVILEGE_ENABLED);
                // NOTE(review): this only records that the call did not
                // throw; whether the native wrapper reports a privilege the
                // token does not hold as a failure is not visible here
                elevated = true;
            }
        } catch (WindowsException x) {
            // privilege not enabled; the flags set so far tell drop() what,
            // if anything, has to be undone
        }

        // effectively-final snapshots for capture by the lambda
        final long heldToken = threadToken;
        final boolean undoImpersonation = impersonating;
        final boolean undoPrivilege = elevated;

        return () -> revertAndRelease(heldToken, pLuid,
                                      undoImpersonation, undoPrivilege);
    }

    /**
     * Undoes the changes made by {@link #enablePrivilege} and releases the
     * token handle and the looked-up privilege value.
     *
     * @param token the token handle obtained by enablePrivilege, or
     *        {@code 0L} if none was obtained
     * @param pLuid the value returned by LookupPrivilegeValue
     * @param stopImpersonating whether enablePrivilege installed a thread
     *        token that has to be removed again
     * @param needToRevert whether the privilege was adjusted on a thread
     *        token that already existed
     * @throws AssertionError if reverting fails
     */
    private static void revertAndRelease(long token, long pLuid,
                                         boolean stopImpersonating,
                                         boolean needToRevert)
    {
        try {
            if (token == 0L) {
                // no token was obtained; only pLuid needs freeing (finally)
                return;
            }
            try {
                if (stopImpersonating) {
                    // presumably removes the thread token installed by
                    // enablePrivilege, taking the enabled privilege with it
                    SetThreadToken(0L, 0L);
                } else if (needToRevert) {
                    // NOTE(review): attributes 0 turns the privilege off on
                    // the pre-existing thread token without consulting its
                    // state before enablePrivilege - confirm this is
                    // intended when the privilege was already enabled
                    AdjustTokenPrivileges(token, pLuid, 0);
                }
            } catch (WindowsException x) {
                // not expected: failing here could leave the thread with the
                // privilege still enabled, so surface it loudly
                throw new AssertionError(x);
            } finally {
                CloseHandle(token);
            }
        } finally {
            LocalFree(pLuid);
        }
    }

    /**
     * Checks the requested access rights against the given security
     * information, using the token in effect for the current thread.
     *
     * <p>The thread token is used when one can be opened with TOKEN_QUERY;
     * otherwise the process token is duplicated, if available. When no token
     * can be obtained the result is {@code false}, i.e. access is reported
     * as not granted.
     *
     * @param securityInfo passed to AccessCheck (presumably the address of
     *        a security descriptor; confirm against the caller)
     * @param accessMask the access rights to check
     * @param genericRead passed to AccessCheck (presumably the generic
     *        mapping for read access)
     * @param genericWrite passed to AccessCheck (presumably the generic
     *        mapping for write access)
     * @param genericExecute passed to AccessCheck (presumably the generic
     *        mapping for execute access)
     * @param genericAll passed to AccessCheck (presumably the generic
     *        mapping for all access)
     * @return the result of AccessCheck, or {@code false} if no token was
     *         available
     * @throws WindowsException if opening or duplicating the token, or the
     *         access check itself, fails
     */
    static boolean checkAccessMask(long securityInfo, int accessMask,
        int genericRead, int genericWrite, int genericExecute, int genericAll)
        throws WindowsException
    {
        final int desiredAccess = TOKEN_QUERY;
        long token = OpenThreadToken(GetCurrentThread(), desiredAccess, false);
        if (token == 0L && processTokenWithDuplicateAccess != 0L) {
            token = DuplicateTokenEx(processTokenWithDuplicateAccess,
                                     desiredAccess);
        }

        if (token == 0L) {
            // no token to check with: report the right as not granted
            return false;
        }
        try {
            return AccessCheck(token, securityInfo, accessMask,
                genericRead, genericWrite, genericExecute, genericAll);
        } finally {
            // the handle was opened or duplicated above, so it is ours to close
            CloseHandle(token);
        }
    }

}