From: Hans Leidekker Subject: [1/2] advapi32: Support parsing mandatory label ACE strings. Message-Id: <1429196549.1899.6.camel@codeweavers.com> Date: Thu, 16 Apr 2015 17:02:29 +0200 --- dlls/advapi32/security.c | 10 ++++++++++ dlls/advapi32/tests/security.c | 7 +++++++ include/winnt.h | 11 +++++++++++ 3 files changed, 28 insertions(+) diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c index 2cd3f74..d27b2e7 100644 --- a/dlls/advapi32/security.c +++ b/dlls/advapi32/security.c @@ -311,6 +311,10 @@ static const WCHAR SDDL_GENERIC_READ[] = {'G','R',0}; static const WCHAR SDDL_GENERIC_WRITE[] = {'G','W',0}; static const WCHAR SDDL_GENERIC_EXECUTE[] = {'G','X',0}; +static const WCHAR SDDL_NO_READ_UP[] = {'N','R',0}; +static const WCHAR SDDL_NO_WRITE_UP[] = {'N','W',0}; +static const WCHAR SDDL_NO_EXECUTE_UP[] = {'N','X',0}; + /* * ACL flags */ @@ -325,6 +329,7 @@ static const WCHAR SDDL_ACCESS_ALLOWED[] = {'A',0}; static const WCHAR SDDL_ACCESS_DENIED[] = {'D',0}; static const WCHAR SDDL_AUDIT[] = {'A','U',0}; static const WCHAR SDDL_ALARM[] = {'A','L',0}; +static const WCHAR SDDL_MANDATORY_LABEL[] = {'M','L',0}; /* * ACE flags @@ -4147,6 +4152,7 @@ static const ACEFLAG AceType[] = { SDDL_AUDIT, SYSTEM_AUDIT_ACE_TYPE }, { SDDL_ACCESS_ALLOWED, ACCESS_ALLOWED_ACE_TYPE }, { SDDL_ACCESS_DENIED, ACCESS_DENIED_ACE_TYPE }, + { SDDL_MANDATORY_LABEL,SYSTEM_MANDATORY_LABEL_ACE_TYPE }, /* { SDDL_OBJECT_ACCESS_ALLOWED, ACCESS_ALLOWED_OBJECT_ACE_TYPE }, { SDDL_OBJECT_ACCESS_DENIED, ACCESS_DENIED_OBJECT_ACE_TYPE }, @@ -4257,6 +4263,10 @@ static const ACEFLAG AceRights[] = { SDDL_KEY_READ, KEY_READ }, { SDDL_KEY_WRITE, KEY_WRITE }, { SDDL_KEY_EXECUTE, KEY_EXECUTE }, + + { SDDL_NO_READ_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP }, + { SDDL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP }, + { SDDL_NO_EXECUTE_UP, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP }, { NULL, 0 }, }; diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c index 466100d..b43f212 100644 
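Review bot: The new `NR`/`NW`/`NX` rights tokens arrive without the integrity-level SID aliases that Windows SDDL pairs with them (`LW`, `ME`, `HI`, `SI` for S-1-16-4096/8192/12288/16384), so a label in the form tooling such as icacls emits, `(ML;;NW;;;LW)`, would presumably still be rejected unless the well-known SID table elsewhere in security.c already knows them — that table is not in this patch and I cannot see it. The accompanying test only uses the raw `S-1-16-12288` spelling, which is why the gap would not show up. If the aliases are indeed missing, adding them alongside these three constants (and a second test string using `LW`) would make the feature usable against real-world descriptors rather than only hand-written ones.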
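Review bot: Adding `SDDL_MANDATORY_LABEL` to AceType makes `S:(ML;;NW;;;...)` parse successfully, but nothing in this series touches the access check, so a caller that sets a no-write-up label gets a SACL entry that, as far as these hunks show, Wine never enforces; the inverse conversion back to a string is also not updated here, so the entry may not round-trip. That is a reasonable first step, but it deserves a comment on the new table entry so the next reader does not assume the integrity policy is honoured: `/* parsed so Windows-written SACLs are accepted; the label policy is not enforced by Wine's access check */`. The AceType table continues past the hunk (its `{ NULL, 0 }` terminator is not visible), so I could not check whether anything else was added after it.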
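Review bot: Placing the three label policy bits in the shared AceRights table means the rights parser (not in the hunk) will accept them for any ACE type, and the values the winnt.h hunk assigns them (0x1/0x2/0x4) occupy the same bit positions as the low object-specific rights in the SDK (e.g. FILE_READ_DATA/FILE_WRITE_DATA/FILE_APPEND_DATA), so `(A;;NW;;;BA)` silently turns into a different right and `(ML;;GR;;;...)` yields a label with a meaningless mask. As far as I know this mirrors Windows' type-agnostic SDDL rights parsing, so I would not reject it, but the table deserves a why-comment on the new entries: `/* mandatory label policy bits; like every token here they are accepted for any ACE type, and they alias the low object-specific rights */`. If the parser does validate rights per type anywhere, that code is outside this hunk and should gain an ML case instead.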
--- a/dlls/advapi32/tests/security.c +++ b/dlls/advapi32/tests/security.c @@ -3901,6 +3901,13 @@ static void test_ConvertStringSecurityDescriptor(void) Blank, SDDL_REVISION_1, &pSD, NULL); ok(ret, "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %d\n", GetLastError()); LocalFree(pSD); + + SetLastError(0xdeadbeef); + ret = pConvertStringSecurityDescriptorToSecurityDescriptorA( + "D:P(A;;GRGW;;;BA)(A;;GRGW;;;S-1-5-21-0-0-0-1000)S:(ML;;NWNR;;;S-1-16-12288)", SDDL_REVISION_1, &pSD, NULL); + ok(ret || broken(!ret && GetLastError() == ERROR_INVALID_DATATYPE) /* win2k */, + "ConvertStringSecurityDescriptorToSecurityDescriptor failed with error %u\n", GetLastError()); + if (ret) LocalFree(pSD); } static void test_ConvertSecurityDescriptorToString(void) diff --git a/include/winnt.h b/include/winnt.h index c2aa50e..9b08544 100644 --- a/include/winnt.h +++ b/include/winnt.h @@ -4445,6 +4445,7 @@ typedef struct _ACE_HEADER { #define ACCESS_DENIED_ACE_TYPE 1 #define SYSTEM_AUDIT_ACE_TYPE 2 #define SYSTEM_ALARM_ACE_TYPE 3 +#define SYSTEM_MANDATORY_LABEL_ACE_TYPE 0x11 /* inherit AceFlags */ #define OBJECT_INHERIT_ACE 0x01 @@ -4489,6 +4490,16 @@ typedef struct _SYSTEM_ALARM_ACE { DWORD SidStart; } SYSTEM_ALARM_ACE,*PSYSTEM_ALARM_ACE; +typedef struct _SYSTEM_MANDATORY_LABEL_ACE { + ACE_HEADER Header; + ACCESS_MASK Mask; + DWORD SidStart; +} SYSTEM_MANDATORY_LABEL_ACE,*PSYSTEM_MANDATORY_LABEL_ACE; + +#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP 0x1 +#define SYSTEM_MANDATORY_LABEL_NO_READ_UP 0x2 +#define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP 0x4 + typedef enum tagSID_NAME_USE { SidTypeUser = 1, SidTypeGroup,
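Review bot: The new test only asserts that conversion succeeds; it never inspects the SACL, so a parser that mapped `ML` to the wrong ACE type or `NWNR` to the wrong mask would still pass, and the `if (ret) LocalFree(pSD);` path discards the one descriptor that could prove the feature works. Since the test already has `pSD` in hand, pull the SACL and check the first ACE's type, mask and SID before freeing; the locals go at the top of `test_ConvertStringSecurityDescriptor`, whose start is outside the hunk. The `broken()` tolerance for win2k looks right; whether XP/2003 also reject the `ML` type I cannot tell from here, so the condition may need widening once the test runs there.
```c
    if (ret)
    {
        BOOL present = FALSE, defaulted = FALSE;
        PACL sacl = NULL;
        SYSTEM_MANDATORY_LABEL_ACE *ace = NULL;

        ok(GetSecurityDescriptorSacl(pSD, &present, &sacl, &defaulted) && present && sacl,
           "expected a SACL, error %u\n", GetLastError());
        ok(sacl && GetAce(sacl, 0, (void **)&ace), "GetAce failed with error %u\n", GetLastError());
        ok(ace && ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE,
           "got ace type %#x\n", ace ? ace->Header.AceType : 0);
        ok(ace && ace->Mask == (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP),
           "got mask %#x\n", ace ? ace->Mask : 0);
        LocalFree(pSD);
    }
```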
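Review bot: The three policy masks are added without the SDK's companion `SYSTEM_MANDATORY_LABEL_VALID_MASK`, which is what validation code uses to reject a label ACE carrying bits outside the defined set; without it a future check in the parser or in `IsValidAcl` has nothing to compare against. Add it next to the three values: `#define SYSTEM_MANDATORY_LABEL_VALID_MASK (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)`. The struct itself matches the `Header`/`Mask`/`SidStart` layout of the other ACE types in this header, which is presumably what lets the parser build it with the existing allowed/denied code path — worth a one-line comment on the typedef so that dependency is explicit.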