/// <summary>
/// Computes the maximum access a token is granted to a file, folds in rights the
/// parent directory confers, and writes a result when the requested access matches.
/// </summary>
/// <param name="token">The token entry to run the access check for.</param>
/// <param name="file">The opened file the security descriptor belongs to.</param>
/// <param name="access_rights">The access mask the caller is filtering on.</param>
/// <param name="sd">The security descriptor of the file.</param>
/// <param name="parent_sd">The security descriptor of the parent; may be null, in which case no parent rights are considered.</param>
private void CheckAccess(TokenEntry token, NtFile file, AccessMask access_rights, SecurityDescriptor sd, SecurityDescriptor parent_sd)
        {
            NtType file_type = file.NtType;
            var mapping = file_type.GenericMapping;
            AccessMask effective_access = NtSecurity.GetMaximumAccess(sd, token.Token, mapping);

            // Only consult the parent when the file's own descriptor leaves ReadAttributes or Delete
            // ungranted. Those are the two rights this method lets the parent add, so a permissive
            // directory DACL can widen what a restrictive file DACL reports.
            bool missing_parent_derived_right =
                !effective_access.IsAllAccessGranted(FileDirectoryAccessRights.ReadAttributes | FileDirectoryAccessRights.Delete);
            if (missing_parent_derived_right && parent_sd != null)
            {
                // The parent is evaluated with the same token and the same generic mapping as the file.
                AccessMask parent_access = NtSecurity.GetMaximumAccess(parent_sd, token.Token, mapping);

                // DeleteChild on the parent is reported as Delete on this file.
                if (parent_access.IsAccessGranted(FileDirectoryAccessRights.DeleteChild))
                {
                    effective_access |= FileAccessRights.Delete;
                }

                // ListDirectory on the parent is reported as ReadAttributes on this file.
                if (parent_access.IsAccessGranted(FileDirectoryAccessRights.ListDirectory))
                {
                    effective_access |= FileAccessRights.ReadAttributes;
                }
            }

            if (!IsAccessGranted(effective_access, access_rights))
            {
                return;
            }

            bool is_directory = IsDirectoryNoThrow(file);
            var display_path = FormatWin32Path ? file.Win32PathName : file.FullPath;
            // Directories and plain files are reported against different access enumerations.
            var rights_enum = is_directory ? typeof(FileDirectoryAccessRights) : typeof(FileAccessRights);
            WriteAccessCheckResult(display_path, file_type.Name, effective_access, mapping,
                                   sd, rights_enum, is_directory, token.Information);
        }
        /// <summary>
        /// Tests whether the recorded granted access covers a requested access mask.
        /// </summary>
        /// <param name="access">The access to check.</param>
        /// <returns>
        /// True if every requested right is in the recorded grant. Also true, as an assumption
        /// rather than a verified answer, when the recorded grant contains MaximumAllowed.
        /// </returns>
        /// <remarks>
        /// A true result on the MaximumAllowed path does not prove the rights are held; callers
        /// using this for a security decision should treat that case as "unknown".
        /// </remarks>
        public bool IsAccessMaskGranted(AccessMask access)
        {
            // MaximumAllowed in the stored mask means the concrete rights are not known here,
            // so the check answers optimistically instead of failing.
            return _granted_access.IsAccessGranted(GenericAccessRights.MaximumAllowed)
                || _granted_access.IsAllAccessGranted(access);
        }
 /// <summary>
 /// Expands a granted process access mask with the limited-information rights that
 /// this method treats as implied by broader rights.
 /// </summary>
 /// <param name="granted_access">The access mask granted to the process object.</param>
 /// <returns>The mask with any implied limited rights added; no bits are removed.</returns>
 private static AccessMask AdjustProcessAccess(AccessMask granted_access)
 {
     // Two independent conditions lead to the same added right: QueryInformation on its own,
     // or VmWrite together with VmOperation.
     // NOTE(review): presumably this mirrors how the system resolves these rights - confirm.
     bool implies_query_limited =
         granted_access.IsAccessGranted(ProcessAccessRights.QueryInformation)
         || granted_access.IsAllAccessGranted(ProcessAccessRights.VmWrite | ProcessAccessRights.VmOperation);
     if (implies_query_limited)
     {
         granted_access |= ProcessAccessRights.QueryLimitedInformation;
     }

     // SetInformation likewise brings in its limited counterpart.
     if (granted_access.IsAccessGranted(ProcessAccessRights.SetInformation))
     {
         granted_access |= ProcessAccessRights.SetLimitedInformation;
     }

     return granted_access;
 }
        /// <summary>
        /// Decides whether a computed granted access satisfies the access the caller asked to filter on.
        /// </summary>
        /// <param name="granted_access">The access granted by the access check.</param>
        /// <param name="access_rights">The access requested as a filter; empty means no filter.</param>
        /// <returns>
        /// AllowEmptyAccess when nothing was granted; true when no filter was requested;
        /// otherwise the result of AccessMask.IsAccessGranted when AllowPartialAccess is set,
        /// or AccessMask.IsAllAccessGranted when it is not.
        /// </returns>
        private protected bool IsAccessGranted(AccessMask granted_access, AccessMask access_rights)
        {
            // An empty grant is decided by AllowEmptyAccess alone, before the filter is
            // looked at, so denied objects are reported only on explicit opt-in.
            if (granted_access.IsEmpty)
            {
                return AllowEmptyAccess;
            }

            // With no filter, any non-empty grant is reported.
            if (access_rights.IsEmpty)
            {
                return true;
            }

            // Partial mode uses the looser IsAccessGranted test; the default requires the full mask.
            return AllowPartialAccess
                ? granted_access.IsAccessGranted(access_rights)
                : granted_access.IsAllAccessGranted(access_rights);
        }
        /// <summary>
        /// Decides whether a computed granted access satisfies the access the caller asked to filter on.
        /// </summary>
        /// <param name="granted_access">The access granted by the access check.</param>
        /// <param name="access_rights">The access requested as a filter; empty means no filter.</param>
        /// <returns>
        /// False when nothing was granted; true when no filter was requested; otherwise the
        /// result of AccessMask.IsAllAccessGranted, or of AccessMask.IsAccessGranted when
        /// AllowPartialAccess is set.
        /// </returns>
        internal bool IsAccessGranted(AccessMask granted_access, AccessMask access_rights)
        {
            // An empty grant never matches, even when the filter is empty too.
            bool nothing_granted = granted_access.IsEmpty;
            if (nothing_granted)
            {
                return false;
            }

            // No filter requested: every non-empty grant is accepted.
            bool no_filter = access_rights.IsEmpty;
            if (no_filter)
            {
                return true;
            }

            // Strict mode is the default; the full requested mask must be present.
            if (!AllowPartialAccess)
            {
                return granted_access.IsAllAccessGranted(access_rights);
            }

            return granted_access.IsAccessGranted(access_rights);
        }
 /// <summary>
 /// Process record. Writes a single boolean whose meaning depends on the selected mode:
 /// the Empty switch, the "WriteRestricted" parameter set, the All switch, or the default
 /// comparison against the mask returned by GetAccessMask().
 /// </summary>
 protected override void ProcessRecord()
 {
     // Empty mode: report whether the supplied mask has no bits set.
     if (Empty)
     {
         WriteObject(AccessMask.IsEmpty);
         return;
     }

     if (ParameterSetName == "WriteRestricted")
     {
         GenericMapping std_map = NtSecurity.StandardAccessMapping;

         // For each mapping, keep the GenericWrite bits that are not also part of
         // GenericRead or GenericExecute.
         var std_write_only = std_map.GenericWrite & ~(std_map.GenericRead | std_map.GenericExecute);
         var custom_write_only = WriteRestricted.GenericWrite & ~(WriteRestricted.GenericRead | WriteRestricted.GenericExecute);

         // NOTE(review): nothing in this branch reads AccessMask, so the value written depends
         // only on the standard mapping and WriteRestricted - confirm whether the supplied mask
         // was meant to be intersected with these write-only bits before testing IsEmpty.
         WriteObject((std_write_only | custom_write_only).IsEmpty);
         return;
     }

     // All mode uses IsAllAccessGranted; the default mode uses IsAccessGranted.
     if (All)
     {
         WriteObject(AccessMask.IsAllAccessGranted(GetAccessMask()));
     }
     else
     {
         WriteObject(AccessMask.IsAccessGranted(GetAccessMask()));
     }
 }