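//
// Modifies the SACL
//
// Applies 'modification' for 'rule' to the descriptor's system ACL. A missing
// SACL is created on demand for Add/Set/Reset; for the Remove* modifications a
// missing SACL means there is nothing to do and 'modified' is reported false.
// Returns whether the SACL changed; the same value is written to 'modified'
// and OR-ed into AuditRulesModified. Throws ArgumentOutOfRangeException for an
// unknown modification and InvalidOperationException if RemoveAll removes
// nothing (the SACL was present but held no audit ACE for the identity).
//
private bool ModifyAudit(AccessControlModification modification, ObjectAuditRule rule, out bool modified)
{
    bool result = true;

    if (_securityDescriptor.SystemAcl == null)
    {
        // No SACL at all: a removal is a no-op, not an error.
        if (modification == AccessControlModification.Remove ||
            modification == AccessControlModification.RemoveAll ||
            modification == AccessControlModification.RemoveSpecific)
        {
            modified = false;
            return result;
        }

        _securityDescriptor.AddSystemAcl(GenericAcl.AclRevisionDS, 1);
    }
    else if ((modification == AccessControlModification.Add ||
              modification == AccessControlModification.Set ||
              modification == AccessControlModification.Reset) &&
             (rule.ObjectFlags != ObjectAceFlags.None))
    {
        //
        // This will result in an object ace being added to the sacl, so the sacl revision must be AclRevisionDS
        //
        if (_securityDescriptor.SystemAcl.Revision < GenericAcl.AclRevisionDS)
        {
            //
            // we need to create a new sacl with the same aces as the existing one but the revision should be AclRevisionDS
            //
            byte[] binaryForm = new byte[_securityDescriptor.SystemAcl.BinaryLength];
            _securityDescriptor.SystemAcl.GetBinaryForm(binaryForm, 0);
            binaryForm[0] = GenericAcl.AclRevisionDS; // revision is the first byte of the binary form
            _securityDescriptor.SystemAcl = new SystemAcl(IsContainer, IsDS, new RawAcl(binaryForm, 0));
        }
    }

    // Direct cast rather than 'as': an identity that does not translate to a
    // SID is a caller error and should fail here, not reach the ACL as null.
    SecurityIdentifier sid = (SecurityIdentifier)rule.IdentityReference.Translate(typeof(SecurityIdentifier));

    switch (modification)
    {
        case AccessControlModification.Add:
            _securityDescriptor.SystemAcl.AddAudit(sid, rule);
            break;

        case AccessControlModification.Set:
            _securityDescriptor.SystemAcl.SetAudit(sid, rule);
            break;

        case AccessControlModification.Reset:
            // Same removal as RemoveAll below, then the new rule is set; the
            // removal result is deliberately ignored here.
            _securityDescriptor.SystemAcl.RemoveAudit(AuditFlags.Failure | AuditFlags.Success, sid, -1, InheritanceFlags.ContainerInherit, 0, ObjectAceFlags.None, Guid.Empty, Guid.Empty);
            _securityDescriptor.SystemAcl.SetAudit(sid, rule);
            break;

        case AccessControlModification.Remove:
            result = _securityDescriptor.SystemAcl.RemoveAudit(sid, rule);
            break;

        case AccessControlModification.RemoveAll:
            result = _securityDescriptor.SystemAcl.RemoveAudit(AuditFlags.Failure | AuditFlags.Success, sid, -1, InheritanceFlags.ContainerInherit, 0, ObjectAceFlags.None, Guid.Empty, Guid.Empty);
            if (!result)
            {
                // A specific exception type instead of bare Exception so callers
                // can distinguish this from unexpected failures.
                Debug.Assert(false, "Invalid operation");
                throw new InvalidOperationException("Invalid operation");
            }
            break;

        case AccessControlModification.RemoveSpecific:
            _securityDescriptor.SystemAcl.RemoveAuditSpecific(sid, rule);
            break;

        default:
            throw new ArgumentOutOfRangeException(nameof(modification), SR.ArgumentOutOfRange_Enum);
    }

    modified = result;
    AuditRulesModified |= modified;
    return result;
}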