#include "pch.h" BOOL MyAccessCheck( IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, IN PACE_HEADER pAce, IN PVOID pArgs OPTIONAL, IN OUT PBOOL pbAceApplicable ) /*++ Routine Description This is a very trivial example of a callback access check routine. Here we randomly decide if the ACE applies to the given client context. Arguments hAuthzClientContext - handle to AuthzClientContext. pAce - pointer to Ace header. pArgs - optional arguments that can be used in evaluating the ACE. pbAceApplicable - returns the result of the evaluation. Return value Bool, true if ACE is applicable, false otherwise. --*/ { *pbAceApplicable = (BOOL) rand() % 2; return TRUE; } BOOL MyComputeDynamicGroups( IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, IN PVOID Args, OUT PSID_AND_ATTRIBUTES *pSidAttrArray, OUT PDWORD pSidCount, OUT PSID_AND_ATTRIBUTES *pRestrictedSidAttrArray, OUT PDWORD pRestrictedSidCount ) /*++ Routine Description Resource manager callback to compute dynamic groups. This is used by the RM to decide if the specified client context should be included in any RM defined groups. Arguments hAuthzClientContext - handle to client context. Args - optional parameter to pass information for evaluating group membership. pSidAttrArray - computed group membership SIDs pSidCount - count of SIDs pRestrictedSidAttrArray - computed group membership restricted SIDs pRestrictedSidCount - count of restricted SIDs Return Value Bool, true for success, false on failure. --*/ { ULONG Length = 0; if (Args == -1) { return TRUE; } *pSidCount = 2; *pRestrictedSidCount = 0; *pRestrictedSidAttrArray = 0; Length = RtlLengthSid((PSID) KedarSid); Length += RtlLengthSid((PSID) RahulSid); if (!(*pSidAttrArray = malloc(sizeof(SID_AND_ATTRIBUTES) * 2 + Length))) { SetLastError(ERROR_NOT_ENOUGH_MEMORY); return FALSE; } (*pSidAttrArray)[0].Attributes = SE_GROUP_ENABLED; (*pSidAttrArray)[0].Sid = ((PUCHAR) (*pSidAttrArray)) + 2 * sizeof(SID_AND_ATTRIBUTES); RtlCopySid(Length/2, (*pSidAttrArray)[0].Sid, (PSID) KedarSid); (*pSidAttrArray)[1].Attributes = SE_GROUP_USE_FOR_DENY_ONLY; (*pSidAttrArray)[1].Sid = ((PUCHAR) (*pSidAttrArray)) + 2 * sizeof(SID_AND_ATTRIBUTES) + Length/2; RtlCopySid(Length/2, (*pSidAttrArray)[1].Sid, (PSID) RahulSid); return TRUE; } VOID MyFreeDynamicGroups ( IN PSID_AND_ATTRIBUTES pSidAttrArray ) /*++ Routine Description Frees memory allocated for the dynamic group array. Arguments pSidAttrArray - array to free. Return Value None. --*/ { if (pSidAttrArray) free(pSidAttrArray); }