Add "uint32_t access_granted" to policy handles

All policy handles have a mask of allowed operations attached that were
calculated at creation time, so they should carry this mask. This is the basis
for consolidating all our policy handle access checks.

If you want to do your own more complicated access checks further down, just
pass "0" to policy_handle_find.

1 files changed, 12 insertions, 7 deletions

diff --git a/source3/include/proto.h b/source3/include/proto.h
index b99588f717..fa60e6de09 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -5885,16 +5885,21 @@ bool close_policy_hnd(pipes_struct *p, struct policy_handle *hnd);
 void close_policy_by_pipe(pipes_struct *p);
 bool pipe_access_check(pipes_struct *p);
 
-NTSTATUS _policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
-			       void *pdata, size_t size, const char *name);
-#define policy_handle_create(_p, _hnd, _ptr, _type) \
-	_policy_handle_create((_p), (_hnd), (_ptr), sizeof(_type), #_type)
+void *_policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
+			    uint32_t access_granted, size_t data_size,
+			    const char *type, NTSTATUS *pstatus);
+#define policy_handle_create(_p, _hnd, _access, _type, _pstatus) \
+	(_type *)_policy_handle_create((_p), (_hnd), (_access), sizeof(_type), #_type, \
+				       (_pstatus))
 
 void *_policy_handle_find(struct pipes_struct *p,
 			  const struct policy_handle *hnd,
-			  const char *type);
-#define policy_handle_find(_p, _hnd, _type) \
-	(_type *)_policy_handle_find((_p), (_hnd), #_type)
+			  uint32_t access_required, uint32_t *paccess_granted,
+			  const char *name, const char *location,
+			  NTSTATUS *pstatus);
+#define policy_handle_find(_p, _hnd, _access_required, _access_granted, _type, _pstatus) \
+	(_type *)_policy_handle_find((_p), (_hnd), (_access_required), \
+				     (_access_granted), #_type, __location__, (_pstatus))
 
 
 /* The following definitions come from rpc_server/srv_pipe.c  */