* advapi32.cc (InitializeAcl): Remove.

	(AddAce): Remove.
	(FindFirstFreeAce): Remove.
	(GetAce): Remove.
	(InitializeSecurityDescriptor): Remove.
	(OpenProcessToken): Remove.
	* dcrt0.cc: Replace above functions throughout with their ntdll.dll
	equivalent.
	* fhandler_tty.cc: Ditto.
	* flock.cc: Ditto.
	* pinfo.cc: Ditto.  Drop unnecessary error handling.
	* sec_acl.cc: Ditto.
	* sec_auth.cc: Ditto.
	* sec_helper.cc: Ditto.
	* security.cc: Ditto.

10 files changed, 65 insertions, 98 deletions

diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 831579620..1f0c1b588 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,12 +1,30 @@
 2011-04-28  Corinna Vinschen  <corinna@vinschen.de>
 
+	* advapi32.cc (InitializeAcl): Remove.
+	(AddAce): Remove.
+	(FindFirstFreeAce): Remove.
+	(GetAce): Remove.
+	(InitializeSecurityDescriptor): Remove.
+	(OpenProcessToken): Remove.
+	* dcrt0.cc: Replace above functions throughout with their ntdll.dll
+	equivalent.
+	* fhandler_tty.cc: Ditto.
+	* flock.cc: Ditto.
+	* pinfo.cc: Ditto.  Drop unnecessary error handling.
+	* sec_acl.cc: Ditto.
+	* sec_auth.cc: Ditto.
+	* sec_helper.cc: Ditto.
+	* security.cc: Ditto.
+
+2011-04-28  Corinna Vinschen  <corinna@vinschen.de>
+
 	* advapi32.cc (InitializeSid): Remove.
 	(EqualPrefixSid): Remove.
 	(GetLengthSid): Remove.
 	(GetSidSubAuthority): Remove.
 	(GetSidSubAuthorityCount): Remove.
 	(GetSidIdentifierAuthority): Remove.
-	* fhandler_disk_file.cc: Remove above functions throughout with their
+	* fhandler_disk_file.cc: Replace above functions throughout with their
 	ntdll.dll equivalent.
 	* sec_auth.cc: Ditto.
 	* sec_helper.cc: Ditto.
diff --git a/winsup/cygwin/advapi32.cc b/winsup/cygwin/advapi32.cc
index 70ab4c0b1..7ee92e6a1 100644
--- a/winsup/cygwin/advapi32.cc
+++ b/winsup/cygwin/advapi32.cc
@@ -54,13 +54,6 @@ CopySid (DWORD len, PSID dest, PSID src)
 }
 
 BOOL WINAPI
-InitializeAcl (PACL acl, DWORD len, DWORD revision)
-{
-  NTSTATUS status = RtlCreateAcl (acl, len, revision);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
 AddAccessAllowedAce (PACL acl, DWORD revision, DWORD mask, PSID sid)
 {
   NTSTATUS status = RtlAddAccessAllowedAce (acl, revision, mask, sid);
@@ -75,34 +68,6 @@ AddAccessDeniedAce (PACL acl, DWORD revision, DWORD mask, PSID sid)
 }
 
 BOOL WINAPI
-AddAce (PACL acl, DWORD revision, DWORD index, LPVOID ace_list, DWORD len)
-{
-  NTSTATUS status = RtlAddAce (acl, revision, index, ace_list, len);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
-FindFirstFreeAce (PACL acl, LPVOID *ace)
-{
-  NTSTATUS status = RtlFirstFreeAce (acl, ace);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
-GetAce (PACL acl, DWORD index, LPVOID *ace)
-{
-  NTSTATUS status = RtlGetAce (acl, index, ace);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
-InitializeSecurityDescriptor (PSECURITY_DESCRIPTOR sd, DWORD revision)
-{
-  NTSTATUS status = RtlCreateSecurityDescriptor (sd, revision);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
 MakeSelfRelativeSD (PSECURITY_DESCRIPTOR abs_sd, PSECURITY_DESCRIPTOR rel_sd,
 		    LPDWORD len)
 {
@@ -157,13 +122,6 @@ SetSecurityDescriptorOwner (PSECURITY_DESCRIPTOR sd, PSID sid, BOOL def)
 }
 
 BOOL WINAPI
-OpenProcessToken (HANDLE process, DWORD access, PHANDLE tok)
-{
-  NTSTATUS status = NtOpenProcessToken (process, access, tok);
-  DEFAULT_NTSTATUS_TO_BOOL_RETURN
-}
-
-BOOL WINAPI
 OpenThreadToken (HANDLE thread, DWORD access, BOOL as_self, PHANDLE tok)
 {
   NTSTATUS status = NtOpenThreadToken (thread, access, as_self, tok);
diff --git a/winsup/cygwin/dcrt0.cc b/winsup/cygwin/dcrt0.cc
index 827441c33..3c33f8054 100644
--- a/winsup/cygwin/dcrt0.cc
+++ b/winsup/cygwin/dcrt0.cc
@@ -685,7 +685,7 @@ dll_crt0_0 ()
 		   GetCurrentProcess (), &hMainThread,
 		   0, false, DUPLICATE_SAME_ACCESS);
 
-  OpenProcessToken (GetCurrentProcess (), MAXIMUM_ALLOWED, &hProcToken);
+  NtOpenProcessToken (NtCurrentProcess (), MAXIMUM_ALLOWED, &hProcToken);
   set_cygwin_privileges (hProcToken);
 
   device::init ();
diff --git a/winsup/cygwin/fhandler_tty.cc b/winsup/cygwin/fhandler_tty.cc
index 478397a54..20ab9598e 100644
--- a/winsup/cygwin/fhandler_tty.cc
+++ b/winsup/cygwin/fhandler_tty.cc
@@ -529,7 +529,7 @@ fhandler_tty_slave::open (int flags, mode_t)
     /* Create security attribute.  Default permissions are 0620. */
     security_descriptor sd;
     sd.malloc (sizeof (SECURITY_DESCRIPTOR));
-    InitializeSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
+    RtlCreateSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
     SECURITY_ATTRIBUTES sa = { sizeof (SECURITY_ATTRIBUTES), NULL, TRUE };
     if (!create_object_sd_from_attribute (NULL, myself->uid, myself->gid,
 					  S_IFCHR | S_IRUSR | S_IWUSR | S_IWGRP,
@@ -1305,7 +1305,7 @@ fhandler_tty_slave::fchmod (mode_t mode)
 	goto errout;
     }
   sd.malloc (sizeof (SECURITY_DESCRIPTOR));
-  InitializeSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
+  RtlCreateSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
   if (!get_object_attribute (input_available_event, &uid, &gid, NULL)
       && !create_object_sd_from_attribute (NULL, uid, gid, S_IFCHR | mode, sd))
     ret = fch_set_sd (sd, false);
@@ -1334,7 +1334,7 @@ fhandler_tty_slave::fchown (__uid32_t uid, __gid32_t gid)
 	goto errout;
     }
   sd.malloc (sizeof (SECURITY_DESCRIPTOR));
-  InitializeSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
+  RtlCreateSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
   if (!get_object_attribute (input_available_event, &o_uid, &o_gid, &mode))
     {
       if ((uid == ILLEGAL_UID || uid == o_uid)
@@ -1796,7 +1796,7 @@ fhandler_pty_master::setup (bool ispty)
 
   /* Create security attribute.  Default permissions are 0620. */
   sd.malloc (sizeof (SECURITY_DESCRIPTOR));
-  InitializeSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
+  RtlCreateSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION);
   if (!create_object_sd_from_attribute (NULL, myself->uid, myself->gid,
 					S_IFCHR | S_IRUSR | S_IWUSR | S_IWGRP,
 					sd))
diff --git a/winsup/cygwin/flock.cc b/winsup/cygwin/flock.cc
index c899361ff..16e2911a6 100644
--- a/winsup/cygwin/flock.cc
+++ b/winsup/cygwin/flock.cc
@@ -178,9 +178,10 @@ allow_others_to_sync ()
       return;
     }
   /* Set the size of the DACL correctly. */
-  if (!FindFirstFreeAce (dacl, &ace))
+  status = RtlFirstFreeAce (dacl, &ace);
+  if (!NT_SUCCESS (status))
     {
-      debug_printf ("FindFirstFreeAce: %lu", GetLastError ());
+      debug_printf ("RtlFirstFreeAce: %p", status);
       return;
     }
   dacl->AclSize = (char *) ace - (char *) dacl;
diff --git a/winsup/cygwin/pinfo.cc b/winsup/cygwin/pinfo.cc
index 91542b4d9..badee7074 100644
--- a/winsup/cygwin/pinfo.cc
+++ b/winsup/cygwin/pinfo.cc
@@ -350,9 +350,8 @@ pinfo::set_acl()
 
   sec_acl (acl_buf, true, true, cygheap->user.sid (),
 	   well_known_world_sid, FILE_MAP_READ);
-  if (!InitializeSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION))
-    debug_printf ("InitializeSecurityDescriptor %E");
-  else if (!SetSecurityDescriptorDacl (&sd, TRUE, acl_buf, FALSE))
+  RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
+  if (!SetSecurityDescriptorDacl (&sd, TRUE, acl_buf, FALSE))
     debug_printf ("SetSecurityDescriptorDacl %E");
   else if ((status = NtSetSecurityObject (h, DACL_SECURITY_INFORMATION, &sd)))
     debug_printf ("NtSetSecurityObject %lx", status);
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index 2a1802420..48012e267 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -21,6 +21,7 @@ details. */
 #include "fhandler.h"
 #include "dtable.h"
 #include "cygheap.h"
+#include "ntdll.h"
 #include "pwdgrp.h"
 #include "tls_pbuf.h"
 
@@ -68,11 +69,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
 
   /* Initialize local security descriptor. */
   SECURITY_DESCRIPTOR sd;
-  if (!InitializeSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION))
-    {
-      __seterrno ();
-      return -1;
-    }
+  RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
   if (!SetSecurityDescriptorOwner (&sd, owner, FALSE))
     {
       __seterrno ();
@@ -94,11 +91,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
   struct __group32 *gr;
   int pos;
 
-  if (!InitializeAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION))
-    {
-      __seterrno ();
-      return -1;
-    }
+  RtlCreateAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION);
 
   writable = false;
 
@@ -332,7 +325,7 @@ getacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp)
 	{
 	  ACCESS_ALLOWED_ACE *ace;
 
-	  if (!GetAce (acl, i, (PVOID *) &ace))
+	  if (!NT_SUCCESS (RtlGetAce (acl, i, (PVOID *) &ace)))
 	    continue;
 
 	  cygpsid ace_sid ((PSID) &ace->SidStart);
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index f2dd26da5..c0c605e02 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -1019,7 +1019,7 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
 	  + RtlLengthSid (well_known_admins_sid)
 	  + RtlLengthSid (well_known_system_sid);
   dacl = (PACL) alloca (dsize);
-  if (!InitializeAcl (dacl, dsize, ACL_REVISION))
+  if (!NT_SUCCESS (RtlCreateAcl (dacl, dsize, ACL_REVISION)))
     goto out;
   if (!AddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL, usersid))
     goto out;
diff --git a/winsup/cygwin/sec_helper.cc b/winsup/cygwin/sec_helper.cc
index 71fbd742c..6ce9ccc37 100644
--- a/winsup/cygwin/sec_helper.cc
+++ b/winsup/cygwin/sec_helper.cc
@@ -463,7 +463,7 @@ get_null_sd ()
 
   if (!null_sdp)
     {
-      InitializeSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
+      RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
       SetSecurityDescriptorDacl (&sd, TRUE, NULL, FALSE);
       null_sdp = &sd;
     }
@@ -488,6 +488,7 @@ init_global_security ()
 bool
 sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD access2)
 {
+  NTSTATUS status;
   size_t acl_len = MAX_DACL_LEN (5);
   LPVOID pAce;
   cygpsid psid;
@@ -496,9 +497,10 @@ sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD acces
   if ((unsigned long) acl % 4)
     api_fatal ("Incorrectly aligned incoming ACL buffer!");
 #endif
-  if (!InitializeAcl (acl, acl_len, ACL_REVISION))
+  status = RtlCreateAcl (acl, acl_len, ACL_REVISION);
+  if (!NT_SUCCESS (status))
     {
-      debug_printf ("InitializeAcl %E");
+      debug_printf ("RtlCreateAcl: %p", status);
       return false;
     }
   if (sid1)
@@ -521,11 +523,11 @@ sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD acces
   if (!AddAccessAllowedAce (acl, ACL_REVISION,
 			    GENERIC_ALL, well_known_system_sid))
     debug_printf ("AddAccessAllowedAce(system) %E");
-  FindFirstFreeAce (acl, &pAce);
-  if (pAce)
+  status = RtlFirstFreeAce (acl, &pAce);
+  if (NT_SUCCESS (status) && pAce)
     acl->AclSize = (char *) pAce - (char *) acl;
   else
-    debug_printf ("FindFirstFreeAce %E");
+    debug_printf ("RtlFirstFreeAce: %p", status);
 
   return true;
 }
@@ -545,8 +547,7 @@ __sec_user (PVOID sa_buf, PSID sid1, PSID sid2, DWORD access2, BOOL inherit)
   if (!sec_acl (acl, true, true, sid1, sid2, access2))
     return inherit ? &sec_none : &sec_none_nih;
 
-  if (!InitializeSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION))
-    debug_printf ("InitializeSecurityDescriptor %E");
+  RtlCreateSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);
 
 /*
  * Setting the owner lets the created security attribute not work
@@ -574,13 +575,14 @@ __sec_user (PVOID sa_buf, PSID sid1, PSID sid2, DWORD access2, BOOL inherit)
 PSECURITY_DESCRIPTOR
 _everyone_sd (void *buf, ACCESS_MASK access)
 {
+  NTSTATUS status;
   PSECURITY_DESCRIPTOR psd = (PSECURITY_DESCRIPTOR) buf;
 
   if (psd)
     {
-      InitializeSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);
+      RtlCreateSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);
       PACL dacl = (PACL) (psd + 1);
-      InitializeAcl (dacl, MAX_DACL_LEN (1), ACL_REVISION);
+      RtlCreateAcl (dacl, MAX_DACL_LEN (1), ACL_REVISION);
       if (!AddAccessAllowedAce (dacl, ACL_REVISION, access,
 				well_known_world_sid))
 	{
@@ -588,9 +590,10 @@ _everyone_sd (void *buf, ACCESS_MASK access)
 	  return NULL;
 	}
       LPVOID ace;
-      if (!FindFirstFreeAce (dacl, &ace))
+      status = RtlFirstFreeAce (dacl, &ace);
+      if (!NT_SUCCESS (status))
 	{
-	  debug_printf ("FindFirstFreeAce: %lu", GetLastError ());
+	  debug_printf ("RtlFirstFreeAce: %p", status);
 	  return NULL;
 	}
       dacl->AclSize = (char *) ace - (char *) dacl;
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 428c874a2..a72fb525a 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -139,7 +139,7 @@ get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd,
       if (NT_SUCCESS (RtlGetDaclSecurityDescriptor (sd, &exists, &dacl, &def))
 	  && exists && dacl)
 	for (ULONG idx = 0; idx < dacl->AceCount; ++idx)
-	  if (RtlGetAce (dacl, idx, (PVOID *) &ace)
+	  if (NT_SUCCESS (RtlGetAce (dacl, idx, (PVOID *) &ace))
 	      && (ace->Header.AceFlags & INHERITED_ACE))
 	    return 0;
       /* Otherwise, open the parent directory with READ_CONTROL... */
@@ -245,7 +245,7 @@ get_attribute_from_acl (mode_t *attribute, PACL acl, PSID owner_sid,
 
   for (DWORD i = 0; i < acl->AceCount; ++i)
     {
-      if (!GetAce (acl, i, (PVOID *) &ace))
+      if (!NT_SUCCESS (RtlGetAce (acl, i, (PVOID *) &ace)))
 	continue;
       if (ace->Header.AceFlags & INHERIT_ONLY_ACE)
 	continue;
@@ -472,7 +472,7 @@ add_access_allowed_ace (PACL acl, int offset, DWORD attributes,
       return false;
     }
   ACCESS_ALLOWED_ACE *ace;
-  if (inherit && GetAce (acl, offset, (PVOID *) &ace))
+  if (inherit && NT_SUCCESS (RtlGetAce (acl, offset, (PVOID *) &ace)))
     ace->Header.AceFlags |= inherit;
   len_add += sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + RtlLengthSid (sid);
   return true;
@@ -488,7 +488,7 @@ add_access_denied_ace (PACL acl, int offset, DWORD attributes,
       return false;
     }
   ACCESS_DENIED_ACE *ace;
-  if (inherit && GetAce (acl, offset, (PVOID *) &ace))
+  if (inherit && NT_SUCCESS (RtlGetAce (acl, offset, (PVOID *) &ace)))
     ace->Header.AceFlags |= inherit;
   len_add += sizeof (ACCESS_DENIED_ACE) - sizeof (DWORD) + RtlLengthSid (sid);
   return true;
@@ -544,11 +544,7 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
 
   /* Initialize local security descriptor. */
   SECURITY_DESCRIPTOR sd;
-  if (!InitializeSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION))
-    {
-      __seterrno ();
-      return NULL;
-    }
+  RtlCreateSecurityDescriptor (&sd, SECURITY_DESCRIPTOR_REVISION);
 
   /* We set the SE_DACL_PROTECTED flag here to prevent the DACL from being
      modified by inheritable ACEs. */
@@ -570,11 +566,7 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
 
   /* Initialize local access control list. */
   PACL acl = (PACL) tp.w_get ();
-  if (!InitializeAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION))
-    {
-      __seterrno ();
-      return NULL;
-    }
+  RtlCreateAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION);
 
   /* From here fill ACL. */
   size_t acl_len = sizeof (ACL);
@@ -713,10 +705,12 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
   PACL oacl;
   BOOL acl_exists = FALSE;
   ACCESS_ALLOWED_ACE *ace;
+  NTSTATUS status;
+
   if (GetSecurityDescriptorDacl (sd_ret, &acl_exists, &oacl, &dummy)
       && acl_exists && oacl)
     for (DWORD i = 0; i < oacl->AceCount; ++i)
-      if (GetAce (oacl, i, (PVOID *) &ace))
+      if (NT_SUCCESS (RtlGetAce (oacl, i, (PVOID *) &ace)))
 	{
 	  cygpsid ace_sid ((PSID) &ace->SidStart);
 
@@ -767,12 +761,13 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
 	   * behind the owner_deny, ACCESS_ALLOWED_ACE to the end.
 	   * FIXME: this would break the order of the inherit-only ACEs
 	   */
-	  if (!AddAce (acl, ACL_REVISION,
-		       ace->Header.AceType == ACCESS_DENIED_ACE_TYPE
-		       ?  (owner_deny ? 1 : 0) : MAXDWORD,
-		       (LPVOID) ace, ace->Header.AceSize))
+	  status = RtlAddAce (acl, ACL_REVISION,
+			      ace->Header.AceType == ACCESS_DENIED_ACE_TYPE
+			      ?  (owner_deny ? 1 : 0) : MAXDWORD,
+			      (LPVOID) ace, ace->Header.AceSize);
+	  if (!NT_SUCCESS (status))
 	    {
-	      __seterrno ();
+	      __seterrno_from_nt_status (status);
 	      return NULL;
 	    }
 	  ace_off++;
@@ -862,7 +857,7 @@ set_security_attribute (path_conv &pc, int attribute, PSECURITY_ATTRIBUTES psa,
 			security_descriptor &sd)
 {
   psa->lpSecurityDescriptor = sd.malloc (SECURITY_DESCRIPTOR_MIN_LENGTH);
-  InitializeSecurityDescriptor ((PSECURITY_DESCRIPTOR)psa->lpSecurityDescriptor,
+  RtlCreateSecurityDescriptor ((PSECURITY_DESCRIPTOR) psa->lpSecurityDescriptor,
 				SECURITY_DESCRIPTOR_REVISION);
   psa->lpSecurityDescriptor = alloc_sd (pc, geteuid32 (), getegid32 (),
 					attribute, sd);