nixos-config/config/games/wine/server-default_integrity/0007-ntdll-Elevate-processes-if-requested-in-RtlCreateUse.patch

From 20e95575948faec1eca2e88967e985539a512cd5 Mon Sep 17 00:00:00 2001
From: Zebediah Figura <z.figura12@gmail.com>
Date: Sun, 18 Apr 2021 17:46:44 -0500
Subject: [PATCH] ntdll: Elevate processes if requested in
 RtlCreateUserProcess().

Signed-off-by: Zebediah Figura <z.figura12@gmail.com>
---
 dlls/ntdll/process.c | 79 +++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 74 insertions(+), 5 deletions(-)

diff --git a/dlls/ntdll/process.c b/dlls/ntdll/process.c
index 160b1f549c9..fd437ea07d4 100644
--- a/dlls/ntdll/process.c
+++ b/dlls/ntdll/process.c
@@ -39,6 +39,9 @@
 WINE_DEFAULT_DEBUG_CHANNEL(process);
 
 
+/* we don't want to include winuser.h */
+#define CREATEPROCESS_MANIFEST_RESOURCE_ID ((ULONG_PTR)1)
+
 /******************************************************************************
  *  RtlGetCurrentPeb  [NTDLL.@]
  *
@@ -82,6 +85,63 @@ NTSTATUS WINAPI RtlWow64EnableFsRedirectionEx( ULONG disable, ULONG *old_value )
 }
 
 
+static BOOL image_needs_elevation( const UNICODE_STRING *path )
+{
+    ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION run_level;
+    UNICODE_STRING path0;
+    BOOL ret = FALSE;
+    HANDLE handle;
+    ACTCTXW ctx;
+
+    if (RtlDuplicateUnicodeString( 1, path, &path0 ))
+        return FALSE;
+
+    ctx.cbSize = sizeof(ctx);
+    ctx.dwFlags = ACTCTX_FLAG_RESOURCE_NAME_VALID;
+    ctx.lpSource = path0.Buffer;
+    ctx.lpResourceName = (const WCHAR *)CREATEPROCESS_MANIFEST_RESOURCE_ID;
+
+    if (RtlCreateActivationContext( &handle, &ctx ))
+    {
+        RtlFreeUnicodeString( &path0 );
+        return FALSE;
+    }
+
+    if (!RtlQueryInformationActivationContext( 0, handle, NULL, RunlevelInformationInActivationContext,
+                                               &run_level, sizeof(run_level), NULL ))
+    {
+        TRACE( "image requested run level %#x\n", run_level.RunLevel );
+        if (run_level.RunLevel == ACTCTX_RUN_LEVEL_HIGHEST_AVAILABLE
+                || run_level.RunLevel == ACTCTX_RUN_LEVEL_REQUIRE_ADMIN)
+            ret = TRUE;
+    }
+    RtlReleaseActivationContext( handle );
+    RtlFreeUnicodeString( &path0 );
+    return ret;
+}
+
+
+static HANDLE get_elevated_token(void)
+{
+    TOKEN_ELEVATION_TYPE type;
+    TOKEN_LINKED_TOKEN linked;
+    NTSTATUS status;
+
+    if ((status = NtQueryInformationToken( GetCurrentThreadEffectiveToken(),
+                                           TokenElevationType, &type, sizeof(type), NULL )))
+        return NULL;
+
+    if (type == TokenElevationTypeFull) return NULL;
+
+
+    if ((status = NtQueryInformationToken( GetCurrentThreadEffectiveToken(),
+                                           TokenLinkedToken, &linked, sizeof(linked), NULL )))
+        return NULL;
+
+    return linked.LinkedToken;
+}
+
+
 /**********************************************************************
  *           RtlWow64GetCurrentMachine  (NTDLL.@)
  */
@@ -294,8 +354,15 @@ NTSTATUS WINAPI RtlCreateUserProcess( UNICODE_STRING *path, ULONG attributes,
     PS_CREATE_INFO create_info;
     ULONG_PTR buffer[offsetof( PS_ATTRIBUTE_LIST, Attributes[6] ) / sizeof(ULONG_PTR)];
     PS_ATTRIBUTE_LIST *attr = (PS_ATTRIBUTE_LIST *)buffer;
+    HANDLE elevated_token = NULL;
+    NTSTATUS status;
     UINT pos = 0;
 
+    /* It's not clear whether we should use path or &params->ImagePathName here,
+     * but Roblox Player tries to pass an empty string for the latter. */
+    if (!token && image_needs_elevation( path ))
+        token = elevated_token = get_elevated_token();
+
     RtlNormalizeProcessParams( params );
 
     attr->Attributes[pos].Attribute    = PS_ATTRIBUTE_IMAGE_NAME;
@@ -342,11 +409,13 @@ NTSTATUS WINAPI RtlCreateUserProcess( UNICODE_STRING *path, ULONG attributes,
     InitializeObjectAttributes( &process_attr, NULL, 0, NULL, process_descr );
     InitializeObjectAttributes( &thread_attr, NULL, 0, NULL, thread_descr );
 
-    return NtCreateUserProcess( &info->Process, &info->Thread, PROCESS_ALL_ACCESS, THREAD_ALL_ACCESS,
-                                &process_attr, &thread_attr,
-                                inherit ? PROCESS_CREATE_FLAGS_INHERIT_HANDLES : 0,
-                                THREAD_CREATE_FLAGS_CREATE_SUSPENDED, params,
-                                &create_info, attr );
+    status = NtCreateUserProcess( &info->Process, &info->Thread, PROCESS_ALL_ACCESS, THREAD_ALL_ACCESS,
+                                  &process_attr, &thread_attr,
+                                  inherit ? PROCESS_CREATE_FLAGS_INHERIT_HANDLES : 0,
+                                  THREAD_CREATE_FLAGS_CREATE_SUSPENDED, params, &create_info, attr );
+
+    if (elevated_token) NtClose( elevated_token );
+    return status;
 }
 
 /***********************************************************************
-- 
2.32.0