Add necessary permissions for packaged applications

m417z · janwilmans · commit 0de5b985157d · 2025-07-29T22:33:12.000+02:00
diff --git a/application/DebugViewppLib/DBWinReader.cpp b/application/DebugViewppLib/DBWinReader.cpp
@@ -43,14 +43,14 @@ DBWinReader::DBWinReader(Timer& timer, ILineBuffer& linebuffer, bool global) :
     SetDescription(global ? L"Global Win32 Messages" : L"Win32 Messages");
 
     //Option 1:
-    //Win32::AdjustObjectDACL(m_hBuffer.get());
-    //Win32::AdjustObjectDACL(m_dbWinBufferReady.get());
-    //Win32::AdjustObjectDACL(m_dbWinDataReady.get());
+    Win32::AdjustObjectDACL(m_hBuffer.get());
+    Win32::AdjustObjectDACL(m_dbWinBufferReady.get());
+    Win32::AdjustObjectDACL(m_dbWinDataReady.get());
 
     //Option 2:
-    Win32::DeleteObjectDACL(m_hBuffer.get());
-    Win32::DeleteObjectDACL(m_dbWinBufferReady.get());
-    Win32::DeleteObjectDACL(m_dbWinDataReady.get());
+    //Win32::DeleteObjectDACL(m_hBuffer.get());
+    //Win32::DeleteObjectDACL(m_dbWinBufferReady.get());
+    //Win32::DeleteObjectDACL(m_dbWinDataReady.get());
 
     // TODO(jan): Please test this and choose one
 
diff --git a/application/Win32Lib/Win32Lib.cpp b/application/Win32Lib/Win32Lib.cpp
@@ -307,6 +307,7 @@ void DeleteObjectDACL(HANDLE hObject)
 }
 
 //add necessary permissions for "Authenticated Users" group (all non-anonymous users)
+//and for "All Application Packages", "All Restricted Application Packages" for UWP support
 void AdjustObjectDACL(HANDLE hObject)
 {
     ACL* pOldDACL;
@@ -317,20 +318,41 @@ void AdjustObjectDACL(HANDLE hObject)
     SID_IDENTIFIER_AUTHORITY authNt = SECURITY_NT_AUTHORITY;
     AllocateAndInitializeSid(&authNt, 1, SECURITY_AUTHENTICATED_USER_RID, 0, 0, 0, 0, 0, 0, 0, &pSid);
 
-    EXPLICIT_ACCESS ea = {};
-    ea.grfAccessMode = GRANT_ACCESS;
-    ea.grfAccessPermissions = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE;
-    ea.grfInheritance = NO_INHERITANCE;
-    ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
-    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
-    ea.Trustee.ptstrName = static_cast<LPTSTR>(pSid);
+    PSID pAnyPackageSid = nullptr;
+    SID_IDENTIFIER_AUTHORITY SIDAuthAppPackage = SECURITY_APP_PACKAGE_AUTHORITY;
+    AllocateAndInitializeSid(&SIDAuthAppPackage, SECURITY_BUILTIN_APP_PACKAGE_RID_COUNT,
+        SECURITY_APP_PACKAGE_BASE_RID, SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE,
+        0, 0, 0, 0, 0, 0,
+        &pAnyPackageSid);
+
+    PSID pAnyRestrictedPackageSid = nullptr;
+    AllocateAndInitializeSid(&SIDAuthAppPackage, SECURITY_BUILTIN_APP_PACKAGE_RID_COUNT,
+        SECURITY_APP_PACKAGE_BASE_RID, SECURITY_BUILTIN_PACKAGE_ANY_RESTRICTED_PACKAGE,
+        0, 0, 0, 0, 0, 0,
+        &pAnyRestrictedPackageSid);
+
+    EXPLICIT_ACCESS ea[3] = {};
+    for (auto& item : ea)
+    {
+        item.grfAccessMode = GRANT_ACCESS;
+        item.grfAccessPermissions = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE;
+        item.grfInheritance = NO_INHERITANCE;
+        item.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
+        item.Trustee.TrusteeForm = TRUSTEE_IS_SID;
+    }
+
+    ea[0].Trustee.ptstrName = static_cast<LPTSTR>(pSid);
+    ea[1].Trustee.ptstrName = static_cast<LPTSTR>(pAnyPackageSid);
+    ea[2].Trustee.ptstrName = static_cast<LPTSTR>(pAnyRestrictedPackageSid);
 
     ACL* pNewDACL = nullptr;
-    SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
+    SetEntriesInAcl(std::size(ea), ea, pOldDACL, &pNewDACL);
 
     Win32::SetSecurityInfo(hObject, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nullptr, nullptr, pNewDACL, nullptr);
 
     FreeSid(pSid);
+    FreeSid(pAnyPackageSid);
+    FreeSid(pAnyRestrictedPackageSid);
     LocalFree(pNewDACL);
     LocalFree(pSD);
 }
