Added dissection for Dynamic Access Control (DAC) specific ACEs.
These are Conditional ACEs, System Resource Attribute ACEs and System
Scoped Policy ID ACEs.
A Condition ACE must be one of the following types:
ACE_TYPE_ACCESS_ALLOWED_CALLBACK
ACE_TYPE_ACCESS_DENIED_CALLBACK
ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT
ACE_TYPE_ACCESS_DENIED_CALLBACK_OBJECT
ACE_TYPE_SYSTEM_AUDIT_CALLBACK
ACE_TYPE_SYSTEM_AUDIT_CALLBACK_OBJECT
Such an ACE may include a conditional expression (that will, if
present, be evaluated to determine whether or not the ACE allows or
denies access). If a conditional expression is present the ACE data
will start with the string "artx". The remainder of the ACE data will
be the conditional expression which is simply a list of tokens
(see MS-DTYP for details of each token type). With this change,
filter "nt.ace.cond" can be used to find packets containing one or
more Conditional ACEs and their details are dissected.
A System Resource Attribute ACE has a name, value type and a list of
values. The value types are: INT64, UINT64, STRING, SID, BOOLEAN and
OCTET_STRING (i.e. binary data). With this change, filter "nt.ace.sra"
can be used to find packets containing one or more System Resource
Attribute ACEs and their details are dissected.
System Scoped Policy ID is simply a new ACE type and it does not
require any new dissection. The SID associated with a System Scoped
Policy ID ACE will start with S-1-17 and identifies the "Central
Access Policy" that should be used.
John Bankier