projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
[NTOSKRNL] Rewrite/fix our UUID generation implementation
[reactos.git] / ntoskrnl / include / internal / se.h
1 #pragma once
2
3 typedef struct _KNOWN_ACE
4 {
5 ACE_HEADER Header;
6 ACCESS_MASK Mask;
7 ULONG SidStart;
8 } KNOWN_ACE, *PKNOWN_ACE;
9
10 typedef struct _KNOWN_OBJECT_ACE
11 {
12 ACE_HEADER Header;
13 ACCESS_MASK Mask;
14 ULONG Flags;
15 ULONG SidStart;
16 } KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;
17
18 typedef struct _KNOWN_COMPOUND_ACE
19 {
20 ACE_HEADER Header;
21 ACCESS_MASK Mask;
22 USHORT CompoundAceType;
23 USHORT Reserved;
24 ULONG SidStart;
25 } KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;
26
27 FORCEINLINE
28 PSID
29 SepGetGroupFromDescriptor(PVOID _Descriptor)
30 {
31 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
32 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
33
34 if (Descriptor->Control & SE_SELF_RELATIVE)
35 {
36 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
37 if (!SdRel->Group) return NULL;
38 return (PSID)((ULONG_PTR)Descriptor + SdRel->Group);
39 }
40 else
41 {
42 return Descriptor->Group;
43 }
44 }
45
46 FORCEINLINE
47 PSID
48 SepGetOwnerFromDescriptor(PVOID _Descriptor)
49 {
50 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
51 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
52
53 if (Descriptor->Control & SE_SELF_RELATIVE)
54 {
55 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
56 if (!SdRel->Owner) return NULL;
57 return (PSID)((ULONG_PTR)Descriptor + SdRel->Owner);
58 }
59 else
60 {
61 return Descriptor->Owner;
62 }
63 }
64
65 FORCEINLINE
66 PACL
67 SepGetDaclFromDescriptor(PVOID _Descriptor)
68 {
69 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
70 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
71
72 if (!(Descriptor->Control & SE_DACL_PRESENT)) return NULL;
73
74 if (Descriptor->Control & SE_SELF_RELATIVE)
75 {
76 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
77 if (!SdRel->Dacl) return NULL;
78 return (PACL)((ULONG_PTR)Descriptor + SdRel->Dacl);
79 }
80 else
81 {
82 return Descriptor->Dacl;
83 }
84 }
85
86 FORCEINLINE
87 PACL
88 SepGetSaclFromDescriptor(PVOID _Descriptor)
89 {
90 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
91 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
92
93 if (!(Descriptor->Control & SE_SACL_PRESENT)) return NULL;
94
95 if (Descriptor->Control & SE_SELF_RELATIVE)
96 {
97 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
98 if (!SdRel->Sacl) return NULL;
99 return (PACL)((ULONG_PTR)Descriptor + SdRel->Sacl);
100 }
101 else
102 {
103 return Descriptor->Sacl;
104 }
105 }
106
107 #ifndef RTL_H
108
109 /* SID Authorities */
110 extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
111 extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
112 extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
113 extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
114 extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;
115
116 /* SIDs */
117 extern PSID SeNullSid;
118 extern PSID SeWorldSid;
119 extern PSID SeLocalSid;
120 extern PSID SeCreatorOwnerSid;
121 extern PSID SeCreatorGroupSid;
122 extern PSID SeCreatorOwnerServerSid;
123 extern PSID SeCreatorGroupServerSid;
124 extern PSID SeNtAuthoritySid;
125 extern PSID SeDialupSid;
126 extern PSID SeNetworkSid;
127 extern PSID SeBatchSid;
128 extern PSID SeInteractiveSid;
129 extern PSID SeServiceSid;
130 extern PSID SeAnonymousLogonSid;
131 extern PSID SePrincipalSelfSid;
132 extern PSID SeLocalSystemSid;
133 extern PSID SeAuthenticatedUserSid;
134 extern PSID SeRestrictedCodeSid;
135 extern PSID SeAliasAdminsSid;
136 extern PSID SeAliasUsersSid;
137 extern PSID SeAliasGuestsSid;
138 extern PSID SeAliasPowerUsersSid;
139 extern PSID SeAliasAccountOpsSid;
140 extern PSID SeAliasSystemOpsSid;
141 extern PSID SeAliasPrintOpsSid;
142 extern PSID SeAliasBackupOpsSid;
143 extern PSID SeAuthenticatedUsersSid;
144 extern PSID SeRestrictedSid;
145 extern PSID SeAnonymousLogonSid;
146 extern PSID SeLocalServiceSid;
147 extern PSID SeNetworkServiceSid;
148
149 /* Privileges */
150 extern const LUID SeCreateTokenPrivilege;
151 extern const LUID SeAssignPrimaryTokenPrivilege;
152 extern const LUID SeLockMemoryPrivilege;
153 extern const LUID SeIncreaseQuotaPrivilege;
154 extern const LUID SeUnsolicitedInputPrivilege;
155 extern const LUID SeTcbPrivilege;
156 extern const LUID SeSecurityPrivilege;
157 extern const LUID SeTakeOwnershipPrivilege;
158 extern const LUID SeLoadDriverPrivilege;
159 extern const LUID SeSystemProfilePrivilege;
160 extern const LUID SeSystemtimePrivilege;
161 extern const LUID SeProfileSingleProcessPrivilege;
162 extern const LUID SeIncreaseBasePriorityPrivilege;
163 extern const LUID SeCreatePagefilePrivilege;
164 extern const LUID SeCreatePermanentPrivilege;
165 extern const LUID SeBackupPrivilege;
166 extern const LUID SeRestorePrivilege;
167 extern const LUID SeShutdownPrivilege;
168 extern const LUID SeDebugPrivilege;
169 extern const LUID SeAuditPrivilege;
170 extern const LUID SeSystemEnvironmentPrivilege;
171 extern const LUID SeChangeNotifyPrivilege;
172 extern const LUID SeRemoteShutdownPrivilege;
173 extern const LUID SeUndockPrivilege;
174 extern const LUID SeSyncAgentPrivilege;
175 extern const LUID SeEnableDelegationPrivilege;
176 extern const LUID SeManageVolumePrivilege;
177 extern const LUID SeImpersonatePrivilege;
178 extern const LUID SeCreateGlobalPrivilege;
179 extern const LUID SeTrustedCredmanPrivilege;
180 extern const LUID SeRelabelPrivilege;
181 extern const LUID SeIncreaseWorkingSetPrivilege;
182 extern const LUID SeTimeZonePrivilege;
183 extern const LUID SeCreateSymbolicLinkPrivilege;
184
185 /* DACLs */
186 extern PACL SePublicDefaultUnrestrictedDacl;
187 extern PACL SePublicOpenDacl;
188 extern PACL SePublicOpenUnrestrictedDacl;
189 extern PACL SeUnrestrictedDacl;
190
191 /* SDs */
192 extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
193 extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
194 extern PSECURITY_DESCRIPTOR SePublicOpenSd;
195 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
196 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
197 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
198
199
200 #define SepAcquireTokenLockExclusive(Token) \
201 { \
202 KeEnterCriticalRegion(); \
203 ExAcquireResourceExclusiveLite(((PTOKEN)Token)->TokenLock, TRUE); \
204 }
205 #define SepAcquireTokenLockShared(Token) \
206 { \
207 KeEnterCriticalRegion(); \
208 ExAcquireResourceSharedLite(((PTOKEN)Token)->TokenLock, TRUE); \
209 }
210
211 #define SepReleaseTokenLock(Token) \
212 { \
213 ExReleaseResourceLite(((PTOKEN)Token)->TokenLock); \
214 KeLeaveCriticalRegion(); \
215 }
216
217 //
218 // Token Functions
219 //
220 BOOLEAN
221 NTAPI
222 SepTokenIsOwner(
223 IN PACCESS_TOKEN _Token,
224 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
225 IN BOOLEAN TokenLocked
226 );
227
228 BOOLEAN
229 NTAPI
230 SepSidInToken(
231 IN PACCESS_TOKEN _Token,
232 IN PSID Sid
233 );
234
235 BOOLEAN
236 NTAPI
237 SepSidInTokenEx(
238 IN PACCESS_TOKEN _Token,
239 IN PSID PrincipalSelfSid,
240 IN PSID _Sid,
241 IN BOOLEAN Deny,
242 IN BOOLEAN Restricted
243 );
244
245 /* Functions */
246 INIT_FUNCTION
247 BOOLEAN
248 NTAPI
249 SeInitSystem(VOID);
250
251 INIT_FUNCTION
252 VOID
253 NTAPI
254 SepInitPrivileges(VOID);
255
256 INIT_FUNCTION
257 BOOLEAN
258 NTAPI
259 SepInitSecurityIDs(VOID);
260
261 INIT_FUNCTION
262 BOOLEAN
263 NTAPI
264 SepInitDACLs(VOID);
265
266 INIT_FUNCTION
267 BOOLEAN
268 NTAPI
269 SepInitSDs(VOID);
270
271 BOOLEAN
272 NTAPI
273 SeRmInitPhase0(VOID);
274
275 BOOLEAN
276 NTAPI
277 SeRmInitPhase1(VOID);
278
279 VOID
280 NTAPI
281 SeDeassignPrimaryToken(struct _EPROCESS *Process);
282
283 NTSTATUS
284 NTAPI
285 SeSubProcessToken(
286 IN PTOKEN Parent,
287 OUT PTOKEN *Token,
288 IN BOOLEAN InUse,
289 IN ULONG SessionId
290 );
291
292 NTSTATUS
293 NTAPI
294 SeInitializeProcessAuditName(
295 IN PFILE_OBJECT FileObject,
296 IN BOOLEAN DoAudit,
297 OUT POBJECT_NAME_INFORMATION *AuditInfo
298 );
299
300 NTSTATUS
301 NTAPI
302 SeCreateAccessStateEx(
303 IN PETHREAD Thread,
304 IN PEPROCESS Process,
305 IN OUT PACCESS_STATE AccessState,
306 IN PAUX_ACCESS_DATA AuxData,
307 IN ACCESS_MASK Access,
308 IN PGENERIC_MAPPING GenericMapping
309 );
310
311 NTSTATUS
312 NTAPI
313 SeIsTokenChild(
314 IN PTOKEN Token,
315 OUT PBOOLEAN IsChild
316 );
317
318 NTSTATUS
319 NTAPI
320 SeIsTokenSibling(
321 IN PTOKEN Token,
322 OUT PBOOLEAN IsSibling
323 );
324
325 NTSTATUS
326 NTAPI
327 SepCreateImpersonationTokenDacl(
328 _In_ PTOKEN Token,
329 _In_ PTOKEN PrimaryToken,
330 _Out_ PACL* Dacl
331 );
332
333 INIT_FUNCTION
334 VOID
335 NTAPI
336 SepInitializeTokenImplementation(VOID);
337
338 PTOKEN
339 NTAPI
340 SepCreateSystemProcessToken(VOID);
341
342 BOOLEAN
343 NTAPI
344 SeDetailedAuditingWithToken(IN PTOKEN Token);
345
346 VOID
347 NTAPI
348 SeAuditProcessExit(IN PEPROCESS Process);
349
350 VOID
351 NTAPI
352 SeAuditProcessCreate(IN PEPROCESS Process);
353
354 NTSTATUS
355 NTAPI
356 SeExchangePrimaryToken(
357 _In_ PEPROCESS Process,
358 _In_ PACCESS_TOKEN NewAccessToken,
359 _Out_ PACCESS_TOKEN* OldAccessToken
360 );
361
362 VOID
363 NTAPI
364 SeCaptureSubjectContextEx(
365 IN PETHREAD Thread,
366 IN PEPROCESS Process,
367 OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
368 );
369
370 NTSTATUS
371 NTAPI
372 SeCaptureLuidAndAttributesArray(
373 PLUID_AND_ATTRIBUTES Src,
374 ULONG PrivilegeCount,
375 KPROCESSOR_MODE PreviousMode,
376 PLUID_AND_ATTRIBUTES AllocatedMem,
377 ULONG AllocatedLength,
378 POOL_TYPE PoolType,
379 BOOLEAN CaptureIfKernel,
380 PLUID_AND_ATTRIBUTES* Dest,
381 PULONG Length
382 );
383
384 VOID
385 NTAPI
386 SeReleaseLuidAndAttributesArray(
387 PLUID_AND_ATTRIBUTES Privilege,
388 KPROCESSOR_MODE PreviousMode,
389 BOOLEAN CaptureIfKernel
390 );
391
392 BOOLEAN
393 NTAPI
394 SepPrivilegeCheck(
395 PTOKEN Token,
396 PLUID_AND_ATTRIBUTES Privileges,
397 ULONG PrivilegeCount,
398 ULONG PrivilegeControl,
399 KPROCESSOR_MODE PreviousMode
400 );
401
402 NTSTATUS
403 NTAPI
404 SePrivilegePolicyCheck(
405 _Inout_ PACCESS_MASK DesiredAccess,
406 _Inout_ PACCESS_MASK GrantedAccess,
407 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
408 _In_ PTOKEN Token,
409 _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
410 _In_ KPROCESSOR_MODE PreviousMode);
411
412 BOOLEAN
413 NTAPI
414 SeCheckPrivilegedObject(
415 IN LUID PrivilegeValue,
416 IN HANDLE ObjectHandle,
417 IN ACCESS_MASK DesiredAccess,
418 IN KPROCESSOR_MODE PreviousMode
419 );
420
421 NTSTATUS
422 NTAPI
423 SepDuplicateToken(
424 _In_ PTOKEN Token,
425 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
426 _In_ BOOLEAN EffectiveOnly,
427 _In_ TOKEN_TYPE TokenType,
428 _In_ SECURITY_IMPERSONATION_LEVEL Level,
429 _In_ KPROCESSOR_MODE PreviousMode,
430 _Out_ PTOKEN* NewAccessToken
431 );
432
433 NTSTATUS
434 NTAPI
435 SepCaptureSecurityQualityOfService(
436 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
437 IN KPROCESSOR_MODE AccessMode,
438 IN POOL_TYPE PoolType,
439 IN BOOLEAN CaptureIfKernel,
440 OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
441 OUT PBOOLEAN Present
442 );
443
444 VOID
445 NTAPI
446 SepReleaseSecurityQualityOfService(
447 IN PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService OPTIONAL,
448 IN KPROCESSOR_MODE AccessMode,
449 IN BOOLEAN CaptureIfKernel
450 );
451
452 NTSTATUS
453 NTAPI
454 SepCaptureSid(
455 IN PSID InputSid,
456 IN KPROCESSOR_MODE AccessMode,
457 IN POOL_TYPE PoolType,
458 IN BOOLEAN CaptureIfKernel,
459 OUT PSID *CapturedSid
460 );
461
462 VOID
463 NTAPI
464 SepReleaseSid(
465 IN PSID CapturedSid,
466 IN KPROCESSOR_MODE AccessMode,
467 IN BOOLEAN CaptureIfKernel
468 );
469
470 NTSTATUS
471 NTAPI
472 SeCaptureSidAndAttributesArray(
473 _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
474 _In_ ULONG AttributeCount,
475 _In_ KPROCESSOR_MODE PreviousMode,
476 _In_opt_ PVOID AllocatedMem,
477 _In_ ULONG AllocatedLength,
478 _In_ POOL_TYPE PoolType,
479 _In_ BOOLEAN CaptureIfKernel,
480 _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
481 _Out_ PULONG ResultLength);
482
483 VOID
484 NTAPI
485 SeReleaseSidAndAttributesArray(
486 _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
487 _In_ KPROCESSOR_MODE AccessMode,
488 _In_ BOOLEAN CaptureIfKernel);
489
490 NTSTATUS
491 NTAPI
492 SeComputeQuotaInformationSize(
493 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
494 _Out_ PULONG QuotaInfoSize);
495
496 NTSTATUS
497 NTAPI
498 SepCaptureAcl(
499 IN PACL InputAcl,
500 IN KPROCESSOR_MODE AccessMode,
501 IN POOL_TYPE PoolType,
502 IN BOOLEAN CaptureIfKernel,
503 OUT PACL *CapturedAcl
504 );
505
506 VOID
507 NTAPI
508 SepReleaseAcl(
509 IN PACL CapturedAcl,
510 IN KPROCESSOR_MODE AccessMode,
511 IN BOOLEAN CaptureIfKernel
512 );
513
514 NTSTATUS
515 SepPropagateAcl(
516 _Out_writes_bytes_opt_(DaclLength) PACL AclDest,
517 _Inout_ PULONG AclLength,
518 _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
519 _In_ PSID Owner,
520 _In_ PSID Group,
521 _In_ BOOLEAN IsInherited,
522 _In_ BOOLEAN IsDirectoryObject,
523 _In_ PGENERIC_MAPPING GenericMapping);
524
525 PACL
526 SepSelectAcl(
527 _In_opt_ PACL ExplicitAcl,
528 _In_ BOOLEAN ExplicitPresent,
529 _In_ BOOLEAN ExplicitDefaulted,
530 _In_opt_ PACL ParentAcl,
531 _In_opt_ PACL DefaultAcl,
532 _Out_ PULONG AclLength,
533 _In_ PSID Owner,
534 _In_ PSID Group,
535 _Out_ PBOOLEAN AclPresent,
536 _Out_ PBOOLEAN IsInherited,
537 _In_ BOOLEAN IsDirectoryObject,
538 _In_ PGENERIC_MAPPING GenericMapping);
539
540 NTSTATUS
541 NTAPI
542 SeDefaultObjectMethod(
543 PVOID Object,
544 SECURITY_OPERATION_CODE OperationType,
545 PSECURITY_INFORMATION SecurityInformation,
546 PSECURITY_DESCRIPTOR NewSecurityDescriptor,
547 PULONG ReturnLength,
548 PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
549 POOL_TYPE PoolType,
550 PGENERIC_MAPPING GenericMapping
551 );
552
553 NTSTATUS
554 NTAPI
555 SeSetWorldSecurityDescriptor(
556 SECURITY_INFORMATION SecurityInformation,
557 PISECURITY_DESCRIPTOR SecurityDescriptor,
558 PULONG BufferLength
559 );
560
561 NTSTATUS
562 NTAPI
563 SeCopyClientToken(
564 IN PACCESS_TOKEN Token,
565 IN SECURITY_IMPERSONATION_LEVEL Level,
566 IN KPROCESSOR_MODE PreviousMode,
567 OUT PACCESS_TOKEN* NewToken
568 );
569
570 VOID NTAPI
571 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
572 OUT PACCESS_MASK DesiredAccess);
573
574 VOID NTAPI
575 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
576 OUT PACCESS_MASK DesiredAccess);
577
578 BOOLEAN
579 NTAPI
580 SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
581 IN PACCESS_STATE AccessState,
582 IN ACCESS_MASK DesiredAccess,
583 IN KPROCESSOR_MODE AccessMode);
584
585 BOOLEAN
586 NTAPI
587 SeCheckAuditPrivilege(
588 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
589 _In_ KPROCESSOR_MODE PreviousMode);
590
591 VOID
592 NTAPI
593 SePrivilegedServiceAuditAlarm(
594 _In_opt_ PUNICODE_STRING ServiceName,
595 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
596 _In_ PPRIVILEGE_SET PrivilegeSet,
597 _In_ BOOLEAN AccessGranted);
598
599 NTSTATUS
600 SepRmReferenceLogonSession(
601 PLUID LogonLuid);
602
603 NTSTATUS
604 SepRmDereferenceLogonSession(
605 PLUID LogonLuid);
606
607 #endif
608
609 /* EOF */
A free Windows-compatible Operating System