projects / reactos.git / blob
? search:


619ff56d2472d578f5c5acaf49d7b13a26c32038
[reactos.git] / ntoskrnl / ps / security.c
1 /*
2 * PROJECT: ReactOS Kernel
3 * LICENSE: GPL - See COPYING in the top level directory
4 * FILE: ntoskrnl/ps/security.c
5 * PURPOSE: Process Manager: Process/Thread Security
6 * PROGRAMMERS: Alex Ionescu (alex.ionescu@reactos.org)
7 * Eric Kohl
8 * Thomas Weidenmueller (w3seek@reactos.org)
9 */
10
11 /* INCLUDES ******************************************************************/
12
13 #include <ntoskrnl.h>
14 #define NDEBUG
15 #include <debug.h>
16
17 PTOKEN PspBootAccessToken;
18
19 VOID
20 NTAPI
21 SeAssignPrimaryToken(
22 IN PEPROCESS Process,
23 IN PTOKEN Token
24 );
25
26 /* PRIVATE FUNCTIONS *********************************************************/
27
28 VOID
29 NTAPI
30 PspDeleteProcessSecurity(IN PEPROCESS Process)
31 {
32 PAGED_CODE();
33 PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
34
35 /* Check if we have a token */
36 if (Process->Token.Object)
37 {
38 /* Deassign it */
39 SeDeassignPrimaryToken(Process);
40 Process->Token.Object = NULL;
41 }
42 }
43
44 VOID
45 NTAPI
46 PspDeleteThreadSecurity(IN PETHREAD Thread)
47 {
48 PPS_IMPERSONATION_INFORMATION ImpersonationInfo = Thread->ImpersonationInfo;
49 PAGED_CODE();
50 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
51
52 /* Check if we have active impersonation info */
53 if (Thread->ActiveImpersonationInfo)
54 {
55 /* Dereference its token */
56 ObDereferenceObject(ImpersonationInfo->Token);
57 }
58
59 /* Check if we have impersonation info */
60 if (ImpersonationInfo)
61 {
62 /* Free it */
63 ExFreePool(ImpersonationInfo);
64 PspClearCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
65 Thread->ImpersonationInfo = NULL;
66 }
67 }
68
69 NTSTATUS
70 NTAPI
71 PspInitializeProcessSecurity(IN PEPROCESS Process,
72 IN PEPROCESS Parent OPTIONAL)
73 {
74 NTSTATUS Status = STATUS_SUCCESS;
75 PTOKEN NewToken, ParentToken;
76 PAGED_CODE();
77 PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
78
79 /* If we have a parent, then duplicate the Token */
80 if (Parent)
81 {
82 /* Get the Parent Token */
83 ParentToken = PsReferencePrimaryToken(Parent);
84
85 /* Duplicate it */
86 Status = SeSubProcessToken(ParentToken,
87 &NewToken,
88 TRUE,
89 MmGetSessionId(Process));
90
91 /* Dereference the Parent */
92 ObFastDereferenceObject(&Parent->Token, ParentToken);
93
94 /* Set the new Token */
95 if (NT_SUCCESS(Status))
96 {
97 /* Initailize the fast reference */
98 ObInitializeFastReference(&Process->Token, NewToken);
99 }
100 }
101 else
102 {
103 /* No parent, assign the Boot Token */
104 ObInitializeFastReference(&Process->Token, NULL);
105 SeAssignPrimaryToken(Process, PspBootAccessToken);
106 }
107
108 /* Return to caller */
109 return Status;
110 }
111
112 NTSTATUS
113 NTAPI
114 PspWriteTebImpersonationInfo(IN PETHREAD Thread,
115 IN PETHREAD CurrentThread)
116 {
117 PEPROCESS Process;
118 PTEB Teb;
119 BOOLEAN Attached = FALSE;
120 BOOLEAN IsImpersonating;
121 KAPC_STATE ApcState;
122 PAGED_CODE();
123 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
124
125 /* Sanity check */
126 ASSERT(CurrentThread == PsGetCurrentThread());
127
128 /* Get process and TEB */
129 Process = Thread->ThreadsProcess;
130 Teb = Thread->Tcb.Teb;
131 if (Teb)
132 {
133 /* Check if we're not in the right process */
134 if (Thread->Tcb.ApcState.Process != &Process->Pcb)
135 {
136 /* Attach to the process */
137 KeStackAttachProcess(&Process->Pcb, &ApcState);
138 Attached = TRUE;
139 }
140
141 /* Check if we're in a different thread or acquire rundown */
142 if ((Thread == CurrentThread) ||
143 (ExAcquireRundownProtection(&Thread->RundownProtect)))
144 {
145 /* Check if the thread is impersonating */
146 IsImpersonating = (BOOLEAN)Thread->ActiveImpersonationInfo;
147 if (IsImpersonating)
148 {
149 /* Set TEB data */
150 Teb->ImpersonationLocale = -1;
151 Teb->IsImpersonating = 1;
152 }
153 else
154 {
155 /* Set TEB data */
156 Teb->ImpersonationLocale = 0;
157 Teb->IsImpersonating = 0;
158 }
159 }
160
161 /* Check if we're in a different thread */
162 if (Thread != CurrentThread)
163 {
164 /* Release protection */
165 ExReleaseRundownProtection(&Thread->RundownProtect);
166 }
167
168 /* Detach */
169 if (Attached) KeUnstackDetachProcess(&ApcState);
170 }
171
172 /* Return to caller */
173 return STATUS_SUCCESS;
174 }
175
176 NTSTATUS
177 NTAPI
178 PspAssignPrimaryToken(IN PEPROCESS Process,
179 IN HANDLE Token,
180 IN PACCESS_TOKEN AccessToken OPTIONAL)
181 {
182 PACCESS_TOKEN NewToken = AccessToken, OldToken;
183 NTSTATUS Status;
184 PAGED_CODE();
185 PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
186
187 /* Check if we don't have a pointer */
188 if (!AccessToken)
189 {
190 /* Reference it from the handle */
191 Status = ObReferenceObjectByHandle(Token,
192 TOKEN_ASSIGN_PRIMARY,
193 SeTokenObjectType,
194 ExGetPreviousMode(),
195 &NewToken,
196 NULL);
197 if (!NT_SUCCESS(Status)) return Status;
198 }
199
200 /* Exchange tokens */
201 Status = SeExchangePrimaryToken(Process, NewToken, &OldToken);
202
203 /* Acquire and release the lock */
204 PspLockProcessSecurityExclusive(Process);
205 PspUnlockProcessSecurityExclusive(Process);
206
207 /* Dereference Tokens and Return */
208 if (NT_SUCCESS(Status)) ObDereferenceObject(OldToken);
209 if (!AccessToken) ObDereferenceObject(NewToken);
210 return Status;
211 }
212
213 NTSTATUS
214 NTAPI
215 PspSetPrimaryToken(IN PEPROCESS Process,
216 IN HANDLE TokenHandle OPTIONAL,
217 IN PACCESS_TOKEN Token OPTIONAL)
218 {
219 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
220 BOOLEAN IsChildOrSibling;
221 PACCESS_TOKEN NewToken = Token;
222 NTSTATUS Status, AccessStatus;
223 BOOLEAN Result, SdAllocated;
224 PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
225 SECURITY_SUBJECT_CONTEXT SubjectContext;
226
227 PSTRACE(PS_SECURITY_DEBUG, "Process: %p Token: %p\n", Process, Token);
228
229 /* Reference the token by handle if we don't already have a token object */
230 if (!Token)
231 {
232 Status = ObReferenceObjectByHandle(TokenHandle,
233 TOKEN_ASSIGN_PRIMARY,
234 SeTokenObjectType,
235 PreviousMode,
236 (PVOID*)&NewToken,
237 NULL);
238 if (!NT_SUCCESS(Status)) return Status;
239 }
240
241 /*
242 * Check whether this token is a child or sibling of the current process token.
243 * NOTE: On Windows Vista+ both of these checks (together with extra steps)
244 * are now performed by a new SeIsTokenAssignableToProcess() helper.
245 */
246 Status = SeIsTokenChild(NewToken, &IsChildOrSibling);
247 if (!NT_SUCCESS(Status))
248 {
249 /* Failed, dereference */
250 if (!Token) ObDereferenceObject(NewToken);
251 return Status;
252 }
253 if (!IsChildOrSibling)
254 {
255 Status = SeIsTokenSibling(NewToken, &IsChildOrSibling);
256 if (!NT_SUCCESS(Status))
257 {
258 /* Failed, dereference */
259 if (!Token) ObDereferenceObject(NewToken);
260 return Status;
261 }
262 }
263
264 /* Check if this was an independent token */
265 if (!IsChildOrSibling)
266 {
267 /* Make sure we have the privilege to assign a new one */
268 if (!SeSinglePrivilegeCheck(SeAssignPrimaryTokenPrivilege,
269 PreviousMode))
270 {
271 /* Failed, dereference */
272 if (!Token) ObDereferenceObject(NewToken);
273 return STATUS_PRIVILEGE_NOT_HELD;
274 }
275 }
276
277 /* Assign the token */
278 Status = PspAssignPrimaryToken(Process, NULL, NewToken);
279 if (NT_SUCCESS(Status))
280 {
281 /*
282 * We need to completely reverify if the process still has access to
283 * itself under this new token.
284 */
285 Status = ObGetObjectSecurity(Process,
286 &SecurityDescriptor,
287 &SdAllocated);
288 if (NT_SUCCESS(Status))
289 {
290 /* Setup the security context */
291 SubjectContext.ProcessAuditId = Process;
292 SubjectContext.PrimaryToken = PsReferencePrimaryToken(Process);
293 SubjectContext.ClientToken = NULL;
294
295 /* Do the access check */
296 Result = SeAccessCheck(SecurityDescriptor,
297 &SubjectContext,
298 FALSE,
299 MAXIMUM_ALLOWED,
300 0,
301 NULL,
302 &PsProcessType->TypeInfo.GenericMapping,
303 PreviousMode,
304 &Process->GrantedAccess,
305 &AccessStatus);
306
307 /* Dereference the token and let go the SD */
308 ObFastDereferenceObject(&Process->Token,
309 SubjectContext.PrimaryToken);
310 ObReleaseObjectSecurity(SecurityDescriptor, SdAllocated);
311
312 /* Remove access if it failed */
313 if (!Result) Process->GrantedAccess = 0;
314
315 /* Setup granted access */
316 Process->GrantedAccess |= (PROCESS_VM_OPERATION |
317 PROCESS_VM_READ |
318 PROCESS_VM_WRITE |
319 PROCESS_QUERY_INFORMATION |
320 PROCESS_TERMINATE |
321 PROCESS_CREATE_THREAD |
322 PROCESS_DUP_HANDLE |
323 PROCESS_CREATE_PROCESS |
324 PROCESS_SET_INFORMATION |
325 STANDARD_RIGHTS_ALL |
326 PROCESS_SET_QUOTA);
327 }
328
329 /*
330 * In case LUID device maps are enable, we may not be using
331 * system device map for this process, but a logon LUID based
332 * device map. Because we change primary token, this usage is
333 * no longer valid, so dereference the process device map
334 */
335 if (ObIsLUIDDeviceMapsEnabled()) ObDereferenceDeviceMap(Process);
336 }
337
338 /* Dereference the token */
339 if (!Token) ObDereferenceObject(NewToken);
340 return Status;
341 }
342
343 /* FUNCTIONS *****************************************************************/
344
345 /*
346 * @implemented
347 */
348 NTSTATUS
349 NTAPI
350 NtOpenProcessToken(IN HANDLE ProcessHandle,
351 IN ACCESS_MASK DesiredAccess,
352 OUT PHANDLE TokenHandle)
353 {
354 /* Call the newer API */
355 return NtOpenProcessTokenEx(ProcessHandle,
356 DesiredAccess,
357 0,
358 TokenHandle);
359 }
360
361 /*
362 * @implemented
363 */
364 NTSTATUS
365 NTAPI
366 NtOpenProcessTokenEx(IN HANDLE ProcessHandle,
367 IN ACCESS_MASK DesiredAccess,
368 IN ULONG HandleAttributes,
369 OUT PHANDLE TokenHandle)
370 {
371 PACCESS_TOKEN Token;
372 HANDLE hToken;
373 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
374 NTSTATUS Status;
375 PAGED_CODE();
376 PSTRACE(PS_SECURITY_DEBUG,
377 "Process: %p DesiredAccess: %lx\n", ProcessHandle, DesiredAccess);
378
379 /* Check if caller was user-mode */
380 if (PreviousMode != KernelMode)
381 {
382 /* Enter SEH for probing */
383 _SEH2_TRY
384 {
385 /* Probe the token handle */
386 ProbeForWriteHandle(TokenHandle);
387 }
388 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
389 {
390 /* Return the exception code */
391 _SEH2_YIELD(return _SEH2_GetExceptionCode());
392 }
393 _SEH2_END;
394 }
395
396 /* Validate object attributes */
397 HandleAttributes = ObpValidateAttributes(HandleAttributes, PreviousMode);
398
399 /* Open the process token */
400 Status = PsOpenTokenOfProcess(ProcessHandle, &Token);
401 if (NT_SUCCESS(Status))
402 {
403 /* Reference it by handle and dereference the pointer */
404 Status = ObOpenObjectByPointer(Token,
405 HandleAttributes,
406 NULL,
407 DesiredAccess,
408 SeTokenObjectType,
409 PreviousMode,
410 &hToken);
411 ObDereferenceObject(Token);
412
413 /* Make sure we got a handle */
414 if (NT_SUCCESS(Status))
415 {
416 /* Enter SEH for write */
417 _SEH2_TRY
418 {
419 /* Return the handle */
420 *TokenHandle = hToken;
421 }
422 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
423 {
424 /* Get exception code */
425 Status = _SEH2_GetExceptionCode();
426 }
427 _SEH2_END;
428 }
429 }
430
431 /* Return status */
432 return Status;
433 }
434
435 /*
436 * @implemented
437 */
438 PACCESS_TOKEN
439 NTAPI
440 PsReferencePrimaryToken(PEPROCESS Process)
441 {
442 PACCESS_TOKEN Token;
443 PAGED_CODE();
444 PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", Process);
445
446 /* Fast Reference the Token */
447 Token = ObFastReferenceObject(&Process->Token);
448
449 /* Check if we got the Token or if we got locked */
450 if (!Token)
451 {
452 /* Lock the Process */
453 PspLockProcessSecurityShared(Process);
454
455 /* Do a Locked Fast Reference */
456 Token = ObFastReferenceObjectLocked(&Process->Token);
457
458 /* Unlock the Process */
459 PspUnlockProcessSecurityShared(Process);
460 }
461
462 /* Return the Token */
463 return Token;
464 }
465
466 /*
467 * @implemented
468 */
469 NTSTATUS
470 NTAPI
471 PsOpenTokenOfProcess(IN HANDLE ProcessHandle,
472 OUT PACCESS_TOKEN* Token)
473 {
474 PEPROCESS Process;
475 NTSTATUS Status;
476 PAGED_CODE();
477 PSTRACE(PS_SECURITY_DEBUG, "Process: %p\n", ProcessHandle);
478
479 /* Get the Token */
480 Status = ObReferenceObjectByHandle(ProcessHandle,
481 PROCESS_QUERY_INFORMATION,
482 PsProcessType,
483 ExGetPreviousMode(),
484 (PVOID*)&Process,
485 NULL);
486 if (NT_SUCCESS(Status))
487 {
488 /* Reference the token and dereference the process */
489 *Token = PsReferencePrimaryToken(Process);
490 ObDereferenceObject(Process);
491 }
492
493 /* Return */
494 return Status;
495 }
496
497 /*
498 * @implemented
499 */
500 NTSTATUS
501 NTAPI
502 PsAssignImpersonationToken(IN PETHREAD Thread,
503 IN HANDLE TokenHandle)
504 {
505 PACCESS_TOKEN Token;
506 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
507 NTSTATUS Status;
508 PAGED_CODE();
509 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p Token: %p\n", Thread, TokenHandle);
510
511 /* Check if we were given a handle */
512 if (!TokenHandle)
513 {
514 /* Undo impersonation */
515 PsRevertThreadToSelf(Thread);
516 return STATUS_SUCCESS;
517 }
518
519 /* Get the token object */
520 Status = ObReferenceObjectByHandle(TokenHandle,
521 TOKEN_IMPERSONATE,
522 SeTokenObjectType,
523 KeGetPreviousMode(),
524 (PVOID*)&Token,
525 NULL);
526 if (!NT_SUCCESS(Status)) return(Status);
527
528 /* Make sure it's an impersonation token */
529 if (SeTokenType(Token) != TokenImpersonation)
530 {
531 /* Fail */
532 ObDereferenceObject(Token);
533 return STATUS_BAD_TOKEN_TYPE;
534 }
535
536 /* Get the impersonation level */
537 ImpersonationLevel = SeTokenImpersonationLevel(Token);
538
539 /* Call the impersonation API */
540 Status = PsImpersonateClient(Thread,
541 Token,
542 FALSE,
543 FALSE,
544 ImpersonationLevel);
545
546 /* Dereference the token and return status */
547 ObDereferenceObject(Token);
548 return Status;
549 }
550
551 /*
552 * @implemented
553 */
554 VOID
555 NTAPI
556 PsRevertToSelf(VOID)
557 {
558 /* Call the per-thread API */
559 PAGED_CODE();
560 PsRevertThreadToSelf(PsGetCurrentThread());
561 }
562
563 /*
564 * @implemented
565 */
566 VOID
567 NTAPI
568 PsRevertThreadToSelf(IN PETHREAD Thread)
569 {
570 PTOKEN Token = NULL;
571 PAGED_CODE();
572 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
573
574 /* Make sure we had impersonation information */
575 if (Thread->ActiveImpersonationInfo)
576 {
577 /* Lock the thread security */
578 PspLockThreadSecurityExclusive(Thread);
579
580 /* Make sure it's still active */
581 if (Thread->ActiveImpersonationInfo)
582 {
583 /* Disable impersonation */
584 PspClearCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
585
586 /* Get the token */
587 Token = Thread->ImpersonationInfo->Token;
588 }
589
590 /* Release thread security */
591 PspUnlockThreadSecurityExclusive(Thread);
592
593 /* Check if we had a token */
594 if (Token)
595 {
596 /* Dereference the impersonation token */
597 ObDereferenceObject(Token);
598
599 /* Write impersonation info to the TEB */
600 PspWriteTebImpersonationInfo(Thread, PsGetCurrentThread());
601 }
602 }
603 }
604
605 /*
606 * @implemented
607 */
608 NTSTATUS
609 NTAPI
610 PsImpersonateClient(IN PETHREAD Thread,
611 IN PACCESS_TOKEN Token,
612 IN BOOLEAN CopyOnOpen,
613 IN BOOLEAN EffectiveOnly,
614 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
615 {
616 PPS_IMPERSONATION_INFORMATION Impersonation, OldData;
617 PTOKEN OldToken = NULL;
618 PAGED_CODE();
619 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p, Token: %p\n", Thread, Token);
620
621 /* Check if we don't have a token */
622 if (!Token)
623 {
624 /* Make sure we're impersonating */
625 if (Thread->ActiveImpersonationInfo)
626 {
627 /* We seem to be, lock the thread */
628 PspLockThreadSecurityExclusive(Thread);
629
630 /* Make sure we're still impersonating */
631 if (Thread->ActiveImpersonationInfo)
632 {
633 /* Disable impersonation */
634 PspClearCrossThreadFlag(Thread,
635 CT_ACTIVE_IMPERSONATION_INFO_BIT);
636
637 /* Get the token */
638 OldToken = Thread->ImpersonationInfo->Token;
639 }
640
641 /* Unlock the process and write TEB information */
642 PspUnlockThreadSecurityExclusive(Thread);
643 PspWriteTebImpersonationInfo(Thread, PsGetCurrentThread());
644 }
645 }
646 else
647 {
648 /* Check if we have impersonation info */
649 Impersonation = Thread->ImpersonationInfo;
650 if (!Impersonation)
651 {
652 /* We need to allocate a new one */
653 Impersonation = ExAllocatePoolWithTag(PagedPool,
654 sizeof(*Impersonation),
655 TAG_PS_IMPERSONATION);
656 if (!Impersonation) return STATUS_INSUFFICIENT_RESOURCES;
657
658 /* Update the pointer */
659 OldData = InterlockedCompareExchangePointer((PVOID*)&Thread->
660 ImpersonationInfo,
661 Impersonation,
662 NULL);
663 if (OldData)
664 {
665 /* Someone beat us to it, free our copy */
666 ExFreePoolWithTag(Impersonation, TAG_PS_IMPERSONATION);
667 Impersonation = OldData;
668 }
669 }
670
671 /* Check if this is a job, which we don't support yet */
672 if (Thread->ThreadsProcess->Job) ASSERT(FALSE);
673
674 /* Lock thread security */
675 PspLockThreadSecurityExclusive(Thread);
676
677 /* Check if we're impersonating */
678 if (Thread->ActiveImpersonationInfo)
679 {
680 /* Get the token */
681 OldToken = Impersonation->Token;
682 }
683 else
684 {
685 /* Otherwise, enable impersonation */
686 PspSetCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
687 }
688
689 /* Now fill it out */
690 Impersonation->ImpersonationLevel = ImpersonationLevel;
691 Impersonation->CopyOnOpen = CopyOnOpen;
692 Impersonation->EffectiveOnly = EffectiveOnly;
693 Impersonation->Token = Token;
694 ObReferenceObject(Token);
695
696 /* Unlock the thread */
697 PspUnlockThreadSecurityExclusive(Thread);
698
699 /* Write impersonation info to the TEB */
700 PspWriteTebImpersonationInfo(Thread, PsGetCurrentThread());
701 }
702
703 /* Dereference the token and return success */
704 if (OldToken) PsDereferenceImpersonationToken(OldToken);
705 return STATUS_SUCCESS;
706 }
707
708 /*
709 * @implemented
710 */
711 PACCESS_TOKEN
712 NTAPI
713 PsReferenceEffectiveToken(IN PETHREAD Thread,
714 OUT IN PTOKEN_TYPE TokenType,
715 OUT PBOOLEAN EffectiveOnly,
716 OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
717 {
718 PEPROCESS Process;
719 PACCESS_TOKEN Token = NULL;
720
721 PAGED_CODE();
722
723 PSTRACE(PS_SECURITY_DEBUG,
724 "Thread: %p, TokenType: %p\n", Thread, TokenType);
725
726 /* Check if we don't have impersonation info */
727 Process = Thread->ThreadsProcess;
728 if (Thread->ActiveImpersonationInfo)
729 {
730 /* Lock the Process */
731 PspLockProcessSecurityShared(Process);
732
733 /* Make sure impersonation is still active */
734 if (Thread->ActiveImpersonationInfo)
735 {
736 /* Get the token */
737 Token = Thread->ImpersonationInfo->Token;
738 ObReferenceObject(Token);
739
740 /* Return data to caller */
741 *TokenType = TokenImpersonation;
742 *EffectiveOnly = Thread->ImpersonationInfo->EffectiveOnly;
743 *ImpersonationLevel = Thread->ImpersonationInfo->ImpersonationLevel;
744
745 /* Unlock the Process */
746 PspUnlockProcessSecurityShared(Process);
747 return Token;
748 }
749
750 /* Unlock the Process */
751 PspUnlockProcessSecurityShared(Process);
752 }
753
754 /* Fast Reference the Token */
755 Token = ObFastReferenceObject(&Process->Token);
756
757 /* Check if we got the Token or if we got locked */
758 if (!Token)
759 {
760 /* Lock the Process */
761 PspLockProcessSecurityShared(Process);
762
763 /* Do a Locked Fast Reference */
764 Token = ObFastReferenceObjectLocked(&Process->Token);
765
766 /* Unlock the Process */
767 PspUnlockProcessSecurityShared(Process);
768 }
769
770 /* Return the token */
771 *TokenType = TokenPrimary;
772 *EffectiveOnly = FALSE;
773 // NOTE: ImpersonationLevel is left untouched on purpose!
774 return Token;
775 }
776
777 /*
778 * @implemented
779 */
780 PACCESS_TOKEN
781 NTAPI
782 PsReferenceImpersonationToken(IN PETHREAD Thread,
783 OUT PBOOLEAN CopyOnOpen,
784 OUT PBOOLEAN EffectiveOnly,
785 OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
786 {
787 PTOKEN Token = NULL;
788 PAGED_CODE();
789 PSTRACE(PS_SECURITY_DEBUG, "Thread: %p\n", Thread);
790
791 /* If we don't have impersonation info, just quit */
792 if (!Thread->ActiveImpersonationInfo) return NULL;
793
794 /* Lock the thread */
795 PspLockThreadSecurityShared(Thread);
796
797 /* Make sure we still have active impersonation */
798 if (Thread->ActiveImpersonationInfo)
799 {
800 /* Return data from caller */
801 ObReferenceObject(Thread->ImpersonationInfo->Token);
802 *ImpersonationLevel = Thread->ImpersonationInfo->ImpersonationLevel;
803 *CopyOnOpen = Thread->ImpersonationInfo->CopyOnOpen;
804 *EffectiveOnly = Thread->ImpersonationInfo->EffectiveOnly;
805
806 /* Set the token */
807 Token = Thread->ImpersonationInfo->Token;
808 }
809
810 /* Unlock thread and return impersonation token */
811 PspUnlockThreadSecurityShared(Thread);
812 return Token;
813 }
814
815 #undef PsDereferenceImpersonationToken
816 /*
817 * @implemented
818 */
819 VOID
820 NTAPI
821 PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
822 {
823 PAGED_CODE();
824
825 /* If we got a token, dereference it */
826 if (ImpersonationToken) ObDereferenceObject(ImpersonationToken);
827 }
828
829 #undef PsDereferencePrimaryToken
830 /*
831 * @implemented
832 */
833 VOID
834 NTAPI
835 PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken)
836 {
837 PAGED_CODE();
838
839 /* Dereference the token*/
840 ObDereferenceObject(PrimaryToken);
841 }
842
843 /*
844 * @implemented
845 */
846 BOOLEAN
847 NTAPI
848 PsDisableImpersonation(IN PETHREAD Thread,
849 OUT PSE_IMPERSONATION_STATE ImpersonationState)
850 {
851 PPS_IMPERSONATION_INFORMATION Impersonation = NULL;
852 LONG OldFlags;
853 PAGED_CODE();
854 PSTRACE(PS_SECURITY_DEBUG,
855 "Thread: %p State: %p\n", Thread, ImpersonationState);
856
857 /* Check if we don't have impersonation */
858 if (Thread->ActiveImpersonationInfo)
859 {
860 /* Lock thread security */
861 PspLockThreadSecurityExclusive(Thread);
862
863 /* Disable impersonation */
864 OldFlags = PspClearCrossThreadFlag(Thread,
865 CT_ACTIVE_IMPERSONATION_INFO_BIT);
866
867 /* Make sure nobody disabled it behind our back */
868 if (OldFlags & CT_ACTIVE_IMPERSONATION_INFO_BIT)
869 {
870 /* Copy the old state */
871 Impersonation = Thread->ImpersonationInfo;
872 ImpersonationState->Token = Impersonation->Token;
873 ImpersonationState->CopyOnOpen = Impersonation->CopyOnOpen;
874 ImpersonationState->EffectiveOnly = Impersonation->EffectiveOnly;
875 ImpersonationState->Level = Impersonation->ImpersonationLevel;
876 }
877
878 /* Unlock thread security */
879 PspUnlockThreadSecurityExclusive(Thread);
880
881 /* If we had impersonation info, return true */
882 if (Impersonation) return TRUE;
883 }
884
885 /* Clear everything */
886 ImpersonationState->Token = NULL;
887 ImpersonationState->CopyOnOpen = FALSE;
888 ImpersonationState->EffectiveOnly = FALSE;
889 ImpersonationState->Level = SecurityAnonymous;
890 return FALSE;
891 }
892
893 /*
894 * @implemented
895 */
896 VOID
897 NTAPI
898 PsRestoreImpersonation(IN PETHREAD Thread,
899 IN PSE_IMPERSONATION_STATE ImpersonationState)
900 {
901 PTOKEN Token = NULL;
902 PPS_IMPERSONATION_INFORMATION Impersonation;
903 PAGED_CODE();
904 PSTRACE(PS_SECURITY_DEBUG,
905 "Thread: %p State: %p\n", Thread, ImpersonationState);
906
907 /* Lock thread security */
908 PspLockThreadSecurityExclusive(Thread);
909
910 /* Get the impersonation info */
911 Impersonation = Thread->ImpersonationInfo;
912
913 /* Check if we're impersonating */
914 if (Thread->ActiveImpersonationInfo)
915 {
916 /* Get the token */
917 Token = Impersonation->Token;
918 }
919
920 /* Check if we have an impersonation state */
921 if (ImpersonationState)
922 {
923 /* Fill out the impersonation info */
924 Impersonation->ImpersonationLevel = ImpersonationState->Level;
925 Impersonation->CopyOnOpen = ImpersonationState->CopyOnOpen;
926 Impersonation->EffectiveOnly = ImpersonationState->EffectiveOnly;
927 Impersonation->Token = ImpersonationState->Token;
928
929 /* Enable impersonation */
930 PspSetCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
931 }
932 else
933 {
934 /* Disable impersonation */
935 PspClearCrossThreadFlag(Thread, CT_ACTIVE_IMPERSONATION_INFO_BIT);
936 }
937
938 /* Unlock the thread */
939 PspUnlockThreadSecurityExclusive(Thread);
940
941 /* Dereference the token */
942 if (Token) ObDereferenceObject(Token);
943 }
944
945 NTSTATUS
946 NTAPI
947 NtImpersonateThread(IN HANDLE ThreadHandle,
948 IN HANDLE ThreadToImpersonateHandle,
949 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService)
950 {
951 SECURITY_QUALITY_OF_SERVICE SafeServiceQoS;
952 SECURITY_CLIENT_CONTEXT ClientContext;
953 PETHREAD Thread;
954 PETHREAD ThreadToImpersonate;
955 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
956 NTSTATUS Status;
957 PAGED_CODE();
958 PSTRACE(PS_SECURITY_DEBUG,
959 "Threads: %p %p\n", ThreadHandle, ThreadToImpersonateHandle);
960
961 /* Check if call came from user mode */
962 if (PreviousMode != KernelMode)
963 {
964 /* Enter SEH for probing */
965 _SEH2_TRY
966 {
967 /* Probe QoS */
968 ProbeForRead(SecurityQualityOfService,
969 sizeof(SECURITY_QUALITY_OF_SERVICE),
970 sizeof(ULONG));
971
972 /* Capture it */
973 SafeServiceQoS = *SecurityQualityOfService;
974 SecurityQualityOfService = &SafeServiceQoS;
975 }
976 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
977 {
978 /* Return the exception code */
979 _SEH2_YIELD(return _SEH2_GetExceptionCode());
980 }
981 _SEH2_END;
982 }
983
984 /* Reference the thread */
985 Status = ObReferenceObjectByHandle(ThreadHandle,
986 THREAD_DIRECT_IMPERSONATION,
987 PsThreadType,
988 PreviousMode,
989 (PVOID*)&Thread,
990 NULL);
991 if (NT_SUCCESS(Status))
992 {
993 /* Reference the impersonating thead */
994 Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle,
995 THREAD_IMPERSONATE,
996 PsThreadType,
997 PreviousMode,
998 (PVOID*)&ThreadToImpersonate,
999 NULL);
1000 if (NT_SUCCESS(Status))
1001 {
1002 /* Create a client security context */
1003 Status = SeCreateClientSecurity(ThreadToImpersonate,
1004 SecurityQualityOfService,
1005 0,
1006 &ClientContext);
1007 if (NT_SUCCESS(Status))
1008 {
1009 /* Do the impersonation */
1010 SeImpersonateClient(&ClientContext, Thread);
1011 if (ClientContext.ClientToken)
1012 {
1013 /* Dereference the client token if we had one */
1014 ObDereferenceObject(ClientContext.ClientToken);
1015 }
1016 }
1017
1018 /* Dereference the thread to impersonate */
1019 ObDereferenceObject(ThreadToImpersonate);
1020 }
1021
1022 /* Dereference the main thread */
1023 ObDereferenceObject(Thread);
1024 }
1025
1026 /* Return status */
1027 return Status;
1028 }
1029 /* EOF */
A free Windows-compatible Operating System