2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/audit.c
5 * PURPOSE: Audit functions
7 * PROGRAMMERS: Eric Kohl
8 * Timo Kreuzer (timo.kreuzer@reactos.org)
11 /* INCLUDES *******************************************************************/
17 #define SEP_PRIVILEGE_SET_MAX_COUNT 60
19 /* PRIVATE FUNCTIONS***********************************************************/
23 SeDetailedAuditingWithToken(IN PTOKEN Token
)
31 SeAuditProcessCreate(IN PEPROCESS Process
)
38 SeAuditProcessExit(IN PEPROCESS Process
)
/*
 * Builds the OBJECT_NAME_INFORMATION that is stored through *AuditInfo by
 * querying FileObject's name with ObQueryNameString.
 *
 * The buffer is allocated here with ExAllocatePoolWithTag from NonPagedPool
 * and is not freed on the success path visible in this listing, so ownership
 * appears to pass to whoever receives *AuditInfo.
 *
 * *AuditInfo is assigned whatever ObjectNameInfo holds at the end, including
 * NULL when the final check sets STATUS_NO_MEMORY, so the resulting Status
 * has to be tested before the pointer is dereferenced.
 *
 * NOTE(review): this listing omits source line 46. The call site in
 * SeLocateProcessImageName passes three arguments (FileObject, TRUE,
 * &AuditName), so a middle parameter is presumably declared there - confirm.
 */
45 SeInitializeProcessAuditName(IN PFILE_OBJECT FileObject
,
47 OUT POBJECT_NAME_INFORMATION
*AuditInfo
)
49 OBJECT_NAME_INFORMATION LocalNameInfo
;
50 POBJECT_NAME_INFORMATION ObjectNameInfo
= NULL
;
/*
 * NOTE(review): the initial value is the literal 8 while every later
 * comparison uses sizeof(LocalNameInfo). Presumably 8 is that size on a
 * 32-bit build; on other pointer widths the two differ - confirm.
 */
51 ULONG ReturnLength
= 8;
57 /* Check if we should do auditing */
/*
 * First query: the length passed is sizeof(LocalNameInfo), so this call can
 * only report how much space the name needs. The three status values tested
 * afterwards are the ones this code treats as "retry with a larger buffer".
 */
63 /* Now query the name */
64 Status
= ObQueryNameString(FileObject
,
66 sizeof(LocalNameInfo
),
/*
 * A ReturnLength equal to sizeof(LocalNameInfo) is excluded here and handled
 * by the fallback further down instead of by a sized allocation.
 */
68 if (((Status
== STATUS_BUFFER_OVERFLOW
) ||
69 (Status
== STATUS_BUFFER_TOO_SMALL
) ||
70 (Status
== STATUS_INFO_LENGTH_MISMATCH
)) &&
71 (ReturnLength
!= sizeof(LocalNameInfo
)))
/*
 * NOTE(review): the size and tag arguments of this allocation, and the
 * length given to the second query, are on lines the listing omits. The
 * second query must be bounded by the same length that was allocated -
 * confirm against the full file.
 */
73 /* Allocate required size */
74 ObjectNameInfo
= ExAllocatePoolWithTag(NonPagedPool
,
79 /* Query the name again */
80 Status
= ObQueryNameString(FileObject
,
/*
 * Fallback: taken only when a buffer exists and either the query failed or
 * the reported length equals sizeof(LocalNameInfo). The buffer is replaced
 * by a header-only OBJECT_NAME_INFORMATION that is zeroed, and Status is
 * forced to STATUS_SUCCESS.
 */
87 /* Check if we got here due to failure */
88 if ((ObjectNameInfo
) &&
89 (!(NT_SUCCESS(Status
)) || (ReturnLength
== sizeof(LocalNameInfo
))))
91 /* First, free any buffer we might've allocated */
93 if (ObjectNameInfo
) ExFreePool(ObjectNameInfo
);
95 /* Now allocate a temporary one */
96 ReturnLength
= sizeof(OBJECT_NAME_INFORMATION
);
97 ObjectNameInfo
= ExAllocatePoolWithTag(NonPagedPool
,
98 sizeof(OBJECT_NAME_INFORMATION
),
/*
 * NOTE(review): source lines 99-102 are not in this listing, so it cannot be
 * seen whether the zeroing below is guarded by a NULL check on the fresh
 * allocation - confirm. The NULL test that follows runs after this point.
 */
103 RtlZeroMemory(ObjectNameInfo
, ReturnLength
);
104 Status
= STATUS_SUCCESS
;
108 /* Check if memory allocation failed */
109 if (!ObjectNameInfo
) Status
= STATUS_NO_MEMORY
;
/* Stored unconditionally: the pointer is NULL when Status is STATUS_NO_MEMORY. */
111 /* Return the audit name */
112 *AuditInfo
= ObjectNameInfo
;
/*
 * Produces a separately allocated copy of the image name cached in
 * Process->SeAuditProcessCreationInfo.ImageFileName and stores it through
 * *ProcessImageName.
 *
 * *ProcessImageName is set to NULL first, so every early return leaves it
 * NULL. On the final path it points to a NonPagedPool allocation made here;
 * nothing in this function frees it, so the receiver is expected to.
 *
 * The cached name is read first; the code that follows obtains a file
 * object, builds the name with SeInitializeProcessAuditName and publishes
 * it on the process object.
 * NOTE(review): the condition guarding that block is on a line this
 * listing omits - presumably a NULL test on AuditName; confirm.
 */
120 SeLocateProcessImageName(IN PEPROCESS Process
,
121 OUT PUNICODE_STRING
*ProcessImageName
)
123 POBJECT_NAME_INFORMATION AuditName
;
124 PUNICODE_STRING ImageName
;
125 PFILE_OBJECT FileObject
;
126 NTSTATUS Status
= STATUS_SUCCESS
;
/* Fail-safe default for the out parameter before anything can return. */
131 *ProcessImageName
= NULL
;
133 /* Check if we have audit info */
134 AuditName
= Process
->SeAuditProcessCreationInfo
.ImageFileName
;
137 /* Get the file object */
138 Status
= PsReferenceProcessFilePointer(Process
, &FileObject
);
139 if (!NT_SUCCESS(Status
)) return Status
;
141 /* Initialize the audit structure */
142 Status
= SeInitializeProcessAuditName(FileObject
, TRUE
, &AuditName
);
143 if (NT_SUCCESS(Status
))
/*
 * The freshly built name is published with a compare-exchange on the
 * process field. When the exchange reports that another thread already
 * stored a name, the local copy is freed and the winner's value is re-read
 * further down. The comparand and exchange arguments are on omitted lines.
 */
146 if (InterlockedCompareExchangePointer((PVOID
*)&Process
->
147 SeAuditProcessCreationInfo
.ImageFileName
,
151 /* Someone beat us to it, deallocate our copy */
152 ExFreePool(AuditName
);
/*
 * The file object reference is dropped before Status is tested, so the
 * failure return below does not leak it.
 */
156 /* Dereference the file object */
157 ObDereferenceObject(FileObject
);
158 if (!NT_SUCCESS(Status
)) return Status
;
161 /* Get audit info again, now we have it for sure */
162 AuditName
= Process
->SeAuditProcessCreationInfo
.ImageFileName
;
/*
 * One allocation holds the UNICODE_STRING header followed by the character
 * data. MaximumLength is a USHORT, so adding sizeof(UNICODE_STRING) cannot
 * wrap. The same expression is evaluated again for the copy length below;
 * both reads of the cached MaximumLength have to agree.
 */
164 /* Allocate the output string */
165 ImageName
= ExAllocatePoolWithTag(NonPagedPool
,
166 AuditName
->Name
.MaximumLength
+
167 sizeof(UNICODE_STRING
),
169 if (!ImageName
) return STATUS_NO_MEMORY
;
/*
 * NOTE(review): the source pointer of this copy is on an omitted line,
 * presumably &AuditName->Name. Copying header plus MaximumLength bytes from
 * it assumes the characters sit directly after the header in the cached
 * allocation - confirm.
 */
171 /* Make a copy of it */
172 RtlCopyMemory(ImageName
,
174 AuditName
->Name
.MaximumLength
+ sizeof(UNICODE_STRING
));
/*
 * The copied Buffer field still holds the address taken from the cached
 * name. It is retargeted to the bytes right after the header in the new
 * allocation so the result does not alias memory owned by the process.
 */
176 /* Fix up the buffer */
177 ImageName
->Buffer
= (PWSTR
)(ImageName
+ 1);
180 *ProcessImageName
= ImageName
;
188 SepAdtCloseObjectAuditAlarm(
189 PUNICODE_STRING SubsystemName
,
198 SepAdtPrivilegedServiceAuditAlarm(
199 PSECURITY_SUBJECT_CONTEXT SubjectContext
,
200 _In_opt_ PUNICODE_STRING SubsystemName
,
201 _In_opt_ PUNICODE_STRING ServiceName
,
203 _In_ PTOKEN PrimaryToken
,
204 _In_ PPRIVILEGE_SET Privileges
,
205 _In_ BOOLEAN AccessGranted
)
/*
 * Common worker that the NtAccessCheck*AndAuditAlarm services in this file
 * forward to.
 *
 * Visible steps: validate AuditType, capture the subject context, validate
 * the impersonation state when no ClientToken was passed, derive the result
 * list length, probe the user-mode output arrays, copy the generic mapping,
 * release the subject context.
 *
 * NOTE(review): after the probes the code sets Status to STATUS_SUCCESS
 * under the comment "pretend everything else is ok". No access evaluation
 * and no audit record generation appear in this listing, so a success
 * return should not be read as an authorization decision - confirm against
 * the full file what is written to GrantedAccessList and AccessStatusList.
 */
210 _Must_inspect_result_
213 SepAccessCheckAndAuditAlarm(
214 _In_ PUNICODE_STRING SubsystemName
,
215 _In_opt_ PVOID HandleId
,
216 _In_ PHANDLE ClientToken
,
217 _In_ PUNICODE_STRING ObjectTypeName
,
218 _In_ PUNICODE_STRING ObjectName
,
219 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
220 _In_opt_ PSID PrincipalSelfSid
,
221 _In_ ACCESS_MASK DesiredAccess
,
222 _In_ AUDIT_EVENT_TYPE AuditType
,
224 _In_reads_opt_(ObjectTypeListLength
) POBJECT_TYPE_LIST ObjectTypeList
,
225 _In_ ULONG ObjectTypeListLength
,
226 _In_ PGENERIC_MAPPING GenericMapping
,
227 _Out_writes_(ObjectTypeListLength
) PACCESS_MASK GrantedAccessList
,
228 _Out_writes_(ObjectTypeListLength
) PNTSTATUS AccessStatusList
,
229 _Out_ PBOOLEAN GenerateOnClose
,
230 _In_ BOOLEAN UseResultList
)
232 SECURITY_SUBJECT_CONTEXT SubjectContext
;
233 ULONG ResultListLength
;
234 GENERIC_MAPPING LocalGenericMapping
;
/* The local mapping copy is filled below and marked as unreferenced here. */
238 DBG_UNREFERENCED_LOCAL_VARIABLE(LocalGenericMapping
);
/*
 * NOTE(review): this is an assertion, not a runtime check; if ASSERT is
 * compiled out in free builds (presumably - confirm), the probes further
 * down are the only validation of the caller's pointers.
 */
240 /* Only user mode is supported! */
241 ASSERT(ExGetPreviousMode() != KernelMode
);
/*
 * Rejected before the subject context is captured, so this return has
 * nothing to release.
 */
243 /* Validate AuditType */
244 if ((AuditType
!= AuditEventObjectAccess
) &&
245 (AuditType
!= AuditEventDirectoryServiceAccess
))
247 DPRINT1("Invalid audit type: %u\n", AuditType
);
248 return STATUS_INVALID_PARAMETER
;
251 /* Capture the security subject context */
252 SeCaptureSubjectContext(&SubjectContext
);
/*
 * Without an explicit token the call is only accepted when the thread is
 * impersonating at SecurityIdentification or above. What happens after each
 * Status assignment is on omitted lines; presumably control leaves through
 * the subject context release at the end - confirm.
 */
254 /* Did the caller pass a token handle? */
255 if (ClientToken
== NULL
)
257 /* Check if we have a token in the subject context */
258 if (SubjectContext
.ClientToken
== NULL
)
260 Status
= STATUS_NO_IMPERSONATION_TOKEN
;
264 /* Check if we have a valid impersonation level */
265 if (SubjectContext
.ImpersonationLevel
< SecurityIdentification
)
267 Status
= STATUS_BAD_IMPERSONATION_LEVEL
;
272 /* Are we using a result list? */
275 /* The list length equals the object type list length */
276 ResultListLength
= ObjectTypeListLength
;
/*
 * An empty list is rejected and the count is capped at 0x1000, which keeps
 * the ResultListLength * sizeof(...) products used by the probes below from
 * wrapping a ULONG.
 */
277 if ((ResultListLength
== 0) || (ResultListLength
> 0x1000))
279 Status
= STATUS_INVALID_PARAMETER
;
285 /* List length is 1 */
286 ResultListLength
= 1;
/*
 * Both output arrays are probed for ResultListLength elements with the
 * element size as alignment. The exception handler further down turns a
 * faulting probe into a status code; the opening of that guarded region is
 * on an omitted line.
 */
291 /* Probe output buffers */
292 ProbeForWrite(AccessStatusList
,
293 ResultListLength
* sizeof(*AccessStatusList
),
294 sizeof(*AccessStatusList
));
295 ProbeForWrite(GrantedAccessList
,
296 ResultListLength
* sizeof(*GrantedAccessList
),
297 sizeof(*GrantedAccessList
));
/*
 * The mapping is read from the caller's memory once and kept in a local, so
 * later use cannot observe a value changed by user mode after the probe.
 */
299 /* Probe generic mapping and make a local copy */
300 ProbeForRead(GenericMapping
, sizeof(*GenericMapping
), sizeof(ULONG
));
301 LocalGenericMapping
= * GenericMapping
;
303 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
305 Status
= _SEH2_GetExceptionCode();
/*
 * NOTE(review): placeholder result. Nothing visible here evaluates
 * SecurityDescriptor or DesiredAccess before success is reported.
 */
313 /* For now pretend everything else is ok */
314 Status
= STATUS_SUCCESS
;
/* Pairs with the SeCaptureSubjectContext call above. */
318 /* Release the security subject context */
319 SeReleaseSubjectContext(&SubjectContext
);
325 /* PUBLIC FUNCTIONS ***********************************************************/
332 SeAuditHardLinkCreation(IN PUNICODE_STRING FileName
,
333 IN PUNICODE_STRING LinkName
,
344 SeAuditingFileEvents(IN BOOLEAN AccessGranted
,
345 IN PSECURITY_DESCRIPTOR SecurityDescriptor
)
356 SeAuditingFileEventsWithContext(IN BOOLEAN AccessGranted
,
357 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
358 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
)
369 SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted
,
370 IN PSECURITY_DESCRIPTOR SecurityDescriptor
)
381 SeAuditingHardLinkEventsWithContext(IN BOOLEAN AccessGranted
,
382 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
383 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
)
394 SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted
,
395 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
396 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
)
407 SeCloseObjectAuditAlarm(IN PVOID Object
,
409 IN BOOLEAN PerformAction
)
418 SeDeleteObjectAuditAlarm(IN PVOID Object
,
/*
 * Open-object audit hook. The only behaviour visible in this listing is the
 * early return for kernel-mode access; the remaining path is marked
 * unimplemented by the original comment.
 *
 * NOTE(review): no write to *GenerateOnClose is visible, so callers should
 * not rely on it being set by this routine - confirm against the full file.
 * As shown, user-mode opens produce no audit record either.
 */
429 SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName
,
430 IN PVOID Object OPTIONAL
,
431 IN PUNICODE_STRING AbsoluteObjectName OPTIONAL
,
432 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
433 IN PACCESS_STATE AccessState
,
434 IN BOOLEAN ObjectCreated
,
435 IN BOOLEAN AccessGranted
,
436 IN KPROCESSOR_MODE AccessMode
,
437 OUT PBOOLEAN GenerateOnClose
)
441 /* Audits aren't done on kernel-mode access */
442 if (AccessMode
== KernelMode
) return;
444 /* Otherwise, unimplemented! */
453 SeOpenObjectForDeleteAuditAlarm(IN PUNICODE_STRING ObjectTypeName
,
454 IN PVOID Object OPTIONAL
,
455 IN PUNICODE_STRING AbsoluteObjectName OPTIONAL
,
456 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
457 IN PACCESS_STATE AccessState
,
458 IN BOOLEAN ObjectCreated
,
459 IN BOOLEAN AccessGranted
,
460 IN KPROCESSOR_MODE AccessMode
,
461 OUT PBOOLEAN GenerateOnClose
)
471 SePrivilegeObjectAuditAlarm(IN HANDLE Handle
,
472 IN PSECURITY_SUBJECT_CONTEXT SubjectContext
,
473 IN ACCESS_MASK DesiredAccess
,
474 IN PPRIVILEGE_SET Privileges
,
475 IN BOOLEAN AccessGranted
,
476 IN KPROCESSOR_MODE CurrentMode
)
481 /* SYSTEM CALLS ***************************************************************/
/*
 * System service that reports the close of an audited object.
 *
 * Visible steps: return early when GenerateOnClose is FALSE, require
 * SeAuditPrivilege for the previous mode, capture the subsystem name from
 * the caller, reference the impersonation token if the thread is
 * impersonating or the primary token otherwise, call
 * SepAdtCloseObjectAuditAlarm with the token's first user-and-groups SID,
 * then release the captured name and the token reference.
 */
485 NtCloseObjectAuditAlarm(
486 PUNICODE_STRING SubsystemName
,
488 BOOLEAN GenerateOnClose
)
490 UNICODE_STRING CapturedSubsystemName
;
491 KPROCESSOR_MODE PreviousMode
;
492 BOOLEAN UseImpersonationToken
;
493 PETHREAD CurrentThread
;
494 BOOLEAN CopyOnOpen
, EffectiveOnly
;
495 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
;
/*
 * NOTE(review): the kernel-mode exclusion is only asserted; presumably not
 * enforced in free builds - confirm.
 */
500 /* Get the previous mode (only user mode is supported!) */
501 PreviousMode
= ExGetPreviousMode();
502 ASSERT(PreviousMode
!= KernelMode
);
/*
 * This return comes before the privilege check, so a caller without
 * SeAuditPrivilege also receives STATUS_SUCCESS when no audit is requested.
 */
504 /* Do we even need to do anything? */
505 if (!GenerateOnClose
)
507 /* Nothing to do, return success */
508 return STATUS_SUCCESS
;
/* Checked against the previous mode, before any caller memory is read. */
511 /* Validate privilege */
512 if (!SeSinglePrivilegeCheck(SeAuditPrivilege
, PreviousMode
))
514 DPRINT1("Caller does not have SeAuditPrivilege\n");
515 return STATUS_PRIVILEGE_NOT_HELD
;
/*
 * The name is copied out of caller memory so the internal routine works on
 * a captured string. The statement that follows the failure message is on
 * an omitted line; presumably it returns Status - confirm.
 */
518 /* Probe and capture the subsystem name */
519 Status
= ProbeAndCaptureUnicodeString(&CapturedSubsystemName
,
522 if (!NT_SUCCESS(Status
))
524 DPRINT1("Failed to capture subsystem name!\n");
/*
 * UseImpersonationToken records which reference routine was used so the
 * matching dereference is chosen at the end.
 */
528 /* Get the current thread and check if it's impersonating */
529 CurrentThread
= PsGetCurrentThread();
530 if (PsIsThreadImpersonating(CurrentThread
))
532 /* Get the impersonation token */
533 Token
= PsReferenceImpersonationToken(CurrentThread
,
536 &ImpersonationLevel
);
537 UseImpersonationToken
= TRUE
;
541 /* Get the primary token */
542 Token
= PsReferencePrimaryToken(PsGetCurrentProcess());
543 UseImpersonationToken
= FALSE
;
/*
 * NOTE(review): Token is dereferenced here without a visible NULL check. If
 * the impersonation state can change between PsIsThreadImpersonating and
 * PsReferenceImpersonationToken, the latter may hand back NULL - confirm
 * and guard if so.
 */
546 /* Call the internal function */
547 SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName
,
549 Token
->UserAndGroups
->Sid
);
551 /* Release the captured subsystem name */
552 ReleaseCapturedUnicodeString(&CapturedSubsystemName
, PreviousMode
);
554 /* Check what token we used */
555 if (UseImpersonationToken
)
557 /* Release impersonation token */
558 PsDereferenceImpersonationToken(Token
);
562 /* Release primary token */
563 PsDereferencePrimaryToken(Token
);
566 return STATUS_SUCCESS
;
571 NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
573 IN BOOLEAN GenerateOnClose
)
576 return STATUS_NOT_IMPLEMENTED
;
581 NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
583 IN PUNICODE_STRING ObjectTypeName
,
584 IN PUNICODE_STRING ObjectName
,
585 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
586 IN HANDLE ClientToken
,
587 IN ULONG DesiredAccess
,
588 IN ULONG GrantedAccess
,
589 IN PPRIVILEGE_SET Privileges
,
590 IN BOOLEAN ObjectCreation
,
591 IN BOOLEAN AccessGranted
,
592 OUT PBOOLEAN GenerateOnClose
)
595 return STATUS_NOT_IMPLEMENTED
;
/*
 * System service that reports the use of privileges by a privileged service.
 *
 * Visible steps: reference the client token handle, reject an impersonation
 * token below SecurityIdentification, require SeAuditPrivilege, capture the
 * optional subsystem and service names, capture the caller's PRIVILEGE_SET
 * into a paged-pool buffer under exception handling, call
 * SepAdtPrivilegedServiceAuditAlarm with a captured subject context, then
 * release everything that was acquired.
 *
 * Each early return that is visible after the token was referenced
 * dereferences it first.
 */
602 NtPrivilegedServiceAuditAlarm(
603 _In_opt_ PUNICODE_STRING SubsystemName
,
604 _In_opt_ PUNICODE_STRING ServiceName
,
605 _In_ HANDLE ClientToken
,
606 _In_ PPRIVILEGE_SET Privileges
,
607 _In_ BOOLEAN AccessGranted
)
609 KPROCESSOR_MODE PreviousMode
;
/*
 * Starts as NULL so the cleanup code can tell whether a buffer was
 * allocated. Presumably volatile because it is assigned inside the
 * exception-guarded region and read after it - confirm.
 */
611 volatile PPRIVILEGE_SET CapturedPrivileges
= NULL
;
612 UNICODE_STRING CapturedSubsystemName
;
613 UNICODE_STRING CapturedServiceName
;
614 ULONG PrivilegeCount
, PrivilegesSize
;
615 SECURITY_SUBJECT_CONTEXT SubjectContext
;
/*
 * NOTE(review): the kernel-mode exclusion is only asserted; presumably not
 * enforced in free builds - confirm.
 */
619 /* Get the previous mode (only user mode is supported!) */
620 PreviousMode
= ExGetPreviousMode();
621 ASSERT(PreviousMode
!= KernelMode
);
/*
 * The access mask, object type and mode arguments of this call are on lines
 * the listing omits.
 */
623 /* Reference the client token */
624 Status
= ObReferenceObjectByHandle(ClientToken
,
630 if (!NT_SUCCESS(Status
))
632 DPRINT1("Failed to reference client token: 0x%lx\n", Status
);
/* Primary tokens pass; impersonation tokens need at least SecurityIdentification. */
636 /* Validate the token's impersonation level */
637 if ((Token
->TokenType
== TokenImpersonation
) &&
638 (Token
->ImpersonationLevel
< SecurityIdentification
))
640 DPRINT1("Invalid impersonation level (%u)\n", Token
->ImpersonationLevel
);
641 ObfDereferenceObject(Token
);
642 return STATUS_BAD_IMPERSONATION_LEVEL
;
/* The privilege is checked for the calling thread, not for ClientToken. */
645 /* Validate privilege */
646 if (!SeSinglePrivilegeCheck(SeAuditPrivilege
, PreviousMode
))
648 DPRINT1("Caller does not have SeAuditPrivilege\n");
649 ObfDereferenceObject(Token
);
650 return STATUS_PRIVILEGE_NOT_HELD
;
/*
 * Both names are optional and are captured only when the pointer is
 * non-NULL; the release calls at the end test the same pointers. The
 * failure handling after each message is on omitted lines.
 */
653 /* Do we have a subsystem name? */
654 if (SubsystemName
!= NULL
)
656 /* Probe and capture the subsystem name */
657 Status
= ProbeAndCaptureUnicodeString(&CapturedSubsystemName
,
660 if (!NT_SUCCESS(Status
))
662 DPRINT1("Failed to capture subsystem name!\n");
667 /* Do we have a service name? */
668 if (ServiceName
!= NULL
)
670 /* Probe and capture the service name */
671 Status
= ProbeAndCaptureUnicodeString(&CapturedServiceName
,
674 if (!NT_SUCCESS(Status
))
676 DPRINT1("Failed to capture service name!\n");
/*
 * Two-stage capture: probe the fixed header, read the count once into a
 * local, bound it, then probe and copy the full variable-length structure.
 */
683 /* Probe the basic privilege set structure */
684 ProbeForRead(Privileges
, sizeof(PRIVILEGE_SET
), sizeof(ULONG
));
/*
 * The cap (SEP_PRIVILEGE_SET_MAX_COUNT) bounds both the size computation
 * and the pool allocation that follow.
 */
686 /* Validate privilege count */
687 PrivilegeCount
= Privileges
->PrivilegeCount
;
688 if (PrivilegeCount
> SEP_PRIVILEGE_SET_MAX_COUNT
)
690 Status
= STATUS_INVALID_PARAMETER
;
/* Computed from the local PrivilegeCount, not from caller memory. */
694 /* Calculate the size of the Privileges structure */
695 PrivilegesSize
= FIELD_OFFSET(PRIVILEGE_SET
, Privilege
[PrivilegeCount
]);
697 /* Probe the whole structure */
698 ProbeForRead(Privileges
, PrivilegesSize
, sizeof(ULONG
));
/* The size and tag arguments of this allocation are on omitted lines. */
700 /* Allocate a temp buffer */
701 CapturedPrivileges
= ExAllocatePoolWithTag(PagedPool
,
704 if (CapturedPrivileges
== NULL
)
706 DPRINT1("Failed to allocate %u bytes\n", PrivilegesSize
);
707 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/*
 * NOTE(review): this copy re-reads the whole structure from caller memory,
 * header included. CapturedPrivileges->PrivilegeCount can therefore differ
 * from the validated local PrivilegeCount if user mode changes the field
 * between the two reads, while the buffer is only PrivilegesSize bytes.
 * Consumers should use the local count, or the captured field should be
 * overwritten with PrivilegeCount after the copy - confirm how the callee
 * reads it.
 */
711 /* Copy the privileges */
712 RtlCopyMemory(CapturedPrivileges
, Privileges
, PrivilegesSize
);
714 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
716 Status
= _SEH2_GetExceptionCode();
717 DPRINT1("Got exception 0x%lx\n", Status
);
722 /* Capture the security subject context */
723 SeCaptureSubjectContext(&SubjectContext
);
/*
 * NOTE(review): CapturedSubsystemName and CapturedServiceName have no
 * initializer in the visible declarations and are filled only when the
 * matching optional pointer is non-NULL, yet their addresses are passed
 * unconditionally. Unless omitted lines initialize them, the callee
 * receives indeterminate contents for an absent name - confirm.
 */
725 /* Call the internal function */
726 SepAdtPrivilegedServiceAuditAlarm(&SubjectContext
,
727 &CapturedSubsystemName
,
728 &CapturedServiceName
,
730 SubjectContext
.PrimaryToken
,
734 /* Release the security subject context */
735 SeReleaseSubjectContext(&SubjectContext
);
737 Status
= STATUS_SUCCESS
;
/*
 * Releases mirror the acquisitions above.
 * NOTE(review): the buffer is freed with tag 0 although it was allocated
 * with ExAllocatePoolWithTag; passing the allocation's tag would let the
 * pool code verify it - confirm the tag on the omitted line.
 */
740 /* Cleanup resources */
741 if (SubsystemName
!= NULL
)
742 ReleaseCapturedUnicodeString(&CapturedSubsystemName
, PreviousMode
);
743 if (ServiceName
!= NULL
)
744 ReleaseCapturedUnicodeString(&CapturedServiceName
, PreviousMode
);
745 if (CapturedPrivileges
!= NULL
)
746 ExFreePoolWithTag(CapturedPrivileges
, 0);
747 ObDereferenceObject(Token
);
754 NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
756 IN HANDLE ClientToken
,
757 IN ULONG DesiredAccess
,
758 IN PPRIVILEGE_SET Privileges
,
759 IN BOOLEAN AccessGranted
)
762 return STATUS_NOT_IMPLEMENTED
;
766 _Must_inspect_result_
770 NtAccessCheckAndAuditAlarm(
771 _In_ PUNICODE_STRING SubsystemName
,
772 _In_opt_ PVOID HandleId
,
773 _In_ PUNICODE_STRING ObjectTypeName
,
774 _In_ PUNICODE_STRING ObjectName
,
775 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
776 _In_ ACCESS_MASK DesiredAccess
,
777 _In_ PGENERIC_MAPPING GenericMapping
,
778 _In_ BOOLEAN ObjectCreation
,
779 _Out_ PACCESS_MASK GrantedAccess
,
780 _Out_ PNTSTATUS AccessStatus
,
781 _Out_ PBOOLEAN GenerateOnClose
)
783 /* Call the internal function */
784 return SepAccessCheckAndAuditAlarm(SubsystemName
,
792 AuditEventObjectAccess
,
803 _Must_inspect_result_
807 NtAccessCheckByTypeAndAuditAlarm(
808 _In_ PUNICODE_STRING SubsystemName
,
809 _In_opt_ PVOID HandleId
,
810 _In_ PUNICODE_STRING ObjectTypeName
,
811 _In_ PUNICODE_STRING ObjectName
,
812 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
813 _In_opt_ PSID PrincipalSelfSid
,
814 _In_ ACCESS_MASK DesiredAccess
,
815 _In_ AUDIT_EVENT_TYPE AuditType
,
817 _In_reads_opt_(ObjectTypeLength
) POBJECT_TYPE_LIST ObjectTypeList
,
818 _In_ ULONG ObjectTypeLength
,
819 _In_ PGENERIC_MAPPING GenericMapping
,
820 _In_ BOOLEAN ObjectCreation
,
821 _Out_ PACCESS_MASK GrantedAccess
,
822 _Out_ PNTSTATUS AccessStatus
,
823 _Out_ PBOOLEAN GenerateOnClose
)
825 /* Call the internal function */
826 return SepAccessCheckAndAuditAlarm(SubsystemName
,
845 _Must_inspect_result_
849 NtAccessCheckByTypeResultListAndAuditAlarm(
850 _In_ PUNICODE_STRING SubsystemName
,
851 _In_opt_ PVOID HandleId
,
852 _In_ PUNICODE_STRING ObjectTypeName
,
853 _In_ PUNICODE_STRING ObjectName
,
854 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
855 _In_opt_ PSID PrincipalSelfSid
,
856 _In_ ACCESS_MASK DesiredAccess
,
857 _In_ AUDIT_EVENT_TYPE AuditType
,
859 _In_reads_opt_(ObjectTypeListLength
) POBJECT_TYPE_LIST ObjectTypeList
,
860 _In_ ULONG ObjectTypeListLength
,
861 _In_ PGENERIC_MAPPING GenericMapping
,
862 _In_ BOOLEAN ObjectCreation
,
863 _Out_writes_(ObjectTypeListLength
) PACCESS_MASK GrantedAccessList
,
864 _Out_writes_(ObjectTypeListLength
) PNTSTATUS AccessStatusList
,
865 _Out_ PBOOLEAN GenerateOnClose
)
867 /* Call the internal function */
868 return SepAccessCheckAndAuditAlarm(SubsystemName
,
879 ObjectTypeListLength
,
887 _Must_inspect_result_
891 NtAccessCheckByTypeResultListAndAuditAlarmByHandle(
892 _In_ PUNICODE_STRING SubsystemName
,
893 _In_opt_ PVOID HandleId
,
894 _In_ HANDLE ClientToken
,
895 _In_ PUNICODE_STRING ObjectTypeName
,
896 _In_ PUNICODE_STRING ObjectName
,
897 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
,
898 _In_opt_ PSID PrincipalSelfSid
,
899 _In_ ACCESS_MASK DesiredAccess
,
900 _In_ AUDIT_EVENT_TYPE AuditType
,
902 _In_reads_opt_(ObjectTypeListLength
) POBJECT_TYPE_LIST ObjectTypeList
,
903 _In_ ULONG ObjectTypeListLength
,
904 _In_ PGENERIC_MAPPING GenericMapping
,
905 _In_ BOOLEAN ObjectCreation
,
906 _Out_writes_(ObjectTypeListLength
) PACCESS_MASK GrantedAccessList
,
907 _Out_writes_(ObjectTypeListLength
) PNTSTATUS AccessStatusList
,
908 _Out_ PBOOLEAN GenerateOnClose
)
910 UNREFERENCED_PARAMETER(ObjectCreation
);
912 /* Call the internal function */
913 return SepAccessCheckAndAuditAlarm(SubsystemName
,
924 ObjectTypeListLength
,