projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Sync to trunk revision 61757.
[reactos.git] / ntoskrnl / se / audit.c
1 /*
2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/audit.c
5 * PURPOSE: Audit functions
6 *
7 * PROGRAMMERS: Eric Kohl
8 * Timo Kreuzer (timo.kreuzer@reactos.org)
9 */
10
11 /* INCLUDES *******************************************************************/
12
13 #include <ntoskrnl.h>
14 #define NDEBUG
15 #include <debug.h>
16
17 #define SEP_PRIVILEGE_SET_MAX_COUNT 60
18
19 /* PRIVATE FUNCTIONS***********************************************************/
20
21 BOOLEAN
22 NTAPI
23 SeDetailedAuditingWithToken(IN PTOKEN Token)
24 {
25 /* FIXME */
26 return FALSE;
27 }
28
29 VOID
30 NTAPI
31 SeAuditProcessCreate(IN PEPROCESS Process)
32 {
33 /* FIXME */
34 }
35
36 VOID
37 NTAPI
38 SeAuditProcessExit(IN PEPROCESS Process)
39 {
40 /* FIXME */
41 }
42
43 NTSTATUS
44 NTAPI
45 SeInitializeProcessAuditName(IN PFILE_OBJECT FileObject,
46 IN BOOLEAN DoAudit,
47 OUT POBJECT_NAME_INFORMATION *AuditInfo)
48 {
49 OBJECT_NAME_INFORMATION LocalNameInfo;
50 POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
51 ULONG ReturnLength = 8;
52 NTSTATUS Status;
53
54 PAGED_CODE();
55 ASSERT(AuditInfo);
56
57 /* Check if we should do auditing */
58 if (DoAudit)
59 {
60 /* FIXME: TODO */
61 }
62
63 /* Now query the name */
64 Status = ObQueryNameString(FileObject,
65 &LocalNameInfo,
66 sizeof(LocalNameInfo),
67 &ReturnLength);
68 if (((Status == STATUS_BUFFER_OVERFLOW) ||
69 (Status == STATUS_BUFFER_TOO_SMALL) ||
70 (Status == STATUS_INFO_LENGTH_MISMATCH)) &&
71 (ReturnLength != sizeof(LocalNameInfo)))
72 {
73 /* Allocate required size */
74 ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
75 ReturnLength,
76 TAG_SEPA);
77 if (ObjectNameInfo)
78 {
79 /* Query the name again */
80 Status = ObQueryNameString(FileObject,
81 ObjectNameInfo,
82 ReturnLength,
83 &ReturnLength);
84 }
85 }
86
87 /* Check if we got here due to failure */
88 if ((ObjectNameInfo) &&
89 (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
90 {
91 /* First, free any buffer we might've allocated */
92 ASSERT(FALSE);
93 if (ObjectNameInfo) ExFreePool(ObjectNameInfo);
94
95 /* Now allocate a temporary one */
96 ReturnLength = sizeof(OBJECT_NAME_INFORMATION);
97 ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
98 sizeof(OBJECT_NAME_INFORMATION),
99 TAG_SEPA);
100 if (ObjectNameInfo)
101 {
102 /* Clear it */
103 RtlZeroMemory(ObjectNameInfo, ReturnLength);
104 Status = STATUS_SUCCESS;
105 }
106 }
107
108 /* Check if memory allocation failed */
109 if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;
110
111 /* Return the audit name */
112 *AuditInfo = ObjectNameInfo;
113
114 /* Return status */
115 return Status;
116 }
117
118 NTSTATUS
119 NTAPI
120 SeLocateProcessImageName(IN PEPROCESS Process,
121 OUT PUNICODE_STRING *ProcessImageName)
122 {
123 POBJECT_NAME_INFORMATION AuditName;
124 PUNICODE_STRING ImageName;
125 PFILE_OBJECT FileObject;
126 NTSTATUS Status = STATUS_SUCCESS;
127
128 PAGED_CODE();
129
130 /* Assume failure */
131 *ProcessImageName = NULL;
132
133 /* Check if we have audit info */
134 AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
135 if (!AuditName)
136 {
137 /* Get the file object */
138 Status = PsReferenceProcessFilePointer(Process, &FileObject);
139 if (!NT_SUCCESS(Status)) return Status;
140
141 /* Initialize the audit structure */
142 Status = SeInitializeProcessAuditName(FileObject, TRUE, &AuditName);
143 if (NT_SUCCESS(Status))
144 {
145 /* Set it */
146 if (InterlockedCompareExchangePointer((PVOID*)&Process->
147 SeAuditProcessCreationInfo.ImageFileName,
148 AuditName,
149 NULL))
150 {
151 /* Someone beat us to it, deallocate our copy */
152 ExFreePool(AuditName);
153 }
154 }
155
156 /* Dereference the file object */
157 ObDereferenceObject(FileObject);
158 if (!NT_SUCCESS(Status)) return Status;
159 }
160
161 /* Get audit info again, now we have it for sure */
162 AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
163
164 /* Allocate the output string */
165 ImageName = ExAllocatePoolWithTag(NonPagedPool,
166 AuditName->Name.MaximumLength +
167 sizeof(UNICODE_STRING),
168 TAG_SEPA);
169 if (!ImageName) return STATUS_NO_MEMORY;
170
171 /* Make a copy of it */
172 RtlCopyMemory(ImageName,
173 &AuditName->Name,
174 AuditName->Name.MaximumLength + sizeof(UNICODE_STRING));
175
176 /* Fix up the buffer */
177 ImageName->Buffer = (PWSTR)(ImageName + 1);
178
179 /* Return it */
180 *ProcessImageName = ImageName;
181
182 /* Return status */
183 return Status;
184 }
185
186 VOID
187 NTAPI
188 SepAdtCloseObjectAuditAlarm(
189 PUNICODE_STRING SubsystemName,
190 PVOID HandleId,
191 PSID Sid)
192 {
193 UNIMPLEMENTED;
194 }
195
196 VOID
197 NTAPI
198 SepAdtPrivilegedServiceAuditAlarm(
199 PSECURITY_SUBJECT_CONTEXT SubjectContext,
200 _In_opt_ PUNICODE_STRING SubsystemName,
201 _In_opt_ PUNICODE_STRING ServiceName,
202 _In_ PTOKEN Token,
203 _In_ PTOKEN PrimaryToken,
204 _In_ PPRIVILEGE_SET Privileges,
205 _In_ BOOLEAN AccessGranted )
206 {
207 UNIMPLEMENTED;
208 }
209
210 _Must_inspect_result_
211 NTSTATUS
212 NTAPI
213 SepAccessCheckAndAuditAlarm(
214 _In_ PUNICODE_STRING SubsystemName,
215 _In_opt_ PVOID HandleId,
216 _In_ PHANDLE ClientToken,
217 _In_ PUNICODE_STRING ObjectTypeName,
218 _In_ PUNICODE_STRING ObjectName,
219 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
220 _In_opt_ PSID PrincipalSelfSid,
221 _In_ ACCESS_MASK DesiredAccess,
222 _In_ AUDIT_EVENT_TYPE AuditType,
223 _In_ ULONG Flags,
224 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
225 _In_ ULONG ObjectTypeListLength,
226 _In_ PGENERIC_MAPPING GenericMapping,
227 _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
228 _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
229 _Out_ PBOOLEAN GenerateOnClose,
230 _In_ BOOLEAN UseResultList)
231 {
232 SECURITY_SUBJECT_CONTEXT SubjectContext;
233 ULONG ResultListLength;
234 GENERIC_MAPPING LocalGenericMapping;
235 NTSTATUS Status;
236 PAGED_CODE();
237
238 DBG_UNREFERENCED_LOCAL_VARIABLE(LocalGenericMapping);
239
240 /* Only user mode is supported! */
241 ASSERT(ExGetPreviousMode() != KernelMode);
242
243 /* Validate AuditType */
244 if ((AuditType != AuditEventObjectAccess) &&
245 (AuditType != AuditEventDirectoryServiceAccess))
246 {
247 DPRINT1("Invalid audit type: %u\n", AuditType);
248 return STATUS_INVALID_PARAMETER;
249 }
250
251 /* Capture the security subject context */
252 SeCaptureSubjectContext(&SubjectContext);
253
254 /* Did the caller pass a token handle? */
255 if (ClientToken == NULL)
256 {
257 /* Check if we have a token in the subject context */
258 if (SubjectContext.ClientToken == NULL)
259 {
260 Status = STATUS_NO_IMPERSONATION_TOKEN;
261 goto Cleanup;
262 }
263
264 /* Check if we have a valid impersonation level */
265 if (SubjectContext.ImpersonationLevel < SecurityIdentification)
266 {
267 Status = STATUS_BAD_IMPERSONATION_LEVEL;
268 goto Cleanup;
269 }
270 }
271
272 /* Are we using a result list? */
273 if (UseResultList)
274 {
275 /* The list length equals the object type list length */
276 ResultListLength = ObjectTypeListLength;
277 if ((ResultListLength == 0) || (ResultListLength > 0x1000))
278 {
279 Status = STATUS_INVALID_PARAMETER;
280 goto Cleanup;
281 }
282 }
283 else
284 {
285 /* List length is 1 */
286 ResultListLength = 1;
287 }
288
289 _SEH2_TRY
290 {
291 /* Probe output buffers */
292 ProbeForWrite(AccessStatusList,
293 ResultListLength * sizeof(*AccessStatusList),
294 sizeof(*AccessStatusList));
295 ProbeForWrite(GrantedAccessList,
296 ResultListLength * sizeof(*GrantedAccessList),
297 sizeof(*GrantedAccessList));
298
299 /* Probe generic mapping and make a local copy */
300 ProbeForRead(GenericMapping, sizeof(*GenericMapping), sizeof(ULONG));
301 LocalGenericMapping = * GenericMapping;
302 }
303 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
304 {
305 Status = _SEH2_GetExceptionCode();
306 goto Cleanup;
307 }
308 _SEH2_END;
309
310
311 UNIMPLEMENTED;
312
313 /* For now pretend everything else is ok */
314 Status = STATUS_SUCCESS;
315
316 Cleanup:
317
318 /* Release the security subject context */
319 SeReleaseSubjectContext(&SubjectContext);
320
321 return Status;
322 }
323
324
325 /* PUBLIC FUNCTIONS ***********************************************************/
326
327 /*
328 * @unimplemented
329 */
330 VOID
331 NTAPI
332 SeAuditHardLinkCreation(IN PUNICODE_STRING FileName,
333 IN PUNICODE_STRING LinkName,
334 IN BOOLEAN bSuccess)
335 {
336 UNIMPLEMENTED;
337 }
338
339 /*
340 * @unimplemented
341 */
342 BOOLEAN
343 NTAPI
344 SeAuditingFileEvents(IN BOOLEAN AccessGranted,
345 IN PSECURITY_DESCRIPTOR SecurityDescriptor)
346 {
347 UNIMPLEMENTED;
348 return FALSE;
349 }
350
351 /*
352 * @unimplemented
353 */
354 BOOLEAN
355 NTAPI
356 SeAuditingFileEventsWithContext(IN BOOLEAN AccessGranted,
357 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
358 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
359 {
360 UNIMPLEMENTED;
361 return FALSE;
362 }
363
364 /*
365 * @unimplemented
366 */
367 BOOLEAN
368 NTAPI
369 SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted,
370 IN PSECURITY_DESCRIPTOR SecurityDescriptor)
371 {
372 UNIMPLEMENTED;
373 return FALSE;
374 }
375
376 /*
377 * @unimplemented
378 */
379 BOOLEAN
380 NTAPI
381 SeAuditingHardLinkEventsWithContext(IN BOOLEAN AccessGranted,
382 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
383 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
384 {
385 UNIMPLEMENTED;
386 return FALSE;
387 }
388
389 /*
390 * @unimplemented
391 */
392 BOOLEAN
393 NTAPI
394 SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted,
395 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
396 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
397 {
398 UNIMPLEMENTED;
399 return FALSE;
400 }
401
402 /*
403 * @unimplemented
404 */
405 VOID
406 NTAPI
407 SeCloseObjectAuditAlarm(IN PVOID Object,
408 IN HANDLE Handle,
409 IN BOOLEAN PerformAction)
410 {
411 UNIMPLEMENTED;
412 }
413
414 /*
415 * @unimplemented
416 */
417 VOID NTAPI
418 SeDeleteObjectAuditAlarm(IN PVOID Object,
419 IN HANDLE Handle)
420 {
421 UNIMPLEMENTED;
422 }
423
424 /*
425 * @unimplemented
426 */
427 VOID
428 NTAPI
429 SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
430 IN PVOID Object OPTIONAL,
431 IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
432 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
433 IN PACCESS_STATE AccessState,
434 IN BOOLEAN ObjectCreated,
435 IN BOOLEAN AccessGranted,
436 IN KPROCESSOR_MODE AccessMode,
437 OUT PBOOLEAN GenerateOnClose)
438 {
439 PAGED_CODE();
440
441 /* Audits aren't done on kernel-mode access */
442 if (AccessMode == KernelMode) return;
443
444 /* Otherwise, unimplemented! */
445 //UNIMPLEMENTED;
446 return;
447 }
448
449 /*
450 * @unimplemented
451 */
452 VOID NTAPI
453 SeOpenObjectForDeleteAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
454 IN PVOID Object OPTIONAL,
455 IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
456 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
457 IN PACCESS_STATE AccessState,
458 IN BOOLEAN ObjectCreated,
459 IN BOOLEAN AccessGranted,
460 IN KPROCESSOR_MODE AccessMode,
461 OUT PBOOLEAN GenerateOnClose)
462 {
463 UNIMPLEMENTED;
464 }
465
466 /*
467 * @unimplemented
468 */
469 VOID
470 NTAPI
471 SePrivilegeObjectAuditAlarm(IN HANDLE Handle,
472 IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
473 IN ACCESS_MASK DesiredAccess,
474 IN PPRIVILEGE_SET Privileges,
475 IN BOOLEAN AccessGranted,
476 IN KPROCESSOR_MODE CurrentMode)
477 {
478 UNIMPLEMENTED;
479 }
480
481 /* SYSTEM CALLS ***************************************************************/
482
483 NTSTATUS
484 NTAPI
485 NtCloseObjectAuditAlarm(
486 PUNICODE_STRING SubsystemName,
487 PVOID HandleId,
488 BOOLEAN GenerateOnClose)
489 {
490 UNICODE_STRING CapturedSubsystemName;
491 KPROCESSOR_MODE PreviousMode;
492 BOOLEAN UseImpersonationToken;
493 PETHREAD CurrentThread;
494 BOOLEAN CopyOnOpen, EffectiveOnly;
495 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
496 NTSTATUS Status;
497 PTOKEN Token;
498 PAGED_CODE();
499
500 /* Get the previous mode (only user mode is supported!) */
501 PreviousMode = ExGetPreviousMode();
502 ASSERT(PreviousMode != KernelMode);
503
504 /* Do we even need to do anything? */
505 if (!GenerateOnClose)
506 {
507 /* Nothing to do, return success */
508 return STATUS_SUCCESS;
509 }
510
511 /* Validate privilege */
512 if (!SeSinglePrivilegeCheck(SeAuditPrivilege, PreviousMode))
513 {
514 DPRINT1("Caller does not have SeAuditPrivilege\n");
515 return STATUS_PRIVILEGE_NOT_HELD;
516 }
517
518 /* Probe and capture the subsystem name */
519 Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
520 PreviousMode,
521 SubsystemName);
522 if (!NT_SUCCESS(Status))
523 {
524 DPRINT1("Failed to capture subsystem name!\n");
525 return Status;
526 }
527
528 /* Get the current thread and check if it's impersonating */
529 CurrentThread = PsGetCurrentThread();
530 if (PsIsThreadImpersonating(CurrentThread))
531 {
532 /* Get the impersonation token */
533 Token = PsReferenceImpersonationToken(CurrentThread,
534 &CopyOnOpen,
535 &EffectiveOnly,
536 &ImpersonationLevel);
537 UseImpersonationToken = TRUE;
538 }
539 else
540 {
541 /* Get the primary token */
542 Token = PsReferencePrimaryToken(PsGetCurrentProcess());
543 UseImpersonationToken = FALSE;
544 }
545
546 /* Call the internal function */
547 SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
548 HandleId,
549 Token->UserAndGroups->Sid);
550
551 /* Release the captured subsystem name */
552 ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
553
554 /* Check what token we used */
555 if (UseImpersonationToken)
556 {
557 /* Release impersonation token */
558 PsDereferenceImpersonationToken(Token);
559 }
560 else
561 {
562 /* Release primary token */
563 PsDereferencePrimaryToken(Token);
564 }
565
566 return STATUS_SUCCESS;
567 }
568
569
570 NTSTATUS NTAPI
571 NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
572 IN PVOID HandleId,
573 IN BOOLEAN GenerateOnClose)
574 {
575 UNIMPLEMENTED;
576 return STATUS_NOT_IMPLEMENTED;
577 }
578
579
580 NTSTATUS NTAPI
581 NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
582 IN PVOID HandleId,
583 IN PUNICODE_STRING ObjectTypeName,
584 IN PUNICODE_STRING ObjectName,
585 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
586 IN HANDLE ClientToken,
587 IN ULONG DesiredAccess,
588 IN ULONG GrantedAccess,
589 IN PPRIVILEGE_SET Privileges,
590 IN BOOLEAN ObjectCreation,
591 IN BOOLEAN AccessGranted,
592 OUT PBOOLEAN GenerateOnClose)
593 {
594 UNIMPLEMENTED;
595 return STATUS_NOT_IMPLEMENTED;
596 }
597
598
599 __kernel_entry
600 NTSTATUS
601 NTAPI
602 NtPrivilegedServiceAuditAlarm(
603 _In_opt_ PUNICODE_STRING SubsystemName,
604 _In_opt_ PUNICODE_STRING ServiceName,
605 _In_ HANDLE ClientToken,
606 _In_ PPRIVILEGE_SET Privileges,
607 _In_ BOOLEAN AccessGranted )
608 {
609 KPROCESSOR_MODE PreviousMode;
610 PTOKEN Token;
611 volatile PPRIVILEGE_SET CapturedPrivileges = NULL;
612 UNICODE_STRING CapturedSubsystemName;
613 UNICODE_STRING CapturedServiceName;
614 ULONG PrivilegeCount, PrivilegesSize;
615 SECURITY_SUBJECT_CONTEXT SubjectContext;
616 NTSTATUS Status;
617 PAGED_CODE();
618
619 /* Get the previous mode (only user mode is supported!) */
620 PreviousMode = ExGetPreviousMode();
621 ASSERT(PreviousMode != KernelMode);
622
623 /* Reference the client token */
624 Status = ObReferenceObjectByHandle(ClientToken,
625 TOKEN_QUERY,
626 SeTokenObjectType,
627 PreviousMode,
628 (PVOID*)&Token,
629 NULL);
630 if (!NT_SUCCESS(Status))
631 {
632 DPRINT1("Failed to reference client token: 0x%lx\n", Status);
633 return Status;
634 }
635
636 /* Validate the token's impersonation level */
637 if ((Token->TokenType == TokenImpersonation) &&
638 (Token->ImpersonationLevel < SecurityIdentification))
639 {
640 DPRINT1("Invalid impersonation level (%u)\n", Token->ImpersonationLevel);
641 ObfDereferenceObject(Token);
642 return STATUS_BAD_IMPERSONATION_LEVEL;
643 }
644
645 /* Validate privilege */
646 if (!SeSinglePrivilegeCheck(SeAuditPrivilege, PreviousMode))
647 {
648 DPRINT1("Caller does not have SeAuditPrivilege\n");
649 ObfDereferenceObject(Token);
650 return STATUS_PRIVILEGE_NOT_HELD;
651 }
652
653 /* Do we have a subsystem name? */
654 if (SubsystemName != NULL)
655 {
656 /* Probe and capture the subsystem name */
657 Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
658 PreviousMode,
659 SubsystemName);
660 if (!NT_SUCCESS(Status))
661 {
662 DPRINT1("Failed to capture subsystem name!\n");
663 goto Cleanup;
664 }
665 }
666
667 /* Do we have a service name? */
668 if (ServiceName != NULL)
669 {
670 /* Probe and capture the service name */
671 Status = ProbeAndCaptureUnicodeString(&CapturedServiceName,
672 PreviousMode,
673 ServiceName);
674 if (!NT_SUCCESS(Status))
675 {
676 DPRINT1("Failed to capture service name!\n");
677 goto Cleanup;
678 }
679 }
680
681 _SEH2_TRY
682 {
683 /* Probe the basic privilege set structure */
684 ProbeForRead(Privileges, sizeof(PRIVILEGE_SET), sizeof(ULONG));
685
686 /* Validate privilege count */
687 PrivilegeCount = Privileges->PrivilegeCount;
688 if (PrivilegeCount > SEP_PRIVILEGE_SET_MAX_COUNT)
689 {
690 Status = STATUS_INVALID_PARAMETER;
691 goto Cleanup;
692 }
693
694 /* Calculate the size of the Privileges structure */
695 PrivilegesSize = FIELD_OFFSET(PRIVILEGE_SET, Privilege[PrivilegeCount]);
696
697 /* Probe the whole structure */
698 ProbeForRead(Privileges, PrivilegesSize, sizeof(ULONG));
699
700 /* Allocate a temp buffer */
701 CapturedPrivileges = ExAllocatePoolWithTag(PagedPool,
702 PrivilegesSize,
703 'rPeS');
704 if (CapturedPrivileges == NULL)
705 {
706 DPRINT1("Failed to allocate %u bytes\n", PrivilegesSize);
707 Status = STATUS_INSUFFICIENT_RESOURCES;
708 goto Cleanup;
709 }
710
711 /* Copy the privileges */
712 RtlCopyMemory(CapturedPrivileges, Privileges, PrivilegesSize);
713 }
714 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
715 {
716 Status = _SEH2_GetExceptionCode();
717 DPRINT1("Got exception 0x%lx\n", Status);
718 goto Cleanup;
719 }
720 _SEH2_END;
721
722 /* Capture the security subject context */
723 SeCaptureSubjectContext(&SubjectContext);
724
725 /* Call the internal function */
726 SepAdtPrivilegedServiceAuditAlarm(&SubjectContext,
727 &CapturedSubsystemName,
728 &CapturedServiceName,
729 Token,
730 SubjectContext.PrimaryToken,
731 CapturedPrivileges,
732 AccessGranted);
733
734 /* Release the security subject context */
735 SeReleaseSubjectContext(&SubjectContext);
736
737 Status = STATUS_SUCCESS;
738
739 Cleanup:
740 /* Cleanup resources */
741 if (SubsystemName != NULL)
742 ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
743 if (ServiceName != NULL)
744 ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
745 if (CapturedPrivileges != NULL)
746 ExFreePoolWithTag(CapturedPrivileges, 0);
747 ObDereferenceObject(Token);
748
749 return Status;
750 }
751
752
753 NTSTATUS NTAPI
754 NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
755 IN PVOID HandleId,
756 IN HANDLE ClientToken,
757 IN ULONG DesiredAccess,
758 IN PPRIVILEGE_SET Privileges,
759 IN BOOLEAN AccessGranted)
760 {
761 UNIMPLEMENTED;
762 return STATUS_NOT_IMPLEMENTED;
763 }
764
765
766 _Must_inspect_result_
767 __kernel_entry
768 NTSTATUS
769 NTAPI
770 NtAccessCheckAndAuditAlarm(
771 _In_ PUNICODE_STRING SubsystemName,
772 _In_opt_ PVOID HandleId,
773 _In_ PUNICODE_STRING ObjectTypeName,
774 _In_ PUNICODE_STRING ObjectName,
775 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
776 _In_ ACCESS_MASK DesiredAccess,
777 _In_ PGENERIC_MAPPING GenericMapping,
778 _In_ BOOLEAN ObjectCreation,
779 _Out_ PACCESS_MASK GrantedAccess,
780 _Out_ PNTSTATUS AccessStatus,
781 _Out_ PBOOLEAN GenerateOnClose)
782 {
783 /* Call the internal function */
784 return SepAccessCheckAndAuditAlarm(SubsystemName,
785 HandleId,
786 NULL,
787 ObjectTypeName,
788 ObjectName,
789 SecurityDescriptor,
790 NULL,
791 DesiredAccess,
792 AuditEventObjectAccess,
793 0,
794 NULL,
795 0,
796 GenericMapping,
797 GrantedAccess,
798 AccessStatus,
799 GenerateOnClose,
800 FALSE);
801 }
802
803 _Must_inspect_result_
804 __kernel_entry
805 NTSTATUS
806 NTAPI
807 NtAccessCheckByTypeAndAuditAlarm(
808 _In_ PUNICODE_STRING SubsystemName,
809 _In_opt_ PVOID HandleId,
810 _In_ PUNICODE_STRING ObjectTypeName,
811 _In_ PUNICODE_STRING ObjectName,
812 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
813 _In_opt_ PSID PrincipalSelfSid,
814 _In_ ACCESS_MASK DesiredAccess,
815 _In_ AUDIT_EVENT_TYPE AuditType,
816 _In_ ULONG Flags,
817 _In_reads_opt_(ObjectTypeLength) POBJECT_TYPE_LIST ObjectTypeList,
818 _In_ ULONG ObjectTypeLength,
819 _In_ PGENERIC_MAPPING GenericMapping,
820 _In_ BOOLEAN ObjectCreation,
821 _Out_ PACCESS_MASK GrantedAccess,
822 _Out_ PNTSTATUS AccessStatus,
823 _Out_ PBOOLEAN GenerateOnClose)
824 {
825 /* Call the internal function */
826 return SepAccessCheckAndAuditAlarm(SubsystemName,
827 HandleId,
828 NULL,
829 ObjectTypeName,
830 ObjectName,
831 SecurityDescriptor,
832 PrincipalSelfSid,
833 DesiredAccess,
834 AuditType,
835 Flags,
836 ObjectTypeList,
837 ObjectTypeLength,
838 GenericMapping,
839 GrantedAccess,
840 AccessStatus,
841 GenerateOnClose,
842 FALSE);
843 }
844
845 _Must_inspect_result_
846 __kernel_entry
847 NTSTATUS
848 NTAPI
849 NtAccessCheckByTypeResultListAndAuditAlarm(
850 _In_ PUNICODE_STRING SubsystemName,
851 _In_opt_ PVOID HandleId,
852 _In_ PUNICODE_STRING ObjectTypeName,
853 _In_ PUNICODE_STRING ObjectName,
854 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
855 _In_opt_ PSID PrincipalSelfSid,
856 _In_ ACCESS_MASK DesiredAccess,
857 _In_ AUDIT_EVENT_TYPE AuditType,
858 _In_ ULONG Flags,
859 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
860 _In_ ULONG ObjectTypeListLength,
861 _In_ PGENERIC_MAPPING GenericMapping,
862 _In_ BOOLEAN ObjectCreation,
863 _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
864 _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
865 _Out_ PBOOLEAN GenerateOnClose)
866 {
867 /* Call the internal function */
868 return SepAccessCheckAndAuditAlarm(SubsystemName,
869 HandleId,
870 NULL,
871 ObjectTypeName,
872 ObjectName,
873 SecurityDescriptor,
874 PrincipalSelfSid,
875 DesiredAccess,
876 AuditType,
877 Flags,
878 ObjectTypeList,
879 ObjectTypeListLength,
880 GenericMapping,
881 GrantedAccessList,
882 AccessStatusList,
883 GenerateOnClose,
884 TRUE);
885 }
886
887 _Must_inspect_result_
888 __kernel_entry
889 NTSTATUS
890 NTAPI
891 NtAccessCheckByTypeResultListAndAuditAlarmByHandle(
892 _In_ PUNICODE_STRING SubsystemName,
893 _In_opt_ PVOID HandleId,
894 _In_ HANDLE ClientToken,
895 _In_ PUNICODE_STRING ObjectTypeName,
896 _In_ PUNICODE_STRING ObjectName,
897 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
898 _In_opt_ PSID PrincipalSelfSid,
899 _In_ ACCESS_MASK DesiredAccess,
900 _In_ AUDIT_EVENT_TYPE AuditType,
901 _In_ ULONG Flags,
902 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
903 _In_ ULONG ObjectTypeListLength,
904 _In_ PGENERIC_MAPPING GenericMapping,
905 _In_ BOOLEAN ObjectCreation,
906 _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
907 _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
908 _Out_ PBOOLEAN GenerateOnClose)
909 {
910 UNREFERENCED_PARAMETER(ObjectCreation);
911
912 /* Call the internal function */
913 return SepAccessCheckAndAuditAlarm(SubsystemName,
914 HandleId,
915 &ClientToken,
916 ObjectTypeName,
917 ObjectName,
918 SecurityDescriptor,
919 PrincipalSelfSid,
920 DesiredAccess,
921 AuditType,
922 Flags,
923 ObjectTypeList,
924 ObjectTypeListLength,
925 GenericMapping,
926 GrantedAccessList,
927 AccessStatusList,
928 GenerateOnClose,
929 TRUE);
930 }
931
932 /* EOF */
A free Windows-compatible Operating System