[STORPORT] Fix x64 build
[reactos.git] / ntoskrnl / se / semgr.c
1 /*
2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/semgr.c
5 * PURPOSE: Security manager
6 *
7 * PROGRAMMERS: No programmer listed.
8 */
9
10 /* INCLUDES *******************************************************************/
11
12 #include <ntoskrnl.h>
13 #define NDEBUG
14 #include <debug.h>
15
16 /* GLOBALS ********************************************************************/
17
18 PSE_EXPORTS SeExports = NULL;
19 SE_EXPORTS SepExports;
20 ULONG SidInTokenCalls = 0;
21
22 extern ULONG ExpInitializationPhase;
23 extern ERESOURCE SepSubjectContextLock;
24
25 /* PRIVATE FUNCTIONS **********************************************************/
26
27 static BOOLEAN
28 INIT_FUNCTION
29 SepInitExports(VOID)
30 {
31 SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
32 SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
33 SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
34 SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
35 SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
36 SepExports.SeTcbPrivilege = SeTcbPrivilege;
37 SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
38 SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
39 SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
40 SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
41 SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
42 SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
43 SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
44 SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
45 SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
46 SepExports.SeBackupPrivilege = SeBackupPrivilege;
47 SepExports.SeRestorePrivilege = SeRestorePrivilege;
48 SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
49 SepExports.SeDebugPrivilege = SeDebugPrivilege;
50 SepExports.SeAuditPrivilege = SeAuditPrivilege;
51 SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
52 SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
53 SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
54
55 SepExports.SeNullSid = SeNullSid;
56 SepExports.SeWorldSid = SeWorldSid;
57 SepExports.SeLocalSid = SeLocalSid;
58 SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
59 SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
60 SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
61 SepExports.SeDialupSid = SeDialupSid;
62 SepExports.SeNetworkSid = SeNetworkSid;
63 SepExports.SeBatchSid = SeBatchSid;
64 SepExports.SeInteractiveSid = SeInteractiveSid;
65 SepExports.SeLocalSystemSid = SeLocalSystemSid;
66 SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
67 SepExports.SeAliasUsersSid = SeAliasUsersSid;
68 SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
69 SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
70 SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
71 SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
72 SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
73 SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
74 SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
75 SepExports.SeRestrictedSid = SeRestrictedSid;
76 SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
77 SepExports.SeLocalServiceSid = SeLocalServiceSid;
78 SepExports.SeNetworkServiceSid = SeNetworkServiceSid;
79
80 SepExports.SeUndockPrivilege = SeUndockPrivilege;
81 SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
82 SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
83 SepExports.SeManageVolumePrivilege = SeManageVolumePrivilege;
84 SepExports.SeImpersonatePrivilege = SeImpersonatePrivilege;
85 SepExports.SeCreateGlobalPrivilege = SeCreateGlobalPrivilege;
86
87 SeExports = &SepExports;
88 return TRUE;
89 }
90
91
92 BOOLEAN
93 NTAPI
94 INIT_FUNCTION
95 SepInitializationPhase0(VOID)
96 {
97 PAGED_CODE();
98
99 ExpInitLuid();
100 if (!SepInitSecurityIDs()) return FALSE;
101 if (!SepInitDACLs()) return FALSE;
102 if (!SepInitSDs()) return FALSE;
103 SepInitPrivileges();
104 if (!SepInitExports()) return FALSE;
105
106 /* Initialize the subject context lock */
107 ExInitializeResource(&SepSubjectContextLock);
108
109 /* Initialize token objects */
110 SepInitializeTokenImplementation();
111
112 /* Initialize logon sessions */
113 if (!SeRmInitPhase0()) return FALSE;
114
115 /* Clear impersonation info for the idle thread */
116 PsGetCurrentThread()->ImpersonationInfo = NULL;
117 PspClearCrossThreadFlag(PsGetCurrentThread(),
118 CT_ACTIVE_IMPERSONATION_INFO_BIT);
119
120 /* Initialize the boot token */
121 ObInitializeFastReference(&PsGetCurrentProcess()->Token, NULL);
122 ObInitializeFastReference(&PsGetCurrentProcess()->Token,
123 SepCreateSystemProcessToken());
124 return TRUE;
125 }
126
127 BOOLEAN
128 NTAPI
129 INIT_FUNCTION
130 SepInitializationPhase1(VOID)
131 {
132 OBJECT_ATTRIBUTES ObjectAttributes;
133 UNICODE_STRING Name;
134 HANDLE SecurityHandle;
135 HANDLE EventHandle;
136 NTSTATUS Status;
137
138 PAGED_CODE();
139
140 /* Insert the system token into the tree */
141 Status = ObInsertObject((PVOID)(PsGetCurrentProcess()->Token.Value &
142 ~MAX_FAST_REFS),
143 NULL,
144 0,
145 0,
146 NULL,
147 NULL);
148 ASSERT(NT_SUCCESS(Status));
149
150 /* TODO: Create a security desscriptor for the directory */
151
152 /* Create '\Security' directory */
153 RtlInitUnicodeString(&Name, L"\\Security");
154 InitializeObjectAttributes(&ObjectAttributes,
155 &Name,
156 OBJ_PERMANENT | OBJ_CASE_INSENSITIVE,
157 0,
158 NULL);
159
160 Status = ZwCreateDirectoryObject(&SecurityHandle,
161 DIRECTORY_ALL_ACCESS,
162 &ObjectAttributes);
163 ASSERT(NT_SUCCESS(Status));
164
165 /* Create 'LSA_AUTHENTICATION_INITIALIZED' event */
166 RtlInitUnicodeString(&Name, L"LSA_AUTHENTICATION_INITIALIZED");
167 InitializeObjectAttributes(&ObjectAttributes,
168 &Name,
169 OBJ_PERMANENT | OBJ_CASE_INSENSITIVE,
170 SecurityHandle,
171 SePublicDefaultSd);
172
173 Status = ZwCreateEvent(&EventHandle,
174 GENERIC_WRITE,
175 &ObjectAttributes,
176 NotificationEvent,
177 FALSE);
178 ASSERT(NT_SUCCESS(Status));
179
180 Status = ZwClose(EventHandle);
181 ASSERT(NT_SUCCESS(Status));
182
183 Status = ZwClose(SecurityHandle);
184 ASSERT(NT_SUCCESS(Status));
185
186 return TRUE;
187 }
188
189 BOOLEAN
190 NTAPI
191 INIT_FUNCTION
192 SeInitSystem(VOID)
193 {
194 /* Check the initialization phase */
195 switch (ExpInitializationPhase)
196 {
197 case 0:
198
199 /* Do Phase 0 */
200 return SepInitializationPhase0();
201
202 case 1:
203
204 /* Do Phase 1 */
205 return SepInitializationPhase1();
206
207 default:
208
209 /* Don't know any other phase! Bugcheck! */
210 KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
211 0,
212 ExpInitializationPhase,
213 0,
214 0);
215 return FALSE;
216 }
217 }
218
219 NTSTATUS
220 NTAPI
221 SeDefaultObjectMethod(IN PVOID Object,
222 IN SECURITY_OPERATION_CODE OperationType,
223 IN PSECURITY_INFORMATION SecurityInformation,
224 IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
225 IN OUT PULONG ReturnLength OPTIONAL,
226 IN OUT PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
227 IN POOL_TYPE PoolType,
228 IN PGENERIC_MAPPING GenericMapping)
229 {
230 PAGED_CODE();
231
232 /* Select the operation type */
233 switch (OperationType)
234 {
235 /* Setting a new descriptor */
236 case SetSecurityDescriptor:
237
238 /* Sanity check */
239 ASSERT((PoolType == PagedPool) || (PoolType == NonPagedPool));
240
241 /* Set the information */
242 return ObSetSecurityDescriptorInfo(Object,
243 SecurityInformation,
244 SecurityDescriptor,
245 OldSecurityDescriptor,
246 PoolType,
247 GenericMapping);
248
249 case QuerySecurityDescriptor:
250
251 /* Query the information */
252 return ObQuerySecurityDescriptorInfo(Object,
253 SecurityInformation,
254 SecurityDescriptor,
255 ReturnLength,
256 OldSecurityDescriptor);
257
258 case DeleteSecurityDescriptor:
259
260 /* De-assign it */
261 return ObDeassignSecurity(OldSecurityDescriptor);
262
263 case AssignSecurityDescriptor:
264
265 /* Assign it */
266 ObAssignObjectSecurityDescriptor(Object, SecurityDescriptor, PoolType);
267 return STATUS_SUCCESS;
268
269 default:
270
271 /* Bug check */
272 KeBugCheckEx(SECURITY_SYSTEM, 0, STATUS_INVALID_PARAMETER, 0, 0);
273 }
274
275 /* Should never reach here */
276 ASSERT(FALSE);
277 return STATUS_SUCCESS;
278 }
279
280 VOID
281 NTAPI
282 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
283 OUT PACCESS_MASK DesiredAccess)
284 {
285 *DesiredAccess = 0;
286
287 if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
288 GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
289 {
290 *DesiredAccess |= READ_CONTROL;
291 }
292
293 if (SecurityInformation & SACL_SECURITY_INFORMATION)
294 {
295 *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
296 }
297 }
298
299 VOID
300 NTAPI
301 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
302 OUT PACCESS_MASK DesiredAccess)
303 {
304 *DesiredAccess = 0;
305
306 if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
307 {
308 *DesiredAccess |= WRITE_OWNER;
309 }
310
311 if (SecurityInformation & DACL_SECURITY_INFORMATION)
312 {
313 *DesiredAccess |= WRITE_DAC;
314 }
315
316 if (SecurityInformation & SACL_SECURITY_INFORMATION)
317 {
318 *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
319 }
320 }
321
322 NTSTATUS
323 NTAPI
324 SeReportSecurityEvent(
325 _In_ ULONG Flags,
326 _In_ PUNICODE_STRING SourceName,
327 _In_opt_ PSID UserSid,
328 _In_ PSE_ADT_PARAMETER_ARRAY AuditParameters)
329 {
330 SECURITY_SUBJECT_CONTEXT SubjectContext;
331 PTOKEN EffectiveToken;
332 PISID Sid;
333 NTSTATUS Status;
334
335 /* Validate parameters */
336 if ((Flags != 0) ||
337 (SourceName == NULL) ||
338 (SourceName->Buffer == NULL) ||
339 (SourceName->Length == 0) ||
340 (AuditParameters == NULL) ||
341 (AuditParameters->ParameterCount > SE_MAX_AUDIT_PARAMETERS - 4))
342 {
343 return STATUS_INVALID_PARAMETER;
344 }
345
346 /* Validate the source name */
347 Status = RtlValidateUnicodeString(0, SourceName);
348 if (!NT_SUCCESS(Status))
349 {
350 return Status;
351 }
352
353 /* Check if we have a user SID */
354 if (UserSid != NULL)
355 {
356 /* Validate it */
357 if (!RtlValidSid(UserSid))
358 {
359 return STATUS_INVALID_PARAMETER;
360 }
361
362 /* Use the user SID */
363 Sid = UserSid;
364 }
365 else
366 {
367 /* No user SID, capture the security subject context */
368 SeCaptureSubjectContext(&SubjectContext);
369
370 /* Extract the effective token */
371 EffectiveToken = SubjectContext.ClientToken ?
372 SubjectContext.ClientToken : SubjectContext.PrimaryToken;
373
374 /* Use the user-and-groups SID */
375 Sid = EffectiveToken->UserAndGroups->Sid;
376 }
377
378 UNIMPLEMENTED;
379
380 /* Check if we captured the subject context */
381 if (Sid != UserSid)
382 {
383 /* Release it */
384 SeReleaseSubjectContext(&SubjectContext);
385 }
386
387 /* Return success */
388 return STATUS_SUCCESS;
389 }
390
391 _Const_
392 NTSTATUS
393 NTAPI
394 SeSetAuditParameter(
395 _Inout_ PSE_ADT_PARAMETER_ARRAY AuditParameters,
396 _In_ SE_ADT_PARAMETER_TYPE Type,
397 _In_range_(<, SE_MAX_AUDIT_PARAMETERS) ULONG Index,
398 _In_reads_(_Inexpressible_("depends on SE_ADT_PARAMETER_TYPE")) PVOID Data)
399 {
400 UNIMPLEMENTED;
401 return STATUS_SUCCESS;
402 }
403
404 /* EOF */