2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/semgr.c
5 * PURPOSE: Security manager
7 * PROGRAMMERS: No programmer listed.
10 /* INCLUDES *******************************************************************/
16 /* GLOBALS ********************************************************************/
18 PSE_EXPORTS SeExports
= NULL
;
19 SE_EXPORTS SepExports
;
20 ULONG SidInTokenCalls
= 0;
22 extern ULONG ExpInitializationPhase
;
23 extern ERESOURCE SepSubjectContextLock
;
25 /* PRIVATE FUNCTIONS **********************************************************/
31 SepExports
.SeCreateTokenPrivilege
= SeCreateTokenPrivilege
;
32 SepExports
.SeAssignPrimaryTokenPrivilege
= SeAssignPrimaryTokenPrivilege
;
33 SepExports
.SeLockMemoryPrivilege
= SeLockMemoryPrivilege
;
34 SepExports
.SeIncreaseQuotaPrivilege
= SeIncreaseQuotaPrivilege
;
35 SepExports
.SeUnsolicitedInputPrivilege
= SeUnsolicitedInputPrivilege
;
36 SepExports
.SeTcbPrivilege
= SeTcbPrivilege
;
37 SepExports
.SeSecurityPrivilege
= SeSecurityPrivilege
;
38 SepExports
.SeTakeOwnershipPrivilege
= SeTakeOwnershipPrivilege
;
39 SepExports
.SeLoadDriverPrivilege
= SeLoadDriverPrivilege
;
40 SepExports
.SeCreatePagefilePrivilege
= SeCreatePagefilePrivilege
;
41 SepExports
.SeIncreaseBasePriorityPrivilege
= SeIncreaseBasePriorityPrivilege
;
42 SepExports
.SeSystemProfilePrivilege
= SeSystemProfilePrivilege
;
43 SepExports
.SeSystemtimePrivilege
= SeSystemtimePrivilege
;
44 SepExports
.SeProfileSingleProcessPrivilege
= SeProfileSingleProcessPrivilege
;
45 SepExports
.SeCreatePermanentPrivilege
= SeCreatePermanentPrivilege
;
46 SepExports
.SeBackupPrivilege
= SeBackupPrivilege
;
47 SepExports
.SeRestorePrivilege
= SeRestorePrivilege
;
48 SepExports
.SeShutdownPrivilege
= SeShutdownPrivilege
;
49 SepExports
.SeDebugPrivilege
= SeDebugPrivilege
;
50 SepExports
.SeAuditPrivilege
= SeAuditPrivilege
;
51 SepExports
.SeSystemEnvironmentPrivilege
= SeSystemEnvironmentPrivilege
;
52 SepExports
.SeChangeNotifyPrivilege
= SeChangeNotifyPrivilege
;
53 SepExports
.SeRemoteShutdownPrivilege
= SeRemoteShutdownPrivilege
;
55 SepExports
.SeNullSid
= SeNullSid
;
56 SepExports
.SeWorldSid
= SeWorldSid
;
57 SepExports
.SeLocalSid
= SeLocalSid
;
58 SepExports
.SeCreatorOwnerSid
= SeCreatorOwnerSid
;
59 SepExports
.SeCreatorGroupSid
= SeCreatorGroupSid
;
60 SepExports
.SeNtAuthoritySid
= SeNtAuthoritySid
;
61 SepExports
.SeDialupSid
= SeDialupSid
;
62 SepExports
.SeNetworkSid
= SeNetworkSid
;
63 SepExports
.SeBatchSid
= SeBatchSid
;
64 SepExports
.SeInteractiveSid
= SeInteractiveSid
;
65 SepExports
.SeLocalSystemSid
= SeLocalSystemSid
;
66 SepExports
.SeAliasAdminsSid
= SeAliasAdminsSid
;
67 SepExports
.SeAliasUsersSid
= SeAliasUsersSid
;
68 SepExports
.SeAliasGuestsSid
= SeAliasGuestsSid
;
69 SepExports
.SeAliasPowerUsersSid
= SeAliasPowerUsersSid
;
70 SepExports
.SeAliasAccountOpsSid
= SeAliasAccountOpsSid
;
71 SepExports
.SeAliasSystemOpsSid
= SeAliasSystemOpsSid
;
72 SepExports
.SeAliasPrintOpsSid
= SeAliasPrintOpsSid
;
73 SepExports
.SeAliasBackupOpsSid
= SeAliasBackupOpsSid
;
74 SepExports
.SeAuthenticatedUsersSid
= SeAuthenticatedUsersSid
;
75 SepExports
.SeRestrictedSid
= SeRestrictedSid
;
76 SepExports
.SeAnonymousLogonSid
= SeAnonymousLogonSid
;
77 SepExports
.SeLocalServiceSid
= SeLocalServiceSid
;
78 SepExports
.SeNetworkServiceSid
= SeNetworkServiceSid
;
80 SepExports
.SeUndockPrivilege
= SeUndockPrivilege
;
81 SepExports
.SeSyncAgentPrivilege
= SeSyncAgentPrivilege
;
82 SepExports
.SeEnableDelegationPrivilege
= SeEnableDelegationPrivilege
;
83 SepExports
.SeManageVolumePrivilege
= SeManageVolumePrivilege
;
84 SepExports
.SeImpersonatePrivilege
= SeImpersonatePrivilege
;
85 SepExports
.SeCreateGlobalPrivilege
= SeCreateGlobalPrivilege
;
87 SeExports
= &SepExports
;
95 SepInitializationPhase0(VOID
)
100 if (!SepInitSecurityIDs()) return FALSE
;
101 if (!SepInitDACLs()) return FALSE
;
102 if (!SepInitSDs()) return FALSE
;
104 if (!SepInitExports()) return FALSE
;
106 /* Initialize the subject context lock */
107 ExInitializeResource(&SepSubjectContextLock
);
109 /* Initialize token objects */
110 SepInitializeTokenImplementation();
112 /* Initialize logon sessions */
113 if (!SeRmInitPhase0()) return FALSE
;
115 /* Clear impersonation info for the idle thread */
116 PsGetCurrentThread()->ImpersonationInfo
= NULL
;
117 PspClearCrossThreadFlag(PsGetCurrentThread(),
118 CT_ACTIVE_IMPERSONATION_INFO_BIT
);
120 /* Initialize the boot token */
121 ObInitializeFastReference(&PsGetCurrentProcess()->Token
, NULL
);
122 ObInitializeFastReference(&PsGetCurrentProcess()->Token
,
123 SepCreateSystemProcessToken());
130 SepInitializationPhase1(VOID
)
132 OBJECT_ATTRIBUTES ObjectAttributes
;
134 HANDLE SecurityHandle
;
137 SECURITY_DESCRIPTOR SecurityDescriptor
;
143 /* Insert the system token into the tree */
144 Status
= ObInsertObject((PVOID
)(PsGetCurrentProcess()->Token
.Value
&
151 ASSERT(NT_SUCCESS(Status
));
153 /* Create a security descriptor for the directory */
154 RtlCreateSecurityDescriptor(&SecurityDescriptor
, SECURITY_DESCRIPTOR_REVISION
);
157 DaclLength
= sizeof(ACL
) + 3 * sizeof(ACCESS_ALLOWED_ACE
) +
158 RtlLengthSid(SeLocalSystemSid
) +
159 RtlLengthSid(SeAliasAdminsSid
) +
160 RtlLengthSid(SeWorldSid
);
161 Dacl
= ExAllocatePoolWithTag(NonPagedPool
, DaclLength
, TAG_SE
);
167 Status
= RtlCreateAcl(Dacl
, DaclLength
, ACL_REVISION
);
168 ASSERT(NT_SUCCESS(Status
));
170 /* Grant full access to SYSTEM */
171 Status
= RtlAddAccessAllowedAce(Dacl
,
173 DIRECTORY_ALL_ACCESS
,
175 ASSERT(NT_SUCCESS(Status
));
177 /* Allow admins to traverse and query */
178 Status
= RtlAddAccessAllowedAce(Dacl
,
180 READ_CONTROL
| DIRECTORY_TRAVERSE
| DIRECTORY_QUERY
,
182 ASSERT(NT_SUCCESS(Status
));
184 /* Allow anyone to traverse */
185 Status
= RtlAddAccessAllowedAce(Dacl
,
189 ASSERT(NT_SUCCESS(Status
));
191 /* And link ACL and SD */
192 Status
= RtlSetDaclSecurityDescriptor(&SecurityDescriptor
, TRUE
, Dacl
, FALSE
);
193 ASSERT(NT_SUCCESS(Status
));
195 /* Create '\Security' directory */
196 RtlInitUnicodeString(&Name
, L
"\\Security");
197 InitializeObjectAttributes(&ObjectAttributes
,
199 OBJ_PERMANENT
| OBJ_CASE_INSENSITIVE
,
201 &SecurityDescriptor
);
203 Status
= ZwCreateDirectoryObject(&SecurityHandle
,
204 DIRECTORY_ALL_ACCESS
,
206 ASSERT(NT_SUCCESS(Status
));
209 ExFreePoolWithTag(Dacl
, TAG_SE
);
211 /* Create 'LSA_AUTHENTICATION_INITIALIZED' event */
212 RtlInitUnicodeString(&Name
, L
"LSA_AUTHENTICATION_INITIALIZED");
213 InitializeObjectAttributes(&ObjectAttributes
,
215 OBJ_PERMANENT
| OBJ_CASE_INSENSITIVE
,
219 Status
= ZwCreateEvent(&EventHandle
,
224 ASSERT(NT_SUCCESS(Status
));
226 Status
= ZwClose(EventHandle
);
227 ASSERT(NT_SUCCESS(Status
));
229 Status
= ZwClose(SecurityHandle
);
230 ASSERT(NT_SUCCESS(Status
));
240 /* Check the initialization phase */
241 switch (ExpInitializationPhase
)
246 return SepInitializationPhase0();
251 return SepInitializationPhase1();
255 /* Don't know any other phase! Bugcheck! */
256 KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL
,
258 ExpInitializationPhase
,
267 SeDefaultObjectMethod(IN PVOID Object
,
268 IN SECURITY_OPERATION_CODE OperationType
,
269 IN PSECURITY_INFORMATION SecurityInformation
,
270 IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor
,
271 IN OUT PULONG ReturnLength OPTIONAL
,
272 IN OUT PSECURITY_DESCRIPTOR
*OldSecurityDescriptor
,
273 IN POOL_TYPE PoolType
,
274 IN PGENERIC_MAPPING GenericMapping
)
278 /* Select the operation type */
279 switch (OperationType
)
281 /* Setting a new descriptor */
282 case SetSecurityDescriptor
:
285 ASSERT((PoolType
== PagedPool
) || (PoolType
== NonPagedPool
));
287 /* Set the information */
288 return ObSetSecurityDescriptorInfo(Object
,
291 OldSecurityDescriptor
,
295 case QuerySecurityDescriptor
:
297 /* Query the information */
298 return ObQuerySecurityDescriptorInfo(Object
,
302 OldSecurityDescriptor
);
304 case DeleteSecurityDescriptor
:
307 return ObDeassignSecurity(OldSecurityDescriptor
);
309 case AssignSecurityDescriptor
:
312 ObAssignObjectSecurityDescriptor(Object
, SecurityDescriptor
, PoolType
);
313 return STATUS_SUCCESS
;
318 KeBugCheckEx(SECURITY_SYSTEM
, 0, STATUS_INVALID_PARAMETER
, 0, 0);
321 /* Should never reach here */
323 return STATUS_SUCCESS
;
328 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation
,
329 OUT PACCESS_MASK DesiredAccess
)
333 if (SecurityInformation
& (OWNER_SECURITY_INFORMATION
|
334 GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION
))
336 *DesiredAccess
|= READ_CONTROL
;
339 if (SecurityInformation
& SACL_SECURITY_INFORMATION
)
341 *DesiredAccess
|= ACCESS_SYSTEM_SECURITY
;
347 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation
,
348 OUT PACCESS_MASK DesiredAccess
)
352 if (SecurityInformation
& (OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
))
354 *DesiredAccess
|= WRITE_OWNER
;
357 if (SecurityInformation
& DACL_SECURITY_INFORMATION
)
359 *DesiredAccess
|= WRITE_DAC
;
362 if (SecurityInformation
& SACL_SECURITY_INFORMATION
)
364 *DesiredAccess
|= ACCESS_SYSTEM_SECURITY
;
370 SeReportSecurityEvent(
372 _In_ PUNICODE_STRING SourceName
,
373 _In_opt_ PSID UserSid
,
374 _In_ PSE_ADT_PARAMETER_ARRAY AuditParameters
)
376 SECURITY_SUBJECT_CONTEXT SubjectContext
;
377 PTOKEN EffectiveToken
;
381 /* Validate parameters */
383 (SourceName
== NULL
) ||
384 (SourceName
->Buffer
== NULL
) ||
385 (SourceName
->Length
== 0) ||
386 (AuditParameters
== NULL
) ||
387 (AuditParameters
->ParameterCount
> SE_MAX_AUDIT_PARAMETERS
- 4))
389 return STATUS_INVALID_PARAMETER
;
392 /* Validate the source name */
393 Status
= RtlValidateUnicodeString(0, SourceName
);
394 if (!NT_SUCCESS(Status
))
399 /* Check if we have a user SID */
403 if (!RtlValidSid(UserSid
))
405 return STATUS_INVALID_PARAMETER
;
408 /* Use the user SID */
413 /* No user SID, capture the security subject context */
414 SeCaptureSubjectContext(&SubjectContext
);
416 /* Extract the effective token */
417 EffectiveToken
= SubjectContext
.ClientToken
?
418 SubjectContext
.ClientToken
: SubjectContext
.PrimaryToken
;
420 /* Use the user-and-groups SID */
421 Sid
= EffectiveToken
->UserAndGroups
->Sid
;
426 /* Check if we captured the subject context */
430 SeReleaseSubjectContext(&SubjectContext
);
434 return STATUS_SUCCESS
;
441 _Inout_ PSE_ADT_PARAMETER_ARRAY AuditParameters
,
442 _In_ SE_ADT_PARAMETER_TYPE Type
,
443 _In_range_(<, SE_MAX_AUDIT_PARAMETERS
) ULONG Index
,
444 _In_reads_(_Inexpressible_("depends on SE_ADT_PARAMETER_TYPE")) PVOID Data
)
447 return STATUS_SUCCESS
;