projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Create a branch for network fixes.
[reactos.git] / ntoskrnl / se / semgr.c
1 /*
2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/semgr.c
5 * PURPOSE: Security manager
6 *
7 * PROGRAMMERS: No programmer listed.
8 */
9
10 /* INCLUDES *******************************************************************/
11
12 #include <ntoskrnl.h>
13 #define NDEBUG
14 #include <debug.h>
15
16 /* GLOBALS ********************************************************************/
17
18 PSE_EXPORTS SeExports = NULL;
19 SE_EXPORTS SepExports;
20
21 extern ULONG ExpInitializationPhase;
22 extern ERESOURCE SepSubjectContextLock;
23
24 /* PRIVATE FUNCTIONS **********************************************************/
25
26 static BOOLEAN INIT_FUNCTION
27 SepInitExports(VOID)
28 {
29 SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
30 SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
31 SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
32 SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
33 SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
34 SepExports.SeTcbPrivilege = SeTcbPrivilege;
35 SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
36 SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
37 SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
38 SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
39 SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
40 SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
41 SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
42 SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
43 SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
44 SepExports.SeBackupPrivilege = SeBackupPrivilege;
45 SepExports.SeRestorePrivilege = SeRestorePrivilege;
46 SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
47 SepExports.SeDebugPrivilege = SeDebugPrivilege;
48 SepExports.SeAuditPrivilege = SeAuditPrivilege;
49 SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
50 SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
51 SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
52
53 SepExports.SeNullSid = SeNullSid;
54 SepExports.SeWorldSid = SeWorldSid;
55 SepExports.SeLocalSid = SeLocalSid;
56 SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
57 SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
58 SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
59 SepExports.SeDialupSid = SeDialupSid;
60 SepExports.SeNetworkSid = SeNetworkSid;
61 SepExports.SeBatchSid = SeBatchSid;
62 SepExports.SeInteractiveSid = SeInteractiveSid;
63 SepExports.SeLocalSystemSid = SeLocalSystemSid;
64 SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
65 SepExports.SeAliasUsersSid = SeAliasUsersSid;
66 SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
67 SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
68 SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
69 SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
70 SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
71 SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
72 SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
73 SepExports.SeRestrictedSid = SeRestrictedSid;
74 SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
75
76 SepExports.SeUndockPrivilege = SeUndockPrivilege;
77 SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
78 SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
79
80 SeExports = &SepExports;
81 return TRUE;
82 }
83
84
85 BOOLEAN
86 NTAPI
87 SepInitializationPhase0(VOID)
88 {
89 ExpInitLuid();
90 if (!SepInitSecurityIDs()) return FALSE;
91 if (!SepInitDACLs()) return FALSE;
92 if (!SepInitSDs()) return FALSE;
93 SepInitPrivileges();
94 if (!SepInitExports()) return FALSE;
95
96 /* Initialize the subject context lock */
97 ExInitializeResource(&SepSubjectContextLock);
98
99 /* Initialize token objects */
100 SepInitializeTokenImplementation();
101
102 /* Clear impersonation info for the idle thread */
103 PsGetCurrentThread()->ImpersonationInfo = NULL;
104 PspClearCrossThreadFlag(PsGetCurrentThread(),
105 CT_ACTIVE_IMPERSONATION_INFO_BIT);
106
107 /* Initialize the boot token */
108 ObInitializeFastReference(&PsGetCurrentProcess()->Token, NULL);
109 ObInitializeFastReference(&PsGetCurrentProcess()->Token,
110 SepCreateSystemProcessToken());
111 return TRUE;
112 }
113
114 BOOLEAN
115 NTAPI
116 SepInitializationPhase1(VOID)
117 {
118 NTSTATUS Status;
119 PAGED_CODE();
120
121 /* Insert the system token into the tree */
122 Status = ObInsertObject((PVOID)(PsGetCurrentProcess()->Token.Value &
123 ~MAX_FAST_REFS),
124 NULL,
125 0,
126 0,
127 NULL,
128 NULL);
129 ASSERT(NT_SUCCESS(Status));
130
131 /* FIXME: TODO \\ Security directory */
132 return TRUE;
133 }
134
135 BOOLEAN
136 NTAPI
137 SeInit(VOID)
138 {
139 /* Check the initialization phase */
140 switch (ExpInitializationPhase)
141 {
142 case 0:
143
144 /* Do Phase 0 */
145 return SepInitializationPhase0();
146
147 case 1:
148
149 /* Do Phase 1 */
150 return SepInitializationPhase1();
151
152 default:
153
154 /* Don't know any other phase! Bugcheck! */
155 KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
156 0,
157 ExpInitializationPhase,
158 0,
159 0);
160 return FALSE;
161 }
162 }
163
164 BOOLEAN
165 NTAPI
166 SeInitSRM(VOID)
167 {
168 OBJECT_ATTRIBUTES ObjectAttributes;
169 UNICODE_STRING Name;
170 HANDLE DirectoryHandle;
171 HANDLE EventHandle;
172 NTSTATUS Status;
173
174 /* Create '\Security' directory */
175 RtlInitUnicodeString(&Name,
176 L"\\Security");
177 InitializeObjectAttributes(&ObjectAttributes,
178 &Name,
179 OBJ_PERMANENT,
180 0,
181 NULL);
182 Status = ZwCreateDirectoryObject(&DirectoryHandle,
183 DIRECTORY_ALL_ACCESS,
184 &ObjectAttributes);
185 if (!NT_SUCCESS(Status))
186 {
187 DPRINT1("Failed to create 'Security' directory!\n");
188 return FALSE;
189 }
190
191 /* Create 'LSA_AUTHENTICATION_INITALIZED' event */
192 RtlInitUnicodeString(&Name,
193 L"\\LSA_AUTHENTICATION_INITALIZED");
194 InitializeObjectAttributes(&ObjectAttributes,
195 &Name,
196 OBJ_PERMANENT,
197 DirectoryHandle,
198 SePublicDefaultSd);
199 Status = ZwCreateEvent(&EventHandle,
200 EVENT_ALL_ACCESS,
201 &ObjectAttributes,
202 SynchronizationEvent,
203 FALSE);
204 if (!NT_SUCCESS(Status))
205 {
206 DPRINT1("Failed to create 'LSA_AUTHENTICATION_INITALIZED' event!\n");
207 NtClose(DirectoryHandle);
208 return FALSE;
209 }
210
211 ZwClose(EventHandle);
212 ZwClose(DirectoryHandle);
213
214 /* FIXME: Create SRM port and listener thread */
215
216 return TRUE;
217 }
218
219 NTSTATUS
220 NTAPI
221 SeDefaultObjectMethod(IN PVOID Object,
222 IN SECURITY_OPERATION_CODE OperationType,
223 IN PSECURITY_INFORMATION SecurityInformation,
224 IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
225 IN OUT PULONG ReturnLength OPTIONAL,
226 IN OUT PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
227 IN POOL_TYPE PoolType,
228 IN PGENERIC_MAPPING GenericMapping)
229 {
230 PAGED_CODE();
231
232 /* Select the operation type */
233 switch (OperationType)
234 {
235 /* Setting a new descriptor */
236 case SetSecurityDescriptor:
237
238 /* Sanity check */
239 ASSERT((PoolType == PagedPool) || (PoolType == NonPagedPool));
240
241 /* Set the information */
242 return ObSetSecurityDescriptorInfo(Object,
243 SecurityInformation,
244 SecurityDescriptor,
245 OldSecurityDescriptor,
246 PoolType,
247 GenericMapping);
248
249 case QuerySecurityDescriptor:
250
251 /* Query the information */
252 return ObQuerySecurityDescriptorInfo(Object,
253 SecurityInformation,
254 SecurityDescriptor,
255 ReturnLength,
256 OldSecurityDescriptor);
257
258 case DeleteSecurityDescriptor:
259
260 /* De-assign it */
261 return ObDeassignSecurity(OldSecurityDescriptor);
262
263 case AssignSecurityDescriptor:
264
265 /* Assign it */
266 ObAssignObjectSecurityDescriptor(Object, SecurityDescriptor, PoolType);
267 return STATUS_SUCCESS;
268
269 default:
270
271 /* Bug check */
272 KeBugCheckEx(SECURITY_SYSTEM, 0, STATUS_INVALID_PARAMETER, 0, 0);
273 }
274
275 /* Should never reach here */
276 ASSERT(FALSE);
277 return STATUS_SUCCESS;
278 }
279
280
281 static BOOLEAN
282 SepSidInToken(PACCESS_TOKEN _Token,
283 PSID Sid)
284 {
285 ULONG i;
286 PTOKEN Token = (PTOKEN)_Token;
287
288 PAGED_CODE();
289
290 if (Token->UserAndGroupCount == 0)
291 {
292 return FALSE;
293 }
294
295 for (i=0; i<Token->UserAndGroupCount; i++)
296 {
297 if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
298 {
299 if (Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED)
300 {
301 return TRUE;
302 }
303
304 return FALSE;
305 }
306 }
307
308 return FALSE;
309 }
310
311
312 VOID STDCALL
313 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
314 OUT PACCESS_MASK DesiredAccess)
315 {
316 *DesiredAccess = 0;
317
318 if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
319 GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
320 {
321 *DesiredAccess |= READ_CONTROL;
322 }
323 if (SecurityInformation & SACL_SECURITY_INFORMATION)
324 {
325 *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
326 }
327 }
328
329 VOID STDCALL
330 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
331 OUT PACCESS_MASK DesiredAccess)
332 {
333 *DesiredAccess = 0;
334
335 if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
336 {
337 *DesiredAccess |= WRITE_OWNER;
338 }
339 if (SecurityInformation & DACL_SECURITY_INFORMATION)
340 {
341 *DesiredAccess |= WRITE_DAC;
342 }
343 if (SecurityInformation & SACL_SECURITY_INFORMATION)
344 {
345 *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
346 }
347 }
348
349 /* PUBLIC FUNCTIONS ***********************************************************/
350
351 /*
352 * @implemented
353 */
354 BOOLEAN STDCALL
355 SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
356 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
357 IN BOOLEAN SubjectContextLocked,
358 IN ACCESS_MASK DesiredAccess,
359 IN ACCESS_MASK PreviouslyGrantedAccess,
360 OUT PPRIVILEGE_SET* Privileges,
361 IN PGENERIC_MAPPING GenericMapping,
362 IN KPROCESSOR_MODE AccessMode,
363 OUT PACCESS_MASK GrantedAccess,
364 OUT PNTSTATUS AccessStatus)
365 {
366 LUID_AND_ATTRIBUTES Privilege;
367 ACCESS_MASK CurrentAccess, AccessMask;
368 PACCESS_TOKEN Token;
369 ULONG i;
370 PACL Dacl;
371 BOOLEAN Present;
372 BOOLEAN Defaulted;
373 PACE CurrentAce;
374 PSID Sid;
375 NTSTATUS Status;
376 PAGED_CODE();
377
378 /* Check if this is kernel mode */
379 if (AccessMode == KernelMode)
380 {
381 /* Check if kernel wants everything */
382 if (DesiredAccess & MAXIMUM_ALLOWED)
383 {
384 /* Give it */
385 *GrantedAccess = GenericMapping->GenericAll;
386 *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
387 *GrantedAccess |= PreviouslyGrantedAccess;
388 }
389 else
390 {
391 /* Give the desired and previous access */
392 *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
393 }
394
395 /* Success */
396 *AccessStatus = STATUS_SUCCESS;
397 return TRUE;
398 }
399
400 /* Check if we didn't get an SD */
401 if (!SecurityDescriptor)
402 {
403 /* Automatic failure */
404 *AccessStatus = STATUS_ACCESS_DENIED;
405 return FALSE;
406 }
407
408 /* Check for invalid impersonation */
409 if ((SubjectSecurityContext->ClientToken) &&
410 (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation))
411 {
412 *AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
413 return FALSE;
414 }
415
416 /* Check for no access desired */
417 if (!DesiredAccess)
418 {
419 /* Check if we had no previous access */
420 if (!PreviouslyGrantedAccess)
421 {
422 /* Then there's nothing to give */
423 *AccessStatus = STATUS_ACCESS_DENIED;
424 return FALSE;
425 }
426
427 /* Return the previous access only */
428 *GrantedAccess = PreviouslyGrantedAccess;
429 *AccessStatus = STATUS_SUCCESS;
430 *Privileges = NULL;
431 return TRUE;
432 }
433
434 /* Acquire the lock if needed */
435 if (!SubjectContextLocked) SeLockSubjectContext(SubjectSecurityContext);
436
437 /* Map given accesses */
438 RtlMapGenericMask(&DesiredAccess, GenericMapping);
439 if (PreviouslyGrantedAccess)
440 RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
441
442
443
444 CurrentAccess = PreviouslyGrantedAccess;
445
446
447
448 Token = SubjectSecurityContext->ClientToken ?
449 SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
450
451 /* Get the DACL */
452 Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
453 &Present,
454 &Dacl,
455 &Defaulted);
456 if (!NT_SUCCESS(Status))
457 {
458 if (SubjectContextLocked == FALSE)
459 {
460 SeUnlockSubjectContext(SubjectSecurityContext);
461 }
462
463 *AccessStatus = Status;
464 return FALSE;
465 }
466
467 /* RULE 1: Grant desired access if the object is unprotected */
468 if (Present == TRUE && Dacl == NULL)
469 {
470 if (SubjectContextLocked == FALSE)
471 {
472 SeUnlockSubjectContext(SubjectSecurityContext);
473 }
474
475 *GrantedAccess = DesiredAccess;
476 *AccessStatus = STATUS_SUCCESS;
477 return TRUE;
478 }
479
480 CurrentAccess = PreviouslyGrantedAccess;
481
482 /* RULE 2: Check token for 'take ownership' privilege */
483 Privilege.Luid = SeTakeOwnershipPrivilege;
484 Privilege.Attributes = SE_PRIVILEGE_ENABLED;
485
486 if (SepPrivilegeCheck(Token,
487 &Privilege,
488 1,
489 PRIVILEGE_SET_ALL_NECESSARY,
490 AccessMode))
491 {
492 CurrentAccess |= WRITE_OWNER;
493 if ((DesiredAccess & ~VALID_INHERIT_FLAGS) ==
494 (CurrentAccess & ~VALID_INHERIT_FLAGS))
495 {
496 if (SubjectContextLocked == FALSE)
497 {
498 SeUnlockSubjectContext(SubjectSecurityContext);
499 }
500
501 *GrantedAccess = CurrentAccess;
502 *AccessStatus = STATUS_SUCCESS;
503 return TRUE;
504 }
505 }
506
507 /* RULE 3: Check whether the token is the owner */
508 Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
509 &Sid,
510 &Defaulted);
511 if (!NT_SUCCESS(Status))
512 {
513 DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status);
514 if (SubjectContextLocked == FALSE)
515 {
516 SeUnlockSubjectContext(SubjectSecurityContext);
517 }
518
519 *AccessStatus = Status;
520 return FALSE;
521 }
522
523 if (Sid && SepSidInToken(Token, Sid))
524 {
525 CurrentAccess |= (READ_CONTROL | WRITE_DAC);
526 if ((DesiredAccess & ~VALID_INHERIT_FLAGS) ==
527 (CurrentAccess & ~VALID_INHERIT_FLAGS))
528 {
529 if (SubjectContextLocked == FALSE)
530 {
531 SeUnlockSubjectContext(SubjectSecurityContext);
532 }
533
534 *GrantedAccess = CurrentAccess;
535 *AccessStatus = STATUS_SUCCESS;
536 return TRUE;
537 }
538 }
539
540 /* Fail if DACL is absent */
541 if (Present == FALSE)
542 {
543 if (SubjectContextLocked == FALSE)
544 {
545 SeUnlockSubjectContext(SubjectSecurityContext);
546 }
547
548 *GrantedAccess = 0;
549 *AccessStatus = STATUS_ACCESS_DENIED;
550 return FALSE;
551 }
552
553 /* RULE 4: Grant rights according to the DACL */
554 CurrentAce = (PACE)(Dacl + 1);
555 for (i = 0; i < Dacl->AceCount; i++)
556 {
557 Sid = (PSID)(CurrentAce + 1);
558 if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
559 {
560 if (SepSidInToken(Token, Sid))
561 {
562 if (SubjectContextLocked == FALSE)
563 {
564 SeUnlockSubjectContext(SubjectSecurityContext);
565 }
566
567 *GrantedAccess = 0;
568 *AccessStatus = STATUS_ACCESS_DENIED;
569 return FALSE;
570 }
571 }
572
573 else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
574 {
575 if (SepSidInToken(Token, Sid))
576 {
577 AccessMask = CurrentAce->AccessMask;
578 RtlMapGenericMask(&AccessMask, GenericMapping);
579 CurrentAccess |= AccessMask;
580 }
581 }
582 else
583 {
584 DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
585 }
586 CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
587 }
588
589 if (SubjectContextLocked == FALSE)
590 {
591 SeUnlockSubjectContext(SubjectSecurityContext);
592 }
593
594 DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
595 CurrentAccess, DesiredAccess);
596
597 *GrantedAccess = CurrentAccess & DesiredAccess;
598
599 if (DesiredAccess & MAXIMUM_ALLOWED)
600 {
601 *GrantedAccess = CurrentAccess;
602 *AccessStatus = STATUS_SUCCESS;
603 return TRUE;
604 }
605 else if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) ==
606 (DesiredAccess & ~VALID_INHERIT_FLAGS))
607 {
608 *AccessStatus = STATUS_SUCCESS;
609 return TRUE;
610 }
611 else
612 {
613 DPRINT1("Denying access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p)\n",
614 *GrantedAccess, DesiredAccess, GenericMapping);
615 *AccessStatus = STATUS_ACCESS_DENIED;
616 return FALSE;
617 }
618 }
619
620 /* SYSTEM CALLS ***************************************************************/
621
622 NTSTATUS STDCALL
623 NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
624 IN HANDLE TokenHandle,
625 IN ACCESS_MASK DesiredAccess,
626 IN PGENERIC_MAPPING GenericMapping,
627 OUT PPRIVILEGE_SET PrivilegeSet,
628 OUT PULONG ReturnLength,
629 OUT PACCESS_MASK GrantedAccess,
630 OUT PNTSTATUS AccessStatus)
631 {
632 SECURITY_SUBJECT_CONTEXT SubjectSecurityContext = {0};
633 KPROCESSOR_MODE PreviousMode;
634 PTOKEN Token;
635 NTSTATUS Status;
636
637 PAGED_CODE();
638
639 DPRINT("NtAccessCheck() called\n");
640
641 PreviousMode = KeGetPreviousMode();
642 if (PreviousMode == KernelMode)
643 {
644 *GrantedAccess = DesiredAccess;
645 *AccessStatus = STATUS_SUCCESS;
646 return STATUS_SUCCESS;
647 }
648
649 Status = ObReferenceObjectByHandle(TokenHandle,
650 TOKEN_QUERY,
651 SepTokenObjectType,
652 PreviousMode,
653 (PVOID*)&Token,
654 NULL);
655 if (!NT_SUCCESS(Status))
656 {
657 DPRINT1("Failed to reference token (Status %lx)\n", Status);
658 return Status;
659 }
660
661 /* Check token type */
662 if (Token->TokenType != TokenImpersonation)
663 {
664 DPRINT1("No impersonation token\n");
665 ObDereferenceObject(Token);
666 return STATUS_ACCESS_VIOLATION;
667 }
668
669 /* Check impersonation level */
670 if (Token->ImpersonationLevel < SecurityAnonymous)
671 {
672 DPRINT1("Invalid impersonation level\n");
673 ObDereferenceObject(Token);
674 return STATUS_ACCESS_VIOLATION;
675 }
676
677 SubjectSecurityContext.ClientToken = Token;
678 SubjectSecurityContext.ImpersonationLevel = Token->ImpersonationLevel;
679
680 /* Lock subject context */
681 SeLockSubjectContext(&SubjectSecurityContext);
682
683 if (SeAccessCheck(SecurityDescriptor,
684 &SubjectSecurityContext,
685 TRUE,
686 DesiredAccess,
687 0,
688 &PrivilegeSet,
689 GenericMapping,
690 PreviousMode,
691 GrantedAccess,
692 AccessStatus))
693 {
694 Status = *AccessStatus;
695 }
696 else
697 {
698 Status = STATUS_ACCESS_DENIED;
699 }
700
701 /* Unlock subject context */
702 SeUnlockSubjectContext(&SubjectSecurityContext);
703
704 ObDereferenceObject(Token);
705
706 DPRINT("NtAccessCheck() done\n");
707
708 return Status;
709 }
710
711 NTSTATUS
712 NTAPI
713 NtAccessCheckByType(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
714 IN PSID PrincipalSelfSid,
715 IN HANDLE ClientToken,
716 IN ACCESS_MASK DesiredAccess,
717 IN POBJECT_TYPE_LIST ObjectTypeList,
718 IN ULONG ObjectTypeLength,
719 IN PGENERIC_MAPPING GenericMapping,
720 IN PPRIVILEGE_SET PrivilegeSet,
721 IN ULONG PrivilegeSetLength,
722 OUT PACCESS_MASK GrantedAccess,
723 OUT PNTSTATUS AccessStatus)
724 {
725 UNIMPLEMENTED;
726 return STATUS_NOT_IMPLEMENTED;
727 }
728
729 NTSTATUS
730 NTAPI
731 NtAccessCheckByTypeAndAuditAlarm(IN PUNICODE_STRING SubsystemName,
732 IN HANDLE HandleId,
733 IN PUNICODE_STRING ObjectTypeName,
734 IN PUNICODE_STRING ObjectName,
735 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
736 IN PSID PrincipalSelfSid,
737 IN ACCESS_MASK DesiredAccess,
738 IN AUDIT_EVENT_TYPE AuditType,
739 IN ULONG Flags,
740 IN POBJECT_TYPE_LIST ObjectTypeList,
741 IN ULONG ObjectTypeLength,
742 IN PGENERIC_MAPPING GenericMapping,
743 IN BOOLEAN ObjectCreation,
744 OUT PACCESS_MASK GrantedAccess,
745 OUT PNTSTATUS AccessStatus,
746 OUT PBOOLEAN GenerateOnClose)
747 {
748 UNIMPLEMENTED;
749 return STATUS_NOT_IMPLEMENTED;
750 }
751
752 NTSTATUS
753 NTAPI
754 NtAccessCheckByTypeResultList(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
755 IN PSID PrincipalSelfSid,
756 IN HANDLE ClientToken,
757 IN ACCESS_MASK DesiredAccess,
758 IN POBJECT_TYPE_LIST ObjectTypeList,
759 IN ULONG ObjectTypeLength,
760 IN PGENERIC_MAPPING GenericMapping,
761 IN PPRIVILEGE_SET PrivilegeSet,
762 IN ULONG PrivilegeSetLength,
763 OUT PACCESS_MASK GrantedAccess,
764 OUT PNTSTATUS AccessStatus)
765 {
766 UNIMPLEMENTED;
767 return STATUS_NOT_IMPLEMENTED;
768 }
769
770 NTSTATUS
771 NTAPI
772 NtAccessCheckByTypeResultListAndAuditAlarm(IN PUNICODE_STRING SubsystemName,
773 IN HANDLE HandleId,
774 IN PUNICODE_STRING ObjectTypeName,
775 IN PUNICODE_STRING ObjectName,
776 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
777 IN PSID PrincipalSelfSid,
778 IN ACCESS_MASK DesiredAccess,
779 IN AUDIT_EVENT_TYPE AuditType,
780 IN ULONG Flags,
781 IN POBJECT_TYPE_LIST ObjectTypeList,
782 IN ULONG ObjectTypeLength,
783 IN PGENERIC_MAPPING GenericMapping,
784 IN BOOLEAN ObjectCreation,
785 OUT PACCESS_MASK GrantedAccess,
786 OUT PNTSTATUS AccessStatus,
787 OUT PBOOLEAN GenerateOnClose)
788 {
789 UNIMPLEMENTED;
790 return STATUS_NOT_IMPLEMENTED;
791 }
792
793 NTSTATUS
794 NTAPI
795 NtAccessCheckByTypeResultListAndAuditAlarmByHandle(IN PUNICODE_STRING SubsystemName,
796 IN HANDLE HandleId,
797 IN HANDLE ClientToken,
798 IN PUNICODE_STRING ObjectTypeName,
799 IN PUNICODE_STRING ObjectName,
800 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
801 IN PSID PrincipalSelfSid,
802 IN ACCESS_MASK DesiredAccess,
803 IN AUDIT_EVENT_TYPE AuditType,
804 IN ULONG Flags,
805 IN POBJECT_TYPE_LIST ObjectTypeList,
806 IN ULONG ObjectTypeLength,
807 IN PGENERIC_MAPPING GenericMapping,
808 IN BOOLEAN ObjectCreation,
809 OUT PACCESS_MASK GrantedAccess,
810 OUT PNTSTATUS AccessStatus,
811 OUT PBOOLEAN GenerateOnClose)
812 {
813 UNIMPLEMENTED;
814 return STATUS_NOT_IMPLEMENTED;
815 }
816
817 /* EOF */
A free Windows-compatible Operating System