Synchronize up to trunk's revision r57784.
[reactos.git] / ntoskrnl / se / sid.c
1 /*
2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/sid.c
5 * PURPOSE: Security manager
6 *
7 * PROGRAMMERS: David Welch <welch@cwcom.net>
8 */
9
10 /* INCLUDES *******************************************************************/
11
12 #include <ntoskrnl.h>
13 #define NDEBUG
14 #include <debug.h>
15
16 #if defined (ALLOC_PRAGMA)
17 #pragma alloc_text(INIT, SepInitSecurityIDs)
18 #endif
19
20 /* GLOBALS ********************************************************************/
21
22 SID_IDENTIFIER_AUTHORITY SeNullSidAuthority = {SECURITY_NULL_SID_AUTHORITY};
23 SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY};
24 SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority = {SECURITY_LOCAL_SID_AUTHORITY};
25 SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority = {SECURITY_CREATOR_SID_AUTHORITY};
26 SID_IDENTIFIER_AUTHORITY SeNtSidAuthority = {SECURITY_NT_AUTHORITY};
27
28 PSID SeNullSid = NULL;
29 PSID SeWorldSid = NULL;
30 PSID SeLocalSid = NULL;
31 PSID SeCreatorOwnerSid = NULL;
32 PSID SeCreatorGroupSid = NULL;
33 PSID SeCreatorOwnerServerSid = NULL;
34 PSID SeCreatorGroupServerSid = NULL;
35 PSID SeNtAuthoritySid = NULL;
36 PSID SeDialupSid = NULL;
37 PSID SeNetworkSid = NULL;
38 PSID SeBatchSid = NULL;
39 PSID SeInteractiveSid = NULL;
40 PSID SeServiceSid = NULL;
41 PSID SePrincipalSelfSid = NULL;
42 PSID SeLocalSystemSid = NULL;
43 PSID SeAuthenticatedUserSid = NULL;
44 PSID SeRestrictedCodeSid = NULL;
45 PSID SeAliasAdminsSid = NULL;
46 PSID SeAliasUsersSid = NULL;
47 PSID SeAliasGuestsSid = NULL;
48 PSID SeAliasPowerUsersSid = NULL;
49 PSID SeAliasAccountOpsSid = NULL;
50 PSID SeAliasSystemOpsSid = NULL;
51 PSID SeAliasPrintOpsSid = NULL;
52 PSID SeAliasBackupOpsSid = NULL;
53 PSID SeAuthenticatedUsersSid = NULL;
54 PSID SeRestrictedSid = NULL;
55 PSID SeAnonymousLogonSid = NULL;
56
57 /* FUNCTIONS ******************************************************************/
58
59 VOID
60 NTAPI
61 FreeInitializedSids(VOID)
62 {
63 if (SeNullSid) ExFreePoolWithTag(SeNullSid, TAG_SID);
64 if (SeWorldSid) ExFreePoolWithTag(SeWorldSid, TAG_SID);
65 if (SeLocalSid) ExFreePoolWithTag(SeLocalSid, TAG_SID);
66 if (SeCreatorOwnerSid) ExFreePoolWithTag(SeCreatorOwnerSid, TAG_SID);
67 if (SeCreatorGroupSid) ExFreePoolWithTag(SeCreatorGroupSid, TAG_SID);
68 if (SeCreatorOwnerServerSid) ExFreePoolWithTag(SeCreatorOwnerServerSid, TAG_SID);
69 if (SeCreatorGroupServerSid) ExFreePoolWithTag(SeCreatorGroupServerSid, TAG_SID);
70 if (SeNtAuthoritySid) ExFreePoolWithTag(SeNtAuthoritySid, TAG_SID);
71 if (SeDialupSid) ExFreePoolWithTag(SeDialupSid, TAG_SID);
72 if (SeNetworkSid) ExFreePoolWithTag(SeNetworkSid, TAG_SID);
73 if (SeBatchSid) ExFreePoolWithTag(SeBatchSid, TAG_SID);
74 if (SeInteractiveSid) ExFreePoolWithTag(SeInteractiveSid, TAG_SID);
75 if (SeServiceSid) ExFreePoolWithTag(SeServiceSid, TAG_SID);
76 if (SePrincipalSelfSid) ExFreePoolWithTag(SePrincipalSelfSid, TAG_SID);
77 if (SeLocalSystemSid) ExFreePoolWithTag(SeLocalSystemSid, TAG_SID);
78 if (SeAuthenticatedUserSid) ExFreePoolWithTag(SeAuthenticatedUserSid, TAG_SID);
79 if (SeRestrictedCodeSid) ExFreePoolWithTag(SeRestrictedCodeSid, TAG_SID);
80 if (SeAliasAdminsSid) ExFreePoolWithTag(SeAliasAdminsSid, TAG_SID);
81 if (SeAliasUsersSid) ExFreePoolWithTag(SeAliasUsersSid, TAG_SID);
82 if (SeAliasGuestsSid) ExFreePoolWithTag(SeAliasGuestsSid, TAG_SID);
83 if (SeAliasPowerUsersSid) ExFreePoolWithTag(SeAliasPowerUsersSid, TAG_SID);
84 if (SeAliasAccountOpsSid) ExFreePoolWithTag(SeAliasAccountOpsSid, TAG_SID);
85 if (SeAliasSystemOpsSid) ExFreePoolWithTag(SeAliasSystemOpsSid, TAG_SID);
86 if (SeAliasPrintOpsSid) ExFreePoolWithTag(SeAliasPrintOpsSid, TAG_SID);
87 if (SeAliasBackupOpsSid) ExFreePoolWithTag(SeAliasBackupOpsSid, TAG_SID);
88 if (SeAuthenticatedUsersSid) ExFreePoolWithTag(SeAuthenticatedUsersSid, TAG_SID);
89 if (SeRestrictedSid) ExFreePoolWithTag(SeRestrictedSid, TAG_SID);
90 if (SeAnonymousLogonSid) ExFreePoolWithTag(SeAnonymousLogonSid, TAG_SID);
91 }
92
93 BOOLEAN
94 INIT_FUNCTION
95 NTAPI
96 SepInitSecurityIDs(VOID)
97 {
98 ULONG SidLength0;
99 ULONG SidLength1;
100 ULONG SidLength2;
101 PULONG SubAuthority;
102
103 SidLength0 = RtlLengthRequiredSid(0);
104 SidLength1 = RtlLengthRequiredSid(1);
105 SidLength2 = RtlLengthRequiredSid(2);
106
107 /* create NullSid */
108 SeNullSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
109 SeWorldSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
110 SeLocalSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
111 SeCreatorOwnerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
112 SeCreatorGroupSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
113 SeCreatorOwnerServerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
114 SeCreatorGroupServerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
115 SeNtAuthoritySid = ExAllocatePoolWithTag(PagedPool, SidLength0, TAG_SID);
116 SeDialupSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
117 SeNetworkSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
118 SeBatchSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
119 SeInteractiveSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
120 SeServiceSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
121 SePrincipalSelfSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
122 SeLocalSystemSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
123 SeAuthenticatedUserSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
124 SeRestrictedCodeSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
125 SeAliasAdminsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
126 SeAliasUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
127 SeAliasGuestsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
128 SeAliasPowerUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
129 SeAliasAccountOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
130 SeAliasSystemOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
131 SeAliasPrintOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
132 SeAliasBackupOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
133 SeAuthenticatedUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
134 SeRestrictedSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
135 SeAnonymousLogonSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
136
137 if (SeNullSid == NULL || SeWorldSid == NULL ||
138 SeLocalSid == NULL || SeCreatorOwnerSid == NULL ||
139 SeCreatorGroupSid == NULL || SeCreatorOwnerServerSid == NULL ||
140 SeCreatorGroupServerSid == NULL || SeNtAuthoritySid == NULL ||
141 SeDialupSid == NULL || SeNetworkSid == NULL || SeBatchSid == NULL ||
142 SeInteractiveSid == NULL || SeServiceSid == NULL ||
143 SePrincipalSelfSid == NULL || SeLocalSystemSid == NULL ||
144 SeAuthenticatedUserSid == NULL || SeRestrictedCodeSid == NULL ||
145 SeAliasAdminsSid == NULL || SeAliasUsersSid == NULL ||
146 SeAliasGuestsSid == NULL || SeAliasPowerUsersSid == NULL ||
147 SeAliasAccountOpsSid == NULL || SeAliasSystemOpsSid == NULL ||
148 SeAliasPrintOpsSid == NULL || SeAliasBackupOpsSid == NULL ||
149 SeAuthenticatedUsersSid == NULL || SeRestrictedSid == NULL ||
150 SeAnonymousLogonSid == NULL)
151 {
152 FreeInitializedSids();
153 return FALSE;
154 }
155
156 RtlInitializeSid(SeNullSid, &SeNullSidAuthority, 1);
157 RtlInitializeSid(SeWorldSid, &SeWorldSidAuthority, 1);
158 RtlInitializeSid(SeLocalSid, &SeLocalSidAuthority, 1);
159 RtlInitializeSid(SeCreatorOwnerSid, &SeCreatorSidAuthority, 1);
160 RtlInitializeSid(SeCreatorGroupSid, &SeCreatorSidAuthority, 1);
161 RtlInitializeSid(SeCreatorOwnerServerSid, &SeCreatorSidAuthority, 1);
162 RtlInitializeSid(SeCreatorGroupServerSid, &SeCreatorSidAuthority, 1);
163 RtlInitializeSid(SeNtAuthoritySid, &SeNtSidAuthority, 0);
164 RtlInitializeSid(SeDialupSid, &SeNtSidAuthority, 1);
165 RtlInitializeSid(SeNetworkSid, &SeNtSidAuthority, 1);
166 RtlInitializeSid(SeBatchSid, &SeNtSidAuthority, 1);
167 RtlInitializeSid(SeInteractiveSid, &SeNtSidAuthority, 1);
168 RtlInitializeSid(SeServiceSid, &SeNtSidAuthority, 1);
169 RtlInitializeSid(SePrincipalSelfSid, &SeNtSidAuthority, 1);
170 RtlInitializeSid(SeLocalSystemSid, &SeNtSidAuthority, 1);
171 RtlInitializeSid(SeAuthenticatedUserSid, &SeNtSidAuthority, 1);
172 RtlInitializeSid(SeRestrictedCodeSid, &SeNtSidAuthority, 1);
173 RtlInitializeSid(SeAliasAdminsSid, &SeNtSidAuthority, 2);
174 RtlInitializeSid(SeAliasUsersSid, &SeNtSidAuthority, 2);
175 RtlInitializeSid(SeAliasGuestsSid, &SeNtSidAuthority, 2);
176 RtlInitializeSid(SeAliasPowerUsersSid, &SeNtSidAuthority, 2);
177 RtlInitializeSid(SeAliasAccountOpsSid, &SeNtSidAuthority, 2);
178 RtlInitializeSid(SeAliasSystemOpsSid, &SeNtSidAuthority, 2);
179 RtlInitializeSid(SeAliasPrintOpsSid, &SeNtSidAuthority, 2);
180 RtlInitializeSid(SeAliasBackupOpsSid, &SeNtSidAuthority, 2);
181 RtlInitializeSid(SeAuthenticatedUsersSid, &SeNtSidAuthority, 1);
182 RtlInitializeSid(SeRestrictedSid, &SeNtSidAuthority, 1);
183 RtlInitializeSid(SeAnonymousLogonSid, &SeNtSidAuthority, 1);
184
185 SubAuthority = RtlSubAuthoritySid(SeNullSid, 0);
186 *SubAuthority = SECURITY_NULL_RID;
187 SubAuthority = RtlSubAuthoritySid(SeWorldSid, 0);
188 *SubAuthority = SECURITY_WORLD_RID;
189 SubAuthority = RtlSubAuthoritySid(SeLocalSid, 0);
190 *SubAuthority = SECURITY_LOCAL_RID;
191 SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerSid, 0);
192 *SubAuthority = SECURITY_CREATOR_OWNER_RID;
193 SubAuthority = RtlSubAuthoritySid(SeCreatorGroupSid, 0);
194 *SubAuthority = SECURITY_CREATOR_GROUP_RID;
195 SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerServerSid, 0);
196 *SubAuthority = SECURITY_CREATOR_OWNER_SERVER_RID;
197 SubAuthority = RtlSubAuthoritySid(SeCreatorGroupServerSid, 0);
198 *SubAuthority = SECURITY_CREATOR_GROUP_SERVER_RID;
199 SubAuthority = RtlSubAuthoritySid(SeDialupSid, 0);
200 *SubAuthority = SECURITY_DIALUP_RID;
201 SubAuthority = RtlSubAuthoritySid(SeNetworkSid, 0);
202 *SubAuthority = SECURITY_NETWORK_RID;
203 SubAuthority = RtlSubAuthoritySid(SeBatchSid, 0);
204 *SubAuthority = SECURITY_BATCH_RID;
205 SubAuthority = RtlSubAuthoritySid(SeInteractiveSid, 0);
206 *SubAuthority = SECURITY_INTERACTIVE_RID;
207 SubAuthority = RtlSubAuthoritySid(SeServiceSid, 0);
208 *SubAuthority = SECURITY_SERVICE_RID;
209 SubAuthority = RtlSubAuthoritySid(SePrincipalSelfSid, 0);
210 *SubAuthority = SECURITY_PRINCIPAL_SELF_RID;
211 SubAuthority = RtlSubAuthoritySid(SeLocalSystemSid, 0);
212 *SubAuthority = SECURITY_LOCAL_SYSTEM_RID;
213 SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUserSid, 0);
214 *SubAuthority = SECURITY_AUTHENTICATED_USER_RID;
215 SubAuthority = RtlSubAuthoritySid(SeRestrictedCodeSid, 0);
216 *SubAuthority = SECURITY_RESTRICTED_CODE_RID;
217 SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 0);
218 *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
219 SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 1);
220 *SubAuthority = DOMAIN_ALIAS_RID_ADMINS;
221 SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 0);
222 *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
223 SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 1);
224 *SubAuthority = DOMAIN_ALIAS_RID_USERS;
225 SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 0);
226 *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
227 SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 1);
228 *SubAuthority = DOMAIN_ALIAS_RID_GUESTS;
229 SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 0);
230 *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
231 SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 1);
232 *SubAuthority = DOMAIN_ALIAS_RID_POWER_USERS;
233 SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 0);
234 *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
235 SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 1);
236 *SubAuthority = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
237 SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 0);
238 *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
239 SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 1);
240 *SubAuthority = DOMAIN_ALIAS_RID_SYSTEM_OPS;
241 SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 0);
242 *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
243 SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 1);
244 *SubAuthority = DOMAIN_ALIAS_RID_PRINT_OPS;
245 SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 0);
246 *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
247 SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 1);
248 *SubAuthority = DOMAIN_ALIAS_RID_BACKUP_OPS;
249 SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUsersSid, 0);
250 *SubAuthority = SECURITY_AUTHENTICATED_USER_RID;
251 SubAuthority = RtlSubAuthoritySid(SeRestrictedSid, 0);
252 *SubAuthority = SECURITY_RESTRICTED_CODE_RID;
253 SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, 0);
254 *SubAuthority = SECURITY_ANONYMOUS_LOGON_RID;
255
256 return TRUE;
257 }
258
259 NTSTATUS
260 NTAPI
261 SepCaptureSid(IN PSID InputSid,
262 IN KPROCESSOR_MODE AccessMode,
263 IN POOL_TYPE PoolType,
264 IN BOOLEAN CaptureIfKernel,
265 OUT PSID *CapturedSid)
266 {
267 ULONG SidSize = 0;
268 PISID NewSid, Sid = (PISID)InputSid;
269
270 PAGED_CODE();
271
272 if (AccessMode != KernelMode)
273 {
274 _SEH2_TRY
275 {
276 ProbeForRead(Sid, FIELD_OFFSET(SID, SubAuthority), sizeof(UCHAR));
277 SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
278 ProbeForRead(Sid, SidSize, sizeof(UCHAR));
279 }
280 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
281 {
282 /* Return the exception code */
283 _SEH2_YIELD(return _SEH2_GetExceptionCode());
284 }
285 _SEH2_END;
286
287 /* allocate a SID and copy it */
288 NewSid = ExAllocatePoolWithTag(PoolType, SidSize, TAG_SID);
289 if (!NewSid)
290 return STATUS_INSUFFICIENT_RESOURCES;
291
292 _SEH2_TRY
293 {
294 RtlCopyMemory(NewSid, Sid, SidSize);
295
296 *CapturedSid = NewSid;
297 }
298 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
299 {
300 /* Free the SID and return the exception code */
301 ExFreePoolWithTag(NewSid, TAG_SID);
302 _SEH2_YIELD(return _SEH2_GetExceptionCode());
303 }
304 _SEH2_END;
305 }
306 else if (!CaptureIfKernel)
307 {
308 *CapturedSid = InputSid;
309 }
310 else
311 {
312 SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
313
314 /* allocate a SID and copy it */
315 NewSid = ExAllocatePoolWithTag(PoolType, SidSize, TAG_SID);
316 if (NewSid == NULL)
317 return STATUS_INSUFFICIENT_RESOURCES;
318
319 RtlCopyMemory(NewSid, Sid, SidSize);
320
321 *CapturedSid = NewSid;
322 }
323
324 return STATUS_SUCCESS;
325 }
326
327 VOID
328 NTAPI
329 SepReleaseSid(IN PSID CapturedSid,
330 IN KPROCESSOR_MODE AccessMode,
331 IN BOOLEAN CaptureIfKernel)
332 {
333 PAGED_CODE();
334
335 if (CapturedSid != NULL &&
336 (AccessMode != KernelMode ||
337 (AccessMode == KernelMode && CaptureIfKernel)))
338 {
339 ExFreePoolWithTag(CapturedSid, TAG_SID);
340 }
341 }
342
343 /* EOF */