[NTOSKRNL][LSASRV]
[reactos.git] / reactos / ntoskrnl / include / internal / se.h
1 #pragma once
2
3 typedef struct _KNOWN_ACE
4 {
5 ACE_HEADER Header;
6 ACCESS_MASK Mask;
7 ULONG SidStart;
8 } KNOWN_ACE, *PKNOWN_ACE;
9
10 typedef struct _KNOWN_OBJECT_ACE
11 {
12 ACE_HEADER Header;
13 ACCESS_MASK Mask;
14 ULONG Flags;
15 ULONG SidStart;
16 } KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;
17
18 typedef struct _KNOWN_COMPOUND_ACE
19 {
20 ACE_HEADER Header;
21 ACCESS_MASK Mask;
22 USHORT CompoundAceType;
23 USHORT Reserved;
24 ULONG SidStart;
25 } KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;
26
27 FORCEINLINE
28 PSID
29 SepGetGroupFromDescriptor(PVOID _Descriptor)
30 {
31 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
32 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
33
34 if (Descriptor->Control & SE_SELF_RELATIVE)
35 {
36 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
37 if (!SdRel->Group) return NULL;
38 return (PSID)((ULONG_PTR)Descriptor + SdRel->Group);
39 }
40 else
41 {
42 return Descriptor->Group;
43 }
44 }
45
46 FORCEINLINE
47 PSID
48 SepGetOwnerFromDescriptor(PVOID _Descriptor)
49 {
50 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
51 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
52
53 if (Descriptor->Control & SE_SELF_RELATIVE)
54 {
55 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
56 if (!SdRel->Owner) return NULL;
57 return (PSID)((ULONG_PTR)Descriptor + SdRel->Owner);
58 }
59 else
60 {
61 return Descriptor->Owner;
62 }
63 }
64
65 FORCEINLINE
66 PACL
67 SepGetDaclFromDescriptor(PVOID _Descriptor)
68 {
69 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
70 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
71
72 if (!(Descriptor->Control & SE_DACL_PRESENT)) return NULL;
73
74 if (Descriptor->Control & SE_SELF_RELATIVE)
75 {
76 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
77 if (!SdRel->Dacl) return NULL;
78 return (PACL)((ULONG_PTR)Descriptor + SdRel->Dacl);
79 }
80 else
81 {
82 return Descriptor->Dacl;
83 }
84 }
85
86 FORCEINLINE
87 PACL
88 SepGetSaclFromDescriptor(PVOID _Descriptor)
89 {
90 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
91 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
92
93 if (!(Descriptor->Control & SE_SACL_PRESENT)) return NULL;
94
95 if (Descriptor->Control & SE_SELF_RELATIVE)
96 {
97 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
98 if (!SdRel->Sacl) return NULL;
99 return (PACL)((ULONG_PTR)Descriptor + SdRel->Sacl);
100 }
101 else
102 {
103 return Descriptor->Sacl;
104 }
105 }
106
107 #ifndef RTL_H
108
109 /* SID Authorities */
110 extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
111 extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
112 extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
113 extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
114 extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;
115
116 /* SIDs */
117 extern PSID SeNullSid;
118 extern PSID SeWorldSid;
119 extern PSID SeLocalSid;
120 extern PSID SeCreatorOwnerSid;
121 extern PSID SeCreatorGroupSid;
122 extern PSID SeCreatorOwnerServerSid;
123 extern PSID SeCreatorGroupServerSid;
124 extern PSID SeNtAuthoritySid;
125 extern PSID SeDialupSid;
126 extern PSID SeNetworkSid;
127 extern PSID SeBatchSid;
128 extern PSID SeInteractiveSid;
129 extern PSID SeServiceSid;
130 extern PSID SeAnonymousLogonSid;
131 extern PSID SePrincipalSelfSid;
132 extern PSID SeLocalSystemSid;
133 extern PSID SeAuthenticatedUserSid;
134 extern PSID SeRestrictedCodeSid;
135 extern PSID SeAliasAdminsSid;
136 extern PSID SeAliasUsersSid;
137 extern PSID SeAliasGuestsSid;
138 extern PSID SeAliasPowerUsersSid;
139 extern PSID SeAliasAccountOpsSid;
140 extern PSID SeAliasSystemOpsSid;
141 extern PSID SeAliasPrintOpsSid;
142 extern PSID SeAliasBackupOpsSid;
143 extern PSID SeAuthenticatedUsersSid;
144 extern PSID SeRestrictedSid;
145 extern PSID SeAnonymousLogonSid;
146 extern PSID SeLocalServiceSid;
147 extern PSID SeNetworkServiceSid;
148
149 /* Privileges */
150 extern const LUID SeCreateTokenPrivilege;
151 extern const LUID SeAssignPrimaryTokenPrivilege;
152 extern const LUID SeLockMemoryPrivilege;
153 extern const LUID SeIncreaseQuotaPrivilege;
154 extern const LUID SeUnsolicitedInputPrivilege;
155 extern const LUID SeTcbPrivilege;
156 extern const LUID SeSecurityPrivilege;
157 extern const LUID SeTakeOwnershipPrivilege;
158 extern const LUID SeLoadDriverPrivilege;
159 extern const LUID SeSystemProfilePrivilege;
160 extern const LUID SeSystemtimePrivilege;
161 extern const LUID SeProfileSingleProcessPrivilege;
162 extern const LUID SeIncreaseBasePriorityPrivilege;
163 extern const LUID SeCreatePagefilePrivilege;
164 extern const LUID SeCreatePermanentPrivilege;
165 extern const LUID SeBackupPrivilege;
166 extern const LUID SeRestorePrivilege;
167 extern const LUID SeShutdownPrivilege;
168 extern const LUID SeDebugPrivilege;
169 extern const LUID SeAuditPrivilege;
170 extern const LUID SeSystemEnvironmentPrivilege;
171 extern const LUID SeChangeNotifyPrivilege;
172 extern const LUID SeRemoteShutdownPrivilege;
173 extern const LUID SeUndockPrivilege;
174 extern const LUID SeSyncAgentPrivilege;
175 extern const LUID SeEnableDelegationPrivilege;
176 extern const LUID SeManageVolumePrivilege;
177 extern const LUID SeImpersonatePrivilege;
178 extern const LUID SeCreateGlobalPrivilege;
179 extern const LUID SeTrustedCredmanPrivilege;
180 extern const LUID SeRelabelPrivilege;
181 extern const LUID SeIncreaseWorkingSetPrivilege;
182 extern const LUID SeTimeZonePrivilege;
183 extern const LUID SeCreateSymbolicLinkPrivilege;
184
185 /* DACLs */
186 extern PACL SePublicDefaultUnrestrictedDacl;
187 extern PACL SePublicOpenDacl;
188 extern PACL SePublicOpenUnrestrictedDacl;
189 extern PACL SeUnrestrictedDacl;
190
191 /* SDs */
192 extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
193 extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
194 extern PSECURITY_DESCRIPTOR SePublicOpenSd;
195 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
196 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
197 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
198
199
200 #define SepAcquireTokenLockExclusive(Token) \
201 { \
202 KeEnterCriticalRegion(); \
203 ExAcquireResourceExclusive(((PTOKEN)Token)->TokenLock, TRUE); \
204 }
205 #define SepAcquireTokenLockShared(Token) \
206 { \
207 KeEnterCriticalRegion(); \
208 ExAcquireResourceShared(((PTOKEN)Token)->TokenLock, TRUE); \
209 }
210
211 #define SepReleaseTokenLock(Token) \
212 { \
213 ExReleaseResource(((PTOKEN)Token)->TokenLock); \
214 KeLeaveCriticalRegion(); \
215 }
216
217 //
218 // Token Functions
219 //
220 BOOLEAN
221 NTAPI
222 SepTokenIsOwner(
223 IN PACCESS_TOKEN _Token,
224 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
225 IN BOOLEAN TokenLocked
226 );
227
228 BOOLEAN
229 NTAPI
230 SepSidInToken(
231 IN PACCESS_TOKEN _Token,
232 IN PSID Sid
233 );
234
235 BOOLEAN
236 NTAPI
237 SepSidInTokenEx(
238 IN PACCESS_TOKEN _Token,
239 IN PSID PrincipalSelfSid,
240 IN PSID _Sid,
241 IN BOOLEAN Deny,
242 IN BOOLEAN Restricted
243 );
244
245 /* Functions */
246 BOOLEAN
247 NTAPI
248 SeInitSystem(VOID);
249
250 VOID
251 NTAPI
252 ExpInitLuid(VOID);
253
254 VOID
255 NTAPI
256 SepInitPrivileges(VOID);
257
258 BOOLEAN
259 NTAPI
260 SepInitSecurityIDs(VOID);
261
262 BOOLEAN
263 NTAPI
264 SepInitDACLs(VOID);
265
266 BOOLEAN
267 NTAPI
268 SepInitSDs(VOID);
269
270 BOOLEAN
271 NTAPI
272 SeRmInitPhase1(VOID);
273
274 VOID
275 NTAPI
276 SeDeassignPrimaryToken(struct _EPROCESS *Process);
277
278 NTSTATUS
279 NTAPI
280 SeSubProcessToken(
281 IN PTOKEN Parent,
282 OUT PTOKEN *Token,
283 IN BOOLEAN InUse,
284 IN ULONG SessionId
285 );
286
287 NTSTATUS
288 NTAPI
289 SeInitializeProcessAuditName(
290 IN PFILE_OBJECT FileObject,
291 IN BOOLEAN DoAudit,
292 OUT POBJECT_NAME_INFORMATION *AuditInfo
293 );
294
295 NTSTATUS
296 NTAPI
297 SeCreateAccessStateEx(
298 IN PETHREAD Thread,
299 IN PEPROCESS Process,
300 IN OUT PACCESS_STATE AccessState,
301 IN PAUX_ACCESS_DATA AuxData,
302 IN ACCESS_MASK Access,
303 IN PGENERIC_MAPPING GenericMapping
304 );
305
306 NTSTATUS
307 NTAPI
308 SeIsTokenChild(
309 IN PTOKEN Token,
310 OUT PBOOLEAN IsChild
311 );
312
313 NTSTATUS
314 NTAPI
315 SepCreateImpersonationTokenDacl(
316 PTOKEN Token,
317 PTOKEN PrimaryToken,
318 PACL *Dacl
319 );
320
321 VOID
322 NTAPI
323 SepInitializeTokenImplementation(VOID);
324
325 PTOKEN
326 NTAPI
327 SepCreateSystemProcessToken(VOID);
328
329 BOOLEAN
330 NTAPI
331 SeDetailedAuditingWithToken(IN PTOKEN Token);
332
333 VOID
334 NTAPI
335 SeAuditProcessExit(IN PEPROCESS Process);
336
337 VOID
338 NTAPI
339 SeAuditProcessCreate(IN PEPROCESS Process);
340
341 NTSTATUS
342 NTAPI
343 SeExchangePrimaryToken(
344 struct _EPROCESS* Process,
345 PACCESS_TOKEN NewToken,
346 PACCESS_TOKEN* OldTokenP
347 );
348
349 VOID
350 NTAPI
351 SeCaptureSubjectContextEx(
352 IN PETHREAD Thread,
353 IN PEPROCESS Process,
354 OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
355 );
356
357 NTSTATUS
358 NTAPI
359 SeCaptureLuidAndAttributesArray(
360 PLUID_AND_ATTRIBUTES Src,
361 ULONG PrivilegeCount,
362 KPROCESSOR_MODE PreviousMode,
363 PLUID_AND_ATTRIBUTES AllocatedMem,
364 ULONG AllocatedLength,
365 POOL_TYPE PoolType,
366 BOOLEAN CaptureIfKernel,
367 PLUID_AND_ATTRIBUTES* Dest,
368 PULONG Length
369 );
370
371 VOID
372 NTAPI
373 SeReleaseLuidAndAttributesArray(
374 PLUID_AND_ATTRIBUTES Privilege,
375 KPROCESSOR_MODE PreviousMode,
376 BOOLEAN CaptureIfKernel
377 );
378
379 BOOLEAN
380 NTAPI
381 SepPrivilegeCheck(
382 PTOKEN Token,
383 PLUID_AND_ATTRIBUTES Privileges,
384 ULONG PrivilegeCount,
385 ULONG PrivilegeControl,
386 KPROCESSOR_MODE PreviousMode
387 );
388
389 NTSTATUS
390 NTAPI
391 SePrivilegePolicyCheck(
392 _Inout_ PACCESS_MASK DesiredAccess,
393 _Inout_ PACCESS_MASK GrantedAccess,
394 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
395 _In_ PTOKEN Token,
396 _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
397 _In_ KPROCESSOR_MODE PreviousMode);
398
399 BOOLEAN
400 NTAPI
401 SeCheckPrivilegedObject(
402 IN LUID PrivilegeValue,
403 IN HANDLE ObjectHandle,
404 IN ACCESS_MASK DesiredAccess,
405 IN KPROCESSOR_MODE PreviousMode
406 );
407
408 NTSTATUS
409 NTAPI
410 SepDuplicateToken(
411 PTOKEN Token,
412 POBJECT_ATTRIBUTES ObjectAttributes,
413 BOOLEAN EffectiveOnly,
414 TOKEN_TYPE TokenType,
415 SECURITY_IMPERSONATION_LEVEL Level,
416 KPROCESSOR_MODE PreviousMode,
417 PTOKEN* NewAccessToken
418 );
419
420 NTSTATUS
421 NTAPI
422 SepCaptureSecurityQualityOfService(
423 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
424 IN KPROCESSOR_MODE AccessMode,
425 IN POOL_TYPE PoolType,
426 IN BOOLEAN CaptureIfKernel,
427 OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
428 OUT PBOOLEAN Present
429 );
430
431 VOID
432 NTAPI
433 SepReleaseSecurityQualityOfService(
434 IN PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService OPTIONAL,
435 IN KPROCESSOR_MODE AccessMode,
436 IN BOOLEAN CaptureIfKernel
437 );
438
439 NTSTATUS
440 NTAPI
441 SepCaptureSid(
442 IN PSID InputSid,
443 IN KPROCESSOR_MODE AccessMode,
444 IN POOL_TYPE PoolType,
445 IN BOOLEAN CaptureIfKernel,
446 OUT PSID *CapturedSid
447 );
448
449 VOID
450 NTAPI
451 SepReleaseSid(
452 IN PSID CapturedSid,
453 IN KPROCESSOR_MODE AccessMode,
454 IN BOOLEAN CaptureIfKernel
455 );
456
457 NTSTATUS
458 NTAPI
459 SeCaptureSidAndAttributesArray(
460 _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
461 _In_ ULONG AttributeCount,
462 _In_ KPROCESSOR_MODE PreviousMode,
463 _In_opt_ PVOID AllocatedMem,
464 _In_ ULONG AllocatedLength,
465 _In_ POOL_TYPE PoolType,
466 _In_ BOOLEAN CaptureIfKernel,
467 _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
468 _Out_ PULONG ResultLength);
469
470 VOID
471 NTAPI
472 SeReleaseSidAndAttributesArray(
473 _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
474 _In_ KPROCESSOR_MODE AccessMode,
475 _In_ BOOLEAN CaptureIfKernel);
476
477 NTSTATUS
478 NTAPI
479 SepCaptureAcl(
480 IN PACL InputAcl,
481 IN KPROCESSOR_MODE AccessMode,
482 IN POOL_TYPE PoolType,
483 IN BOOLEAN CaptureIfKernel,
484 OUT PACL *CapturedAcl
485 );
486
487 VOID
488 NTAPI
489 SepReleaseAcl(
490 IN PACL CapturedAcl,
491 IN KPROCESSOR_MODE AccessMode,
492 IN BOOLEAN CaptureIfKernel
493 );
494
495 NTSTATUS
496 SepPropagateAcl(
497 _Out_writes_bytes_opt_(DaclLength) PACL AclDest,
498 _Inout_ PULONG AclLength,
499 _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
500 _In_ PSID Owner,
501 _In_ PSID Group,
502 _In_ BOOLEAN IsInherited,
503 _In_ BOOLEAN IsDirectoryObject,
504 _In_ PGENERIC_MAPPING GenericMapping);
505
506 PACL
507 SepSelectAcl(
508 _In_opt_ PACL ExplicitAcl,
509 _In_ BOOLEAN ExplicitPresent,
510 _In_ BOOLEAN ExplicitDefaulted,
511 _In_opt_ PACL ParentAcl,
512 _In_opt_ PACL DefaultAcl,
513 _Out_ PULONG AclLength,
514 _In_ PSID Owner,
515 _In_ PSID Group,
516 _Out_ PBOOLEAN AclPresent,
517 _Out_ PBOOLEAN IsInherited,
518 _In_ BOOLEAN IsDirectoryObject,
519 _In_ PGENERIC_MAPPING GenericMapping);
520
521 NTSTATUS
522 NTAPI
523 SeDefaultObjectMethod(
524 PVOID Object,
525 SECURITY_OPERATION_CODE OperationType,
526 PSECURITY_INFORMATION SecurityInformation,
527 PSECURITY_DESCRIPTOR NewSecurityDescriptor,
528 PULONG ReturnLength,
529 PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
530 POOL_TYPE PoolType,
531 PGENERIC_MAPPING GenericMapping
532 );
533
534 NTSTATUS
535 NTAPI
536 SeSetWorldSecurityDescriptor(
537 SECURITY_INFORMATION SecurityInformation,
538 PISECURITY_DESCRIPTOR SecurityDescriptor,
539 PULONG BufferLength
540 );
541
542 NTSTATUS
543 NTAPI
544 SeCopyClientToken(
545 IN PACCESS_TOKEN Token,
546 IN SECURITY_IMPERSONATION_LEVEL Level,
547 IN KPROCESSOR_MODE PreviousMode,
548 OUT PACCESS_TOKEN* NewToken
549 );
550
551 VOID NTAPI
552 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
553 OUT PACCESS_MASK DesiredAccess);
554
555 VOID NTAPI
556 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
557 OUT PACCESS_MASK DesiredAccess);
558
559 BOOLEAN
560 NTAPI
561 SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
562 IN PACCESS_STATE AccessState,
563 IN ACCESS_MASK DesiredAccess,
564 IN KPROCESSOR_MODE AccessMode);
565
566 BOOLEAN
567 NTAPI
568 SeCheckAuditPrivilege(
569 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
570 _In_ KPROCESSOR_MODE PreviousMode);
571
572 VOID
573 NTAPI
574 SePrivilegedServiceAuditAlarm(
575 _In_opt_ PUNICODE_STRING ServiceName,
576 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
577 _In_ PPRIVILEGE_SET PrivilegeSet,
578 _In_ BOOLEAN AccessGranted);
579
580 #endif
581
582 /* EOF */