projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
[NTOSKRNL]
[reactos.git] / reactos / ntoskrnl / include / internal / se.h
1 #pragma once
2
3 typedef struct _KNOWN_ACE
4 {
5 ACE_HEADER Header;
6 ACCESS_MASK Mask;
7 ULONG SidStart;
8 } KNOWN_ACE, *PKNOWN_ACE;
9
10 typedef struct _KNOWN_OBJECT_ACE
11 {
12 ACE_HEADER Header;
13 ACCESS_MASK Mask;
14 ULONG Flags;
15 ULONG SidStart;
16 } KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;
17
18 typedef struct _KNOWN_COMPOUND_ACE
19 {
20 ACE_HEADER Header;
21 ACCESS_MASK Mask;
22 USHORT CompoundAceType;
23 USHORT Reserved;
24 ULONG SidStart;
25 } KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;
26
27 FORCEINLINE
28 PSID
29 SepGetGroupFromDescriptor(PVOID _Descriptor)
30 {
31 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
32 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
33
34 if (Descriptor->Control & SE_SELF_RELATIVE)
35 {
36 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
37 if (!SdRel->Group) return NULL;
38 return (PSID)((ULONG_PTR)Descriptor + SdRel->Group);
39 }
40 else
41 {
42 return Descriptor->Group;
43 }
44 }
45
46 FORCEINLINE
47 PSID
48 SepGetOwnerFromDescriptor(PVOID _Descriptor)
49 {
50 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
51 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
52
53 if (Descriptor->Control & SE_SELF_RELATIVE)
54 {
55 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
56 if (!SdRel->Owner) return NULL;
57 return (PSID)((ULONG_PTR)Descriptor + SdRel->Owner);
58 }
59 else
60 {
61 return Descriptor->Owner;
62 }
63 }
64
65 FORCEINLINE
66 PACL
67 SepGetDaclFromDescriptor(PVOID _Descriptor)
68 {
69 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
70 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
71
72 if (!(Descriptor->Control & SE_DACL_PRESENT)) return NULL;
73
74 if (Descriptor->Control & SE_SELF_RELATIVE)
75 {
76 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
77 if (!SdRel->Dacl) return NULL;
78 return (PACL)((ULONG_PTR)Descriptor + SdRel->Dacl);
79 }
80 else
81 {
82 return Descriptor->Dacl;
83 }
84 }
85
86 FORCEINLINE
87 PACL
88 SepGetSaclFromDescriptor(PVOID _Descriptor)
89 {
90 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
91 PISECURITY_DESCRIPTOR_RELATIVE SdRel;
92
93 if (!(Descriptor->Control & SE_SACL_PRESENT)) return NULL;
94
95 if (Descriptor->Control & SE_SELF_RELATIVE)
96 {
97 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
98 if (!SdRel->Sacl) return NULL;
99 return (PACL)((ULONG_PTR)Descriptor + SdRel->Sacl);
100 }
101 else
102 {
103 return Descriptor->Sacl;
104 }
105 }
106
107 #ifndef RTL_H
108
109 /* SID Authorities */
110 extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
111 extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
112 extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
113 extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
114 extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;
115
116 /* SIDs */
117 extern PSID SeNullSid;
118 extern PSID SeWorldSid;
119 extern PSID SeLocalSid;
120 extern PSID SeCreatorOwnerSid;
121 extern PSID SeCreatorGroupSid;
122 extern PSID SeCreatorOwnerServerSid;
123 extern PSID SeCreatorGroupServerSid;
124 extern PSID SeNtAuthoritySid;
125 extern PSID SeDialupSid;
126 extern PSID SeNetworkSid;
127 extern PSID SeBatchSid;
128 extern PSID SeInteractiveSid;
129 extern PSID SeServiceSid;
130 extern PSID SeAnonymousLogonSid;
131 extern PSID SePrincipalSelfSid;
132 extern PSID SeLocalSystemSid;
133 extern PSID SeAuthenticatedUserSid;
134 extern PSID SeRestrictedCodeSid;
135 extern PSID SeAliasAdminsSid;
136 extern PSID SeAliasUsersSid;
137 extern PSID SeAliasGuestsSid;
138 extern PSID SeAliasPowerUsersSid;
139 extern PSID SeAliasAccountOpsSid;
140 extern PSID SeAliasSystemOpsSid;
141 extern PSID SeAliasPrintOpsSid;
142 extern PSID SeAliasBackupOpsSid;
143 extern PSID SeAuthenticatedUsersSid;
144 extern PSID SeRestrictedSid;
145 extern PSID SeAnonymousLogonSid;
146
147 /* Privileges */
148 extern const LUID SeCreateTokenPrivilege;
149 extern const LUID SeAssignPrimaryTokenPrivilege;
150 extern const LUID SeLockMemoryPrivilege;
151 extern const LUID SeIncreaseQuotaPrivilege;
152 extern const LUID SeUnsolicitedInputPrivilege;
153 extern const LUID SeTcbPrivilege;
154 extern const LUID SeSecurityPrivilege;
155 extern const LUID SeTakeOwnershipPrivilege;
156 extern const LUID SeLoadDriverPrivilege;
157 extern const LUID SeSystemProfilePrivilege;
158 extern const LUID SeSystemtimePrivilege;
159 extern const LUID SeProfileSingleProcessPrivilege;
160 extern const LUID SeIncreaseBasePriorityPrivilege;
161 extern const LUID SeCreatePagefilePrivilege;
162 extern const LUID SeCreatePermanentPrivilege;
163 extern const LUID SeBackupPrivilege;
164 extern const LUID SeRestorePrivilege;
165 extern const LUID SeShutdownPrivilege;
166 extern const LUID SeDebugPrivilege;
167 extern const LUID SeAuditPrivilege;
168 extern const LUID SeSystemEnvironmentPrivilege;
169 extern const LUID SeChangeNotifyPrivilege;
170 extern const LUID SeRemoteShutdownPrivilege;
171 extern const LUID SeUndockPrivilege;
172 extern const LUID SeSyncAgentPrivilege;
173 extern const LUID SeEnableDelegationPrivilege;
174 extern const LUID SeManageVolumePrivilege;
175 extern const LUID SeImpersonatePrivilege;
176 extern const LUID SeCreateGlobalPrivilege;
177 extern const LUID SeTrustedCredmanPrivilege;
178 extern const LUID SeRelabelPrivilege;
179 extern const LUID SeIncreaseWorkingSetPrivilege;
180 extern const LUID SeTimeZonePrivilege;
181 extern const LUID SeCreateSymbolicLinkPrivilege;
182
183 /* DACLs */
184 extern PACL SePublicDefaultUnrestrictedDacl;
185 extern PACL SePublicOpenDacl;
186 extern PACL SePublicOpenUnrestrictedDacl;
187 extern PACL SeUnrestrictedDacl;
188
189 /* SDs */
190 extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
191 extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
192 extern PSECURITY_DESCRIPTOR SePublicOpenSd;
193 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
194 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
195 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
196
197
198 #define SepAcquireTokenLockExclusive(Token) \
199 { \
200 KeEnterCriticalRegion(); \
201 ExAcquireResourceExclusive(((PTOKEN)Token)->TokenLock, TRUE); \
202 }
203 #define SepAcquireTokenLockShared(Token) \
204 { \
205 KeEnterCriticalRegion(); \
206 ExAcquireResourceShared(((PTOKEN)Token)->TokenLock, TRUE); \
207 }
208
209 #define SepReleaseTokenLock(Token) \
210 { \
211 ExReleaseResource(((PTOKEN)Token)->TokenLock); \
212 KeLeaveCriticalRegion(); \
213 }
214
215 //
216 // Token Functions
217 //
218 BOOLEAN
219 NTAPI
220 SepTokenIsOwner(
221 IN PACCESS_TOKEN _Token,
222 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
223 IN BOOLEAN TokenLocked
224 );
225
226 BOOLEAN
227 NTAPI
228 SepSidInToken(
229 IN PACCESS_TOKEN _Token,
230 IN PSID Sid
231 );
232
233 BOOLEAN
234 NTAPI
235 SepSidInTokenEx(
236 IN PACCESS_TOKEN _Token,
237 IN PSID PrincipalSelfSid,
238 IN PSID _Sid,
239 IN BOOLEAN Deny,
240 IN BOOLEAN Restricted
241 );
242
243 /* Functions */
244 BOOLEAN
245 NTAPI
246 SeInitSystem(VOID);
247
248 VOID
249 NTAPI
250 ExpInitLuid(VOID);
251
252 VOID
253 NTAPI
254 SepInitPrivileges(VOID);
255
256 BOOLEAN
257 NTAPI
258 SepInitSecurityIDs(VOID);
259
260 BOOLEAN
261 NTAPI
262 SepInitDACLs(VOID);
263
264 BOOLEAN
265 NTAPI
266 SepInitSDs(VOID);
267
268 VOID
269 NTAPI
270 SeDeassignPrimaryToken(struct _EPROCESS *Process);
271
272 NTSTATUS
273 NTAPI
274 SeSubProcessToken(
275 IN PTOKEN Parent,
276 OUT PTOKEN *Token,
277 IN BOOLEAN InUse,
278 IN ULONG SessionId
279 );
280
281 NTSTATUS
282 NTAPI
283 SeInitializeProcessAuditName(
284 IN PFILE_OBJECT FileObject,
285 IN BOOLEAN DoAudit,
286 OUT POBJECT_NAME_INFORMATION *AuditInfo
287 );
288
289 NTSTATUS
290 NTAPI
291 SeCreateAccessStateEx(
292 IN PETHREAD Thread,
293 IN PEPROCESS Process,
294 IN OUT PACCESS_STATE AccessState,
295 IN PAUX_ACCESS_DATA AuxData,
296 IN ACCESS_MASK Access,
297 IN PGENERIC_MAPPING GenericMapping
298 );
299
300 NTSTATUS
301 NTAPI
302 SeIsTokenChild(
303 IN PTOKEN Token,
304 OUT PBOOLEAN IsChild
305 );
306
307 NTSTATUS
308 NTAPI
309 SepCreateImpersonationTokenDacl(
310 PTOKEN Token,
311 PTOKEN PrimaryToken,
312 PACL *Dacl
313 );
314
315 VOID
316 NTAPI
317 SepInitializeTokenImplementation(VOID);
318
319 PTOKEN
320 NTAPI
321 SepCreateSystemProcessToken(VOID);
322
323 BOOLEAN
324 NTAPI
325 SeDetailedAuditingWithToken(IN PTOKEN Token);
326
327 VOID
328 NTAPI
329 SeAuditProcessExit(IN PEPROCESS Process);
330
331 VOID
332 NTAPI
333 SeAuditProcessCreate(IN PEPROCESS Process);
334
335 NTSTATUS
336 NTAPI
337 SeExchangePrimaryToken(
338 struct _EPROCESS* Process,
339 PACCESS_TOKEN NewToken,
340 PACCESS_TOKEN* OldTokenP
341 );
342
343 VOID
344 NTAPI
345 SeCaptureSubjectContextEx(
346 IN PETHREAD Thread,
347 IN PEPROCESS Process,
348 OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
349 );
350
351 NTSTATUS
352 NTAPI
353 SeCaptureLuidAndAttributesArray(
354 PLUID_AND_ATTRIBUTES Src,
355 ULONG PrivilegeCount,
356 KPROCESSOR_MODE PreviousMode,
357 PLUID_AND_ATTRIBUTES AllocatedMem,
358 ULONG AllocatedLength,
359 POOL_TYPE PoolType,
360 BOOLEAN CaptureIfKernel,
361 PLUID_AND_ATTRIBUTES* Dest,
362 PULONG Length
363 );
364
365 VOID
366 NTAPI
367 SeReleaseLuidAndAttributesArray(
368 PLUID_AND_ATTRIBUTES Privilege,
369 KPROCESSOR_MODE PreviousMode,
370 BOOLEAN CaptureIfKernel
371 );
372
373 BOOLEAN
374 NTAPI
375 SepPrivilegeCheck(
376 PTOKEN Token,
377 PLUID_AND_ATTRIBUTES Privileges,
378 ULONG PrivilegeCount,
379 ULONG PrivilegeControl,
380 KPROCESSOR_MODE PreviousMode
381 );
382
383 NTSTATUS
384 NTAPI
385 SePrivilegePolicyCheck(
386 _Inout_ PACCESS_MASK DesiredAccess,
387 _Inout_ PACCESS_MASK GrantedAccess,
388 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
389 _In_ PTOKEN Token,
390 _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
391 _In_ KPROCESSOR_MODE PreviousMode);
392
393 BOOLEAN
394 NTAPI
395 SeCheckPrivilegedObject(
396 IN LUID PrivilegeValue,
397 IN HANDLE ObjectHandle,
398 IN ACCESS_MASK DesiredAccess,
399 IN KPROCESSOR_MODE PreviousMode
400 );
401
402 NTSTATUS
403 NTAPI
404 SepDuplicateToken(
405 PTOKEN Token,
406 POBJECT_ATTRIBUTES ObjectAttributes,
407 BOOLEAN EffectiveOnly,
408 TOKEN_TYPE TokenType,
409 SECURITY_IMPERSONATION_LEVEL Level,
410 KPROCESSOR_MODE PreviousMode,
411 PTOKEN* NewAccessToken
412 );
413
414 NTSTATUS
415 NTAPI
416 SepCaptureSecurityQualityOfService(
417 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
418 IN KPROCESSOR_MODE AccessMode,
419 IN POOL_TYPE PoolType,
420 IN BOOLEAN CaptureIfKernel,
421 OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
422 OUT PBOOLEAN Present
423 );
424
425 VOID
426 NTAPI
427 SepReleaseSecurityQualityOfService(
428 IN PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService OPTIONAL,
429 IN KPROCESSOR_MODE AccessMode,
430 IN BOOLEAN CaptureIfKernel
431 );
432
433 NTSTATUS
434 NTAPI
435 SepCaptureSid(
436 IN PSID InputSid,
437 IN KPROCESSOR_MODE AccessMode,
438 IN POOL_TYPE PoolType,
439 IN BOOLEAN CaptureIfKernel,
440 OUT PSID *CapturedSid
441 );
442
443 VOID
444 NTAPI
445 SepReleaseSid(
446 IN PSID CapturedSid,
447 IN KPROCESSOR_MODE AccessMode,
448 IN BOOLEAN CaptureIfKernel
449 );
450
451 NTSTATUS
452 NTAPI
453 SeCaptureSidAndAttributesArray(
454 _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
455 _In_ ULONG AttributeCount,
456 _In_ KPROCESSOR_MODE PreviousMode,
457 _In_opt_ PVOID AllocatedMem,
458 _In_ ULONG AllocatedLength,
459 _In_ POOL_TYPE PoolType,
460 _In_ BOOLEAN CaptureIfKernel,
461 _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
462 _Out_ PULONG ResultLength);
463
464 VOID
465 NTAPI
466 SeReleaseSidAndAttributesArray(
467 _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
468 _In_ KPROCESSOR_MODE AccessMode,
469 _In_ BOOLEAN CaptureIfKernel);
470
471 NTSTATUS
472 NTAPI
473 SepCaptureAcl(
474 IN PACL InputAcl,
475 IN KPROCESSOR_MODE AccessMode,
476 IN POOL_TYPE PoolType,
477 IN BOOLEAN CaptureIfKernel,
478 OUT PACL *CapturedAcl
479 );
480
481 VOID
482 NTAPI
483 SepReleaseAcl(
484 IN PACL CapturedAcl,
485 IN KPROCESSOR_MODE AccessMode,
486 IN BOOLEAN CaptureIfKernel
487 );
488
489 NTSTATUS
490 NTAPI
491 SeDefaultObjectMethod(
492 PVOID Object,
493 SECURITY_OPERATION_CODE OperationType,
494 PSECURITY_INFORMATION SecurityInformation,
495 PSECURITY_DESCRIPTOR NewSecurityDescriptor,
496 PULONG ReturnLength,
497 PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
498 POOL_TYPE PoolType,
499 PGENERIC_MAPPING GenericMapping
500 );
501
502 NTSTATUS
503 NTAPI
504 SeSetWorldSecurityDescriptor(
505 SECURITY_INFORMATION SecurityInformation,
506 PISECURITY_DESCRIPTOR SecurityDescriptor,
507 PULONG BufferLength
508 );
509
510 NTSTATUS
511 NTAPI
512 SeCopyClientToken(
513 IN PACCESS_TOKEN Token,
514 IN SECURITY_IMPERSONATION_LEVEL Level,
515 IN KPROCESSOR_MODE PreviousMode,
516 OUT PACCESS_TOKEN* NewToken
517 );
518
519 VOID NTAPI
520 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
521 OUT PACCESS_MASK DesiredAccess);
522
523 VOID NTAPI
524 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
525 OUT PACCESS_MASK DesiredAccess);
526
527 BOOLEAN
528 NTAPI
529 SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
530 IN PACCESS_STATE AccessState,
531 IN ACCESS_MASK DesiredAccess,
532 IN KPROCESSOR_MODE AccessMode);
533
534 #endif
535
536 /* EOF */
A free Windows-compatible Operating System