3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/acl.c
6 * PURPOSE: Security manager
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
11 /* INCLUDES *****************************************************************/
14 #include <internal/debug.h>
16 #if defined (ALLOC_PRAGMA)
17 #pragma alloc_text(INIT, SepInitDACLs)
21 /* GLOBALS ******************************************************************/
/*
 * Default DACL pointers owned by the security manager.
 * Every pointer starts out NULL; the initialisation code further down
 * in this file assigns each one a pool allocation.
 */
PACL SePublicDefaultDacl = NULL;
PACL SeSystemDefaultDacl = NULL;

PACL SePublicDefaultUnrestrictedDacl = NULL;
PACL SePublicOpenDacl = NULL;
PACL SePublicOpenUnrestrictedDacl = NULL;
PACL SeUnrestrictedDacl = NULL;
32 /* FUNCTIONS ****************************************************************/
/*
 * Body of the default-DACL initialisation routine (presumably SepInitDACLs,
 * the name passed to alloc_text(INIT, ...) earlier in this file; the
 * signature line is not part of this listing).
 *
 * Every section below follows the same visible pattern:
 *   1. AclLength = sizeof(ACL) plus one (sizeof(ACE) + RtlLengthSid(sid))
 *      term per entry the ACL is meant to hold;
 *   2. allocate the ACL from PagedPool with ExAllocatePoolWithTag;
 *   3. test the result against NULL;
 *   4. initialise it with RtlCreateAcl;
 *   5. add one access-allowed ACE per SID counted in step 1.
 *
 * NOTE(review): many argument lines are missing from this listing, so the
 * access mask and SID of most ACEs, and what the NULL branches do, cannot
 * be read from here - confirm against the full source before relying on
 * these defaults.
 * NOTE(review): each RtlCreateAcl / RtlAddAccessAllowedAce call begins its
 * statement, so the returned status does not appear to be checked; a failed
 * add would leave a DACL with fewer allow entries than intended - confirm.
 */
41 /* create PublicDefaultDacl */
/* Sized for two ACEs: SeWorldSid and SeLocalSystemSid. */
42 AclLength
= sizeof(ACL
) +
43 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
44 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
));
46 SePublicDefaultDacl
= ExAllocatePoolWithTag(PagedPool
,
49 if (SePublicDefaultDacl
== NULL
)
52 RtlCreateAcl(SePublicDefaultDacl
,
/* Two ACE additions, matching the two SID terms in AclLength. */
56 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
61 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
67 /* create PublicDefaultUnrestrictedDacl */
/* Sized for four ACEs: World, LocalSystem, Admins alias, RestrictedCode. */
68 AclLength
= sizeof(ACL
) +
69 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
70 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
71 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
72 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
74 SePublicDefaultUnrestrictedDacl
= ExAllocatePoolWithTag(PagedPool
,
77 if (SePublicDefaultUnrestrictedDacl
== NULL
)
80 RtlCreateAcl(SePublicDefaultUnrestrictedDacl
,
/* Four ACE additions; only the last one's mask and SID are visible. */
84 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
89 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
94 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
/* Restricted code is granted read, execute and READ_CONTROL only. */
99 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
101 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
102 SeRestrictedCodeSid
);
104 /* create PublicOpenDacl */
/* Sized for three ACEs: World, LocalSystem, Admins alias. */
105 AclLength
= sizeof(ACL
) +
106 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
107 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
108 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
110 SePublicOpenDacl
= ExAllocatePoolWithTag(PagedPool
,
113 if (SePublicOpenDacl
== NULL
)
116 RtlCreateAcl(SePublicOpenDacl
,
/*
 * First ACE grants read, write and execute. Its SID line is missing from
 * this listing (presumably SeWorldSid, the first term sized above) -
 * TODO confirm, since this is the broadest grant visible in this routine.
 */
120 RtlAddAccessAllowedAce(SePublicOpenDacl
,
122 GENERIC_READ
| GENERIC_WRITE
| GENERIC_EXECUTE
,
125 RtlAddAccessAllowedAce(SePublicOpenDacl
,
130 RtlAddAccessAllowedAce(SePublicOpenDacl
,
135 /* create PublicOpenUnrestrictedDacl */
/* Sized for four ACEs: World, LocalSystem, Admins alias, RestrictedCode. */
136 AclLength
= sizeof(ACL
) +
137 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
138 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
139 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
140 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
142 SePublicOpenUnrestrictedDacl
= ExAllocatePoolWithTag(PagedPool
,
145 if (SePublicOpenUnrestrictedDacl
== NULL
)
148 RtlCreateAcl(SePublicOpenUnrestrictedDacl
,
/* Four ACE additions; only the last one's mask and SID are visible. */
152 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
157 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
162 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
/* Restricted code is granted read and execute only. */
167 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
169 GENERIC_READ
| GENERIC_EXECUTE
,
170 SeRestrictedCodeSid
);
172 /* create SystemDefaultDacl */
/* Sized for two ACEs: LocalSystem and Admins alias (no World entry). */
173 AclLength
= sizeof(ACL
) +
174 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
175 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
177 SeSystemDefaultDacl
= ExAllocatePoolWithTag(PagedPool
,
180 if (SeSystemDefaultDacl
== NULL
)
183 RtlCreateAcl(SeSystemDefaultDacl
,
187 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
/*
 * Second ACE grants read, execute and READ_CONTROL; its SID line is not
 * visible (presumably SeAliasAdminsSid, the second term sized above) -
 * TODO confirm.
 */
192 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
194 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
197 /* create UnrestrictedDacl */
/* Sized for two ACEs: World and RestrictedCode. */
198 AclLength
= sizeof(ACL
) +
199 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
200 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
202 SeUnrestrictedDacl
= ExAllocatePoolWithTag(PagedPool
,
205 if (SeUnrestrictedDacl
== NULL
)
208 RtlCreateAcl(SeUnrestrictedDacl
,
212 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
/* Restricted code is granted read and execute only. */
217 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
219 GENERIC_READ
| GENERIC_EXECUTE
,
220 SeRestrictedCodeSid
);
/*
 * Builds a DACL for an impersonation token from Token and PrimaryToken.
 *
 * Visible behaviour: sizes an ACL for five access-allowed ACEs, allocates
 * it from PagedPool under TAG_ACL, initialises it with ACL_REVISION and
 * adds GENERIC_ALL entries.
 * Returns STATUS_INSUFFICIENT_RESOURCES when the allocation fails and
 * STATUS_SUCCESS otherwise.
 *
 * NOTE(review): the rest of the parameter list is missing from this
 * listing, and no visible line stores TokenDacl into an output or frees
 * it - confirm in the full source who ends up owning the allocation.
 */
226 SepCreateImpersonationTokenDacl(PTOKEN Token
,
/*
 * Sized for five ACEs: Admins alias, RestrictedCode, LocalSystem, and the
 * SID reached through UserAndGroups->Sid of each of the two tokens.
 * NOTE(review): no visible check that Token, PrimaryToken or their
 * UserAndGroups pointers are non-NULL before dereferencing - presumably
 * guaranteed by the caller; verify.
 */
235 AclLength
= sizeof(ACL
) +
236 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
237 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
)) +
238 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
239 (sizeof(ACE
) + RtlLengthSid(Token
->UserAndGroups
->Sid
)) +
240 (sizeof(ACE
) + RtlLengthSid(PrimaryToken
->UserAndGroups
->Sid
));
242 TokenDacl
= ExAllocatePoolWithTag(PagedPool
, AclLength
, TAG_ACL
);
243 if (TokenDacl
== NULL
)
245 return STATUS_INSUFFICIENT_RESOURCES
;
/* Results of RtlCreateAcl and the ACE additions below are not checked. */
248 RtlCreateAcl(TokenDacl
, AclLength
, ACL_REVISION
);
/* Full access for the SID taken from the impersonation token. */
249 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
250 Token
->UserAndGroups
->Sid
);
/* Full access for the SID taken from the primary token. */
251 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
252 PrimaryToken
->UserAndGroups
->Sid
);
/*
 * Two more GENERIC_ALL entries; their SID lines are missing from this
 * listing (presumably SeAliasAdminsSid and SeLocalSystemSid, which are
 * sized above) - TODO confirm.
 */
253 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
255 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
/*
 * RestrictedCode gets GENERIC_ALL when either token carries restricted
 * SIDs. Space for this ACE is always reserved in AclLength above.
 * NOTE(review): the lines around this condition are missing, so whether
 * it is compiled in cannot be told from here - confirm.
 */
260 if (Token
->RestrictedSids
!= NULL
|| PrimaryToken
->RestrictedSids
!= NULL
)
262 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
263 SeRestrictedCodeSid
);
267 return STATUS_SUCCESS
;
/*
 * Captures a caller-supplied ACL and hands the result back through
 * *CapturedAcl.
 *
 * InputAcl        - ACL to capture; caller memory when AccessMode is not
 *                   KernelMode.
 * AccessMode      - processor mode of the requester; selects the path.
 * PoolType        - pool used for the captured copy.
 * CaptureIfKernel - whether a kernel-mode ACL is copied or passed through.
 * CapturedAcl     - receives the copy, or InputAcl itself on the
 *                   pass-through path.
 *
 * Status starts as STATUS_SUCCESS and is replaced by an SEH exception code
 * or STATUS_INSUFFICIENT_RESOURCES on the failure paths visible below.
 * Three paths are visible: a probed copy for non-kernel callers, a
 * pass-through for kernel callers with CaptureIfKernel FALSE, and an
 * unprobed copy for kernel callers with CaptureIfKernel TRUE.
 *
 * NOTE(review): several argument and brace lines are missing from this
 * listing; statements about sizes below are hedged accordingly.
 */
272 SepCaptureAcl(IN PACL InputAcl
,
273 IN KPROCESSOR_MODE AccessMode
,
274 IN POOL_TYPE PoolType
,
275 IN BOOLEAN CaptureIfKernel
,
276 OUT PACL
*CapturedAcl
)
280 NTSTATUS Status
= STATUS_SUCCESS
;
/* Untrusted path: InputAcl points into caller memory. */
284 if(AccessMode
!= KernelMode
)
/* First probe, made before AclSize is read (length argument not visible). */
288 ProbeForRead(InputAcl
,
/*
 * AclSize is fetched from caller memory once into a local. Later sizing
 * should rely on this local rather than re-reading InputAcl->AclSize,
 * because caller memory can change between reads.
 * NOTE(review): no lower bound on AclSize (at least sizeof(ACL)) is
 * visible before it is used - confirm.
 */
291 AclSize
= InputAcl
->AclSize
;
/* Second probe, presumably over AclSize bytes - argument not visible. */
292 ProbeForRead(InputAcl
,
/* A fault while probing or reading becomes the returned status. */
298 Status
= _SEH_GetExceptionCode();
302 if(NT_SUCCESS(Status
))
/* Size argument not visible; presumably the AclSize captured above. */
304 NewAcl
= ExAllocatePool(PoolType
,
/*
 * Copy out of caller memory. The bytes copied here can differ from those
 * seen when AclSize was read, so the AclSize field inside NewAcl need not
 * match the local AclSize used for the allocation.
 * NOTE(review): no structural validation of the copy (for example
 * RtlValidAcl) is visible; code that walks the captured ACL should
 * validate it against the allocation size first.
 */
310 RtlCopyMemory(NewAcl
,
314 *CapturedAcl
= NewAcl
;
/*
 * A fault during the copy becomes the returned status.
 * NOTE(review): whether NewAcl is freed on this path is not visible in
 * this listing - confirm there is no pool leak.
 */
319 Status
= _SEH_GetExceptionCode();
/* Status set when NewAcl could not be allocated (branch lines missing). */
325 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/*
 * Kernel-mode caller that did not ask for a capture: the original pointer
 * is handed back unchanged, with no copy and no allocation.
 */
329 else if(!CaptureIfKernel
)
331 *CapturedAcl
= InputAcl
;
/*
 * Remaining statements: kernel-mode caller with CaptureIfKernel set.
 * AclSize is read directly, with no probe and no SEH status assignment
 * visible in this part, then the ACL is copied into a new allocation.
 */
335 AclSize
= InputAcl
->AclSize
;
337 NewAcl
= ExAllocatePool(PoolType
,
342 RtlCopyMemory(NewAcl
,
346 *CapturedAcl
= NewAcl
;
350 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/*
 * Releases an ACL previously obtained through SepCaptureAcl.
 *
 * CapturedAcl     - pointer returned by the capture; NULL is ignored.
 * AccessMode      - mode that was used for the capture.
 * CaptureIfKernel - flag that was used for the capture.
 *
 * The pool block is freed when the capture made a copy: for a non-kernel
 * AccessMode, or for KernelMode with CaptureIfKernel set. On the
 * KernelMode pass-through path nothing is freed, because CapturedAcl is
 * then the caller's own pointer.
 *
 * NOTE(review): callers must pass the same AccessMode and CaptureIfKernel
 * they gave to SepCaptureAcl; a mismatch would either free a pointer this
 * code did not allocate or leak the copy.
 */
359 SepReleaseAcl(IN PACL CapturedAcl
,
360 IN KPROCESSOR_MODE AccessMode
,
361 IN BOOLEAN CaptureIfKernel
)
/*
 * The inner "AccessMode == KernelMode" test is logically redundant after
 * the "AccessMode != KernelMode ||" term; it is kept as written.
 */
365 if(CapturedAcl
!= NULL
&&
366 (AccessMode
!= KernelMode
||
367 (AccessMode
== KernelMode
&& CaptureIfKernel
)))
369 ExFreePool(CapturedAcl
);