projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
- Implemented InterlockedBitTestAndReset, InterlockedBitTestAndSet, InterlockedExchan...
[reactos.git] / reactos / ntoskrnl / se / acl.c
1 /* $Id$
2 *
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/acl.c
6 * PURPOSE: Security manager
7 *
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
9 */
10
11 /* INCLUDES *****************************************************************/
12
13 #include <ntoskrnl.h>
14 #include <internal/debug.h>
15
16 #if defined (ALLOC_PRAGMA)
17 #pragma alloc_text(INIT, SepInitDACLs)
18 #endif
19
20
21 /* GLOBALS ******************************************************************/
22
23 PACL SePublicDefaultDacl = NULL;
24 PACL SeSystemDefaultDacl = NULL;
25
26 PACL SePublicDefaultUnrestrictedDacl = NULL;
27 PACL SePublicOpenDacl = NULL;
28 PACL SePublicOpenUnrestrictedDacl = NULL;
29 PACL SeUnrestrictedDacl = NULL;
30
31
32 /* FUNCTIONS ****************************************************************/
33
34 BOOLEAN
35 INIT_FUNCTION
36 NTAPI
37 SepInitDACLs(VOID)
38 {
39 ULONG AclLength;
40
41 /* create PublicDefaultDacl */
42 AclLength = sizeof(ACL) +
43 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
44 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
45
46 SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
47 AclLength,
48 TAG_ACL);
49 if (SePublicDefaultDacl == NULL)
50 return FALSE;
51
52 RtlCreateAcl(SePublicDefaultDacl,
53 AclLength,
54 ACL_REVISION);
55
56 RtlAddAccessAllowedAce(SePublicDefaultDacl,
57 ACL_REVISION,
58 GENERIC_EXECUTE,
59 SeWorldSid);
60
61 RtlAddAccessAllowedAce(SePublicDefaultDacl,
62 ACL_REVISION,
63 GENERIC_ALL,
64 SeLocalSystemSid);
65
66
67 /* create PublicDefaultUnrestrictedDacl */
68 AclLength = sizeof(ACL) +
69 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
70 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
71 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
72 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
73
74 SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
75 AclLength,
76 TAG_ACL);
77 if (SePublicDefaultUnrestrictedDacl == NULL)
78 return FALSE;
79
80 RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
81 AclLength,
82 ACL_REVISION);
83
84 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
85 ACL_REVISION,
86 GENERIC_EXECUTE,
87 SeWorldSid);
88
89 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
90 ACL_REVISION,
91 GENERIC_ALL,
92 SeLocalSystemSid);
93
94 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
95 ACL_REVISION,
96 GENERIC_ALL,
97 SeAliasAdminsSid);
98
99 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
100 ACL_REVISION,
101 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
102 SeRestrictedCodeSid);
103
104 /* create PublicOpenDacl */
105 AclLength = sizeof(ACL) +
106 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
107 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
108 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
109
110 SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool,
111 AclLength,
112 TAG_ACL);
113 if (SePublicOpenDacl == NULL)
114 return FALSE;
115
116 RtlCreateAcl(SePublicOpenDacl,
117 AclLength,
118 ACL_REVISION);
119
120 RtlAddAccessAllowedAce(SePublicOpenDacl,
121 ACL_REVISION,
122 GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
123 SeWorldSid);
124
125 RtlAddAccessAllowedAce(SePublicOpenDacl,
126 ACL_REVISION,
127 GENERIC_ALL,
128 SeLocalSystemSid);
129
130 RtlAddAccessAllowedAce(SePublicOpenDacl,
131 ACL_REVISION,
132 GENERIC_ALL,
133 SeAliasAdminsSid);
134
135 /* create PublicOpenUnrestrictedDacl */
136 AclLength = sizeof(ACL) +
137 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
138 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
139 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
140 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
141
142 SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
143 AclLength,
144 TAG_ACL);
145 if (SePublicOpenUnrestrictedDacl == NULL)
146 return FALSE;
147
148 RtlCreateAcl(SePublicOpenUnrestrictedDacl,
149 AclLength,
150 ACL_REVISION);
151
152 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
153 ACL_REVISION,
154 GENERIC_ALL,
155 SeWorldSid);
156
157 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
158 ACL_REVISION,
159 GENERIC_ALL,
160 SeLocalSystemSid);
161
162 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
163 ACL_REVISION,
164 GENERIC_ALL,
165 SeAliasAdminsSid);
166
167 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
168 ACL_REVISION,
169 GENERIC_READ | GENERIC_EXECUTE,
170 SeRestrictedCodeSid);
171
172 /* create SystemDefaultDacl */
173 AclLength = sizeof(ACL) +
174 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
175 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
176
177 SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool,
178 AclLength,
179 TAG_ACL);
180 if (SeSystemDefaultDacl == NULL)
181 return FALSE;
182
183 RtlCreateAcl(SeSystemDefaultDacl,
184 AclLength,
185 ACL_REVISION);
186
187 RtlAddAccessAllowedAce(SeSystemDefaultDacl,
188 ACL_REVISION,
189 GENERIC_ALL,
190 SeLocalSystemSid);
191
192 RtlAddAccessAllowedAce(SeSystemDefaultDacl,
193 ACL_REVISION,
194 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
195 SeAliasAdminsSid);
196
197 /* create UnrestrictedDacl */
198 AclLength = sizeof(ACL) +
199 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
200 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
201
202 SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
203 AclLength,
204 TAG_ACL);
205 if (SeUnrestrictedDacl == NULL)
206 return FALSE;
207
208 RtlCreateAcl(SeUnrestrictedDacl,
209 AclLength,
210 ACL_REVISION);
211
212 RtlAddAccessAllowedAce(SeUnrestrictedDacl,
213 ACL_REVISION,
214 GENERIC_ALL,
215 SeWorldSid);
216
217 RtlAddAccessAllowedAce(SeUnrestrictedDacl,
218 ACL_REVISION,
219 GENERIC_READ | GENERIC_EXECUTE,
220 SeRestrictedCodeSid);
221
222 return(TRUE);
223 }
224
225 NTSTATUS STDCALL
226 SepCreateImpersonationTokenDacl(PTOKEN Token,
227 PTOKEN PrimaryToken,
228 PACL *Dacl)
229 {
230 ULONG AclLength;
231 PVOID TokenDacl;
232
233 PAGED_CODE();
234
235 AclLength = sizeof(ACL) +
236 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
237 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
238 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
239 (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
240 (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
241
242 TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
243 if (TokenDacl == NULL)
244 {
245 return STATUS_INSUFFICIENT_RESOURCES;
246 }
247
248 RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
249 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
250 Token->UserAndGroups->Sid);
251 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
252 PrimaryToken->UserAndGroups->Sid);
253 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
254 SeAliasAdminsSid);
255 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
256 SeLocalSystemSid);
257
258 /* FIXME */
259 #if 0
260 if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
261 {
262 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
263 SeRestrictedCodeSid);
264 }
265 #endif
266
267 return STATUS_SUCCESS;
268 }
269
270 NTSTATUS
271 NTAPI
272 SepCaptureAcl(IN PACL InputAcl,
273 IN KPROCESSOR_MODE AccessMode,
274 IN POOL_TYPE PoolType,
275 IN BOOLEAN CaptureIfKernel,
276 OUT PACL *CapturedAcl)
277 {
278 PACL NewAcl;
279 ULONG AclSize = 0;
280 NTSTATUS Status = STATUS_SUCCESS;
281
282 PAGED_CODE();
283
284 if(AccessMode != KernelMode)
285 {
286 _SEH_TRY
287 {
288 ProbeForRead(InputAcl,
289 sizeof(ACL),
290 sizeof(ULONG));
291 AclSize = InputAcl->AclSize;
292 ProbeForRead(InputAcl,
293 AclSize,
294 sizeof(ULONG));
295 }
296 _SEH_HANDLE
297 {
298 Status = _SEH_GetExceptionCode();
299 }
300 _SEH_END;
301
302 if(NT_SUCCESS(Status))
303 {
304 NewAcl = ExAllocatePool(PoolType,
305 AclSize);
306 if(NewAcl != NULL)
307 {
308 _SEH_TRY
309 {
310 RtlCopyMemory(NewAcl,
311 InputAcl,
312 AclSize);
313
314 *CapturedAcl = NewAcl;
315 }
316 _SEH_HANDLE
317 {
318 ExFreePool(NewAcl);
319 Status = _SEH_GetExceptionCode();
320 }
321 _SEH_END;
322 }
323 else
324 {
325 Status = STATUS_INSUFFICIENT_RESOURCES;
326 }
327 }
328 }
329 else if(!CaptureIfKernel)
330 {
331 *CapturedAcl = InputAcl;
332 }
333 else
334 {
335 AclSize = InputAcl->AclSize;
336
337 NewAcl = ExAllocatePool(PoolType,
338 AclSize);
339
340 if(NewAcl != NULL)
341 {
342 RtlCopyMemory(NewAcl,
343 InputAcl,
344 AclSize);
345
346 *CapturedAcl = NewAcl;
347 }
348 else
349 {
350 Status = STATUS_INSUFFICIENT_RESOURCES;
351 }
352 }
353
354 return Status;
355 }
356
357 VOID
358 NTAPI
359 SepReleaseAcl(IN PACL CapturedAcl,
360 IN KPROCESSOR_MODE AccessMode,
361 IN BOOLEAN CaptureIfKernel)
362 {
363 PAGED_CODE();
364
365 if(CapturedAcl != NULL &&
366 (AccessMode != KernelMode ||
367 (AccessMode == KernelMode && CaptureIfKernel)))
368 {
369 ExFreePool(CapturedAcl);
370 }
371 }
372
373 /* EOF */
A free Windows-compatible Operating System