2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/acl.c
5 * PURPOSE: Security manager
7 * PROGRAMMERS: David Welch <welch@cwcom.net>
10 /* INCLUDES *******************************************************************/
16 #if defined (ALLOC_PRAGMA)
17 #pragma alloc_text(INIT, SepInitDACLs)
20 /* GLOBALS ********************************************************************/
/*
 * Default DACLs kept by the security manager. Every pointer starts as NULL
 * and is assigned a paged-pool allocation by the initialization code further
 * down in this file, so a reader that runs before that code sees NULL.
 *
 * NOTE(review): these are plain writable globals; nothing visible in this
 * listing prevents them from being modified after initialization - confirm
 * that every user treats them as read-only once they are built.
 */
22 PACL SePublicDefaultDacl
= NULL
;
23 PACL SeSystemDefaultDacl
= NULL
;
24 PACL SePublicDefaultUnrestrictedDacl
= NULL
;
25 PACL SePublicOpenDacl
= NULL
;
26 PACL SePublicOpenUnrestrictedDacl
= NULL
;
27 PACL SeUnrestrictedDacl
= NULL
;
29 /* FUNCTIONS ******************************************************************/
38 /* create PublicDefaultDacl */
/*
 * Buffer size: one ACL header plus room for two ACEs, one for SeWorldSid and
 * one for SeLocalSystemSid. Each ACE is budgeted as sizeof(ACE) plus the
 * length of its SID.
 */
39 AclLength
= sizeof(ACL
) +
40 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
41 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
));
/* Paged-pool allocation; the size and tag arguments are cut off in this listing. */
43 SePublicDefaultDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation-failure check; what the branch does is not visible here. */
46 if (SePublicDefaultDacl
== NULL
)
/*
 * NOTE(review): RtlCreateAcl and RtlAddAccessAllowedAce return an NTSTATUS,
 * and the calls below appear to be bare statements. If one of them failed,
 * this default DACL would silently end up with fewer ACEs than intended -
 * consider checking or asserting the status. The access masks and SIDs of the
 * two ACEs are not visible in this listing.
 */
49 RtlCreateAcl(SePublicDefaultDacl
,
53 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
58 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
64 /* create PublicDefaultUnrestrictedDacl */
/*
 * Buffer size: ACL header plus four ACEs, for SeWorldSid, SeLocalSystemSid,
 * SeAliasAdminsSid and SeRestrictedCodeSid.
 */
65 AclLength
= sizeof(ACL
) +
66 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
67 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
68 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
69 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
/* Paged-pool allocation; size and tag arguments are cut off in this listing. */
71 SePublicDefaultUnrestrictedDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation-failure check; the branch body is not visible here. */
74 if (SePublicDefaultUnrestrictedDacl
== NULL
)
/* Initialize the empty ACL, then append four access-allowed ACEs. */
77 RtlCreateAcl(SePublicDefaultUnrestrictedDacl
,
81 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
86 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
91 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
/*
 * Only this fourth ACE shows its access mask: read, execute and READ_CONTROL.
 * Its SID argument is cut off; going by the sizing order above it is
 * presumably SeRestrictedCodeSid - confirm against the full source.
 */
96 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
98 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
101 /* create PublicOpenDacl */
/*
 * Buffer size: ACL header plus three ACEs, for SeWorldSid, SeLocalSystemSid
 * and SeAliasAdminsSid.
 */
102 AclLength
= sizeof(ACL
) +
103 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
104 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
105 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
/* Paged-pool allocation; size and tag arguments are cut off in this listing. */
107 SePublicOpenDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation-failure check; the branch body is not visible here. */
110 if (SePublicOpenDacl
== NULL
)
113 RtlCreateAcl(SePublicOpenDacl
,
/*
 * The first ACE grants read, write and execute. Its SID argument is cut off;
 * by the sizing order above it is presumably SeWorldSid, which would make
 * objects that adopt this DACL writable by everyone - confirm, and make sure
 * callers choose this DACL deliberately. The masks of the two ACEs that
 * follow are not visible in this listing.
 */
117 RtlAddAccessAllowedAce(SePublicOpenDacl
,
119 GENERIC_READ
| GENERIC_WRITE
| GENERIC_EXECUTE
,
122 RtlAddAccessAllowedAce(SePublicOpenDacl
,
127 RtlAddAccessAllowedAce(SePublicOpenDacl
,
132 /* create PublicOpenUnrestrictedDacl */
/*
 * Buffer size: ACL header plus four ACEs, for SeWorldSid, SeLocalSystemSid,
 * SeAliasAdminsSid and SeRestrictedCodeSid.
 */
133 AclLength
= sizeof(ACL
) +
134 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
135 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
136 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
137 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
/* Paged-pool allocation; size and tag arguments are cut off in this listing. */
139 SePublicOpenUnrestrictedDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation-failure check; the branch body is not visible here. */
142 if (SePublicOpenUnrestrictedDacl
== NULL
)
/*
 * Initialize the ACL and append four access-allowed ACEs. The arguments of
 * the first three are cut off in this listing.
 */
145 RtlCreateAcl(SePublicOpenUnrestrictedDacl
,
149 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
154 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
159 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
/*
 * Restricted code gets read and execute only; this ACE carries no
 * GENERIC_WRITE.
 */
164 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
166 GENERIC_READ
| GENERIC_EXECUTE
,
167 SeRestrictedCodeSid
);
169 /* create SystemDefaultDacl */
/*
 * Buffer size: ACL header plus two ACEs, for SeLocalSystemSid and
 * SeAliasAdminsSid. No room is budgeted for SeWorldSid, so this DACL cannot
 * hold an ACE for everyone.
 */
170 AclLength
= sizeof(ACL
) +
171 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
172 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
/* Paged-pool allocation; size and tag arguments are cut off in this listing. */
174 SeSystemDefaultDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation-failure check; the branch body is not visible here. */
177 if (SeSystemDefaultDacl
== NULL
)
180 RtlCreateAcl(SeSystemDefaultDacl
,
/* First ACE: mask and SID are cut off in this listing. */
184 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
/*
 * Second ACE: read, execute and READ_CONTROL. The SID argument is cut off;
 * by the sizing order above it is presumably SeAliasAdminsSid - confirm.
 */
189 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
191 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
194 /* create UnrestrictedDacl */
/*
 * Buffer size: ACL header plus two ACEs, for SeWorldSid and
 * SeRestrictedCodeSid.
 */
195 AclLength
= sizeof(ACL
) +
196 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
197 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
/* Paged-pool allocation; size and tag arguments are cut off in this listing. */
199 SeUnrestrictedDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation-failure check; the branch body is not visible here. */
202 if (SeUnrestrictedDacl
== NULL
)
205 RtlCreateAcl(SeUnrestrictedDacl
,
/*
 * First ACE: mask and SID are cut off in this listing (presumably the
 * SeWorldSid entry - confirm which rights it grants).
 */
209 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
/* Second ACE: restricted code is limited to read and execute. */
214 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
216 GENERIC_READ
| GENERIC_EXECUTE
,
217 SeRestrictedCodeSid
);
/*
 * SepCreateImpersonationTokenDacl - build a DACL for an impersonation token.
 *
 * The DACL grants GENERIC_ALL to the first UserAndGroups SID of Token and of
 * PrimaryToken, to two further SIDs whose arguments are cut off in this
 * listing, and - only when either token carries restricted SIDs - to
 * SeRestrictedCodeSid.
 *
 * Only the Token parameter is visible in the signature; PrimaryToken is used
 * in the body, and the way TokenDacl is handed back to the caller is not
 * shown.
 *
 * Returns STATUS_INSUFFICIENT_RESOURCES when the pool allocation fails and
 * STATUS_SUCCESS otherwise.
 */
223 SepCreateImpersonationTokenDacl(PTOKEN Token
,
/*
 * Size the buffer for five ACEs. The SeRestrictedCodeSid slot is always
 * budgeted, so the conditional ACE further down fits whenever it is added.
 */
232 AclLength
= sizeof(ACL
) +
233 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
234 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
)) +
235 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
/* presumably UserAndGroups[0] is the token's user SID - confirm */
236 (sizeof(ACE
) + RtlLengthSid(Token
->UserAndGroups
->Sid
)) +
237 (sizeof(ACE
) + RtlLengthSid(PrimaryToken
->UserAndGroups
->Sid
));
239 TokenDacl
= ExAllocatePoolWithTag(PagedPool
, AclLength
, TAG_ACL
);
240 if (TokenDacl
== NULL
)
242 return STATUS_INSUFFICIENT_RESOURCES
;
/*
 * NOTE(review): the NTSTATUS results of RtlCreateAcl and of every
 * RtlAddAccessAllowedAce below are discarded, and the function still returns
 * STATUS_SUCCESS. A failed call would hand back a DACL that is missing ACEs
 * while reporting success - consider propagating the first failure and
 * freeing TokenDacl on that path.
 */
245 RtlCreateAcl(TokenDacl
, AclLength
, ACL_REVISION
);
246 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
247 Token
->UserAndGroups
->Sid
);
248 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
249 PrimaryToken
->UserAndGroups
->Sid
);
/*
 * Two more GENERIC_ALL ACEs; their SID arguments are cut off. By the sizing
 * above they are presumably SeAliasAdminsSid and SeLocalSystemSid - confirm.
 */
250 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
252 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
/*
 * Restricted code receives full access to the token only when at least one of
 * the two tokens has a non-NULL RestrictedSids pointer.
 */
257 if (Token
->RestrictedSids
!= NULL
|| PrimaryToken
->RestrictedSids
!= NULL
)
259 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
260 SeRestrictedCodeSid
);
264 return STATUS_SUCCESS
;
/*
 * SepCaptureAcl - obtain a kernel-side view of a caller-supplied ACL.
 *
 * InputAcl        ACL to capture; untrusted when AccessMode is not KernelMode.
 * AccessMode      processor mode of the caller that supplied InputAcl.
 * PoolType        pool type used for the copy.
 * CaptureIfKernel for KernelMode callers: copy the ACL when TRUE, alias the
 *                 input pointer when FALSE.
 * CapturedAcl     receives the copy, or InputAcl itself on the alias path.
 *
 * Three paths are visible: a probed, exception-guarded copy for non-kernel
 * callers; a plain alias for kernel callers that did not ask for a capture;
 * and an unguarded copy for kernel callers that did. The exception handlers
 * return the exception code. Status starts as STATUS_SUCCESS and is set to
 * STATUS_INSUFFICIENT_RESOURCES on both copy paths, presumably after a failed
 * allocation (the NULL checks and the final return are not visible in this
 * listing).
 */
269 SepCaptureAcl(IN PACL InputAcl
,
270 IN KPROCESSOR_MODE AccessMode
,
271 IN POOL_TYPE PoolType
,
272 IN BOOLEAN CaptureIfKernel
,
273 OUT PACL
*CapturedAcl
)
277 NTSTATUS Status
= STATUS_SUCCESS
;
/* Non-kernel caller: InputAcl points at memory the caller still controls. */
281 if (AccessMode
!= KernelMode
)
/*
 * Two-step probe: the first probe precedes the read of the header field, the
 * second follows it (its length argument is cut off, presumably AclSize).
 * AclSize is fetched from caller memory once, into a local; the allocation
 * and the copy below should use that local and never re-read
 * InputAcl->AclSize - their size arguments are not visible here, confirm.
 */
285 ProbeForRead(InputAcl
,
288 AclSize
= InputAcl
->AclSize
;
289 ProbeForRead(InputAcl
,
293 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
295 /* Return the exception code */
296 _SEH2_YIELD(return _SEH2_GetExceptionCode());
/*
 * NOTE(review): untagged ExAllocatePool, while the DACLs built elsewhere in
 * this file use ExAllocatePoolWithTag; a tag would make leaked captures
 * easier to attribute. The requested size comes from the caller's header
 * and no lower bound (at least sizeof(ACL)) is visible in this listing -
 * confirm whether one is enforced.
 */
300 NewAcl
= ExAllocatePool(PoolType
,
/*
 * NOTE(review): this copy reads the ACL header from caller memory a second
 * time, so NewAcl->AclSize can differ from the AclSize local if the caller
 * rewrites the field between the fetch above and the copy. Nothing visible
 * here re-validates the captured header; whoever walks the captured ACL must
 * check its AclSize and ACE sizes against the allocated length - confirm
 * where that validation happens.
 */
306 RtlCopyMemory(NewAcl
,
310 *CapturedAcl
= NewAcl
;
312 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
314 /* Free the ACL and return the exception code */
316 _SEH2_YIELD(return _SEH2_GetExceptionCode());
322 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/*
 * Kernel caller without capture: the output aliases InputAcl, so the caller
 * must keep InputAcl valid for as long as *CapturedAcl is in use.
 */
325 else if(!CaptureIfKernel
)
327 *CapturedAcl
= InputAcl
;
/*
 * Kernel caller with capture: the input is trusted, so it is read without a
 * probe or exception guard.
 */
331 AclSize
= InputAcl
->AclSize
;
333 NewAcl
= ExAllocatePool(PoolType
,
338 RtlCopyMemory(NewAcl
,
342 *CapturedAcl
= NewAcl
;
346 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/*
 * SepReleaseAcl - free an ACL copy when one was made.
 *
 * CapturedAcl     pointer to release; NULL is ignored.
 * AccessMode      processor mode that was used for the capture.
 * CaptureIfKernel capture flag that was used for the capture.
 *
 * The condition mirrors the copy paths of SepCaptureAcl in this file: the
 * pointer is freed for non-kernel access modes and for kernel mode with
 * CaptureIfKernel set, and is left alone when kernel mode merely aliased the
 * input. Callers must pass the same AccessMode and CaptureIfKernel they gave
 * to the capture call; a mismatch would either free an ACL this code does not
 * own or leak the copy.
 */
355 SepReleaseAcl(IN PACL CapturedAcl
,
356 IN KPROCESSOR_MODE AccessMode
,
357 IN BOOLEAN CaptureIfKernel
)
/*
 * The "AccessMode == KernelMode &&" test in the second alternative is
 * redundant: it is only evaluated once "AccessMode != KernelMode" is false.
 */
361 if(CapturedAcl
!= NULL
&&
362 (AccessMode
!= KernelMode
||
363 (AccessMode
== KernelMode
&& CaptureIfKernel
)))
365 ExFreePool(CapturedAcl
);