projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge trunk head (r43756)
[reactos.git] / reactos / ntoskrnl / se / acl.c
1 /*
2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/acl.c
5 * PURPOSE: Security manager
6 *
7 * PROGRAMMERS: David Welch <welch@cwcom.net>
8 */
9
10 /* INCLUDES *******************************************************************/
11
12 #include <ntoskrnl.h>
13 #define NDEBUG
14 #include <debug.h>
15
16 #if defined (ALLOC_PRAGMA)
17 #pragma alloc_text(INIT, SepInitDACLs)
18 #endif
19
20 /* GLOBALS ********************************************************************/
21
22 PACL SePublicDefaultDacl = NULL;
23 PACL SeSystemDefaultDacl = NULL;
24 PACL SePublicDefaultUnrestrictedDacl = NULL;
25 PACL SePublicOpenDacl = NULL;
26 PACL SePublicOpenUnrestrictedDacl = NULL;
27 PACL SeUnrestrictedDacl = NULL;
28
29 /* FUNCTIONS ******************************************************************/
30
31 BOOLEAN
32 INIT_FUNCTION
33 NTAPI
34 SepInitDACLs(VOID)
35 {
36 ULONG AclLength;
37
38 /* create PublicDefaultDacl */
39 AclLength = sizeof(ACL) +
40 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
41 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
42
43 SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
44 AclLength,
45 TAG_ACL);
46 if (SePublicDefaultDacl == NULL)
47 return FALSE;
48
49 RtlCreateAcl(SePublicDefaultDacl,
50 AclLength,
51 ACL_REVISION);
52
53 RtlAddAccessAllowedAce(SePublicDefaultDacl,
54 ACL_REVISION,
55 GENERIC_EXECUTE,
56 SeWorldSid);
57
58 RtlAddAccessAllowedAce(SePublicDefaultDacl,
59 ACL_REVISION,
60 GENERIC_ALL,
61 SeLocalSystemSid);
62
63
64 /* create PublicDefaultUnrestrictedDacl */
65 AclLength = sizeof(ACL) +
66 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
67 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
68 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
69 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
70
71 SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
72 AclLength,
73 TAG_ACL);
74 if (SePublicDefaultUnrestrictedDacl == NULL)
75 return FALSE;
76
77 RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
78 AclLength,
79 ACL_REVISION);
80
81 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
82 ACL_REVISION,
83 GENERIC_EXECUTE,
84 SeWorldSid);
85
86 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
87 ACL_REVISION,
88 GENERIC_ALL,
89 SeLocalSystemSid);
90
91 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
92 ACL_REVISION,
93 GENERIC_ALL,
94 SeAliasAdminsSid);
95
96 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
97 ACL_REVISION,
98 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
99 SeRestrictedCodeSid);
100
101 /* create PublicOpenDacl */
102 AclLength = sizeof(ACL) +
103 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
104 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
105 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
106
107 SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool,
108 AclLength,
109 TAG_ACL);
110 if (SePublicOpenDacl == NULL)
111 return FALSE;
112
113 RtlCreateAcl(SePublicOpenDacl,
114 AclLength,
115 ACL_REVISION);
116
117 RtlAddAccessAllowedAce(SePublicOpenDacl,
118 ACL_REVISION,
119 GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
120 SeWorldSid);
121
122 RtlAddAccessAllowedAce(SePublicOpenDacl,
123 ACL_REVISION,
124 GENERIC_ALL,
125 SeLocalSystemSid);
126
127 RtlAddAccessAllowedAce(SePublicOpenDacl,
128 ACL_REVISION,
129 GENERIC_ALL,
130 SeAliasAdminsSid);
131
132 /* create PublicOpenUnrestrictedDacl */
133 AclLength = sizeof(ACL) +
134 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
135 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
136 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
137 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
138
139 SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
140 AclLength,
141 TAG_ACL);
142 if (SePublicOpenUnrestrictedDacl == NULL)
143 return FALSE;
144
145 RtlCreateAcl(SePublicOpenUnrestrictedDacl,
146 AclLength,
147 ACL_REVISION);
148
149 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
150 ACL_REVISION,
151 GENERIC_ALL,
152 SeWorldSid);
153
154 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
155 ACL_REVISION,
156 GENERIC_ALL,
157 SeLocalSystemSid);
158
159 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
160 ACL_REVISION,
161 GENERIC_ALL,
162 SeAliasAdminsSid);
163
164 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
165 ACL_REVISION,
166 GENERIC_READ | GENERIC_EXECUTE,
167 SeRestrictedCodeSid);
168
169 /* create SystemDefaultDacl */
170 AclLength = sizeof(ACL) +
171 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
172 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
173
174 SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool,
175 AclLength,
176 TAG_ACL);
177 if (SeSystemDefaultDacl == NULL)
178 return FALSE;
179
180 RtlCreateAcl(SeSystemDefaultDacl,
181 AclLength,
182 ACL_REVISION);
183
184 RtlAddAccessAllowedAce(SeSystemDefaultDacl,
185 ACL_REVISION,
186 GENERIC_ALL,
187 SeLocalSystemSid);
188
189 RtlAddAccessAllowedAce(SeSystemDefaultDacl,
190 ACL_REVISION,
191 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
192 SeAliasAdminsSid);
193
194 /* create UnrestrictedDacl */
195 AclLength = sizeof(ACL) +
196 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
197 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
198
199 SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
200 AclLength,
201 TAG_ACL);
202 if (SeUnrestrictedDacl == NULL)
203 return FALSE;
204
205 RtlCreateAcl(SeUnrestrictedDacl,
206 AclLength,
207 ACL_REVISION);
208
209 RtlAddAccessAllowedAce(SeUnrestrictedDacl,
210 ACL_REVISION,
211 GENERIC_ALL,
212 SeWorldSid);
213
214 RtlAddAccessAllowedAce(SeUnrestrictedDacl,
215 ACL_REVISION,
216 GENERIC_READ | GENERIC_EXECUTE,
217 SeRestrictedCodeSid);
218
219 return(TRUE);
220 }
221
222 NTSTATUS NTAPI
223 SepCreateImpersonationTokenDacl(PTOKEN Token,
224 PTOKEN PrimaryToken,
225 PACL *Dacl)
226 {
227 ULONG AclLength;
228 PVOID TokenDacl;
229
230 PAGED_CODE();
231
232 AclLength = sizeof(ACL) +
233 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
234 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
235 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
236 (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
237 (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
238
239 TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
240 if (TokenDacl == NULL)
241 {
242 return STATUS_INSUFFICIENT_RESOURCES;
243 }
244
245 RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
246 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
247 Token->UserAndGroups->Sid);
248 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
249 PrimaryToken->UserAndGroups->Sid);
250 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
251 SeAliasAdminsSid);
252 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
253 SeLocalSystemSid);
254
255 /* FIXME */
256 #if 0
257 if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
258 {
259 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
260 SeRestrictedCodeSid);
261 }
262 #endif
263
264 return STATUS_SUCCESS;
265 }
266
267 NTSTATUS
268 NTAPI
269 SepCaptureAcl(IN PACL InputAcl,
270 IN KPROCESSOR_MODE AccessMode,
271 IN POOL_TYPE PoolType,
272 IN BOOLEAN CaptureIfKernel,
273 OUT PACL *CapturedAcl)
274 {
275 PACL NewAcl;
276 ULONG AclSize = 0;
277 NTSTATUS Status = STATUS_SUCCESS;
278
279 PAGED_CODE();
280
281 if (AccessMode != KernelMode)
282 {
283 _SEH2_TRY
284 {
285 ProbeForRead(InputAcl,
286 sizeof(ACL),
287 sizeof(ULONG));
288 AclSize = InputAcl->AclSize;
289 ProbeForRead(InputAcl,
290 AclSize,
291 sizeof(ULONG));
292 }
293 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
294 {
295 /* Return the exception code */
296 _SEH2_YIELD(return _SEH2_GetExceptionCode());
297 }
298 _SEH2_END;
299
300 NewAcl = ExAllocatePool(PoolType,
301 AclSize);
302 if(NewAcl != NULL)
303 {
304 _SEH2_TRY
305 {
306 RtlCopyMemory(NewAcl,
307 InputAcl,
308 AclSize);
309
310 *CapturedAcl = NewAcl;
311 }
312 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
313 {
314 /* Free the ACL and return the exception code */
315 ExFreePool(NewAcl);
316 _SEH2_YIELD(return _SEH2_GetExceptionCode());
317 }
318 _SEH2_END;
319 }
320 else
321 {
322 Status = STATUS_INSUFFICIENT_RESOURCES;
323 }
324 }
325 else if(!CaptureIfKernel)
326 {
327 *CapturedAcl = InputAcl;
328 }
329 else
330 {
331 AclSize = InputAcl->AclSize;
332
333 NewAcl = ExAllocatePool(PoolType,
334 AclSize);
335
336 if(NewAcl != NULL)
337 {
338 RtlCopyMemory(NewAcl,
339 InputAcl,
340 AclSize);
341
342 *CapturedAcl = NewAcl;
343 }
344 else
345 {
346 Status = STATUS_INSUFFICIENT_RESOURCES;
347 }
348 }
349
350 return Status;
351 }
352
353 VOID
354 NTAPI
355 SepReleaseAcl(IN PACL CapturedAcl,
356 IN KPROCESSOR_MODE AccessMode,
357 IN BOOLEAN CaptureIfKernel)
358 {
359 PAGED_CODE();
360
361 if(CapturedAcl != NULL &&
362 (AccessMode != KernelMode ||
363 (AccessMode == KernelMode && CaptureIfKernel)))
364 {
365 ExFreePool(CapturedAcl);
366 }
367 }
368
369 /* EOF */
A free Windows-compatible Operating System