- use inlined probing macros for basic types
[reactos.git] / reactos / ntoskrnl / se / acl.c
1 /* $Id$
2 *
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/acl.c
6 * PURPOSE: Security manager
7 *
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
9 */
10
11 /* INCLUDES *****************************************************************/
12
13 #include <ntoskrnl.h>
14 #include <internal/debug.h>
15
16 /* GLOBALS ******************************************************************/
17
18 PACL SePublicDefaultDacl = NULL;
19 PACL SeSystemDefaultDacl = NULL;
20
21 PACL SePublicDefaultUnrestrictedDacl = NULL;
22 PACL SePublicOpenDacl = NULL;
23 PACL SePublicOpenUnrestrictedDacl = NULL;
24 PACL SeUnrestrictedDacl = NULL;
25
26
27 /* FUNCTIONS ****************************************************************/
28
29 BOOLEAN INIT_FUNCTION
30 SepInitDACLs(VOID)
31 {
32 ULONG AclLength;
33
34 /* create PublicDefaultDacl */
35 AclLength = sizeof(ACL) +
36 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
37 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
38
39 SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
40 AclLength,
41 TAG_ACL);
42 if (SePublicDefaultDacl == NULL)
43 return FALSE;
44
45 RtlCreateAcl(SePublicDefaultDacl,
46 AclLength,
47 ACL_REVISION);
48
49 RtlAddAccessAllowedAce(SePublicDefaultDacl,
50 ACL_REVISION,
51 GENERIC_EXECUTE,
52 SeWorldSid);
53
54 RtlAddAccessAllowedAce(SePublicDefaultDacl,
55 ACL_REVISION,
56 GENERIC_ALL,
57 SeLocalSystemSid);
58
59
60 /* create PublicDefaultUnrestrictedDacl */
61 AclLength = sizeof(ACL) +
62 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
63 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
64 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
65 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
66
67 SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
68 AclLength,
69 TAG_ACL);
70 if (SePublicDefaultUnrestrictedDacl == NULL)
71 return FALSE;
72
73 RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
74 AclLength,
75 ACL_REVISION);
76
77 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
78 ACL_REVISION,
79 GENERIC_EXECUTE,
80 SeWorldSid);
81
82 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
83 ACL_REVISION,
84 GENERIC_ALL,
85 SeLocalSystemSid);
86
87 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
88 ACL_REVISION,
89 GENERIC_ALL,
90 SeAliasAdminsSid);
91
92 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
93 ACL_REVISION,
94 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
95 SeRestrictedCodeSid);
96
97 /* create PublicOpenDacl */
98 AclLength = sizeof(ACL) +
99 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
100 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
101 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
102
103 SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool,
104 AclLength,
105 TAG_ACL);
106 if (SePublicOpenDacl == NULL)
107 return FALSE;
108
109 RtlCreateAcl(SePublicOpenDacl,
110 AclLength,
111 ACL_REVISION);
112
113 RtlAddAccessAllowedAce(SePublicOpenDacl,
114 ACL_REVISION,
115 GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
116 SeWorldSid);
117
118 RtlAddAccessAllowedAce(SePublicOpenDacl,
119 ACL_REVISION,
120 GENERIC_ALL,
121 SeLocalSystemSid);
122
123 RtlAddAccessAllowedAce(SePublicOpenDacl,
124 ACL_REVISION,
125 GENERIC_ALL,
126 SeAliasAdminsSid);
127
128 /* create PublicOpenUnrestrictedDacl */
129 AclLength = sizeof(ACL) +
130 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
131 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
132 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
133 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
134
135 SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
136 AclLength,
137 TAG_ACL);
138 if (SePublicOpenUnrestrictedDacl == NULL)
139 return FALSE;
140
141 RtlCreateAcl(SePublicOpenUnrestrictedDacl,
142 AclLength,
143 ACL_REVISION);
144
145 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
146 ACL_REVISION,
147 GENERIC_ALL,
148 SeWorldSid);
149
150 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
151 ACL_REVISION,
152 GENERIC_ALL,
153 SeLocalSystemSid);
154
155 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
156 ACL_REVISION,
157 GENERIC_ALL,
158 SeAliasAdminsSid);
159
160 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
161 ACL_REVISION,
162 GENERIC_READ | GENERIC_EXECUTE,
163 SeRestrictedCodeSid);
164
165 /* create SystemDefaultDacl */
166 AclLength = sizeof(ACL) +
167 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
168 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
169
170 SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool,
171 AclLength,
172 TAG_ACL);
173 if (SeSystemDefaultDacl == NULL)
174 return FALSE;
175
176 RtlCreateAcl(SeSystemDefaultDacl,
177 AclLength,
178 ACL_REVISION);
179
180 RtlAddAccessAllowedAce(SeSystemDefaultDacl,
181 ACL_REVISION,
182 GENERIC_ALL,
183 SeLocalSystemSid);
184
185 RtlAddAccessAllowedAce(SeSystemDefaultDacl,
186 ACL_REVISION,
187 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
188 SeAliasAdminsSid);
189
190 /* create UnrestrictedDacl */
191 AclLength = sizeof(ACL) +
192 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
193 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
194
195 SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
196 AclLength,
197 TAG_ACL);
198 if (SeUnrestrictedDacl == NULL)
199 return FALSE;
200
201 RtlCreateAcl(SeUnrestrictedDacl,
202 AclLength,
203 ACL_REVISION);
204
205 RtlAddAccessAllowedAce(SeUnrestrictedDacl,
206 ACL_REVISION,
207 GENERIC_ALL,
208 SeWorldSid);
209
210 RtlAddAccessAllowedAce(SeUnrestrictedDacl,
211 ACL_REVISION,
212 GENERIC_READ | GENERIC_EXECUTE,
213 SeRestrictedCodeSid);
214
215 return(TRUE);
216 }
217
218 NTSTATUS STDCALL
219 SepCreateImpersonationTokenDacl(PTOKEN Token,
220 PTOKEN PrimaryToken,
221 PACL *Dacl)
222 {
223 ULONG AclLength;
224 PVOID TokenDacl;
225
226 PAGED_CODE();
227
228 AclLength = sizeof(ACL) +
229 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
230 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
231 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
232 (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
233 (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
234
235 TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
236 if (TokenDacl == NULL)
237 {
238 return STATUS_INSUFFICIENT_RESOURCES;
239 }
240
241 RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
242 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
243 Token->UserAndGroups->Sid);
244 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
245 PrimaryToken->UserAndGroups->Sid);
246 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
247 SeAliasAdminsSid);
248 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
249 SeLocalSystemSid);
250
251 /* FIXME */
252 #if 0
253 if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
254 {
255 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
256 SeRestrictedCodeSid);
257 }
258 #endif
259
260 return STATUS_SUCCESS;
261 }
262
263 NTSTATUS
264 SepCaptureAcl(IN PACL InputAcl,
265 IN KPROCESSOR_MODE AccessMode,
266 IN POOL_TYPE PoolType,
267 IN BOOLEAN CaptureIfKernel,
268 OUT PACL *CapturedAcl)
269 {
270 PACL NewAcl;
271 ULONG AclSize = 0;
272 NTSTATUS Status = STATUS_SUCCESS;
273
274 PAGED_CODE();
275
276 if(AccessMode != KernelMode)
277 {
278 _SEH_TRY
279 {
280 ProbeForRead(InputAcl,
281 sizeof(ACL),
282 sizeof(ULONG));
283 AclSize = InputAcl->AclSize;
284 ProbeForRead(InputAcl,
285 AclSize,
286 sizeof(ULONG));
287 }
288 _SEH_HANDLE
289 {
290 Status = _SEH_GetExceptionCode();
291 }
292 _SEH_END;
293
294 if(NT_SUCCESS(Status))
295 {
296 NewAcl = ExAllocatePool(PoolType,
297 AclSize);
298 if(NewAcl != NULL)
299 {
300 _SEH_TRY
301 {
302 RtlCopyMemory(NewAcl,
303 InputAcl,
304 AclSize);
305
306 *CapturedAcl = NewAcl;
307 }
308 _SEH_HANDLE
309 {
310 ExFreePool(NewAcl);
311 Status = _SEH_GetExceptionCode();
312 }
313 _SEH_END;
314 }
315 else
316 {
317 Status = STATUS_INSUFFICIENT_RESOURCES;
318 }
319 }
320 }
321 else if(!CaptureIfKernel)
322 {
323 *CapturedAcl = InputAcl;
324 }
325 else
326 {
327 AclSize = InputAcl->AclSize;
328
329 NewAcl = ExAllocatePool(PoolType,
330 AclSize);
331
332 if(NewAcl != NULL)
333 {
334 RtlCopyMemory(NewAcl,
335 InputAcl,
336 AclSize);
337
338 *CapturedAcl = NewAcl;
339 }
340 else
341 {
342 Status = STATUS_INSUFFICIENT_RESOURCES;
343 }
344 }
345
346 return Status;
347 }
348
349 VOID
350 SepReleaseAcl(IN PACL CapturedAcl,
351 IN KPROCESSOR_MODE AccessMode,
352 IN BOOLEAN CaptureIfKernel)
353 {
354 PAGED_CODE();
355
356 if(CapturedAcl != NULL &&
357 (AccessMode != KernelMode ||
358 (AccessMode == KernelMode && CaptureIfKernel)))
359 {
360 ExFreePool(CapturedAcl);
361 }
362 }
363
364 /* EOF */