3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/acl.c
6 * PURPOSE: Security manager
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
11 /* INCLUDES *****************************************************************/
14 #include <internal/debug.h>
16 /* GLOBALS ******************************************************************/
/*
 * Pointers to the predefined DACLs. Each one starts out as NULL and is
 * assigned a PagedPool allocation by the initialization code further down
 * this file.
 */
18 PACL SePublicDefaultDacl
= NULL
;
19 PACL SeSystemDefaultDacl
= NULL
;
21 PACL SePublicDefaultUnrestrictedDacl
= NULL
;
22 PACL SePublicOpenDacl
= NULL
;
23 PACL SePublicOpenUnrestrictedDacl
= NULL
;
24 PACL SeUnrestrictedDacl
= NULL
;
27 /* FUNCTIONS ****************************************************************/
/*
 * Builds the six predefined DACLs. The enclosing function header and many
 * argument lines are missing from this listing, so these notes cover only the
 * visible statements. Every DACL follows the same sequence: size the buffer
 * as sizeof(ACL) plus (sizeof(ACE) + RtlLengthSid(sid)) per entry, allocate
 * it from PagedPool, test the pointer for NULL, call RtlCreateAcl, then call
 * RtlAddAccessAllowedAce once per entry. In each section the number of add
 * calls equals the number of size terms.
 *
 * NOTE(review): none of the visible RtlCreateAcl / RtlAddAccessAllowedAce
 * calls assigns its result. A failed add would leave a default DACL with
 * fewer allow entries than intended -- confirm this is checked or asserted.
 */
36 /* create PublicDefaultDacl */
/* Room for two entries: World and LocalSystem. */
37 AclLength
= sizeof(ACL
) +
38 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
39 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
));
41 SePublicDefaultDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation failure; the body of this branch is not part of the listing. */
44 if (SePublicDefaultDacl
== NULL
)
47 RtlCreateAcl(SePublicDefaultDacl
,
/* Two allow entries; their masks and SIDs are not shown. */
51 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
56 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
62 /* create PublicDefaultUnrestrictedDacl */
/* Room for four entries: World, LocalSystem, the admins alias and restricted code. */
63 AclLength
= sizeof(ACL
) +
64 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
65 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
66 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
67 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
69 SePublicDefaultUnrestrictedDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation failure; the body of this branch is not part of the listing. */
72 if (SePublicDefaultUnrestrictedDacl
== NULL
)
75 RtlCreateAcl(SePublicDefaultUnrestrictedDacl
,
79 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
84 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
89 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
/*
 * Fourth entry: read, execute and READ_CONTROL only. The SID argument is not
 * shown; presumably SeRestrictedCodeSid, the fourth size term -- confirm.
 */
94 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
96 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
99 /* create PublicOpenDacl */
/* Room for three entries: World, LocalSystem and the admins alias. */
100 AclLength
= sizeof(ACL
) +
101 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
102 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
103 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
105 SePublicOpenDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation failure; the body of this branch is not part of the listing. */
108 if (SePublicOpenDacl
== NULL
)
111 RtlCreateAcl(SePublicOpenDacl
,
/*
 * First entry: read, write and execute. The SID argument is not shown;
 * presumably SeWorldSid, the first size term -- confirm.
 */
115 RtlAddAccessAllowedAce(SePublicOpenDacl
,
117 GENERIC_READ
| GENERIC_WRITE
| GENERIC_EXECUTE
,
120 RtlAddAccessAllowedAce(SePublicOpenDacl
,
125 RtlAddAccessAllowedAce(SePublicOpenDacl
,
130 /* create PublicOpenUnrestrictedDacl */
/* Room for four entries: World, LocalSystem, the admins alias and restricted code. */
131 AclLength
= sizeof(ACL
) +
132 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
133 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
134 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
135 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
137 SePublicOpenUnrestrictedDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation failure; the body of this branch is not part of the listing. */
140 if (SePublicOpenUnrestrictedDacl
== NULL
)
143 RtlCreateAcl(SePublicOpenUnrestrictedDacl
,
147 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
152 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
157 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
/* Restricted code is limited to read and execute in this DACL. */
162 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
164 GENERIC_READ
| GENERIC_EXECUTE
,
165 SeRestrictedCodeSid
);
167 /* create SystemDefaultDacl */
/* Room for two entries: LocalSystem and the admins alias. World is not sized in. */
168 AclLength
= sizeof(ACL
) +
169 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
170 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
172 SeSystemDefaultDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation failure; the body of this branch is not part of the listing. */
175 if (SeSystemDefaultDacl
== NULL
)
178 RtlCreateAcl(SeSystemDefaultDacl
,
182 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
/*
 * Second entry: read, execute and READ_CONTROL only. The SID argument is not
 * shown; presumably SeAliasAdminsSid, the second size term -- confirm.
 */
187 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
189 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
192 /* create UnrestrictedDacl */
/* Room for two entries: World and restricted code. */
193 AclLength
= sizeof(ACL
) +
194 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
195 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
197 SeUnrestrictedDacl
= ExAllocatePoolWithTag(PagedPool
,
/* Allocation failure; the body of this branch is not part of the listing. */
200 if (SeUnrestrictedDacl
== NULL
)
203 RtlCreateAcl(SeUnrestrictedDacl
,
207 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
/* Restricted code is limited to read and execute in this DACL. */
212 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
214 GENERIC_READ
| GENERIC_EXECUTE
,
215 SeRestrictedCodeSid
);
/*
 * Builds a DACL for Token (judging by the name, an impersonation token).
 * Returns STATUS_INSUFFICIENT_RESOURCES when the pool allocation fails and
 * STATUS_SUCCESS otherwise. The rest of the parameter list, the declaration
 * of PrimaryToken and the statement that hands TokenDacl back to the caller
 * are not part of this listing.
 *
 * NOTE(review): the visible RtlCreateAcl / RtlAddAccessAllowedAce calls do not
 * assign their results, and the function ends in STATUS_SUCCESS, so a failed
 * add would go unreported and yield a DACL missing an allow entry -- confirm.
 * NOTE(review): TokenDacl comes from PagedPool with TAG_ACL; who frees it is
 * not visible here -- document the owner at the call site.
 */
221 SepCreateImpersonationTokenDacl(PTOKEN Token
,
/*
 * Reserve room for five entries: the admins alias, restricted code,
 * LocalSystem, and the first UserAndGroups SID of Token and of PrimaryToken
 * (presumably each token's user SID -- confirm). The restricted-code entry is
 * only added conditionally below, so the buffer can end up with slack.
 */
230 AclLength
= sizeof(ACL
) +
231 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
232 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
)) +
233 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
234 (sizeof(ACE
) + RtlLengthSid(Token
->UserAndGroups
->Sid
)) +
235 (sizeof(ACE
) + RtlLengthSid(PrimaryToken
->UserAndGroups
->Sid
));
237 TokenDacl
= ExAllocatePoolWithTag(PagedPool
, AclLength
, TAG_ACL
);
238 if (TokenDacl
== NULL
)
240 return STATUS_INSUFFICIENT_RESOURCES
;
/* The ACL header is initialised with the full reserved length. */
243 RtlCreateAcl(TokenDacl
, AclLength
, ACL_REVISION
);
/* GENERIC_ALL for the first UserAndGroups SID of each of the two tokens. */
244 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
245 Token
->UserAndGroups
->Sid
);
246 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
247 PrimaryToken
->UserAndGroups
->Sid
);
/*
 * Two more GENERIC_ALL entries whose SID arguments are not shown. Going by
 * the size computation above they are presumably SeAliasAdminsSid and
 * SeLocalSystemSid -- confirm.
 */
248 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
250 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
/*
 * When either token has a non-NULL RestrictedSids pointer, restricted code
 * is granted GENERIC_ALL as well.
 */
255 if (Token
->RestrictedSids
!= NULL
|| PrimaryToken
->RestrictedSids
!= NULL
)
257 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
258 SeRestrictedCodeSid
);
262 return STATUS_SUCCESS
;
/*
 * Captures an ACL and stores the result in *CapturedAcl. Three paths are
 * visible:
 *   - AccessMode != KernelMode: probe InputAcl, read its AclSize, probe again,
 *     then allocate from PoolType and copy into the new buffer.
 *   - KernelMode and !CaptureIfKernel: no copy; *CapturedAcl aliases InputAcl.
 *   - KernelMode and CaptureIfKernel: allocate from PoolType and copy.
 * Status becomes the SEH exception code when a probe or the copy faults, and
 * STATUS_INSUFFICIENT_RESOURCES on the allocation-failure branches. The
 * return statement, the SEH block delimiters and most call arguments are not
 * part of this listing.
 *
 * A captured ACL should be handed to SepReleaseAcl with the same AccessMode
 * and CaptureIfKernel: its free condition mirrors the no-copy path here, so
 * mismatched arguments would free the caller's InputAcl or leak the copy.
 *
 * NOTE(review): no lower bound on AclSize (at least sizeof(ACL)) and no
 * structural validation such as RtlValidAcl is visible -- confirm it happens
 * here or in every consumer before the ACEs are walked.
 * NOTE(review): ExAllocatePool is untagged, while the DACL builders in this
 * file allocate with ExAllocatePoolWithTag -- consider tagging for leak tracking.
 */
267 SepCaptureAcl(IN PACL InputAcl
,
268 IN KPROCESSOR_MODE AccessMode
,
269 IN POOL_TYPE PoolType
,
270 IN BOOLEAN CaptureIfKernel
,
271 OUT PACL
*CapturedAcl
)
275 NTSTATUS Status
= STATUS_SUCCESS
;
/* Caller is not kernel mode: InputAcl points at untrusted memory. */
279 if(AccessMode
!= KernelMode
)
/* First probe; its length argument is not shown (presumably the ACL header -- confirm). */
283 ProbeForRead(InputAcl
,
/*
 * The size is read from caller memory into a local.
 * NOTE(review): the source and length of the RtlCopyMemory below are not
 * shown. If it copies from InputAcl, the AclSize field inside the copy can
 * differ from this local value, because the caller can rewrite it between
 * this read and the copy. Consumers should not trust NewAcl->AclSize unless
 * it is re-checked or overwritten with the local value after the copy -- confirm.
 */
286 AclSize
= InputAcl
->AclSize
;
/* Second probe; presumably over the full AclSize bytes -- confirm. */
287 ProbeForRead(InputAcl
,
/* A fault while probing or reading the header is reported as the status. */
293 Status
= _SEH_GetExceptionCode();
297 if(NT_SUCCESS(Status
))
299 NewAcl
= ExAllocatePool(PoolType
,
305 RtlCopyMemory(NewAcl
,
309 *CapturedAcl
= NewAcl
;
/*
 * A fault during the copy is reported as the status.
 * NOTE(review): confirm NewAcl is freed on this path and that *CapturedAcl is
 * not left pointing at it; the surrounding lines are not shown.
 */
314 Status
= _SEH_GetExceptionCode();
/* Allocation failed. */
320 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/* Kernel-mode caller that did not ask for a copy: hand back the input pointer itself. */
324 else if(!CaptureIfKernel
)
326 *CapturedAcl
= InputAcl
;
/* Kernel-mode caller that asked for a copy: no probing, no SEH status is set here. */
330 AclSize
= InputAcl
->AclSize
;
332 NewAcl
= ExAllocatePool(PoolType
,
337 RtlCopyMemory(NewAcl
,
341 *CapturedAcl
= NewAcl
;
/* Allocation failed. */
345 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/*
 * Frees an ACL obtained from SepCaptureAcl, but only when the capture made a
 * copy: CapturedAcl is non-NULL and either AccessMode is not KernelMode or
 * CaptureIfKernel is set. For KernelMode without CaptureIfKernel the pointer
 * is the caller's own InputAcl (see the no-copy path in SepCaptureAcl) and is
 * left alone.
 *
 * Callers should pass the same AccessMode and CaptureIfKernel they used for
 * the capture: different values would either free memory this code does not
 * own or leak the captured copy.
 */
354 SepReleaseAcl(IN PACL CapturedAcl
,
355 IN KPROCESSOR_MODE AccessMode
,
356 IN BOOLEAN CaptureIfKernel
)
/* The inner AccessMode == KernelMode test is implied by the preceding || arm. */
360 if(CapturedAcl
!= NULL
&&
361 (AccessMode
!= KernelMode
||
362 (AccessMode
== KernelMode
&& CaptureIfKernel
)))
364 ExFreePool(CapturedAcl
);