projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Part 1 of <many> ntoskrnl header cleanups
[reactos.git] / reactos / ntoskrnl / se / acl.c
1 /* $Id$
2 *
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/acl.c
6 * PURPOSE: Security manager
7 *
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
9 */
10
11 /* INCLUDES *****************************************************************/
12
13 #include <ntoskrnl.h>
14 #include <internal/debug.h>
15
16 /* GLOBALS ******************************************************************/
17
18 PACL SePublicDefaultDacl = NULL;
19 PACL SeSystemDefaultDacl = NULL;
20
21 PACL SePublicDefaultUnrestrictedDacl = NULL;
22 PACL SePublicOpenDacl = NULL;
23 PACL SePublicOpenUnrestrictedDacl = NULL;
24 PACL SeUnrestrictedDacl = NULL;
25
26
27 /* FUNCTIONS ****************************************************************/
28
29 BOOLEAN
30 INIT_FUNCTION
31 NTAPI
32 SepInitDACLs(VOID)
33 {
34 ULONG AclLength;
35
36 /* create PublicDefaultDacl */
37 AclLength = sizeof(ACL) +
38 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
39 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
40
41 SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
42 AclLength,
43 TAG_ACL);
44 if (SePublicDefaultDacl == NULL)
45 return FALSE;
46
47 RtlCreateAcl(SePublicDefaultDacl,
48 AclLength,
49 ACL_REVISION);
50
51 RtlAddAccessAllowedAce(SePublicDefaultDacl,
52 ACL_REVISION,
53 GENERIC_EXECUTE,
54 SeWorldSid);
55
56 RtlAddAccessAllowedAce(SePublicDefaultDacl,
57 ACL_REVISION,
58 GENERIC_ALL,
59 SeLocalSystemSid);
60
61
62 /* create PublicDefaultUnrestrictedDacl */
63 AclLength = sizeof(ACL) +
64 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
65 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
66 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
67 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
68
69 SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
70 AclLength,
71 TAG_ACL);
72 if (SePublicDefaultUnrestrictedDacl == NULL)
73 return FALSE;
74
75 RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
76 AclLength,
77 ACL_REVISION);
78
79 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
80 ACL_REVISION,
81 GENERIC_EXECUTE,
82 SeWorldSid);
83
84 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
85 ACL_REVISION,
86 GENERIC_ALL,
87 SeLocalSystemSid);
88
89 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
90 ACL_REVISION,
91 GENERIC_ALL,
92 SeAliasAdminsSid);
93
94 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
95 ACL_REVISION,
96 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
97 SeRestrictedCodeSid);
98
99 /* create PublicOpenDacl */
100 AclLength = sizeof(ACL) +
101 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
102 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
103 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
104
105 SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool,
106 AclLength,
107 TAG_ACL);
108 if (SePublicOpenDacl == NULL)
109 return FALSE;
110
111 RtlCreateAcl(SePublicOpenDacl,
112 AclLength,
113 ACL_REVISION);
114
115 RtlAddAccessAllowedAce(SePublicOpenDacl,
116 ACL_REVISION,
117 GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
118 SeWorldSid);
119
120 RtlAddAccessAllowedAce(SePublicOpenDacl,
121 ACL_REVISION,
122 GENERIC_ALL,
123 SeLocalSystemSid);
124
125 RtlAddAccessAllowedAce(SePublicOpenDacl,
126 ACL_REVISION,
127 GENERIC_ALL,
128 SeAliasAdminsSid);
129
130 /* create PublicOpenUnrestrictedDacl */
131 AclLength = sizeof(ACL) +
132 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
133 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
134 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
135 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
136
137 SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
138 AclLength,
139 TAG_ACL);
140 if (SePublicOpenUnrestrictedDacl == NULL)
141 return FALSE;
142
143 RtlCreateAcl(SePublicOpenUnrestrictedDacl,
144 AclLength,
145 ACL_REVISION);
146
147 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
148 ACL_REVISION,
149 GENERIC_ALL,
150 SeWorldSid);
151
152 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
153 ACL_REVISION,
154 GENERIC_ALL,
155 SeLocalSystemSid);
156
157 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
158 ACL_REVISION,
159 GENERIC_ALL,
160 SeAliasAdminsSid);
161
162 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
163 ACL_REVISION,
164 GENERIC_READ | GENERIC_EXECUTE,
165 SeRestrictedCodeSid);
166
167 /* create SystemDefaultDacl */
168 AclLength = sizeof(ACL) +
169 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
170 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
171
172 SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool,
173 AclLength,
174 TAG_ACL);
175 if (SeSystemDefaultDacl == NULL)
176 return FALSE;
177
178 RtlCreateAcl(SeSystemDefaultDacl,
179 AclLength,
180 ACL_REVISION);
181
182 RtlAddAccessAllowedAce(SeSystemDefaultDacl,
183 ACL_REVISION,
184 GENERIC_ALL,
185 SeLocalSystemSid);
186
187 RtlAddAccessAllowedAce(SeSystemDefaultDacl,
188 ACL_REVISION,
189 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
190 SeAliasAdminsSid);
191
192 /* create UnrestrictedDacl */
193 AclLength = sizeof(ACL) +
194 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
195 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
196
197 SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
198 AclLength,
199 TAG_ACL);
200 if (SeUnrestrictedDacl == NULL)
201 return FALSE;
202
203 RtlCreateAcl(SeUnrestrictedDacl,
204 AclLength,
205 ACL_REVISION);
206
207 RtlAddAccessAllowedAce(SeUnrestrictedDacl,
208 ACL_REVISION,
209 GENERIC_ALL,
210 SeWorldSid);
211
212 RtlAddAccessAllowedAce(SeUnrestrictedDacl,
213 ACL_REVISION,
214 GENERIC_READ | GENERIC_EXECUTE,
215 SeRestrictedCodeSid);
216
217 return(TRUE);
218 }
219
220 NTSTATUS STDCALL
221 SepCreateImpersonationTokenDacl(PTOKEN Token,
222 PTOKEN PrimaryToken,
223 PACL *Dacl)
224 {
225 ULONG AclLength;
226 PVOID TokenDacl;
227
228 PAGED_CODE();
229
230 AclLength = sizeof(ACL) +
231 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
232 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
233 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
234 (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
235 (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
236
237 TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
238 if (TokenDacl == NULL)
239 {
240 return STATUS_INSUFFICIENT_RESOURCES;
241 }
242
243 RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
244 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
245 Token->UserAndGroups->Sid);
246 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
247 PrimaryToken->UserAndGroups->Sid);
248 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
249 SeAliasAdminsSid);
250 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
251 SeLocalSystemSid);
252
253 /* FIXME */
254 #if 0
255 if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
256 {
257 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
258 SeRestrictedCodeSid);
259 }
260 #endif
261
262 return STATUS_SUCCESS;
263 }
264
265 NTSTATUS
266 NTAPI
267 SepCaptureAcl(IN PACL InputAcl,
268 IN KPROCESSOR_MODE AccessMode,
269 IN POOL_TYPE PoolType,
270 IN BOOLEAN CaptureIfKernel,
271 OUT PACL *CapturedAcl)
272 {
273 PACL NewAcl;
274 ULONG AclSize = 0;
275 NTSTATUS Status = STATUS_SUCCESS;
276
277 PAGED_CODE();
278
279 if(AccessMode != KernelMode)
280 {
281 _SEH_TRY
282 {
283 ProbeForRead(InputAcl,
284 sizeof(ACL),
285 sizeof(ULONG));
286 AclSize = InputAcl->AclSize;
287 ProbeForRead(InputAcl,
288 AclSize,
289 sizeof(ULONG));
290 }
291 _SEH_HANDLE
292 {
293 Status = _SEH_GetExceptionCode();
294 }
295 _SEH_END;
296
297 if(NT_SUCCESS(Status))
298 {
299 NewAcl = ExAllocatePool(PoolType,
300 AclSize);
301 if(NewAcl != NULL)
302 {
303 _SEH_TRY
304 {
305 RtlCopyMemory(NewAcl,
306 InputAcl,
307 AclSize);
308
309 *CapturedAcl = NewAcl;
310 }
311 _SEH_HANDLE
312 {
313 ExFreePool(NewAcl);
314 Status = _SEH_GetExceptionCode();
315 }
316 _SEH_END;
317 }
318 else
319 {
320 Status = STATUS_INSUFFICIENT_RESOURCES;
321 }
322 }
323 }
324 else if(!CaptureIfKernel)
325 {
326 *CapturedAcl = InputAcl;
327 }
328 else
329 {
330 AclSize = InputAcl->AclSize;
331
332 NewAcl = ExAllocatePool(PoolType,
333 AclSize);
334
335 if(NewAcl != NULL)
336 {
337 RtlCopyMemory(NewAcl,
338 InputAcl,
339 AclSize);
340
341 *CapturedAcl = NewAcl;
342 }
343 else
344 {
345 Status = STATUS_INSUFFICIENT_RESOURCES;
346 }
347 }
348
349 return Status;
350 }
351
352 VOID
353 NTAPI
354 SepReleaseAcl(IN PACL CapturedAcl,
355 IN KPROCESSOR_MODE AccessMode,
356 IN BOOLEAN CaptureIfKernel)
357 {
358 PAGED_CODE();
359
360 if(CapturedAcl != NULL &&
361 (AccessMode != KernelMode ||
362 (AccessMode == KernelMode && CaptureIfKernel)))
363 {
364 ExFreePool(CapturedAcl);
365 }
366 }
367
368 /* EOF */
A free Windows-compatible Operating System