3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/acl.c
6 * PURPOSE: Security manager
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
11 /* INCLUDES *****************************************************************/
14 #include <internal/debug.h>
16 /* GLOBALS ******************************************************************/
/*
 * Default DACLs owned by the security manager. Every pointer starts out
 * NULL; the initialisation code further down in this file allocates the
 * ACLs and stores them here.
 */

/* These two carry the EXPORTED marker. */
PACL EXPORTED SePublicDefaultDacl = NULL;
PACL EXPORTED SeSystemDefaultDacl = NULL;

/* The remaining DACLs are declared without EXPORTED. */
PACL SePublicDefaultUnrestrictedDacl = NULL;
PACL SePublicOpenDacl = NULL;
PACL SePublicOpenUnrestrictedDacl = NULL;
PACL SeUnrestrictedDacl = NULL;
27 /* FUNCTIONS ****************************************************************/
34 /*
 * Create SePublicDefaultDacl.
 *
 * AclLength reserves the ACL header plus one ACE slot each for SeWorldSid
 * and SeLocalSystemSid, which matches the two RtlAddAccessAllowedAce calls
 * that follow. The buffer comes from NonPagedPool.
 *
 * The listing omits the remaining arguments of the allocation, RtlCreateAcl
 * and ACE calls, and the body of the NULL check.
 *
 * NOTE(review): RtlCreateAcl and RtlAddAccessAllowedAce appear as bare
 * statements, so their NTSTATUS results look unused. A failed add would
 * leave this system-wide default DACL without the intended entry and
 * nothing would report it - confirm against the full file.
 */
35 AclLength
= sizeof(ACL
) +
36 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
37 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
));
39 SePublicDefaultDacl
= ExAllocatePoolWithTag(NonPagedPool
,
42 if (SePublicDefaultDacl
== NULL
)
45 RtlCreateAcl(SePublicDefaultDacl
,
49 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
54 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
60 /*
 * Create SePublicDefaultUnrestrictedDacl.
 *
 * AclLength reserves the ACL header plus four ACE slots: SeWorldSid,
 * SeLocalSystemSid, SeAliasAdminsSid and SeRestrictedCodeSid. Four
 * RtlAddAccessAllowedAce calls follow; only the fourth call's access mask
 * (GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL) is visible here, the SID
 * arguments are not shown.
 *
 * NOTE(review): the size computation and the list of ACE calls must stay
 * in step. If an ACE is added without growing AclLength, the add fails,
 * and the visible calls do not keep the returned status - confirm.
 */
61 AclLength
= sizeof(ACL
) +
62 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
63 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
64 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
65 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
67 SePublicDefaultUnrestrictedDacl
= ExAllocatePoolWithTag(NonPagedPool
,
70 if (SePublicDefaultUnrestrictedDacl
== NULL
)
73 RtlCreateAcl(SePublicDefaultUnrestrictedDacl
,
77 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
82 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
87 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
92 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
94 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
97 /*
 * Create SePublicOpenDacl.
 *
 * AclLength reserves the ACL header plus three ACE slots: SeWorldSid,
 * SeLocalSystemSid and SeAliasAdminsSid. Three RtlAddAccessAllowedAce
 * calls follow; the first one's visible access mask is
 * GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE. Its SID argument and the
 * masks of the other two calls are not shown in this listing.
 *
 * NOTE(review): presumably the first ACE is the SeWorldSid entry, which
 * would make this the DACL that gives every caller write access - verify
 * the SID order in the full file before reusing this DACL for a new object.
 */
98 AclLength
= sizeof(ACL
) +
99 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
100 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
101 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
103 SePublicOpenDacl
= ExAllocatePoolWithTag(NonPagedPool
,
106 if (SePublicOpenDacl
== NULL
)
109 RtlCreateAcl(SePublicOpenDacl
,
113 RtlAddAccessAllowedAce(SePublicOpenDacl
,
115 GENERIC_READ
| GENERIC_WRITE
| GENERIC_EXECUTE
,
118 RtlAddAccessAllowedAce(SePublicOpenDacl
,
123 RtlAddAccessAllowedAce(SePublicOpenDacl
,
128 /*
 * Create SePublicOpenUnrestrictedDacl.
 *
 * AclLength reserves the ACL header plus four ACE slots: SeWorldSid,
 * SeLocalSystemSid, SeAliasAdminsSid and SeRestrictedCodeSid. Four
 * RtlAddAccessAllowedAce calls follow. The last one grants
 * GENERIC_READ | GENERIC_EXECUTE to SeRestrictedCodeSid, so restricted
 * code gets no write access from that entry. The arguments of the first
 * three calls are not shown in this listing.
 *
 * NOTE(review): the results of RtlCreateAcl and the ACE calls look unused
 * here - confirm against the full file.
 */
129 AclLength
= sizeof(ACL
) +
130 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
131 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
132 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
133 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
135 SePublicOpenUnrestrictedDacl
= ExAllocatePoolWithTag(NonPagedPool
,
138 if (SePublicOpenUnrestrictedDacl
== NULL
)
141 RtlCreateAcl(SePublicOpenUnrestrictedDacl
,
145 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
150 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
155 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
160 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
162 GENERIC_READ
| GENERIC_EXECUTE
,
163 SeRestrictedCodeSid
);
165 /*
 * Create SeSystemDefaultDacl.
 *
 * AclLength reserves the ACL header plus two ACE slots: SeLocalSystemSid
 * and SeAliasAdminsSid. SeWorldSid is not sized for, so this DACL has no
 * room for an everyone entry. Two RtlAddAccessAllowedAce calls follow; the
 * second one's visible mask is GENERIC_READ | GENERIC_EXECUTE |
 * READ_CONTROL. The SID arguments and the first call's mask are not shown
 * in this listing.
 *
 * NOTE(review): presumably the reduced mask belongs to the administrators
 * entry and LocalSystem gets the wider one - confirm in the full file.
 */
166 AclLength
= sizeof(ACL
) +
167 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
168 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
170 SeSystemDefaultDacl
= ExAllocatePoolWithTag(NonPagedPool
,
173 if (SeSystemDefaultDacl
== NULL
)
176 RtlCreateAcl(SeSystemDefaultDacl
,
180 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
185 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
187 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
190 /*
 * Create SeUnrestrictedDacl.
 *
 * AclLength reserves the ACL header plus two ACE slots: SeWorldSid and
 * SeRestrictedCodeSid. Two RtlAddAccessAllowedAce calls follow. The second
 * grants GENERIC_READ | GENERIC_EXECUTE to SeRestrictedCodeSid; the first
 * call's mask and SID are not shown in this listing.
 *
 * NOTE(review): the results of RtlCreateAcl and the ACE calls look unused
 * here - confirm against the full file.
 */
191 AclLength
= sizeof(ACL
) +
192 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
193 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
195 SeUnrestrictedDacl
= ExAllocatePoolWithTag(NonPagedPool
,
198 if (SeUnrestrictedDacl
== NULL
)
201 RtlCreateAcl(SeUnrestrictedDacl
,
205 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
210 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
212 GENERIC_READ
| GENERIC_EXECUTE
,
213 SeRestrictedCodeSid
);
/*
 * SepCreateImpersonationTokenDacl: build the DACL for an impersonation
 * token from Token and PrimaryToken.
 *
 * AclLength reserves the ACL header plus five ACE slots: SeAliasAdminsSid,
 * SeRestrictedCodeSid, SeLocalSystemSid, Token->UserAndGroups->Sid and
 * PrimaryToken->UserAndGroups->Sid. The buffer is allocated from PagedPool
 * with TAG_ACL.
 *
 * Returns STATUS_INSUFFICIENT_RESOURCES when the allocation fails and
 * STATUS_SUCCESS otherwise.
 *
 * The listing omits the return type, the remaining parameters, the local
 * declarations, the SID arguments of two ACE calls and whatever statement
 * hands TokenDacl to the caller.
 */
219 SepCreateImpersonationTokenDacl(PTOKEN Token
,
228 AclLength
= sizeof(ACL
) +
229 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
230 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
)) +
231 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
232 (sizeof(ACE
) + RtlLengthSid(Token
->UserAndGroups
->Sid
)) +
233 (sizeof(ACE
) + RtlLengthSid(PrimaryToken
->UserAndGroups
->Sid
));
235 TokenDacl
= ExAllocatePoolWithTag(PagedPool
, AclLength
, TAG_ACL
);
236 if (TokenDacl
== NULL
)
238 return STATUS_INSUFFICIENT_RESOURCES
;
/*
 * NOTE(review): the results of RtlCreateAcl and of every
 * RtlAddAccessAllowedAce below are discarded, and the function still ends
 * with STATUS_SUCCESS. A failed add would hand back a DACL that is missing
 * an entry without any error - consider checking each status.
 */
241 RtlCreateAcl(TokenDacl
, AclLength
, ACL_REVISION
);
242 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
243 Token
->UserAndGroups
->Sid
);
244 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
245 PrimaryToken
->UserAndGroups
->Sid
);
246 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
248 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
/*
 * The restricted-code entry is added only when at least one of the two
 * tokens has RestrictedSids; AclLength reserves its slot unconditionally.
 */
253 if (Token
->RestrictedSids
!= NULL
|| PrimaryToken
->RestrictedSids
!= NULL
)
255 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
256 SeRestrictedCodeSid
);
260 return STATUS_SUCCESS
;
/*
 * SepCaptureAcl: give the caller, through *CapturedAcl, an ACL pointer it
 * can work on.
 *
 * Three paths are visible:
 *  - AccessMode != KernelMode: InputAcl is probed, its AclSize field is
 *    read into a local, the buffer is probed again, a buffer is allocated
 *    from PoolType and filled with RtlCopyMemory. Exception codes are
 *    turned into Status with _SEH_GetExceptionCode().
 *  - kernel caller with CaptureIfKernel false: InputAcl is passed through
 *    unchanged and nothing is copied.
 *  - otherwise: the kernel-mode ACL is copied into a new PoolType buffer.
 * Status is set to STATUS_INSUFFICIENT_RESOURCES on both copying paths,
 * presumably when the allocation fails (the guarding conditions are not
 * shown).
 *
 * The listing omits the return type, the local declarations, the SEH
 * scaffolding and the arguments of the probe, allocation and copy calls.
 */
264 SepCaptureAcl(IN PACL InputAcl
,
265 IN KPROCESSOR_MODE AccessMode
,
266 IN POOL_TYPE PoolType
,
267 IN BOOLEAN CaptureIfKernel
,
268 OUT PACL
*CapturedAcl
)
272 NTSTATUS Status
= STATUS_SUCCESS
;
276 if(AccessMode
!= KernelMode
)
280 ProbeForRead(InputAcl
,
/*
 * NOTE(review): AclSize is sampled once from the caller's buffer. That
 * buffer stays writable by the caller, so the AclSize field that lands in
 * the copy can differ from this local. No lower bound against sizeof(ACL)
 * and no validation of the captured ACL are visible in this listing -
 * confirm that consumers validate the copy and bound it by the local size.
 */
283 AclSize
= InputAcl
->AclSize
;
284 ProbeForRead(InputAcl
,
290 Status
= _SEH_GetExceptionCode();
294 if(NT_SUCCESS(Status
))
296 NewAcl
= ExAllocatePool(PoolType
,
302 RtlCopyMemory(NewAcl
,
306 *CapturedAcl
= NewAcl
;
311 Status
= _SEH_GetExceptionCode();
317 Status
= STATUS_INSUFFICIENT_RESOURCES
;
321 else if(!CaptureIfKernel
)
/* Kernel caller that opted out of capture: alias the input, no allocation. */
323 *CapturedAcl
= InputAcl
;
327 AclSize
= InputAcl
->AclSize
;
329 NewAcl
= ExAllocatePool(PoolType
,
334 RtlCopyMemory(NewAcl
,
338 *CapturedAcl
= NewAcl
;
342 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/*
 * SepReleaseAcl: release an ACL pointer produced by SepCaptureAcl.
 *
 * ExFreePool is called only when CapturedAcl is non-NULL and the pointer
 * refers to a copy, that is when AccessMode is UserMode, or when it is
 * KernelMode and CaptureIfKernel is set. A kernel-mode pointer that
 * SepCaptureAcl merely passed through is left alone.
 *
 * NOTE(review): AccessMode and CaptureIfKernel must be the values that
 * were given to SepCaptureAcl. Different values would either free a
 * pointer the caller still owns or leak the copy.
 *
 * The listing omits the return type and the braces of this function.
 */
350 SepReleaseAcl(IN PACL CapturedAcl
,
351 IN KPROCESSOR_MODE AccessMode
,
352 IN BOOLEAN CaptureIfKernel
)
356 if(CapturedAcl
!= NULL
&&
357 (AccessMode
== UserMode
||
358 (AccessMode
== KernelMode
&& CaptureIfKernel
)))
360 ExFreePool(CapturedAcl
);