projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge 14981:15268 from trunk
[reactos.git] / reactos / ntoskrnl / se / acl.c
1 /* $Id$
2 *
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/acl.c
6 * PURPOSE: Security manager
7 *
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
9 */
10
11 /* INCLUDES *****************************************************************/
12
13 #include <ntoskrnl.h>
14 #include <internal/debug.h>
15
16 #define TAG_ACL TAG('A', 'C', 'L', 'T')
17
18
19 /* GLOBALS ******************************************************************/
20
21 PACL EXPORTED SePublicDefaultDacl = NULL;
22 PACL EXPORTED SeSystemDefaultDacl = NULL;
23
24 PACL SePublicDefaultUnrestrictedDacl = NULL;
25 PACL SePublicOpenDacl = NULL;
26 PACL SePublicOpenUnrestrictedDacl = NULL;
27 PACL SeUnrestrictedDacl = NULL;
28
29
30 /* FUNCTIONS ****************************************************************/
31
32 BOOLEAN INIT_FUNCTION
33 SepInitDACLs(VOID)
34 {
35 ULONG AclLength;
36
37 /* create PublicDefaultDacl */
38 AclLength = sizeof(ACL) +
39 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
40 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
41
42 SePublicDefaultDacl = ExAllocatePoolWithTag(NonPagedPool,
43 AclLength,
44 TAG_ACL);
45 if (SePublicDefaultDacl == NULL)
46 return FALSE;
47
48 RtlCreateAcl(SePublicDefaultDacl,
49 AclLength,
50 ACL_REVISION);
51
52 RtlAddAccessAllowedAce(SePublicDefaultDacl,
53 ACL_REVISION,
54 GENERIC_EXECUTE,
55 SeWorldSid);
56
57 RtlAddAccessAllowedAce(SePublicDefaultDacl,
58 ACL_REVISION,
59 GENERIC_ALL,
60 SeLocalSystemSid);
61
62
63 /* create PublicDefaultUnrestrictedDacl */
64 AclLength = sizeof(ACL) +
65 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
66 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
67 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
68 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
69
70 SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool,
71 AclLength,
72 TAG_ACL);
73 if (SePublicDefaultUnrestrictedDacl == NULL)
74 return FALSE;
75
76 RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
77 AclLength,
78 ACL_REVISION);
79
80 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
81 ACL_REVISION,
82 GENERIC_EXECUTE,
83 SeWorldSid);
84
85 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
86 ACL_REVISION,
87 GENERIC_ALL,
88 SeLocalSystemSid);
89
90 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
91 ACL_REVISION,
92 GENERIC_ALL,
93 SeAliasAdminsSid);
94
95 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
96 ACL_REVISION,
97 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
98 SeRestrictedCodeSid);
99
100 /* create PublicOpenDacl */
101 AclLength = sizeof(ACL) +
102 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
103 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
104 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
105
106 SePublicOpenDacl = ExAllocatePoolWithTag(NonPagedPool,
107 AclLength,
108 TAG_ACL);
109 if (SePublicOpenDacl == NULL)
110 return FALSE;
111
112 RtlCreateAcl(SePublicOpenDacl,
113 AclLength,
114 ACL_REVISION);
115
116 RtlAddAccessAllowedAce(SePublicOpenDacl,
117 ACL_REVISION,
118 GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
119 SeWorldSid);
120
121 RtlAddAccessAllowedAce(SePublicOpenDacl,
122 ACL_REVISION,
123 GENERIC_ALL,
124 SeLocalSystemSid);
125
126 RtlAddAccessAllowedAce(SePublicOpenDacl,
127 ACL_REVISION,
128 GENERIC_ALL,
129 SeAliasAdminsSid);
130
131 /* create PublicOpenUnrestrictedDacl */
132 AclLength = sizeof(ACL) +
133 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
134 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
135 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
136 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
137
138 SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool,
139 AclLength,
140 TAG_ACL);
141 if (SePublicOpenUnrestrictedDacl == NULL)
142 return FALSE;
143
144 RtlCreateAcl(SePublicOpenUnrestrictedDacl,
145 AclLength,
146 ACL_REVISION);
147
148 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
149 ACL_REVISION,
150 GENERIC_ALL,
151 SeWorldSid);
152
153 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
154 ACL_REVISION,
155 GENERIC_ALL,
156 SeLocalSystemSid);
157
158 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
159 ACL_REVISION,
160 GENERIC_ALL,
161 SeAliasAdminsSid);
162
163 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
164 ACL_REVISION,
165 GENERIC_READ | GENERIC_EXECUTE,
166 SeRestrictedCodeSid);
167
168 /* create SystemDefaultDacl */
169 AclLength = sizeof(ACL) +
170 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
171 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
172
173 SeSystemDefaultDacl = ExAllocatePoolWithTag(NonPagedPool,
174 AclLength,
175 TAG_ACL);
176 if (SeSystemDefaultDacl == NULL)
177 return FALSE;
178
179 RtlCreateAcl(SeSystemDefaultDacl,
180 AclLength,
181 ACL_REVISION);
182
183 RtlAddAccessAllowedAce(SeSystemDefaultDacl,
184 ACL_REVISION,
185 GENERIC_ALL,
186 SeLocalSystemSid);
187
188 RtlAddAccessAllowedAce(SeSystemDefaultDacl,
189 ACL_REVISION,
190 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
191 SeAliasAdminsSid);
192
193 /* create UnrestrictedDacl */
194 AclLength = sizeof(ACL) +
195 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
196 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
197
198 SeUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool,
199 AclLength,
200 TAG_ACL);
201 if (SeUnrestrictedDacl == NULL)
202 return FALSE;
203
204 RtlCreateAcl(SeUnrestrictedDacl,
205 AclLength,
206 ACL_REVISION);
207
208 RtlAddAccessAllowedAce(SeUnrestrictedDacl,
209 ACL_REVISION,
210 GENERIC_ALL,
211 SeWorldSid);
212
213 RtlAddAccessAllowedAce(SeUnrestrictedDacl,
214 ACL_REVISION,
215 GENERIC_READ | GENERIC_EXECUTE,
216 SeRestrictedCodeSid);
217
218 return(TRUE);
219 }
220
221 NTSTATUS STDCALL
222 SepCreateImpersonationTokenDacl(PTOKEN Token,
223 PTOKEN PrimaryToken,
224 PACL *Dacl)
225 {
226 ULONG AclLength;
227 PVOID TokenDacl;
228
229 PAGED_CODE();
230
231 AclLength = sizeof(ACL) +
232 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
233 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
234 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
235 (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
236 (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
237
238 TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
239 if (TokenDacl == NULL)
240 {
241 return STATUS_INSUFFICIENT_RESOURCES;
242 }
243
244 RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
245 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
246 Token->UserAndGroups->Sid);
247 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
248 PrimaryToken->UserAndGroups->Sid);
249 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
250 SeAliasAdminsSid);
251 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
252 SeLocalSystemSid);
253
254 /* FIXME */
255 #if 0
256 if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
257 {
258 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
259 SeRestrictedCodeSid);
260 }
261 #endif
262
263 return STATUS_SUCCESS;
264 }
265
266 NTSTATUS
267 SepCaptureAcl(IN PACL InputAcl,
268 IN KPROCESSOR_MODE AccessMode,
269 IN POOL_TYPE PoolType,
270 IN BOOLEAN CaptureIfKernel,
271 OUT PACL *CapturedAcl)
272 {
273 PACL NewAcl;
274 ULONG AclSize = 0;
275 NTSTATUS Status = STATUS_SUCCESS;
276
277 PAGED_CODE();
278
279 if(AccessMode != KernelMode)
280 {
281 _SEH_TRY
282 {
283 ProbeForRead(InputAcl,
284 sizeof(ACL),
285 sizeof(ULONG));
286 AclSize = InputAcl->AclSize;
287 ProbeForRead(InputAcl,
288 AclSize,
289 sizeof(ULONG));
290 }
291 _SEH_HANDLE
292 {
293 Status = _SEH_GetExceptionCode();
294 }
295 _SEH_END;
296
297 if(NT_SUCCESS(Status))
298 {
299 NewAcl = ExAllocatePool(PoolType,
300 AclSize);
301 if(NewAcl != NULL)
302 {
303 _SEH_TRY
304 {
305 RtlCopyMemory(NewAcl,
306 InputAcl,
307 AclSize);
308
309 *CapturedAcl = NewAcl;
310 }
311 _SEH_HANDLE
312 {
313 ExFreePool(NewAcl);
314 Status = _SEH_GetExceptionCode();
315 }
316 _SEH_END;
317 }
318 else
319 {
320 Status = STATUS_INSUFFICIENT_RESOURCES;
321 }
322 }
323 }
324 else if(!CaptureIfKernel)
325 {
326 *CapturedAcl = InputAcl;
327 }
328 else
329 {
330 AclSize = InputAcl->AclSize;
331
332 NewAcl = ExAllocatePool(PoolType,
333 AclSize);
334
335 if(NewAcl != NULL)
336 {
337 RtlCopyMemory(NewAcl,
338 InputAcl,
339 AclSize);
340
341 *CapturedAcl = NewAcl;
342 }
343 else
344 {
345 Status = STATUS_INSUFFICIENT_RESOURCES;
346 }
347 }
348
349 return Status;
350 }
351
352 VOID
353 SepReleaseAcl(IN PACL CapturedAcl,
354 IN KPROCESSOR_MODE AccessMode,
355 IN BOOLEAN CaptureIfKernel)
356 {
357 PAGED_CODE();
358
359 if(CapturedAcl != NULL &&
360 (AccessMode == UserMode ||
361 (AccessMode == KernelMode && CaptureIfKernel)))
362 {
363 ExFreePool(CapturedAcl);
364 }
365 }
366
367 /* EOF */
A free Windows-compatible Operating System