3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/acl.c
6 * PURPOSE: Security manager
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
11 /* INCLUDES *****************************************************************/
14 #include <internal/debug.h>
16 #define TAG_ACL TAG('A', 'C', 'L', 'T')
19 /* GLOBALS ******************************************************************/
/*
 * Default DACL templates owned by the security manager.  Every pointer
 * starts out NULL; the initialization code later in this file assigns a
 * pool allocation to each of them.
 */
PACL EXPORTED SePublicDefaultDacl = NULL;
PACL EXPORTED SeSystemDefaultDacl = NULL;

/* The remaining templates are not marked EXPORTED. */
PACL SePublicDefaultUnrestrictedDacl = NULL;
PACL SePublicOpenDacl = NULL;
PACL SePublicOpenUnrestrictedDacl = NULL;
PACL SeUnrestrictedDacl = NULL;
30 /* FUNCTIONS ****************************************************************/
37 /* create PublicDefaultDacl */
/*
 * Buffer size: one ACL header plus room for two ACEs, sized from the World
 * and LocalSystem SIDs.
 */
38 AclLength
= sizeof(ACL
) +
39 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
40 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
));
/* Non-paged pool allocation, stored in the SePublicDefaultDacl global. */
42 SePublicDefaultDacl
= ExAllocatePoolWithTag(NonPagedPool
,
/* Allocation-failure check; what it does on failure is not visible in this listing. */
45 if (SePublicDefaultDacl
== NULL
)
/*
 * NOTE(review): RtlCreateAcl and the two RtlAddAccessAllowedAce calls below
 * appear to be bare statements, so their NTSTATUS looks discarded.  A failed
 * call would leave this default DACL with fewer entries than intended and
 * nothing would report it -- confirm, and consider checking the status.
 * The masks and SIDs passed to the two calls are not visible here;
 * presumably they match the two SIDs used for sizing.
 */
48 RtlCreateAcl(SePublicDefaultDacl
,
52 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
57 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
63 /* create PublicDefaultUnrestrictedDacl */
/*
 * Buffer size: one ACL header plus room for four ACEs, sized from the World,
 * LocalSystem, Administrators-alias and RestrictedCode SIDs.
 */
64 AclLength
= sizeof(ACL
) +
65 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
66 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
67 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
68 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
/* Non-paged pool allocation, stored in the SePublicDefaultUnrestrictedDacl global. */
70 SePublicDefaultUnrestrictedDacl
= ExAllocatePoolWithTag(NonPagedPool
,
/* Allocation-failure check; what it does on failure is not visible in this listing. */
73 if (SePublicDefaultUnrestrictedDacl
== NULL
)
/*
 * Four allow entries are added after the ACL is created.
 * NOTE(review): the calls appear to be bare statements, so a failing
 * RtlAddAccessAllowedAce would silently produce a DACL with fewer entries
 * than the sizing above anticipates -- confirm whether the status is checked.
 */
76 RtlCreateAcl(SePublicDefaultUnrestrictedDacl
,
80 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
85 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
90 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
/*
 * Fourth entry: read, execute and READ_CONTROL only.  The SID that receives
 * it is not visible here (presumably SeRestrictedCodeSid, the fourth SID in
 * the sizing -- confirm).
 */
95 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
97 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
100 /* create PublicOpenDacl */
/*
 * Buffer size: one ACL header plus room for three ACEs, sized from the
 * World, LocalSystem and Administrators-alias SIDs.
 */
101 AclLength
= sizeof(ACL
) +
102 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
103 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
104 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
/* Non-paged pool allocation, stored in the SePublicOpenDacl global. */
106 SePublicOpenDacl
= ExAllocatePoolWithTag(NonPagedPool
,
/* Allocation-failure check; what it does on failure is not visible in this listing. */
109 if (SePublicOpenDacl
== NULL
)
112 RtlCreateAcl(SePublicOpenDacl
,
/*
 * First entry: read, write and execute.  The SID that receives it is not
 * visible here.
 * NOTE(review): if it is the World SID (first in the sizing above), every
 * principal gets write access to whatever this DACL protects -- confirm that
 * this is intended at each place the DACL is applied.
 */
116 RtlAddAccessAllowedAce(SePublicOpenDacl
,
118 GENERIC_READ
| GENERIC_WRITE
| GENERIC_EXECUTE
,
/*
 * Two further allow entries; their masks and SIDs are not visible here.
 * NOTE(review): the calls appear to be bare statements, so their NTSTATUS
 * looks discarded -- confirm.
 */
121 RtlAddAccessAllowedAce(SePublicOpenDacl
,
126 RtlAddAccessAllowedAce(SePublicOpenDacl
,
131 /* create PublicOpenUnrestrictedDacl */
/*
 * Buffer size: one ACL header plus room for four ACEs, sized from the World,
 * LocalSystem, Administrators-alias and RestrictedCode SIDs.
 */
132 AclLength
= sizeof(ACL
) +
133 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
134 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
135 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
136 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
/* Non-paged pool allocation, stored in the SePublicOpenUnrestrictedDacl global. */
138 SePublicOpenUnrestrictedDacl
= ExAllocatePoolWithTag(NonPagedPool
,
/* Allocation-failure check; what it does on failure is not visible in this listing. */
141 if (SePublicOpenUnrestrictedDacl
== NULL
)
/*
 * Four allow entries follow; only the last one is fully visible here.
 * NOTE(review): the calls appear to be bare statements, so a failing
 * RtlAddAccessAllowedAce would go unnoticed -- confirm whether the status is
 * checked.
 */
144 RtlCreateAcl(SePublicOpenUnrestrictedDacl
,
148 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
153 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
158 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
/* Restricted code gets read and execute only, with no write access. */
163 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
165 GENERIC_READ
| GENERIC_EXECUTE
,
166 SeRestrictedCodeSid
);
168 /* create SystemDefaultDacl */
/*
 * Buffer size: one ACL header plus room for two ACEs, sized from the
 * LocalSystem and Administrators-alias SIDs.  The World SID is not part of
 * this sizing.
 */
169 AclLength
= sizeof(ACL
) +
170 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
171 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
/* Non-paged pool allocation, stored in the SeSystemDefaultDacl global. */
173 SeSystemDefaultDacl
= ExAllocatePoolWithTag(NonPagedPool
,
/* Allocation-failure check; what it does on failure is not visible in this listing. */
176 if (SeSystemDefaultDacl
== NULL
)
/*
 * NOTE(review): RtlCreateAcl and both RtlAddAccessAllowedAce calls appear to
 * be bare statements, so their NTSTATUS looks discarded -- confirm.
 */
179 RtlCreateAcl(SeSystemDefaultDacl
,
183 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
/*
 * Second entry: read, execute and READ_CONTROL.  The SID that receives it is
 * not visible here (presumably SeAliasAdminsSid, the second SID in the
 * sizing -- confirm).
 */
188 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
190 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
193 /* create UnrestrictedDacl */
/*
 * Buffer size: one ACL header plus room for two ACEs, sized from the World
 * and RestrictedCode SIDs.
 */
194 AclLength
= sizeof(ACL
) +
195 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
196 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
/* Non-paged pool allocation, stored in the SeUnrestrictedDacl global. */
198 SeUnrestrictedDacl
= ExAllocatePoolWithTag(NonPagedPool
,
/* Allocation-failure check; what it does on failure is not visible in this listing. */
201 if (SeUnrestrictedDacl
== NULL
)
/*
 * NOTE(review): RtlCreateAcl and both RtlAddAccessAllowedAce calls appear to
 * be bare statements, so their NTSTATUS looks discarded -- confirm.
 * The first entry's mask and SID are not visible in this listing.
 */
204 RtlCreateAcl(SeUnrestrictedDacl
,
208 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
/* Restricted code gets read and execute only. */
213 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
215 GENERIC_READ
| GENERIC_EXECUTE
,
216 SeRestrictedCodeSid
);
/*
 * Builds a DACL for an impersonation token in paged pool.
 *
 * GENERIC_ALL is granted to the first UserAndGroups SID of Token, to the
 * first UserAndGroups SID of PrimaryToken (presumably each token's user
 * SID -- confirm), and to two further SIDs whose names are not visible in
 * this listing (the sizing suggests Administrators and LocalSystem).
 * RestrictedCode also gets GENERIC_ALL when either token has RestrictedSids.
 *
 * Returns STATUS_INSUFFICIENT_RESOURCES when the allocation fails and
 * STATUS_SUCCESS otherwise.  The parameters after Token, and the place where
 * TokenDacl is handed back to the caller, are not visible in this listing.
 */
222 SepCreateImpersonationTokenDacl(PTOKEN Token
,
/*
 * Room for five ACEs is always reserved, including the RestrictedCode entry
 * that is only added conditionally further down.
 */
231 AclLength
= sizeof(ACL
) +
232 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
233 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
)) +
234 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
235 (sizeof(ACE
) + RtlLengthSid(Token
->UserAndGroups
->Sid
)) +
236 (sizeof(ACE
) + RtlLengthSid(PrimaryToken
->UserAndGroups
->Sid
));
238 TokenDacl
= ExAllocatePoolWithTag(PagedPool
, AclLength
, TAG_ACL
);
239 if (TokenDacl
== NULL
)
241 return STATUS_INSUFFICIENT_RESOURCES
;
/*
 * NOTE(review): the NTSTATUS of RtlCreateAcl and of every
 * RtlAddAccessAllowedAce call below is discarded, and the function still
 * returns STATUS_SUCCESS.  A failed call would hand back a DACL with fewer
 * entries than intended without the caller learning of it; consider
 * checking each status and freeing TokenDacl on failure.
 */
244 RtlCreateAcl(TokenDacl
, AclLength
, ACL_REVISION
);
245 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
246 Token
->UserAndGroups
->Sid
);
247 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
248 PrimaryToken
->UserAndGroups
->Sid
);
/* The SID arguments of the next two calls are not visible in this listing. */
249 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
251 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
/*
 * The RestrictedCode entry is added only when at least one of the two
 * tokens carries restricted SIDs.
 * NOTE(review): it is granted GENERIC_ALL, whereas the default DACLs in this
 * file give RestrictedCode only GENERIC_READ | GENERIC_EXECUTE -- confirm
 * that the broader mask is intended.
 */
256 if (Token
->RestrictedSids
!= NULL
|| PrimaryToken
->RestrictedSids
!= NULL
)
258 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
259 SeRestrictedCodeSid
);
263 return STATUS_SUCCESS
;
/*
 * Hands back in *CapturedAcl an ACL for the caller to use.
 *
 * When AccessMode is not KernelMode the input is probed and copied into a
 * fresh allocation from PoolType.  For KernelMode the input pointer itself
 * is returned unless CaptureIfKernel is set, in which case it is copied
 * without probing.
 *
 * Status starts as STATUS_SUCCESS and is replaced by the SEH exception code
 * or by STATUS_INSUFFICIENT_RESOURCES on the failure paths visible below.
 * The return statement is not visible in this listing.
 */
267 SepCaptureAcl(IN PACL InputAcl
,
268 IN KPROCESSOR_MODE AccessMode
,
269 IN POOL_TYPE PoolType
,
270 IN BOOLEAN CaptureIfKernel
,
271 OUT PACL
*CapturedAcl
)
275 NTSTATUS Status
= STATUS_SUCCESS
;
279 if(AccessMode
!= KernelMode
)
/*
 * Untrusted caller: probe before the first read.  The probe length is not
 * visible here, presumably the size of the ACL header.
 */
283 ProbeForRead(InputAcl
,
/*
 * The size is read from the caller's buffer once and kept in a local.
 * NOTE(review): no lower bound (at least sizeof(ACL)) and no upper bound on
 * this caller-controlled value is visible in this listing -- confirm that
 * one is applied before the value sizes the allocation.
 */
286 AclSize
= InputAcl
->AclSize
;
/* Second probe, presumably over the full AclSize bytes. */
287 ProbeForRead(InputAcl
,
/* A fault while probing or reading the size becomes the status. */
293 Status
= _SEH_GetExceptionCode();
297 if(NT_SUCCESS(Status
))
/*
 * NOTE(review): untagged ExAllocatePool here, whereas the other allocations
 * in this file use ExAllocatePoolWithTag (with TAG_ACL in
 * SepCreateImpersonationTokenDacl); a tag would make leaks attributable.
 */
299 NewAcl
= ExAllocatePool(PoolType
,
/*
 * NOTE(review): the copy reads the ACL header from the caller's buffer a
 * second time, so the AclSize field stored inside NewAcl can differ from
 * the local AclSize that sized the allocation if the buffer changed in
 * between.  Code that later walks the captured ACL should not trust the
 * copied field: recheck it against the local after the copy, or overwrite
 * it, and validate the structure (for example with RtlValidAcl) before use.
 */
305 RtlCopyMemory(NewAcl
,
309 *CapturedAcl
= NewAcl
;
/*
 * A fault during the copy becomes the status.
 * NOTE(review): whether NewAcl is freed on this path is not visible in this
 * listing -- confirm that it is, otherwise pool leaks on every faulting
 * request.
 */
314 Status
= _SEH_GetExceptionCode();
/* Allocation failed. */
320 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/* Kernel caller that did not ask for a copy: alias the input, no allocation. */
324 else if(!CaptureIfKernel
)
326 *CapturedAcl
= InputAcl
;
/* Kernel caller that asked for a copy: the size is read directly, no probing. */
330 AclSize
= InputAcl
->AclSize
;
332 NewAcl
= ExAllocatePool(PoolType
,
337 RtlCopyMemory(NewAcl
,
341 *CapturedAcl
= NewAcl
;
/* Allocation failed. */
345 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/*
 * Frees an ACL obtained from SepCaptureAcl, but only in the cases where
 * SepCaptureAcl allocated a copy: a UserMode request, or a KernelMode
 * request with CaptureIfKernel set.  A NULL CapturedAcl is ignored.
 *
 * The caller must pass the same AccessMode and CaptureIfKernel it used for
 * the capture.  With mismatched values the copy is either never freed or
 * ExFreePool is applied to the caller's own (aliased) ACL.
 *
 * NOTE(review): SepCaptureAcl tests AccessMode != KernelMode while this
 * function tests AccessMode == UserMode.  The two agree only if those are
 * the only values KPROCESSOR_MODE can take -- confirm.
 */
353 SepReleaseAcl(IN PACL CapturedAcl
,
354 IN KPROCESSOR_MODE AccessMode
,
355 IN BOOLEAN CaptureIfKernel
)
359 if(CapturedAcl
!= NULL
&&
360 (AccessMode
== UserMode
||
361 (AccessMode
== KernelMode
&& CaptureIfKernel
)))
/* Pairs with the untagged ExAllocatePool in SepCaptureAcl. */
363 ExFreePool(CapturedAcl
);