reactos/ntoskrnl/se/acl.c

   1 /* $Id$
   2  *
   3  * COPYRIGHT:         See COPYING in the top level directory
   4  * PROJECT:           ReactOS kernel
   5  * PURPOSE:           Security manager
   6  * FILE:              kernel/se/acl.c
   7  * PROGRAMER:         David Welch <welch@cwcom.net>
   8  * REVISION HISTORY:
   9  *                 26/07/98: Added stubs for security functions
  10  */
  11
  12 /* INCLUDES *****************************************************************/
  13
  14 #include <ntoskrnl.h>
  15 #include <internal/debug.h>
  16
  17 #define TAG_ACL    TAG('A', 'C', 'L', 'T')
  18
  19
  20 /* GLOBALS ******************************************************************/
  21
  22 PACL EXPORTED SePublicDefaultDacl = NULL;
  23 PACL EXPORTED SeSystemDefaultDacl = NULL;
  24
  25 PACL SePublicDefaultUnrestrictedDacl = NULL;
  26 PACL SePublicOpenDacl = NULL;
  27 PACL SePublicOpenUnrestrictedDacl = NULL;
  28 PACL SeUnrestrictedDacl = NULL;
  29
  30
  31 /* FUNCTIONS ****************************************************************/
  32
  33 BOOLEAN INIT_FUNCTION
  34 SepInitDACLs(VOID)
  35 {
  36   ULONG AclLength;
  37
  38   /* create PublicDefaultDacl */
  39   AclLength = sizeof(ACL) +
  40               (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
  41               (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
  42
  43   SePublicDefaultDacl = ExAllocatePoolWithTag(NonPagedPool,
  44                                               AclLength,
  45                                               TAG_ACL);
  46   if (SePublicDefaultDacl == NULL)
  47     return FALSE;
  48
  49   RtlCreateAcl(SePublicDefaultDacl,
  50                AclLength,
  51                ACL_REVISION);
  52
  53   RtlAddAccessAllowedAce(SePublicDefaultDacl,
  54                          ACL_REVISION,
  55                          GENERIC_EXECUTE,
  56                          SeWorldSid);
  57
  58   RtlAddAccessAllowedAce(SePublicDefaultDacl,
  59                          ACL_REVISION,
  60                          GENERIC_ALL,
  61                          SeLocalSystemSid);
  62
  63
  64   /* create PublicDefaultUnrestrictedDacl */
  65   AclLength = sizeof(ACL) +
  66               (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
  67               (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
  68               (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
  69               (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
  70
  71   SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool,
  72                                                           AclLength,
  73                                                           TAG_ACL);
  74   if (SePublicDefaultUnrestrictedDacl == NULL)
  75     return FALSE;
  76
  77   RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
  78                AclLength,
  79                ACL_REVISION);
  80
  81   RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
  82                          ACL_REVISION,
  83                          GENERIC_EXECUTE,
  84                          SeWorldSid);
  85
  86   RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
  87                          ACL_REVISION,
  88                          GENERIC_ALL,
  89                          SeLocalSystemSid);
  90
  91   RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
  92                          ACL_REVISION,
  93                          GENERIC_ALL,
  94                          SeAliasAdminsSid);
  95
  96   RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
  97                          ACL_REVISION,
  98                          GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
  99                          SeRestrictedCodeSid);
 100
 101   /* create PublicOpenDacl */
 102   AclLength = sizeof(ACL) +
 103               (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
 104               (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
 105               (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
 106
 107   SePublicOpenDacl = ExAllocatePoolWithTag(NonPagedPool,
 108                                            AclLength,
 109                                            TAG_ACL);
 110   if (SePublicOpenDacl == NULL)
 111     return FALSE;
 112
 113   RtlCreateAcl(SePublicOpenDacl,
 114                AclLength,
 115                ACL_REVISION);
 116
 117   RtlAddAccessAllowedAce(SePublicOpenDacl,
 118                          ACL_REVISION,
 119                          GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
 120                          SeWorldSid);
 121
 122   RtlAddAccessAllowedAce(SePublicOpenDacl,
 123                          ACL_REVISION,
 124                          GENERIC_ALL,
 125                          SeLocalSystemSid);
 126
 127   RtlAddAccessAllowedAce(SePublicOpenDacl,
 128                          ACL_REVISION,
 129                          GENERIC_ALL,
 130                          SeAliasAdminsSid);
 131
 132   /* create PublicOpenUnrestrictedDacl */
 133   AclLength = sizeof(ACL) +
 134               (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
 135               (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
 136               (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
 137               (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
 138
 139   SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool,
 140                                                        AclLength,
 141                                                        TAG_ACL);
 142   if (SePublicOpenUnrestrictedDacl == NULL)
 143     return FALSE;
 144
 145   RtlCreateAcl(SePublicOpenUnrestrictedDacl,
 146                AclLength,
 147                ACL_REVISION);
 148
 149   RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
 150                          ACL_REVISION,
 151                          GENERIC_ALL,
 152                          SeWorldSid);
 153
 154   RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
 155                          ACL_REVISION,
 156                          GENERIC_ALL,
 157                          SeLocalSystemSid);
 158
 159   RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
 160                          ACL_REVISION,
 161                          GENERIC_ALL,
 162                          SeAliasAdminsSid);
 163
 164   RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
 165                          ACL_REVISION,
 166                          GENERIC_READ | GENERIC_EXECUTE,
 167                          SeRestrictedCodeSid);
 168
 169   /* create SystemDefaultDacl */
 170   AclLength = sizeof(ACL) +
 171               (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
 172               (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
 173
 174   SeSystemDefaultDacl = ExAllocatePoolWithTag(NonPagedPool,
 175                                               AclLength,
 176                                               TAG_ACL);
 177   if (SeSystemDefaultDacl == NULL)
 178     return FALSE;
 179
 180   RtlCreateAcl(SeSystemDefaultDacl,
 181                AclLength,
 182                ACL_REVISION);
 183
 184   RtlAddAccessAllowedAce(SeSystemDefaultDacl,
 185                          ACL_REVISION,
 186                          GENERIC_ALL,
 187                          SeLocalSystemSid);
 188
 189   RtlAddAccessAllowedAce(SeSystemDefaultDacl,
 190                          ACL_REVISION,
 191                          GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
 192                          SeAliasAdminsSid);
 193
 194   /* create UnrestrictedDacl */
 195   AclLength = sizeof(ACL) +
 196               (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
 197               (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
 198
 199   SeUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool,
 200                                              AclLength,
 201                                              TAG_ACL);
 202   if (SeUnrestrictedDacl == NULL)
 203     return FALSE;
 204
 205   RtlCreateAcl(SeUnrestrictedDacl,
 206                AclLength,
 207                ACL_REVISION);
 208
 209   RtlAddAccessAllowedAce(SeUnrestrictedDacl,
 210                          ACL_REVISION,
 211                          GENERIC_ALL,
 212                          SeWorldSid);
 213
 214   RtlAddAccessAllowedAce(SeUnrestrictedDacl,
 215                          ACL_REVISION,
 216                          GENERIC_READ | GENERIC_EXECUTE,
 217                          SeRestrictedCodeSid);
 218
 219   return(TRUE);
 220 }
 221
 222 NTSTATUS STDCALL
 223 SepCreateImpersonationTokenDacl(PACCESS_TOKEN Token,
 224                                 PACCESS_TOKEN PrimaryToken,
 225                                 PACL *Dacl)
 226 {
 227   ULONG AclLength;
 228   PVOID TokenDacl;
 229
 230   AclLength = sizeof(ACL) +
 231               (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
 232               (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
 233               (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
 234               (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
 235               (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
 236
 237   TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
 238   if (TokenDacl == NULL)
 239     {
 240       return STATUS_INSUFFICIENT_RESOURCES;
 241     }
 242
 243   RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
 244   RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
 245                          Token->UserAndGroups->Sid);
 246   RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
 247                          PrimaryToken->UserAndGroups->Sid);
 248   RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
 249                          SeAliasAdminsSid);
 250   RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
 251                          SeLocalSystemSid);
 252
 253   /* FIXME */
 254 #if 0
 255   if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
 256     {
 257       RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
 258                              SeRestrictedCodeSid);
 259     }
 260 #endif
 261
 262   return STATUS_SUCCESS;
 263 }
 264
 265 /* EOF */