3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * PURPOSE: Security manager
6 * FILE: kernel/se/acl.c
7 * PROGRAMER: David Welch <welch@cwcom.net>
9 * 26/07/98: Added stubs for security functions
12 /* INCLUDES *****************************************************************/
15 #include <internal/debug.h>
17 #define TAG_ACL TAG('A', 'C', 'L', 'T')
20 /* GLOBALS ******************************************************************/
22 PACL EXPORTED SePublicDefaultDacl
= NULL
;
23 PACL EXPORTED SeSystemDefaultDacl
= NULL
;
25 PACL SePublicDefaultUnrestrictedDacl
= NULL
;
26 PACL SePublicOpenDacl
= NULL
;
27 PACL SePublicOpenUnrestrictedDacl
= NULL
;
28 PACL SeUnrestrictedDacl
= NULL
;
31 /* FUNCTIONS ****************************************************************/
38 /* create PublicDefaultDacl */
39 AclLength
= sizeof(ACL
) +
40 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
41 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
));
43 SePublicDefaultDacl
= ExAllocatePoolWithTag(NonPagedPool
,
46 if (SePublicDefaultDacl
== NULL
)
49 RtlCreateAcl(SePublicDefaultDacl
,
53 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
58 RtlAddAccessAllowedAce(SePublicDefaultDacl
,
64 /* create PublicDefaultUnrestrictedDacl */
65 AclLength
= sizeof(ACL
) +
66 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
67 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
68 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
69 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
71 SePublicDefaultUnrestrictedDacl
= ExAllocatePoolWithTag(NonPagedPool
,
74 if (SePublicDefaultUnrestrictedDacl
== NULL
)
77 RtlCreateAcl(SePublicDefaultUnrestrictedDacl
,
81 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
86 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
91 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
96 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl
,
98 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
101 /* create PublicOpenDacl */
102 AclLength
= sizeof(ACL
) +
103 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
104 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
105 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
107 SePublicOpenDacl
= ExAllocatePoolWithTag(NonPagedPool
,
110 if (SePublicOpenDacl
== NULL
)
113 RtlCreateAcl(SePublicOpenDacl
,
117 RtlAddAccessAllowedAce(SePublicOpenDacl
,
119 GENERIC_READ
| GENERIC_WRITE
| GENERIC_EXECUTE
,
122 RtlAddAccessAllowedAce(SePublicOpenDacl
,
127 RtlAddAccessAllowedAce(SePublicOpenDacl
,
132 /* create PublicOpenUnrestrictedDacl */
133 AclLength
= sizeof(ACL
) +
134 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
135 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
136 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
137 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
139 SePublicOpenUnrestrictedDacl
= ExAllocatePoolWithTag(NonPagedPool
,
142 if (SePublicOpenUnrestrictedDacl
== NULL
)
145 RtlCreateAcl(SePublicOpenUnrestrictedDacl
,
149 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
154 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
159 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
164 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl
,
166 GENERIC_READ
| GENERIC_EXECUTE
,
167 SeRestrictedCodeSid
);
169 /* create SystemDefaultDacl */
170 AclLength
= sizeof(ACL
) +
171 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
172 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
));
174 SeSystemDefaultDacl
= ExAllocatePoolWithTag(NonPagedPool
,
177 if (SeSystemDefaultDacl
== NULL
)
180 RtlCreateAcl(SeSystemDefaultDacl
,
184 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
189 RtlAddAccessAllowedAce(SeSystemDefaultDacl
,
191 GENERIC_READ
| GENERIC_EXECUTE
| READ_CONTROL
,
194 /* create UnrestrictedDacl */
195 AclLength
= sizeof(ACL
) +
196 (sizeof(ACE
) + RtlLengthSid(SeWorldSid
)) +
197 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
));
199 SeUnrestrictedDacl
= ExAllocatePoolWithTag(NonPagedPool
,
202 if (SeUnrestrictedDacl
== NULL
)
205 RtlCreateAcl(SeUnrestrictedDacl
,
209 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
214 RtlAddAccessAllowedAce(SeUnrestrictedDacl
,
216 GENERIC_READ
| GENERIC_EXECUTE
,
217 SeRestrictedCodeSid
);
223 SepCreateImpersonationTokenDacl(PACCESS_TOKEN Token
,
224 PACCESS_TOKEN PrimaryToken
,
230 AclLength
= sizeof(ACL
) +
231 (sizeof(ACE
) + RtlLengthSid(SeAliasAdminsSid
)) +
232 (sizeof(ACE
) + RtlLengthSid(SeRestrictedCodeSid
)) +
233 (sizeof(ACE
) + RtlLengthSid(SeLocalSystemSid
)) +
234 (sizeof(ACE
) + RtlLengthSid(Token
->UserAndGroups
->Sid
)) +
235 (sizeof(ACE
) + RtlLengthSid(PrimaryToken
->UserAndGroups
->Sid
));
237 TokenDacl
= ExAllocatePoolWithTag(PagedPool
, AclLength
, TAG_ACL
);
238 if (TokenDacl
== NULL
)
240 return STATUS_INSUFFICIENT_RESOURCES
;
243 RtlCreateAcl(TokenDacl
, AclLength
, ACL_REVISION
);
244 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
245 Token
->UserAndGroups
->Sid
);
246 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
247 PrimaryToken
->UserAndGroups
->Sid
);
248 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
250 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
255 if (Token
->RestrictedSids
!= NULL
|| PrimaryToken
->RestrictedSids
!= NULL
)
257 RtlAddAccessAllowedAce(TokenDacl
, ACL_REVISION
, GENERIC_ALL
,
258 SeRestrictedCodeSid
);
262 return STATUS_SUCCESS
;