1 /* $Id: sd.c,v 1.9 2003/02/15 21:07:49 ekohl Exp $
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * PURPOSE: Security manager
7 * PROGRAMER: David Welch <welch@cwcom.net>
9 * 26/07/98: Added stubs for security functions
12 /* INCLUDES *****************************************************************/
14 #include <ddk/ntddk.h>
15 #include <internal/se.h>
17 #include <internal/debug.h>
19 /* GLOBALS ******************************************************************/
21 PSECURITY_DESCRIPTOR SePublicDefaultSd
= NULL
;
22 PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd
= NULL
;
23 PSECURITY_DESCRIPTOR SePublicOpenSd
= NULL
;
24 PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd
= NULL
;
25 PSECURITY_DESCRIPTOR SeSystemDefaultSd
= NULL
;
26 PSECURITY_DESCRIPTOR SeUnrestrictedSd
= NULL
;
28 /* FUNCTIONS ***************************************************************/
33 /* Create PublicDefaultSd */
34 SePublicDefaultSd
= ExAllocatePool(NonPagedPool
,
35 sizeof(SECURITY_DESCRIPTOR
));
36 if (SePublicDefaultSd
== NULL
)
39 RtlCreateSecurityDescriptor(SePublicDefaultSd
,
40 SECURITY_DESCRIPTOR_REVISION
);
41 RtlSetDaclSecurityDescriptor(SePublicDefaultSd
,
46 /* Create PublicDefaultUnrestrictedSd */
47 SePublicDefaultUnrestrictedSd
= ExAllocatePool(NonPagedPool
,
48 sizeof(SECURITY_DESCRIPTOR
));
49 if (SePublicDefaultUnrestrictedSd
== NULL
)
52 RtlCreateSecurityDescriptor(SePublicDefaultUnrestrictedSd
,
53 SECURITY_DESCRIPTOR_REVISION
);
54 RtlSetDaclSecurityDescriptor(SePublicDefaultUnrestrictedSd
,
56 SePublicDefaultUnrestrictedDacl
,
59 /* Create PublicOpenSd */
60 SePublicOpenSd
= ExAllocatePool(NonPagedPool
,
61 sizeof(SECURITY_DESCRIPTOR
));
62 if (SePublicOpenSd
== NULL
)
65 RtlCreateSecurityDescriptor(SePublicOpenSd
,
66 SECURITY_DESCRIPTOR_REVISION
);
67 RtlSetDaclSecurityDescriptor(SePublicOpenSd
,
72 /* Create PublicOpenUnrestrictedSd */
73 SePublicOpenUnrestrictedSd
= ExAllocatePool(NonPagedPool
,
74 sizeof(SECURITY_DESCRIPTOR
));
75 if (SePublicOpenUnrestrictedSd
== NULL
)
78 RtlCreateSecurityDescriptor(SePublicOpenUnrestrictedSd
,
79 SECURITY_DESCRIPTOR_REVISION
);
80 RtlSetDaclSecurityDescriptor(SePublicOpenUnrestrictedSd
,
82 SePublicOpenUnrestrictedDacl
,
85 /* Create SystemDefaultSd */
86 SeSystemDefaultSd
= ExAllocatePool(NonPagedPool
,
87 sizeof(SECURITY_DESCRIPTOR
));
88 if (SeSystemDefaultSd
== NULL
)
91 RtlCreateSecurityDescriptor(SeSystemDefaultSd
,
92 SECURITY_DESCRIPTOR_REVISION
);
93 RtlSetDaclSecurityDescriptor(SeSystemDefaultSd
,
98 /* Create UnrestrictedSd */
99 SeUnrestrictedSd
= ExAllocatePool(NonPagedPool
,
100 sizeof(SECURITY_DESCRIPTOR
));
101 if (SeUnrestrictedSd
== NULL
)
104 RtlCreateSecurityDescriptor(SeUnrestrictedSd
,
105 SECURITY_DESCRIPTOR_REVISION
);
106 RtlSetDaclSecurityDescriptor(SeUnrestrictedSd
,
116 RtlCreateSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
119 if (Revision
!= SECURITY_DESCRIPTOR_REVISION
)
120 return(STATUS_UNSUCCESSFUL
);
122 SecurityDescriptor
->Revision
= SECURITY_DESCRIPTOR_REVISION
;
123 SecurityDescriptor
->Sbz1
= 0;
124 SecurityDescriptor
->Control
= 0;
125 SecurityDescriptor
->Owner
= NULL
;
126 SecurityDescriptor
->Group
= NULL
;
127 SecurityDescriptor
->Sacl
= NULL
;
128 SecurityDescriptor
->Dacl
= NULL
;
130 return(STATUS_SUCCESS
);
135 RtlLengthSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
)
143 Length
= sizeof(SECURITY_DESCRIPTOR
);
145 if (SecurityDescriptor
->Owner
!= NULL
)
147 Owner
= SecurityDescriptor
->Owner
;
148 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
150 Owner
= (PSID
)((ULONG
)Owner
+
151 (ULONG
)SecurityDescriptor
);
153 Length
= Length
+ ((sizeof(SID
) + (Owner
->SubAuthorityCount
- 1) *
154 sizeof(ULONG
) + 3) & 0xfc);
157 if (SecurityDescriptor
->Group
!= NULL
)
159 Group
= SecurityDescriptor
->Group
;
160 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
162 Group
= (PSID
)((ULONG
)Group
+ (ULONG
)SecurityDescriptor
);
164 Length
= Length
+ ((sizeof(SID
) + (Group
->SubAuthorityCount
- 1) *
165 sizeof(ULONG
) + 3) & 0xfc);
168 if (SecurityDescriptor
->Control
& SE_DACL_PRESENT
&&
169 SecurityDescriptor
->Dacl
!= NULL
)
171 Dacl
= SecurityDescriptor
->Dacl
;
172 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
174 Dacl
= (PACL
)((ULONG
)Dacl
+ (PVOID
)SecurityDescriptor
);
176 Length
= Length
+ ((Dacl
->AclSize
+ 3) & 0xfc);
179 if (SecurityDescriptor
->Control
& SE_SACL_PRESENT
&&
180 SecurityDescriptor
->Sacl
!= NULL
)
182 Sacl
= SecurityDescriptor
->Sacl
;
183 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
185 Sacl
= (PACL
)((ULONG
)Sacl
+ (PVOID
)SecurityDescriptor
);
187 Length
= Length
+ ((Sacl
->AclSize
+ 3) & 0xfc);
195 RtlGetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
196 PBOOLEAN DaclPresent
,
198 PBOOLEAN DaclDefaulted
)
200 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
202 return(STATUS_UNSUCCESSFUL
);
205 if (!(SecurityDescriptor
->Control
& SE_DACL_PRESENT
))
207 *DaclPresent
= FALSE
;
208 return(STATUS_SUCCESS
);
212 if (SecurityDescriptor
->Dacl
== NULL
)
218 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
220 *Dacl
= (PACL
)((ULONG
)SecurityDescriptor
->Dacl
+
221 (PVOID
)SecurityDescriptor
);
225 *Dacl
= SecurityDescriptor
->Dacl
;
229 if (SecurityDescriptor
->Control
& SE_DACL_DEFAULTED
)
231 *DaclDefaulted
= TRUE
;
235 *DaclDefaulted
= FALSE
;
238 return(STATUS_SUCCESS
);
243 RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
246 BOOLEAN DaclDefaulted
)
248 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
250 return(STATUS_UNSUCCESSFUL
);
253 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
255 return(STATUS_UNSUCCESSFUL
);
260 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_DACL_PRESENT
);
261 return(STATUS_SUCCESS
);
264 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_DACL_PRESENT
;
265 SecurityDescriptor
->Dacl
= Dacl
;
266 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_DACL_DEFAULTED
);
270 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_DACL_DEFAULTED
;
273 return(STATUS_SUCCESS
);
278 RtlValidSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
)
285 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
290 Owner
= SecurityDescriptor
->Owner
;
291 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
293 Owner
= (PSID
)((ULONG
)Owner
+ (ULONG
)SecurityDescriptor
);
296 if (!RtlValidSid(Owner
))
301 Group
= SecurityDescriptor
->Group
;
302 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
304 Group
= (PSID
)((ULONG
)Group
+ (ULONG
)SecurityDescriptor
);
307 if (!RtlValidSid(Group
))
312 if (SecurityDescriptor
->Control
& SE_DACL_PRESENT
&&
313 SecurityDescriptor
->Dacl
!= NULL
)
315 Dacl
= SecurityDescriptor
->Dacl
;
316 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
318 Dacl
= (PACL
)((ULONG
)Dacl
+ (ULONG
)SecurityDescriptor
);
321 if (!RtlValidAcl(Dacl
))
327 if (SecurityDescriptor
->Control
& SE_SACL_PRESENT
&&
328 SecurityDescriptor
->Sacl
!= NULL
)
330 Sacl
= SecurityDescriptor
->Sacl
;
331 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
333 Sacl
= (PACL
)((ULONG
)Sacl
+ (ULONG
)SecurityDescriptor
);
336 if (!RtlValidAcl(Sacl
))
347 RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
349 BOOLEAN OwnerDefaulted
)
351 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
353 return(STATUS_UNSUCCESSFUL
);
356 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
358 return(STATUS_UNSUCCESSFUL
);
361 SecurityDescriptor
->Owner
= Owner
;
362 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_OWNER_DEFAULTED
);
366 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_OWNER_DEFAULTED
;
369 return(STATUS_SUCCESS
);
374 RtlGetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
376 PBOOLEAN OwnerDefaulted
)
378 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
380 return(STATUS_UNSUCCESSFUL
);
383 if (SecurityDescriptor
->Owner
!= NULL
)
385 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
387 *Owner
= (PSID
)((ULONG
)SecurityDescriptor
->Owner
+
388 (PVOID
)SecurityDescriptor
);
392 *Owner
= SecurityDescriptor
->Owner
;
399 if (SecurityDescriptor
->Control
& SE_OWNER_DEFAULTED
)
407 return(STATUS_SUCCESS
);
412 RtlSetGroupSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
414 BOOLEAN GroupDefaulted
)
416 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
418 return(STATUS_UNSUCCESSFUL
);
421 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
423 return(STATUS_UNSUCCESSFUL
);
426 SecurityDescriptor
->Group
= Group
;
427 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_GROUP_DEFAULTED
);
431 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_GROUP_DEFAULTED
;
434 return(STATUS_SUCCESS
);
439 RtlGetGroupSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
441 PBOOLEAN GroupDefaulted
)
443 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
445 return(STATUS_UNSUCCESSFUL
);
448 if (SecurityDescriptor
->Group
!= NULL
)
450 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
452 *Group
= (PSID
)((ULONG
)SecurityDescriptor
->Group
+
453 (PVOID
)SecurityDescriptor
);
457 *Group
= SecurityDescriptor
->Group
;
465 if (SecurityDescriptor
->Control
& SE_GROUP_DEFAULTED
)
467 *GroupDefaulted
= TRUE
;
471 *GroupDefaulted
= FALSE
;
474 return(STATUS_SUCCESS
);
479 RtlGetSaclSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
480 PBOOLEAN SaclPresent
,
482 PBOOLEAN SaclDefaulted
)
484 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
486 return(STATUS_UNSUCCESSFUL
);
489 if (!(SecurityDescriptor
->Control
& SE_SACL_PRESENT
))
491 *SaclPresent
= FALSE
;
492 return(STATUS_SUCCESS
);
496 if (SecurityDescriptor
->Sacl
== NULL
)
502 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
504 *Sacl
= (PACL
)((ULONG
)SecurityDescriptor
->Sacl
+
505 (PVOID
)SecurityDescriptor
);
509 *Sacl
= SecurityDescriptor
->Sacl
;
513 if (SecurityDescriptor
->Control
& SE_SACL_DEFAULTED
)
515 *SaclDefaulted
= TRUE
;
519 *SaclDefaulted
= FALSE
;
522 return(STATUS_SUCCESS
);
527 RtlSetSaclSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
530 BOOLEAN SaclDefaulted
)
532 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
534 return(STATUS_UNSUCCESSFUL
);
536 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
538 return(STATUS_UNSUCCESSFUL
);
543 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_SACL_PRESENT
);
544 return(STATUS_SUCCESS
);
547 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_SACL_PRESENT
;
548 SecurityDescriptor
->Sacl
= Sacl
;
549 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_SACL_DEFAULTED
);
553 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_SACL_DEFAULTED
;
556 return(STATUS_SUCCESS
);
561 RtlpQuerySecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
571 if (SecurityDescriptor
->Owner
== NULL
)
577 *Owner
= SecurityDescriptor
->Owner
;
578 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
580 *Owner
= (PSID
)((ULONG
)*Owner
+ (ULONG
)SecurityDescriptor
);
586 *OwnerLength
= (RtlLengthSid(*Owner
) + 3) & ~3;
593 if ((SecurityDescriptor
->Control
& SE_DACL_PRESENT
) &&
594 SecurityDescriptor
->Dacl
!= NULL
)
596 *Dacl
= SecurityDescriptor
->Dacl
;
597 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
599 *Dacl
= (PACL
)((ULONG
)*Dacl
+ (ULONG
)SecurityDescriptor
);
609 *DaclLength
= ((*Dacl
)->AclSize
+ 3) & ~3;
616 if (SecurityDescriptor
->Group
!= NULL
)
622 *Group
= SecurityDescriptor
->Group
;
623 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
625 *Group
= (PSID
)((ULONG
)*Group
+ (ULONG
)SecurityDescriptor
);
631 *GroupLength
= (RtlLengthSid(*Group
) + 3) & ~3;
638 if ((SecurityDescriptor
->Control
& SE_SACL_PRESENT
) &&
639 SecurityDescriptor
->Sacl
!= NULL
)
641 *Sacl
= SecurityDescriptor
->Sacl
;
642 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
644 *Sacl
= (PACL
)((ULONG
)*Sacl
+ (ULONG
)SecurityDescriptor
);
654 *SaclLength
= ((*Sacl
)->AclSize
+ 3) & ~3;
660 RtlAbsoluteToSelfRelativeSD(PSECURITY_DESCRIPTOR AbsSD
,
661 PSECURITY_DESCRIPTOR RelSD
,
675 if (AbsSD
->Control
& SE_SELF_RELATIVE
)
677 return(STATUS_BAD_DESCRIPTOR_FORMAT
);
680 RtlpQuerySecurityDescriptor(AbsSD
,
690 TotalLength
= OwnerLength
+ GroupLength
+ SaclLength
+
691 DaclLength
+ sizeof(SECURITY_DESCRIPTOR
);
692 if (*BufferLength
< TotalLength
)
694 return(STATUS_BUFFER_TOO_SMALL
);
701 sizeof(SECURITY_DESCRIPTOR
));
702 Current
= (ULONG
)RelSD
+ sizeof(SECURITY_DESCRIPTOR
);
706 memmove((PVOID
)Current
,
709 RelSD
->Sacl
= (PACL
)((ULONG
)Current
- (ULONG
)RelSD
);
710 Current
+= SaclLength
;
715 memmove((PVOID
)Current
,
718 RelSD
->Dacl
= (PACL
)((ULONG
)Current
- (ULONG
)RelSD
);
719 Current
+= DaclLength
;
722 if (OwnerLength
!= 0)
724 memmove((PVOID
)Current
,
727 RelSD
->Owner
= (PSID
)((ULONG
)Current
- (ULONG
)RelSD
);
728 Current
+= OwnerLength
;
731 if (GroupLength
!= 0)
733 memmove((PVOID
)Current
,
736 RelSD
->Group
= (PSID
)((ULONG
)Current
- (ULONG
)RelSD
);
739 RelSD
->Control
|= SE_SELF_RELATIVE
;
741 return(STATUS_SUCCESS
);