[NTOSKRNL]
[reactos.git] / reactos / ntoskrnl / se / semgr.c
1 /*
2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/semgr.c
5 * PURPOSE: Security manager
6 *
7 * PROGRAMMERS: No programmer listed.
8 */
9
10 /* INCLUDES *******************************************************************/
11
12 #include <ntoskrnl.h>
13 #define NDEBUG
14 #include <debug.h>
15
16 /* GLOBALS ********************************************************************/
17
18 PSE_EXPORTS SeExports = NULL;
19 SE_EXPORTS SepExports;
20 ULONG SidInTokenCalls = 0;
21
22 extern ULONG ExpInitializationPhase;
23 extern ERESOURCE SepSubjectContextLock;
24
25 /* PRIVATE FUNCTIONS **********************************************************/
26
27 static BOOLEAN
28 INIT_FUNCTION
29 SepInitExports(VOID)
30 {
31 SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
32 SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
33 SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
34 SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
35 SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
36 SepExports.SeTcbPrivilege = SeTcbPrivilege;
37 SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
38 SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
39 SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
40 SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
41 SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
42 SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
43 SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
44 SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
45 SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
46 SepExports.SeBackupPrivilege = SeBackupPrivilege;
47 SepExports.SeRestorePrivilege = SeRestorePrivilege;
48 SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
49 SepExports.SeDebugPrivilege = SeDebugPrivilege;
50 SepExports.SeAuditPrivilege = SeAuditPrivilege;
51 SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
52 SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
53 SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
54
55 SepExports.SeNullSid = SeNullSid;
56 SepExports.SeWorldSid = SeWorldSid;
57 SepExports.SeLocalSid = SeLocalSid;
58 SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
59 SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
60 SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
61 SepExports.SeDialupSid = SeDialupSid;
62 SepExports.SeNetworkSid = SeNetworkSid;
63 SepExports.SeBatchSid = SeBatchSid;
64 SepExports.SeInteractiveSid = SeInteractiveSid;
65 SepExports.SeLocalSystemSid = SeLocalSystemSid;
66 SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
67 SepExports.SeAliasUsersSid = SeAliasUsersSid;
68 SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
69 SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
70 SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
71 SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
72 SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
73 SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
74 SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
75 SepExports.SeRestrictedSid = SeRestrictedSid;
76 SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
77
78 SepExports.SeUndockPrivilege = SeUndockPrivilege;
79 SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
80 SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
81
82 SeExports = &SepExports;
83 return TRUE;
84 }
85
86
87 BOOLEAN
88 NTAPI
89 INIT_FUNCTION
90 SepInitializationPhase0(VOID)
91 {
92 PAGED_CODE();
93
94 ExpInitLuid();
95 if (!SepInitSecurityIDs()) return FALSE;
96 if (!SepInitDACLs()) return FALSE;
97 if (!SepInitSDs()) return FALSE;
98 SepInitPrivileges();
99 if (!SepInitExports()) return FALSE;
100
101 /* Initialize the subject context lock */
102 ExInitializeResource(&SepSubjectContextLock);
103
104 /* Initialize token objects */
105 SepInitializeTokenImplementation();
106
107 /* Clear impersonation info for the idle thread */
108 PsGetCurrentThread()->ImpersonationInfo = NULL;
109 PspClearCrossThreadFlag(PsGetCurrentThread(),
110 CT_ACTIVE_IMPERSONATION_INFO_BIT);
111
112 /* Initialize the boot token */
113 ObInitializeFastReference(&PsGetCurrentProcess()->Token, NULL);
114 ObInitializeFastReference(&PsGetCurrentProcess()->Token,
115 SepCreateSystemProcessToken());
116 return TRUE;
117 }
118
119 BOOLEAN
120 NTAPI
121 INIT_FUNCTION
122 SepInitializationPhase1(VOID)
123 {
124 OBJECT_ATTRIBUTES ObjectAttributes;
125 UNICODE_STRING Name;
126 HANDLE SecurityHandle;
127 HANDLE EventHandle;
128 NTSTATUS Status;
129
130 PAGED_CODE();
131
132 /* Insert the system token into the tree */
133 Status = ObInsertObject((PVOID)(PsGetCurrentProcess()->Token.Value &
134 ~MAX_FAST_REFS),
135 NULL,
136 0,
137 0,
138 NULL,
139 NULL);
140 ASSERT(NT_SUCCESS(Status));
141
142 /* TODO: Create a security desscriptor for the directory */
143
144 /* Create '\Security' directory */
145 RtlInitUnicodeString(&Name, L"\\Security");
146 InitializeObjectAttributes(&ObjectAttributes,
147 &Name,
148 OBJ_PERMANENT | OBJ_CASE_INSENSITIVE,
149 0,
150 NULL);
151
152 Status = ZwCreateDirectoryObject(&SecurityHandle,
153 DIRECTORY_ALL_ACCESS,
154 &ObjectAttributes);
155 ASSERT(NT_SUCCESS(Status));
156
157 /* Create 'LSA_AUTHENTICATION_INITIALIZED' event */
158 RtlInitUnicodeString(&Name, L"LSA_AUTHENTICATION_INITIALIZED");
159 InitializeObjectAttributes(&ObjectAttributes,
160 &Name,
161 OBJ_PERMANENT | OBJ_CASE_INSENSITIVE,
162 SecurityHandle,
163 SePublicDefaultSd);
164
165 Status = ZwCreateEvent(&EventHandle,
166 GENERIC_WRITE,
167 &ObjectAttributes,
168 NotificationEvent,
169 FALSE);
170 ASSERT(NT_SUCCESS(Status));
171
172 Status = ZwClose(EventHandle);
173 ASSERT(NT_SUCCESS(Status));
174
175 Status = ZwClose(SecurityHandle);
176 ASSERT(NT_SUCCESS(Status));
177
178 return TRUE;
179 }
180
181 BOOLEAN
182 NTAPI
183 INIT_FUNCTION
184 SeInitSystem(VOID)
185 {
186 /* Check the initialization phase */
187 switch (ExpInitializationPhase)
188 {
189 case 0:
190
191 /* Do Phase 0 */
192 return SepInitializationPhase0();
193
194 case 1:
195
196 /* Do Phase 1 */
197 return SepInitializationPhase1();
198
199 default:
200
201 /* Don't know any other phase! Bugcheck! */
202 KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
203 0,
204 ExpInitializationPhase,
205 0,
206 0);
207 return FALSE;
208 }
209 }
210
211 NTSTATUS
212 NTAPI
213 SeDefaultObjectMethod(IN PVOID Object,
214 IN SECURITY_OPERATION_CODE OperationType,
215 IN PSECURITY_INFORMATION SecurityInformation,
216 IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
217 IN OUT PULONG ReturnLength OPTIONAL,
218 IN OUT PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
219 IN POOL_TYPE PoolType,
220 IN PGENERIC_MAPPING GenericMapping)
221 {
222 PAGED_CODE();
223
224 /* Select the operation type */
225 switch (OperationType)
226 {
227 /* Setting a new descriptor */
228 case SetSecurityDescriptor:
229
230 /* Sanity check */
231 ASSERT((PoolType == PagedPool) || (PoolType == NonPagedPool));
232
233 /* Set the information */
234 return ObSetSecurityDescriptorInfo(Object,
235 SecurityInformation,
236 SecurityDescriptor,
237 OldSecurityDescriptor,
238 PoolType,
239 GenericMapping);
240
241 case QuerySecurityDescriptor:
242
243 /* Query the information */
244 return ObQuerySecurityDescriptorInfo(Object,
245 SecurityInformation,
246 SecurityDescriptor,
247 ReturnLength,
248 OldSecurityDescriptor);
249
250 case DeleteSecurityDescriptor:
251
252 /* De-assign it */
253 return ObDeassignSecurity(OldSecurityDescriptor);
254
255 case AssignSecurityDescriptor:
256
257 /* Assign it */
258 ObAssignObjectSecurityDescriptor(Object, SecurityDescriptor, PoolType);
259 return STATUS_SUCCESS;
260
261 default:
262
263 /* Bug check */
264 KeBugCheckEx(SECURITY_SYSTEM, 0, STATUS_INVALID_PARAMETER, 0, 0);
265 }
266
267 /* Should never reach here */
268 ASSERT(FALSE);
269 return STATUS_SUCCESS;
270 }
271
272 VOID
273 NTAPI
274 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
275 OUT PACCESS_MASK DesiredAccess)
276 {
277 *DesiredAccess = 0;
278
279 if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
280 GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
281 {
282 *DesiredAccess |= READ_CONTROL;
283 }
284
285 if (SecurityInformation & SACL_SECURITY_INFORMATION)
286 {
287 *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
288 }
289 }
290
291 VOID
292 NTAPI
293 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
294 OUT PACCESS_MASK DesiredAccess)
295 {
296 *DesiredAccess = 0;
297
298 if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
299 {
300 *DesiredAccess |= WRITE_OWNER;
301 }
302
303 if (SecurityInformation & DACL_SECURITY_INFORMATION)
304 {
305 *DesiredAccess |= WRITE_DAC;
306 }
307
308 if (SecurityInformation & SACL_SECURITY_INFORMATION)
309 {
310 *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
311 }
312 }
313
314 /* EOF */