1 /* $Id: semgr.c,v 1.25 2003/07/11 01:23:16 royce Exp $
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * PURPOSE: Security manager
6 * FILE: kernel/se/semgr.c
9 * 26/07/98: Added stubs for security functions
 */
12 /* INCLUDES *****************************************************************/
14 #include <ddk/ntddk.h>
15 #include <internal/ps.h>
16 #include <internal/se.h>
18 #include <internal/debug.h>
/* Pool tag ('SXPT') for the SE_EXPORTS block; presumably the tag passed to
 * ExAllocatePoolWithTag in SepInitExports (that argument is elided on this
 * listing) — confirm. */
20 #define TAG_SXPT TAG('S', 'X', 'P', 'T')
23 /* GLOBALS ******************************************************************/
/* Kernel-wide table of well-known privilege LUIDs and SIDs exported to
 * drivers. Stays NULL until SepInitExports allocates it from NonPagedPool
 * and copies the Se*Privilege / Se*Sid globals into it (see the
 * SeExports->... assignments further down). */
25 PSE_EXPORTS EXPORTED SeExports
= NULL
;
28 /* PROTOTYPES ***************************************************************/
/* Allocates SeExports and fills it with the privilege and SID globals.
 * Called from the security-manager init path below; the body tests the
 * allocation for NULL, and that branch presumably returns FALSE (its
 * statements are elided on this listing) — confirm. */
30 static BOOLEAN
SepInitExports(VOID
);
32 /* FUNCTIONS ****************************************************************/
40 if (!SepInitSecurityIDs())
51 if (!SepInitExports())
61 SepInitializeTokenImplementation();
70 OBJECT_ATTRIBUTES ObjectAttributes
;
72 HANDLE DirectoryHandle
;
76 /* Create '\Security' directory */
77 RtlInitUnicodeString(&Name
,
79 InitializeObjectAttributes(&ObjectAttributes
,
84 Status
= NtCreateDirectoryObject(&DirectoryHandle
,
87 if (!NT_SUCCESS(Status
))
89 DPRINT1("Failed to create 'Security' directory!\n");
93 /* Create 'LSA_AUTHENTICATION_INITALIZED' event */
94 RtlInitUnicodeString(&Name
,
95 L
"\\LSA_AUTHENTICATION_INITALIZED");
96 InitializeObjectAttributes(&ObjectAttributes
,
101 Status
= NtCreateEvent(&EventHandle
,
106 if (!NT_SUCCESS(Status
))
108 DPRINT1("Failed to create 'Security' directory!\n");
109 NtClose(DirectoryHandle
);
113 NtClose(EventHandle
);
114 NtClose(DirectoryHandle
);
116 /* FIXME: Create SRM port and listener thread */
125 SeExports
= ExAllocatePoolWithTag(NonPagedPool
,
128 if (SeExports
== NULL
)
131 SeExports
->SeCreateTokenPrivilege
= SeCreateTokenPrivilege
;
132 SeExports
->SeAssignPrimaryTokenPrivilege
= SeAssignPrimaryTokenPrivilege
;
133 SeExports
->SeLockMemoryPrivilege
= SeLockMemoryPrivilege
;
134 SeExports
->SeIncreaseQuotaPrivilege
= SeIncreaseQuotaPrivilege
;
135 SeExports
->SeUnsolicitedInputPrivilege
= SeUnsolicitedInputPrivilege
;
136 SeExports
->SeTcbPrivilege
= SeTcbPrivilege
;
137 SeExports
->SeSecurityPrivilege
= SeSecurityPrivilege
;
138 SeExports
->SeTakeOwnershipPrivilege
= SeTakeOwnershipPrivilege
;
139 SeExports
->SeLoadDriverPrivilege
= SeLoadDriverPrivilege
;
140 SeExports
->SeCreatePagefilePrivilege
= SeCreatePagefilePrivilege
;
141 SeExports
->SeIncreaseBasePriorityPrivilege
= SeIncreaseBasePriorityPrivilege
;
142 SeExports
->SeSystemProfilePrivilege
= SeSystemProfilePrivilege
;
143 SeExports
->SeSystemtimePrivilege
= SeSystemtimePrivilege
;
144 SeExports
->SeProfileSingleProcessPrivilege
= SeProfileSingleProcessPrivilege
;
145 SeExports
->SeCreatePermanentPrivilege
= SeCreatePermanentPrivilege
;
146 SeExports
->SeBackupPrivilege
= SeBackupPrivilege
;
147 SeExports
->SeRestorePrivilege
= SeRestorePrivilege
;
148 SeExports
->SeShutdownPrivilege
= SeShutdownPrivilege
;
149 SeExports
->SeDebugPrivilege
= SeDebugPrivilege
;
150 SeExports
->SeAuditPrivilege
= SeAuditPrivilege
;
151 SeExports
->SeSystemEnvironmentPrivilege
= SeSystemEnvironmentPrivilege
;
152 SeExports
->SeChangeNotifyPrivilege
= SeChangeNotifyPrivilege
;
153 SeExports
->SeRemoteShutdownPrivilege
= SeRemoteShutdownPrivilege
;
155 SeExports
->SeNullSid
= SeNullSid
;
156 SeExports
->SeWorldSid
= SeWorldSid
;
157 SeExports
->SeLocalSid
= SeLocalSid
;
158 SeExports
->SeCreatorOwnerSid
= SeCreatorOwnerSid
;
159 SeExports
->SeCreatorGroupSid
= SeCreatorGroupSid
;
160 SeExports
->SeNtAuthoritySid
= SeNtAuthoritySid
;
161 SeExports
->SeDialupSid
= SeDialupSid
;
162 SeExports
->SeNetworkSid
= SeNetworkSid
;
163 SeExports
->SeBatchSid
= SeBatchSid
;
164 SeExports
->SeInteractiveSid
= SeInteractiveSid
;
165 SeExports
->SeLocalSystemSid
= SeLocalSystemSid
;
166 SeExports
->SeAliasAdminsSid
= SeAliasAdminsSid
;
167 SeExports
->SeAliasUsersSid
= SeAliasUsersSid
;
168 SeExports
->SeAliasGuestsSid
= SeAliasGuestsSid
;
169 SeExports
->SeAliasPowerUsersSid
= SeAliasPowerUsersSid
;
170 SeExports
->SeAliasAccountOpsSid
= SeAliasAccountOpsSid
;
171 SeExports
->SeAliasSystemOpsSid
= SeAliasSystemOpsSid
;
172 SeExports
->SeAliasPrintOpsSid
= SeAliasPrintOpsSid
;
173 SeExports
->SeAliasBackupOpsSid
= SeAliasBackupOpsSid
;
179 VOID
SepReferenceLogonSession(PLUID AuthenticationId
)
184 VOID
SepDeReferenceLogonSession(PLUID AuthenticationId
)
190 NtPrivilegedServiceAuditAlarm(IN PUNICODE_STRING SubsystemName
,
191 IN PUNICODE_STRING ServiceName
,
192 IN HANDLE ClientToken
,
193 IN PPRIVILEGE_SET Privileges
,
194 IN BOOLEAN AccessGranted
)
201 NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
203 IN HANDLE ClientToken
,
204 IN ULONG DesiredAccess
,
205 IN PPRIVILEGE_SET Privileges
,
206 IN BOOLEAN AccessGranted
)
213 NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
215 IN POBJECT_ATTRIBUTES ObjectAttributes
,
216 IN HANDLE ClientToken
,
217 IN ULONG DesiredAccess
,
218 IN ULONG GrantedAccess
,
219 IN PPRIVILEGE_SET Privileges
,
220 IN BOOLEAN ObjectCreation
,
221 IN BOOLEAN AccessGranted
,
222 OUT PBOOLEAN GenerateOnClose
)
229 NtAccessCheckAndAuditAlarm(IN PUNICODE_STRING SubsystemName
,
230 IN PHANDLE ObjectHandle
,
231 IN POBJECT_ATTRIBUTES ObjectAttributes
,
232 IN ACCESS_MASK DesiredAccess
,
233 IN PGENERIC_MAPPING GenericMapping
,
234 IN BOOLEAN ObjectCreation
,
235 OUT PULONG GrantedAccess
,
236 OUT PBOOLEAN AccessStatus
,
237 OUT PBOOLEAN GenerateOnClose
248 NtAllocateUuids(PULARGE_INTEGER Time
,
257 NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
259 IN BOOLEAN GenerateOnClose
)
266 NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
267 IN HANDLE ClientToken
,
268 IN ACCESS_MASK DesiredAccess
,
269 IN PGENERIC_MAPPING GenericMapping
,
270 OUT PPRIVILEGE_SET PrivilegeSet
,
271 OUT PULONG ReturnLength
,
272 OUT PULONG GrantedAccess
,
273 OUT PBOOLEAN AccessStatus
)
280 NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
282 IN BOOLEAN GenerateOnClose
)
/*
 * Drops the token references taken by SeCaptureSubjectContext.
 *
 * PrimaryToken is always released. ClientToken is released only when one
 * was captured: it may be NULL (the other readers of the context test for
 * that), and a NULL token was never referenced, so it must not be
 * dereferenced here. The SECURITY_SUBJECT_CONTEXT itself belongs to the
 * caller and is not freed.
 */
VOID STDCALL
SeReleaseSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
  PACCESS_TOKEN ClientToken;

  ObDereferenceObject(SubjectContext->PrimaryToken);

  /* The impersonation token is optional; release it only if present. */
  ClientToken = SubjectContext->ClientToken;
  if (ClientToken)
    {
      ObDereferenceObject(ClientToken);
    }
}
/*
 * Snapshots the calling thread's security identity into *SubjectContext:
 * the owning process (recorded as the audit id), the thread's impersonation
 * token together with its impersonation level, and the process primary
 * token. Both token references are taken here and must be dropped with
 * SeReleaseSubjectContext.
 *
 * The two middle arguments of PsReferenceImpersonationToken and the local
 * declarations (Process, and whatever those arguments point at) are elided
 * on this listing.
 *
 * NOTE(review): ClientToken is whatever PsReferenceImpersonationToken
 * returns and is presumably NULL when the thread is not impersonating —
 * SepGetDefaultsSubjectContext and SeReleaseSubjectContext both test for
 * NULL, so consumers must not dereference it unconditionally. Confirm
 * against PsReferenceImpersonationToken.
 */
304 VOID STDCALL
SeCaptureSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext
)
/* The subject is attributed to the thread's owning process. */
310 Process
= PsGetCurrentThread()->ThreadsProcess
;
312 SubjectContext
->ProcessAuditId
= Process
;
/* Impersonation token (may be NULL) and the level it was captured at. */
313 SubjectContext
->ClientToken
=
314 PsReferenceImpersonationToken(PsGetCurrentThread(),
317 &SubjectContext
->ImpersonationLevel
);
/* The primary token is always referenced. */
318 SubjectContext
->PrimaryToken
= PsReferencePrimaryToken(Process
);
/*
 * Releases a security descriptor previously assigned to an object.
 *
 * The descriptor at *SecurityDescriptor is returned to the pool with
 * ExFreePool and the caller's pointer is cleared, so a repeated call on
 * the same slot is a harmless no-op rather than a double free. A NULL
 * descriptor is accepted.
 *
 * Returns STATUS_SUCCESS unconditionally.
 */
NTSTATUS STDCALL
SeDeassignSecurity(PSECURITY_DESCRIPTOR* SecurityDescriptor)
{
  PSECURITY_DESCRIPTOR Descriptor = *SecurityDescriptor;

  if (Descriptor)
    {
      ExFreePool(Descriptor);
      /* Never leave the caller holding a dangling pointer. */
      *SecurityDescriptor = NULL;
    }

  return STATUS_SUCCESS;
}
/*
 * Resolves the defaults a new object inherits from a captured subject
 * context: owner SID, primary group and default DACL come from the
 * effective token — the impersonation (client) token when one is present,
 * otherwise the process primary token — while ProcessOwner and
 * ProcessPrimaryGroup always come from the primary token.
 *
 * The Owner, PrimaryGroup, DefaultDacl and ProcessOwner out-pointer
 * parameters and the Token local are elided on this listing.
 *
 * NOTE(review): *ProcessOwner indexes the PRIMARY token's UserAndGroups
 * array with Token->DefaultOwnerIndex, but Token is whichever token was
 * selected above. When a client token is in use the two indices are
 * unrelated, so this can return the wrong SID or index outside the
 * primary token's array; it should use
 * SubjectContext->PrimaryToken->DefaultOwnerIndex.
 */
338 VOID
SepGetDefaultsSubjectContext(PSECURITY_SUBJECT_CONTEXT SubjectContext
,
342 PSID
* ProcessPrimaryGroup
,
/* Prefer the impersonated identity when the context carries one. */
347 if (SubjectContext
->ClientToken
!= NULL
)
349 Token
= SubjectContext
->ClientToken
;
353 Token
= SubjectContext
->PrimaryToken
;
/* Object defaults follow the effective (possibly impersonated) token. */
355 *Owner
= Token
->UserAndGroups
[Token
->DefaultOwnerIndex
].Sid
;
356 *PrimaryGroup
= Token
->PrimaryGroup
;
357 *DefaultDacl
= Token
->DefaultDacl
;
/* Process-level defaults follow the primary token — but see the index
 * mismatch noted above. */
358 *ProcessOwner
= SubjectContext
->PrimaryToken
->
359 UserAndGroups
[Token
->DefaultOwnerIndex
].Sid
;
360 *ProcessPrimaryGroup
= SubjectContext
->PrimaryToken
->PrimaryGroup
;
363 NTSTATUS
SepInheritAcl(PACL Acl
,
364 BOOLEAN IsDirectoryObject
,
370 PGENERIC_MAPPING GenericMapping
)
374 return(STATUS_UNSUCCESSFUL
);
376 if (Acl
->AclRevision
!= 2 &&
377 Acl
->AclRevision
!= 3 )
379 return(STATUS_UNSUCCESSFUL
);
389 SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor
,
390 PSECURITY_DESCRIPTOR ExplicitDescriptor
,
391 PSECURITY_DESCRIPTOR
* NewDescriptor
,
392 BOOLEAN IsDirectoryObject
,
393 PSECURITY_SUBJECT_CONTEXT SubjectContext
,
394 PGENERIC_MAPPING GenericMapping
,
398 PSECURITY_DESCRIPTOR Descriptor
;
403 PSID ProcessPrimaryGroup
;
406 if (ExplicitDescriptor
== NULL
)
408 RtlCreateSecurityDescriptor(&Descriptor
, 1);
412 Descriptor
= ExplicitDescriptor
;
414 SeLockSubjectContext(SubjectContext
);
415 SepGetDefaultsSubjectContext(SubjectContext
,
420 &ProcessPrimaryGroup
);
421 if (Descriptor
->Control
& SE_SACL_PRESENT
||
422 Descriptor
->Control
& SE_SACL_DEFAULTED
)
424 if (ParentDescriptor
== NULL
)
427 if (Descriptor
->Control
& SE_SACL_PRESENT
||
428 Descriptor
->Sacl
== NULL
||)
434 Sacl
= Descriptor
->Sacl
;
435 if (Descriptor
->Control
& SE_SELF_RELATIVE
)
437 Sacl
= (PACL
)(((PVOID
)Sacl
) + (PVOID
)Descriptor
);
/*
 * Tests whether Sid is the user SID or one of the group SIDs carried by
 * Token. The second parameter (Sid), the loop-counter declaration, the
 * return statements and the first half of the final condition are elided
 * on this listing.
 *
 * NOTE(review): Token is dereferenced on the first line of the body, so a
 * NULL token is never acceptable here; SeAccessCheck passes
 * SubjectSecurityContext->ClientToken without checking it for NULL.
 * Membership via a group that lacks SE_GROUP_ENABLED must not satisfy an
 * allow ACE — the visible fragment tests that attribute, but the outcome
 * of the branch is not visible; confirm that a disabled group yields
 * FALSE.
 */
453 BOOLEAN
SepSidInToken(PACCESS_TOKEN Token
,
/* An empty token matches nothing. */
458 if (Token
->UserAndGroupCount
== 0)
463 for (i
=0; i
<Token
->UserAndGroupCount
; i
++)
465 if (RtlEqualSid(Sid
, Token
->UserAndGroups
[i
].Sid
))
/* A SID match alone is not enough: the entry's enabled state is consulted. */
468 (!(Token
->UserAndGroups
[i
].Attributes
& SE_GROUP_ENABLED
)))
/*
 * NOTE(review): the return-type line of this definition and the closing
 * brace are beyond this listing. The header comment below documents a
 * TRUE-on-grant BOOLEAN result, yet both visible return statements return
 * STATUS_SUCCESS, which is 0 and therefore reads as FALSE through a
 * BOOLEAN return on every path. GrantedAccess is declared PACCESS_MODE but
 * is assigned an ACCESS_MASK below — looks like a typo for PACCESS_MASK;
 * confirm against the header. SubjectContextLocked, Privileges and
 * AccessMode are not referenced in the visible lines.
 */
483 SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
484 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
,
485 IN BOOLEAN SubjectContextLocked
,
486 IN ACCESS_MASK DesiredAccess
,
487 IN ACCESS_MASK PreviouslyGrantedAccess
,
488 OUT PPRIVILEGE_SET
* Privileges
,
489 IN PGENERIC_MAPPING GenericMapping
,
490 IN KPROCESSOR_MODE AccessMode
,
491 OUT PACCESS_MODE GrantedAccess
,
492 OUT PNTSTATUS AccessStatus
)
/*
494 * FUNCTION: Determines whether the requested access rights can be granted
495 * to an object protected by a security descriptor and an object owner
497 * SecurityDescriptor = Security descriptor protecting the object
498 * SubjectSecurityContext = Subject's captured security context
499 * SubjectContextLocked = Indicates the user's subject context is locked
500 * DesiredAccess = Access rights the caller is trying to acquire
501 * PreviouslyGrantedAccess = Specifies the access rights already granted
503 * GenericMapping = Generic mapping associated with the object
504 * AccessMode = Access mode used for the check
505 * GrantedAccess (OUT) = On return specifies the access granted
506 * AccessStatus (OUT) = Status indicating why access was denied
507 * RETURNS: If access was granted, returns TRUE
 */
/* Accumulated grant mask; other locals (Status, Dacl, CurrentAce, i, Sid)
 * are declared on lines elided from this listing. */
517 ACCESS_MASK CurrentAccess
;
/* Start from whatever the caller already holds. */
519 CurrentAccess
= PreviouslyGrantedAccess
;
/*
522 * Ignore the SACL for now
 * (no audit evaluation is performed by this check)
 */
/* Extract the DACL; the remaining out-arguments and the failure branch are
 * elided on this listing. NOTE(review): a descriptor whose DACL is absent
 * (NULL Dacl) must be handled before the pointer is used below, where it
 * would be dereferenced — not visible whether that is done. */
528 Status
= RtlGetDaclSecurityDescriptor(SecurityDescriptor
,
532 if (!NT_SUCCESS(Status
))
/* The first ACE immediately follows the ACL header.
 * NOTE(review): no advance of CurrentAce by Header.AceSize is visible
 * inside the loop; if there is none, every iteration re-examines the
 * first ACE. */
537 CurrentAce
= (PACE
)(Dacl
+ 1);
538 for (i
= 0; i
< Dacl
->AceCount
; i
++)
/* The SID is stored inline right after the ACE structure. */
540 Sid
= (PSID
)(CurrentAce
+ 1);
/* A deny ACE naming one of the subject's SIDs ends the walk.
 * NOTE(review): SepSidInToken is given ClientToken only, which may be NULL
 * when the caller is not impersonating (SepGetDefaultsSubjectContext falls
 * back to PrimaryToken in that case); the allow branch below has the same
 * issue. The deny ACE's AccessMask is not compared with DesiredAccess, so
 * any deny ACE for this SID blocks every request, and GrantedAccess is not
 * visibly written on this path (the line after *AccessStatus is elided). */
541 if (CurrentAce
->Header
.AceType
== ACCESS_DENIED_ACE_TYPE
)
543 if (SepSidInToken(SubjectSecurityContext
->ClientToken
, Sid
))
545 *AccessStatus
= STATUS_ACCESS_DENIED
;
/* NOTE(review): STATUS_SUCCESS is 0 — see the note above the definition. */
547 return(STATUS_SUCCESS
);
/* Allow ACEs accumulate their mask into CurrentAccess. */
550 if (CurrentAce
->Header
.AceType
== ACCESS_ALLOWED_ACE_TYPE
)
552 if (SepSidInToken(SubjectSecurityContext
->ClientToken
, Sid
))
554 CurrentAccess
= CurrentAccess
|
555 CurrentAce
->AccessMask
;
/* NOTE(review): this condition holds only when DesiredAccess == 0 — for
 * any non-zero request one of the two terms is non-zero — so the mask
 * comparison never denies a real request. The intended test is that some
 * requested bit is missing from what was accumulated:
 * `if (DesiredAccess & ~CurrentAccess)`. Generic bits in DesiredAccess are
 * also never mapped through GenericMapping in the visible lines. */
559 if (!(CurrentAccess
& DesiredAccess
) &&
560 !((~CurrentAccess
) & DesiredAccess
))
/* Denied path; the statements that follow it are elided on this listing. */
562 *AccessStatus
= STATUS_ACCESS_DENIED
;
/* Grant path: reports the whole accumulated mask, not just the requested
 * bits. */
566 *AccessStatus
= STATUS_SUCCESS
;
568 *GrantedAccess
= CurrentAccess
;
/* NOTE(review): STATUS_SUCCESS is 0 — see the note above the definition. */
570 return(STATUS_SUCCESS
);