1 /* $Id: semgr.c,v 1.31 2004/07/12 12:04:17 ekohl Exp $
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * PURPOSE: Security manager
6 * FILE: kernel/se/semgr.c
9 * 26/07/98: Added stubs for security functions
12 /* INCLUDES *****************************************************************/
14 #include <ddk/ntddk.h>
15 #include <internal/ps.h>
16 #include <internal/se.h>
18 #include <internal/debug.h>
20 #define TAG_SXPT TAG('S', 'X', 'P', 'T')
23 /* GLOBALS ******************************************************************/
/* Table of the kernel's well-known privilege LUIDs and SIDs, handed out to
 * other components through this single pointer.  It stays NULL until
 * SepInitExports() allocates and fills it during security-manager start-up. */
PSE_EXPORTS EXPORTED SeExports = NULL;
28 /* PROTOTYPES ***************************************************************/
/* Allocates SeExports and copies the well-known privilege and SID values
 * into it.  The caller (SeInit) treats a FALSE result as a failed
 * initialisation. */
static BOOLEAN SepInitExports(VOID);
32 /* FUNCTIONS ****************************************************************/
/* Security-manager start-up order: well-known SIDs first, then the exported
 * privilege/SID table, then the token implementation.  (The enclosing
 * function's header and what happens when one of the two BOOLEAN steps
 * fails are not shown here.) */
if (!SepInitSecurityIDs())
if (!SepInitExports())
SepInitializeTokenImplementation();
/* Second-phase security start-up: creates the '\Security' object directory
 * and the event the user-mode LSA is expected to signal/wait on.  (The
 * enclosing function's header, the Name/Status/EventHandle locals, the
 * remaining arguments of each call and the block braces are not shown.) */
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE DirectoryHandle;

/* Create '\Security' directory */
/* NOTE(review): the InitializeObjectAttributes arguments are not visible.
 * If no explicit security descriptor is passed, the directory receives the
 * default protection of its type, and it only outlives the NtClose below if
 * OBJ_PERMANENT is among the attributes -- confirm both. */
RtlInitUnicodeString(&Name,
InitializeObjectAttributes(&ObjectAttributes,
Status = NtCreateDirectoryObject(&DirectoryHandle,
if (!NT_SUCCESS(Status))
DPRINT1("Failed to create 'Security' directory!\n");

/* Create 'LSA_AUTHENTICATION_INITALIZED' event */
/* The object name below, spelling included, is the contract with whatever
 * user-mode component opens it (presumably the LSA); changing one side
 * without the other silently breaks that hand-shake. */
RtlInitUnicodeString(&Name,
                     L"\\LSA_AUTHENTICATION_INITALIZED");
InitializeObjectAttributes(&ObjectAttributes,
Status = NtCreateEvent(&EventHandle,
if (!NT_SUCCESS(Status))
DPRINT1("Failed to create 'LSA_AUTHENTICATION_INITALIZED' event!\n");
/* Error path: give back the directory handle taken above. */
NtClose(DirectoryHandle);

/* Success path: both handles are dropped here, so the objects survive only
 * if they were created permanent (attributes not shown). */
NtClose(EventHandle);
NtClose(DirectoryHandle);

/* FIXME: Create SRM port and listener thread */
static BOOLEAN INIT_FUNCTION
SepInitExports(VOID)
/*
 * Allocates the SeExports table from non-paged pool and copies the kernel's
 * well-known privilege LUIDs and SIDs into it, so that other components can
 * read them through the single SeExports pointer.
 * RETURNS: FALSE when the pool allocation fails (SeExports stays NULL),
 *          TRUE once the table is filled in.
 */
{
  PSE_EXPORTS Exports;

  SeExports = ExAllocatePoolWithTag(NonPagedPool,
                                    sizeof(*SeExports),
                                    TAG_SXPT);
  if (SeExports == NULL)
    {
      return(FALSE);
    }

  Exports = SeExports;

  /* Privilege LUIDs */
  Exports->SeCreateTokenPrivilege = SeCreateTokenPrivilege;
  Exports->SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
  Exports->SeLockMemoryPrivilege = SeLockMemoryPrivilege;
  Exports->SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
  Exports->SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
  Exports->SeTcbPrivilege = SeTcbPrivilege;
  Exports->SeSecurityPrivilege = SeSecurityPrivilege;
  Exports->SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
  Exports->SeLoadDriverPrivilege = SeLoadDriverPrivilege;
  Exports->SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
  Exports->SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
  Exports->SeSystemProfilePrivilege = SeSystemProfilePrivilege;
  Exports->SeSystemtimePrivilege = SeSystemtimePrivilege;
  Exports->SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
  Exports->SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
  Exports->SeBackupPrivilege = SeBackupPrivilege;
  Exports->SeRestorePrivilege = SeRestorePrivilege;
  Exports->SeShutdownPrivilege = SeShutdownPrivilege;
  Exports->SeDebugPrivilege = SeDebugPrivilege;
  Exports->SeAuditPrivilege = SeAuditPrivilege;
  Exports->SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
  Exports->SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
  Exports->SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;

  /* Well-known SIDs */
  Exports->SeNullSid = SeNullSid;
  Exports->SeWorldSid = SeWorldSid;
  Exports->SeLocalSid = SeLocalSid;
  Exports->SeCreatorOwnerSid = SeCreatorOwnerSid;
  Exports->SeCreatorGroupSid = SeCreatorGroupSid;
  Exports->SeNtAuthoritySid = SeNtAuthoritySid;
  Exports->SeDialupSid = SeDialupSid;
  Exports->SeNetworkSid = SeNetworkSid;
  Exports->SeBatchSid = SeBatchSid;
  Exports->SeInteractiveSid = SeInteractiveSid;
  Exports->SeLocalSystemSid = SeLocalSystemSid;
  Exports->SeAliasAdminsSid = SeAliasAdminsSid;
  Exports->SeAliasUsersSid = SeAliasUsersSid;
  Exports->SeAliasGuestsSid = SeAliasGuestsSid;
  Exports->SeAliasPowerUsersSid = SeAliasPowerUsersSid;
  Exports->SeAliasAccountOpsSid = SeAliasAccountOpsSid;
  Exports->SeAliasSystemOpsSid = SeAliasSystemOpsSid;
  Exports->SeAliasPrintOpsSid = SeAliasPrintOpsSid;
  Exports->SeAliasBackupOpsSid = SeAliasBackupOpsSid;

  return(TRUE);
}
/* Intended (by name) to take a reference on the logon session identified by
 * AuthenticationId.  The body is not shown here. */
VOID SepReferenceLogonSession(PLUID AuthenticationId)
/* Intended (by name) to drop a reference taken by SepReferenceLogonSession on
 * the logon session identified by AuthenticationId.  The body is not shown. */
VOID SepDeReferenceLogonSession(PLUID AuthenticationId)
/*
 * NtAllocateUuids -- system-call stub.  The visible body only reports
 * STATUS_NOT_IMPLEMENTED and writes nothing through the caller's pointers.
 * Once implemented, every output pointer is user-supplied and must be
 * probed/written under SEH.  (The return type, the remaining parameters and
 * the body's opening line are not shown here.)
 */
NtAllocateUuids(PULARGE_INTEGER Time,
return(STATUS_NOT_IMPLEMENTED);
/*
 * NtAccessCheck -- user-mode access-check service.  The visible body only
 * reports STATUS_NOT_IMPLEMENTED.  When it is implemented, keep in mind that
 * every argument comes from user mode: ClientToken must be referenced with
 * the caller's access mode, SecurityDescriptor captured and validated before
 * it is trusted, and PrivilegeSet/ReturnLength/GrantedAccess/AccessStatus
 * probed before they are written.  (The return type and the body's opening
 * line are not shown here.)
 */
NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
              IN HANDLE ClientToken,
              IN ACCESS_MASK DesiredAccess,
              IN PGENERIC_MAPPING GenericMapping,
              OUT PPRIVILEGE_SET PrivilegeSet,
              OUT PULONG ReturnLength,
              OUT PACCESS_MASK GrantedAccess,
              OUT PNTSTATUS AccessStatus)
return(STATUS_NOT_IMPLEMENTED);
/*
 * Captures the calling thread's security identity into SubjectContext: the
 * thread's process (stored as ProcessAuditId), a referenced impersonation
 * token plus its impersonation level, and a referenced primary token of the
 * process.  The impersonation token can be NULL (SeReleaseSubjectContext
 * checks for that), presumably when the thread is not impersonating.  Both
 * references are dropped again by SeReleaseSubjectContext.  (The return
 * type, some locals, the middle arguments of PsReferenceImpersonationToken
 * and the block braces are not shown here.)
 */
SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
BOOLEAN EffectiveOnly;
Process = PsGetCurrentThread ()->ThreadsProcess;
SubjectContext->ProcessAuditId = Process;
SubjectContext->ClientToken =
  PsReferenceImpersonationToken (PsGetCurrentThread(),
                                 /* NOTE(review): EffectiveOnly (and any
                                  * copy-on-open flag) returned by this call
                                  * is a local only; it is not stored in the
                                  * context, so later checks cannot honour
                                  * an "effective only" impersonation. */
                                 &SubjectContext->ImpersonationLevel);
SubjectContext->PrimaryToken = PsReferencePrimaryToken (Process);
/* Intended to pin a captured subject context so its tokens cannot change
 * while an access check runs; paired with SeUnlockSubjectContext.  The
 * return type and body are not shown here. */
SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
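SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
/*
 * Drops the token references taken by SeCaptureSubjectContext and clears
 * the pointers, so a context that is released twice (or used after release)
 * does not dereference an object whose reference was already given back.
 * Either pointer may be NULL -- the client token is NULL for a thread that
 * is not impersonating -- and such entries are simply skipped.
 */
{
  PACCESS_TOKEN Token;

  Token = SubjectContext->PrimaryToken;
  SubjectContext->PrimaryToken = NULL;
  if (Token != NULL)
    {
      ObDereferenceObject (Token);
    }

  Token = SubjectContext->ClientToken;
  SubjectContext->ClientToken = NULL;
  if (Token != NULL)
    {
      ObDereferenceObject (Token);
    }
}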
/* Counterpart of SeLockSubjectContext; releases the pin on the captured
 * subject context.  The return type and body are not shown here. */
SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
SeDeassignSecurity(PSECURITY_DESCRIPTOR* SecurityDescriptor)
/*
 * Frees the pool-allocated security descriptor that *SecurityDescriptor
 * points to and clears the caller's pointer so it cannot be freed again.
 * A NULL descriptor is left untouched.
 * RETURNS: STATUS_SUCCESS in every case.
 */
{
  PSECURITY_DESCRIPTOR Descriptor = *SecurityDescriptor;

  if (Descriptor == NULL)
    {
      return(STATUS_SUCCESS);
    }

  *SecurityDescriptor = NULL;
  ExFreePool(Descriptor);

  return(STATUS_SUCCESS);
}
/*
 * Derives the defaults a new object should inherit from a captured subject
 * context: owner, primary group and default DACL come from the client
 * (impersonation) token when one is present, otherwise from the process
 * primary token; the "Process" outputs always come from the primary token.
 * (The other output parameters, the Token local, the else keyword and the
 * block braces are not shown here.)
 */
VOID SepGetDefaultsSubjectContext(PSECURITY_SUBJECT_CONTEXT SubjectContext,
                                  PSID* ProcessPrimaryGroup,
if (SubjectContext->ClientToken != NULL)
  Token = SubjectContext->ClientToken;
  Token = SubjectContext->PrimaryToken;
*Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
*PrimaryGroup = Token->PrimaryGroup;
*DefaultDacl = Token->DefaultDacl;
/* NOTE(review): DefaultOwnerIndex below belongs to Token (the client token
 * when impersonating) but indexes the *primary* token's UserAndGroups
 * array.  The two arrays need not line up, so this can return the wrong
 * SID or read past the end of the array.  The index should come from the
 * same token as the array:
 *   SubjectContext->PrimaryToken->UserAndGroups[SubjectContext->PrimaryToken->DefaultOwnerIndex].Sid */
*ProcessOwner = SubjectContext->PrimaryToken->UserAndGroups[Token->DefaultOwnerIndex].Sid;
*ProcessPrimaryGroup = SubjectContext->PrimaryToken->PrimaryGroup;
/*
 * Validates an ACL that is about to be inherited by a new object.  Only
 * ACL revisions 2 and 3 are accepted; anything else yields STATUS_UNSUCCESSFUL.
 * (The first return below belongs to a guard whose condition is not shown --
 * presumably a NULL Acl; the parameters between IsDirectoryObject and
 * GenericMapping and the rest of the body are not shown either.)
 * NOTE(review): AclRevision alone does not establish that the ACL is well
 * formed.  Before the ACEs are walked or copied, AclSize must fit the buffer
 * the ACL came from and every ACE's AceSize must stay inside AclSize,
 * otherwise a caller-supplied ACL can steer the walk past its end.
 */
NTSTATUS SepInheritAcl(PACL Acl,
                       BOOLEAN IsDirectoryObject,
                       PGENERIC_MAPPING GenericMapping)
return(STATUS_UNSUCCESSFUL);
if (Acl->AclRevision != 2 &&
    Acl->AclRevision != 3 )
  return(STATUS_UNSUCCESSFUL);
/*
 * Builds the security descriptor of a new object from the parent's
 * descriptor, the caller-supplied explicit descriptor and the defaults of
 * the subject context.  Only the SACL selection is sketched below and the
 * function currently ends in STATUS_NOT_IMPLEMENTED, so *NewDescriptor is
 * never produced: callers must treat the result as a failure.
 * ExplicitDescriptor may originate from a user-mode caller's object
 * attributes; it must have been captured and validated before it reaches
 * this point (not visible here).
 * (The return type, the trailing parameter, several locals, the else
 * keywords and the block braces are not shown here.)
 */
SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor,
                 PSECURITY_DESCRIPTOR ExplicitDescriptor,
                 PSECURITY_DESCRIPTOR* NewDescriptor,
                 BOOLEAN IsDirectoryObject,
                 PSECURITY_SUBJECT_CONTEXT SubjectContext,
                 PGENERIC_MAPPING GenericMapping,
PSECURITY_DESCRIPTOR Descriptor;
PSID ProcessPrimaryGroup;
if (ExplicitDescriptor == NULL)
  /* NOTE(review): &Descriptor is the address of a pointer variable, not of
   * SECURITY_DESCRIPTOR storage, so this call initialises the bytes of the
   * pointer itself and the later Descriptor->Control reads garbage.  A
   * local SECURITY_DESCRIPTOR (or a pool allocation) must be passed, and
   * the return status checked. */
  RtlCreateSecurityDescriptor(&Descriptor, 1);
  Descriptor = ExplicitDescriptor;
/* NOTE(review): no matching SeUnlockSubjectContext is visible before the
 * return at the end of this function. */
SeLockSubjectContext(SubjectContext);
SepGetDefaultsSubjectContext(SubjectContext,
                             &ProcessPrimaryGroup);
if (Descriptor->Control & SE_SACL_PRESENT ||
    Descriptor->Control & SE_SACL_DEFAULTED)
  if (ParentDescriptor == NULL)
    if (Descriptor->Control & SE_SACL_PRESENT ||
        Descriptor->Sacl == NULL ||)
    Sacl = Descriptor->Sacl;
    if (Descriptor->Control & SE_SELF_RELATIVE)
      /* NOTE(review): this adds two pointers, which is not valid C.  In a
       * self-relative descriptor the Sacl field is a byte offset from the
       * start of the descriptor, i.e. (char *)Descriptor + that offset. */
      Sacl = (PACL)(((PVOID)Sacl) + (PVOID)Descriptor);
return(STATUS_NOT_IMPLEMENTED);
/*
 * Tests whether Sid is the token's user SID or one of its group SIDs.  An
 * empty UserAndGroups array never matches.  On a match the entry's
 * SE_GROUP_ENABLED attribute is consulted; the lines that turn that into
 * the result, the Sid parameter and the loop counter's declaration are not
 * shown here.
 * NOTE(review): Token is dereferenced without a NULL check, so callers must
 * never pass NULL -- yet a captured subject context's ClientToken is NULL
 * when the thread is not impersonating (SeReleaseSubjectContext checks for
 * exactly that); callers should fall back to PrimaryToken.  The NT
 * deny-only group attribute is not distinguished from an ordinary enabled
 * group either, which a caller evaluating access-allowed ACEs would need.
 */
BOOLEAN SepSidInToken(PACCESS_TOKEN Token,
if (Token->UserAndGroupCount == 0)
for (i=0; i<Token->UserAndGroupCount; i++)
  if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
    (!(Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED)))
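SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
              IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
              IN BOOLEAN SubjectContextLocked,
              IN ACCESS_MASK DesiredAccess,
              IN ACCESS_MASK PreviouslyGrantedAccess,
              OUT PPRIVILEGE_SET* Privileges,
              IN PGENERIC_MAPPING GenericMapping,
              IN KPROCESSOR_MODE AccessMode,
              OUT PACCESS_MODE GrantedAccess,
              OUT PNTSTATUS AccessStatus)
/*
 * FUNCTION: Determines whether the requested access rights can be granted
 * to an object protected by a security descriptor and an object owner
 * ARGUMENTS:
 *         SecurityDescriptor = Security descriptor protecting the object
 *         SubjectSecurityContext = Subject's captured security context
 *         SubjectContextLocked = Indicates the user's subject context is locked
 *                                (not used by this implementation)
 *         DesiredAccess = Access rights the caller is trying to acquire
 *         PreviouslyGrantedAccess = Specified the access rights already granted
 *         Privileges (OUT, optional) = Receives NULL; no privilege is
 *                                      consumed by this check
 *         GenericMapping = Generic mapping associated with the object
 *                          (not applied here, see NOTES)
 *         AccessMode = Access mode used for the check (not used here)
 *         GrantedAccess (OUT) = On return specifies the access granted
 *                               (declared PACCESS_MODE; receives an ACCESS_MASK)
 *         AccessStatus (OUT) = Status indicating why access was denied
 * RETURNS: If access was granted, returns TRUE; otherwise FALSE with the
 *          reason in *AccessStatus and *GrantedAccess set to 0
 * NOTES:
 *         Only the DACL is evaluated.  The SACL is ignored, the owner gets
 *         no implicit READ_CONTROL/WRITE_DAC, MAXIMUM_ALLOWED is not
 *         handled, and generic rights in DesiredAccess are not mapped
 *         through GenericMapping -- a request carrying GENERIC_* bits is
 *         refused unless an ACE grants those exact bits.  A matching
 *         access-denied ACE refuses the request outright, which is stricter
 *         than NT (which refuses only when the ACE's mask overlaps rights
 *         not yet granted).
 */
{
  ACCESS_MASK CurrentAccess;
  PACCESS_TOKEN Token;
  PACL Dacl;
  BOOLEAN Present;
  BOOLEAN Defaulted;
  NTSTATUS Status;
  PACE CurrentAce;
  PSID Sid;
  char* AclEnd;
  ULONG i;

  CurrentAccess = PreviouslyGrantedAccess;

  if (Privileges != NULL)
    {
      *Privileges = NULL;
    }

  /* Check against the token the subject is acting with: the impersonation
   * token when the thread impersonates, else the process primary token.
   * The client token is NULL for a non-impersonating thread and must not
   * be handed to SepSidInToken, which dereferences it unconditionally. */
  Token = SubjectSecurityContext->ClientToken;
  if (Token == NULL)
    {
      Token = SubjectSecurityContext->PrimaryToken;
    }

  /*
   * Ignore the SACL for now
   */

  Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
                                        &Present,
                                        &Dacl,
                                        &Defaulted);
  if (!NT_SUCCESS(Status))
    {
      /* Fail closed on a descriptor we cannot read. */
      *AccessStatus = Status;
      *GrantedAccess = 0;
      return(FALSE);
    }

  if (!Present || Dacl == NULL)
    {
      /* No DACL, or a NULL DACL, means the object is unprotected:
       * everything asked for is granted.  Never dereference Dacl here. */
      *AccessStatus = STATUS_SUCCESS;
      *GrantedAccess = CurrentAccess | DesiredAccess;
      return(TRUE);
    }

  /* Walk the ACEs, staying inside the ACL's declared size.  An ACE that
   * does not fit is treated as a malformed DACL and the request refused,
   * so a corrupt or hostile ACL cannot steer the walk past its end. */
  AclEnd = (char*)Dacl + Dacl->AclSize;
  CurrentAce = (PACE)(Dacl + 1);
  for (i = 0; i < Dacl->AceCount; i++)
    {
      if ((char*)CurrentAce + sizeof(*CurrentAce) > AclEnd ||
          CurrentAce->Header.AceSize < sizeof(*CurrentAce) ||
          (char*)CurrentAce + CurrentAce->Header.AceSize > AclEnd)
        {
          *AccessStatus = STATUS_ACCESS_DENIED;
          *GrantedAccess = 0;
          return(FALSE);
        }

      /* The SID immediately follows the ACE header and access mask. */
      Sid = (PSID)(CurrentAce + 1);

      if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
        {
          if (SepSidInToken(Token, Sid))
            {
              *AccessStatus = STATUS_ACCESS_DENIED;
              *GrantedAccess = 0;
              return(FALSE);
            }
        }
      else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
        {
          if (SepSidInToken(Token, Sid))
            {
              CurrentAccess |= CurrentAce->AccessMask;
            }
        }
      /* Other ACE types (e.g. audit ACEs) do not affect the decision. */

      /* ACEs are variable length: step by the size recorded in the header
       * rather than re-reading the first ACE on every iteration. */
      CurrentAce = (PACE)((char*)CurrentAce + CurrentAce->Header.AceSize);
    }

  /* Access is granted only when every requested right is covered by the
   * accumulated mask.  (A test of the form
   * !(Current & Desired) && !(~Current & Desired) is true only for an empty
   * request and would grant any non-empty request regardless of the DACL.) */
  if ((DesiredAccess & ~CurrentAccess) != 0)
    {
      *AccessStatus = STATUS_ACCESS_DENIED;
      *GrantedAccess = 0;
      return(FALSE);
    }

  *AccessStatus = STATUS_SUCCESS;
  *GrantedAccess = CurrentAccess;
  return(TRUE);
}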