3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/semgr.c
6 * PURPOSE: Security manager
8 * PROGRAMMERS: No programmer listed.
11 /* INCLUDES *****************************************************************/
15 #include <internal/debug.h>
17 /* GLOBALS ******************************************************************/
19 PSE_EXPORTS SeExports
= NULL
;
20 SE_EXPORTS SepExports
;
22 static ERESOURCE SepSubjectContextLock
;
23 extern ULONG ExpInitializationPhase
;
26 /* PROTOTYPES ***************************************************************/
28 static BOOLEAN
SepInitExports(VOID
);
30 /* FUNCTIONS ****************************************************************/
34 SepInitializationPhase0(VOID
)
36 DPRINT1("FIXME: SeAccessCheck has been HACKED to always grant access!\n");
37 DPRINT1("FIXME: Please fix all the code that doesn't get proper rights!\n");
40 if (!SepInitSecurityIDs()) return FALSE
;
41 if (!SepInitDACLs()) return FALSE
;
42 if (!SepInitSDs()) return FALSE
;
44 if (!SepInitExports()) return FALSE
;
46 /* Initialize the subject context lock */
47 ExInitializeResource(&SepSubjectContextLock
);
49 /* Initialize token objects */
50 SepInitializeTokenImplementation();
52 /* Clear impersonation info for the idle thread */
53 PsGetCurrentThread()->ImpersonationInfo
= NULL
;
54 PspClearCrossThreadFlag(PsGetCurrentThread(),
55 CT_ACTIVE_IMPERSONATION_INFO_BIT
);
57 /* Initialize the boot token */
58 ObInitializeFastReference(&PsGetCurrentProcess()->Token
, NULL
);
59 ObInitializeFastReference(&PsGetCurrentProcess()->Token
,
60 SepCreateSystemProcessToken());
66 SepInitializationPhase1(VOID
)
71 /* Insert the system token into the tree */
72 Status
= ObInsertObject((PVOID
)(PsGetCurrentProcess()->Token
.Value
&
79 ASSERT(NT_SUCCESS(Status
));
81 /* FIXME: TODO \\ Security directory */
89 /* Check the initialization phase */
90 switch (ExpInitializationPhase
)
95 return SepInitializationPhase0();
100 return SepInitializationPhase1();
104 /* Don't know any other phase! Bugcheck! */
105 KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL
,
107 ExpInitializationPhase
,
118 OBJECT_ATTRIBUTES ObjectAttributes
;
120 HANDLE DirectoryHandle
;
124 /* Create '\Security' directory */
125 RtlInitUnicodeString(&Name
,
127 InitializeObjectAttributes(&ObjectAttributes
,
132 Status
= ZwCreateDirectoryObject(&DirectoryHandle
,
133 DIRECTORY_ALL_ACCESS
,
135 if (!NT_SUCCESS(Status
))
137 DPRINT1("Failed to create 'Security' directory!\n");
141 /* Create 'LSA_AUTHENTICATION_INITALIZED' event */
142 RtlInitUnicodeString(&Name
,
143 L
"\\LSA_AUTHENTICATION_INITALIZED");
144 InitializeObjectAttributes(&ObjectAttributes
,
149 Status
= ZwCreateEvent(&EventHandle
,
152 SynchronizationEvent
,
154 if (!NT_SUCCESS(Status
))
156 DPRINT1("Failed to create 'LSA_AUTHENTICATION_INITALIZED' event!\n");
157 NtClose(DirectoryHandle
);
161 ZwClose(EventHandle
);
162 ZwClose(DirectoryHandle
);
164 /* FIXME: Create SRM port and listener thread */
170 static BOOLEAN INIT_FUNCTION
173 SepExports
.SeCreateTokenPrivilege
= SeCreateTokenPrivilege
;
174 SepExports
.SeAssignPrimaryTokenPrivilege
= SeAssignPrimaryTokenPrivilege
;
175 SepExports
.SeLockMemoryPrivilege
= SeLockMemoryPrivilege
;
176 SepExports
.SeIncreaseQuotaPrivilege
= SeIncreaseQuotaPrivilege
;
177 SepExports
.SeUnsolicitedInputPrivilege
= SeUnsolicitedInputPrivilege
;
178 SepExports
.SeTcbPrivilege
= SeTcbPrivilege
;
179 SepExports
.SeSecurityPrivilege
= SeSecurityPrivilege
;
180 SepExports
.SeTakeOwnershipPrivilege
= SeTakeOwnershipPrivilege
;
181 SepExports
.SeLoadDriverPrivilege
= SeLoadDriverPrivilege
;
182 SepExports
.SeCreatePagefilePrivilege
= SeCreatePagefilePrivilege
;
183 SepExports
.SeIncreaseBasePriorityPrivilege
= SeIncreaseBasePriorityPrivilege
;
184 SepExports
.SeSystemProfilePrivilege
= SeSystemProfilePrivilege
;
185 SepExports
.SeSystemtimePrivilege
= SeSystemtimePrivilege
;
186 SepExports
.SeProfileSingleProcessPrivilege
= SeProfileSingleProcessPrivilege
;
187 SepExports
.SeCreatePermanentPrivilege
= SeCreatePermanentPrivilege
;
188 SepExports
.SeBackupPrivilege
= SeBackupPrivilege
;
189 SepExports
.SeRestorePrivilege
= SeRestorePrivilege
;
190 SepExports
.SeShutdownPrivilege
= SeShutdownPrivilege
;
191 SepExports
.SeDebugPrivilege
= SeDebugPrivilege
;
192 SepExports
.SeAuditPrivilege
= SeAuditPrivilege
;
193 SepExports
.SeSystemEnvironmentPrivilege
= SeSystemEnvironmentPrivilege
;
194 SepExports
.SeChangeNotifyPrivilege
= SeChangeNotifyPrivilege
;
195 SepExports
.SeRemoteShutdownPrivilege
= SeRemoteShutdownPrivilege
;
197 SepExports
.SeNullSid
= SeNullSid
;
198 SepExports
.SeWorldSid
= SeWorldSid
;
199 SepExports
.SeLocalSid
= SeLocalSid
;
200 SepExports
.SeCreatorOwnerSid
= SeCreatorOwnerSid
;
201 SepExports
.SeCreatorGroupSid
= SeCreatorGroupSid
;
202 SepExports
.SeNtAuthoritySid
= SeNtAuthoritySid
;
203 SepExports
.SeDialupSid
= SeDialupSid
;
204 SepExports
.SeNetworkSid
= SeNetworkSid
;
205 SepExports
.SeBatchSid
= SeBatchSid
;
206 SepExports
.SeInteractiveSid
= SeInteractiveSid
;
207 SepExports
.SeLocalSystemSid
= SeLocalSystemSid
;
208 SepExports
.SeAliasAdminsSid
= SeAliasAdminsSid
;
209 SepExports
.SeAliasUsersSid
= SeAliasUsersSid
;
210 SepExports
.SeAliasGuestsSid
= SeAliasGuestsSid
;
211 SepExports
.SeAliasPowerUsersSid
= SeAliasPowerUsersSid
;
212 SepExports
.SeAliasAccountOpsSid
= SeAliasAccountOpsSid
;
213 SepExports
.SeAliasSystemOpsSid
= SeAliasSystemOpsSid
;
214 SepExports
.SeAliasPrintOpsSid
= SeAliasPrintOpsSid
;
215 SepExports
.SeAliasBackupOpsSid
= SeAliasBackupOpsSid
;
216 SepExports
.SeAuthenticatedUsersSid
= SeAuthenticatedUsersSid
;
217 SepExports
.SeRestrictedSid
= SeRestrictedSid
;
218 SepExports
.SeAnonymousLogonSid
= SeAnonymousLogonSid
;
220 SepExports
.SeUndockPrivilege
= SeUndockPrivilege
;
221 SepExports
.SeSyncAgentPrivilege
= SeSyncAgentPrivilege
;
222 SepExports
.SeEnableDelegationPrivilege
= SeEnableDelegationPrivilege
;
224 SeExports
= &SepExports
;
229 VOID
SepReferenceLogonSession(PLUID AuthenticationId
)
234 VOID
SepDeReferenceLogonSession(PLUID AuthenticationId
)
241 SeDefaultObjectMethod(PVOID Object
,
242 SECURITY_OPERATION_CODE OperationType
,
243 PSECURITY_INFORMATION _SecurityInformation
,
244 PSECURITY_DESCRIPTOR _SecurityDescriptor
,
246 PSECURITY_DESCRIPTOR
*OldSecurityDescriptor
,
248 PGENERIC_MAPPING GenericMapping
)
250 PISECURITY_DESCRIPTOR ObjectSd
;
251 PISECURITY_DESCRIPTOR NewSd
;
252 PISECURITY_DESCRIPTOR SecurityDescriptor
= _SecurityDescriptor
;
253 POBJECT_HEADER Header
= OBJECT_TO_OBJECT_HEADER(Object
);
258 ULONG OwnerLength
= 0;
259 ULONG GroupLength
= 0;
260 ULONG DaclLength
= 0;
261 ULONG SaclLength
= 0;
265 SECURITY_INFORMATION SecurityInformation
;
267 if (OperationType
== SetSecurityDescriptor
)
269 ObjectSd
= Header
->SecurityDescriptor
;
270 SecurityInformation
= *_SecurityInformation
;
272 /* Get owner and owner size */
273 if (SecurityInformation
& OWNER_SECURITY_INFORMATION
)
275 if (SecurityDescriptor
->Owner
!= NULL
)
277 if( SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
278 Owner
= (PSID
)((ULONG_PTR
)SecurityDescriptor
->Owner
+
279 (ULONG_PTR
)SecurityDescriptor
);
281 Owner
= (PSID
)SecurityDescriptor
->Owner
;
282 OwnerLength
= ROUND_UP(RtlLengthSid(Owner
), 4);
284 Control
|= (SecurityDescriptor
->Control
& SE_OWNER_DEFAULTED
);
288 if (ObjectSd
->Owner
!= NULL
)
290 Owner
= (PSID
)((ULONG_PTR
)ObjectSd
->Owner
+ (ULONG_PTR
)ObjectSd
);
291 OwnerLength
= ROUND_UP(RtlLengthSid(Owner
), 4);
293 Control
|= (ObjectSd
->Control
& SE_OWNER_DEFAULTED
);
296 /* Get group and group size */
297 if (SecurityInformation
& GROUP_SECURITY_INFORMATION
)
299 if (SecurityDescriptor
->Group
!= NULL
)
301 if( SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
302 Group
= (PSID
)((ULONG_PTR
)SecurityDescriptor
->Group
+
303 (ULONG_PTR
)SecurityDescriptor
);
305 Group
= (PSID
)SecurityDescriptor
->Group
;
306 GroupLength
= ROUND_UP(RtlLengthSid(Group
), 4);
308 Control
|= (SecurityDescriptor
->Control
& SE_GROUP_DEFAULTED
);
312 if (ObjectSd
->Group
!= NULL
)
314 Group
= (PSID
)((ULONG_PTR
)ObjectSd
->Group
+ (ULONG_PTR
)ObjectSd
);
315 GroupLength
= ROUND_UP(RtlLengthSid(Group
), 4);
317 Control
|= (ObjectSd
->Control
& SE_GROUP_DEFAULTED
);
320 /* Get DACL and DACL size */
321 if (SecurityInformation
& DACL_SECURITY_INFORMATION
)
323 if ((SecurityDescriptor
->Control
& SE_DACL_PRESENT
) &&
324 (SecurityDescriptor
->Dacl
!= NULL
))
326 if( SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
327 Dacl
= (PACL
)((ULONG_PTR
)SecurityDescriptor
->Dacl
+
328 (ULONG_PTR
)SecurityDescriptor
);
330 Dacl
= (PACL
)SecurityDescriptor
->Dacl
;
332 DaclLength
= ROUND_UP((ULONG
)Dacl
->AclSize
, 4);
334 Control
|= (SecurityDescriptor
->Control
& (SE_DACL_DEFAULTED
| SE_DACL_PRESENT
));
338 if ((ObjectSd
->Control
& SE_DACL_PRESENT
) &&
339 (ObjectSd
->Dacl
!= NULL
))
341 Dacl
= (PACL
)((ULONG_PTR
)ObjectSd
->Dacl
+ (ULONG_PTR
)ObjectSd
);
342 DaclLength
= ROUND_UP((ULONG
)Dacl
->AclSize
, 4);
344 Control
|= (ObjectSd
->Control
& (SE_DACL_DEFAULTED
| SE_DACL_PRESENT
));
347 /* Get SACL and SACL size */
348 if (SecurityInformation
& SACL_SECURITY_INFORMATION
)
350 if ((SecurityDescriptor
->Control
& SE_SACL_PRESENT
) &&
351 (SecurityDescriptor
->Sacl
!= NULL
))
353 if( SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
354 Sacl
= (PACL
)((ULONG_PTR
)SecurityDescriptor
->Sacl
+
355 (ULONG_PTR
)SecurityDescriptor
);
357 Sacl
= (PACL
)SecurityDescriptor
->Sacl
;
358 SaclLength
= ROUND_UP((ULONG
)Sacl
->AclSize
, 4);
360 Control
|= (SecurityDescriptor
->Control
& (SE_SACL_DEFAULTED
| SE_SACL_PRESENT
));
364 if ((ObjectSd
->Control
& SE_SACL_PRESENT
) &&
365 (ObjectSd
->Sacl
!= NULL
))
367 Sacl
= (PACL
)((ULONG_PTR
)ObjectSd
->Sacl
+ (ULONG_PTR
)ObjectSd
);
368 SaclLength
= ROUND_UP((ULONG
)Sacl
->AclSize
, 4);
370 Control
|= (ObjectSd
->Control
& (SE_SACL_DEFAULTED
| SE_SACL_PRESENT
));
373 NewSd
= ExAllocatePool(NonPagedPool
,
374 sizeof(SECURITY_DESCRIPTOR
) + OwnerLength
+ GroupLength
+
375 DaclLength
+ SaclLength
);
378 ObDereferenceObject(Object
);
379 return STATUS_INSUFFICIENT_RESOURCES
;
382 RtlCreateSecurityDescriptor(NewSd
,
383 SECURITY_DESCRIPTOR_REVISION1
);
384 /* We always build a self-relative descriptor */
385 NewSd
->Control
= (USHORT
)Control
| SE_SELF_RELATIVE
;
387 Current
= (ULONG_PTR
)NewSd
+ sizeof(SECURITY_DESCRIPTOR
);
389 if (OwnerLength
!= 0)
391 RtlCopyMemory((PVOID
)Current
,
394 NewSd
->Owner
= (PSID
)(Current
- (ULONG_PTR
)NewSd
);
395 Current
+= OwnerLength
;
398 if (GroupLength
!= 0)
400 RtlCopyMemory((PVOID
)Current
,
403 NewSd
->Group
= (PSID
)(Current
- (ULONG_PTR
)NewSd
);
404 Current
+= GroupLength
;
409 RtlCopyMemory((PVOID
)Current
,
412 NewSd
->Dacl
= (PACL
)(Current
- (ULONG_PTR
)NewSd
);
413 Current
+= DaclLength
;
418 RtlCopyMemory((PVOID
)Current
,
421 NewSd
->Sacl
= (PACL
)(Current
- (ULONG_PTR
)NewSd
);
422 Current
+= SaclLength
;
426 Status
= ObpAddSecurityDescriptor(NewSd
,
427 &Header
->SecurityDescriptor
);
428 if (NT_SUCCESS(Status
))
430 /* Remove the old security descriptor */
431 ObpRemoveSecurityDescriptor(ObjectSd
);
435 /* Restore the old security descriptor */
436 Header
->SecurityDescriptor
= ObjectSd
;
441 else if (OperationType
== QuerySecurityDescriptor
)
443 Status
= SeQuerySecurityDescriptorInfo(_SecurityInformation
,
446 &Header
->SecurityDescriptor
);
448 else if (OperationType
== AssignSecurityDescriptor
)
450 /* Assign the security descriptor to the object header */
451 Status
= ObpAddSecurityDescriptor(SecurityDescriptor
,
452 &Header
->SecurityDescriptor
);
456 return STATUS_SUCCESS
;
461 SeCaptureSubjectContextEx(IN PETHREAD Thread
,
462 IN PEPROCESS Process
,
463 OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
)
465 BOOLEAN CopyOnOpen
, EffectiveOnly
;
468 /* Save the unique ID */
469 SubjectContext
->ProcessAuditId
= Process
->UniqueProcessId
;
471 /* Check if we have a thread */
474 /* We don't, so no token */
475 SubjectContext
->ClientToken
= NULL
;
479 /* Get the impersonation token */
480 SubjectContext
->ClientToken
=
481 PsReferenceImpersonationToken(Thread
,
484 &SubjectContext
->ImpersonationLevel
);
487 /* Get the primary token */
488 SubjectContext
->PrimaryToken
= PsReferencePrimaryToken(Process
);
496 SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
)
498 /* Call the internal API */
499 SeCaptureSubjectContextEx(PsGetCurrentThread(),
500 PsGetCurrentProcess(),
509 SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext
)
513 KeEnterCriticalRegion();
514 ExAcquireResourceExclusiveLite(&SepSubjectContextLock
, TRUE
);
522 SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext
)
526 ExReleaseResourceLite(&SepSubjectContextLock
);
527 KeLeaveCriticalRegion();
535 SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext
)
539 if (SubjectContext
->PrimaryToken
!= NULL
)
541 ObFastDereferenceObject(&PsGetCurrentProcess()->Token
, SubjectContext
->PrimaryToken
);
544 if (SubjectContext
->ClientToken
!= NULL
)
546 ObDereferenceObject(SubjectContext
->ClientToken
);
555 SeDeassignSecurity(PSECURITY_DESCRIPTOR
*SecurityDescriptor
)
559 if (*SecurityDescriptor
!= NULL
)
561 ExFreePool(*SecurityDescriptor
);
562 *SecurityDescriptor
= NULL
;
565 return STATUS_SUCCESS
;
573 SeAssignSecurityEx(IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL
,
574 IN PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL
,
575 OUT PSECURITY_DESCRIPTOR
*NewDescriptor
,
576 IN GUID
*ObjectType OPTIONAL
,
577 IN BOOLEAN IsDirectoryObject
,
578 IN ULONG AutoInheritFlags
,
579 IN PSECURITY_SUBJECT_CONTEXT SubjectContext
,
580 IN PGENERIC_MAPPING GenericMapping
,
581 IN POOL_TYPE PoolType
)
584 return STATUS_NOT_IMPLEMENTED
;
589 * FUNCTION: Creates a security descriptor for a new object.
592 * ExplicitDescriptor =
594 * IsDirectoryObject =
603 SeAssignSecurity(PSECURITY_DESCRIPTOR _ParentDescriptor OPTIONAL
,
604 PSECURITY_DESCRIPTOR _ExplicitDescriptor OPTIONAL
,
605 PSECURITY_DESCRIPTOR
*NewDescriptor
,
606 BOOLEAN IsDirectoryObject
,
607 PSECURITY_SUBJECT_CONTEXT SubjectContext
,
608 PGENERIC_MAPPING GenericMapping
,
611 PISECURITY_DESCRIPTOR ParentDescriptor
= _ParentDescriptor
;
612 PISECURITY_DESCRIPTOR ExplicitDescriptor
= _ExplicitDescriptor
;
613 PISECURITY_DESCRIPTOR Descriptor
;
615 ULONG OwnerLength
= 0;
616 ULONG GroupLength
= 0;
617 ULONG DaclLength
= 0;
618 ULONG SaclLength
= 0;
629 /* Lock subject context */
630 SeLockSubjectContext(SubjectContext
);
632 if (SubjectContext
->ClientToken
!= NULL
)
634 Token
= SubjectContext
->ClientToken
;
638 Token
= SubjectContext
->PrimaryToken
;
642 /* Inherit the Owner SID */
643 if (ExplicitDescriptor
!= NULL
&& ExplicitDescriptor
->Owner
!= NULL
)
645 DPRINT("Use explicit owner sid!\n");
646 Owner
= ExplicitDescriptor
->Owner
;
648 if (ExplicitDescriptor
->Control
& SE_SELF_RELATIVE
)
650 Owner
= (PSID
)(((ULONG_PTR
)Owner
) + (ULONG_PTR
)ExplicitDescriptor
);
658 DPRINT("Use token owner sid!\n");
659 Owner
= Token
->UserAndGroups
[Token
->DefaultOwnerIndex
].Sid
;
663 DPRINT("Use default owner sid!\n");
664 Owner
= SeLocalSystemSid
;
667 Control
|= SE_OWNER_DEFAULTED
;
670 OwnerLength
= ROUND_UP(RtlLengthSid(Owner
), 4);
673 /* Inherit the Group SID */
674 if (ExplicitDescriptor
!= NULL
&& ExplicitDescriptor
->Group
!= NULL
)
676 DPRINT("Use explicit group sid!\n");
677 Group
= ExplicitDescriptor
->Group
;
678 if (ExplicitDescriptor
->Control
& SE_SELF_RELATIVE
)
680 Group
= (PSID
)(((ULONG_PTR
)Group
) + (ULONG_PTR
)ExplicitDescriptor
);
687 DPRINT("Use token group sid!\n");
688 Group
= Token
->PrimaryGroup
;
692 DPRINT("Use default group sid!\n");
693 Group
= SeLocalSystemSid
;
696 Control
|= SE_OWNER_DEFAULTED
;
699 GroupLength
= ROUND_UP(RtlLengthSid(Group
), 4);
702 /* Inherit the DACL */
703 if (ExplicitDescriptor
!= NULL
&&
704 (ExplicitDescriptor
->Control
& SE_DACL_PRESENT
) &&
705 !(ExplicitDescriptor
->Control
& SE_DACL_DEFAULTED
))
707 DPRINT("Use explicit DACL!\n");
708 Dacl
= ExplicitDescriptor
->Dacl
;
709 if (Dacl
!= NULL
&& (ExplicitDescriptor
->Control
& SE_SELF_RELATIVE
))
711 Dacl
= (PACL
)(((ULONG_PTR
)Dacl
) + (ULONG_PTR
)ExplicitDescriptor
);
714 Control
|= SE_DACL_PRESENT
;
716 else if (ParentDescriptor
!= NULL
&&
717 (ParentDescriptor
->Control
& SE_DACL_PRESENT
))
719 DPRINT("Use parent DACL!\n");
721 Dacl
= ParentDescriptor
->Dacl
;
722 if (Dacl
!= NULL
&& (ParentDescriptor
->Control
& SE_SELF_RELATIVE
))
724 Dacl
= (PACL
)(((ULONG_PTR
)Dacl
) + (ULONG_PTR
)ParentDescriptor
);
726 Control
|= (SE_DACL_PRESENT
| SE_DACL_DEFAULTED
);
728 else if (Token
!= NULL
&& Token
->DefaultDacl
!= NULL
)
730 DPRINT("Use token default DACL!\n");
732 Dacl
= Token
->DefaultDacl
;
733 Control
|= (SE_DACL_PRESENT
| SE_DACL_DEFAULTED
);
737 DPRINT("Use NULL DACL!\n");
739 Control
|= (SE_DACL_PRESENT
| SE_DACL_DEFAULTED
);
742 DaclLength
= (Dacl
!= NULL
) ? ROUND_UP(Dacl
->AclSize
, 4) : 0;
745 /* Inherit the SACL */
746 if (ExplicitDescriptor
!= NULL
&&
747 (ExplicitDescriptor
->Control
& SE_SACL_PRESENT
) &&
748 !(ExplicitDescriptor
->Control
& SE_SACL_DEFAULTED
))
750 DPRINT("Use explicit SACL!\n");
751 Sacl
= ExplicitDescriptor
->Sacl
;
752 if (Sacl
!= NULL
&& (ExplicitDescriptor
->Control
& SE_SELF_RELATIVE
))
754 Sacl
= (PACL
)(((ULONG_PTR
)Sacl
) + (ULONG_PTR
)ExplicitDescriptor
);
757 Control
|= SE_SACL_PRESENT
;
759 else if (ParentDescriptor
!= NULL
&&
760 (ParentDescriptor
->Control
& SE_SACL_PRESENT
))
762 DPRINT("Use parent SACL!\n");
764 Sacl
= ParentDescriptor
->Sacl
;
765 if (Sacl
!= NULL
&& (ParentDescriptor
->Control
& SE_SELF_RELATIVE
))
767 Sacl
= (PACL
)(((ULONG_PTR
)Sacl
) + (ULONG_PTR
)ParentDescriptor
);
769 Control
|= (SE_SACL_PRESENT
| SE_SACL_DEFAULTED
);
772 SaclLength
= (Sacl
!= NULL
) ? ROUND_UP(Sacl
->AclSize
, 4) : 0;
775 /* Allocate and initialize the new security descriptor */
776 Length
= sizeof(SECURITY_DESCRIPTOR
) +
777 OwnerLength
+ GroupLength
+ DaclLength
+ SaclLength
;
779 DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %d OwnerLength %d GroupLength %d DaclLength %d SaclLength %d\n",
780 sizeof(SECURITY_DESCRIPTOR
),
786 Descriptor
= ExAllocatePool(PagedPool
,
788 if (Descriptor
== NULL
)
790 DPRINT1("ExAlloctePool() failed\n");
791 /* FIXME: Unlock subject context */
792 return STATUS_INSUFFICIENT_RESOURCES
;
795 RtlZeroMemory( Descriptor
, Length
);
796 RtlCreateSecurityDescriptor(Descriptor
,
797 SECURITY_DESCRIPTOR_REVISION
);
799 Descriptor
->Control
= (USHORT
)Control
| SE_SELF_RELATIVE
;
801 Current
= (ULONG_PTR
)Descriptor
+ sizeof(SECURITY_DESCRIPTOR
);
805 RtlCopyMemory((PVOID
)Current
,
808 Descriptor
->Sacl
= (PACL
)((ULONG_PTR
)Current
- (ULONG_PTR
)Descriptor
);
809 Current
+= SaclLength
;
814 RtlCopyMemory((PVOID
)Current
,
817 Descriptor
->Dacl
= (PACL
)((ULONG_PTR
)Current
- (ULONG_PTR
)Descriptor
);
818 Current
+= DaclLength
;
821 if (OwnerLength
!= 0)
823 RtlCopyMemory((PVOID
)Current
,
826 Descriptor
->Owner
= (PSID
)((ULONG_PTR
)Current
- (ULONG_PTR
)Descriptor
);
827 Current
+= OwnerLength
;
828 DPRINT("Owner of %x at %x\n", Descriptor
, Descriptor
->Owner
);
831 DPRINT("Owner of %x is zero length\n", Descriptor
);
833 if (GroupLength
!= 0)
835 memmove((PVOID
)Current
,
838 Descriptor
->Group
= (PSID
)((ULONG_PTR
)Current
- (ULONG_PTR
)Descriptor
);
841 /* Unlock subject context */
842 SeUnlockSubjectContext(SubjectContext
);
844 *NewDescriptor
= Descriptor
;
846 DPRINT("Descrptor %x\n", Descriptor
);
847 ASSERT(RtlLengthSecurityDescriptor(Descriptor
));
849 return STATUS_SUCCESS
;
854 SepSidInToken(PACCESS_TOKEN _Token
,
858 PTOKEN Token
= (PTOKEN
)_Token
;
862 if (Token
->UserAndGroupCount
== 0)
867 for (i
=0; i
<Token
->UserAndGroupCount
; i
++)
869 if (RtlEqualSid(Sid
, Token
->UserAndGroups
[i
].Sid
))
871 if (Token
->UserAndGroups
[i
].Attributes
& SE_GROUP_ENABLED
)
885 * FUNCTION: Determines whether the requested access rights can be granted
886 * to an object protected by a security descriptor and an object owner
888 * SecurityDescriptor = Security descriptor protecting the object
889 * SubjectSecurityContext = Subject's captured security context
890 * SubjectContextLocked = Indicates the user's subject context is locked
891 * DesiredAccess = Access rights the caller is trying to acquire
892 * PreviouslyGrantedAccess = Specified the access rights already granted
894 * GenericMapping = Generic mapping associated with the object
895 * AccessMode = Access mode used for the check
896 * GrantedAccess (OUT) = On return specifies the access granted
897 * AccessStatus (OUT) = Status indicating why access was denied
898 * RETURNS: If access was granted, returns TRUE
903 SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
904 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
,
905 IN BOOLEAN SubjectContextLocked
,
906 IN ACCESS_MASK DesiredAccess
,
907 IN ACCESS_MASK PreviouslyGrantedAccess
,
908 OUT PPRIVILEGE_SET
* Privileges
,
909 IN PGENERIC_MAPPING GenericMapping
,
910 IN KPROCESSOR_MODE AccessMode
,
911 OUT PACCESS_MASK GrantedAccess
,
912 OUT PNTSTATUS AccessStatus
)
914 LUID_AND_ATTRIBUTES Privilege
;
915 ACCESS_MASK CurrentAccess
;
927 /* Check if we didn't get an SD */
928 if (!SecurityDescriptor
)
930 /* Automatic failure */
931 *AccessStatus
= STATUS_ACCESS_DENIED
;
935 CurrentAccess
= PreviouslyGrantedAccess
;
937 if (SubjectContextLocked
== FALSE
)
939 SeLockSubjectContext(SubjectSecurityContext
);
942 Token
= SubjectSecurityContext
->ClientToken
?
943 SubjectSecurityContext
->ClientToken
: SubjectSecurityContext
->PrimaryToken
;
946 Status
= RtlGetDaclSecurityDescriptor(SecurityDescriptor
,
950 if (!NT_SUCCESS(Status
))
952 if (SubjectContextLocked
== FALSE
)
954 SeUnlockSubjectContext(SubjectSecurityContext
);
957 *AccessStatus
= Status
;
961 /* RULE 1: Grant desired access if the object is unprotected */
962 if (Present
== TRUE
&& Dacl
== NULL
)
964 if (SubjectContextLocked
== FALSE
)
966 SeUnlockSubjectContext(SubjectSecurityContext
);
969 *GrantedAccess
= DesiredAccess
;
970 *AccessStatus
= STATUS_SUCCESS
;
974 CurrentAccess
= PreviouslyGrantedAccess
;
976 /* RULE 2: Check token for 'take ownership' privilege */
977 Privilege
.Luid
= SeTakeOwnershipPrivilege
;
978 Privilege
.Attributes
= SE_PRIVILEGE_ENABLED
;
980 if (SepPrivilegeCheck(Token
,
983 PRIVILEGE_SET_ALL_NECESSARY
,
986 CurrentAccess
|= WRITE_OWNER
;
987 if (DesiredAccess
== CurrentAccess
)
989 if (SubjectContextLocked
== FALSE
)
991 SeUnlockSubjectContext(SubjectSecurityContext
);
994 *GrantedAccess
= CurrentAccess
;
995 *AccessStatus
= STATUS_SUCCESS
;
1000 /* RULE 3: Check whether the token is the owner */
1001 Status
= RtlGetOwnerSecurityDescriptor(SecurityDescriptor
,
1004 if (!NT_SUCCESS(Status
))
1006 DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status
);
1007 if (SubjectContextLocked
== FALSE
)
1009 SeUnlockSubjectContext(SubjectSecurityContext
);
1012 *AccessStatus
= Status
;
1016 if (Sid
&& SepSidInToken(Token
, Sid
))
1018 CurrentAccess
|= (READ_CONTROL
| WRITE_DAC
);
1019 if (DesiredAccess
== CurrentAccess
)
1021 if (SubjectContextLocked
== FALSE
)
1023 SeUnlockSubjectContext(SubjectSecurityContext
);
1026 *GrantedAccess
= CurrentAccess
;
1027 *AccessStatus
= STATUS_SUCCESS
;
1032 /* Fail if DACL is absent */
1033 if (Present
== FALSE
)
1035 if (SubjectContextLocked
== FALSE
)
1037 SeUnlockSubjectContext(SubjectSecurityContext
);
1041 *AccessStatus
= STATUS_ACCESS_DENIED
;
1045 /* RULE 4: Grant rights according to the DACL */
1046 CurrentAce
= (PACE
)(Dacl
+ 1);
1047 for (i
= 0; i
< Dacl
->AceCount
; i
++)
1049 Sid
= (PSID
)(CurrentAce
+ 1);
1050 if (CurrentAce
->Header
.AceType
== ACCESS_DENIED_ACE_TYPE
)
1052 if (SepSidInToken(Token
, Sid
))
1054 if (SubjectContextLocked
== FALSE
)
1056 SeUnlockSubjectContext(SubjectSecurityContext
);
1060 *AccessStatus
= STATUS_ACCESS_DENIED
;
1065 else if (CurrentAce
->Header
.AceType
== ACCESS_ALLOWED_ACE_TYPE
)
1067 if (SepSidInToken(Token
, Sid
))
1069 CurrentAccess
|= CurrentAce
->AccessMask
;
1073 DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce
->Header
.AceType
);
1074 CurrentAce
= (PACE
)((ULONG_PTR
)CurrentAce
+ CurrentAce
->Header
.AceSize
);
1077 if (SubjectContextLocked
== FALSE
)
1079 SeUnlockSubjectContext(SubjectSecurityContext
);
1082 DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
1083 CurrentAccess
, DesiredAccess
);
1085 *GrantedAccess
= CurrentAccess
& DesiredAccess
;
1087 if (*GrantedAccess
== DesiredAccess
)
1089 *AccessStatus
= STATUS_SUCCESS
;
1094 *AccessStatus
= STATUS_SUCCESS
;
1095 DPRINT("FIX caller rights (granted 0x%lx, desired 0x%lx)!\n",
1096 *GrantedAccess
, DesiredAccess
);
1097 return TRUE
; /* FIXME: should be FALSE */
1103 NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
1104 IN HANDLE TokenHandle
,
1105 IN ACCESS_MASK DesiredAccess
,
1106 IN PGENERIC_MAPPING GenericMapping
,
1107 OUT PPRIVILEGE_SET PrivilegeSet
,
1108 OUT PULONG ReturnLength
,
1109 OUT PACCESS_MASK GrantedAccess
,
1110 OUT PNTSTATUS AccessStatus
)
1112 SECURITY_SUBJECT_CONTEXT SubjectSecurityContext
= {0};
1113 KPROCESSOR_MODE PreviousMode
;
1119 DPRINT("NtAccessCheck() called\n");
1121 PreviousMode
= KeGetPreviousMode();
1122 if (PreviousMode
== KernelMode
)
1124 *GrantedAccess
= DesiredAccess
;
1125 *AccessStatus
= STATUS_SUCCESS
;
1126 return STATUS_SUCCESS
;
1129 Status
= ObReferenceObjectByHandle(TokenHandle
,
1135 if (!NT_SUCCESS(Status
))
1137 DPRINT1("Failed to reference token (Status %lx)\n", Status
);
1141 /* Check token type */
1142 if (Token
->TokenType
!= TokenImpersonation
)
1144 DPRINT1("No impersonation token\n");
1145 ObDereferenceObject(Token
);
1146 return STATUS_ACCESS_VIOLATION
;
1149 /* Check impersonation level */
1150 if (Token
->ImpersonationLevel
< SecurityAnonymous
)
1152 DPRINT1("Invalid impersonation level\n");
1153 ObDereferenceObject(Token
);
1154 return STATUS_ACCESS_VIOLATION
;
1157 SubjectSecurityContext
.ClientToken
= Token
;
1158 SubjectSecurityContext
.ImpersonationLevel
= Token
->ImpersonationLevel
;
1160 /* Lock subject context */
1161 SeLockSubjectContext(&SubjectSecurityContext
);
1163 if (SeAccessCheck(SecurityDescriptor
,
1164 &SubjectSecurityContext
,
1174 Status
= *AccessStatus
;
1178 Status
= STATUS_ACCESS_DENIED
;
1181 /* Unlock subject context */
1182 SeUnlockSubjectContext(&SubjectSecurityContext
);
1184 ObDereferenceObject(Token
);
1186 DPRINT("NtAccessCheck() done\n");
1193 NtAccessCheckByType(IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
1194 IN PSID PrincipalSelfSid
,
1195 IN HANDLE ClientToken
,
1196 IN ACCESS_MASK DesiredAccess
,
1197 IN POBJECT_TYPE_LIST ObjectTypeList
,
1198 IN ULONG ObjectTypeLength
,
1199 IN PGENERIC_MAPPING GenericMapping
,
1200 IN PPRIVILEGE_SET PrivilegeSet
,
1201 IN ULONG PrivilegeSetLength
,
1202 OUT PACCESS_MASK GrantedAccess
,
1203 OUT PNTSTATUS AccessStatus
)
1206 return STATUS_NOT_IMPLEMENTED
;
1211 NtAccessCheckByTypeAndAuditAlarm(IN PUNICODE_STRING SubsystemName
,
1213 IN PUNICODE_STRING ObjectTypeName
,
1214 IN PUNICODE_STRING ObjectName
,
1215 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
1216 IN PSID PrincipalSelfSid
,
1217 IN ACCESS_MASK DesiredAccess
,
1218 IN AUDIT_EVENT_TYPE AuditType
,
1220 IN POBJECT_TYPE_LIST ObjectTypeList
,
1221 IN ULONG ObjectTypeLength
,
1222 IN PGENERIC_MAPPING GenericMapping
,
1223 IN BOOLEAN ObjectCreation
,
1224 OUT PACCESS_MASK GrantedAccess
,
1225 OUT PNTSTATUS AccessStatus
,
1226 OUT PBOOLEAN GenerateOnClose
)
1229 return STATUS_NOT_IMPLEMENTED
;
1234 NtAccessCheckByTypeResultList(IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
1235 IN PSID PrincipalSelfSid
,
1236 IN HANDLE ClientToken
,
1237 IN ACCESS_MASK DesiredAccess
,
1238 IN POBJECT_TYPE_LIST ObjectTypeList
,
1239 IN ULONG ObjectTypeLength
,
1240 IN PGENERIC_MAPPING GenericMapping
,
1241 IN PPRIVILEGE_SET PrivilegeSet
,
1242 IN ULONG PrivilegeSetLength
,
1243 OUT PACCESS_MASK GrantedAccess
,
1244 OUT PNTSTATUS AccessStatus
)
1247 return STATUS_NOT_IMPLEMENTED
;
1252 NtAccessCheckByTypeResultListAndAuditAlarm(IN PUNICODE_STRING SubsystemName
,
1254 IN PUNICODE_STRING ObjectTypeName
,
1255 IN PUNICODE_STRING ObjectName
,
1256 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
1257 IN PSID PrincipalSelfSid
,
1258 IN ACCESS_MASK DesiredAccess
,
1259 IN AUDIT_EVENT_TYPE AuditType
,
1261 IN POBJECT_TYPE_LIST ObjectTypeList
,
1262 IN ULONG ObjectTypeLength
,
1263 IN PGENERIC_MAPPING GenericMapping
,
1264 IN BOOLEAN ObjectCreation
,
1265 OUT PACCESS_MASK GrantedAccess
,
1266 OUT PNTSTATUS AccessStatus
,
1267 OUT PBOOLEAN GenerateOnClose
)
1270 return STATUS_NOT_IMPLEMENTED
;
1275 NtAccessCheckByTypeResultListAndAuditAlarmByHandle(IN PUNICODE_STRING SubsystemName
,
1277 IN HANDLE ClientToken
,
1278 IN PUNICODE_STRING ObjectTypeName
,
1279 IN PUNICODE_STRING ObjectName
,
1280 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
1281 IN PSID PrincipalSelfSid
,
1282 IN ACCESS_MASK DesiredAccess
,
1283 IN AUDIT_EVENT_TYPE AuditType
,
1285 IN POBJECT_TYPE_LIST ObjectTypeList
,
1286 IN ULONG ObjectTypeLength
,
1287 IN PGENERIC_MAPPING GenericMapping
,
1288 IN BOOLEAN ObjectCreation
,
1289 OUT PACCESS_MASK GrantedAccess
,
1290 OUT PNTSTATUS AccessStatus
,
1291 OUT PBOOLEAN GenerateOnClose
)
1294 return STATUS_NOT_IMPLEMENTED
;
1298 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation
,
1299 OUT PACCESS_MASK DesiredAccess
)
1301 if (SecurityInformation
& (OWNER_SECURITY_INFORMATION
|
1302 GROUP_SECURITY_INFORMATION
| DACL_SECURITY_INFORMATION
))
1304 *DesiredAccess
|= READ_CONTROL
;
1306 if (SecurityInformation
& SACL_SECURITY_INFORMATION
)
1308 *DesiredAccess
|= ACCESS_SYSTEM_SECURITY
;
1313 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation
,
1314 OUT PACCESS_MASK DesiredAccess
)
1316 if (SecurityInformation
& (OWNER_SECURITY_INFORMATION
| GROUP_SECURITY_INFORMATION
))
1318 *DesiredAccess
|= WRITE_OWNER
;
1320 if (SecurityInformation
& DACL_SECURITY_INFORMATION
)
1322 *DesiredAccess
|= WRITE_DAC
;
1324 if (SecurityInformation
& SACL_SECURITY_INFORMATION
)
1326 *DesiredAccess
|= ACCESS_SYSTEM_SECURITY
;
projects / reactos.git / blob