1 /* $Id: semgr.c,v 1.17 2000/09/03 14:53:13 ekohl Exp $
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * PURPOSE: Security manager
6 * FILE: kernel/se/semgr.c
9 * 26/07/98: Added stubs for security functions
12 /* INCLUDES *****************************************************************/
14 #include <ddk/ntddk.h>
15 #include <internal/ps.h>
17 #include <internal/debug.h>
19 /* FUNCTIONS ***************************************************************/
/* Takes the authentication LUID that identifies a logon session.
 * Only the signature survives in this listing; the body is not shown, so no
 * behaviour is documented here. */
21 VOID
SepReferenceLogonSession(PLUID AuthenticationId
)
/* Counterpart of SepReferenceLogonSession, keyed by the same LUID.
 * Only the signature survives in this listing; the body is not shown.
 * NOTE(review): presumably every reference must be paired with one call
 * here - confirm against the full source. */
26 VOID
SepDeReferenceLogonSession(PLUID AuthenticationId
)
/* Audit-alarm service for a privileged service call: subsystem name, service
 * name, client token handle, the privilege set involved and whether access
 * was granted. The body is not part of this listing.
 * NOTE(review): presumably a system-service entry point (Nt prefix); if so the
 * string and privilege-set pointers come from the caller and need to be
 * probed and captured before use - confirm against the full source. */
31 NTSTATUS STDCALL
NtPrivilegedServiceAuditAlarm(
32 IN PUNICODE_STRING SubsystemName
,
33 IN PUNICODE_STRING ServiceName
,
34 IN HANDLE ClientToken
,
35 IN PPRIVILEGE_SET Privileges
,
36 IN BOOLEAN AccessGranted
)
/* Audit-alarm service for privilege use on an object. The return-type line,
 * the parameter on original line 46, the closing parenthesis and the body
 * are all missing from this listing; only the parameters below are visible.
 * NOTE(review): presumably a system-service entry point (Nt prefix); if so the
 * pointer arguments come from the caller and need probing before use -
 * confirm against the full source. */
44 NtPrivilegeObjectAuditAlarm (
45 IN PUNICODE_STRING SubsystemName
,
47 IN HANDLE ClientToken
,
48 IN ULONG DesiredAccess
,
49 IN PPRIVILEGE_SET Privileges
,
50 IN BOOLEAN AccessGranted
/* Audit-alarm service for an object open. The return-type line, the
 * parameter on original line 61, the closing parenthesis and the body are
 * missing from this listing.
 * NOTE(review): GenerateOnClose is an OUT pointer. If this is a system-service
 * entry point (Nt prefix suggests so), it has to be validated as a writable
 * caller address before anything is stored through it - confirm against the
 * full source. */
59 NtOpenObjectAuditAlarm (
60 IN PUNICODE_STRING SubsystemName
,
62 IN POBJECT_ATTRIBUTES ObjectAttributes
,
63 IN HANDLE ClientToken
,
64 IN ULONG DesiredAccess
,
65 IN ULONG GrantedAccess
,
66 IN PPRIVILEGE_SET Privileges
,
67 IN BOOLEAN ObjectCreation
,
68 IN BOOLEAN AccessGranted
,
69 OUT PBOOLEAN GenerateOnClose
/* Combined access-check and audit service. The return-type line, the closing
 * parenthesis and the body are missing: the listing jumps from original
 * line 86 to line 105.
 * NOTE(review): three results are written through OUT pointers
 * (GrantedAccess, AccessStatus, GenerateOnClose). If this is a system-service
 * entry point, each must be validated as a writable caller address, and an
 * access decision must not be reported as granted on any error path -
 * confirm against the full source. */
77 NtAccessCheckAndAuditAlarm (
78 IN PUNICODE_STRING SubsystemName
,
79 IN PHANDLE ObjectHandle
,
80 IN POBJECT_ATTRIBUTES ObjectAttributes
,
81 IN ACCESS_MASK DesiredAccess
,
82 IN PGENERIC_MAPPING GenericMapping
,
83 IN BOOLEAN ObjectCreation
,
84 OUT PULONG GrantedAccess
,
85 OUT PBOOLEAN AccessStatus
,
86 OUT PBOOLEAN GenerateOnClose
/* Audit-alarm service for an object close. The parameter on original
 * line 106 and the body are missing from this listing.
 * NOTE(review): GenerateOnClose is supplied by the caller here; whether it is
 * cross-checked against the value produced at open time cannot be seen in
 * this listing. */
105 NTSTATUS STDCALL
NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName
,
107 IN BOOLEAN GenerateOnClose
)
/* Access-check service: takes a security descriptor, a client token handle,
 * the desired access and a generic mapping, and reports through four OUT
 * pointers (PrivilegeSet, ReturnLength, GrantedAccess, AccessStatus).
 * The body is not part of this listing.
 * NOTE(review): presumably a system-service entry point (Nt prefix). If so,
 * SecurityDescriptor is caller-controlled and has to be captured and
 * validated before it is parsed, and the OUT pointers validated before any
 * store - confirm against the full source. */
112 NTSTATUS STDCALL
NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
113 IN HANDLE ClientToken
,
114 IN ACCESS_MASK DesiredAccess
,
115 IN PGENERIC_MAPPING GenericMapping
,
116 OUT PPRIVILEGE_SET PrivilegeSet
,
117 OUT PULONG ReturnLength
,
118 OUT PULONG GrantedAccess
,
119 OUT PBOOLEAN AccessStatus
)
/* Audit-alarm service for an object delete. The return-type line, the
 * parameter on original line 129, the closing parenthesis and the body are
 * missing from this listing, so no behaviour is documented here. */
127 NtDeleteObjectAuditAlarm (
128 IN PUNICODE_STRING SubsystemName
,
130 IN BOOLEAN GenerateOnClose
/*
 * FUNCTION: Drops the token references held by a captured subject context
 * ARGUMENTS:
 *        SubjectContext = Context whose PrimaryToken and ClientToken
 *                         references are released
 * NOTE: PrimaryToken is dereferenced unconditionally; ClientToken only when
 *       it is not NULL. The pointers stored in the context are left as they
 *       are, so the context must not be used or released again afterwards.
 */
VOID STDCALL
SeReleaseSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
   ObDereferenceObject(SubjectContext->PrimaryToken);

   /* No client token was recorded, nothing more to drop */
   if (SubjectContext->ClientToken == NULL)
     {
        return;
     }

   ObDereferenceObject(SubjectContext->ClientToken);
}
/* Fills SubjectContext from the calling thread: the thread's process is
 * stored as ProcessAuditId, the result of PsReferenceImpersonationToken as
 * ClientToken, and the result of PsReferencePrimaryToken as PrimaryToken.
 * The local declarations and two of the arguments passed to
 * PsReferenceImpersonationToken (original lines 158-159) are missing from
 * this listing.
 * NOTE(review): other functions in this file compare ClientToken with NULL
 * before using it, so it is presumably NULL when the thread is not
 * impersonating. Every consumer of the context has to handle that case.
 * The references taken here are the ones SeReleaseSubjectContext drops. */
147 VOID STDCALL
SeCaptureSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext
)
153 Process
= PsGetCurrentThread()->ThreadsProcess
;
155 SubjectContext
->ProcessAuditId
= Process
;
156 SubjectContext
->ClientToken
=
157 PsReferenceImpersonationToken(PsGetCurrentThread(),
160 &SubjectContext
->ImpersonationLevel
);
161 SubjectContext
->PrimaryToken
= PsReferencePrimaryToken(Process
);
/*
 * FUNCTION: Frees a security descriptor and clears the caller's pointer
 * ARGUMENTS:
 *        SecurityDescriptor = Address of the descriptor pointer; it is read
 *                             without a NULL check on the address itself
 * RETURNS: STATUS_SUCCESS in every case
 * NOTE: Resetting the pointer to NULL after ExFreePool keeps a second call
 *       from freeing the same pool block twice.
 */
NTSTATUS STDCALL
SeDeassignSecurity(PSECURITY_DESCRIPTOR* SecurityDescriptor)
{
   PSECURITY_DESCRIPTOR Current = *SecurityDescriptor;

   if (Current != NULL)
     {
        ExFreePool(Current);
        *SecurityDescriptor = NULL;
     }

   return(STATUS_SUCCESS);
}
/* Returns default security values taken from a subject context. Token is set
 * to ClientToken when that is not NULL and to PrimaryToken in the other
 * assignment (the else line itself is missing from this listing, as are
 * several parameter declarations).
 * Owner, PrimaryGroup and DefaultDacl are read from Token; ProcessOwner and
 * ProcessPrimaryGroup are read from PrimaryToken. */
175 VOID
SepGetDefaultsSubjectContext(PSECURITY_SUBJECT_CONTEXT SubjectContext
,
179 PSID
* ProcessPrimaryGroup
,
184 if (SubjectContext
->ClientToken
!= NULL
)
186 Token
= SubjectContext
->ClientToken
;
190 Token
= SubjectContext
->PrimaryToken
;
/* Owner is the entry of Token's own UserAndGroups array selected by Token's
 * own DefaultOwnerIndex; no visible line checks the index against the size
 * of the array. */
192 *Owner
= Token
->UserAndGroups
[Token
->DefaultOwnerIndex
].Sid
;
193 *PrimaryGroup
= Token
->PrimaryGroup
;
194 *DefaultDacl
= Token
->DefaultDacl
;
/* NOTE(review): the array below belongs to PrimaryToken but the index is
 * Token->DefaultOwnerIndex. When Token is the client token the index comes
 * from a different token than the array, so the wrong SID can be selected
 * and the index may lie outside the primary token's array.
 * SubjectContext->PrimaryToken->DefaultOwnerIndex looks like the intended
 * index. */
195 *ProcessOwner
= SubjectContext
->PrimaryToken
->
196 UserAndGroups
[Token
->DefaultOwnerIndex
].Sid
;
197 *ProcessPrimaryGroup
= SubjectContext
->PrimaryToken
->PrimaryGroup
;
/* ACL inheritance helper. Most of the parameter list and the body are
 * missing from this listing; what remains is two failure paths that return
 * STATUS_UNSUCCESSFUL. The condition guarding the first one (original lines
 * 208-210) is not shown. */
200 NTSTATUS
SepInheritAcl(PACL Acl
,
201 BOOLEAN IsDirectoryObject
,
207 PGENERIC_MAPPING GenericMapping
)
211 return(STATUS_UNSUCCESSFUL
);
/* Only ACL revisions 2 and 3 are accepted; anything else is rejected before
 * the ACL is looked at further. */
213 if (Acl
->AclRevision
!= 2 &&
214 Acl
->AclRevision
!= 3 )
216 return(STATUS_UNSUCCESSFUL
);
/* Builds the security descriptor for a new object from a parent descriptor,
 * an optional explicit descriptor and the defaults of the subject context.
 * Large parts of the function (remaining parameters, local declarations,
 * braces, everything after the SACL handling) are missing from this listing;
 * the notes below cover only the visible lines. */
222 NTSTATUS STDCALL
SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor
,
223 PSECURITY_DESCRIPTOR ExplicitDescriptor
,
224 PSECURITY_DESCRIPTOR
* NewDescriptor
,
225 BOOLEAN IsDirectoryObject
,
226 PSECURITY_SUBJECT_CONTEXT SubjectContext
,
227 PGENERIC_MAPPING GenericMapping
,
231 PSECURITY_DESCRIPTOR Descriptor
;
236 PSID ProcessPrimaryGroup
;
239 if (ExplicitDescriptor
== NULL
)
/* NOTE(review): &Descriptor is the address of the local pointer variable, not
 * of descriptor storage, and no allocation is visible in this listing. The
 * call would then initialise the pointer's own stack slot as a descriptor
 * and the later Descriptor->Control reads would go through whatever value
 * ends up there - confirm against the full source. */
241 RtlCreateSecurityDescriptor(&Descriptor
, 1);
245 Descriptor
= ExplicitDescriptor
;
/* The subject context is locked before its defaults are read. The matching
 * unlock is not within the visible lines. */
247 SeLockSubjectContext(SubjectContext
);
248 SepGetDefaultsSubjectContext(SubjectContext
,
253 &ProcessPrimaryGroup
);
254 if (Descriptor
->Control
& SE_SACL_PRESENT
||
255 Descriptor
->Control
& SE_SACL_DEFAULTED
)
257 if (ParentDescriptor
== NULL
)
/* NOTE(review): the condition below ends in a dangling "||" before the
 * closing parenthesis, which does not compile as shown. It may be an
 * unfinished expression in the original or damage from the listing. */
260 if (Descriptor
->Control
& SE_SACL_PRESENT
||
261 Descriptor
->Sacl
== NULL
||)
267 Sacl
= Descriptor
->Sacl
;
268 if (Descriptor
->Control
& SE_SELF_RELATIVE
)
/* NOTE(review): for a self-relative descriptor the Sacl field is presumably an
 * offset from the start of the descriptor. The expression below adds two
 * pointers, which is not valid C; the conversion needs the descriptor's base
 * address plus the offset as an integer, and the result should be checked to
 * lie inside the descriptor before it is dereferenced. */
270 Sacl
= (PACL
)(((PVOID
)Sacl
) + (PVOID
)Descriptor
);
/* Searches Token->UserAndGroups[0 .. UserAndGroupCount - 1] for an entry
 * whose SID equals Sid (RtlEqualSid). The Sid parameter declaration, the
 * return statements and part of the inner condition are missing from this
 * listing, so the exact result for each case cannot be stated here.
 * NOTE(review): Token is dereferenced without a NULL check, and SeAccessCheck
 * in this file passes SubjectSecurityContext->ClientToken, which other
 * functions treat as possibly NULL. */
286 BOOLEAN
SepSidInToken(PACCESS_TOKEN Token
,
291 if (Token
->UserAndGroupCount
== 0)
296 for (i
=0; i
<Token
->UserAndGroupCount
; i
++)
298 if (RtlEqualSid(Sid
, Token
->UserAndGroups
[i
].Sid
))
/* NOTE(review): this sub-expression is true when SE_GROUP_ENABLED is NOT set.
 * The first half of the condition (original line 300) and the value returned
 * are not shown; confirm that a group which is present but disabled is not
 * reported as a match, since that would let a disabled group satisfy an
 * allow ACE. */
301 (!(Token
->UserAndGroups
[i
].Attributes
& SE_GROUP_ENABLED
)))
/*
 * SeAccessCheck walks the DACL of SecurityDescriptor and accumulates the
 * access mask granted to the subject, starting from PreviouslyGrantedAccess.
 * This listing omits several original lines (comment delimiters, local
 * declarations, braces, some call arguments), so the notes here cover only
 * what is visible.
 *
 * NOTE(review): the function is declared BOOLEAN and its header says it
 * returns TRUE when access is granted, but both visible return statements
 * are return(STATUS_SUCCESS). STATUS_SUCCESS is 0, i.e. FALSE, so a caller
 * that relies on the return value sees a denial on those paths while a
 * caller that reads *AccessStatus may see success. The two results should
 * agree.
 *
 * NOTE(review): GrantedAccess is typed PACCESS_MODE but receives the
 * ACCESS_MASK value CurrentAccess; presumably PACCESS_MASK was intended -
 * confirm.
 *
 * NOTE(review): GenericMapping, AccessMode, Privileges and
 * SubjectContextLocked are not referenced in the visible lines.
 */
311 BOOLEAN STDCALL
SeAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
312 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
,
313 IN BOOLEAN SubjectContextLocked
,
314 IN ACCESS_MASK DesiredAccess
,
315 IN ACCESS_MASK PreviouslyGrantedAccess
,
316 OUT PPRIVILEGE_SET
* Privileges
,
317 IN PGENERIC_MAPPING GenericMapping
,
318 IN KPROCESSOR_MODE AccessMode
,
319 OUT PACCESS_MODE GrantedAccess
,
320 OUT PNTSTATUS AccessStatus
)
322 * FUNCTION: Determines whether the requested access rights can be granted
323 * to an object protected by a security descriptor and an object owner
325 * SecurityDescriptor = Security descriptor protecting the object
326 * SubjectSecurityContext = Subject's captured security context
327 * SubjectContextLocked = Indicates the user's subject context is locked
328 * DesiredAccess = Access rights the caller is trying to acquire
329 * PreviouslyGrantedAccess = Specified the access rights already granted
331 * GenericMapping = Generic mapping associated with the object
332 * AccessMode = Access mode used for the check
333 * GrantedAccess (OUT) = On return specifies the access granted
334 * AccessStatus (OUT) = Status indicating why access was denied
335 * RETURNS: If access was granted, returns TRUE
345 ACCESS_MASK CurrentAccess
;
/* Rights the caller already holds are the starting point of the result. */
347 CurrentAccess
= PreviouslyGrantedAccess
;
350 * Ignore the SACL for now
356 Status
= RtlGetDaclSecurityDescriptor(SecurityDescriptor
,
360 if (!NT_SUCCESS(Status
))
/* The first ACE is taken to start directly behind the ACL header. The visible
 * lines neither advance CurrentAce inside the loop nor check the walk against
 * the size of the ACL; AceCount is used as given. Whether Dacl can be NULL
 * at this point (descriptor without a DACL) is also not visible - TODO
 * confirm all three against the full source. */
365 CurrentAce
= (PACE
)(Dacl
+ 1);
366 for (i
= 0; i
< Dacl
->AceCount
; i
++)
/* The SID is read from directly behind the ACE structure. */
368 Sid
= (PSID
)(CurrentAce
+ 1);
/* NOTE(review): only ClientToken is consulted, here and for allow ACEs below.
 * Other functions in this file compare ClientToken with NULL before use, so
 * it is presumably NULL when the thread is not impersonating, and
 * SepSidInToken dereferences its Token argument without a check. Falling
 * back to PrimaryToken, as SepGetDefaultsSubjectContext does, would cover
 * that case.
 * NOTE(review): no visible line compares the deny ACE's mask with
 * DesiredAccess, so a matching deny ACE appears to reject the whole request
 * regardless of which rights it names; *GrantedAccess is not visibly set on
 * this path either. */
369 if (CurrentAce
->Header
.AceType
== ACCESS_DENIED_ACE_TYPE
)
371 if (SepSidInToken(SubjectSecurityContext
->ClientToken
, Sid
))
373 *AccessStatus
= STATUS_ACCESS_DENIED
;
375 return(STATUS_SUCCESS
);
/* Allow ACE for a SID in the token: its mask is OR-ed into the result. */
378 if (CurrentAce
->Header
.AceType
== ACCESS_ALLOWED_ACE_TYPE
)
380 if (SepSidInToken(SubjectSecurityContext
->ClientToken
, Sid
))
382 CurrentAccess
= CurrentAccess
|
383 CurrentAce
->Header
.AccessMask
;
/* NOTE(review): (CurrentAccess & DesiredAccess) == 0 and
 * (~CurrentAccess & DesiredAccess) == 0 can both hold only when
 * DesiredAccess is 0. Any non-zero request therefore skips the denial and,
 * on what is presumably the else branch (its else line is not shown),
 * receives STATUS_SUCCESS even if some requested bits were never granted.
 * The usual test is (CurrentAccess & DesiredAccess) == DesiredAccess. */
387 if (!(CurrentAccess
& DesiredAccess
) &&
388 !((~CurrentAccess
) & DesiredAccess
))
390 *AccessStatus
= STATUS_ACCESS_DENIED
;
394 *AccessStatus
= STATUS_SUCCESS
;
/* The accumulated mask is reported as a whole; the visible lines do not
 * restrict it to the bits that were requested. */
396 *GrantedAccess
= CurrentAccess
;
398 return(STATUS_SUCCESS
);