1 /* $Id: semgr.c,v 1.39 2004/08/03 19:20:39 ion Exp $
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * PURPOSE: Security manager
6 * FILE: kernel/se/semgr.c
9 * 26/07/98: Added stubs for security functions
12 /* INCLUDES *****************************************************************/
14 #include <ddk/ntddk.h>
15 #include <internal/ps.h>
16 #include <internal/se.h>
19 #include <internal/debug.h>
21 #define TAG_SXPT TAG('S', 'X', 'P', 'T')
24 /* GLOBALS ******************************************************************/
26 PSE_EXPORTS EXPORTED SeExports
= NULL
;
29 /* PROTOTYPES ***************************************************************/
31 static BOOLEAN
SepInitExports(VOID
);
33 /* FUNCTIONS ****************************************************************/
41 if (!SepInitSecurityIDs())
52 if (!SepInitExports())
62 SepInitializeTokenImplementation();
71 OBJECT_ATTRIBUTES ObjectAttributes
;
73 HANDLE DirectoryHandle
;
77 /* Create '\Security' directory */
78 RtlInitUnicodeString(&Name
,
80 InitializeObjectAttributes(&ObjectAttributes
,
85 Status
= NtCreateDirectoryObject(&DirectoryHandle
,
88 if (!NT_SUCCESS(Status
))
90 DPRINT1("Failed to create 'Security' directory!\n");
94 /* Create 'LSA_AUTHENTICATION_INITALIZED' event */
95 RtlInitUnicodeString(&Name
,
96 L
"\\LSA_AUTHENTICATION_INITALIZED");
97 InitializeObjectAttributes(&ObjectAttributes
,
102 Status
= NtCreateEvent(&EventHandle
,
107 if (!NT_SUCCESS(Status
))
109 DPRINT1("Failed to create 'LSA_AUTHENTICATION_INITALIZED' event!\n");
110 NtClose(DirectoryHandle
);
114 NtClose(EventHandle
);
115 NtClose(DirectoryHandle
);
117 /* FIXME: Create SRM port and listener thread */
123 static BOOLEAN INIT_FUNCTION
126 SeExports
= ExAllocatePoolWithTag(NonPagedPool
,
129 if (SeExports
== NULL
)
132 SeExports
->SeCreateTokenPrivilege
= SeCreateTokenPrivilege
;
133 SeExports
->SeAssignPrimaryTokenPrivilege
= SeAssignPrimaryTokenPrivilege
;
134 SeExports
->SeLockMemoryPrivilege
= SeLockMemoryPrivilege
;
135 SeExports
->SeIncreaseQuotaPrivilege
= SeIncreaseQuotaPrivilege
;
136 SeExports
->SeUnsolicitedInputPrivilege
= SeUnsolicitedInputPrivilege
;
137 SeExports
->SeTcbPrivilege
= SeTcbPrivilege
;
138 SeExports
->SeSecurityPrivilege
= SeSecurityPrivilege
;
139 SeExports
->SeTakeOwnershipPrivilege
= SeTakeOwnershipPrivilege
;
140 SeExports
->SeLoadDriverPrivilege
= SeLoadDriverPrivilege
;
141 SeExports
->SeCreatePagefilePrivilege
= SeCreatePagefilePrivilege
;
142 SeExports
->SeIncreaseBasePriorityPrivilege
= SeIncreaseBasePriorityPrivilege
;
143 SeExports
->SeSystemProfilePrivilege
= SeSystemProfilePrivilege
;
144 SeExports
->SeSystemtimePrivilege
= SeSystemtimePrivilege
;
145 SeExports
->SeProfileSingleProcessPrivilege
= SeProfileSingleProcessPrivilege
;
146 SeExports
->SeCreatePermanentPrivilege
= SeCreatePermanentPrivilege
;
147 SeExports
->SeBackupPrivilege
= SeBackupPrivilege
;
148 SeExports
->SeRestorePrivilege
= SeRestorePrivilege
;
149 SeExports
->SeShutdownPrivilege
= SeShutdownPrivilege
;
150 SeExports
->SeDebugPrivilege
= SeDebugPrivilege
;
151 SeExports
->SeAuditPrivilege
= SeAuditPrivilege
;
152 SeExports
->SeSystemEnvironmentPrivilege
= SeSystemEnvironmentPrivilege
;
153 SeExports
->SeChangeNotifyPrivilege
= SeChangeNotifyPrivilege
;
154 SeExports
->SeRemoteShutdownPrivilege
= SeRemoteShutdownPrivilege
;
156 SeExports
->SeNullSid
= SeNullSid
;
157 SeExports
->SeWorldSid
= SeWorldSid
;
158 SeExports
->SeLocalSid
= SeLocalSid
;
159 SeExports
->SeCreatorOwnerSid
= SeCreatorOwnerSid
;
160 SeExports
->SeCreatorGroupSid
= SeCreatorGroupSid
;
161 SeExports
->SeNtAuthoritySid
= SeNtAuthoritySid
;
162 SeExports
->SeDialupSid
= SeDialupSid
;
163 SeExports
->SeNetworkSid
= SeNetworkSid
;
164 SeExports
->SeBatchSid
= SeBatchSid
;
165 SeExports
->SeInteractiveSid
= SeInteractiveSid
;
166 SeExports
->SeLocalSystemSid
= SeLocalSystemSid
;
167 SeExports
->SeAliasAdminsSid
= SeAliasAdminsSid
;
168 SeExports
->SeAliasUsersSid
= SeAliasUsersSid
;
169 SeExports
->SeAliasGuestsSid
= SeAliasGuestsSid
;
170 SeExports
->SeAliasPowerUsersSid
= SeAliasPowerUsersSid
;
171 SeExports
->SeAliasAccountOpsSid
= SeAliasAccountOpsSid
;
172 SeExports
->SeAliasSystemOpsSid
= SeAliasSystemOpsSid
;
173 SeExports
->SeAliasPrintOpsSid
= SeAliasPrintOpsSid
;
174 SeExports
->SeAliasBackupOpsSid
= SeAliasBackupOpsSid
;
180 VOID
SepReferenceLogonSession(PLUID AuthenticationId
)
185 VOID
SepDeReferenceLogonSession(PLUID AuthenticationId
)
196 NtAllocateUuids(PULARGE_INTEGER Time
,
201 return(STATUS_NOT_IMPLEMENTED
);
209 SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
)
213 BOOLEAN EffectiveOnly
;
215 Thread
= PsGetCurrentThread();
218 SubjectContext
->ProcessAuditId
= 0;
219 SubjectContext
->PrimaryToken
= NULL
;
220 SubjectContext
->ClientToken
= NULL
;
221 SubjectContext
->ImpersonationLevel
= 0;
225 SubjectContext
->ProcessAuditId
= Thread
->ThreadsProcess
;
226 SubjectContext
->ClientToken
=
227 PsReferenceImpersonationToken(Thread
,
230 &SubjectContext
->ImpersonationLevel
);
231 SubjectContext
->PrimaryToken
= PsReferencePrimaryToken(Thread
->ThreadsProcess
);
240 SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext
)
250 SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext
)
252 if (SubjectContext
->PrimaryToken
!= NULL
)
254 ObDereferenceObject(SubjectContext
->PrimaryToken
);
257 if (SubjectContext
->ClientToken
!= NULL
)
259 ObDereferenceObject(SubjectContext
->ClientToken
);
268 SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext
)
278 SeDeassignSecurity(PSECURITY_DESCRIPTOR
*SecurityDescriptor
)
280 if (*SecurityDescriptor
!= NULL
)
282 ExFreePool(*SecurityDescriptor
);
283 *SecurityDescriptor
= NULL
;
286 return STATUS_SUCCESS
;
295 IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL
,
296 IN PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL
,
297 OUT PSECURITY_DESCRIPTOR
*NewDescriptor
,
298 IN GUID
*ObjectType OPTIONAL
,
299 IN BOOLEAN IsDirectoryObject
,
300 IN ULONG AutoInheritFlags
,
301 IN PSECURITY_SUBJECT_CONTEXT SubjectContext
,
302 IN PGENERIC_MAPPING GenericMapping
,
303 IN POOL_TYPE PoolType
307 return STATUS_NOT_IMPLEMENTED
;
311 * FUNCTION: Creates a security descriptor for a new object.
314 * ExplicitDescriptor =
316 * IsDirectoryObject =
325 SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL
,
326 PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL
,
327 PSECURITY_DESCRIPTOR
*NewDescriptor
,
328 BOOLEAN IsDirectoryObject
,
329 PSECURITY_SUBJECT_CONTEXT SubjectContext
,
330 PGENERIC_MAPPING GenericMapping
,
333 PSECURITY_DESCRIPTOR Descriptor
;
335 ULONG OwnerLength
= 0;
336 ULONG GroupLength
= 0;
337 ULONG DaclLength
= 0;
338 ULONG SaclLength
= 0;
347 /* FIXME: Lock subject context */
349 if (SubjectContext
->ClientToken
!= NULL
)
351 Token
= SubjectContext
->ClientToken
;
355 Token
= SubjectContext
->PrimaryToken
;
359 /* Inherit the Owner SID */
360 if (ExplicitDescriptor
!= NULL
&& ExplicitDescriptor
->Owner
!= NULL
)
362 DPRINT("Use explicit owner sid!\n");
363 Owner
= ExplicitDescriptor
->Owner
;
364 if (ExplicitDescriptor
->Control
& SE_SELF_RELATIVE
)
366 Owner
= (PSID
)(((ULONG_PTR
)Owner
) + (ULONG_PTR
)ExplicitDescriptor
);
373 DPRINT("Use token owner sid!\n");
374 Owner
= Token
->UserAndGroups
[Token
->DefaultOwnerIndex
].Sid
;
378 DPRINT("Use default owner sid!\n");
379 Owner
= SeLocalSystemSid
;
382 Control
|= SE_OWNER_DEFAULTED
;
385 OwnerLength
= ROUND_UP(RtlLengthSid(Owner
), 4);
388 /* Inherit the Group SID */
389 if (ExplicitDescriptor
!= NULL
&& ExplicitDescriptor
->Group
!= NULL
)
391 DPRINT("Use explicit group sid!\n");
392 Group
= ExplicitDescriptor
->Group
;
393 if (ExplicitDescriptor
->Control
& SE_SELF_RELATIVE
)
395 Group
= (PSID
)(((ULONG_PTR
)Group
) + (ULONG_PTR
)ExplicitDescriptor
);
402 DPRINT("Use token group sid!\n");
403 Group
= Token
->PrimaryGroup
;
407 DPRINT("Use default group sid!\n");
408 Group
= SeLocalSystemSid
;
411 Control
|= SE_OWNER_DEFAULTED
;
414 GroupLength
= ROUND_UP(RtlLengthSid(Group
), 4);
417 /* Inherit the DACL */
418 if (ExplicitDescriptor
!= NULL
&&
419 (ExplicitDescriptor
->Control
& SE_DACL_PRESENT
) &&
420 !(ExplicitDescriptor
->Control
& SE_DACL_DEFAULTED
))
422 DPRINT("Use explicit DACL!\n");
423 Dacl
= ExplicitDescriptor
->Dacl
;
424 if (Dacl
!= NULL
&& (ExplicitDescriptor
->Control
& SE_SELF_RELATIVE
))
426 Dacl
= (PACL
)(((ULONG_PTR
)Dacl
) + (ULONG_PTR
)ExplicitDescriptor
);
429 Control
|= SE_DACL_PRESENT
;
431 else if (ParentDescriptor
!= NULL
&&
432 (ParentDescriptor
->Control
& SE_DACL_PRESENT
))
434 DPRINT("Use parent DACL!\n");
436 Dacl
= ParentDescriptor
->Dacl
;
437 if (Dacl
!= NULL
&& (ParentDescriptor
->Control
& SE_SELF_RELATIVE
))
439 Dacl
= (PACL
)(((ULONG_PTR
)Dacl
) + (ULONG_PTR
)ParentDescriptor
);
441 Control
|= (SE_DACL_PRESENT
& SE_DACL_DEFAULTED
);
443 else if (Token
!= NULL
&& Token
->DefaultDacl
!= NULL
)
445 DPRINT("Use token default DACL!\n");
447 Dacl
= Token
->DefaultDacl
;
448 Control
|= (SE_DACL_PRESENT
& SE_DACL_DEFAULTED
);
452 DPRINT("Use NULL DACL!\n");
454 Control
|= (SE_DACL_PRESENT
& SE_DACL_DEFAULTED
);
457 DaclLength
= (Dacl
!= NULL
) ? ROUND_UP(Dacl
->AclSize
, 4) : 0;
460 /* Inherit the SACL */
461 if (ExplicitDescriptor
!= NULL
&&
462 (ExplicitDescriptor
->Control
& SE_SACL_PRESENT
) &&
463 !(ExplicitDescriptor
->Control
& SE_SACL_DEFAULTED
))
465 DPRINT("Use explicit SACL!\n");
466 Sacl
= ExplicitDescriptor
->Sacl
;
467 if (Sacl
!= NULL
&& (ExplicitDescriptor
->Control
& SE_SELF_RELATIVE
))
469 Sacl
= (PACL
)(((ULONG_PTR
)Sacl
) + (ULONG_PTR
)ExplicitDescriptor
);
472 Control
|= SE_SACL_PRESENT
;
474 else if (ParentDescriptor
!= NULL
&&
475 (ParentDescriptor
->Control
& SE_SACL_PRESENT
))
477 DPRINT("Use parent SACL!\n");
479 Sacl
= ParentDescriptor
->Sacl
;
480 if (Sacl
!= NULL
&& (ParentDescriptor
->Control
& SE_SELF_RELATIVE
))
482 Sacl
= (PACL
)(((ULONG_PTR
)Sacl
) + (ULONG_PTR
)ParentDescriptor
);
484 Control
|= (SE_SACL_PRESENT
& SE_SACL_DEFAULTED
);
487 SaclLength
= (Sacl
!= NULL
) ? ROUND_UP(Sacl
->AclSize
, 4) : 0;
490 /* Allocate and initialize the new security descriptor */
491 Length
= sizeof(SECURITY_DESCRIPTOR
) + OwnerLength
+ GroupLength
+ DaclLength
+ SaclLength
;
493 Descriptor
= ExAllocatePool(NonPagedPool
,
495 if (Descriptor
== NULL
)
497 DPRINT1("ExAlloctePool() failed\n");
498 /* FIXME: Unlock subject context */
499 return STATUS_INSUFFICIENT_RESOURCES
;
502 RtlCreateSecurityDescriptor(Descriptor
,
503 SECURITY_DESCRIPTOR_REVISION
);
505 Descriptor
->Control
= Control
| SE_SELF_RELATIVE
;
507 Current
= (ULONG
)Descriptor
+ sizeof(SECURITY_DESCRIPTOR
);
511 RtlCopyMemory((PVOID
)Current
,
514 Descriptor
->Sacl
= (PACL
)((ULONG
)Current
- (ULONG
)Descriptor
);
515 Current
+= SaclLength
;
520 RtlCopyMemory((PVOID
)Current
,
523 Descriptor
->Dacl
= (PACL
)((ULONG
)Current
- (ULONG
)Descriptor
);
524 Current
+= DaclLength
;
527 if (OwnerLength
!= 0)
529 RtlCopyMemory((PVOID
)Current
,
532 Descriptor
->Owner
= (PSID
)((ULONG
)Current
- (ULONG
)Descriptor
);
533 Current
+= OwnerLength
;
536 if (GroupLength
!= 0)
538 memmove((PVOID
)Current
,
541 Descriptor
->Group
= (PSID
)((ULONG
)Current
- (ULONG
)Descriptor
);
544 /* FIXME: Unlock subject context */
546 *NewDescriptor
= Descriptor
;
548 return STATUS_SUCCESS
;
553 SepSidInToken(PACCESS_TOKEN Token
,
558 if (Token
->UserAndGroupCount
== 0)
563 for (i
=0; i
<Token
->UserAndGroupCount
; i
++)
565 if (RtlEqualSid(Sid
, Token
->UserAndGroups
[i
].Sid
))
567 if (Token
->UserAndGroups
[i
].Attributes
& SE_GROUP_ENABLED
)
581 * FUNCTION: Determines whether the requested access rights can be granted
582 * to an object protected by a security descriptor and an object owner
584 * SecurityDescriptor = Security descriptor protecting the object
585 * SubjectSecurityContext = Subject's captured security context
586 * SubjectContextLocked = Indicates the user's subject context is locked
587 * DesiredAccess = Access rights the caller is trying to acquire
588 * PreviouslyGrantedAccess = Specified the access rights already granted
590 * GenericMapping = Generic mapping associated with the object
591 * AccessMode = Access mode used for the check
592 * GrantedAccess (OUT) = On return specifies the access granted
593 * AccessStatus (OUT) = Status indicating why access was denied
594 * RETURNS: If access was granted, returns TRUE
599 SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
600 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
,
601 IN BOOLEAN SubjectContextLocked
,
602 IN ACCESS_MASK DesiredAccess
,
603 IN ACCESS_MASK PreviouslyGrantedAccess
,
604 OUT PPRIVILEGE_SET
* Privileges
,
605 IN PGENERIC_MAPPING GenericMapping
,
606 IN KPROCESSOR_MODE AccessMode
,
607 OUT PACCESS_MASK GrantedAccess
,
608 OUT PNTSTATUS AccessStatus
)
610 LUID_AND_ATTRIBUTES Privilege
;
611 ACCESS_MASK CurrentAccess
;
621 CurrentAccess
= PreviouslyGrantedAccess
;
623 Token
= SubjectSecurityContext
->ClientToken
?
624 SubjectSecurityContext
->ClientToken
: SubjectSecurityContext
->PrimaryToken
;
627 Status
= RtlGetDaclSecurityDescriptor(SecurityDescriptor
,
631 if (!NT_SUCCESS(Status
))
633 *AccessStatus
= Status
;
637 /* RULE 1: Grant desired access if the object is unprotected */
640 *GrantedAccess
= DesiredAccess
;
641 *AccessStatus
= STATUS_SUCCESS
;
645 CurrentAccess
= PreviouslyGrantedAccess
;
647 /* RULE 2: Check token for 'take ownership' privilege */
648 Privilege
.Luid
= SeTakeOwnershipPrivilege
;
649 Privilege
.Attributes
= SE_PRIVILEGE_ENABLED
;
651 if (SepPrivilegeCheck(Token
,
654 PRIVILEGE_SET_ALL_NECESSARY
,
657 CurrentAccess
|= WRITE_OWNER
;
658 if (DesiredAccess
== CurrentAccess
)
660 *GrantedAccess
= CurrentAccess
;
661 *AccessStatus
= STATUS_SUCCESS
;
666 /* RULE 3: Check whether the token is the owner */
667 Status
= RtlGetOwnerSecurityDescriptor(SecurityDescriptor
,
670 if (!NT_SUCCESS(Status
))
672 DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status
);
673 *AccessStatus
= Status
;
677 if (SepSidInToken(Token
, Sid
))
679 CurrentAccess
|= (READ_CONTROL
| WRITE_DAC
);
680 if (DesiredAccess
== CurrentAccess
)
682 *GrantedAccess
= CurrentAccess
;
683 *AccessStatus
= STATUS_SUCCESS
;
688 /* RULE 4: Grant rights according to the DACL */
689 CurrentAce
= (PACE
)(Dacl
+ 1);
690 for (i
= 0; i
< Dacl
->AceCount
; i
++)
692 Sid
= (PSID
)(CurrentAce
+ 1);
693 if (CurrentAce
->Header
.AceType
== ACCESS_DENIED_ACE_TYPE
)
695 if (SepSidInToken(Token
, Sid
))
698 *AccessStatus
= STATUS_ACCESS_DENIED
;
703 if (CurrentAce
->Header
.AceType
== ACCESS_ALLOWED_ACE_TYPE
)
705 if (SepSidInToken(Token
, Sid
))
707 CurrentAccess
|= CurrentAce
->AccessMask
;
712 DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
713 CurrentAccess
, DesiredAccess
);
715 *GrantedAccess
= CurrentAccess
& DesiredAccess
;
718 (*GrantedAccess
== DesiredAccess
) ? STATUS_SUCCESS
: STATUS_ACCESS_DENIED
;
725 NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
726 IN HANDLE TokenHandle
,
727 IN ACCESS_MASK DesiredAccess
,
728 IN PGENERIC_MAPPING GenericMapping
,
729 OUT PPRIVILEGE_SET PrivilegeSet
,
730 OUT PULONG ReturnLength
,
731 OUT PACCESS_MASK GrantedAccess
,
732 OUT PNTSTATUS AccessStatus
)
734 SECURITY_SUBJECT_CONTEXT SubjectSecurityContext
;
735 KPROCESSOR_MODE PreviousMode
;
739 DPRINT("NtAccessCheck() called\n");
741 PreviousMode
= KeGetPreviousMode();
742 if (PreviousMode
== KernelMode
)
744 *GrantedAccess
= DesiredAccess
;
745 *AccessStatus
= STATUS_SUCCESS
;
746 return STATUS_SUCCESS
;
749 Status
= ObReferenceObjectByHandle(TokenHandle
,
755 if (!NT_SUCCESS(Status
))
757 DPRINT1("Failed to reference token (Status %lx)\n", Status
);
761 /* Check token type */
762 if (Token
->TokenType
!= TokenImpersonation
)
764 DPRINT1("No impersonation token\n");
765 ObDereferenceObject(Token
);
766 return STATUS_ACCESS_VIOLATION
;
769 /* Check impersonation level */
770 if (Token
->ImpersonationLevel
< SecurityAnonymous
)
772 DPRINT1("Invalid impersonation level\n");
773 ObDereferenceObject(Token
);
774 return STATUS_ACCESS_VIOLATION
;
777 RtlZeroMemory(&SubjectSecurityContext
,
778 sizeof(SECURITY_SUBJECT_CONTEXT
));
779 SubjectSecurityContext
.ClientToken
= Token
;
780 SubjectSecurityContext
.ImpersonationLevel
= Token
->ImpersonationLevel
;
782 /* FIXME: Lock subject context */
784 if (!SeAccessCheck(SecurityDescriptor
,
785 &SubjectSecurityContext
,
795 Status
= *AccessStatus
;
799 Status
= STATUS_ACCESS_DENIED
;
802 /* FIXME: Unlock subject context */
804 ObDereferenceObject(Token
);
806 DPRINT("NtAccessCheck() done\n");