reactos/ntoskrnl/se/semgr.c

   1 /* $Id: semgr.c,v 1.15 2000/01/26 10:07:30 dwelch Exp $
   2  *
   3  * COPYRIGHT:         See COPYING in the top level directory
   4  * PROJECT:           ReactOS kernel
   5  * PURPOSE:           Security manager
   6  * FILE:              kernel/se/semgr.c
   7  * PROGRAMER:         ?
   8  * REVISION HISTORY:
   9  *                 26/07/98: Added stubs for security functions
  10  */
  11
  12 /* INCLUDES *****************************************************************/
  13
  14 #include <ddk/ntddk.h>
  15
  16 #include <internal/debug.h>
  17
  18 /* FUNCTIONS ***************************************************************/
  19
  20 VOID SepReferenceLogonSession(PLUID AuthenticationId)
  21 {
  22    UNIMPLEMENTED;
  23 }
  24
  25 VOID SepDeReferenceLogonSession(PLUID AuthenticationId)
  26 {
  27    UNIMPLEMENTED;
  28 }
  29
  30 NTSTATUS STDCALL NtPrivilegedServiceAuditAlarm(
  31                                              IN PUNICODE_STRING SubsystemName,
  32                                              IN PUNICODE_STRING ServiceName,
  33                                              IN HANDLE          ClientToken,
  34                                              IN PPRIVILEGE_SET  Privileges,
  35                                              IN BOOLEAN         AccessGranted)
  36 {
  37    UNIMPLEMENTED;
  38 }
  39
  40
  41 NTSTATUS
  42 STDCALL
  43 NtPrivilegeObjectAuditAlarm (
  44         IN      PUNICODE_STRING SubsystemName,
  45         IN      PVOID           HandleId,
  46         IN      HANDLE          ClientToken,
  47         IN      ULONG           DesiredAccess,
  48         IN      PPRIVILEGE_SET  Privileges,
  49         IN      BOOLEAN         AccessGranted
  50         )
  51 {
  52         UNIMPLEMENTED;
  53 }
  54
  55
  56 NTSTATUS
  57 STDCALL
  58 NtOpenObjectAuditAlarm (
  59         IN      PUNICODE_STRING         SubsystemName,
  60         IN      PVOID                   HandleId,
  61         IN      POBJECT_ATTRIBUTES      ObjectAttributes,
  62         IN      HANDLE                  ClientToken,
  63         IN      ULONG                   DesiredAccess,
  64         IN      ULONG                   GrantedAccess,
  65         IN      PPRIVILEGE_SET          Privileges,
  66         IN      BOOLEAN                 ObjectCreation,
  67         IN      BOOLEAN                 AccessGranted,
  68         OUT     PBOOLEAN                GenerateOnClose
  69         )
  70 {
  71         UNIMPLEMENTED;
  72 }
  73
  74 NTSTATUS
  75 STDCALL
  76 NtAccessCheckAndAuditAlarm (
  77         IN PUNICODE_STRING SubsystemName,
  78         IN PHANDLE ObjectHandle,
  79         IN POBJECT_ATTRIBUTES ObjectAttributes,
  80         IN ACCESS_MASK DesiredAccess,
  81         IN PGENERIC_MAPPING GenericMapping,
  82         IN BOOLEAN ObjectCreation,
  83         OUT PULONG GrantedAccess,
  84         OUT PBOOLEAN AccessStatus,
  85         OUT PBOOLEAN GenerateOnClose
  86         )
  87 {
  88    UNIMPLEMENTED;
  89 }
  90
  91
  92 NTSTATUS
  93 STDCALL
  94 NtAllocateUuids (
  95         PLARGE_INTEGER  Time,
  96         PULONG          Version, // ???
  97         PULONG          ClockCycle
  98         )
  99 {
 100    UNIMPLEMENTED;
 101 }
 102
 103
 104 NTSTATUS STDCALL NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
 105                                          IN PVOID HandleId,
 106                                          IN BOOLEAN GenerateOnClose)
 107 {
 108    UNIMPLEMENTED;
 109 }
 110
 111 NTSTATUS STDCALL NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
 112                                IN HANDLE ClientToken,
 113                                IN ACCESS_MASK DesiredAccess,
 114                                IN PGENERIC_MAPPING GenericMapping,
 115                                OUT PPRIVILEGE_SET PrivilegeSet,
 116                                OUT PULONG ReturnLength,
 117                                OUT PULONG GrantedAccess,
 118                                OUT PBOOLEAN AccessStatus)
 119 {
 120    UNIMPLEMENTED;
 121 }
 122
 123
 124 NTSTATUS
 125 STDCALL
 126 NtDeleteObjectAuditAlarm (
 127         IN PUNICODE_STRING SubsystemName,
 128         IN PVOID HandleId,
 129         IN BOOLEAN GenerateOnClose
 130         )
 131 {
 132  UNIMPLEMENTED;
 133 }
 134
 135
 136
 137 VOID STDCALL SeReleaseSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext)
 138 {
 139    ObDereferenceObject(SubjectContext->PrimaryToken);
 140    if (SubjectContext->ClientToken != NULL)
 141      {
 142         ObDereferenceObject(SubjectContext->ClientToken);
 143      }
 144 }
 145
 146 VOID STDCALL SeCaptureSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext)
 147 {
 148    PEPROCESS Process;
 149    ULONG a;
 150    ULONG b;
 151
 152    Process = PsGetCurrentThread()->ThreadsProcess;
 153
 154    SubjectContext->ProcessAuditId = Process;
 155    SubjectContext->ClientToken =
 156      PsReferenceImpersonationToken(PsGetCurrentThread(),
 157                                    &a,
 158                                    &b,
 159                                    &SubjectContext->ImpersonationLevel);
 160    SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
 161 }
 162
 163 NTSTATUS STDCALL SeDeassignSecurity(PSECURITY_DESCRIPTOR* SecurityDescriptor)
 164 {
 165    if ((*SecurityDescriptor) != NULL)
 166      {
 167         ExFreePool(*SecurityDescriptor);
 168         (*SecurityDescriptor) = NULL;
 169      }
 170    return(STATUS_SUCCESS);
 171 }
 172
 173 #if 0
 174 VOID SepGetDefaultsSubjectContext(PSECURITY_SUBJECT_CONTEXT SubjectContext,
 175                                   PSID* Owner,
 176                                   PSID* PrimaryGroup,
 177                                   PSID* ProcessOwner,
 178                                   PSID* ProcessPrimaryGroup,
 179                                   PACL* DefaultDacl)
 180 {
 181    PACCESS_TOKEN Token;
 182
 183    if (SubjectContext->ClientToken != NULL)
 184      {
 185         Token = SubjectContext->ClientToken;
 186      }
 187    else
 188      {
 189         Token = SubjectContext->PrimaryToken;
 190      }
 191    *Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
 192    *PrimaryGroup = Token->PrimaryGroup;
 193    *DefaultDacl = Token->DefaultDacl;
 194    *ProcessOwner = SubjectContext->PrimaryToken->
 195      UserAndGroups[Token->DefaultOwnerIndex].Sid;
 196    *ProcessPrimaryGroup = SubjectContext->PrimaryToken->PrimaryGroup;
 197 }
 198
 199 NTSTATUS SepInheritAcl(PACL Acl,
 200                        BOOLEAN IsDirectoryObject,
 201                        PSID Owner,
 202                        PSID PrimaryGroup,
 203                        PACL DefaultAcl,
 204                        PSID ProcessOwner,
 205                        PSID ProcessGroup,
 206                        PGENERIC_MAPPING GenericMapping)
 207 {
 208    if (Acl == NULL)
 209      {
 210         return(STATUS_UNSUCCESSFUL);
 211      }
 212    if (Acl->AclRevision != 2 &&
 213        Acl->AclRevision != 3 )
 214      {
 215         return(STATUS_UNSUCCESSFUL);
 216      }
 217
 218 }
 219 #endif
 220
 221 NTSTATUS STDCALL SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor,
 222                                   PSECURITY_DESCRIPTOR ExplicitDescriptor,
 223                                   PSECURITY_DESCRIPTOR* NewDescriptor,
 224                                   BOOLEAN IsDirectoryObject,
 225                                   PSECURITY_SUBJECT_CONTEXT SubjectContext,
 226                                   PGENERIC_MAPPING GenericMapping,
 227                                   POOL_TYPE PoolType)
 228 {
 229 #if 0
 230    PSECURITY_DESCRIPTOR Descriptor;
 231    PSID Owner;
 232    PSID PrimaryGroup;
 233    PACL DefaultDacl;
 234    PSID ProcessOwner;
 235    PSID ProcessPrimaryGroup;
 236    PACL Sacl;
 237
 238    if (ExplicitDescriptor == NULL)
 239      {
 240         RtlCreateSecurityDescriptor(&Descriptor, 1);
 241      }
 242    else
 243      {
 244         Descriptor = ExplicitDescriptor;
 245      }
 246    SeLockSubjectContext(SubjectContext);
 247    SepGetDefaultsSubjectContext(SubjectContext,
 248                                 &Owner,
 249                                 &PrimaryGroup,
 250                                 &DefaultDacl,
 251                                 &ProcessOwner,
 252                                 &ProcessPrimaryGroup);
 253    if (Descriptor->Control & SE_SACL_PRESENT ||
 254        Descriptor->Control & SE_SACL_DEFAULTED)
 255      {
 256         if (ParentDescriptor == NULL)
 257           {
 258           }
 259         if (Descriptor->Control & SE_SACL_PRESENT ||
 260             Descriptor->Sacl == NULL ||)
 261           {
 262              Sacl = NULL;
 263           }
 264         else
 265           {
 266              Sacl = Descriptor->Sacl;
 267              if (Descriptor->Control & SE_SELF_RELATIVE)
 268                {
 269                   Sacl = (PACL)(((PVOID)Sacl) + (PVOID)Descriptor);
 270                }
 271           }
 272         SepInheritAcl(Sacl,
 273                       IsDirectoryObject,
 274                       Owner,
 275                       PrimaryGroup,
 276                       DefaultDacl,
 277                       ProcessOwner,
 278                       GenericMapping);
 279      }
 280 #else
 281   UNIMPLEMENTED;
 282 #endif
 283 }
 284
 285 BOOLEAN SepSidInToken(PACCESS_TOKEN Token,
 286                       PSID Sid)
 287 {
 288    ULONG i;
 289
 290    if (Token->UserAndGroupCount == 0)
 291      {
 292         return(FALSE);
 293      }
 294
 295    for (i=0; i<Token->UserAndGroupCount; i++)
 296      {
 297         if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
 298           {
 299              if (i == 0 ||
 300                  (!(Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED)))
 301                {
 302                   return(TRUE);
 303                }
 304              return(FALSE);
 305           }
 306      }
 307    return(FALSE);
 308 }
 309
 310 BOOLEAN STDCALL SeAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor,
 311                       IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
 312                       IN BOOLEAN SubjectContextLocked,
 313                       IN ACCESS_MASK DesiredAccess,
 314                       IN ACCESS_MASK PreviouslyGrantedAccess,
 315                       OUT PPRIVILEGE_SET* Privileges,
 316                       IN PGENERIC_MAPPING GenericMapping,
 317                       IN KPROCESSOR_MODE AccessMode,
 318                       OUT PACCESS_MODE GrantedAccess,
 319                       OUT PNTSTATUS AccessStatus)
 320 /*
 321  * FUNCTION: Determines whether the requested access rights can be granted
 322  * to an object protected by a security descriptor and an object owner
 323  * ARGUMENTS:
 324  *      SecurityDescriptor = Security descriptor protecting the object
 325  *      SubjectSecurityContext = Subject's captured security context
 326  *      SubjectContextLocked = Indicates the user's subject context is locked
 327  *      DesiredAccess = Access rights the caller is trying to acquire
 328  *      PreviouslyGrantedAccess = Specified the access rights already granted
 329  *      Privileges = ?
 330  *      GenericMapping = Generic mapping associated with the object
 331  *      AccessMode = Access mode used for the check
 332  *      GrantedAccess (OUT) = On return specifies the access granted
 333  *      AccessStatus (OUT) = Status indicating why access was denied
 334  * RETURNS: If access was granted, returns TRUE
 335  */
 336 {
 337    ULONG i;
 338    PACL Dacl;
 339    BOOLEAN Present;
 340    BOOLEAN Defaulted;
 341    NTSTATUS Status;
 342    PACE CurrentAce;
 343    PSID Sid;
 344    ACCESS_MASK CurrentAccess;
 345
 346    CurrentAccess = PreviouslyGrantedAccess;
 347
 348    /*
 349     * Ignore the SACL for now
 350     */
 351
 352    /*
 353     * Check the DACL
 354     */
 355    Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
 356                                          &Present,
 357                                          &Dacl,
 358                                          &Defaulted);
 359    if (!NT_SUCCESS(Status))
 360      {
 361         return(Status);
 362      }
 363
 364    CurrentAce = (PACE)(Dacl + 1);
 365    for (i = 0; i < Dacl->AceCount; i++)
 366      {
 367         Sid = (PSID)(CurrentAce + 1);
 368         if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
 369           {
 370              if (SepSidInToken(SubjectSecurityContext->ClientToken, Sid))
 371                {
 372                   *AccessStatus = STATUS_ACCESS_DENIED;
 373                   *GrantedAccess = 0;
 374                   return(STATUS_SUCCESS);
 375                }
 376           }
 377         if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
 378           {
 379              if (SepSidInToken(SubjectSecurityContext->ClientToken, Sid))
 380                {
 381                   CurrentAccess = CurrentAccess |
 382                     CurrentAce->Header.AccessMask;
 383                }
 384           }
 385      }
 386    if (!(CurrentAccess & DesiredAccess) &&
 387        !((~CurrentAccess) & DesiredAccess))
 388      {
 389         *AccessStatus = STATUS_ACCESS_DENIED;
 390      }
 391    else
 392      {
 393         *AccessStatus = STATUS_SUCCESS;
 394      }
 395    *GrantedAccess = CurrentAccess;
 396
 397    return(STATUS_SUCCESS);
 398 }
 399
 400
 401 /* EOF */