projects / reactos.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Remove a hack from NtAccessCheck(). Bug #4169.
[reactos.git] / reactos / ntoskrnl / se / semgr.c
1 /*
2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/semgr.c
5 * PURPOSE: Security manager
6 *
7 * PROGRAMMERS: No programmer listed.
8 */
9
10 /* INCLUDES *******************************************************************/
11
12 #include <ntoskrnl.h>
13 #define NDEBUG
14 #include <debug.h>
15
16 /* GLOBALS ********************************************************************/
17
18 PSE_EXPORTS SeExports = NULL;
19 SE_EXPORTS SepExports;
20
21 extern ULONG ExpInitializationPhase;
22 extern ERESOURCE SepSubjectContextLock;
23
24 /* PRIVATE FUNCTIONS **********************************************************/
25
26 static BOOLEAN INIT_FUNCTION
27 SepInitExports(VOID)
28 {
29 SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
30 SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
31 SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
32 SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
33 SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
34 SepExports.SeTcbPrivilege = SeTcbPrivilege;
35 SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
36 SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
37 SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
38 SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
39 SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
40 SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
41 SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
42 SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
43 SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
44 SepExports.SeBackupPrivilege = SeBackupPrivilege;
45 SepExports.SeRestorePrivilege = SeRestorePrivilege;
46 SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
47 SepExports.SeDebugPrivilege = SeDebugPrivilege;
48 SepExports.SeAuditPrivilege = SeAuditPrivilege;
49 SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
50 SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
51 SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
52
53 SepExports.SeNullSid = SeNullSid;
54 SepExports.SeWorldSid = SeWorldSid;
55 SepExports.SeLocalSid = SeLocalSid;
56 SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
57 SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
58 SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
59 SepExports.SeDialupSid = SeDialupSid;
60 SepExports.SeNetworkSid = SeNetworkSid;
61 SepExports.SeBatchSid = SeBatchSid;
62 SepExports.SeInteractiveSid = SeInteractiveSid;
63 SepExports.SeLocalSystemSid = SeLocalSystemSid;
64 SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
65 SepExports.SeAliasUsersSid = SeAliasUsersSid;
66 SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
67 SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
68 SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
69 SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
70 SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
71 SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
72 SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
73 SepExports.SeRestrictedSid = SeRestrictedSid;
74 SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
75
76 SepExports.SeUndockPrivilege = SeUndockPrivilege;
77 SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
78 SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
79
80 SeExports = &SepExports;
81 return TRUE;
82 }
83
84
85 BOOLEAN
86 NTAPI
87 SepInitializationPhase0(VOID)
88 {
89 ExpInitLuid();
90 if (!SepInitSecurityIDs()) return FALSE;
91 if (!SepInitDACLs()) return FALSE;
92 if (!SepInitSDs()) return FALSE;
93 SepInitPrivileges();
94 if (!SepInitExports()) return FALSE;
95
96 /* Initialize the subject context lock */
97 ExInitializeResource(&SepSubjectContextLock);
98
99 /* Initialize token objects */
100 SepInitializeTokenImplementation();
101
102 /* Clear impersonation info for the idle thread */
103 PsGetCurrentThread()->ImpersonationInfo = NULL;
104 PspClearCrossThreadFlag(PsGetCurrentThread(),
105 CT_ACTIVE_IMPERSONATION_INFO_BIT);
106
107 /* Initialize the boot token */
108 ObInitializeFastReference(&PsGetCurrentProcess()->Token, NULL);
109 ObInitializeFastReference(&PsGetCurrentProcess()->Token,
110 SepCreateSystemProcessToken());
111 return TRUE;
112 }
113
114 BOOLEAN
115 NTAPI
116 SepInitializationPhase1(VOID)
117 {
118 NTSTATUS Status;
119 PAGED_CODE();
120
121 /* Insert the system token into the tree */
122 Status = ObInsertObject((PVOID)(PsGetCurrentProcess()->Token.Value &
123 ~MAX_FAST_REFS),
124 NULL,
125 0,
126 0,
127 NULL,
128 NULL);
129 ASSERT(NT_SUCCESS(Status));
130
131 /* FIXME: TODO \\ Security directory */
132 return TRUE;
133 }
134
135 BOOLEAN
136 NTAPI
137 SeInitSystem(VOID)
138 {
139 /* Check the initialization phase */
140 switch (ExpInitializationPhase)
141 {
142 case 0:
143
144 /* Do Phase 0 */
145 return SepInitializationPhase0();
146
147 case 1:
148
149 /* Do Phase 1 */
150 return SepInitializationPhase1();
151
152 default:
153
154 /* Don't know any other phase! Bugcheck! */
155 KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
156 0,
157 ExpInitializationPhase,
158 0,
159 0);
160 return FALSE;
161 }
162 }
163
164 BOOLEAN
165 NTAPI
166 SeInitSRM(VOID)
167 {
168 OBJECT_ATTRIBUTES ObjectAttributes;
169 UNICODE_STRING Name;
170 HANDLE DirectoryHandle;
171 HANDLE EventHandle;
172 NTSTATUS Status;
173
174 /* Create '\Security' directory */
175 RtlInitUnicodeString(&Name,
176 L"\\Security");
177 InitializeObjectAttributes(&ObjectAttributes,
178 &Name,
179 OBJ_PERMANENT,
180 0,
181 NULL);
182 Status = ZwCreateDirectoryObject(&DirectoryHandle,
183 DIRECTORY_ALL_ACCESS,
184 &ObjectAttributes);
185 if (!NT_SUCCESS(Status))
186 {
187 DPRINT1("Failed to create 'Security' directory!\n");
188 return FALSE;
189 }
190
191 /* Create 'LSA_AUTHENTICATION_INITALIZED' event */
192 RtlInitUnicodeString(&Name,
193 L"\\LSA_AUTHENTICATION_INITALIZED");
194 InitializeObjectAttributes(&ObjectAttributes,
195 &Name,
196 OBJ_PERMANENT,
197 DirectoryHandle,
198 SePublicDefaultSd);
199 Status = ZwCreateEvent(&EventHandle,
200 EVENT_ALL_ACCESS,
201 &ObjectAttributes,
202 SynchronizationEvent,
203 FALSE);
204 if (!NT_SUCCESS(Status))
205 {
206 DPRINT1("Failed to create 'LSA_AUTHENTICATION_INITALIZED' event!\n");
207 NtClose(DirectoryHandle);
208 return FALSE;
209 }
210
211 ZwClose(EventHandle);
212 ZwClose(DirectoryHandle);
213
214 /* FIXME: Create SRM port and listener thread */
215
216 return TRUE;
217 }
218
219 NTSTATUS
220 NTAPI
221 SeDefaultObjectMethod(IN PVOID Object,
222 IN SECURITY_OPERATION_CODE OperationType,
223 IN PSECURITY_INFORMATION SecurityInformation,
224 IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
225 IN OUT PULONG ReturnLength OPTIONAL,
226 IN OUT PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
227 IN POOL_TYPE PoolType,
228 IN PGENERIC_MAPPING GenericMapping)
229 {
230 PAGED_CODE();
231
232 /* Select the operation type */
233 switch (OperationType)
234 {
235 /* Setting a new descriptor */
236 case SetSecurityDescriptor:
237
238 /* Sanity check */
239 ASSERT((PoolType == PagedPool) || (PoolType == NonPagedPool));
240
241 /* Set the information */
242 return ObSetSecurityDescriptorInfo(Object,
243 SecurityInformation,
244 SecurityDescriptor,
245 OldSecurityDescriptor,
246 PoolType,
247 GenericMapping);
248
249 case QuerySecurityDescriptor:
250
251 /* Query the information */
252 return ObQuerySecurityDescriptorInfo(Object,
253 SecurityInformation,
254 SecurityDescriptor,
255 ReturnLength,
256 OldSecurityDescriptor);
257
258 case DeleteSecurityDescriptor:
259
260 /* De-assign it */
261 return ObDeassignSecurity(OldSecurityDescriptor);
262
263 case AssignSecurityDescriptor:
264
265 /* Assign it */
266 ObAssignObjectSecurityDescriptor(Object, SecurityDescriptor, PoolType);
267 return STATUS_SUCCESS;
268
269 default:
270
271 /* Bug check */
272 KeBugCheckEx(SECURITY_SYSTEM, 0, STATUS_INVALID_PARAMETER, 0, 0);
273 }
274
275 /* Should never reach here */
276 ASSERT(FALSE);
277 return STATUS_SUCCESS;
278 }
279
280
281 static BOOLEAN
282 SepSidInToken(PACCESS_TOKEN _Token,
283 PSID Sid)
284 {
285 ULONG i;
286 PTOKEN Token = (PTOKEN)_Token;
287
288 PAGED_CODE();
289
290 if (Token->UserAndGroupCount == 0)
291 {
292 return FALSE;
293 }
294
295 for (i=0; i<Token->UserAndGroupCount; i++)
296 {
297 if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
298 {
299 if (Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED)
300 {
301 return TRUE;
302 }
303
304 return FALSE;
305 }
306 }
307
308 return FALSE;
309 }
310
311
312 VOID NTAPI
313 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
314 OUT PACCESS_MASK DesiredAccess)
315 {
316 *DesiredAccess = 0;
317
318 if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
319 GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
320 {
321 *DesiredAccess |= READ_CONTROL;
322 }
323 if (SecurityInformation & SACL_SECURITY_INFORMATION)
324 {
325 *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
326 }
327 }
328
329 VOID NTAPI
330 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
331 OUT PACCESS_MASK DesiredAccess)
332 {
333 *DesiredAccess = 0;
334
335 if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
336 {
337 *DesiredAccess |= WRITE_OWNER;
338 }
339 if (SecurityInformation & DACL_SECURITY_INFORMATION)
340 {
341 *DesiredAccess |= WRITE_DAC;
342 }
343 if (SecurityInformation & SACL_SECURITY_INFORMATION)
344 {
345 *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
346 }
347 }
348
349 /* PUBLIC FUNCTIONS ***********************************************************/
350
351 /*
352 * @implemented
353 */
354 BOOLEAN NTAPI
355 SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
356 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
357 IN BOOLEAN SubjectContextLocked,
358 IN ACCESS_MASK DesiredAccess,
359 IN ACCESS_MASK PreviouslyGrantedAccess,
360 OUT PPRIVILEGE_SET* Privileges,
361 IN PGENERIC_MAPPING GenericMapping,
362 IN KPROCESSOR_MODE AccessMode,
363 OUT PACCESS_MASK GrantedAccess,
364 OUT PNTSTATUS AccessStatus)
365 {
366 LUID_AND_ATTRIBUTES Privilege;
367 ACCESS_MASK CurrentAccess, AccessMask;
368 PACCESS_TOKEN Token;
369 ULONG i;
370 PACL Dacl;
371 BOOLEAN Present;
372 BOOLEAN Defaulted;
373 PACE CurrentAce;
374 PSID Sid;
375 NTSTATUS Status;
376 PAGED_CODE();
377
378 /* Check if this is kernel mode */
379 if (AccessMode == KernelMode)
380 {
381 /* Check if kernel wants everything */
382 if (DesiredAccess & MAXIMUM_ALLOWED)
383 {
384 /* Give it */
385 *GrantedAccess = GenericMapping->GenericAll;
386 *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
387 *GrantedAccess |= PreviouslyGrantedAccess;
388 }
389 else
390 {
391 /* Give the desired and previous access */
392 *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
393 }
394
395 /* Success */
396 *AccessStatus = STATUS_SUCCESS;
397 return TRUE;
398 }
399
400 /* Check if we didn't get an SD */
401 if (!SecurityDescriptor)
402 {
403 /* Automatic failure */
404 *AccessStatus = STATUS_ACCESS_DENIED;
405 return FALSE;
406 }
407
408 /* Check for invalid impersonation */
409 if ((SubjectSecurityContext->ClientToken) &&
410 (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation))
411 {
412 *AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
413 return FALSE;
414 }
415
416 /* Check for no access desired */
417 if (!DesiredAccess)
418 {
419 /* Check if we had no previous access */
420 if (!PreviouslyGrantedAccess)
421 {
422 /* Then there's nothing to give */
423 *AccessStatus = STATUS_ACCESS_DENIED;
424 return FALSE;
425 }
426
427 /* Return the previous access only */
428 *GrantedAccess = PreviouslyGrantedAccess;
429 *AccessStatus = STATUS_SUCCESS;
430 *Privileges = NULL;
431 return TRUE;
432 }
433
434 /* Acquire the lock if needed */
435 if (!SubjectContextLocked) SeLockSubjectContext(SubjectSecurityContext);
436
437 /* Map given accesses */
438 RtlMapGenericMask(&DesiredAccess, GenericMapping);
439 if (PreviouslyGrantedAccess)
440 RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
441
442
443
444 CurrentAccess = PreviouslyGrantedAccess;
445
446
447
448 Token = SubjectSecurityContext->ClientToken ?
449 SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
450
451 /* Get the DACL */
452 Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
453 &Present,
454 &Dacl,
455 &Defaulted);
456 if (!NT_SUCCESS(Status))
457 {
458 if (SubjectContextLocked == FALSE)
459 {
460 SeUnlockSubjectContext(SubjectSecurityContext);
461 }
462
463 *AccessStatus = Status;
464 return FALSE;
465 }
466
467 /* RULE 1: Grant desired access if the object is unprotected */
468 if (Present == TRUE && Dacl == NULL)
469 {
470 if (SubjectContextLocked == FALSE)
471 {
472 SeUnlockSubjectContext(SubjectSecurityContext);
473 }
474
475 *GrantedAccess = DesiredAccess;
476 *AccessStatus = STATUS_SUCCESS;
477 return TRUE;
478 }
479
480 CurrentAccess = PreviouslyGrantedAccess;
481
482 /* RULE 2: Check token for 'take ownership' privilege */
483 Privilege.Luid = SeTakeOwnershipPrivilege;
484 Privilege.Attributes = SE_PRIVILEGE_ENABLED;
485
486 if (SepPrivilegeCheck(Token,
487 &Privilege,
488 1,
489 PRIVILEGE_SET_ALL_NECESSARY,
490 AccessMode))
491 {
492 CurrentAccess |= WRITE_OWNER;
493 if ((DesiredAccess & ~VALID_INHERIT_FLAGS) ==
494 (CurrentAccess & ~VALID_INHERIT_FLAGS))
495 {
496 if (SubjectContextLocked == FALSE)
497 {
498 SeUnlockSubjectContext(SubjectSecurityContext);
499 }
500
501 *GrantedAccess = CurrentAccess;
502 *AccessStatus = STATUS_SUCCESS;
503 return TRUE;
504 }
505 }
506
507 /* RULE 3: Check whether the token is the owner */
508 Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
509 &Sid,
510 &Defaulted);
511 if (!NT_SUCCESS(Status))
512 {
513 DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status);
514 if (SubjectContextLocked == FALSE)
515 {
516 SeUnlockSubjectContext(SubjectSecurityContext);
517 }
518
519 *AccessStatus = Status;
520 return FALSE;
521 }
522
523 if (Sid && SepSidInToken(Token, Sid))
524 {
525 CurrentAccess |= (READ_CONTROL | WRITE_DAC);
526 if ((DesiredAccess & ~VALID_INHERIT_FLAGS) ==
527 (CurrentAccess & ~VALID_INHERIT_FLAGS))
528 {
529 if (SubjectContextLocked == FALSE)
530 {
531 SeUnlockSubjectContext(SubjectSecurityContext);
532 }
533
534 *GrantedAccess = CurrentAccess;
535 *AccessStatus = STATUS_SUCCESS;
536 return TRUE;
537 }
538 }
539
540 /* Fail if DACL is absent */
541 if (Present == FALSE)
542 {
543 if (SubjectContextLocked == FALSE)
544 {
545 SeUnlockSubjectContext(SubjectSecurityContext);
546 }
547
548 *GrantedAccess = 0;
549 *AccessStatus = STATUS_ACCESS_DENIED;
550 return FALSE;
551 }
552
553 /* RULE 4: Grant rights according to the DACL */
554 CurrentAce = (PACE)(Dacl + 1);
555 for (i = 0; i < Dacl->AceCount; i++)
556 {
557 Sid = (PSID)(CurrentAce + 1);
558 if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
559 {
560 if (SepSidInToken(Token, Sid))
561 {
562 if (SubjectContextLocked == FALSE)
563 {
564 SeUnlockSubjectContext(SubjectSecurityContext);
565 }
566
567 *GrantedAccess = 0;
568 *AccessStatus = STATUS_ACCESS_DENIED;
569 return FALSE;
570 }
571 }
572
573 else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
574 {
575 if (SepSidInToken(Token, Sid))
576 {
577 AccessMask = CurrentAce->AccessMask;
578 RtlMapGenericMask(&AccessMask, GenericMapping);
579 CurrentAccess |= AccessMask;
580 }
581 }
582 else
583 {
584 DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
585 }
586 CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
587 }
588
589 if (SubjectContextLocked == FALSE)
590 {
591 SeUnlockSubjectContext(SubjectSecurityContext);
592 }
593
594 DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
595 CurrentAccess, DesiredAccess);
596
597 *GrantedAccess = CurrentAccess & DesiredAccess;
598
599 if (DesiredAccess & MAXIMUM_ALLOWED)
600 {
601 *GrantedAccess = CurrentAccess;
602 *AccessStatus = STATUS_SUCCESS;
603 return TRUE;
604 }
605 else if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) ==
606 (DesiredAccess & ~VALID_INHERIT_FLAGS))
607 {
608 *AccessStatus = STATUS_SUCCESS;
609 return TRUE;
610 }
611 else
612 {
613 DPRINT1("Denying access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p)\n",
614 *GrantedAccess, DesiredAccess, GenericMapping);
615 *AccessStatus = STATUS_ACCESS_DENIED;
616 return FALSE;
617 }
618 }
619
620 /* SYSTEM CALLS ***************************************************************/
621
622 /*
623 * @implemented
624 */
625 NTSTATUS
626 NTAPI
627 NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
628 IN HANDLE TokenHandle,
629 IN ACCESS_MASK DesiredAccess,
630 IN PGENERIC_MAPPING GenericMapping,
631 OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL,
632 IN OUT PULONG PrivilegeSetLength,
633 OUT PACCESS_MASK GrantedAccess,
634 OUT PNTSTATUS AccessStatus)
635 {
636 SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
637 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
638 PTOKEN Token;
639 NTSTATUS Status;
640 PAGED_CODE();
641
642 /* Check if this is kernel mode */
643 if (PreviousMode == KernelMode)
644 {
645 /* Check if kernel wants everything */
646 if (DesiredAccess & MAXIMUM_ALLOWED)
647 {
648 /* Give it */
649 *GrantedAccess = GenericMapping->GenericAll;
650 *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
651 }
652 else
653 {
654 /* Just give the desired access */
655 *GrantedAccess = DesiredAccess;
656 }
657
658 /* Success */
659 *AccessStatus = STATUS_SUCCESS;
660 return STATUS_SUCCESS;
661 }
662
663 /* Reference the token */
664 Status = ObReferenceObjectByHandle(TokenHandle,
665 TOKEN_QUERY,
666 SepTokenObjectType,
667 PreviousMode,
668 (PVOID*)&Token,
669 NULL);
670 if (!NT_SUCCESS(Status))
671 {
672 DPRINT1("Failed to reference token (Status %lx)\n", Status);
673 return Status;
674 }
675
676 /* Check token type */
677 if (Token->TokenType != TokenImpersonation)
678 {
679 DPRINT1("No impersonation token\n");
680 ObDereferenceObject(Token);
681 return STATUS_ACCESS_DENIED;
682 }
683
684 /* Set up the subject context, and lock it */
685 SubjectSecurityContext.ClientToken = Token;
686 SubjectSecurityContext.ImpersonationLevel = Token->ImpersonationLevel;
687 SubjectSecurityContext.PrimaryToken = NULL;
688 SubjectSecurityContext.ProcessAuditId = NULL;
689 SeLockSubjectContext(&SubjectSecurityContext);
690
691 /* Now perform the access check */
692 SeAccessCheck(SecurityDescriptor,
693 &SubjectSecurityContext,
694 TRUE,
695 DesiredAccess,
696 0,
697 &PrivilegeSet, //FIXME
698 GenericMapping,
699 PreviousMode,
700 GrantedAccess,
701 AccessStatus);
702
703 /* Unlock subject context and dereference the token */
704 SeUnlockSubjectContext(&SubjectSecurityContext);
705 ObDereferenceObject(Token);
706
707 /* Check succeeded */
708 return STATUS_SUCCESS;
709 }
710
711
712 NTSTATUS
713 NTAPI
714 NtAccessCheckByType(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
715 IN PSID PrincipalSelfSid,
716 IN HANDLE ClientToken,
717 IN ACCESS_MASK DesiredAccess,
718 IN POBJECT_TYPE_LIST ObjectTypeList,
719 IN ULONG ObjectTypeLength,
720 IN PGENERIC_MAPPING GenericMapping,
721 IN PPRIVILEGE_SET PrivilegeSet,
722 IN ULONG PrivilegeSetLength,
723 OUT PACCESS_MASK GrantedAccess,
724 OUT PNTSTATUS AccessStatus)
725 {
726 UNIMPLEMENTED;
727 return STATUS_NOT_IMPLEMENTED;
728 }
729
730 NTSTATUS
731 NTAPI
732 NtAccessCheckByTypeAndAuditAlarm(IN PUNICODE_STRING SubsystemName,
733 IN HANDLE HandleId,
734 IN PUNICODE_STRING ObjectTypeName,
735 IN PUNICODE_STRING ObjectName,
736 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
737 IN PSID PrincipalSelfSid,
738 IN ACCESS_MASK DesiredAccess,
739 IN AUDIT_EVENT_TYPE AuditType,
740 IN ULONG Flags,
741 IN POBJECT_TYPE_LIST ObjectTypeList,
742 IN ULONG ObjectTypeLength,
743 IN PGENERIC_MAPPING GenericMapping,
744 IN BOOLEAN ObjectCreation,
745 OUT PACCESS_MASK GrantedAccess,
746 OUT PNTSTATUS AccessStatus,
747 OUT PBOOLEAN GenerateOnClose)
748 {
749 UNIMPLEMENTED;
750 return STATUS_NOT_IMPLEMENTED;
751 }
752
753 NTSTATUS
754 NTAPI
755 NtAccessCheckByTypeResultList(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
756 IN PSID PrincipalSelfSid,
757 IN HANDLE ClientToken,
758 IN ACCESS_MASK DesiredAccess,
759 IN POBJECT_TYPE_LIST ObjectTypeList,
760 IN ULONG ObjectTypeLength,
761 IN PGENERIC_MAPPING GenericMapping,
762 IN PPRIVILEGE_SET PrivilegeSet,
763 IN ULONG PrivilegeSetLength,
764 OUT PACCESS_MASK GrantedAccess,
765 OUT PNTSTATUS AccessStatus)
766 {
767 UNIMPLEMENTED;
768 return STATUS_NOT_IMPLEMENTED;
769 }
770
771 NTSTATUS
772 NTAPI
773 NtAccessCheckByTypeResultListAndAuditAlarm(IN PUNICODE_STRING SubsystemName,
774 IN HANDLE HandleId,
775 IN PUNICODE_STRING ObjectTypeName,
776 IN PUNICODE_STRING ObjectName,
777 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
778 IN PSID PrincipalSelfSid,
779 IN ACCESS_MASK DesiredAccess,
780 IN AUDIT_EVENT_TYPE AuditType,
781 IN ULONG Flags,
782 IN POBJECT_TYPE_LIST ObjectTypeList,
783 IN ULONG ObjectTypeLength,
784 IN PGENERIC_MAPPING GenericMapping,
785 IN BOOLEAN ObjectCreation,
786 OUT PACCESS_MASK GrantedAccess,
787 OUT PNTSTATUS AccessStatus,
788 OUT PBOOLEAN GenerateOnClose)
789 {
790 UNIMPLEMENTED;
791 return STATUS_NOT_IMPLEMENTED;
792 }
793
794 NTSTATUS
795 NTAPI
796 NtAccessCheckByTypeResultListAndAuditAlarmByHandle(IN PUNICODE_STRING SubsystemName,
797 IN HANDLE HandleId,
798 IN HANDLE ClientToken,
799 IN PUNICODE_STRING ObjectTypeName,
800 IN PUNICODE_STRING ObjectName,
801 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
802 IN PSID PrincipalSelfSid,
803 IN ACCESS_MASK DesiredAccess,
804 IN AUDIT_EVENT_TYPE AuditType,
805 IN ULONG Flags,
806 IN POBJECT_TYPE_LIST ObjectTypeList,
807 IN ULONG ObjectTypeLength,
808 IN PGENERIC_MAPPING GenericMapping,
809 IN BOOLEAN ObjectCreation,
810 OUT PACCESS_MASK GrantedAccess,
811 OUT PNTSTATUS AccessStatus,
812 OUT PBOOLEAN GenerateOnClose)
813 {
814 UNIMPLEMENTED;
815 return STATUS_NOT_IMPLEMENTED;
816 }
817
818 /* EOF */
A free Windows-compatible Operating System