- use inlined probing macros for basic types
1 /* $Id$
2 *
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/sid.c
6 * PURPOSE: Security manager
7 *
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
9 */
10
11 /* INCLUDES *****************************************************************/
12
13 #include <ntoskrnl.h>
14
15 #define NDEBUG
16 #include <internal/debug.h>
17
18 /* GLOBALS ******************************************************************/
19
/* Identifier authorities from which the well-known SIDs below are built. */
SID_IDENTIFIER_AUTHORITY SeNullSidAuthority    = {SECURITY_NULL_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority   = {SECURITY_WORLD_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority   = {SECURITY_LOCAL_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority = {SECURITY_CREATOR_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeNtSidAuthority      = {SECURITY_NT_AUTHORITY};

/*
 * Well-known SIDs. Every pointer starts out NULL and is allocated and filled
 * in by SepInitSecurityIDs(); code that runs before that call sees NULL.
 */

/* Null, World, Local and Creator authorities */
PSID SeNullSid               = NULL;
PSID SeWorldSid              = NULL;
PSID SeLocalSid              = NULL;
PSID SeCreatorOwnerSid       = NULL;
PSID SeCreatorGroupSid       = NULL;
PSID SeCreatorOwnerServerSid = NULL;
PSID SeCreatorGroupServerSid = NULL;

/* NT authority, one sub-authority (SeNtAuthoritySid itself has none) */
PSID SeNtAuthoritySid        = NULL;
PSID SeDialupSid             = NULL;
PSID SeNetworkSid            = NULL;
PSID SeBatchSid              = NULL;
PSID SeInteractiveSid        = NULL;
PSID SeServiceSid            = NULL;
PSID SePrincipalSelfSid      = NULL;
PSID SeLocalSystemSid        = NULL;
PSID SeAuthenticatedUserSid  = NULL;
PSID SeRestrictedCodeSid     = NULL;

/* NT authority, built-in domain aliases (two sub-authorities) */
PSID SeAliasAdminsSid        = NULL;
PSID SeAliasUsersSid         = NULL;
PSID SeAliasGuestsSid        = NULL;
PSID SeAliasPowerUsersSid    = NULL;
PSID SeAliasAccountOpsSid    = NULL;
PSID SeAliasSystemOpsSid     = NULL;
PSID SeAliasPrintOpsSid      = NULL;
PSID SeAliasBackupOpsSid     = NULL;

/* NT authority, one sub-authority */
PSID SeAuthenticatedUsersSid = NULL;
PSID SeRestrictedSid         = NULL;
PSID SeAnonymousLogonSid     = NULL;
54
55
56 /* FUNCTIONS ****************************************************************/
57
58
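/*
 * Allocates and initializes the kernel's well-known SIDs (the Se*Sid globals).
 *
 * Returns TRUE when every SID was allocated and filled in. Returns FALSE when
 * any pool allocation failed; in that case every SID that was allocated is
 * freed again and all Se*Sid globals are reset to NULL, so nothing is leaked
 * and no global is left pointing at an allocated but uninitialized SID.
 */
BOOLEAN INIT_FUNCTION
SepInitSecurityIDs(VOID)
{
    /* Every global SID pointer, so the failure path can check and free them
     * in one place instead of repeating the list by hand. */
    PSID *AllSids[] =
    {
        &SeNullSid, &SeWorldSid, &SeLocalSid,
        &SeCreatorOwnerSid, &SeCreatorGroupSid,
        &SeCreatorOwnerServerSid, &SeCreatorGroupServerSid,
        &SeNtAuthoritySid, &SeDialupSid, &SeNetworkSid, &SeBatchSid,
        &SeInteractiveSid, &SeServiceSid, &SePrincipalSelfSid,
        &SeLocalSystemSid, &SeAuthenticatedUserSid, &SeRestrictedCodeSid,
        &SeAliasAdminsSid, &SeAliasUsersSid, &SeAliasGuestsSid,
        &SeAliasPowerUsersSid, &SeAliasAccountOpsSid, &SeAliasSystemOpsSid,
        &SeAliasPrintOpsSid, &SeAliasBackupOpsSid,
        &SeAuthenticatedUsersSid, &SeRestrictedSid, &SeAnonymousLogonSid
    };
    const ULONG SidCount = sizeof(AllSids) / sizeof(AllSids[0]);
    BOOLEAN AllocationFailed = FALSE;
    ULONG SidLength0;
    ULONG SidLength1;
    ULONG SidLength2;
    ULONG i;

    /* Sizes of a SID with zero, one and two sub-authorities */
    SidLength0 = RtlLengthRequiredSid(0);
    SidLength1 = RtlLengthRequiredSid(1);
    SidLength2 = RtlLengthRequiredSid(2);

    /* Allocate storage for every well-known SID */
    SeNullSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeWorldSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeLocalSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeCreatorOwnerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeCreatorGroupSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeCreatorOwnerServerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeCreatorGroupServerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeNtAuthoritySid = ExAllocatePoolWithTag(PagedPool, SidLength0, TAG_SID);
    SeDialupSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeNetworkSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeBatchSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeInteractiveSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeServiceSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SePrincipalSelfSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeLocalSystemSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeAuthenticatedUserSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeRestrictedCodeSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeAliasAdminsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
    SeAliasUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
    SeAliasGuestsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
    SeAliasPowerUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
    SeAliasAccountOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
    SeAliasSystemOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
    SeAliasPrintOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
    SeAliasBackupOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
    SeAuthenticatedUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeRestrictedSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
    SeAnonymousLogonSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);

    /* A single failed allocation fails the whole initialization */
    for (i = 0; i < SidCount; i++)
    {
        if (*AllSids[i] == NULL)
        {
            AllocationFailed = TRUE;
            break;
        }
    }

    if (AllocationFailed)
    {
        /* Release whatever was allocated and clear the globals, so the
         * memory is not leaked and no pointer to uninitialized pool memory
         * stays reachable through a Se*Sid global. */
        for (i = 0; i < SidCount; i++)
        {
            if (*AllSids[i] != NULL)
            {
                ExFreePool(*AllSids[i]);
                *AllSids[i] = NULL;
            }
        }

        return FALSE;
    }

    /* Set the identifier authority and sub-authority count of each SID */
    RtlInitializeSid(SeNullSid, &SeNullSidAuthority, 1);
    RtlInitializeSid(SeWorldSid, &SeWorldSidAuthority, 1);
    RtlInitializeSid(SeLocalSid, &SeLocalSidAuthority, 1);
    RtlInitializeSid(SeCreatorOwnerSid, &SeCreatorSidAuthority, 1);
    RtlInitializeSid(SeCreatorGroupSid, &SeCreatorSidAuthority, 1);
    RtlInitializeSid(SeCreatorOwnerServerSid, &SeCreatorSidAuthority, 1);
    RtlInitializeSid(SeCreatorGroupServerSid, &SeCreatorSidAuthority, 1);
    RtlInitializeSid(SeNtAuthoritySid, &SeNtSidAuthority, 0);
    RtlInitializeSid(SeDialupSid, &SeNtSidAuthority, 1);
    RtlInitializeSid(SeNetworkSid, &SeNtSidAuthority, 1);
    RtlInitializeSid(SeBatchSid, &SeNtSidAuthority, 1);
    RtlInitializeSid(SeInteractiveSid, &SeNtSidAuthority, 1);
    RtlInitializeSid(SeServiceSid, &SeNtSidAuthority, 1);
    RtlInitializeSid(SePrincipalSelfSid, &SeNtSidAuthority, 1);
    RtlInitializeSid(SeLocalSystemSid, &SeNtSidAuthority, 1);
    RtlInitializeSid(SeAuthenticatedUserSid, &SeNtSidAuthority, 1);
    RtlInitializeSid(SeRestrictedCodeSid, &SeNtSidAuthority, 1);
    RtlInitializeSid(SeAliasAdminsSid, &SeNtSidAuthority, 2);
    RtlInitializeSid(SeAliasUsersSid, &SeNtSidAuthority, 2);
    RtlInitializeSid(SeAliasGuestsSid, &SeNtSidAuthority, 2);
    RtlInitializeSid(SeAliasPowerUsersSid, &SeNtSidAuthority, 2);
    RtlInitializeSid(SeAliasAccountOpsSid, &SeNtSidAuthority, 2);
    RtlInitializeSid(SeAliasSystemOpsSid, &SeNtSidAuthority, 2);
    RtlInitializeSid(SeAliasPrintOpsSid, &SeNtSidAuthority, 2);
    RtlInitializeSid(SeAliasBackupOpsSid, &SeNtSidAuthority, 2);
    RtlInitializeSid(SeAuthenticatedUsersSid, &SeNtSidAuthority, 1);
    RtlInitializeSid(SeRestrictedSid, &SeNtSidAuthority, 1);
    RtlInitializeSid(SeAnonymousLogonSid, &SeNtSidAuthority, 1);

    /* Fill in the single sub-authority (RID) of the one-level SIDs */
    *RtlSubAuthoritySid(SeNullSid, 0) = SECURITY_NULL_RID;
    *RtlSubAuthoritySid(SeWorldSid, 0) = SECURITY_WORLD_RID;
    *RtlSubAuthoritySid(SeLocalSid, 0) = SECURITY_LOCAL_RID;
    *RtlSubAuthoritySid(SeCreatorOwnerSid, 0) = SECURITY_CREATOR_OWNER_RID;
    *RtlSubAuthoritySid(SeCreatorGroupSid, 0) = SECURITY_CREATOR_GROUP_RID;
    *RtlSubAuthoritySid(SeCreatorOwnerServerSid, 0) = SECURITY_CREATOR_OWNER_SERVER_RID;
    *RtlSubAuthoritySid(SeCreatorGroupServerSid, 0) = SECURITY_CREATOR_GROUP_SERVER_RID;
    *RtlSubAuthoritySid(SeDialupSid, 0) = SECURITY_DIALUP_RID;
    *RtlSubAuthoritySid(SeNetworkSid, 0) = SECURITY_NETWORK_RID;
    *RtlSubAuthoritySid(SeBatchSid, 0) = SECURITY_BATCH_RID;
    *RtlSubAuthoritySid(SeInteractiveSid, 0) = SECURITY_INTERACTIVE_RID;
    *RtlSubAuthoritySid(SeServiceSid, 0) = SECURITY_SERVICE_RID;
    *RtlSubAuthoritySid(SePrincipalSelfSid, 0) = SECURITY_PRINCIPAL_SELF_RID;
    *RtlSubAuthoritySid(SeLocalSystemSid, 0) = SECURITY_LOCAL_SYSTEM_RID;
    *RtlSubAuthoritySid(SeAuthenticatedUserSid, 0) = SECURITY_AUTHENTICATED_USER_RID;
    *RtlSubAuthoritySid(SeRestrictedCodeSid, 0) = SECURITY_RESTRICTED_CODE_RID;

    /* Built-in domain aliases: built-in domain RID followed by the alias RID */
    *RtlSubAuthoritySid(SeAliasAdminsSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
    *RtlSubAuthoritySid(SeAliasAdminsSid, 1) = DOMAIN_ALIAS_RID_ADMINS;
    *RtlSubAuthoritySid(SeAliasUsersSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
    *RtlSubAuthoritySid(SeAliasUsersSid, 1) = DOMAIN_ALIAS_RID_USERS;
    *RtlSubAuthoritySid(SeAliasGuestsSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
    *RtlSubAuthoritySid(SeAliasGuestsSid, 1) = DOMAIN_ALIAS_RID_GUESTS;
    *RtlSubAuthoritySid(SeAliasPowerUsersSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
    *RtlSubAuthoritySid(SeAliasPowerUsersSid, 1) = DOMAIN_ALIAS_RID_POWER_USERS;
    *RtlSubAuthoritySid(SeAliasAccountOpsSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
    *RtlSubAuthoritySid(SeAliasAccountOpsSid, 1) = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
    *RtlSubAuthoritySid(SeAliasSystemOpsSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
    *RtlSubAuthoritySid(SeAliasSystemOpsSid, 1) = DOMAIN_ALIAS_RID_SYSTEM_OPS;
    *RtlSubAuthoritySid(SeAliasPrintOpsSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
    *RtlSubAuthoritySid(SeAliasPrintOpsSid, 1) = DOMAIN_ALIAS_RID_PRINT_OPS;
    *RtlSubAuthoritySid(SeAliasBackupOpsSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
    *RtlSubAuthoritySid(SeAliasBackupOpsSid, 1) = DOMAIN_ALIAS_RID_BACKUP_OPS;

    /* These two carry the same RIDs as SeAuthenticatedUserSid and
     * SeRestrictedCodeSid above, but are separate allocations. */
    *RtlSubAuthoritySid(SeAuthenticatedUsersSid, 0) = SECURITY_AUTHENTICATED_USER_RID;
    *RtlSubAuthoritySid(SeRestrictedSid, 0) = SECURITY_RESTRICTED_CODE_RID;
    *RtlSubAuthoritySid(SeAnonymousLogonSid, 0) = SECURITY_ANONYMOUS_LOGON_RID;

    return TRUE;
}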
222
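/*
 * Captures a SID so that later code works on a copy the requester cannot
 * change underneath it.
 *
 * InputSid        - SID to capture. When AccessMode is not KernelMode the
 *                   pointer is treated as untrusted: it is probed and every
 *                   access to it happens under SEH.
 * AccessMode      - Processor mode of the requester.
 * PoolType        - Pool type used for the copy.
 * CaptureIfKernel - For KernelMode requesters: TRUE copies the SID, FALSE
 *                   returns InputSid itself without copying.
 * CapturedSid     - Receives the captured SID on success. It is not written
 *                   on failure.
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when the pool
 * allocation fails, or the exception code raised while probing or copying.
 *
 * The sub-authority count is read from the source exactly once. That value
 * sizes the allocation and is written back into the copy, so the captured
 * SID never claims more sub-authorities than were allocated even if the
 * source buffer is modified while the capture is in progress.
 *
 * NOTE(review): Revision and SubAuthorityCount are not checked for validity
 * here; confirm that callers validate the captured SID (e.g. RtlValidSid)
 * before relying on its contents.
 */
NTSTATUS
SepCaptureSid(IN PSID InputSid,
              IN KPROCESSOR_MODE AccessMode,
              IN POOL_TYPE PoolType,
              IN BOOLEAN CaptureIfKernel,
              OUT PSID *CapturedSid)
{
    ULONG SidSize = 0;
    UCHAR SubAuthorityCount = 0;
    PISID NewSid, Sid = (PISID)InputSid;
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    if(AccessMode != KernelMode)
    {
        _SEH_TRY
        {
            /* Probe the fixed-size header first so the count can be read */
            ProbeForRead(Sid,
                         sizeof(*Sid) - sizeof(Sid->SubAuthority),
                         sizeof(UCHAR));

            /* Fetch the count a single time; the volatile access keeps the
             * compiler from re-reading user memory later on */
            SubAuthorityCount = *(volatile UCHAR *)&Sid->SubAuthorityCount;
            SidSize = RtlLengthRequiredSid(SubAuthorityCount);

            /* Now probe the whole SID, sub-authorities included */
            ProbeForRead(Sid,
                         SidSize,
                         sizeof(UCHAR));
        }
        _SEH_HANDLE
        {
            Status = _SEH_GetExceptionCode();
        }
        _SEH_END;

        if(NT_SUCCESS(Status))
        {
            /* allocate a SID and copy it */
            NewSid = ExAllocatePool(PoolType,
                                    SidSize);
            if(NewSid != NULL)
            {
                _SEH_TRY
                {
                    RtlCopyMemory(NewSid,
                                  Sid,
                                  SidSize);

                    /* The user buffer may have changed since the count was
                     * read; pin the copy to the count the allocation was
                     * sized for so consumers cannot walk past its end */
                    NewSid->SubAuthorityCount = SubAuthorityCount;

                    *CapturedSid = NewSid;
                }
                _SEH_HANDLE
                {
                    /* The copy faulted: drop the partial capture */
                    ExFreePool(NewSid);
                    Status = _SEH_GetExceptionCode();
                }
                _SEH_END;
            }
            else
            {
                Status = STATUS_INSUFFICIENT_RESOURCES;
            }
        }
    }
    else if(!CaptureIfKernel)
    {
        /* Kernel requester that did not ask for a copy: hand the SID back */
        *CapturedSid = InputSid;
        return STATUS_SUCCESS;
    }
    else
    {
        SubAuthorityCount = Sid->SubAuthorityCount;
        SidSize = RtlLengthRequiredSid(SubAuthorityCount);

        /* allocate a SID and copy it */
        NewSid = ExAllocatePool(PoolType,
                                SidSize);
        if(NewSid != NULL)
        {
            RtlCopyMemory(NewSid,
                          Sid,
                          SidSize);

            /* Keep the copy consistent with the size it was allocated for */
            NewSid->SubAuthorityCount = SubAuthorityCount;

            *CapturedSid = NewSid;
        }
        else
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
        }
    }

    return Status;
}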
310
/*
 * Frees a captured SID, mirroring the ownership rules of SepCaptureSid in
 * this file: a SID is freed when it was captured for a non-kernel requester,
 * or for a kernel requester with CaptureIfKernel set. In the remaining case
 * (KernelMode without CaptureIfKernel) the pointer is left untouched.
 *
 * CapturedSid     - SID to release; NULL is accepted and ignored.
 * AccessMode      - Processor mode that was passed when capturing.
 * CaptureIfKernel - CaptureIfKernel value that was passed when capturing.
 *
 * Passing different AccessMode/CaptureIfKernel values than were used for the
 * capture makes this routine free a pointer it does not own, or skip freeing
 * one it does.
 */
VOID
SepReleaseSid(IN PSID CapturedSid,
              IN KPROCESSOR_MODE AccessMode,
              IN BOOLEAN CaptureIfKernel)
{
    PAGED_CODE();

    /* Nothing to release */
    if(CapturedSid == NULL)
    {
        return;
    }

    /* Kernel requester without a copy: the pointer is not ours to free */
    if(AccessMode == KernelMode && !CaptureIfKernel)
    {
        return;
    }

    ExFreePool(CapturedSid);
}
325
326 /* EOF */