/* PRIVATE FUNCTIONS *********************************************************/
+INIT_FUNCTION
NTSTATUS
NTAPI
-INIT_FUNCTION
-ObpCreateGlobalDosDevicesSD(OUT PSECURITY_DESCRIPTOR *SecurityDescriptor)
+ObpGetDosDevicesProtection(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
{
- PSECURITY_DESCRIPTOR Sd = NULL;
PACL Dacl;
- ULONG AclSize, SdSize;
+ ULONG AclSize;
NTSTATUS Status;
- AclSize = sizeof(ACL) +
- sizeof(ACE) + RtlLengthSid(SeWorldSid) +
- sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
- sizeof(ACE) + RtlLengthSid(SeWorldSid) +
- sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
- sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
- sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
-
- SdSize = sizeof(SECURITY_DESCRIPTOR) + AclSize;
+ /* Initialize the SD */
+ Status = RtlCreateSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
+ ASSERT(NT_SUCCESS(Status));
- /* Allocate the SD and ACL */
- Sd = ExAllocatePoolWithTag(PagedPool, SdSize, TAG_SD);
- if (Sd == NULL)
+ if (ObpProtectionMode & 1)
{
- return STATUS_INSUFFICIENT_RESOURCES;
- }
+ AclSize = sizeof(ACL) +
+ sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
+ sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+ sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
+ sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
+
+ /* Allocate the ACL */
+ Dacl = ExAllocatePoolWithTag(PagedPool, AclSize, 'lcaD');
+ if (Dacl == NULL)
+ {
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
- /* Initialize the SD */
- Status = RtlCreateSecurityDescriptor(Sd,
- SECURITY_DESCRIPTOR_REVISION);
- if (!NT_SUCCESS(Status))
- return Status;
+ /* Initialize the DACL */
+ Status = RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+
+ /* Add the ACEs */
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_READ | GENERIC_EXECUTE,
+ SeWorldSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_EXECUTE,
+ SeWorldSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeAliasAdminsSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeCreatorOwnerSid);
+ ASSERT(NT_SUCCESS(Status));
+ }
+ else
+ {
+ AclSize = sizeof(ACL) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
+ sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid);
+
+ /* Allocate the ACL */
+ Dacl = ExAllocatePoolWithTag(PagedPool, AclSize, 'lcaD');
+ if (Dacl == NULL)
+ {
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
- Dacl = (PACL)((INT_PTR)Sd + sizeof(SECURITY_DESCRIPTOR));
-
- /* Initialize the DACL */
- RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
-
- /* Add the ACEs */
- RtlAddAccessAllowedAce(Dacl,
- ACL_REVISION,
- GENERIC_READ | GENERIC_EXECUTE,
- SeWorldSid);
-
- RtlAddAccessAllowedAce(Dacl,
- ACL_REVISION,
- GENERIC_ALL,
- SeLocalSystemSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_EXECUTE,
- SeWorldSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeAliasAdminsSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeLocalSystemSid);
-
- RtlAddAccessAllowedAceEx(Dacl,
- ACL_REVISION,
- INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
- GENERIC_ALL,
- SeCreatorOwnerSid);
+ /* Initialize the DACL */
+ Status = RtlCreateAcl(Dacl, AclSize, ACL_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+
+ /* Add the ACEs */
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_READ | GENERIC_EXECUTE | GENERIC_WRITE,
+ SeWorldSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ Status = RtlAddAccessAllowedAceEx(Dacl,
+ ACL_REVISION,
+ INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,
+ GENERIC_ALL,
+ SeWorldSid);
+ ASSERT(NT_SUCCESS(Status));
+ }
/* Attach the DACL to the SD */
- Status = RtlSetDaclSecurityDescriptor(Sd,
- TRUE,
- Dacl,
- FALSE);
- if (!NT_SUCCESS(Status))
- goto done;
+ Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor, TRUE, Dacl, FALSE);
+ ASSERT(NT_SUCCESS(Status));
- *SecurityDescriptor = Sd;
+ return STATUS_SUCCESS;
+}
-done:
- if (!NT_SUCCESS(Status))
- {
- if (Sd != NULL)
- ExFreePoolWithTag(Sd, TAG_SD);
- }
+INIT_FUNCTION
+VOID
+NTAPI
+ObpFreeDosDevicesProtection(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
+{
+ PACL Dacl;
+ NTSTATUS Status;
+ BOOLEAN DaclPresent, DaclDefaulted;
- return Status;
+ Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor, &DaclPresent, &Dacl, &DaclDefaulted);
+ ASSERT(NT_SUCCESS(Status));
+ ASSERT(DaclPresent);
+ ASSERT(Dacl != NULL);
+ ExFreePoolWithTag(Dacl, 'lcaD');
}
+INIT_FUNCTION
NTSTATUS
NTAPI
-INIT_FUNCTION
ObpCreateDosDevicesDirectory(VOID)
{
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING RootName, TargetName, LinkName;
HANDLE Handle, SymHandle;
- PSECURITY_DESCRIPTOR DosDevicesSD = NULL;
+ SECURITY_DESCRIPTOR DosDevicesSD;
NTSTATUS Status;
+ /*
+ * Enable LUID mappings only if not explicitely disabled
+ * and if protection mode is set
+ */
+ if (ObpProtectionMode == 0 || ObpLUIDDeviceMapsDisabled != 0)
+ ObpLUIDDeviceMapsEnabled = 0;
+ else
+ ObpLUIDDeviceMapsEnabled = 1;
+
/* Create a custom security descriptor for the global DosDevices directory */
- Status = ObpCreateGlobalDosDevicesSD(&DosDevicesSD);
+ Status = ObpGetDosDevicesProtection(&DosDevicesSD);
if (!NT_SUCCESS(Status))
return Status;
&RootName,
OBJ_PERMANENT,
NULL,
- DosDevicesSD);
+ &DosDevicesSD);
Status = NtCreateDirectoryObject(&Handle,
DIRECTORY_ALL_ACCESS,
&ObjectAttributes);
- ExFreePoolWithTag(DosDevicesSD, TAG_SD);
- if (!NT_SUCCESS(Status)) return Status;
+ if (!NT_SUCCESS(Status))
+ goto done;
/* Create the system device map */
- Status = ObpCreateDeviceMap(Handle);
+ Status = ObSetDeviceMap(NULL, Handle);
if (!NT_SUCCESS(Status))
- return Status;
+ goto done;
/*********************************************\
|*** HACK until we support device mappings ***|
&LinkName,
OBJ_PERMANENT,
NULL,
- NULL);
+ &DosDevicesSD);
Status = NtCreateSymbolicLinkObject(&SymHandle,
SYMBOLIC_LINK_ALL_ACCESS,
&ObjectAttributes,
&LinkName,
OBJ_PERMANENT,
Handle,
- NULL);
+ &DosDevicesSD);
Status = NtCreateSymbolicLinkObject(&SymHandle,
SYMBOLIC_LINK_ALL_ACCESS,
&ObjectAttributes,
&LinkName,
OBJ_PERMANENT,
Handle,
- NULL);
+ &DosDevicesSD);
Status = NtCreateSymbolicLinkObject(&SymHandle,
SYMBOLIC_LINK_ALL_ACCESS,
&ObjectAttributes,
/* Close the directory handle */
NtClose(Handle);
- if (!NT_SUCCESS(Status)) return Status;
+ if (!NT_SUCCESS(Status))
+ goto done;
/*
* Initialize the \DosDevices symbolic link pointing to the global
&LinkName,
OBJ_PERMANENT,
NULL,
- NULL);
+ &DosDevicesSD);
Status = NtCreateSymbolicLinkObject(&SymHandle,
SYMBOLIC_LINK_ALL_ACCESS,
&ObjectAttributes,
&RootName);
if (NT_SUCCESS(Status)) NtClose(SymHandle);
+done:
+ ObpFreeDosDevicesProtection(&DosDevicesSD);
+
/* Return status */
return Status;
}
/* Get the object header */
ObjectHeader = OBJECT_TO_OBJECT_HEADER(InsertObject);
- /* FIXME: Check if this is a Section Object or Sym Link */
- /* FIXME: If it is, then check if this isn't session 0 */
- /* FIXME: If it isn't, check for SeCreateGlobalPrivilege */
- /* FIXME: If privilege isn't there, check for unsecure name */
- /* FIXME: If it isn't a known unsecure name, then fail */
+ /*
+ * Deny object creation if:
+ * That's a section object or a symbolic link
+ * Which isn't in the same section that root directory
+ * That doesn't have the SeCreateGlobalPrivilege
+ * And that is not a known unsecure name
+ */
+ if (RootDirectory->SessionId != -1)
+ {
+ if (ObjectHeader->Type == MmSectionObjectType ||
+ ObjectHeader->Type == ObpSymbolicLinkObjectType)
+ {
+ if (RootDirectory->SessionId != PsGetCurrentProcessSessionId() &&
+ !SeSinglePrivilegeCheck(SeCreateGlobalPrivilege, AccessCheckMode) &&
+ !ObpIsUnsecureName(&ComponentName, BooleanFlagOn(Attributes, OBJ_CASE_INSENSITIVE)))
+ {
+ Status = STATUS_ACCESS_DENIED;
+ break;
+ }
+ }
+ }
/* Create Object Name */
NewName = ExAllocatePoolWithTag(PagedPool,