/* PRIVATE FUNCTIONS **********************************************************/
-static BOOLEAN
+static
INIT_FUNCTION
+BOOLEAN
SepInitExports(VOID)
{
SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
}
+INIT_FUNCTION
BOOLEAN
NTAPI
-INIT_FUNCTION
SepInitializationPhase0(VOID)
{
PAGED_CODE();
- ExpInitLuid();
+ if (!ExLuidInitialization()) return FALSE;
if (!SepInitSecurityIDs()) return FALSE;
if (!SepInitDACLs()) return FALSE;
if (!SepInitSDs()) return FALSE;
/* Initialize token objects */
SepInitializeTokenImplementation();
+ /* Initialize logon sessions */
+ if (!SeRmInitPhase0()) return FALSE;
+
/* Clear impersonation info for the idle thread */
PsGetCurrentThread()->ImpersonationInfo = NULL;
PspClearCrossThreadFlag(PsGetCurrentThread(),
return TRUE;
}
+INIT_FUNCTION
BOOLEAN
NTAPI
-INIT_FUNCTION
SepInitializationPhase1(VOID)
{
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE SecurityHandle;
HANDLE EventHandle;
NTSTATUS Status;
+ SECURITY_DESCRIPTOR SecurityDescriptor;
+ PACL Dacl;
+ ULONG DaclLength;
PAGED_CODE();
NULL);
ASSERT(NT_SUCCESS(Status));
- /* TODO: Create a security desscriptor for the directory */
+ /* Create a security descriptor for the directory */
+ RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
+
+ /* Setup the ACL */
+ DaclLength = sizeof(ACL) + 3 * sizeof(ACCESS_ALLOWED_ACE) +
+ RtlLengthSid(SeLocalSystemSid) +
+ RtlLengthSid(SeAliasAdminsSid) +
+ RtlLengthSid(SeWorldSid);
+ Dacl = ExAllocatePoolWithTag(NonPagedPool, DaclLength, TAG_SE);
+ if (Dacl == NULL)
+ {
+ return FALSE;
+ }
+
+ Status = RtlCreateAcl(Dacl, DaclLength, ACL_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+
+ /* Grant full access to SYSTEM */
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ DIRECTORY_ALL_ACCESS,
+ SeLocalSystemSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ /* Allow admins to traverse and query */
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ READ_CONTROL | DIRECTORY_TRAVERSE | DIRECTORY_QUERY,
+ SeAliasAdminsSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ /* Allow anyone to traverse */
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ DIRECTORY_TRAVERSE,
+ SeWorldSid);
+ ASSERT(NT_SUCCESS(Status));
+
+ /* And link ACL and SD */
+ Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, Dacl, FALSE);
+ ASSERT(NT_SUCCESS(Status));
/* Create '\Security' directory */
RtlInitUnicodeString(&Name, L"\\Security");
&Name,
OBJ_PERMANENT | OBJ_CASE_INSENSITIVE,
0,
- NULL);
+ &SecurityDescriptor);
Status = ZwCreateDirectoryObject(&SecurityHandle,
DIRECTORY_ALL_ACCESS,
&ObjectAttributes);
ASSERT(NT_SUCCESS(Status));
+ /* Free the DACL */
+ ExFreePoolWithTag(Dacl, TAG_SE);
+
/* Create 'LSA_AUTHENTICATION_INITIALIZED' event */
RtlInitUnicodeString(&Name, L"LSA_AUTHENTICATION_INITIALIZED");
InitializeObjectAttributes(&ObjectAttributes,
return TRUE;
}
+INIT_FUNCTION
BOOLEAN
NTAPI
-INIT_FUNCTION
SeInitSystem(VOID)
{
/* Check the initialization phase */
projects / reactos.git / blobdiff