Synchronize up to trunk's revision r57784.
[reactos.git] / ntoskrnl / se / semgr.c
index de37447..855f528 100644 (file)
 
 PSE_EXPORTS SeExports = NULL;
 SE_EXPORTS SepExports;
+ULONG SidInTokenCalls = 0;
 
 extern ULONG ExpInitializationPhase;
 extern ERESOURCE SepSubjectContextLock;
 
 /* PRIVATE FUNCTIONS **********************************************************/
 
-static BOOLEAN INIT_FUNCTION
+static BOOLEAN
+INIT_FUNCTION
 SepInitExports(VOID)
 {
     SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
@@ -84,6 +86,7 @@ SepInitExports(VOID)
 
 BOOLEAN
 NTAPI
+INIT_FUNCTION
 SepInitializationPhase0(VOID)
 {
     PAGED_CODE();
@@ -115,9 +118,11 @@ SepInitializationPhase0(VOID)
 
 BOOLEAN
 NTAPI
+INIT_FUNCTION
 SepInitializationPhase1(VOID)
 {
     NTSTATUS Status;
+
     PAGED_CODE();
 
     /* Insert the system token into the tree */
@@ -136,6 +141,7 @@ SepInitializationPhase1(VOID)
 
 BOOLEAN
 NTAPI
+INIT_FUNCTION
 SeInitSystem(VOID)
 {
     /* Check the initialization phase */
@@ -165,6 +171,7 @@ SeInitSystem(VOID)
 
 BOOLEAN
 NTAPI
+INIT_FUNCTION
 SeInitSRM(VOID)
 {
     OBJECT_ATTRIBUTES ObjectAttributes;
@@ -279,68 +286,8 @@ SeDefaultObjectMethod(IN PVOID Object,
     return STATUS_SUCCESS;
 }
 
-ULONG SidInTokenCalls = 0;
-
-static BOOLEAN
-SepSidInToken(PACCESS_TOKEN _Token,
-              PSID Sid)
-{
-    ULONG i;
-    PTOKEN Token = (PTOKEN)_Token;
-
-    PAGED_CODE();
-
-    SidInTokenCalls++;
-    if (!(SidInTokenCalls % 10000)) DPRINT1("SidInToken Calls: %d\n", SidInTokenCalls);
-    
-    if (Token->UserAndGroupCount == 0)
-    {
-        return FALSE;
-    }
-
-    for (i=0; i<Token->UserAndGroupCount; i++)
-    {
-        if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
-        {
-            if ((i == 0)|| (Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED))
-            {
-                return TRUE;
-            }
-
-            return FALSE;
-        }
-    }
-
-    return FALSE;
-}
-
-static BOOLEAN
-SepTokenIsOwner(PACCESS_TOKEN Token,
-                PSECURITY_DESCRIPTOR SecurityDescriptor)
-{
-    NTSTATUS Status;
-    PSID Sid = NULL;
-    BOOLEAN Defaulted;
-
-    Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
-                                           &Sid,
-                                           &Defaulted);
-    if (!NT_SUCCESS(Status))
-    {
-        DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status);
-        return FALSE;
-    }
-
-    if (Sid == NULL)
-    {
-        DPRINT1("Owner Sid is NULL\n");
-        return FALSE;
-    }
-
-    return SepSidInToken(Token, Sid);
-}
-
-VOID NTAPI
+VOID
+NTAPI
 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                           OUT PACCESS_MASK DesiredAccess)
 {
@@ -351,13 +298,15 @@ SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
     {
         *DesiredAccess |= READ_CONTROL;
     }
+
     if (SecurityInformation & SACL_SECURITY_INFORMATION)
     {
         *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
     }
 }
 
-VOID NTAPI
+VOID
+NTAPI
 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                         OUT PACCESS_MASK DesiredAccess)
 {
@@ -367,10 +316,12 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
     {
         *DesiredAccess |= WRITE_OWNER;
     }
+
     if (SecurityInformation & DACL_SECURITY_INFORMATION)
     {
         *DesiredAccess |= WRITE_DAC;
     }
+
     if (SecurityInformation & SACL_SECURITY_INFORMATION)
     {
         *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
@@ -494,7 +445,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
         {
             *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
         }
-        
+
         *AccessStatus = STATUS_SUCCESS;
         return TRUE;
     }
@@ -695,6 +646,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                 *GrantedAccess, DesiredAccess, GenericMapping);
         //*AccessStatus = STATUS_ACCESS_DENIED;
         //return FALSE;
+        *GrantedAccess = DesiredAccess;
         *AccessStatus = STATUS_SUCCESS;
         return TRUE;
     }
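Review bot: This branch appears to be the failure path of SepAccessCheck, and it still fails open: with the `STATUS_ACCESS_DENIED` return commented out, the added `*GrantedAccess = DesiredAccess;` hands back every requested right even though the evaluation above did not grant them. If this is a deliberate compatibility stub, the code should say so, e.g. `/* HACK: access check not enforced; requested access is granted unconditionally */`, so the bypass is not mistaken for finished logic. It is also worth confirming that `DesiredAccess` cannot still carry `MAXIMUM_ALLOWED` or unmapped generic bits at this point, since they would be copied verbatim into the granted mask. The enclosing function starts and ends outside this hunk.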
@@ -763,7 +715,8 @@ SepGetSDGroup(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
 /*
  * @implemented
  */
-BOOLEAN NTAPI
+BOOLEAN
+NTAPI
 SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
               IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
               IN BOOLEAN SubjectContextLocked,
@@ -828,7 +781,8 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
              SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
 
         if (SepTokenIsOwner(Token,
-                            SecurityDescriptor))
+                            SecurityDescriptor,
+                            FALSE))
         {
             if (DesiredAccess & MAXIMUM_ALLOWED)
                 PreviouslyGrantedAccess |= (WRITE_DAC | READ_CONTROL);
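Review bot: The new third argument to SepTokenIsOwner is passed as a bare `FALSE` here and again at the NtAccessCheck call site, and with the function's definition removed from this file nothing on the page says what it controls. A short comment at each call, such as `FALSE /* <parameter name> */`, would make the intent reviewable. If the flag describes lock state (an assumption, since the prototype is not visible), the literal should be checked against `SubjectContextLocked` in this function and against the `SepAcquireTokenLockShared(Token)` call added in NtAccessCheck just before its own call. SeAccessCheck's body starts and ends outside the hunk.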
@@ -935,7 +889,7 @@ NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
     /* Reference the token */
     Status = ObReferenceObjectByHandle(TokenHandle,
                                        TOKEN_QUERY,
-                                       SepTokenObjectType,
+                                       SeTokenObjectType,
                                        PreviousMode,
                                        (PVOID*)&Token,
                                        NULL);
@@ -995,16 +949,15 @@ NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
     }
 
     /* Set up the subject context, and lock it */
-    SubjectSecurityContext.ClientToken = Token;
-    SubjectSecurityContext.ImpersonationLevel = Token->ImpersonationLevel;
-    SubjectSecurityContext.PrimaryToken = NULL;
-    SubjectSecurityContext.ProcessAuditId = NULL;
-    SeLockSubjectContext(&SubjectSecurityContext);
+    SeCaptureSubjectContext(&SubjectSecurityContext);
+
+    /* Lock the token */
+    SepAcquireTokenLockShared(Token);
 
     /* Check if the token is the owner and grant WRITE_DAC and READ_CONTROL rights */
     if (DesiredAccess & (WRITE_DAC | READ_CONTROL | MAXIMUM_ALLOWED))
     {
-        if (SepTokenIsOwner(Token, SecurityDescriptor)) // FIXME: use CapturedSecurityDescriptor
+        if (SepTokenIsOwner(Token, SecurityDescriptor, FALSE)) // FIXME: use CapturedSecurityDescriptor
         {
             if (DesiredAccess & MAXIMUM_ALLOWED)
                 PreviouslyGrantedAccess |= (WRITE_DAC | READ_CONTROL);
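Review bot: The owner check still reads the caller-supplied `SecurityDescriptor` rather than the captured copy, and this commit edits that very line while leaving the FIXME in place. For a user-mode caller that pointer refers to memory the caller can modify during the check, so the owner decision can disagree with the descriptor the rest of the function evaluates. Assuming the capture has completed by this point (the release of `CapturedSecurityDescriptor` is visible in a later hunk), the call should be `if (SepTokenIsOwner(Token, CapturedSecurityDescriptor, FALSE))`. Separately, `SeCaptureSubjectContext` fills the context from the calling thread rather than from the handle's `Token` as the removed lines did, so it is worth confirming that the access check further down still evaluates the intended token. NtAccessCheck's body starts and ends outside the hunk.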
@@ -1034,8 +987,9 @@ NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                        AccessStatus);
     }
 
-    /* Unlock subject context */
-    SeUnlockSubjectContext(&SubjectSecurityContext);
+    /* Release subject context and unlock the token */
+    SeReleaseSubjectContext(&SubjectSecurityContext);
+    SepReleaseTokenLock(Token);
 
     /* Release the captured security descriptor */
     SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
@@ -1060,7 +1014,7 @@ NtAccessCheckByType(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                     IN ULONG ObjectTypeLength,
                     IN PGENERIC_MAPPING GenericMapping,
                     IN PPRIVILEGE_SET PrivilegeSet,
-                    IN ULONG PrivilegeSetLength,
+                    IN OUT PULONG PrivilegeSetLength,
                     OUT PACCESS_MASK GrantedAccess,
                     OUT PNTSTATUS AccessStatus)
 {
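Review bot: `PrivilegeSetLength` changes from a by-value length to `IN OUT PULONG`, which for a system service means a caller-controlled pointer, and no probe or capture is visible because the body lies outside the hunk. Any read or write through it should happen inside the SEH-guarded probe path, with the length copied to a local once and validated before it bounds any access to `PrivilegeSet`. A reminder at the top of the body, e.g. `/* PrivilegeSetLength is a user pointer: probe and capture before use */`, would document that requirement. The same applies to NtAccessCheckByTypeResultList in the next hunk.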
@@ -1101,7 +1055,7 @@ NtAccessCheckByTypeResultList(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                               IN ULONG ObjectTypeLength,
                               IN PGENERIC_MAPPING GenericMapping,
                               IN PPRIVILEGE_SET PrivilegeSet,
-                              IN ULONG PrivilegeSetLength,
+                              IN OUT PULONG PrivilegeSetLength,
                               OUT PACCESS_MASK GrantedAccess,
                               OUT PNTSTATUS AccessStatus)
 {