-/* $Id: acl.c,v 1.19 2004/08/05 18:17:37 ion Exp $
+/* $Id$
*
- * COPYRIGHT: See COPYING in the top level directory
- * PROJECT: ReactOS kernel
- * PURPOSE: Security manager
- * FILE: kernel/se/acl.c
- * PROGRAMER: David Welch <welch@cwcom.net>
- * REVISION HISTORY:
- * 26/07/98: Added stubs for security functions
+ * COPYRIGHT: See COPYING in the top level directory
+ * PROJECT: ReactOS kernel
+ * FILE: ntoskrnl/se/acl.c
+ * PURPOSE: Security manager
+ *
+ * PROGRAMMERS: David Welch <welch@cwcom.net>
*/
/* INCLUDES *****************************************************************/
-#include <ddk/ntddk.h>
-#include <internal/se.h>
-
+#include <ntoskrnl.h>
#include <internal/debug.h>
-#define TAG_ACL TAG('A', 'C', 'L', 'T')
+#if defined (ALLOC_PRAGMA)
+#pragma alloc_text(INIT, SepInitDACLs)
+#endif
/* GLOBALS ******************************************************************/
-PACL EXPORTED SePublicDefaultDacl = NULL;
-PACL EXPORTED SeSystemDefaultDacl = NULL;
+PACL SePublicDefaultDacl = NULL;
+PACL SeSystemDefaultDacl = NULL;
PACL SePublicDefaultUnrestrictedDacl = NULL;
PACL SePublicOpenDacl = NULL;
/* FUNCTIONS ****************************************************************/
-BOOLEAN INIT_FUNCTION
+BOOLEAN
+INIT_FUNCTION
+NTAPI
SepInitDACLs(VOID)
{
- ULONG AclLength2;
- ULONG AclLength3;
- ULONG AclLength4;
-
- AclLength2 = sizeof(ACL) +
- 2 * (RtlLengthRequiredSid(1) + sizeof(ACE));
- AclLength3 = sizeof(ACL) +
- 3 * (RtlLengthRequiredSid(1) + sizeof(ACE));
- AclLength4 = sizeof(ACL) +
- 4 * (RtlLengthRequiredSid(1) + sizeof(ACE));
+ ULONG AclLength;
/* create PublicDefaultDacl */
- SePublicDefaultDacl = ExAllocatePoolWithTag(NonPagedPool,
- AclLength2,
+ AclLength = sizeof(ACL) +
+ (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
+
+ SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
+ AclLength,
TAG_ACL);
if (SePublicDefaultDacl == NULL)
return FALSE;
RtlCreateAcl(SePublicDefaultDacl,
- AclLength2,
+ AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SePublicDefaultDacl,
/* create PublicDefaultUnrestrictedDacl */
- SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool,
- AclLength4,
+ AclLength = sizeof(ACL) +
+ (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
+
+ SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
+ AclLength,
TAG_ACL);
if (SePublicDefaultUnrestrictedDacl == NULL)
return FALSE;
RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
- AclLength4,
+ AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
SeRestrictedCodeSid);
/* create PublicOpenDacl */
- SePublicOpenDacl = ExAllocatePoolWithTag(NonPagedPool,
- AclLength3,
+ AclLength = sizeof(ACL) +
+ (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
+
+ SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool,
+ AclLength,
TAG_ACL);
if (SePublicOpenDacl == NULL)
return FALSE;
RtlCreateAcl(SePublicOpenDacl,
- AclLength3,
+ AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SePublicOpenDacl,
SeAliasAdminsSid);
/* create PublicOpenUnrestrictedDacl */
- SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool,
- AclLength4,
+ AclLength = sizeof(ACL) +
+ (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
+
+ SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
+ AclLength,
TAG_ACL);
if (SePublicOpenUnrestrictedDacl == NULL)
return FALSE;
RtlCreateAcl(SePublicOpenUnrestrictedDacl,
- AclLength4,
+ AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
SeRestrictedCodeSid);
/* create SystemDefaultDacl */
- SeSystemDefaultDacl = ExAllocatePoolWithTag(NonPagedPool,
- AclLength2,
+ AclLength = sizeof(ACL) +
+ (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
+
+ SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool,
+ AclLength,
TAG_ACL);
if (SeSystemDefaultDacl == NULL)
return FALSE;
RtlCreateAcl(SeSystemDefaultDacl,
- AclLength2,
+ AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SeSystemDefaultDacl,
SeAliasAdminsSid);
/* create UnrestrictedDacl */
- SeUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool,
- AclLength2,
+ AclLength = sizeof(ACL) +
+ (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
+
+ SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
+ AclLength,
TAG_ACL);
if (SeUnrestrictedDacl == NULL)
return FALSE;
RtlCreateAcl(SeUnrestrictedDacl,
- AclLength2,
+ AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SeUnrestrictedDacl,
return(TRUE);
}
+NTSTATUS STDCALL
+SepCreateImpersonationTokenDacl(PTOKEN Token,
+ PTOKEN PrimaryToken,
+ PACL *Dacl)
+{
+ ULONG AclLength;
+ PVOID TokenDacl;
+
+ PAGED_CODE();
+
+ AclLength = sizeof(ACL) +
+ (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
+ (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
+ (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
+
+ TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
+ if (TokenDacl == NULL)
+ {
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+
+ RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
+ RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
+ Token->UserAndGroups->Sid);
+ RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
+ PrimaryToken->UserAndGroups->Sid);
+ RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
+ SeAliasAdminsSid);
+ RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
+ SeLocalSystemSid);
+
+ /* FIXME */
+#if 0
+ if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
+ {
+ RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
+ SeRestrictedCodeSid);
+ }
+#endif
+
+ return STATUS_SUCCESS;
+}
+
+NTSTATUS
+NTAPI
+SepCaptureAcl(IN PACL InputAcl,
+ IN KPROCESSOR_MODE AccessMode,
+ IN POOL_TYPE PoolType,
+ IN BOOLEAN CaptureIfKernel,
+ OUT PACL *CapturedAcl)
+{
+ PACL NewAcl;
+ ULONG AclSize = 0;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+ PAGED_CODE();
+
+ if(AccessMode != KernelMode)
+ {
+ _SEH_TRY
+ {
+ ProbeForRead(InputAcl,
+ sizeof(ACL),
+ sizeof(ULONG));
+ AclSize = InputAcl->AclSize;
+ ProbeForRead(InputAcl,
+ AclSize,
+ sizeof(ULONG));
+ }
+ _SEH_HANDLE
+ {
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+
+ if(NT_SUCCESS(Status))
+ {
+ NewAcl = ExAllocatePool(PoolType,
+ AclSize);
+ if(NewAcl != NULL)
+ {
+ _SEH_TRY
+ {
+ RtlCopyMemory(NewAcl,
+ InputAcl,
+ AclSize);
+
+ *CapturedAcl = NewAcl;
+ }
+ _SEH_HANDLE
+ {
+ ExFreePool(NewAcl);
+ Status = _SEH_GetExceptionCode();
+ }
+ _SEH_END;
+ }
+ else
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ }
+ }
+ }
+ else if(!CaptureIfKernel)
+ {
+ *CapturedAcl = InputAcl;
+ }
+ else
+ {
+ AclSize = InputAcl->AclSize;
+
+ NewAcl = ExAllocatePool(PoolType,
+ AclSize);
+
+ if(NewAcl != NULL)
+ {
+ RtlCopyMemory(NewAcl,
+ InputAcl,
+ AclSize);
+
+ *CapturedAcl = NewAcl;
+ }
+ else
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ }
+ }
+
+ return Status;
+}
+
+VOID
+NTAPI
+SepReleaseAcl(IN PACL CapturedAcl,
+ IN KPROCESSOR_MODE AccessMode,
+ IN BOOLEAN CaptureIfKernel)
+{
+ PAGED_CODE();
+
+ if(CapturedAcl != NULL &&
+ (AccessMode != KernelMode ||
+ (AccessMode == KernelMode && CaptureIfKernel)))
+ {
+ ExFreePool(CapturedAcl);
+ }
+}
+
/* EOF */