/* PRIVATE FUNCTIONS **********************************************************/
-PSID
-FORCEINLINE
-SepGetGroupFromDescriptor(PVOID _Descriptor)
-{
- PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
- PISECURITY_DESCRIPTOR_RELATIVE SdRel;
-
- if (Descriptor->Control & SE_SELF_RELATIVE)
- {
- SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
- if (!SdRel->Group) return NULL;
- return (PSID)((ULONG_PTR)Descriptor + SdRel->Group);
- }
- else
- {
- return Descriptor->Group;
- }
-}
-
-PSID
-FORCEINLINE
-SepGetOwnerFromDescriptor(PVOID _Descriptor)
-{
- PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
- PISECURITY_DESCRIPTOR_RELATIVE SdRel;
-
- if (Descriptor->Control & SE_SELF_RELATIVE)
- {
- SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
- if (!SdRel->Owner) return NULL;
- return (PSID)((ULONG_PTR)Descriptor + SdRel->Owner);
- }
- else
- {
- return Descriptor->Owner;
- }
-}
-
-PACL
-FORCEINLINE
-SepGetDaclFromDescriptor(PVOID _Descriptor)
-{
- PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
- PISECURITY_DESCRIPTOR_RELATIVE SdRel;
-
- if (Descriptor->Control & SE_SELF_RELATIVE)
- {
- SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
- if (!SdRel->Dacl) return NULL;
- return (PACL)((ULONG_PTR)Descriptor + SdRel->Dacl);
- }
- else
- {
- return Descriptor->Dacl;
- }
-}
-
-PACL
-FORCEINLINE
-SepGetSaclFromDescriptor(PVOID _Descriptor)
-{
- PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
- PISECURITY_DESCRIPTOR_RELATIVE SdRel;
-
- if (Descriptor->Control & SE_SELF_RELATIVE)
- {
- SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
- if (!SdRel->Sacl) return NULL;
- return (PACL)((ULONG_PTR)Descriptor + SdRel->Sacl);
- }
- else
- {
- return Descriptor->Sacl;
- }
-}
-
BOOLEAN
INIT_FUNCTION
NTAPI
/*
* @implemented
*/
-NTSTATUS NTAPI
-SeQuerySecurityDescriptorInfo(IN PSECURITY_INFORMATION SecurityInformation,
- IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
- IN OUT PULONG Length,
- IN PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor OPTIONAL)
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeQuerySecurityDescriptorInfo(
+ _In_ PSECURITY_INFORMATION SecurityInformation,
+ _Out_writes_bytes_(*Length) PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Inout_ PULONG Length,
+ _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor)
{
PISECURITY_DESCRIPTOR ObjectSd;
PISECURITY_DESCRIPTOR_RELATIVE RelSD;
ULONG_PTR Current;
ULONG SdLength;
+ PAGED_CODE();
+
RelSD = (PISECURITY_DESCRIPTOR_RELATIVE)SecurityDescriptor;
if (*ObjectsSecurityDescriptor == NULL)
/*
* @implemented
*/
-NTSTATUS NTAPI
-SeSetSecurityDescriptorInfo(IN PVOID Object OPTIONAL,
- IN PSECURITY_INFORMATION _SecurityInformation,
- IN PSECURITY_DESCRIPTOR _SecurityDescriptor,
- IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
- IN POOL_TYPE PoolType,
- IN PGENERIC_MAPPING GenericMapping)
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeSetSecurityDescriptorInfo(
+ _In_opt_ PVOID Object,
+ _In_ PSECURITY_INFORMATION SecurityInformation,
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
+ _In_ POOL_TYPE PoolType,
+ _In_ PGENERIC_MAPPING GenericMapping)
+{
+ PAGED_CODE();
+
+ return SeSetSecurityDescriptorInfoEx(Object,
+ SecurityInformation,
+ SecurityDescriptor,
+ ObjectsSecurityDescriptor,
+ 0,
+ PoolType,
+ GenericMapping);
+}
+
+/*
+ * @implemented
+ */
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeSetSecurityDescriptorInfoEx(
+ _In_opt_ PVOID Object,
+ _In_ PSECURITY_INFORMATION _SecurityInformation,
+ _In_ PSECURITY_DESCRIPTOR _SecurityDescriptor,
+ _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
+ _In_ ULONG AutoInheritFlags,
+ _In_ POOL_TYPE PoolType,
+ _In_ PGENERIC_MAPPING GenericMapping)
{
PISECURITY_DESCRIPTOR_RELATIVE ObjectSd;
PISECURITY_DESCRIPTOR_RELATIVE NewSd;
ULONG Current;
SECURITY_INFORMATION SecurityInformation;
+ PAGED_CODE();
+
ObjectSd = *ObjectsSecurityDescriptor;
/* The object does not have a security descriptor. */
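Review bot: `AutoInheritFlags` is accepted by `SeSetSecurityDescriptorInfoEx` but is not referenced in any line visible here, while the function is now tagged `@implemented`. A caller that passes inheritance flags may therefore silently get the same result as the non-Ex call. The body continues outside this hunk; if it does not consume the flag, mark that explicitly the way `SeAssignSecurityEx` does in this same commit, with `DBG_UNREFERENCED_PARAMETER(AutoInheritFlags);` and a comment such as `/* FIXME: AutoInheritFlags is not honoured yet */`. That keeps the gap visible to anyone auditing how object descriptors are updated.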
return STATUS_SUCCESS;
}
-/*
- * @unimplemented
- */
-NTSTATUS
-NTAPI
-SeSetSecurityDescriptorInfoEx(IN PVOID Object OPTIONAL,
- IN PSECURITY_INFORMATION SecurityInformation,
- IN PSECURITY_DESCRIPTOR ModificationDescriptor,
- IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
- IN ULONG AutoInheritFlags,
- IN POOL_TYPE PoolType,
- IN PGENERIC_MAPPING GenericMapping)
-{
- PISECURITY_DESCRIPTOR ObjectSd = *ObjectsSecurityDescriptor;
-
- /* The object does not have a security descriptor. */
- if (!ObjectSd)
- return STATUS_NO_SECURITY_ON_OBJECT;
-
- UNIMPLEMENTED;
- return STATUS_NOT_IMPLEMENTED;
-}
-
/*
* @implemented
}
Acl = (PACL)((ULONG_PTR)SecurityDescriptor + SecurityDescriptor->Dacl);
- if ((Acl->AclRevision < MIN_ACL_REVISION) &&
+ if ((Acl->AclRevision < MIN_ACL_REVISION) ||
(Acl->AclRevision > MAX_ACL_REVISION))
{
DPRINT1("Invalid DACL revision\n");
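Review bot: Any sibling revision check on the SACL should be verified for the same `&&`/`||` mistake, since this hunk corrects only the DACL comparison. With `&&` the condition could never be true, so an out-of-range `AclRevision` passed validation; if a matching SACL test exists outside the visible lines, it needs `||` as well. A one-line comment above the test, e.g. `/* Reject ACL revisions outside [MIN_ACL_REVISION, MAX_ACL_REVISION] */`, would make the intent harder to invert again. The enclosing function starts and ends outside this hunk.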
/*
* @implemented
*/
-NTSTATUS NTAPI
-SeDeassignSecurity(PSECURITY_DESCRIPTOR *SecurityDescriptor)
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeDeassignSecurity(
+ _Inout_ PSECURITY_DESCRIPTOR *SecurityDescriptor)
{
PAGED_CODE();
}
-
-/*
- * @unimplemented
- */
-NTSTATUS NTAPI
-SeAssignSecurityEx(IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
- IN PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL,
- OUT PSECURITY_DESCRIPTOR *NewDescriptor,
- IN GUID *ObjectType OPTIONAL,
- IN BOOLEAN IsDirectoryObject,
- IN ULONG AutoInheritFlags,
- IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
- IN PGENERIC_MAPPING GenericMapping,
- IN POOL_TYPE PoolType)
-{
- UNIMPLEMENTED;
- return STATUS_NOT_IMPLEMENTED;
-}
-
/*
* @implemented
*/
-NTSTATUS NTAPI
-SeAssignSecurity(PSECURITY_DESCRIPTOR _ParentDescriptor OPTIONAL,
- PSECURITY_DESCRIPTOR _ExplicitDescriptor OPTIONAL,
- PSECURITY_DESCRIPTOR *NewDescriptor,
- BOOLEAN IsDirectoryObject,
- PSECURITY_SUBJECT_CONTEXT SubjectContext,
- PGENERIC_MAPPING GenericMapping,
- POOL_TYPE PoolType)
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeAssignSecurityEx(
+ _In_opt_ PSECURITY_DESCRIPTOR _ParentDescriptor,
+ _In_opt_ PSECURITY_DESCRIPTOR _ExplicitDescriptor,
+ _Out_ PSECURITY_DESCRIPTOR *NewDescriptor,
+ _In_opt_ GUID *ObjectType,
+ _In_ BOOLEAN IsDirectoryObject,
+ _In_ ULONG AutoInheritFlags,
+ _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
+ _In_ PGENERIC_MAPPING GenericMapping,
+ _In_ POOL_TYPE PoolType)
{
PISECURITY_DESCRIPTOR ParentDescriptor = _ParentDescriptor;
PISECURITY_DESCRIPTOR ExplicitDescriptor = _ExplicitDescriptor;
PISECURITY_DESCRIPTOR_RELATIVE Descriptor;
PTOKEN Token;
- ULONG OwnerLength = 0;
- ULONG GroupLength = 0;
- ULONG DaclLength = 0;
- ULONG SaclLength = 0;
- ULONG Length = 0;
- ULONG Control = 0;
+ ULONG OwnerLength;
+ ULONG GroupLength;
+ ULONG DaclLength;
+ ULONG SaclLength;
+ ULONG Length;
+ SECURITY_DESCRIPTOR_CONTROL Control = 0;
ULONG Current;
PSID Owner = NULL;
PSID Group = NULL;
PACL Dacl = NULL;
PACL Sacl = NULL;
+ DBG_UNREFERENCED_PARAMETER(ObjectType);
+ DBG_UNREFERENCED_PARAMETER(AutoInheritFlags);
+ DBG_UNREFERENCED_PARAMETER(GenericMapping);
+ UNREFERENCED_PARAMETER(PoolType);
+
PAGED_CODE();
+ *NewDescriptor = NULL;
+
+ if (!ARGUMENT_PRESENT(SubjectContext))
+ {
+ return STATUS_NO_TOKEN;
+ }
+
/* Lock subject context */
SeLockSubjectContext(SubjectContext);
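Review bot: Four parameters are declared unused at the top of `SeAssignSecurityEx` (`ObjectType`, `AutoInheritFlags`, `GenericMapping`, `PoolType`) while the header comment says `@implemented`. Nothing tells a caller that inheritance flags, the generic mapping and the requested pool type have no effect. A comment above the macros would record that, for example `/* FIXME: ObjectType, AutoInheritFlags and GenericMapping are not honoured yet; PoolType is ignored */`. `PoolType` uses the non-debug `UNREFERENCED_PARAMETER`, which suggests the allocation outside this hunk picks its own pool type; that is worth confirming. The function body continues past the hunk.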
DPRINT("Use explicit owner sid!\n");
Owner = SepGetOwnerFromDescriptor(ExplicitDescriptor);
}
-
if (!Owner)
{
- if (Token != NULL)
- {
- DPRINT("Use token owner sid!\n");
- Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
- }
- else
- {
- DPRINT("Use default owner sid!\n");
- Owner = SeLocalSystemSid;
- }
-
- Control |= SE_OWNER_DEFAULTED;
+ DPRINT("Use token owner sid!\n");
+ Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
}
- OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
+ OwnerLength = RtlLengthSid(Owner);
+ NT_ASSERT(OwnerLength % sizeof(ULONG) == 0);
/* Inherit the Group SID */
if (ExplicitDescriptor != NULL)
{
Group = SepGetGroupFromDescriptor(ExplicitDescriptor);
}
-
if (!Group)
{
- if (Token != NULL)
- {
- DPRINT("Use token group sid!\n");
- Group = Token->PrimaryGroup;
- }
- else
- {
- DPRINT("Use default group sid!\n");
- Group = SeLocalSystemSid;
- }
-
- Control |= SE_GROUP_DEFAULTED;
+ DPRINT("Use token group sid!\n");
+ Group = Token->PrimaryGroup;
+ }
+ if (!Group)
+ {
+ SeUnlockSubjectContext(SubjectContext);
+ return STATUS_INVALID_PRIMARY_GROUP;
}
- GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
+ GroupLength = RtlLengthSid(Group);
+ NT_ASSERT(GroupLength % sizeof(ULONG) == 0);
/* Inherit the DACL */
if (ExplicitDescriptor != NULL &&
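Review bot: `Token` is now dereferenced unconditionally, because the `Token != NULL` branches were removed. This affects `Token->UserAndGroups[Token->DefaultOwnerIndex].Sid`, `Token->PrimaryGroup`, and `Token->DefaultDacl` in the DACL hunk further down. The new `ARGUMENT_PRESENT(SubjectContext)` test covers only the context pointer, and the assignment of `Token` is outside the visible lines, so whether it can still be NULL cannot be confirmed from here. If it can, a guard right after the token is selected avoids a kernel-mode NULL dereference: `if (Token == NULL) { SeUnlockSubjectContext(SubjectContext); return STATUS_NO_TOKEN; }`.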
DPRINT("Use parent DACL!\n");
/* FIXME: Inherit */
Dacl = SepGetDaclFromDescriptor(ParentDescriptor);
- Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
+ Control |= SE_DACL_PRESENT;
}
- else if (Token != NULL && Token->DefaultDacl != NULL)
+ else if (Token->DefaultDacl)
{
DPRINT("Use token default DACL!\n");
- /* FIXME: Inherit */
Dacl = Token->DefaultDacl;
- Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
- }
- else
- {
- DPRINT("Use NULL DACL!\n");
- Dacl = NULL;
- Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
+ Control |= SE_DACL_PRESENT;
}
- DaclLength = (Dacl != NULL) ? ROUND_UP(Dacl->AclSize, 4) : 0;
+ DaclLength = (Dacl != NULL) ? Dacl->AclSize : 0;
+ NT_ASSERT(DaclLength % sizeof(ULONG) == 0);
/* Inherit the SACL */
if (ExplicitDescriptor != NULL &&
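Review bot: `NT_ASSERT(DaclLength % sizeof(ULONG) == 0)` is the only thing left enforcing 4-byte alignment now that `ROUND_UP(Dacl->AclSize, 4)` is gone, and assertions are normally compiled out of free builds. `AclSize` is taken as-is from whichever ACL was selected, so an unaligned size would shift every component laid out after it to an unaligned offset. The same applies to the SACL assert in the next hunk. A runtime check before the allocation would enforce this in all builds, for example `if (Dacl != NULL && (Dacl->AclSize % sizeof(ULONG)) != 0) { SeUnlockSubjectContext(SubjectContext); return STATUS_INVALID_ACL; }`.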
DPRINT("Use parent SACL!\n");
/* FIXME: Inherit */
Sacl = SepGetSaclFromDescriptor(ParentDescriptor);
- Control |= (SE_SACL_PRESENT | SE_SACL_DEFAULTED);
+ Control |= SE_SACL_PRESENT;
}
- SaclLength = (Sacl != NULL) ? ROUND_UP(Sacl->AclSize, 4) : 0;
+ SaclLength = (Sacl != NULL) ? Sacl->AclSize : 0;
+ NT_ASSERT(SaclLength % sizeof(ULONG) == 0);
/* Allocate and initialize the new security descriptor */
Length = sizeof(SECURITY_DESCRIPTOR_RELATIVE) +
OwnerLength + GroupLength + DaclLength + SaclLength;
- DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %d OwnerLength %d GroupLength %d DaclLength %d SaclLength %d\n",
+ DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %u OwnerLength %lu GroupLength %lu DaclLength %lu SaclLength %lu\n",
sizeof(SECURITY_DESCRIPTOR),
OwnerLength,
GroupLength,
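Review bot: The first argument of the reworked `DPRINT` is `sizeof(SECURITY_DESCRIPTOR)`, which has type `SIZE_T`, but it is printed with `%u`; on a 64-bit build the specifier does not match the argument width. It also reports the size of the absolute structure while `Length` is computed from `sizeof(SECURITY_DESCRIPTOR_RELATIVE)`, so the traced numbers do not add up to the allocation size. Passing `(ULONG)sizeof(SECURITY_DESCRIPTOR_RELATIVE)` with `%lu` and relabelling the field would fix both. The argument list continues past the hunk.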
if (Descriptor == NULL)
{
DPRINT1("ExAlloctePool() failed\n");
- /* FIXME: Unlock subject context */
+ SeUnlockSubjectContext(SubjectContext);
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlZeroMemory(Descriptor, Length);
RtlCreateSecurityDescriptor(Descriptor, SECURITY_DESCRIPTOR_REVISION);
- Descriptor->Control = (USHORT)Control | SE_SELF_RELATIVE;
+ Descriptor->Control = Control | SE_SELF_RELATIVE;
Current = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
RtlCopyMemory((PUCHAR)Descriptor + Current, Owner, OwnerLength);
Descriptor->Owner = Current;
Current += OwnerLength;
- DPRINT("Owner of %x at %x\n", Descriptor, Descriptor->Owner);
+ DPRINT("Owner of %p at %x\n", Descriptor, Descriptor->Owner);
}
else
{
- DPRINT("Owner of %x is zero length\n", Descriptor);
+ DPRINT("Owner of %p is zero length\n", Descriptor);
}
if (GroupLength != 0)
*NewDescriptor = Descriptor;
- DPRINT("Descrptor %x\n", Descriptor);
+ DPRINT("Descriptor %p\n", Descriptor);
ASSERT(RtlLengthSecurityDescriptor(Descriptor));
return STATUS_SUCCESS;
}
+/*
+ * @implemented
+ */
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSTATUS
+NTAPI
+SeAssignSecurity(
+ _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor,
+ _In_opt_ PSECURITY_DESCRIPTOR ExplicitDescriptor,
+ _Out_ PSECURITY_DESCRIPTOR *NewDescriptor,
+ _In_ BOOLEAN IsDirectoryObject,
+ _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
+ _In_ PGENERIC_MAPPING GenericMapping,
+ _In_ POOL_TYPE PoolType)
+{
+ PAGED_CODE();
+
+ return SeAssignSecurityEx(ParentDescriptor,
+ ExplicitDescriptor,
+ NewDescriptor,
+ NULL,
+ IsDirectoryObject,
+ 0,
+ SubjectContext,
+ GenericMapping,
+ PoolType);
+}
+
/* EOF */