-/* $Id$
- *
+/*
* COPYRIGHT: See COPYING in the top level directory
* PROJECT: ReactOS kernel
* FILE: ntoskrnl/se/semgr.c
* PROGRAMMERS: No programmer listed.
*/
-/* INCLUDES *****************************************************************/
+/* INCLUDES *******************************************************************/
#include <ntoskrnl.h>
#define NDEBUG
-#include <internal/debug.h>
+#include <debug.h>
-/* GLOBALS ******************************************************************/
+/* GLOBALS ********************************************************************/
PSE_EXPORTS SeExports = NULL;
SE_EXPORTS SepExports;
-static ERESOURCE SepSubjectContextLock;
extern ULONG ExpInitializationPhase;
+extern ERESOURCE SepSubjectContextLock;
+/* PRIVATE FUNCTIONS **********************************************************/
-/* PROTOTYPES ***************************************************************/
-
-static BOOLEAN SepInitExports(VOID);
+static BOOLEAN INIT_FUNCTION
+SepInitExports(VOID)
+{
+ SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
+ SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
+ SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
+ SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
+ SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
+ SepExports.SeTcbPrivilege = SeTcbPrivilege;
+ SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
+ SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
+ SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
+ SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
+ SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
+ SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
+ SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
+ SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
+ SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
+ SepExports.SeBackupPrivilege = SeBackupPrivilege;
+ SepExports.SeRestorePrivilege = SeRestorePrivilege;
+ SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
+ SepExports.SeDebugPrivilege = SeDebugPrivilege;
+ SepExports.SeAuditPrivilege = SeAuditPrivilege;
+ SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
+ SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
+ SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
+
+ SepExports.SeNullSid = SeNullSid;
+ SepExports.SeWorldSid = SeWorldSid;
+ SepExports.SeLocalSid = SeLocalSid;
+ SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
+ SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
+ SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
+ SepExports.SeDialupSid = SeDialupSid;
+ SepExports.SeNetworkSid = SeNetworkSid;
+ SepExports.SeBatchSid = SeBatchSid;
+ SepExports.SeInteractiveSid = SeInteractiveSid;
+ SepExports.SeLocalSystemSid = SeLocalSystemSid;
+ SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
+ SepExports.SeAliasUsersSid = SeAliasUsersSid;
+ SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
+ SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
+ SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
+ SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
+ SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
+ SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
+ SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
+ SepExports.SeRestrictedSid = SeRestrictedSid;
+ SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
+
+ SepExports.SeUndockPrivilege = SeUndockPrivilege;
+ SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
+ SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
+
+ SeExports = &SepExports;
+ return TRUE;
+}
-/* FUNCTIONS ****************************************************************/
BOOLEAN
NTAPI
SepInitializationPhase0(VOID)
{
- DPRINT1("FIXME: SeAccessCheck has been HACKED to always grant access!\n");
- DPRINT1("FIXME: Please fix all the code that doesn't get proper rights!\n");
+ PAGED_CODE();
- SepInitLuid();
+ ExpInitLuid();
if (!SepInitSecurityIDs()) return FALSE;
if (!SepInitDACLs()) return FALSE;
if (!SepInitSDs()) return FALSE;
BOOLEAN
NTAPI
-SeInit(VOID)
+SeInitSystem(VOID)
{
/* Check the initialization phase */
switch (ExpInitializationPhase)
{
- case 0:
+ case 0:
- /* Do Phase 0 */
- return SepInitializationPhase0();
+ /* Do Phase 0 */
+ return SepInitializationPhase0();
- case 1:
+ case 1:
- /* Do Phase 1 */
- return SepInitializationPhase1();
+ /* Do Phase 1 */
+ return SepInitializationPhase1();
- default:
+ default:
- /* Don't know any other phase! Bugcheck! */
- KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
- 0,
- ExpInitializationPhase,
- 0,
- 0);
- return FALSE;
+ /* Don't know any other phase! Bugcheck! */
+ KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
+ 0,
+ ExpInitializationPhase,
+ 0,
+ 0);
+ return FALSE;
}
}
NTAPI
SeInitSRM(VOID)
{
- OBJECT_ATTRIBUTES ObjectAttributes;
- UNICODE_STRING Name;
- HANDLE DirectoryHandle;
- HANDLE EventHandle;
- NTSTATUS Status;
-
- /* Create '\Security' directory */
- RtlInitUnicodeString(&Name,
- L"\\Security");
- InitializeObjectAttributes(&ObjectAttributes,
- &Name,
- OBJ_PERMANENT,
- 0,
- NULL);
- Status = ZwCreateDirectoryObject(&DirectoryHandle,
- DIRECTORY_ALL_ACCESS,
- &ObjectAttributes);
- if (!NT_SUCCESS(Status))
- {
- DPRINT1("Failed to create 'Security' directory!\n");
- return FALSE;
- }
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ UNICODE_STRING Name;
+ HANDLE DirectoryHandle;
+ HANDLE EventHandle;
+ NTSTATUS Status;
- /* Create 'LSA_AUTHENTICATION_INITALIZED' event */
- RtlInitUnicodeString(&Name,
- L"\\LSA_AUTHENTICATION_INITALIZED");
- InitializeObjectAttributes(&ObjectAttributes,
- &Name,
- OBJ_PERMANENT,
- DirectoryHandle,
- SePublicDefaultSd);
- Status = ZwCreateEvent(&EventHandle,
- EVENT_ALL_ACCESS,
- &ObjectAttributes,
- SynchronizationEvent,
- FALSE);
- if (!NT_SUCCESS(Status))
- {
- DPRINT1("Failed to create 'LSA_AUTHENTICATION_INITALIZED' event!\n");
- NtClose(DirectoryHandle);
- return FALSE;
+ /* Create '\Security' directory */
+ RtlInitUnicodeString(&Name,
+ L"\\Security");
+ InitializeObjectAttributes(&ObjectAttributes,
+ &Name,
+ OBJ_PERMANENT,
+ 0,
+ NULL);
+ Status = ZwCreateDirectoryObject(&DirectoryHandle,
+ DIRECTORY_ALL_ACCESS,
+ &ObjectAttributes);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("Failed to create 'Security' directory!\n");
+ return FALSE;
}
- ZwClose(EventHandle);
- ZwClose(DirectoryHandle);
-
- /* FIXME: Create SRM port and listener thread */
-
- return TRUE;
-}
-
+ /* Create 'LSA_AUTHENTICATION_INITALIZED' event */
+ RtlInitUnicodeString(&Name,
+ L"\\LSA_AUTHENTICATION_INITALIZED");
+ InitializeObjectAttributes(&ObjectAttributes,
+ &Name,
+ OBJ_PERMANENT,
+ DirectoryHandle,
+ SePublicDefaultSd);
+ Status = ZwCreateEvent(&EventHandle,
+ EVENT_ALL_ACCESS,
+ &ObjectAttributes,
+ SynchronizationEvent,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("Failed to create 'LSA_AUTHENTICATION_INITALIZED' event!\n");
+ NtClose(DirectoryHandle);
+ return FALSE;
+ }
-static BOOLEAN INIT_FUNCTION
-SepInitExports(VOID)
-{
- SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
- SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
- SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
- SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
- SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
- SepExports.SeTcbPrivilege = SeTcbPrivilege;
- SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
- SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
- SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
- SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
- SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
- SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
- SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
- SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
- SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
- SepExports.SeBackupPrivilege = SeBackupPrivilege;
- SepExports.SeRestorePrivilege = SeRestorePrivilege;
- SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
- SepExports.SeDebugPrivilege = SeDebugPrivilege;
- SepExports.SeAuditPrivilege = SeAuditPrivilege;
- SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
- SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
- SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
-
- SepExports.SeNullSid = SeNullSid;
- SepExports.SeWorldSid = SeWorldSid;
- SepExports.SeLocalSid = SeLocalSid;
- SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
- SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
- SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
- SepExports.SeDialupSid = SeDialupSid;
- SepExports.SeNetworkSid = SeNetworkSid;
- SepExports.SeBatchSid = SeBatchSid;
- SepExports.SeInteractiveSid = SeInteractiveSid;
- SepExports.SeLocalSystemSid = SeLocalSystemSid;
- SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
- SepExports.SeAliasUsersSid = SeAliasUsersSid;
- SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
- SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
- SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
- SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
- SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
- SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
- SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
- SepExports.SeRestrictedSid = SeRestrictedSid;
- SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
-
- SepExports.SeUndockPrivilege = SeUndockPrivilege;
- SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
- SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
-
- SeExports = &SepExports;
- return TRUE;
-}
+ ZwClose(EventHandle);
+ ZwClose(DirectoryHandle);
+ /* FIXME: Create SRM port and listener thread */
-VOID SepReferenceLogonSession(PLUID AuthenticationId)
-{
- UNIMPLEMENTED;
-}
-
-VOID SepDeReferenceLogonSession(PLUID AuthenticationId)
-{
- UNIMPLEMENTED;
+ return TRUE;
}
NTSTATUS
-STDCALL
-SeDefaultObjectMethod(PVOID Object,
- SECURITY_OPERATION_CODE OperationType,
- PSECURITY_INFORMATION _SecurityInformation,
- PSECURITY_DESCRIPTOR _SecurityDescriptor,
- PULONG ReturnLength,
- PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
- POOL_TYPE PoolType,
- PGENERIC_MAPPING GenericMapping)
+NTAPI
+SeDefaultObjectMethod(IN PVOID Object,
+ IN SECURITY_OPERATION_CODE OperationType,
+ IN PSECURITY_INFORMATION SecurityInformation,
+ IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
+ IN OUT PULONG ReturnLength OPTIONAL,
+ IN OUT PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
+ IN POOL_TYPE PoolType,
+ IN PGENERIC_MAPPING GenericMapping)
{
- PISECURITY_DESCRIPTOR ObjectSd;
- PISECURITY_DESCRIPTOR NewSd;
- PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
- POBJECT_HEADER Header = OBJECT_TO_OBJECT_HEADER(Object);
- PSID Owner = 0;
- PSID Group = 0;
- PACL Dacl = 0;
- PACL Sacl = 0;
- ULONG OwnerLength = 0;
- ULONG GroupLength = 0;
- ULONG DaclLength = 0;
- ULONG SaclLength = 0;
- ULONG Control = 0;
- ULONG_PTR Current;
- NTSTATUS Status;
- SECURITY_INFORMATION SecurityInformation;
-
- if (OperationType == SetSecurityDescriptor)
- {
- ObjectSd = Header->SecurityDescriptor;
- SecurityInformation = *_SecurityInformation;
-
- /* Get owner and owner size */
- if (SecurityInformation & OWNER_SECURITY_INFORMATION)
- {
- if (SecurityDescriptor->Owner != NULL)
- {
- if( SecurityDescriptor->Control & SE_SELF_RELATIVE )
- Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner +
- (ULONG_PTR)SecurityDescriptor);
- else
- Owner = (PSID)SecurityDescriptor->Owner;
- OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
- }
- Control |= (SecurityDescriptor->Control & SE_OWNER_DEFAULTED);
- }
- else
- {
- if (ObjectSd->Owner != NULL)
- {
- Owner = (PSID)((ULONG_PTR)ObjectSd->Owner + (ULONG_PTR)ObjectSd);
- OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
- }
- Control |= (ObjectSd->Control & SE_OWNER_DEFAULTED);
- }
-
- /* Get group and group size */
- if (SecurityInformation & GROUP_SECURITY_INFORMATION)
- {
- if (SecurityDescriptor->Group != NULL)
- {
- if( SecurityDescriptor->Control & SE_SELF_RELATIVE )
- Group = (PSID)((ULONG_PTR)SecurityDescriptor->Group +
- (ULONG_PTR)SecurityDescriptor);
- else
- Group = (PSID)SecurityDescriptor->Group;
- GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
- }
- Control |= (SecurityDescriptor->Control & SE_GROUP_DEFAULTED);
- }
- else
- {
- if (ObjectSd->Group != NULL)
- {
- Group = (PSID)((ULONG_PTR)ObjectSd->Group + (ULONG_PTR)ObjectSd);
- GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
- }
- Control |= (ObjectSd->Control & SE_GROUP_DEFAULTED);
- }
-
- /* Get DACL and DACL size */
- if (SecurityInformation & DACL_SECURITY_INFORMATION)
- {
- if ((SecurityDescriptor->Control & SE_DACL_PRESENT) &&
- (SecurityDescriptor->Dacl != NULL))
- {
- if( SecurityDescriptor->Control & SE_SELF_RELATIVE )
- Dacl = (PACL)((ULONG_PTR)SecurityDescriptor->Dacl +
- (ULONG_PTR)SecurityDescriptor);
- else
- Dacl = (PACL)SecurityDescriptor->Dacl;
+ PAGED_CODE();
- DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4);
- }
- Control |= (SecurityDescriptor->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
- }
- else
- {
- if ((ObjectSd->Control & SE_DACL_PRESENT) &&
- (ObjectSd->Dacl != NULL))
- {
- Dacl = (PACL)((ULONG_PTR)ObjectSd->Dacl + (ULONG_PTR)ObjectSd);
- DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4);
- }
- Control |= (ObjectSd->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
- }
+ /* Select the operation type */
+ switch (OperationType)
+ {
+ /* Setting a new descriptor */
+ case SetSecurityDescriptor:
- /* Get SACL and SACL size */
- if (SecurityInformation & SACL_SECURITY_INFORMATION)
- {
- if ((SecurityDescriptor->Control & SE_SACL_PRESENT) &&
- (SecurityDescriptor->Sacl != NULL))
- {
- if( SecurityDescriptor->Control & SE_SELF_RELATIVE )
- Sacl = (PACL)((ULONG_PTR)SecurityDescriptor->Sacl +
- (ULONG_PTR)SecurityDescriptor);
- else
- Sacl = (PACL)SecurityDescriptor->Sacl;
- SaclLength = ROUND_UP((ULONG)Sacl->AclSize, 4);
- }
- Control |= (SecurityDescriptor->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT));
- }
- else
- {
- if ((ObjectSd->Control & SE_SACL_PRESENT) &&
- (ObjectSd->Sacl != NULL))
- {
- Sacl = (PACL)((ULONG_PTR)ObjectSd->Sacl + (ULONG_PTR)ObjectSd);
- SaclLength = ROUND_UP((ULONG)Sacl->AclSize, 4);
- }
- Control |= (ObjectSd->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT));
- }
+ /* Sanity check */
+ ASSERT((PoolType == PagedPool) || (PoolType == NonPagedPool));
- NewSd = ExAllocatePool(NonPagedPool,
- sizeof(SECURITY_DESCRIPTOR) + OwnerLength + GroupLength +
- DaclLength + SaclLength);
- if (NewSd == NULL)
- {
- ObDereferenceObject(Object);
- return STATUS_INSUFFICIENT_RESOURCES;
- }
+ /* Set the information */
+ return ObSetSecurityDescriptorInfo(Object,
+ SecurityInformation,
+ SecurityDescriptor,
+ OldSecurityDescriptor,
+ PoolType,
+ GenericMapping);
- RtlCreateSecurityDescriptor(NewSd,
- SECURITY_DESCRIPTOR_REVISION1);
- /* We always build a self-relative descriptor */
- NewSd->Control = (USHORT)Control | SE_SELF_RELATIVE;
+ case QuerySecurityDescriptor:
- Current = (ULONG_PTR)NewSd + sizeof(SECURITY_DESCRIPTOR);
+ /* Query the information */
+ return ObQuerySecurityDescriptorInfo(Object,
+ SecurityInformation,
+ SecurityDescriptor,
+ ReturnLength,
+ OldSecurityDescriptor);
- if (OwnerLength != 0)
- {
- RtlCopyMemory((PVOID)Current,
- Owner,
- OwnerLength);
- NewSd->Owner = (PSID)(Current - (ULONG_PTR)NewSd);
- Current += OwnerLength;
- }
+ case DeleteSecurityDescriptor:
- if (GroupLength != 0)
- {
- RtlCopyMemory((PVOID)Current,
- Group,
- GroupLength);
- NewSd->Group = (PSID)(Current - (ULONG_PTR)NewSd);
- Current += GroupLength;
- }
+ /* De-assign it */
+ return ObDeassignSecurity(OldSecurityDescriptor);
- if (DaclLength != 0)
- {
- RtlCopyMemory((PVOID)Current,
- Dacl,
- DaclLength);
- NewSd->Dacl = (PACL)(Current - (ULONG_PTR)NewSd);
- Current += DaclLength;
- }
+ case AssignSecurityDescriptor:
- if (SaclLength != 0)
- {
- RtlCopyMemory((PVOID)Current,
- Sacl,
- SaclLength);
- NewSd->Sacl = (PACL)(Current - (ULONG_PTR)NewSd);
- Current += SaclLength;
- }
+ /* Assign it */
+ ObAssignObjectSecurityDescriptor(Object, SecurityDescriptor, PoolType);
+ return STATUS_SUCCESS;
- /* Add the new SD */
- Status = ObpAddSecurityDescriptor(NewSd,
- &Header->SecurityDescriptor);
- if (NT_SUCCESS(Status))
- {
- /* Remove the old security descriptor */
- ObpRemoveSecurityDescriptor(ObjectSd);
- }
- else
- {
- /* Restore the old security descriptor */
- Header->SecurityDescriptor = ObjectSd;
- }
+ default:
- ExFreePool(NewSd);
+ /* Bug check */
+ KeBugCheckEx(SECURITY_SYSTEM, 0, STATUS_INVALID_PARAMETER, 0, 0);
}
- else if (OperationType == QuerySecurityDescriptor)
- {
- Status = SeQuerySecurityDescriptorInfo(_SecurityInformation,
- SecurityDescriptor,
- ReturnLength,
- &Header->SecurityDescriptor);
- }
- else if (OperationType == AssignSecurityDescriptor)
- {
- /* Assign the security descriptor to the object header */
- Status = ObpAddSecurityDescriptor(SecurityDescriptor,
- &Header->SecurityDescriptor);
- }
-
+ /* Should never reach here */
+ ASSERT(FALSE);
return STATUS_SUCCESS;
}
-VOID
-NTAPI
-SeCaptureSubjectContextEx(IN PETHREAD Thread,
- IN PEPROCESS Process,
- OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
+ULONG SidInTokenCalls = 0;
+
+static BOOLEAN
+SepSidInToken(PACCESS_TOKEN _Token,
+ PSID Sid)
{
- BOOLEAN CopyOnOpen, EffectiveOnly;
- PAGED_CODE();
+ ULONG i;
+ PTOKEN Token = (PTOKEN)_Token;
- /* Save the unique ID */
- SubjectContext->ProcessAuditId = Process->UniqueProcessId;
+ PAGED_CODE();
- /* Check if we have a thread */
- if (!Thread)
+ SidInTokenCalls++;
+ if (!(SidInTokenCalls % 10000)) DPRINT1("SidInToken Calls: %d\n", SidInTokenCalls);
+
+ if (Token->UserAndGroupCount == 0)
{
- /* We don't, so no token */
- SubjectContext->ClientToken = NULL;
+ return FALSE;
}
- else
+
+ for (i=0; i<Token->UserAndGroupCount; i++)
{
- /* Get the impersonation token */
- SubjectContext->ClientToken =
- PsReferenceImpersonationToken(Thread,
- &CopyOnOpen,
- &EffectiveOnly,
- &SubjectContext->ImpersonationLevel);
- }
+ if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
+ {
+ if ((i == 0)|| (Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED))
+ {
+ return TRUE;
+ }
- /* Get the primary token */
- SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
-}
+ return FALSE;
+ }
+ }
-/*
- * @implemented
- */
-VOID
-NTAPI
-SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
-{
- /* Call the internal API */
- SeCaptureSubjectContextEx(PsGetCurrentThread(),
- PsGetCurrentProcess(),
- SubjectContext);
+ return FALSE;
}
-
-/*
- * @implemented
- */
-VOID STDCALL
-SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
+static BOOLEAN
+SepTokenIsOwner(PACCESS_TOKEN Token,
+ PSECURITY_DESCRIPTOR SecurityDescriptor)
{
- PAGED_CODE();
-
- KeEnterCriticalRegion();
- ExAcquireResourceExclusiveLite(&SepSubjectContextLock, TRUE);
-}
+ NTSTATUS Status;
+ PSID Sid = NULL;
+ BOOLEAN Defaulted;
+ Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
+ &Sid,
+ &Defaulted);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status);
+ return FALSE;
+ }
-/*
- * @implemented
- */
-VOID STDCALL
-SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
-{
- PAGED_CODE();
+ if (Sid == NULL)
+ {
+ DPRINT1("Owner Sid is NULL\n");
+ return FALSE;
+ }
- ExReleaseResourceLite(&SepSubjectContextLock);
- KeLeaveCriticalRegion();
+ return SepSidInToken(Token, Sid);
}
-
-/*
- * @implemented
- */
-VOID STDCALL
-SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
+VOID NTAPI
+SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
+ OUT PACCESS_MASK DesiredAccess)
{
- PAGED_CODE();
+ *DesiredAccess = 0;
- if (SubjectContext->PrimaryToken != NULL)
+ if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
+ GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
{
- ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
+ *DesiredAccess |= READ_CONTROL;
}
-
- if (SubjectContext->ClientToken != NULL)
+ if (SecurityInformation & SACL_SECURITY_INFORMATION)
{
- ObDereferenceObject(SubjectContext->ClientToken);
+ *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
}
}
-
-/*
- * @implemented
- */
-NTSTATUS STDCALL
-SeDeassignSecurity(PSECURITY_DESCRIPTOR *SecurityDescriptor)
+VOID NTAPI
+SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
+ OUT PACCESS_MASK DesiredAccess)
{
- PAGED_CODE();
+ *DesiredAccess = 0;
- if (*SecurityDescriptor != NULL)
+ if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
{
- ExFreePool(*SecurityDescriptor);
- *SecurityDescriptor = NULL;
+ *DesiredAccess |= WRITE_OWNER;
}
-
- return STATUS_SUCCESS;
-}
-
-
-/*
- * @unimplemented
- */
-NTSTATUS STDCALL
-SeAssignSecurityEx(IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
- IN PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL,
- OUT PSECURITY_DESCRIPTOR *NewDescriptor,
- IN GUID *ObjectType OPTIONAL,
- IN BOOLEAN IsDirectoryObject,
- IN ULONG AutoInheritFlags,
- IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
- IN PGENERIC_MAPPING GenericMapping,
- IN POOL_TYPE PoolType)
-{
- UNIMPLEMENTED;
- return STATUS_NOT_IMPLEMENTED;
-}
-
-
-/*
- * FUNCTION: Creates a security descriptor for a new object.
- * ARGUMENTS:
- * ParentDescriptor =
- * ExplicitDescriptor =
- * NewDescriptor =
- * IsDirectoryObject =
- * SubjectContext =
- * GeneralMapping =
- * PoolType =
- * RETURNS: Status
- *
- * @implemented
- */
-NTSTATUS STDCALL
-SeAssignSecurity(PSECURITY_DESCRIPTOR _ParentDescriptor OPTIONAL,
- PSECURITY_DESCRIPTOR _ExplicitDescriptor OPTIONAL,
- PSECURITY_DESCRIPTOR *NewDescriptor,
- BOOLEAN IsDirectoryObject,
- PSECURITY_SUBJECT_CONTEXT SubjectContext,
- PGENERIC_MAPPING GenericMapping,
- POOL_TYPE PoolType)
-{
- PISECURITY_DESCRIPTOR ParentDescriptor = _ParentDescriptor;
- PISECURITY_DESCRIPTOR ExplicitDescriptor = _ExplicitDescriptor;
- PISECURITY_DESCRIPTOR Descriptor;
- PTOKEN Token;
- ULONG OwnerLength = 0;
- ULONG GroupLength = 0;
- ULONG DaclLength = 0;
- ULONG SaclLength = 0;
- ULONG Length = 0;
- ULONG Control = 0;
- ULONG_PTR Current;
- PSID Owner = NULL;
- PSID Group = NULL;
- PACL Dacl = NULL;
- PACL Sacl = NULL;
-
- PAGED_CODE();
-
- /* Lock subject context */
- SeLockSubjectContext(SubjectContext);
-
- if (SubjectContext->ClientToken != NULL)
+ if (SecurityInformation & DACL_SECURITY_INFORMATION)
{
- Token = SubjectContext->ClientToken;
+ *DesiredAccess |= WRITE_DAC;
}
- else
+ if (SecurityInformation & SACL_SECURITY_INFORMATION)
{
- Token = SubjectContext->PrimaryToken;
+ *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
}
+}
+BOOLEAN NTAPI
+SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+ IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
+ IN ACCESS_MASK DesiredAccess,
+ IN ACCESS_MASK PreviouslyGrantedAccess,
+ OUT PPRIVILEGE_SET* Privileges,
+ IN PGENERIC_MAPPING GenericMapping,
+ IN KPROCESSOR_MODE AccessMode,
+ OUT PACCESS_MASK GrantedAccess,
+ OUT PNTSTATUS AccessStatus)
+{
+ LUID_AND_ATTRIBUTES Privilege;
+ ACCESS_MASK CurrentAccess, AccessMask;
+ PACCESS_TOKEN Token;
+ ULONG i;
+ PACL Dacl;
+ BOOLEAN Present;
+ BOOLEAN Defaulted;
+ PACE CurrentAce;
+ PSID Sid;
+ NTSTATUS Status;
+ PAGED_CODE();
- /* Inherit the Owner SID */
- if (ExplicitDescriptor != NULL && ExplicitDescriptor->Owner != NULL)
- {
- DPRINT("Use explicit owner sid!\n");
- Owner = ExplicitDescriptor->Owner;
-
- if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
- {
- Owner = (PSID)(((ULONG_PTR)Owner) + (ULONG_PTR)ExplicitDescriptor);
-
- }
- }
- else
+ /* Check for no access desired */
+ if (!DesiredAccess)
{
- if (Token != NULL)
- {
- DPRINT("Use token owner sid!\n");
- Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
- }
- else
+ /* Check if we had no previous access */
+ if (!PreviouslyGrantedAccess)
{
- DPRINT("Use default owner sid!\n");
- Owner = SeLocalSystemSid;
+ /* Then there's nothing to give */
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
}
- Control |= SE_OWNER_DEFAULTED;
+ /* Return the previous access only */
+ *GrantedAccess = PreviouslyGrantedAccess;
+ *AccessStatus = STATUS_SUCCESS;
+ *Privileges = NULL;
+ return TRUE;
}
- OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
+ /* Map given accesses */
+ RtlMapGenericMask(&DesiredAccess, GenericMapping);
+ if (PreviouslyGrantedAccess)
+ RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
+
+
+ CurrentAccess = PreviouslyGrantedAccess;
- /* Inherit the Group SID */
- if (ExplicitDescriptor != NULL && ExplicitDescriptor->Group != NULL)
+
+
+ Token = SubjectSecurityContext->ClientToken ?
+ SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
+
+ /* Get the DACL */
+ Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
+ &Present,
+ &Dacl,
+ &Defaulted);
+ if (!NT_SUCCESS(Status))
{
- DPRINT("Use explicit group sid!\n");
- Group = ExplicitDescriptor->Group;
- if (ExplicitDescriptor->Control & SE_SELF_RELATIVE)
- {
- Group = (PSID)(((ULONG_PTR)Group) + (ULONG_PTR)ExplicitDescriptor);
- }
+ *AccessStatus = Status;
+ return FALSE;
}
- else
+
+ /* RULE 1: Grant desired access if the object is unprotected */
+ if (Present == FALSE || Dacl == NULL)
{
- if (Token != NULL)
+ if (DesiredAccess & MAXIMUM_ALLOWED)
{
- DPRINT("Use token group sid!\n");
- Group = Token->PrimaryGroup;
+ *GrantedAccess = GenericMapping->GenericAll;
+ *GrantedAccess |= (DesiredAccess & ~MAXIMUM_ALLOWED);
}
- else
+ else
{
- DPRINT("Use default group sid!\n");
- Group = SeLocalSystemSid;
+ *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
}
-
- Control |= SE_OWNER_DEFAULTED;
+
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
}
- GroupLength = ROUND_UP(RtlLengthSid(Group), 4);
-
+ CurrentAccess = PreviouslyGrantedAccess;
- /* Inherit the DACL */
- if (ExplicitDescriptor != NULL &&
- (ExplicitDescriptor->Control & SE_DACL_PRESENT) &&
- !(ExplicitDescriptor->Control & SE_DACL_DEFAULTED))
+ /* RULE 2: Check token for 'take ownership' privilege */
+ if (DesiredAccess & WRITE_OWNER)
{
- DPRINT("Use explicit DACL!\n");
- Dacl = ExplicitDescriptor->Dacl;
- if (Dacl != NULL && (ExplicitDescriptor->Control & SE_SELF_RELATIVE))
- {
- Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ExplicitDescriptor);
- }
+ Privilege.Luid = SeTakeOwnershipPrivilege;
+ Privilege.Attributes = SE_PRIVILEGE_ENABLED;
- Control |= SE_DACL_PRESENT;
- }
- else if (ParentDescriptor != NULL &&
- (ParentDescriptor->Control & SE_DACL_PRESENT))
- {
- DPRINT("Use parent DACL!\n");
- /* FIXME: Inherit */
- Dacl = ParentDescriptor->Dacl;
- if (Dacl != NULL && (ParentDescriptor->Control & SE_SELF_RELATIVE))
+ if (SepPrivilegeCheck(Token,
+ &Privilege,
+ 1,
+ PRIVILEGE_SET_ALL_NECESSARY,
+ AccessMode))
{
- Dacl = (PACL)(((ULONG_PTR)Dacl) + (ULONG_PTR)ParentDescriptor);
+ CurrentAccess |= WRITE_OWNER;
+ if ((DesiredAccess & ~VALID_INHERIT_FLAGS) ==
+ (CurrentAccess & ~VALID_INHERIT_FLAGS))
+ {
+ *GrantedAccess = CurrentAccess;
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
+ }
}
- Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
}
- else if (Token != NULL && Token->DefaultDacl != NULL)
+
+ /* Deny access if the DACL is empty */
+ if (Dacl->AceCount == 0)
{
- DPRINT("Use token default DACL!\n");
- /* FIXME: Inherit */
- Dacl = Token->DefaultDacl;
- Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
}
- else
+
+ /* Fail if DACL is absent */
+ if (Present == FALSE)
{
- DPRINT("Use NULL DACL!\n");
- Dacl = NULL;
- Control |= (SE_DACL_PRESENT | SE_DACL_DEFAULTED);
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
}
- DaclLength = (Dacl != NULL) ? ROUND_UP(Dacl->AclSize, 4) : 0;
-
-
- /* Inherit the SACL */
- if (ExplicitDescriptor != NULL &&
- (ExplicitDescriptor->Control & SE_SACL_PRESENT) &&
- !(ExplicitDescriptor->Control & SE_SACL_DEFAULTED))
+ /* RULE 4: Grant rights according to the DACL */
+ CurrentAce = (PACE)(Dacl + 1);
+ for (i = 0; i < Dacl->AceCount; i++)
{
- DPRINT("Use explicit SACL!\n");
- Sacl = ExplicitDescriptor->Sacl;
- if (Sacl != NULL && (ExplicitDescriptor->Control & SE_SELF_RELATIVE))
+ Sid = (PSID)(CurrentAce + 1);
+ if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
{
- Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ExplicitDescriptor);
+ if (SepSidInToken(Token, Sid))
+ {
+ *GrantedAccess = 0;
+ *AccessStatus = STATUS_ACCESS_DENIED;
+ return FALSE;
+ }
}
- Control |= SE_SACL_PRESENT;
- }
- else if (ParentDescriptor != NULL &&
- (ParentDescriptor->Control & SE_SACL_PRESENT))
- {
- DPRINT("Use parent SACL!\n");
- /* FIXME: Inherit */
- Sacl = ParentDescriptor->Sacl;
- if (Sacl != NULL && (ParentDescriptor->Control & SE_SELF_RELATIVE))
+ else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
{
- Sacl = (PACL)(((ULONG_PTR)Sacl) + (ULONG_PTR)ParentDescriptor);
+ if (SepSidInToken(Token, Sid))
+ {
+ AccessMask = CurrentAce->AccessMask;
+ RtlMapGenericMask(&AccessMask, GenericMapping);
+ CurrentAccess |= AccessMask;
+ }
}
- Control |= (SE_SACL_PRESENT | SE_SACL_DEFAULTED);
- }
-
- SaclLength = (Sacl != NULL) ? ROUND_UP(Sacl->AclSize, 4) : 0;
-
-
- /* Allocate and initialize the new security descriptor */
- Length = sizeof(SECURITY_DESCRIPTOR) +
- OwnerLength + GroupLength + DaclLength + SaclLength;
-
- DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %d OwnerLength %d GroupLength %d DaclLength %d SaclLength %d\n",
- sizeof(SECURITY_DESCRIPTOR),
- OwnerLength,
- GroupLength,
- DaclLength,
- SaclLength);
-
- Descriptor = ExAllocatePool(PagedPool,
- Length);
- if (Descriptor == NULL)
- {
- DPRINT1("ExAlloctePool() failed\n");
- /* FIXME: Unlock subject context */
- return STATUS_INSUFFICIENT_RESOURCES;
+ else
+ {
+ DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
+ }
+ CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
}
- RtlZeroMemory( Descriptor, Length );
- RtlCreateSecurityDescriptor(Descriptor,
- SECURITY_DESCRIPTOR_REVISION);
-
- Descriptor->Control = (USHORT)Control | SE_SELF_RELATIVE;
-
- Current = (ULONG_PTR)Descriptor + sizeof(SECURITY_DESCRIPTOR);
+ DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
+ CurrentAccess, DesiredAccess);
- if (SaclLength != 0)
- {
- RtlCopyMemory((PVOID)Current,
- Sacl,
- SaclLength);
- Descriptor->Sacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
- Current += SaclLength;
- }
+ *GrantedAccess = CurrentAccess & DesiredAccess;
- if (DaclLength != 0)
+ if (DesiredAccess & MAXIMUM_ALLOWED)
{
- RtlCopyMemory((PVOID)Current,
- Dacl,
- DaclLength);
- Descriptor->Dacl = (PACL)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
- Current += DaclLength;
+ *GrantedAccess = CurrentAccess;
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
}
-
- if (OwnerLength != 0)
+ else if ((*GrantedAccess & ~VALID_INHERIT_FLAGS) ==
+ (DesiredAccess & ~VALID_INHERIT_FLAGS))
{
- RtlCopyMemory((PVOID)Current,
- Owner,
- OwnerLength);
- Descriptor->Owner = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
- Current += OwnerLength;
- DPRINT("Owner of %x at %x\n", Descriptor, Descriptor->Owner);
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
}
- else
- DPRINT("Owner of %x is zero length\n", Descriptor);
-
- if (GroupLength != 0)
+ else
{
- memmove((PVOID)Current,
- Group,
- GroupLength);
- Descriptor->Group = (PSID)((ULONG_PTR)Current - (ULONG_PTR)Descriptor);
+ DPRINT1("HACK: Should deny access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p).\n",
+ *GrantedAccess, DesiredAccess, GenericMapping);
+ //*AccessStatus = STATUS_ACCESS_DENIED;
+ //return FALSE;
+ *AccessStatus = STATUS_SUCCESS;
+ return TRUE;
}
-
- /* Unlock subject context */
- SeUnlockSubjectContext(SubjectContext);
-
- *NewDescriptor = Descriptor;
-
- DPRINT("Descrptor %x\n", Descriptor);
- ASSERT(RtlLengthSecurityDescriptor(Descriptor));
-
- return STATUS_SUCCESS;
}
-
-static BOOLEAN
-SepSidInToken(PACCESS_TOKEN _Token,
- PSID Sid)
+static PSID
+SepGetSDOwner(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
{
- ULONG i;
- PTOKEN Token = (PTOKEN)_Token;
+ PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
+ PSID Owner;
- PAGED_CODE();
+ if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
+ Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner +
+ (ULONG_PTR)SecurityDescriptor);
+ else
+ Owner = (PSID)SecurityDescriptor->Owner;
- if (Token->UserAndGroupCount == 0)
- {
- return FALSE;
- }
+ return Owner;
+}
- for (i=0; i<Token->UserAndGroupCount; i++)
- {
- if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
- {
- if (Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED)
- {
- return TRUE;
- }
+static PSID
+SepGetSDGroup(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
+{
+ PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
+ PSID Group;
- return FALSE;
- }
- }
+ if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
+ Group = (PSID)((ULONG_PTR)SecurityDescriptor->Group +
+ (ULONG_PTR)SecurityDescriptor);
+ else
+ Group = (PSID)SecurityDescriptor->Group;
- return FALSE;
+ return Group;
}
+/* PUBLIC FUNCTIONS ***********************************************************/
+
/*
- * FUNCTION: Determines whether the requested access rights can be granted
- * to an object protected by a security descriptor and an object owner
- * ARGUMENTS:
- * SecurityDescriptor = Security descriptor protecting the object
- * SubjectSecurityContext = Subject's captured security context
- * SubjectContextLocked = Indicates the user's subject context is locked
- * DesiredAccess = Access rights the caller is trying to acquire
- * PreviouslyGrantedAccess = Specified the access rights already granted
- * Privileges = ?
- * GenericMapping = Generic mapping associated with the object
- * AccessMode = Access mode used for the check
- * GrantedAccess (OUT) = On return specifies the access granted
- * AccessStatus (OUT) = Status indicating why access was denied
- * RETURNS: If access was granted, returns TRUE
- *
* @implemented
*/
-BOOLEAN STDCALL
+BOOLEAN NTAPI
SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
IN BOOLEAN SubjectContextLocked,
OUT PACCESS_MASK GrantedAccess,
OUT PNTSTATUS AccessStatus)
{
- LUID_AND_ATTRIBUTES Privilege;
- ACCESS_MASK CurrentAccess, AccessMask;
- PACCESS_TOKEN Token;
- ULONG i;
- PACL Dacl;
- BOOLEAN Present;
- BOOLEAN Defaulted;
- PACE CurrentAce;
- PSID Sid;
- NTSTATUS Status;
+ BOOLEAN ret;
+
PAGED_CODE();
/* Check if this is kernel mode */
return FALSE;
}
- /* Check for no access desired */
- if (!DesiredAccess)
+ /* Acquire the lock if needed */
+ if (!SubjectContextLocked)
+ SeLockSubjectContext(SubjectSecurityContext);
+
+ /* Check if the token is the owner and grant WRITE_DAC and READ_CONTROL rights */
+ if (DesiredAccess & (WRITE_DAC | READ_CONTROL | MAXIMUM_ALLOWED))
{
- /* Check if we had no previous access */
- if (!PreviouslyGrantedAccess)
+ PACCESS_TOKEN Token = SubjectSecurityContext->ClientToken ?
+ SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
+
+ if (SepTokenIsOwner(Token,
+ SecurityDescriptor))
{
- /* Then there's nothing to give */
- *AccessStatus = STATUS_ACCESS_DENIED;
- return FALSE;
+ if (DesiredAccess & MAXIMUM_ALLOWED)
+ PreviouslyGrantedAccess |= (WRITE_DAC | READ_CONTROL);
+ else
+ PreviouslyGrantedAccess |= (DesiredAccess & (WRITE_DAC | READ_CONTROL));
+
+ DesiredAccess &= ~(WRITE_DAC | READ_CONTROL);
}
+ }
- /* Return the previous access only */
+ if (DesiredAccess == 0)
+ {
*GrantedAccess = PreviouslyGrantedAccess;
*AccessStatus = STATUS_SUCCESS;
- *Privileges = NULL;
- return TRUE;
+ ret = TRUE;
+ }
+ else
+ {
+ /* Call the internal function */
+ ret = SepAccessCheck(SecurityDescriptor,
+ SubjectSecurityContext,
+ DesiredAccess,
+ PreviouslyGrantedAccess,
+ Privileges,
+ GenericMapping,
+ AccessMode,
+ GrantedAccess,
+ AccessStatus);
}
- /* Acquire the lock if needed */
- if (!SubjectContextLocked) SeLockSubjectContext(SubjectSecurityContext);
-
- /* Map given accesses */
- RtlMapGenericMask(&DesiredAccess, GenericMapping);
- if (PreviouslyGrantedAccess)
- RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
-
-
-
- CurrentAccess = PreviouslyGrantedAccess;
+ /* Release the lock if needed */
+ if (!SubjectContextLocked)
+ SeUnlockSubjectContext(SubjectSecurityContext);
+ return ret;
+}
+/* SYSTEM CALLS ***************************************************************/
- Token = SubjectSecurityContext->ClientToken ?
- SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
+/*
+ * @implemented
+ */
+NTSTATUS
+NTAPI
+NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+ IN HANDLE TokenHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN PGENERIC_MAPPING GenericMapping,
+ OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL,
+ IN OUT PULONG PrivilegeSetLength,
+ OUT PACCESS_MASK GrantedAccess,
+ OUT PNTSTATUS AccessStatus)
+{
+ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor = NULL;
+ SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
+ KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
+ ACCESS_MASK PreviouslyGrantedAccess = 0;
+ PTOKEN Token;
+ NTSTATUS Status;
+ PAGED_CODE();
- /* Get the DACL */
- Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
- &Present,
- &Dacl,
- &Defaulted);
- if (!NT_SUCCESS(Status))
+ /* Check if this is kernel mode */
+ if (PreviousMode == KernelMode)
{
- if (SubjectContextLocked == FALSE)
+ /* Check if kernel wants everything */
+ if (DesiredAccess & MAXIMUM_ALLOWED)
{
- SeUnlockSubjectContext(SubjectSecurityContext);
+ /* Give it */
+ *GrantedAccess = GenericMapping->GenericAll;
+ *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
}
-
- *AccessStatus = Status;
- return FALSE;
- }
-
- /* RULE 1: Grant desired access if the object is unprotected */
- if (Present == TRUE && Dacl == NULL)
- {
- if (SubjectContextLocked == FALSE)
+ else
{
- SeUnlockSubjectContext(SubjectSecurityContext);
+ /* Just give the desired access */
+ *GrantedAccess = DesiredAccess;
}
- *GrantedAccess = DesiredAccess;
- *AccessStatus = STATUS_SUCCESS;
- return TRUE;
+ /* Success */
+ *AccessStatus = STATUS_SUCCESS;
+ return STATUS_SUCCESS;
}
- CurrentAccess = PreviouslyGrantedAccess;
-
- /* RULE 2: Check token for 'take ownership' privilege */
- Privilege.Luid = SeTakeOwnershipPrivilege;
- Privilege.Attributes = SE_PRIVILEGE_ENABLED;
-
- if (SepPrivilegeCheck(Token,
- &Privilege,
- 1,
- PRIVILEGE_SET_ALL_NECESSARY,
- AccessMode))
+ /* Protect probe in SEH */
+ _SEH2_TRY
{
- CurrentAccess |= WRITE_OWNER;
- if (DesiredAccess == CurrentAccess)
- {
- if (SubjectContextLocked == FALSE)
- {
- SeUnlockSubjectContext(SubjectSecurityContext);
- }
-
- *GrantedAccess = CurrentAccess;
- *AccessStatus = STATUS_SUCCESS;
- return TRUE;
- }
+ /* Probe all pointers */
+ ProbeForRead(GenericMapping, sizeof(GENERIC_MAPPING), sizeof(ULONG));
+ ProbeForRead(PrivilegeSetLength, sizeof(ULONG), sizeof(ULONG));
+ ProbeForWrite(PrivilegeSet, *PrivilegeSetLength, sizeof(ULONG));
+ ProbeForWrite(GrantedAccess, sizeof(ACCESS_MASK), sizeof(ULONG));
+ ProbeForWrite(AccessStatus, sizeof(NTSTATUS), sizeof(ULONG));
}
-
- /* RULE 3: Check whether the token is the owner */
- Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
- &Sid,
- &Defaulted);
- if (!NT_SUCCESS(Status))
+ _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
- DPRINT1("RtlGetOwnerSecurityDescriptor() failed (Status %lx)\n", Status);
- if (SubjectContextLocked == FALSE)
- {
- SeUnlockSubjectContext(SubjectSecurityContext);
- }
+ /* Return the exception code */
+ _SEH2_YIELD(return _SEH2_GetExceptionCode());
+ }
+ _SEH2_END;
- *AccessStatus = Status;
- return FALSE;
- }
+ /* Check for unmapped access rights */
+ if (DesiredAccess & (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL))
+ return STATUS_GENERIC_NOT_MAPPED;
- if (Sid && SepSidInToken(Token, Sid))
+ /* Reference the token */
+ Status = ObReferenceObjectByHandle(TokenHandle,
+ TOKEN_QUERY,
+ SepTokenObjectType,
+ PreviousMode,
+ (PVOID*)&Token,
+ NULL);
+ if (!NT_SUCCESS(Status))
{
- CurrentAccess |= (READ_CONTROL | WRITE_DAC);
- if (DesiredAccess == CurrentAccess)
- {
- if (SubjectContextLocked == FALSE)
- {
- SeUnlockSubjectContext(SubjectSecurityContext);
- }
-
- *GrantedAccess = CurrentAccess;
- *AccessStatus = STATUS_SUCCESS;
- return TRUE;
- }
+ DPRINT("Failed to reference token (Status %lx)\n", Status);
+ return Status;
}
- /* Fail if DACL is absent */
- if (Present == FALSE)
+ /* Check token type */
+ if (Token->TokenType != TokenImpersonation)
{
- if (SubjectContextLocked == FALSE)
- {
- SeUnlockSubjectContext(SubjectSecurityContext);
- }
-
- *GrantedAccess = 0;
- *AccessStatus = STATUS_ACCESS_DENIED;
- return FALSE;
+ DPRINT("No impersonation token\n");
+ ObDereferenceObject(Token);
+ return STATUS_NO_IMPERSONATION_TOKEN;
}
- /* RULE 4: Grant rights according to the DACL */
- CurrentAce = (PACE)(Dacl + 1);
- for (i = 0; i < Dacl->AceCount; i++)
+ /* Check the impersonation level */
+ if (Token->ImpersonationLevel < SecurityIdentification)
{
- Sid = (PSID)(CurrentAce + 1);
- if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
- {
- if (SepSidInToken(Token, Sid))
- {
- if (SubjectContextLocked == FALSE)
- {
- SeUnlockSubjectContext(SubjectSecurityContext);
- }
-
- *GrantedAccess = 0;
- *AccessStatus = STATUS_ACCESS_DENIED;
- return FALSE;
- }
- }
-
- else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
- {
- if (SepSidInToken(Token, Sid))
- {
- AccessMask = CurrentAce->AccessMask;
- RtlMapGenericMask(&AccessMask, GenericMapping);
- CurrentAccess |= AccessMask;
- }
- }
- else
- {
- DPRINT1("Unknown Ace type 0x%lx\n", CurrentAce->Header.AceType);
- }
- CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
+ DPRINT("Impersonation level < SecurityIdentification\n");
+ ObDereferenceObject(Token);
+ return STATUS_BAD_IMPERSONATION_LEVEL;
}
- if (SubjectContextLocked == FALSE)
+ /* Capture the security descriptor */
+ Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
+ PreviousMode,
+ PagedPool,
+ FALSE,
+ &CapturedSecurityDescriptor);
+ if (!NT_SUCCESS(Status))
{
- SeUnlockSubjectContext(SubjectSecurityContext);
+ DPRINT("Failed to capture the Security Descriptor\n");
+ ObDereferenceObject(Token);
+ return Status;
}
- DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
- CurrentAccess, DesiredAccess);
-
- *GrantedAccess = CurrentAccess & DesiredAccess;
-
- if (DesiredAccess & MAXIMUM_ALLOWED)
- {
- *GrantedAccess = CurrentAccess;
- *AccessStatus = STATUS_SUCCESS;
- return TRUE;
- }
- else if (*GrantedAccess == DesiredAccess)
- {
- *AccessStatus = STATUS_SUCCESS;
- return TRUE;
- }
- else
+ /* Check the captured security descriptor */
+ if (CapturedSecurityDescriptor == NULL)
{
-#if 1
- *AccessStatus = STATUS_SUCCESS;
- DPRINT1("FIX caller rights (granted 0x%lx, desired 0x%lx, generic mapping %p)!\n",
- *GrantedAccess, DesiredAccess, GenericMapping);
- return TRUE;
-#else
- DPRINT1("Denying access for caller: granted 0x%lx, desired 0x%lx (generic mapping %p)\n",
- *GrantedAccess, DesiredAccess, GenericMapping);
- *AccessStatus = STATUS_ACCESS_DENIED;
- return FALSE;
-#endif
+ DPRINT("Security Descriptor is NULL\n");
+ ObDereferenceObject(Token);
+ return STATUS_INVALID_SECURITY_DESCR;
}
-}
-
-
-NTSTATUS STDCALL
-NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
- IN HANDLE TokenHandle,
- IN ACCESS_MASK DesiredAccess,
- IN PGENERIC_MAPPING GenericMapping,
- OUT PPRIVILEGE_SET PrivilegeSet,
- OUT PULONG ReturnLength,
- OUT PACCESS_MASK GrantedAccess,
- OUT PNTSTATUS AccessStatus)
-{
- SECURITY_SUBJECT_CONTEXT SubjectSecurityContext = {0};
- KPROCESSOR_MODE PreviousMode;
- PTOKEN Token;
- NTSTATUS Status;
-
- PAGED_CODE();
- DPRINT("NtAccessCheck() called\n");
-
- PreviousMode = KeGetPreviousMode();
- if (PreviousMode == KernelMode)
+ /* Check security descriptor for valid owner and group */
+ if (SepGetSDOwner(SecurityDescriptor) == NULL || // FIXME: use CapturedSecurityDescriptor
+ SepGetSDGroup(SecurityDescriptor) == NULL) // FIXME: use CapturedSecurityDescriptor
{
- *GrantedAccess = DesiredAccess;
- *AccessStatus = STATUS_SUCCESS;
- return STATUS_SUCCESS;
+ DPRINT("Security Descriptor does not have a valid group or owner\n");
+ SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
+ PreviousMode,
+ FALSE);
+ ObDereferenceObject(Token);
+ return STATUS_INVALID_SECURITY_DESCR;
}
- Status = ObReferenceObjectByHandle(TokenHandle,
- TOKEN_QUERY,
- SepTokenObjectType,
- PreviousMode,
- (PVOID*)&Token,
- NULL);
- if (!NT_SUCCESS(Status))
- {
- DPRINT1("Failed to reference token (Status %lx)\n", Status);
- return Status;
- }
+ /* Set up the subject context, and lock it */
+ SubjectSecurityContext.ClientToken = Token;
+ SubjectSecurityContext.ImpersonationLevel = Token->ImpersonationLevel;
+ SubjectSecurityContext.PrimaryToken = NULL;
+ SubjectSecurityContext.ProcessAuditId = NULL;
+ SeLockSubjectContext(&SubjectSecurityContext);
- /* Check token type */
- if (Token->TokenType != TokenImpersonation)
+ /* Check if the token is the owner and grant WRITE_DAC and READ_CONTROL rights */
+ if (DesiredAccess & (WRITE_DAC | READ_CONTROL | MAXIMUM_ALLOWED))
{
- DPRINT1("No impersonation token\n");
- ObDereferenceObject(Token);
- return STATUS_ACCESS_VIOLATION;
- }
+ if (SepTokenIsOwner(Token, SecurityDescriptor)) // FIXME: use CapturedSecurityDescriptor
+ {
+ if (DesiredAccess & MAXIMUM_ALLOWED)
+ PreviouslyGrantedAccess |= (WRITE_DAC | READ_CONTROL);
+ else
+ PreviouslyGrantedAccess |= (DesiredAccess & (WRITE_DAC | READ_CONTROL));
- /* Check impersonation level */
- if (Token->ImpersonationLevel < SecurityAnonymous)
- {
- DPRINT1("Invalid impersonation level\n");
- ObDereferenceObject(Token);
- return STATUS_ACCESS_VIOLATION;
+ DesiredAccess &= ~(WRITE_DAC | READ_CONTROL);
+ }
}
- SubjectSecurityContext.ClientToken = Token;
- SubjectSecurityContext.ImpersonationLevel = Token->ImpersonationLevel;
-
- /* Lock subject context */
- SeLockSubjectContext(&SubjectSecurityContext);
-
- if (SeAccessCheck(SecurityDescriptor,
- &SubjectSecurityContext,
- TRUE,
- DesiredAccess,
- 0,
- &PrivilegeSet,
- GenericMapping,
- PreviousMode,
- GrantedAccess,
- AccessStatus))
+ if (DesiredAccess == 0)
{
- Status = *AccessStatus;
+ *GrantedAccess = PreviouslyGrantedAccess;
+ *AccessStatus = STATUS_SUCCESS;
}
- else
+ else
{
- Status = STATUS_ACCESS_DENIED;
+ /* Now perform the access check */
+ SepAccessCheck(SecurityDescriptor, // FIXME: use CapturedSecurityDescriptor
+ &SubjectSecurityContext,
+ DesiredAccess,
+ PreviouslyGrantedAccess,
+ &PrivilegeSet, //FIXME
+ GenericMapping,
+ PreviousMode,
+ GrantedAccess,
+ AccessStatus);
}
- /* Unlock subject context */
- SeUnlockSubjectContext(&SubjectSecurityContext);
+ /* Unlock subject context */
+ SeUnlockSubjectContext(&SubjectSecurityContext);
- ObDereferenceObject(Token);
+ /* Release the captured security descriptor */
+ SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
+ PreviousMode,
+ FALSE);
- DPRINT("NtAccessCheck() done\n");
+ /* Dereference the token */
+ ObDereferenceObject(Token);
- return Status;
+ /* Check succeeded */
+ return STATUS_SUCCESS;
}
+
NTSTATUS
NTAPI
NtAccessCheckByType(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
return STATUS_NOT_IMPLEMENTED;
}
-VOID STDCALL
-SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
- OUT PACCESS_MASK DesiredAccess)
-{
- if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
- GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
- {
- *DesiredAccess |= READ_CONTROL;
- }
- if (SecurityInformation & SACL_SECURITY_INFORMATION)
- {
- *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
- }
-}
-
-VOID STDCALL
-SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
- OUT PACCESS_MASK DesiredAccess)
-{
- if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
- {
- *DesiredAccess |= WRITE_OWNER;
- }
- if (SecurityInformation & DACL_SECURITY_INFORMATION)
- {
- *DesiredAccess |= WRITE_DAC;
- }
- if (SecurityInformation & SACL_SECURITY_INFORMATION)
- {
- *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
- }
-}
-
/* EOF */
projects / reactos.git / blobdiff