projects / reactos.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
[ntoskrnl/se]
[reactos.git] / reactos / ntoskrnl / se / semgr.c
diff --git a/reactos/ntoskrnl/se/semgr.c b/reactos/ntoskrnl/se/semgr.c
index 99f978e..85cbead 100644 (file)
--- a/reactos/ntoskrnl/se/semgr.c
+++ b/reactos/ntoskrnl/se/semgr.c
@@ -49,7 +49,7 @@ SepInitExports(VOID)
     SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
     SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
     SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
-    
+
     SepExports.SeNullSid = SeNullSid;
     SepExports.SeWorldSid = SeWorldSid;
     SepExports.SeLocalSid = SeLocalSid;
@@ -72,11 +72,11 @@ SepInitExports(VOID)
     SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
     SepExports.SeRestrictedSid = SeRestrictedSid;
     SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
-    
+
     SepExports.SeUndockPrivilege = SeUndockPrivilege;
     SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
     SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
-    
+
     SeExports = &SepExports;
     return TRUE;
 }
@@ -86,24 +86,26 @@ BOOLEAN
 NTAPI
 SepInitializationPhase0(VOID)
 {
+    PAGED_CODE();
+
     ExpInitLuid();
     if (!SepInitSecurityIDs()) return FALSE;
     if (!SepInitDACLs()) return FALSE;
     if (!SepInitSDs()) return FALSE;
     SepInitPrivileges();
     if (!SepInitExports()) return FALSE;
-    
+
     /* Initialize the subject context lock */
     ExInitializeResource(&SepSubjectContextLock);
-    
+
     /* Initialize token objects */
     SepInitializeTokenImplementation();
-    
+
     /* Clear impersonation info for the idle thread */
     PsGetCurrentThread()->ImpersonationInfo = NULL;
     PspClearCrossThreadFlag(PsGetCurrentThread(),
                             CT_ACTIVE_IMPERSONATION_INFO_BIT);
-    
+
     /* Initialize the boot token */
     ObInitializeFastReference(&PsGetCurrentProcess()->Token, NULL);
     ObInitializeFastReference(&PsGetCurrentProcess()->Token,
@@ -117,7 +119,7 @@ SepInitializationPhase1(VOID)
 {
     NTSTATUS Status;
     PAGED_CODE();
-    
+
     /* Insert the system token into the tree */
     Status = ObInsertObject((PVOID)(PsGetCurrentProcess()->Token.Value &
                                     ~MAX_FAST_REFS),
@@ -127,7 +129,7 @@ SepInitializationPhase1(VOID)
                             NULL,
                             NULL);
     ASSERT(NT_SUCCESS(Status));
-    
+
     /* FIXME: TODO \\ Security directory */
     return TRUE;
 }
@@ -140,17 +142,17 @@ SeInitSystem(VOID)
     switch (ExpInitializationPhase)
     {
         case 0:
-            
+
             /* Do Phase 0 */
             return SepInitializationPhase0();
-            
+
         case 1:
-            
+
             /* Do Phase 1 */
             return SepInitializationPhase1();
-            
+
         default:
-            
+
             /* Don't know any other phase! Bugcheck! */
             KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
                          0,
@@ -170,7 +172,7 @@ SeInitSRM(VOID)
     HANDLE DirectoryHandle;
     HANDLE EventHandle;
     NTSTATUS Status;
-    
+
     /* Create '\Security' directory */
     RtlInitUnicodeString(&Name,
                          L"\\Security");
@@ -187,7 +189,7 @@ SeInitSRM(VOID)
         DPRINT1("Failed to create 'Security' directory!\n");
         return FALSE;
     }
-    
+
     /* Create 'LSA_AUTHENTICATION_INITALIZED' event */
     RtlInitUnicodeString(&Name,
                          L"\\LSA_AUTHENTICATION_INITALIZED");
@@ -207,12 +209,12 @@ SeInitSRM(VOID)
         NtClose(DirectoryHandle);
         return FALSE;
     }
-    
+
     ZwClose(EventHandle);
     ZwClose(DirectoryHandle);
-    
+
     /* FIXME: Create SRM port and listener thread */
-    
+
     return TRUE;
 }
 
@@ -228,16 +230,16 @@ SeDefaultObjectMethod(IN PVOID Object,
                       IN PGENERIC_MAPPING GenericMapping)
 {
     PAGED_CODE();
-    
+
     /* Select the operation type */
     switch (OperationType)
     {
             /* Setting a new descriptor */
         case SetSecurityDescriptor:
-            
+
             /* Sanity check */
             ASSERT((PoolType == PagedPool) || (PoolType == NonPagedPool));
-            
+
             /* Set the information */
             return ObSetSecurityDescriptorInfo(Object,
                                                SecurityInformation,
@@ -245,33 +247,33 @@ SeDefaultObjectMethod(IN PVOID Object,
                                                OldSecurityDescriptor,
                                                PoolType,
                                                GenericMapping);
-            
+
         case QuerySecurityDescriptor:
-            
+
             /* Query the information */
             return ObQuerySecurityDescriptorInfo(Object,
                                                  SecurityInformation,
                                                  SecurityDescriptor,
                                                  ReturnLength,
                                                  OldSecurityDescriptor);
-            
+
         case DeleteSecurityDescriptor:
-            
+
             /* De-assign it */
             return ObDeassignSecurity(OldSecurityDescriptor);
-            
+
         case AssignSecurityDescriptor:
-            
+
             /* Assign it */
             ObAssignObjectSecurityDescriptor(Object, SecurityDescriptor, PoolType);
             return STATUS_SUCCESS;
-            
+
         default:
-            
+
             /* Bug check */
             KeBugCheckEx(SECURITY_SYSTEM, 0, STATUS_INVALID_PARAMETER, 0, 0);
     }
-    
+
     /* Should never reach here */
     ASSERT(FALSE);
     return STATUS_SUCCESS;
@@ -284,14 +286,14 @@ SepSidInToken(PACCESS_TOKEN _Token,
 {
     ULONG i;
     PTOKEN Token = (PTOKEN)_Token;
-    
+
     PAGED_CODE();
-    
+
     if (Token->UserAndGroupCount == 0)
     {
         return FALSE;
     }
-    
+
     for (i=0; i<Token->UserAndGroupCount; i++)
     {
         if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
@@ -300,11 +302,11 @@ SepSidInToken(PACCESS_TOKEN _Token,
             {
                 return TRUE;
             }
-            
+
             return FALSE;
         }
     }
-    
+
     return FALSE;
 }
 
@@ -314,7 +316,7 @@ SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                           OUT PACCESS_MASK DesiredAccess)
 {
     *DesiredAccess = 0;
-    
+
     if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
                                GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
     {
@@ -331,7 +333,7 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                         OUT PACCESS_MASK DesiredAccess)
 {
     *DesiredAccess = 0;
-    
+
     if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
     {
         *DesiredAccess |= WRITE_OWNER;
@@ -346,22 +348,18 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
     }
 }
 
-/* PUBLIC FUNCTIONS ***********************************************************/
-
-/*
- * @implemented
- */
 BOOLEAN NTAPI
-SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
-              IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
-              IN BOOLEAN SubjectContextLocked,
-              IN ACCESS_MASK DesiredAccess,
-              IN ACCESS_MASK PreviouslyGrantedAccess,
-              OUT PPRIVILEGE_SET* Privileges,
-              IN PGENERIC_MAPPING GenericMapping,
-              IN KPROCESSOR_MODE AccessMode,
-              OUT PACCESS_MASK GrantedAccess,
-              OUT PNTSTATUS AccessStatus)
+SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+               IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
+               IN BOOLEAN SubjectContextLocked,
+               IN ACCESS_MASK DesiredAccess,
+               IN ACCESS_MASK PreviouslyGrantedAccess,
+               OUT PPRIVILEGE_SET* Privileges,
+               IN PGENERIC_MAPPING GenericMapping,
+               IN KPROCESSOR_MODE AccessMode,
+               OUT PACCESS_MASK GrantedAccess,
+               OUT PNTSTATUS AccessStatus,
+               SECURITY_IMPERSONATION_LEVEL LowestImpersonationLevel)
 {
     LUID_AND_ATTRIBUTES Privilege;
     ACCESS_MASK CurrentAccess, AccessMask;
@@ -374,7 +372,7 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
     PSID Sid;
     NTSTATUS Status;
     PAGED_CODE();
-    
+
     /* Check if this is kernel mode */
     if (AccessMode == KernelMode)
     {
@@ -391,12 +389,12 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
             /* Give the desired and previous access */
             *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
         }
-        
+
         /* Success */
         *AccessStatus = STATUS_SUCCESS;
         return TRUE;
     }
-    
+
     /* Check if we didn't get an SD */
     if (!SecurityDescriptor)
     {
@@ -404,15 +402,15 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
         *AccessStatus = STATUS_ACCESS_DENIED;
         return FALSE;
     }
-    
+
     /* Check for invalid impersonation */
     if ((SubjectSecurityContext->ClientToken) &&
-        (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation))
+        (SubjectSecurityContext->ImpersonationLevel < LowestImpersonationLevel))
     {
         *AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
         return FALSE;
     }
-    
+
     /* Check for no access desired */
     if (!DesiredAccess)
     {
@@ -423,31 +421,31 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
             *AccessStatus = STATUS_ACCESS_DENIED;
             return FALSE;
         }
-        
+
         /* Return the previous access only */
         *GrantedAccess = PreviouslyGrantedAccess;
         *AccessStatus = STATUS_SUCCESS;
         *Privileges = NULL;
         return TRUE;
     }
-    
+
     /* Acquire the lock if needed */
     if (!SubjectContextLocked) SeLockSubjectContext(SubjectSecurityContext);
-    
+
     /* Map given accesses */
     RtlMapGenericMask(&DesiredAccess, GenericMapping);
     if (PreviouslyGrantedAccess)
         RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
-    
-    
-    
+
+
+
     CurrentAccess = PreviouslyGrantedAccess;
-    
-    
-    
+
+
+
     Token = SubjectSecurityContext->ClientToken ?
     SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
-    
+
     /* Get the DACL */
     Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
                                           &Present,
@@ -459,11 +457,11 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
         {
             SeUnlockSubjectContext(SubjectSecurityContext);
         }
-        
+
         *AccessStatus = Status;
         return FALSE;
     }
-    
+
     /* RULE 1: Grant desired access if the object is unprotected */
     if (Present == TRUE && Dacl == NULL)
     {
@@ -471,18 +469,18 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
         {
             SeUnlockSubjectContext(SubjectSecurityContext);
         }
-        
+
         *GrantedAccess = DesiredAccess;
         *AccessStatus = STATUS_SUCCESS;
         return TRUE;
     }
-    
+
     CurrentAccess = PreviouslyGrantedAccess;
-    
+
     /* RULE 2: Check token for 'take ownership' privilege */
     Privilege.Luid = SeTakeOwnershipPrivilege;
     Privilege.Attributes = SE_PRIVILEGE_ENABLED;
-    
+
     if (SepPrivilegeCheck(Token,
                           &Privilege,
                           1,
@@ -497,13 +495,13 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
             {
                 SeUnlockSubjectContext(SubjectSecurityContext);
             }
-            
+
             *GrantedAccess = CurrentAccess;
             *AccessStatus = STATUS_SUCCESS;
             return TRUE;
         }
     }
-    
+
     /* RULE 3: Check whether the token is the owner */
     Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
                                            &Sid,
@@ -515,11 +513,11 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
         {
             SeUnlockSubjectContext(SubjectSecurityContext);
         }
-        
+
         *AccessStatus = Status;
         return FALSE;
     }
-    
+
     if (Sid && SepSidInToken(Token, Sid))
     {
         CurrentAccess |= (READ_CONTROL | WRITE_DAC);
@@ -530,13 +528,13 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
             {
                 SeUnlockSubjectContext(SubjectSecurityContext);
             }
-            
+
             *GrantedAccess = CurrentAccess;
             *AccessStatus = STATUS_SUCCESS;
             return TRUE;
         }
     }
-    
+
     /* Fail if DACL is absent */
     if (Present == FALSE)
     {
@@ -544,12 +542,12 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
         {
             SeUnlockSubjectContext(SubjectSecurityContext);
         }
-        
+
         *GrantedAccess = 0;
         *AccessStatus = STATUS_ACCESS_DENIED;
         return FALSE;
     }
-    
+
     /* RULE 4: Grant rights according to the DACL */
     CurrentAce = (PACE)(Dacl + 1);
     for (i = 0; i < Dacl->AceCount; i++)
@@ -563,13 +561,13 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                 {
                     SeUnlockSubjectContext(SubjectSecurityContext);
                 }
-                
+
                 *GrantedAccess = 0;
                 *AccessStatus = STATUS_ACCESS_DENIED;
                 return FALSE;
             }
         }
-        
+
         else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
         {
             if (SepSidInToken(Token, Sid))
@@ -585,17 +583,17 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
         }
         CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
     }
-    
+
     if (SubjectContextLocked == FALSE)
     {
         SeUnlockSubjectContext(SubjectSecurityContext);
     }
-    
+
     DPRINT("CurrentAccess %08lx\n DesiredAccess %08lx\n",
            CurrentAccess, DesiredAccess);
-    
+
     *GrantedAccess = CurrentAccess & DesiredAccess;
-    
+
     if (DesiredAccess & MAXIMUM_ALLOWED)
     {
         *GrantedAccess = CurrentAccess;
@@ -617,35 +615,81 @@ SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
     }
 }
 
+/* PUBLIC FUNCTIONS ***********************************************************/
+
+/*
+ * @implemented
+ */
+BOOLEAN NTAPI
+SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
+              IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
+              IN BOOLEAN SubjectContextLocked,
+              IN ACCESS_MASK DesiredAccess,
+              IN ACCESS_MASK PreviouslyGrantedAccess,
+              OUT PPRIVILEGE_SET* Privileges,
+              IN PGENERIC_MAPPING GenericMapping,
+              IN KPROCESSOR_MODE AccessMode,
+              OUT PACCESS_MASK GrantedAccess,
+              OUT PNTSTATUS AccessStatus)
+{
+    /* Call the internal function */
+    return SepAccessCheck(SecurityDescriptor,
+                          SubjectSecurityContext,
+                          SubjectContextLocked,
+                          DesiredAccess,
+                          PreviouslyGrantedAccess,
+                          Privileges,
+                          GenericMapping,
+                          AccessMode,
+                          GrantedAccess,
+                          AccessStatus,
+                          SecurityImpersonation);
+}
+
 /* SYSTEM CALLS ***************************************************************/
 
-NTSTATUS NTAPI
+/*
+ * @implemented
+ */
+NTSTATUS
+NTAPI
 NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
               IN HANDLE TokenHandle,
               IN ACCESS_MASK DesiredAccess,
               IN PGENERIC_MAPPING GenericMapping,
-              OUT PPRIVILEGE_SET PrivilegeSet,
-              OUT PULONG ReturnLength,
+              OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL,
+              IN OUT PULONG PrivilegeSetLength,
               OUT PACCESS_MASK GrantedAccess,
               OUT PNTSTATUS AccessStatus)
 {
-    SECURITY_SUBJECT_CONTEXT SubjectSecurityContext = { NULL, 0, NULL, NULL };
-    KPROCESSOR_MODE PreviousMode;
+    SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
+    KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
     PTOKEN Token;
     NTSTATUS Status;
-    
     PAGED_CODE();
-    
-    DPRINT("NtAccessCheck() called\n");
-    
-    PreviousMode = KeGetPreviousMode();
+
+    /* Check if this is kernel mode */
     if (PreviousMode == KernelMode)
     {
-        *GrantedAccess = DesiredAccess;
+        /* Check if kernel wants everything */
+        if (DesiredAccess & MAXIMUM_ALLOWED)
+        {
+            /* Give it */
+            *GrantedAccess = GenericMapping->GenericAll;
+            *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
+        }
+        else
+        {
+            /* Just give the desired access */
+            *GrantedAccess = DesiredAccess;
+        }
+
+        /* Success */
         *AccessStatus = STATUS_SUCCESS;
         return STATUS_SUCCESS;
     }
-    
+
+    /* Reference the token */
     Status = ObReferenceObjectByHandle(TokenHandle,
                                        TOKEN_QUERY,
                                        SepTokenObjectType,
@@ -657,57 +701,44 @@ NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
         DPRINT1("Failed to reference token (Status %lx)\n", Status);
         return Status;
     }
-    
+
     /* Check token type */
     if (Token->TokenType != TokenImpersonation)
     {
         DPRINT1("No impersonation token\n");
         ObDereferenceObject(Token);
-        return STATUS_ACCESS_VIOLATION;
+        return STATUS_ACCESS_DENIED;
     }
-    
-    /* Check impersonation level */
-    if (Token->ImpersonationLevel < SecurityIdentification)
-    {
-        DPRINT1("Invalid impersonation level\n");
-        ObDereferenceObject(Token);
-        return STATUS_ACCESS_VIOLATION;
-    }
-    
+
+    /* Set up the subject context, and lock it */
     SubjectSecurityContext.ClientToken = Token;
     SubjectSecurityContext.ImpersonationLevel = Token->ImpersonationLevel;
-    
-    /* Lock subject context */
+    SubjectSecurityContext.PrimaryToken = NULL;
+    SubjectSecurityContext.ProcessAuditId = NULL;
     SeLockSubjectContext(&SubjectSecurityContext);
-    
-    if (SeAccessCheck(SecurityDescriptor,
-                      &SubjectSecurityContext,
-                      TRUE,
-                      DesiredAccess,
-                      0,
-                      &PrivilegeSet,
-                      GenericMapping,
-                      PreviousMode,
-                      GrantedAccess,
-                      AccessStatus))
-    {
-        Status = *AccessStatus;
-    }
-    else
-    {
-        Status = STATUS_ACCESS_DENIED;
-    }
-    
-    /* Unlock subject context */
+
+    /* Now perform the access check */
+    SepAccessCheck(SecurityDescriptor,
+                   &SubjectSecurityContext,
+                   TRUE,
+                   DesiredAccess,
+                   0,
+                   &PrivilegeSet, //FIXME
+                   GenericMapping,
+                   PreviousMode,
+                   GrantedAccess,
+                   AccessStatus,
+                   SecurityIdentification);
+
+    /* Unlock subject context and dereference the token */
     SeUnlockSubjectContext(&SubjectSecurityContext);
-    
     ObDereferenceObject(Token);
-    
-    DPRINT("NtAccessCheck() done\n");
-    
-    return Status;
+
+    /* Check succeeded */
+    return STATUS_SUCCESS;
 }
 
+
 NTSTATUS
 NTAPI
 NtAccessCheckByType(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
A free Windows-compatible Operating System