X-Git-Url: https://git.reactos.org/?p=reactos.git;a=blobdiff_plain;f=reactos%2Fntoskrnl%2Fse%2Facl.c;h=2ed354128927eaf3e867591e0d9fcfc06b982197;hp=f60fb8c5146ff9f57c7752872da8a68c04cc8c34;hb=f0ac5c50825ea205077e71695753edffdd9e218f;hpb=3c1d3121074290ed5847e0f15f47fdc717d4018f diff --git a/reactos/ntoskrnl/se/acl.c b/reactos/ntoskrnl/se/acl.c index f60fb8c5146..2ed35412892 100644 --- a/reactos/ntoskrnl/se/acl.c +++ b/reactos/ntoskrnl/se/acl.c @@ -1,28 +1,27 @@ -/* $Id: acl.c,v 1.19 2004/08/05 18:17:37 ion Exp $ +/* $Id$ * - * COPYRIGHT: See COPYING in the top level directory - * PROJECT: ReactOS kernel - * PURPOSE: Security manager - * FILE: kernel/se/acl.c - * PROGRAMER: David Welch - * REVISION HISTORY: - * 26/07/98: Added stubs for security functions + * COPYRIGHT: See COPYING in the top level directory + * PROJECT: ReactOS kernel + * FILE: ntoskrnl/se/acl.c + * PURPOSE: Security manager + * + * PROGRAMMERS: David Welch */ /* INCLUDES *****************************************************************/ -#include -#include - +#include #include -#define TAG_ACL TAG('A', 'C', 'L', 'T') +#if defined (ALLOC_PRAGMA) +#pragma alloc_text(INIT, SepInitDACLs) +#endif /* GLOBALS ******************************************************************/ -PACL EXPORTED SePublicDefaultDacl = NULL; -PACL EXPORTED SeSystemDefaultDacl = NULL; +PACL SePublicDefaultDacl = NULL; +PACL SeSystemDefaultDacl = NULL; PACL SePublicDefaultUnrestrictedDacl = NULL; PACL SePublicOpenDacl = NULL; @@ -32,29 +31,26 @@ PACL SeUnrestrictedDacl = NULL; /* FUNCTIONS ****************************************************************/ -BOOLEAN INIT_FUNCTION +BOOLEAN +INIT_FUNCTION +NTAPI SepInitDACLs(VOID) { - ULONG AclLength2; - ULONG AclLength3; - ULONG AclLength4; - - AclLength2 = sizeof(ACL) + - 2 * (RtlLengthRequiredSid(1) + sizeof(ACE)); - AclLength3 = sizeof(ACL) + - 3 * (RtlLengthRequiredSid(1) + sizeof(ACE)); - AclLength4 = sizeof(ACL) + - 4 * (RtlLengthRequiredSid(1) + sizeof(ACE)); + ULONG AclLength; /* create PublicDefaultDacl */ - SePublicDefaultDacl = ExAllocatePoolWithTag(NonPagedPool, - AclLength2, + AclLength = sizeof(ACL) + + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) + + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)); + + SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool, + AclLength, TAG_ACL); if (SePublicDefaultDacl == NULL) return FALSE; RtlCreateAcl(SePublicDefaultDacl, - AclLength2, + AclLength, ACL_REVISION); RtlAddAccessAllowedAce(SePublicDefaultDacl, @@ -69,14 +65,20 @@ SepInitDACLs(VOID) /* create PublicDefaultUnrestrictedDacl */ - SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool, - AclLength4, + AclLength = sizeof(ACL) + + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) + + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + + (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + + (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); + + SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, + AclLength, TAG_ACL); if (SePublicDefaultUnrestrictedDacl == NULL) return FALSE; RtlCreateAcl(SePublicDefaultUnrestrictedDacl, - AclLength4, + AclLength, ACL_REVISION); RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, @@ -100,14 +102,19 @@ SepInitDACLs(VOID) SeRestrictedCodeSid); /* create PublicOpenDacl */ - SePublicOpenDacl = ExAllocatePoolWithTag(NonPagedPool, - AclLength3, + AclLength = sizeof(ACL) + + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) + + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + + (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)); + + SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool, + AclLength, TAG_ACL); if (SePublicOpenDacl == NULL) return FALSE; RtlCreateAcl(SePublicOpenDacl, - AclLength3, + AclLength, ACL_REVISION); RtlAddAccessAllowedAce(SePublicOpenDacl, @@ -126,14 +133,20 @@ SepInitDACLs(VOID) SeAliasAdminsSid); /* create PublicOpenUnrestrictedDacl */ - SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool, - AclLength4, + AclLength = sizeof(ACL) + + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) + + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + + (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + + (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); + + SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, + AclLength, TAG_ACL); if (SePublicOpenUnrestrictedDacl == NULL) return FALSE; RtlCreateAcl(SePublicOpenUnrestrictedDacl, - AclLength4, + AclLength, ACL_REVISION); RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, @@ -157,14 +170,18 @@ SepInitDACLs(VOID) SeRestrictedCodeSid); /* create SystemDefaultDacl */ - SeSystemDefaultDacl = ExAllocatePoolWithTag(NonPagedPool, - AclLength2, + AclLength = sizeof(ACL) + + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + + (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)); + + SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool, + AclLength, TAG_ACL); if (SeSystemDefaultDacl == NULL) return FALSE; RtlCreateAcl(SeSystemDefaultDacl, - AclLength2, + AclLength, ACL_REVISION); RtlAddAccessAllowedAce(SeSystemDefaultDacl, @@ -178,14 +195,18 @@ SepInitDACLs(VOID) SeAliasAdminsSid); /* create UnrestrictedDacl */ - SeUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool, - AclLength2, + AclLength = sizeof(ACL) + + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) + + (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); + + SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, + AclLength, TAG_ACL); if (SeUnrestrictedDacl == NULL) return FALSE; RtlCreateAcl(SeUnrestrictedDacl, - AclLength2, + AclLength, ACL_REVISION); RtlAddAccessAllowedAce(SeUnrestrictedDacl, @@ -201,4 +222,152 @@ SepInitDACLs(VOID) return(TRUE); } +NTSTATUS STDCALL +SepCreateImpersonationTokenDacl(PTOKEN Token, + PTOKEN PrimaryToken, + PACL *Dacl) +{ + ULONG AclLength; + PVOID TokenDacl; + + PAGED_CODE(); + + AclLength = sizeof(ACL) + + (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + + (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) + + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + + (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) + + (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid)); + + TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL); + if (TokenDacl == NULL) + { + return STATUS_INSUFFICIENT_RESOURCES; + } + + RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION); + RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, + Token->UserAndGroups->Sid); + RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, + PrimaryToken->UserAndGroups->Sid); + RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, + SeAliasAdminsSid); + RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, + SeLocalSystemSid); + + /* FIXME */ +#if 0 + if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL) + { + RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, + SeRestrictedCodeSid); + } +#endif + + return STATUS_SUCCESS; +} + +NTSTATUS +NTAPI +SepCaptureAcl(IN PACL InputAcl, + IN KPROCESSOR_MODE AccessMode, + IN POOL_TYPE PoolType, + IN BOOLEAN CaptureIfKernel, + OUT PACL *CapturedAcl) +{ + PACL NewAcl; + ULONG AclSize = 0; + NTSTATUS Status = STATUS_SUCCESS; + + PAGED_CODE(); + + if(AccessMode != KernelMode) + { + _SEH_TRY + { + ProbeForRead(InputAcl, + sizeof(ACL), + sizeof(ULONG)); + AclSize = InputAcl->AclSize; + ProbeForRead(InputAcl, + AclSize, + sizeof(ULONG)); + } + _SEH_HANDLE + { + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + + if(NT_SUCCESS(Status)) + { + NewAcl = ExAllocatePool(PoolType, + AclSize); + if(NewAcl != NULL) + { + _SEH_TRY + { + RtlCopyMemory(NewAcl, + InputAcl, + AclSize); + + *CapturedAcl = NewAcl; + } + _SEH_HANDLE + { + ExFreePool(NewAcl); + Status = _SEH_GetExceptionCode(); + } + _SEH_END; + } + else + { + Status = STATUS_INSUFFICIENT_RESOURCES; + } + } + } + else if(!CaptureIfKernel) + { + *CapturedAcl = InputAcl; + } + else + { + AclSize = InputAcl->AclSize; + + NewAcl = ExAllocatePool(PoolType, + AclSize); + + if(NewAcl != NULL) + { + RtlCopyMemory(NewAcl, + InputAcl, + AclSize); + + *CapturedAcl = NewAcl; + } + else + { + Status = STATUS_INSUFFICIENT_RESOURCES; + } + } + + return Status; +} + +VOID +NTAPI +SepReleaseAcl(IN PACL CapturedAcl, + IN KPROCESSOR_MODE AccessMode, + IN BOOLEAN CaptureIfKernel) +{ + PAGED_CODE(); + + if(CapturedAcl != NULL && + (AccessMode != KernelMode || + (AccessMode == KernelMode && CaptureIfKernel))) + { + ExFreePool(CapturedAcl); + } +} + /* EOF */