[NTOS:OB]
authorEric Kohl <eric.kohl@reactos.org>
Sun, 5 Mar 2017 21:28:10 +0000 (21:28 +0000)
committerEric Kohl <eric.kohl@reactos.org>
Sun, 5 Mar 2017 21:28:10 +0000 (21:28 +0000)
- Define and use a pool tag for directory security descriptors.
- Use a custom security descriptor to create the KernelObjects directory.

svn path=/trunk/; revision=74103

reactos/ntoskrnl/include/internal/tag.h
reactos/ntoskrnl/ob/obinit.c
reactos/ntoskrnl/ob/obname.c

index e7f7bfc..45ee8a5 100644 (file)
 /* Object Manager Tags */
 #define OB_NAME_TAG             'mNbO'
 #define OB_DIR_TAG              'iDbO'
+#define TAG_OB_DIR_SD           'sDbO'
+
 
 /* formerly located in ps/cid.c */
 #define TAG_CIDOBJECT 'ODIC'
index ff79755..e2a8335 100644 (file)
@@ -54,6 +54,82 @@ ULONG ObpInitializationPhase;
 
 /* PRIVATE FUNCTIONS *********************************************************/
 
+static
+NTSTATUS
+NTAPI
+INIT_FUNCTION
+ObpCreateKernelObjectsSD(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
+{
+    ULONG AclLength;
+    PACL Dacl;
+    NTSTATUS Status;
+
+    /* Initialize the SD */
+    Status = RtlCreateSecurityDescriptor(SecurityDescriptor,
+                                         SECURITY_DESCRIPTOR_REVISION);
+    if (!NT_SUCCESS(Status))
+        return Status;
+
+    /* Allocate the DACL */
+    AclLength = sizeof(ACL) +
+                sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+                sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
+                sizeof(ACE) + RtlLengthSid(SeLocalSystemSid);
+
+    Dacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_OB_DIR_SD);
+    if (Dacl == NULL)
+    {
+        return STATUS_INSUFFICIENT_RESOURCES;
+    }
+
+    /* Initialize the DACL */
+    RtlCreateAcl(Dacl, AclLength, ACL_REVISION);
+
+    /* Add the ACEs */
+    RtlAddAccessAllowedAce(Dacl,
+                           ACL_REVISION,
+                           GENERIC_READ,
+                           SeWorldSid);
+
+    RtlAddAccessAllowedAce(Dacl,
+                           ACL_REVISION,
+                           GENERIC_ALL,
+                           SeAliasAdminsSid);
+
+    RtlAddAccessAllowedAce(Dacl,
+                           ACL_REVISION,
+                           GENERIC_ALL,
+                           SeLocalSystemSid);
+
+    /* Attach the DACL to the SD */
+    Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor,
+                                          TRUE,
+                                          Dacl,
+                                          FALSE);
+
+    return Status;
+}
+
+static
+VOID
+NTAPI
+INIT_FUNCTION
+ObpFreeKernelObjectsSD(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
+{
+    PACL Dacl = NULL;
+    BOOLEAN DaclPresent, Defaulted;
+    NTSTATUS Status;
+
+    Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
+                                          &DaclPresent,
+                                          &Dacl,
+                                          &Defaulted);
+    if (NT_SUCCESS(Status) && Dacl != NULL)
+    {
+        ExFreePool(Dacl);
+    }
+}
+
 BOOLEAN
 INIT_FUNCTION
 NTAPI
@@ -136,6 +212,7 @@ ObInitSystem(VOID)
     POBJECT_HEADER Header;
     POBJECT_HEADER_CREATOR_INFO CreatorInfo;
     POBJECT_HEADER_NAME_INFO NameInfo;
+    SECURITY_DESCRIPTOR KernelObjectsSD;
     NTSTATUS Status;
 
     /* Check if this is actually Phase 1 initialization */
@@ -258,25 +335,31 @@ ObPostPhase0:
     Status = NtClose(Handle);
     if (!NT_SUCCESS(Status)) return FALSE;
 
-    /* Initialize Object Types directory attributes */
+    /* Create a custom security descriptor for the KernelObjects directory */
+    Status = ObpCreateKernelObjectsSD(&KernelObjectsSD);
+    if (!NT_SUCCESS(Status))
+        return FALSE;
+
+    /* Initialize the KernelObjects directory attributes */
     RtlInitUnicodeString(&Name, L"\\KernelObjects");
     InitializeObjectAttributes(&ObjectAttributes,
                                &Name,
                                OBJ_CASE_INSENSITIVE | OBJ_PERMANENT,
                                NULL,
-                               NULL);
-    
+                               &KernelObjectsSD);
+
     /* Create the directory */
     Status = NtCreateDirectoryObject(&Handle,
                                      DIRECTORY_ALL_ACCESS,
                                      &ObjectAttributes);
+    ObpFreeKernelObjectsSD(&KernelObjectsSD);
     if (!NT_SUCCESS(Status)) return FALSE;
-    
+
     /* Close the extra handle */
     Status = NtClose(Handle);
     if (!NT_SUCCESS(Status)) return FALSE;
 
-    /* Initialize Object Types directory attributes */
+    /* Initialize ObjectTypes directory attributes */
     RtlInitUnicodeString(&Name, L"\\ObjectTypes");
     InitializeObjectAttributes(&ObjectAttributes,
                                &Name,
index 91fa67e..a6d8e29 100644 (file)
@@ -55,10 +55,10 @@ ObpCreateGlobalDosDevicesSD(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
                 sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
                 sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
 
-    Dacl = ExAllocatePool(PagedPool, AclLength);
+    Dacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_OB_DIR_SD);
     if (Dacl == NULL)
     {
-        return STATUS_NO_MEMORY;
+        return STATUS_INSUFFICIENT_RESOURCES;
     }
 
     /* Initialize the DACL */