/*
* PROJECT: ReactOS Kernel
* LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
* PURPOSE: Security manager infrastructure
* COPYRIGHT: Copyright Timo Kreuzer <timo.kreuzer@reactos.org>
* Copyright Eric Kohl
* Copyright Aleksey Bragin
* Copyright Alex Ionescu <alex@relsoft.net>
*/
/* INCLUDES *******************************************************************/
#include <ntoskrnl.h>
#define NDEBUG
#include <debug.h>
/* GLOBALS ********************************************************************/
/* System anonymous logon tokens. Both start out NULL and are assigned by
 * SepInitializationPhase0. */
PTOKEN SeAnonymousLogonToken = NULL;
PTOKEN SeAnonymousLogonTokenNoEveryone = NULL;

/* Export table and the pointer through which it is published. The pointer
 * stays NULL until SepInitExports has filled SepExports. */
PSE_EXPORTS SeExports = NULL;
SE_EXPORTS SepExports;

/* Not referenced by the routines in this part of the file */
ULONG SidInTokenCalls = 0;

/* Defined elsewhere: current executive initialization phase and the lock
 * that SepInitializationPhase0 initializes for the subject context */
extern ULONG ExpInitializationPhase;
extern ERESOURCE SepSubjectContextLock;
/* PRIVATE FUNCTIONS **********************************************************/
/**
 * @brief
 * Fills the SepExports table with the security manager's privilege and
 * well-known SID globals, then publishes the table through SeExports.
 *
 * @return
 * Always returns TRUE.
 */
static
CODE_SEG("INIT")
BOOLEAN
SepInitExports(VOID)
{
    PSE_EXPORTS Exports = &SepExports;

    /* Privileges */
    Exports->SeCreateTokenPrivilege = SeCreateTokenPrivilege;
    Exports->SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
    Exports->SeLockMemoryPrivilege = SeLockMemoryPrivilege;
    Exports->SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
    Exports->SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
    Exports->SeTcbPrivilege = SeTcbPrivilege;
    Exports->SeSecurityPrivilege = SeSecurityPrivilege;
    Exports->SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
    Exports->SeLoadDriverPrivilege = SeLoadDriverPrivilege;
    Exports->SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
    Exports->SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
    Exports->SeSystemProfilePrivilege = SeSystemProfilePrivilege;
    Exports->SeSystemtimePrivilege = SeSystemtimePrivilege;
    Exports->SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
    Exports->SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
    Exports->SeBackupPrivilege = SeBackupPrivilege;
    Exports->SeRestorePrivilege = SeRestorePrivilege;
    Exports->SeShutdownPrivilege = SeShutdownPrivilege;
    Exports->SeDebugPrivilege = SeDebugPrivilege;
    Exports->SeAuditPrivilege = SeAuditPrivilege;
    Exports->SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
    Exports->SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
    Exports->SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;

    /* Well-known SIDs */
    Exports->SeNullSid = SeNullSid;
    Exports->SeWorldSid = SeWorldSid;
    Exports->SeLocalSid = SeLocalSid;
    Exports->SeCreatorOwnerSid = SeCreatorOwnerSid;
    Exports->SeCreatorGroupSid = SeCreatorGroupSid;
    Exports->SeNtAuthoritySid = SeNtAuthoritySid;
    Exports->SeDialupSid = SeDialupSid;
    Exports->SeNetworkSid = SeNetworkSid;
    Exports->SeBatchSid = SeBatchSid;
    Exports->SeInteractiveSid = SeInteractiveSid;
    Exports->SeLocalSystemSid = SeLocalSystemSid;
    Exports->SeAliasAdminsSid = SeAliasAdminsSid;
    Exports->SeAliasUsersSid = SeAliasUsersSid;
    Exports->SeAliasGuestsSid = SeAliasGuestsSid;
    Exports->SeAliasPowerUsersSid = SeAliasPowerUsersSid;
    Exports->SeAliasAccountOpsSid = SeAliasAccountOpsSid;
    Exports->SeAliasSystemOpsSid = SeAliasSystemOpsSid;
    Exports->SeAliasPrintOpsSid = SeAliasPrintOpsSid;
    Exports->SeAliasBackupOpsSid = SeAliasBackupOpsSid;
    Exports->SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
    Exports->SeRestrictedSid = SeRestrictedSid;
    Exports->SeAnonymousLogonSid = SeAnonymousLogonSid;
    Exports->SeLocalServiceSid = SeLocalServiceSid;
    Exports->SeNetworkServiceSid = SeNetworkServiceSid;

    /* Remaining privileges */
    Exports->SeUndockPrivilege = SeUndockPrivilege;
    Exports->SeSyncAgentPrivilege = SeSyncAgentPrivilege;
    Exports->SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
    Exports->SeManageVolumePrivilege = SeManageVolumePrivilege;
    Exports->SeImpersonatePrivilege = SeImpersonatePrivilege;
    Exports->SeCreateGlobalPrivilege = SeCreateGlobalPrivilege;

    /* Publish the pointer last, once every field has been written */
    SeExports = Exports;

    return TRUE;
}
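/**
 * @brief
 * Handles the phase 0 procedure of the SRM initialization: sets up LUIDs,
 * well-known SIDs, default DACLs and security descriptors, privileges and
 * the export table, then creates the boot (system process) token and the
 * two anonymous logon tokens.
 *
 * @return
 * Returns TRUE if the phase 0 initialization has succeeded and that
 * we can proceed further with next initialization phase, FALSE
 * otherwise.
 */
CODE_SEG("INIT")
BOOLEAN
NTAPI
SepInitializationPhase0(VOID)
{
    PTOKEN SystemToken;

    PAGED_CODE();

    if (!ExLuidInitialization()) return FALSE;
    if (!SepInitSecurityIDs()) return FALSE;
    if (!SepInitDACLs()) return FALSE;
    if (!SepInitSDs()) return FALSE;
    SepInitPrivileges();
    if (!SepInitExports()) return FALSE;

    /* Initialize the subject context lock */
    ExInitializeResource(&SepSubjectContextLock);

    /* Initialize token objects */
    SepInitializeTokenImplementation();

    /* Initialize logon sessions */
    if (!SeRmInitPhase0()) return FALSE;

    /* Clear impersonation info for the idle thread */
    PsGetCurrentThread()->ImpersonationInfo = NULL;
    PspClearCrossThreadFlag(PsGetCurrentThread(),
                            CT_ACTIVE_IMPERSONATION_INFO_BIT);

    /* Initialize the boot token */
    ObInitializeFastReference(&PsGetCurrentProcess()->Token, NULL);

    /*
     * Fail the phase if the system token could not be created, the same way
     * the anonymous logon tokens are handled below. Otherwise the current
     * process would keep a NULL token reference while this routine reports
     * success.
     * NOTE(review): assumes SepCreateSystemProcessToken returns NULL on
     * failure -- confirm against its definition.
     */
    SystemToken = SepCreateSystemProcessToken();
    if (!SystemToken)
        return FALSE;

    ObInitializeFastReference(&PsGetCurrentProcess()->Token, SystemToken);

    /* Initialise the anonymous logon tokens */
    SeAnonymousLogonToken = SepCreateSystemAnonymousLogonToken();
    if (!SeAnonymousLogonToken)
        return FALSE;

    SeAnonymousLogonTokenNoEveryone = SepCreateSystemAnonymousLogonTokenNoEveryone();
    if (!SeAnonymousLogonTokenNoEveryone)
        return FALSE;

    return TRUE;
}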
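/**
 * @brief
 * Handles the phase 1 procedure of the SRM initialization: inserts the
 * system token into the object manager, creates the permanent '\Security'
 * object directory with its own DACL and creates the permanent
 * 'LSA_AUTHENTICATION_INITIALIZED' event inside that directory.
 *
 * @return
 * Returns TRUE if the phase 1 initialization has succeeded, FALSE
 * otherwise.
 *
 * @remarks
 * Every step is checked at run time instead of through ASSERT alone.
 * ASSERT is typically compiled out of non-debug builds, in which case a
 * failed ACE or DACL step would go unnoticed and '\Security' would be
 * created with a protection other than the one built here, and a failed
 * directory creation would leave SecurityHandle uninitialized for the
 * calls that follow.
 */
CODE_SEG("INIT")
BOOLEAN
NTAPI
SepInitializationPhase1(VOID)
{
    OBJECT_ATTRIBUTES ObjectAttributes;
    UNICODE_STRING Name;
    HANDLE SecurityHandle = NULL;
    HANDLE EventHandle;
    NTSTATUS Status;
    SECURITY_DESCRIPTOR SecurityDescriptor;
    PACL Dacl = NULL;
    ULONG DaclLength;

    PAGED_CODE();

    /* Insert the system token into the tree */
    Status = ObInsertObject((PVOID)(PsGetCurrentProcess()->Token.Value &
                                    ~MAX_FAST_REFS),
                            NULL,
                            0,
                            0,
                            NULL,
                            NULL);
    if (!NT_SUCCESS(Status)) goto Failure;

    /* Create a security descriptor for the directory */
    Status = RtlCreateSecurityDescriptor(&SecurityDescriptor,
                                         SECURITY_DESCRIPTOR_REVISION);
    if (!NT_SUCCESS(Status)) goto Failure;

    /* Setup the ACL: header plus three allowed ACEs and their SIDs */
    DaclLength = sizeof(ACL) + 3 * sizeof(ACCESS_ALLOWED_ACE) +
                 RtlLengthSid(SeLocalSystemSid) +
                 RtlLengthSid(SeAliasAdminsSid) +
                 RtlLengthSid(SeWorldSid);
    Dacl = ExAllocatePoolWithTag(NonPagedPool, DaclLength, TAG_SE);
    if (Dacl == NULL)
    {
        return FALSE;
    }

    Status = RtlCreateAcl(Dacl, DaclLength, ACL_REVISION);
    if (!NT_SUCCESS(Status)) goto Failure;

    /* Grant full access to SYSTEM */
    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    DIRECTORY_ALL_ACCESS,
                                    SeLocalSystemSid);
    if (!NT_SUCCESS(Status)) goto Failure;

    /* Allow admins to traverse and query */
    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    READ_CONTROL | DIRECTORY_TRAVERSE | DIRECTORY_QUERY,
                                    SeAliasAdminsSid);
    if (!NT_SUCCESS(Status)) goto Failure;

    /* Allow anyone to traverse */
    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    DIRECTORY_TRAVERSE,
                                    SeWorldSid);
    if (!NT_SUCCESS(Status)) goto Failure;

    /* And link ACL and SD */
    Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, Dacl, FALSE);
    if (!NT_SUCCESS(Status)) goto Failure;

    /* Create '\Security' directory */
    RtlInitUnicodeString(&Name, L"\\Security");
    InitializeObjectAttributes(&ObjectAttributes,
                               &Name,
                               OBJ_PERMANENT | OBJ_CASE_INSENSITIVE,
                               0,
                               &SecurityDescriptor);

    Status = ZwCreateDirectoryObject(&SecurityHandle,
                                     DIRECTORY_ALL_ACCESS,
                                     &ObjectAttributes);
    if (!NT_SUCCESS(Status))
    {
        /* Do not trust the handle value after a failed create */
        SecurityHandle = NULL;
        goto Failure;
    }

    /* Free the DACL; clear the pointer so the failure path cannot free it twice */
    ExFreePoolWithTag(Dacl, TAG_SE);
    Dacl = NULL;

    /* Create 'LSA_AUTHENTICATION_INITIALIZED' event */
    RtlInitUnicodeString(&Name, L"LSA_AUTHENTICATION_INITIALIZED");
    InitializeObjectAttributes(&ObjectAttributes,
                               &Name,
                               OBJ_PERMANENT | OBJ_CASE_INSENSITIVE,
                               SecurityHandle,
                               SePublicDefaultSd);

    Status = ZwCreateEvent(&EventHandle,
                           GENERIC_WRITE,
                           &ObjectAttributes,
                           NotificationEvent,
                           FALSE);
    if (!NT_SUCCESS(Status)) goto Failure;

    /* Both objects were created with OBJ_PERMANENT; the handles can go */
    Status = ZwClose(EventHandle);
    ASSERT(NT_SUCCESS(Status));

    Status = ZwClose(SecurityHandle);
    ASSERT(NT_SUCCESS(Status));

    return TRUE;

Failure:
    /* Keep the debug-build break on the failing status */
    ASSERT(NT_SUCCESS(Status));

    if (SecurityHandle != NULL) ZwClose(SecurityHandle);
    if (Dacl != NULL) ExFreePoolWithTag(Dacl, TAG_SE);

    /* NOTE(review): the caller is presumed to treat FALSE as fatal -- confirm */
    return FALSE;
}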
/**
 * @brief
 * Main security manager initialization function. Dispatches to the
 * routine that matches the current value of ExpInitializationPhase.
 *
 * @return
 * Returns the result of the phase 0 or phase 1 routine: TRUE if that
 * phase completed, FALSE otherwise. Any other phase value bugchecks with
 * UNEXPECTED_INITIALIZATION_CALL.
 */
CODE_SEG("INIT")
BOOLEAN
NTAPI
SeInitSystem(VOID)
{
    /* Phase 0 */
    if (ExpInitializationPhase == 0)
    {
        return SepInitializationPhase0();
    }

    /* Phase 1 */
    if (ExpInitializationPhase == 1)
    {
        return SepInitializationPhase1();
    }

    /* Don't know any other phase! Bugcheck! */
    KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
                 0,
                 ExpInitializationPhase,
                 0,
                 0);
    return FALSE;
}
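/**
 * @brief
 * Internal function that is responsible for querying, deleting, assigning and
 * setting a security descriptor for an object in the NT kernel. It is the
 * default security method for objects; each operation is forwarded to the
 * matching object manager routine.
 *
 * @param[in] Object
 * The object that has the default security method, which the function has
 * been called upon. Used by the set, query and assign operations.
 *
 * @param[in] OperationType
 * Operation type to perform to that object. Any value other than the four
 * handled ones bugchecks with SECURITY_SYSTEM.
 *
 * @param[in] SecurityInformation
 * Auxiliary security information of the object. Used by the set and query
 * operations.
 *
 * @param[in,out] SecurityDescriptor
 * A security descriptor. This SD is used accordingly to the operation type
 * requested by the caller.
 *
 * @param[in,out] ReturnLength
 * The length size of the queried security descriptor, in bytes. Only the
 * query operation uses it.
 *
 * @param[in,out] OldSecurityDescriptor
 * The old SD that belonged to the object. Passed to the set, query and
 * delete operations.
 *
 * @param[in] PoolType
 * Pool type allocation for the security descriptor. Used by the set and
 * assign operations.
 *
 * @param[in] GenericMapping
 * The generic mapping of access rights masks for the object. Only the set
 * operation uses it.
 *
 * @return
 * Returns the status of the object manager routine that carried out the
 * requested operation.
 */
NTSTATUS
NTAPI
SeDefaultObjectMethod(
    _In_ PVOID Object,
    _In_ SECURITY_OPERATION_CODE OperationType,
    _In_ PSECURITY_INFORMATION SecurityInformation,
    _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _Inout_opt_ PULONG ReturnLength,
    _Inout_ PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
    _In_ POOL_TYPE PoolType,
    _In_ PGENERIC_MAPPING GenericMapping)
{
    PAGED_CODE();

    /* Select the operation type */
    switch (OperationType)
    {
        /* Setting a new descriptor */
        case SetSecurityDescriptor:

            /* Sanity check */
            ASSERT((PoolType == PagedPool) || (PoolType == NonPagedPool));

            /* Set the information */
            return ObSetSecurityDescriptorInfo(Object,
                                               SecurityInformation,
                                               SecurityDescriptor,
                                               OldSecurityDescriptor,
                                               PoolType,
                                               GenericMapping);

        case QuerySecurityDescriptor:

            /* Query the information */
            return ObQuerySecurityDescriptorInfo(Object,
                                                 SecurityInformation,
                                                 SecurityDescriptor,
                                                 ReturnLength,
                                                 OldSecurityDescriptor);

        case DeleteSecurityDescriptor:

            /* De-assign it */
            return ObDeassignSecurity(OldSecurityDescriptor);

        case AssignSecurityDescriptor:

            /*
             * Assign it and hand the status back. Reporting success
             * unconditionally would hide a failed assignment and leave the
             * caller believing the object carries the requested descriptor.
             */
            return ObAssignObjectSecurityDescriptor(Object,
                                                    SecurityDescriptor,
                                                    PoolType);

        default:

            /* Bug check */
            KeBugCheckEx(SECURITY_SYSTEM, 0, STATUS_INVALID_PARAMETER, 0, 0);
    }

    /* Should never reach here; fail closed if it ever does */
    ASSERT(FALSE);
    return STATUS_INVALID_PARAMETER;
}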
/**
 * @brief
 * Computes the access mask needed to query the parts of a security
 * descriptor selected by a security information value.
 *
 * @param[in] SecurityInformation
 * The security information flags to translate. Owner, group and DACL
 * flags map to READ_CONTROL; the SACL flag maps to
 * ACCESS_SYSTEM_SECURITY. Other bits contribute nothing.
 *
 * @param[out] DesiredAccess
 * Receives the resulting access mask; it is always overwritten.
 *
 * @return
 * Nothing.
 */
VOID
NTAPI
SeQuerySecurityAccessMask(
    _In_ SECURITY_INFORMATION SecurityInformation,
    _Out_ PACCESS_MASK DesiredAccess)
{
    const SECURITY_INFORMATION ReadControlBits = OWNER_SECURITY_INFORMATION |
                                                 GROUP_SECURITY_INFORMATION |
                                                 DACL_SECURITY_INFORMATION;
    ACCESS_MASK Mask = 0;

    /* Owner, group or DACL requested */
    if ((SecurityInformation & ReadControlBits) != 0)
    {
        Mask |= READ_CONTROL;
    }

    /* SACL requested */
    if ((SecurityInformation & SACL_SECURITY_INFORMATION) != 0)
    {
        Mask |= ACCESS_SYSTEM_SECURITY;
    }

    *DesiredAccess = Mask;
}
/**
 * @brief
 * Computes the access mask needed to set the parts of a security
 * descriptor selected by a security information value.
 *
 * @param[in] SecurityInformation
 * The security information flags to translate. Owner and group flags map
 * to WRITE_OWNER, the DACL flag to WRITE_DAC and the SACL flag to
 * ACCESS_SYSTEM_SECURITY. Other bits contribute nothing.
 *
 * @param[out] DesiredAccess
 * Receives the resulting access mask; it is always overwritten.
 *
 * @return
 * Nothing.
 */
VOID
NTAPI
SeSetSecurityAccessMask(
    _In_ SECURITY_INFORMATION SecurityInformation,
    _Out_ PACCESS_MASK DesiredAccess)
{
    const SECURITY_INFORMATION OwnerBits = OWNER_SECURITY_INFORMATION |
                                           GROUP_SECURITY_INFORMATION;
    ACCESS_MASK Mask = 0;

    /* Owner or group being changed */
    if ((SecurityInformation & OwnerBits) != 0)
    {
        Mask |= WRITE_OWNER;
    }

    /* DACL being changed */
    if ((SecurityInformation & DACL_SECURITY_INFORMATION) != 0)
    {
        Mask |= WRITE_DAC;
    }

    /* SACL being changed */
    if ((SecurityInformation & SACL_SECURITY_INFORMATION) != 0)
    {
        Mask |= ACCESS_SYSTEM_SECURITY;
    }

    *DesiredAccess = Mask;
}
/**
 * @unimplemented
 * @brief
 * Report a security event to the security manager. At present the
 * routine only validates its arguments and resolves the SID to report
 * under; nothing is reported.
 *
 * @param[in] Flags
 * Flags that influence how the event should be reported. Must be 0.
 *
 * @param[in] SourceName
 * A Unicode string that represents the source name of the event. It must
 * be non-NULL, have a buffer and a non-zero length, and pass
 * RtlValidateUnicodeString.
 *
 * @param[in] UserSid
 * The SID that represents a user that initiated the reporting. If NULL,
 * the SID is taken from the effective token of the captured subject
 * context.
 *
 * @param[in] AuditParameters
 * An array of parameters for auditing purposes. Its ParameterCount must
 * not exceed SE_MAX_AUDIT_PARAMETERS - 4.
 *
 * @return
 * Returns STATUS_SUCCESS once validation has passed.
 * STATUS_INVALID_PARAMETER is returned if one of the parameters does not
 * satisfy the requirements above; a failure status from
 * RtlValidateUnicodeString is returned as is.
 *
 * @remarks
 * NOTE(review): STATUS_SUCCESS is returned although the event is not
 * recorded, so a caller cannot tell that its audit record was dropped.
 */
NTSTATUS
NTAPI
SeReportSecurityEvent(
    _In_ ULONG Flags,
    _In_ PUNICODE_STRING SourceName,
    _In_opt_ PSID UserSid,
    _In_ PSE_ADT_PARAMETER_ARRAY AuditParameters)
{
    SECURITY_SUBJECT_CONTEXT SubjectContext;
    PTOKEN EffectiveToken;
    PISID Sid;
    NTSTATUS Status;

    /* No flags are accepted */
    if (Flags != 0)
    {
        return STATUS_INVALID_PARAMETER;
    }

    /* The source name must be a non-empty string */
    if ((SourceName == NULL) ||
        (SourceName->Buffer == NULL) ||
        (SourceName->Length == 0))
    {
        return STATUS_INVALID_PARAMETER;
    }

    /* The parameter array must exist and stay under the limit.
       NOTE(review): the "- 4" presumably reserves slots -- confirm */
    if ((AuditParameters == NULL) ||
        (AuditParameters->ParameterCount > SE_MAX_AUDIT_PARAMETERS - 4))
    {
        return STATUS_INVALID_PARAMETER;
    }

    /* Validate the source name */
    Status = RtlValidateUnicodeString(0, SourceName);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }

    if (UserSid == NULL)
    {
        /* No user SID, capture the security subject context */
        SeCaptureSubjectContext(&SubjectContext);

        /* The client token wins over the primary token when present */
        if (SubjectContext.ClientToken)
        {
            EffectiveToken = SubjectContext.ClientToken;
        }
        else
        {
            EffectiveToken = SubjectContext.PrimaryToken;
        }

        /* Use the first user-and-groups SID */
        Sid = EffectiveToken->UserAndGroups->Sid;
    }
    else
    {
        /* A caller-supplied SID must be well formed */
        if (!RtlValidSid(UserSid))
        {
            return STATUS_INVALID_PARAMETER;
        }

        Sid = UserSid;
    }

    UNIMPLEMENTED;

    /* A SID that differs from UserSid came from the captured context */
    if (Sid != UserSid)
    {
        SeReleaseSubjectContext(&SubjectContext);
    }

    /* Return success */
    return STATUS_SUCCESS;
}
/**
 * @unimplemented
 * @brief
 * Sets an array of audit parameters for later security auditing use.
 * The routine is a stub: none of its arguments are read or written.
 *
 * @param[in,out] AuditParameters
 * An array of audit parameters to be set.
 *
 * @param[in] Type
 * The type of audit parameters to be set.
 *
 * @param[in] Index
 * Index number that represents an instance of an audit parameter.
 * Such index must be below SE_MAX_AUDIT_PARAMETERS.
 *
 * @param[in] Data
 * An arbitrary data buffer whose layout depends on the audit parameter
 * type being set.
 *
 * @return
 * Currently always STATUS_SUCCESS.
 *
 * @remarks
 * NOTE(review): success is reported although nothing is stored in
 * AuditParameters, so callers cannot detect that the parameter was not set.
 */
_Const_
NTSTATUS
NTAPI
SeSetAuditParameter(
    _Inout_ PSE_ADT_PARAMETER_ARRAY AuditParameters,
    _In_ SE_ADT_PARAMETER_TYPE Type,
    _In_range_(<, SE_MAX_AUDIT_PARAMETERS) ULONG Index,
    _In_reads_(_Inexpressible_("depends on SE_ADT_PARAMETER_TYPE")) PVOID Data)
{
    /* Stub: no argument is touched */
    UNIMPLEMENTED;
    return STATUS_SUCCESS;
}
/* EOF */