2005-04-20 20:58:16 +00:00
|
|
|
/*
|
2005-01-26 13:58:37 +00:00
|
|
|
* COPYRIGHT: See COPYING in the top level directory
|
|
|
|
|
* PROJECT: ReactOS kernel
|
|
|
|
|
* FILE: ntoskrnl/se/access.c
|
2005-04-20 20:58:16 +00:00
|
|
|
* PURPOSE: Access state functions
|
|
|
|
|
*
|
2012-09-10 08:15:43 +00:00
|
|
|
* PROGRAMMERS: Alex Ionescu (alex@relsoft.net) -
|
2005-05-09 19:57:41 +00:00
|
|
|
* Based on patch by Javier M. Mellid
|
2000-04-08 19:10:50 +00:00
|
|
|
*/
|
|
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
/* INCLUDES *******************************************************************/
|
2000-04-08 19:10:50 +00:00
|
|
|
|
2004-08-15 16:39:12 +00:00
|
|
|
#include <ntoskrnl.h>
|
2004-08-03 19:20:39 +00:00
|
|
|
#define NDEBUG
|
2008-04-23 20:38:37 +00:00
|
|
|
#include <debug.h>
|
2000-04-08 19:10:50 +00:00
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
/* GLOBALS ********************************************************************/
|
2000-04-08 19:10:50 +00:00
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
ERESOURCE SepSubjectContextLock;
|
|
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* PRIVATE FUNCTIONS **********************************************************/
|
|
|
|
|
|
|
|
|
|
BOOLEAN
|
|
|
|
|
NTAPI
|
|
|
|
|
SepSidInTokenEx(IN PACCESS_TOKEN _Token,
|
|
|
|
|
IN PSID PrincipalSelfSid,
|
|
|
|
|
IN PSID _Sid,
|
|
|
|
|
IN BOOLEAN Deny,
|
|
|
|
|
IN BOOLEAN Restricted)
|
|
|
|
|
{
|
|
|
|
|
ULONG i;
|
|
|
|
|
PTOKEN Token = (PTOKEN)_Token;
|
|
|
|
|
PISID TokenSid, Sid = (PISID)_Sid;
|
|
|
|
|
PSID_AND_ATTRIBUTES SidAndAttributes;
|
|
|
|
|
ULONG SidCount, SidLength;
|
|
|
|
|
USHORT SidMetadata;
|
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
|
|
/* Not yet supported */
|
|
|
|
|
ASSERT(PrincipalSelfSid == NULL);
|
|
|
|
|
ASSERT(Restricted == FALSE);
|
|
|
|
|
|
|
|
|
|
/* Check if a principal SID was given, and this is our current SID already */
|
|
|
|
|
if ((PrincipalSelfSid) && (RtlEqualSid(SePrincipalSelfSid, Sid)))
|
|
|
|
|
{
|
|
|
|
|
/* Just use the principal SID in this case */
|
|
|
|
|
Sid = PrincipalSelfSid;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Check if this is a restricted token or not */
|
|
|
|
|
if (Restricted)
|
|
|
|
|
{
|
|
|
|
|
/* Use the restricted SIDs and count */
|
|
|
|
|
SidAndAttributes = Token->RestrictedSids;
|
|
|
|
|
SidCount = Token->RestrictedSidCount;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* Use the normal SIDs and count */
|
|
|
|
|
SidAndAttributes = Token->UserAndGroups;
|
|
|
|
|
SidCount = Token->UserAndGroupCount;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Do checks here by hand instead of the usual 4 function calls */
|
|
|
|
|
SidLength = FIELD_OFFSET(SID,
|
|
|
|
|
SubAuthority[Sid->SubAuthorityCount]);
|
|
|
|
|
SidMetadata = *(PUSHORT)&Sid->Revision;
|
|
|
|
|
|
|
|
|
|
/* Loop every SID */
|
|
|
|
|
for (i = 0; i < SidCount; i++)
|
|
|
|
|
{
|
|
|
|
|
TokenSid = (PISID)SidAndAttributes->Sid;
|
|
|
|
|
#if SE_SID_DEBUG
|
|
|
|
|
UNICODE_STRING sidString;
|
|
|
|
|
RtlConvertSidToUnicodeString(&sidString, TokenSid, TRUE);
|
|
|
|
|
DPRINT1("SID in Token: %wZ\n", &sidString);
|
|
|
|
|
RtlFreeUnicodeString(&sidString);
|
|
|
|
|
#endif
|
|
|
|
|
/* Check if the SID metadata matches */
|
|
|
|
|
if (*(PUSHORT)&TokenSid->Revision == SidMetadata)
|
|
|
|
|
{
|
|
|
|
|
/* Check if the SID data matches */
|
|
|
|
|
if (RtlEqualMemory(Sid, TokenSid, SidLength))
|
|
|
|
|
{
|
|
|
|
|
/* Check if the group is enabled, or used for deny only */
|
|
|
|
|
if ((!(i) && !(SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)) ||
|
|
|
|
|
(SidAndAttributes->Attributes & SE_GROUP_ENABLED) ||
|
|
|
|
|
((Deny) && (SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)))
|
|
|
|
|
{
|
|
|
|
|
/* SID is present */
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* SID is not present */
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Move to the next SID */
|
|
|
|
|
SidAndAttributes++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* SID is not present */
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
BOOLEAN
|
|
|
|
|
NTAPI
|
|
|
|
|
SepSidInToken(IN PACCESS_TOKEN _Token,
|
|
|
|
|
IN PSID Sid)
|
|
|
|
|
{
|
|
|
|
|
/* Call extended API */
|
|
|
|
|
return SepSidInTokenEx(_Token, NULL, Sid, FALSE, FALSE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
BOOLEAN
|
|
|
|
|
NTAPI
|
|
|
|
|
SepTokenIsOwner(IN PACCESS_TOKEN _Token,
|
|
|
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
|
|
|
IN BOOLEAN TokenLocked)
|
|
|
|
|
{
|
|
|
|
|
PSID Sid;
|
|
|
|
|
BOOLEAN Result;
|
|
|
|
|
PTOKEN Token = _Token;
|
|
|
|
|
|
|
|
|
|
/* Get the owner SID */
|
|
|
|
|
Sid = SepGetOwnerFromDescriptor(SecurityDescriptor);
|
|
|
|
|
ASSERT(Sid != NULL);
|
|
|
|
|
|
|
|
|
|
/* Lock the token if needed */
|
2012-09-12 16:29:28 +00:00
|
|
|
if (!TokenLocked) SepAcquireTokenLockShared(Token);
|
2012-09-10 08:15:43 +00:00
|
|
|
|
|
|
|
|
/* Check if the owner SID is found, handling restricted case as well */
|
|
|
|
|
Result = SepSidInToken(Token, Sid);
|
|
|
|
|
if ((Result) && (Token->TokenFlags & TOKEN_IS_RESTRICTED))
|
|
|
|
|
{
|
|
|
|
|
Result = SepSidInTokenEx(Token, NULL, Sid, FALSE, TRUE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Release the lock if we had acquired it */
|
2012-09-12 16:29:28 +00:00
|
|
|
if (!TokenLocked) SepReleaseTokenLock(Token);
|
2012-09-10 08:15:43 +00:00
|
|
|
|
|
|
|
|
/* Return the result */
|
|
|
|
|
return Result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
SeGetTokenControlInformation(IN PACCESS_TOKEN _Token,
|
|
|
|
|
OUT PTOKEN_CONTROL TokenControl)
|
|
|
|
|
{
|
|
|
|
|
PTOKEN Token = _Token;
|
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
|
|
/* Capture the main fields */
|
|
|
|
|
TokenControl->AuthenticationId = Token->AuthenticationId;
|
|
|
|
|
TokenControl->TokenId = Token->TokenId;
|
|
|
|
|
TokenControl->TokenSource = Token->TokenSource;
|
|
|
|
|
|
|
|
|
|
/* Lock the token */
|
2012-09-12 16:29:28 +00:00
|
|
|
SepAcquireTokenLockShared(Token);
|
2012-09-10 08:15:43 +00:00
|
|
|
|
2018-06-25 13:31:15 +00:00
|
|
|
/* Capture the modified ID */
|
2012-09-10 08:15:43 +00:00
|
|
|
TokenControl->ModifiedId = Token->ModifiedId;
|
|
|
|
|
|
|
|
|
|
/* Unlock it */
|
2012-09-12 16:29:28 +00:00
|
|
|
SepReleaseTokenLock(Token);
|
2012-09-10 08:15:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
SepCreateClientSecurity(IN PACCESS_TOKEN Token,
|
|
|
|
|
IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
|
|
|
|
|
IN BOOLEAN ServerIsRemote,
|
|
|
|
|
IN TOKEN_TYPE TokenType,
|
|
|
|
|
IN BOOLEAN ThreadEffectiveOnly,
|
|
|
|
|
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
|
|
|
|
|
OUT PSECURITY_CLIENT_CONTEXT ClientContext)
|
|
|
|
|
{
|
|
|
|
|
NTSTATUS Status;
|
|
|
|
|
PACCESS_TOKEN NewToken;
|
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
|
|
/* Check for bogus impersonation level */
|
|
|
|
|
if (!VALID_IMPERSONATION_LEVEL(ClientSecurityQos->ImpersonationLevel))
|
|
|
|
|
{
|
|
|
|
|
/* Fail the call */
|
|
|
|
|
return STATUS_INVALID_PARAMETER;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Check what kind of token this is */
|
|
|
|
|
if (TokenType != TokenImpersonation)
|
|
|
|
|
{
|
|
|
|
|
/* On a primary token, if we do direct access, copy the flag from the QOS */
|
|
|
|
|
ClientContext->DirectAccessEffectiveOnly = ClientSecurityQos->EffectiveOnly;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* This is an impersonation token, is the level ok? */
|
|
|
|
|
if (ClientSecurityQos->ImpersonationLevel > ImpersonationLevel)
|
|
|
|
|
{
|
|
|
|
|
/* Nope, fail */
|
|
|
|
|
return STATUS_BAD_IMPERSONATION_LEVEL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Is the level too low, or are we doing something other than delegation remotely */
|
|
|
|
|
if ((ImpersonationLevel == SecurityAnonymous) ||
|
|
|
|
|
(ImpersonationLevel == SecurityIdentification) ||
|
|
|
|
|
((ServerIsRemote) && (ImpersonationLevel != SecurityDelegation)))
|
|
|
|
|
{
|
|
|
|
|
/* Fail the call */
|
|
|
|
|
return STATUS_BAD_IMPERSONATION_LEVEL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Pick either the thread setting or the QOS setting */
|
2018-06-25 13:31:15 +00:00
|
|
|
ClientContext->DirectAccessEffectiveOnly =
|
|
|
|
|
((ThreadEffectiveOnly) || (ClientSecurityQos->EffectiveOnly)) ? TRUE : FALSE;
|
2012-09-10 08:15:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Is this static tracking */
|
|
|
|
|
if (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
|
|
|
|
|
{
|
|
|
|
|
/* Do not use direct access and make a copy */
|
|
|
|
|
ClientContext->DirectlyAccessClientToken = FALSE;
|
2018-06-25 13:31:15 +00:00
|
|
|
Status = SeCopyClientToken(Token,
|
2018-06-25 13:32:06 +00:00
|
|
|
ClientSecurityQos->ImpersonationLevel,
|
|
|
|
|
KernelMode,
|
2018-06-25 13:31:15 +00:00
|
|
|
&NewToken);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
return Status;
|
2012-09-10 08:15:43 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* Use direct access and check if this is local */
|
|
|
|
|
ClientContext->DirectlyAccessClientToken = TRUE;
|
|
|
|
|
if (ServerIsRemote)
|
|
|
|
|
{
|
|
|
|
|
/* We are doing delegation, so make a copy of the control data */
|
|
|
|
|
SeGetTokenControlInformation(Token,
|
|
|
|
|
&ClientContext->ClientTokenControl);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Keep the same token */
|
|
|
|
|
NewToken = Token;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Fill out the context and return success */
|
|
|
|
|
ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
|
|
|
|
|
ClientContext->SecurityQos.ImpersonationLevel = ClientSecurityQos->ImpersonationLevel;
|
|
|
|
|
ClientContext->SecurityQos.ContextTrackingMode = ClientSecurityQos->ContextTrackingMode;
|
|
|
|
|
ClientContext->SecurityQos.EffectiveOnly = ClientSecurityQos->EffectiveOnly;
|
|
|
|
|
ClientContext->ServerIsRemote = ServerIsRemote;
|
|
|
|
|
ClientContext->ClientToken = NewToken;
|
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* PUBLIC FUNCTIONS ***********************************************************/
|
2008-04-23 20:38:37 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
SeCaptureSubjectContextEx(IN PETHREAD Thread,
|
|
|
|
|
IN PEPROCESS Process,
|
|
|
|
|
OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
|
|
|
|
{
|
|
|
|
|
BOOLEAN CopyOnOpen, EffectiveOnly;
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
PAGED_CODE();
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
/* Save the unique ID */
|
|
|
|
|
SubjectContext->ProcessAuditId = Process->UniqueProcessId;
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
/* Check if we have a thread */
|
|
|
|
|
if (!Thread)
|
|
|
|
|
{
|
|
|
|
|
/* We don't, so no token */
|
|
|
|
|
SubjectContext->ClientToken = NULL;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* Get the impersonation token */
|
|
|
|
|
SubjectContext->ClientToken = PsReferenceImpersonationToken(Thread,
|
|
|
|
|
&CopyOnOpen,
|
|
|
|
|
&EffectiveOnly,
|
|
|
|
|
&SubjectContext->ImpersonationLevel);
|
|
|
|
|
}
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
/* Get the primary token */
|
|
|
|
|
SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
|
|
|
|
{
|
|
|
|
|
/* Call the extended API */
|
|
|
|
|
SeCaptureSubjectContextEx(PsGetCurrentThread(),
|
|
|
|
|
PsGetCurrentProcess(),
|
|
|
|
|
SubjectContext);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
|
|
|
|
{
|
2012-09-10 08:15:43 +00:00
|
|
|
PTOKEN PrimaryToken, ClientToken;
|
2008-04-23 20:38:37 +00:00
|
|
|
PAGED_CODE();
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Read both tokens */
|
|
|
|
|
PrimaryToken = SubjectContext->PrimaryToken;
|
|
|
|
|
ClientToken = SubjectContext->ClientToken;
|
|
|
|
|
|
|
|
|
|
/* Always lock the primary */
|
2012-09-12 16:29:28 +00:00
|
|
|
SepAcquireTokenLockShared(PrimaryToken);
|
2012-09-10 08:15:43 +00:00
|
|
|
|
|
|
|
|
/* Lock the impersonation one if it's there */
|
|
|
|
|
if (!ClientToken) return;
|
2012-09-12 16:29:28 +00:00
|
|
|
SepAcquireTokenLockShared(ClientToken);
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
|
|
|
|
{
|
2012-09-10 08:15:43 +00:00
|
|
|
PTOKEN PrimaryToken, ClientToken;
|
2008-04-23 20:38:37 +00:00
|
|
|
PAGED_CODE();
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Read both tokens */
|
|
|
|
|
PrimaryToken = SubjectContext->PrimaryToken;
|
|
|
|
|
ClientToken = SubjectContext->ClientToken;
|
|
|
|
|
|
2016-09-10 13:54:16 +00:00
|
|
|
/* Unlock the impersonation one if it's there */
|
|
|
|
|
if (ClientToken)
|
|
|
|
|
{
|
|
|
|
|
SepReleaseTokenLock(ClientToken);
|
|
|
|
|
}
|
|
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Always unlock the primary one */
|
2012-09-12 16:29:28 +00:00
|
|
|
SepReleaseTokenLock(PrimaryToken);
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
|
|
|
|
{
|
|
|
|
|
PAGED_CODE();
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Drop reference on the primary */
|
|
|
|
|
ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
|
|
|
|
|
SubjectContext->PrimaryToken = NULL;
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Drop reference on the impersonation, if there was one */
|
|
|
|
|
PsDereferenceImpersonationToken(SubjectContext->ClientToken);
|
|
|
|
|
SubjectContext->ClientToken = NULL;
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2004-08-03 19:20:39 +00:00
|
|
|
NTSTATUS
|
2006-07-23 08:20:57 +00:00
|
|
|
NTAPI
|
|
|
|
|
SeCreateAccessStateEx(IN PETHREAD Thread,
|
|
|
|
|
IN PEPROCESS Process,
|
|
|
|
|
IN OUT PACCESS_STATE AccessState,
|
2008-06-16 08:54:21 +00:00
|
|
|
IN PAUX_ACCESS_DATA AuxData,
|
2006-07-23 08:20:57 +00:00
|
|
|
IN ACCESS_MASK Access,
|
|
|
|
|
IN PGENERIC_MAPPING GenericMapping)
|
2004-08-03 19:20:39 +00:00
|
|
|
{
|
2005-05-09 19:57:41 +00:00
|
|
|
ACCESS_MASK AccessMask = Access;
|
|
|
|
|
PTOKEN Token;
|
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
|
|
/* Map the Generic Acess to Specific Access if we have a Mapping */
|
|
|
|
|
if ((Access & GENERIC_ACCESS) && (GenericMapping))
|
|
|
|
|
{
|
|
|
|
|
RtlMapGenericMask(&AccessMask, GenericMapping);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Initialize the Access State */
|
|
|
|
|
RtlZeroMemory(AccessState, sizeof(ACCESS_STATE));
|
2012-09-10 08:15:43 +00:00
|
|
|
ASSERT(AccessState->SecurityDescriptor == NULL);
|
|
|
|
|
ASSERT(AccessState->PrivilegesAllocated == FALSE);
|
|
|
|
|
|
|
|
|
|
/* Initialize and save aux data */
|
|
|
|
|
RtlZeroMemory(AuxData, sizeof(AUX_ACCESS_DATA));
|
|
|
|
|
AccessState->AuxData = AuxData;
|
2005-05-09 19:57:41 +00:00
|
|
|
|
|
|
|
|
/* Capture the Subject Context */
|
2006-07-23 08:20:57 +00:00
|
|
|
SeCaptureSubjectContextEx(Thread,
|
|
|
|
|
Process,
|
|
|
|
|
&AccessState->SubjectSecurityContext);
|
|
|
|
|
|
2005-05-09 19:57:41 +00:00
|
|
|
/* Set Access State Data */
|
2012-09-10 08:15:43 +00:00
|
|
|
AccessState->RemainingDesiredAccess = AccessMask;
|
2005-06-18 18:32:29 +00:00
|
|
|
AccessState->OriginalDesiredAccess = AccessMask;
|
2015-09-28 07:44:49 +00:00
|
|
|
ExAllocateLocallyUniqueId(&AccessState->OperationID);
|
2005-05-09 19:57:41 +00:00
|
|
|
|
|
|
|
|
/* Get the Token to use */
|
2012-09-10 08:15:43 +00:00
|
|
|
Token = SeQuerySubjectContextToken(&AccessState->SubjectSecurityContext);
|
2006-07-23 08:20:57 +00:00
|
|
|
|
2005-05-09 19:57:41 +00:00
|
|
|
/* Check for Travers Privilege */
|
|
|
|
|
if (Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE)
|
|
|
|
|
{
|
|
|
|
|
/* Preserve the Traverse Privilege */
|
|
|
|
|
AccessState->Flags = TOKEN_HAS_TRAVERSE_PRIVILEGE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Set the Auxiliary Data */
|
|
|
|
|
AuxData->PrivilegeSet = (PPRIVILEGE_SET)((ULONG_PTR)AccessState +
|
|
|
|
|
FIELD_OFFSET(ACCESS_STATE,
|
2006-07-23 08:20:57 +00:00
|
|
|
Privileges));
|
2005-05-09 19:57:41 +00:00
|
|
|
if (GenericMapping) AuxData->GenericMapping = *GenericMapping;
|
|
|
|
|
|
|
|
|
|
/* Return Sucess */
|
|
|
|
|
return STATUS_SUCCESS;
|
2004-08-03 19:20:39 +00:00
|
|
|
}
|
|
|
|
|
|
2006-07-23 08:20:57 +00:00
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
|
|
|
|
NTSTATUS
|
2008-11-29 20:47:48 +00:00
|
|
|
NTAPI
|
2006-07-23 08:20:57 +00:00
|
|
|
SeCreateAccessState(IN OUT PACCESS_STATE AccessState,
|
2008-06-16 08:54:21 +00:00
|
|
|
IN PAUX_ACCESS_DATA AuxData,
|
2006-07-23 08:20:57 +00:00
|
|
|
IN ACCESS_MASK Access,
|
|
|
|
|
IN PGENERIC_MAPPING GenericMapping)
|
|
|
|
|
{
|
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
/* Call the extended API */
|
2006-07-23 08:20:57 +00:00
|
|
|
return SeCreateAccessStateEx(PsGetCurrentThread(),
|
|
|
|
|
PsGetCurrentProcess(),
|
|
|
|
|
AccessState,
|
|
|
|
|
AuxData,
|
|
|
|
|
Access,
|
|
|
|
|
GenericMapping);
|
|
|
|
|
}
|
|
|
|
|
|
2004-08-03 19:20:39 +00:00
|
|
|
/*
|
2005-05-09 19:57:41 +00:00
|
|
|
* @implemented
|
2004-08-03 19:20:39 +00:00
|
|
|
*/
|
|
|
|
|
VOID
|
2008-11-29 20:47:48 +00:00
|
|
|
NTAPI
|
2005-05-09 19:57:41 +00:00
|
|
|
SeDeleteAccessState(IN PACCESS_STATE AccessState)
|
2004-08-03 19:20:39 +00:00
|
|
|
{
|
2008-06-16 08:54:21 +00:00
|
|
|
PAUX_ACCESS_DATA AuxData;
|
2005-05-09 19:57:41 +00:00
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
|
|
/* Get the Auxiliary Data */
|
|
|
|
|
AuxData = AccessState->AuxData;
|
|
|
|
|
|
|
|
|
|
/* Deallocate Privileges */
|
2015-03-29 06:04:19 +00:00
|
|
|
if (AccessState->PrivilegesAllocated)
|
|
|
|
|
ExFreePoolWithTag(AuxData->PrivilegeSet, TAG_PRIVILEGE_SET);
|
2006-07-23 08:20:57 +00:00
|
|
|
|
2005-05-09 19:57:41 +00:00
|
|
|
/* Deallocate Name and Type Name */
|
|
|
|
|
if (AccessState->ObjectName.Buffer)
|
|
|
|
|
{
|
|
|
|
|
ExFreePool(AccessState->ObjectName.Buffer);
|
|
|
|
|
}
|
2010-05-28 16:28:27 +00:00
|
|
|
|
|
|
|
|
if (AccessState->ObjectTypeName.Buffer)
|
2005-05-09 19:57:41 +00:00
|
|
|
{
|
|
|
|
|
ExFreePool(AccessState->ObjectTypeName.Buffer);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Release the Subject Context */
|
|
|
|
|
SeReleaseSubjectContext(&AccessState->SubjectSecurityContext);
|
2004-08-03 19:20:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2005-05-09 19:57:41 +00:00
|
|
|
* @implemented
|
2004-08-03 19:20:39 +00:00
|
|
|
*/
|
|
|
|
|
VOID
|
2008-11-29 20:47:48 +00:00
|
|
|
NTAPI
|
2008-04-23 20:38:37 +00:00
|
|
|
SeSetAccessStateGenericMapping(IN PACCESS_STATE AccessState,
|
|
|
|
|
IN PGENERIC_MAPPING GenericMapping)
|
2004-08-03 19:20:39 +00:00
|
|
|
{
|
2005-05-09 19:57:41 +00:00
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
|
|
/* Set the Generic Mapping */
|
2008-06-16 08:54:21 +00:00
|
|
|
((PAUX_ACCESS_DATA)AccessState->AuxData)->GenericMapping = *GenericMapping;
|
2004-08-03 19:20:39 +00:00
|
|
|
}
|
|
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
SeCreateClientSecurity(IN PETHREAD Thread,
|
|
|
|
|
IN PSECURITY_QUALITY_OF_SERVICE Qos,
|
|
|
|
|
IN BOOLEAN RemoteClient,
|
|
|
|
|
OUT PSECURITY_CLIENT_CONTEXT ClientContext)
|
|
|
|
|
{
|
|
|
|
|
TOKEN_TYPE TokenType;
|
|
|
|
|
BOOLEAN ThreadEffectiveOnly;
|
|
|
|
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
|
|
|
|
|
PACCESS_TOKEN Token;
|
|
|
|
|
NTSTATUS Status;
|
|
|
|
|
PAGED_CODE();
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Reference the correct token */
|
2008-04-23 20:38:37 +00:00
|
|
|
Token = PsReferenceEffectiveToken(Thread,
|
|
|
|
|
&TokenType,
|
|
|
|
|
&ThreadEffectiveOnly,
|
|
|
|
|
&ImpersonationLevel);
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Create client security from it */
|
|
|
|
|
Status = SepCreateClientSecurity(Token,
|
|
|
|
|
Qos,
|
|
|
|
|
RemoteClient,
|
|
|
|
|
TokenType,
|
|
|
|
|
ThreadEffectiveOnly,
|
|
|
|
|
ImpersonationLevel,
|
|
|
|
|
ClientContext);
|
|
|
|
|
|
|
|
|
|
/* Check if we failed or static tracking was used */
|
|
|
|
|
if (!(NT_SUCCESS(Status)) || (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
|
2008-04-23 20:38:37 +00:00
|
|
|
{
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Dereference our copy since it's not being used */
|
|
|
|
|
ObDereferenceObject(Token);
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Return status */
|
|
|
|
|
return Status;
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2012-09-10 08:15:43 +00:00
|
|
|
* @implemented
|
2008-04-23 20:38:37 +00:00
|
|
|
*/
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
SeCreateClientSecurityFromSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
|
|
|
|
|
IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
|
|
|
|
|
IN BOOLEAN ServerIsRemote,
|
|
|
|
|
OUT PSECURITY_CLIENT_CONTEXT ClientContext)
|
|
|
|
|
{
|
2012-09-10 08:15:43 +00:00
|
|
|
PACCESS_TOKEN Token;
|
|
|
|
|
NTSTATUS Status;
|
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
|
|
/* Get the right token and reference it */
|
|
|
|
|
Token = SeQuerySubjectContextToken(SubjectContext);
|
|
|
|
|
ObReferenceObject(Token);
|
|
|
|
|
|
|
|
|
|
/* Create the context */
|
|
|
|
|
Status = SepCreateClientSecurity(Token,
|
|
|
|
|
ClientSecurityQos,
|
|
|
|
|
ServerIsRemote,
|
|
|
|
|
SubjectContext->ClientToken ?
|
|
|
|
|
TokenImpersonation : TokenPrimary,
|
|
|
|
|
FALSE,
|
|
|
|
|
SubjectContext->ImpersonationLevel,
|
|
|
|
|
ClientContext);
|
|
|
|
|
|
|
|
|
|
/* Check if we failed or static tracking was used */
|
|
|
|
|
if (!(NT_SUCCESS(Status)) ||
|
|
|
|
|
(ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
|
|
|
|
|
{
|
|
|
|
|
/* Dereference our copy since it's not being used */
|
|
|
|
|
ObDereferenceObject(Token);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Return status */
|
|
|
|
|
return Status;
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2010-10-10 11:31:51 +00:00
|
|
|
* @implemented
|
2008-04-23 20:38:37 +00:00
|
|
|
*/
|
|
|
|
|
NTSTATUS
|
|
|
|
|
NTAPI
|
|
|
|
|
SeImpersonateClientEx(IN PSECURITY_CLIENT_CONTEXT ClientContext,
|
|
|
|
|
IN PETHREAD ServerThread OPTIONAL)
|
|
|
|
|
{
|
2010-10-10 11:31:51 +00:00
|
|
|
BOOLEAN EffectiveOnly;
|
2008-04-23 20:38:37 +00:00
|
|
|
PAGED_CODE();
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Check if direct access is requested */
|
|
|
|
|
if (!ClientContext->DirectlyAccessClientToken)
|
2008-04-23 20:38:37 +00:00
|
|
|
{
|
2012-09-10 08:15:43 +00:00
|
|
|
/* No, so get the flag from QOS */
|
2010-10-10 11:31:51 +00:00
|
|
|
EffectiveOnly = ClientContext->SecurityQos.EffectiveOnly;
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Yes, so see if direct access should be effective only */
|
2010-10-10 11:31:51 +00:00
|
|
|
EffectiveOnly = ClientContext->DirectAccessEffectiveOnly;
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Use the current thread if one was not passed */
|
|
|
|
|
if (!ServerThread) ServerThread = PsGetCurrentThread();
|
2010-05-28 16:28:27 +00:00
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Call the lower layer routine */
|
2010-10-10 11:31:51 +00:00
|
|
|
return PsImpersonateClient(ServerThread,
|
|
|
|
|
ClientContext->ClientToken,
|
|
|
|
|
TRUE,
|
|
|
|
|
EffectiveOnly,
|
|
|
|
|
ClientContext->SecurityQos.ImpersonationLevel);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
|
|
|
|
VOID
|
|
|
|
|
NTAPI
|
|
|
|
|
SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext,
|
|
|
|
|
IN PETHREAD ServerThread OPTIONAL)
|
|
|
|
|
{
|
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
2012-09-10 08:15:43 +00:00
|
|
|
/* Call the new API */
|
|
|
|
|
SeImpersonateClientEx(ClientContext, ServerThread);
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
|
|
|
|
|
2000-04-08 19:10:50 +00:00
|
|
|
/* EOF */
|
