2008-03-09 14:11:42 +00:00
|
|
|
/*
|
2005-01-26 13:58:37 +00:00
|
|
|
* COPYRIGHT: See COPYING in the top level directory
|
|
|
|
|
* PROJECT: ReactOS kernel
|
|
|
|
|
* FILE: ntoskrnl/se/acl.c
|
|
|
|
|
* PURPOSE: Security manager
|
2005-05-09 01:38:29 +00:00
|
|
|
*
|
2005-01-26 13:58:37 +00:00
|
|
|
* PROGRAMMERS: David Welch <welch@cwcom.net>
|
1999-12-26 15:50:53 +00:00
|
|
|
*/
|
|
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
/* INCLUDES *******************************************************************/
|
1999-12-26 15:50:53 +00:00
|
|
|
|
2004-08-15 16:39:12 +00:00
|
|
|
#include <ntoskrnl.h>
|
2008-04-23 20:38:37 +00:00
|
|
|
#define NDEBUG
|
|
|
|
|
#include <debug.h>
|
1999-12-26 15:50:53 +00:00
|
|
|
|
2005-11-28 23:25:31 +00:00
|
|
|
#if defined (ALLOC_PRAGMA)
|
|
|
|
|
#pragma alloc_text(INIT, SepInitDACLs)
|
|
|
|
|
#endif
|
|
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
/* GLOBALS ********************************************************************/
|
2002-02-20 20:16:49 +00:00
|
|
|
|
2005-06-21 23:42:58 +00:00
|
|
|
PACL SePublicDefaultDacl = NULL;
|
|
|
|
|
PACL SeSystemDefaultDacl = NULL;
|
2002-02-20 20:16:49 +00:00
|
|
|
PACL SePublicDefaultUnrestrictedDacl = NULL;
|
|
|
|
|
PACL SePublicOpenDacl = NULL;
|
|
|
|
|
PACL SePublicOpenUnrestrictedDacl = NULL;
|
|
|
|
|
PACL SeUnrestrictedDacl = NULL;
|
|
|
|
|
|
2008-04-23 20:38:37 +00:00
|
|
|
/* FUNCTIONS ******************************************************************/
|
2002-02-20 20:16:49 +00:00
|
|
|
|
2005-09-13 23:28:21 +00:00
|
|
|
BOOLEAN
|
|
|
|
|
INIT_FUNCTION
|
|
|
|
|
NTAPI
|
2002-02-20 20:16:49 +00:00
|
|
|
SepInitDACLs(VOID)
|
|
|
|
|
{
|
2008-04-23 20:38:37 +00:00
|
|
|
ULONG AclLength;
|
|
|
|
|
|
|
|
|
|
/* create PublicDefaultDacl */
|
|
|
|
|
AclLength = sizeof(ACL) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
|
|
|
|
|
|
|
|
|
|
SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
|
|
|
|
|
AclLength,
|
|
|
|
|
TAG_ACL);
|
|
|
|
|
if (SePublicDefaultDacl == NULL)
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
|
|
RtlCreateAcl(SePublicDefaultDacl,
|
|
|
|
|
AclLength,
|
|
|
|
|
ACL_REVISION);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicDefaultDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_EXECUTE,
|
|
|
|
|
SeWorldSid);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicDefaultDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_ALL,
|
|
|
|
|
SeLocalSystemSid);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* create PublicDefaultUnrestrictedDacl */
|
|
|
|
|
AclLength = sizeof(ACL) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
|
|
|
|
|
|
|
|
|
|
SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
|
|
|
|
|
AclLength,
|
|
|
|
|
TAG_ACL);
|
|
|
|
|
if (SePublicDefaultUnrestrictedDacl == NULL)
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
|
|
RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
|
|
|
|
|
AclLength,
|
|
|
|
|
ACL_REVISION);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_EXECUTE,
|
|
|
|
|
SeWorldSid);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_ALL,
|
|
|
|
|
SeLocalSystemSid);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_ALL,
|
|
|
|
|
SeAliasAdminsSid);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
|
|
|
|
|
SeRestrictedCodeSid);
|
|
|
|
|
|
|
|
|
|
/* create PublicOpenDacl */
|
|
|
|
|
AclLength = sizeof(ACL) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
|
|
|
|
|
|
|
|
|
|
SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool,
|
|
|
|
|
AclLength,
|
|
|
|
|
TAG_ACL);
|
|
|
|
|
if (SePublicOpenDacl == NULL)
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
|
|
RtlCreateAcl(SePublicOpenDacl,
|
|
|
|
|
AclLength,
|
|
|
|
|
ACL_REVISION);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicOpenDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
|
|
|
|
|
SeWorldSid);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicOpenDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_ALL,
|
|
|
|
|
SeLocalSystemSid);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicOpenDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_ALL,
|
|
|
|
|
SeAliasAdminsSid);
|
|
|
|
|
|
|
|
|
|
/* create PublicOpenUnrestrictedDacl */
|
|
|
|
|
AclLength = sizeof(ACL) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
|
|
|
|
|
|
|
|
|
|
SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
|
|
|
|
|
AclLength,
|
|
|
|
|
TAG_ACL);
|
|
|
|
|
if (SePublicOpenUnrestrictedDacl == NULL)
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
|
|
RtlCreateAcl(SePublicOpenUnrestrictedDacl,
|
|
|
|
|
AclLength,
|
|
|
|
|
ACL_REVISION);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_ALL,
|
|
|
|
|
SeWorldSid);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_ALL,
|
|
|
|
|
SeLocalSystemSid);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_ALL,
|
|
|
|
|
SeAliasAdminsSid);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_READ | GENERIC_EXECUTE,
|
|
|
|
|
SeRestrictedCodeSid);
|
|
|
|
|
|
|
|
|
|
/* create SystemDefaultDacl */
|
|
|
|
|
AclLength = sizeof(ACL) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
|
|
|
|
|
|
|
|
|
|
SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool,
|
|
|
|
|
AclLength,
|
|
|
|
|
TAG_ACL);
|
|
|
|
|
if (SeSystemDefaultDacl == NULL)
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
|
|
RtlCreateAcl(SeSystemDefaultDacl,
|
|
|
|
|
AclLength,
|
|
|
|
|
ACL_REVISION);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SeSystemDefaultDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_ALL,
|
|
|
|
|
SeLocalSystemSid);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SeSystemDefaultDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
|
|
|
|
|
SeAliasAdminsSid);
|
|
|
|
|
|
|
|
|
|
/* create UnrestrictedDacl */
|
|
|
|
|
AclLength = sizeof(ACL) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
|
|
|
|
|
|
|
|
|
|
SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
|
|
|
|
|
AclLength,
|
|
|
|
|
TAG_ACL);
|
|
|
|
|
if (SeUnrestrictedDacl == NULL)
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
|
|
RtlCreateAcl(SeUnrestrictedDacl,
|
|
|
|
|
AclLength,
|
|
|
|
|
ACL_REVISION);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SeUnrestrictedDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_ALL,
|
|
|
|
|
SeWorldSid);
|
|
|
|
|
|
|
|
|
|
RtlAddAccessAllowedAce(SeUnrestrictedDacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
GENERIC_READ | GENERIC_EXECUTE,
|
|
|
|
|
SeRestrictedCodeSid);
|
|
|
|
|
|
|
|
|
|
return(TRUE);
|
2002-02-20 20:16:49 +00:00
|
|
|
}
|
|
|
|
|
|
2008-11-29 20:47:48 +00:00
|
|
|
NTSTATUS NTAPI
|
2005-05-09 01:38:29 +00:00
|
|
|
SepCreateImpersonationTokenDacl(PTOKEN Token,
|
2005-01-02 23:12:40 +00:00
|
|
|
PTOKEN PrimaryToken,
|
2004-12-10 16:50:38 +00:00
|
|
|
PACL *Dacl)
|
|
|
|
|
{
|
2008-04-23 20:38:37 +00:00
|
|
|
ULONG AclLength;
|
|
|
|
|
PVOID TokenDacl;
|
|
|
|
|
|
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
|
|
AclLength = sizeof(ACL) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
|
|
|
|
|
(sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
|
|
|
|
|
|
|
|
|
|
TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
|
|
|
|
|
if (TokenDacl == NULL)
|
2004-12-10 16:50:38 +00:00
|
|
|
{
|
2008-04-23 20:38:37 +00:00
|
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
2004-12-10 16:50:38 +00:00
|
|
|
}
|
2008-04-23 20:38:37 +00:00
|
|
|
|
|
|
|
|
RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
|
|
|
|
|
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
|
|
|
|
|
Token->UserAndGroups->Sid);
|
|
|
|
|
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
|
|
|
|
|
PrimaryToken->UserAndGroups->Sid);
|
|
|
|
|
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
|
|
|
|
|
SeAliasAdminsSid);
|
|
|
|
|
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
|
|
|
|
|
SeLocalSystemSid);
|
|
|
|
|
|
|
|
|
|
/* FIXME */
|
2004-12-10 16:50:38 +00:00
|
|
|
#if 0
|
2008-04-23 20:38:37 +00:00
|
|
|
if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
|
2004-12-10 16:50:38 +00:00
|
|
|
{
|
2008-04-23 20:38:37 +00:00
|
|
|
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
|
|
|
|
|
SeRestrictedCodeSid);
|
2004-12-10 16:50:38 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
2008-04-23 20:38:37 +00:00
|
|
|
|
|
|
|
|
return STATUS_SUCCESS;
|
2004-12-10 16:50:38 +00:00
|
|
|
}
|
|
|
|
|
|
2005-03-12 22:16:02 +00:00
|
|
|
NTSTATUS
|
2005-09-13 23:28:21 +00:00
|
|
|
NTAPI
|
2005-03-12 22:16:02 +00:00
|
|
|
SepCaptureAcl(IN PACL InputAcl,
|
|
|
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
|
|
|
IN POOL_TYPE PoolType,
|
|
|
|
|
IN BOOLEAN CaptureIfKernel,
|
|
|
|
|
OUT PACL *CapturedAcl)
|
|
|
|
|
{
|
2008-04-23 20:38:37 +00:00
|
|
|
PACL NewAcl;
|
|
|
|
|
ULONG AclSize = 0;
|
|
|
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
|
|
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
2009-08-26 17:31:02 +00:00
|
|
|
if (AccessMode != KernelMode)
|
2005-03-12 22:16:02 +00:00
|
|
|
{
|
2008-11-24 13:40:26 +00:00
|
|
|
_SEH2_TRY
|
2005-03-12 22:16:02 +00:00
|
|
|
{
|
2008-04-23 20:38:37 +00:00
|
|
|
ProbeForRead(InputAcl,
|
|
|
|
|
sizeof(ACL),
|
|
|
|
|
sizeof(ULONG));
|
|
|
|
|
AclSize = InputAcl->AclSize;
|
|
|
|
|
ProbeForRead(InputAcl,
|
|
|
|
|
AclSize,
|
|
|
|
|
sizeof(ULONG));
|
2005-03-12 22:16:02 +00:00
|
|
|
}
|
2008-11-24 13:40:26 +00:00
|
|
|
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
2005-03-12 22:16:02 +00:00
|
|
|
{
|
2009-08-26 17:31:02 +00:00
|
|
|
/* Return the exception code */
|
|
|
|
|
_SEH2_YIELD(return _SEH2_GetExceptionCode());
|
2005-03-12 22:16:02 +00:00
|
|
|
}
|
2008-11-24 13:40:26 +00:00
|
|
|
_SEH2_END;
|
2008-04-23 20:38:37 +00:00
|
|
|
|
2009-08-26 17:31:02 +00:00
|
|
|
NewAcl = ExAllocatePool(PoolType,
|
|
|
|
|
AclSize);
|
|
|
|
|
if(NewAcl != NULL)
|
2008-04-23 20:38:37 +00:00
|
|
|
{
|
2009-08-26 17:31:02 +00:00
|
|
|
_SEH2_TRY
|
2008-04-23 20:38:37 +00:00
|
|
|
{
|
2009-08-26 17:31:02 +00:00
|
|
|
RtlCopyMemory(NewAcl,
|
|
|
|
|
InputAcl,
|
|
|
|
|
AclSize);
|
|
|
|
|
|
|
|
|
|
*CapturedAcl = NewAcl;
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
2009-08-26 17:31:02 +00:00
|
|
|
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
2008-04-23 20:38:37 +00:00
|
|
|
{
|
2009-08-26 17:31:02 +00:00
|
|
|
/* Free the ACL and return the exception code */
|
|
|
|
|
ExFreePool(NewAcl);
|
|
|
|
|
_SEH2_YIELD(return _SEH2_GetExceptionCode());
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
2009-08-26 17:31:02 +00:00
|
|
|
_SEH2_END;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
2008-04-23 20:38:37 +00:00
|
|
|
}
|
2005-03-12 22:16:02 +00:00
|
|
|
}
|
2008-04-23 20:38:37 +00:00
|
|
|
else if(!CaptureIfKernel)
|
2005-03-12 22:16:02 +00:00
|
|
|
{
|
2008-04-23 20:38:37 +00:00
|
|
|
*CapturedAcl = InputAcl;
|
2005-03-12 22:16:02 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2008-04-23 20:38:37 +00:00
|
|
|
AclSize = InputAcl->AclSize;
|
|
|
|
|
|
|
|
|
|
NewAcl = ExAllocatePool(PoolType,
|
|
|
|
|
AclSize);
|
|
|
|
|
|
|
|
|
|
if(NewAcl != NULL)
|
|
|
|
|
{
|
|
|
|
|
RtlCopyMemory(NewAcl,
|
|
|
|
|
InputAcl,
|
|
|
|
|
AclSize);
|
|
|
|
|
|
|
|
|
|
*CapturedAcl = NewAcl;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
|
|
|
}
|
2005-03-12 22:16:02 +00:00
|
|
|
}
|
2008-04-23 20:38:37 +00:00
|
|
|
|
|
|
|
|
return Status;
|
2005-03-12 22:16:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
VOID
|
2005-09-13 23:28:21 +00:00
|
|
|
NTAPI
|
2005-03-12 22:16:02 +00:00
|
|
|
SepReleaseAcl(IN PACL CapturedAcl,
|
|
|
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
|
|
|
IN BOOLEAN CaptureIfKernel)
|
|
|
|
|
{
|
2008-04-23 20:38:37 +00:00
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
|
|
if(CapturedAcl != NULL &&
|
|
|
|
|
(AccessMode != KernelMode ||
|
|
|
|
|
(AccessMode == KernelMode && CaptureIfKernel)))
|
|
|
|
|
{
|
|
|
|
|
ExFreePool(CapturedAcl);
|
|
|
|
|
}
|
2005-03-12 22:16:02 +00:00
|
|
|
}
|
|
|
|
|
|
1999-12-26 17:22:19 +00:00
|
|
|
/* EOF */
|
