- Refactor SeCaptureSubjectContext into SeCaptureSubjectContextEx and SeCreateAccessState into SeCreateAccessStateEx. The *Ex routines allow specifying a custom process/thread which isn't the current one. This is useful when creating a new process or thread since we're not actually in it.

- Implemented a few more of the security calls in PspCreateProcess as seen in WI II. We now create an AccessState.
- Also write the PID in the ObjectTable.

svn path=/trunk/; revision=23236
This commit is contained in:
Alex Ionescu 2006-07-23 08:20:57 +00:00
parent a92eec4397
commit 1223ca9cab
5 changed files with 138 additions and 45 deletions


@ -129,6 +129,17 @@ SeSubProcessToken(
IN ULONG SessionId IN ULONG SessionId
); );
NTSTATUS
NTAPI
SeCreateAccessStateEx(
IN PETHREAD Thread,
IN PEPROCESS Process,
IN OUT PACCESS_STATE AccessState,
IN PAUX_DATA AuxData,
IN ACCESS_MASK Access,
IN PGENERIC_MAPPING GenericMapping
);
NTSTATUS NTSTATUS
NTAPI NTAPI
SeIsTokenChild( SeIsTokenChild(
@ -160,6 +171,10 @@ VOID
NTAPI NTAPI
SeAuditProcessExit(IN PEPROCESS Process); SeAuditProcessExit(IN PEPROCESS Process);
VOID
NTAPI
SeAuditProcessCreate(IN PEPROCESS Process);
NTSTATUS NTSTATUS
NTAPI NTAPI
SeExchangePrimaryToken( SeExchangePrimaryToken(
@ -168,6 +183,14 @@ SeExchangePrimaryToken(
PACCESS_TOKEN* OldTokenP PACCESS_TOKEN* OldTokenP
); );
VOID
NTAPI
SeCaptureSubjectContextEx(
IN PETHREAD Thread,
IN PEPROCESS Process,
OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
);
NTSTATUS NTSTATUS
NTAPI NTAPI
SeCaptureLuidAndAttributesArray( SeCaptureLuidAndAttributesArray(
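Review bot: The new `SeCaptureSubjectContextEx` and `SeCreateAccessStateEx` prototypes carry no comment on what callers may pass, and the implementations in this commit treat the two arguments differently: a NULL `Thread` is accepted (no client token is referenced) while a NULL `Process` makes the capture return early without filling anything in. A comment above each prototype, e.g. `/* Thread may be NULL (no impersonation token); Process must be non-NULL. */`, would stop future callers from depending on that undocumented early return. The declarations otherwise follow the surrounding NTAPI/IN/OUT style, so only the documentation is missing.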


@ -368,6 +368,9 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
PETHREAD CurrentThread; PETHREAD CurrentThread;
PEPROCESS CurrentProcess; PEPROCESS CurrentProcess;
ULONG MinWs, MaxWs; ULONG MinWs, MaxWs;
ACCESS_STATE LocalAccessState;
PACCESS_STATE AccessState = &LocalAccessState;
AUX_DATA AuxData;
PAGED_CODE(); PAGED_CODE();
DirectoryTableBase.QuadPart = 0; DirectoryTableBase.QuadPart = 0;
@ -633,7 +636,19 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
goto CleanupWithRef; goto CleanupWithRef;
} }
/* FIXME: Insert into Job Object */ /* Set the handle table PID */
Process->ObjectTable->UniqueProcessId = Process->UniqueProcessId;
/* Check if we need to audit */
if (SeDetailedAuditingWithToken(NULL)) SeAuditProcessCreate(Process);
/* Check if the parent had a job */
if ((Parent) && (Parent->Job))
{
/* FIXME: We need to insert this process */
DPRINT1("Jobs not yet supported\n");
KEBUGCHECK(0);
}
/* Create PEB only for User-Mode Processes */ /* Create PEB only for User-Mode Processes */
if (Parent) if (Parent)
@ -647,15 +662,29 @@ PspCreateProcess(OUT PHANDLE ProcessHandle,
InsertTailList(&PsActiveProcessHead, &Process->ActiveProcessLinks); InsertTailList(&PsActiveProcessHead, &Process->ActiveProcessLinks);
KeReleaseGuardedMutex(&PspActiveProcessMutex); KeReleaseGuardedMutex(&PspActiveProcessMutex);
/* FIXME: SeCreateAccessStateEx */ /* Create an access state */
Status = SeCreateAccessStateEx(CurrentThread,
((Parent) &&
(Parent == PsInitialSystemProcess)) ?
Parent : CurrentProcess,
&LocalAccessState,
&AuxData,
DesiredAccess,
&PsProcessType->TypeInfo.GenericMapping);
if (!NT_SUCCESS(Status)) goto CleanupWithRef;
/* Insert the Process into the Object Directory */ /* Insert the Process into the Object Directory */
Status = ObInsertObject(Process, Status = ObInsertObject(Process,
NULL, AccessState,
DesiredAccess, DesiredAccess,
1, 1,
(PVOID*)&Process, (PVOID*)&Process,
&hProcess); &hProcess);
/* Free the access state */
if (AccessState) SeDeleteAccessState(AccessState);
/* Cleanup on failure */
if (!NT_SUCCESS(Status)) goto Cleanup; if (!NT_SUCCESS(Status)) goto Cleanup;
/* FIXME: Compute Quantum and Priority */ /* FIXME: Compute Quantum and Priority */
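Review bot: The new job check bugchecks the machine with `KEBUGCHECK(0)` whenever `Parent->Job` is set, and PspCreateProcess sits on the user-mode process-creation path, so as soon as anything can place a process in a job this becomes an unprivileged kernel denial of service instead of a failed call; nothing in this hunk sets Job, so it is probably unreachable today. Prefer failing the creation, `Status = STATUS_NOT_IMPLEMENTED; goto CleanupWithRef;`, in place of the bugcheck while keeping the DPRINT1. Separately, the `if (AccessState)` guard before `SeDeleteAccessState` is always true, because AccessState is initialized to `&LocalAccessState` and never reassigned. PspCreateProcess begins and ends outside this hunk.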


@ -14,24 +14,19 @@
#define NDEBUG #define NDEBUG
#include <internal/debug.h> #include <internal/debug.h>
#define GENERIC_ACCESS (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | \
GENERIC_ALL)
/* FUNCTIONS ***************************************************************/ /* FUNCTIONS ***************************************************************/
/*
* @implemented
*/
NTSTATUS NTSTATUS
STDCALL NTAPI
SeCreateAccessState(PACCESS_STATE AccessState, SeCreateAccessStateEx(IN PETHREAD Thread,
PAUX_DATA AuxData, IN PEPROCESS Process,
ACCESS_MASK Access, IN OUT PACCESS_STATE AccessState,
PGENERIC_MAPPING GenericMapping) IN PAUX_DATA AuxData,
IN ACCESS_MASK Access,
IN PGENERIC_MAPPING GenericMapping)
{ {
ACCESS_MASK AccessMask = Access; ACCESS_MASK AccessMask = Access;
PTOKEN Token; PTOKEN Token;
PAGED_CODE(); PAGED_CODE();
/* Map the Generic Acess to Specific Access if we have a Mapping */ /* Map the Generic Acess to Specific Access if we have a Mapping */
@ -44,7 +39,9 @@ SeCreateAccessState(PACCESS_STATE AccessState,
RtlZeroMemory(AccessState, sizeof(ACCESS_STATE)); RtlZeroMemory(AccessState, sizeof(ACCESS_STATE));
/* Capture the Subject Context */ /* Capture the Subject Context */
SeCaptureSubjectContext(&AccessState->SubjectSecurityContext); SeCaptureSubjectContextEx(Thread,
Process,
&AccessState->SubjectSecurityContext);
/* Set Access State Data */ /* Set Access State Data */
AccessState->AuxData = AuxData; AccessState->AuxData = AuxData;
@ -74,6 +71,27 @@ SeCreateAccessState(PACCESS_STATE AccessState,
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
/*
* @implemented
*/
NTSTATUS
STDCALL
SeCreateAccessState(IN OUT PACCESS_STATE AccessState,
IN PAUX_DATA AuxData,
IN ACCESS_MASK Access,
IN PGENERIC_MAPPING GenericMapping)
{
PAGED_CODE();
/* Call the internal API */
return SeCreateAccessStateEx(PsGetCurrentThread(),
PsGetCurrentProcess(),
AccessState,
AuxData,
Access,
GenericMapping);
}
/* /*
* @implemented * @implemented
*/ */
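Review bot: SeCreateAccessStateEx hands `Process` straight to SeCaptureSubjectContextEx, which in this commit returns early on a NULL process without referencing any token, so the freshly zeroed `SubjectSecurityContext` would reach the token-using code after this hunk with `PrimaryToken == NULL` and nothing here rejects that case. An explicit guard at the top, `if (!Process) return STATUS_INVALID_PARAMETER;`, makes the contract visible instead of relying on the callee's hack. The new routine also has no header comment, unlike the `@implemented` wrapper added below it; a short one stating that `Thread` may be NULL (no client token) while `Process` must not be would help. The body of SeCreateAccessStateEx continues past the end of the hunk.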


@ -23,6 +23,13 @@ SeDetailedAuditingWithToken(IN PTOKEN Token)
return FALSE; return FALSE;
} }
VOID
NTAPI
SeAuditProcessCreate(IN PEPROCESS Process)
{
/* FIXME */
}
VOID VOID
NTAPI NTAPI
SeAuditProcessExit(IN PEPROCESS Process) SeAuditProcessExit(IN PEPROCESS Process)
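Review bot: SeAuditProcessCreate is now called from PspCreateProcess yet silently does nothing, so anyone reading the caller will assume process-creation events are recorded when no audit record is ever produced. The bare `/* FIXME */` should say so explicitly, e.g. `/* FIXME: process-creation auditing is not implemented; no audit record is generated. */`, so the gap is visible to whoever relies on the audit trail. The `Process` argument is also unused; marking it as such (the project's usual unreferenced-parameter macro, if available) would keep warnings quiet once the stub is built with them on.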


@ -416,36 +416,52 @@ SeDefaultObjectMethod(PVOID Object,
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
/* VOID
* @implemented NTAPI
*/ SeCaptureSubjectContextEx(IN PETHREAD Thread,
VOID STDCALL IN PEPROCESS Process,
SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext) OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
{ {
PETHREAD Thread; BOOLEAN CopyOnOpen, EffectiveOnly;
BOOLEAN CopyOnOpen;
BOOLEAN EffectiveOnly;
PAGED_CODE(); PAGED_CODE();
Thread = PsGetCurrentThread(); /* ROS HACK */
if (Thread == NULL) if (!Process) return;
/* Save the unique ID */
SubjectContext->ProcessAuditId = Process->UniqueProcessId;
/* Check if we have a thread */
if (!Thread)
{ {
SubjectContext->ProcessAuditId = 0; /* We don't, so no token */
SubjectContext->PrimaryToken = NULL;
SubjectContext->ClientToken = NULL; SubjectContext->ClientToken = NULL;
SubjectContext->ImpersonationLevel = 0;
} }
else else
{ {
SubjectContext->ProcessAuditId = Thread->ThreadsProcess; /* Get the impersonation token */
SubjectContext->ClientToken = SubjectContext->ClientToken =
PsReferenceImpersonationToken(Thread, PsReferenceImpersonationToken(Thread,
&CopyOnOpen, &CopyOnOpen,
&EffectiveOnly, &EffectiveOnly,
&SubjectContext->ImpersonationLevel); &SubjectContext->ImpersonationLevel);
SubjectContext->PrimaryToken = PsReferencePrimaryToken(Thread->ThreadsProcess);
} }
/* Get the primary token */
SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
}
/*
* @implemented
*/
VOID
NTAPI
SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
/* Call the internal API */
SeCaptureSubjectContextEx(PsGetCurrentThread(),
PsGetCurrentProcess(),
SubjectContext);
} }
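Review bot: The `/* ROS HACK */` early return in SeCaptureSubjectContextEx leaves the OUT structure completely unwritten when `Process` is NULL, so a caller that did not pre-zero it (the SeCreateAccessStateEx path does, the plain SeCaptureSubjectContext wrapper does not) would later hand uninitialized `PrimaryToken`/`ClientToken` pointers to the release routine. On the no-thread branch `ImpersonationLevel` also appears to be left untouched, whereas the removed code zeroed it. Both are covered by zeroing the output first, `RtlZeroMemory(SubjectContext, sizeof(SECURITY_SUBJECT_CONTEXT));` as the first statement after `PAGED_CODE()`, and the hack comment should state why a NULL process is tolerated at all.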