Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-06-29 01:12:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Reformat Se code and put functions to more appropriate locations.

Browse source 
svn path=/trunk/; revision=33129
This commit is contained in:
Aleksey Bragin 2008-04-23 20:38:37 +00:00
parent c72bfe8de2
commit 9dc0da2dea
13 changed files with 4886 additions and 5090 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

89
reactos/ntoskrnl/ex/uuid.c
View file

@ -40,8 +40,8 @@ static BOOLEAN UuidSequenceInitialized = FALSE;
static BOOLEAN UuidSequenceChanged = FALSE; static BOOLEAN UuidSequenceChanged = FALSE;
static UCHAR UuidSeed[SEED_BUFFER_SIZE]; static UCHAR UuidSeed[SEED_BUFFER_SIZE];
static ULONG UuidCount; static ULONG UuidCount;
static LARGE_INTEGER LuidIncrement;
static LARGE_INTEGER LuidValue;
/* FUNCTIONS ****************************************************************/ /* FUNCTIONS ****************************************************************/
@ -214,6 +214,91 @@ ExpCreateUuids(PULARGE_INTEGER Time,
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
VOID
INIT_FUNCTION
NTAPI
ExpInitLuid(VOID)
{
LUID DummyLuidValue = SYSTEM_LUID;
LuidValue.u.HighPart = DummyLuidValue.HighPart;
LuidValue.u.LowPart = DummyLuidValue.LowPart;
LuidIncrement.QuadPart = 1;
}
NTSTATUS
NTAPI
ExpAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
{
LARGE_INTEGER NewLuid, PrevLuid;
/* atomically increment the luid */
do
{
PrevLuid = LuidValue;
NewLuid = RtlLargeIntegerAdd(PrevLuid,
LuidIncrement);
} while(ExfInterlockedCompareExchange64(&LuidValue.QuadPart,
&NewLuid.QuadPart,
&PrevLuid.QuadPart) != PrevLuid.QuadPart);
LocallyUniqueId->LowPart = NewLuid.u.LowPart;
LocallyUniqueId->HighPart = NewLuid.u.HighPart;
return STATUS_SUCCESS;
}
/*
* @implemented
*/
NTSTATUS STDCALL
NtAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
{
LUID NewLuid;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE();
PreviousMode = ExGetPreviousMode();
if(PreviousMode != KernelMode)
{
_SEH_TRY
{
ProbeForWrite(LocallyUniqueId,
sizeof(LUID),
sizeof(ULONG));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
return Status;
}
}
Status = ExpAllocateLocallyUniqueId(&NewLuid);
_SEH_TRY
{
*LocallyUniqueId = NewLuid;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
return Status;
}
/* /*
* @unimplemented * @unimplemented
*/ */

11
reactos/ntoskrnl/include/internal/se.h
View file

@ -94,7 +94,7 @@ SeInitSRM(VOID);
VOID VOID
NTAPI NTAPI
SepInitLuid(VOID); ExpInitLuid(VOID);
VOID VOID
NTAPI NTAPI
@ -315,6 +315,15 @@ SeSetWorldSecurityDescriptor(
PULONG BufferLength PULONG BufferLength
); );
NTSTATUS
STDCALL
SeCopyClientToken(
IN PACCESS_TOKEN Token,
IN SECURITY_IMPERSONATION_LEVEL Level,
IN KPROCESSOR_MODE PreviousMode,
OUT PACCESS_TOKEN* NewToken
);
#define SepAcquireTokenLockExclusive(Token) \ #define SepAcquireTokenLockExclusive(Token) \
do { \ do { \
KeEnterCriticalRegion(); \ KeEnterCriticalRegion(); \

1
reactos/ntoskrnl/ntoskrnl-generic.rbuild
View file

@ -425,7 +425,6 @@
<file>acl.c</file> <file>acl.c</file>
<file>audit.c</file> <file>audit.c</file>
<file>lsa.c</file> <file>lsa.c</file>
<file>luid.c</file>
<file>priv.c</file> <file>priv.c</file>
<file>sd.c</file> <file>sd.c</file>
<file>semgr.c</file> <file>semgr.c</file>

245
reactos/ntoskrnl/se/access.c
View file

@ -8,14 +8,114 @@
* Based on patch by Javier M. Mellid * Based on patch by Javier M. Mellid
*/ */
/* INCLUDES *****************************************************************/ /* INCLUDES *******************************************************************/
#include <ntoskrnl.h> #include <ntoskrnl.h>
#define NDEBUG #define NDEBUG
#include <internal/debug.h> #include <debug.h>
/* FUNCTIONS ***************************************************************/ /* GLOBALS ********************************************************************/
ERESOURCE SepSubjectContextLock;
/* FUNCTIONS ******************************************************************/
/*
* @implemented
*/
VOID
NTAPI
SeCaptureSubjectContextEx(IN PETHREAD Thread,
IN PEPROCESS Process,
OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
BOOLEAN CopyOnOpen, EffectiveOnly;
PAGED_CODE();
/* Save the unique ID */
SubjectContext->ProcessAuditId = Process->UniqueProcessId;
/* Check if we have a thread */
if (!Thread)
{
/* We don't, so no token */
SubjectContext->ClientToken = NULL;
}
else
{
/* Get the impersonation token */
SubjectContext->ClientToken = PsReferenceImpersonationToken(Thread,
&CopyOnOpen,
&EffectiveOnly,
&SubjectContext->ImpersonationLevel);
}
/* Get the primary token */
SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
}
/*
* @implemented
*/
VOID
NTAPI
SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
/* Call the extended API */
SeCaptureSubjectContextEx(PsGetCurrentThread(),
PsGetCurrentProcess(),
SubjectContext);
}
/*
* @implemented
*/
VOID
NTAPI
SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
PAGED_CODE();
KeEnterCriticalRegion();
ExAcquireResourceExclusiveLite(&SepSubjectContextLock, TRUE);
}
/*
* @implemented
*/
VOID
NTAPI
SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
PAGED_CODE();
ExReleaseResourceLite(&SepSubjectContextLock);
KeLeaveCriticalRegion();
}
/*
* @implemented
*/
VOID
NTAPI
SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
PAGED_CODE();
if (SubjectContext->PrimaryToken != NULL)
{
ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
}
if (SubjectContext->ClientToken != NULL)
{
ObDereferenceObject(SubjectContext->ClientToken);
}
}
/*
* @implemented
*/
NTSTATUS NTSTATUS
NTAPI NTAPI
SeCreateAccessStateEx(IN PETHREAD Thread, SeCreateAccessStateEx(IN PETHREAD Thread,
@ -83,7 +183,7 @@ SeCreateAccessState(IN OUT PACCESS_STATE AccessState,
{ {
PAGED_CODE(); PAGED_CODE();
/* Call the internal API */ /* Call the extended API */
return SeCreateAccessStateEx(PsGetCurrentThread(), return SeCreateAccessStateEx(PsGetCurrentThread(),
PsGetCurrentProcess(), PsGetCurrentProcess(),
AccessState, AccessState,
@ -127,8 +227,8 @@ SeDeleteAccessState(IN PACCESS_STATE AccessState)
*/ */
VOID VOID
STDCALL STDCALL
SeSetAccessStateGenericMapping(PACCESS_STATE AccessState, SeSetAccessStateGenericMapping(IN PACCESS_STATE AccessState,
PGENERIC_MAPPING GenericMapping) IN PGENERIC_MAPPING GenericMapping)
{ {
PAGED_CODE(); PAGED_CODE();
@ -136,4 +236,137 @@ SeSetAccessStateGenericMapping(PACCESS_STATE AccessState,
((PAUX_DATA)AccessState->AuxData)->GenericMapping = *GenericMapping; ((PAUX_DATA)AccessState->AuxData)->GenericMapping = *GenericMapping;
} }
/*
* @implemented
*/
NTSTATUS
NTAPI
SeCreateClientSecurity(IN PETHREAD Thread,
IN PSECURITY_QUALITY_OF_SERVICE Qos,
IN BOOLEAN RemoteClient,
OUT PSECURITY_CLIENT_CONTEXT ClientContext)
{
TOKEN_TYPE TokenType;
BOOLEAN ThreadEffectiveOnly;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
PACCESS_TOKEN Token;
NTSTATUS Status;
PACCESS_TOKEN NewToken;
PAGED_CODE();
Token = PsReferenceEffectiveToken(Thread,
&TokenType,
&ThreadEffectiveOnly,
&ImpersonationLevel);
if (TokenType != TokenImpersonation)
{
ClientContext->DirectAccessEffectiveOnly = Qos->EffectiveOnly;
}
else
{
if (Qos->ImpersonationLevel > ImpersonationLevel)
{
if (Token) ObDereferenceObject(Token);
return STATUS_BAD_IMPERSONATION_LEVEL;
}
if ((ImpersonationLevel == SecurityAnonymous) ||
(ImpersonationLevel == SecurityIdentification) ||
((RemoteClient) && (ImpersonationLevel != SecurityDelegation)))
{
if (Token) ObDereferenceObject(Token);
return STATUS_BAD_IMPERSONATION_LEVEL;
}
ClientContext->DirectAccessEffectiveOnly = ((ThreadEffectiveOnly) ||
(Qos->EffectiveOnly)) ?
TRUE : FALSE;
}
if (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
{
ClientContext->DirectlyAccessClientToken = FALSE;
Status = SeCopyClientToken(Token, ImpersonationLevel, 0, &NewToken);
if (!NT_SUCCESS(Status)) return Status;
}
else
{
ClientContext->DirectlyAccessClientToken = TRUE;
if (RemoteClient != FALSE)
{
#if 0
SeGetTokenControlInformation(Token,
&ClientContext->ClientTokenControl);
#endif
}
NewToken = Token;
}
ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
ClientContext->SecurityQos.ImpersonationLevel = Qos->ImpersonationLevel;
ClientContext->SecurityQos.ContextTrackingMode = Qos->ContextTrackingMode;
ClientContext->SecurityQos.EffectiveOnly = Qos->EffectiveOnly;
ClientContext->ServerIsRemote = RemoteClient;
ClientContext->ClientToken = NewToken;
return STATUS_SUCCESS;
}
/*
* @unimplemented
*/
NTSTATUS
NTAPI
SeCreateClientSecurityFromSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
IN BOOLEAN ServerIsRemote,
OUT PSECURITY_CLIENT_CONTEXT ClientContext)
{
UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED;
}
/*
* @unimplemented
*/
NTSTATUS
NTAPI
SeImpersonateClientEx(IN PSECURITY_CLIENT_CONTEXT ClientContext,
IN PETHREAD ServerThread OPTIONAL)
{
UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED;
}
/*
* @implemented
*/
VOID
NTAPI
SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext,
IN PETHREAD ServerThread OPTIONAL)
{
UCHAR b;
PAGED_CODE();
if (ClientContext->DirectlyAccessClientToken == FALSE)
{
b = ClientContext->SecurityQos.EffectiveOnly;
}
else
{
b = ClientContext->DirectAccessEffectiveOnly;
}
if (ServerThread == NULL)
{
ServerThread = PsGetCurrentThread();
}
PsImpersonateClient(ServerThread,
ClientContext->ClientToken,
1,
b,
ClientContext->SecurityQos.ImpersonationLevel);
}
/* EOF */ /* EOF */

586
reactos/ntoskrnl/se/acl.c
View file

@ -7,218 +7,216 @@
* PROGRAMMERS: David Welch <welch@cwcom.net> * PROGRAMMERS: David Welch <welch@cwcom.net>
*/ */
/* INCLUDES *****************************************************************/ /* INCLUDES *******************************************************************/
#include <ntoskrnl.h> #include <ntoskrnl.h>
#include <internal/debug.h> #define NDEBUG
#include <debug.h>
#if defined (ALLOC_PRAGMA) #if defined (ALLOC_PRAGMA)
#pragma alloc_text(INIT, SepInitDACLs) #pragma alloc_text(INIT, SepInitDACLs)
#endif #endif
/* GLOBALS ********************************************************************/
/* GLOBALS ******************************************************************/
PACL SePublicDefaultDacl = NULL; PACL SePublicDefaultDacl = NULL;
PACL SeSystemDefaultDacl = NULL; PACL SeSystemDefaultDacl = NULL;
PACL SePublicDefaultUnrestrictedDacl = NULL; PACL SePublicDefaultUnrestrictedDacl = NULL;
PACL SePublicOpenDacl = NULL; PACL SePublicOpenDacl = NULL;
PACL SePublicOpenUnrestrictedDacl = NULL; PACL SePublicOpenUnrestrictedDacl = NULL;
PACL SeUnrestrictedDacl = NULL; PACL SeUnrestrictedDacl = NULL;
/* FUNCTIONS ******************************************************************/
/* FUNCTIONS ****************************************************************/
BOOLEAN BOOLEAN
INIT_FUNCTION INIT_FUNCTION
NTAPI NTAPI
SepInitDACLs(VOID) SepInitDACLs(VOID)
{ {
ULONG AclLength; ULONG AclLength;
/* create PublicDefaultDacl */ /* create PublicDefaultDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)); (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool, SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SePublicDefaultDacl == NULL) if (SePublicDefaultDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SePublicDefaultDacl, RtlCreateAcl(SePublicDefaultDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SePublicDefaultDacl, RtlAddAccessAllowedAce(SePublicDefaultDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_EXECUTE, GENERIC_EXECUTE,
SeWorldSid); SeWorldSid);
RtlAddAccessAllowedAce(SePublicDefaultDacl, RtlAddAccessAllowedAce(SePublicDefaultDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
/* create PublicDefaultUnrestrictedDacl */ /* create PublicDefaultUnrestrictedDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SePublicDefaultUnrestrictedDacl == NULL) if (SePublicDefaultUnrestrictedDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SePublicDefaultUnrestrictedDacl, RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_EXECUTE, GENERIC_EXECUTE,
SeWorldSid); SeWorldSid);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeAliasAdminsSid); SeAliasAdminsSid);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL, GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
SeRestrictedCodeSid); SeRestrictedCodeSid);
/* create PublicOpenDacl */ /* create PublicOpenDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)); (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool, SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SePublicOpenDacl == NULL) if (SePublicOpenDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SePublicOpenDacl, RtlCreateAcl(SePublicOpenDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SePublicOpenDacl, RtlAddAccessAllowedAce(SePublicOpenDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE, GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
SeWorldSid); SeWorldSid);
RtlAddAccessAllowedAce(SePublicOpenDacl, RtlAddAccessAllowedAce(SePublicOpenDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
RtlAddAccessAllowedAce(SePublicOpenDacl, RtlAddAccessAllowedAce(SePublicOpenDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeAliasAdminsSid); SeAliasAdminsSid);
/* create PublicOpenUnrestrictedDacl */ /* create PublicOpenUnrestrictedDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SePublicOpenUnrestrictedDacl == NULL) if (SePublicOpenUnrestrictedDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SePublicOpenUnrestrictedDacl, RtlCreateAcl(SePublicOpenUnrestrictedDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeWorldSid); SeWorldSid);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeAliasAdminsSid); SeAliasAdminsSid);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE, GENERIC_READ | GENERIC_EXECUTE,
SeRestrictedCodeSid); SeRestrictedCodeSid);
/* create SystemDefaultDacl */ /* create SystemDefaultDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)); (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool, SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SeSystemDefaultDacl == NULL) if (SeSystemDefaultDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SeSystemDefaultDacl, RtlCreateAcl(SeSystemDefaultDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SeSystemDefaultDacl, RtlAddAccessAllowedAce(SeSystemDefaultDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
RtlAddAccessAllowedAce(SeSystemDefaultDacl, RtlAddAccessAllowedAce(SeSystemDefaultDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL, GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
SeAliasAdminsSid); SeAliasAdminsSid);
/* create UnrestrictedDacl */ /* create UnrestrictedDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SeUnrestrictedDacl == NULL) if (SeUnrestrictedDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SeUnrestrictedDacl, RtlCreateAcl(SeUnrestrictedDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SeUnrestrictedDacl, RtlAddAccessAllowedAce(SeUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeWorldSid); SeWorldSid);
RtlAddAccessAllowedAce(SeUnrestrictedDacl, RtlAddAccessAllowedAce(SeUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE, GENERIC_READ | GENERIC_EXECUTE,
SeRestrictedCodeSid); SeRestrictedCodeSid);
return(TRUE); return(TRUE);
} }
NTSTATUS STDCALL NTSTATUS STDCALL
@ -226,44 +224,44 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
PTOKEN PrimaryToken, PTOKEN PrimaryToken,
PACL *Dacl) PACL *Dacl)
{ {
ULONG AclLength; ULONG AclLength;
PVOID TokenDacl; PVOID TokenDacl;
PAGED_CODE(); PAGED_CODE();
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) + (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) + (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
(sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid)); (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL); TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
if (TokenDacl == NULL) if (TokenDacl == NULL)
{ {
return STATUS_INSUFFICIENT_RESOURCES; return STATUS_INSUFFICIENT_RESOURCES;
} }
RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION); RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
Token->UserAndGroups->Sid); Token->UserAndGroups->Sid);
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
PrimaryToken->UserAndGroups->Sid); PrimaryToken->UserAndGroups->Sid);
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
SeAliasAdminsSid); SeAliasAdminsSid);
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
/* FIXME */ /* FIXME */
#if 0 #if 0
if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL) if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
{ {
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
SeRestrictedCodeSid); SeRestrictedCodeSid);
} }
#endif #endif
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
NTSTATUS NTSTATUS
@ -274,83 +272,83 @@ SepCaptureAcl(IN PACL InputAcl,
IN BOOLEAN CaptureIfKernel, IN BOOLEAN CaptureIfKernel,
OUT PACL *CapturedAcl) OUT PACL *CapturedAcl)
{ {
PACL NewAcl; PACL NewAcl;
ULONG AclSize = 0; ULONG AclSize = 0;
NTSTATUS Status = STATUS_SUCCESS; NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE(); PAGED_CODE();
if(AccessMode != KernelMode) if(AccessMode != KernelMode)
{
_SEH_TRY
{ {
ProbeForRead(InputAcl,
sizeof(ACL),
sizeof(ULONG));
AclSize = InputAcl->AclSize;
ProbeForRead(InputAcl,
AclSize,
sizeof(ULONG));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(NT_SUCCESS(Status))
{
NewAcl = ExAllocatePool(PoolType,
AclSize);
if(NewAcl != NULL)
{
_SEH_TRY _SEH_TRY
{ {
RtlCopyMemory(NewAcl, ProbeForRead(InputAcl,
InputAcl, sizeof(ACL),
AclSize); sizeof(ULONG));
AclSize = InputAcl->AclSize;
*CapturedAcl = NewAcl; ProbeForRead(InputAcl,
AclSize,
sizeof(ULONG));
} }
_SEH_HANDLE _SEH_HANDLE
{ {
ExFreePool(NewAcl); Status = _SEH_GetExceptionCode();
Status = _SEH_GetExceptionCode();
} }
_SEH_END; _SEH_END;
}
else if(NT_SUCCESS(Status))
{ {
Status = STATUS_INSUFFICIENT_RESOURCES; NewAcl = ExAllocatePool(PoolType,
} AclSize);
if(NewAcl != NULL)
{
_SEH_TRY
{
RtlCopyMemory(NewAcl,
InputAcl,
AclSize);
*CapturedAcl = NewAcl;
}
_SEH_HANDLE
{
ExFreePool(NewAcl);
Status = _SEH_GetExceptionCode();
}
_SEH_END;
}
else
{
Status = STATUS_INSUFFICIENT_RESOURCES;
}
}
} }
} else if(!CaptureIfKernel)
else if(!CaptureIfKernel)
{
*CapturedAcl = InputAcl;
}
else
{
AclSize = InputAcl->AclSize;
NewAcl = ExAllocatePool(PoolType,
AclSize);
if(NewAcl != NULL)
{ {
RtlCopyMemory(NewAcl, *CapturedAcl = InputAcl;
InputAcl,
AclSize);
*CapturedAcl = NewAcl;
} }
else else
{ {
Status = STATUS_INSUFFICIENT_RESOURCES; AclSize = InputAcl->AclSize;
NewAcl = ExAllocatePool(PoolType,
AclSize);
if(NewAcl != NULL)
{
RtlCopyMemory(NewAcl,
InputAcl,
AclSize);
*CapturedAcl = NewAcl;
}
else
{
Status = STATUS_INSUFFICIENT_RESOURCES;
}
} }
}
return Status;
return Status;
} }
VOID VOID
@ -359,14 +357,14 @@ SepReleaseAcl(IN PACL CapturedAcl,
IN KPROCESSOR_MODE AccessMode, IN KPROCESSOR_MODE AccessMode,
IN BOOLEAN CaptureIfKernel) IN BOOLEAN CaptureIfKernel)
{ {
PAGED_CODE(); PAGED_CODE();
if(CapturedAcl != NULL && if(CapturedAcl != NULL &&
(AccessMode != KernelMode || (AccessMode != KernelMode ||
(AccessMode == KernelMode && CaptureIfKernel))) (AccessMode == KernelMode && CaptureIfKernel)))
{ {
ExFreePool(CapturedAcl); ExFreePool(CapturedAcl);
} }
} }
/* EOF */ /* EOF */

406
reactos/ntoskrnl/se/audit.c
View file

@ -7,12 +7,13 @@
* PROGRAMMERS: Eric Kohl <eric.kohl@t-online.de> * PROGRAMMERS: Eric Kohl <eric.kohl@t-online.de>
*/ */
/* INCLUDES *****************************************************************/ /* INCLUDES *******************************************************************/
#include <ntoskrnl.h> #include <ntoskrnl.h>
#include <internal/debug.h> #define NDEBUG
#include <debug.h>
/* INTERNAL *****************************************************************/ /* PRIVATE FUNCTIONS***********************************************************/
BOOLEAN BOOLEAN
NTAPI NTAPI
@ -179,7 +180,165 @@ SeLocateProcessImageName(IN PEPROCESS Process,
return Status; return Status;
} }
/* FUNCTIONS ****************************************************************/ /* PUBLIC FUNCTIONS ***********************************************************/
/*
* @unimplemented
*/
VOID
STDCALL
SeAuditHardLinkCreation(IN PUNICODE_STRING FileName,
IN PUNICODE_STRING LinkName,
IN BOOLEAN bSuccess)
{
UNIMPLEMENTED;
}
/*
* @unimplemented
*/
BOOLEAN
STDCALL
SeAuditingFileEvents(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor)
{
UNIMPLEMENTED;
return FALSE;
}
/*
* @unimplemented
*/
BOOLEAN
STDCALL
SeAuditingFileEventsWithContext(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
{
UNIMPLEMENTED;
return FALSE;
}
/*
* @unimplemented
*/
BOOLEAN
STDCALL
SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor)
{
UNIMPLEMENTED;
return FALSE;
}
/*
* @unimplemented
*/
BOOLEAN
STDCALL
SeAuditingHardLinkEventsWithContext(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
{
UNIMPLEMENTED;
return FALSE;
}
/*
* @unimplemented
*/
BOOLEAN
STDCALL
SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
{
UNIMPLEMENTED;
return FALSE;
}
/*
* @unimplemented
*/
VOID
STDCALL
SeCloseObjectAuditAlarm(
IN PVOID Object,
IN HANDLE Handle,
IN BOOLEAN PerformAction
)
{
UNIMPLEMENTED;
}
/*
* @unimplemented
*/
VOID STDCALL
SeDeleteObjectAuditAlarm(IN PVOID Object,
IN HANDLE Handle)
{
UNIMPLEMENTED;
}
/*
* @unimplemented
*/
VOID
NTAPI
SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
IN PVOID Object OPTIONAL,
IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PACCESS_STATE AccessState,
IN BOOLEAN ObjectCreated,
IN BOOLEAN AccessGranted,
IN KPROCESSOR_MODE AccessMode,
OUT PBOOLEAN GenerateOnClose)
{
PAGED_CODE();
/* Audits aren't done on kernel-mode access */
if (AccessMode == KernelMode) return;
/* Otherwise, unimplemented! */
//UNIMPLEMENTED;
return;
}
/*
* @unimplemented
*/
VOID STDCALL
SeOpenObjectForDeleteAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
IN PVOID Object OPTIONAL,
IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PACCESS_STATE AccessState,
IN BOOLEAN ObjectCreated,
IN BOOLEAN AccessGranted,
IN KPROCESSOR_MODE AccessMode,
OUT PBOOLEAN GenerateOnClose)
{
UNIMPLEMENTED;
}
/*
* @unimplemented
*/
VOID
STDCALL
SePrivilegeObjectAuditAlarm(IN HANDLE Handle,
IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
IN ACCESS_MASK DesiredAccess,
IN PPRIVILEGE_SET Privileges,
IN BOOLEAN AccessGranted,
IN KPROCESSOR_MODE CurrentMode)
{
UNIMPLEMENTED;
}
/* SYSTEM CALLS ***************************************************************/
NTSTATUS NTSTATUS
NTAPI NTAPI
@ -202,236 +361,65 @@ NtAccessCheckAndAuditAlarm(IN PUNICODE_STRING SubsystemName,
NTSTATUS STDCALL NTSTATUS STDCALL
NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName, NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId, IN PVOID HandleId,
IN BOOLEAN GenerateOnClose) IN BOOLEAN GenerateOnClose)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED); return(STATUS_NOT_IMPLEMENTED);
} }
NTSTATUS STDCALL NTSTATUS STDCALL
NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName, NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId, IN PVOID HandleId,
IN BOOLEAN GenerateOnClose) IN BOOLEAN GenerateOnClose)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED); return(STATUS_NOT_IMPLEMENTED);
} }
NTSTATUS STDCALL NTSTATUS STDCALL
NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName, NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId, IN PVOID HandleId,
IN PUNICODE_STRING ObjectTypeName, IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName, IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN HANDLE ClientToken, IN HANDLE ClientToken,
IN ULONG DesiredAccess, IN ULONG DesiredAccess,
IN ULONG GrantedAccess, IN ULONG GrantedAccess,
IN PPRIVILEGE_SET Privileges, IN PPRIVILEGE_SET Privileges,
IN BOOLEAN ObjectCreation, IN BOOLEAN ObjectCreation,
IN BOOLEAN AccessGranted, IN BOOLEAN AccessGranted,
OUT PBOOLEAN GenerateOnClose) OUT PBOOLEAN GenerateOnClose)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED); return(STATUS_NOT_IMPLEMENTED);
} }
NTSTATUS STDCALL NTSTATUS STDCALL
NtPrivilegedServiceAuditAlarm(IN PUNICODE_STRING SubsystemName, NtPrivilegedServiceAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN PUNICODE_STRING ServiceName, IN PUNICODE_STRING ServiceName,
IN HANDLE ClientToken, IN HANDLE ClientToken,
IN PPRIVILEGE_SET Privileges, IN PPRIVILEGE_SET Privileges,
IN BOOLEAN AccessGranted) IN BOOLEAN AccessGranted)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED); return(STATUS_NOT_IMPLEMENTED);
} }
NTSTATUS STDCALL NTSTATUS STDCALL
NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName, NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId, IN PVOID HandleId,
IN HANDLE ClientToken, IN HANDLE ClientToken,
IN ULONG DesiredAccess, IN ULONG DesiredAccess,
IN PPRIVILEGE_SET Privileges, IN PPRIVILEGE_SET Privileges,
IN BOOLEAN AccessGranted) IN BOOLEAN AccessGranted)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED); return(STATUS_NOT_IMPLEMENTED);
}
/*
* @unimplemented
*/
VOID
STDCALL
SeAuditHardLinkCreation(
IN PUNICODE_STRING FileName,
IN PUNICODE_STRING LinkName,
IN BOOLEAN bSuccess
)
{
UNIMPLEMENTED;
}
/*
* @unimplemented
*/
BOOLEAN
STDCALL
SeAuditingFileEvents(
IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor
)
{
UNIMPLEMENTED;
return FALSE;
}
/*
* @unimplemented
*/
BOOLEAN
STDCALL
SeAuditingFileEventsWithContext(
IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
)
{
UNIMPLEMENTED;
return FALSE;
}
/*
* @unimplemented
*/
BOOLEAN
STDCALL
SeAuditingHardLinkEvents(
IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor
)
{
UNIMPLEMENTED;
return FALSE;
}
/*
* @unimplemented
*/
BOOLEAN
STDCALL
SeAuditingHardLinkEventsWithContext(
IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL
)
{
UNIMPLEMENTED;
return FALSE;
}
/*
* @unimplemented
*/
BOOLEAN
STDCALL
SeAuditingFileOrGlobalEvents(
IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
)
{
UNIMPLEMENTED;
return FALSE;
}
/*
* @unimplemented
*/
VOID
STDCALL
SeCloseObjectAuditAlarm(
IN PVOID Object,
IN HANDLE Handle,
IN BOOLEAN PerformAction
)
{
UNIMPLEMENTED;
}
/*
* @unimplemented
*/
VOID STDCALL
SeDeleteObjectAuditAlarm(IN PVOID Object,
IN HANDLE Handle)
{
UNIMPLEMENTED;
}
/*
* @unimplemented
*/
VOID
NTAPI
SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
IN PVOID Object OPTIONAL,
IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PACCESS_STATE AccessState,
IN BOOLEAN ObjectCreated,
IN BOOLEAN AccessGranted,
IN KPROCESSOR_MODE AccessMode,
OUT PBOOLEAN GenerateOnClose)
{
PAGED_CODE();
/* Audits aren't done on kernel-mode access */
if (AccessMode == KernelMode) return;
/* Otherwise, unimplemented! */
//UNIMPLEMENTED;
return;
}
/*
* @unimplemented
*/
VOID STDCALL
SeOpenObjectForDeleteAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
IN PVOID Object OPTIONAL,
IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PACCESS_STATE AccessState,
IN BOOLEAN ObjectCreated,
IN BOOLEAN AccessGranted,
IN KPROCESSOR_MODE AccessMode,
OUT PBOOLEAN GenerateOnClose)
{
UNIMPLEMENTED;
}
/*
* @unimplemented
*/
VOID
STDCALL
SePrivilegeObjectAuditAlarm(
IN HANDLE Handle,
IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
IN ACCESS_MASK DesiredAccess,
IN PPRIVILEGE_SET Privileges,
IN BOOLEAN AccessGranted,
IN KPROCESSOR_MODE CurrentMode
)
{
UNIMPLEMENTED;
} }
/* EOF */ /* EOF */

84
reactos/ntoskrnl/se/lsa.c
View file

@ -1,28 +1,32 @@
/* /*
* COPYRIGHT: See COPYING in the top level directory * COPYRIGHT: See COPYING in the top level directory
* PROJECT: ReactOS kernel * PROJECT: ReactOS kernel
* FILE: ntoskrnl/se/lsa.c * FILE: ntoskrnl/se/sid.c
* PURPOSE: No purpose listed. * PURPOSE: Security manager
* *
* PROGRAMMERS: No programmer listed. * PROGRAMMERS: David Welch <welch@cwcom.net>
*/ */
/* INCLUDES *******************************************************************/
#include <ntoskrnl.h> #include <ntoskrnl.h>
#define NDEBUG #define NDEBUG
#include <internal/debug.h> #include <debug.h>
/* FUNCTIONS ******************************************************************/
/* /*
* @unimplemented * @unimplemented
*/ */
NTSTATUS STDCALL LsaCallAuthenticationPackage ( NTSTATUS
ULONG Unknown0, NTAPI
ULONG Unknown1, LsaCallAuthenticationPackage(ULONG Unknown0,
ULONG Unknown2, ULONG Unknown1,
ULONG Unknown3, ULONG Unknown2,
ULONG Unknown4, ULONG Unknown3,
ULONG Unknown5, ULONG Unknown4,
ULONG Unknown6 ULONG Unknown5,
) ULONG Unknown6)
{ {
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
} }
@ -30,10 +34,10 @@ NTSTATUS STDCALL LsaCallAuthenticationPackage (
/* /*
* @unimplemented * @unimplemented
*/ */
NTSTATUS STDCALL LsaDeregisterLogonProcess ( NTSTATUS
ULONG Unknown0, NTAPI
ULONG Unknown1 LsaDeregisterLogonProcess(ULONG Unknown0,
) ULONG Unknown1)
{ {
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
} }
@ -41,16 +45,15 @@ NTSTATUS STDCALL LsaDeregisterLogonProcess (
/* /*
* @implemented * @implemented
*/ */
NTSTATUS STDCALL LsaFreeReturnBuffer (PVOID Buffer) NTSTATUS
NTAPI
LsaFreeReturnBuffer(PVOID Buffer)
{ {
ULONG Size = 0; /* required by MEM_RELEASE */ ULONG Size = 0;
return ZwFreeVirtualMemory(NtCurrentProcess(),
return ZwFreeVirtualMemory ( &Buffer,
NtCurrentProcess(), &Size,
& Buffer, MEM_RELEASE);
& Size,
MEM_RELEASE
);
} }
/* /*
@ -79,11 +82,11 @@ LsaLogonUser(IN HANDLE LsaHandle,
/* /*
* @unimplemented * @unimplemented
*/ */
NTSTATUS STDCALL LsaLookupAuthenticationPackage ( NTSTATUS
ULONG Unknown0, NTAPI
ULONG Unknown1, LsaLookupAuthenticationPackage(ULONG Unknown0,
ULONG Unknown2 ULONG Unknown1,
) ULONG Unknown2)
{ {
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
} }
@ -93,9 +96,9 @@ NTSTATUS STDCALL LsaLookupAuthenticationPackage (
*/ */
NTSTATUS NTSTATUS
NTAPI NTAPI
LsaRegisterLogonProcess (IN PLSA_STRING LogonProcessName, LsaRegisterLogonProcess(IN PLSA_STRING LogonProcessName,
OUT PHANDLE LsaHandle, OUT PHANDLE LsaHandle,
OUT PLSA_OPERATIONAL_MODE SecurityMode) OUT PLSA_OPERATIONAL_MODE SecurityMode)
{ {
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
} }
@ -105,9 +108,7 @@ LsaRegisterLogonProcess (IN PLSA_STRING LogonProcessName,
*/ */
NTSTATUS NTSTATUS
STDCALL STDCALL
SeMarkLogonSessionForTerminationNotification( SeMarkLogonSessionForTerminationNotification(IN PLUID LogonId)
IN PLUID LogonId
)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
@ -118,9 +119,7 @@ SeMarkLogonSessionForTerminationNotification(
*/ */
NTSTATUS NTSTATUS
STDCALL STDCALL
SeRegisterLogonSessionTerminatedRoutine( SeRegisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
@ -131,13 +130,10 @@ SeRegisterLogonSessionTerminatedRoutine(
*/ */
NTSTATUS NTSTATUS
STDCALL STDCALL
SeUnregisterLogonSessionTerminatedRoutine( SeUnregisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
} }
/* EOF */ /* EOF */

112
reactos/ntoskrnl/se/luid.c
View file

@ -1,112 +0,0 @@
/*
* COPYRIGHT: See COPYING in the top level directory
* PROJECT: ReactOS kernel
* FILE: ntoskrnl/se/luid.c
* PURPOSE: Security manager
*
* PROGRAMMERS: No programmer listed.
*/
/* INCLUDES *****************************************************************/
#include <ntoskrnl.h>
#include <internal/debug.h>
#if defined (ALLOC_PRAGMA)
#pragma alloc_text(INIT, SepInitLuid)
#endif
/* GLOBALS *******************************************************************/
static LARGE_INTEGER LuidIncrement;
static LARGE_INTEGER LuidValue;
/* FUNCTIONS *****************************************************************/
VOID
INIT_FUNCTION
NTAPI
SepInitLuid(VOID)
{
LUID DummyLuidValue = SYSTEM_LUID;
LuidValue.u.HighPart = DummyLuidValue.HighPart;
LuidValue.u.LowPart = DummyLuidValue.LowPart;
LuidIncrement.QuadPart = 1;
}
NTSTATUS
NTAPI
ExpAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
{
LARGE_INTEGER NewLuid, PrevLuid;
/* atomically increment the luid */
do
{
PrevLuid = LuidValue;
NewLuid = RtlLargeIntegerAdd(PrevLuid,
LuidIncrement);
} while(ExfInterlockedCompareExchange64(&LuidValue.QuadPart,
&NewLuid.QuadPart,
&PrevLuid.QuadPart) != PrevLuid.QuadPart);
LocallyUniqueId->LowPart = NewLuid.u.LowPart;
LocallyUniqueId->HighPart = NewLuid.u.HighPart;
return STATUS_SUCCESS;
}
/*
* @implemented
*/
NTSTATUS STDCALL
NtAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
{
LUID NewLuid;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE();
PreviousMode = ExGetPreviousMode();
if(PreviousMode != KernelMode)
{
_SEH_TRY
{
ProbeForWrite(LocallyUniqueId,
sizeof(LUID),
sizeof(ULONG));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(!NT_SUCCESS(Status))
{
return Status;
}
}
Status = ExpAllocateLocallyUniqueId(&NewLuid);
_SEH_TRY
{
*LocallyUniqueId = NewLuid;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
return Status;
}
/* EOF */

634
reactos/ntoskrnl/se/priv.c
View file

@ -7,18 +7,17 @@
* PROGRAMMERS: No programmer listed. * PROGRAMMERS: No programmer listed.
*/ */
/* INCLUDES *****************************************************************/ /* INCLUDES ******************************************************************/
#include <ntoskrnl.h> #include <ntoskrnl.h>
#define NDEBUG #define NDEBUG
#include <internal/debug.h> #include <debug.h>
#if defined (ALLOC_PRAGMA) #if defined (ALLOC_PRAGMA)
#pragma alloc_text(INIT, SepInitPrivileges) #pragma alloc_text(INIT, SepInitPrivileges)
#endif #endif
/* GLOBALS ********************************************************************/
/* GLOBALS *******************************************************************/
LUID SeCreateTokenPrivilege; LUID SeCreateTokenPrivilege;
LUID SeAssignPrimaryTokenPrivilege; LUID SeAssignPrimaryTokenPrivilege;
@ -47,166 +46,164 @@ LUID SeUndockPrivilege;
LUID SeSyncAgentPrivilege; LUID SeSyncAgentPrivilege;
LUID SeEnableDelegationPrivilege; LUID SeEnableDelegationPrivilege;
/* PRIVATE FUNCTIONS **********************************************************/
/* FUNCTIONS ***************************************************************/
VOID VOID
INIT_FUNCTION INIT_FUNCTION
NTAPI NTAPI
SepInitPrivileges (VOID) SepInitPrivileges (VOID)
{ {
SeCreateTokenPrivilege.LowPart = SE_CREATE_TOKEN_PRIVILEGE; SeCreateTokenPrivilege.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
SeCreateTokenPrivilege.HighPart = 0; SeCreateTokenPrivilege.HighPart = 0;
SeAssignPrimaryTokenPrivilege.LowPart = SE_ASSIGNPRIMARYTOKEN_PRIVILEGE; SeAssignPrimaryTokenPrivilege.LowPart = SE_ASSIGNPRIMARYTOKEN_PRIVILEGE;
SeAssignPrimaryTokenPrivilege.HighPart = 0; SeAssignPrimaryTokenPrivilege.HighPart = 0;
SeLockMemoryPrivilege.LowPart = SE_LOCK_MEMORY_PRIVILEGE; SeLockMemoryPrivilege.LowPart = SE_LOCK_MEMORY_PRIVILEGE;
SeLockMemoryPrivilege.HighPart = 0; SeLockMemoryPrivilege.HighPart = 0;
SeIncreaseQuotaPrivilege.LowPart = SE_INCREASE_QUOTA_PRIVILEGE; SeIncreaseQuotaPrivilege.LowPart = SE_INCREASE_QUOTA_PRIVILEGE;
SeIncreaseQuotaPrivilege.HighPart = 0; SeIncreaseQuotaPrivilege.HighPart = 0;
SeUnsolicitedInputPrivilege.LowPart = SE_UNSOLICITED_INPUT_PRIVILEGE; SeUnsolicitedInputPrivilege.LowPart = SE_UNSOLICITED_INPUT_PRIVILEGE;
SeUnsolicitedInputPrivilege.HighPart = 0; SeUnsolicitedInputPrivilege.HighPart = 0;
SeTcbPrivilege.LowPart = SE_TCB_PRIVILEGE; SeTcbPrivilege.LowPart = SE_TCB_PRIVILEGE;
SeTcbPrivilege.HighPart = 0; SeTcbPrivilege.HighPart = 0;
SeSecurityPrivilege.LowPart = SE_SECURITY_PRIVILEGE; SeSecurityPrivilege.LowPart = SE_SECURITY_PRIVILEGE;
SeSecurityPrivilege.HighPart = 0; SeSecurityPrivilege.HighPart = 0;
SeTakeOwnershipPrivilege.LowPart = SE_TAKE_OWNERSHIP_PRIVILEGE; SeTakeOwnershipPrivilege.LowPart = SE_TAKE_OWNERSHIP_PRIVILEGE;
SeTakeOwnershipPrivilege.HighPart = 0; SeTakeOwnershipPrivilege.HighPart = 0;
SeLoadDriverPrivilege.LowPart = SE_LOAD_DRIVER_PRIVILEGE; SeLoadDriverPrivilege.LowPart = SE_LOAD_DRIVER_PRIVILEGE;
SeLoadDriverPrivilege.HighPart = 0; SeLoadDriverPrivilege.HighPart = 0;
SeSystemProfilePrivilege.LowPart = SE_SYSTEM_PROFILE_PRIVILEGE; SeSystemProfilePrivilege.LowPart = SE_SYSTEM_PROFILE_PRIVILEGE;
SeSystemProfilePrivilege.HighPart = 0; SeSystemProfilePrivilege.HighPart = 0;
SeSystemtimePrivilege.LowPart = SE_SYSTEMTIME_PRIVILEGE; SeSystemtimePrivilege.LowPart = SE_SYSTEMTIME_PRIVILEGE;
SeSystemtimePrivilege.HighPart = 0; SeSystemtimePrivilege.HighPart = 0;
SeProfileSingleProcessPrivilege.LowPart = SE_PROF_SINGLE_PROCESS_PRIVILEGE; SeProfileSingleProcessPrivilege.LowPart = SE_PROF_SINGLE_PROCESS_PRIVILEGE;
SeProfileSingleProcessPrivilege.HighPart = 0; SeProfileSingleProcessPrivilege.HighPart = 0;
SeIncreaseBasePriorityPrivilege.LowPart = SE_INC_BASE_PRIORITY_PRIVILEGE; SeIncreaseBasePriorityPrivilege.LowPart = SE_INC_BASE_PRIORITY_PRIVILEGE;
SeIncreaseBasePriorityPrivilege.HighPart = 0; SeIncreaseBasePriorityPrivilege.HighPart = 0;
SeCreatePagefilePrivilege.LowPart = SE_CREATE_PAGEFILE_PRIVILEGE; SeCreatePagefilePrivilege.LowPart = SE_CREATE_PAGEFILE_PRIVILEGE;
SeCreatePagefilePrivilege.HighPart = 0; SeCreatePagefilePrivilege.HighPart = 0;
SeCreatePermanentPrivilege.LowPart = SE_CREATE_PERMANENT_PRIVILEGE; SeCreatePermanentPrivilege.LowPart = SE_CREATE_PERMANENT_PRIVILEGE;
SeCreatePermanentPrivilege.HighPart = 0; SeCreatePermanentPrivilege.HighPart = 0;
SeBackupPrivilege.LowPart = SE_BACKUP_PRIVILEGE; SeBackupPrivilege.LowPart = SE_BACKUP_PRIVILEGE;
SeBackupPrivilege.HighPart = 0; SeBackupPrivilege.HighPart = 0;
SeRestorePrivilege.LowPart = SE_RESTORE_PRIVILEGE; SeRestorePrivilege.LowPart = SE_RESTORE_PRIVILEGE;
SeRestorePrivilege.HighPart = 0; SeRestorePrivilege.HighPart = 0;
SeShutdownPrivilege.LowPart = SE_SHUTDOWN_PRIVILEGE; SeShutdownPrivilege.LowPart = SE_SHUTDOWN_PRIVILEGE;
SeShutdownPrivilege.HighPart = 0; SeShutdownPrivilege.HighPart = 0;
SeDebugPrivilege.LowPart = SE_DEBUG_PRIVILEGE; SeDebugPrivilege.LowPart = SE_DEBUG_PRIVILEGE;
SeDebugPrivilege.HighPart = 0; SeDebugPrivilege.HighPart = 0;
SeAuditPrivilege.LowPart = SE_AUDIT_PRIVILEGE; SeAuditPrivilege.LowPart = SE_AUDIT_PRIVILEGE;
SeAuditPrivilege.HighPart = 0; SeAuditPrivilege.HighPart = 0;
SeSystemEnvironmentPrivilege.LowPart = SE_SYSTEM_ENVIRONMENT_PRIVILEGE; SeSystemEnvironmentPrivilege.LowPart = SE_SYSTEM_ENVIRONMENT_PRIVILEGE;
SeSystemEnvironmentPrivilege.HighPart = 0; SeSystemEnvironmentPrivilege.HighPart = 0;
SeChangeNotifyPrivilege.LowPart = SE_CHANGE_NOTIFY_PRIVILEGE; SeChangeNotifyPrivilege.LowPart = SE_CHANGE_NOTIFY_PRIVILEGE;
SeChangeNotifyPrivilege.HighPart = 0; SeChangeNotifyPrivilege.HighPart = 0;
SeRemoteShutdownPrivilege.LowPart = SE_REMOTE_SHUTDOWN_PRIVILEGE; SeRemoteShutdownPrivilege.LowPart = SE_REMOTE_SHUTDOWN_PRIVILEGE;
SeRemoteShutdownPrivilege.HighPart = 0; SeRemoteShutdownPrivilege.HighPart = 0;
SeUndockPrivilege.LowPart = SE_UNDOCK_PRIVILEGE; SeUndockPrivilege.LowPart = SE_UNDOCK_PRIVILEGE;
SeUndockPrivilege.HighPart = 0; SeUndockPrivilege.HighPart = 0;
SeSyncAgentPrivilege.LowPart = SE_SYNC_AGENT_PRIVILEGE; SeSyncAgentPrivilege.LowPart = SE_SYNC_AGENT_PRIVILEGE;
SeSyncAgentPrivilege.HighPart = 0; SeSyncAgentPrivilege.HighPart = 0;
SeEnableDelegationPrivilege.LowPart = SE_ENABLE_DELEGATION_PRIVILEGE; SeEnableDelegationPrivilege.LowPart = SE_ENABLE_DELEGATION_PRIVILEGE;
SeEnableDelegationPrivilege.HighPart = 0; SeEnableDelegationPrivilege.HighPart = 0;
} }
BOOLEAN BOOLEAN
NTAPI NTAPI
SepPrivilegeCheck (PTOKEN Token, SepPrivilegeCheck (PTOKEN Token,
PLUID_AND_ATTRIBUTES Privileges, PLUID_AND_ATTRIBUTES Privileges,
ULONG PrivilegeCount, ULONG PrivilegeCount,
ULONG PrivilegeControl, ULONG PrivilegeControl,
KPROCESSOR_MODE PreviousMode) KPROCESSOR_MODE PreviousMode)
{ {
ULONG i; ULONG i;
ULONG j; ULONG j;
ULONG k; ULONG k;
DPRINT ("SepPrivilegeCheck() called\n"); DPRINT ("SepPrivilegeCheck() called\n");
PAGED_CODE(); PAGED_CODE();
if (PreviousMode == KernelMode) if (PreviousMode == KernelMode)
{ {
return TRUE; return TRUE;
} }
k = 0; k = 0;
if (PrivilegeCount > 0) if (PrivilegeCount > 0)
{ {
for (i = 0; i < Token->PrivilegeCount; i++) for (i = 0; i < Token->PrivilegeCount; i++)
{ {
for (j = 0; j < PrivilegeCount; j++) for (j = 0; j < PrivilegeCount; j++)
{ {
if (Token->Privileges[i].Luid.LowPart == Privileges[j].Luid.LowPart && if (Token->Privileges[i].Luid.LowPart == Privileges[j].Luid.LowPart &&
Token->Privileges[i].Luid.HighPart == Privileges[j].Luid.HighPart) Token->Privileges[i].Luid.HighPart == Privileges[j].Luid.HighPart)
{ {
DPRINT ("Found privilege\n"); DPRINT ("Found privilege\n");
DPRINT ("Privilege attributes %lx\n", DPRINT ("Privilege attributes %lx\n",
Token->Privileges[i].Attributes); Token->Privileges[i].Attributes);
if (Token->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED) if (Token->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED)
{ {
Privileges[j].Attributes |= SE_PRIVILEGE_USED_FOR_ACCESS; Privileges[j].Attributes |= SE_PRIVILEGE_USED_FOR_ACCESS;
k++; k++;
} }
} }
} }
} }
} }
if ((PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY) && if ((PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY) &&
PrivilegeCount == k) PrivilegeCount == k)
{ {
return TRUE; return TRUE;
} }
if (k > 0 && if (k > 0 &&
!(PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY)) !(PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY))
{ {
return TRUE; return TRUE;
} }
return FALSE; return FALSE;
} }
NTSTATUS NTSTATUS
NTAPI NTAPI
SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src, SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
ULONG PrivilegeCount, ULONG PrivilegeCount,
KPROCESSOR_MODE PreviousMode, KPROCESSOR_MODE PreviousMode,
PLUID_AND_ATTRIBUTES AllocatedMem, PLUID_AND_ATTRIBUTES AllocatedMem,
ULONG AllocatedLength, ULONG AllocatedLength,
POOL_TYPE PoolType, POOL_TYPE PoolType,
BOOLEAN CaptureIfKernel, BOOLEAN CaptureIfKernel,
PLUID_AND_ATTRIBUTES* Dest, PLUID_AND_ATTRIBUTES* Dest,
PULONG Length) PULONG Length)
{ {
ULONG BufferSize; ULONG BufferSize;
NTSTATUS Status = STATUS_SUCCESS; NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE(); PAGED_CODE();
if (PrivilegeCount == 0) if (PrivilegeCount == 0)
{ {
*Dest = 0; *Dest = 0;
*Length = 0; *Length = 0;
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
if (PreviousMode == KernelMode && !CaptureIfKernel) if (PreviousMode == KernelMode && !CaptureIfKernel)
{ {
*Dest = Src; *Dest = Src;
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
/* FIXME - check PrivilegeCount for a valid number so we don't /* FIXME - check PrivilegeCount for a valid number so we don't
cause an integer overflow or exhaust system resources! */ cause an integer overflow or exhaust system resources! */
BufferSize = PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES); BufferSize = PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
*Length = ROUND_UP(BufferSize, 4); /* round up to a 4 byte alignment */ *Length = ROUND_UP(BufferSize, 4); /* round up to a 4 byte alignment */
/* probe the buffer */ /* probe the buffer */
if (PreviousMode != KernelMode) if (PreviousMode != KernelMode)
{ {
@ -221,35 +218,35 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
Status = _SEH_GetExceptionCode(); Status = _SEH_GetExceptionCode();
} }
_SEH_END; _SEH_END;
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
return Status; return Status;
} }
} }
/* allocate enough memory or check if the provided buffer is /* allocate enough memory or check if the provided buffer is
large enough to hold the array */ large enough to hold the array */
if (AllocatedMem != NULL) if (AllocatedMem != NULL)
{ {
if (AllocatedLength < BufferSize) if (AllocatedLength < BufferSize)
{ {
return STATUS_BUFFER_TOO_SMALL; return STATUS_BUFFER_TOO_SMALL;
} }
*Dest = AllocatedMem; *Dest = AllocatedMem;
} }
else else
{ {
*Dest = ExAllocatePool(PoolType, *Dest = ExAllocatePool(PoolType,
BufferSize); BufferSize);
if (&Dest == NULL) if (&Dest == NULL)
{ {
return STATUS_INSUFFICIENT_RESOURCES; return STATUS_INSUFFICIENT_RESOURCES;
} }
} }
/* copy the array to the buffer */ /* copy the array to the buffer */
_SEH_TRY _SEH_TRY
{ {
@ -262,24 +259,23 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
Status = _SEH_GetExceptionCode(); Status = _SEH_GetExceptionCode();
} }
_SEH_END; _SEH_END;
if (!NT_SUCCESS(Status) && AllocatedMem == NULL) if (!NT_SUCCESS(Status) && AllocatedMem == NULL)
{ {
ExFreePool(*Dest); ExFreePool(*Dest);
} }
return Status; return Status;
} }
VOID VOID
NTAPI NTAPI
SeReleaseLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Privilege, SeReleaseLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Privilege,
KPROCESSOR_MODE PreviousMode, KPROCESSOR_MODE PreviousMode,
BOOLEAN CaptureIfKernel) BOOLEAN CaptureIfKernel)
{ {
PAGED_CODE(); PAGED_CODE();
if (Privilege != NULL && if (Privilege != NULL &&
(PreviousMode != KernelMode || CaptureIfKernel)) (PreviousMode != KernelMode || CaptureIfKernel))
{ {
@ -287,208 +283,232 @@ SeReleaseLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Privilege,
} }
} }
/* PUBLIC FUNCTIONS ***********************************************************/
NTSTATUS STDCALL /*
NtPrivilegeCheck (IN HANDLE ClientToken, * @unimplemented
IN PPRIVILEGE_SET RequiredPrivileges, */
OUT PBOOLEAN Result) NTSTATUS
STDCALL
SeAppendPrivileges(PACCESS_STATE AccessState,
PPRIVILEGE_SET Privileges)
{ {
PLUID_AND_ATTRIBUTES Privileges; UNIMPLEMENTED;
PTOKEN Token; return STATUS_NOT_IMPLEMENTED;
ULONG PrivilegeCount = 0;
ULONG PrivilegeControl = 0;
ULONG Length;
BOOLEAN CheckResult;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE();
PreviousMode = KeGetPreviousMode();
/* probe the buffers */
if (PreviousMode != KernelMode)
{
_SEH_TRY
{
ProbeForWrite(RequiredPrivileges,
FIELD_OFFSET(PRIVILEGE_SET,
Privilege),
sizeof(ULONG));
PrivilegeCount = RequiredPrivileges->PrivilegeCount;
PrivilegeControl = RequiredPrivileges->Control;
/* Check PrivilegeCount to avoid an integer overflow! */
if (FIELD_OFFSET(PRIVILEGE_SET,
Privilege[PrivilegeCount]) /
sizeof(RequiredPrivileges->Privilege[0]) != PrivilegeCount)
{
Status = STATUS_INVALID_PARAMETER;
_SEH_LEAVE;
}
/* probe all of the array */
ProbeForWrite(RequiredPrivileges,
FIELD_OFFSET(PRIVILEGE_SET,
Privilege[PrivilegeCount]),
sizeof(ULONG));
ProbeForWriteBoolean(Result);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
return Status;
}
}
else
{
PrivilegeCount = RequiredPrivileges->PrivilegeCount;
PrivilegeControl = RequiredPrivileges->Control;
}
/* reference the token and make sure we're
not doing an anonymous impersonation */
Status = ObReferenceObjectByHandle (ClientToken,
TOKEN_QUERY,
SepTokenObjectType,
PreviousMode,
(PVOID*)&Token,
NULL);
if (!NT_SUCCESS(Status))
{
return Status;
}
if (Token->TokenType == TokenImpersonation &&
Token->ImpersonationLevel < SecurityIdentification)
{
ObDereferenceObject (Token);
return STATUS_BAD_IMPERSONATION_LEVEL;
}
/* capture the privileges */
Status = SeCaptureLuidAndAttributesArray (RequiredPrivileges->Privilege,
PrivilegeCount,
PreviousMode,
NULL,
0,
PagedPool,
TRUE,
&Privileges,
&Length);
if (!NT_SUCCESS(Status))
{
ObDereferenceObject (Token);
return Status;
}
CheckResult = SepPrivilegeCheck (Token,
Privileges,
PrivilegeCount,
PrivilegeControl,
PreviousMode);
ObDereferenceObject (Token);
/* return the array */
_SEH_TRY
{
RtlCopyMemory(RequiredPrivileges->Privilege,
Privileges,
PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES));
*Result = CheckResult;
Status = STATUS_SUCCESS;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
SeReleaseLuidAndAttributesArray (Privileges,
PreviousMode,
TRUE);
return Status;
} }
/*
* @unimplemented
*/
VOID
STDCALL
SeFreePrivileges(IN PPRIVILEGE_SET Privileges)
{
UNIMPLEMENTED;
}
/* /*
* @implemented * @implemented
*/ */
BOOLEAN STDCALL BOOLEAN STDCALL
SePrivilegeCheck (PPRIVILEGE_SET Privileges, SePrivilegeCheck (PPRIVILEGE_SET Privileges,
PSECURITY_SUBJECT_CONTEXT SubjectContext, PSECURITY_SUBJECT_CONTEXT SubjectContext,
KPROCESSOR_MODE PreviousMode) KPROCESSOR_MODE PreviousMode)
{ {
PACCESS_TOKEN Token = NULL; PACCESS_TOKEN Token = NULL;
PAGED_CODE(); PAGED_CODE();
if (SubjectContext->ClientToken == NULL) if (SubjectContext->ClientToken == NULL)
{ {
Token = SubjectContext->PrimaryToken; Token = SubjectContext->PrimaryToken;
} }
else else
{ {
Token = SubjectContext->ClientToken; Token = SubjectContext->ClientToken;
if (SubjectContext->ImpersonationLevel < 2) if (SubjectContext->ImpersonationLevel < 2)
{ {
return FALSE; return FALSE;
} }
} }
return SepPrivilegeCheck (Token, return SepPrivilegeCheck (Token,
Privileges->Privilege, Privileges->Privilege,
Privileges->PrivilegeCount, Privileges->PrivilegeCount,
Privileges->Control, Privileges->Control,
PreviousMode); PreviousMode);
} }
/* /*
* @implemented * @implemented
*/ */
BOOLEAN STDCALL BOOLEAN STDCALL
SeSinglePrivilegeCheck (IN LUID PrivilegeValue, SeSinglePrivilegeCheck (IN LUID PrivilegeValue,
IN KPROCESSOR_MODE PreviousMode) IN KPROCESSOR_MODE PreviousMode)
{ {
SECURITY_SUBJECT_CONTEXT SubjectContext; SECURITY_SUBJECT_CONTEXT SubjectContext;
PRIVILEGE_SET Priv; PRIVILEGE_SET Priv;
BOOLEAN Result; BOOLEAN Result;
PAGED_CODE(); PAGED_CODE();
SeCaptureSubjectContext (&SubjectContext); SeCaptureSubjectContext (&SubjectContext);
Priv.PrivilegeCount = 1; Priv.PrivilegeCount = 1;
Priv.Control = PRIVILEGE_SET_ALL_NECESSARY; Priv.Control = PRIVILEGE_SET_ALL_NECESSARY;
Priv.Privilege[0].Luid = PrivilegeValue; Priv.Privilege[0].Luid = PrivilegeValue;
Priv.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED; Priv.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
Result = SePrivilegeCheck (&Priv, Result = SePrivilegeCheck (&Priv,
&SubjectContext, &SubjectContext,
PreviousMode); PreviousMode);
if (PreviousMode != KernelMode) if (PreviousMode != KernelMode)
{ {
#if 0 #if 0
SePrivilegedServiceAuditAlarm (0, SePrivilegedServiceAuditAlarm (0,
&SubjectContext, &SubjectContext,
&PrivilegeValue); &PrivilegeValue);
#endif #endif
} }
SeReleaseSubjectContext (&SubjectContext); SeReleaseSubjectContext (&SubjectContext);
return Result; return Result;
} }
/* SYSTEM CALLS ***************************************************************/
NTSTATUS STDCALL
NtPrivilegeCheck (IN HANDLE ClientToken,
IN PPRIVILEGE_SET RequiredPrivileges,
OUT PBOOLEAN Result)
{
PLUID_AND_ATTRIBUTES Privileges;
PTOKEN Token;
ULONG PrivilegeCount = 0;
ULONG PrivilegeControl = 0;
ULONG Length;
BOOLEAN CheckResult;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE();
PreviousMode = KeGetPreviousMode();
/* probe the buffers */
if (PreviousMode != KernelMode)
{
_SEH_TRY
{
ProbeForWrite(RequiredPrivileges,
FIELD_OFFSET(PRIVILEGE_SET,
Privilege),
sizeof(ULONG));
PrivilegeCount = RequiredPrivileges->PrivilegeCount;
PrivilegeControl = RequiredPrivileges->Control;
/* Check PrivilegeCount to avoid an integer overflow! */
if (FIELD_OFFSET(PRIVILEGE_SET,
Privilege[PrivilegeCount]) /
sizeof(RequiredPrivileges->Privilege[0]) != PrivilegeCount)
{
Status = STATUS_INVALID_PARAMETER;
_SEH_LEAVE;
}
/* probe all of the array */
ProbeForWrite(RequiredPrivileges,
FIELD_OFFSET(PRIVILEGE_SET,
Privilege[PrivilegeCount]),
sizeof(ULONG));
ProbeForWriteBoolean(Result);
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if (!NT_SUCCESS(Status))
{
return Status;
}
}
else
{
PrivilegeCount = RequiredPrivileges->PrivilegeCount;
PrivilegeControl = RequiredPrivileges->Control;
}
/* reference the token and make sure we're
not doing an anonymous impersonation */
Status = ObReferenceObjectByHandle (ClientToken,
TOKEN_QUERY,
SepTokenObjectType,
PreviousMode,
(PVOID*)&Token,
NULL);
if (!NT_SUCCESS(Status))
{
return Status;
}
if (Token->TokenType == TokenImpersonation &&
Token->ImpersonationLevel < SecurityIdentification)
{
ObDereferenceObject (Token);
return STATUS_BAD_IMPERSONATION_LEVEL;
}
/* capture the privileges */
Status = SeCaptureLuidAndAttributesArray (RequiredPrivileges->Privilege,
PrivilegeCount,
PreviousMode,
NULL,
0,
PagedPool,
TRUE,
&Privileges,
&Length);
if (!NT_SUCCESS(Status))
{
ObDereferenceObject (Token);
return Status;
}
CheckResult = SepPrivilegeCheck (Token,
Privileges,
PrivilegeCount,
PrivilegeControl,
PreviousMode);
ObDereferenceObject (Token);
/* return the array */
_SEH_TRY
{
RtlCopyMemory(RequiredPrivileges->Privilege,
Privileges,
PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES));
*Result = CheckResult;
Status = STATUS_SUCCESS;
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
SeReleaseLuidAndAttributesArray (Privileges,
PreviousMode,
TRUE);
return Status;
}
/* EOF */ /* EOF */

1978
reactos/ntoskrnl/se/sd.c
View file

File diff suppressed because it is too large Load diff

1247
reactos/ntoskrnl/se/semgr.c
View file

File diff suppressed because it is too large Load diff

478
reactos/ntoskrnl/se/sid.c
View file

@ -7,19 +7,17 @@
* PROGRAMMERS: David Welch <welch@cwcom.net> * PROGRAMMERS: David Welch <welch@cwcom.net>
*/ */
/* INCLUDES *****************************************************************/ /* INCLUDES *******************************************************************/
#include <ntoskrnl.h> #include <ntoskrnl.h>
#define NDEBUG #define NDEBUG
#include <internal/debug.h> #include <debug.h>
#if defined (ALLOC_PRAGMA) #if defined (ALLOC_PRAGMA)
#pragma alloc_text(INIT, SepInitSecurityIDs) #pragma alloc_text(INIT, SepInitSecurityIDs)
#endif #endif
/* GLOBALS ********************************************************************/
/* GLOBALS ******************************************************************/
SID_IDENTIFIER_AUTHORITY SeNullSidAuthority = {SECURITY_NULL_SID_AUTHORITY}; SID_IDENTIFIER_AUTHORITY SeNullSidAuthority = {SECURITY_NULL_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY}; SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY};
@ -56,174 +54,172 @@ PSID SeAuthenticatedUsersSid = NULL;
PSID SeRestrictedSid = NULL; PSID SeRestrictedSid = NULL;
PSID SeAnonymousLogonSid = NULL; PSID SeAnonymousLogonSid = NULL;
/* FUNCTIONS ******************************************************************/
/* FUNCTIONS ****************************************************************/
BOOLEAN BOOLEAN
INIT_FUNCTION INIT_FUNCTION
NTAPI NTAPI
SepInitSecurityIDs(VOID) SepInitSecurityIDs(VOID)
{ {
ULONG SidLength0; ULONG SidLength0;
ULONG SidLength1; ULONG SidLength1;
ULONG SidLength2; ULONG SidLength2;
PULONG SubAuthority; PULONG SubAuthority;
SidLength0 = RtlLengthRequiredSid(0); SidLength0 = RtlLengthRequiredSid(0);
SidLength1 = RtlLengthRequiredSid(1); SidLength1 = RtlLengthRequiredSid(1);
SidLength2 = RtlLengthRequiredSid(2); SidLength2 = RtlLengthRequiredSid(2);
/* create NullSid */ /* create NullSid */
SeNullSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeNullSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeWorldSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeWorldSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeLocalSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeLocalSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeCreatorOwnerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeCreatorOwnerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeCreatorGroupSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeCreatorGroupSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeCreatorOwnerServerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeCreatorOwnerServerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeCreatorGroupServerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeCreatorGroupServerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeNtAuthoritySid = ExAllocatePoolWithTag(PagedPool, SidLength0, TAG_SID); SeNtAuthoritySid = ExAllocatePoolWithTag(PagedPool, SidLength0, TAG_SID);
SeDialupSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeDialupSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeNetworkSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeNetworkSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeBatchSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeBatchSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeInteractiveSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeInteractiveSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeServiceSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeServiceSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SePrincipalSelfSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SePrincipalSelfSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeLocalSystemSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeLocalSystemSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeAuthenticatedUserSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeAuthenticatedUserSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeRestrictedCodeSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeRestrictedCodeSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeAliasAdminsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID); SeAliasAdminsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
SeAliasUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID); SeAliasUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
SeAliasGuestsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID); SeAliasGuestsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
SeAliasPowerUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID); SeAliasPowerUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
SeAliasAccountOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID); SeAliasAccountOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
SeAliasSystemOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID); SeAliasSystemOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
SeAliasPrintOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID); SeAliasPrintOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
SeAliasBackupOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID); SeAliasBackupOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
SeAuthenticatedUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeAuthenticatedUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeRestrictedSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeRestrictedSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeAnonymousLogonSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeAnonymousLogonSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
if (SeNullSid == NULL || SeWorldSid == NULL || if (SeNullSid == NULL || SeWorldSid == NULL ||
SeLocalSid == NULL || SeCreatorOwnerSid == NULL || SeLocalSid == NULL || SeCreatorOwnerSid == NULL ||
SeCreatorGroupSid == NULL || SeCreatorOwnerServerSid == NULL || SeCreatorGroupSid == NULL || SeCreatorOwnerServerSid == NULL ||
SeCreatorGroupServerSid == NULL || SeNtAuthoritySid == NULL || SeCreatorGroupServerSid == NULL || SeNtAuthoritySid == NULL ||
SeDialupSid == NULL || SeNetworkSid == NULL || SeBatchSid == NULL || SeDialupSid == NULL || SeNetworkSid == NULL || SeBatchSid == NULL ||
SeInteractiveSid == NULL || SeServiceSid == NULL || SeInteractiveSid == NULL || SeServiceSid == NULL ||
SePrincipalSelfSid == NULL || SeLocalSystemSid == NULL || SePrincipalSelfSid == NULL || SeLocalSystemSid == NULL ||
SeAuthenticatedUserSid == NULL || SeRestrictedCodeSid == NULL || SeAuthenticatedUserSid == NULL || SeRestrictedCodeSid == NULL ||
SeAliasAdminsSid == NULL || SeAliasUsersSid == NULL || SeAliasAdminsSid == NULL || SeAliasUsersSid == NULL ||
SeAliasGuestsSid == NULL || SeAliasPowerUsersSid == NULL || SeAliasGuestsSid == NULL || SeAliasPowerUsersSid == NULL ||
SeAliasAccountOpsSid == NULL || SeAliasSystemOpsSid == NULL || SeAliasAccountOpsSid == NULL || SeAliasSystemOpsSid == NULL ||
SeAliasPrintOpsSid == NULL || SeAliasBackupOpsSid == NULL || SeAliasPrintOpsSid == NULL || SeAliasBackupOpsSid == NULL ||
SeAuthenticatedUsersSid == NULL || SeRestrictedSid == NULL || SeAuthenticatedUsersSid == NULL || SeRestrictedSid == NULL ||
SeAnonymousLogonSid == NULL) SeAnonymousLogonSid == NULL)
{ {
/* FIXME: We're leaking memory here. */ /* FIXME: We're leaking memory here. */
return(FALSE); return(FALSE);
} }
RtlInitializeSid(SeNullSid, &SeNullSidAuthority, 1); RtlInitializeSid(SeNullSid, &SeNullSidAuthority, 1);
RtlInitializeSid(SeWorldSid, &SeWorldSidAuthority, 1); RtlInitializeSid(SeWorldSid, &SeWorldSidAuthority, 1);
RtlInitializeSid(SeLocalSid, &SeLocalSidAuthority, 1); RtlInitializeSid(SeLocalSid, &SeLocalSidAuthority, 1);
RtlInitializeSid(SeCreatorOwnerSid, &SeCreatorSidAuthority, 1); RtlInitializeSid(SeCreatorOwnerSid, &SeCreatorSidAuthority, 1);
RtlInitializeSid(SeCreatorGroupSid, &SeCreatorSidAuthority, 1); RtlInitializeSid(SeCreatorGroupSid, &SeCreatorSidAuthority, 1);
RtlInitializeSid(SeCreatorOwnerServerSid, &SeCreatorSidAuthority, 1); RtlInitializeSid(SeCreatorOwnerServerSid, &SeCreatorSidAuthority, 1);
RtlInitializeSid(SeCreatorGroupServerSid, &SeCreatorSidAuthority, 1); RtlInitializeSid(SeCreatorGroupServerSid, &SeCreatorSidAuthority, 1);
RtlInitializeSid(SeNtAuthoritySid, &SeNtSidAuthority, 0); RtlInitializeSid(SeNtAuthoritySid, &SeNtSidAuthority, 0);
RtlInitializeSid(SeDialupSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeDialupSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeNetworkSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeNetworkSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeBatchSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeBatchSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeInteractiveSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeInteractiveSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeServiceSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeServiceSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SePrincipalSelfSid, &SeNtSidAuthority, 1); RtlInitializeSid(SePrincipalSelfSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeLocalSystemSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeLocalSystemSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeAuthenticatedUserSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeAuthenticatedUserSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeRestrictedCodeSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeRestrictedCodeSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeAliasAdminsSid, &SeNtSidAuthority, 2); RtlInitializeSid(SeAliasAdminsSid, &SeNtSidAuthority, 2);
RtlInitializeSid(SeAliasUsersSid, &SeNtSidAuthority, 2); RtlInitializeSid(SeAliasUsersSid, &SeNtSidAuthority, 2);
RtlInitializeSid(SeAliasGuestsSid, &SeNtSidAuthority, 2); RtlInitializeSid(SeAliasGuestsSid, &SeNtSidAuthority, 2);
RtlInitializeSid(SeAliasPowerUsersSid, &SeNtSidAuthority, 2); RtlInitializeSid(SeAliasPowerUsersSid, &SeNtSidAuthority, 2);
RtlInitializeSid(SeAliasAccountOpsSid, &SeNtSidAuthority, 2); RtlInitializeSid(SeAliasAccountOpsSid, &SeNtSidAuthority, 2);
RtlInitializeSid(SeAliasSystemOpsSid, &SeNtSidAuthority, 2); RtlInitializeSid(SeAliasSystemOpsSid, &SeNtSidAuthority, 2);
RtlInitializeSid(SeAliasPrintOpsSid, &SeNtSidAuthority, 2); RtlInitializeSid(SeAliasPrintOpsSid, &SeNtSidAuthority, 2);
RtlInitializeSid(SeAliasBackupOpsSid, &SeNtSidAuthority, 2); RtlInitializeSid(SeAliasBackupOpsSid, &SeNtSidAuthority, 2);
RtlInitializeSid(SeAuthenticatedUsersSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeAuthenticatedUsersSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeRestrictedSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeRestrictedSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeAnonymousLogonSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeAnonymousLogonSid, &SeNtSidAuthority, 1);
SubAuthority = RtlSubAuthoritySid(SeNullSid, 0); SubAuthority = RtlSubAuthoritySid(SeNullSid, 0);
*SubAuthority = SECURITY_NULL_RID; *SubAuthority = SECURITY_NULL_RID;
SubAuthority = RtlSubAuthoritySid(SeWorldSid, 0); SubAuthority = RtlSubAuthoritySid(SeWorldSid, 0);
*SubAuthority = SECURITY_WORLD_RID; *SubAuthority = SECURITY_WORLD_RID;
SubAuthority = RtlSubAuthoritySid(SeLocalSid, 0); SubAuthority = RtlSubAuthoritySid(SeLocalSid, 0);
*SubAuthority = SECURITY_LOCAL_RID; *SubAuthority = SECURITY_LOCAL_RID;
SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerSid, 0); SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerSid, 0);
*SubAuthority = SECURITY_CREATOR_OWNER_RID; *SubAuthority = SECURITY_CREATOR_OWNER_RID;
SubAuthority = RtlSubAuthoritySid(SeCreatorGroupSid, 0); SubAuthority = RtlSubAuthoritySid(SeCreatorGroupSid, 0);
*SubAuthority = SECURITY_CREATOR_GROUP_RID; *SubAuthority = SECURITY_CREATOR_GROUP_RID;
SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerServerSid, 0); SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerServerSid, 0);
*SubAuthority = SECURITY_CREATOR_OWNER_SERVER_RID; *SubAuthority = SECURITY_CREATOR_OWNER_SERVER_RID;
SubAuthority = RtlSubAuthoritySid(SeCreatorGroupServerSid, 0); SubAuthority = RtlSubAuthoritySid(SeCreatorGroupServerSid, 0);
*SubAuthority = SECURITY_CREATOR_GROUP_SERVER_RID; *SubAuthority = SECURITY_CREATOR_GROUP_SERVER_RID;
SubAuthority = RtlSubAuthoritySid(SeDialupSid, 0); SubAuthority = RtlSubAuthoritySid(SeDialupSid, 0);
*SubAuthority = SECURITY_DIALUP_RID; *SubAuthority = SECURITY_DIALUP_RID;
SubAuthority = RtlSubAuthoritySid(SeNetworkSid, 0); SubAuthority = RtlSubAuthoritySid(SeNetworkSid, 0);
*SubAuthority = SECURITY_NETWORK_RID; *SubAuthority = SECURITY_NETWORK_RID;
SubAuthority = RtlSubAuthoritySid(SeBatchSid, 0); SubAuthority = RtlSubAuthoritySid(SeBatchSid, 0);
*SubAuthority = SECURITY_BATCH_RID; *SubAuthority = SECURITY_BATCH_RID;
SubAuthority = RtlSubAuthoritySid(SeInteractiveSid, 0); SubAuthority = RtlSubAuthoritySid(SeInteractiveSid, 0);
*SubAuthority = SECURITY_INTERACTIVE_RID; *SubAuthority = SECURITY_INTERACTIVE_RID;
SubAuthority = RtlSubAuthoritySid(SeServiceSid, 0); SubAuthority = RtlSubAuthoritySid(SeServiceSid, 0);
*SubAuthority = SECURITY_SERVICE_RID; *SubAuthority = SECURITY_SERVICE_RID;
SubAuthority = RtlSubAuthoritySid(SePrincipalSelfSid, 0); SubAuthority = RtlSubAuthoritySid(SePrincipalSelfSid, 0);
*SubAuthority = SECURITY_PRINCIPAL_SELF_RID; *SubAuthority = SECURITY_PRINCIPAL_SELF_RID;
SubAuthority = RtlSubAuthoritySid(SeLocalSystemSid, 0); SubAuthority = RtlSubAuthoritySid(SeLocalSystemSid, 0);
*SubAuthority = SECURITY_LOCAL_SYSTEM_RID; *SubAuthority = SECURITY_LOCAL_SYSTEM_RID;
SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUserSid, 0); SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUserSid, 0);
*SubAuthority = SECURITY_AUTHENTICATED_USER_RID; *SubAuthority = SECURITY_AUTHENTICATED_USER_RID;
SubAuthority = RtlSubAuthoritySid(SeRestrictedCodeSid, 0); SubAuthority = RtlSubAuthoritySid(SeRestrictedCodeSid, 0);
*SubAuthority = SECURITY_RESTRICTED_CODE_RID; *SubAuthority = SECURITY_RESTRICTED_CODE_RID;
SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 0); SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 0);
*SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 1); SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 1);
*SubAuthority = DOMAIN_ALIAS_RID_ADMINS; *SubAuthority = DOMAIN_ALIAS_RID_ADMINS;
SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 0); SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 0);
*SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 1); SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 1);
*SubAuthority = DOMAIN_ALIAS_RID_USERS; *SubAuthority = DOMAIN_ALIAS_RID_USERS;
SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 0); SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 0);
*SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 1); SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 1);
*SubAuthority = DOMAIN_ALIAS_RID_GUESTS; *SubAuthority = DOMAIN_ALIAS_RID_GUESTS;
SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 0); SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 0);
*SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 1); SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 1);
*SubAuthority = DOMAIN_ALIAS_RID_POWER_USERS; *SubAuthority = DOMAIN_ALIAS_RID_POWER_USERS;
SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 0); SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 0);
*SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 1); SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 1);
*SubAuthority = DOMAIN_ALIAS_RID_ACCOUNT_OPS; *SubAuthority = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 0); SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 0);
*SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 1); SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 1);
*SubAuthority = DOMAIN_ALIAS_RID_SYSTEM_OPS; *SubAuthority = DOMAIN_ALIAS_RID_SYSTEM_OPS;
SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 0); SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 0);
*SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 1); SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 1);
*SubAuthority = DOMAIN_ALIAS_RID_PRINT_OPS; *SubAuthority = DOMAIN_ALIAS_RID_PRINT_OPS;
SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 0); SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 0);
*SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 1); SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 1);
*SubAuthority = DOMAIN_ALIAS_RID_BACKUP_OPS; *SubAuthority = DOMAIN_ALIAS_RID_BACKUP_OPS;
SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUsersSid, 0); SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUsersSid, 0);
*SubAuthority = SECURITY_AUTHENTICATED_USER_RID; *SubAuthority = SECURITY_AUTHENTICATED_USER_RID;
SubAuthority = RtlSubAuthoritySid(SeRestrictedSid, 0); SubAuthority = RtlSubAuthoritySid(SeRestrictedSid, 0);
*SubAuthority = SECURITY_RESTRICTED_CODE_RID; *SubAuthority = SECURITY_RESTRICTED_CODE_RID;
SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, 0); SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, 0);
*SubAuthority = SECURITY_ANONYMOUS_LOGON_RID; *SubAuthority = SECURITY_ANONYMOUS_LOGON_RID;
return(TRUE); return(TRUE);
} }
NTSTATUS NTSTATUS
@ -234,86 +230,86 @@ SepCaptureSid(IN PSID InputSid,
IN BOOLEAN CaptureIfKernel, IN BOOLEAN CaptureIfKernel,
OUT PSID *CapturedSid) OUT PSID *CapturedSid)
{ {
ULONG SidSize = 0; ULONG SidSize = 0;
PISID NewSid, Sid = (PISID)InputSid; PISID NewSid, Sid = (PISID)InputSid;
NTSTATUS Status = STATUS_SUCCESS; NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE(); PAGED_CODE();
if(AccessMode != KernelMode) if(AccessMode != KernelMode)
{
_SEH_TRY
{ {
ProbeForRead(Sid,
FIELD_OFFSET(SID,
SubAuthority),
sizeof(UCHAR));
SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
ProbeForRead(Sid,
SidSize,
sizeof(UCHAR));
}
_SEH_HANDLE
{
Status = _SEH_GetExceptionCode();
}
_SEH_END;
if(NT_SUCCESS(Status))
{
/* allocate a SID and copy it */
NewSid = ExAllocatePool(PoolType,
SidSize);
if(NewSid != NULL)
{
_SEH_TRY _SEH_TRY
{ {
RtlCopyMemory(NewSid, ProbeForRead(Sid,
Sid, FIELD_OFFSET(SID,
SidSize); SubAuthority),
sizeof(UCHAR));
*CapturedSid = NewSid; SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
ProbeForRead(Sid,
SidSize,
sizeof(UCHAR));
} }
_SEH_HANDLE _SEH_HANDLE
{ {
ExFreePool(NewSid); Status = _SEH_GetExceptionCode();
Status = _SEH_GetExceptionCode();
} }
_SEH_END; _SEH_END;
}
else if(NT_SUCCESS(Status))
{ {
Status = STATUS_INSUFFICIENT_RESOURCES; /* allocate a SID and copy it */
} NewSid = ExAllocatePool(PoolType,
SidSize);
if(NewSid != NULL)
{
_SEH_TRY
{
RtlCopyMemory(NewSid,
Sid,
SidSize);
*CapturedSid = NewSid;
}
_SEH_HANDLE
{
ExFreePool(NewSid);
Status = _SEH_GetExceptionCode();
}
_SEH_END;
}
else
{
Status = STATUS_INSUFFICIENT_RESOURCES;
}
}
} }
} else if(!CaptureIfKernel)
else if(!CaptureIfKernel)
{
*CapturedSid = InputSid;
return STATUS_SUCCESS;
}
else
{
SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
/* allocate a SID and copy it */
NewSid = ExAllocatePool(PoolType,
SidSize);
if(NewSid != NULL)
{ {
RtlCopyMemory(NewSid, *CapturedSid = InputSid;
Sid, return STATUS_SUCCESS;
SidSize);
*CapturedSid = NewSid;
} }
else else
{ {
Status = STATUS_INSUFFICIENT_RESOURCES; SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
/* allocate a SID and copy it */
NewSid = ExAllocatePool(PoolType,
SidSize);
if(NewSid != NULL)
{
RtlCopyMemory(NewSid,
Sid,
SidSize);
*CapturedSid = NewSid;
}
else
{
Status = STATUS_INSUFFICIENT_RESOURCES;
}
} }
}
return Status;
return Status;
} }
VOID VOID
@ -322,14 +318,14 @@ SepReleaseSid(IN PSID CapturedSid,
IN KPROCESSOR_MODE AccessMode, IN KPROCESSOR_MODE AccessMode,
IN BOOLEAN CaptureIfKernel) IN BOOLEAN CaptureIfKernel)
{ {
PAGED_CODE(); PAGED_CODE();
if(CapturedSid != NULL && if(CapturedSid != NULL &&
(AccessMode != KernelMode || (AccessMode != KernelMode ||
(AccessMode == KernelMode && CaptureIfKernel))) (AccessMode == KernelMode && CaptureIfKernel)))
{ {
ExFreePool(CapturedSid); ExFreePool(CapturedSid);
} }
} }
/* EOF */ /* EOF */

4105
reactos/ntoskrnl/se/token.c
View file

File diff suppressed because it is too large Load diff