[NTOS:SE] Set up an ACL and SD for the anonymous logon

ntoskrnl/include/internal/se.h

@@ -187,6 +187,7 @@ extern PACL SePublicDefaultUnrestrictedDacl;
 extern PACL SePublicOpenDacl;
 extern PACL SePublicOpenUnrestrictedDacl;
 extern PACL SeUnrestrictedDacl;
+extern PACL SeSystemAnonymousLogonDacl;
 
 /* SDs */
 extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
@@ -195,6 +196,7 @@ extern PSECURITY_DESCRIPTOR SePublicOpenSd;
 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
+extern PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd;
 
 
 #define SepAcquireTokenLockExclusive(Token)                                    \

ntoskrnl/se/acl.c

@@ -21,6 +21,7 @@ PACL SePublicDefaultUnrestrictedDacl = NULL;
 PACL SePublicOpenDacl = NULL;
 PACL SePublicOpenUnrestrictedDacl = NULL;
 PACL SeUnrestrictedDacl = NULL;
+PACL SeSystemAnonymousLogonDacl = NULL;
 
 /* FUNCTIONS ******************************************************************/
 
@@ -217,6 +218,31 @@ SepInitDACLs(VOID)
                            GENERIC_READ | GENERIC_EXECUTE,
                            SeRestrictedCodeSid);
 
+    /* create SystemAnonymousLogonDacl */
+    AclLength = sizeof(ACL) +
+                (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
+                (sizeof(ACE) + RtlLengthSid(SeAnonymousLogonSid));
+
+    SeSystemAnonymousLogonDacl = ExAllocatePoolWithTag(PagedPool,
+                                                       AclLength,
+                                                       TAG_ACL);
+    if (SeSystemAnonymousLogonDacl == NULL)
+        return FALSE;
+
+    RtlCreateAcl(SeSystemAnonymousLogonDacl,
+                 AclLength,
+                 ACL_REVISION);
+
+    RtlAddAccessAllowedAce(SeSystemAnonymousLogonDacl,
+                           ACL_REVISION,
+                           GENERIC_ALL,
+                           SeWorldSid);
+
+    RtlAddAccessAllowedAce(SeSystemAnonymousLogonDacl,
+                           ACL_REVISION,
+                           GENERIC_ALL,
+                           SeAnonymousLogonSid);
+
     return TRUE;
 }
 

ntoskrnl/se/sd.c

@@ -21,6 +21,7 @@ PSECURITY_DESCRIPTOR SePublicOpenSd = NULL;
 PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd = NULL;
 PSECURITY_DESCRIPTOR SeSystemDefaultSd = NULL;
 PSECURITY_DESCRIPTOR SeUnrestrictedSd = NULL;
+PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd = NULL;
 
 /* PRIVATE FUNCTIONS **********************************************************/
 
@@ -107,6 +108,19 @@ SepInitSDs(VOID)
                                  SeUnrestrictedDacl,
                                  FALSE);
 
+    /* Create SystemAnonymousLogonSd */
+    SeSystemAnonymousLogonSd = ExAllocatePoolWithTag(PagedPool,
+                                                     sizeof(SECURITY_DESCRIPTOR), TAG_SD);
+    if (SeSystemAnonymousLogonSd == NULL)
+        return FALSE;
+
+    RtlCreateSecurityDescriptor(SeSystemAnonymousLogonSd,
+                                SECURITY_DESCRIPTOR_REVISION);
+    RtlSetDaclSecurityDescriptor(SeSystemAnonymousLogonSd,
+                                 TRUE,
+                                 SeSystemAnonymousLogonDacl,
+                                 FALSE);
+
     return TRUE;
 }