[FORMATTING]

No code changes.

svn path=/trunk/; revision=47383
Eric Kohl 2010-05-28 16:28:27 +00:00
parent 4e25539b71
commit f0910f33d3
9 changed files with 856 additions and 827 deletions


@ -30,11 +30,12 @@ SeCaptureSubjectContextEx(IN PETHREAD Thread,
OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
BOOLEAN CopyOnOpen, EffectiveOnly;
PAGED_CODE();
/* Save the unique ID */
SubjectContext->ProcessAuditId = Process->UniqueProcessId;
/* Check if we have a thread */
if (!Thread)
{
@ -49,7 +50,7 @@ SeCaptureSubjectContextEx(IN PETHREAD Thread,
&EffectiveOnly,
&SubjectContext->ImpersonationLevel);
}
/* Get the primary token */
SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
}
@ -75,7 +76,7 @@ NTAPI
SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
PAGED_CODE();
KeEnterCriticalRegion();
ExAcquireResourceExclusiveLite(&SepSubjectContextLock, TRUE);
}
@ -88,7 +89,7 @@ NTAPI
SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
PAGED_CODE();
ExReleaseResourceLite(&SepSubjectContextLock);
KeLeaveCriticalRegion();
}
@ -101,12 +102,12 @@ NTAPI
SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
PAGED_CODE();
if (SubjectContext->PrimaryToken != NULL)
{
ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
}
if (SubjectContext->ClientToken != NULL)
{
ObDereferenceObject(SubjectContext->ClientToken);
@ -127,6 +128,7 @@ SeCreateAccessStateEx(IN PETHREAD Thread,
{
ACCESS_MASK AccessMask = Access;
PTOKEN Token;
PAGED_CODE();
/* Map the Generic Acess to Specific Access if we have a Mapping */
@ -150,9 +152,9 @@ SeCreateAccessStateEx(IN PETHREAD Thread,
ExpAllocateLocallyUniqueId(&AccessState->OperationID);
/* Get the Token to use */
Token = AccessState->SubjectSecurityContext.ClientToken ?
(PTOKEN)&AccessState->SubjectSecurityContext.ClientToken :
(PTOKEN)&AccessState->SubjectSecurityContext.PrimaryToken;
Token = AccessState->SubjectSecurityContext.ClientToken ?
(PTOKEN)&AccessState->SubjectSecurityContext.ClientToken :
(PTOKEN)&AccessState->SubjectSecurityContext.PrimaryToken;
/* Check for Travers Privilege */
if (Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE)
@ -200,6 +202,7 @@ NTAPI
SeDeleteAccessState(IN PACCESS_STATE AccessState)
{
PAUX_ACCESS_DATA AuxData;
PAGED_CODE();
/* Get the Auxiliary Data */
@ -213,7 +216,8 @@ SeDeleteAccessState(IN PACCESS_STATE AccessState)
{
ExFreePool(AccessState->ObjectName.Buffer);
}
if (AccessState->ObjectTypeName.Buffer)
if (AccessState->ObjectTypeName.Buffer)
{
ExFreePool(AccessState->ObjectTypeName.Buffer);
}
@ -252,8 +256,9 @@ SeCreateClientSecurity(IN PETHREAD Thread,
PACCESS_TOKEN Token;
NTSTATUS Status;
PACCESS_TOKEN NewToken;
PAGED_CODE();
Token = PsReferenceEffectiveToken(Thread,
&TokenType,
&ThreadEffectiveOnly,
@ -269,7 +274,7 @@ SeCreateClientSecurity(IN PETHREAD Thread,
if (Token) ObDereferenceObject(Token);
return STATUS_BAD_IMPERSONATION_LEVEL;
}
if ((ImpersonationLevel == SecurityAnonymous) ||
(ImpersonationLevel == SecurityIdentification) ||
((RemoteClient) && (ImpersonationLevel != SecurityDelegation)))
@ -277,12 +282,11 @@ SeCreateClientSecurity(IN PETHREAD Thread,
if (Token) ObDereferenceObject(Token);
return STATUS_BAD_IMPERSONATION_LEVEL;
}
ClientContext->DirectAccessEffectiveOnly = ((ThreadEffectiveOnly) ||
(Qos->EffectiveOnly)) ?
TRUE : FALSE;
(Qos->EffectiveOnly)) ? TRUE : FALSE;
}
if (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
{
ClientContext->DirectlyAccessClientToken = FALSE;
@ -299,10 +303,10 @@ SeCreateClientSecurity(IN PETHREAD Thread,
&ClientContext->ClientTokenControl);
#endif
}
NewToken = Token;
}
ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
ClientContext->SecurityQos.ImpersonationLevel = Qos->ImpersonationLevel;
ClientContext->SecurityQos.ContextTrackingMode = Qos->ContextTrackingMode;
@ -347,9 +351,9 @@ SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext,
IN PETHREAD ServerThread OPTIONAL)
{
UCHAR b;
PAGED_CODE();
if (ClientContext->DirectlyAccessClientToken == FALSE)
{
b = ClientContext->SecurityQos.EffectiveOnly;
@ -358,10 +362,12 @@ SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext,
{
b = ClientContext->DirectAccessEffectiveOnly;
}
if (ServerThread == NULL)
{
ServerThread = PsGetCurrentThread();
}
PsImpersonateClient(ServerThread,
ClientContext->ClientToken,
1,


@ -34,189 +34,188 @@ NTAPI
SepInitDACLs(VOID)
{
ULONG AclLength;
/* create PublicDefaultDacl */
AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
AclLength,
TAG_ACL);
if (SePublicDefaultDacl == NULL)
return FALSE;
RtlCreateAcl(SePublicDefaultDacl,
AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SePublicDefaultDacl,
ACL_REVISION,
GENERIC_EXECUTE,
SeWorldSid);
RtlAddAccessAllowedAce(SePublicDefaultDacl,
ACL_REVISION,
GENERIC_ALL,
SeLocalSystemSid);
/* create PublicDefaultUnrestrictedDacl */
AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
AclLength,
TAG_ACL);
if (SePublicDefaultUnrestrictedDacl == NULL)
return FALSE;
RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION,
GENERIC_EXECUTE,
SeWorldSid);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION,
GENERIC_ALL,
SeLocalSystemSid);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION,
GENERIC_ALL,
SeAliasAdminsSid);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
SeRestrictedCodeSid);
/* create PublicOpenDacl */
AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool,
AclLength,
TAG_ACL);
if (SePublicOpenDacl == NULL)
return FALSE;
RtlCreateAcl(SePublicOpenDacl,
AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SePublicOpenDacl,
ACL_REVISION,
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
SeWorldSid);
RtlAddAccessAllowedAce(SePublicOpenDacl,
ACL_REVISION,
GENERIC_ALL,
SeLocalSystemSid);
RtlAddAccessAllowedAce(SePublicOpenDacl,
ACL_REVISION,
GENERIC_ALL,
SeAliasAdminsSid);
/* create PublicOpenUnrestrictedDacl */
AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
AclLength,
TAG_ACL);
if (SePublicOpenUnrestrictedDacl == NULL)
return FALSE;
RtlCreateAcl(SePublicOpenUnrestrictedDacl,
AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION,
GENERIC_ALL,
SeWorldSid);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION,
GENERIC_ALL,
SeLocalSystemSid);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION,
GENERIC_ALL,
SeAliasAdminsSid);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE,
SeRestrictedCodeSid);
/* create SystemDefaultDacl */
AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool,
AclLength,
TAG_ACL);
if (SeSystemDefaultDacl == NULL)
return FALSE;
RtlCreateAcl(SeSystemDefaultDacl,
AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SeSystemDefaultDacl,
ACL_REVISION,
GENERIC_ALL,
SeLocalSystemSid);
RtlAddAccessAllowedAce(SeSystemDefaultDacl,
ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
SeAliasAdminsSid);
/* create UnrestrictedDacl */
AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
AclLength,
TAG_ACL);
if (SeUnrestrictedDacl == NULL)
return FALSE;
RtlCreateAcl(SeUnrestrictedDacl,
AclLength,
ACL_REVISION);
RtlAddAccessAllowedAce(SeUnrestrictedDacl,
ACL_REVISION,
GENERIC_ALL,
SeWorldSid);
RtlAddAccessAllowedAce(SeUnrestrictedDacl,
ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE,
SeRestrictedCodeSid);
return(TRUE);
return TRUE;
}
NTSTATUS NTAPI
@ -226,22 +225,22 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
{
ULONG AclLength;
PVOID TokenDacl;
PAGED_CODE();
AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
(sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
if (TokenDacl == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
Token->UserAndGroups->Sid);
@ -251,7 +250,7 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
SeAliasAdminsSid);
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
SeLocalSystemSid);
/* FIXME */
#if 0
if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
@ -260,7 +259,7 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
SeRestrictedCodeSid);
}
#endif
return STATUS_SUCCESS;
}
@ -275,9 +274,9 @@ SepCaptureAcl(IN PACL InputAcl,
PACL NewAcl;
ULONG AclSize = 0;
NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE();
if (AccessMode != KernelMode)
{
_SEH2_TRY
@ -296,10 +295,10 @@ SepCaptureAcl(IN PACL InputAcl,
_SEH2_YIELD(return _SEH2_GetExceptionCode());
}
_SEH2_END;
NewAcl = ExAllocatePool(PoolType,
AclSize);
if(NewAcl != NULL)
if (NewAcl != NULL)
{
_SEH2_TRY
{
@ -322,23 +321,23 @@ SepCaptureAcl(IN PACL InputAcl,
Status = STATUS_INSUFFICIENT_RESOURCES;
}
}
else if(!CaptureIfKernel)
else if (!CaptureIfKernel)
{
*CapturedAcl = InputAcl;
}
else
{
AclSize = InputAcl->AclSize;
NewAcl = ExAllocatePool(PoolType,
AclSize);
if(NewAcl != NULL)
if (NewAcl != NULL)
{
RtlCopyMemory(NewAcl,
InputAcl,
AclSize);
*CapturedAcl = NewAcl;
}
else
@ -346,7 +345,7 @@ SepCaptureAcl(IN PACL InputAcl,
Status = STATUS_INSUFFICIENT_RESOURCES;
}
}
return Status;
}
@ -357,10 +356,10 @@ SepReleaseAcl(IN PACL CapturedAcl,
IN BOOLEAN CaptureIfKernel)
{
PAGED_CODE();
if(CapturedAcl != NULL &&
(AccessMode != KernelMode ||
(AccessMode == KernelMode && CaptureIfKernel)))
if (CapturedAcl != NULL &&
(AccessMode != KernelMode ||
(AccessMode == KernelMode && CaptureIfKernel)))
{
ExFreePool(CapturedAcl);
}


@ -4,7 +4,7 @@
* FILE: ntoskrnl/se/audit.c
* PURPOSE: Audit functions
*
* PROGRAMMERS: Eric Kohl <eric.kohl@t-online.de>
* PROGRAMMERS: Eric Kohl
*/
/* INCLUDES *******************************************************************/
@ -47,6 +47,7 @@ SeInitializeProcessAuditName(IN PFILE_OBJECT FileObject,
POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
ULONG ReturnLength = 8;
NTSTATUS Status;
PAGED_CODE();
ASSERT(AuditInfo);
@ -120,6 +121,7 @@ SeLocateProcessImageName(IN PEPROCESS Process,
PUNICODE_STRING ImageName;
PFILE_OBJECT FileObject;
NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE();
/* Assume failure */
@ -189,7 +191,7 @@ SeAuditHardLinkCreation(IN PUNICODE_STRING FileName,
IN PUNICODE_STRING LinkName,
IN BOOLEAN bSuccess)
{
UNIMPLEMENTED;
UNIMPLEMENTED;
}
/*
@ -200,8 +202,8 @@ NTAPI
SeAuditingFileEvents(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor)
{
UNIMPLEMENTED;
return FALSE;
UNIMPLEMENTED;
return FALSE;
}
/*
@ -213,8 +215,8 @@ SeAuditingFileEventsWithContext(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
{
UNIMPLEMENTED;
return FALSE;
UNIMPLEMENTED;
return FALSE;
}
/*
@ -225,8 +227,8 @@ NTAPI
SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor)
{
UNIMPLEMENTED;
return FALSE;
UNIMPLEMENTED;
return FALSE;
}
/*
@ -238,8 +240,8 @@ SeAuditingHardLinkEventsWithContext(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
{
UNIMPLEMENTED;
return FALSE;
UNIMPLEMENTED;
return FALSE;
}
/*
@ -251,8 +253,8 @@ SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
{
UNIMPLEMENTED;
return FALSE;
UNIMPLEMENTED;
return FALSE;
}
/*
@ -260,13 +262,11 @@ SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted,
*/
VOID
NTAPI
SeCloseObjectAuditAlarm(
IN PVOID Object,
SeCloseObjectAuditAlarm(IN PVOID Object,
IN HANDLE Handle,
IN BOOLEAN PerformAction
)
IN BOOLEAN PerformAction)
{
UNIMPLEMENTED;
UNIMPLEMENTED;
}
/*
@ -295,10 +295,10 @@ SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
OUT PBOOLEAN GenerateOnClose)
{
PAGED_CODE();
/* Audits aren't done on kernel-mode access */
if (AccessMode == KernelMode) return;
/* Otherwise, unimplemented! */
//UNIMPLEMENTED;
return;
@ -333,7 +333,7 @@ SePrivilegeObjectAuditAlarm(IN HANDLE Handle,
IN BOOLEAN AccessGranted,
IN KPROCESSOR_MODE CurrentMode)
{
UNIMPLEMENTED;
UNIMPLEMENTED;
}
/* SYSTEM CALLS ***************************************************************/
@ -363,7 +363,7 @@ NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN BOOLEAN GenerateOnClose)
{
UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED);
return STATUS_NOT_IMPLEMENTED;
}
@ -373,7 +373,7 @@ NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN BOOLEAN GenerateOnClose)
{
UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED);
return STATUS_NOT_IMPLEMENTED;
}
@ -392,7 +392,7 @@ NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
OUT PBOOLEAN GenerateOnClose)
{
UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED);
return STATUS_NOT_IMPLEMENTED;
}
@ -404,7 +404,7 @@ NtPrivilegedServiceAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN BOOLEAN AccessGranted)
{
UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED);
return STATUS_NOT_IMPLEMENTED;
}
@ -417,7 +417,7 @@ NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN BOOLEAN AccessGranted)
{
UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED);
return STATUS_NOT_IMPLEMENTED;
}
/* EOF */


@ -110,8 +110,8 @@ NTSTATUS
NTAPI
SeMarkLogonSessionForTerminationNotification(IN PLUID LogonId)
{
UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED;
UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED;
}
/*
@ -121,8 +121,8 @@ NTSTATUS
NTAPI
SeRegisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
{
UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED;
UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED;
}
/*
@ -132,8 +132,8 @@ NTSTATUS
NTAPI
SeUnregisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
{
UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED;
UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED;
}
/* EOF */


@ -51,7 +51,7 @@ LUID SeEnableDelegationPrivilege;
VOID
INIT_FUNCTION
NTAPI
SepInitPrivileges (VOID)
SepInitPrivileges(VOID)
{
SeCreateTokenPrivilege.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
SeCreateTokenPrivilege.HighPart = 0;
@ -110,25 +110,25 @@ SepInitPrivileges (VOID)
BOOLEAN
NTAPI
SepPrivilegeCheck (PTOKEN Token,
PLUID_AND_ATTRIBUTES Privileges,
ULONG PrivilegeCount,
ULONG PrivilegeControl,
KPROCESSOR_MODE PreviousMode)
SepPrivilegeCheck(PTOKEN Token,
PLUID_AND_ATTRIBUTES Privileges,
ULONG PrivilegeCount,
ULONG PrivilegeControl,
KPROCESSOR_MODE PreviousMode)
{
ULONG i;
ULONG j;
ULONG k;
DPRINT ("SepPrivilegeCheck() called\n");
DPRINT("SepPrivilegeCheck() called\n");
PAGED_CODE();
if (PreviousMode == KernelMode)
{
return TRUE;
}
k = 0;
if (PrivilegeCount > 0)
{
@ -139,10 +139,10 @@ SepPrivilegeCheck (PTOKEN Token,
if (Token->Privileges[i].Luid.LowPart == Privileges[j].Luid.LowPart &&
Token->Privileges[i].Luid.HighPart == Privileges[j].Luid.HighPart)
{
DPRINT ("Found privilege\n");
DPRINT ("Privilege attributes %lx\n",
Token->Privileges[i].Attributes);
DPRINT("Found privilege\n");
DPRINT("Privilege attributes %lx\n",
Token->Privileges[i].Attributes);
if (Token->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED)
{
Privileges[j].Attributes |= SE_PRIVILEGE_USED_FOR_ACCESS;
@ -152,58 +152,58 @@ SepPrivilegeCheck (PTOKEN Token,
}
}
}
if ((PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY) &&
PrivilegeCount == k)
{
return TRUE;
}
if (k > 0 &&
!(PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY))
{
return TRUE;
}
return FALSE;
}
NTSTATUS
NTAPI
SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
ULONG PrivilegeCount,
KPROCESSOR_MODE PreviousMode,
PLUID_AND_ATTRIBUTES AllocatedMem,
ULONG AllocatedLength,
POOL_TYPE PoolType,
BOOLEAN CaptureIfKernel,
PLUID_AND_ATTRIBUTES* Dest,
PULONG Length)
SeCaptureLuidAndAttributesArray(PLUID_AND_ATTRIBUTES Src,
ULONG PrivilegeCount,
KPROCESSOR_MODE PreviousMode,
PLUID_AND_ATTRIBUTES AllocatedMem,
ULONG AllocatedLength,
POOL_TYPE PoolType,
BOOLEAN CaptureIfKernel,
PLUID_AND_ATTRIBUTES *Dest,
PULONG Length)
{
ULONG BufferSize;
NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE();
if (PrivilegeCount == 0)
{
*Dest = 0;
*Length = 0;
return STATUS_SUCCESS;
}
if (PreviousMode == KernelMode && !CaptureIfKernel)
{
*Dest = Src;
return STATUS_SUCCESS;
}
/* FIXME - check PrivilegeCount for a valid number so we don't
cause an integer overflow or exhaust system resources! */
BufferSize = PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
*Length = ROUND_UP(BufferSize, 4); /* round up to a 4 byte alignment */
/* probe the buffer */
if (PreviousMode != KernelMode)
{
@ -220,7 +220,7 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
}
_SEH2_END;
}
/* allocate enough memory or check if the provided buffer is
large enough to hold the array */
if (AllocatedMem != NULL)
@ -229,14 +229,13 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
{
return STATUS_BUFFER_TOO_SMALL;
}
*Dest = AllocatedMem;
}
else
{
*Dest = ExAllocatePool(PoolType,
BufferSize);
if (*Dest == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
@ -255,23 +254,23 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
Status = _SEH2_GetExceptionCode();
}
_SEH2_END;
if (!NT_SUCCESS(Status) && AllocatedMem == NULL)
{
ExFreePool(*Dest);
}
return Status;
}
VOID
NTAPI
SeReleaseLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Privilege,
KPROCESSOR_MODE PreviousMode,
BOOLEAN CaptureIfKernel)
SeReleaseLuidAndAttributesArray(PLUID_AND_ATTRIBUTES Privilege,
KPROCESSOR_MODE PreviousMode,
BOOLEAN CaptureIfKernel)
{
PAGED_CODE();
if (Privilege != NULL &&
(PreviousMode != KernelMode || CaptureIfKernel))
{
@ -307,15 +306,16 @@ SeFreePrivileges(IN PPRIVILEGE_SET Privileges)
/*
* @implemented
*/
BOOLEAN NTAPI
SePrivilegeCheck (PPRIVILEGE_SET Privileges,
PSECURITY_SUBJECT_CONTEXT SubjectContext,
KPROCESSOR_MODE PreviousMode)
BOOLEAN
NTAPI
SePrivilegeCheck(PPRIVILEGE_SET Privileges,
PSECURITY_SUBJECT_CONTEXT SubjectContext,
KPROCESSOR_MODE PreviousMode)
{
PACCESS_TOKEN Token = NULL;
PAGED_CODE();
if (SubjectContext->ClientToken == NULL)
{
Token = SubjectContext->PrimaryToken;
@ -328,58 +328,60 @@ SePrivilegeCheck (PPRIVILEGE_SET Privileges,
return FALSE;
}
}
return SepPrivilegeCheck (Token,
Privileges->Privilege,
Privileges->PrivilegeCount,
Privileges->Control,
PreviousMode);
return SepPrivilegeCheck(Token,
Privileges->Privilege,
Privileges->PrivilegeCount,
Privileges->Control,
PreviousMode);
}
/*
* @implemented
*/
BOOLEAN NTAPI
SeSinglePrivilegeCheck (IN LUID PrivilegeValue,
IN KPROCESSOR_MODE PreviousMode)
BOOLEAN
NTAPI
SeSinglePrivilegeCheck(IN LUID PrivilegeValue,
IN KPROCESSOR_MODE PreviousMode)
{
SECURITY_SUBJECT_CONTEXT SubjectContext;
PRIVILEGE_SET Priv;
BOOLEAN Result;
PAGED_CODE();
SeCaptureSubjectContext (&SubjectContext);
SeCaptureSubjectContext(&SubjectContext);
Priv.PrivilegeCount = 1;
Priv.Control = PRIVILEGE_SET_ALL_NECESSARY;
Priv.Privilege[0].Luid = PrivilegeValue;
Priv.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
Result = SePrivilegeCheck (&Priv,
&SubjectContext,
PreviousMode);
Result = SePrivilegeCheck(&Priv,
&SubjectContext,
PreviousMode);
if (PreviousMode != KernelMode)
{
#if 0
SePrivilegedServiceAuditAlarm (0,
&SubjectContext,
&PrivilegeValue);
SePrivilegedServiceAuditAlarm(0,
&SubjectContext,
&PrivilegeValue);
#endif
}
SeReleaseSubjectContext (&SubjectContext);
SeReleaseSubjectContext(&SubjectContext);
return Result;
}
/* SYSTEM CALLS ***************************************************************/
NTSTATUS NTAPI
NtPrivilegeCheck (IN HANDLE ClientToken,
IN PPRIVILEGE_SET RequiredPrivileges,
OUT PBOOLEAN Result)
NTSTATUS
NTAPI
NtPrivilegeCheck(IN HANDLE ClientToken,
IN PPRIVILEGE_SET RequiredPrivileges,
OUT PBOOLEAN Result)
{
PLUID_AND_ATTRIBUTES Privileges;
PTOKEN Token;
@ -389,11 +391,11 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
BOOLEAN CheckResult;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PAGED_CODE();
PreviousMode = KeGetPreviousMode();
/* probe the buffers */
if (PreviousMode != KernelMode)
{
@ -403,10 +405,10 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
FIELD_OFFSET(PRIVILEGE_SET,
Privilege),
sizeof(ULONG));
PrivilegeCount = RequiredPrivileges->PrivilegeCount;
PrivilegeControl = RequiredPrivileges->Control;
/* Check PrivilegeCount to avoid an integer overflow! */
if (FIELD_OFFSET(PRIVILEGE_SET,
Privilege[PrivilegeCount]) /
@ -414,13 +416,13 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
{
_SEH2_YIELD(return STATUS_INVALID_PARAMETER);
}
/* probe all of the array */
ProbeForWrite(RequiredPrivileges,
FIELD_OFFSET(PRIVILEGE_SET,
Privilege[PrivilegeCount]),
sizeof(ULONG));
ProbeForWriteBoolean(Result);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
@ -435,51 +437,51 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
PrivilegeCount = RequiredPrivileges->PrivilegeCount;
PrivilegeControl = RequiredPrivileges->Control;
}
/* reference the token and make sure we're
not doing an anonymous impersonation */
Status = ObReferenceObjectByHandle (ClientToken,
TOKEN_QUERY,
SepTokenObjectType,
PreviousMode,
(PVOID*)&Token,
NULL);
Status = ObReferenceObjectByHandle(ClientToken,
TOKEN_QUERY,
SepTokenObjectType,
PreviousMode,
(PVOID*)&Token,
NULL);
if (!NT_SUCCESS(Status))
{
return Status;
}
if (Token->TokenType == TokenImpersonation &&
Token->ImpersonationLevel < SecurityIdentification)
{
ObDereferenceObject (Token);
ObDereferenceObject(Token);
return STATUS_BAD_IMPERSONATION_LEVEL;
}
/* capture the privileges */
Status = SeCaptureLuidAndAttributesArray (RequiredPrivileges->Privilege,
PrivilegeCount,
PreviousMode,
NULL,
0,
PagedPool,
TRUE,
&Privileges,
&Length);
Status = SeCaptureLuidAndAttributesArray(RequiredPrivileges->Privilege,
PrivilegeCount,
PreviousMode,
NULL,
0,
PagedPool,
TRUE,
&Privileges,
&Length);
if (!NT_SUCCESS(Status))
{
ObDereferenceObject (Token);
return Status;
}
CheckResult = SepPrivilegeCheck (Token,
Privileges,
PrivilegeCount,
PrivilegeControl,
PreviousMode);
ObDereferenceObject (Token);
CheckResult = SepPrivilegeCheck(Token,
Privileges,
PrivilegeCount,
PrivilegeControl,
PreviousMode);
ObDereferenceObject(Token);
/* return the array */
_SEH2_TRY
{
@ -494,13 +496,12 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
Status = _SEH2_GetExceptionCode();
}
_SEH2_END;
SeReleaseLuidAndAttributesArray (Privileges,
PreviousMode,
TRUE);
SeReleaseLuidAndAttributesArray(Privileges,
PreviousMode,
TRUE);
return Status;
}
/* EOF */



@ -17,13 +17,15 @@
PSE_EXPORTS SeExports = NULL;
SE_EXPORTS SepExports;
ULONG SidInTokenCalls = 0;
extern ULONG ExpInitializationPhase;
extern ERESOURCE SepSubjectContextLock;
/* PRIVATE FUNCTIONS **********************************************************/
static BOOLEAN INIT_FUNCTION
static BOOLEAN
INIT_FUNCTION
SepInitExports(VOID)
{
SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
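Review bot: The two declarations added near the top of this hunk, `extern ULONG ExpInitializationPhase;` and `extern ERESOURCE SepSubjectContextLock;`, declare symbols owned by other modules inside this .c file, so a later change to the defining declaration's type would not be caught by the compiler; prefer declaring them once in the owning module's internal header and including that header here. The `ULONG SidInTokenCalls = 0;` definition appears to have been moved up from further down the file (the hunk at -279 removes it); it is a plain global incremented in `SepSidInToken`, and if it is debug instrumentation a short comment such as `/* Debug statistics only: number of SepSidInToken calls */` would keep the next reader from treating it as state that needs protection. SepInitExports begins in this hunk and continues past its end.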
@ -118,6 +120,7 @@ NTAPI
SepInitializationPhase1(VOID)
{
NTSTATUS Status;
PAGED_CODE();
/* Insert the system token into the tree */
@ -279,8 +282,6 @@ SeDefaultObjectMethod(IN PVOID Object,
return STATUS_SUCCESS;
}
ULONG SidInTokenCalls = 0;
static BOOLEAN
SepSidInToken(PACCESS_TOKEN _Token,
PSID Sid)
@ -292,7 +293,7 @@ SepSidInToken(PACCESS_TOKEN _Token,
SidInTokenCalls++;
if (!(SidInTokenCalls % 10000)) DPRINT1("SidInToken Calls: %d\n", SidInTokenCalls);
if (Token->UserAndGroupCount == 0)
{
return FALSE;
@ -340,7 +341,8 @@ SepTokenIsOwner(PACCESS_TOKEN Token,
return SepSidInToken(Token, Sid);
}
VOID NTAPI
VOID
NTAPI
SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
OUT PACCESS_MASK DesiredAccess)
{
@ -351,13 +353,15 @@ SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
{
*DesiredAccess |= READ_CONTROL;
}
if (SecurityInformation & SACL_SECURITY_INFORMATION)
{
*DesiredAccess |= ACCESS_SYSTEM_SECURITY;
}
}
VOID NTAPI
VOID
NTAPI
SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
OUT PACCESS_MASK DesiredAccess)
{
@ -367,10 +371,12 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
{
*DesiredAccess |= WRITE_OWNER;
}
if (SecurityInformation & DACL_SECURITY_INFORMATION)
{
*DesiredAccess |= WRITE_DAC;
}
if (SecurityInformation & SACL_SECURITY_INFORMATION)
{
*DesiredAccess |= ACCESS_SYSTEM_SECURITY;
@ -494,7 +500,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
{
*GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
}
*AccessStatus = STATUS_SUCCESS;
return TRUE;
}
@ -763,7 +769,8 @@ SepGetSDGroup(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
/*
* @implemented
*/
BOOLEAN NTAPI
BOOLEAN
NTAPI
SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
IN BOOLEAN SubjectContextLocked,


@ -99,11 +99,11 @@ SepInitSecurityIDs(VOID)
ULONG SidLength1;
ULONG SidLength2;
PULONG SubAuthority;
SidLength0 = RtlLengthRequiredSid(0);
SidLength1 = RtlLengthRequiredSid(1);
SidLength2 = RtlLengthRequiredSid(2);
/* create NullSid */
SeNullSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeWorldSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
@ -150,9 +150,9 @@ SepInitSecurityIDs(VOID)
SeAnonymousLogonSid == NULL)
{
FreeInitializedSids();
return(FALSE);
return FALSE;
}
RtlInitializeSid(SeNullSid, &SeNullSidAuthority, 1);
RtlInitializeSid(SeWorldSid, &SeWorldSidAuthority, 1);
RtlInitializeSid(SeLocalSid, &SeLocalSidAuthority, 1);
@ -181,7 +181,7 @@ SepInitSecurityIDs(VOID)
RtlInitializeSid(SeAuthenticatedUsersSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeRestrictedSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeAnonymousLogonSid, &SeNtSidAuthority, 1);
SubAuthority = RtlSubAuthoritySid(SeNullSid, 0);
*SubAuthority = SECURITY_NULL_RID;
SubAuthority = RtlSubAuthoritySid(SeWorldSid, 0);
@ -252,8 +252,8 @@ SepInitSecurityIDs(VOID)
*SubAuthority = SECURITY_RESTRICTED_CODE_RID;
SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, 0);
*SubAuthority = SECURITY_ANONYMOUS_LOGON_RID;
return(TRUE);
return TRUE;
}
NTSTATUS
@ -267,9 +267,9 @@ SepCaptureSid(IN PSID InputSid,
ULONG SidSize = 0;
PISID NewSid, Sid = (PISID)InputSid;
NTSTATUS Status;
PAGED_CODE();
if (AccessMode != KernelMode)
{
_SEH2_TRY
@ -289,11 +289,11 @@ SepCaptureSid(IN PSID InputSid,
_SEH2_YIELD(return _SEH2_GetExceptionCode());
}
_SEH2_END;
/* allocate a SID and copy it */
NewSid = ExAllocatePool(PoolType,
SidSize);
if(NewSid != NULL)
if (NewSid != NULL)
{
_SEH2_TRY
{
@ -316,7 +316,7 @@ SepCaptureSid(IN PSID InputSid,
Status = STATUS_INSUFFICIENT_RESOURCES;
}
}
else if(!CaptureIfKernel)
else if (!CaptureIfKernel)
{
*CapturedSid = InputSid;
return STATUS_SUCCESS;
@ -324,16 +324,16 @@ SepCaptureSid(IN PSID InputSid,
else
{
SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
/* allocate a SID and copy it */
NewSid = ExAllocatePool(PoolType,
SidSize);
if(NewSid != NULL)
if (NewSid != NULL)
{
RtlCopyMemory(NewSid,
Sid,
SidSize);
*CapturedSid = NewSid;
}
else
@ -341,7 +341,7 @@ SepCaptureSid(IN PSID InputSid,
Status = STATUS_INSUFFICIENT_RESOURCES;
}
}
return Status;
}
@ -352,10 +352,10 @@ SepReleaseSid(IN PSID CapturedSid,
IN BOOLEAN CaptureIfKernel)
{
PAGED_CODE();
if(CapturedSid != NULL &&
(AccessMode != KernelMode ||
(AccessMode == KernelMode && CaptureIfKernel)))
if (CapturedSid != NULL &&
(AccessMode != KernelMode ||
(AccessMode == KernelMode && CaptureIfKernel)))
{
ExFreePool(CapturedSid);
}
