[FORMATTING]

No code changes.

svn path=/trunk/; revision=47383
Eric Kohl 2010-05-28 16:28:27 +00:00
parent 4e25539b71
commit f0910f33d3
9 changed files with 856 additions and 827 deletions


@ -30,11 +30,12 @@ SeCaptureSubjectContextEx(IN PETHREAD Thread,
OUT PSECURITY_SUBJECT_CONTEXT SubjectContext) OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
{ {
BOOLEAN CopyOnOpen, EffectiveOnly; BOOLEAN CopyOnOpen, EffectiveOnly;
PAGED_CODE(); PAGED_CODE();
/* Save the unique ID */ /* Save the unique ID */
SubjectContext->ProcessAuditId = Process->UniqueProcessId; SubjectContext->ProcessAuditId = Process->UniqueProcessId;
/* Check if we have a thread */ /* Check if we have a thread */
if (!Thread) if (!Thread)
{ {
@ -49,7 +50,7 @@ SeCaptureSubjectContextEx(IN PETHREAD Thread,
&EffectiveOnly, &EffectiveOnly,
&SubjectContext->ImpersonationLevel); &SubjectContext->ImpersonationLevel);
} }
/* Get the primary token */ /* Get the primary token */
SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process); SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
} }
@ -75,7 +76,7 @@ NTAPI
SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext) SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{ {
PAGED_CODE(); PAGED_CODE();
KeEnterCriticalRegion(); KeEnterCriticalRegion();
ExAcquireResourceExclusiveLite(&SepSubjectContextLock, TRUE); ExAcquireResourceExclusiveLite(&SepSubjectContextLock, TRUE);
} }
@ -88,7 +89,7 @@ NTAPI
SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext) SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{ {
PAGED_CODE(); PAGED_CODE();
ExReleaseResourceLite(&SepSubjectContextLock); ExReleaseResourceLite(&SepSubjectContextLock);
KeLeaveCriticalRegion(); KeLeaveCriticalRegion();
} }
@ -101,12 +102,12 @@ NTAPI
SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext) SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{ {
PAGED_CODE(); PAGED_CODE();
if (SubjectContext->PrimaryToken != NULL) if (SubjectContext->PrimaryToken != NULL)
{ {
ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken); ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
} }
if (SubjectContext->ClientToken != NULL) if (SubjectContext->ClientToken != NULL)
{ {
ObDereferenceObject(SubjectContext->ClientToken); ObDereferenceObject(SubjectContext->ClientToken);
@ -127,6 +128,7 @@ SeCreateAccessStateEx(IN PETHREAD Thread,
{ {
ACCESS_MASK AccessMask = Access; ACCESS_MASK AccessMask = Access;
PTOKEN Token; PTOKEN Token;
PAGED_CODE(); PAGED_CODE();
/* Map the Generic Acess to Specific Access if we have a Mapping */ /* Map the Generic Acess to Specific Access if we have a Mapping */
@ -150,9 +152,9 @@ SeCreateAccessStateEx(IN PETHREAD Thread,
ExpAllocateLocallyUniqueId(&AccessState->OperationID); ExpAllocateLocallyUniqueId(&AccessState->OperationID);
/* Get the Token to use */ /* Get the Token to use */
Token = AccessState->SubjectSecurityContext.ClientToken ? Token = AccessState->SubjectSecurityContext.ClientToken ?
(PTOKEN)&AccessState->SubjectSecurityContext.ClientToken : (PTOKEN)&AccessState->SubjectSecurityContext.ClientToken :
(PTOKEN)&AccessState->SubjectSecurityContext.PrimaryToken; (PTOKEN)&AccessState->SubjectSecurityContext.PrimaryToken;
/* Check for Travers Privilege */ /* Check for Travers Privilege */
if (Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE) if (Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE)
@ -200,6 +202,7 @@ NTAPI
SeDeleteAccessState(IN PACCESS_STATE AccessState) SeDeleteAccessState(IN PACCESS_STATE AccessState)
{ {
PAUX_ACCESS_DATA AuxData; PAUX_ACCESS_DATA AuxData;
PAGED_CODE(); PAGED_CODE();
/* Get the Auxiliary Data */ /* Get the Auxiliary Data */
@ -213,7 +216,8 @@ SeDeleteAccessState(IN PACCESS_STATE AccessState)
{ {
ExFreePool(AccessState->ObjectName.Buffer); ExFreePool(AccessState->ObjectName.Buffer);
} }
if (AccessState->ObjectTypeName.Buffer)
if (AccessState->ObjectTypeName.Buffer)
{ {
ExFreePool(AccessState->ObjectTypeName.Buffer); ExFreePool(AccessState->ObjectTypeName.Buffer);
} }
@ -252,8 +256,9 @@ SeCreateClientSecurity(IN PETHREAD Thread,
PACCESS_TOKEN Token; PACCESS_TOKEN Token;
NTSTATUS Status; NTSTATUS Status;
PACCESS_TOKEN NewToken; PACCESS_TOKEN NewToken;
PAGED_CODE(); PAGED_CODE();
Token = PsReferenceEffectiveToken(Thread, Token = PsReferenceEffectiveToken(Thread,
&TokenType, &TokenType,
&ThreadEffectiveOnly, &ThreadEffectiveOnly,
@ -269,7 +274,7 @@ SeCreateClientSecurity(IN PETHREAD Thread,
if (Token) ObDereferenceObject(Token); if (Token) ObDereferenceObject(Token);
return STATUS_BAD_IMPERSONATION_LEVEL; return STATUS_BAD_IMPERSONATION_LEVEL;
} }
if ((ImpersonationLevel == SecurityAnonymous) || if ((ImpersonationLevel == SecurityAnonymous) ||
(ImpersonationLevel == SecurityIdentification) || (ImpersonationLevel == SecurityIdentification) ||
((RemoteClient) && (ImpersonationLevel != SecurityDelegation))) ((RemoteClient) && (ImpersonationLevel != SecurityDelegation)))
@ -277,12 +282,11 @@ SeCreateClientSecurity(IN PETHREAD Thread,
if (Token) ObDereferenceObject(Token); if (Token) ObDereferenceObject(Token);
return STATUS_BAD_IMPERSONATION_LEVEL; return STATUS_BAD_IMPERSONATION_LEVEL;
} }
ClientContext->DirectAccessEffectiveOnly = ((ThreadEffectiveOnly) || ClientContext->DirectAccessEffectiveOnly = ((ThreadEffectiveOnly) ||
(Qos->EffectiveOnly)) ? (Qos->EffectiveOnly)) ? TRUE : FALSE;
TRUE : FALSE;
} }
if (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING) if (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
{ {
ClientContext->DirectlyAccessClientToken = FALSE; ClientContext->DirectlyAccessClientToken = FALSE;
@ -299,10 +303,10 @@ SeCreateClientSecurity(IN PETHREAD Thread,
&ClientContext->ClientTokenControl); &ClientContext->ClientTokenControl);
#endif #endif
} }
NewToken = Token; NewToken = Token;
} }
ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
ClientContext->SecurityQos.ImpersonationLevel = Qos->ImpersonationLevel; ClientContext->SecurityQos.ImpersonationLevel = Qos->ImpersonationLevel;
ClientContext->SecurityQos.ContextTrackingMode = Qos->ContextTrackingMode; ClientContext->SecurityQos.ContextTrackingMode = Qos->ContextTrackingMode;
@ -347,9 +351,9 @@ SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext,
IN PETHREAD ServerThread OPTIONAL) IN PETHREAD ServerThread OPTIONAL)
{ {
UCHAR b; UCHAR b;
PAGED_CODE(); PAGED_CODE();
if (ClientContext->DirectlyAccessClientToken == FALSE) if (ClientContext->DirectlyAccessClientToken == FALSE)
{ {
b = ClientContext->SecurityQos.EffectiveOnly; b = ClientContext->SecurityQos.EffectiveOnly;
@ -358,10 +362,12 @@ SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext,
{ {
b = ClientContext->DirectAccessEffectiveOnly; b = ClientContext->DirectAccessEffectiveOnly;
} }
if (ServerThread == NULL) if (ServerThread == NULL)
{ {
ServerThread = PsGetCurrentThread(); ServerThread = PsGetCurrentThread();
} }
PsImpersonateClient(ServerThread, PsImpersonateClient(ServerThread,
ClientContext->ClientToken, ClientContext->ClientToken,
1, 1,
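Review bot: In SeCreateAccessStateEx the token selection `Token = AccessState->SubjectSecurityContext.ClientToken ? (PTOKEN)&AccessState->SubjectSecurityContext.ClientToken : (PTOKEN)&AccessState->SubjectSecurityContext.PrimaryToken;` casts the address of the pointer field, not the pointer it holds, so the following `Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE` test appears to read memory inside the subject context rather than the token; the formatting pass re-indents these lines without touching the defect. Dropping the `&` on both branches, `(PTOKEN)AccessState->SubjectSecurityContext.ClientToken` and `(PTOKEN)AccessState->SubjectSecurityContext.PrimaryToken`, gives the intended object. Because this flag decides whether traverse checking is bypassed for the access state, the consequence is an access decision based on the wrong data rather than a crash, which is why it is worth fixing before the next functional change. SeCreateAccessStateEx begins before this hunk and continues after it.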


@ -34,189 +34,188 @@ NTAPI
SepInitDACLs(VOID) SepInitDACLs(VOID)
{ {
ULONG AclLength; ULONG AclLength;
/* create PublicDefaultDacl */ /* create PublicDefaultDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)); (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool, SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SePublicDefaultDacl == NULL) if (SePublicDefaultDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SePublicDefaultDacl, RtlCreateAcl(SePublicDefaultDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SePublicDefaultDacl, RtlAddAccessAllowedAce(SePublicDefaultDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_EXECUTE, GENERIC_EXECUTE,
SeWorldSid); SeWorldSid);
RtlAddAccessAllowedAce(SePublicDefaultDacl, RtlAddAccessAllowedAce(SePublicDefaultDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
/* create PublicDefaultUnrestrictedDacl */ /* create PublicDefaultUnrestrictedDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SePublicDefaultUnrestrictedDacl == NULL) if (SePublicDefaultUnrestrictedDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SePublicDefaultUnrestrictedDacl, RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_EXECUTE, GENERIC_EXECUTE,
SeWorldSid); SeWorldSid);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeAliasAdminsSid); SeAliasAdminsSid);
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL, GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
SeRestrictedCodeSid); SeRestrictedCodeSid);
/* create PublicOpenDacl */ /* create PublicOpenDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)); (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool, SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SePublicOpenDacl == NULL) if (SePublicOpenDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SePublicOpenDacl, RtlCreateAcl(SePublicOpenDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SePublicOpenDacl, RtlAddAccessAllowedAce(SePublicOpenDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE, GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
SeWorldSid); SeWorldSid);
RtlAddAccessAllowedAce(SePublicOpenDacl, RtlAddAccessAllowedAce(SePublicOpenDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
RtlAddAccessAllowedAce(SePublicOpenDacl, RtlAddAccessAllowedAce(SePublicOpenDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeAliasAdminsSid); SeAliasAdminsSid);
/* create PublicOpenUnrestrictedDacl */ /* create PublicOpenUnrestrictedDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SePublicOpenUnrestrictedDacl == NULL) if (SePublicOpenUnrestrictedDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SePublicOpenUnrestrictedDacl, RtlCreateAcl(SePublicOpenUnrestrictedDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeWorldSid); SeWorldSid);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeAliasAdminsSid); SeAliasAdminsSid);
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE, GENERIC_READ | GENERIC_EXECUTE,
SeRestrictedCodeSid); SeRestrictedCodeSid);
/* create SystemDefaultDacl */ /* create SystemDefaultDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)); (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool, SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SeSystemDefaultDacl == NULL) if (SeSystemDefaultDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SeSystemDefaultDacl, RtlCreateAcl(SeSystemDefaultDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SeSystemDefaultDacl, RtlAddAccessAllowedAce(SeSystemDefaultDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
RtlAddAccessAllowedAce(SeSystemDefaultDacl, RtlAddAccessAllowedAce(SeSystemDefaultDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL, GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
SeAliasAdminsSid); SeAliasAdminsSid);
/* create UnrestrictedDacl */ /* create UnrestrictedDacl */
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
AclLength, AclLength,
TAG_ACL); TAG_ACL);
if (SeUnrestrictedDacl == NULL) if (SeUnrestrictedDacl == NULL)
return FALSE; return FALSE;
RtlCreateAcl(SeUnrestrictedDacl, RtlCreateAcl(SeUnrestrictedDacl,
AclLength, AclLength,
ACL_REVISION); ACL_REVISION);
RtlAddAccessAllowedAce(SeUnrestrictedDacl, RtlAddAccessAllowedAce(SeUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_ALL, GENERIC_ALL,
SeWorldSid); SeWorldSid);
RtlAddAccessAllowedAce(SeUnrestrictedDacl, RtlAddAccessAllowedAce(SeUnrestrictedDacl,
ACL_REVISION, ACL_REVISION,
GENERIC_READ | GENERIC_EXECUTE, GENERIC_READ | GENERIC_EXECUTE,
SeRestrictedCodeSid); SeRestrictedCodeSid);
return(TRUE); return TRUE;
} }
NTSTATUS NTAPI NTSTATUS NTAPI
@ -226,22 +225,22 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
{ {
ULONG AclLength; ULONG AclLength;
PVOID TokenDacl; PVOID TokenDacl;
PAGED_CODE(); PAGED_CODE();
AclLength = sizeof(ACL) + AclLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) + (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
(sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) + (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
(sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid)); (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL); TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
if (TokenDacl == NULL) if (TokenDacl == NULL)
{ {
return STATUS_INSUFFICIENT_RESOURCES; return STATUS_INSUFFICIENT_RESOURCES;
} }
RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION); RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
Token->UserAndGroups->Sid); Token->UserAndGroups->Sid);
@ -251,7 +250,7 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
SeAliasAdminsSid); SeAliasAdminsSid);
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
SeLocalSystemSid); SeLocalSystemSid);
/* FIXME */ /* FIXME */
#if 0 #if 0
if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL) if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
@ -260,7 +259,7 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
SeRestrictedCodeSid); SeRestrictedCodeSid);
} }
#endif #endif
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
@ -275,9 +274,9 @@ SepCaptureAcl(IN PACL InputAcl,
PACL NewAcl; PACL NewAcl;
ULONG AclSize = 0; ULONG AclSize = 0;
NTSTATUS Status = STATUS_SUCCESS; NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE(); PAGED_CODE();
if (AccessMode != KernelMode) if (AccessMode != KernelMode)
{ {
_SEH2_TRY _SEH2_TRY
@ -296,10 +295,10 @@ SepCaptureAcl(IN PACL InputAcl,
_SEH2_YIELD(return _SEH2_GetExceptionCode()); _SEH2_YIELD(return _SEH2_GetExceptionCode());
} }
_SEH2_END; _SEH2_END;
NewAcl = ExAllocatePool(PoolType, NewAcl = ExAllocatePool(PoolType,
AclSize); AclSize);
if(NewAcl != NULL) if (NewAcl != NULL)
{ {
_SEH2_TRY _SEH2_TRY
{ {
@ -322,23 +321,23 @@ SepCaptureAcl(IN PACL InputAcl,
Status = STATUS_INSUFFICIENT_RESOURCES; Status = STATUS_INSUFFICIENT_RESOURCES;
} }
} }
else if(!CaptureIfKernel) else if (!CaptureIfKernel)
{ {
*CapturedAcl = InputAcl; *CapturedAcl = InputAcl;
} }
else else
{ {
AclSize = InputAcl->AclSize; AclSize = InputAcl->AclSize;
NewAcl = ExAllocatePool(PoolType, NewAcl = ExAllocatePool(PoolType,
AclSize); AclSize);
if(NewAcl != NULL) if (NewAcl != NULL)
{ {
RtlCopyMemory(NewAcl, RtlCopyMemory(NewAcl,
InputAcl, InputAcl,
AclSize); AclSize);
*CapturedAcl = NewAcl; *CapturedAcl = NewAcl;
} }
else else
@ -346,7 +345,7 @@ SepCaptureAcl(IN PACL InputAcl,
Status = STATUS_INSUFFICIENT_RESOURCES; Status = STATUS_INSUFFICIENT_RESOURCES;
} }
} }
return Status; return Status;
} }
@ -357,10 +356,10 @@ SepReleaseAcl(IN PACL CapturedAcl,
IN BOOLEAN CaptureIfKernel) IN BOOLEAN CaptureIfKernel)
{ {
PAGED_CODE(); PAGED_CODE();
if(CapturedAcl != NULL && if (CapturedAcl != NULL &&
(AccessMode != KernelMode || (AccessMode != KernelMode ||
(AccessMode == KernelMode && CaptureIfKernel))) (AccessMode == KernelMode && CaptureIfKernel)))
{ {
ExFreePool(CapturedAcl); ExFreePool(CapturedAcl);
} }
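Review bot: The condition in SepReleaseAcl, `(AccessMode != KernelMode || (AccessMode == KernelMode && CaptureIfKernel))`, carries a redundant `AccessMode == KernelMode` term, since the second disjunct is only evaluated when the first is false; `if (CapturedAcl != NULL && (AccessMode != KernelMode || CaptureIfKernel))` is equivalent and is the form SeReleaseLuidAndAttributesArray already uses later in this same commit, so the two release paths would read alike. As the commit is declared formatting-only this is a one-line follow-up rather than something to fold in here. Separately, SepInitDACLs returns FALSE on an allocation failure without freeing the DACLs allocated earlier in the function and ignores the status of RtlCreateAcl and RtlAddAccessAllowedAce; presumably acceptable for a boot-time initializer whose failure is fatal, but a comment such as `/* Failure here is fatal to boot; earlier DACLs are intentionally not freed */` would record that assumption.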


@ -4,7 +4,7 @@
* FILE: ntoskrnl/se/audit.c * FILE: ntoskrnl/se/audit.c
* PURPOSE: Audit functions * PURPOSE: Audit functions
* *
* PROGRAMMERS: Eric Kohl <eric.kohl@t-online.de> * PROGRAMMERS: Eric Kohl
*/ */
/* INCLUDES *******************************************************************/ /* INCLUDES *******************************************************************/
@ -47,6 +47,7 @@ SeInitializeProcessAuditName(IN PFILE_OBJECT FileObject,
POBJECT_NAME_INFORMATION ObjectNameInfo = NULL; POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
ULONG ReturnLength = 8; ULONG ReturnLength = 8;
NTSTATUS Status; NTSTATUS Status;
PAGED_CODE(); PAGED_CODE();
ASSERT(AuditInfo); ASSERT(AuditInfo);
@ -120,6 +121,7 @@ SeLocateProcessImageName(IN PEPROCESS Process,
PUNICODE_STRING ImageName; PUNICODE_STRING ImageName;
PFILE_OBJECT FileObject; PFILE_OBJECT FileObject;
NTSTATUS Status = STATUS_SUCCESS; NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE(); PAGED_CODE();
/* Assume failure */ /* Assume failure */
@ -189,7 +191,7 @@ SeAuditHardLinkCreation(IN PUNICODE_STRING FileName,
IN PUNICODE_STRING LinkName, IN PUNICODE_STRING LinkName,
IN BOOLEAN bSuccess) IN BOOLEAN bSuccess)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
} }
/* /*
@ -200,8 +202,8 @@ NTAPI
SeAuditingFileEvents(IN BOOLEAN AccessGranted, SeAuditingFileEvents(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor) IN PSECURITY_DESCRIPTOR SecurityDescriptor)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return FALSE; return FALSE;
} }
/* /*
@ -213,8 +215,8 @@ SeAuditingFileEventsWithContext(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL) IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return FALSE; return FALSE;
} }
/* /*
@ -225,8 +227,8 @@ NTAPI
SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted, SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor) IN PSECURITY_DESCRIPTOR SecurityDescriptor)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return FALSE; return FALSE;
} }
/* /*
@ -238,8 +240,8 @@ SeAuditingHardLinkEventsWithContext(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL) IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return FALSE; return FALSE;
} }
/* /*
@ -251,8 +253,8 @@ SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted,
IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext) IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return FALSE; return FALSE;
} }
/* /*
@ -260,13 +262,11 @@ SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted,
*/ */
VOID VOID
NTAPI NTAPI
SeCloseObjectAuditAlarm( SeCloseObjectAuditAlarm(IN PVOID Object,
IN PVOID Object,
IN HANDLE Handle, IN HANDLE Handle,
IN BOOLEAN PerformAction IN BOOLEAN PerformAction)
)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
} }
/* /*
@ -295,10 +295,10 @@ SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
OUT PBOOLEAN GenerateOnClose) OUT PBOOLEAN GenerateOnClose)
{ {
PAGED_CODE(); PAGED_CODE();
/* Audits aren't done on kernel-mode access */ /* Audits aren't done on kernel-mode access */
if (AccessMode == KernelMode) return; if (AccessMode == KernelMode) return;
/* Otherwise, unimplemented! */ /* Otherwise, unimplemented! */
//UNIMPLEMENTED; //UNIMPLEMENTED;
return; return;
@ -333,7 +333,7 @@ SePrivilegeObjectAuditAlarm(IN HANDLE Handle,
IN BOOLEAN AccessGranted, IN BOOLEAN AccessGranted,
IN KPROCESSOR_MODE CurrentMode) IN KPROCESSOR_MODE CurrentMode)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
} }
/* SYSTEM CALLS ***************************************************************/ /* SYSTEM CALLS ***************************************************************/
@ -363,7 +363,7 @@ NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN BOOLEAN GenerateOnClose) IN BOOLEAN GenerateOnClose)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED); return STATUS_NOT_IMPLEMENTED;
} }
@ -373,7 +373,7 @@ NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN BOOLEAN GenerateOnClose) IN BOOLEAN GenerateOnClose)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED); return STATUS_NOT_IMPLEMENTED;
} }
@ -392,7 +392,7 @@ NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
OUT PBOOLEAN GenerateOnClose) OUT PBOOLEAN GenerateOnClose)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED); return STATUS_NOT_IMPLEMENTED;
} }
@ -404,7 +404,7 @@ NtPrivilegedServiceAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN BOOLEAN AccessGranted) IN BOOLEAN AccessGranted)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED); return STATUS_NOT_IMPLEMENTED;
} }
@ -417,7 +417,7 @@ NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
IN BOOLEAN AccessGranted) IN BOOLEAN AccessGranted)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return(STATUS_NOT_IMPLEMENTED); return STATUS_NOT_IMPLEMENTED;
} }
/* EOF */ /* EOF */
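Review bot: SeOpenObjectAuditAlarm returns on both paths without writing its `OUT PBOOLEAN GenerateOnClose` parameter, so a caller that honours the OUT contract reads an indeterminate value and may or may not later attempt a close audit; the reformatted body keeps this. A single `*GenerateOnClose = FALSE;` ahead of the kernel-mode early return would make the stub deterministic. The `//UNIMPLEMENTED;` left commented out also means that, unlike the other stubs in this file, user-mode callers get neither an audit record nor a diagnostic; a comment such as `/* Auditing is not implemented: no audit record is generated for user-mode opens */` would make that visible to readers. The start of SeOpenObjectAuditAlarm's parameter list and its closing brace lie outside the hunk.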


@ -110,8 +110,8 @@ NTSTATUS
NTAPI NTAPI
SeMarkLogonSessionForTerminationNotification(IN PLUID LogonId) SeMarkLogonSessionForTerminationNotification(IN PLUID LogonId)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
} }
/* /*
@ -121,8 +121,8 @@ NTSTATUS
NTAPI NTAPI
SeRegisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine) SeRegisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
} }
/* /*
@ -132,8 +132,8 @@ NTSTATUS
NTAPI NTAPI
SeUnregisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine) SeUnregisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
{ {
UNIMPLEMENTED; UNIMPLEMENTED;
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
} }
/* EOF */ /* EOF */


@ -51,7 +51,7 @@ LUID SeEnableDelegationPrivilege;
VOID VOID
INIT_FUNCTION INIT_FUNCTION
NTAPI NTAPI
SepInitPrivileges (VOID) SepInitPrivileges(VOID)
{ {
SeCreateTokenPrivilege.LowPart = SE_CREATE_TOKEN_PRIVILEGE; SeCreateTokenPrivilege.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
SeCreateTokenPrivilege.HighPart = 0; SeCreateTokenPrivilege.HighPart = 0;
@ -110,25 +110,25 @@ SepInitPrivileges (VOID)
BOOLEAN BOOLEAN
NTAPI NTAPI
SepPrivilegeCheck (PTOKEN Token, SepPrivilegeCheck(PTOKEN Token,
PLUID_AND_ATTRIBUTES Privileges, PLUID_AND_ATTRIBUTES Privileges,
ULONG PrivilegeCount, ULONG PrivilegeCount,
ULONG PrivilegeControl, ULONG PrivilegeControl,
KPROCESSOR_MODE PreviousMode) KPROCESSOR_MODE PreviousMode)
{ {
ULONG i; ULONG i;
ULONG j; ULONG j;
ULONG k; ULONG k;
DPRINT ("SepPrivilegeCheck() called\n"); DPRINT("SepPrivilegeCheck() called\n");
PAGED_CODE(); PAGED_CODE();
if (PreviousMode == KernelMode) if (PreviousMode == KernelMode)
{ {
return TRUE; return TRUE;
} }
k = 0; k = 0;
if (PrivilegeCount > 0) if (PrivilegeCount > 0)
{ {
@ -139,10 +139,10 @@ SepPrivilegeCheck (PTOKEN Token,
if (Token->Privileges[i].Luid.LowPart == Privileges[j].Luid.LowPart && if (Token->Privileges[i].Luid.LowPart == Privileges[j].Luid.LowPart &&
Token->Privileges[i].Luid.HighPart == Privileges[j].Luid.HighPart) Token->Privileges[i].Luid.HighPart == Privileges[j].Luid.HighPart)
{ {
DPRINT ("Found privilege\n"); DPRINT("Found privilege\n");
DPRINT ("Privilege attributes %lx\n", DPRINT("Privilege attributes %lx\n",
Token->Privileges[i].Attributes); Token->Privileges[i].Attributes);
if (Token->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED) if (Token->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED)
{ {
Privileges[j].Attributes |= SE_PRIVILEGE_USED_FOR_ACCESS; Privileges[j].Attributes |= SE_PRIVILEGE_USED_FOR_ACCESS;
@ -152,58 +152,58 @@ SepPrivilegeCheck (PTOKEN Token,
} }
} }
} }
if ((PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY) && if ((PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY) &&
PrivilegeCount == k) PrivilegeCount == k)
{ {
return TRUE; return TRUE;
} }
if (k > 0 && if (k > 0 &&
!(PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY)) !(PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY))
{ {
return TRUE; return TRUE;
} }
return FALSE; return FALSE;
} }
NTSTATUS NTSTATUS
NTAPI NTAPI
SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src, SeCaptureLuidAndAttributesArray(PLUID_AND_ATTRIBUTES Src,
ULONG PrivilegeCount, ULONG PrivilegeCount,
KPROCESSOR_MODE PreviousMode, KPROCESSOR_MODE PreviousMode,
PLUID_AND_ATTRIBUTES AllocatedMem, PLUID_AND_ATTRIBUTES AllocatedMem,
ULONG AllocatedLength, ULONG AllocatedLength,
POOL_TYPE PoolType, POOL_TYPE PoolType,
BOOLEAN CaptureIfKernel, BOOLEAN CaptureIfKernel,
PLUID_AND_ATTRIBUTES* Dest, PLUID_AND_ATTRIBUTES *Dest,
PULONG Length) PULONG Length)
{ {
ULONG BufferSize; ULONG BufferSize;
NTSTATUS Status = STATUS_SUCCESS; NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE(); PAGED_CODE();
if (PrivilegeCount == 0) if (PrivilegeCount == 0)
{ {
*Dest = 0; *Dest = 0;
*Length = 0; *Length = 0;
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
if (PreviousMode == KernelMode && !CaptureIfKernel) if (PreviousMode == KernelMode && !CaptureIfKernel)
{ {
*Dest = Src; *Dest = Src;
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
/* FIXME - check PrivilegeCount for a valid number so we don't /* FIXME - check PrivilegeCount for a valid number so we don't
cause an integer overflow or exhaust system resources! */ cause an integer overflow or exhaust system resources! */
BufferSize = PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES); BufferSize = PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
*Length = ROUND_UP(BufferSize, 4); /* round up to a 4 byte alignment */ *Length = ROUND_UP(BufferSize, 4); /* round up to a 4 byte alignment */
/* probe the buffer */ /* probe the buffer */
if (PreviousMode != KernelMode) if (PreviousMode != KernelMode)
{ {
@ -220,7 +220,7 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
} }
_SEH2_END; _SEH2_END;
} }
/* allocate enough memory or check if the provided buffer is /* allocate enough memory or check if the provided buffer is
large enough to hold the array */ large enough to hold the array */
if (AllocatedMem != NULL) if (AllocatedMem != NULL)
@ -229,14 +229,13 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
{ {
return STATUS_BUFFER_TOO_SMALL; return STATUS_BUFFER_TOO_SMALL;
} }
*Dest = AllocatedMem; *Dest = AllocatedMem;
} }
else else
{ {
*Dest = ExAllocatePool(PoolType, *Dest = ExAllocatePool(PoolType,
BufferSize); BufferSize);
if (*Dest == NULL) if (*Dest == NULL)
{ {
return STATUS_INSUFFICIENT_RESOURCES; return STATUS_INSUFFICIENT_RESOURCES;
@ -255,23 +254,23 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
Status = _SEH2_GetExceptionCode(); Status = _SEH2_GetExceptionCode();
} }
_SEH2_END; _SEH2_END;
if (!NT_SUCCESS(Status) && AllocatedMem == NULL) if (!NT_SUCCESS(Status) && AllocatedMem == NULL)
{ {
ExFreePool(*Dest); ExFreePool(*Dest);
} }
return Status; return Status;
} }
VOID VOID
NTAPI NTAPI
SeReleaseLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Privilege, SeReleaseLuidAndAttributesArray(PLUID_AND_ATTRIBUTES Privilege,
KPROCESSOR_MODE PreviousMode, KPROCESSOR_MODE PreviousMode,
BOOLEAN CaptureIfKernel) BOOLEAN CaptureIfKernel)
{ {
PAGED_CODE(); PAGED_CODE();
if (Privilege != NULL && if (Privilege != NULL &&
(PreviousMode != KernelMode || CaptureIfKernel)) (PreviousMode != KernelMode || CaptureIfKernel))
{ {
@ -307,15 +306,16 @@ SeFreePrivileges(IN PPRIVILEGE_SET Privileges)
/* /*
* @implemented * @implemented
*/ */
BOOLEAN NTAPI BOOLEAN
SePrivilegeCheck (PPRIVILEGE_SET Privileges, NTAPI
PSECURITY_SUBJECT_CONTEXT SubjectContext, SePrivilegeCheck(PPRIVILEGE_SET Privileges,
KPROCESSOR_MODE PreviousMode) PSECURITY_SUBJECT_CONTEXT SubjectContext,
KPROCESSOR_MODE PreviousMode)
{ {
PACCESS_TOKEN Token = NULL; PACCESS_TOKEN Token = NULL;
PAGED_CODE(); PAGED_CODE();
if (SubjectContext->ClientToken == NULL) if (SubjectContext->ClientToken == NULL)
{ {
Token = SubjectContext->PrimaryToken; Token = SubjectContext->PrimaryToken;
@ -328,58 +328,60 @@ SePrivilegeCheck (PPRIVILEGE_SET Privileges,
return FALSE; return FALSE;
} }
} }
return SepPrivilegeCheck (Token, return SepPrivilegeCheck(Token,
Privileges->Privilege, Privileges->Privilege,
Privileges->PrivilegeCount, Privileges->PrivilegeCount,
Privileges->Control, Privileges->Control,
PreviousMode); PreviousMode);
} }
/* /*
* @implemented * @implemented
*/ */
BOOLEAN NTAPI BOOLEAN
SeSinglePrivilegeCheck (IN LUID PrivilegeValue, NTAPI
IN KPROCESSOR_MODE PreviousMode) SeSinglePrivilegeCheck(IN LUID PrivilegeValue,
IN KPROCESSOR_MODE PreviousMode)
{ {
SECURITY_SUBJECT_CONTEXT SubjectContext; SECURITY_SUBJECT_CONTEXT SubjectContext;
PRIVILEGE_SET Priv; PRIVILEGE_SET Priv;
BOOLEAN Result; BOOLEAN Result;
PAGED_CODE(); PAGED_CODE();
SeCaptureSubjectContext (&SubjectContext); SeCaptureSubjectContext(&SubjectContext);
Priv.PrivilegeCount = 1; Priv.PrivilegeCount = 1;
Priv.Control = PRIVILEGE_SET_ALL_NECESSARY; Priv.Control = PRIVILEGE_SET_ALL_NECESSARY;
Priv.Privilege[0].Luid = PrivilegeValue; Priv.Privilege[0].Luid = PrivilegeValue;
Priv.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED; Priv.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
Result = SePrivilegeCheck (&Priv, Result = SePrivilegeCheck(&Priv,
&SubjectContext, &SubjectContext,
PreviousMode); PreviousMode);
if (PreviousMode != KernelMode) if (PreviousMode != KernelMode)
{ {
#if 0 #if 0
SePrivilegedServiceAuditAlarm (0, SePrivilegedServiceAuditAlarm(0,
&SubjectContext, &SubjectContext,
&PrivilegeValue); &PrivilegeValue);
#endif #endif
} }
SeReleaseSubjectContext (&SubjectContext); SeReleaseSubjectContext(&SubjectContext);
return Result; return Result;
} }
/* SYSTEM CALLS ***************************************************************/ /* SYSTEM CALLS ***************************************************************/
NTSTATUS NTAPI NTSTATUS
NtPrivilegeCheck (IN HANDLE ClientToken, NTAPI
IN PPRIVILEGE_SET RequiredPrivileges, NtPrivilegeCheck(IN HANDLE ClientToken,
OUT PBOOLEAN Result) IN PPRIVILEGE_SET RequiredPrivileges,
OUT PBOOLEAN Result)
{ {
PLUID_AND_ATTRIBUTES Privileges; PLUID_AND_ATTRIBUTES Privileges;
PTOKEN Token; PTOKEN Token;
@ -389,11 +391,11 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
BOOLEAN CheckResult; BOOLEAN CheckResult;
KPROCESSOR_MODE PreviousMode; KPROCESSOR_MODE PreviousMode;
NTSTATUS Status; NTSTATUS Status;
PAGED_CODE(); PAGED_CODE();
PreviousMode = KeGetPreviousMode(); PreviousMode = KeGetPreviousMode();
/* probe the buffers */ /* probe the buffers */
if (PreviousMode != KernelMode) if (PreviousMode != KernelMode)
{ {
@ -403,10 +405,10 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
FIELD_OFFSET(PRIVILEGE_SET, FIELD_OFFSET(PRIVILEGE_SET,
Privilege), Privilege),
sizeof(ULONG)); sizeof(ULONG));
PrivilegeCount = RequiredPrivileges->PrivilegeCount; PrivilegeCount = RequiredPrivileges->PrivilegeCount;
PrivilegeControl = RequiredPrivileges->Control; PrivilegeControl = RequiredPrivileges->Control;
/* Check PrivilegeCount to avoid an integer overflow! */ /* Check PrivilegeCount to avoid an integer overflow! */
if (FIELD_OFFSET(PRIVILEGE_SET, if (FIELD_OFFSET(PRIVILEGE_SET,
Privilege[PrivilegeCount]) / Privilege[PrivilegeCount]) /
@ -414,13 +416,13 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
{ {
_SEH2_YIELD(return STATUS_INVALID_PARAMETER); _SEH2_YIELD(return STATUS_INVALID_PARAMETER);
} }
/* probe all of the array */ /* probe all of the array */
ProbeForWrite(RequiredPrivileges, ProbeForWrite(RequiredPrivileges,
FIELD_OFFSET(PRIVILEGE_SET, FIELD_OFFSET(PRIVILEGE_SET,
Privilege[PrivilegeCount]), Privilege[PrivilegeCount]),
sizeof(ULONG)); sizeof(ULONG));
ProbeForWriteBoolean(Result); ProbeForWriteBoolean(Result);
} }
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
@ -435,51 +437,51 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
PrivilegeCount = RequiredPrivileges->PrivilegeCount; PrivilegeCount = RequiredPrivileges->PrivilegeCount;
PrivilegeControl = RequiredPrivileges->Control; PrivilegeControl = RequiredPrivileges->Control;
} }
/* reference the token and make sure we're /* reference the token and make sure we're
not doing an anonymous impersonation */ not doing an anonymous impersonation */
Status = ObReferenceObjectByHandle (ClientToken, Status = ObReferenceObjectByHandle(ClientToken,
TOKEN_QUERY, TOKEN_QUERY,
SepTokenObjectType, SepTokenObjectType,
PreviousMode, PreviousMode,
(PVOID*)&Token, (PVOID*)&Token,
NULL); NULL);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
return Status; return Status;
} }
if (Token->TokenType == TokenImpersonation && if (Token->TokenType == TokenImpersonation &&
Token->ImpersonationLevel < SecurityIdentification) Token->ImpersonationLevel < SecurityIdentification)
{ {
ObDereferenceObject (Token); ObDereferenceObject(Token);
return STATUS_BAD_IMPERSONATION_LEVEL; return STATUS_BAD_IMPERSONATION_LEVEL;
} }
/* capture the privileges */ /* capture the privileges */
Status = SeCaptureLuidAndAttributesArray (RequiredPrivileges->Privilege, Status = SeCaptureLuidAndAttributesArray(RequiredPrivileges->Privilege,
PrivilegeCount, PrivilegeCount,
PreviousMode, PreviousMode,
NULL, NULL,
0, 0,
PagedPool, PagedPool,
TRUE, TRUE,
&Privileges, &Privileges,
&Length); &Length);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
ObDereferenceObject (Token); ObDereferenceObject (Token);
return Status; return Status;
} }
CheckResult = SepPrivilegeCheck (Token, CheckResult = SepPrivilegeCheck(Token,
Privileges, Privileges,
PrivilegeCount, PrivilegeCount,
PrivilegeControl, PrivilegeControl,
PreviousMode); PreviousMode);
ObDereferenceObject (Token); ObDereferenceObject(Token);
/* return the array */ /* return the array */
_SEH2_TRY _SEH2_TRY
{ {
@ -494,13 +496,12 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
Status = _SEH2_GetExceptionCode(); Status = _SEH2_GetExceptionCode();
} }
_SEH2_END; _SEH2_END;
SeReleaseLuidAndAttributesArray (Privileges, SeReleaseLuidAndAttributesArray(Privileges,
PreviousMode, PreviousMode,
TRUE); TRUE);
return Status; return Status;
} }
/* EOF */ /* EOF */



@ -17,13 +17,15 @@
PSE_EXPORTS SeExports = NULL; PSE_EXPORTS SeExports = NULL;
SE_EXPORTS SepExports; SE_EXPORTS SepExports;
ULONG SidInTokenCalls = 0;
extern ULONG ExpInitializationPhase; extern ULONG ExpInitializationPhase;
extern ERESOURCE SepSubjectContextLock; extern ERESOURCE SepSubjectContextLock;
/* PRIVATE FUNCTIONS **********************************************************/ /* PRIVATE FUNCTIONS **********************************************************/
static BOOLEAN INIT_FUNCTION static BOOLEAN
INIT_FUNCTION
SepInitExports(VOID) SepInitExports(VOID)
{ {
SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege; SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
@ -118,6 +120,7 @@ NTAPI
SepInitializationPhase1(VOID) SepInitializationPhase1(VOID)
{ {
NTSTATUS Status; NTSTATUS Status;
PAGED_CODE(); PAGED_CODE();
/* Insert the system token into the tree */ /* Insert the system token into the tree */
@ -279,8 +282,6 @@ SeDefaultObjectMethod(IN PVOID Object,
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
ULONG SidInTokenCalls = 0;
static BOOLEAN static BOOLEAN
SepSidInToken(PACCESS_TOKEN _Token, SepSidInToken(PACCESS_TOKEN _Token,
PSID Sid) PSID Sid)
@ -292,7 +293,7 @@ SepSidInToken(PACCESS_TOKEN _Token,
SidInTokenCalls++; SidInTokenCalls++;
if (!(SidInTokenCalls % 10000)) DPRINT1("SidInToken Calls: %d\n", SidInTokenCalls); if (!(SidInTokenCalls % 10000)) DPRINT1("SidInToken Calls: %d\n", SidInTokenCalls);
if (Token->UserAndGroupCount == 0) if (Token->UserAndGroupCount == 0)
{ {
return FALSE; return FALSE;
@ -340,7 +341,8 @@ SepTokenIsOwner(PACCESS_TOKEN Token,
return SepSidInToken(Token, Sid); return SepSidInToken(Token, Sid);
} }
VOID NTAPI VOID
NTAPI
SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation, SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
OUT PACCESS_MASK DesiredAccess) OUT PACCESS_MASK DesiredAccess)
{ {
@ -351,13 +353,15 @@ SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
{ {
*DesiredAccess |= READ_CONTROL; *DesiredAccess |= READ_CONTROL;
} }
if (SecurityInformation & SACL_SECURITY_INFORMATION) if (SecurityInformation & SACL_SECURITY_INFORMATION)
{ {
*DesiredAccess |= ACCESS_SYSTEM_SECURITY; *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
} }
} }
VOID NTAPI VOID
NTAPI
SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation, SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
OUT PACCESS_MASK DesiredAccess) OUT PACCESS_MASK DesiredAccess)
{ {
@ -367,10 +371,12 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
{ {
*DesiredAccess |= WRITE_OWNER; *DesiredAccess |= WRITE_OWNER;
} }
if (SecurityInformation & DACL_SECURITY_INFORMATION) if (SecurityInformation & DACL_SECURITY_INFORMATION)
{ {
*DesiredAccess |= WRITE_DAC; *DesiredAccess |= WRITE_DAC;
} }
if (SecurityInformation & SACL_SECURITY_INFORMATION) if (SecurityInformation & SACL_SECURITY_INFORMATION)
{ {
*DesiredAccess |= ACCESS_SYSTEM_SECURITY; *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
@ -494,7 +500,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
{ {
*GrantedAccess = DesiredAccess | PreviouslyGrantedAccess; *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
} }
*AccessStatus = STATUS_SUCCESS; *AccessStatus = STATUS_SUCCESS;
return TRUE; return TRUE;
} }
@ -763,7 +769,8 @@ SepGetSDGroup(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
/* /*
* @implemented * @implemented
*/ */
BOOLEAN NTAPI BOOLEAN
NTAPI
SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
IN BOOLEAN SubjectContextLocked, IN BOOLEAN SubjectContextLocked,
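Review bot: `ULONG SidInTokenCalls = 0;` is relocated to the top of the file but keeps external linkage, and the only use visible in this commit is the debug counter in SepSidInToken; unless another translation unit references it, `static ULONG SidInTokenCalls = 0;` keeps it out of the kernel's global namespace. The DPRINT1 in the SepSidInToken hunk formats that ULONG with `%d`; `DPRINT1("SidInToken Calls: %lu\n", SidInTokenCalls);` matches the type and satisfies -Wformat. The increment appears unsynchronized in the visible lines, which can only distort the debug count, but a one-line comment saying so would help if the counter is kept. SepSidInToken's body continues outside the hunk.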


@ -99,11 +99,11 @@ SepInitSecurityIDs(VOID)
ULONG SidLength1; ULONG SidLength1;
ULONG SidLength2; ULONG SidLength2;
PULONG SubAuthority; PULONG SubAuthority;
SidLength0 = RtlLengthRequiredSid(0); SidLength0 = RtlLengthRequiredSid(0);
SidLength1 = RtlLengthRequiredSid(1); SidLength1 = RtlLengthRequiredSid(1);
SidLength2 = RtlLengthRequiredSid(2); SidLength2 = RtlLengthRequiredSid(2);
/* create NullSid */ /* create NullSid */
SeNullSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeNullSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
SeWorldSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID); SeWorldSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
@ -150,9 +150,9 @@ SepInitSecurityIDs(VOID)
SeAnonymousLogonSid == NULL) SeAnonymousLogonSid == NULL)
{ {
FreeInitializedSids(); FreeInitializedSids();
return(FALSE); return FALSE;
} }
RtlInitializeSid(SeNullSid, &SeNullSidAuthority, 1); RtlInitializeSid(SeNullSid, &SeNullSidAuthority, 1);
RtlInitializeSid(SeWorldSid, &SeWorldSidAuthority, 1); RtlInitializeSid(SeWorldSid, &SeWorldSidAuthority, 1);
RtlInitializeSid(SeLocalSid, &SeLocalSidAuthority, 1); RtlInitializeSid(SeLocalSid, &SeLocalSidAuthority, 1);
@ -181,7 +181,7 @@ SepInitSecurityIDs(VOID)
RtlInitializeSid(SeAuthenticatedUsersSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeAuthenticatedUsersSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeRestrictedSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeRestrictedSid, &SeNtSidAuthority, 1);
RtlInitializeSid(SeAnonymousLogonSid, &SeNtSidAuthority, 1); RtlInitializeSid(SeAnonymousLogonSid, &SeNtSidAuthority, 1);
SubAuthority = RtlSubAuthoritySid(SeNullSid, 0); SubAuthority = RtlSubAuthoritySid(SeNullSid, 0);
*SubAuthority = SECURITY_NULL_RID; *SubAuthority = SECURITY_NULL_RID;
SubAuthority = RtlSubAuthoritySid(SeWorldSid, 0); SubAuthority = RtlSubAuthoritySid(SeWorldSid, 0);
@ -252,8 +252,8 @@ SepInitSecurityIDs(VOID)
*SubAuthority = SECURITY_RESTRICTED_CODE_RID; *SubAuthority = SECURITY_RESTRICTED_CODE_RID;
SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, 0); SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, 0);
*SubAuthority = SECURITY_ANONYMOUS_LOGON_RID; *SubAuthority = SECURITY_ANONYMOUS_LOGON_RID;
return(TRUE); return TRUE;
} }
NTSTATUS NTSTATUS
@ -267,9 +267,9 @@ SepCaptureSid(IN PSID InputSid,
ULONG SidSize = 0; ULONG SidSize = 0;
PISID NewSid, Sid = (PISID)InputSid; PISID NewSid, Sid = (PISID)InputSid;
NTSTATUS Status; NTSTATUS Status;
PAGED_CODE(); PAGED_CODE();
if (AccessMode != KernelMode) if (AccessMode != KernelMode)
{ {
_SEH2_TRY _SEH2_TRY
@ -289,11 +289,11 @@ SepCaptureSid(IN PSID InputSid,
_SEH2_YIELD(return _SEH2_GetExceptionCode()); _SEH2_YIELD(return _SEH2_GetExceptionCode());
} }
_SEH2_END; _SEH2_END;
/* allocate a SID and copy it */ /* allocate a SID and copy it */
NewSid = ExAllocatePool(PoolType, NewSid = ExAllocatePool(PoolType,
SidSize); SidSize);
if(NewSid != NULL) if (NewSid != NULL)
{ {
_SEH2_TRY _SEH2_TRY
{ {
@ -316,7 +316,7 @@ SepCaptureSid(IN PSID InputSid,
Status = STATUS_INSUFFICIENT_RESOURCES; Status = STATUS_INSUFFICIENT_RESOURCES;
} }
} }
else if(!CaptureIfKernel) else if (!CaptureIfKernel)
{ {
*CapturedSid = InputSid; *CapturedSid = InputSid;
return STATUS_SUCCESS; return STATUS_SUCCESS;
@ -324,16 +324,16 @@ SepCaptureSid(IN PSID InputSid,
else else
{ {
SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount); SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
/* allocate a SID and copy it */ /* allocate a SID and copy it */
NewSid = ExAllocatePool(PoolType, NewSid = ExAllocatePool(PoolType,
SidSize); SidSize);
if(NewSid != NULL) if (NewSid != NULL)
{ {
RtlCopyMemory(NewSid, RtlCopyMemory(NewSid,
Sid, Sid,
SidSize); SidSize);
*CapturedSid = NewSid; *CapturedSid = NewSid;
} }
else else
@ -341,7 +341,7 @@ SepCaptureSid(IN PSID InputSid,
Status = STATUS_INSUFFICIENT_RESOURCES; Status = STATUS_INSUFFICIENT_RESOURCES;
} }
} }
return Status; return Status;
} }
@ -352,10 +352,10 @@ SepReleaseSid(IN PSID CapturedSid,
IN BOOLEAN CaptureIfKernel) IN BOOLEAN CaptureIfKernel)
{ {
PAGED_CODE(); PAGED_CODE();
if(CapturedSid != NULL && if (CapturedSid != NULL &&
(AccessMode != KernelMode || (AccessMode != KernelMode ||
(AccessMode == KernelMode && CaptureIfKernel))) (AccessMode == KernelMode && CaptureIfKernel)))
{ {
ExFreePool(CapturedSid); ExFreePool(CapturedSid);
} }
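Review bot: The release condition in SepReleaseSid, `(AccessMode != KernelMode || (AccessMode == KernelMode && CaptureIfKernel))`, carries a redundant inner `AccessMode == KernelMode &&`; it is logically identical to `(AccessMode != KernelMode || CaptureIfKernel)`, which is also the form the SeReleaseLuidAndAttributesArray hunk earlier in this commit uses for the same decision. Separately, both SepCaptureSid allocations use untagged `ExAllocatePool(PoolType, SidSize)` while SepInitSecurityIDs tags its SID allocations with `TAG_SID`; `ExAllocatePoolWithTag(PoolType, SidSize, TAG_SID)` would keep pool accounting for captured SIDs consistent with the rest of the file, which matters when hunting leaks of user-supplied SIDs. Neither point changes behavior and both can follow in a separate commit.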
