mirror of
https://github.com/reactos/reactos.git
synced 2024-06-29 01:12:06 +00:00
[FORMATTING]
No code changes. svn path=/trunk/; revision=47383
parent
4e25539b71
commit
f0910f33d3
|
@ -30,11 +30,12 @@ SeCaptureSubjectContextEx(IN PETHREAD Thread,
|
||||||
OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
||||||
{
|
{
|
||||||
BOOLEAN CopyOnOpen, EffectiveOnly;
|
BOOLEAN CopyOnOpen, EffectiveOnly;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
/* Save the unique ID */
|
/* Save the unique ID */
|
||||||
SubjectContext->ProcessAuditId = Process->UniqueProcessId;
|
SubjectContext->ProcessAuditId = Process->UniqueProcessId;
|
||||||
|
|
||||||
/* Check if we have a thread */
|
/* Check if we have a thread */
|
||||||
if (!Thread)
|
if (!Thread)
|
||||||
{
|
{
|
||||||
|
@ -49,7 +50,7 @@ SeCaptureSubjectContextEx(IN PETHREAD Thread,
|
||||||
&EffectiveOnly,
|
&EffectiveOnly,
|
||||||
&SubjectContext->ImpersonationLevel);
|
&SubjectContext->ImpersonationLevel);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Get the primary token */
|
/* Get the primary token */
|
||||||
SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
|
SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
|
||||||
}
|
}
|
||||||
|
@ -75,7 +76,7 @@ NTAPI
|
||||||
SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
||||||
{
|
{
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
KeEnterCriticalRegion();
|
KeEnterCriticalRegion();
|
||||||
ExAcquireResourceExclusiveLite(&SepSubjectContextLock, TRUE);
|
ExAcquireResourceExclusiveLite(&SepSubjectContextLock, TRUE);
|
||||||
}
|
}
|
||||||
|
@ -88,7 +89,7 @@ NTAPI
|
||||||
SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
||||||
{
|
{
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
ExReleaseResourceLite(&SepSubjectContextLock);
|
ExReleaseResourceLite(&SepSubjectContextLock);
|
||||||
KeLeaveCriticalRegion();
|
KeLeaveCriticalRegion();
|
||||||
}
|
}
|
||||||
|
@ -101,12 +102,12 @@ NTAPI
|
||||||
SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
|
||||||
{
|
{
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
if (SubjectContext->PrimaryToken != NULL)
|
if (SubjectContext->PrimaryToken != NULL)
|
||||||
{
|
{
|
||||||
ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
|
ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SubjectContext->ClientToken != NULL)
|
if (SubjectContext->ClientToken != NULL)
|
||||||
{
|
{
|
||||||
ObDereferenceObject(SubjectContext->ClientToken);
|
ObDereferenceObject(SubjectContext->ClientToken);
|
||||||
|
@ -127,6 +128,7 @@ SeCreateAccessStateEx(IN PETHREAD Thread,
|
||||||
{
|
{
|
||||||
ACCESS_MASK AccessMask = Access;
|
ACCESS_MASK AccessMask = Access;
|
||||||
PTOKEN Token;
|
PTOKEN Token;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
/* Map the Generic Acess to Specific Access if we have a Mapping */
|
/* Map the Generic Acess to Specific Access if we have a Mapping */
|
||||||
|
@ -150,9 +152,9 @@ SeCreateAccessStateEx(IN PETHREAD Thread,
|
||||||
ExpAllocateLocallyUniqueId(&AccessState->OperationID);
|
ExpAllocateLocallyUniqueId(&AccessState->OperationID);
|
||||||
|
|
||||||
/* Get the Token to use */
|
/* Get the Token to use */
|
||||||
Token = AccessState->SubjectSecurityContext.ClientToken ?
|
Token = AccessState->SubjectSecurityContext.ClientToken ?
|
||||||
(PTOKEN)&AccessState->SubjectSecurityContext.ClientToken :
|
(PTOKEN)&AccessState->SubjectSecurityContext.ClientToken :
|
||||||
(PTOKEN)&AccessState->SubjectSecurityContext.PrimaryToken;
|
(PTOKEN)&AccessState->SubjectSecurityContext.PrimaryToken;
|
||||||
|
|
||||||
/* Check for Travers Privilege */
|
/* Check for Travers Privilege */
|
||||||
if (Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE)
|
if (Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE)
|
||||||
|
@ -200,6 +202,7 @@ NTAPI
|
||||||
SeDeleteAccessState(IN PACCESS_STATE AccessState)
|
SeDeleteAccessState(IN PACCESS_STATE AccessState)
|
||||||
{
|
{
|
||||||
PAUX_ACCESS_DATA AuxData;
|
PAUX_ACCESS_DATA AuxData;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
/* Get the Auxiliary Data */
|
/* Get the Auxiliary Data */
|
||||||
|
@ -213,7 +216,8 @@ SeDeleteAccessState(IN PACCESS_STATE AccessState)
|
||||||
{
|
{
|
||||||
ExFreePool(AccessState->ObjectName.Buffer);
|
ExFreePool(AccessState->ObjectName.Buffer);
|
||||||
}
|
}
|
||||||
if (AccessState->ObjectTypeName.Buffer)
|
|
||||||
|
if (AccessState->ObjectTypeName.Buffer)
|
||||||
{
|
{
|
||||||
ExFreePool(AccessState->ObjectTypeName.Buffer);
|
ExFreePool(AccessState->ObjectTypeName.Buffer);
|
||||||
}
|
}
|
||||||
|
@ -252,8 +256,9 @@ SeCreateClientSecurity(IN PETHREAD Thread,
|
||||||
PACCESS_TOKEN Token;
|
PACCESS_TOKEN Token;
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
PACCESS_TOKEN NewToken;
|
PACCESS_TOKEN NewToken;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
Token = PsReferenceEffectiveToken(Thread,
|
Token = PsReferenceEffectiveToken(Thread,
|
||||||
&TokenType,
|
&TokenType,
|
||||||
&ThreadEffectiveOnly,
|
&ThreadEffectiveOnly,
|
||||||
|
@ -269,7 +274,7 @@ SeCreateClientSecurity(IN PETHREAD Thread,
|
||||||
if (Token) ObDereferenceObject(Token);
|
if (Token) ObDereferenceObject(Token);
|
||||||
return STATUS_BAD_IMPERSONATION_LEVEL;
|
return STATUS_BAD_IMPERSONATION_LEVEL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((ImpersonationLevel == SecurityAnonymous) ||
|
if ((ImpersonationLevel == SecurityAnonymous) ||
|
||||||
(ImpersonationLevel == SecurityIdentification) ||
|
(ImpersonationLevel == SecurityIdentification) ||
|
||||||
((RemoteClient) && (ImpersonationLevel != SecurityDelegation)))
|
((RemoteClient) && (ImpersonationLevel != SecurityDelegation)))
|
||||||
|
@ -277,12 +282,11 @@ SeCreateClientSecurity(IN PETHREAD Thread,
|
||||||
if (Token) ObDereferenceObject(Token);
|
if (Token) ObDereferenceObject(Token);
|
||||||
return STATUS_BAD_IMPERSONATION_LEVEL;
|
return STATUS_BAD_IMPERSONATION_LEVEL;
|
||||||
}
|
}
|
||||||
|
|
||||||
ClientContext->DirectAccessEffectiveOnly = ((ThreadEffectiveOnly) ||
|
ClientContext->DirectAccessEffectiveOnly = ((ThreadEffectiveOnly) ||
|
||||||
(Qos->EffectiveOnly)) ?
|
(Qos->EffectiveOnly)) ? TRUE : FALSE;
|
||||||
TRUE : FALSE;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
|
if (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
|
||||||
{
|
{
|
||||||
ClientContext->DirectlyAccessClientToken = FALSE;
|
ClientContext->DirectlyAccessClientToken = FALSE;
|
||||||
|
@ -299,10 +303,10 @@ SeCreateClientSecurity(IN PETHREAD Thread,
|
||||||
&ClientContext->ClientTokenControl);
|
&ClientContext->ClientTokenControl);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
NewToken = Token;
|
NewToken = Token;
|
||||||
}
|
}
|
||||||
|
|
||||||
ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
|
ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
|
||||||
ClientContext->SecurityQos.ImpersonationLevel = Qos->ImpersonationLevel;
|
ClientContext->SecurityQos.ImpersonationLevel = Qos->ImpersonationLevel;
|
||||||
ClientContext->SecurityQos.ContextTrackingMode = Qos->ContextTrackingMode;
|
ClientContext->SecurityQos.ContextTrackingMode = Qos->ContextTrackingMode;
|
||||||
|
@ -347,9 +351,9 @@ SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext,
|
||||||
IN PETHREAD ServerThread OPTIONAL)
|
IN PETHREAD ServerThread OPTIONAL)
|
||||||
{
|
{
|
||||||
UCHAR b;
|
UCHAR b;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
if (ClientContext->DirectlyAccessClientToken == FALSE)
|
if (ClientContext->DirectlyAccessClientToken == FALSE)
|
||||||
{
|
{
|
||||||
b = ClientContext->SecurityQos.EffectiveOnly;
|
b = ClientContext->SecurityQos.EffectiveOnly;
|
||||||
|
@ -358,10 +362,12 @@ SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext,
|
||||||
{
|
{
|
||||||
b = ClientContext->DirectAccessEffectiveOnly;
|
b = ClientContext->DirectAccessEffectiveOnly;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ServerThread == NULL)
|
if (ServerThread == NULL)
|
||||||
{
|
{
|
||||||
ServerThread = PsGetCurrentThread();
|
ServerThread = PsGetCurrentThread();
|
||||||
}
|
}
|
||||||
|
|
||||||
PsImpersonateClient(ServerThread,
|
PsImpersonateClient(ServerThread,
|
||||||
ClientContext->ClientToken,
|
ClientContext->ClientToken,
|
||||||
1,
|
1,
|
||||||
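Review bot: In the SeCreateAccessStateEx hunk at new line 152, `Token` is assigned `(PTOKEN)&AccessState->SubjectSecurityContext.ClientToken` (or `&...PrimaryToken`), which is the address of the pointer field inside the subject context rather than the token object that field points to. The `Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE` test that follows therefore reads bytes at an offset from that field, so the traverse-privilege decision is not derived from the caller's token. Other hunks on this page treat the same fields as object pointers (`ObDereferenceObject(SubjectContext->ClientToken)`), so the `&` should be dropped: `(PTOKEN)AccessState->SubjectSecurityContext.ClientToken : (PTOKEN)AccessState->SubjectSecurityContext.PrimaryToken;`. The function starts and ends outside this hunk, and since this commit is formatting-only the fix belongs in a separate change.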
|
|
|
@ -34,189 +34,188 @@ NTAPI
|
||||||
SepInitDACLs(VOID)
|
SepInitDACLs(VOID)
|
||||||
{
|
{
|
||||||
ULONG AclLength;
|
ULONG AclLength;
|
||||||
|
|
||||||
/* create PublicDefaultDacl */
|
/* create PublicDefaultDacl */
|
||||||
AclLength = sizeof(ACL) +
|
AclLength = sizeof(ACL) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid));
|
||||||
|
|
||||||
SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
|
SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool,
|
||||||
AclLength,
|
AclLength,
|
||||||
TAG_ACL);
|
TAG_ACL);
|
||||||
if (SePublicDefaultDacl == NULL)
|
if (SePublicDefaultDacl == NULL)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
RtlCreateAcl(SePublicDefaultDacl,
|
RtlCreateAcl(SePublicDefaultDacl,
|
||||||
AclLength,
|
AclLength,
|
||||||
ACL_REVISION);
|
ACL_REVISION);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicDefaultDacl,
|
RtlAddAccessAllowedAce(SePublicDefaultDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_EXECUTE,
|
GENERIC_EXECUTE,
|
||||||
SeWorldSid);
|
SeWorldSid);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicDefaultDacl,
|
RtlAddAccessAllowedAce(SePublicDefaultDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_ALL,
|
GENERIC_ALL,
|
||||||
SeLocalSystemSid);
|
SeLocalSystemSid);
|
||||||
|
|
||||||
|
|
||||||
/* create PublicDefaultUnrestrictedDacl */
|
/* create PublicDefaultUnrestrictedDacl */
|
||||||
AclLength = sizeof(ACL) +
|
AclLength = sizeof(ACL) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
|
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
|
||||||
|
|
||||||
SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
|
SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
|
||||||
AclLength,
|
AclLength,
|
||||||
TAG_ACL);
|
TAG_ACL);
|
||||||
if (SePublicDefaultUnrestrictedDacl == NULL)
|
if (SePublicDefaultUnrestrictedDacl == NULL)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
|
RtlCreateAcl(SePublicDefaultUnrestrictedDacl,
|
||||||
AclLength,
|
AclLength,
|
||||||
ACL_REVISION);
|
ACL_REVISION);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_EXECUTE,
|
GENERIC_EXECUTE,
|
||||||
SeWorldSid);
|
SeWorldSid);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_ALL,
|
GENERIC_ALL,
|
||||||
SeLocalSystemSid);
|
SeLocalSystemSid);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_ALL,
|
GENERIC_ALL,
|
||||||
SeAliasAdminsSid);
|
SeAliasAdminsSid);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
|
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
|
||||||
SeRestrictedCodeSid);
|
SeRestrictedCodeSid);
|
||||||
|
|
||||||
/* create PublicOpenDacl */
|
/* create PublicOpenDacl */
|
||||||
AclLength = sizeof(ACL) +
|
AclLength = sizeof(ACL) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
|
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
|
||||||
|
|
||||||
SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool,
|
SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool,
|
||||||
AclLength,
|
AclLength,
|
||||||
TAG_ACL);
|
TAG_ACL);
|
||||||
if (SePublicOpenDacl == NULL)
|
if (SePublicOpenDacl == NULL)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
RtlCreateAcl(SePublicOpenDacl,
|
RtlCreateAcl(SePublicOpenDacl,
|
||||||
AclLength,
|
AclLength,
|
||||||
ACL_REVISION);
|
ACL_REVISION);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicOpenDacl,
|
RtlAddAccessAllowedAce(SePublicOpenDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
|
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
|
||||||
SeWorldSid);
|
SeWorldSid);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicOpenDacl,
|
RtlAddAccessAllowedAce(SePublicOpenDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_ALL,
|
GENERIC_ALL,
|
||||||
SeLocalSystemSid);
|
SeLocalSystemSid);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicOpenDacl,
|
RtlAddAccessAllowedAce(SePublicOpenDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_ALL,
|
GENERIC_ALL,
|
||||||
SeAliasAdminsSid);
|
SeAliasAdminsSid);
|
||||||
|
|
||||||
/* create PublicOpenUnrestrictedDacl */
|
/* create PublicOpenUnrestrictedDacl */
|
||||||
AclLength = sizeof(ACL) +
|
AclLength = sizeof(ACL) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
|
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
|
||||||
|
|
||||||
SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
|
SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
|
||||||
AclLength,
|
AclLength,
|
||||||
TAG_ACL);
|
TAG_ACL);
|
||||||
if (SePublicOpenUnrestrictedDacl == NULL)
|
if (SePublicOpenUnrestrictedDacl == NULL)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
RtlCreateAcl(SePublicOpenUnrestrictedDacl,
|
RtlCreateAcl(SePublicOpenUnrestrictedDacl,
|
||||||
AclLength,
|
AclLength,
|
||||||
ACL_REVISION);
|
ACL_REVISION);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_ALL,
|
GENERIC_ALL,
|
||||||
SeWorldSid);
|
SeWorldSid);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_ALL,
|
GENERIC_ALL,
|
||||||
SeLocalSystemSid);
|
SeLocalSystemSid);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_ALL,
|
GENERIC_ALL,
|
||||||
SeAliasAdminsSid);
|
SeAliasAdminsSid);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_READ | GENERIC_EXECUTE,
|
GENERIC_READ | GENERIC_EXECUTE,
|
||||||
SeRestrictedCodeSid);
|
SeRestrictedCodeSid);
|
||||||
|
|
||||||
/* create SystemDefaultDacl */
|
/* create SystemDefaultDacl */
|
||||||
AclLength = sizeof(ACL) +
|
AclLength = sizeof(ACL) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
|
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
|
||||||
|
|
||||||
SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool,
|
SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool,
|
||||||
AclLength,
|
AclLength,
|
||||||
TAG_ACL);
|
TAG_ACL);
|
||||||
if (SeSystemDefaultDacl == NULL)
|
if (SeSystemDefaultDacl == NULL)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
RtlCreateAcl(SeSystemDefaultDacl,
|
RtlCreateAcl(SeSystemDefaultDacl,
|
||||||
AclLength,
|
AclLength,
|
||||||
ACL_REVISION);
|
ACL_REVISION);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SeSystemDefaultDacl,
|
RtlAddAccessAllowedAce(SeSystemDefaultDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_ALL,
|
GENERIC_ALL,
|
||||||
SeLocalSystemSid);
|
SeLocalSystemSid);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SeSystemDefaultDacl,
|
RtlAddAccessAllowedAce(SeSystemDefaultDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
|
GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
|
||||||
SeAliasAdminsSid);
|
SeAliasAdminsSid);
|
||||||
|
|
||||||
/* create UnrestrictedDacl */
|
/* create UnrestrictedDacl */
|
||||||
AclLength = sizeof(ACL) +
|
AclLength = sizeof(ACL) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
|
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
|
||||||
|
|
||||||
SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
|
SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool,
|
||||||
AclLength,
|
AclLength,
|
||||||
TAG_ACL);
|
TAG_ACL);
|
||||||
if (SeUnrestrictedDacl == NULL)
|
if (SeUnrestrictedDacl == NULL)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
RtlCreateAcl(SeUnrestrictedDacl,
|
RtlCreateAcl(SeUnrestrictedDacl,
|
||||||
AclLength,
|
AclLength,
|
||||||
ACL_REVISION);
|
ACL_REVISION);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SeUnrestrictedDacl,
|
RtlAddAccessAllowedAce(SeUnrestrictedDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_ALL,
|
GENERIC_ALL,
|
||||||
SeWorldSid);
|
SeWorldSid);
|
||||||
|
|
||||||
RtlAddAccessAllowedAce(SeUnrestrictedDacl,
|
RtlAddAccessAllowedAce(SeUnrestrictedDacl,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
GENERIC_READ | GENERIC_EXECUTE,
|
GENERIC_READ | GENERIC_EXECUTE,
|
||||||
SeRestrictedCodeSid);
|
SeRestrictedCodeSid);
|
||||||
|
|
||||||
return(TRUE);
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
NTSTATUS NTAPI
|
NTSTATUS NTAPI
|
||||||
|
@ -226,22 +225,22 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
|
||||||
{
|
{
|
||||||
ULONG AclLength;
|
ULONG AclLength;
|
||||||
PVOID TokenDacl;
|
PVOID TokenDacl;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
AclLength = sizeof(ACL) +
|
AclLength = sizeof(ACL) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
(sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
|
(sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
|
||||||
(sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
|
(sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
|
||||||
|
|
||||||
TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
|
TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
|
||||||
if (TokenDacl == NULL)
|
if (TokenDacl == NULL)
|
||||||
{
|
{
|
||||||
return STATUS_INSUFFICIENT_RESOURCES;
|
return STATUS_INSUFFICIENT_RESOURCES;
|
||||||
}
|
}
|
||||||
|
|
||||||
RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
|
RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
|
||||||
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
|
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
|
||||||
Token->UserAndGroups->Sid);
|
Token->UserAndGroups->Sid);
|
||||||
|
@ -251,7 +250,7 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
|
||||||
SeAliasAdminsSid);
|
SeAliasAdminsSid);
|
||||||
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
|
RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
|
||||||
SeLocalSystemSid);
|
SeLocalSystemSid);
|
||||||
|
|
||||||
/* FIXME */
|
/* FIXME */
|
||||||
#if 0
|
#if 0
|
||||||
if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
|
if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
|
||||||
|
@ -260,7 +259,7 @@ SepCreateImpersonationTokenDacl(PTOKEN Token,
|
||||||
SeRestrictedCodeSid);
|
SeRestrictedCodeSid);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -275,9 +274,9 @@ SepCaptureAcl(IN PACL InputAcl,
|
||||||
PACL NewAcl;
|
PACL NewAcl;
|
||||||
ULONG AclSize = 0;
|
ULONG AclSize = 0;
|
||||||
NTSTATUS Status = STATUS_SUCCESS;
|
NTSTATUS Status = STATUS_SUCCESS;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
if (AccessMode != KernelMode)
|
if (AccessMode != KernelMode)
|
||||||
{
|
{
|
||||||
_SEH2_TRY
|
_SEH2_TRY
|
||||||
|
@ -296,10 +295,10 @@ SepCaptureAcl(IN PACL InputAcl,
|
||||||
_SEH2_YIELD(return _SEH2_GetExceptionCode());
|
_SEH2_YIELD(return _SEH2_GetExceptionCode());
|
||||||
}
|
}
|
||||||
_SEH2_END;
|
_SEH2_END;
|
||||||
|
|
||||||
NewAcl = ExAllocatePool(PoolType,
|
NewAcl = ExAllocatePool(PoolType,
|
||||||
AclSize);
|
AclSize);
|
||||||
if(NewAcl != NULL)
|
if (NewAcl != NULL)
|
||||||
{
|
{
|
||||||
_SEH2_TRY
|
_SEH2_TRY
|
||||||
{
|
{
|
||||||
|
@ -322,23 +321,23 @@ SepCaptureAcl(IN PACL InputAcl,
|
||||||
Status = STATUS_INSUFFICIENT_RESOURCES;
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if(!CaptureIfKernel)
|
else if (!CaptureIfKernel)
|
||||||
{
|
{
|
||||||
*CapturedAcl = InputAcl;
|
*CapturedAcl = InputAcl;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
AclSize = InputAcl->AclSize;
|
AclSize = InputAcl->AclSize;
|
||||||
|
|
||||||
NewAcl = ExAllocatePool(PoolType,
|
NewAcl = ExAllocatePool(PoolType,
|
||||||
AclSize);
|
AclSize);
|
||||||
|
|
||||||
if(NewAcl != NULL)
|
if (NewAcl != NULL)
|
||||||
{
|
{
|
||||||
RtlCopyMemory(NewAcl,
|
RtlCopyMemory(NewAcl,
|
||||||
InputAcl,
|
InputAcl,
|
||||||
AclSize);
|
AclSize);
|
||||||
|
|
||||||
*CapturedAcl = NewAcl;
|
*CapturedAcl = NewAcl;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
@ -346,7 +345,7 @@ SepCaptureAcl(IN PACL InputAcl,
|
||||||
Status = STATUS_INSUFFICIENT_RESOURCES;
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return Status;
|
return Status;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -357,10 +356,10 @@ SepReleaseAcl(IN PACL CapturedAcl,
|
||||||
IN BOOLEAN CaptureIfKernel)
|
IN BOOLEAN CaptureIfKernel)
|
||||||
{
|
{
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
if(CapturedAcl != NULL &&
|
if (CapturedAcl != NULL &&
|
||||||
(AccessMode != KernelMode ||
|
(AccessMode != KernelMode ||
|
||||||
(AccessMode == KernelMode && CaptureIfKernel)))
|
(AccessMode == KernelMode && CaptureIfKernel)))
|
||||||
{
|
{
|
||||||
ExFreePool(CapturedAcl);
|
ExFreePool(CapturedAcl);
|
||||||
}
|
}
|
||||||
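Review bot: In SepCreateImpersonationTokenDacl, the ACL allocated into `TokenDacl` is populated and the function then returns `STATUS_SUCCESS`, but no visible line hands the buffer to the caller or frees it. The parameter list and a few body lines fall between the hunks, so this needs confirming against the full file; if there is no such assignment, the caller receives success without a DACL and the pool block leaks, and a line such as `*Dacl = TokenDacl;` is needed before the return (`Dacl` is a placeholder for the output parameter, whose name is not shown here). Separately, the NTSTATUS results of `RtlCreateAcl` and `RtlAddAccessAllowedAce` are ignored here and throughout SepInitDACLs, so a failed ACE insertion would leave a default DACL with fewer entries than intended and no error would reach the caller.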
|
|
|
@ -4,7 +4,7 @@
|
||||||
* FILE: ntoskrnl/se/audit.c
|
* FILE: ntoskrnl/se/audit.c
|
||||||
* PURPOSE: Audit functions
|
* PURPOSE: Audit functions
|
||||||
*
|
*
|
||||||
* PROGRAMMERS: Eric Kohl <eric.kohl@t-online.de>
|
* PROGRAMMERS: Eric Kohl
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* INCLUDES *******************************************************************/
|
/* INCLUDES *******************************************************************/
|
||||||
|
@ -47,6 +47,7 @@ SeInitializeProcessAuditName(IN PFILE_OBJECT FileObject,
|
||||||
POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
|
POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
|
||||||
ULONG ReturnLength = 8;
|
ULONG ReturnLength = 8;
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
ASSERT(AuditInfo);
|
ASSERT(AuditInfo);
|
||||||
|
|
||||||
|
@ -120,6 +121,7 @@ SeLocateProcessImageName(IN PEPROCESS Process,
|
||||||
PUNICODE_STRING ImageName;
|
PUNICODE_STRING ImageName;
|
||||||
PFILE_OBJECT FileObject;
|
PFILE_OBJECT FileObject;
|
||||||
NTSTATUS Status = STATUS_SUCCESS;
|
NTSTATUS Status = STATUS_SUCCESS;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
/* Assume failure */
|
/* Assume failure */
|
||||||
|
@ -189,7 +191,7 @@ SeAuditHardLinkCreation(IN PUNICODE_STRING FileName,
|
||||||
IN PUNICODE_STRING LinkName,
|
IN PUNICODE_STRING LinkName,
|
||||||
IN BOOLEAN bSuccess)
|
IN BOOLEAN bSuccess)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -200,8 +202,8 @@ NTAPI
|
||||||
SeAuditingFileEvents(IN BOOLEAN AccessGranted,
|
SeAuditingFileEvents(IN BOOLEAN AccessGranted,
|
||||||
IN PSECURITY_DESCRIPTOR SecurityDescriptor)
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -213,8 +215,8 @@ SeAuditingFileEventsWithContext(IN BOOLEAN AccessGranted,
|
||||||
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||||||
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
|
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -225,8 +227,8 @@ NTAPI
|
||||||
SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted,
|
SeAuditingHardLinkEvents(IN BOOLEAN AccessGranted,
|
||||||
IN PSECURITY_DESCRIPTOR SecurityDescriptor)
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -238,8 +240,8 @@ SeAuditingHardLinkEventsWithContext(IN BOOLEAN AccessGranted,
|
||||||
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||||||
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
|
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -251,8 +253,8 @@ SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted,
|
||||||
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||||||
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
|
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -260,13 +262,11 @@ SeAuditingFileOrGlobalEvents(IN BOOLEAN AccessGranted,
|
||||||
*/
|
*/
|
||||||
VOID
|
VOID
|
||||||
NTAPI
|
NTAPI
|
||||||
SeCloseObjectAuditAlarm(
|
SeCloseObjectAuditAlarm(IN PVOID Object,
|
||||||
IN PVOID Object,
|
|
||||||
IN HANDLE Handle,
|
IN HANDLE Handle,
|
||||||
IN BOOLEAN PerformAction
|
IN BOOLEAN PerformAction)
|
||||||
)
|
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -295,10 +295,10 @@ SeOpenObjectAuditAlarm(IN PUNICODE_STRING ObjectTypeName,
|
||||||
OUT PBOOLEAN GenerateOnClose)
|
OUT PBOOLEAN GenerateOnClose)
|
||||||
{
|
{
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
/* Audits aren't done on kernel-mode access */
|
/* Audits aren't done on kernel-mode access */
|
||||||
if (AccessMode == KernelMode) return;
|
if (AccessMode == KernelMode) return;
|
||||||
|
|
||||||
/* Otherwise, unimplemented! */
|
/* Otherwise, unimplemented! */
|
||||||
//UNIMPLEMENTED;
|
//UNIMPLEMENTED;
|
||||||
return;
|
return;
|
||||||
|
@ -333,7 +333,7 @@ SePrivilegeObjectAuditAlarm(IN HANDLE Handle,
|
||||||
IN BOOLEAN AccessGranted,
|
IN BOOLEAN AccessGranted,
|
||||||
IN KPROCESSOR_MODE CurrentMode)
|
IN KPROCESSOR_MODE CurrentMode)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* SYSTEM CALLS ***************************************************************/
|
/* SYSTEM CALLS ***************************************************************/
|
||||||
|
@ -363,7 +363,7 @@ NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
|
||||||
IN BOOLEAN GenerateOnClose)
|
IN BOOLEAN GenerateOnClose)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return(STATUS_NOT_IMPLEMENTED);
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -373,7 +373,7 @@ NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
|
||||||
IN BOOLEAN GenerateOnClose)
|
IN BOOLEAN GenerateOnClose)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return(STATUS_NOT_IMPLEMENTED);
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -392,7 +392,7 @@ NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
|
||||||
OUT PBOOLEAN GenerateOnClose)
|
OUT PBOOLEAN GenerateOnClose)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return(STATUS_NOT_IMPLEMENTED);
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -404,7 +404,7 @@ NtPrivilegedServiceAuditAlarm(IN PUNICODE_STRING SubsystemName,
|
||||||
IN BOOLEAN AccessGranted)
|
IN BOOLEAN AccessGranted)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return(STATUS_NOT_IMPLEMENTED);
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -417,7 +417,7 @@ NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
|
||||||
IN BOOLEAN AccessGranted)
|
IN BOOLEAN AccessGranted)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return(STATUS_NOT_IMPLEMENTED);
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* EOF */
|
/* EOF */
|
||||||
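Review bot: In the SeOpenObjectAuditAlarm hunk (new lines 295-304), both return paths leave the `OUT PBOOLEAN GenerateOnClose` argument unwritten in the visible lines, and the user-mode path returns silently because `UNIMPLEMENTED` is commented out. A caller that has not pre-initialised the flag would act on an indeterminate value, and nothing signals that no audit record was produced for a user-mode open. I would document this at the early return, e.g. `/* No audit is generated yet; *GenerateOnClose is left untouched, so callers must initialise it */`, or restore the `UNIMPLEMENTED` trace so the gap stays visible in debug output. The function begins before this hunk and may continue after it.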
|
|
|
@ -110,8 +110,8 @@ NTSTATUS
|
||||||
NTAPI
|
NTAPI
|
||||||
SeMarkLogonSessionForTerminationNotification(IN PLUID LogonId)
|
SeMarkLogonSessionForTerminationNotification(IN PLUID LogonId)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return STATUS_NOT_IMPLEMENTED;
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -121,8 +121,8 @@ NTSTATUS
|
||||||
NTAPI
|
NTAPI
|
||||||
SeRegisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
|
SeRegisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return STATUS_NOT_IMPLEMENTED;
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -132,8 +132,8 @@ NTSTATUS
|
||||||
NTAPI
|
NTAPI
|
||||||
SeUnregisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
|
SeUnregisterLogonSessionTerminatedRoutine(IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine)
|
||||||
{
|
{
|
||||||
UNIMPLEMENTED;
|
UNIMPLEMENTED;
|
||||||
return STATUS_NOT_IMPLEMENTED;
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* EOF */
|
/* EOF */
|
||||||
|
|
|
@ -51,7 +51,7 @@ LUID SeEnableDelegationPrivilege;
|
||||||
VOID
|
VOID
|
||||||
INIT_FUNCTION
|
INIT_FUNCTION
|
||||||
NTAPI
|
NTAPI
|
||||||
SepInitPrivileges (VOID)
|
SepInitPrivileges(VOID)
|
||||||
{
|
{
|
||||||
SeCreateTokenPrivilege.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
|
SeCreateTokenPrivilege.LowPart = SE_CREATE_TOKEN_PRIVILEGE;
|
||||||
SeCreateTokenPrivilege.HighPart = 0;
|
SeCreateTokenPrivilege.HighPart = 0;
|
||||||
|
@ -110,25 +110,25 @@ SepInitPrivileges (VOID)
|
||||||
|
|
||||||
BOOLEAN
|
BOOLEAN
|
||||||
NTAPI
|
NTAPI
|
||||||
SepPrivilegeCheck (PTOKEN Token,
|
SepPrivilegeCheck(PTOKEN Token,
|
||||||
PLUID_AND_ATTRIBUTES Privileges,
|
PLUID_AND_ATTRIBUTES Privileges,
|
||||||
ULONG PrivilegeCount,
|
ULONG PrivilegeCount,
|
||||||
ULONG PrivilegeControl,
|
ULONG PrivilegeControl,
|
||||||
KPROCESSOR_MODE PreviousMode)
|
KPROCESSOR_MODE PreviousMode)
|
||||||
{
|
{
|
||||||
ULONG i;
|
ULONG i;
|
||||||
ULONG j;
|
ULONG j;
|
||||||
ULONG k;
|
ULONG k;
|
||||||
|
|
||||||
DPRINT ("SepPrivilegeCheck() called\n");
|
DPRINT("SepPrivilegeCheck() called\n");
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
if (PreviousMode == KernelMode)
|
if (PreviousMode == KernelMode)
|
||||||
{
|
{
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
k = 0;
|
k = 0;
|
||||||
if (PrivilegeCount > 0)
|
if (PrivilegeCount > 0)
|
||||||
{
|
{
|
||||||
|
@ -139,10 +139,10 @@ SepPrivilegeCheck (PTOKEN Token,
|
||||||
if (Token->Privileges[i].Luid.LowPart == Privileges[j].Luid.LowPart &&
|
if (Token->Privileges[i].Luid.LowPart == Privileges[j].Luid.LowPart &&
|
||||||
Token->Privileges[i].Luid.HighPart == Privileges[j].Luid.HighPart)
|
Token->Privileges[i].Luid.HighPart == Privileges[j].Luid.HighPart)
|
||||||
{
|
{
|
||||||
DPRINT ("Found privilege\n");
|
DPRINT("Found privilege\n");
|
||||||
DPRINT ("Privilege attributes %lx\n",
|
DPRINT("Privilege attributes %lx\n",
|
||||||
Token->Privileges[i].Attributes);
|
Token->Privileges[i].Attributes);
|
||||||
|
|
||||||
if (Token->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED)
|
if (Token->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED)
|
||||||
{
|
{
|
||||||
Privileges[j].Attributes |= SE_PRIVILEGE_USED_FOR_ACCESS;
|
Privileges[j].Attributes |= SE_PRIVILEGE_USED_FOR_ACCESS;
|
||||||
|
@ -152,58 +152,58 @@ SepPrivilegeCheck (PTOKEN Token,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY) &&
|
if ((PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY) &&
|
||||||
PrivilegeCount == k)
|
PrivilegeCount == k)
|
||||||
{
|
{
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (k > 0 &&
|
if (k > 0 &&
|
||||||
!(PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY))
|
!(PrivilegeControl & PRIVILEGE_SET_ALL_NECESSARY))
|
||||||
{
|
{
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
NTAPI
|
NTAPI
|
||||||
SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
|
SeCaptureLuidAndAttributesArray(PLUID_AND_ATTRIBUTES Src,
|
||||||
ULONG PrivilegeCount,
|
ULONG PrivilegeCount,
|
||||||
KPROCESSOR_MODE PreviousMode,
|
KPROCESSOR_MODE PreviousMode,
|
||||||
PLUID_AND_ATTRIBUTES AllocatedMem,
|
PLUID_AND_ATTRIBUTES AllocatedMem,
|
||||||
ULONG AllocatedLength,
|
ULONG AllocatedLength,
|
||||||
POOL_TYPE PoolType,
|
POOL_TYPE PoolType,
|
||||||
BOOLEAN CaptureIfKernel,
|
BOOLEAN CaptureIfKernel,
|
||||||
PLUID_AND_ATTRIBUTES* Dest,
|
PLUID_AND_ATTRIBUTES *Dest,
|
||||||
PULONG Length)
|
PULONG Length)
|
||||||
{
|
{
|
||||||
ULONG BufferSize;
|
ULONG BufferSize;
|
||||||
NTSTATUS Status = STATUS_SUCCESS;
|
NTSTATUS Status = STATUS_SUCCESS;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
if (PrivilegeCount == 0)
|
if (PrivilegeCount == 0)
|
||||||
{
|
{
|
||||||
*Dest = 0;
|
*Dest = 0;
|
||||||
*Length = 0;
|
*Length = 0;
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (PreviousMode == KernelMode && !CaptureIfKernel)
|
if (PreviousMode == KernelMode && !CaptureIfKernel)
|
||||||
{
|
{
|
||||||
*Dest = Src;
|
*Dest = Src;
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* FIXME - check PrivilegeCount for a valid number so we don't
|
/* FIXME - check PrivilegeCount for a valid number so we don't
|
||||||
cause an integer overflow or exhaust system resources! */
|
cause an integer overflow or exhaust system resources! */
|
||||||
|
|
||||||
BufferSize = PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
|
BufferSize = PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
|
||||||
*Length = ROUND_UP(BufferSize, 4); /* round up to a 4 byte alignment */
|
*Length = ROUND_UP(BufferSize, 4); /* round up to a 4 byte alignment */
|
||||||
|
|
||||||
/* probe the buffer */
|
/* probe the buffer */
|
||||||
if (PreviousMode != KernelMode)
|
if (PreviousMode != KernelMode)
|
||||||
{
|
{
|
||||||
|
@ -220,7 +220,7 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
|
||||||
}
|
}
|
||||||
_SEH2_END;
|
_SEH2_END;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* allocate enough memory or check if the provided buffer is
|
/* allocate enough memory or check if the provided buffer is
|
||||||
large enough to hold the array */
|
large enough to hold the array */
|
||||||
if (AllocatedMem != NULL)
|
if (AllocatedMem != NULL)
|
||||||
|
@ -229,14 +229,13 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
|
||||||
{
|
{
|
||||||
return STATUS_BUFFER_TOO_SMALL;
|
return STATUS_BUFFER_TOO_SMALL;
|
||||||
}
|
}
|
||||||
|
|
||||||
*Dest = AllocatedMem;
|
*Dest = AllocatedMem;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
*Dest = ExAllocatePool(PoolType,
|
*Dest = ExAllocatePool(PoolType,
|
||||||
BufferSize);
|
BufferSize);
|
||||||
|
|
||||||
if (*Dest == NULL)
|
if (*Dest == NULL)
|
||||||
{
|
{
|
||||||
return STATUS_INSUFFICIENT_RESOURCES;
|
return STATUS_INSUFFICIENT_RESOURCES;
|
||||||
|
@ -255,23 +254,23 @@ SeCaptureLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Src,
|
||||||
Status = _SEH2_GetExceptionCode();
|
Status = _SEH2_GetExceptionCode();
|
||||||
}
|
}
|
||||||
_SEH2_END;
|
_SEH2_END;
|
||||||
|
|
||||||
if (!NT_SUCCESS(Status) && AllocatedMem == NULL)
|
if (!NT_SUCCESS(Status) && AllocatedMem == NULL)
|
||||||
{
|
{
|
||||||
ExFreePool(*Dest);
|
ExFreePool(*Dest);
|
||||||
}
|
}
|
||||||
|
|
||||||
return Status;
|
return Status;
|
||||||
}
|
}
|
||||||
|
|
||||||
VOID
|
VOID
|
||||||
NTAPI
|
NTAPI
|
||||||
SeReleaseLuidAndAttributesArray (PLUID_AND_ATTRIBUTES Privilege,
|
SeReleaseLuidAndAttributesArray(PLUID_AND_ATTRIBUTES Privilege,
|
||||||
KPROCESSOR_MODE PreviousMode,
|
KPROCESSOR_MODE PreviousMode,
|
||||||
BOOLEAN CaptureIfKernel)
|
BOOLEAN CaptureIfKernel)
|
||||||
{
|
{
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
if (Privilege != NULL &&
|
if (Privilege != NULL &&
|
||||||
(PreviousMode != KernelMode || CaptureIfKernel))
|
(PreviousMode != KernelMode || CaptureIfKernel))
|
||||||
{
|
{
|
||||||
|
@ -307,15 +306,16 @@ SeFreePrivileges(IN PPRIVILEGE_SET Privileges)
|
||||||
/*
|
/*
|
||||||
* @implemented
|
* @implemented
|
||||||
*/
|
*/
|
||||||
BOOLEAN NTAPI
|
BOOLEAN
|
||||||
SePrivilegeCheck (PPRIVILEGE_SET Privileges,
|
NTAPI
|
||||||
PSECURITY_SUBJECT_CONTEXT SubjectContext,
|
SePrivilegeCheck(PPRIVILEGE_SET Privileges,
|
||||||
KPROCESSOR_MODE PreviousMode)
|
PSECURITY_SUBJECT_CONTEXT SubjectContext,
|
||||||
|
KPROCESSOR_MODE PreviousMode)
|
||||||
{
|
{
|
||||||
PACCESS_TOKEN Token = NULL;
|
PACCESS_TOKEN Token = NULL;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
if (SubjectContext->ClientToken == NULL)
|
if (SubjectContext->ClientToken == NULL)
|
||||||
{
|
{
|
||||||
Token = SubjectContext->PrimaryToken;
|
Token = SubjectContext->PrimaryToken;
|
||||||
|
@ -328,58 +328,60 @@ SePrivilegeCheck (PPRIVILEGE_SET Privileges,
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return SepPrivilegeCheck (Token,
|
return SepPrivilegeCheck(Token,
|
||||||
Privileges->Privilege,
|
Privileges->Privilege,
|
||||||
Privileges->PrivilegeCount,
|
Privileges->PrivilegeCount,
|
||||||
Privileges->Control,
|
Privileges->Control,
|
||||||
PreviousMode);
|
PreviousMode);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* @implemented
|
* @implemented
|
||||||
*/
|
*/
|
||||||
BOOLEAN NTAPI
|
BOOLEAN
|
||||||
SeSinglePrivilegeCheck (IN LUID PrivilegeValue,
|
NTAPI
|
||||||
IN KPROCESSOR_MODE PreviousMode)
|
SeSinglePrivilegeCheck(IN LUID PrivilegeValue,
|
||||||
|
IN KPROCESSOR_MODE PreviousMode)
|
||||||
{
|
{
|
||||||
SECURITY_SUBJECT_CONTEXT SubjectContext;
|
SECURITY_SUBJECT_CONTEXT SubjectContext;
|
||||||
PRIVILEGE_SET Priv;
|
PRIVILEGE_SET Priv;
|
||||||
BOOLEAN Result;
|
BOOLEAN Result;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
SeCaptureSubjectContext (&SubjectContext);
|
SeCaptureSubjectContext(&SubjectContext);
|
||||||
|
|
||||||
Priv.PrivilegeCount = 1;
|
Priv.PrivilegeCount = 1;
|
||||||
Priv.Control = PRIVILEGE_SET_ALL_NECESSARY;
|
Priv.Control = PRIVILEGE_SET_ALL_NECESSARY;
|
||||||
Priv.Privilege[0].Luid = PrivilegeValue;
|
Priv.Privilege[0].Luid = PrivilegeValue;
|
||||||
Priv.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
|
Priv.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
|
||||||
|
|
||||||
Result = SePrivilegeCheck (&Priv,
|
Result = SePrivilegeCheck(&Priv,
|
||||||
&SubjectContext,
|
&SubjectContext,
|
||||||
PreviousMode);
|
PreviousMode);
|
||||||
|
|
||||||
if (PreviousMode != KernelMode)
|
if (PreviousMode != KernelMode)
|
||||||
{
|
{
|
||||||
#if 0
|
#if 0
|
||||||
SePrivilegedServiceAuditAlarm (0,
|
SePrivilegedServiceAuditAlarm(0,
|
||||||
&SubjectContext,
|
&SubjectContext,
|
||||||
&PrivilegeValue);
|
&PrivilegeValue);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
SeReleaseSubjectContext (&SubjectContext);
|
SeReleaseSubjectContext(&SubjectContext);
|
||||||
|
|
||||||
return Result;
|
return Result;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* SYSTEM CALLS ***************************************************************/
|
/* SYSTEM CALLS ***************************************************************/
|
||||||
|
|
||||||
NTSTATUS NTAPI
|
NTSTATUS
|
||||||
NtPrivilegeCheck (IN HANDLE ClientToken,
|
NTAPI
|
||||||
IN PPRIVILEGE_SET RequiredPrivileges,
|
NtPrivilegeCheck(IN HANDLE ClientToken,
|
||||||
OUT PBOOLEAN Result)
|
IN PPRIVILEGE_SET RequiredPrivileges,
|
||||||
|
OUT PBOOLEAN Result)
|
||||||
{
|
{
|
||||||
PLUID_AND_ATTRIBUTES Privileges;
|
PLUID_AND_ATTRIBUTES Privileges;
|
||||||
PTOKEN Token;
|
PTOKEN Token;
|
||||||
|
@ -389,11 +391,11 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
|
||||||
BOOLEAN CheckResult;
|
BOOLEAN CheckResult;
|
||||||
KPROCESSOR_MODE PreviousMode;
|
KPROCESSOR_MODE PreviousMode;
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
PreviousMode = KeGetPreviousMode();
|
PreviousMode = KeGetPreviousMode();
|
||||||
|
|
||||||
/* probe the buffers */
|
/* probe the buffers */
|
||||||
if (PreviousMode != KernelMode)
|
if (PreviousMode != KernelMode)
|
||||||
{
|
{
|
||||||
|
@ -403,10 +405,10 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
|
||||||
FIELD_OFFSET(PRIVILEGE_SET,
|
FIELD_OFFSET(PRIVILEGE_SET,
|
||||||
Privilege),
|
Privilege),
|
||||||
sizeof(ULONG));
|
sizeof(ULONG));
|
||||||
|
|
||||||
PrivilegeCount = RequiredPrivileges->PrivilegeCount;
|
PrivilegeCount = RequiredPrivileges->PrivilegeCount;
|
||||||
PrivilegeControl = RequiredPrivileges->Control;
|
PrivilegeControl = RequiredPrivileges->Control;
|
||||||
|
|
||||||
/* Check PrivilegeCount to avoid an integer overflow! */
|
/* Check PrivilegeCount to avoid an integer overflow! */
|
||||||
if (FIELD_OFFSET(PRIVILEGE_SET,
|
if (FIELD_OFFSET(PRIVILEGE_SET,
|
||||||
Privilege[PrivilegeCount]) /
|
Privilege[PrivilegeCount]) /
|
||||||
|
@ -414,13 +416,13 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
|
||||||
{
|
{
|
||||||
_SEH2_YIELD(return STATUS_INVALID_PARAMETER);
|
_SEH2_YIELD(return STATUS_INVALID_PARAMETER);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* probe all of the array */
|
/* probe all of the array */
|
||||||
ProbeForWrite(RequiredPrivileges,
|
ProbeForWrite(RequiredPrivileges,
|
||||||
FIELD_OFFSET(PRIVILEGE_SET,
|
FIELD_OFFSET(PRIVILEGE_SET,
|
||||||
Privilege[PrivilegeCount]),
|
Privilege[PrivilegeCount]),
|
||||||
sizeof(ULONG));
|
sizeof(ULONG));
|
||||||
|
|
||||||
ProbeForWriteBoolean(Result);
|
ProbeForWriteBoolean(Result);
|
||||||
}
|
}
|
||||||
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
||||||
|
@ -435,51 +437,51 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
|
||||||
PrivilegeCount = RequiredPrivileges->PrivilegeCount;
|
PrivilegeCount = RequiredPrivileges->PrivilegeCount;
|
||||||
PrivilegeControl = RequiredPrivileges->Control;
|
PrivilegeControl = RequiredPrivileges->Control;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* reference the token and make sure we're
|
/* reference the token and make sure we're
|
||||||
not doing an anonymous impersonation */
|
not doing an anonymous impersonation */
|
||||||
Status = ObReferenceObjectByHandle (ClientToken,
|
Status = ObReferenceObjectByHandle(ClientToken,
|
||||||
TOKEN_QUERY,
|
TOKEN_QUERY,
|
||||||
SepTokenObjectType,
|
SepTokenObjectType,
|
||||||
PreviousMode,
|
PreviousMode,
|
||||||
(PVOID*)&Token,
|
(PVOID*)&Token,
|
||||||
NULL);
|
NULL);
|
||||||
if (!NT_SUCCESS(Status))
|
if (!NT_SUCCESS(Status))
|
||||||
{
|
{
|
||||||
return Status;
|
return Status;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (Token->TokenType == TokenImpersonation &&
|
if (Token->TokenType == TokenImpersonation &&
|
||||||
Token->ImpersonationLevel < SecurityIdentification)
|
Token->ImpersonationLevel < SecurityIdentification)
|
||||||
{
|
{
|
||||||
ObDereferenceObject (Token);
|
ObDereferenceObject(Token);
|
||||||
return STATUS_BAD_IMPERSONATION_LEVEL;
|
return STATUS_BAD_IMPERSONATION_LEVEL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* capture the privileges */
|
/* capture the privileges */
|
||||||
Status = SeCaptureLuidAndAttributesArray (RequiredPrivileges->Privilege,
|
Status = SeCaptureLuidAndAttributesArray(RequiredPrivileges->Privilege,
|
||||||
PrivilegeCount,
|
PrivilegeCount,
|
||||||
PreviousMode,
|
PreviousMode,
|
||||||
NULL,
|
NULL,
|
||||||
0,
|
0,
|
||||||
PagedPool,
|
PagedPool,
|
||||||
TRUE,
|
TRUE,
|
||||||
&Privileges,
|
&Privileges,
|
||||||
&Length);
|
&Length);
|
||||||
if (!NT_SUCCESS(Status))
|
if (!NT_SUCCESS(Status))
|
||||||
{
|
{
|
||||||
ObDereferenceObject (Token);
|
ObDereferenceObject (Token);
|
||||||
return Status;
|
return Status;
|
||||||
}
|
}
|
||||||
|
|
||||||
CheckResult = SepPrivilegeCheck (Token,
|
CheckResult = SepPrivilegeCheck(Token,
|
||||||
Privileges,
|
Privileges,
|
||||||
PrivilegeCount,
|
PrivilegeCount,
|
||||||
PrivilegeControl,
|
PrivilegeControl,
|
||||||
PreviousMode);
|
PreviousMode);
|
||||||
|
|
||||||
ObDereferenceObject (Token);
|
ObDereferenceObject(Token);
|
||||||
|
|
||||||
/* return the array */
|
/* return the array */
|
||||||
_SEH2_TRY
|
_SEH2_TRY
|
||||||
{
|
{
|
||||||
|
@ -494,13 +496,12 @@ NtPrivilegeCheck (IN HANDLE ClientToken,
|
||||||
Status = _SEH2_GetExceptionCode();
|
Status = _SEH2_GetExceptionCode();
|
||||||
}
|
}
|
||||||
_SEH2_END;
|
_SEH2_END;
|
||||||
|
|
||||||
SeReleaseLuidAndAttributesArray (Privileges,
|
SeReleaseLuidAndAttributesArray(Privileges,
|
||||||
PreviousMode,
|
PreviousMode,
|
||||||
TRUE);
|
TRUE);
|
||||||
|
|
||||||
return Status;
|
return Status;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* EOF */
|
/* EOF */
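Review bot: The size computation `BufferSize = PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);` in SeCaptureLuidAndAttributesArray is still unguarded, which is what the FIXME directly above it warns about: a large PrivilegeCount wraps the ULONG product, and the ExAllocatePool call further down is sized from the wrapped value. NtPrivilegeCheck appears to bound the count before calling in, but the capture routine should not depend on every caller doing so. I would replace the FIXME with a check ahead of the multiplication, `if (PrivilegeCount > MAXULONG / sizeof(LUID_AND_ATTRIBUTES)) return STATUS_INVALID_PARAMETER;`, and consider a lower sanity cap to limit pool consumption. The probe and the copy from Src lie between the hunks shown here, so how the wrapped size is used there should be confirmed against the full file.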
|
||||||
|
|
|
@ -17,13 +17,15 @@
|
||||||
|
|
||||||
PSE_EXPORTS SeExports = NULL;
|
PSE_EXPORTS SeExports = NULL;
|
||||||
SE_EXPORTS SepExports;
|
SE_EXPORTS SepExports;
|
||||||
|
ULONG SidInTokenCalls = 0;
|
||||||
|
|
||||||
extern ULONG ExpInitializationPhase;
|
extern ULONG ExpInitializationPhase;
|
||||||
extern ERESOURCE SepSubjectContextLock;
|
extern ERESOURCE SepSubjectContextLock;
|
||||||
|
|
||||||
/* PRIVATE FUNCTIONS **********************************************************/
|
/* PRIVATE FUNCTIONS **********************************************************/
|
||||||
|
|
||||||
static BOOLEAN INIT_FUNCTION
|
static BOOLEAN
|
||||||
|
INIT_FUNCTION
|
||||||
SepInitExports(VOID)
|
SepInitExports(VOID)
|
||||||
{
|
{
|
||||||
SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
|
SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
|
||||||
|
@ -118,6 +120,7 @@ NTAPI
|
||||||
SepInitializationPhase1(VOID)
|
SepInitializationPhase1(VOID)
|
||||||
{
|
{
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
/* Insert the system token into the tree */
|
/* Insert the system token into the tree */
|
||||||
|
@ -279,8 +282,6 @@ SeDefaultObjectMethod(IN PVOID Object,
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
ULONG SidInTokenCalls = 0;
|
|
||||||
|
|
||||||
static BOOLEAN
|
static BOOLEAN
|
||||||
SepSidInToken(PACCESS_TOKEN _Token,
|
SepSidInToken(PACCESS_TOKEN _Token,
|
||||||
PSID Sid)
|
PSID Sid)
|
||||||
|
@ -292,7 +293,7 @@ SepSidInToken(PACCESS_TOKEN _Token,
|
||||||
|
|
||||||
SidInTokenCalls++;
|
SidInTokenCalls++;
|
||||||
if (!(SidInTokenCalls % 10000)) DPRINT1("SidInToken Calls: %d\n", SidInTokenCalls);
|
if (!(SidInTokenCalls % 10000)) DPRINT1("SidInToken Calls: %d\n", SidInTokenCalls);
|
||||||
|
|
||||||
if (Token->UserAndGroupCount == 0)
|
if (Token->UserAndGroupCount == 0)
|
||||||
{
|
{
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
@ -340,7 +341,8 @@ SepTokenIsOwner(PACCESS_TOKEN Token,
|
||||||
return SepSidInToken(Token, Sid);
|
return SepSidInToken(Token, Sid);
|
||||||
}
|
}
|
||||||
|
|
||||||
VOID NTAPI
|
VOID
|
||||||
|
NTAPI
|
||||||
SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
|
SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
|
||||||
OUT PACCESS_MASK DesiredAccess)
|
OUT PACCESS_MASK DesiredAccess)
|
||||||
{
|
{
|
||||||
|
@ -351,13 +353,15 @@ SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
|
||||||
{
|
{
|
||||||
*DesiredAccess |= READ_CONTROL;
|
*DesiredAccess |= READ_CONTROL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SecurityInformation & SACL_SECURITY_INFORMATION)
|
if (SecurityInformation & SACL_SECURITY_INFORMATION)
|
||||||
{
|
{
|
||||||
*DesiredAccess |= ACCESS_SYSTEM_SECURITY;
|
*DesiredAccess |= ACCESS_SYSTEM_SECURITY;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
VOID NTAPI
|
VOID
|
||||||
|
NTAPI
|
||||||
SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
|
SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
|
||||||
OUT PACCESS_MASK DesiredAccess)
|
OUT PACCESS_MASK DesiredAccess)
|
||||||
{
|
{
|
||||||
|
@ -367,10 +371,12 @@ SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
|
||||||
{
|
{
|
||||||
*DesiredAccess |= WRITE_OWNER;
|
*DesiredAccess |= WRITE_OWNER;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SecurityInformation & DACL_SECURITY_INFORMATION)
|
if (SecurityInformation & DACL_SECURITY_INFORMATION)
|
||||||
{
|
{
|
||||||
*DesiredAccess |= WRITE_DAC;
|
*DesiredAccess |= WRITE_DAC;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SecurityInformation & SACL_SECURITY_INFORMATION)
|
if (SecurityInformation & SACL_SECURITY_INFORMATION)
|
||||||
{
|
{
|
||||||
*DesiredAccess |= ACCESS_SYSTEM_SECURITY;
|
*DesiredAccess |= ACCESS_SYSTEM_SECURITY;
|
||||||
|
@ -494,7 +500,7 @@ SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||||||
{
|
{
|
||||||
*GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
|
*GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
|
||||||
}
|
}
|
||||||
|
|
||||||
*AccessStatus = STATUS_SUCCESS;
|
*AccessStatus = STATUS_SUCCESS;
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
@ -763,7 +769,8 @@ SepGetSDGroup(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
|
||||||
/*
|
/*
|
||||||
* @implemented
|
* @implemented
|
||||||
*/
|
*/
|
||||||
BOOLEAN NTAPI
|
BOOLEAN
|
||||||
|
NTAPI
|
||||||
SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||||||
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
|
IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
|
||||||
IN BOOLEAN SubjectContextLocked,
|
IN BOOLEAN SubjectContextLocked,
|
||||||
|
|
|
@ -99,11 +99,11 @@ SepInitSecurityIDs(VOID)
|
||||||
ULONG SidLength1;
|
ULONG SidLength1;
|
||||||
ULONG SidLength2;
|
ULONG SidLength2;
|
||||||
PULONG SubAuthority;
|
PULONG SubAuthority;
|
||||||
|
|
||||||
SidLength0 = RtlLengthRequiredSid(0);
|
SidLength0 = RtlLengthRequiredSid(0);
|
||||||
SidLength1 = RtlLengthRequiredSid(1);
|
SidLength1 = RtlLengthRequiredSid(1);
|
||||||
SidLength2 = RtlLengthRequiredSid(2);
|
SidLength2 = RtlLengthRequiredSid(2);
|
||||||
|
|
||||||
/* create NullSid */
|
/* create NullSid */
|
||||||
SeNullSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
|
SeNullSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
|
||||||
SeWorldSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
|
SeWorldSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
|
||||||
|
@ -150,9 +150,9 @@ SepInitSecurityIDs(VOID)
|
||||||
SeAnonymousLogonSid == NULL)
|
SeAnonymousLogonSid == NULL)
|
||||||
{
|
{
|
||||||
FreeInitializedSids();
|
FreeInitializedSids();
|
||||||
return(FALSE);
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
RtlInitializeSid(SeNullSid, &SeNullSidAuthority, 1);
|
RtlInitializeSid(SeNullSid, &SeNullSidAuthority, 1);
|
||||||
RtlInitializeSid(SeWorldSid, &SeWorldSidAuthority, 1);
|
RtlInitializeSid(SeWorldSid, &SeWorldSidAuthority, 1);
|
||||||
RtlInitializeSid(SeLocalSid, &SeLocalSidAuthority, 1);
|
RtlInitializeSid(SeLocalSid, &SeLocalSidAuthority, 1);
|
||||||
|
@ -181,7 +181,7 @@ SepInitSecurityIDs(VOID)
|
||||||
RtlInitializeSid(SeAuthenticatedUsersSid, &SeNtSidAuthority, 1);
|
RtlInitializeSid(SeAuthenticatedUsersSid, &SeNtSidAuthority, 1);
|
||||||
RtlInitializeSid(SeRestrictedSid, &SeNtSidAuthority, 1);
|
RtlInitializeSid(SeRestrictedSid, &SeNtSidAuthority, 1);
|
||||||
RtlInitializeSid(SeAnonymousLogonSid, &SeNtSidAuthority, 1);
|
RtlInitializeSid(SeAnonymousLogonSid, &SeNtSidAuthority, 1);
|
||||||
|
|
||||||
SubAuthority = RtlSubAuthoritySid(SeNullSid, 0);
|
SubAuthority = RtlSubAuthoritySid(SeNullSid, 0);
|
||||||
*SubAuthority = SECURITY_NULL_RID;
|
*SubAuthority = SECURITY_NULL_RID;
|
||||||
SubAuthority = RtlSubAuthoritySid(SeWorldSid, 0);
|
SubAuthority = RtlSubAuthoritySid(SeWorldSid, 0);
|
||||||
|
@ -252,8 +252,8 @@ SepInitSecurityIDs(VOID)
|
||||||
*SubAuthority = SECURITY_RESTRICTED_CODE_RID;
|
*SubAuthority = SECURITY_RESTRICTED_CODE_RID;
|
||||||
SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, 0);
|
SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, 0);
|
||||||
*SubAuthority = SECURITY_ANONYMOUS_LOGON_RID;
|
*SubAuthority = SECURITY_ANONYMOUS_LOGON_RID;
|
||||||
|
|
||||||
return(TRUE);
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
|
@ -267,9 +267,9 @@ SepCaptureSid(IN PSID InputSid,
|
||||||
ULONG SidSize = 0;
|
ULONG SidSize = 0;
|
||||||
PISID NewSid, Sid = (PISID)InputSid;
|
PISID NewSid, Sid = (PISID)InputSid;
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
|
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
if (AccessMode != KernelMode)
|
if (AccessMode != KernelMode)
|
||||||
{
|
{
|
||||||
_SEH2_TRY
|
_SEH2_TRY
|
||||||
|
@ -289,11 +289,11 @@ SepCaptureSid(IN PSID InputSid,
|
||||||
_SEH2_YIELD(return _SEH2_GetExceptionCode());
|
_SEH2_YIELD(return _SEH2_GetExceptionCode());
|
||||||
}
|
}
|
||||||
_SEH2_END;
|
_SEH2_END;
|
||||||
|
|
||||||
/* allocate a SID and copy it */
|
/* allocate a SID and copy it */
|
||||||
NewSid = ExAllocatePool(PoolType,
|
NewSid = ExAllocatePool(PoolType,
|
||||||
SidSize);
|
SidSize);
|
||||||
if(NewSid != NULL)
|
if (NewSid != NULL)
|
||||||
{
|
{
|
||||||
_SEH2_TRY
|
_SEH2_TRY
|
||||||
{
|
{
|
||||||
|
@ -316,7 +316,7 @@ SepCaptureSid(IN PSID InputSid,
|
||||||
Status = STATUS_INSUFFICIENT_RESOURCES;
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if(!CaptureIfKernel)
|
else if (!CaptureIfKernel)
|
||||||
{
|
{
|
||||||
*CapturedSid = InputSid;
|
*CapturedSid = InputSid;
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
|
@ -324,16 +324,16 @@ SepCaptureSid(IN PSID InputSid,
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
|
SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
|
||||||
|
|
||||||
/* allocate a SID and copy it */
|
/* allocate a SID and copy it */
|
||||||
NewSid = ExAllocatePool(PoolType,
|
NewSid = ExAllocatePool(PoolType,
|
||||||
SidSize);
|
SidSize);
|
||||||
if(NewSid != NULL)
|
if (NewSid != NULL)
|
||||||
{
|
{
|
||||||
RtlCopyMemory(NewSid,
|
RtlCopyMemory(NewSid,
|
||||||
Sid,
|
Sid,
|
||||||
SidSize);
|
SidSize);
|
||||||
|
|
||||||
*CapturedSid = NewSid;
|
*CapturedSid = NewSid;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
@ -341,7 +341,7 @@ SepCaptureSid(IN PSID InputSid,
|
||||||
Status = STATUS_INSUFFICIENT_RESOURCES;
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return Status;
|
return Status;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -352,10 +352,10 @@ SepReleaseSid(IN PSID CapturedSid,
|
||||||
IN BOOLEAN CaptureIfKernel)
|
IN BOOLEAN CaptureIfKernel)
|
||||||
{
|
{
|
||||||
PAGED_CODE();
|
PAGED_CODE();
|
||||||
|
|
||||||
if(CapturedSid != NULL &&
|
if (CapturedSid != NULL &&
|
||||||
(AccessMode != KernelMode ||
|
(AccessMode != KernelMode ||
|
||||||
(AccessMode == KernelMode && CaptureIfKernel)))
|
(AccessMode == KernelMode && CaptureIfKernel)))
|
||||||
{
|
{
|
||||||
ExFreePool(CapturedSid);
|
ExFreePool(CapturedSid);
|
||||||
}
|
}
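Review bot: SepCaptureSid declares `NTSTATUS Status;` without an initializer, and the kernel-mode capture branch (the final `else` that calls `RtlLengthRequiredSid(Sid->SubAuthorityCount)`) assigns it only when ExAllocatePool fails, so a successful capture reaches `return Status;` with an indeterminate value. A caller testing NT_SUCCESS() could then treat a good capture as a failure and never release NewSid. Initializing at the declaration, `NTSTATUS Status = STATUS_SUCCESS;`, closes this, the way SeCaptureLuidAndAttributesArray in priv.c already does. Part of the user-mode branch lies between the hunks, so whether that path sets Status on success should be checked in the full file.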
|
||||||
|
|