Commit graph

56 commits

Author SHA1 Message Date
George Bișoc
09bfd96f3b
[NTOS:SE] HACK: Temporarily add the Local group SID to the system token
Temporarily add the local group to the system token so that Virtualbox
GA services can properly set up network drives for shared folders.

What happens is that a security descriptor has a DACL with only one ACE
that grants access to Local SID (presumably coming from Vbox?)
but the client token is that of the service which is a SYSTEM token.
Perhaps we are not impersonating the right user or whatever else.

This is only a temporary placebo, until a proper solution is found.

CORE-18250
2023-10-04 18:04:30 +02:00
George Bișoc
59e74584ac
[NTOS:SE] Refactor SeTokenCanImpersonate
- Refactor most of the code, since there's quite some stuff that don't make much sense.
For instance ImpersonationLevel is basically the requested impersonation level a
server asks for. PsImpersonateClient doesn't explicitly say that SecurityAnonymous
and SecurityIdentification are not allowed. If the server was to give such levels
it simply means it doesn't want to impersonate the client.

Another thing that doesn't make much sense is that we check if the client is
associated with an anonymous token, then avoid impersonating regular anonymous
tokens that weren't created by the system. Only system can create such tokens
and an anonymous token basically means a token with hidden security info.

- Check that the server is within the same client logon session.

- If the server is granted the SeImpersonatePrivilege privilege, allow impersonation
regardless of the conditions we want to check for.

- Update the documentation and code comments.
2023-06-09 11:53:56 +02:00
George Bișoc
f483e42f89
[NTOS:SE] Grant the SYSTEM process the missing privileges
- Add the missing privileges to the SYSTEM privileges which might be needed,
notably SeUndockPrivilege, SeManageVolumePrivilege, SeCreateGlobalPrivilege and
SeImpersonatePrivilege.

Specifically SeImpersonatePrivilege is important here because with it we
allow system components of the core OS to perform certain system tasks.

- Declare the Groups array with a maximum of 3 elements in SepCreateSystemProcessToken
and 1 element in SepCreateSystemAnonymousLogonToken respectively, because previously
this array was oversized with most of free space left as a waste.

- Avoid hardcoding the size value of the Privilege array, instead initialize it
by hand and compute the exact number of elements with RTL_NUMBER_OF.
2023-06-09 11:53:51 +02:00
George Bișoc
51279c3e44
[NTOS:SE] Refactor NtOpenThreadTokenEx
- Wrap most of the code into a new private routine, SepOpenThreadToken.
And properly fail gracefully if we fail to open a thread's token instead of just keeping going.

- Do not use the same thread object that we have referenced in NtOpenThreadTokenEx
to do a copy of the access token in case we can't open it directly.
Instead we must reference a new object with full access, solely used for
the purpose to do our required operations.

- Add debug prints

CORE-18986
2023-06-04 11:09:34 +02:00
George Bișoc
8b75dce45a
[NTOS:SE][FORMATTING] Fix the file header
This fixes the copyright file header at the top of the file, reflecting
the Coding Style rules. No code changes!
2023-03-07 18:39:46 +01:00
George Bișoc
4471ee4dfa
[NTOS:SE] Properly handle dynamic counters in token
On current master, ReactOS faces these problems:

- ObCreateObject charges both paged and non paged pool a size of TOKEN structure, not the actual dynamic contents of WHAT IS inside a token. For paged pool charge the size is that of the dynamic area (primary group + default DACL if any). This is basically what DynamicCharged is for.
For the non paged pool charge, the actual charge is that of TOKEN structure upon creation. On duplication and filtering however, the paged pool charge size is that of the inherited dynamic charged space from an existing token whereas the non paged pool size is that of the calculated token body
length for the new duplicated/filtered token. On current master, we're literally cheating the kernel by charging the wrong amount of quota not taking into account the dynamic contents which they come from UM.

- Both DynamicCharged and DynamicAvailable are not fully handled (DynamicAvailable is pretty much poorly handled with some cases still to be taking into account). DynamicCharged is barely handled, like at all.

- As a result of these two points above, NtSetInformationToken doesn't check when the caller wants to set up a new default token DACL or primary group if the newly DACL or the said group exceeds the dynamic charged boundary. So what happens is that I'm going to act like a smug bastard fat politician and whack
the primary group and DACL of an token however I want to, because why in the hell not? In reality no, the kernel has to punish whoever attempts to do that, although we currently don't.

- The dynamic area (aka DynamicPart) only picks up the default DACL but not the primary group as well. Generally the dynamic part is composed of primary group and default DACL, if provided.

In addition to that, we aren't returning the dynamic charged and available area in token statistics. SepComputeAvailableDynamicSpace helper is here to accommodate that. Apparently Windows is calculating the dynamic available area rather than just querying the DynamicAvailable field directly from the token.
My theory regarding this is like the following: on Windows both TokenDefaultDacl and TokenPrimaryGroup classes are barely used by the system components during startup (LSASS provides both a DACL and primary group when calling NtCreateToken anyway). In fact DynamicAvailable is 0 during token creation, duplication and filtering when inspecting a token with WinDBG. So
if an application wants to query token statistics that application will face a dynamic available space of 0.
2022-06-29 10:06:37 +02:00
George Bișoc
5e1f292062
[NTOS:SE] NtQueryInformationToken: implement token sandbox inert querying 2022-06-13 18:17:10 +02:00
George Bișoc
9a2c62b544
[NTOS:SE] Reorganize the security manager component
The current state of Security manager's code is kind of a mess. Mainly, there's code scattered around places where they shouldn't belong and token implementation (token.c) is already of a bloat in itself as it is. The file has over 6k lines and it's subject to grow exponentially with improvements, features, whatever that is.

With that being said, the token implementation code in the kernel will be split accordingly and rest of the code moved to appropriate places. The new layout will look as follows (excluding the already existing files):

- client.c (Client security implementation code)
- objtype.c (Object type list implementation code -- more code related to object types will be put here when I'm going to implement object type access checks in the future)
- subject.c (Subject security context support)

The token implementation in the kernel will be split in 4 distinct files as shown:

- token.c (Base token support routines)
- tokenlif.c (Life management of a token object -- that is Duplication, Creation and Filtering)
- tokencls.c (Token Query/Set Information Classes support)
- tokenadj.c (Token privileges/groups adjusting support)

In addition to that, tidy up the internal header and reorganize it as well.
2022-05-29 20:22:19 +02:00
Hermès Bélusca-Maïto
985468d08a
[NTOS:SE] Replace a bunch of RtlCopyLuid() calls into direct assignations (#4523)
Nowadays' compilers support such direct structure assignations,
and our existing codebase already uses that in other places.
2022-05-23 19:30:37 +02:00
Hermès Bélusca-Maïto
487d8601f9
[NTOS:SE] SepPerformTokenFiltering(): Fix corruption of DynamicPart (#4523)
The problem is that EndMem is changed to point to the DynamicPart of
the token, but the code after that expects it to still point into the
VariablePart instead.

Problem fixed by moving the insertion of RestrictedSids much sooner
(where the original ones are also being copied).
2022-05-23 19:30:36 +02:00
Hermès Bélusca-Maïto
9676188543
[NTOS:SE] NtAdjustGroupsToken(): Avoid double-free on ObReferenceObjectByHandle failure path (#4523) 2022-05-23 19:30:36 +02:00
Hermès Bélusca-Maïto
3370652dfc
[NTOS:SE] Fix locking in SepDuplicateToken() and SepPerformTokenFiltering() (#4523)
Shared locking must be used on the source token as it is accessed for
reading only. This fixes in particular the kmtest SeTokenFiltering that
would hang otherwise on a (wrong) exclusive locking.

- SepPerformTokenFiltering(): Always shared-lock the source token.
  Its callers (NtFilterToken and SeFilterToken) just need to sanitize and
  put the parameters in correct form before calling this helper function.

- Sync comments in NtFilterToken() with SeFilterToken().
2022-05-23 19:30:35 +02:00
Hermès Bélusca-Maïto
b33911b93d
[NTOS:SE] SepPerformTokenFiltering(): Remove useless SEH handling (#4523)
This function is either called inter-kernel (in which case, all
parameters must be valid, and if not, we have to bugcheck), or, it
is called with **captured** parameters (from NtFilterToken) and those
latter ones are now expected to be valid and reside in kernel-mode.
Finally, data copied between token structures reside in kernel-mode
only and again are expected to be valid (if not, we bugcheck).
2022-05-23 19:30:34 +02:00
Hermès Bélusca-Maïto
389a2da7ff
[NTOS:SE] SepCaptureAcl(): Add missing validation of the captured ACL (#4523)
- The ACL is however not validated when the function is called within
  kernel mode and no capture is actually being done.

- Simplify aspects of the function (returning early when possible).
2022-05-23 19:30:34 +02:00
George Bișoc
11d9c88c35
[NTOS:SE] Add token debug code
Implement initial token debug code. For now debug information that is being tracked are: process image file name, process and thread client IDs and token creation method. More specific debug code can be added later only if needed.

As for the token creation method, this follows the same principle as on Windows where the creation method is defined by a value denoting the first letter of the said method of creation. That is, 0xC is for token creation, 0xD is for token duplication and 0xF is for token filtering. The debug field names are taken from Windows PDB symbols for WinDBG debug extension support purposes. The names must not be changed!
2022-04-19 11:04:59 +02:00
George Bișoc
1b06522638
[NTOS:SE] Assign the captured SID and/or privileges to NULL manually on token filtering
This reverts 8479509 commit which pretty much does nothing at all (the captured pointer is NULL within the stack of the function has no effect outside of the function). My mistake, sorry.
2022-02-10 09:51:58 +01:00
George Bișoc
8479509a7b
[NTOS:SE] Assign the captured privilege or SID as NULL when releasing
Whenever a captured security property such as privilege or SID is released, we must not have such captured property point at random address in memory but rather we must assign it as NULL after it's been freed from pool memory. This avoids potential double-after-free situations where we might release a buffer twice.
This is exactly the case with token filtering.
2022-02-09 10:29:56 +01:00
Thomas Faber
88e3ef5fa0
[NTOS:SE] Don't assert on levels that don't allow impersonation. 2021-11-21 17:19:03 -05:00
Thomas Faber
d84022d7fd
[NTOS:SE] Fix always-true assert in SeTokenCanImpersonate.
Courtesy of VS analysis warning C6289:
Incorrect operator:  mutual exclusion over || is always a non-zero constant.  Did you intend to use && instead?
2021-11-21 12:57:50 -05:00
Thomas Faber
0af3689c2e
[REACTOS] Fix traces with missing arguments.
Courtesy of VS Code Analysis warning C6064:
Missing integer argument to 'DbgPrint' that corresponds to conversion specifier 'N'.
2021-11-21 12:57:35 -05:00
George Bișoc
53db5377e2
[NTOS:SE] Implement token filtering
This implements the support of token filtering within the kernel, where the kernel can create restricted tokens of regular ones on demand by the caller. The implementation can be accessed thorough a NT syscall, NtFilterToken, and a kernel mode routine, SeFilterToken.
2021-11-07 14:14:18 +01:00
George Bișoc
05d52aba2b
[NTOS:SE] Partially revert 0129de2
The continue statements do not server any useful purpose in these loops so they're basically pointless. These have been introduced by mistake so my bad.
2021-11-05 10:13:45 +01:00
George Bișoc
0129de218b
[NTOS:SE] Mark the token as no longer belonging to admin group upon effective duplication
A scenario where it happens that an access token belongs to an administrators group but it's disabled (that is, SeAliasAdminsSid has no attributes or it doesn't have SE_GROUP_ENABLED turn ON), the function removes this group from the token but still has TOKEN_HAS_ADMIN_GROUP flag which can lead to erratic behavior across the kernel and security modules -- implying that the token still belongs to administrators group.

This is an oversight from my part.
2021-11-04 09:30:00 +01:00
George Bișoc
fdb4205061
[NTOS:SE] Minor cleanup on SepDuplicateToken
The current code that searches for the primary group of token upon duplication is OK as is, remove whatever rest that's no longer needed.
2021-10-23 17:55:12 +02:00
George Bișoc
8e6fc7a5f5
[NTOS:SE] Implement token groups adjusting 2021-09-23 17:38:31 +02:00
George Bișoc
982ee872dd
[NTOS:SE] Privileges adjusting private routine must be paged
SepAdjustPrivileges is a private helper call that must be paged, alongside with its syscall -- NtAdjustPrivilegesToken.
2021-09-21 17:40:53 +02:00
Hermès Bélusca-Maïto
9393fc320e
[FORMATTING] Remove trailing whitespace. Addendum to 34593d93.
Excluded: 3rd-party code (incl. wine) and most of the win32ss.
2021-09-13 03:52:22 +02:00
George Bișoc
c407460f6a
[NTOS:SE] Implement effective token option upon duplication
This implements the EffectiveOnly option of SepDuplicateToken routine (used by NtDuplicateToken syscall and other functions alike) which makes the access token effective by removing the disabled parts like privileges and groups.
2021-09-05 17:01:21 +02:00
George Bișoc
8567d8145e
[NTOS:SE] Annotate the remaining functions with SAL 2021-08-22 10:29:58 +02:00
George Bișoc
6413009c10
[NTOS:SE] Document the whole subsystem in Doxygen format
And update the file comment headers.
2021-08-22 10:29:47 +02:00
George Bișoc
632fa1cfbe
[NTOS:SE] Handle the reference logon session of the token
When creating or duplicating an access token object, make sure that the logon session is getting referenced by the token must be inserted onto the logon reference member (a.k.a LogonSession) for proper logon session referencing tracking.

Also when a token object is about to be destroyed or that we are taking away a reference session from it, we must ensure that the referenced logon session data gets removed from the token in question.
CORE-17700
2021-07-31 17:23:05 +02:00
George Bișoc
e2a8585edc
[NTOS:SE] Remove redundant commented call on token duplication
When duplicating an access token, the authentication ID is already copied from the existing token to the new one anyway so there's no point on having the commented call still left in the code.
2021-07-25 18:02:32 +02:00
George Bișoc
5912c11650
[NTOS:SE] Minor refactor on NtOpenThreadTokenEx
- Remove a redundant call of ObReferenceObjectByHandle. Not only it didn't make much sense (we reference the object from thread handle and the new thread object referencing the same handle!), specifying a request access of THREAD_ALL_ACCESS for the thread object is kind of suspicious and all of these access rights are unwanted.
- Add some failure checks involving the CopyOnOpen code paths
- Add some DPRINT1 debug prints (concerning the CopyOnOpen code paths as usual)
2021-06-18 18:38:12 +02:00
George Bișoc
7ca6bfb994
[NTOS:SE] Use IQS_NONE for the first class which is not existent and barely used 2021-06-08 09:26:11 +02:00
George Bișoc
a330b56787
[NTOS:PS] Enable alignment probing for thread/process information classes
In addition to that, here are some stuff done in this commit whilst testing:

- ICIF_QUERY_SIZE_VARIABLE and friends were badly misused, they should be used only when an information class whose information length size is dyanmic and not fixed. By removing such flags from erroneous classes, this fixes the STATUS_INFO_LENGTH_MISMATCH testcases.

- Use CHAR instead of UCHAR for classes that do not need alignment probing, as every other class in the table do, for the sake of consistency.

- ProcessEnableAlignmentFaultFixup uses BOOLEAN as type size, not CHAR. This fixes a testcase failure on ROS.

- Check for information length size before proceeding further on querying the process' cookie information.

- ProcessHandleTracing wants an alignment of a ULONG, not CHAR.

- Move PROCESS_LDT_INFORMATION and PROCESS_LDT_SIZE outside of NTOS_MODE_USER macro case. This fixes a compilation issue when enabling the alignment probing. My mistake of having them inside NTOS_MODE_USER case, sorry.

- On functions like NtQueryInformationThread and the Process equivalent, complete probing is not done at the beginning of the function, complete probing including if the buffer is writable alongside with datatype misalignment check that is. Instead such check is done on each information class case basis. With that said, we have to explicitly tell DefaultQueryInfoBufferCheck if we want a complete probing or not initially.
2021-06-06 17:14:22 +02:00
George Bișoc
3140dac3fe
[NTOS:SE] Do some cleanup on ICIF flags in token information classes
A few of these classes have fixed size lengths, the rest are arbitrary. Also the TokenAuditPolicy class hasn't a size length type specified in the table, which is wrong (and move the corresponding TOKEN_AUDIT_POLICY_INFORMATION structure into the private header).
2021-05-29 12:44:03 +02:00
George Bișoc
99d776894a
[NTOS:SE] Capture the groups length when creating a token
The groups length is already returned by SeCaptureSidAndAttributesArray, it doesn't make sense to not use it.
2021-05-16 17:18:29 +02:00
Jérôme Gardou
3adf450867 [REACTOS] Addendum to 5c7ce4475e - Fix MSVC 2015 build
Put data into PAGEDATA or INITDATA sections
Keep section declaration for prototypes

CORE-17540
2021-05-12 11:04:29 +02:00
George Bișoc
11f239373d
[NTOS:SE] Add further remarks in SeQueryInformationToken
Explicitly mention under remarks that some classes are not implemented for that function, for documentation purposes. No code changes.
2021-05-08 18:11:42 +02:00
George Bișoc
5dd93a8a5b
[NTOS:SE] Get the session ID and assign it to the new token
SeExchangePrimaryToken doesn't assign the session ID to the new token, which could lead to incorrect behaviour in the long run. Let's fix that.
2021-05-04 10:08:26 +02:00
George Bișoc
207543429b
[NTOSKRNL] Use IQS_SAME instead of ICI_SQ_SAME
And remove the redundant ICI_SQ_SAME macro as it's no longer needed in the codebase.
2021-05-02 21:00:51 +02:00
George Bișoc
18ddb6ba92
[NTOS:SE] Implement SeTokenCanImpersonate routine
SeTokenCanImpersonate ensures whether the client impersonation can occur, and if not, the call signals this to the caller.
2021-05-02 16:55:19 +02:00
George Bișoc
44fb528fcc
[NTOS:SE] Implement the NtImpersonateAnonymousToken system call
Implement SepImpersonateAnonymousToken private helpers, which is necessary for the complete implementation of NtImpersonateAnonymousToken function and thus finally we're able to impersonate the anonymous logon token.
2021-04-27 12:25:03 +02:00
George Bișoc
3d8dd932b1
[NTOS:SE] Lock the token in SeQueryInformationToken and do some cleanup
* Guard the token in a lock whilst querying stuff
* Remove the piece of code that checks if the information class provided is above the maximum information class threshold. That code literally duplicates the inner functionality of the default case in the switch block, where the code falls in that case if an invalid information class is provided anyway.
* Remove the redundant information classes. Internally, this function in Windows has 12 switch case blocks (11 token info classes + the default case) and the other classes are supported in NtQueryInformationToken only so it doesn't make any logical sense to keep them in the codebase.
* Annotate the argument parameters with SAL and add documentation header
2021-04-18 13:56:37 +02:00
George Bișoc
eba68ffb9c [NTOS:SE] Specify the code section of SepCreateSystemProcessToken as INIT
This function is used during the Security kernel module phase initialisation to set up the system process token which the phase initialisation procedure in itself is stored in the INIT section. With that being said, do the same for SepCreateSystemProcessToken too and add a header documentation as an addition.
2021-03-25 02:30:46 +03:00
George Bișoc
fe0f9d8646 [NTOS:SE] Implement SepCreateSystemAnonymousLogonToken and SepCreateSystemAnonymousLogonTokenNoEveryone functions
These private functions are needed to set up two different kinds of system's anonymous logon tokens: one that includes everyone in the group and the other that doesn't. These functions are needed as next step closer to the
implementation of NtImpersonateAnonymousToken system call.
2021-03-25 02:30:46 +03:00
George Bișoc
44b8e5caac [NTOS:SE] Complete the SepCompareTokens implementation
* Implement SepCompareSidAndAttributesFromTokens and SepComparePrivilegeAndAttributesFromTokens functions for array elements comparison
* Implement the token comparison code in SepCompareTokens function
* Add a missing PAGED_CODE() in SepCompareTokens as most of the token comparison code is paged
* Use SAL annotations for SepCompareTokens and NtCompareTokens
2021-03-04 16:22:56 +03:00
George Bișoc
dd4c113594
[NTOS:SE] Do not use a global lock for tokens (#3445)
In Windows Server 2003 the lock is initialised on a per-token basis, that is, the lock resource is created in SepDuplicateToken() and SepCreateToken() functions. This ensures that the lock initialisation is done locally for the specific token thus avoiding the need of a global lock.
2021-02-05 12:10:19 +03:00
Victor Perevertkin
5c7ce4475e
[REACTOS] Cleanup INIT and some PAGE section allocations
- Change INIT_FUNCTION and INIT_SECTION to CODE_SEG("INIT") and DATA_SEG("INIT") respectively
- Remove INIT_FUNCTION from function prototypes
- Remove alloc_text pragma calls as they are not needed anymore
2020-11-02 21:45:31 +03:00
Serge Gautherie
b20f815126
[NTOSKRNL] Place INIT_FUNCTION before the return type (#2823)
(but after 'static' or SAL 2 annotation.)
Follow-up to 71fefa32, which mentions that it's actually required by the compiler in some circumstances.
2020-05-23 15:56:10 +02:00