Commit graph

120 commits

Author SHA1 Message Date
George Bișoc
fdb4205061
[NTOS:SE] Minor cleanup on SepDuplicateToken
The current code that searches for the primary group of token upon duplication is OK as is, remove whatever rest that's no longer needed.
2021-10-23 17:55:12 +02:00
George Bișoc
9c1c88de3e
[NTOS:SE] Define a name macro for the threshold value
Instead of having this magic value as is, describe it within a macro for readability purposes.
2021-09-27 09:39:23 +02:00
George Bișoc
199f575342
[NTOS:SE] Check the privilege count against the maximum threshold
In SeCaptureLuidAndAttributesArray we must ensure that we don't go onto a potential integer overflow scenario by checking against the maximum limit threshold the kernel states. In addition, write an explicit name macro for the value.
2021-09-27 09:37:28 +02:00
George Bișoc
0b4763f1b1
[NTOS:SE] Do not set SE_DACL_PRESENT flag that early
The function might assign the flag yet it could possibly fail on creating a DACL and insert an "access allowed" right to the access entry within the DACL. In this case, make sure we actually succeeded on all the tasks and THEN assign the flag that the DACL is truly present.

Also, make sure that the Current buffer size variable gets its new size so that we avoid overidding the memory of the DACL if the security descriptor wants both a DACL and SACL and so that happens that the DACL memory gets overwritten by the SACL.
2021-09-24 19:39:30 +02:00
George Bișoc
f341b9080b
[NTOS:SE] Set the SACL to the World security descriptor
Implement the portion chunk of code that is responsible for setting the system access control list (SACL) to the World security descriptor, based from SeWorldSid (World security identifier).
2021-09-24 19:13:16 +02:00
George Bișoc
8e6fc7a5f5
[NTOS:SE] Implement token groups adjusting 2021-09-23 17:38:31 +02:00
George Bișoc
982ee872dd
[NTOS:SE] Privileges adjusting private routine must be paged
SepAdjustPrivileges is a private helper call that must be paged, alongside with its syscall -- NtAdjustPrivilegesToken.
2021-09-21 17:40:53 +02:00
Hermès Bélusca-Maïto
9393fc320e
[FORMATTING] Remove trailing whitespace. Addendum to 34593d93.
Excluded: 3rd-party code (incl. wine) and most of the win32ss.
2021-09-13 03:52:22 +02:00
George Bișoc
fc5bc55fbb
[NTOS:SE] Use the captured security descriptor when access checking
When performing access security check, use the security descriptor that we've captured it to determine based on that descriptor if the client can be granted access or not.
2021-09-12 16:07:44 +02:00
George Bișoc
d7255f1584
[NTOS:SE] Explicitly check the auto inherit flags right away
As we now have the SEF_* flags declared within the SDK we can simply check for such flags directly wihout having to check for the hard-coded flag values.
2021-09-09 19:29:53 +02:00
George Bișoc
c407460f6a
[NTOS:SE] Implement effective token option upon duplication
This implements the EffectiveOnly option of SepDuplicateToken routine (used by NtDuplicateToken syscall and other functions alike) which makes the access token effective by removing the disabled parts like privileges and groups.
2021-09-05 17:01:21 +02:00
George Bișoc
84f7bee18f
[NTOS:SE] SepSinglePrivilegeCheck doesn't expect a NT status code value
Fix a wrong returned datatype of the function, as SepSinglePrivilegeCheck calls the internal private SepPrivilegeCheck function which returns a BOOLEAN value.
2021-08-22 11:31:57 +02:00
George Bișoc
8567d8145e
[NTOS:SE] Annotate the remaining functions with SAL 2021-08-22 10:29:58 +02:00
George Bișoc
6413009c10
[NTOS:SE] Document the whole subsystem in Doxygen format
And update the file comment headers.
2021-08-22 10:29:47 +02:00
George Bișoc
632fa1cfbe
[NTOS:SE] Handle the reference logon session of the token
When creating or duplicating an access token object, make sure that the logon session is getting referenced by the token must be inserted onto the logon reference member (a.k.a LogonSession) for proper logon session referencing tracking.

Also when a token object is about to be destroyed or that we are taking away a reference session from it, we must ensure that the referenced logon session data gets removed from the token in question.
CORE-17700
2021-07-31 17:23:05 +02:00
George Bișoc
5e51f8dad2
[NTOS:SE] Implement logon reference insertion/removal to tokens 2021-07-31 16:11:03 +02:00
George Bișoc
7692c10527
[NTOS:SE] Unify all the SRM tags in one place
And rename SEP_LOGON_SESSION_TAG and SEP_LOGON_NOTIFICATION_TAG to TAG_LOGON_SESSION and TAG_LOGON_NOTIFICATION respectively.
2021-07-31 16:10:50 +02:00
George Bișoc
e2a8585edc
[NTOS:SE] Remove redundant commented call on token duplication
When duplicating an access token, the authentication ID is already copied from the existing token to the new one anyway so there's no point on having the commented call still left in the code.
2021-07-25 18:02:32 +02:00
George Bișoc
506cee3219 [NTOS:SE] Implement logon session termination notification
Note to SELF and EVERYONE: the commit implements the initial logon session termination notification implementation, the SeMarkLogonSessionForTerminationNotification function, but as it currently stands there are several other tasks to be addressed in the future in order for the logon termination notification to be fully completed. The tasks as of which are.

1. Our SepRmDereferenceLogonSession is not fully implemented, as it doesn't inform the LSA and filesystems of logon deletion notification
2. Implement two worker routines that are actually in charge of such tasks of informing LSA and FSDs
3. Perform logon deletion
4. Do further investigations and check whatever that is left to address, if any
2021-07-15 19:31:46 +02:00
George Bișoc
7fb0d13a46
[NTOS:SE] Move SQOS capturing in its own file
* Quality of service kernel stuff bears nothing with security descriptors in anyway, so just have a file specifically for it
* Annotate the function arguments parameters with SAL
* Document the functions
2021-07-05 09:39:06 +02:00
George Bișoc
ff0a325116
[NTOS:SE] Allocate pool memory for security descriptor based on the caller pool type request
We're indiscriminately allocate the pool as non paged all the time, thus further ignoring the pool type parameter of the function.
2021-07-04 11:01:54 +02:00
George Bișoc
c869c4778d
[NTOS:SE] Assign the control flag bits to the newly created security descriptor
We allocate memory pool for a new security descriptor with specific info filled by the caller but we don't set the control flag bits for the newly allocated descriptor, which is wrong. Originally spotted by Vadim Galyant.
CORE-17650
2021-07-03 17:20:48 +02:00
Jérôme Gardou
8178996559 [NTOS:SE] Do not ignore SepAccessCheckAndAuditAlarmWorker return value
CORE-17637
2021-06-28 10:20:57 +02:00
George Bișoc
5912c11650
[NTOS:SE] Minor refactor on NtOpenThreadTokenEx
- Remove a redundant call of ObReferenceObjectByHandle. Not only it didn't make much sense (we reference the object from thread handle and the new thread object referencing the same handle!), specifying a request access of THREAD_ALL_ACCESS for the thread object is kind of suspicious and all of these access rights are unwanted.
- Add some failure checks involving the CopyOnOpen code paths
- Add some DPRINT1 debug prints (concerning the CopyOnOpen code paths as usual)
2021-06-18 18:38:12 +02:00
Victor Perevertkin
34593d933b
[FORMATTING][NTOS][HAL][DRIVERS][SDK] Fix trailing spaces 2021-06-11 15:33:08 +03:00
George Bișoc
7ca6bfb994
[NTOS:SE] Use IQS_NONE for the first class which is not existent and barely used 2021-06-08 09:26:11 +02:00
George Bișoc
a330b56787
[NTOS:PS] Enable alignment probing for thread/process information classes
In addition to that, here are some stuff done in this commit whilst testing:

- ICIF_QUERY_SIZE_VARIABLE and friends were badly misused, they should be used only when an information class whose information length size is dyanmic and not fixed. By removing such flags from erroneous classes, this fixes the STATUS_INFO_LENGTH_MISMATCH testcases.

- Use CHAR instead of UCHAR for classes that do not need alignment probing, as every other class in the table do, for the sake of consistency.

- ProcessEnableAlignmentFaultFixup uses BOOLEAN as type size, not CHAR. This fixes a testcase failure on ROS.

- Check for information length size before proceeding further on querying the process' cookie information.

- ProcessHandleTracing wants an alignment of a ULONG, not CHAR.

- Move PROCESS_LDT_INFORMATION and PROCESS_LDT_SIZE outside of NTOS_MODE_USER macro case. This fixes a compilation issue when enabling the alignment probing. My mistake of having them inside NTOS_MODE_USER case, sorry.

- On functions like NtQueryInformationThread and the Process equivalent, complete probing is not done at the beginning of the function, complete probing including if the buffer is writable alongside with datatype misalignment check that is. Instead such check is done on each information class case basis. With that said, we have to explicitly tell DefaultQueryInfoBufferCheck if we want a complete probing or not initially.
2021-06-06 17:14:22 +02:00
George Bișoc
06b0d2e380
[NTOS:SE] Implement logon session deletion
And declare a prototype for SepCleanupLUIDDeviceMapDirectory and annotate it with SAL.
2021-06-02 11:09:01 +02:00
George Bișoc
3140dac3fe
[NTOS:SE] Do some cleanup on ICIF flags in token information classes
A few of these classes have fixed size lengths, the rest are arbitrary. Also the TokenAuditPolicy class hasn't a size length type specified in the table, which is wrong (and move the corresponding TOKEN_AUDIT_POLICY_INFORMATION structure into the private header).
2021-05-29 12:44:03 +02:00
George Bișoc
99d776894a
[NTOS:SE] Capture the groups length when creating a token
The groups length is already returned by SeCaptureSidAndAttributesArray, it doesn't make sense to not use it.
2021-05-16 17:18:29 +02:00
Jérôme Gardou
3adf450867 [REACTOS] Addendum to 5c7ce4475e - Fix MSVC 2015 build
Put data into PAGEDATA or INITDATA sections
Keep section declaration for prototypes

CORE-17540
2021-05-12 11:04:29 +02:00
George Bișoc
f5dc1c77b5
[NDK][NTOS:SE] Add the missing "LogonSession" member to TOKEN structure
And also fix the wrong member offsets in comments. The said offset values are based upon the ones retrieved with WinDBG.
2021-05-09 17:34:02 +02:00
George Bișoc
11f239373d
[NTOS:SE] Add further remarks in SeQueryInformationToken
Explicitly mention under remarks that some classes are not implemented for that function, for documentation purposes. No code changes.
2021-05-08 18:11:42 +02:00
George Bișoc
5dd93a8a5b
[NTOS:SE] Get the session ID and assign it to the new token
SeExchangePrimaryToken doesn't assign the session ID to the new token, which could lead to incorrect behaviour in the long run. Let's fix that.
2021-05-04 10:08:26 +02:00
George Bișoc
207543429b
[NTOSKRNL] Use IQS_SAME instead of ICI_SQ_SAME
And remove the redundant ICI_SQ_SAME macro as it's no longer needed in the codebase.
2021-05-02 21:00:51 +02:00
George Bișoc
18ddb6ba92
[NTOS:SE] Implement SeTokenCanImpersonate routine
SeTokenCanImpersonate ensures whether the client impersonation can occur, and if not, the call signals this to the caller.
2021-05-02 16:55:19 +02:00
George Bișoc
44fb528fcc
[NTOS:SE] Implement the NtImpersonateAnonymousToken system call
Implement SepImpersonateAnonymousToken private helpers, which is necessary for the complete implementation of NtImpersonateAnonymousToken function and thus finally we're able to impersonate the anonymous logon token.
2021-04-27 12:25:03 +02:00
George Bișoc
b68216e503
[NTOS:SE] Annotate the function parameters of SepRegQueryHelper with SAL
And add a documentation comment header
2021-04-27 12:25:03 +02:00
George Bișoc
3d8dd932b1
[NTOS:SE] Lock the token in SeQueryInformationToken and do some cleanup
* Guard the token in a lock whilst querying stuff
* Remove the piece of code that checks if the information class provided is above the maximum information class threshold. That code literally duplicates the inner functionality of the default case in the switch block, where the code falls in that case if an invalid information class is provided anyway.
* Remove the redundant information classes. Internally, this function in Windows has 12 switch case blocks (11 token info classes + the default case) and the other classes are supported in NtQueryInformationToken only so it doesn't make any logical sense to keep them in the codebase.
* Annotate the argument parameters with SAL and add documentation header
2021-04-18 13:56:37 +02:00
Oleg Dubinskiy
52f4d8019b [NTOS:MM][NTOS:SE] Mute some noisy stubs
Mute debug prints of MmDoesFileHaveUserWritableReferences and SeAuditingFileEventsWithContext stubs.
These stubs are very noisy and create a lot of spam in the log when using Microsoft NTFS driver in ReactOS (with some other improvements applied).
Implementing those functions isn't badly required for the proper work of this driver, so better way for now is just mute these stubs a bit.
After my changes, they will be displayed only once, and the log will be more clear, so it will seem to be enough to understand that the driver calls these routines.
CORE-17409
2021-04-07 13:16:03 +02:00
George Bișoc
eba68ffb9c [NTOS:SE] Specify the code section of SepCreateSystemProcessToken as INIT
This function is used during the Security kernel module phase initialisation to set up the system process token which the phase initialisation procedure in itself is stored in the INIT section. With that being said, do the same for SepCreateSystemProcessToken too and add a header documentation as an addition.
2021-03-25 02:30:46 +03:00
George Bișoc
5b5b814af8 [NTOS:SE] Create the anonymous logon tokens on Security initialisation phase 2021-03-25 02:30:46 +03:00
George Bișoc
fe0f9d8646 [NTOS:SE] Implement SepCreateSystemAnonymousLogonToken and SepCreateSystemAnonymousLogonTokenNoEveryone functions
These private functions are needed to set up two different kinds of system's anonymous logon tokens: one that includes everyone in the group and the other that doesn't. These functions are needed as next step closer to the
implementation of NtImpersonateAnonymousToken system call.
2021-03-25 02:30:46 +03:00
George Bișoc
b28530d4ac [NTOS:SE] Set up an ACL and SD for the anonymous logon 2021-03-25 02:30:46 +03:00
George Bișoc
44b8e5caac [NTOS:SE] Complete the SepCompareTokens implementation
* Implement SepCompareSidAndAttributesFromTokens and SepComparePrivilegeAndAttributesFromTokens functions for array elements comparison
* Implement the token comparison code in SepCompareTokens function
* Add a missing PAGED_CODE() in SepCompareTokens as most of the token comparison code is paged
* Use SAL annotations for SepCompareTokens and NtCompareTokens
2021-03-04 16:22:56 +03:00
George Bișoc
dd4c113594
[NTOS:SE] Do not use a global lock for tokens (#3445)
In Windows Server 2003 the lock is initialised on a per-token basis, that is, the lock resource is created in SepDuplicateToken() and SepCreateToken() functions. This ensures that the lock initialisation is done locally for the specific token thus avoiding the need of a global lock.
2021-02-05 12:10:19 +03:00
Timo Kreuzer
274bc4de1c [NTOS:SE] Fix handling of relative security descriptors in SeQuerySecurityDescriptorInfo 2020-11-07 15:54:47 +01:00
Victor Perevertkin
5c7ce4475e
[REACTOS] Cleanup INIT and some PAGE section allocations
- Change INIT_FUNCTION and INIT_SECTION to CODE_SEG("INIT") and DATA_SEG("INIT") respectively
- Remove INIT_FUNCTION from function prototypes
- Remove alloc_text pragma calls as they are not needed anymore
2020-11-02 21:45:31 +03:00
Serge Gautherie
b20f815126
[NTOSKRNL] Place INIT_FUNCTION before the return type (#2823)
(but after 'static' or SAL 2 annotation.)
Follow-up to 71fefa32, which mentions that it's actually required by the compiler in some circumstances.
2020-05-23 15:56:10 +02:00
Eric Kohl
4614c5b57c [NTOSKRNL] Implement SeRegisterLogonSessionTerminatedRoutine() and SeUnregisterLogonSessionTerminatedRoutine(). 2019-08-04 14:01:26 +02:00
Pierre Schweitzer
651ba03c6d
[NTOSKRNL] Taggify some allocs 2019-06-10 14:54:55 +02:00
Pierre Schweitzer
a5daa8894d
[NTOSKRNL] Implement SepCleanupLUIDDeviceMapDirectory
This will clean up all the links (drive letters) created
by an user on session deletion once LUID device maps are
in use
2019-06-10 14:49:50 +02:00
Pierre Schweitzer
5ecc05003d
[NTOSKRNL] On session last reference removal, dereference LUID device map 2019-06-10 12:30:49 +02:00
Pierre Schweitzer
7c618faa32
[NTOSKRNL] Implement SeGetLogonIdDeviceMap 2019-06-01 21:09:20 +02:00
Pierre Schweitzer
59806f7eb0
[NTOSKRNL] Stub SeGetLogonIdDeviceMap 2019-06-01 18:37:47 +02:00
Hermès Bélusca-Maïto
627b1df579
[NTOS] Fix typos. 2019-04-22 19:41:19 +02:00
Pierre Schweitzer
eb8b481cd4
[NTOSKRNL] Rewrite/fix our UUID generation implementation
So that it matches Windows behavior
Also implement ExUuidCreate that will generate UUID version 1

The implementation is based on the RFC 4122
2019-03-01 08:22:48 +01:00
Timo Kreuzer
71fefa32db
[NDK][NTOS] Add global definition of INIT_FUNCTION/INIT_SECTION (#779)
* Add an NDK header to define INIT_FUNCTION/INIT_SECTION globally
* Use _declspec(allocate(x)) and _declspec(code_seg(x)) on MSVC versions that support it
* Use INIT_FUNCTION on functions only and INIT_SECTION on data only (required by MSVC)
* Place INIT_FUNCTION before the return type (required by MSVC)
* Make sure declarations and implementations share the same modifiers (required by MSVC)
* Add a global linker option to suppress warnings about defined but unused INIT section
* Merge INIT section into .text in freeldr
2018-12-30 12:19:11 +01:00
Pierre Schweitzer
95bc44e214
[NTOSKRNL] Don't leak DACL
Spotted by Thomas :-)
2018-11-11 23:21:36 +01:00
Pierre Schweitzer
6747dacf10
[NTOSKRNL] Create a security descriptor for the \security directory object 2018-11-10 23:25:10 +01:00
Pierre Schweitzer
2ce071d19a
[NTOSKRNL] Implement SeComputeQuotaInformationSize() 2018-10-27 19:36:14 +02:00
Hermès Bélusca-Maïto
7f9282927b
[NTOS:SE] Fixes for NT tokens.
- SeIsTokenChild(): Correctly check whether a caller-provided token
  is a child from the current process' primary token by looking at
  its ParentTokenId member.

- Add a SeIsTokenSibling() helper to determine whether a caller-provided
  token and the current process' primary token are siblings, by comparing
  their ParentTokenId's and AuthenticationId's.

NOTE: Children tokens are created through CreateRestrictedToken();
sibling tokens are created through DuplicateToken() (amongst others).

See slide 49 of https://www.slideshare.net/Shakacon/social-engineering-the-windows-kernel-by-james-forshaw
or https://googleprojectzero.blogspot.com/2016/01/raising-dead.html
for some details.
2018-09-28 00:45:01 +02:00
Timo Kreuzer
6c154c0625 [NTOS:SE] Fix SeSetSecurityDescriptorInfoEx to prevent pool corruption on x64 2018-08-16 16:32:49 +02:00
Hermès Bélusca-Maïto
4d494caf61
[NTOS:SE] Overhaul the token management code.
- Overhaul SepCreateToken() and SepDuplicateToken() so that they
  implement the "variable information area" of the token, where
  immutable lists of user & groups and privileges reside, and the
  "dynamic information area" (allocated separately in paged pool),
  where mutable data such as the token's default DACL is stored.
  Perform the necessary adaptations in SepDeleteToken() and in
  NtSetInformationToken().

- Actually dereference the token's logon session, when needed, in the
  'TokenSessionReference' case in NtSetInformationToken().

- Overhaul SepFindPrimaryGroupAndDefaultOwner() so that it returns
  the indices of candidate primary group and default owner within the
  token's user & groups array. This allows for fixing the 'TokenOwner'
  and 'TokenPrimaryGroup' cases of NtSetInformationToken(), since the
  owner or primary group being set *MUST* already exist in the token's
  user & groups array (as a by-product, memory corruptions that existed
  before due to the broken way of setting these properties disappear too).

- Lock tokens every time operations are performed on them (NOTE: we
  still use a global token lock!).

- Touch the ModifiedId LUID member of tokens everytime a write operation
  (property change, etc...) is made on them.

- Fix some group attributes in the SYSTEM process token, SepCreateSystemProcessToken().

- Make the SeCreateTokenPrivilege mandatory when calling NtCreateToken().

- Update the token pool tags.

- Explicitly use the Ex*ResourceLite() versions of the locking functions
  in the token locking macros.
2018-06-27 23:40:18 +02:00
Hermès Bélusca-Maïto
9594022ce1
[NTOS:SE] Add a documentation note about SeTokenIsWriteRestricted() and SeTokenIsAdmin(), and update the one for NtDuplicateToken().
[XDK] Move TOKEN_HAS_ADMIN_GROUP where appropriate.
2018-06-27 23:40:15 +02:00
Hermès Bélusca-Maïto
f61694cfbb
[NTOS:SE] Minor style changes.
- Use TRUE/FALSE instead of 1/0 for booleans.
- Use NULL instead of 0 for null pointers.
- Print 0x prefix for hex values in DPRINTs.
- Use new annotations for SepCreateToken() and SepDuplicateToken().
2018-06-27 23:40:15 +02:00
Hermès Bélusca-Maïto
986bf4c407
[NTOS:SE] In SepCreateClientSecurity(), fix the impersonation level value passed to the SeCopyClientToken() call.
Caught while debugging, in the case the ImpersonationLevel value was
uninitialized, due to the fact it was left untouched on purpose by
PsReferenceEffectiveToken().
2018-06-27 23:40:14 +02:00
Hermès Bélusca-Maïto
0ef734dba4
[FORMATTING] No code change; typo fix. 2018-06-27 23:40:14 +02:00
Hermès Bélusca-Maïto
5b2dda9134
[NTOS:SE] Finish SepCreateImpersonationTokenDacl() implementation.
- Re-enable a commented-out block;
- Return the allocated Dacl.
- Use the correct pool tag when freeing the allocated Dacl.
2018-06-27 23:40:14 +02:00
Colin Finck
c2c66aff7d Git conversion: Make reactos the root directory, move rosapps, rostests, wallpapers into modules, and delete rossubsys. 2017-10-03 07:45:34 +00:00