mirror of
https://github.com/reactos/reactos.git
synced 2024-12-30 19:14:31 +00:00
9a2c62b544
The current state of Security manager's code is kind of a mess. Mainly, there's code scattered around places where they shouldn't belong and token implementation (token.c) is already of a bloat in itself as it is. The file has over 6k lines and it's subject to grow exponentially with improvements, features, whatever that is. With that being said, the token implementation code in the kernel will be split accordingly and rest of the code moved to appropriate places. The new layout will look as follows (excluding the already existing files): - client.c (Client security implementation code) - objtype.c (Object type list implementation code -- more code related to object types will be put here when I'm going to implement object type access checks in the future) - subject.c (Subject security context support) The token implementation in the kernel will be split in 4 distinct files as shown: - token.c (Base token support routines) - tokenlif.c (Life management of a token object -- that is Duplication, Creation and Filtering) - tokencls.c (Token Query/Set Information Classes support) - tokenadj.c (Token privileges/groups adjusting support) In addition to that, tidy up the internal header and reorganize it as well.
910 lines
32 KiB
C
910 lines
32 KiB
C
/*
|
|
* PROJECT: ReactOS Kernel
|
|
* LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
|
|
* PURPOSE: Access token ajusting Groups/Privileges support routines
|
|
* COPYRIGHT: Copyright David Welch <welch@cwcom.net>
|
|
* Copyright 2021-2022 George Bișoc <george.bisoc@reactos.org>
|
|
*/
|
|
|
|
/* INCLUDES *******************************************************************/
|
|
|
|
#include <ntoskrnl.h>
|
|
#define NDEBUG
|
|
#include <debug.h>
|
|
|
|
/* PRIVATE FUNCTIONS *********************************************************/
|
|
|
|
/**
|
|
* @brief
|
|
* Removes a certain amount of privileges of a token based upon the request
|
|
* by the caller.
|
|
*
|
|
* @param[in,out] Token
|
|
* Token handle where the privileges are about to be modified.
|
|
*
|
|
* @param[in] DisableAllPrivileges
|
|
* If set to TRUE, the function disables all the privileges.
|
|
*
|
|
* @param[in] NewState
|
|
* A new list of privileges that the function will use it accordingly to
|
|
* either disable or enable the said privileges and change them.
|
|
*
|
|
* @param[in] NewStateCount
|
|
* The new total number count of privileges.
|
|
*
|
|
* @param[out] PreviousState
|
|
* If specified, the function will return the previous state list of privileges.
|
|
*
|
|
* @param[in] ApplyChanges
|
|
* If set to TRUE, the function will immediatelly apply the changes onto the
|
|
* token's privileges.
|
|
*
|
|
* @param[out] ChangedPrivileges
|
|
* The returned count number of changed privileges.
|
|
*
|
|
* @param[out] ChangesMade
|
|
* If TRUE, the function has made changes to the token's privileges. FALSE
|
|
* otherwise.
|
|
*
|
|
* @return
|
|
* Returns STATUS_SUCCESS if the function has successfully changed the list
|
|
* of privileges. STATUS_NOT_ALL_ASSIGNED is returned if not every privilege
|
|
* has been changed.
|
|
*/
|
|
static
|
|
NTSTATUS
|
|
SepAdjustPrivileges(
|
|
_Inout_ PTOKEN Token,
|
|
_In_ BOOLEAN DisableAllPrivileges,
|
|
_In_opt_ PLUID_AND_ATTRIBUTES NewState,
|
|
_In_ ULONG NewStateCount,
|
|
_Out_opt_ PTOKEN_PRIVILEGES PreviousState,
|
|
_In_ BOOLEAN ApplyChanges,
|
|
_Out_ PULONG ChangedPrivileges,
|
|
_Out_ PBOOLEAN ChangesMade)
|
|
{
|
|
ULONG i, j, PrivilegeCount, ChangeCount, NewAttributes;
|
|
|
|
PAGED_CODE();
|
|
|
|
/* Count the found privileges and those that need to be changed */
|
|
PrivilegeCount = 0;
|
|
ChangeCount = 0;
|
|
*ChangesMade = FALSE;
|
|
|
|
/* Loop all privileges in the token */
|
|
for (i = 0; i < Token->PrivilegeCount; i++)
|
|
{
|
|
/* Shall all of them be disabled? */
|
|
if (DisableAllPrivileges)
|
|
{
|
|
/* The new attributes are the old ones, but disabled */
|
|
NewAttributes = Token->Privileges[i].Attributes & ~SE_PRIVILEGE_ENABLED;
|
|
}
|
|
else
|
|
{
|
|
/* Otherwise loop all provided privileges */
|
|
for (j = 0; j < NewStateCount; j++)
|
|
{
|
|
/* Check if this is the LUID we are looking for */
|
|
if (RtlEqualLuid(&Token->Privileges[i].Luid, &NewState[j].Luid))
|
|
{
|
|
DPRINT("Found privilege\n");
|
|
|
|
/* Copy SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_REMOVED */
|
|
NewAttributes = NewState[j].Attributes;
|
|
NewAttributes &= (SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_REMOVED);
|
|
NewAttributes |= Token->Privileges[i].Attributes & ~SE_PRIVILEGE_ENABLED;
|
|
|
|
/* Stop looking */
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* Check if we didn't find the privilege */
|
|
if (j == NewStateCount)
|
|
{
|
|
/* Continue with the token's next privilege */
|
|
continue;
|
|
}
|
|
}
|
|
|
|
/* We found a privilege, count it */
|
|
PrivilegeCount++;
|
|
|
|
/* Does the privilege need to be changed? */
|
|
if (Token->Privileges[i].Attributes != NewAttributes)
|
|
{
|
|
/* Does the caller want the old privileges? */
|
|
if (PreviousState != NULL)
|
|
{
|
|
/* Copy the old privilege */
|
|
PreviousState->Privileges[ChangeCount] = Token->Privileges[i];
|
|
}
|
|
|
|
/* Does the caller want to apply the changes? */
|
|
if (ApplyChanges)
|
|
{
|
|
/* Shall we remove the privilege? */
|
|
if (NewAttributes & SE_PRIVILEGE_REMOVED)
|
|
{
|
|
/* Set the token as disabled and update flags for it */
|
|
Token->Privileges[i].Attributes &= ~SE_PRIVILEGE_ENABLED;
|
|
SepUpdateSinglePrivilegeFlagToken(Token, i);
|
|
|
|
/* Remove the privilege */
|
|
SepRemovePrivilegeToken(Token, i);
|
|
|
|
*ChangesMade = TRUE;
|
|
|
|
/* Fix the running index and continue with next one */
|
|
i--;
|
|
continue;
|
|
}
|
|
|
|
/* Set the new attributes and update flags */
|
|
Token->Privileges[i].Attributes = NewAttributes;
|
|
SepUpdateSinglePrivilegeFlagToken(Token, i);
|
|
*ChangesMade = TRUE;
|
|
}
|
|
|
|
/* Increment the change count */
|
|
ChangeCount++;
|
|
}
|
|
}
|
|
|
|
/* Set the number of saved privileges */
|
|
if (PreviousState != NULL)
|
|
PreviousState->PrivilegeCount = ChangeCount;
|
|
|
|
/* Return the number of changed privileges */
|
|
*ChangedPrivileges = ChangeCount;
|
|
|
|
/* Check if we missed some */
|
|
if (!DisableAllPrivileges && (PrivilegeCount < NewStateCount))
|
|
{
|
|
return STATUS_NOT_ALL_ASSIGNED;
|
|
}
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
/**
|
|
* @brief
|
|
* Private routine that iterates over the groups of an
|
|
* access token to be adjusted as per on request by the
|
|
* caller, where a group can be enabled or disabled.
|
|
*
|
|
* @param[in] Token
|
|
* Access token where its groups are to be enabled or disabled.
|
|
*
|
|
* @param[in] NewState
|
|
* A list of groups with new state attributes to be assigned to
|
|
* the token.
|
|
*
|
|
* @param[in] NewStateCount
|
|
* The captured count number of groups in the list.
|
|
*
|
|
* @param[in] ApplyChanges
|
|
* If set to FALSE, the function will only iterate over the token's
|
|
* groups without performing any kind of modification. If set to TRUE,
|
|
* the changes will be applied immediately when the function has done
|
|
* looping the groups.
|
|
*
|
|
* @param[in] ResetToDefaultStates
|
|
* The function will reset the groups in an access token to default
|
|
* states if set to TRUE. In such scenario the function ignores
|
|
* NewState outright. Otherwise if set to FALSE, the function will
|
|
* use NewState to assign the newly attributes to adjust the token's
|
|
* groups. SE_GROUP_ENABLED_BY_DEFAULT is a flag indicator that is used
|
|
* for such purpose.
|
|
*
|
|
* @param[out] ChangesMade
|
|
* Returns TRUE if changes to token's groups have been made, otherwise
|
|
* FALSE is returned. Bear in mind such changes aren't always deterministic.
|
|
* See remarks for further details.
|
|
*
|
|
* @param[out] PreviousGroupsState
|
|
* If requested by the caller, the function will return the previous state
|
|
* of groups in an access token prior taking action on adjusting the token.
|
|
* This is a UM (user mode) pointer and it's prone to raise exceptions
|
|
* if such pointer address is not valid.
|
|
*
|
|
* @param[out] ChangedGroups
|
|
* Returns the total number of changed groups in an access token. This
|
|
* argument could also indicate the number of groups to be changed if
|
|
* the calling thread hasn't chosen to apply the changes yet. A number
|
|
* of 0 indicates no groups have been or to be changed because the groups'
|
|
* attributes in a token are the same as the ones from NewState given by
|
|
* the caller.
|
|
*
|
|
* @return
|
|
* STATUS_SUCCESS is returned if the function has successfully completed
|
|
* the operation of adjusting groups in a token. STATUS_CANT_DISABLE_MANDATORY
|
|
* is returned if there was an attempt to disable a mandatory group which is
|
|
* not possible. STATUS_CANT_ENABLE_DENY_ONLY is returned if there was an attempt
|
|
* to enable a "use for Deny only" group which is not allowed, that is, a restricted
|
|
* group. STATUS_NOT_ALL_ASSIGNED is returned if not all the groups are actually
|
|
* assigned to the token.
|
|
*
|
|
* @remarks
|
|
* Token groups adjusting can be judged to be deterministic or not based on the
|
|
* NT status code value. That is, STATUS_SUCCESS indicates the function not only
|
|
* has iterated over the whole groups in a token, it also has applied the changes
|
|
* thoroughly without impediment and the results perfectly match with the request
|
|
* desired by the caller. In this situation the condition is deemed deterministic.
|
|
* In a different situation however, if the status code was STATUS_NOT_ALL_ASSIGNED,
|
|
* the function would still continue looping the groups in a token and apply the
|
|
* changes whenever possible where the respective groups actually exist in the
|
|
* token. This kind of situation is deemed as indeterministic.
|
|
* For STATUS_CANT_DISABLE_MANDATORY and STATUS_CANT_ENABLE_DENY_ONLY the scenario
|
|
* is even more indeterministic as the iteration of groups comes to a halt thus
|
|
* leaving all other possible groups to be adjusted.
|
|
*/
|
|
static
|
|
NTSTATUS
|
|
SepAdjustGroups(
|
|
_In_ PTOKEN Token,
|
|
_In_opt_ PSID_AND_ATTRIBUTES NewState,
|
|
_In_ ULONG NewStateCount,
|
|
_In_ BOOLEAN ApplyChanges,
|
|
_In_ BOOLEAN ResetToDefaultStates,
|
|
_Out_ PBOOLEAN ChangesMade,
|
|
_Out_opt_ PTOKEN_GROUPS PreviousGroupsState,
|
|
_Out_ PULONG ChangedGroups)
|
|
{
|
|
ULONG GroupsInToken, GroupsInList;
|
|
ULONG ChangeCount, GroupsCount, NewAttributes;
|
|
|
|
PAGED_CODE();
|
|
|
|
/* Ensure that the token we get is valid */
|
|
ASSERT(Token);
|
|
|
|
/* Initialize the counters and begin the work */
|
|
*ChangesMade = FALSE;
|
|
GroupsCount = 0;
|
|
ChangeCount = 0;
|
|
|
|
/* Begin looping all the groups in the token */
|
|
for (GroupsInToken = 0; GroupsInToken < Token->UserAndGroupCount; GroupsInToken++)
|
|
{
|
|
/* Does the caller want to reset groups to default states? */
|
|
if (ResetToDefaultStates)
|
|
{
|
|
/*
|
|
* SE_GROUP_ENABLED_BY_DEFAULT is a special indicator that informs us
|
|
* if a certain group has been enabled by default or not. In case
|
|
* a group is enabled by default but it is not currently enabled then
|
|
* at that point we must enable it back by default. For now just
|
|
* assign the respective SE_GROUP_ENABLED attribute as we'll do the
|
|
* eventual work later.
|
|
*/
|
|
if ((Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_ENABLED_BY_DEFAULT) &&
|
|
(Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_ENABLED) == 0)
|
|
{
|
|
NewAttributes = Token->UserAndGroups[GroupsInToken].Attributes |= SE_GROUP_ENABLED;
|
|
}
|
|
|
|
/*
|
|
* Unlike the case above, a group that hasn't been enabled by
|
|
* default but it's currently enabled then we must disable
|
|
* it back.
|
|
*/
|
|
if ((Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_ENABLED_BY_DEFAULT) == 0 &&
|
|
(Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_ENABLED))
|
|
{
|
|
NewAttributes = Token->UserAndGroups[GroupsInToken].Attributes & ~SE_GROUP_ENABLED;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
/* Loop the provided groups in the list then */
|
|
for (GroupsInList = 0; GroupsInList < NewStateCount; GroupsInList++)
|
|
{
|
|
/* Does this group exist in the token? */
|
|
if (RtlEqualSid(&Token->UserAndGroups[GroupsInToken].Sid,
|
|
&NewState[GroupsInList].Sid))
|
|
{
|
|
/*
|
|
* This is the group that we're looking for.
|
|
* However, it could be that the group is a
|
|
* mandatory group which we are not allowed
|
|
* and cannot disable it.
|
|
*/
|
|
if ((Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_MANDATORY) &&
|
|
(NewState[GroupsInList].Attributes & SE_GROUP_ENABLED) == 0)
|
|
{
|
|
/* It is mandatory, forget about this group */
|
|
DPRINT1("SepAdjustGroups(): The SID group is mandatory!\n");
|
|
return STATUS_CANT_DISABLE_MANDATORY;
|
|
}
|
|
|
|
/*
|
|
* We've to ensure that apart the group mustn't be
|
|
* mandatory, it mustn't be a restricted group as
|
|
* well. That is, the group is marked with
|
|
* SE_GROUP_USE_FOR_DENY_ONLY flag and no one
|
|
* can enable it because it's for "deny" use only.
|
|
*/
|
|
if ((Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_USE_FOR_DENY_ONLY) &&
|
|
(NewState[GroupsInList].Attributes & SE_GROUP_ENABLED))
|
|
{
|
|
/* This group is restricted, forget about it */
|
|
DPRINT1("SepAdjustGroups(): The SID group is for use deny only!\n");
|
|
return STATUS_CANT_ENABLE_DENY_ONLY;
|
|
}
|
|
|
|
/* Copy the attributes and stop searching */
|
|
NewAttributes = NewState[GroupsInList].Attributes;
|
|
NewAttributes &= SE_GROUP_ENABLED;
|
|
NewAttributes = Token->UserAndGroups[GroupsInToken].Attributes & ~SE_GROUP_ENABLED;
|
|
break;
|
|
}
|
|
|
|
/* Did we find the specific group we wanted? */
|
|
if (GroupsInList == NewStateCount)
|
|
{
|
|
/* We didn't, continue with the next token's group */
|
|
continue;
|
|
}
|
|
}
|
|
|
|
/* Count the group that we found it */
|
|
GroupsCount++;
|
|
|
|
/* Does the token have the same attributes as the caller requested them? */
|
|
if (Token->UserAndGroups[GroupsInToken].Attributes != NewAttributes)
|
|
{
|
|
/*
|
|
* No, then it's time to make some adjustment to the
|
|
* token's groups. Does the caller want the previous states
|
|
* of groups?
|
|
*/
|
|
if (PreviousGroupsState != NULL)
|
|
{
|
|
PreviousGroupsState->Groups[ChangeCount] = Token->UserAndGroups[GroupsInToken];
|
|
}
|
|
|
|
/* Time to apply the changes now? */
|
|
if (ApplyChanges)
|
|
{
|
|
/* The caller gave us consent, apply and report that we made changes! */
|
|
Token->UserAndGroups[GroupsInToken].Attributes = NewAttributes;
|
|
*ChangesMade = TRUE;
|
|
}
|
|
|
|
/* Increment the count change */
|
|
ChangeCount++;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* Report the number of previous saved groups */
|
|
if (PreviousGroupsState != NULL)
|
|
{
|
|
PreviousGroupsState->GroupCount = ChangeCount;
|
|
}
|
|
|
|
/* Report the number of changed groups */
|
|
*ChangedGroups = ChangeCount;
|
|
|
|
/* Did we miss some groups? */
|
|
if (!ResetToDefaultStates && (GroupsCount < NewStateCount))
|
|
{
|
|
/*
|
|
* If we're at this stage then we are in a situation
|
|
* where the adjust changes done to token's groups is
|
|
* not deterministic as the caller might have wanted
|
|
* as per NewState parameter.
|
|
*/
|
|
DPRINT1("SepAdjustGroups(): The token hasn't all the groups assigned!\n");
|
|
return STATUS_NOT_ALL_ASSIGNED;
|
|
}
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
/* SYSTEM CALLS ***************************************************************/
|
|
|
|
/**
|
|
* @brief
|
|
* Removes a certain amount of privileges of a token based upon the request
|
|
* by the caller.
|
|
*
|
|
* @param[in,out] Token
|
|
* Token handle where the privileges are about to be modified.
|
|
*
|
|
* @param[in] DisableAllPrivileges
|
|
* If set to TRUE, the function disables all the privileges.
|
|
*
|
|
* @param[in] NewState
|
|
* A new list of privileges that the function will use it accordingly to
|
|
* either disable or enable the said privileges and change them.
|
|
*
|
|
* @param[in] NewStateCount
|
|
* The new total number count of privileges.
|
|
*
|
|
* @param[out] PreviousState
|
|
* If specified, the function will return the previous state list of privileges.
|
|
*
|
|
* @param[in] ApplyChanges
|
|
* If set to TRUE, the function will immediatelly apply the changes onto the
|
|
* token's privileges.
|
|
*
|
|
* @param[out] ChangedPrivileges
|
|
* The returned count number of changed privileges.
|
|
*
|
|
* @param[out] ChangesMade
|
|
* If TRUE, the function has made changes to the token's privileges. FALSE
|
|
* otherwise.
|
|
*
|
|
* @return
|
|
* Returns STATUS_SUCCESS if the function has successfully changed the list
|
|
* of privileges. STATUS_NOT_ALL_ASSIGNED is returned if not every privilege
|
|
* has been changed.
|
|
*/
|
|
_Must_inspect_result_
|
|
__kernel_entry
|
|
NTSTATUS
|
|
NTAPI
|
|
NtAdjustPrivilegesToken(
|
|
_In_ HANDLE TokenHandle,
|
|
_In_ BOOLEAN DisableAllPrivileges,
|
|
_In_opt_ PTOKEN_PRIVILEGES NewState,
|
|
_In_ ULONG BufferLength,
|
|
_Out_writes_bytes_to_opt_(BufferLength,*ReturnLength)
|
|
PTOKEN_PRIVILEGES PreviousState,
|
|
_When_(PreviousState!=NULL, _Out_) PULONG ReturnLength)
|
|
{
|
|
NTSTATUS Status;
|
|
KPROCESSOR_MODE PreviousMode;
|
|
PTOKEN Token;
|
|
PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL;
|
|
ULONG CapturedCount = 0;
|
|
ULONG CapturedLength = 0;
|
|
ULONG NewStateSize = 0;
|
|
ULONG ChangeCount;
|
|
ULONG RequiredLength;
|
|
BOOLEAN ChangesMade = FALSE;
|
|
|
|
PAGED_CODE();
|
|
|
|
DPRINT("NtAdjustPrivilegesToken() called\n");
|
|
|
|
/* Fail, if we do not disable all privileges but NewState is NULL */
|
|
if (DisableAllPrivileges == FALSE && NewState == NULL)
|
|
return STATUS_INVALID_PARAMETER;
|
|
|
|
PreviousMode = KeGetPreviousMode();
|
|
if (PreviousMode != KernelMode)
|
|
{
|
|
_SEH2_TRY
|
|
{
|
|
/* Probe NewState */
|
|
if (DisableAllPrivileges == FALSE)
|
|
{
|
|
/* First probe the header */
|
|
ProbeForRead(NewState, sizeof(TOKEN_PRIVILEGES), sizeof(ULONG));
|
|
|
|
CapturedCount = NewState->PrivilegeCount;
|
|
NewStateSize = FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges[CapturedCount]);
|
|
|
|
ProbeForRead(NewState, NewStateSize, sizeof(ULONG));
|
|
}
|
|
|
|
/* Probe PreviousState and ReturnLength */
|
|
if (PreviousState != NULL)
|
|
{
|
|
ProbeForWrite(PreviousState, BufferLength, sizeof(ULONG));
|
|
ProbeForWrite(ReturnLength, sizeof(ULONG), sizeof(ULONG));
|
|
}
|
|
}
|
|
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
|
{
|
|
/* Return the exception code */
|
|
_SEH2_YIELD(return _SEH2_GetExceptionCode());
|
|
}
|
|
_SEH2_END;
|
|
}
|
|
else
|
|
{
|
|
/* This is kernel mode, we trust the caller */
|
|
if (DisableAllPrivileges == FALSE)
|
|
CapturedCount = NewState->PrivilegeCount;
|
|
}
|
|
|
|
/* Do we need to capture the new state? */
|
|
if (DisableAllPrivileges == FALSE)
|
|
{
|
|
_SEH2_TRY
|
|
{
|
|
/* Capture the new state array of privileges */
|
|
Status = SeCaptureLuidAndAttributesArray(NewState->Privileges,
|
|
CapturedCount,
|
|
PreviousMode,
|
|
NULL,
|
|
0,
|
|
PagedPool,
|
|
TRUE,
|
|
&CapturedPrivileges,
|
|
&CapturedLength);
|
|
}
|
|
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
|
{
|
|
/* Return the exception code */
|
|
Status = _SEH2_GetExceptionCode();
|
|
}
|
|
_SEH2_END;
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
return Status;
|
|
}
|
|
|
|
/* Reference the token */
|
|
Status = ObReferenceObjectByHandle(TokenHandle,
|
|
TOKEN_ADJUST_PRIVILEGES | (PreviousState != NULL ? TOKEN_QUERY : 0),
|
|
SeTokenObjectType,
|
|
PreviousMode,
|
|
(PVOID*)&Token,
|
|
NULL);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DPRINT1("Failed to reference token (Status 0x%lx)\n", Status);
|
|
|
|
/* Release the captured privileges */
|
|
if (CapturedPrivileges != NULL)
|
|
{
|
|
SeReleaseLuidAndAttributesArray(CapturedPrivileges,
|
|
PreviousMode,
|
|
TRUE);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
/* Lock the token */
|
|
SepAcquireTokenLockExclusive(Token);
|
|
|
|
/* Count the privileges that need to be changed, do not apply them yet */
|
|
Status = SepAdjustPrivileges(Token,
|
|
DisableAllPrivileges,
|
|
CapturedPrivileges,
|
|
CapturedCount,
|
|
NULL,
|
|
FALSE,
|
|
&ChangeCount,
|
|
&ChangesMade);
|
|
|
|
/* Check if the caller asked for the previous state */
|
|
if (PreviousState != NULL)
|
|
{
|
|
/* Calculate the required length */
|
|
RequiredLength = FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges[ChangeCount]);
|
|
|
|
/* Try to return the required buffer length */
|
|
_SEH2_TRY
|
|
{
|
|
*ReturnLength = RequiredLength;
|
|
}
|
|
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
|
{
|
|
/* Do cleanup and return the exception code */
|
|
Status = _SEH2_GetExceptionCode();
|
|
_SEH2_YIELD(goto Cleanup);
|
|
}
|
|
_SEH2_END;
|
|
|
|
/* Fail, if the buffer length is smaller than the required length */
|
|
if (BufferLength < RequiredLength)
|
|
{
|
|
Status = STATUS_BUFFER_TOO_SMALL;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
/* Now enter SEH, since we might return the old privileges */
|
|
_SEH2_TRY
|
|
{
|
|
/* This time apply the changes */
|
|
Status = SepAdjustPrivileges(Token,
|
|
DisableAllPrivileges,
|
|
CapturedPrivileges,
|
|
CapturedCount,
|
|
PreviousState,
|
|
TRUE,
|
|
&ChangeCount,
|
|
&ChangesMade);
|
|
}
|
|
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
|
{
|
|
/* Do cleanup and return the exception code */
|
|
Status = _SEH2_GetExceptionCode();
|
|
ChangesMade = TRUE; // Force write.
|
|
_SEH2_YIELD(goto Cleanup);
|
|
}
|
|
_SEH2_END;
|
|
|
|
Cleanup:
|
|
/* Touch the token if we made changes */
|
|
if (ChangesMade)
|
|
ExAllocateLocallyUniqueId(&Token->ModifiedId);
|
|
|
|
/* Unlock and dereference the token */
|
|
SepReleaseTokenLock(Token);
|
|
ObDereferenceObject(Token);
|
|
|
|
/* Release the captured privileges */
|
|
if (CapturedPrivileges != NULL)
|
|
{
|
|
SeReleaseLuidAndAttributesArray(CapturedPrivileges,
|
|
PreviousMode,
|
|
TRUE);
|
|
}
|
|
|
|
DPRINT("NtAdjustPrivilegesToken() done\n");
|
|
return Status;
|
|
}
|
|
|
|
/**
|
|
* @brief
|
|
* Changes the list of groups by enabling or disabling them
|
|
* in an access token. Unlike NtAdjustPrivilegesToken,
|
|
* this API routine does not remove groups.
|
|
*
|
|
* @param[in] TokenHandle
|
|
* Token handle where the list of groups SID are to be adjusted.
|
|
* The access token must have TOKEN_ADJUST_GROUPS access right
|
|
* in order to change the groups in a token. The token must also
|
|
* have TOKEN_QUERY access right if the caller requests the previous
|
|
* states of groups list, that is, PreviousState is not NULL.
|
|
*
|
|
* @param[in] ResetToDefault
|
|
* If set to TRUE, the function resets the list of groups to default
|
|
* enabled and disabled states. NewState is ignored in this case.
|
|
* Otherwise if the parameter is set to FALSE, the function expects
|
|
* a new list of groups from NewState to be adjusted within the token.
|
|
*
|
|
* @param[in] NewState
|
|
* A new list of groups SID that the function will use it accordingly to
|
|
* modify the current list of groups SID of a token.
|
|
*
|
|
* @param[in] BufferLength
|
|
* The length size of the buffer that is pointed by the NewState parameter
|
|
* argument, in bytes.
|
|
*
|
|
* @param[out] PreviousState
|
|
* If specified, the function will return to the caller the old list of groups
|
|
* SID. If this parameter is NULL, ReturnLength must also be NULL.
|
|
*
|
|
* @param[out] ReturnLength
|
|
* If specified, the function will return the total size length of the old list
|
|
* of groups SIDs, in bytes.
|
|
*
|
|
* @return
|
|
* STATUS_SUCCESS is returned if the function has successfully adjusted the
|
|
* token's groups. STATUS_INVALID_PARAMETER is returned if the caller has
|
|
* submitted one or more invalid parameters, that is, the caller didn't want
|
|
* to reset the groups to default state but no NewState argument list has been
|
|
* provided. STATUS_BUFFER_TOO_SMALL is returned if the buffer length given
|
|
* by the caller is smaller than the required length size. A failure NTSTATUS
|
|
* code is returned otherwise.
|
|
*/
|
|
NTSTATUS
|
|
NTAPI
|
|
NtAdjustGroupsToken(
|
|
_In_ HANDLE TokenHandle,
|
|
_In_ BOOLEAN ResetToDefault,
|
|
_In_ PTOKEN_GROUPS NewState,
|
|
_In_ ULONG BufferLength,
|
|
_Out_writes_bytes_to_opt_(BufferLength, *ReturnLength)
|
|
PTOKEN_GROUPS PreviousState,
|
|
_When_(PreviousState != NULL, _Out_) PULONG ReturnLength)
|
|
{
|
|
PTOKEN Token;
|
|
NTSTATUS Status;
|
|
KPROCESSOR_MODE PreviousMode;
|
|
ULONG ChangeCount, RequiredLength;
|
|
ULONG CapturedCount = 0;
|
|
ULONG CapturedLength = 0;
|
|
ULONG NewStateSize = 0;
|
|
PSID_AND_ATTRIBUTES CapturedGroups = NULL;
|
|
BOOLEAN ChangesMade = FALSE;
|
|
|
|
PAGED_CODE();
|
|
|
|
/*
|
|
* If the caller doesn't want to reset the groups of an
|
|
* access token to default states then at least we must
|
|
* expect a list of groups to be adjusted based on NewState
|
|
* parameter. Otherwise bail out because the caller has
|
|
* no idea what they're doing.
|
|
*/
|
|
if (!ResetToDefault && !NewState)
|
|
{
|
|
DPRINT1("NtAdjustGroupsToken(): The caller hasn't provided any list of groups to adjust!\n");
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
PreviousMode = ExGetPreviousMode();
|
|
|
|
if (PreviousMode != KernelMode)
|
|
{
|
|
_SEH2_TRY
|
|
{
|
|
/* Probe NewState */
|
|
if (!ResetToDefault)
|
|
{
|
|
/* Probe the header */
|
|
ProbeForRead(NewState, sizeof(*NewState), sizeof(ULONG));
|
|
|
|
CapturedCount = NewState->GroupCount;
|
|
NewStateSize = FIELD_OFFSET(TOKEN_GROUPS, Groups[CapturedCount]);
|
|
|
|
ProbeForRead(NewState, NewStateSize, sizeof(ULONG));
|
|
}
|
|
|
|
if (PreviousState != NULL)
|
|
{
|
|
ProbeForWrite(PreviousState, BufferLength, sizeof(ULONG));
|
|
ProbeForWrite(ReturnLength, sizeof(*ReturnLength), sizeof(ULONG));
|
|
}
|
|
}
|
|
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
|
{
|
|
/* Return the exception code */
|
|
_SEH2_YIELD(return _SEH2_GetExceptionCode());
|
|
}
|
|
_SEH2_END;
|
|
}
|
|
else
|
|
{
|
|
/*
|
|
* We're calling directly from the kernel, just retrieve
|
|
* the number count of captured groups outright.
|
|
*/
|
|
if (!ResetToDefault)
|
|
{
|
|
CapturedCount = NewState->GroupCount;
|
|
}
|
|
}
|
|
|
|
/* Time to capture the NewState list */
|
|
if (!ResetToDefault)
|
|
{
|
|
_SEH2_TRY
|
|
{
|
|
Status = SeCaptureSidAndAttributesArray(NewState->Groups,
|
|
CapturedCount,
|
|
PreviousMode,
|
|
NULL,
|
|
0,
|
|
PagedPool,
|
|
TRUE,
|
|
&CapturedGroups,
|
|
&CapturedLength);
|
|
}
|
|
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
|
{
|
|
Status = _SEH2_GetExceptionCode();
|
|
}
|
|
_SEH2_END;
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DPRINT1("NtAdjustGroupsToken(): Failed to capture the NewState list of groups (Status 0x%lx)\n", Status);
|
|
return Status;
|
|
}
|
|
}
|
|
|
|
/* Time to reference the token */
|
|
Status = ObReferenceObjectByHandle(TokenHandle,
|
|
TOKEN_ADJUST_GROUPS | (PreviousState != NULL ? TOKEN_QUERY : 0),
|
|
SeTokenObjectType,
|
|
PreviousMode,
|
|
(PVOID*)&Token,
|
|
NULL);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
/* We couldn't reference the access token, bail out */
|
|
DPRINT1("NtAdjustGroupsToken(): Failed to reference the token (Status 0x%lx)\n", Status);
|
|
|
|
if (CapturedGroups != NULL)
|
|
{
|
|
SeReleaseSidAndAttributesArray(CapturedGroups,
|
|
PreviousMode,
|
|
TRUE);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
/* Lock the token */
|
|
SepAcquireTokenLockExclusive(Token);
|
|
|
|
/* Count the number of groups to be changed */
|
|
Status = SepAdjustGroups(Token,
|
|
CapturedGroups,
|
|
CapturedCount,
|
|
FALSE,
|
|
ResetToDefault,
|
|
&ChangesMade,
|
|
NULL,
|
|
&ChangeCount);
|
|
|
|
/* Does the caller want the previous state of groups? */
|
|
if (PreviousState != NULL)
|
|
{
|
|
/* Calculate the required length */
|
|
RequiredLength = FIELD_OFFSET(TOKEN_GROUPS, Groups[ChangeCount]);
|
|
|
|
/* Return the required length to the caller */
|
|
_SEH2_TRY
|
|
{
|
|
*ReturnLength = RequiredLength;
|
|
}
|
|
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
|
{
|
|
/* Bail out and return the exception code */
|
|
Status = _SEH2_GetExceptionCode();
|
|
_SEH2_YIELD(goto Quit);
|
|
}
|
|
_SEH2_END;
|
|
|
|
/* The buffer length provided is smaller than the required length, bail out */
|
|
if (BufferLength < RequiredLength)
|
|
{
|
|
Status = STATUS_BUFFER_TOO_SMALL;
|
|
goto Quit;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Now it's time to apply changes. Wrap the code
|
|
* in SEH as we are returning the old groups state
|
|
* list to the caller since PreviousState is a
|
|
* UM pointer.
|
|
*/
|
|
_SEH2_TRY
|
|
{
|
|
Status = SepAdjustGroups(Token,
|
|
CapturedGroups,
|
|
CapturedCount,
|
|
TRUE,
|
|
ResetToDefault,
|
|
&ChangesMade,
|
|
PreviousState,
|
|
&ChangeCount);
|
|
}
|
|
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
|
|
{
|
|
/* Bail out and return the exception code */
|
|
Status = _SEH2_GetExceptionCode();
|
|
|
|
/* Force the write as we touched the token still */
|
|
ChangesMade = TRUE;
|
|
_SEH2_YIELD(goto Quit);
|
|
}
|
|
_SEH2_END;
|
|
|
|
Quit:
|
|
/* Allocate a new ID for the token as we made changes */
|
|
if (ChangesMade)
|
|
ExAllocateLocallyUniqueId(&Token->ModifiedId);
|
|
|
|
/* Unlock and dereference the token */
|
|
SepReleaseTokenLock(Token);
|
|
ObDereferenceObject(Token);
|
|
|
|
/* Release the captured groups */
|
|
if (CapturedGroups != NULL)
|
|
{
|
|
SeReleaseSidAndAttributesArray(CapturedGroups,
|
|
PreviousMode,
|
|
TRUE);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
/* EOF */
|