
- Overhaul SepCreateToken() and SepDuplicateToken() so that they implement the "variable information area" of the token, where immutable lists of user & groups and privileges reside, and the "dynamic information area" (allocated separately in paged pool), where mutable data such as the token's default DACL is stored. Perform the necessary adaptations in SepDeleteToken() and in NtSetInformationToken(). - Actually dereference the token's logon session, when needed, in the 'TokenSessionReference' case in NtSetInformationToken(). - Overhaul SepFindPrimaryGroupAndDefaultOwner() so that it returns the indices of candidate primary group and default owner within the token's user & groups array. This allows for fixing the 'TokenOwner' and 'TokenPrimaryGroup' cases of NtSetInformationToken(), since the owner or primary group being set *MUST* already exist in the token's user & groups array (as a by-product, memory corruptions that existed before due to the broken way of setting these properties disappear too). - Lock tokens every time operations are performed on them (NOTE: we still use a global token lock!). - Touch the ModifiedId LUID member of tokens every time a write operation (property change, etc...) is made on them. - Fix some group attributes in the SYSTEM process token, SepCreateSystemProcessToken(). - Make the SeCreateTokenPrivilege mandatory when calling NtCreateToken(). - Update the token pool tags. - Explicitly use the Ex*ResourceLite() versions of the locking functions in the token locking macros.
#pragma once
/*
 * Generic view of an ACE whose body is an access mask directly followed by
 * a SID.
 * NOTE(review): the layout matches the public ACCESS_ALLOWED_ACE-style
 * structures; confirm which ACE types are actually accessed through it.
 *
 * The SID is variable-length and extends past the end of this structure, so
 * code reading through SidStart has to make sure the ACE's recorded size
 * (in Header) really covers the whole SID before touching it.
 */
typedef struct _KNOWN_ACE
{
    ACE_HEADER Header;      /* Common ACE header */
    ACCESS_MASK Mask;       /* Access rights the ACE refers to */
    ULONG SidStart;         /* First ULONG of the SID that follows */
} KNOWN_ACE, *PKNOWN_ACE;
/*
 * Generic view of an object-type ACE: header, access mask and a Flags word,
 * followed by variable-length data.
 * NOTE(review): in the public object-ACE layouts, optional GUIDs selected by
 * Flags sit between Flags and the SID, so SidStart here presumably marks the
 * start of that variable part rather than always the SID itself; confirm
 * against the code that walks these ACEs.
 *
 * As with any variable-length ACE, readers must bound every access by the
 * ACE size recorded in Header.
 */
typedef struct _KNOWN_OBJECT_ACE
{
    ACE_HEADER Header;      /* Common ACE header */
    ACCESS_MASK Mask;       /* Access rights the ACE refers to */
    ULONG Flags;            /* Flags describing the data that follows */
    ULONG SidStart;         /* Start of the variable-length tail */
} KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;
/*
 * Generic view of a compound ACE: header, access mask, a 16-bit compound
 * type, a reserved 16-bit field, then variable-length SID data.
 *
 * The SID data extends past the end of this structure; readers must bound
 * every access by the ACE size recorded in Header.
 */
typedef struct _KNOWN_COMPOUND_ACE
{
    ACE_HEADER Header;          /* Common ACE header */
    ACCESS_MASK Mask;           /* Access rights the ACE refers to */
    USHORT CompoundAceType;     /* Kind of compound ACE */
    USHORT Reserved;            /* Reserved field */
    ULONG SidStart;             /* First ULONG of the SID data that follows */
} KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;
/*
 * Returns the primary group SID of a security descriptor, in either
 * absolute or self-relative format.
 *
 * _Descriptor - Security descriptor to read. It is dereferenced without a
 *               NULL check.
 *
 * Returns the group SID pointer, or NULL when a self-relative descriptor
 * stores a zero Group offset. For an absolute descriptor the stored pointer
 * is returned as-is (it may itself be NULL).
 *
 * Security note: for the self-relative form the stored offset is added to
 * the descriptor's base address with no bounds check, because the helper
 * does not know the descriptor's length. Callers handling descriptors that
 * originate from untrusted sources must validate or capture them first.
 */
FORCEINLINE
PSID
SepGetGroupFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute format: the field already holds a pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Group;
    }

    /* Self-relative format: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)AbsoluteSd;
    if (!RelativeSd->Group)
    {
        /* A zero offset means that no group is stored */
        return NULL;
    }

    return (PSID)((ULONG_PTR)AbsoluteSd + RelativeSd->Group);
}
/*
 * Returns the owner SID of a security descriptor, in either absolute or
 * self-relative format.
 *
 * _Descriptor - Security descriptor to read. It is dereferenced without a
 *               NULL check.
 *
 * Returns the owner SID pointer, or NULL when a self-relative descriptor
 * stores a zero Owner offset. For an absolute descriptor the stored pointer
 * is returned as-is (it may itself be NULL).
 *
 * Security note: for the self-relative form the stored offset is added to
 * the descriptor's base address with no bounds check, because the helper
 * does not know the descriptor's length. Callers handling descriptors that
 * originate from untrusted sources must validate or capture them first.
 */
FORCEINLINE
PSID
SepGetOwnerFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute format: the field already holds a pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Owner;
    }

    /* Self-relative format: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)AbsoluteSd;
    if (!RelativeSd->Owner)
    {
        /* A zero offset means that no owner is stored */
        return NULL;
    }

    return (PSID)((ULONG_PTR)AbsoluteSd + RelativeSd->Owner);
}
/*
 * Returns the DACL of a security descriptor, in either absolute or
 * self-relative format.
 *
 * _Descriptor - Security descriptor to read. It is dereferenced without a
 *               NULL check.
 *
 * Returns NULL when SE_DACL_PRESENT is not set in the control word, or when
 * a self-relative descriptor stores a zero Dacl offset. For an absolute
 * descriptor with SE_DACL_PRESENT set, the stored pointer is returned as-is
 * (it may itself be NULL).
 *
 * Security note: a NULL return therefore covers both "no DACL present" and
 * "DACL present but NULL"; a caller that has to tell the two apart must
 * look at SE_DACL_PRESENT itself. For the self-relative form the stored
 * offset is added to the descriptor's base address with no bounds check,
 * and Control is read more than once, so the descriptor is expected to be
 * validated and stable (captured) before this helper is used on it.
 */
FORCEINLINE
PACL
SepGetDaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Without the "present" bit the Dacl field is not looked at */
    if (!(AbsoluteSd->Control & SE_DACL_PRESENT))
    {
        return NULL;
    }

    /* Absolute format: the field already holds a pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Dacl;
    }

    /* Self-relative format: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)AbsoluteSd;
    if (!RelativeSd->Dacl)
    {
        return NULL;
    }

    return (PACL)((ULONG_PTR)AbsoluteSd + RelativeSd->Dacl);
}
/*
 * Returns the SACL of a security descriptor, in either absolute or
 * self-relative format.
 *
 * _Descriptor - Security descriptor to read. It is dereferenced without a
 *               NULL check.
 *
 * Returns NULL when SE_SACL_PRESENT is not set in the control word, or when
 * a self-relative descriptor stores a zero Sacl offset. For an absolute
 * descriptor with SE_SACL_PRESENT set, the stored pointer is returned as-is
 * (it may itself be NULL).
 *
 * Security note: for the self-relative form the stored offset is added to
 * the descriptor's base address with no bounds check, and Control is read
 * more than once, so the descriptor is expected to be validated and stable
 * (captured) before this helper is used on it.
 */
FORCEINLINE
PACL
SepGetSaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Without the "present" bit the Sacl field is not looked at */
    if (!(AbsoluteSd->Control & SE_SACL_PRESENT))
    {
        return NULL;
    }

    /* Absolute format: the field already holds a pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Sacl;
    }

    /* Self-relative format: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)AbsoluteSd;
    if (!RelativeSd->Sacl)
    {
        return NULL;
    }

    return (PACL)((ULONG_PTR)AbsoluteSd + RelativeSd->Sacl);
}
#ifndef RTL_H
|
|
|
|
/* SID Authorities */
|
|
extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
|
|
extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
|
|
extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
|
|
extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
|
|
extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;
|
|
|
|
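/* SIDs */
/*
 * Pointers to the well-known SIDs used by the security subsystem. Only the
 * declarations live here; the pointers are not const, so they are expected
 * to be assigned elsewhere.
 * NOTE(review): presumably by SepInitSecurityIDs(), declared further down in
 * this header; confirm.
 *
 * SeAnonymousLogonSid was declared twice in this list; the redundant second
 * declaration has been dropped.
 */
extern PSID SeNullSid;
extern PSID SeWorldSid;
extern PSID SeLocalSid;
extern PSID SeCreatorOwnerSid;
extern PSID SeCreatorGroupSid;
extern PSID SeCreatorOwnerServerSid;
extern PSID SeCreatorGroupServerSid;
extern PSID SeNtAuthoritySid;
extern PSID SeDialupSid;
extern PSID SeNetworkSid;
extern PSID SeBatchSid;
extern PSID SeInteractiveSid;
extern PSID SeServiceSid;
extern PSID SeAnonymousLogonSid;
extern PSID SePrincipalSelfSid;
extern PSID SeLocalSystemSid;
/*
 * NOTE(review): SeAuthenticatedUserSid / SeAuthenticatedUsersSid and
 * SeRestrictedCodeSid / SeRestrictedSid are near-duplicate names declared in
 * the same list. Confirm that each one is actually defined and that ACL
 * construction and access-check code refer to the intended one.
 */
extern PSID SeAuthenticatedUserSid;
extern PSID SeRestrictedCodeSid;
extern PSID SeAliasAdminsSid;
extern PSID SeAliasUsersSid;
extern PSID SeAliasGuestsSid;
extern PSID SeAliasPowerUsersSid;
extern PSID SeAliasAccountOpsSid;
extern PSID SeAliasSystemOpsSid;
extern PSID SeAliasPrintOpsSid;
extern PSID SeAliasBackupOpsSid;
extern PSID SeAuthenticatedUsersSid;
extern PSID SeRestrictedSid;
extern PSID SeLocalServiceSid;
extern PSID SeNetworkServiceSid;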
|
|
|
|
/* Privileges */
|
|
extern const LUID SeCreateTokenPrivilege;
|
|
extern const LUID SeAssignPrimaryTokenPrivilege;
|
|
extern const LUID SeLockMemoryPrivilege;
|
|
extern const LUID SeIncreaseQuotaPrivilege;
|
|
extern const LUID SeUnsolicitedInputPrivilege;
|
|
extern const LUID SeTcbPrivilege;
|
|
extern const LUID SeSecurityPrivilege;
|
|
extern const LUID SeTakeOwnershipPrivilege;
|
|
extern const LUID SeLoadDriverPrivilege;
|
|
extern const LUID SeSystemProfilePrivilege;
|
|
extern const LUID SeSystemtimePrivilege;
|
|
extern const LUID SeProfileSingleProcessPrivilege;
|
|
extern const LUID SeIncreaseBasePriorityPrivilege;
|
|
extern const LUID SeCreatePagefilePrivilege;
|
|
extern const LUID SeCreatePermanentPrivilege;
|
|
extern const LUID SeBackupPrivilege;
|
|
extern const LUID SeRestorePrivilege;
|
|
extern const LUID SeShutdownPrivilege;
|
|
extern const LUID SeDebugPrivilege;
|
|
extern const LUID SeAuditPrivilege;
|
|
extern const LUID SeSystemEnvironmentPrivilege;
|
|
extern const LUID SeChangeNotifyPrivilege;
|
|
extern const LUID SeRemoteShutdownPrivilege;
|
|
extern const LUID SeUndockPrivilege;
|
|
extern const LUID SeSyncAgentPrivilege;
|
|
extern const LUID SeEnableDelegationPrivilege;
|
|
extern const LUID SeManageVolumePrivilege;
|
|
extern const LUID SeImpersonatePrivilege;
|
|
extern const LUID SeCreateGlobalPrivilege;
|
|
extern const LUID SeTrustedCredmanPrivilege;
|
|
extern const LUID SeRelabelPrivilege;
|
|
extern const LUID SeIncreaseWorkingSetPrivilege;
|
|
extern const LUID SeTimeZonePrivilege;
|
|
extern const LUID SeCreateSymbolicLinkPrivilege;
|
|
|
|
/* DACLs */
|
|
extern PACL SePublicDefaultUnrestrictedDacl;
|
|
extern PACL SePublicOpenDacl;
|
|
extern PACL SePublicOpenUnrestrictedDacl;
|
|
extern PACL SeUnrestrictedDacl;
|
|
|
|
/* SDs */
|
|
extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
|
|
extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
|
|
extern PSECURITY_DESCRIPTOR SePublicOpenSd;
|
|
extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
|
|
extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
|
|
extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
|
|
|
|
|
|
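/*
 * Acquires the token's lock for exclusive (write) access.
 *
 * Token - Pointer to the token; it is cast to PTOKEN. The argument is now
 *         parenthesized so that an expression argument is cast as a whole.
 *
 * The critical region is entered before the resource is acquired and is
 * left again by SepReleaseTokenLock(), so every acquisition must be paired
 * with exactly one release on all paths, error paths included.
 * The second argument (TRUE) makes the call wait until the resource is
 * available.
 *
 * TokenLock is passed as-is to the resource routine, i.e. it is a pointer
 * member of the token.
 * NOTE(review): the resource it points to may be shared between tokens;
 * confirm at the allocation site.
 *
 * The macro expands to a bare compound statement, not to a single
 * statement: writing "Macro(x);" as the body of an unbraced if that has an
 * else does not compile. Use it only inside braces.
 */
#define SepAcquireTokenLockExclusive(Token)                                    \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceExclusiveLite(((PTOKEN)(Token))->TokenLock, TRUE);        \
}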
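/*
 * Acquires the token's lock for shared (read) access.
 *
 * Token - Pointer to the token; it is cast to PTOKEN. The argument is now
 *         parenthesized so that an expression argument is cast as a whole.
 *
 * The critical region is entered before the resource is acquired and is
 * left again by SepReleaseTokenLock(), so every acquisition must be paired
 * with exactly one release on all paths, error paths included.
 * The second argument (TRUE) makes the call wait until the resource is
 * available.
 *
 * A shared hold only suits code that reads the token; code that modifies
 * it should take the exclusive variant instead.
 *
 * The macro expands to a bare compound statement, not to a single
 * statement: writing "Macro(x);" as the body of an unbraced if that has an
 * else does not compile. Use it only inside braces.
 */
#define SepAcquireTokenLockShared(Token)                                       \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceSharedLite(((PTOKEN)(Token))->TokenLock, TRUE);           \
}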
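/*
 * Releases a token lock taken with SepAcquireTokenLockExclusive() or
 * SepAcquireTokenLockShared().
 *
 * Token - Pointer to the token; it is cast to PTOKEN. The argument is now
 *         parenthesized so that an expression argument is cast as a whole.
 *
 * The steps mirror the acquire macros in reverse order: the resource is
 * released first, then the critical region is left. Calling this without a
 * matching acquire unbalances both.
 *
 * The macro expands to a bare compound statement, not to a single
 * statement: writing "Macro(x);" as the body of an unbraced if that has an
 * else does not compile. Use it only inside braces.
 */
#define SepReleaseTokenLock(Token)                                             \
{                                                                              \
    ExReleaseResourceLite(((PTOKEN)(Token))->TokenLock);                       \
    KeLeaveCriticalRegion();                                                   \
}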
//
|
|
// Token Functions
|
|
//
|
|
BOOLEAN
|
|
NTAPI
|
|
SepTokenIsOwner(
|
|
IN PACCESS_TOKEN _Token,
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN BOOLEAN TokenLocked
|
|
);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SepSidInToken(
|
|
IN PACCESS_TOKEN _Token,
|
|
IN PSID Sid
|
|
);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SepSidInTokenEx(
|
|
IN PACCESS_TOKEN _Token,
|
|
IN PSID PrincipalSelfSid,
|
|
IN PSID _Sid,
|
|
IN BOOLEAN Deny,
|
|
IN BOOLEAN Restricted
|
|
);
|
|
|
|
/* Functions */
|
|
BOOLEAN
|
|
NTAPI
|
|
SeInitSystem(VOID);
|
|
|
|
VOID
|
|
NTAPI
|
|
ExpInitLuid(VOID);
|
|
|
|
VOID
|
|
NTAPI
|
|
SepInitPrivileges(VOID);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SepInitSecurityIDs(VOID);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SepInitDACLs(VOID);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SepInitSDs(VOID);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SeRmInitPhase0(VOID);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SeRmInitPhase1(VOID);
|
|
|
|
VOID
|
|
NTAPI
|
|
SeDeassignPrimaryToken(struct _EPROCESS *Process);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SeSubProcessToken(
|
|
IN PTOKEN Parent,
|
|
OUT PTOKEN *Token,
|
|
IN BOOLEAN InUse,
|
|
IN ULONG SessionId
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SeInitializeProcessAuditName(
|
|
IN PFILE_OBJECT FileObject,
|
|
IN BOOLEAN DoAudit,
|
|
OUT POBJECT_NAME_INFORMATION *AuditInfo
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SeCreateAccessStateEx(
|
|
IN PETHREAD Thread,
|
|
IN PEPROCESS Process,
|
|
IN OUT PACCESS_STATE AccessState,
|
|
IN PAUX_ACCESS_DATA AuxData,
|
|
IN ACCESS_MASK Access,
|
|
IN PGENERIC_MAPPING GenericMapping
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SeIsTokenChild(
|
|
IN PTOKEN Token,
|
|
OUT PBOOLEAN IsChild
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SepCreateImpersonationTokenDacl(
|
|
_In_ PTOKEN Token,
|
|
_In_ PTOKEN PrimaryToken,
|
|
_Out_ PACL* Dacl
|
|
);
|
|
|
|
VOID
|
|
NTAPI
|
|
SepInitializeTokenImplementation(VOID);
|
|
|
|
PTOKEN
|
|
NTAPI
|
|
SepCreateSystemProcessToken(VOID);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SeDetailedAuditingWithToken(IN PTOKEN Token);
|
|
|
|
VOID
|
|
NTAPI
|
|
SeAuditProcessExit(IN PEPROCESS Process);
|
|
|
|
VOID
|
|
NTAPI
|
|
SeAuditProcessCreate(IN PEPROCESS Process);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SeExchangePrimaryToken(
|
|
_In_ PEPROCESS Process,
|
|
_In_ PACCESS_TOKEN NewAccessToken,
|
|
_Out_ PACCESS_TOKEN* OldAccessToken
|
|
);
|
|
|
|
VOID
|
|
NTAPI
|
|
SeCaptureSubjectContextEx(
|
|
IN PETHREAD Thread,
|
|
IN PEPROCESS Process,
|
|
OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SeCaptureLuidAndAttributesArray(
|
|
PLUID_AND_ATTRIBUTES Src,
|
|
ULONG PrivilegeCount,
|
|
KPROCESSOR_MODE PreviousMode,
|
|
PLUID_AND_ATTRIBUTES AllocatedMem,
|
|
ULONG AllocatedLength,
|
|
POOL_TYPE PoolType,
|
|
BOOLEAN CaptureIfKernel,
|
|
PLUID_AND_ATTRIBUTES* Dest,
|
|
PULONG Length
|
|
);
|
|
|
|
VOID
|
|
NTAPI
|
|
SeReleaseLuidAndAttributesArray(
|
|
PLUID_AND_ATTRIBUTES Privilege,
|
|
KPROCESSOR_MODE PreviousMode,
|
|
BOOLEAN CaptureIfKernel
|
|
);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SepPrivilegeCheck(
|
|
PTOKEN Token,
|
|
PLUID_AND_ATTRIBUTES Privileges,
|
|
ULONG PrivilegeCount,
|
|
ULONG PrivilegeControl,
|
|
KPROCESSOR_MODE PreviousMode
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SePrivilegePolicyCheck(
|
|
_Inout_ PACCESS_MASK DesiredAccess,
|
|
_Inout_ PACCESS_MASK GrantedAccess,
|
|
_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
|
|
_In_ PTOKEN Token,
|
|
_Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
|
|
_In_ KPROCESSOR_MODE PreviousMode);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SeCheckPrivilegedObject(
|
|
IN LUID PrivilegeValue,
|
|
IN HANDLE ObjectHandle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN KPROCESSOR_MODE PreviousMode
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SepDuplicateToken(
|
|
_In_ PTOKEN Token,
|
|
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
|
|
_In_ BOOLEAN EffectiveOnly,
|
|
_In_ TOKEN_TYPE TokenType,
|
|
_In_ SECURITY_IMPERSONATION_LEVEL Level,
|
|
_In_ KPROCESSOR_MODE PreviousMode,
|
|
_Out_ PTOKEN* NewAccessToken
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SepCaptureSecurityQualityOfService(
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN POOL_TYPE PoolType,
|
|
IN BOOLEAN CaptureIfKernel,
|
|
OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
|
|
OUT PBOOLEAN Present
|
|
);
|
|
|
|
VOID
|
|
NTAPI
|
|
SepReleaseSecurityQualityOfService(
|
|
IN PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService OPTIONAL,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN BOOLEAN CaptureIfKernel
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SepCaptureSid(
|
|
IN PSID InputSid,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN POOL_TYPE PoolType,
|
|
IN BOOLEAN CaptureIfKernel,
|
|
OUT PSID *CapturedSid
|
|
);
|
|
|
|
VOID
|
|
NTAPI
|
|
SepReleaseSid(
|
|
IN PSID CapturedSid,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN BOOLEAN CaptureIfKernel
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SeCaptureSidAndAttributesArray(
|
|
_In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
|
|
_In_ ULONG AttributeCount,
|
|
_In_ KPROCESSOR_MODE PreviousMode,
|
|
_In_opt_ PVOID AllocatedMem,
|
|
_In_ ULONG AllocatedLength,
|
|
_In_ POOL_TYPE PoolType,
|
|
_In_ BOOLEAN CaptureIfKernel,
|
|
_Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
|
|
_Out_ PULONG ResultLength);
|
|
|
|
VOID
|
|
NTAPI
|
|
SeReleaseSidAndAttributesArray(
|
|
_In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
|
|
_In_ KPROCESSOR_MODE AccessMode,
|
|
_In_ BOOLEAN CaptureIfKernel);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SepCaptureAcl(
|
|
IN PACL InputAcl,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN POOL_TYPE PoolType,
|
|
IN BOOLEAN CaptureIfKernel,
|
|
OUT PACL *CapturedAcl
|
|
);
|
|
|
|
VOID
|
|
NTAPI
|
|
SepReleaseAcl(
|
|
IN PACL CapturedAcl,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN BOOLEAN CaptureIfKernel
|
|
);
|
|
|
|
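/*
 * Declaration of SepPropagateAcl(); the definition is not in this header.
 *
 * The size annotation on AclDest previously named "DaclLength", which is
 * not a parameter of this function, so a static analyzer could not tie the
 * destination buffer to any length. It now refers to *AclLength, the only
 * length parameter in the list.
 * NOTE(review): this presumes *AclLength holds the capacity of AclDest on
 * input; confirm against the definition and keep its annotation in sync
 * with this one.
 */
NTSTATUS
SepPropagateAcl(
    _Out_writes_bytes_opt_(*AclLength) PACL AclDest,
    _Inout_ PULONG AclLength,
    _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
    _In_ PSID Owner,
    _In_ PSID Group,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);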
|
|
|
|
PACL
|
|
SepSelectAcl(
|
|
_In_opt_ PACL ExplicitAcl,
|
|
_In_ BOOLEAN ExplicitPresent,
|
|
_In_ BOOLEAN ExplicitDefaulted,
|
|
_In_opt_ PACL ParentAcl,
|
|
_In_opt_ PACL DefaultAcl,
|
|
_Out_ PULONG AclLength,
|
|
_In_ PSID Owner,
|
|
_In_ PSID Group,
|
|
_Out_ PBOOLEAN AclPresent,
|
|
_Out_ PBOOLEAN IsInherited,
|
|
_In_ BOOLEAN IsDirectoryObject,
|
|
_In_ PGENERIC_MAPPING GenericMapping);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SeDefaultObjectMethod(
|
|
PVOID Object,
|
|
SECURITY_OPERATION_CODE OperationType,
|
|
PSECURITY_INFORMATION SecurityInformation,
|
|
PSECURITY_DESCRIPTOR NewSecurityDescriptor,
|
|
PULONG ReturnLength,
|
|
PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
|
|
POOL_TYPE PoolType,
|
|
PGENERIC_MAPPING GenericMapping
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SeSetWorldSecurityDescriptor(
|
|
SECURITY_INFORMATION SecurityInformation,
|
|
PISECURITY_DESCRIPTOR SecurityDescriptor,
|
|
PULONG BufferLength
|
|
);
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SeCopyClientToken(
|
|
IN PACCESS_TOKEN Token,
|
|
IN SECURITY_IMPERSONATION_LEVEL Level,
|
|
IN KPROCESSOR_MODE PreviousMode,
|
|
OUT PACCESS_TOKEN* NewToken
|
|
);
|
|
|
|
VOID NTAPI
|
|
SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
|
|
OUT PACCESS_MASK DesiredAccess);
|
|
|
|
VOID NTAPI
|
|
SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
|
|
OUT PACCESS_MASK DesiredAccess);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN PACCESS_STATE AccessState,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN KPROCESSOR_MODE AccessMode);
|
|
|
|
BOOLEAN
|
|
NTAPI
|
|
SeCheckAuditPrivilege(
|
|
_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
|
|
_In_ KPROCESSOR_MODE PreviousMode);
|
|
|
|
VOID
|
|
NTAPI
|
|
SePrivilegedServiceAuditAlarm(
|
|
_In_opt_ PUNICODE_STRING ServiceName,
|
|
_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
|
|
_In_ PPRIVILEGE_SET PrivilegeSet,
|
|
_In_ BOOLEAN AccessGranted);
|
|
|
|
NTSTATUS
|
|
SepRmReferenceLogonSession(
|
|
PLUID LogonLuid);
|
|
|
|
NTSTATUS
|
|
SepRmDereferenceLogonSession(
|
|
PLUID LogonLuid);
|
|
|
|
#endif
|
|
|
|
/* EOF */
|