3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * PURPOSE: Security manager
6 * FILE: kernel/se/semgr.c
9 * 26/07/98: Added stubs for security functions
12 /* INCLUDES *****************************************************************/
14 #include <ddk/ntddk.h>
15 #include <internal/ps.h>
16 #include <internal/se.h>
18 #include <internal/debug.h>
20 #define TAG_SXPT TAG('S', 'X', 'P', 'T')
23 /* GLOBALS ******************************************************************/
25 PSE_EXPORTS EXPORTED SeExports = NULL;
28 /* PROTOTYPES ***************************************************************/
30 static BOOLEAN SepInitExports(VOID);
32 /* FUNCTIONS ****************************************************************/
40 if (!SepInitSecurityIDs())
51 if (!SepInitExports())
61 SepInitializeTokenImplementation();
/* Body of the security-manager start-up routine (its signature is not in view).
 * Creates the '\Security' object directory and the event LSA later uses to
 * signal that authentication is initialized. Nt* service entry points are
 * called directly, which is only safe because this runs in kernel mode during
 * system initialization. */
70 OBJECT_ATTRIBUTES ObjectAttributes;
72 HANDLE DirectoryHandle;
76 /* Create '\Security' directory */
77 RtlInitUnicodeString(&Name,
79 InitializeObjectAttributes(&ObjectAttributes,
84 Status = NtCreateDirectoryObject(&DirectoryHandle,
87 if (!NT_SUCCESS(Status))
89 DPRINT1("Failed to create 'Security' directory!\n");
93 /* Create 'LSA_AUTHENTICATION_INITALIZED' event */
94 RtlInitUnicodeString(&Name,
95 L"\\LSA_AUTHENTICATION_INITALIZED");
96 InitializeObjectAttributes(&ObjectAttributes,
101 Status = NtCreateEvent(&EventHandle,
106 if (!NT_SUCCESS(Status))
/* NOTE(review): copy-paste diagnostic -- this branch is the *event* creation
 * failure, but the message still names the directory. It should read
 * "Failed to create 'LSA_AUTHENTICATION_INITALIZED' event!". */
108 DPRINT1("Failed to create 'Security' directory!\n");
/* Undo the directory creation before bailing out. */
109 NtClose(DirectoryHandle);
/* Both handles are dropped on the success path. Unless the attribute flags
 * (in lines not shown here) include OBJ_PERMANENT, these handles are the only
 * references to the new directory and event, so closing them deletes both
 * from the namespace before LSA can ever open the event -- confirm the flags
 * passed to InitializeObjectAttributes above. */
113 NtClose(EventHandle);
114 NtClose(DirectoryHandle);
116 /* FIXME: Create SRM port and listener thread */
125 SeExports = ExAllocatePoolWithTag(NonPagedPool,
128 if (SeExports == NULL)
131 SeExports->SeCreateTokenPrivilege = SeCreateTokenPrivilege;
132 SeExports->SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
133 SeExports->SeLockMemoryPrivilege = SeLockMemoryPrivilege;
134 SeExports->SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
135 SeExports->SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
136 SeExports->SeTcbPrivilege = SeTcbPrivilege;
137 SeExports->SeSecurityPrivilege = SeSecurityPrivilege;
138 SeExports->SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
139 SeExports->SeLoadDriverPrivilege = SeLoadDriverPrivilege;
140 SeExports->SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
141 SeExports->SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
142 SeExports->SeSystemProfilePrivilege = SeSystemProfilePrivilege;
143 SeExports->SeSystemtimePrivilege = SeSystemtimePrivilege;
144 SeExports->SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
145 SeExports->SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
146 SeExports->SeBackupPrivilege = SeBackupPrivilege;
147 SeExports->SeRestorePrivilege = SeRestorePrivilege;
148 SeExports->SeShutdownPrivilege = SeShutdownPrivilege;
149 SeExports->SeDebugPrivilege = SeDebugPrivilege;
150 SeExports->SeAuditPrivilege = SeAuditPrivilege;
151 SeExports->SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
152 SeExports->SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
153 SeExports->SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
155 SeExports->SeNullSid = SeNullSid;
156 SeExports->SeWorldSid = SeWorldSid;
157 SeExports->SeLocalSid = SeLocalSid;
158 SeExports->SeCreatorOwnerSid = SeCreatorOwnerSid;
159 SeExports->SeCreatorGroupSid = SeCreatorGroupSid;
160 SeExports->SeNtAuthoritySid = SeNtAuthoritySid;
161 SeExports->SeDialupSid = SeDialupSid;
162 SeExports->SeNetworkSid = SeNetworkSid;
163 SeExports->SeBatchSid = SeBatchSid;
164 SeExports->SeInteractiveSid = SeInteractiveSid;
165 SeExports->SeLocalSystemSid = SeLocalSystemSid;
166 SeExports->SeAliasAdminsSid = SeAliasAdminsSid;
167 SeExports->SeAliasUsersSid = SeAliasUsersSid;
168 SeExports->SeAliasGuestsSid = SeAliasGuestsSid;
169 SeExports->SeAliasPowerUsersSid = SeAliasPowerUsersSid;
170 SeExports->SeAliasAccountOpsSid = SeAliasAccountOpsSid;
171 SeExports->SeAliasSystemOpsSid = SeAliasSystemOpsSid;
172 SeExports->SeAliasPrintOpsSid = SeAliasPrintOpsSid;
173 SeExports->SeAliasBackupOpsSid = SeAliasBackupOpsSid;
179 VOID SepReferenceLogonSession(PLUID AuthenticationId)
184 VOID SepDeReferenceLogonSession(PLUID AuthenticationId)
190 NtPrivilegedServiceAuditAlarm(IN PUNICODE_STRING SubsystemName,
191 IN PUNICODE_STRING ServiceName,
192 IN HANDLE ClientToken,
193 IN PPRIVILEGE_SET Privileges,
194 IN BOOLEAN AccessGranted)
201 NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
203 IN HANDLE ClientToken,
204 IN ULONG DesiredAccess,
205 IN PPRIVILEGE_SET Privileges,
206 IN BOOLEAN AccessGranted)
213 NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
215 IN POBJECT_ATTRIBUTES ObjectAttributes,
216 IN HANDLE ClientToken,
217 IN ULONG DesiredAccess,
218 IN ULONG GrantedAccess,
219 IN PPRIVILEGE_SET Privileges,
220 IN BOOLEAN ObjectCreation,
221 IN BOOLEAN AccessGranted,
222 OUT PBOOLEAN GenerateOnClose)
229 NtAccessCheckAndAuditAlarm(IN PUNICODE_STRING SubsystemName,
230 IN PHANDLE ObjectHandle,
231 IN POBJECT_ATTRIBUTES ObjectAttributes,
232 IN ACCESS_MASK DesiredAccess,
233 IN PGENERIC_MAPPING GenericMapping,
234 IN BOOLEAN ObjectCreation,
235 OUT PULONG GrantedAccess,
236 OUT PBOOLEAN AccessStatus,
237 OUT PBOOLEAN GenerateOnClose
245 NtAllocateUuids(PULARGE_INTEGER Time,
254 NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
256 IN BOOLEAN GenerateOnClose)
263 NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
264 IN HANDLE ClientToken,
265 IN ACCESS_MASK DesiredAccess,
266 IN PGENERIC_MAPPING GenericMapping,
267 OUT PPRIVILEGE_SET PrivilegeSet,
268 OUT PULONG ReturnLength,
269 OUT PULONG GrantedAccess,
270 OUT PBOOLEAN AccessStatus)
277 NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
279 IN BOOLEAN GenerateOnClose)
/* Drops the token references taken by SeCaptureSubjectContext. The primary
 * token is always referenced there, the client (impersonation) token only when
 * the thread was impersonating -- hence the asymmetric NULL test below.
 * No unlock of the subject context is visible here; a caller that used
 * SeLockSubjectContext must release that separately. */
286 VOID STDCALL SeReleaseSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext)
288 ObDereferenceObject(SubjectContext->PrimaryToken);
289 if (SubjectContext->ClientToken != NULL)
291 ObDereferenceObject(SubjectContext->ClientToken);
/* Snapshots the calling thread's security subject: the owning process (stored
 * as an audit identifier), the thread's impersonation token, if any, and the
 * process's primary token. Both token fields hold references that
 * SeReleaseSubjectContext drops. ProcessAuditId is a raw process pointer with
 * no reference taken on it -- presumably it is only ever compared, never
 * dereferenced; confirm against the audit code. */
295 VOID STDCALL SeCaptureSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext)
301 Process = PsGetCurrentThread()->ThreadsProcess;
303 SubjectContext->ProcessAuditId = Process;
/* NULL when the thread is not impersonating -- every consumer of ClientToken
 * must handle that (SepGetDefaultsSubjectContext does; SeAccessCheck does not). */
304 SubjectContext->ClientToken =
305 PsReferenceImpersonationToken(PsGetCurrentThread(),
308 &SubjectContext->ImpersonationLevel);
309 SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
/* Releases the security descriptor attached to an object and NULLs the
 * caller's pointer so a second call cannot double-free it. An already-NULL
 * descriptor is tolerated. Assumes the descriptor is one pool allocation
 * owned by the object (presumably produced by SeAssignSecurity -- confirm);
 * descriptors owned elsewhere must not be passed here.
 * Always returns STATUS_SUCCESS. */
314 SeDeassignSecurity(PSECURITY_DESCRIPTOR* SecurityDescriptor)
316 if ((*SecurityDescriptor) != NULL)
318 ExFreePool(*SecurityDescriptor);
319 (*SecurityDescriptor) = NULL;
321 return(STATUS_SUCCESS);
/* Extracts the defaults used when building a new object's security descriptor
 * from a captured subject. Owner, primary group and default DACL come from the
 * *effective* token (client token when impersonating, else the primary
 * token); ProcessOwner/ProcessPrimaryGroup always describe the primary token.
 * SeAssignSecurity calls this with the subject context locked. */
326 VOID SepGetDefaultsSubjectContext(PSECURITY_SUBJECT_CONTEXT SubjectContext,
330 PSID* ProcessPrimaryGroup,
/* Effective token: the impersonation token wins when one is present. */
335 if (SubjectContext->ClientToken != NULL)
337 Token = SubjectContext->ClientToken;
341 Token = SubjectContext->PrimaryToken;
343 *Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
344 *PrimaryGroup = Token->PrimaryGroup;
345 *DefaultDacl = Token->DefaultDacl;
/* BUG(review): when Token is the client token, this indexes the *primary*
 * token's UserAndGroups array with the *client* token's DefaultOwnerIndex.
 * The two tokens have unrelated group lists, so this yields the wrong owner
 * SID and may read past the primary token's array. It should be
 *   SubjectContext->PrimaryToken->
 *     UserAndGroups[SubjectContext->PrimaryToken->DefaultOwnerIndex].Sid; */
346 *ProcessOwner = SubjectContext->PrimaryToken->
347 UserAndGroups[Token->DefaultOwnerIndex].Sid;
348 *ProcessPrimaryGroup = SubjectContext->PrimaryToken->PrimaryGroup;
/* Presumably builds a new object's ACL from the inheritable ACEs of Acl
 * (the body is largely not in view). Only the entry guards are visible: an
 * earlier condition (not shown) and the revision check both fail with the
 * generic STATUS_UNSUCCESSFUL rather than a specific status such as
 * STATUS_UNKNOWN_REVISION / STATUS_INVALID_ACL. */
351 NTSTATUS SepInheritAcl(PACL Acl,
352 BOOLEAN IsDirectoryObject,
358 PGENERIC_MAPPING GenericMapping)
362 return(STATUS_UNSUCCESSFUL);
/* Only revision 2 (ACL_REVISION) and 3 (ACL_REVISION3) are accepted;
 * revision 4 ACLs carrying object ACEs are rejected here. */
364 if (Acl->AclRevision != 2 &&
365 Acl->AclRevision != 3 )
367 return(STATUS_UNSUCCESSFUL);
/* Builds the security descriptor for a new object from the parent's
 * descriptor, the caller's explicit descriptor and the creating subject's
 * defaults. Only a fragment is visible here; the DACL inheritance logic, the
 * allocation of *NewDescriptor and the return path are not in view. */
374 SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor,
375 PSECURITY_DESCRIPTOR ExplicitDescriptor,
376 PSECURITY_DESCRIPTOR* NewDescriptor,
377 BOOLEAN IsDirectoryObject,
378 PSECURITY_SUBJECT_CONTEXT SubjectContext,
379 PGENERIC_MAPPING GenericMapping,
383 PSECURITY_DESCRIPTOR Descriptor;
388 PSID ProcessPrimaryGroup;
/* No explicit descriptor: start from an empty absolute descriptor.
 * NOTE(review): Descriptor is a pointer variable, and its *address* is passed.
 * If RtlCreateSecurityDescriptor has its documented signature
 * (PSECURITY_DESCRIPTOR SecurityDescriptor, ULONG Revision) it initializes a
 * whole SECURITY_DESCRIPTOR over the pointer's stack slot and Descriptor is
 * left pointing at whatever that wrote. The return status is also ignored.
 * Confirm against the ReactOS prototype. */
391 if (ExplicitDescriptor == NULL)
393 RtlCreateSecurityDescriptor(&Descriptor, 1);
397 Descriptor = ExplicitDescriptor;
/* The subject stays locked from here on; the matching unlock is not in the
 * visible lines -- verify every return path releases it. */
399 SeLockSubjectContext(SubjectContext);
400 SepGetDefaultsSubjectContext(SubjectContext,
405 &ProcessPrimaryGroup);
406 if (Descriptor->Control & SE_SACL_PRESENT ||
407 Descriptor->Control & SE_SACL_DEFAULTED)
409 if (ParentDescriptor == NULL)
/* NOTE(review): the next condition is not valid C as written ("|| )");
 * presumably this region is compiled out (#if 0) in the original source or
 * the listing is truncated. */
412 if (Descriptor->Control & SE_SACL_PRESENT ||
413 Descriptor->Sacl == NULL ||)
419 Sacl = Descriptor->Sacl;
/* In a self-relative descriptor the Sacl field is an offset from the
 * descriptor base, hence the rebasing below (pointer + pointer arithmetic is
 * a GCC extension). */
420 if (Descriptor->Control & SE_SELF_RELATIVE)
422 Sacl = (PACL)(((PVOID)Sacl) + (PVOID)Descriptor);
/* Tests whether Sid is the user SID or one of the group SIDs of Token; used by
 * SeAccessCheck for both allow and deny ACE matching. Token is dereferenced
 * without a NULL check, so callers must never pass a missing client token.
 * Only a fragment is visible; the return statements are not. */
438 BOOLEAN SepSidInToken(PACCESS_TOKEN Token,
/* Empty user/group list: nothing can match (return is in the omitted lines). */
443 if (Token->UserAndGroupCount == 0)
448 for (i=0; i<Token->UserAndGroupCount; i++)
450 if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid))
/* NOTE(review): the visible test is for the *absence* of SE_GROUP_ENABLED and
 * the enclosing condition is not shown -- confirm that a disabled group yields
 * "no match" for allow ACEs. SE_GROUP_USE_FOR_DENY_ONLY is not consulted
 * anywhere visible; such groups must match deny ACEs but never allow ACEs,
 * which a single boolean result cannot express. */
453 (!(Token->UserAndGroups[i].Attributes & SE_GROUP_ENABLED)))
465 SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
466 IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
467 IN BOOLEAN SubjectContextLocked,
468 IN ACCESS_MASK DesiredAccess,
469 IN ACCESS_MASK PreviouslyGrantedAccess,
470 OUT PPRIVILEGE_SET* Privileges,
471 IN PGENERIC_MAPPING GenericMapping,
472 IN KPROCESSOR_MODE AccessMode,
473 OUT PACCESS_MODE GrantedAccess,
474 OUT PNTSTATUS AccessStatus)
476 * FUNCTION: Determines whether the requested access rights can be granted
477 * to an object protected by a security descriptor and an object owner
479 * SecurityDescriptor = Security descriptor protecting the object
480 * SubjectSecurityContext = Subject's captured security context
481 * SubjectContextLocked = Indicates the user's subject context is locked
482 * DesiredAccess = Access rights the caller is trying to acquire
483 * PreviouslyGrantedAccess = Specified the access rights already granted
485 * GenericMapping = Generic mapping associated with the object
486 * AccessMode = Access mode used for the check
487 * GrantedAccess (OUT) = On return specifies the access granted
488 * AccessStatus (OUT) = Status indicating why access was denied
489 * RETURNS: Both visible return statements return STATUS_SUCCESS, on the
 *          deny path as well as the grant path, so the outcome is reported
 *          only through *AccessStatus (STATUS_SUCCESS / STATUS_ACCESS_DENIED).
 *          The former claim that TRUE is returned on grant did not match the
 *          code. Privileges, SubjectContextLocked and AccessMode are not used
 *          in the visible lines.
499 ACCESS_MASK CurrentAccess;
/* Start from what the caller already holds; allow ACEs only add to this. */
501 CurrentAccess = PreviouslyGrantedAccess;
504 * Ignore the SACL for now
510 Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
514 if (!NT_SUCCESS(Status))
/* Walk the DACL. NOTE(review): the first ACE is assumed to follow the ACL
 * header directly and the SID to follow a fixed-size ACE body (header + mask),
 * i.e. every ACE is treated as having ACCESS_ALLOWED/DENIED layout. AceCount
 * is trusted as-is and no AceSize/AclSize bound is checked, so the descriptor
 * must have been validated before it gets here (not visible in this routine).
 * Whether CurrentAce is advanced by Header.AceSize each iteration is in the
 * omitted lines; if it is not, every iteration re-examines the first ACE. */
519 CurrentAce = (PACE)(Dacl + 1);
520 for (i = 0; i < Dacl->AceCount; i++)
522 Sid = (PSID)(CurrentAce + 1);
/* BUG(review): matching is done against ClientToken only. ClientToken is NULL
 * whenever the caller is not impersonating (see SeCaptureSubjectContext and
 * the NULL tests in SeReleaseSubjectContext / SepGetDefaultsSubjectContext),
 * so this dereferences NULL inside SepSidInToken and never consults the
 * primary token. Use the effective token as SepGetDefaultsSubjectContext
 * does:  Token = ClientToken ? ClientToken : PrimaryToken.
 * No AceFlags test is visible either, so INHERIT_ONLY_ACE entries, which must
 * be skipped during an access check, are evaluated like effective ACEs. */
523 if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
525 if (SepSidInToken(SubjectSecurityContext->ClientToken, Sid))
/* A matching deny ACE denies outright, regardless of whether its mask
 * overlaps the remaining DesiredAccess (stricter than NT, which denies only
 * on overlap; safe, but a behavioural difference). */
527 *AccessStatus = STATUS_ACCESS_DENIED;
529 return(STATUS_SUCCESS);
532 if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
534 if (SepSidInToken(SubjectSecurityContext->ClientToken, Sid))
/* Accumulates every bit the ACE allows, not just the requested ones. */
536 CurrentAccess = CurrentAccess |
537 CurrentAce->AccessMask;
/* BUG(review): this condition can only be true when DesiredAccess == 0.
 * !(A & D) says no desired bit is granted; !(~A & D) says every desired bit
 * is granted; both hold only for D == 0. For any non-zero request the deny
 * branch below is therefore dead code and the routine falls through to the
 * grant path even when the DACL allowed none of the requested bits.
 * The intended test is
 *   if ((CurrentAccess & DesiredAccess) != DesiredAccess)
 * after mapping generic bits through GenericMapping (RtlMapGenericMask) and
 * resolving MAXIMUM_ALLOWED -- GenericMapping is unused in the visible lines. */
541 if (!(CurrentAccess & DesiredAccess) &&
542 !((~CurrentAccess) & DesiredAccess))
544 *AccessStatus = STATUS_ACCESS_DENIED;
/* Grant path. GrantedAccess receives the full accumulated mask rather than
 * (CurrentAccess & DesiredAccess), so callers get more rights than they asked
 * for unless they mask it themselves. The parameter is declared PACCESS_MODE
 * but stores an ACCESS_MASK -- presumably should be PACCESS_MASK; confirm. */
548 *AccessStatus = STATUS_SUCCESS;
550 *GrantedAccess = CurrentAccess;
552 return(STATUS_SUCCESS);