audit.c
00001 /*
00002  * COPYRIGHT:       See COPYING in the top level directory
00003  * PROJECT:         ReactOS kernel
00004  * FILE:            ntoskrnl/se/audit.c
00005  * PURPOSE:         Audit functions
00006  *
00007  * PROGRAMMERS:     Eric Kohl
00008  */
00009 
00010 /* INCLUDES *******************************************************************/
00011 
00012 #include <ntoskrnl.h>
00013 #define NDEBUG
00014 #include <debug.h>
00015 
00016 /* PRIVATE FUNCTIONS***********************************************************/
00017 
/*
 * Reports whether detailed auditing is enabled for a token.
 *
 * Stub: Token is never examined and the answer is always FALSE, so any
 * caller gating audit work on this routine will skip it.
 */
BOOLEAN
NTAPI
SeDetailedAuditingWithToken(
    IN PTOKEN Token)
{
    /* FIXME: the token is not inspected yet */
    return FALSE;
}
00025 
/*
 * Process-creation audit hook.
 *
 * Stub: the body is empty, so no audit record is produced for Process.
 */
VOID
NTAPI
SeAuditProcessCreate(
    IN PEPROCESS Process)
{
    /* FIXME: nothing is recorded for process creation yet */
}
00032 
/*
 * Process-exit audit hook.
 *
 * Stub: the body is empty, so no audit record is produced for Process.
 */
VOID
NTAPI
SeAuditProcessExit(
    IN PEPROCESS Process)
{
    /* FIXME: nothing is recorded for process exit yet */
}
00039 
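/*
 * Builds the object-name record that serves as a process's audit image name.
 *
 * The name of FileObject is queried twice with ObQueryNameString: once into
 * a stack OBJECT_NAME_INFORMATION to learn the required length, then into a
 * NonPagedPool buffer (tag TAG_SEPA) of that length.
 *
 * FileObject - object whose name is queried.
 * DoAudit    - currently has no effect; the auditing branch is still a FIXME.
 * AuditInfo  - receives the pool buffer, or NULL when none could be produced.
 *              Must not be NULL (asserted). This routine does not free the
 *              buffer it hands back.
 *
 * Returns the status of the second name query, STATUS_SUCCESS when the
 * zeroed fallback record is returned instead, or STATUS_NO_MEMORY whenever
 * *AuditInfo is NULL.
 *
 * NOTE(review): a buffer is only allocated when the first query reports one
 * of the three "buffer too small" statuses with a length different from
 * sizeof(LocalNameInfo). For any other outcome of the first query nothing is
 * allocated and the result is reported as STATUS_NO_MEMORY, which hides the
 * status ObQueryNameString actually returned.
 */
NTSTATUS
NTAPI
SeInitializeProcessAuditName(IN PFILE_OBJECT FileObject,
                             IN BOOLEAN DoAudit,
                             OUT POBJECT_NAME_INFORMATION *AuditInfo)
{
    OBJECT_NAME_INFORMATION LocalNameInfo;
    POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
    ULONG ReturnLength = 8; /* NOTE(review): magic initial value, meaning not visible here */
    NTSTATUS Status;

    PAGED_CODE();
    ASSERT(AuditInfo);

    /* Check if we should do auditing */
    if (DoAudit)
    {
        /* FIXME: TODO */
    }

    /* Size probe: the stack record only has room for the header */
    Status = ObQueryNameString(FileObject,
                               &LocalNameInfo,
                               sizeof(LocalNameInfo),
                               &ReturnLength);
    if (((Status == STATUS_BUFFER_OVERFLOW) ||
         (Status == STATUS_BUFFER_TOO_SMALL) ||
         (Status == STATUS_INFO_LENGTH_MISMATCH)) &&
        (ReturnLength != sizeof(LocalNameInfo)))
    {
        /* Allocate the size the probe asked for */
        ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
                                               ReturnLength,
                                               TAG_SEPA);
        if (ObjectNameInfo)
        {
            /*
             * Query again, passing the allocated length as the buffer size so
             * the second call is bounded by what was actually allocated.
             */
            Status = ObQueryNameString(FileObject,
                                       ObjectNameInfo,
                                       ReturnLength,
                                       &ReturnLength);
        }
    }

    /* The sized query failed, or produced a header-only result */
    if ((ObjectNameInfo) &&
        (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
    {
        /* This path is not expected to be taken */
        ASSERT(FALSE);

        /*
         * Release the unusable buffer with the tag it was allocated under.
         * The pointer is known to be non-NULL from the guard above.
         */
        ExFreePoolWithTag(ObjectNameInfo, TAG_SEPA);

        /* Fall back to an empty, zero-filled name record */
        ReturnLength = sizeof(OBJECT_NAME_INFORMATION);
        ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
                                               sizeof(OBJECT_NAME_INFORMATION),
                                               TAG_SEPA);
        if (ObjectNameInfo)
        {
            /* Clear it so Length, MaximumLength and Buffer are all zero */
            RtlZeroMemory(ObjectNameInfo, ReturnLength);
            Status = STATUS_SUCCESS;
        }
    }

    /* No buffer to hand back is always reported as an allocation failure */
    if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;

    /* Return the audit name (NULL on failure, never a freed pointer) */
    *AuditInfo = ObjectNameInfo;

    /* Return status */
    return Status;
}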
00114 
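/*
 * Returns a private copy of a process's image name.
 *
 * If the process has no cached audit name yet, one is built from the
 * process's file object and published into
 * Process->SeAuditProcessCreationInfo.ImageFileName with an interlocked
 * compare-exchange, so concurrent callers agree on a single record.
 *
 * Process          - process whose image name is wanted.
 * ProcessImageName - receives a NonPagedPool (TAG_SEPA) allocation holding a
 *                    UNICODE_STRING followed by its characters, or NULL on
 *                    failure. Nothing in this routine frees it.
 *
 * Returns STATUS_SUCCESS, STATUS_NO_MEMORY if the copy cannot be allocated,
 * or the failure status of PsReferenceProcessFilePointer /
 * SeInitializeProcessAuditName.
 */
NTSTATUS
NTAPI
SeLocateProcessImageName(IN PEPROCESS Process,
                         OUT PUNICODE_STRING *ProcessImageName)
{
    POBJECT_NAME_INFORMATION AuditName;
    PUNICODE_STRING ImageName;
    PFILE_OBJECT FileObject;
    SIZE_T ImageNameSize;
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    /* Assume failure so no early return leaves the output uninitialized */
    *ProcessImageName = NULL;

    /* Check if we have audit info */
    AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
    if (!AuditName)
    {
        /* Get the file object */
        Status = PsReferenceProcessFilePointer(Process, &FileObject);
        if (!NT_SUCCESS(Status)) return Status;

        /* Initialize the audit structure */
        Status = SeInitializeProcessAuditName(FileObject, TRUE, &AuditName);
        if (NT_SUCCESS(Status))
        {
            /* Publish it only if the slot is still empty */
            if (InterlockedCompareExchangePointer((PVOID*)&Process->
                                                  SeAuditProcessCreationInfo.ImageFileName,
                                                  AuditName,
                                                  NULL))
            {
                /*
                 * Someone beat us to it: our record was never published, so
                 * release it under the tag it was allocated with.
                 */
                ExFreePoolWithTag(AuditName, TAG_SEPA);
            }
        }

        /* Dereference the file object on success and failure alike */
        ObDereferenceObject(FileObject);
        if (!NT_SUCCESS(Status)) return Status;
    }

    /* Get audit info again, now we have it for sure */
    AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;

    /*
     * Header plus character storage. The same size is used for the
     * allocation and for the copy so the two cannot drift apart.
     */
    ImageNameSize = AuditName->Name.MaximumLength + sizeof(UNICODE_STRING);

    /* Allocate the output string */
    ImageName = ExAllocatePoolWithTag(NonPagedPool,
                                      ImageNameSize,
                                      TAG_SEPA);
    if (!ImageName) return STATUS_NO_MEMORY;

    /*
     * Copy the header and the MaximumLength bytes that follow it.
     * NOTE(review): this assumes the characters are stored directly after
     * the UNICODE_STRING inside the audit record and that the record is at
     * least this large - confirm against ObQueryNameString's output layout.
     */
    RtlCopyMemory(ImageName,
                  &AuditName->Name,
                  ImageNameSize);

    /* The copied Buffer still points into the audit record; retarget it */
    ImageName->Buffer = (PWSTR)(ImageName + 1);

    /* Return it */
    *ProcessImageName = ImageName;

    /* Return status */
    return Status;
}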
00182 
00183 /* PUBLIC FUNCTIONS ***********************************************************/
00184 
/*
 * @unimplemented
 *
 * Audit hook for hard-link creation. Only invokes the project's
 * UNIMPLEMENTED macro; FileName, LinkName and bSuccess are not examined and
 * no audit record is produced.
 */
VOID
NTAPI
SeAuditHardLinkCreation(
    IN PUNICODE_STRING FileName,
    IN PUNICODE_STRING LinkName,
    IN BOOLEAN bSuccess)
{
    UNIMPLEMENTED;
}
00196 
/*
 * @unimplemented
 *
 * Asks whether file events are being audited. Always answers FALSE; neither
 * AccessGranted nor SecurityDescriptor is examined.
 */
BOOLEAN
NTAPI
SeAuditingFileEvents(
    IN BOOLEAN AccessGranted,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor)
{
    UNIMPLEMENTED;

    /* Callers are told that no auditing applies */
    return FALSE;
}
00208 
/*
 * @unimplemented
 *
 * Variant of the file-event auditing query that also takes an optional
 * subject context. Always answers FALSE; none of the arguments is examined.
 */
BOOLEAN
NTAPI
SeAuditingFileEventsWithContext(
    IN BOOLEAN AccessGranted,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
{
    UNIMPLEMENTED;

    /* Callers are told that no auditing applies */
    return FALSE;
}
00221 
/*
 * @unimplemented
 *
 * Asks whether hard-link events are being audited. Always answers FALSE;
 * neither AccessGranted nor SecurityDescriptor is examined.
 */
BOOLEAN
NTAPI
SeAuditingHardLinkEvents(
    IN BOOLEAN AccessGranted,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor)
{
    UNIMPLEMENTED;

    /* Callers are told that no auditing applies */
    return FALSE;
}
00233 
/*
 * @unimplemented
 *
 * Variant of the hard-link auditing query that also takes an optional
 * subject context. Always answers FALSE; none of the arguments is examined.
 */
BOOLEAN
NTAPI
SeAuditingHardLinkEventsWithContext(
    IN BOOLEAN AccessGranted,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL)
{
    UNIMPLEMENTED;

    /* Callers are told that no auditing applies */
    return FALSE;
}
00246 
/*
 * @unimplemented
 *
 * Asks whether file or global events are being audited. Always answers
 * FALSE; none of the arguments is examined.
 */
BOOLEAN
NTAPI
SeAuditingFileOrGlobalEvents(
    IN BOOLEAN AccessGranted,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext)
{
    UNIMPLEMENTED;

    /* Callers are told that no auditing applies */
    return FALSE;
}
00259 
/*
 * @unimplemented
 *
 * Audit hook for closing a handle to an object. Only invokes the project's
 * UNIMPLEMENTED macro; Object, Handle and PerformAction are not examined and
 * no audit record is produced.
 */
VOID
NTAPI
SeCloseObjectAuditAlarm(
    IN PVOID Object,
    IN HANDLE Handle,
    IN BOOLEAN PerformAction)
{
    UNIMPLEMENTED;
}
00271 
/*
 * @unimplemented
 *
 * Audit hook for deleting an object. Only invokes the project's
 * UNIMPLEMENTED macro; Object and Handle are not examined and no audit
 * record is produced.
 */
VOID
NTAPI
SeDeleteObjectAuditAlarm(
    IN PVOID Object,
    IN HANDLE Handle)
{
    UNIMPLEMENTED;
}
00281 
/*
 * @unimplemented
 *
 * Audit hook for opening an object. Kernel-mode access returns immediately;
 * user-mode access reaches a stub that produces no audit record.
 *
 * NOTE(review): GenerateOnClose is declared OUT but is not written on any
 * path, so after the call it still holds whatever the caller stored there.
 */
VOID
NTAPI
SeOpenObjectAuditAlarm(
    IN PUNICODE_STRING ObjectTypeName,
    IN PVOID Object OPTIONAL,
    IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN PACCESS_STATE AccessState,
    IN BOOLEAN ObjectCreated,
    IN BOOLEAN AccessGranted,
    IN KPROCESSOR_MODE AccessMode,
    OUT PBOOLEAN GenerateOnClose)
{
    PAGED_CODE();

    /* Audits aren't done on kernel-mode access */
    if (AccessMode == KernelMode)
    {
        return;
    }

    /*
     * User-mode access: audit generation is not implemented, and no
     * UNIMPLEMENTED trace is emitted on this path.
     */
}
00306 
/*
 * @unimplemented
 *
 * Audit hook for opening an object for deletion. Only invokes the project's
 * UNIMPLEMENTED macro; no argument is examined and no audit record is
 * produced.
 *
 * NOTE(review): GenerateOnClose is declared OUT but is never written here.
 */
VOID
NTAPI
SeOpenObjectForDeleteAuditAlarm(
    IN PUNICODE_STRING ObjectTypeName,
    IN PVOID Object OPTIONAL,
    IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN PACCESS_STATE AccessState,
    IN BOOLEAN ObjectCreated,
    IN BOOLEAN AccessGranted,
    IN KPROCESSOR_MODE AccessMode,
    OUT PBOOLEAN GenerateOnClose)
{
    UNIMPLEMENTED;
}
00323 
/*
 * @unimplemented
 *
 * Audit hook for a privileged operation on an object. Only invokes the
 * project's UNIMPLEMENTED macro; no argument is examined and no audit record
 * is produced.
 */
VOID
NTAPI
SePrivilegeObjectAuditAlarm(
    IN HANDLE Handle,
    IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
    IN ACCESS_MASK DesiredAccess,
    IN PPRIVILEGE_SET Privileges,
    IN BOOLEAN AccessGranted,
    IN KPROCESSOR_MODE CurrentMode)
{
    UNIMPLEMENTED;
}
00338 
00339 /* SYSTEM CALLS ***************************************************************/
00340 
/*
 * System call stub: access check combined with audit generation.
 *
 * Performs no access check and always returns STATUS_NOT_IMPLEMENTED.
 * GrantedAccess, AccessStatus and GenerateOnClose are declared OUT but are
 * never written, so callers must not read them after a failed call.
 *
 * NOTE(review): none of the pointer arguments is touched today. Once this is
 * implemented they come from the system-call caller and will need to be
 * probed and captured before use.
 */
NTSTATUS
NTAPI
NtAccessCheckAndAuditAlarm(
    IN PUNICODE_STRING SubsystemName,
    IN HANDLE HandleId,
    IN PUNICODE_STRING ObjectTypeName,
    IN PUNICODE_STRING ObjectName,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN ACCESS_MASK DesiredAccess,
    IN PGENERIC_MAPPING GenericMapping,
    IN BOOLEAN ObjectCreation,
    OUT PACCESS_MASK GrantedAccess,
    OUT PNTSTATUS AccessStatus,
    OUT PBOOLEAN GenerateOnClose)
{
    UNIMPLEMENTED;

    return STATUS_NOT_IMPLEMENTED;
}
00358 
00359 
/*
 * System call stub: audit record for closing a handle.
 *
 * Always returns STATUS_NOT_IMPLEMENTED; no argument is examined and no
 * audit record is produced.
 */
NTSTATUS
NTAPI
NtCloseObjectAuditAlarm(
    IN PUNICODE_STRING SubsystemName,
    IN PVOID HandleId,
    IN BOOLEAN GenerateOnClose)
{
    UNIMPLEMENTED;

    return STATUS_NOT_IMPLEMENTED;
}
00368 
00369 
/*
 * System call stub: audit record for deleting an object.
 *
 * Always returns STATUS_NOT_IMPLEMENTED; no argument is examined and no
 * audit record is produced.
 */
NTSTATUS
NTAPI
NtDeleteObjectAuditAlarm(
    IN PUNICODE_STRING SubsystemName,
    IN PVOID HandleId,
    IN BOOLEAN GenerateOnClose)
{
    UNIMPLEMENTED;

    return STATUS_NOT_IMPLEMENTED;
}
00378 
00379 
/*
 * System call stub: audit record for opening an object.
 *
 * Always returns STATUS_NOT_IMPLEMENTED; no argument is examined and no
 * audit record is produced. GenerateOnClose is declared OUT but is never
 * written.
 *
 * NOTE(review): once implemented, the pointer arguments and ClientToken come
 * from the system-call caller and will need validation before use.
 */
NTSTATUS
NTAPI
NtOpenObjectAuditAlarm(
    IN PUNICODE_STRING SubsystemName,
    IN PVOID HandleId,
    IN PUNICODE_STRING ObjectTypeName,
    IN PUNICODE_STRING ObjectName,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN HANDLE ClientToken,
    IN ULONG DesiredAccess,
    IN ULONG GrantedAccess,
    IN PPRIVILEGE_SET Privileges,
    IN BOOLEAN ObjectCreation,
    IN BOOLEAN AccessGranted,
    OUT PBOOLEAN GenerateOnClose)
{
    UNIMPLEMENTED;

    return STATUS_NOT_IMPLEMENTED;
}
00397 
00398 
/*
 * System call stub: audit record for use of a privileged service.
 *
 * Always returns STATUS_NOT_IMPLEMENTED; no argument is examined and no
 * audit record is produced.
 */
NTSTATUS
NTAPI
NtPrivilegedServiceAuditAlarm(
    IN PUNICODE_STRING SubsystemName,
    IN PUNICODE_STRING ServiceName,
    IN HANDLE ClientToken,
    IN PPRIVILEGE_SET Privileges,
    IN BOOLEAN AccessGranted)
{
    UNIMPLEMENTED;

    return STATUS_NOT_IMPLEMENTED;
}
00409 
00410 
/*
 * System call stub: audit record for a privileged operation on an object.
 *
 * Always returns STATUS_NOT_IMPLEMENTED; no argument is examined and no
 * audit record is produced.
 */
NTSTATUS
NTAPI
NtPrivilegeObjectAuditAlarm(
    IN PUNICODE_STRING SubsystemName,
    IN PVOID HandleId,
    IN HANDLE ClientToken,
    IN ULONG DesiredAccess,
    IN PPRIVILEGE_SET Privileges,
    IN BOOLEAN AccessGranted)
{
    UNIMPLEMENTED;

    return STATUS_NOT_IMPLEMENTED;
}
00422 
00423 /* EOF */
