ReactOS Development > Doxygen
acl.c
Go to the documentation of this file.
00001 /* 00002 * COPYRIGHT: See COPYING in the top level directory 00003 * PROJECT: ReactOS kernel 00004 * FILE: ntoskrnl/se/acl.c 00005 * PURPOSE: Security manager 00006 * 00007 * PROGRAMMERS: David Welch <welch@cwcom.net> 00008 */ 00009 00010 /* INCLUDES *******************************************************************/ 00011 00012 #include <ntoskrnl.h> 00013 #define NDEBUG 00014 #include <debug.h> 00015 00016 #if defined (ALLOC_PRAGMA) 00017 #pragma alloc_text(INIT, SepInitDACLs) 00018 #endif 00019 00020 /* GLOBALS ********************************************************************/ 00021 00022 PACL SePublicDefaultDacl = NULL; 00023 PACL SeSystemDefaultDacl = NULL; 00024 PACL SePublicDefaultUnrestrictedDacl = NULL; 00025 PACL SePublicOpenDacl = NULL; 00026 PACL SePublicOpenUnrestrictedDacl = NULL; 00027 PACL SeUnrestrictedDacl = NULL; 00028 00029 /* FUNCTIONS ******************************************************************/ 00030 00031 BOOLEAN 00032 INIT_FUNCTION 00033 NTAPI 00034 SepInitDACLs(VOID) 00035 { 00036 ULONG AclLength; 00037 00038 /* create PublicDefaultDacl */ 00039 AclLength = sizeof(ACL) + 00040 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) + 00041 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)); 00042 00043 SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool, 00044 AclLength, 00045 TAG_ACL); 00046 if (SePublicDefaultDacl == NULL) 00047 return FALSE; 00048 00049 RtlCreateAcl(SePublicDefaultDacl, 00050 AclLength, 00051 ACL_REVISION); 00052 00053 RtlAddAccessAllowedAce(SePublicDefaultDacl, 00054 ACL_REVISION, 00055 GENERIC_EXECUTE, 00056 SeWorldSid); 00057 00058 RtlAddAccessAllowedAce(SePublicDefaultDacl, 00059 ACL_REVISION, 00060 GENERIC_ALL, 00061 SeLocalSystemSid); 00062 00063 /* create PublicDefaultUnrestrictedDacl */ 00064 AclLength = sizeof(ACL) + 00065 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) + 00066 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + 00067 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + 00068 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); 00069 00070 SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, 00071 AclLength, 00072 TAG_ACL); 00073 if (SePublicDefaultUnrestrictedDacl == NULL) 00074 return FALSE; 00075 00076 RtlCreateAcl(SePublicDefaultUnrestrictedDacl, 00077 AclLength, 00078 ACL_REVISION); 00079 00080 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, 00081 ACL_REVISION, 00082 GENERIC_EXECUTE, 00083 SeWorldSid); 00084 00085 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, 00086 ACL_REVISION, 00087 GENERIC_ALL, 00088 SeLocalSystemSid); 00089 00090 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, 00091 ACL_REVISION, 00092 GENERIC_ALL, 00093 SeAliasAdminsSid); 00094 00095 RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, 00096 ACL_REVISION, 00097 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL, 00098 SeRestrictedCodeSid); 00099 00100 /* create PublicOpenDacl */ 00101 AclLength = sizeof(ACL) + 00102 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) + 00103 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + 00104 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)); 00105 00106 SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool, 00107 AclLength, 00108 TAG_ACL); 00109 if (SePublicOpenDacl == NULL) 00110 return FALSE; 00111 00112 RtlCreateAcl(SePublicOpenDacl, 00113 AclLength, 00114 ACL_REVISION); 00115 00116 RtlAddAccessAllowedAce(SePublicOpenDacl, 00117 ACL_REVISION, 00118 GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE, 00119 SeWorldSid); 00120 00121 RtlAddAccessAllowedAce(SePublicOpenDacl, 00122 ACL_REVISION, 00123 GENERIC_ALL, 00124 SeLocalSystemSid); 00125 00126 RtlAddAccessAllowedAce(SePublicOpenDacl, 00127 ACL_REVISION, 00128 GENERIC_ALL, 00129 SeAliasAdminsSid); 00130 00131 /* create PublicOpenUnrestrictedDacl */ 00132 AclLength = sizeof(ACL) + 00133 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) + 00134 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + 00135 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + 00136 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); 00137 00138 SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, 00139 AclLength, 00140 TAG_ACL); 00141 if (SePublicOpenUnrestrictedDacl == NULL) 00142 return FALSE; 00143 00144 RtlCreateAcl(SePublicOpenUnrestrictedDacl, 00145 AclLength, 00146 ACL_REVISION); 00147 00148 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, 00149 ACL_REVISION, 00150 GENERIC_ALL, 00151 SeWorldSid); 00152 00153 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, 00154 ACL_REVISION, 00155 GENERIC_ALL, 00156 SeLocalSystemSid); 00157 00158 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, 00159 ACL_REVISION, 00160 GENERIC_ALL, 00161 SeAliasAdminsSid); 00162 00163 RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, 00164 ACL_REVISION, 00165 GENERIC_READ | GENERIC_EXECUTE, 00166 SeRestrictedCodeSid); 00167 00168 /* create SystemDefaultDacl */ 00169 AclLength = sizeof(ACL) + 00170 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + 00171 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)); 00172 00173 SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool, 00174 AclLength, 00175 TAG_ACL); 00176 if (SeSystemDefaultDacl == NULL) 00177 return FALSE; 00178 00179 RtlCreateAcl(SeSystemDefaultDacl, 00180 AclLength, 00181 ACL_REVISION); 00182 00183 RtlAddAccessAllowedAce(SeSystemDefaultDacl, 00184 ACL_REVISION, 00185 GENERIC_ALL, 00186 SeLocalSystemSid); 00187 00188 RtlAddAccessAllowedAce(SeSystemDefaultDacl, 00189 ACL_REVISION, 00190 GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL, 00191 SeAliasAdminsSid); 00192 00193 /* create UnrestrictedDacl */ 00194 AclLength = sizeof(ACL) + 00195 (sizeof(ACE) + RtlLengthSid(SeWorldSid)) + 00196 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)); 00197 00198 SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, 00199 AclLength, 00200 TAG_ACL); 00201 if (SeUnrestrictedDacl == NULL) 00202 return FALSE; 00203 00204 RtlCreateAcl(SeUnrestrictedDacl, 00205 AclLength, 00206 ACL_REVISION); 00207 00208 RtlAddAccessAllowedAce(SeUnrestrictedDacl, 00209 ACL_REVISION, 00210 GENERIC_ALL, 00211 SeWorldSid); 00212 00213 RtlAddAccessAllowedAce(SeUnrestrictedDacl, 00214 ACL_REVISION, 00215 GENERIC_READ | GENERIC_EXECUTE, 00216 SeRestrictedCodeSid); 00217 00218 return TRUE; 00219 } 00220 00221 NTSTATUS NTAPI 00222 SepCreateImpersonationTokenDacl(PTOKEN Token, 00223 PTOKEN PrimaryToken, 00224 PACL *Dacl) 00225 { 00226 ULONG AclLength; 00227 PVOID TokenDacl; 00228 00229 PAGED_CODE(); 00230 00231 AclLength = sizeof(ACL) + 00232 (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) + 00233 (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) + 00234 (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) + 00235 (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) + 00236 (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid)); 00237 00238 TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL); 00239 if (TokenDacl == NULL) 00240 { 00241 return STATUS_INSUFFICIENT_RESOURCES; 00242 } 00243 00244 RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION); 00245 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, 00246 Token->UserAndGroups->Sid); 00247 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, 00248 PrimaryToken->UserAndGroups->Sid); 00249 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, 00250 SeAliasAdminsSid); 00251 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, 00252 SeLocalSystemSid); 00253 00254 /* FIXME */ 00255 #if 0 00256 if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL) 00257 { 00258 RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL, 00259 SeRestrictedCodeSid); 00260 } 00261 #endif 00262 00263 return STATUS_SUCCESS; 00264 } 00265 00266 NTSTATUS 00267 NTAPI 00268 SepCaptureAcl(IN PACL InputAcl, 00269 IN KPROCESSOR_MODE AccessMode, 00270 IN POOL_TYPE PoolType, 00271 IN BOOLEAN CaptureIfKernel, 00272 OUT PACL *CapturedAcl) 00273 { 00274 PACL NewAcl; 00275 ULONG AclSize = 0; 00276 NTSTATUS Status = STATUS_SUCCESS; 00277 00278 PAGED_CODE(); 00279 00280 if (AccessMode != KernelMode) 00281 { 00282 _SEH2_TRY 00283 { 00284 ProbeForRead(InputAcl, 00285 sizeof(ACL), 00286 sizeof(ULONG)); 00287 AclSize = InputAcl->AclSize; 00288 ProbeForRead(InputAcl, 00289 AclSize, 00290 sizeof(ULONG)); 00291 } 00292 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) 00293 { 00294 /* Return the exception code */ 00295 _SEH2_YIELD(return _SEH2_GetExceptionCode()); 00296 } 00297 _SEH2_END; 00298 00299 NewAcl = ExAllocatePool(PoolType, 00300 AclSize); 00301 if (NewAcl != NULL) 00302 { 00303 _SEH2_TRY 00304 { 00305 RtlCopyMemory(NewAcl, 00306 InputAcl, 00307 AclSize); 00308 00309 *CapturedAcl = NewAcl; 00310 } 00311 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) 00312 { 00313 /* Free the ACL and return the exception code */ 00314 ExFreePoolWithTag(NewAcl, TAG_ACL); 00315 _SEH2_YIELD(return _SEH2_GetExceptionCode()); 00316 } 00317 _SEH2_END; 00318 } 00319 else 00320 { 00321 Status = STATUS_INSUFFICIENT_RESOURCES; 00322 } 00323 } 00324 else if (!CaptureIfKernel) 00325 { 00326 *CapturedAcl = InputAcl; 00327 } 00328 else 00329 { 00330 AclSize = InputAcl->AclSize; 00331 00332 NewAcl = ExAllocatePool(PoolType, 00333 AclSize); 00334 00335 if (NewAcl != NULL) 00336 { 00337 RtlCopyMemory(NewAcl, 00338 InputAcl, 00339 AclSize); 00340 00341 *CapturedAcl = NewAcl; 00342 } 00343 else 00344 { 00345 Status = STATUS_INSUFFICIENT_RESOURCES; 00346 } 00347 } 00348 00349 return Status; 00350 } 00351 00352 VOID 00353 NTAPI 00354 SepReleaseAcl(IN PACL CapturedAcl, 00355 IN KPROCESSOR_MODE AccessMode, 00356 IN BOOLEAN CaptureIfKernel) 00357 { 00358 PAGED_CODE(); 00359 00360 if (CapturedAcl != NULL && 00361 (AccessMode != KernelMode || 00362 (AccessMode == KernelMode && CaptureIfKernel))) 00363 { 00364 ExFreePoolWithTag(CapturedAcl, TAG_ACL); 00365 } 00366 } 00367 00368 /* EOF */
Generated on Sun May 27 2012 04:36:21 for ReactOS by
1.7.6.1
