ReactOS 0.4.15-dev-7924-g5949c20
Macros | Functions | Variables
subject.c File Reference
#include <ntoskrnl.h>
#include <debug.h>
Include dependency graph for subject.c:

Go to the source code of this file.

Macros

#define NDEBUG
 

Functions

VOID NTAPI SeCaptureSubjectContextEx (_In_ PETHREAD Thread, _In_ PEPROCESS Process, _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
 An extended function that captures the security subject context based upon the specified thread and process.
 
VOID NTAPI SeCaptureSubjectContext (_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
 Captures the security subject context of the calling thread and calling process.
 
VOID NTAPI SeLockSubjectContext (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
 Locks both the referenced primary and client access tokens of a security subject context.
 
VOID NTAPI SeUnlockSubjectContext (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
 Unlocks both the referenced primary and client access tokens of a security subject context.
 
VOID NTAPI SeReleaseSubjectContext (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
 Releases both the primary and client tokens of a security subject context.
 

Variables

ERESOURCE SepSubjectContextLock
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 11 of file subject.c.

Function Documentation

◆ SeCaptureSubjectContext()

VOID NTAPI SeCaptureSubjectContext ( _Out_ PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Captures the security subject context of the calling thread and calling process.

Parameters
[out]SubjectContextThe returned security subject context.
Returns
Nothing.

Definition at line 85 of file subject.c.

87{
88 /* Call the extended API */
89 SeCaptureSubjectContextEx(PsGetCurrentThread(),
90 PsGetCurrentProcess(),
91 SubjectContext);
92}
PsGetCurrentThread
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2246
SeCaptureSubjectContextEx
VOID NTAPI SeCaptureSubjectContextEx(_In_ PETHREAD Thread, _In_ PEPROCESS Process, _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
An extended function that captures the security subject context based upon the specified thread and p...
Definition: subject.c:41
PsGetCurrentProcess
#define PsGetCurrentProcess
Definition: psfuncs.h:17

Referenced by create_directory_fcb(), create_subvol(), fcb_get_sd(), FilterToken(), HasPrivilege(), KsCreateDefaultSecurity(), mknod(), nfs41_get_sec_ctx(), nfs41_GetLUID(), nfs41_UpcallCreate(), NtCloseObjectAuditAlarm(), NtOpenObjectAuditAlarm(), NtPrivilegedServiceAuditAlarm(), NtSetUuidSeed(), RxStartMinirdr(), SeCheckPrivilegedObject(), SepAccessCheck(), SepAccessCheckAndAuditAlarm(), SeReportSecurityEvent(), SeSinglePrivilegeCheck(), set_link_information(), set_rename_information(), START_TEST(), SystemThread(), UDFCheckAccessRights(), and UDFSetAccessRights().

◆ SeCaptureSubjectContextEx()

VOID NTAPI SeCaptureSubjectContextEx ( _In_ PETHREAD  Thread,
_In_ PEPROCESS  Process,
_Out_ PSECURITY_SUBJECT_CONTEXT  SubjectContext 
)

An extended function that captures the security subject context based upon the specified thread and process.

Parameters
[in]ThreadA thread where the calling thread's token is to be referenced for the security context.
[in]ProcessA process where the main process' token is to be referenced for the security context.
[out]SubjectContextThe returned security subject context.
Returns
Nothing.

Definition at line 41 of file subject.c.

45{
46 BOOLEAN CopyOnOpen, EffectiveOnly;
47
48 PAGED_CODE();
49
50 /* Save the unique ID */
51 SubjectContext->ProcessAuditId = Process->UniqueProcessId;
52
53 /* Check if we have a thread */
54 if (!Thread)
55 {
56 /* We don't, so no token */
57 SubjectContext->ClientToken = NULL;
58 }
59 else
60 {
61 /* Get the impersonation token */
62 SubjectContext->ClientToken = PsReferenceImpersonationToken(Thread,
63 &CopyOnOpen,
64 &EffectiveOnly,
65 &SubjectContext->ImpersonationLevel);
66 }
67
68 /* Get the primary token */
69 SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
70}
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_EvalMethod.c:87
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
NULL
#define NULL
Definition: types.h:112
Thread
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
Process
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:223
EffectiveOnly
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:410
PsReferencePrimaryToken
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
PsReferenceImpersonationToken
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:871
CopyOnOpen
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154

Referenced by SeCaptureSubjectContext(), and SeCreateAccessStateEx().

◆ SeLockSubjectContext()

VOID NTAPI SeLockSubjectContext ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Locks both the referenced primary and client access tokens of a security subject context.

Parameters
[in]SubjectContextA valid security context with both referenced tokens.
Returns
Nothing.

Definition at line 107 of file subject.c.

109{
110 PTOKEN PrimaryToken, ClientToken;
111 PAGED_CODE();
112
113 /* Read both tokens */
114 PrimaryToken = SubjectContext->PrimaryToken;
115 ClientToken = SubjectContext->ClientToken;
116
117 /* Always lock the primary */
118 SepAcquireTokenLockShared(PrimaryToken);
119
120 /* Lock the impersonation one if it's there */
121 if (!ClientToken) return;
122 SepAcquireTokenLockShared(ClientToken);
123}
SepAcquireTokenLockShared
#define SepAcquireTokenLockShared(Token)
Definition: se.h:290
_TOKEN
Definition: setypes.h:216

Referenced by create_stream(), FatExplicitDeviceAccessGranted(), file_create(), FilterToken(), HasPrivilege(), IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), NpCreateNewNamedPipe(), ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), open_file2(), SeAccessCheck(), and START_TEST().

◆ SeReleaseSubjectContext()

VOID NTAPI SeReleaseSubjectContext ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Releases both the primary and client tokens of a security subject context.

Parameters
[in]SubjectContextThe captured security context.
Returns
Nothing.

Definition at line 171 of file subject.c.

173{
174 PAGED_CODE();
175
176 /* Drop reference on the primary */
177 ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
178 SubjectContext->PrimaryToken = NULL;
179
180 /* Drop reference on the impersonation, if there was one */
181 PsDereferenceImpersonationToken(SubjectContext->ClientToken);
182 SubjectContext->ClientToken = NULL;
183}
PsDereferenceImpersonationToken
#define PsDereferenceImpersonationToken(T)
Definition: imports.h:298
ObFastDereferenceObject
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:167

Referenced by FatExplicitDeviceAccessGranted(), FsRtlCancelNotify(), FsRtlNotifyCleanup(), FsRtlNotifyFilterChangeDirectory(), HasPrivilege(), KsCreateDefaultSecurity(), nfs41_get_sec_ctx(), nfs41_GetLUID(), nfs41_UpcallCreate(), NtCloseObjectAuditAlarm(), NtOpenObjectAuditAlarm(), NtPrivilegedServiceAuditAlarm(), NtSetUuidSeed(), RxStartMinirdr(), SeCheckPrivilegedObject(), SeDeleteAccessState(), SepAccessCheck(), SepAccessCheckAndAuditAlarm(), SeReportSecurityEvent(), SeSinglePrivilegeCheck(), set_link_information(), set_rename_information(), SystemThread(), UDFCheckAccessRights(), and UDFSetAccessRights().

◆ SeUnlockSubjectContext()

VOID NTAPI SeUnlockSubjectContext ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Unlocks both the referenced primary and client access tokens of a security subject context.

Parameters
[in]SubjectContextA valid security context with both referenced tokens.
Returns
Nothing.

Definition at line 138 of file subject.c.

140{
141 PTOKEN PrimaryToken, ClientToken;
142 PAGED_CODE();
143
144 /* Read both tokens */
145 PrimaryToken = SubjectContext->PrimaryToken;
146 ClientToken = SubjectContext->ClientToken;
147
148 /* Unlock the impersonation one if it's there */
149 if (ClientToken)
150 {
151 SepReleaseTokenLock(ClientToken);
152 }
153
154 /* Always unlock the primary one */
155 SepReleaseTokenLock(PrimaryToken);
156}
SepReleaseTokenLock
#define SepReleaseTokenLock(Token)
Definition: se.h:296

Referenced by create_stream(), FatExplicitDeviceAccessGranted(), file_create(), FilterToken(), HasPrivilege(), IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), NpCreateNewNamedPipe(), ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), open_file2(), SeAccessCheck(), START_TEST(), and TestSeAssignSecurity().

Variable Documentation

◆ SepSubjectContextLock

ERESOURCE SepSubjectContextLock

Definition at line 16 of file subject.c.

Referenced by SepInitializationPhase0().