ReactOS  0.4.15-dev-4927-gfe8f806
subject.c File Reference
#include <ntoskrnl.h>
#include <debug.h>
Include dependency graph for subject.c:

Go to the source code of this file.

Macros

#define NDEBUG
 

Functions

VOID NTAPI SeCaptureSubjectContextEx (_In_ PETHREAD Thread, _In_ PEPROCESS Process, _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
 An extended function that captures the security subject context based upon the specified thread and process. More...
 
VOID NTAPI SeCaptureSubjectContext (_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
 Captures the security subject context of the calling thread and calling process. More...
 
VOID NTAPI SeLockSubjectContext (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
 Locks both the referenced primary and client access tokens of a security subject context. More...
 
VOID NTAPI SeUnlockSubjectContext (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
 Unlocks both the referenced primary and client access tokens of a security subject context. More...
 
VOID NTAPI SeReleaseSubjectContext (_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
 Releases both the primary and client tokens of a security subject context. More...
 

Variables

ERESOURCE SepSubjectContextLock
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 11 of file subject.c.

Function Documentation

◆ SeCaptureSubjectContext()

VOID NTAPI SeCaptureSubjectContext ( _Out_ PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Captures the security subject context of the calling thread and calling process.

Parameters
[out]SubjectContextThe returned security subject context.
Returns
Nothing.

Definition at line 85 of file subject.c.

87 {
88  /* Call the extended API */
92 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
#define PsGetCurrentProcess
Definition: psfuncs.h:17
VOID NTAPI SeCaptureSubjectContextEx(_In_ PETHREAD Thread, _In_ PEPROCESS Process, _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
An extended function that captures the security subject context based upon the specified thread and p...
Definition: subject.c:41

Referenced by create_directory_fcb(), create_subvol(), fcb_get_sd(), FilterToken(), HasPrivilege(), KsCreateDefaultSecurity(), mknod(), nfs41_get_sec_ctx(), nfs41_GetLUID(), nfs41_UpcallCreate(), NtAccessCheck(), NtCloseObjectAuditAlarm(), NtOpenObjectAuditAlarm(), NtPrivilegedServiceAuditAlarm(), NtSetUuidSeed(), RxStartMinirdr(), SeCheckPrivilegedObject(), SepAccessCheckAndAuditAlarm(), SeReportSecurityEvent(), SeSinglePrivilegeCheck(), set_link_information(), set_rename_information(), START_TEST(), SystemThread(), UDFCheckAccessRights(), and UDFSetAccessRights().

◆ SeCaptureSubjectContextEx()

VOID NTAPI SeCaptureSubjectContextEx ( _In_ PETHREAD  Thread,
_In_ PEPROCESS  Process,
_Out_ PSECURITY_SUBJECT_CONTEXT  SubjectContext 
)

An extended function that captures the security subject context based upon the specified thread and process.

Parameters
[in]ThreadA thread where the calling thread's token is to be referenced for the security context.
[in]ProcessA process where the main process' token is to be referenced for the security context.
[out]SubjectContextThe returned security subject context.
Returns
Nothing.

Definition at line 41 of file subject.c.

45 {
47 
48  PAGED_CODE();
49 
50  /* Save the unique ID */
51  SubjectContext->ProcessAuditId = Process->UniqueProcessId;
52 
53  /* Check if we have a thread */
54  if (!Thread)
55  {
56  /* We don't, so no token */
57  SubjectContext->ClientToken = NULL;
58  }
59  else
60  {
61  /* Get the impersonation token */
63  &CopyOnOpen,
65  &SubjectContext->ImpersonationLevel);
66  }
67 
68  /* Get the primary token */
70 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
unsigned char BOOLEAN
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2652
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:849
#define NULL
Definition: types.h:112
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:401
#define PAGED_CODE()

Referenced by SeCaptureSubjectContext(), and SeCreateAccessStateEx().

◆ SeLockSubjectContext()

VOID NTAPI SeLockSubjectContext ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Locks both the referenced primary and client access tokens of a security subject context.

Parameters
[in]SubjectContextA valid security context with both referenced tokens.
Returns
Nothing.

Definition at line 107 of file subject.c.

109 {
110  PTOKEN PrimaryToken, ClientToken;
111  PAGED_CODE();
112 
113  /* Read both tokens */
114  PrimaryToken = SubjectContext->PrimaryToken;
115  ClientToken = SubjectContext->ClientToken;
116 
117  /* Always lock the primary */
118  SepAcquireTokenLockShared(PrimaryToken);
119 
120  /* Lock the impersonation one if it's there */
121  if (!ClientToken) return;
122  SepAcquireTokenLockShared(ClientToken);
123 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
#define SepAcquireTokenLockShared(Token)
Definition: se.h:280
#define PAGED_CODE()

Referenced by create_stream(), FatExplicitDeviceAccessGranted(), file_create(), FilterToken(), HasPrivilege(), IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), NpCreateNewNamedPipe(), ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), open_file2(), SeAccessCheck(), and START_TEST().

◆ SeReleaseSubjectContext()

VOID NTAPI SeReleaseSubjectContext ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Releases both the primary and client tokens of a security subject context.

Parameters
[in]SubjectContextThe captured security context.
Returns
Nothing.

Definition at line 171 of file subject.c.

173 {
174  PAGED_CODE();
175 
176  /* Drop reference on the primary */
178  SubjectContext->PrimaryToken = NULL;
179 
180  /* Drop reference on the impersonation, if there was one */
182  SubjectContext->ClientToken = NULL;
183 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
#define PsGetCurrentProcess
Definition: psfuncs.h:17
#define NULL
Definition: types.h:112
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:167
#define PAGED_CODE()
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:888

Referenced by FatExplicitDeviceAccessGranted(), FsRtlCancelNotify(), FsRtlNotifyCleanup(), FsRtlNotifyFilterChangeDirectory(), HasPrivilege(), KsCreateDefaultSecurity(), nfs41_get_sec_ctx(), nfs41_GetLUID(), nfs41_UpcallCreate(), NtAccessCheck(), NtCloseObjectAuditAlarm(), NtOpenObjectAuditAlarm(), NtPrivilegedServiceAuditAlarm(), NtSetUuidSeed(), RxStartMinirdr(), SeCheckPrivilegedObject(), SeDeleteAccessState(), SepAccessCheckAndAuditAlarm(), SeReportSecurityEvent(), SeSinglePrivilegeCheck(), set_link_information(), set_rename_information(), SystemThread(), UDFCheckAccessRights(), and UDFSetAccessRights().

◆ SeUnlockSubjectContext()

VOID NTAPI SeUnlockSubjectContext ( _In_ PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Unlocks both the referenced primary and client access tokens of a security subject context.

Parameters
[in]SubjectContextA valid security context with both referenced tokens.
Returns
Nothing.

Definition at line 138 of file subject.c.

140 {
141  PTOKEN PrimaryToken, ClientToken;
142  PAGED_CODE();
143 
144  /* Read both tokens */
145  PrimaryToken = SubjectContext->PrimaryToken;
146  ClientToken = SubjectContext->ClientToken;
147 
148  /* Unlock the impersonation one if it's there */
149  if (ClientToken)
150  {
151  SepReleaseTokenLock(ClientToken);
152  }
153 
154  /* Always unlock the primary one */
155  SepReleaseTokenLock(PrimaryToken);
156 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
#define SepReleaseTokenLock(Token)
Definition: se.h:286
#define PAGED_CODE()

Referenced by create_stream(), FatExplicitDeviceAccessGranted(), file_create(), FilterToken(), HasPrivilege(), IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), NpCreateNewNamedPipe(), ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), open_file2(), SeAccessCheck(), START_TEST(), and TestSeAssignSecurity().

Variable Documentation

◆ SepSubjectContextLock

ERESOURCE SepSubjectContextLock

Definition at line 16 of file subject.c.

Referenced by SepInitializationPhase0().