#include <ntoskrnl.h>#include <debug.h>
Include dependency graph for sd.c:
Go to the source code of this file.
Macros | |
| #define | NDEBUG |
Functions | |
| BOOLEAN NTAPI | SepInitSDs (VOID) |
| Initializes the known security descriptors in the system. | |
| NTSTATUS NTAPI | SeSetWorldSecurityDescriptor (_In_ SECURITY_INFORMATION SecurityInformation, _In_ PISECURITY_DESCRIPTOR SecurityDescriptor, _In_ PULONG BufferLength) |
| Sets a "World" security descriptor. | |
| static ULONG | DetermineSIDSize (_In_ PISID Sid, _Inout_ PULONG OutSAC, _In_ KPROCESSOR_MODE ProcessorMode) |
| Determines the size of a SID. | |
| static ULONG | DetermineACLSize (_In_ PACL Acl, _In_ KPROCESSOR_MODE ProcessorMode) |
| Determines the size of an ACL. | |
| NTSTATUS NTAPI | SeCaptureSecurityDescriptor (_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor) |
| Captures a security descriptor. | |
| _IRQL_requires_max_ (PASSIVE_LEVEL) | |
| Queries information details about a security descriptor. | |
| NTSTATUS NTAPI | SeReleaseSecurityDescriptor (_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode) |
| Releases a captured security descriptor buffer. | |
| BOOLEAN NTAPI | SeValidSecurityDescriptor (_In_ ULONG Length, _In_ PSECURITY_DESCRIPTOR _SecurityDescriptor) |
| Determines if a security descriptor is valid according to the general security requirements and conditions set by the kernel. | |
Macro Definition Documentation
◆ NDEBUG
Function Documentation
◆ _IRQL_requires_max_()
| _IRQL_requires_max_ | ( | PASSIVE_LEVEL | ) |
Queries information details about a security descriptor.
Computes the quota size of a security descriptor.
Assigns a security descriptor for a new object.
An extended function that assigns a security descriptor for a new object.
Frees a security descriptor.
An extended function that sets new information data to a security descriptor.
Modifies some information data about a security descriptor.
- Parameters
-
[in] SecurityInformation Security information details to be queried from a security descriptor. [out] SecurityDescriptor The returned security descriptor with security information data. [in,out] Length The returned length of a security descriptor. [in,out] ObjectsSecurityDescriptor The returned object security descriptor.
- Returns
- Returns STATUS_SUCCESS if the operations have been completed successfully and that the specific information about the security descriptor has been queried. STATUS_BUFFER_TOO_SMALL is returned if the buffer size is too small to contain the queried info about the security descriptor.
- Parameters
-
[in] Object If specified, the function will use this arbitrary object that points to an object security descriptor. [in] SecurityInformation Security information details to be set. [in] SecurityDescriptor A security descriptor where its info is to be changed. [in,out] ObjectsSecurityDescriptor The returned pointer to security descriptor objects. [in] PoolType Pool type for the new security descriptor to allocate. [in] GenericMapping The generic mapping of access rights masks.
- Returns
- See SeSetSecurityDescriptorInfoEx.
- Parameters
-
[in] Object If specified, the function will use this arbitrary object that points to an object security descriptor. [in] SecurityInformation Security information details to be set. [in] SecurityDescriptor A security descriptor where its info is to be changed. [in,out] ObjectsSecurityDescriptor The returned pointer to security descriptor objects. [in] AutoInheritFlags Flags bitmask inheritation, influencing how the security descriptor can be inherited and if it can be in the first place. [in] PoolType Pool type for the new security descriptor to allocate. [in] GenericMapping The generic mapping of access rights masks.
- Returns
- Returns STATUS_SUCCESS if the operations have been completed without problems and that new info has been set to the security descriptor. STATUS_NO_SECURITY_ON_OBJECT is returned if the object does not have a security descriptor. STATUS_INSUFFICIENT_RESOURCES is returned if memory pool allocation for the new security descriptor with new info set has failed.
- Parameters
-
[in] SecurityDescriptor A security descriptor to be freed from memory.
- Returns
- Returns STATUS_SUCCESS.
- Parameters
-
[in] _ParentDescriptor A security descriptor of the parent object that is being created. [in] _ExplicitDescriptor An explicit security descriptor that is applied to a new object. [out] NewDescriptor The new allocated security descriptor. [in] ObjectType The type of the new object. [in] IsDirectoryObject Set this to TRUE if the newly created object is a directory object, otherwise set this to FALSE. [in] AutoInheritFlags Automatic inheritance flags that influence how access control entries within ACLs from security descriptors are inherited. [in] SubjectContext Security subject context of the new object. [in] GenericMapping Generic mapping of access mask rights. [in] PoolType This parameter is unused.
- Returns
- Returns STATUS_SUCCESS if the operations have been completed successfully and that the security descriptor has been assigned to the new object. STATUS_NO_TOKEN is returned if the caller hasn't supplied a valid argument to a security subject context. STATUS_INVALID_OWNER is returned if the caller hasn't supplied a parent descriptor that belongs to the main user (owner). STATUS_INVALID_PRIMARY_GROUP is returned by the same reason as with the previous NTSTATUS code. The two NTSTATUS codes are returned if the calling thread stated that the owner and/or group is defaulted to the parent descriptor (SEF_DEFAULT_OWNER_FROM_PARENT and/or SEF_DEFAULT_GROUP_FROM_PARENT respectively). STATUS_INSUFFICIENT_RESOURCES is returned if memory pool allocation for the descriptor buffer has failed. A failure NTSTATUS is returned otherwise.
- Parameters
-
[in] ParentDescriptor A security descriptor of the parent object that is being created. [in] ExplicitDescriptor An explicit security descriptor that is applied to a new object. [out] NewDescriptor The new allocated security descriptor. [in] IsDirectoryObject Set this to TRUE if the newly created object is a directory object, otherwise set this to FALSE. [in] SubjectContext Security subject context of the new object. [in] GenericMapping Generic mapping of access mask rights. [in] PoolType This parameter is unused.
- Returns
- See SeAssignSecurityEx.
- Parameters
-
[in] SecurityDescriptor A security descriptor. [out] QuotaInfoSize The returned quota size of the given security descriptor to the caller. The function may return 0 to this parameter if the descriptor doesn't have a group or a discretionary access control list (DACL) even.
- Returns
- Returns STATUS_SUCCESS if the quota size of a security descriptor has been computed successfully. STATUS_UNKNOWN_REVISION is returned if the security descriptor has an invalid revision.
Definition at line 596 of file sd.c.
604{
605 PISECURITY_DESCRIPTOR ObjectSd;
606 PISECURITY_DESCRIPTOR_RELATIVE RelSD;
611 ULONG OwnerLength = 0;
613 ULONG DaclLength = 0;
614 ULONG SaclLength = 0;
616 ULONG_PTR Current;
617 ULONG SdLength;
618
619 PAGED_CODE();
620
622
624 {
626 {
629 }
630
632 RtlCreateSecurityDescriptorRelative(RelSD,
635 }
636
637 ObjectSd = *ObjectsSecurityDescriptor;
638
639 /* Calculate the required security descriptor length */
642 {
645 {
648 }
649 }
650
652 {
655 {
658 }
659 }
660
663 {
666 {
668 }
669
671 }
672
675 {
678 {
680 }
681
683 }
684
685 SdLength = OwnerLength + GroupLength + DaclLength +
688 {
689 *Length = SdLength;
691 }
692
693 /* Build the new security descrtiptor */
694 RtlCreateSecurityDescriptorRelative(RelSD,
697
698 Current = (ULONG_PTR)(RelSD + 1);
699
700 if (OwnerLength != 0)
701 {
703 Owner,
704 OwnerLength);
706 Current += OwnerLength;
707 }
708
710 {
712 Group,
713 GroupLength);
715 Current += GroupLength;
716 }
717
718 if (DaclLength != 0)
719 {
721 Dacl,
722 DaclLength);
724 Current += DaclLength;
725 }
726
727 if (SaclLength != 0)
728 {
730 Sacl,
731 SaclLength);
733 Current += SaclLength;
734 }
735
736 *Length = SdLength;
737
739}
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1340
Definition: nsiface.idl:2307
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1593
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
Definition: rtlfuncs.h:1597
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL Sacl
Definition: rtlfuncs.h:1595
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptorRelative(_Out_ PISECURITY_DESCRIPTOR_RELATIVE SecurityDescriptor, _In_ ULONG Revision)
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
Definition: se.h:109
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
Definition: se.h:89
FORCEINLINE PACL SepGetDaclFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
Definition: se.h:129
FORCEINLINE PACL SepGetSaclFromDescriptor(_Inout_ PSECURITY_DESCRIPTOR _Descriptor)
Definition: se.h:151
Definition: ms-dtyp.idl:293
Definition: setypes.h:836
Definition: ms-dtyp.idl:301
Definition: ms-dtyp.idl:198
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191
struct _SECURITY_DESCRIPTOR_RELATIVE * PISECURITY_DESCRIPTOR_RELATIVE
struct _SECURITY_DESCRIPTOR_RELATIVE SECURITY_DESCRIPTOR_RELATIVE
◆ DetermineACLSize()
|
static |
Determines the size of an ACL.
- Parameters
-
[in] Acl An access control list where its size is to be determined. [in] ProcessorMode Processor level access mode.
- Returns
- Returns the size length of a an access control list (ACL).
Definition at line 336 of file sd.c.
339{
341
342 if (!Acl) return 0;
343
345
346 /* Probe the buffers! */
349
351}
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
_Must_inspect_result_ _In_ WDFDEVICE _In_ PWDF_DEVICE_PROPERTY_DATA _In_ DEVPROPTYPE _In_ ULONG Size
Definition: wdfdevice.h:4533
Referenced by SeCaptureSecurityDescriptor().
◆ DetermineSIDSize()
|
static |
Determines the size of a SID.
- Parameters
-
[in] Sid A security identifier where its size is to be determined. [in,out] OutSAC The returned sub authority count of the security identifier. [in] ProcessorMode Processor level access mode.
- Returns
- Returns the size length of a security identifier (SID).
Definition at line 290 of file sd.c.
294{
296
298 {
299 *OutSAC = 0;
300 return 0;
301 }
302
304 {
305 /* Securely access the buffers! */
309 }
310 else
311 {
314 }
315
317}
NTSYSAPI ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54
Referenced by SeCaptureSecurityDescriptor().
◆ SeCaptureSecurityDescriptor()
| NTSTATUS NTAPI SeCaptureSecurityDescriptor | ( | _In_ PSECURITY_DESCRIPTOR | _OriginalSecurityDescriptor, |
| _In_ KPROCESSOR_MODE | CurrentMode, | ||
| _In_ POOL_TYPE | PoolType, | ||
| _In_ BOOLEAN | CaptureIfKernel, | ||
| _Out_ PSECURITY_DESCRIPTOR * | CapturedSecurityDescriptor | ||
| ) |
Captures a security descriptor.
- Parameters
-
[in] _OriginalSecurityDescriptor An already existing and valid security descriptor to be captured. [in] CurrentMode Processor level access mode. [in] PoolType Pool type to be used when allocating the captured buffer. [in] CaptureIfKernel Set this to TRUE if capturing is done within the kernel. [out] CapturedSecurityDescriptor The captured security descriptor.
- Returns
- Returns STATUS_SUCCESS if the operations have been completed successfully and that the security descriptor has been captured. STATUS_UNKNOWN_REVISION is returned if the security descriptor has an unknown revision. STATUS_INSUFFICIENT_RESOURCES is returned if memory pool allocation for the captured buffer has failed. A failure NTSTATUS code is returned otherwise.
Definition at line 386 of file sd.c.
392{
393 PISECURITY_DESCRIPTOR OriginalDescriptor = _OriginalSecurityDescriptor;
394 SECURITY_DESCRIPTOR DescriptorCopy;
396 ULONG OwnerSAC = 0, GroupSAC = 0;
401
402 if (!OriginalDescriptor)
403 {
404 /* Nothing to do... */
405 *CapturedSecurityDescriptor = NULL;
407 }
408
409 /* Quick path */
411 {
412 /* Check descriptor version */
414 {
416 }
417
418 *CapturedSecurityDescriptor = _OriginalSecurityDescriptor;
420 }
421
422 _SEH2_TRY
423 {
425 {
426 ProbeForRead(OriginalDescriptor,
429 }
430
431 /* Check the descriptor version */
433 {
435 }
436
438 {
439 /* Get the size of the descriptor */
442
443 /* Probe the entire security descriptor structure. The SIDs
444 * and ACLs will be probed and copied later though */
446 }
447
448 /* Now capture all fields and convert to an absolute descriptor */
457
458 /* Determine owner and group sizes */
463
464 /* Determine the size of the ACLs */
466 {
467 /* Get the size and probe if user mode */
470 }
471
473 {
474 /* Get the size and probe if user mode */
477 }
478 }
480 {
482 }
483 _SEH2_END;
484
485 /*
486 * Allocate enough memory to store a complete copy of a self-relative
487 * security descriptor
488 */
490 DescriptorSize,
491 TAG_SD);
493
498
499 _SEH2_TRY
500 {
501 /*
502 * Setup the offsets and copy the SIDs and ACLs to the new
503 * self-relative security descriptor. Probing the pointers is not
504 * neccessary anymore as we did that when collecting the sizes!
505 * Make sure to validate the SIDs and ACLs *again* as they could have
506 * been modified in the meanwhile!
507 */
509
511 {
515 DescriptorCopy.Owner,
516 OwnerSize);
518 }
519
521 {
525 DescriptorCopy.Group,
526 GroupSize);
528 }
529
531 {
535 DescriptorCopy.Sacl,
536 SaclSize);
538 }
539
541 {
545 DescriptorCopy.Dacl,
546 DaclSize);
548 }
549
550 /* Make sure the size was correct */
552 }
554 {
555 /* We failed to copy the data to the new descriptor */
558 }
559 _SEH2_END;
560
561 /*
562 * We're finally done!
563 * Copy the pointer to the captured descriptor to to the caller.
564 */
565 *CapturedSecurityDescriptor = NewDescriptor;
567}
struct _SECURITY_DESCRIPTOR SECURITY_DESCRIPTOR
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID _Inout_ PULONG OwnerSize
Definition: rtlfuncs.h:1598
NTSYSAPI BOOLEAN NTAPI RtlValidAcl(PACL Acl)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG SaclSize
Definition: rtlfuncs.h:1596
DECLSPEC_NORETURN NTSYSAPI VOID NTAPI RtlRaiseStatus(_In_ NTSTATUS Status)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1594
static ULONG DetermineSIDSize(_In_ PISID Sid, _Inout_ PULONG OutSAC, _In_ KPROCESSOR_MODE ProcessorMode)
Determines the size of a SID.
Definition: sd.c:290
static ULONG DetermineACLSize(_In_ PACL Acl, _In_ KPROCESSOR_MODE ProcessorMode)
Determines the size of an ACL.
Definition: sd.c:336
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ _Strict_type_match_ POOL_TYPE PoolType
Definition: wdfdevice.h:3815
_In_opt_ PSECURITY_DESCRIPTOR _Out_ PSECURITY_DESCRIPTOR * NewDescriptor
Definition: sefuncs.h:30
Referenced by NtOpenObjectAuditAlarm(), NtSetSecurityObject(), ObpCaptureObjectCreateInformation(), ProbeAndCaptureObjectAttributes(), SepAccessCheck(), and SepAccessCheckAndAuditAlarm().
◆ SepInitSDs()
Initializes the known security descriptors in the system.
- Returns
- Returns TRUE if all the security descriptors have been initialized, FALSE otherwise.
Definition at line 37 of file sd.c.
38{
39 /* Create PublicDefaultSd */
44
48 TRUE,
50 FALSE);
51
52 /* Create PublicDefaultUnrestrictedSd */
57
61 TRUE,
63 FALSE);
64
65 /* Create PublicOpenSd */
70
74 TRUE,
75 SePublicOpenDacl,
76 FALSE);
77
78 /* Create PublicOpenUnrestrictedSd */
83
87 TRUE,
89 FALSE);
90
91 /* Create SystemDefaultSd */
96
100 TRUE,
101 SeSystemDefaultDacl,
102 FALSE);
103
104 /* Create UnrestrictedSd */
109
113 TRUE,
114 SeUnrestrictedDacl,
115 FALSE);
116
117 /* Create SystemAnonymousLogonSd */
122
126 TRUE,
128 FALSE);
129
131}
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
Referenced by SepInitializationPhase0().
◆ SeReleaseSecurityDescriptor()
| NTSTATUS NTAPI SeReleaseSecurityDescriptor | ( | _In_ PSECURITY_DESCRIPTOR | CapturedSecurityDescriptor, |
| _In_ KPROCESSOR_MODE | CurrentMode, | ||
| _In_ BOOLEAN | CaptureIfKernelMode | ||
| ) |
Releases a captured security descriptor buffer.
- Parameters
-
[in] CapturedSecurityDescriptor The captured security descriptor to be freed. [in] CurrentMode Processor level access mode. [in] CaptureIfKernelMode Set this to TRUE if the releasing is to be done within the kernel.
- Returns
- Returns STATUS_SUCCESS.
Definition at line 760 of file sd.c.
764{
765 PAGED_CODE();
766
767 /*
768 * WARNING! You need to call this function with the same value for CurrentMode
769 * and CaptureIfKernelMode that you previously passed to
770 * SeCaptureSecurityDescriptor() in order to avoid memory leaks!
771 */
773 (CurrentMode != KernelMode ||
774 (CurrentMode == KernelMode && CaptureIfKernelMode)))
775 {
776 /* Only delete the descriptor when SeCaptureSecurityDescriptor() allocated one! */
778 }
779
781}
Referenced by NtOpenObjectAuditAlarm(), NtSetSecurityObject(), ObInsertObject(), ObpReleaseObjectCreateInformation(), ReleaseCapturedObjectAttributes(), SepAccessCheck(), and SepAccessCheckAndAuditAlarm().
◆ SeSetWorldSecurityDescriptor()
| NTSTATUS NTAPI SeSetWorldSecurityDescriptor | ( | _In_ SECURITY_INFORMATION | SecurityInformation, |
| _In_ PISECURITY_DESCRIPTOR | SecurityDescriptor, | ||
| _In_ PULONG | BufferLength | ||
| ) |
Sets a "World" security descriptor.
- Parameters
-
[in] SecurityInformation Security information details, alongside with the security descriptor to set the World SD. [in] SecurityDescriptor A security descriptor buffer. [in] BufferLength Length size of the buffer.
- Returns
- Returns STATUS_SUCCESS if the World security descriptor has been set. STATUS_ACCESS_DENIED is returned if the caller hasn't provided security information details thus the SD cannot be set.
Definition at line 155 of file sd.c.
159{
160 ULONG Current;
161 ULONG SidSize;
162 ULONG SdSize;
165
167
169 {
171 }
172
173 /* calculate the minimum size of the buffer */
177 SdSize += SidSize;
179 SdSize += SidSize;
181 {
183 }
185 {
187 }
188
190 {
191 *BufferLength = SdSize;
193 }
194
195 *BufferLength = SdSize;
196
200 {
202 }
203
205
207 {
209 SdRel->Owner = Current;
210 Current += SidSize;
211 }
212
214 {
216 SdRel->Group = Current;
217 Current += SidSize;
218 }
219
221 {
223
226 ACL_REVISION);
229
231 ACL_REVISION,
232 GENERIC_ALL,
233 SeWorldSid);
236
238 SdRel->Dacl = Current;
239 Current += SidSize;
240 }
241
243 {
245
248 ACL_REVISION);
251
253 ACL_REVISION,
255 SeWorldSid,
256 TRUE,
257 TRUE);
260
262 SdRel->Sacl = Current;
263 Current += SidSize;
264 }
265
267}
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
struct _ACL ACL
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAce(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN Success, _In_ BOOLEAN Failure)
Definition: rtltypes.h:993
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ ULONG BufferLength
Definition: wdfdevice.h:3771
Referenced by IopGetSetSecurityObject().
◆ SeValidSecurityDescriptor()
| BOOLEAN NTAPI SeValidSecurityDescriptor | ( | _In_ ULONG | Length, |
| _In_ PSECURITY_DESCRIPTOR | _SecurityDescriptor | ||
| ) |
Determines if a security descriptor is valid according to the general security requirements and conditions set by the kernel.
- Parameters
-
[in] Length The length of a security descriptor. [in] _SecurityDescriptor A security descriptor where its properties are to be checked for validity.
- Returns
- Returns TRUE if the given security descriptor is valid, FALSE otherwise.
Definition at line 1027 of file sd.c.
1030{
1031 ULONG SdLength;
1033 PACL Acl;
1035
1037 {
1040 }
1041
1043 {
1046 }
1047
1049 {
1052 }
1053
1055
1056 /* Check Owner SID */
1058 {
1061 }
1062
1064 {
1067 }
1068
1069 /* Ensure the Owner SID is within the bounds of the security descriptor */
1072 {
1075 }
1076
1077 /* Reference it */
1080 {
1083 }
1084
1085 // NOTE: Same as SeLengthSid(Sid); but doesn't use hardcoded values.
1088 {
1091 }
1092
1093 /* Check Group SID */
1095 {
1097 {
1100 }
1101
1102 /* Ensure the Group SID is within the bounds of the security descriptor */
1105 {
1108 }
1109
1110 /* Reference it */
1113 {
1116 }
1117
1118 // NOTE: Same as SeLengthSid(Sid); but doesn't use hardcoded values.
1121 {
1124 }
1125 }
1126
1127 /* Check DACL */
1129 {
1131 {
1134 }
1135
1136 /* Ensure the DACL is within the bounds of the security descriptor */
1139 {
1142 }
1143
1144 /* Reference it */
1146
1147 SdLength += Acl->AclSize;
1149 {
1152 }
1153
1155 {
1158 }
1159 }
1160
1161 /* Check SACL */
1163 {
1165 {
1168 }
1169
1170 /* Ensure the SACL is within the bounds of the security descriptor */
1173 {
1176 }
1177
1178 /* Reference it */
1180
1181 SdLength += Acl->AclSize;
1183 {
1186 }
1187
1189 {
1192 }
1193 }
1194
1196}
struct _SID SID
struct _SID * PISID
Variable Documentation
◆ SePublicDefaultSd
| PSECURITY_DESCRIPTOR SePublicDefaultSd = NULL |
Definition at line 16 of file sd.c.
Referenced by ExpInitializeCallbacks(), IoCreateSymbolicLink(), SepInitializationPhase1(), and SepInitSDs().
◆ SePublicDefaultUnrestrictedSd
| PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd = NULL |
Definition at line 17 of file sd.c.
Referenced by ExpCreateSystemRootLink(), ObInitSystem(), and SepInitSDs().
◆ SePublicOpenSd
| PSECURITY_DESCRIPTOR SePublicOpenSd = NULL |
Definition at line 18 of file sd.c.
Referenced by SepInitSDs().
◆ SePublicOpenUnrestrictedSd
| PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd = NULL |
Definition at line 19 of file sd.c.
Referenced by SepInitSDs().
◆ SeSystemAnonymousLogonSd
| PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd = NULL |
Definition at line 22 of file sd.c.
Referenced by SepInitSDs().
◆ SeSystemDefaultSd
| PSECURITY_DESCRIPTOR SeSystemDefaultSd = NULL |
Definition at line 20 of file sd.c.
Referenced by SepInitSDs().
◆ SeUnrestrictedSd
| PSECURITY_DESCRIPTOR SeUnrestrictedSd = NULL |
Definition at line 21 of file sd.c.
Referenced by SepInitSDs().
