ReactOS  0.4.15-dev-3326-ga91f5e8
sd.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS Kernel
3  * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4  * PURPOSE: Security descriptors (SDs) implementation support
5  * COPYRIGHT: Copyright David Welch <welch@cwcom.net>
6  */
7 
8 /* INCLUDES *******************************************************************/
9 
10 #include <ntoskrnl.h>
11 #define NDEBUG
12 #include <debug.h>
13 
14 /* GLOBALS ********************************************************************/
15 
23 
24 /* PRIVATE FUNCTIONS **********************************************************/
25 
34 CODE_SEG("INIT")
35 BOOLEAN
36 NTAPI
38 {
39  /* Create PublicDefaultSd */
41  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
42  if (SePublicDefaultSd == NULL)
43  return FALSE;
44 
48  TRUE,
50  FALSE);
51 
52  /* Create PublicDefaultUnrestrictedSd */
54  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
56  return FALSE;
57 
61  TRUE,
63  FALSE);
64 
65  /* Create PublicOpenSd */
67  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
68  if (SePublicOpenSd == NULL)
69  return FALSE;
70 
74  TRUE,
76  FALSE);
77 
78  /* Create PublicOpenUnrestrictedSd */
80  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
82  return FALSE;
83 
87  TRUE,
89  FALSE);
90 
91  /* Create SystemDefaultSd */
93  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
94  if (SeSystemDefaultSd == NULL)
95  return FALSE;
96 
100  TRUE,
102  FALSE);
103 
104  /* Create UnrestrictedSd */
106  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
107  if (SeUnrestrictedSd == NULL)
108  return FALSE;
109 
113  TRUE,
115  FALSE);
116 
117  /* Create SystemAnonymousLogonSd */
119  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
121  return FALSE;
122 
126  TRUE,
128  FALSE);
129 
130  return TRUE;
131 }
132 
153 NTSTATUS
154 NTAPI
159 {
160  ULONG Current;
161  ULONG SidSize;
162  ULONG SdSize;
165 
166  DPRINT("SeSetWorldSecurityDescriptor() called\n");
167 
168  if (SecurityInformation == 0)
169  {
170  return STATUS_ACCESS_DENIED;
171  }
172 
173  /* calculate the minimum size of the buffer */
174  SidSize = RtlLengthSid(SeWorldSid);
175  SdSize = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
177  SdSize += SidSize;
179  SdSize += SidSize;
181  {
182  SdSize += sizeof(ACL) + sizeof(ACE) + SidSize;
183  }
185  {
186  SdSize += sizeof(ACL) + sizeof(ACE) + SidSize;
187  }
188 
189  if (*BufferLength < SdSize)
190  {
191  *BufferLength = SdSize;
193  }
194 
195  *BufferLength = SdSize;
196 
199  if (!NT_SUCCESS(Status))
200  {
201  return Status;
202  }
203 
204  Current = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
205 
207  {
208  RtlCopyMemory((PUCHAR)SdRel + Current, SeWorldSid, SidSize);
209  SdRel->Owner = Current;
210  Current += SidSize;
211  }
212 
214  {
215  RtlCopyMemory((PUCHAR)SdRel + Current, SeWorldSid, SidSize);
216  SdRel->Group = Current;
217  Current += SidSize;
218  }
219 
221  {
222  PACL Dacl = (PACL)((PUCHAR)SdRel + Current);
223 
225  sizeof(ACL) + sizeof(ACE) + SidSize,
226  ACL_REVISION);
227  if (!NT_SUCCESS(Status))
228  return Status;
229 
231  ACL_REVISION,
232  GENERIC_ALL,
233  SeWorldSid);
234  if (!NT_SUCCESS(Status))
235  return Status;
236 
237  SdRel->Control |= SE_DACL_PRESENT;
238  SdRel->Dacl = Current;
239  Current += SidSize;
240  }
241 
243  {
244  PACL Sacl = (PACL)((PUCHAR)SdRel + Current);
245 
247  sizeof(ACL) + sizeof(ACE) + SidSize,
248  ACL_REVISION);
249  if (!NT_SUCCESS(Status))
250  return Status;
251 
253  ACL_REVISION,
255  SeWorldSid,
256  TRUE,
257  TRUE);
258  if (!NT_SUCCESS(Status))
259  return Status;
260 
261  SdRel->Control |= SE_SACL_PRESENT;
262  SdRel->Sacl = Current;
263  Current += SidSize;
264  }
265 
266  return STATUS_SUCCESS;
267 }
268 
269 /* PUBLIC FUNCTIONS ***********************************************************/
270 
288 static
289 ULONG
291  _In_ PISID Sid,
292  _Inout_ PULONG OutSAC,
293  _In_ KPROCESSOR_MODE ProcessorMode)
294 {
295  ULONG Size;
296 
297  if (!Sid)
298  {
299  *OutSAC = 0;
300  return 0;
301  }
302 
303  if (ProcessorMode != KernelMode)
304  {
305  /* Securely access the buffers! */
307  Size = RtlLengthRequiredSid(*OutSAC);
308  ProbeForRead(Sid, Size, sizeof(ULONG));
309  }
310  else
311  {
312  *OutSAC = Sid->SubAuthorityCount;
313  Size = RtlLengthRequiredSid(*OutSAC);
314  }
315 
316  return Size;
317 }
318 
334 static
335 ULONG
337  _In_ PACL Acl,
338  _In_ KPROCESSOR_MODE ProcessorMode)
339 {
340  ULONG Size;
341 
342  if (!Acl) return 0;
343 
344  if (ProcessorMode == KernelMode) return Acl->AclSize;
345 
346  /* Probe the buffers! */
347  Size = ProbeForReadUshort(&Acl->AclSize);
348  ProbeForRead(Acl, Size, sizeof(ULONG));
349 
350  return Size;
351 }
352 
384 NTSTATUS
385 NTAPI
387  _In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
388  _In_ KPROCESSOR_MODE CurrentMode,
390  _In_ BOOLEAN CaptureIfKernel,
391  _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
392 {
393  PISECURITY_DESCRIPTOR OriginalDescriptor = _OriginalSecurityDescriptor;
394  SECURITY_DESCRIPTOR DescriptorCopy;
396  ULONG OwnerSAC = 0, GroupSAC = 0;
397  ULONG OwnerSize = 0, GroupSize = 0;
398  ULONG SaclSize = 0, DaclSize = 0;
399  ULONG DescriptorSize = 0;
400  ULONG Offset;
401 
402  if (!OriginalDescriptor)
403  {
404  /* Nothing to do... */
405  *CapturedSecurityDescriptor = NULL;
406  return STATUS_SUCCESS;
407  }
408 
409  /* Quick path */
410  if (CurrentMode == KernelMode && !CaptureIfKernel)
411  {
412  /* Check descriptor version */
413  if (OriginalDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
414  {
416  }
417 
418  *CapturedSecurityDescriptor = _OriginalSecurityDescriptor;
419  return STATUS_SUCCESS;
420  }
421 
422  _SEH2_TRY
423  {
424  if (CurrentMode != KernelMode)
425  {
426  ProbeForRead(OriginalDescriptor,
428  sizeof(ULONG));
429  }
430 
431  /* Check the descriptor version */
432  if (OriginalDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
433  {
435  }
436 
437  if (CurrentMode != KernelMode)
438  {
439  /* Get the size of the descriptor */
440  DescriptorSize = (OriginalDescriptor->Control & SE_SELF_RELATIVE) ?
442 
443  /* Probe the entire security descriptor structure. The SIDs
444  * and ACLs will be probed and copied later though */
445  ProbeForRead(OriginalDescriptor, DescriptorSize, sizeof(ULONG));
446  }
447 
448  /* Now capture all fields and convert to an absolute descriptor */
449  DescriptorCopy.Revision = OriginalDescriptor->Revision;
450  DescriptorCopy.Sbz1 = OriginalDescriptor->Sbz1;
451  DescriptorCopy.Control = OriginalDescriptor->Control & ~SE_SELF_RELATIVE;
452  DescriptorCopy.Owner = SepGetOwnerFromDescriptor(OriginalDescriptor);
453  DescriptorCopy.Group = SepGetGroupFromDescriptor(OriginalDescriptor);
454  DescriptorCopy.Sacl = SepGetSaclFromDescriptor(OriginalDescriptor);
455  DescriptorCopy.Dacl = SepGetDaclFromDescriptor(OriginalDescriptor);
456  DescriptorSize = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
457 
458  /* Determine owner and group sizes */
459  OwnerSize = DetermineSIDSize(DescriptorCopy.Owner, &OwnerSAC, CurrentMode);
460  DescriptorSize += ROUND_UP(OwnerSize, sizeof(ULONG));
461  GroupSize = DetermineSIDSize(DescriptorCopy.Group, &GroupSAC, CurrentMode);
462  DescriptorSize += ROUND_UP(GroupSize, sizeof(ULONG));
463 
464  /* Determine the size of the ACLs */
465  if (DescriptorCopy.Control & SE_SACL_PRESENT)
466  {
467  /* Get the size and probe if user mode */
468  SaclSize = DetermineACLSize(DescriptorCopy.Sacl, CurrentMode);
469  DescriptorSize += ROUND_UP(SaclSize, sizeof(ULONG));
470  }
471 
472  if (DescriptorCopy.Control & SE_DACL_PRESENT)
473  {
474  /* Get the size and probe if user mode */
475  DaclSize = DetermineACLSize(DescriptorCopy.Dacl, CurrentMode);
476  DescriptorSize += ROUND_UP(DaclSize, sizeof(ULONG));
477  }
478  }
480  {
482  }
483  _SEH2_END;
484 
485  /*
486  * Allocate enough memory to store a complete copy of a self-relative
487  * security descriptor
488  */
490  DescriptorSize,
491  TAG_SD);
493 
494  RtlZeroMemory(NewDescriptor, DescriptorSize);
495  NewDescriptor->Revision = DescriptorCopy.Revision;
496  NewDescriptor->Sbz1 = DescriptorCopy.Sbz1;
497  NewDescriptor->Control = DescriptorCopy.Control | SE_SELF_RELATIVE;
498 
499  _SEH2_TRY
500  {
501  /*
502  * Setup the offsets and copy the SIDs and ACLs to the new
503  * self-relative security descriptor. Probing the pointers is not
504  * neccessary anymore as we did that when collecting the sizes!
505  * Make sure to validate the SIDs and ACLs *again* as they could have
506  * been modified in the meanwhile!
507  */
509 
510  if (DescriptorCopy.Owner)
511  {
512  if (!RtlValidSid(DescriptorCopy.Owner)) RtlRaiseStatus(STATUS_INVALID_SID);
515  DescriptorCopy.Owner,
516  OwnerSize);
517  Offset += ROUND_UP(OwnerSize, sizeof(ULONG));
518  }
519 
520  if (DescriptorCopy.Group)
521  {
522  if (!RtlValidSid(DescriptorCopy.Group)) RtlRaiseStatus(STATUS_INVALID_SID);
525  DescriptorCopy.Group,
526  GroupSize);
527  Offset += ROUND_UP(GroupSize, sizeof(ULONG));
528  }
529 
530  if (DescriptorCopy.Sacl)
531  {
532  if (!RtlValidAcl(DescriptorCopy.Sacl)) RtlRaiseStatus(STATUS_INVALID_ACL);
535  DescriptorCopy.Sacl,
536  SaclSize);
537  Offset += ROUND_UP(SaclSize, sizeof(ULONG));
538  }
539 
540  if (DescriptorCopy.Dacl)
541  {
542  if (!RtlValidAcl(DescriptorCopy.Dacl)) RtlRaiseStatus(STATUS_INVALID_ACL);
545  DescriptorCopy.Dacl,
546  DaclSize);
547  Offset += ROUND_UP(DaclSize, sizeof(ULONG));
548  }
549 
550  /* Make sure the size was correct */
551  ASSERT(Offset == DescriptorSize);
552  }
554  {
555  /* We failed to copy the data to the new descriptor */
558  }
559  _SEH2_END;
560 
561  /*
562  * We're finally done!
563  * Copy the pointer to the captured descriptor to to the caller.
564  */
565  *CapturedSecurityDescriptor = NewDescriptor;
566  return STATUS_SUCCESS;
567 }
568 
597 NTSTATUS
598 NTAPI
603  _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor)
604 {
605  PISECURITY_DESCRIPTOR ObjectSd;
607  PSID Owner = NULL;
608  PSID Group = NULL;
609  PACL Dacl = NULL;
610  PACL Sacl = NULL;
611  ULONG OwnerLength = 0;
612  ULONG GroupLength = 0;
613  ULONG DaclLength = 0;
614  ULONG SaclLength = 0;
616  ULONG_PTR Current;
617  ULONG SdLength;
618 
619  PAGED_CODE();
620 
622 
623  if (*ObjectsSecurityDescriptor == NULL)
624  {
625  if (*Length < sizeof(SECURITY_DESCRIPTOR_RELATIVE))
626  {
629  }
630 
634  return STATUS_SUCCESS;
635  }
636 
637  ObjectSd = *ObjectsSecurityDescriptor;
638 
639  /* Calculate the required security descriptor length */
642  {
643  Owner = SepGetOwnerFromDescriptor(ObjectSd);
644  if (Owner != NULL)
645  {
646  OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
647  Control |= (ObjectSd->Control & SE_OWNER_DEFAULTED);
648  }
649  }
650 
652  {
653  Group = SepGetGroupFromDescriptor(ObjectSd);
654  if (Group != NULL)
655  {
657  Control |= (ObjectSd->Control & SE_GROUP_DEFAULTED);
658  }
659  }
660 
662  (ObjectSd->Control & SE_DACL_PRESENT))
663  {
664  Dacl = SepGetDaclFromDescriptor(ObjectSd);
665  if (Dacl != NULL)
666  {
667  DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4);
668  }
669 
670  Control |= (ObjectSd->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
671  }
672 
674  (ObjectSd->Control & SE_SACL_PRESENT))
675  {
676  Sacl = SepGetSaclFromDescriptor(ObjectSd);
677  if (Sacl != NULL)
678  {
679  SaclLength = ROUND_UP(Sacl->AclSize, 4);
680  }
681 
682  Control |= (ObjectSd->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT));
683  }
684 
685  SdLength = OwnerLength + GroupLength + DaclLength +
686  SaclLength + sizeof(SECURITY_DESCRIPTOR_RELATIVE);
687  if (*Length < SdLength)
688  {
689  *Length = SdLength;
691  }
692 
693  /* Build the new security descrtiptor */
696  RelSD->Control = Control;
697 
698  Current = (ULONG_PTR)(RelSD + 1);
699 
700  if (OwnerLength != 0)
701  {
702  RtlCopyMemory((PVOID)Current,
703  Owner,
704  OwnerLength);
705  RelSD->Owner = (ULONG)(Current - (ULONG_PTR)SecurityDescriptor);
706  Current += OwnerLength;
707  }
708 
709  if (GroupLength != 0)
710  {
711  RtlCopyMemory((PVOID)Current,
712  Group,
713  GroupLength);
714  RelSD->Group = (ULONG)(Current - (ULONG_PTR)SecurityDescriptor);
715  Current += GroupLength;
716  }
717 
718  if (DaclLength != 0)
719  {
720  RtlCopyMemory((PVOID)Current,
721  Dacl,
722  DaclLength);
723  RelSD->Dacl = (ULONG)(Current - (ULONG_PTR)SecurityDescriptor);
724  Current += DaclLength;
725  }
726 
727  if (SaclLength != 0)
728  {
729  RtlCopyMemory((PVOID)Current,
730  Sacl,
731  SaclLength);
732  RelSD->Sacl = (ULONG)(Current - (ULONG_PTR)SecurityDescriptor);
733  Current += SaclLength;
734  }
735 
736  *Length = SdLength;
737 
738  return STATUS_SUCCESS;
739 }
740 
758 NTSTATUS
759 NTAPI
761  _In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor,
762  _In_ KPROCESSOR_MODE CurrentMode,
763  _In_ BOOLEAN CaptureIfKernelMode)
764 {
765  PAGED_CODE();
766 
767  /*
768  * WARNING! You need to call this function with the same value for CurrentMode
769  * and CaptureIfKernelMode that you previously passed to
770  * SeCaptureSecurityDescriptor() in order to avoid memory leaks!
771  */
772  if (CapturedSecurityDescriptor != NULL &&
773  (CurrentMode != KernelMode ||
774  (CurrentMode == KernelMode && CaptureIfKernelMode)))
775  {
776  /* Only delete the descriptor when SeCaptureSecurityDescriptor() allocated one! */
777  ExFreePoolWithTag(CapturedSecurityDescriptor, TAG_SD);
778  }
779 
780  return STATUS_SUCCESS;
781 }
782 
811 NTSTATUS
812 NTAPI
817  _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
820 {
821  PAGED_CODE();
822 
826  ObjectsSecurityDescriptor,
827  0,
828  PoolType,
830 }
831 
870 NTSTATUS
871 NTAPI
874  _In_ PSECURITY_INFORMATION _SecurityInformation,
875  _In_ PSECURITY_DESCRIPTOR _SecurityDescriptor,
876  _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
877  _In_ ULONG AutoInheritFlags,
880 {
883  PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
884  PSID Owner;
885  PSID Group;
886  PACL Dacl;
887  PACL Sacl;
888  ULONG OwnerLength;
890  ULONG DaclLength;
891  ULONG SaclLength;
893  ULONG Current;
895 
896  PAGED_CODE();
897 
898  ObjectSd = *ObjectsSecurityDescriptor;
899 
900  /* The object does not have a security descriptor. */
901  if (!ObjectSd)
903 
904  ASSERT(ObjectSd->Control & SE_SELF_RELATIVE);
905 
906  SecurityInformation = *_SecurityInformation;
907 
908  /* Get owner and owner size */
910  {
913  }
914  else
915  {
916  Owner = SepGetOwnerFromDescriptor(ObjectSd);
917  Control |= (ObjectSd->Control & SE_OWNER_DEFAULTED);
918  }
919  OwnerLength = Owner ? RtlLengthSid(Owner) : 0;
920  ASSERT(OwnerLength % sizeof(ULONG) == 0);
921 
922  /* Get group and group size */
924  {
927  }
928  else
929  {
930  Group = SepGetGroupFromDescriptor(ObjectSd);
931  Control |= (ObjectSd->Control & SE_GROUP_DEFAULTED);
932  }
934  ASSERT(GroupLength % sizeof(ULONG) == 0);
935 
936  /* Get DACL and DACL size */
938  {
941  }
942  else
943  {
944  Dacl = SepGetDaclFromDescriptor(ObjectSd);
945  Control |= (ObjectSd->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
946  }
947  DaclLength = Dacl ? ROUND_UP((ULONG)Dacl->AclSize, 4) : 0;
948 
949  /* Get SACL and SACL size */
951  {
954  }
955  else
956  {
957  Sacl = SepGetSaclFromDescriptor(ObjectSd);
958  Control |= (ObjectSd->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT));
959  }
960  SaclLength = Sacl ? ROUND_UP((ULONG)Sacl->AclSize, 4) : 0;
961 
964  OwnerLength + GroupLength +
965  DaclLength + SaclLength,
966  TAG_SD);
967  if (NewSd == NULL)
968  {
970  }
971 
973 
974  Current = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
975 
976  if (OwnerLength != 0)
977  {
978  RtlCopyMemory((PUCHAR)NewSd + Current, Owner, OwnerLength);
979  NewSd->Owner = Current;
980  Current += OwnerLength;
981  }
982 
983  if (GroupLength != 0)
984  {
985  RtlCopyMemory((PUCHAR)NewSd + Current, Group, GroupLength);
986  NewSd->Group = Current;
987  Current += GroupLength;
988  }
989 
990  if (DaclLength != 0)
991  {
992  RtlCopyMemory((PUCHAR)NewSd + Current, Dacl, DaclLength);
993  NewSd->Dacl = Current;
994  Current += DaclLength;
995  }
996 
997  if (SaclLength != 0)
998  {
999  RtlCopyMemory((PUCHAR)NewSd + Current, Sacl, SaclLength);
1000  NewSd->Sacl = Current;
1001  Current += SaclLength;
1002  }
1003 
1004  NewSd->Control |= Control;
1005  *ObjectsSecurityDescriptor = NewSd;
1006  return STATUS_SUCCESS;
1007 }
1008 
1026 BOOLEAN NTAPI
1028  _In_ ULONG Length,
1029  _In_ PSECURITY_DESCRIPTOR _SecurityDescriptor)
1030 {
1031  ULONG SdLength;
1032  PISID Sid;
1033  PACL Acl;
1034  PISECURITY_DESCRIPTOR_RELATIVE SecurityDescriptor = _SecurityDescriptor;
1035 
1037  {
1038  DPRINT1("Invalid Security Descriptor revision\n");
1039  return FALSE;
1040  }
1041 
1043  {
1044  DPRINT1("Invalid Security Descriptor revision\n");
1045  return FALSE;
1046  }
1047 
1048  if (!(SecurityDescriptor->Control & SE_SELF_RELATIVE))
1049  {
1050  DPRINT1("No self-relative Security Descriptor\n");
1051  return FALSE;
1052  }
1053 
1054  SdLength = sizeof(SECURITY_DESCRIPTOR);
1055 
1056  /* Check Owner SID */
1057  if (!SecurityDescriptor->Owner)
1058  {
1059  DPRINT1("No Owner SID\n");
1060  return FALSE;
1061  }
1062 
1063  if (SecurityDescriptor->Owner % sizeof(ULONG))
1064  {
1065  DPRINT1("Invalid Owner SID alignment\n");
1066  return FALSE;
1067  }
1068 
1070  if (Sid->Revision != SID_REVISION)
1071  {
1072  DPRINT1("Invalid Owner SID revision\n");
1073  return FALSE;
1074  }
1075 
1076  SdLength += (sizeof(SID) + (Sid->SubAuthorityCount - 1) * sizeof(ULONG));
1077  if (Length < SdLength)
1078  {
1079  DPRINT1("Invalid Owner SID size\n");
1080  return FALSE;
1081  }
1082 
1083  /* Check Group SID */
1084  if (SecurityDescriptor->Group)
1085  {
1086  if (SecurityDescriptor->Group % sizeof(ULONG))
1087  {
1088  DPRINT1("Invalid Group SID alignment\n");
1089  return FALSE;
1090  }
1091 
1093  if (Sid->Revision != SID_REVISION)
1094  {
1095  DPRINT1("Invalid Group SID revision\n");
1096  return FALSE;
1097  }
1098 
1099  SdLength += (sizeof(SID) + (Sid->SubAuthorityCount - 1) * sizeof(ULONG));
1100  if (Length < SdLength)
1101  {
1102  DPRINT1("Invalid Group SID size\n");
1103  return FALSE;
1104  }
1105  }
1106 
1107  /* Check DACL */
1108  if (SecurityDescriptor->Dacl)
1109  {
1110  if (SecurityDescriptor->Dacl % sizeof(ULONG))
1111  {
1112  DPRINT1("Invalid DACL alignment\n");
1113  return FALSE;
1114  }
1115 
1117  if ((Acl->AclRevision < MIN_ACL_REVISION) ||
1118  (Acl->AclRevision > MAX_ACL_REVISION))
1119  {
1120  DPRINT1("Invalid DACL revision\n");
1121  return FALSE;
1122  }
1123 
1124  SdLength += Acl->AclSize;
1125  if (Length < SdLength)
1126  {
1127  DPRINT1("Invalid DACL size\n");
1128  return FALSE;
1129  }
1130  }
1131 
1132  /* Check SACL */
1133  if (SecurityDescriptor->Sacl)
1134  {
1135  if (SecurityDescriptor->Sacl % sizeof(ULONG))
1136  {
1137  DPRINT1("Invalid SACL alignment\n");
1138  return FALSE;
1139  }
1140 
1142  if ((Acl->AclRevision < MIN_ACL_REVISION) ||
1143  (Acl->AclRevision > MAX_ACL_REVISION))
1144  {
1145  DPRINT1("Invalid SACL revision\n");
1146  return FALSE;
1147  }
1148 
1149  SdLength += Acl->AclSize;
1150  if (Length < SdLength)
1151  {
1152  DPRINT1("Invalid SACL size\n");
1153  return FALSE;
1154  }
1155  }
1156 
1157  return TRUE;
1158 }
1159 
1171 NTSTATUS
1172 NTAPI
1173 SeDeassignSecurity(
1175 {
1176  PAGED_CODE();
1177 
1178  if (*SecurityDescriptor != NULL)
1179  {
1182  }
1183 
1184  return STATUS_SUCCESS;
1185 }
1186 
1241 NTSTATUS
1242 NTAPI
1244  _In_opt_ PSECURITY_DESCRIPTOR _ParentDescriptor,
1245  _In_opt_ PSECURITY_DESCRIPTOR _ExplicitDescriptor,
1249  _In_ ULONG AutoInheritFlags,
1253 {
1254  PISECURITY_DESCRIPTOR ParentDescriptor = _ParentDescriptor;
1255  PISECURITY_DESCRIPTOR ExplicitDescriptor = _ExplicitDescriptor;
1257  PTOKEN Token;
1258  ULONG OwnerLength;
1260  ULONG DaclLength;
1261  ULONG SaclLength;
1262  ULONG Length;
1264  ULONG Current;
1265  PSID Owner = NULL;
1266  PSID Group = NULL;
1267  PACL ExplicitAcl;
1268  BOOLEAN ExplicitPresent;
1269  BOOLEAN ExplicitDefaulted;
1270  PACL ParentAcl;
1271  PACL Dacl = NULL;
1272  PACL Sacl = NULL;
1273  BOOLEAN DaclIsInherited;
1274  BOOLEAN SaclIsInherited;
1277  NTSTATUS Status;
1278 
1280  DBG_UNREFERENCED_PARAMETER(AutoInheritFlags);
1282 
1283  PAGED_CODE();
1284 
1285  *NewDescriptor = NULL;
1286 
1288  {
1289  return STATUS_NO_TOKEN;
1290  }
1291 
1292  /* Lock subject context */
1294 
1295  if (SubjectContext->ClientToken != NULL)
1296  {
1297  Token = SubjectContext->ClientToken;
1298  }
1299  else
1300  {
1301  Token = SubjectContext->PrimaryToken;
1302  }
1303 
1304  /* Inherit the Owner SID */
1305  if (ExplicitDescriptor != NULL)
1306  {
1307  DPRINT("Use explicit owner sid!\n");
1309  }
1310  if (!Owner)
1311  {
1312  if (AutoInheritFlags & SEF_DEFAULT_OWNER_FROM_PARENT)
1313  {
1314  DPRINT("Use parent owner sid!\n");
1315  if (!ARGUMENT_PRESENT(ParentDescriptor))
1316  {
1318  return STATUS_INVALID_OWNER;
1319  }
1320 
1321  Owner = SepGetOwnerFromDescriptor(ParentDescriptor);
1322  if (!Owner)
1323  {
1325  return STATUS_INVALID_OWNER;
1326  }
1327  }
1328  else
1329  {
1330  DPRINT("Use token owner sid!\n");
1331  Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
1332  }
1333  }
1334  OwnerLength = RtlLengthSid(Owner);
1335  ASSERT(OwnerLength % sizeof(ULONG) == 0);
1336 
1337  /* Inherit the Group SID */
1338  if (ExplicitDescriptor != NULL)
1339  {
1341  }
1342  if (!Group)
1343  {
1344  if (AutoInheritFlags & SEF_DEFAULT_GROUP_FROM_PARENT)
1345  {
1346  DPRINT("Use parent group sid!\n");
1347  if (!ARGUMENT_PRESENT(ParentDescriptor))
1348  {
1351  }
1352 
1353  Group = SepGetGroupFromDescriptor(ParentDescriptor);
1354  if (!Group)
1355  {
1358  }
1359  }
1360  else
1361  {
1362  DPRINT("Use token group sid!\n");
1363  Group = Token->PrimaryGroup;
1364  }
1365  }
1366  if (!Group)
1367  {
1370  }
1372  ASSERT(GroupLength % sizeof(ULONG) == 0);
1373 
1374  /* Inherit the DACL */
1375  DaclLength = 0;
1376  ExplicitAcl = NULL;
1377  ExplicitPresent = FALSE;
1378  ExplicitDefaulted = FALSE;
1379  if (ExplicitDescriptor != NULL &&
1381  {
1383  ExplicitPresent = TRUE;
1385  ExplicitDefaulted = TRUE;
1386  }
1387  ParentAcl = NULL;
1388  if (ParentDescriptor != NULL &&
1389  (ParentDescriptor->Control & SE_DACL_PRESENT))
1390  {
1391  ParentAcl = SepGetDaclFromDescriptor(ParentDescriptor);
1392  }
1393  Dacl = SepSelectAcl(ExplicitAcl,
1394  ExplicitPresent,
1395  ExplicitDefaulted,
1396  ParentAcl,
1397  Token->DefaultDacl,
1398  &DaclLength,
1399  Owner,
1400  Group,
1401  &DaclPresent,
1402  &DaclIsInherited,
1404  GenericMapping);
1405  if (DaclPresent)
1407  ASSERT(DaclLength % sizeof(ULONG) == 0);
1408 
1409  /* Inherit the SACL */
1410  SaclLength = 0;
1411  ExplicitAcl = NULL;
1412  ExplicitPresent = FALSE;
1413  ExplicitDefaulted = FALSE;
1414  if (ExplicitDescriptor != NULL &&
1416  {
1418  ExplicitPresent = TRUE;
1420  ExplicitDefaulted = TRUE;
1421  }
1422  ParentAcl = NULL;
1423  if (ParentDescriptor != NULL &&
1424  (ParentDescriptor->Control & SE_SACL_PRESENT))
1425  {
1426  ParentAcl = SepGetSaclFromDescriptor(ParentDescriptor);
1427  }
1428  Sacl = SepSelectAcl(ExplicitAcl,
1429  ExplicitPresent,
1430  ExplicitDefaulted,
1431  ParentAcl,
1432  NULL,
1433  &SaclLength,
1434  Owner,
1435  Group,
1436  &SaclPresent,
1437  &SaclIsInherited,
1439  GenericMapping);
1440  if (SaclPresent)
1442  ASSERT(SaclLength % sizeof(ULONG) == 0);
1443 
1444  /* Allocate and initialize the new security descriptor */
1446  OwnerLength + GroupLength + DaclLength + SaclLength;
1447 
1448  DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %u OwnerLength %lu GroupLength %lu DaclLength %lu SaclLength %lu\n",
1449  sizeof(SECURITY_DESCRIPTOR),
1450  OwnerLength,
1451  GroupLength,
1452  DaclLength,
1453  SaclLength);
1454 
1456  if (Descriptor == NULL)
1457  {
1458  DPRINT1("ExAlloctePool() failed\n");
1461  }
1462 
1465 
1466  Descriptor->Control = Control | SE_SELF_RELATIVE;
1467 
1468  Current = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
1469 
1470  if (SaclLength != 0)
1471  {
1472  Status = SepPropagateAcl((PACL)((PUCHAR)Descriptor + Current),
1473  &SaclLength,
1474  Sacl,
1475  Owner,
1476  Group,
1477  SaclIsInherited,
1479  GenericMapping);
1481  Descriptor->Sacl = Current;
1482  Current += SaclLength;
1483  }
1484 
1485  if (DaclLength != 0)
1486  {
1487  Status = SepPropagateAcl((PACL)((PUCHAR)Descriptor + Current),
1488  &DaclLength,
1489  Dacl,
1490  Owner,
1491  Group,
1492  DaclIsInherited,
1494  GenericMapping);
1496  Descriptor->Dacl = Current;
1497  Current += DaclLength;
1498  }
1499 
1500  if (OwnerLength != 0)
1501  {
1502  RtlCopyMemory((PUCHAR)Descriptor + Current, Owner, OwnerLength);
1503  Descriptor->Owner = Current;
1504  Current += OwnerLength;
1505  DPRINT("Owner of %p at %x\n", Descriptor, Descriptor->Owner);
1506  }
1507  else
1508  {
1509  DPRINT("Owner of %p is zero length\n", Descriptor);
1510  }
1511 
1512  if (GroupLength != 0)
1513  {
1515  Descriptor->Group = Current;
1516  }
1517 
1518  /* Unlock subject context */
1520 
1522 
1523  DPRINT("Descriptor %p\n", Descriptor);
1525 
1526  return STATUS_SUCCESS;
1527 }
1528 
1561 NTSTATUS
1562 NTAPI
1563 SeAssignSecurity(
1564  _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor,
1571 {
1572  PAGED_CODE();
1573 
1574  return SeAssignSecurityEx(ParentDescriptor,
1576  NewDescriptor,
1577  NULL,
1579  0,
1582  PoolType);
1583 }
1584 
1604 NTSTATUS
1605 NTAPI
1608  _Out_ PULONG QuotaInfoSize)
1609 {
1610  PSID Group;
1611  PACL Dacl;
1612 
1613  PAGED_CODE();
1614 
1615  *QuotaInfoSize = 0;
1616 
1617  /* Validate security descriptor revision */
1619  {
1620  return STATUS_UNKNOWN_REVISION;
1621  }
1622 
1623  /* Get group and DACL, if any */
1626 
1627  /* Return SID length if any */
1628  if (Group != NULL)
1629  {
1630  *QuotaInfoSize = ALIGN_UP_BY(RtlLengthSid(Group), sizeof(ULONG));
1631  }
1632 
1633  /* Return DACL if any */
1634  if (Dacl != NULL)
1635  {
1636  *QuotaInfoSize += ALIGN_UP_BY(Dacl->AclSize, sizeof(ULONG));
1637  }
1638 
1639  return STATUS_SUCCESS;
1640 }
1641 
1642 /* EOF */
NTKERNELAPI NTSTATUS NTAPI SeAssignSecurityEx(_In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, _In_opt_ PSECURITY_DESCRIPTOR ExplicitDescriptor, _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, _In_opt_ GUID *ObjectType, _In_ BOOLEAN IsDirectoryObject, _In_ ULONG AutoInheritFlags, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PGENERIC_MAPPING GenericMapping, _In_ POOL_TYPE PoolType)
ObjectType
Definition: metafile.c:80
#define SE_SACL_PRESENT
Definition: setypes.h:788
DECLSPEC_NORETURN NTSYSAPI VOID NTAPI RtlRaiseStatus(_In_ NTSTATUS Status)
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ ULONG BufferLength
Definition: wdfdevice.h:3767
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
#define GENERIC_ALL
Definition: nt_native.h:92
NTKERNELAPI NTSTATUS NTAPI SeSetSecurityDescriptorInfo(_In_opt_ PVOID Object, _In_ PSECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, _In_ POOL_TYPE PoolType, _In_ PGENERIC_MAPPING GenericMapping)
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
_In_ ULONG _In_ ULONG _In_ ULONG Length
Definition: ntddpcm.h:101
_Must_inspect_result_ _In_ WDFIORESLIST _In_ PIO_RESOURCE_DESCRIPTOR Descriptor
Definition: wdfresource.h:339
#define SE_SELF_RELATIVE
Definition: setypes.h:799
BOOLEAN NTAPI SeValidSecurityDescriptor(_In_ ULONG Length, _In_ PSECURITY_DESCRIPTOR _SecurityDescriptor)
Determines if a security descriptor is valid according to the general security requirements and condi...
Definition: sd.c:1027
#define ROUND_UP(n, align)
Definition: eventvwr.h:31
#define _In_opt_
Definition: ms_sal.h:309
_In_opt_ PSECURITY_DESCRIPTOR ExplicitDescriptor
Definition: sefuncs.h:29
PACL SePublicDefaultUnrestrictedDacl
Definition: acl.c:18
#define _Inout_
Definition: ms_sal.h:378
#define ProbeForReadUchar(Ptr)
Definition: probe.h:61
#define ACCESS_SYSTEM_SECURITY
Definition: nt_native.h:77
#define SECURITY_DESCRIPTOR_MIN_LENGTH
Definition: setypes.h:780
NTSTATUS NTAPI SeSetWorldSecurityDescriptor(_In_ SECURITY_INFORMATION SecurityInformation, _In_ PISECURITY_DESCRIPTOR SecurityDescriptor, _In_ PULONG BufferLength)
Sets a "World" security descriptor.
Definition: sd.c:155
#define _Out_
Definition: ms_sal.h:345
NTSTATUS NTAPI SeComputeQuotaInformationSize(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PULONG QuotaInfoSize)
struct _SID SID
#define MAX_ACL_REVISION
Definition: setypes.h:47
#define TRUE
Definition: types.h:120
#define UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:317
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
USHORT AclSize
Definition: ms-dtyp.idl:296
#define DBG_UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:318
PSECURITY_DESCRIPTOR SePublicDefaultSd
Definition: sd.c:16
PACL SeSystemDefaultDacl
Definition: acl.c:17
static ULONG DetermineACLSize(_In_ PACL Acl, _In_ KPROCESSOR_MODE ProcessorMode)
Determines the size of an ACL.
Definition: sd.c:336
PSECURITY_DESCRIPTOR SeUnrestrictedSd
Definition: sd.c:21
_In_opt_ PSECURITY_DESCRIPTOR _Out_ PSECURITY_DESCRIPTOR _In_ BOOLEAN IsDirectoryObject
Definition: sefuncs.h:29
_In_opt_ PSID Group
Definition: rtlfuncs.h:1605
unsigned char * PUCHAR
Definition: retypes.h:3
#define SID_REVISION
Definition: setypes.h:468
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
NTSTATUS SepPropagateAcl(_Out_writes_bytes_opt_(DaclLength) PACL AclDest, _Inout_ PULONG AclLength, _In_reads_bytes_(AclSource->AclSize) PACL AclSource, _In_ PSID Owner, _In_ PSID Group, _In_ BOOLEAN IsInherited, _In_ BOOLEAN IsDirectoryObject, _In_ PGENERIC_MAPPING GenericMapping)
IN PVOID IN PVOID IN USHORT IN USHORT Size
Definition: pci.h:361
NTSTATUS NTAPI RtlCreateSecurityDescriptor(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN ULONG Revision)
Definition: sd.c:117
NTSTATUS NTAPI RtlCreateSecurityDescriptorRelative(IN PISECURITY_DESCRIPTOR_RELATIVE SecurityDescriptor, IN ULONG Revision)
Definition: sd.c:139
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:39
#define GROUP_SECURITY_INFORMATION
Definition: setypes.h:124
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:59
#define SE_DACL_PRESENT
Definition: setypes.h:786
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
PSECURITY_DESCRIPTOR SePublicOpenSd
Definition: sd.c:18
_In_opt_ PSECURITY_DESCRIPTOR _Out_ PSECURITY_DESCRIPTOR * NewDescriptor
Definition: sefuncs.h:29
_In_ ULONG Revision
Definition: rtlfuncs.h:1103
BOOLEAN NTAPI SepInitSDs(VOID)
Initializes the known security descriptors in the system.
Definition: sd.c:37
#define SEF_DEFAULT_OWNER_FROM_PARENT
Definition: setypes.h:140
_In_ BOOLEAN DaclPresent
Definition: rtlfuncs.h:1594
#define SE_OWNER_DEFAULTED
Definition: setypes.h:784
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
_SEH2_TRY
Definition: create.c:4226
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSTATUS NTAPI RtlSetDaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN DaclPresent, IN PACL Dacl, IN BOOLEAN DaclDefaulted)
Definition: sd.c:303
uint32_t ULONG_PTR
Definition: typedefs.h:65
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
VOID NTAPI SeLockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Locks both the referenced primary and client access tokens of a security subject context.
Definition: access.c:456
#define FALSE
Definition: types.h:117
DWORD SECURITY_INFORMATION
Definition: ms-dtyp.idl:311
PACL SePublicOpenDacl
Definition: acl.c:19
WORD SECURITY_DESCRIPTOR_CONTROL
Definition: lsa.idl:37
struct _SID * PISID
NTSYSAPI BOOLEAN NTAPI RtlValidAcl(PACL Acl)
_Out_ PBOOLEAN SaclPresent
Definition: rtlfuncs.h:2413
struct _SECURITY_DESCRIPTOR_RELATIVE * PISECURITY_DESCRIPTOR_RELATIVE
FORCEINLINE PACL SepGetSaclFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:101
unsigned char BOOLEAN
#define SEF_DEFAULT_GROUP_FROM_PARENT
Definition: setypes.h:141
_In_ WDF_WMI_PROVIDER_CONTROL Control
Definition: wdfwmi.h:166
struct _ACL ACL
#define _In_
Definition: ms_sal.h:308
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1339
static ULONG DetermineSIDSize(_In_ PISID Sid, _Inout_ PULONG OutSAC, _In_ KPROCESSOR_MODE ProcessorMode)
Determines the size of a SID.
Definition: sd.c:290
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG SaclSize
Definition: rtlfuncs.h:1554
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
#define STATUS_INVALID_SID
Definition: ntstatus.h:356
VOID NTAPI SeUnlockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Unlocks both the referenced primary and client access tokens of a security subject context.
Definition: access.c:487
#define TAG_SD
Definition: tag.h:176
NTSYSAPI BOOLEAN NTAPI RtlValidSid(IN PSID Sid)
Definition: sid.c:21
#define SE_DACL_DEFAULTED
Definition: setypes.h:787
PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd
Definition: sd.c:19
struct _ACL * PACL
Definition: security.c:104
Status
Definition: gdiplustypes.h:24
#define STATUS_INVALID_PRIMARY_GROUP
Definition: ntstatus.h:327
_IRQL_requires_max_(PASSIVE_LEVEL)
Queries information details about a security descriptor.
Definition: sd.c:596
#define ASSERT(a)
Definition: mode.c:44
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
DWORD * PSECURITY_INFORMATION
Definition: ms-dtyp.idl:311
INT POOL_TYPE
Definition: typedefs.h:78
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
#define ARGUMENT_PRESENT(ArgumentPointer)
NTSTATUS NTAPI SeCaptureSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Captures a security descriptor.
Definition: sd.c:386
#define MIN_ACL_REVISION
Definition: setypes.h:46
#define SACL_SECURITY_INFORMATION
Definition: setypes.h:126
#define STATUS_ACCESS_DENIED
Definition: udferr_usr.h:145
#define STATUS_NO_SECURITY_ON_OBJECT
Definition: ntstatus.h:451
#define STATUS_NO_TOKEN
Definition: ntstatus.h:360
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
struct _SID * PSID
Definition: eventlog.c:35
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
struct _SECURITY_DESCRIPTOR_RELATIVE SECURITY_DESCRIPTOR_RELATIVE
NTSTATUS NTAPI SeReleaseSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, _In_ KPROCESSOR_MODE CurrentMode, _In_ BOOLEAN CaptureIfKernelMode)
Releases a captured security descriptor buffer.
Definition: sd.c:760
#define PASSIVE_LEVEL
Definition: env_spec_w32.h:693
struct _SECURITY_DESCRIPTOR SECURITY_DESCRIPTOR
PSID SeWorldSid
Definition: sid.c:25
#define SE_GROUP_DEFAULTED
Definition: setypes.h:785
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
_In_ ULONG _In_ ULONG Offset
Definition: ntddpcm.h:101
PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd
Definition: sd.c:17
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
NTKERNELAPI NTSTATUS NTAPI SeSetSecurityDescriptorInfoEx(_In_opt_ PVOID Object, _In_ PSECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR ModificationDescriptor, _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, _In_ ULONG AutoInheritFlags, _In_ POOL_TYPE PoolType, _In_ PGENERIC_MAPPING GenericMapping)
UCHAR AclRevision
Definition: ms-dtyp.idl:294
_SEH2_END
Definition: create.c:4400
NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAce(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN Success, _In_ BOOLEAN Failure)
#define STANDARD_RIGHTS_ALL
Definition: nt_native.h:69
SECURITY_DESCRIPTOR_CONTROL Control
Definition: setypes.h:804
PACL SePublicDefaultDacl
Definition: acl.c:16
#define STATUS_INVALID_ACL
Definition: ntstatus.h:355
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID _Inout_ PULONG OwnerSize
Definition: rtlfuncs.h:1556
BYTE SubAuthorityCount
Definition: ms-dtyp.idl:200
#define OWNER_SECURITY_INFORMATION
Definition: setypes.h:123
unsigned int * PULONG
Definition: retypes.h:1
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
Definition: rtlfuncs.h:1556
#define NULL
Definition: types.h:112
#define STATUS_INVALID_OWNER
Definition: ntstatus.h:326
#define DPRINT1
Definition: precomp.h:8
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1552
#define ACL_REVISION
Definition: setypes.h:39
PACL SeUnrestrictedDacl
Definition: acl.c:21
PACL SePublicOpenUnrestrictedDacl
Definition: acl.c:20
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ _Strict_type_match_ POOL_TYPE PoolType
Definition: wdfdevice.h:3810
unsigned int ULONG
Definition: retypes.h:1
#define ProbeForReadUshort(Ptr)
Definition: probe.h:63
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
#define ULONG_PTR
Definition: config.h:101
#define ALIGN_UP_BY(size, align)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL Sacl
Definition: rtlfuncs.h:1554
FORCEINLINE PACL SepGetDaclFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:79
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
NTKERNELAPI NTSTATUS NTAPI SeQuerySecurityDescriptorInfo(_In_ PSECURITY_INFORMATION SecurityInformation, _Out_writes_bytes_(*Length) PSECURITY_DESCRIPTOR SecurityDescriptor, _Inout_ PULONG Length, _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor)
PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd
Definition: sd.c:22
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
BYTE Revision
Definition: ms-dtyp.idl:199
_In_ ULONG _In_ CONST SOCKADDR _In_ int GroupLength
Definition: ws2tcpip.h:710
#define STATUS_SUCCESS
Definition: shellext.h:65
PSECURITY_DESCRIPTOR SeSystemDefaultSd
Definition: sd.c:20
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
#define DPRINT
Definition: sndvol32.h:71
#define SE_SACL_DEFAULTED
Definition: setypes.h:789
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define _Out_writes_bytes_(size)
Definition: ms_sal.h:350
static CODE_SEG("PAGE")
Definition: isapnp.c:1482
#define SECURITY_DESCRIPTOR_REVISION1
Definition: setypes.h:59
ULONG NTAPI RtlLengthSecurityDescriptor(IN PSECURITY_DESCRIPTOR SecurityDescriptor)
Definition: sd.c:161
PACL SeSystemAnonymousLogonDacl
Definition: acl.c:22
Definition: rtltypes.h:990
#define STATUS_UNKNOWN_REVISION
Definition: ntstatus.h:324
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125
NTSYSAPI ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54
#define PAGED_CODE()
PACL SepSelectAcl(_In_opt_ PACL ExplicitAcl, _In_ BOOLEAN ExplicitPresent, _In_ BOOLEAN ExplicitDefaulted, _In_opt_ PACL ParentAcl, _In_opt_ PACL DefaultAcl, _Out_ PULONG AclLength, _In_ PSID Owner, _In_ PSID Group, _Out_ PBOOLEAN AclPresent, _Out_ PBOOLEAN IsInherited, _In_ BOOLEAN IsDirectoryObject, _In_ PGENERIC_MAPPING GenericMapping)
Selects an ACL and returns it to the caller.
Definition: acl.c:799