ReactOS  0.4.15-dev-2534-geba00d1
sd.c
Go to the documentation of this file.
1 /*
2  * COPYRIGHT: See COPYING in the top level directory
3  * PROJECT: ReactOS kernel
4  * FILE: ntoskrnl/se/sd.c
5  * PURPOSE: Security manager
6  *
7  * PROGRAMMERS: David Welch <welch@cwcom.net>
8  */
9 
10 /* INCLUDES *******************************************************************/
11 
12 #include <ntoskrnl.h>
13 #define NDEBUG
14 #include <debug.h>
15 
16 /* GLOBALS ********************************************************************/
17 
25 
26 /* PRIVATE FUNCTIONS **********************************************************/
27 
28 CODE_SEG("INIT")
29 BOOLEAN
30 NTAPI
32 {
33  /* Create PublicDefaultSd */
35  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
36  if (SePublicDefaultSd == NULL)
37  return FALSE;
38 
42  TRUE,
44  FALSE);
45 
46  /* Create PublicDefaultUnrestrictedSd */
48  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
50  return FALSE;
51 
55  TRUE,
57  FALSE);
58 
59  /* Create PublicOpenSd */
61  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
62  if (SePublicOpenSd == NULL)
63  return FALSE;
64 
68  TRUE,
70  FALSE);
71 
72  /* Create PublicOpenUnrestrictedSd */
74  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
76  return FALSE;
77 
81  TRUE,
83  FALSE);
84 
85  /* Create SystemDefaultSd */
87  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
88  if (SeSystemDefaultSd == NULL)
89  return FALSE;
90 
94  TRUE,
96  FALSE);
97 
98  /* Create UnrestrictedSd */
100  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
101  if (SeUnrestrictedSd == NULL)
102  return FALSE;
103 
107  TRUE,
109  FALSE);
110 
111  /* Create SystemAnonymousLogonSd */
113  sizeof(SECURITY_DESCRIPTOR), TAG_SD);
115  return FALSE;
116 
120  TRUE,
122  FALSE);
123 
124  return TRUE;
125 }
126 
127 NTSTATUS
128 NTAPI
132 {
133  ULONG Current;
134  ULONG SidSize;
135  ULONG SdSize;
138 
139  DPRINT("SeSetWorldSecurityDescriptor() called\n");
140 
141  if (SecurityInformation == 0)
142  {
143  return STATUS_ACCESS_DENIED;
144  }
145 
146  /* calculate the minimum size of the buffer */
147  SidSize = RtlLengthSid(SeWorldSid);
148  SdSize = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
150  SdSize += SidSize;
152  SdSize += SidSize;
154  {
155  SdSize += sizeof(ACL) + sizeof(ACE) + SidSize;
156  }
157 
158  if (*BufferLength < SdSize)
159  {
160  *BufferLength = SdSize;
162  }
163 
164  *BufferLength = SdSize;
165 
168  if (!NT_SUCCESS(Status))
169  {
170  return Status;
171  }
172 
173  Current = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
174 
176  {
177  RtlCopyMemory((PUCHAR)SdRel + Current, SeWorldSid, SidSize);
178  SdRel->Owner = Current;
179  Current += SidSize;
180  }
181 
183  {
184  RtlCopyMemory((PUCHAR)SdRel + Current, SeWorldSid, SidSize);
185  SdRel->Group = Current;
186  Current += SidSize;
187  }
188 
190  {
191  PACL Dacl = (PACL)((PUCHAR)SdRel + Current);
192  SdRel->Control |= SE_DACL_PRESENT;
193 
195  sizeof(ACL) + sizeof(ACE) + SidSize,
196  ACL_REVISION);
197  if (!NT_SUCCESS(Status))
198  return Status;
199 
201  ACL_REVISION,
202  GENERIC_ALL,
203  SeWorldSid);
204  if (!NT_SUCCESS(Status))
205  return Status;
206 
207  SdRel->Dacl = Current;
208  }
209 
211  {
212  /* FIXME - SdRel->Control |= SE_SACL_PRESENT; */
213  }
214 
215  return STATUS_SUCCESS;
216 }
217 
218 
219 NTSTATUS
220 NTAPI
224  IN BOOLEAN CaptureIfKernel,
225  OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
226  OUT PBOOLEAN Present)
227 {
228  PSECURITY_QUALITY_OF_SERVICE CapturedQos;
230 
231  PAGED_CODE();
232 
233  ASSERT(CapturedSecurityQualityOfService);
234  ASSERT(Present);
235 
236  if (ObjectAttributes != NULL)
237  {
238  if (AccessMode != KernelMode)
239  {
241 
242  _SEH2_TRY
243  {
245  sizeof(OBJECT_ATTRIBUTES),
246  sizeof(ULONG));
247  if (ObjectAttributes->Length == sizeof(OBJECT_ATTRIBUTES))
248  {
249  if (ObjectAttributes->SecurityQualityOfService != NULL)
250  {
251  ProbeForRead(ObjectAttributes->SecurityQualityOfService,
253  sizeof(ULONG));
254 
255  if (((PSECURITY_QUALITY_OF_SERVICE)ObjectAttributes->SecurityQualityOfService)->Length ==
257  {
258  /*
259  * Don't allocate memory here because ExAllocate should bugcheck
260  * the system if it's buggy, SEH would catch that! So make a local
261  * copy of the qos structure.
262  */
263  RtlCopyMemory(&SafeQos,
264  ObjectAttributes->SecurityQualityOfService,
266  *Present = TRUE;
267  }
268  else
269  {
271  }
272  }
273  else
274  {
275  *CapturedSecurityQualityOfService = NULL;
276  *Present = FALSE;
277  }
278  }
279  else
280  {
282  }
283  }
285  {
287  }
288  _SEH2_END;
289 
290  if (NT_SUCCESS(Status))
291  {
292  if (*Present)
293  {
294  CapturedQos = ExAllocatePoolWithTag(PoolType,
296  TAG_QOS);
297  if (CapturedQos != NULL)
298  {
299  RtlCopyMemory(CapturedQos,
300  &SafeQos,
302  *CapturedSecurityQualityOfService = CapturedQos;
303  }
304  else
305  {
307  }
308  }
309  else
310  {
311  *CapturedSecurityQualityOfService = NULL;
312  }
313  }
314  }
315  else
316  {
317  if (ObjectAttributes->Length == sizeof(OBJECT_ATTRIBUTES))
318  {
319  if (CaptureIfKernel)
320  {
321  if (ObjectAttributes->SecurityQualityOfService != NULL)
322  {
323  if (((PSECURITY_QUALITY_OF_SERVICE)ObjectAttributes->SecurityQualityOfService)->Length ==
325  {
326  CapturedQos = ExAllocatePoolWithTag(PoolType,
328  TAG_QOS);
329  if (CapturedQos != NULL)
330  {
331  RtlCopyMemory(CapturedQos,
332  ObjectAttributes->SecurityQualityOfService,
334  *CapturedSecurityQualityOfService = CapturedQos;
335  *Present = TRUE;
336  }
337  else
338  {
340  }
341  }
342  else
343  {
345  }
346  }
347  else
348  {
349  *CapturedSecurityQualityOfService = NULL;
350  *Present = FALSE;
351  }
352  }
353  else
354  {
355  *CapturedSecurityQualityOfService = (PSECURITY_QUALITY_OF_SERVICE)ObjectAttributes->SecurityQualityOfService;
356  *Present = (ObjectAttributes->SecurityQualityOfService != NULL);
357  }
358  }
359  else
360  {
362  }
363  }
364  }
365  else
366  {
367  *CapturedSecurityQualityOfService = NULL;
368  *Present = FALSE;
369  }
370 
371  return Status;
372 }
373 
374 
375 VOID
376 NTAPI
379  IN BOOLEAN CaptureIfKernel)
380 {
381  PAGED_CODE();
382 
383  if (CapturedSecurityQualityOfService != NULL &&
384  (AccessMode != KernelMode || CaptureIfKernel))
385  {
386  ExFreePoolWithTag(CapturedSecurityQualityOfService, TAG_QOS);
387  }
388 }
389 
390 /* PUBLIC FUNCTIONS ***********************************************************/
391 
392 static
393 ULONG
395  PISID Sid,
396  PULONG OutSAC,
397  KPROCESSOR_MODE ProcessorMode)
398 {
399  ULONG Size;
400 
401  if (!Sid)
402  {
403  *OutSAC = 0;
404  return 0;
405  }
406 
407  if (ProcessorMode != KernelMode)
408  {
409  /* Securely access the buffers! */
411  Size = RtlLengthRequiredSid(*OutSAC);
412  ProbeForRead(Sid, Size, sizeof(ULONG));
413  }
414  else
415  {
416  *OutSAC = Sid->SubAuthorityCount;
417  Size = RtlLengthRequiredSid(*OutSAC);
418  }
419 
420  return Size;
421 }
422 
423 static
424 ULONG
426  PACL Acl,
427  KPROCESSOR_MODE ProcessorMode)
428 {
429  ULONG Size;
430 
431  if (!Acl) return 0;
432 
433  if (ProcessorMode == KernelMode) return Acl->AclSize;
434 
435  /* Probe the buffers! */
437  ProbeForRead(Acl, Size, sizeof(ULONG));
438 
439  return Size;
440 }
441 
442 NTSTATUS
443 NTAPI
445  IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor,
446  IN KPROCESSOR_MODE CurrentMode,
448  IN BOOLEAN CaptureIfKernel,
449  OUT PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
450 {
451  PISECURITY_DESCRIPTOR OriginalDescriptor = _OriginalSecurityDescriptor;
452  SECURITY_DESCRIPTOR DescriptorCopy;
454  ULONG OwnerSAC = 0, GroupSAC = 0;
455  ULONG OwnerSize = 0, GroupSize = 0;
456  ULONG SaclSize = 0, DaclSize = 0;
457  ULONG DescriptorSize = 0;
458  ULONG Offset;
459 
460  if (!OriginalDescriptor)
461  {
462  /* Nothing to do... */
463  *CapturedSecurityDescriptor = NULL;
464  return STATUS_SUCCESS;
465  }
466 
467  /* Quick path */
468  if (CurrentMode == KernelMode && !CaptureIfKernel)
469  {
470  /* Check descriptor version */
471  if (OriginalDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
472  {
474  }
475 
476  *CapturedSecurityDescriptor = _OriginalSecurityDescriptor;
477  return STATUS_SUCCESS;
478  }
479 
480  _SEH2_TRY
481  {
482  if (CurrentMode != KernelMode)
483  {
484  ProbeForRead(OriginalDescriptor,
486  sizeof(ULONG));
487  }
488 
489  /* Check the descriptor version */
490  if (OriginalDescriptor->Revision != SECURITY_DESCRIPTOR_REVISION1)
491  {
493  }
494 
495  if (CurrentMode != KernelMode)
496  {
497  /* Get the size of the descriptor */
498  DescriptorSize = (OriginalDescriptor->Control & SE_SELF_RELATIVE) ?
500 
501  /* Probe the entire security descriptor structure. The SIDs
502  * and ACLs will be probed and copied later though */
503  ProbeForRead(OriginalDescriptor, DescriptorSize, sizeof(ULONG));
504  }
505 
506  /* Now capture all fields and convert to an absolute descriptor */
507  DescriptorCopy.Revision = OriginalDescriptor->Revision;
508  DescriptorCopy.Sbz1 = OriginalDescriptor->Sbz1;
509  DescriptorCopy.Control = OriginalDescriptor->Control & ~SE_SELF_RELATIVE;
510  DescriptorCopy.Owner = SepGetOwnerFromDescriptor(OriginalDescriptor);
511  DescriptorCopy.Group = SepGetGroupFromDescriptor(OriginalDescriptor);
512  DescriptorCopy.Sacl = SepGetSaclFromDescriptor(OriginalDescriptor);
513  DescriptorCopy.Dacl = SepGetDaclFromDescriptor(OriginalDescriptor);
514  DescriptorSize = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
515 
516  /* Determine owner and group sizes */
517  OwnerSize = DetermineSIDSize(DescriptorCopy.Owner, &OwnerSAC, CurrentMode);
518  DescriptorSize += ROUND_UP(OwnerSize, sizeof(ULONG));
519  GroupSize = DetermineSIDSize(DescriptorCopy.Group, &GroupSAC, CurrentMode);
520  DescriptorSize += ROUND_UP(GroupSize, sizeof(ULONG));
521 
522  /* Determine the size of the ACLs */
523  if (DescriptorCopy.Control & SE_SACL_PRESENT)
524  {
525  /* Get the size and probe if user mode */
526  SaclSize = DetermineACLSize(DescriptorCopy.Sacl, CurrentMode);
527  DescriptorSize += ROUND_UP(SaclSize, sizeof(ULONG));
528  }
529 
530  if (DescriptorCopy.Control & SE_DACL_PRESENT)
531  {
532  /* Get the size and probe if user mode */
533  DaclSize = DetermineACLSize(DescriptorCopy.Dacl, CurrentMode);
534  DescriptorSize += ROUND_UP(DaclSize, sizeof(ULONG));
535  }
536  }
538  {
540  }
541  _SEH2_END;
542 
543  /*
544  * Allocate enough memory to store a complete copy of a self-relative
545  * security descriptor
546  */
548  DescriptorSize,
549  TAG_SD);
551 
552  RtlZeroMemory(NewDescriptor, DescriptorSize);
553  NewDescriptor->Revision = DescriptorCopy.Revision;
554  NewDescriptor->Sbz1 = DescriptorCopy.Sbz1;
555  NewDescriptor->Control = DescriptorCopy.Control | SE_SELF_RELATIVE;
556 
557  _SEH2_TRY
558  {
559  /*
560  * Setup the offsets and copy the SIDs and ACLs to the new
561  * self-relative security descriptor. Probing the pointers is not
562  * neccessary anymore as we did that when collecting the sizes!
563  * Make sure to validate the SIDs and ACLs *again* as they could have
564  * been modified in the meanwhile!
565  */
567 
568  if (DescriptorCopy.Owner)
569  {
570  if (!RtlValidSid(DescriptorCopy.Owner)) RtlRaiseStatus(STATUS_INVALID_SID);
573  DescriptorCopy.Owner,
574  OwnerSize);
575  Offset += ROUND_UP(OwnerSize, sizeof(ULONG));
576  }
577 
578  if (DescriptorCopy.Group)
579  {
580  if (!RtlValidSid(DescriptorCopy.Group)) RtlRaiseStatus(STATUS_INVALID_SID);
583  DescriptorCopy.Group,
584  GroupSize);
585  Offset += ROUND_UP(GroupSize, sizeof(ULONG));
586  }
587 
588  if (DescriptorCopy.Sacl)
589  {
590  if (!RtlValidAcl(DescriptorCopy.Sacl)) RtlRaiseStatus(STATUS_INVALID_ACL);
593  DescriptorCopy.Sacl,
594  SaclSize);
595  Offset += ROUND_UP(SaclSize, sizeof(ULONG));
596  }
597 
598  if (DescriptorCopy.Dacl)
599  {
600  if (!RtlValidAcl(DescriptorCopy.Dacl)) RtlRaiseStatus(STATUS_INVALID_ACL);
603  DescriptorCopy.Dacl,
604  DaclSize);
605  Offset += ROUND_UP(DaclSize, sizeof(ULONG));
606  }
607 
608  /* Make sure the size was correct */
609  ASSERT(Offset == DescriptorSize);
610  }
612  {
613  /* We failed to copy the data to the new descriptor */
616  }
617  _SEH2_END;
618 
619  /*
620  * We're finally done!
621  * Copy the pointer to the captured descriptor to to the caller.
622  */
623  *CapturedSecurityDescriptor = NewDescriptor;
624  return STATUS_SUCCESS;
625 }
626 
627 /*
628  * @implemented
629  */
631 NTSTATUS
632 NTAPI
637  _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor)
638 {
639  PISECURITY_DESCRIPTOR ObjectSd;
641  PSID Owner = NULL;
642  PSID Group = NULL;
643  PACL Dacl = NULL;
644  PACL Sacl = NULL;
645  ULONG OwnerLength = 0;
646  ULONG GroupLength = 0;
647  ULONG DaclLength = 0;
648  ULONG SaclLength = 0;
650  ULONG_PTR Current;
651  ULONG SdLength;
652 
653  PAGED_CODE();
654 
656 
657  if (*ObjectsSecurityDescriptor == NULL)
658  {
659  if (*Length < sizeof(SECURITY_DESCRIPTOR_RELATIVE))
660  {
663  }
664 
668  return STATUS_SUCCESS;
669  }
670 
671  ObjectSd = *ObjectsSecurityDescriptor;
672 
673  /* Calculate the required security descriptor length */
676  {
677  Owner = SepGetOwnerFromDescriptor(ObjectSd);
678  if (Owner != NULL)
679  {
680  OwnerLength = ROUND_UP(RtlLengthSid(Owner), 4);
681  Control |= (ObjectSd->Control & SE_OWNER_DEFAULTED);
682  }
683  }
684 
686  {
687  Group = SepGetGroupFromDescriptor(ObjectSd);
688  if (Group != NULL)
689  {
691  Control |= (ObjectSd->Control & SE_GROUP_DEFAULTED);
692  }
693  }
694 
696  (ObjectSd->Control & SE_DACL_PRESENT))
697  {
698  Dacl = SepGetDaclFromDescriptor(ObjectSd);
699  if (Dacl != NULL)
700  {
701  DaclLength = ROUND_UP((ULONG)Dacl->AclSize, 4);
702  }
703 
704  Control |= (ObjectSd->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
705  }
706 
708  (ObjectSd->Control & SE_SACL_PRESENT))
709  {
710  Sacl = SepGetSaclFromDescriptor(ObjectSd);
711  if (Sacl != NULL)
712  {
713  SaclLength = ROUND_UP(Sacl->AclSize, 4);
714  }
715 
716  Control |= (ObjectSd->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT));
717  }
718 
719  SdLength = OwnerLength + GroupLength + DaclLength +
720  SaclLength + sizeof(SECURITY_DESCRIPTOR_RELATIVE);
721  if (*Length < SdLength)
722  {
723  *Length = SdLength;
725  }
726 
727  /* Build the new security descrtiptor */
730  RelSD->Control = Control;
731 
732  Current = (ULONG_PTR)(RelSD + 1);
733 
734  if (OwnerLength != 0)
735  {
736  RtlCopyMemory((PVOID)Current,
737  Owner,
738  OwnerLength);
739  RelSD->Owner = (ULONG)(Current - (ULONG_PTR)SecurityDescriptor);
740  Current += OwnerLength;
741  }
742 
743  if (GroupLength != 0)
744  {
745  RtlCopyMemory((PVOID)Current,
746  Group,
747  GroupLength);
748  RelSD->Group = (ULONG)(Current - (ULONG_PTR)SecurityDescriptor);
749  Current += GroupLength;
750  }
751 
752  if (DaclLength != 0)
753  {
754  RtlCopyMemory((PVOID)Current,
755  Dacl,
756  DaclLength);
757  RelSD->Dacl = (ULONG)(Current - (ULONG_PTR)SecurityDescriptor);
758  Current += DaclLength;
759  }
760 
761  if (SaclLength != 0)
762  {
763  RtlCopyMemory((PVOID)Current,
764  Sacl,
765  SaclLength);
766  RelSD->Sacl = (ULONG)(Current - (ULONG_PTR)SecurityDescriptor);
767  Current += SaclLength;
768  }
769 
770  *Length = SdLength;
771 
772  return STATUS_SUCCESS;
773 }
774 
775 /*
776  * @implemented
777  */
778 NTSTATUS
779 NTAPI
781  IN KPROCESSOR_MODE CurrentMode,
782  IN BOOLEAN CaptureIfKernelMode)
783 {
784  PAGED_CODE();
785 
786  /*
787  * WARNING! You need to call this function with the same value for CurrentMode
788  * and CaptureIfKernelMode that you previously passed to
789  * SeCaptureSecurityDescriptor() in order to avoid memory leaks!
790  */
791  if (CapturedSecurityDescriptor != NULL &&
792  (CurrentMode != KernelMode ||
793  (CurrentMode == KernelMode && CaptureIfKernelMode)))
794  {
795  /* Only delete the descriptor when SeCaptureSecurityDescriptor() allocated one! */
796  ExFreePoolWithTag(CapturedSecurityDescriptor, TAG_SD);
797  }
798 
799  return STATUS_SUCCESS;
800 }
801 
802 /*
803  * @implemented
804  */
806 NTSTATUS
807 NTAPI
812  _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
815 {
816  PAGED_CODE();
817 
821  ObjectsSecurityDescriptor,
822  0,
823  PoolType,
825 }
826 
827 /*
828  * @implemented
829  */
831 NTSTATUS
832 NTAPI
835  _In_ PSECURITY_INFORMATION _SecurityInformation,
836  _In_ PSECURITY_DESCRIPTOR _SecurityDescriptor,
837  _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
838  _In_ ULONG AutoInheritFlags,
841 {
844  PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
845  PSID Owner;
846  PSID Group;
847  PACL Dacl;
848  PACL Sacl;
849  ULONG OwnerLength;
851  ULONG DaclLength;
852  ULONG SaclLength;
854  ULONG Current;
856 
857  PAGED_CODE();
858 
859  ObjectSd = *ObjectsSecurityDescriptor;
860 
861  /* The object does not have a security descriptor. */
862  if (!ObjectSd)
864 
865  ASSERT(ObjectSd->Control & SE_SELF_RELATIVE);
866 
867  SecurityInformation = *_SecurityInformation;
868 
869  /* Get owner and owner size */
871  {
874  }
875  else
876  {
877  Owner = SepGetOwnerFromDescriptor(ObjectSd);
878  Control |= (ObjectSd->Control & SE_OWNER_DEFAULTED);
879  }
880  OwnerLength = Owner ? RtlLengthSid(Owner) : 0;
881  ASSERT(OwnerLength % sizeof(ULONG) == 0);
882 
883  /* Get group and group size */
885  {
888  }
889  else
890  {
891  Group = SepGetGroupFromDescriptor(ObjectSd);
892  Control |= (ObjectSd->Control & SE_GROUP_DEFAULTED);
893  }
895  ASSERT(GroupLength % sizeof(ULONG) == 0);
896 
897  /* Get DACL and DACL size */
899  {
902  }
903  else
904  {
905  Dacl = SepGetDaclFromDescriptor(ObjectSd);
906  Control |= (ObjectSd->Control & (SE_DACL_DEFAULTED | SE_DACL_PRESENT));
907  }
908  DaclLength = Dacl ? ROUND_UP((ULONG)Dacl->AclSize, 4) : 0;
909 
910  /* Get SACL and SACL size */
912  {
915  }
916  else
917  {
918  Sacl = SepGetSaclFromDescriptor(ObjectSd);
919  Control |= (ObjectSd->Control & (SE_SACL_DEFAULTED | SE_SACL_PRESENT));
920  }
921  SaclLength = Sacl ? ROUND_UP((ULONG)Sacl->AclSize, 4) : 0;
922 
925  OwnerLength + GroupLength +
926  DaclLength + SaclLength,
927  TAG_SD);
928  if (NewSd == NULL)
929  {
931  }
932 
934 
935  Current = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
936 
937  if (OwnerLength != 0)
938  {
939  RtlCopyMemory((PUCHAR)NewSd + Current, Owner, OwnerLength);
940  NewSd->Owner = Current;
941  Current += OwnerLength;
942  }
943 
944  if (GroupLength != 0)
945  {
946  RtlCopyMemory((PUCHAR)NewSd + Current, Group, GroupLength);
947  NewSd->Group = Current;
948  Current += GroupLength;
949  }
950 
951  if (DaclLength != 0)
952  {
953  RtlCopyMemory((PUCHAR)NewSd + Current, Dacl, DaclLength);
954  NewSd->Dacl = Current;
955  Current += DaclLength;
956  }
957 
958  if (SaclLength != 0)
959  {
960  RtlCopyMemory((PUCHAR)NewSd + Current, Sacl, SaclLength);
961  NewSd->Sacl = Current;
962  Current += SaclLength;
963  }
964 
965  *ObjectsSecurityDescriptor = NewSd;
966  return STATUS_SUCCESS;
967 }
968 
969 
970 /*
971  * @implemented
972  */
975  IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
976 {
977  ULONG SdLength;
978  PISID Sid;
979  PACL Acl;
981 
983  {
984  DPRINT1("Invalid Security Descriptor revision\n");
985  return FALSE;
986  }
987 
989  {
990  DPRINT1("Invalid Security Descriptor revision\n");
991  return FALSE;
992  }
993 
994  if (!(SecurityDescriptor->Control & SE_SELF_RELATIVE))
995  {
996  DPRINT1("No self-relative Security Descriptor\n");
997  return FALSE;
998  }
999 
1000  SdLength = sizeof(SECURITY_DESCRIPTOR);
1001 
1002  /* Check Owner SID */
1003  if (!SecurityDescriptor->Owner)
1004  {
1005  DPRINT1("No Owner SID\n");
1006  return FALSE;
1007  }
1008 
1009  if (SecurityDescriptor->Owner % sizeof(ULONG))
1010  {
1011  DPRINT1("Invalid Owner SID alignment\n");
1012  return FALSE;
1013  }
1014 
1016  if (Sid->Revision != SID_REVISION)
1017  {
1018  DPRINT1("Invalid Owner SID revision\n");
1019  return FALSE;
1020  }
1021 
1022  SdLength += (sizeof(SID) + (Sid->SubAuthorityCount - 1) * sizeof(ULONG));
1023  if (Length < SdLength)
1024  {
1025  DPRINT1("Invalid Owner SID size\n");
1026  return FALSE;
1027  }
1028 
1029  /* Check Group SID */
1030  if (SecurityDescriptor->Group)
1031  {
1032  if (SecurityDescriptor->Group % sizeof(ULONG))
1033  {
1034  DPRINT1("Invalid Group SID alignment\n");
1035  return FALSE;
1036  }
1037 
1039  if (Sid->Revision != SID_REVISION)
1040  {
1041  DPRINT1("Invalid Group SID revision\n");
1042  return FALSE;
1043  }
1044 
1045  SdLength += (sizeof(SID) + (Sid->SubAuthorityCount - 1) * sizeof(ULONG));
1046  if (Length < SdLength)
1047  {
1048  DPRINT1("Invalid Group SID size\n");
1049  return FALSE;
1050  }
1051  }
1052 
1053  /* Check DACL */
1054  if (SecurityDescriptor->Dacl)
1055  {
1056  if (SecurityDescriptor->Dacl % sizeof(ULONG))
1057  {
1058  DPRINT1("Invalid DACL alignment\n");
1059  return FALSE;
1060  }
1061 
1063  if ((Acl->AclRevision < MIN_ACL_REVISION) ||
1064  (Acl->AclRevision > MAX_ACL_REVISION))
1065  {
1066  DPRINT1("Invalid DACL revision\n");
1067  return FALSE;
1068  }
1069 
1070  SdLength += Acl->AclSize;
1071  if (Length < SdLength)
1072  {
1073  DPRINT1("Invalid DACL size\n");
1074  return FALSE;
1075  }
1076  }
1077 
1078  /* Check SACL */
1079  if (SecurityDescriptor->Sacl)
1080  {
1081  if (SecurityDescriptor->Sacl % sizeof(ULONG))
1082  {
1083  DPRINT1("Invalid SACL alignment\n");
1084  return FALSE;
1085  }
1086 
1088  if ((Acl->AclRevision < MIN_ACL_REVISION) ||
1089  (Acl->AclRevision > MAX_ACL_REVISION))
1090  {
1091  DPRINT1("Invalid SACL revision\n");
1092  return FALSE;
1093  }
1094 
1095  SdLength += Acl->AclSize;
1096  if (Length < SdLength)
1097  {
1098  DPRINT1("Invalid SACL size\n");
1099  return FALSE;
1100  }
1101  }
1102 
1103  return TRUE;
1104 }
1105 
1106 /*
1107  * @implemented
1108  */
1110 NTSTATUS
1111 NTAPI
1112 SeDeassignSecurity(
1114 {
1115  PAGED_CODE();
1116 
1117  if (*SecurityDescriptor != NULL)
1118  {
1121  }
1122 
1123  return STATUS_SUCCESS;
1124 }
1125 
1126 /*
1127  * @implemented
1128  */
1130 NTSTATUS
1131 NTAPI
1133  _In_opt_ PSECURITY_DESCRIPTOR _ParentDescriptor,
1134  _In_opt_ PSECURITY_DESCRIPTOR _ExplicitDescriptor,
1138  _In_ ULONG AutoInheritFlags,
1142 {
1143  PISECURITY_DESCRIPTOR ParentDescriptor = _ParentDescriptor;
1144  PISECURITY_DESCRIPTOR ExplicitDescriptor = _ExplicitDescriptor;
1146  PTOKEN Token;
1147  ULONG OwnerLength;
1149  ULONG DaclLength;
1150  ULONG SaclLength;
1151  ULONG Length;
1153  ULONG Current;
1154  PSID Owner = NULL;
1155  PSID Group = NULL;
1156  PACL ExplicitAcl;
1157  BOOLEAN ExplicitPresent;
1158  BOOLEAN ExplicitDefaulted;
1159  PACL ParentAcl;
1160  PACL Dacl = NULL;
1161  PACL Sacl = NULL;
1162  BOOLEAN DaclIsInherited;
1163  BOOLEAN SaclIsInherited;
1166  NTSTATUS Status;
1167 
1169  DBG_UNREFERENCED_PARAMETER(AutoInheritFlags);
1171 
1172  PAGED_CODE();
1173 
1174  *NewDescriptor = NULL;
1175 
1177  {
1178  return STATUS_NO_TOKEN;
1179  }
1180 
1181  /* Lock subject context */
1183 
1184  if (SubjectContext->ClientToken != NULL)
1185  {
1186  Token = SubjectContext->ClientToken;
1187  }
1188  else
1189  {
1190  Token = SubjectContext->PrimaryToken;
1191  }
1192 
1193  /* Inherit the Owner SID */
1194  if (ExplicitDescriptor != NULL)
1195  {
1196  DPRINT("Use explicit owner sid!\n");
1198  }
1199  if (!Owner)
1200  {
1201  if (AutoInheritFlags & 0x20 /* FIXME: SEF_DEFAULT_OWNER_FROM_PARENT */)
1202  {
1203  DPRINT("Use parent owner sid!\n");
1204  if (!ARGUMENT_PRESENT(ParentDescriptor))
1205  {
1207  return STATUS_INVALID_OWNER;
1208  }
1209 
1210  Owner = SepGetOwnerFromDescriptor(ParentDescriptor);
1211  if (!Owner)
1212  {
1214  return STATUS_INVALID_OWNER;
1215  }
1216  }
1217  else
1218  {
1219  DPRINT("Use token owner sid!\n");
1220  Owner = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
1221  }
1222  }
1223  OwnerLength = RtlLengthSid(Owner);
1224  ASSERT(OwnerLength % sizeof(ULONG) == 0);
1225 
1226  /* Inherit the Group SID */
1227  if (ExplicitDescriptor != NULL)
1228  {
1230  }
1231  if (!Group)
1232  {
1233  if (AutoInheritFlags & 0x40 /* FIXME: SEF_DEFAULT_GROUP_FROM_PARENT */)
1234  {
1235  DPRINT("Use parent group sid!\n");
1236  if (!ARGUMENT_PRESENT(ParentDescriptor))
1237  {
1240  }
1241 
1242  Group = SepGetGroupFromDescriptor(ParentDescriptor);
1243  if (!Group)
1244  {
1247  }
1248  }
1249  else
1250  {
1251  DPRINT("Use token group sid!\n");
1252  Group = Token->PrimaryGroup;
1253  }
1254  }
1255  if (!Group)
1256  {
1259  }
1261  ASSERT(GroupLength % sizeof(ULONG) == 0);
1262 
1263  /* Inherit the DACL */
1264  DaclLength = 0;
1265  ExplicitAcl = NULL;
1266  ExplicitPresent = FALSE;
1267  ExplicitDefaulted = FALSE;
1268  if (ExplicitDescriptor != NULL &&
1270  {
1272  ExplicitPresent = TRUE;
1274  ExplicitDefaulted = TRUE;
1275  }
1276  ParentAcl = NULL;
1277  if (ParentDescriptor != NULL &&
1278  (ParentDescriptor->Control & SE_DACL_PRESENT))
1279  {
1280  ParentAcl = SepGetDaclFromDescriptor(ParentDescriptor);
1281  }
1282  Dacl = SepSelectAcl(ExplicitAcl,
1283  ExplicitPresent,
1284  ExplicitDefaulted,
1285  ParentAcl,
1286  Token->DefaultDacl,
1287  &DaclLength,
1288  Owner,
1289  Group,
1290  &DaclPresent,
1291  &DaclIsInherited,
1293  GenericMapping);
1294  if (DaclPresent)
1296  ASSERT(DaclLength % sizeof(ULONG) == 0);
1297 
1298  /* Inherit the SACL */
1299  SaclLength = 0;
1300  ExplicitAcl = NULL;
1301  ExplicitPresent = FALSE;
1302  ExplicitDefaulted = FALSE;
1303  if (ExplicitDescriptor != NULL &&
1305  {
1307  ExplicitPresent = TRUE;
1309  ExplicitDefaulted = TRUE;
1310  }
1311  ParentAcl = NULL;
1312  if (ParentDescriptor != NULL &&
1313  (ParentDescriptor->Control & SE_SACL_PRESENT))
1314  {
1315  ParentAcl = SepGetSaclFromDescriptor(ParentDescriptor);
1316  }
1317  Sacl = SepSelectAcl(ExplicitAcl,
1318  ExplicitPresent,
1319  ExplicitDefaulted,
1320  ParentAcl,
1321  NULL,
1322  &SaclLength,
1323  Owner,
1324  Group,
1325  &SaclPresent,
1326  &SaclIsInherited,
1328  GenericMapping);
1329  if (SaclPresent)
1331  ASSERT(SaclLength % sizeof(ULONG) == 0);
1332 
1333  /* Allocate and initialize the new security descriptor */
1335  OwnerLength + GroupLength + DaclLength + SaclLength;
1336 
1337  DPRINT("L: sizeof(SECURITY_DESCRIPTOR) %u OwnerLength %lu GroupLength %lu DaclLength %lu SaclLength %lu\n",
1338  sizeof(SECURITY_DESCRIPTOR),
1339  OwnerLength,
1340  GroupLength,
1341  DaclLength,
1342  SaclLength);
1343 
1345  if (Descriptor == NULL)
1346  {
1347  DPRINT1("ExAlloctePool() failed\n");
1350  }
1351 
1354 
1355  Descriptor->Control = Control | SE_SELF_RELATIVE;
1356 
1357  Current = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
1358 
1359  if (SaclLength != 0)
1360  {
1361  Status = SepPropagateAcl((PACL)((PUCHAR)Descriptor + Current),
1362  &SaclLength,
1363  Sacl,
1364  Owner,
1365  Group,
1366  SaclIsInherited,
1368  GenericMapping);
1370  Descriptor->Sacl = Current;
1371  Current += SaclLength;
1372  }
1373 
1374  if (DaclLength != 0)
1375  {
1376  Status = SepPropagateAcl((PACL)((PUCHAR)Descriptor + Current),
1377  &DaclLength,
1378  Dacl,
1379  Owner,
1380  Group,
1381  DaclIsInherited,
1383  GenericMapping);
1385  Descriptor->Dacl = Current;
1386  Current += DaclLength;
1387  }
1388 
1389  if (OwnerLength != 0)
1390  {
1391  RtlCopyMemory((PUCHAR)Descriptor + Current, Owner, OwnerLength);
1392  Descriptor->Owner = Current;
1393  Current += OwnerLength;
1394  DPRINT("Owner of %p at %x\n", Descriptor, Descriptor->Owner);
1395  }
1396  else
1397  {
1398  DPRINT("Owner of %p is zero length\n", Descriptor);
1399  }
1400 
1401  if (GroupLength != 0)
1402  {
1404  Descriptor->Group = Current;
1405  }
1406 
1407  /* Unlock subject context */
1409 
1411 
1412  DPRINT("Descriptor %p\n", Descriptor);
1414 
1415  return STATUS_SUCCESS;
1416 }
1417 
1418 /*
1419  * @implemented
1420  */
1422 NTSTATUS
1423 NTAPI
1424 SeAssignSecurity(
1425  _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor,
1432 {
1433  PAGED_CODE();
1434 
1435  return SeAssignSecurityEx(ParentDescriptor,
1437  NewDescriptor,
1438  NULL,
1440  0,
1443  PoolType);
1444 }
1445 
1446 /*
1447  * @implemented
1448  */
1450 NTSTATUS
1451 NTAPI
1454  _Out_ PULONG QuotaInfoSize)
1455 {
1456  PSID Group;
1457  PACL Dacl;
1458 
1459  PAGED_CODE();
1460 
1461  *QuotaInfoSize = 0;
1462 
1463  /* Validate security descriptor revision */
1465  {
1466  return STATUS_UNKNOWN_REVISION;
1467  }
1468 
1469  /* Get group and DACL, if any */
1472 
1473  /* Return SID length if any */
1474  if (Group != NULL)
1475  {
1476  *QuotaInfoSize = ALIGN_UP_BY(RtlLengthSid(Group), sizeof(ULONG));
1477  }
1478 
1479  /* Return DACL if any */
1480  if (Dacl != NULL)
1481  {
1482  *QuotaInfoSize += ALIGN_UP_BY(Dacl->AclSize, sizeof(ULONG));
1483  }
1484 
1485  return STATUS_SUCCESS;
1486 }
1487 
1488 /* EOF */
NTSTATUS NTAPI SeSetWorldSecurityDescriptor(SECURITY_INFORMATION SecurityInformation, PISECURITY_DESCRIPTOR SecurityDescriptor, PULONG BufferLength)
Definition: sd.c:129
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:35
NTKERNELAPI NTSTATUS NTAPI SeAssignSecurityEx(_In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, _In_opt_ PSECURITY_DESCRIPTOR ExplicitDescriptor, _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, _In_opt_ GUID *ObjectType, _In_ BOOLEAN IsDirectoryObject, _In_ ULONG AutoInheritFlags, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PGENERIC_MAPPING GenericMapping, _In_ POOL_TYPE PoolType)
ObjectType
Definition: metafile.c:80
#define IN
Definition: typedefs.h:39
#define SE_SACL_PRESENT
Definition: setypes.h:769
DECLSPEC_NORETURN NTSYSAPI VOID NTAPI RtlRaiseStatus(_In_ NTSTATUS Status)
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ ULONG BufferLength
Definition: wdfdevice.h:3767
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
#define GENERIC_ALL
Definition: nt_native.h:92
NTKERNELAPI NTSTATUS NTAPI SeSetSecurityDescriptorInfo(_In_opt_ PVOID Object, _In_ PSECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, _In_ POOL_TYPE PoolType, _In_ PGENERIC_MAPPING GenericMapping)
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
_In_ ULONG _In_ ULONG _In_ ULONG Length
Definition: ntddpcm.h:101
_Must_inspect_result_ _In_ WDFIORESLIST _In_ PIO_RESOURCE_DESCRIPTOR Descriptor
Definition: wdfresource.h:339
#define SE_SELF_RELATIVE
Definition: setypes.h:780
#define ROUND_UP(n, align)
Definition: eventvwr.h:31
_In_opt_ PSECURITY_DESCRIPTOR ExplicitDescriptor
Definition: sefuncs.h:29
VOID NTAPI SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:336
PACL SePublicDefaultUnrestrictedDacl
Definition: acl.c:20
#define ProbeForReadUchar(Ptr)
Definition: probe.h:61
#define SECURITY_DESCRIPTOR_MIN_LENGTH
Definition: setypes.h:761
NTSTATUS NTAPI SeComputeQuotaInformationSize(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PULONG QuotaInfoSize)
NTSTATUS NTAPI SepCaptureSecurityQualityOfService(IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN KPROCESSOR_MODE AccessMode, IN POOL_TYPE PoolType, IN BOOLEAN CaptureIfKernel, OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService, OUT PBOOLEAN Present)
Definition: sd.c:221
struct _SID SID
#define MAX_ACL_REVISION
Definition: setypes.h:47
#define TRUE
Definition: types.h:120
#define UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:317
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
USHORT AclSize
Definition: ms-dtyp.idl:296
#define DBG_UNREFERENCED_PARAMETER(P)
Definition: ntbasedef.h:318
PSECURITY_DESCRIPTOR SePublicDefaultSd
Definition: sd.c:18
PACL SeSystemDefaultDacl
Definition: acl.c:19
PSECURITY_DESCRIPTOR SeUnrestrictedSd
Definition: sd.c:23
_In_opt_ PSECURITY_DESCRIPTOR _Out_ PSECURITY_DESCRIPTOR _In_ BOOLEAN IsDirectoryObject
Definition: sefuncs.h:29
_In_opt_ PSID Group
Definition: rtlfuncs.h:1605
unsigned char * PUCHAR
Definition: retypes.h:3
#define SID_REVISION
Definition: setypes.h:453
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:314
NTSTATUS SepPropagateAcl(_Out_writes_bytes_opt_(DaclLength) PACL AclDest, _Inout_ PULONG AclLength, _In_reads_bytes_(AclSource->AclSize) PACL AclSource, _In_ PSID Owner, _In_ PSID Group, _In_ BOOLEAN IsInherited, _In_ BOOLEAN IsDirectoryObject, _In_ PGENERIC_MAPPING GenericMapping)
IN PVOID IN PVOID IN USHORT IN USHORT Size
Definition: pci.h:361
NTSTATUS NTAPI RtlCreateSecurityDescriptor(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN ULONG Revision)
Definition: sd.c:117
NTSTATUS NTAPI RtlCreateSecurityDescriptorRelative(IN PISECURITY_DESCRIPTOR_RELATIVE SecurityDescriptor, IN ULONG Revision)
Definition: sd.c:139
struct _SECURITY_QUALITY_OF_SERVICE * PSECURITY_QUALITY_OF_SERVICE
#define GROUP_SECURITY_INFORMATION
Definition: setypes.h:124
#define SE_DACL_PRESENT
Definition: setypes.h:767
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
PSECURITY_DESCRIPTOR SePublicOpenSd
Definition: sd.c:20
_In_opt_ PSECURITY_DESCRIPTOR _Out_ PSECURITY_DESCRIPTOR * NewDescriptor
Definition: sefuncs.h:29
_In_ ULONG Revision
Definition: rtlfuncs.h:1103
BOOLEAN NTAPI SepInitSDs(VOID)
Definition: sd.c:31
_In_ BOOLEAN DaclPresent
Definition: rtlfuncs.h:1594
#define _In_opt_
Definition: no_sal2.h:212
VOID NTAPI SepReleaseSecurityQualityOfService(IN PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService OPTIONAL, IN KPROCESSOR_MODE AccessMode, IN BOOLEAN CaptureIfKernel)
Definition: sd.c:377
static ULONG DetermineACLSize(PACL Acl, KPROCESSOR_MODE ProcessorMode)
Definition: sd.c:425
#define SE_OWNER_DEFAULTED
Definition: setypes.h:765
NTSTATUS NTAPI SeReleaseSecurityDescriptor(IN PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, IN KPROCESSOR_MODE CurrentMode, IN BOOLEAN CaptureIfKernelMode)
Definition: sd.c:780
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
_SEH2_TRY
Definition: create.c:4226
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSTATUS NTAPI RtlSetDaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN DaclPresent, IN PACL Dacl, IN BOOLEAN DaclDefaulted)
Definition: sd.c:303
uint32_t ULONG_PTR
Definition: typedefs.h:65
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define _Out_writes_bytes_(s)
Definition: no_sal2.h:178
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
#define FALSE
Definition: types.h:117
DWORD SECURITY_INFORMATION
Definition: ms-dtyp.idl:311
PACL SePublicOpenDacl
Definition: acl.c:21
WORD SECURITY_DESCRIPTOR_CONTROL
Definition: lsa.idl:37
struct _SID * PISID
FORCEINLINE PACL SepGetSaclFromDescriptor(PVOID _Descriptor)
Definition: se.h:88
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:395
NTSYSAPI BOOLEAN NTAPI RtlValidAcl(PACL Acl)
_Out_ PBOOLEAN SaclPresent
Definition: rtlfuncs.h:2415
struct _SECURITY_DESCRIPTOR_RELATIVE * PISECURITY_DESCRIPTOR_RELATIVE
unsigned char BOOLEAN
_In_ WDF_WMI_PROVIDER_CONTROL Control
Definition: wdfwmi.h:166
struct _ACL ACL
#define _Out_
Definition: no_sal2.h:160
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1339
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG SaclSize
Definition: rtlfuncs.h:1554
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
#define STATUS_INVALID_SID
Definition: ntstatus.h:356
CODE_SEG("INIT")
Definition: Interface.c:1810
#define TAG_SD
Definition: tag.h:176
NTSYSAPI BOOLEAN NTAPI RtlValidSid(IN PSID Sid)
Definition: sid.c:21
#define SE_DACL_DEFAULTED
Definition: setypes.h:768
PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd
Definition: sd.c:21
struct _ACL * PACL
Definition: security.c:104
Status
Definition: gdiplustypes.h:24
FORCEINLINE PSID SepGetOwnerFromDescriptor(PVOID _Descriptor)
Definition: se.h:48
#define STATUS_INVALID_PRIMARY_GROUP
Definition: ntstatus.h:327
_IRQL_requires_max_(PASSIVE_LEVEL)
Definition: sd.c:630
#define ASSERT(a)
Definition: mode.c:45
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
DWORD * PSECURITY_INFORMATION
Definition: ms-dtyp.idl:311
INT POOL_TYPE
Definition: typedefs.h:78
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
#define ARGUMENT_PRESENT(ArgumentPointer)
#define MIN_ACL_REVISION
Definition: setypes.h:46
#define SACL_SECURITY_INFORMATION
Definition: setypes.h:126
#define STATUS_ACCESS_DENIED
Definition: udferr_usr.h:145
#define _Inout_
Definition: no_sal2.h:162
#define STATUS_NO_SECURITY_ON_OBJECT
Definition: ntstatus.h:451
#define STATUS_NO_TOKEN
Definition: ntstatus.h:360
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
struct _SID * PSID
Definition: eventlog.c:35
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
char * PBOOLEAN
Definition: retypes.h:11
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
struct _SECURITY_DESCRIPTOR_RELATIVE SECURITY_DESCRIPTOR_RELATIVE
#define PASSIVE_LEVEL
Definition: env_spec_w32.h:693
struct _SECURITY_DESCRIPTOR SECURITY_DESCRIPTOR
PSID SeWorldSid
Definition: sid.c:27
#define SE_GROUP_DEFAULTED
Definition: setypes.h:766
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
FORCEINLINE PSID SepGetGroupFromDescriptor(PVOID _Descriptor)
Definition: se.h:29
_In_ ULONG _In_ ULONG Offset
Definition: ntddpcm.h:101
#define _In_
Definition: no_sal2.h:158
PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd
Definition: sd.c:19
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
NTKERNELAPI NTSTATUS NTAPI SeSetSecurityDescriptorInfoEx(_In_opt_ PVOID Object, _In_ PSECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR ModificationDescriptor, _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, _In_ ULONG AutoInheritFlags, _In_ POOL_TYPE PoolType, _In_ PGENERIC_MAPPING GenericMapping)
UCHAR AclRevision
Definition: ms-dtyp.idl:294
FORCEINLINE PACL SepGetDaclFromDescriptor(PVOID _Descriptor)
Definition: se.h:67
_SEH2_END
Definition: create.c:4400
SECURITY_DESCRIPTOR_CONTROL Control
Definition: setypes.h:785
PACL SePublicDefaultDacl
Definition: acl.c:18
#define STATUS_INVALID_ACL
Definition: ntstatus.h:355
BOOLEAN NTAPI SeValidSecurityDescriptor(IN ULONG Length, IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
Definition: sd.c:974
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID _Inout_ PULONG OwnerSize
Definition: rtlfuncs.h:1556
BYTE SubAuthorityCount
Definition: ms-dtyp.idl:200
#define OWNER_SECURITY_INFORMATION
Definition: setypes.h:123
unsigned int * PULONG
Definition: retypes.h:1
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
Definition: rtlfuncs.h:1556
#define NULL
Definition: types.h:112
#define STATUS_INVALID_OWNER
Definition: ntstatus.h:326
#define DPRINT1
Definition: precomp.h:8
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1552
#define ACL_REVISION
Definition: setypes.h:39
#define OUT
Definition: typedefs.h:40
PACL SeUnrestrictedDacl
Definition: acl.c:23
PACL SePublicOpenUnrestrictedDacl
Definition: acl.c:22
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ _Strict_type_match_ POOL_TYPE PoolType
Definition: wdfdevice.h:3810
unsigned int ULONG
Definition: retypes.h:1
#define ProbeForReadUshort(Ptr)
Definition: probe.h:63
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
#define ULONG_PTR
Definition: config.h:101
#define ALIGN_UP_BY(size, align)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL Sacl
Definition: rtlfuncs.h:1554
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
NTKERNELAPI NTSTATUS NTAPI SeQuerySecurityDescriptorInfo(_In_ PSECURITY_INFORMATION SecurityInformation, _Out_writes_bytes_(*Length) PSECURITY_DESCRIPTOR SecurityDescriptor, _Inout_ PULONG Length, _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor)
PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd
Definition: sd.c:24
#define TAG_QOS
Definition: tag.h:177
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
BYTE Revision
Definition: ms-dtyp.idl:199
NTSTATUS NTAPI SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, IN KPROCESSOR_MODE CurrentMode, IN POOL_TYPE PoolType, IN BOOLEAN CaptureIfKernel, OUT PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Definition: sd.c:444
_In_ ULONG _In_ CONST SOCKADDR _In_ int GroupLength
Definition: ws2tcpip.h:710
#define STATUS_SUCCESS
Definition: shellext.h:65
PSECURITY_DESCRIPTOR SeSystemDefaultSd
Definition: sd.c:22
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
#define DPRINT
Definition: sndvol32.h:71
#define SE_SACL_DEFAULTED
Definition: setypes.h:770
#define SECURITY_DESCRIPTOR_REVISION1
Definition: setypes.h:59
ULONG NTAPI RtlLengthSecurityDescriptor(IN PSECURITY_DESCRIPTOR SecurityDescriptor)
Definition: sd.c:161
PACL SeSystemAnonymousLogonDacl
Definition: acl.c:24
Definition: rtltypes.h:990
#define STATUS_UNKNOWN_REVISION
Definition: ntstatus.h:324
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125
NTSYSAPI ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54
#define PAGED_CODE()
static ULONG DetermineSIDSize(PISID Sid, PULONG OutSAC, KPROCESSOR_MODE ProcessorMode)
Definition: sd.c:394
PACL SepSelectAcl(_In_opt_ PACL ExplicitAcl, _In_ BOOLEAN ExplicitPresent, _In_ BOOLEAN ExplicitDefaulted, _In_opt_ PACL ParentAcl, _In_opt_ PACL DefaultAcl, _Out_ PULONG AclLength, _In_ PSID Owner, _In_ PSID Group, _Out_ PBOOLEAN AclPresent, _Out_ PBOOLEAN IsInherited, _In_ BOOLEAN IsDirectoryObject, _In_ PGENERIC_MAPPING GenericMapping)
Definition: acl.c:613
PULONG MinorVersion OPTIONAL
Definition: CrossNt.h:68