#include <ntoskrnl.h>#include <debug.h>
Include dependency graph for client.c:
Go to the source code of this file.
Macros | |
| #define | NDEBUG |
Macro Definition Documentation
◆ NDEBUG
Function Documentation
◆ SeCreateClientSecurity()
| NTSTATUS NTAPI SeCreateClientSecurity | ( | _In_ PETHREAD | Thread, |
| _In_ PSECURITY_QUALITY_OF_SERVICE | Qos, | ||
| _In_ BOOLEAN | RemoteClient, | ||
| _Out_ PSECURITY_CLIENT_CONTEXT | ClientContext | ||
| ) |
Creates a client security context.
- Parameters
-
[in] Thread Thread object of the client where impersonation has to begin. [in] Qos Quality of service to specify what kind of impersonation to be done. [in] RemoteClient If set to TRUE, the client that we're going to impersonate is remote. [out] ClientContext The returned security client context.
- Returns
- See SepCreateClientSecurity.
Definition at line 162 of file client.c.
167{
169 BOOLEAN ThreadEffectiveOnly;
173 PAGED_CODE();
174
175 /* Reference the correct token */
177 &TokenType,
178 &ThreadEffectiveOnly,
179 &ImpersonationLevel);
180
181 /* Create client security from it */
183 Qos,
184 RemoteClient,
185 TokenType,
186 ThreadEffectiveOnly,
187 ImpersonationLevel,
188 ClientContext);
189
190 /* Check if we failed or static tracking was used */
192 {
193 /* Dereference our copy since it's not being used */
195 }
196
197 /* Return status */
199}
Definition: tokenizer.hpp:28
Definition: nsiface.idl:2307
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:411
NTSTATUS NTAPI SepCreateClientSecurity(_In_ PACCESS_TOKEN Token, _In_ PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, _In_ BOOLEAN ServerIsRemote, _In_ TOKEN_TYPE TokenType, _In_ BOOLEAN ThreadEffectiveOnly, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _Out_ PSECURITY_CLIENT_CONTEXT ClientContext)
Creates a client security context based upon an access token.
Definition: client.c:53
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken(IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:802
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:157
◆ SeCreateClientSecurityFromSubjectContext()
| NTSTATUS NTAPI SeCreateClientSecurityFromSubjectContext | ( | _In_ PSECURITY_SUBJECT_CONTEXT | SubjectContext, |
| _In_ PSECURITY_QUALITY_OF_SERVICE | ClientSecurityQos, | ||
| _In_ BOOLEAN | ServerIsRemote, | ||
| _Out_ PSECURITY_CLIENT_CONTEXT | ClientContext | ||
| ) |
Creates a client security context based upon the captured security subject context.
- Parameters
-
[in] SubjectContext The captured subject context where client security is to be created from. [in] ClientSecurityQos Quality of service to specify what kind of impersonation to be done. [in] ServerIsRemote If set to TRUE, the client that we're going to impersonate is remote. [out] ClientContext The returned security client context.
- Returns
- See SepCreateClientSecurity.
Definition at line 224 of file client.c.
229{
232 PAGED_CODE();
233
234 /* Get the right token and reference it */
237
238 /* Create the context */
240 ClientSecurityQos,
241 ServerIsRemote,
242 SubjectContext->ClientToken ?
244 FALSE,
245 SubjectContext->ImpersonationLevel,
246 ClientContext);
247
248 /* Check if we failed or static tracking was used */
250 (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
251 {
252 /* Dereference our copy since it's not being used */
254 }
255
256 /* Return status */
258}
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2246
#define SeQuerySubjectContextToken(SubjectContext)
Definition: sefuncs.h:583
Referenced by nfs41_get_sec_ctx(), nfs41_GetLUID(), and nfs41_UpcallCreate().
◆ SeImpersonateClient()
| VOID NTAPI SeImpersonateClient | ( | _In_ PSECURITY_CLIENT_CONTEXT | ClientContext, |
| _In_opt_ PETHREAD | ServerThread | ||
| ) |
Impersonates a client user.
- Parameters
-
[in] ClientContext A valid client context. [in] ServerThread The thread where impersonation is to be done.
- Returns
- Nothing.
Definition at line 321 of file client.c.
324{
325 PAGED_CODE();
326
327 /* Call the new API */
329}
NTSTATUS NTAPI SeImpersonateClientEx(_In_ PSECURITY_CLIENT_CONTEXT ClientContext, _In_opt_ PETHREAD ServerThread)
Extended function that impersonates a client.
Definition: client.c:276
◆ SeImpersonateClientEx()
| NTSTATUS NTAPI SeImpersonateClientEx | ( | _In_ PSECURITY_CLIENT_CONTEXT | ClientContext, |
| _In_opt_ PETHREAD | ServerThread | ||
| ) |
Extended function that impersonates a client.
- Parameters
-
[in] ClientContext A valid client context. [in] ServerThread The thread where impersonation is to be done.
- Returns
- STATUS_SUCCESS is returned if the calling thread successfully impersonates the client. A failure NTSTATUS code is returned otherwise.
Definition at line 276 of file client.c.
279{
281 PAGED_CODE();
282
283 /* Check if direct access is requested */
285 {
286 /* No, so get the flag from QOS */
288 }
289 else
290 {
291 /* Yes, so see if direct access should be effective only */
293 }
294
295 /* Use the current thread if one was not passed */
297
298 /* Call the lower layer routine */
300 ClientContext->ClientToken,
301 TRUE,
302 EffectiveOnly,
303 ClientContext->SecurityQos.ImpersonationLevel);
304}
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:410
NTSTATUS NTAPI PsImpersonateClient(IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:610
Referenced by CmpCmdHiveOpen(), handle_upcall(), NpImpersonateClientContext(), NtImpersonateClientOfPort(), and SeImpersonateClient().
◆ SepCreateClientSecurity()
| NTSTATUS NTAPI SepCreateClientSecurity | ( | _In_ PACCESS_TOKEN | Token, |
| _In_ PSECURITY_QUALITY_OF_SERVICE | ClientSecurityQos, | ||
| _In_ BOOLEAN | ServerIsRemote, | ||
| _In_ TOKEN_TYPE | TokenType, | ||
| _In_ BOOLEAN | ThreadEffectiveOnly, | ||
| _In_ SECURITY_IMPERSONATION_LEVEL | ImpersonationLevel, | ||
| _Out_ PSECURITY_CLIENT_CONTEXT | ClientContext | ||
| ) |
Creates a client security context based upon an access token.
- Parameters
-
[in] Token A valid token object. [in] ClientSecurityQos The Quality of Service (QoS) of a client security context. [in] ServerIsRemote If the client is a remote server (TRUE), the function will retrieve the control information of an access token, that is, we're doing delegation and that the server isn't local. [in] TokenType Type of token. [in] ThreadEffectiveOnly If set to TRUE, the client wants that the current thread wants to modify (enable or disable) privileges and groups. [in] ImpersonationLevel Security impersonation level filled in the QoS context. [out] ClientContext The returned security client context.
- Returns
- Returns STATUS_SUCCESS if client security creation has completed successfully. STATUS_INVALID_PARAMETER is returned if one or more of the parameters are bogus. STATUS_BAD_IMPERSONATION_LEVEL is returned if the current impersonation level within QoS context doesn't meet with the conditions required. A failure NTSTATUS code is returned otherwise.
Definition at line 53 of file client.c.
61{
63 PACCESS_TOKEN NewToken;
64 PAGED_CODE();
65
66 /* Check for bogus impersonation level */
68 {
69 /* Fail the call */
71 }
72
73 /* Check what kind of token this is */
75 {
76 /* On a primary token, if we do direct access, copy the flag from the QOS */
77 ClientContext->DirectAccessEffectiveOnly = ClientSecurityQos->EffectiveOnly;
78 }
79 else
80 {
81 /* This is an impersonation token, is the level ok? */
83 {
84 /* Nope, fail */
86 }
87
88 /* Is the level too low, or are we doing something other than delegation remotely */
92 {
93 /* Fail the call */
95 }
96
97 /* Pick either the thread setting or the QOS setting */
98 ClientContext->DirectAccessEffectiveOnly =
100 }
101
102 /* Is this static tracking */
104 {
105 /* Do not use direct access and make a copy */
108 ClientSecurityQos->ImpersonationLevel,
109 KernelMode,
110 &NewToken);
113 }
114 else
115 {
116 /* Use direct access and check if this is local */
118 if (ServerIsRemote)
119 {
120 /* We are doing delegation, so make a copy of the control data */
122 &ClientContext->ClientTokenControl);
123 }
124
125 /* Keep the same token */
126 NewToken = Token;
127 }
128
129 /* Fill out the context and return success */
131 ClientContext->SecurityQos.ImpersonationLevel = ClientSecurityQos->ImpersonationLevel;
132 ClientContext->SecurityQos.ContextTrackingMode = ClientSecurityQos->ContextTrackingMode;
133 ClientContext->SecurityQos.EffectiveOnly = ClientSecurityQos->EffectiveOnly;
134 ClientContext->ServerIsRemote = ServerIsRemote;
135 ClientContext->ClientToken = NewToken;
137}
struct _SECURITY_QUALITY_OF_SERVICE SECURITY_QUALITY_OF_SERVICE
NTSTATUS NTAPI SeCopyClientToken(_In_ PACCESS_TOKEN Token, _In_ SECURITY_IMPERSONATION_LEVEL Level, _In_ KPROCESSOR_MODE PreviousMode, _Out_ PACCESS_TOKEN *NewToken)
Copies an existing access token (technically duplicating a new one).
Definition: token.c:1543
VOID NTAPI SeGetTokenControlInformation(_In_ PACCESS_TOKEN _Token, _Out_ PTOKEN_CONTROL TokenControl)
Retrieves token control information.
Definition: token.c:1721
Referenced by SeCreateClientSecurity(), and SeCreateClientSecurityFromSubjectContext().
