security.c

Go to the documentation of this file.

/*
 * PROJECT:         ReactOS Win32k subsystem
 * LICENSE:         GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
 * PURPOSE:         Security infrastructure of NTUSER component of Win32k
 * COPYRIGHT:       Copyright 2022-2023 George Bișoc <george.bisoc@reactos.org>
 */
 
/* INCLUDES ******************************************************************/
 
#include <win32k.h>
DBG_DEFAULT_CHANNEL(UserSecurity);
 
/* FUNCTIONS *****************************************************************/
 
HANDLE
IntGetCurrentAccessToken(VOID)
{
    NTSTATUS Status;
    HANDLE TokenHandle;
 
    /*
     * Try acquiring the security context by opening
     * the current thread (or so called impersonation)
     * token. Such token represents the effective caller.
     * Otherwise if the current thread does not have a
     * token (hence no impersonation occurs) then open
     * the token of main calling process instead.
     */
    Status = ZwOpenThreadToken(ZwCurrentThread(),
                               TOKEN_QUERY,
                               FALSE,
                               &TokenHandle);
    if (!NT_SUCCESS(Status))
    {
        /*
         * We might likely fail to open the thread
         * token if the process isn't impersonating
         * a client. In scenarios where the server
         * isn't impersonating, open the main process
         * token.
         */
        if (Status == STATUS_NO_TOKEN)
        {
            TRACE("IntGetCurrentAccessToken(): The thread doesn't have a token, trying to open the process one...\n");
            Status = ZwOpenProcessToken(ZwCurrentProcess(),
                                        TOKEN_QUERY,
                                        &TokenHandle);
            if (!NT_SUCCESS(Status))
            {
                /* We failed opening process token as well, bail out... */
                ERR("IntGetCurrentAccessToken(): Failed to capture security context, couldn't open the process token (Status 0x%08lx)\n", Status);
                return NULL;
            }
 
            /* Return the opened token handle */
            return TokenHandle;
        }
 
        /* There's a thread token but we couldn't open it so bail out */
        ERR("IntGetCurrentAccessToken(): Failed to capture security context, couldn't open the thread token (Status 0x%08lx)\n", Status);
        return NULL;
    }
 
    /* Return the opened token handle */
    return TokenHandle;
}
 
PVOID
IntAllocateSecurityBuffer(
    _In_ SIZE_T Length)
{
    NTSTATUS Status;
    PVOID Buffer = NULL;
 
    /* Allocate the buffer in UM memory space */
    Status = ZwAllocateVirtualMemory(ZwCurrentProcess(),
                                     &Buffer,
                                     0,
                                     &Length,
                                     MEM_COMMIT,
                                     PAGE_READWRITE);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntAllocateSecurityBuffer(): Failed to allocate the buffer (Status 0x%08lx)\n", Status);
        return NULL;
    }
 
    return Buffer;
}
 
VOID
IntFreeSecurityBuffer(
    _In_ PVOID Buffer)
{
    SIZE_T Size = 0;
 
    ZwFreeVirtualMemory(ZwCurrentProcess(),
                        &Buffer,
                        &Size,
                        MEM_RELEASE);
}
 
NTSTATUS
IntQueryUserSecurityIdentification(
    _Out_ PTOKEN_USER *User)
{
    NTSTATUS Status;
    PTOKEN_USER UserToken = NULL;
    HANDLE Token;
    ULONG BufferLength;
 
    /* Initialize the parameter */
    *User = NULL;
 
    /* Open the current token of the caller */
    Token = IntGetCurrentAccessToken();
    if (!Token)
    {
        ERR("IntQueryUserSecurityIdentification(): Couldn't capture the token!\n");
        return STATUS_UNSUCCESSFUL;
    }
 
    /*
     * Since we do not know what the length
     * of the buffer size should be exactly to
     * hold the user data, let the function
     * tell us the size.
     */
    Status = ZwQueryInformationToken(Token,
                                     TokenUser,
                                     NULL,
                                     0,
                                     &BufferLength);
    if (Status == STATUS_BUFFER_TOO_SMALL)
    {
        /*
         * Allocate some memory for the buffer
         * based on the size that the function
         * gave us.
         */
        UserToken = IntAllocateSecurityBuffer(BufferLength);
        if (!UserToken)
        {
            /* Bail out if we failed */
            ERR("IntQueryUserSecurityIdentification(): Couldn't allocate memory for the token user!\n");
            ZwClose(Token);
            return STATUS_NO_MEMORY;
        }
    }
    else if (!NT_SUCCESS(Status))
    {
        ERR("IntQueryUserSecurityIdentification(): Failed to query the necessary length for the buffer (Status 0x%08lx)!\n", Status);
        ZwClose(Token);
        return Status;
    }
 
    /* Query the user now as we have plenty of space to hold it */
    Status = ZwQueryInformationToken(Token,
                                     TokenUser,
                                     UserToken,
                                     BufferLength,
                                     &BufferLength);
    if (!NT_SUCCESS(Status))
    {
        /* We failed, bail out */
        ERR("IntQueryUserSecurityIdentification(): Failed to query token user (Status 0x%08lx)\n", Status);
        IntFreeSecurityBuffer(UserToken);
        ZwClose(Token);
        return Status;
    }
 
    /* All good, give the buffer to the caller and close the captured token */
    *User = UserToken;
    ZwClose(Token);
 
    return STATUS_SUCCESS;
}
 
NTSTATUS
NTAPI
IntAssignDesktopSecurityOnParse(
    _In_ PWINSTATION_OBJECT WinSta,
    _In_ PDESKTOP Desktop,
    _In_ PACCESS_STATE AccessState)
{
    NTSTATUS Status;
    PSECURITY_DESCRIPTOR CapturedDescriptor;
    BOOLEAN MemoryAllocated;
 
    /*
     * Capture the security descriptor from
     * the window station. The window station
     * in question has a descriptor that is
     * inheritable and contains desktop access
     * rights as well.
     */
    Status = ObGetObjectSecurity(WinSta,
                                 &CapturedDescriptor,
                                 &MemoryAllocated);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntAssignDesktopSecurityOnParse(): Failed to capture the security descriptor from window station (Status 0x%08lx)\n", Status);
        return Status;
    }
 
    /* Assign new security to the desktop */
    Status = ObAssignSecurity(AccessState,
                              CapturedDescriptor,
                              Desktop,
                              ExDesktopObjectType);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntAssignDesktopSecurityOnParse(): Failed to assign security information to the desktop object (Status 0x%08lx)\n", Status);
    }
 
    /* Release the descriptor that we have captured */
    ObReleaseObjectSecurity(CapturedDescriptor, MemoryAllocated);
    return Status;
}
 
NTSTATUS
NTAPI
IntCreateServiceSecurity(
    _Out_ PSECURITY_DESCRIPTOR *ServiceSd)
{
    NTSTATUS Status;
    PACL ServiceDacl;
    ULONG DaclSize;
    ULONG RelSDSize;
    SECURITY_DESCRIPTOR AbsSD;
    PSECURITY_DESCRIPTOR RelSD;
    PTOKEN_USER TokenUser;
 
    /* Initialize our local variables */
    RelSDSize = 0;
    TokenUser = NULL;
    RelSD = NULL;
    ServiceDacl = NULL;
 
    /* Query the logged in user of the current security context (aka token) */
    Status = IntQueryUserSecurityIdentification(&TokenUser);
    if (!TokenUser)
    {
        ERR("IntCreateServiceSecurity(): Failed to query the token user (Status 0x%08lx)\n", Status);
        return Status;
    }
 
    /* Initialize the absolute security descriptor */
    Status = RtlCreateSecurityDescriptor(&AbsSD, SECURITY_DESCRIPTOR_REVISION);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntCreateServiceSecurity(): Failed to initialize absolute SD (Status 0x%08lx)\n", Status);
        goto Quit;
    }
 
    /*
     * Build up the size of access control
     * list (the DACL) necessary to initialize
     * our ACL. The first two entry members
     * of ACL field are the authenticated user
     * that is associated with the security
     * context of the token. Then here come
     * the last two entries which are admins.
     * Why the ACL contains two ACEs of the
     * same SID is because of service access
     * rights and ACE inheritance.
     *
     * A service is composed of a default
     * desktop and window station upon
     * booting the system. On Windows connection
     * to such service is being made if no
     * default window station and desktop handles
     * were created before. The desktop and winsta
     * objects grant access on a separate type basis.
     * The user is granted full access to the window
     * station first and then full access to the desktop.
     * After that admins are granted specific rights
     * separately, just like the user. Ultimately the
     * ACEs that handle desktop rights management are
     * inherited to the default desktop object so
     * that there's no need to have a separate security
     * descriptor for the desktop object alone.
     */
    DaclSize = sizeof(ACL) +
               sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(TokenUser->User.Sid) +
               sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(TokenUser->User.Sid) +
               sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(SeExports->SeAliasAdminsSid) +
               sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(SeExports->SeAliasAdminsSid);
 
    /* Allocate memory for service DACL */
    ServiceDacl = IntAllocateSecurityBuffer(DaclSize);
    if (!ServiceDacl)
    {
        ERR("IntCreateServiceSecurity(): Failed to allocate memory for service DACL!\n");
        Status = STATUS_NO_MEMORY;
        goto Quit;
    }
 
    /* Now create the DACL */
    Status = RtlCreateAcl(ServiceDacl,
                          DaclSize,
                          ACL_REVISION);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntCreateServiceSecurity(): Failed to create service DACL (Status 0x%08lx)\n", Status);
        goto Quit;
    }
 
    /*
     * The authenticated user is the ultimate and absolute
     * king in charge of the created (or opened, whatever that is)
     * window station object.
     */
    Status = RtlAddAccessAllowedAceEx(ServiceDacl,
                                      ACL_REVISION,
                                      0,
                                      WINSTA_ACCESS_ALL,
                                      TokenUser->User.Sid);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntCreateServiceSecurity(): Failed to set up window station ACE for authenticated user (Status 0x%08lx)\n", Status);
        goto Quit;
    }
 
    /*
     * The authenticated user also has the ultimate power
     * over the desktop object as well. This ACE cannot
     * be propagated but inherited. See the comment
     * above regarding ACL size for further explanation.
     */
    Status = RtlAddAccessAllowedAceEx(ServiceDacl,
                                      ACL_REVISION,
                                      INHERIT_ONLY_ACE | NO_PROPAGATE_INHERIT_ACE | OBJECT_INHERIT_ACE,
                                      DESKTOP_ALL_ACCESS,
                                      TokenUser->User.Sid);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntCreateServiceSecurity(): Failed to set up desktop ACE for authenticated user (Status 0x%08lx)\n", Status);
        goto Quit;
    }
 
    /*
     * Administrators can only enumerate window
     * stations within a desktop.
     */
    Status = RtlAddAccessAllowedAceEx(ServiceDacl,
                                      ACL_REVISION,
                                      0,
                                      WINSTA_ENUMERATE,
                                      SeExports->SeAliasAdminsSid);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntCreateServiceSecurity(): Failed to set up window station ACE for admins (Status 0x%08lx)\n", Status);
        goto Quit;
    }
 
    /*
     * Administrators have some share of power over
     * the desktop object. They can enumerate desktops,
     * write and read upon the object itself.
     */
    Status = RtlAddAccessAllowedAceEx(ServiceDacl,
                                      ACL_REVISION,
                                      INHERIT_ONLY_ACE | NO_PROPAGATE_INHERIT_ACE | OBJECT_INHERIT_ACE,
                                      DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | DESKTOP_WRITEOBJECTS,
                                      SeExports->SeAliasAdminsSid);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntCreateServiceSecurity(): Failed to set up desktop ACE for admins (Status 0x%08lx)\n", Status);
        goto Quit;
    }
 
    /* Set the DACL to absolute SD */
    Status = RtlSetDaclSecurityDescriptor(&AbsSD,
                                          TRUE,
                                          ServiceDacl,
                                          FALSE);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntCreateServiceSecurity(): Failed to set up service DACL to absolute SD (Status 0x%08lx)\n", Status);
        goto Quit;
    }
 
    /* This descriptor is ownerless */
    Status = RtlSetOwnerSecurityDescriptor(&AbsSD,
                                           NULL,
                                           FALSE);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntCreateServiceSecurity(): Failed to make the absolute SD as ownerless (Status 0x%08lx)\n", Status);
        goto Quit;
    }
 
    /* This descriptor has no primary group */
    Status = RtlSetGroupSecurityDescriptor(&AbsSD,
                                           NULL,
                                           FALSE);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntCreateServiceSecurity(): Failed to make the absolute SD as having no primary group (Status 0x%08lx)\n", Status);
        goto Quit;
    }
 
    /*
     * Determine how much size is needed to allocate
     * memory space for our relative security descriptor.
     */
    Status = RtlAbsoluteToSelfRelativeSD(&AbsSD,
                                         NULL,
                                         &RelSDSize);
    if (Status != STATUS_BUFFER_TOO_SMALL)
    {
        ERR("IntCreateServiceSecurity(): Unexpected status code, must be STATUS_BUFFER_TOO_SMALL (Status 0x%08lx)\n", Status);
        goto Quit;
    }
 
    /* Allocate memory for this */
    RelSD = IntAllocateSecurityBuffer(RelSDSize);
    if (!RelSD)
    {
        ERR("IntCreateServiceSecurity(): Failed to allocate memory pool for relative SD!\n");
        Status = STATUS_NO_MEMORY;
        goto Quit;
    }
 
    /* Convert the absolute SD into a relative one now */
    Status = RtlAbsoluteToSelfRelativeSD(&AbsSD,
                                         RelSD,
                                         &RelSDSize);
    if (!NT_SUCCESS(Status))
    {
        ERR("IntCreateServiceSecurity(): Failed to convert absolute SD to a relative one (Status 0x%08lx)\n", Status);
        goto Quit;
    }
 
    /* All good, give the SD to the caller */
    *ServiceSd = RelSD;
 
Quit:
    if (ServiceDacl)
    {
        IntFreeSecurityBuffer(ServiceDacl);
    }
 
    if (TokenUser)
    {
        IntFreeSecurityBuffer(TokenUser);
    }
 
    if (!NT_SUCCESS(Status))
    {
        if (RelSD)
        {
            IntFreeSecurityBuffer(RelSD);
        }
    }
 
    return Status;
}
 
/* EOF */