ReactOS 0.4.16-dev-125-g798ea90
security.c File Reference
#include <rtl.h>
#include <debug.h>
Include dependency graph for security.c:

Go to the source code of this file.

Macros

#define NDEBUG
 

Functions

NTSTATUS NTAPI RtlpSetSecurityObject (IN PVOID Object OPTIONAL, IN SECURITY_INFORMATION SecurityInformation, IN PSECURITY_DESCRIPTOR ModificationDescriptor, IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, IN ULONG AutoInheritFlags, IN ULONG PoolType, IN PGENERIC_MAPPING GenericMapping, IN HANDLE Token OPTIONAL)
 
NTSTATUS NTAPI RtlpNewSecurityObject (IN PSECURITY_DESCRIPTOR ParentDescriptor, IN PSECURITY_DESCRIPTOR CreatorDescriptor, OUT PSECURITY_DESCRIPTOR *NewDescriptor, IN LPGUID *ObjectTypes, IN ULONG GuidCount, IN BOOLEAN IsDirectoryObject, IN ULONG AutoInheritFlags, IN HANDLE Token, IN PGENERIC_MAPPING GenericMapping)
 
NTSTATUS NTAPI RtlpConvertToAutoInheritSecurityObject (IN PSECURITY_DESCRIPTOR ParentDescriptor, IN PSECURITY_DESCRIPTOR CreatorDescriptor, OUT PSECURITY_DESCRIPTOR *NewDescriptor, IN LPGUID ObjectType, IN BOOLEAN IsDirectoryObject, IN PGENERIC_MAPPING GenericMapping)
 
NTSTATUS NTAPI RtlDefaultNpAcl (OUT PACL *pAcl)
 
NTSTATUS NTAPI RtlCreateAndSetSD (IN PVOID AceData, IN ULONG AceCount, IN PSID OwnerSid OPTIONAL, IN PSID GroupSid OPTIONAL, OUT PSECURITY_DESCRIPTOR *NewDescriptor)
 
NTSTATUS NTAPI RtlDeleteSecurityObject (IN PSECURITY_DESCRIPTOR *ObjectDescriptor)
 
NTSTATUS NTAPI RtlNewSecurityObject (IN PSECURITY_DESCRIPTOR ParentDescriptor, IN PSECURITY_DESCRIPTOR CreatorDescriptor, OUT PSECURITY_DESCRIPTOR *NewDescriptor, IN BOOLEAN IsDirectoryObject, IN HANDLE Token, IN PGENERIC_MAPPING GenericMapping)
 
NTSTATUS NTAPI RtlNewSecurityObjectEx (IN PSECURITY_DESCRIPTOR ParentDescriptor, IN PSECURITY_DESCRIPTOR CreatorDescriptor, OUT PSECURITY_DESCRIPTOR *NewDescriptor, IN LPGUID ObjectType, IN BOOLEAN IsDirectoryObject, IN ULONG AutoInheritFlags, IN HANDLE Token, IN PGENERIC_MAPPING GenericMapping)
 
NTSTATUS NTAPI RtlNewSecurityObjectWithMultipleInheritance (IN PSECURITY_DESCRIPTOR ParentDescriptor, IN PSECURITY_DESCRIPTOR CreatorDescriptor, OUT PSECURITY_DESCRIPTOR *NewDescriptor, IN LPGUID *ObjectTypes, IN ULONG GuidCount, IN BOOLEAN IsDirectoryObject, IN ULONG AutoInheritFlags, IN HANDLE Token, IN PGENERIC_MAPPING GenericMapping)
 
NTSTATUS NTAPI RtlNewInstanceSecurityObject (IN BOOLEAN ParentDescriptorChanged, IN BOOLEAN CreatorDescriptorChanged, IN PLUID OldClientTokenModifiedId, OUT PLUID NewClientTokenModifiedId, IN PSECURITY_DESCRIPTOR ParentDescriptor, IN PSECURITY_DESCRIPTOR CreatorDescriptor, OUT PSECURITY_DESCRIPTOR *NewDescriptor, IN BOOLEAN IsDirectoryObject, IN HANDLE Token, IN PGENERIC_MAPPING GenericMapping)
 
NTSTATUS NTAPI RtlCreateUserSecurityObject (IN PVOID AceData, IN ULONG AceCount, IN PSID OwnerSid, IN PSID GroupSid, IN BOOLEAN IsDirectoryObject, IN PGENERIC_MAPPING GenericMapping, OUT PSECURITY_DESCRIPTOR *NewDescriptor)
 
NTSTATUS NTAPI RtlNewSecurityGrantedAccess (IN ACCESS_MASK DesiredAccess, OUT PPRIVILEGE_SET Privileges, IN OUT PULONG Length, IN HANDLE Token, IN PGENERIC_MAPPING GenericMapping, OUT PACCESS_MASK RemainingDesiredAccess)
 
NTSTATUS NTAPI RtlQuerySecurityObject (IN PSECURITY_DESCRIPTOR ObjectDescriptor, IN SECURITY_INFORMATION SecurityInformation, OUT PSECURITY_DESCRIPTOR ResultantDescriptor, IN ULONG DescriptorLength, OUT PULONG ReturnLength)
 
NTSTATUS NTAPI RtlSetSecurityObject (IN SECURITY_INFORMATION SecurityInformation, IN PSECURITY_DESCRIPTOR ModificationDescriptor, IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, IN PGENERIC_MAPPING GenericMapping, IN HANDLE Token OPTIONAL)
 
NTSTATUS NTAPI RtlSetSecurityObjectEx (IN SECURITY_INFORMATION SecurityInformation, IN PSECURITY_DESCRIPTOR ModificationDescriptor, IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, IN ULONG AutoInheritFlags, IN PGENERIC_MAPPING GenericMapping, IN HANDLE Token OPTIONAL)
 
NTSTATUS NTAPI RtlConvertToAutoInheritSecurityObject (IN PSECURITY_DESCRIPTOR ParentDescriptor, IN PSECURITY_DESCRIPTOR CreatorDescriptor, OUT PSECURITY_DESCRIPTOR *NewDescriptor, IN LPGUID ObjectType, IN BOOLEAN IsDirectoryObject, IN PGENERIC_MAPPING GenericMapping)
 
NTSTATUS NTAPI RtlRegisterSecureMemoryCacheCallback (IN PRTL_SECURE_MEMORY_CACHE_CALLBACK Callback)
 
BOOLEAN NTAPI RtlFlushSecureMemoryCache (IN PVOID MemoryCache, IN OPTIONAL SIZE_T MemoryLength)
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 12 of file security.c.

Function Documentation

◆ RtlConvertToAutoInheritSecurityObject()

NTSTATUS NTAPI RtlConvertToAutoInheritSecurityObject ( IN PSECURITY_DESCRIPTOR  ParentDescriptor,
IN PSECURITY_DESCRIPTOR  CreatorDescriptor,
OUT PSECURITY_DESCRIPTOR NewDescriptor,
IN LPGUID  ObjectType,
IN BOOLEAN  IsDirectoryObject,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 798 of file security.c.

804{
805 /* Call the internal API */
806 return RtlpConvertToAutoInheritSecurityObject(ParentDescriptor,
807 CreatorDescriptor,
812}
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
ObjectType
Definition: metafile.c:81
NTSTATUS NTAPI RtlpConvertToAutoInheritSecurityObject(IN PSECURITY_DESCRIPTOR ParentDescriptor, IN PSECURITY_DESCRIPTOR CreatorDescriptor, OUT PSECURITY_DESCRIPTOR *NewDescriptor, IN LPGUID ObjectType, IN BOOLEAN IsDirectoryObject, IN PGENERIC_MAPPING GenericMapping)
Definition: security.c:220
_In_opt_ PSECURITY_DESCRIPTOR _Out_ PSECURITY_DESCRIPTOR _In_ BOOLEAN IsDirectoryObject
Definition: sefuncs.h:31
_In_opt_ PSECURITY_DESCRIPTOR _Out_ PSECURITY_DESCRIPTOR * NewDescriptor
Definition: sefuncs.h:30

◆ RtlCreateAndSetSD()

NTSTATUS NTAPI RtlCreateAndSetSD ( IN PVOID  AceData,
IN ULONG  AceCount,
IN PSID OwnerSid  OPTIONAL,
IN PSID GroupSid  OPTIONAL,
OUT PSECURITY_DESCRIPTOR NewDescriptor 
)

Definition at line 394 of file security.c.

399{
402}
#define UNIMPLEMENTED
Definition: debug.h:118
#define STATUS_NOT_IMPLEMENTED
Definition: ntstatus.h:239

Referenced by RtlCreateUserSecurityObject().

◆ RtlCreateUserSecurityObject()

NTSTATUS NTAPI RtlCreateUserSecurityObject ( IN PVOID  AceData,
IN ULONG  AceCount,
IN PSID  OwnerSid,
IN PSID  GroupSid,
IN BOOLEAN  IsDirectoryObject,
IN PGENERIC_MAPPING  GenericMapping,
OUT PSECURITY_DESCRIPTOR NewDescriptor 
)

Definition at line 559 of file security.c.

566{
570 DPRINT1("RtlCreateUserSecurityObject(%p)\n", AceData);
571
572 /* Create the security descriptor based on the ACE Data */
573 Status = RtlCreateAndSetSD(AceData,
574 AceCount,
575 OwnerSid,
576 GroupSid,
577 &Sd);
578 if (!NT_SUCCESS(Status)) return Status;
579
580 /* Open the process token */
582 if (!NT_SUCCESS(Status)) goto Quickie;
583
584 /* Create the security object */
586 Sd,
591
592 /* We're done, close the token handle */
594
595Quickie:
596 /* Free the SD and return status */
597 RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
598 return Status;
599}
LONG NTSTATUS
Definition: precomp.h:26
#define DPRINT1
Definition: precomp.h:8
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:608
#define NULL
Definition: types.h:112
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:33
Status
Definition: gdiplustypes.h:25
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:726
#define NtCurrentProcess()
Definition: nt_native.h:1657
NTSTATUS NTAPI NtClose(IN HANDLE Handle)
Definition: obhandle.c:3402
NTSTATUS NTAPI NtOpenProcessToken(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
Definition: security.c:350
NTSTATUS NTAPI RtlNewSecurityObject(IN PSECURITY_DESCRIPTOR ParentDescriptor, IN PSECURITY_DESCRIPTOR CreatorDescriptor, OUT PSECURITY_DESCRIPTOR *NewDescriptor, IN BOOLEAN IsDirectoryObject, IN HANDLE Token, IN PGENERIC_MAPPING GenericMapping)
Definition: security.c:423
NTSTATUS NTAPI RtlCreateAndSetSD(IN PVOID AceData, IN ULONG AceCount, IN PSID OwnerSid OPTIONAL, IN PSID GroupSid OPTIONAL, OUT PSECURITY_DESCRIPTOR *NewDescriptor)
Definition: security.c:394
#define TOKEN_QUERY
Definition: setypes.h:928

◆ RtlDefaultNpAcl()

NTSTATUS NTAPI RtlDefaultNpAcl ( OUT PACL pAcl)

Definition at line 238 of file security.c.

239{
242 PTOKEN_OWNER OwnerSid;
244 ULONG AclSize;
247
248 C_ASSERT(sizeof(ACE) == FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart));
249
250 /*
251 * Temporary buffer large enough to hold a maximum of two SIDs.
252 * An alternative is to call RtlAllocateAndInitializeSid many times...
253 */
254 UCHAR SidBuffer[FIELD_OFFSET(SID, SubAuthority)
255 + 2*RTL_FIELD_SIZE(SID, SubAuthority)];
256 PSID Sid = (PSID)&SidBuffer;
257
258 ASSERT(RtlLengthRequiredSid(2) == sizeof(SidBuffer));
259
260 /* Initialize the user ACL pointer */
261 *pAcl = NULL;
262
263 /*
264 * Try to retrieve the SID of the current owner. For that,
265 * we first attempt to get the current thread level token.
266 */
269 TRUE,
270 &TokenHandle);
271 if (Status == STATUS_NO_TOKEN)
272 {
273 /*
274 * No thread level token, so use the process level token.
275 * This is the common case since the only time a thread
276 * has a token is when it is impersonating.
277 */
280 &TokenHandle);
281 }
282 /* Fail if we didn't succeed in retrieving a handle to the token */
283 if (!NT_SUCCESS(Status)) return Status;
284
285 /*
286 * Retrieve the owner SID from the token.
287 */
288
289 /* Query the needed size... */
292 NULL, 0,
293 &ReturnLength);
294 /* ... so that we must fail with STATUS_BUFFER_TOO_SMALL error */
295 if (Status != STATUS_BUFFER_TOO_SMALL) goto Cleanup1;
296
297 /* Allocate space for the owner SID */
298 OwnerSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ReturnLength);
299 if (OwnerSid == NULL)
300 {
302 goto Cleanup1;
303 }
304
305 /* Retrieve the owner SID; we must succeed */
308 OwnerSid,
310 &ReturnLength);
311 if (!NT_SUCCESS(Status)) goto Cleanup2;
312
313 /*
314 * Allocate one ACL with 5 ACEs.
315 */
316 AclSize = sizeof(ACL) + // Header
317 5 * sizeof(ACE) + // 5 ACEs:
318 RtlLengthRequiredSid(1) + // LocalSystem
319 RtlLengthRequiredSid(2) + // Administrators
320 RtlLengthRequiredSid(1) + // Anonymous
321 RtlLengthRequiredSid(1) + // World
322 RtlLengthSid(OwnerSid->Owner); // Owner
323
324 *pAcl = RtlAllocateHeap(RtlGetProcessHeap(), 0, AclSize);
325 if (*pAcl == NULL)
326 {
328 goto Cleanup2;
329 }
330
331 /*
332 * Build the ACL and add the five ACEs.
333 */
334 Status = RtlCreateAcl(*pAcl, AclSize, ACL_REVISION2);
336
337 /* Local System SID - Generic All */
343
344 /* Administrators SID - Generic All */
351
352 /* Owner SID - Generic All */
355
356 /* Anonymous SID - Generic Read */
362
363 /* World SID - Generic Read */
369
370 /* If some problem happened, cleanup everything */
371 if (!NT_SUCCESS(Status))
372 {
373 RtlFreeHeap(RtlGetProcessHeap(), 0, *pAcl);
374 *pAcl = NULL;
375 }
376
377Cleanup2:
378 /* Get rid of the owner SID */
379 RtlFreeHeap(RtlGetProcessHeap(), 0, OwnerSid);
380
381Cleanup1:
382 /* Close the token handle */
384
385 /* Done */
386 return Status;
387}
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:590
#define TRUE
Definition: types.h:120
#define GENERIC_READ
Definition: compat.h:135
static SID_IDENTIFIER_AUTHORITY WorldAuthority
Definition: security.c:14
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
Definition: dumpinfo.c:43
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
#define C_ASSERT(e)
Definition: intsafe.h:73
#define RTL_FIELD_SIZE(type, field)
Definition: kdb_expr.c:86
#define ASSERT(a)
Definition: mode.c:44
struct _SID * PSID
Definition: eventlog.c:35
struct _ACL ACL
NTSYSAPI PULONG NTAPI RtlSubAuthoritySid(_In_ PSID Sid, _In_ ULONG SubAuthority)
NTSYSAPI ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1145
#define GENERIC_ALL
Definition: nt_native.h:92
NTSYSAPI NTSTATUS NTAPI RtlInitializeSid(IN OUT PSID Sid, IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount)
NTSTATUS NTAPI NtOpenThreadToken(_In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ BOOLEAN OpenAsSelf, _Out_ PHANDLE TokenHandle)
Opens a token that is tied to a thread handle.
Definition: token.c:2474
#define STATUS_NO_TOKEN
Definition: ntstatus.h:360
#define STATUS_NO_MEMORY
Definition: ntstatus.h:260
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
Definition: rtltypes.h:993
PSID Owner
Definition: setypes.h:1028
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtQueryInformationToken(_In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation, _In_ ULONG TokenInformationLength, _Out_ PULONG ReturnLength)
Queries a specific type of information in regard of an access token based upon the information class....
Definition: tokencls.c:473
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
uint32_t ULONG
Definition: typedefs.h:59
#define SECURITY_ANONYMOUS_LOGON_RID
Definition: setypes.h:563
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
#define SECURITY_WORLD_SID_AUTHORITY
Definition: setypes.h:527
#define SECURITY_WORLD_RID
Definition: setypes.h:541
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
#define ACL_REVISION2
Definition: setypes.h:43
#define SECURITY_NT_AUTHORITY
Definition: setypes.h:554
@ TokenOwner
Definition: setypes.h:969
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
unsigned char UCHAR
Definition: xmlstorage.h:181
#define NtCurrentThread()

◆ RtlDeleteSecurityObject()

NTSTATUS NTAPI RtlDeleteSecurityObject ( IN PSECURITY_DESCRIPTOR ObjectDescriptor)

Definition at line 409 of file security.c.

410{
411 DPRINT1("RtlDeleteSecurityObject(%p)\n", ObjectDescriptor);
412
413 /* Free the object from the heap */
414 RtlFreeHeap(RtlGetProcessHeap(), 0, *ObjectDescriptor);
415 return STATUS_SUCCESS;
416}
#define STATUS_SUCCESS
Definition: shellext.h:65

◆ RtlFlushSecureMemoryCache()

BOOLEAN NTAPI RtlFlushSecureMemoryCache ( IN PVOID  MemoryCache,
IN OPTIONAL SIZE_T  MemoryLength 
)

Definition at line 830 of file security.c.

832{
834 return FALSE;
835}
#define FALSE
Definition: types.h:117

Referenced by RtlpSecMemFreeVirtualMemory(), and UnmapViewOfFile().

◆ RtlNewInstanceSecurityObject()

NTSTATUS NTAPI RtlNewInstanceSecurityObject ( IN BOOLEAN  ParentDescriptorChanged,
IN BOOLEAN  CreatorDescriptorChanged,
IN PLUID  OldClientTokenModifiedId,
OUT PLUID  NewClientTokenModifiedId,
IN PSECURITY_DESCRIPTOR  ParentDescriptor,
IN PSECURITY_DESCRIPTOR  CreatorDescriptor,
OUT PSECURITY_DESCRIPTOR NewDescriptor,
IN BOOLEAN  IsDirectoryObject,
IN HANDLE  Token,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 506 of file security.c.

516{
517 TOKEN_STATISTICS TokenStats;
518 ULONG Size;
520 DPRINT1("RtlNewInstanceSecurityObject(%p)\n", ParentDescriptor);
521
522 /* Query the token statistics */
525 &TokenStats,
526 sizeof(TokenStats),
527 &Size);
528 if (!NT_SUCCESS(Status)) return Status;
529
530 /* Return the LUID */
531 *NewClientTokenModifiedId = TokenStats.ModifiedId;
532
533 /* Check if the LUID changed */
534 if (RtlEqualLuid(NewClientTokenModifiedId, OldClientTokenModifiedId))
535 {
536 /* Did nothing change? */
537 if (!(ParentDescriptorChanged) && !(CreatorDescriptorChanged))
538 {
539 /* There's no new descriptor, we're done */
541 return STATUS_SUCCESS;
542 }
543 }
544
545 /* Call the standard API */
546 return RtlNewSecurityObject(ParentDescriptor,
547 CreatorDescriptor,
550 Token,
552}
_Must_inspect_result_ _In_ WDFDEVICE _In_ PWDF_DEVICE_PROPERTY_DATA _In_ DEVPROPTYPE _In_ ULONG Size
Definition: wdfdevice.h:4533
#define RtlEqualLuid(Luid1, Luid2)
Definition: rtlfuncs.h:301
@ TokenStatistics
Definition: setypes.h:975

◆ RtlNewSecurityGrantedAccess()

NTSTATUS NTAPI RtlNewSecurityGrantedAccess ( IN ACCESS_MASK  DesiredAccess,
OUT PPRIVILEGE_SET  Privileges,
IN OUT PULONG  Length,
IN HANDLE  Token,
IN PGENERIC_MAPPING  GenericMapping,
OUT PACCESS_MASK  RemainingDesiredAccess 
)

Definition at line 606 of file security.c.

612{
614 BOOLEAN Granted, CallerToken;
615 TOKEN_STATISTICS TokenStats;
616 ULONG Size;
617 DPRINT1("RtlNewSecurityGrantedAccess(%lx)\n", DesiredAccess);
618
619 /* Has the caller passed a token? */
620 if (!Token)
621 {
622 /* Remember that we'll have to close the handle */
623 CallerToken = FALSE;
624
625 /* Nope, open it */
627 if (!NT_SUCCESS(Status)) return Status;
628 }
629 else
630 {
631 /* Yep, use it */
632 CallerToken = TRUE;
633 }
634
635 /* Get information on the token */
638 &TokenStats,
639 sizeof(TokenStats),
640 &Size);
642
643 /* Windows doesn't do anything with the token statistics! */
644
645 /* Map the access and return it back decoded */
647 *RemainingDesiredAccess = DesiredAccess;
648
649 /* Check if one of the rights requested was the SACL right */
651 {
652 /* Pretend that it's allowed FIXME: Do privilege check */
653 DPRINT1("Missing privilege check for SE_SECURITY_PRIVILEGE");
654 Granted = TRUE;
655 *RemainingDesiredAccess &= ~ACCESS_SYSTEM_SECURITY;
656 }
657 else
658 {
659 /* Nothing to grant */
660 Granted = FALSE;
661 }
662
663 /* If the caller did not pass in a token, close the handle to ours */
664 if (!CallerToken) NtClose(Token);
665
666 /* We need space to return only 1 privilege -- already part of the struct */
667 Size = sizeof(PRIVILEGE_SET);
668 if (Size > *Length)
669 {
670 /* Tell the caller how much space we need and fail */
671 *Length = Size;
673 }
674
675 /* Check if the SACL right was granted */
677 if (Granted)
678 {
679 /* Yes, return it in the structure */
680 Privileges->PrivilegeCount = 1;
681 Privileges->Privilege[0].Luid.LowPart = SE_SECURITY_PRIVILEGE;
682 Privileges->Privilege[0].Luid.HighPart = 0;
683 Privileges->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS;
684 }
685
686 /* All done */
687 return STATUS_SUCCESS;
688}
unsigned char BOOLEAN
#define SE_SECURITY_PRIVILEGE
Definition: security.c:662
NTSYSAPI VOID NTAPI RtlMapGenericMask(PACCESS_MASK AccessMask, PGENERIC_MAPPING GenericMapping)
#define ACCESS_SYSTEM_SECURITY
Definition: nt_native.h:77
_In_ ULONG _In_ ULONG _In_ ULONG Length
Definition: ntddpcm.h:102
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2658
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:17
#define SE_PRIVILEGE_USED_FOR_ACCESS
Definition: setypes.h:65
struct _PRIVILEGE_SET PRIVILEGE_SET

◆ RtlNewSecurityObject()

NTSTATUS NTAPI RtlNewSecurityObject ( IN PSECURITY_DESCRIPTOR  ParentDescriptor,
IN PSECURITY_DESCRIPTOR  CreatorDescriptor,
OUT PSECURITY_DESCRIPTOR NewDescriptor,
IN BOOLEAN  IsDirectoryObject,
IN HANDLE  Token,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 423 of file security.c.

429{
430 DPRINT1("RtlNewSecurityObject(%p)\n", ParentDescriptor);
431
432 /* Call the internal API */
433 return RtlpNewSecurityObject(ParentDescriptor,
434 CreatorDescriptor,
436 NULL,
437 0,
439 0,
440 Token,
442}
NTSTATUS NTAPI RtlpNewSecurityObject(IN PSECURITY_DESCRIPTOR ParentDescriptor, IN PSECURITY_DESCRIPTOR CreatorDescriptor, OUT PSECURITY_DESCRIPTOR *NewDescriptor, IN LPGUID *ObjectTypes, IN ULONG GuidCount, IN BOOLEAN IsDirectoryObject, IN ULONG AutoInheritFlags, IN HANDLE Token, IN PGENERIC_MAPPING GenericMapping)
Definition: security.c:204

Referenced by RtlCreateUserSecurityObject(), and RtlNewInstanceSecurityObject().

◆ RtlNewSecurityObjectEx()

NTSTATUS NTAPI RtlNewSecurityObjectEx ( IN PSECURITY_DESCRIPTOR  ParentDescriptor,
IN PSECURITY_DESCRIPTOR  CreatorDescriptor,
OUT PSECURITY_DESCRIPTOR NewDescriptor,
IN LPGUID  ObjectType,
IN BOOLEAN  IsDirectoryObject,
IN ULONG  AutoInheritFlags,
IN HANDLE  Token,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 449 of file security.c.

457{
458 DPRINT1("RtlNewSecurityObjectEx(%p)\n", ParentDescriptor);
459
460 /* Call the internal API */
461 return RtlpNewSecurityObject(ParentDescriptor,
462 CreatorDescriptor,
465 ObjectType ? 1 : 0,
467 AutoInheritFlags,
468 Token,
470}

◆ RtlNewSecurityObjectWithMultipleInheritance()

NTSTATUS NTAPI RtlNewSecurityObjectWithMultipleInheritance ( IN PSECURITY_DESCRIPTOR  ParentDescriptor,
IN PSECURITY_DESCRIPTOR  CreatorDescriptor,
OUT PSECURITY_DESCRIPTOR NewDescriptor,
IN LPGUID ObjectTypes,
IN ULONG  GuidCount,
IN BOOLEAN  IsDirectoryObject,
IN ULONG  AutoInheritFlags,
IN HANDLE  Token,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 477 of file security.c.

486{
487 DPRINT1("RtlNewSecurityObjectWithMultipleInheritance(%p)\n", ParentDescriptor);
488
489 /* Call the internal API */
490 return RtlpNewSecurityObject(ParentDescriptor,
491 CreatorDescriptor,
493 ObjectTypes,
494 GuidCount,
496 AutoInheritFlags,
497 Token,
499}

◆ RtlpConvertToAutoInheritSecurityObject()

NTSTATUS NTAPI RtlpConvertToAutoInheritSecurityObject ( IN PSECURITY_DESCRIPTOR  ParentDescriptor,
IN PSECURITY_DESCRIPTOR  CreatorDescriptor,
OUT PSECURITY_DESCRIPTOR NewDescriptor,
IN LPGUID  ObjectType,
IN BOOLEAN  IsDirectoryObject,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 220 of file security.c.

226{
229}

Referenced by RtlConvertToAutoInheritSecurityObject().

◆ RtlpNewSecurityObject()

NTSTATUS NTAPI RtlpNewSecurityObject ( IN PSECURITY_DESCRIPTOR  ParentDescriptor,
IN PSECURITY_DESCRIPTOR  CreatorDescriptor,
OUT PSECURITY_DESCRIPTOR NewDescriptor,
IN LPGUID ObjectTypes,
IN ULONG  GuidCount,
IN BOOLEAN  IsDirectoryObject,
IN ULONG  AutoInheritFlags,
IN HANDLE  Token,
IN PGENERIC_MAPPING  GenericMapping 
)

◆ RtlpSetSecurityObject()

NTSTATUS NTAPI RtlpSetSecurityObject ( IN PVOID Object  OPTIONAL,
IN SECURITY_INFORMATION  SecurityInformation,
IN PSECURITY_DESCRIPTOR  ModificationDescriptor,
IN OUT PSECURITY_DESCRIPTOR ObjectsSecurityDescriptor,
IN ULONG  AutoInheritFlags,
IN ULONG  PoolType,
IN PGENERIC_MAPPING  GenericMapping,
IN HANDLE Token  OPTIONAL 
)

Definition at line 19 of file security.c.

27{
29 PSID pOwnerSid = NULL;
30 PSID pGroupSid = NULL;
31 PACL pDacl = NULL;
32 PACL pSacl = NULL;
33 BOOLEAN Defaulted;
34 BOOLEAN Present;
35 ULONG ulOwnerSidSize = 0, ulGroupSidSize = 0;
36 ULONG ulDaclSize = 0, ulSaclSize = 0;
37 ULONG ulNewSdSize;
39 PUCHAR pDest;
41
42 DPRINT("RtlpSetSecurityObject()\n");
43
44 /* Change the Owner SID */
46 {
47 Status = RtlGetOwnerSecurityDescriptor(ModificationDescriptor, &pOwnerSid, &Defaulted);
48 if (!NT_SUCCESS(Status))
49 return Status;
50 }
51 else
52 {
53 Status = RtlGetOwnerSecurityDescriptor(*ObjectsSecurityDescriptor, &pOwnerSid, &Defaulted);
54 if (!NT_SUCCESS(Status))
55 return Status;
56 }
57
58 if (pOwnerSid == NULL || !RtlValidSid(pOwnerSid))
60
61 ulOwnerSidSize = RtlLengthSid(pOwnerSid);
62
63 /* Change the Group SID */
65 {
66 Status = RtlGetGroupSecurityDescriptor(ModificationDescriptor, &pGroupSid, &Defaulted);
67 if (!NT_SUCCESS(Status))
68 return Status;
69 }
70 else
71 {
72 Status = RtlGetGroupSecurityDescriptor(*ObjectsSecurityDescriptor, &pGroupSid, &Defaulted);
73 if (!NT_SUCCESS(Status))
74 return Status;
75 }
76
77 if (pGroupSid == NULL || !RtlValidSid(pGroupSid))
79
80 ulGroupSidSize = ROUND_UP(RtlLengthSid(pGroupSid), sizeof(ULONG));
81
82 /* Change the DACL */
84 {
85 Status = RtlGetDaclSecurityDescriptor(ModificationDescriptor, &Present, &pDacl, &Defaulted);
86 if (!NT_SUCCESS(Status))
87 return Status;
88
90 }
91 else
92 {
93 Status = RtlGetDaclSecurityDescriptor(*ObjectsSecurityDescriptor, &Present, &pDacl, &Defaulted);
94 if (!NT_SUCCESS(Status))
95 return Status;
96
97 if (Present)
99
100 if (Defaulted)
102 }
103
104 if (pDacl != NULL)
105 ulDaclSize = pDacl->AclSize;
106
107 /* Change the SACL */
109 {
110 Status = RtlGetSaclSecurityDescriptor(ModificationDescriptor, &Present, &pSacl, &Defaulted);
111 if (!NT_SUCCESS(Status))
112 return Status;
113
115 }
116 else
117 {
118 Status = RtlGetSaclSecurityDescriptor(*ObjectsSecurityDescriptor, &Present, &pSacl, &Defaulted);
119 if (!NT_SUCCESS(Status))
120 return Status;
121
122 if (Present)
124
125 if (Defaulted)
127 }
128
129 if (pSacl != NULL)
130 ulSaclSize = pSacl->AclSize;
131
132 /* Calculate the size of the new security descriptor */
133 ulNewSdSize = sizeof(SECURITY_DESCRIPTOR_RELATIVE) +
134 ROUND_UP(ulOwnerSidSize, sizeof(ULONG)) +
135 ROUND_UP(ulGroupSidSize, sizeof(ULONG)) +
136 ROUND_UP(ulDaclSize, sizeof(ULONG)) +
137 ROUND_UP(ulSaclSize, sizeof(ULONG));
138
139 /* Allocate the new security descriptor */
140 pNewSd = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulNewSdSize);
141 if (pNewSd == NULL)
142 {
144 DPRINT1("New security descriptor allocation failed (Status 0x%08lx)\n", Status);
145 goto done;
146 }
147
148 /* Initialize the new security descriptor */
150 if (!NT_SUCCESS(Status))
151 {
152 DPRINT1("New security descriptor creation failed (Status 0x%08lx)\n", Status);
153 goto done;
154 }
155
156 /* Set the security descriptor control flags */
157 pNewSd->Control = Control;
158
159 pDest = (PUCHAR)((ULONG_PTR)pNewSd + sizeof(SECURITY_DESCRIPTOR_RELATIVE));
160
161 /* Copy the SACL */
162 if (pSacl != NULL)
163 {
164 RtlCopyMemory(pDest, pSacl, ulSaclSize);
165 pNewSd->Sacl = (ULONG_PTR)pDest - (ULONG_PTR)pNewSd;
166 pDest = pDest + ROUND_UP(ulSaclSize, sizeof(ULONG));
167 }
168
169 /* Copy the DACL */
170 if (pDacl != NULL)
171 {
172 RtlCopyMemory(pDest, pDacl, ulDaclSize);
173 pNewSd->Dacl = (ULONG_PTR)pDest - (ULONG_PTR)pNewSd;
174 pDest = pDest + ROUND_UP(ulDaclSize, sizeof(ULONG));
175 }
176
177 /* Copy the Owner SID */
178 RtlCopyMemory(pDest, pOwnerSid, ulOwnerSidSize);
179 pNewSd->Owner = (ULONG_PTR)pDest - (ULONG_PTR)pNewSd;
180 pDest = pDest + ROUND_UP(ulOwnerSidSize, sizeof(ULONG));
181
182 /* Copy the Group SID */
183 RtlCopyMemory(pDest, pGroupSid, ulGroupSidSize);
184 pNewSd->Group = (ULONG_PTR)pDest - (ULONG_PTR)pNewSd;
185
186 /* Free the old security descriptor */
187 RtlFreeHeap(RtlGetProcessHeap(), 0, (PVOID)*ObjectsSecurityDescriptor);
188
189 /* Return the new security descriptor */
190 *ObjectsSecurityDescriptor = (PSECURITY_DESCRIPTOR)pNewSd;
191
192done:
193 if (!NT_SUCCESS(Status))
194 {
195 if (pNewSd != NULL)
196 RtlFreeHeap(RtlGetProcessHeap(), 0, pNewSd);
197 }
198
199 return Status;
200}
#define ULONG_PTR
Definition: config.h:101
#define ROUND_UP(n, align)
Definition: eventvwr.h:34
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1340
WORD SECURITY_DESCRIPTOR_CONTROL
Definition: lsa.idl:37
struct _SECURITY_DESCRIPTOR * PSECURITY_DESCRIPTOR
Definition: security.c:98
NTSYSAPI NTSTATUS NTAPI RtlGetSaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN SaclPresent, _Out_ PACL *Sacl, _Out_ PBOOLEAN SaclDefaulted)
NTSYSAPI BOOLEAN NTAPI RtlValidSid(IN PSID Sid)
Definition: sid.c:21
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptorRelative(_Out_ PISECURITY_DESCRIPTOR_RELATIVE SecurityDescriptor, _In_ ULONG Revision)
NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PACL *Dacl, _Out_ PBOOLEAN DaclDefaulted)
NTSYSAPI NTSTATUS NTAPI RtlGetGroupSecurityDescriptor(IN PSECURITY_DESCRIPTOR SecurityDescriptor, OUT PSID *Group, OUT PBOOLEAN GroupDefaulted)
Definition: sd.c:280
NTSYSAPI NTSTATUS NTAPI RtlGetOwnerSecurityDescriptor(IN PSECURITY_DESCRIPTOR SecurityDescriptor, OUT PSID *Owner, OUT PBOOLEAN OwnerDefaulted)
Definition: sd.c:257
#define STATUS_INVALID_PRIMARY_GROUP
Definition: ntstatus.h:327
#define STATUS_INVALID_OWNER
Definition: ntstatus.h:326
#define DPRINT
Definition: sndvol32.h:73
USHORT AclSize
Definition: ms-dtyp.idl:296
SECURITY_DESCRIPTOR_CONTROL Control
Definition: setypes.h:839
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
uint32_t ULONG_PTR
Definition: typedefs.h:65
unsigned char * PUCHAR
Definition: typedefs.h:53
_In_ WDF_WMI_PROVIDER_CONTROL Control
Definition: wdfwmi.h:166
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125
#define SE_DACL_DEFAULTED
Definition: setypes.h:822
#define OWNER_SECURITY_INFORMATION
Definition: setypes.h:123
#define SE_SELF_RELATIVE
Definition: setypes.h:834
#define SE_SACL_DEFAULTED
Definition: setypes.h:824
struct _SECURITY_DESCRIPTOR_RELATIVE SECURITY_DESCRIPTOR_RELATIVE
#define SE_SACL_PRESENT
Definition: setypes.h:823
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define GROUP_SECURITY_INFORMATION
Definition: setypes.h:124
#define SACL_SECURITY_INFORMATION
Definition: setypes.h:126
#define SE_DACL_PRESENT
Definition: setypes.h:821

Referenced by RtlSetSecurityObject(), and RtlSetSecurityObjectEx().

◆ RtlQuerySecurityObject()

NTSTATUS NTAPI RtlQuerySecurityObject ( IN PSECURITY_DESCRIPTOR  ObjectDescriptor,
IN SECURITY_INFORMATION  SecurityInformation,
OUT PSECURITY_DESCRIPTOR  ResultantDescriptor,
IN ULONG  DescriptorLength,
OUT PULONG  ReturnLength 
)

Definition at line 695 of file security.c.

700{
703 BOOLEAN defaulted, present;
704 PACL pacl;
705 PSID psid;
706
708 if (!NT_SUCCESS(Status)) return Status;
709
711 {
712 Status = RtlGetOwnerSecurityDescriptor(ObjectDescriptor, &psid, &defaulted);
713 if (!NT_SUCCESS(Status)) return Status;
714 Status = RtlSetOwnerSecurityDescriptor(&desc, psid, defaulted);
715 if (!NT_SUCCESS(Status)) return Status;
716 }
717
719 {
720 Status = RtlGetGroupSecurityDescriptor(ObjectDescriptor, &psid, &defaulted);
721 if (!NT_SUCCESS(Status)) return Status;
722 Status = RtlSetGroupSecurityDescriptor(&desc, psid, defaulted);
723 if (!NT_SUCCESS(Status)) return Status;
724 }
725
727 {
728 Status = RtlGetDaclSecurityDescriptor(ObjectDescriptor, &present, &pacl, &defaulted);
729 if (!NT_SUCCESS(Status)) return Status;
730 Status = RtlSetDaclSecurityDescriptor(&desc, present, pacl, defaulted);
731 if (!NT_SUCCESS(Status)) return Status;
732 }
733
735 {
736 Status = RtlGetSaclSecurityDescriptor(ObjectDescriptor, &present, &pacl, &defaulted);
737 if (!NT_SUCCESS(Status)) return Status;
738 Status = RtlSetSaclSecurityDescriptor(&desc, present, pacl, defaulted);
739 if (!NT_SUCCESS(Status)) return Status;
740 }
741
742 *ReturnLength = DescriptorLength;
743 return RtlAbsoluteToSelfRelativeSD(&desc, ResultantDescriptor, ReturnLength);
744}
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
static const WCHAR desc[]
Definition: protectdata.c:36
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN SaclPresent, IN PACL Sacl, IN BOOLEAN SaclDefaulted)
Definition: sd.c:342
NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD(IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, IN PULONG BufferLength)
Definition: sd.c:626

◆ RtlRegisterSecureMemoryCacheCallback()

NTSTATUS NTAPI RtlRegisterSecureMemoryCacheCallback ( IN PRTL_SECURE_MEMORY_CACHE_CALLBACK  Callback)

Definition at line 819 of file security.c.

820{
823}

◆ RtlSetSecurityObject()

NTSTATUS NTAPI RtlSetSecurityObject ( IN SECURITY_INFORMATION  SecurityInformation,
IN PSECURITY_DESCRIPTOR  ModificationDescriptor,
IN OUT PSECURITY_DESCRIPTOR ObjectsSecurityDescriptor,
IN PGENERIC_MAPPING  GenericMapping,
IN HANDLE Token  OPTIONAL 
)

Definition at line 752 of file security.c.

757{
758 /* Call the internal API */
761 ModificationDescriptor,
762 ObjectsSecurityDescriptor,
763 0,
764 PagedPool,
766 Token);
767}
#define PagedPool
Definition: env_spec_w32.h:308
NTSTATUS NTAPI RtlpSetSecurityObject(IN PVOID Object OPTIONAL, IN SECURITY_INFORMATION SecurityInformation, IN PSECURITY_DESCRIPTOR ModificationDescriptor, IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, IN ULONG AutoInheritFlags, IN ULONG PoolType, IN PGENERIC_MAPPING GenericMapping, IN HANDLE Token OPTIONAL)
Definition: security.c:19

◆ RtlSetSecurityObjectEx()

NTSTATUS NTAPI RtlSetSecurityObjectEx ( IN SECURITY_INFORMATION  SecurityInformation,
IN PSECURITY_DESCRIPTOR  ModificationDescriptor,
IN OUT PSECURITY_DESCRIPTOR ObjectsSecurityDescriptor,
IN ULONG  AutoInheritFlags,
IN PGENERIC_MAPPING  GenericMapping,
IN HANDLE Token  OPTIONAL 
)

Definition at line 774 of file security.c.

780{
781 /* Call the internal API */
784 ModificationDescriptor,
785 ObjectsSecurityDescriptor,
786 AutoInheritFlags,
787 PagedPool,
789 Token);
790
791}