ReactOS 0.4.15-dev-5666-gc548b97
debug.c
Go to the documentation of this file.
1/*
2 * PROJECT: ReactOS Kernel
3 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4 * PURPOSE: Security subsystem debug routines support
5 * COPYRIGHT: Copyright 2022 George Bișoc <george.bisoc@reactos.org>
6 */
7
8/* INCLUDES *******************************************************************/
9
10#include <ntoskrnl.h>
11#define NDEBUG
12#include <debug.h>
13
14/* PRIVATE FUNCTIONS **********************************************************/
15
25static
29{
30#define TOSTR(x) #x
31 static const PCSTR AceTypes[] =
32 {
51 };
52#undef TOSTR
53
54 if (AceType < RTL_NUMBER_OF(AceTypes))
55 return AceTypes[AceType];
56 else
57 return "UNKNOWN TYPE";
58}
59
64static
65VOID
68{
69#define ACE_FLAG_PRINT(x) \
70 if (AceFlags & x) \
71 { \
72 DbgPrint(#x "\n"); \
73 }
74
80#undef ACE_FLAG_PRINT
81}
82
87static
88VOID
90 _In_ PACL Acl)
91{
93 PACE Ace;
95 PSID Sid;
96 UNICODE_STRING SidString;
97
98 /* Loop all ACEs and dump their info */
99 for (AceIndex = 0; AceIndex < Acl->AceCount; AceIndex++)
100 {
101 /* Get the ACE at this index */
102 Status = RtlGetAce(Acl, AceIndex, (PVOID*)&Ace);
103 if (!NT_SUCCESS(Status))
104 {
105 /*
106 * Normally this should never happen.
107 * Just fail gracefully and stop further
108 * debugging of ACEs.
109 */
110 DbgPrint("SepDumpAces(): Failed to find the next ACE, stop dumping info...\n");
111 return;
112 }
113
114 DbgPrint("================== %lu# ACE DUMP INFO ==================\n", AceIndex);
115 DbgPrint("Ace -> 0x%p\n", Ace);
116 DbgPrint("Ace->Header -> 0x%p\n", Ace->Header);
117 DbgPrint("Ace->Header.AceType -> %s\n", SepGetAceTypeString(Ace->Header.AceType));
118 DbgPrint("Ace->AccessMask -> 0x%08lx\n", Ace->AccessMask);
119
120 Sid = SepGetSidFromAce(Ace->Header.AceType, Ace);
121 ASSERT(Sid);
123 DbgPrint("Ace SID -> %wZ\n", &SidString);
124 RtlFreeUnicodeString(&SidString);
125
126 DbgPrint("Ace->Header.AceSize -> %u\n", Ace->Header.AceSize);
127 DbgPrint("Ace->Header.AceFlags:\n");
128 SepDumpAceFlags(Ace->Header.AceFlags);
129 }
130}
131
136static
137VOID
139 _In_ PACL Acl,
140 _In_ BOOLEAN IsSacl)
141{
142 /* Dump relevant info */
143 DbgPrint("================== %s DUMP INFO ==================\n", IsSacl ? "SACL" : "DACL");
144 DbgPrint("Acl->AclRevision -> %u\n", Acl->AclRevision);
145 DbgPrint("Acl->AclSize -> %u\n", Acl->AclSize);
146 DbgPrint("Acl->AceCount -> %u\n", Acl->AceCount);
147
148 /* Dump all the ACEs present on this ACL */
149 SepDumpAces(Acl);
150}
151
156static
157VOID
160{
161#define SD_CONTROL_PRINT(x) \
162 if (SdControl & x) \
163 { \
164 DbgPrint(#x "\n"); \
165 }
166
183#undef SD_CONTROL_PRINT
184}
185
190static
191VOID
194 _In_ ULONG SidCount)
195{
196 ULONG SidIndex;
197 UNICODE_STRING SidString;
198
199 /* Loop all SIDs and dump them */
200 for (SidIndex = 0; SidIndex < SidCount; SidIndex++)
201 {
202 RtlConvertSidToUnicodeString(&SidString, Sids[SidIndex].Sid, TRUE);
203 DbgPrint("%lu# %wZ\n", SidIndex, &SidString);
204 RtlFreeUnicodeString(&SidString);
205 }
206}
207
208/* PUBLIC FUNCTIONS ***********************************************************/
209
214VOID
217{
218 UNICODE_STRING SidString;
219 PSID OwnerSid, GroupSid;
220 PACL Dacl, Sacl;
221
222 /* Don't dump anything if no SD was provided */
224 {
225 return;
226 }
227
228 /* Cache the necessary security buffers to dump info from */
233
234 DbgPrint("================== SECURITY DESCRIPTOR DUMP INFO ==================\n");
235 DbgPrint("SecurityDescriptor -> 0x%p\n", SecurityDescriptor);
236 DbgPrint("SecurityDescriptor->Revision -> %u\n", SecurityDescriptor->Revision);
237 DbgPrint("SecurityDescriptor->Control:\n");
239
240 /* Dump the Owner SID if the SD belongs to an owner */
241 if (OwnerSid)
242 {
243 RtlConvertSidToUnicodeString(&SidString, OwnerSid, TRUE);
244 DbgPrint("SD Owner SID -> %wZ\n", &SidString);
245 RtlFreeUnicodeString(&SidString);
246 }
247
248 /* Dump the Group SID if the SD belongs to a group */
249 if (GroupSid)
250 {
251 RtlConvertSidToUnicodeString(&SidString, GroupSid, TRUE);
252 DbgPrint("SD Group SID -> %wZ\n", &SidString);
253 RtlFreeUnicodeString(&SidString);
254 }
255
256 /* Dump the ACL contents of SACL if this SD has one */
257 if (Sacl)
258 {
260 }
261
262 /* Dump the ACL contents of DACL if this SD has one */
263 if (Dacl)
264 {
266 }
267}
268
273VOID
276{
277 UNICODE_STRING SidString;
278
279 /* Don't dump anything if no token was provided */
280 if (!Token)
281 {
282 return;
283 }
284
285 /* Dump relevant token info */
286 DbgPrint("================== ACCESS TOKEN DUMP INFO ==================\n");
287 DbgPrint("Token -> 0x%p\n", Token);
288 DbgPrint("Token->ImageFileName -> %s\n", Token->ImageFileName);
289 DbgPrint("Token->TokenSource.SourceName -> \"%-.*s\"\n",
290 RTL_NUMBER_OF(Token->TokenSource.SourceName),
291 Token->TokenSource.SourceName);
292 DbgPrint("Token->TokenSource.SourceIdentifier -> %lu.%lu\n",
293 Token->TokenSource.SourceIdentifier.HighPart,
294 Token->TokenSource.SourceIdentifier.LowPart);
295
296 RtlConvertSidToUnicodeString(&SidString, Token->PrimaryGroup, TRUE);
297 DbgPrint("Token primary group SID -> %wZ\n", &SidString);
298 RtlFreeUnicodeString(&SidString);
299
300 DbgPrint("Token user and groups SIDs:\n");
301 SepDumpSidsOfToken(Token->UserAndGroups, Token->UserAndGroupCount);
302
304 {
305 DbgPrint("Token restricted SIDs:\n");
306 SepDumpSidsOfToken(Token->RestrictedSids, Token->RestrictedSidCount);
307 }
308}
309
314VOID
316 _In_opt_ PACCESS_CHECK_RIGHTS AccessRights)
317{
318 /* Don't dump anything if no access check rights list was provided */
319 if (!AccessRights)
320 {
321 return;
322 }
323
324 DbgPrint("================== ACCESS CHECK RIGHTS STATISTICS ==================\n");
325 DbgPrint("Remaining access rights -> 0x%08lx\n", AccessRights->RemainingAccessRights);
326 DbgPrint("Granted access rights -> 0x%08lx\n", AccessRights->GrantedAccessRights);
327 DbgPrint("Denied access rights -> 0x%08lx\n", AccessRights->DeniedAccessRights);
328}
329
330/* EOF */
unsigned char BOOLEAN
#define RTL_NUMBER_OF(x)
Definition: RtlRegistry.c:12
LONG NTSTATUS
Definition: precomp.h:26
@ Ace
Definition: card.h:12
#define TRUE
Definition: types.h:120
#define FALSE
Definition: types.h:117
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
static const ACEFLAG AceFlags[]
Definition: security.c:2423
static const ACEFLAG AceType[]
Definition: security.c:2382
Status
Definition: gdiplustypes.h:25
#define DbgPrint
Definition: hal.h:12
unsigned int ULONG
Definition: retypes.h:1
WORD SECURITY_DESCRIPTOR_CONTROL
Definition: lsa.idl:37
#define ASSERT(a)
Definition: mode.c:44
#define _In_
Definition: ms_sal.h:308
#define _In_opt_
Definition: ms_sal.h:309
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1593
NTSYSAPI NTSTATUS NTAPI RtlGetAce(PACL Acl, ULONG AceIndex, PVOID *Ace)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL Sacl
Definition: rtlfuncs.h:1595
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1133
NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
NTSYSAPI NTSTATUS NTAPI RtlConvertSidToUnicodeString(OUT PUNICODE_STRING DestinationString, IN PVOID Sid, IN BOOLEAN AllocateDestinationString)
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:99
FORCEINLINE PACL SepGetSaclFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:141
FORCEINLINE PSID SepGetGroupFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:79
FORCEINLINE PACL SepGetDaclFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:119
PSID NTAPI SepGetSidFromAce(_In_ UCHAR AceType, _In_ PACE Ace)
Captures a security identifier from a given access control entry. This identifier is valid for the wh...
Definition: sid.c:579
#define SD_CONTROL_PRINT(x)
#define TOSTR(x)
static VOID SepDumpAclInfo(_In_ PACL Acl, _In_ BOOLEAN IsSacl)
Dumps debug info of an Access Control List (ACL).
Definition: debug.c:138
#define ACE_FLAG_PRINT(x)
static VOID SepDumpSdControlInfo(_In_ SECURITY_DESCRIPTOR_CONTROL SdControl)
Dumps control flags of a security descriptor to the debugger.
Definition: debug.c:158
VOID SepDumpTokenDebugInfo(_In_opt_ PTOKEN Token)
Dumps debug information of an access token to the debugger.
Definition: debug.c:274
static VOID SepDumpAces(_In_ PACL Acl)
Iterates and dumps each ACE debug info in an ACL.
Definition: debug.c:89
static VOID SepDumpSidsOfToken(_In_ PSID_AND_ATTRIBUTES Sids, _In_ ULONG SidCount)
Dumps each security identifier (SID) of an access token to debugger.
Definition: debug.c:192
static PCSTR SepGetAceTypeString(_In_ UCHAR AceType)
Converts an Access Control Entry (ACE) type to a string.
Definition: debug.c:27
VOID SepDumpSdDebugInfo(_In_opt_ PISECURITY_DESCRIPTOR SecurityDescriptor)
Dumps debug information of a security descriptor to the debugger.
Definition: debug.c:215
VOID SepDumpAccessRightsStats(_In_opt_ PACCESS_CHECK_RIGHTS AccessRights)
Dumps security access rights to the debugger.
Definition: debug.c:315
static VOID SepDumpAceFlags(_In_ UCHAR AceFlags)
Dumps the ACE flags to the debugger output.
Definition: debug.c:66
BOOLEAN NTAPI SeTokenIsRestricted(_In_ PACCESS_TOKEN Token)
Determines if a token is restricted or not, based upon the token flags.
Definition: token.c:1913
Definition: rtltypes.h:993
#define INHERITED_ACE
Definition: ph.h:47
const char * PCSTR
Definition: typedefs.h:52
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191
_In_ ULONG AceIndex
Definition: rtlfuncs.h:1862
#define CONTAINER_INHERIT_ACE
Definition: setypes.h:747
#define INHERIT_ONLY_ACE
Definition: setypes.h:749
#define SE_OWNER_DEFAULTED
Definition: setypes.h:815
#define ACCESS_DENIED_CALLBACK_ACE_TYPE
Definition: setypes.h:733
#define SE_SACL_PROTECTED
Definition: setypes.h:828
#define SE_DACL_DEFAULTED
Definition: setypes.h:818
#define SE_DACL_PROTECTED
Definition: setypes.h:827
#define SE_DACL_AUTO_INHERITED
Definition: setypes.h:825
#define SE_SERVER_SECURITY
Definition: setypes.h:822
#define ACCESS_DENIED_OBJECT_ACE_TYPE
Definition: setypes.h:726
#define SYSTEM_AUDIT_ACE_TYPE
Definition: setypes.h:719
#define ACCESS_ALLOWED_ACE_TYPE
Definition: setypes.h:717
#define ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE
Definition: setypes.h:734
#define SE_DACL_AUTO_INHERIT_REQ
Definition: setypes.h:823
#define SE_SELF_RELATIVE
Definition: setypes.h:830
#define SE_SACL_DEFAULTED
Definition: setypes.h:820
#define SE_SACL_AUTO_INHERITED
Definition: setypes.h:826
#define SYSTEM_ALARM_CALLBACK_ACE_TYPE
Definition: setypes.h:737
#define SYSTEM_ALARM_ACE_TYPE
Definition: setypes.h:720
#define OBJECT_INHERIT_ACE
Definition: setypes.h:746
#define SE_DACL_UNTRUSTED
Definition: setypes.h:821
#define SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE
Definition: setypes.h:738
#define NO_PROPAGATE_INHERIT_ACE
Definition: setypes.h:748
#define ACCESS_DENIED_ACE_TYPE
Definition: setypes.h:718
#define SE_SACL_PRESENT
Definition: setypes.h:819
#define SYSTEM_AUDIT_CALLBACK_ACE_TYPE
Definition: setypes.h:736
#define SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE
Definition: setypes.h:739
#define SYSTEM_MANDATORY_LABEL_ACE_TYPE
Definition: setypes.h:741
#define SE_SACL_AUTO_INHERIT_REQ
Definition: setypes.h:824
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE
Definition: setypes.h:725
#define ACCESS_ALLOWED_COMPOUND_ACE_TYPE
Definition: setypes.h:722
#define SE_GROUP_DEFAULTED
Definition: setypes.h:816
#define SYSTEM_ALARM_OBJECT_ACE_TYPE
Definition: setypes.h:728
#define ACCESS_ALLOWED_CALLBACK_ACE_TYPE
Definition: setypes.h:732
#define SE_RM_CONTROL_VALID
Definition: setypes.h:829
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE
Definition: setypes.h:727
#define ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE
Definition: setypes.h:735
#define SE_DACL_PRESENT
Definition: setypes.h:817
unsigned char UCHAR
Definition: xmlstorage.h:181