ReactOS 0.4.16-dev-401-g45b008d
semgr.c File Reference
#include <ntoskrnl.h>
#include <debug.h>
Include dependency graph for semgr.c:

Go to the source code of this file.

Macros

#define NDEBUG
 

Functions

static BOOLEAN SepInitExports (VOID)
 Initializes all the security exports upon initialization phase of the module.
 
BOOLEAN NTAPI SepInitializationPhase0 (VOID)
 Handles the phase 0 procedure of the SRM initialization.
 
BOOLEAN NTAPI SepInitializationPhase1 (VOID)
 Handles the phase 1 procedure of the SRM initialization.
 
BOOLEAN NTAPI SeInitSystem (VOID)
 Main security manager initialization function.
 
NTSTATUS NTAPI SeDefaultObjectMethod (_In_ PVOID Object, _In_ SECURITY_OPERATION_CODE OperationType, _In_ PSECURITY_INFORMATION SecurityInformation, _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Inout_opt_ PULONG ReturnLength, _Inout_ PSECURITY_DESCRIPTOR *OldSecurityDescriptor, _In_ POOL_TYPE PoolType, _In_ PGENERIC_MAPPING GenericMapping)
 Internal function that is responsible for querying, deleting, assigning and setting a security descriptor for an object in the NT kernel. It is the default security method for objects regarding the security context of objects.
 
VOID NTAPI SeQuerySecurityAccessMask (_In_ SECURITY_INFORMATION SecurityInformation, _Out_ PACCESS_MASK DesiredAccess)
 Queries the access mask from a security information context.
 
VOID NTAPI SeSetSecurityAccessMask (_In_ SECURITY_INFORMATION SecurityInformation, _Out_ PACCESS_MASK DesiredAccess)
 Sets the access mask for a security information context.
 
NTSTATUS NTAPI SeReportSecurityEvent (_In_ ULONG Flags, _In_ PUNICODE_STRING SourceName, _In_opt_ PSID UserSid, _In_ PSE_ADT_PARAMETER_ARRAY AuditParameters)
 Report a security event to the security manager.
 
_Const_ NTSTATUS NTAPI SeSetAuditParameter (_Inout_ PSE_ADT_PARAMETER_ARRAY AuditParameters, _In_ SE_ADT_PARAMETER_TYPE Type, _In_range_(<, SE_MAX_AUDIT_PARAMETERS) ULONG Index, _In_reads_(_Inexpressible_("depends on SE_ADT_PARAMETER_TYPE")) PVOID Data)
 Sets an array of audit parameters for later security auditing use.
 

Variables

PTOKEN SeAnonymousLogonToken = NULL
 
PTOKEN SeAnonymousLogonTokenNoEveryone = NULL
 
PSE_EXPORTS SeExports = NULL
 
SE_EXPORTS SepExports
 
ULONG SidInTokenCalls = 0
 
ULONG ExpInitializationPhase
 
ERESOURCE SepSubjectContextLock
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 14 of file semgr.c.

Function Documentation

◆ SeDefaultObjectMethod()

NTSTATUS NTAPI SeDefaultObjectMethod ( _In_ PVOID  Object,
_In_ SECURITY_OPERATION_CODE  OperationType,
_In_ PSECURITY_INFORMATION  SecurityInformation,
_Inout_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_Inout_opt_ PULONG  ReturnLength,
_Inout_ PSECURITY_DESCRIPTOR OldSecurityDescriptor,
_In_ POOL_TYPE  PoolType,
_In_ PGENERIC_MAPPING  GenericMapping 
)

Internal function that is responsible for querying, deleting, assigning and setting a security descriptor for an object in the NT kernel. It is the default security method for objects regarding the security context of objects.

Parameters
[in]ObjectThe object that has the default security method, which the function has been called upon.
[in]OperationTypeOperation type to perform to that object.
[in]SecurityInformationAuxiliary security information of the object.
[in,out]SecurityDescriptorA security descriptor. This SD is used accordingly to the operation type requested by the caller.
[in,out]ReturnLengthThe length size of the queried security descriptor, in bytes.
[in,out]OldSecurityDescriptorThe old SD that belonged to the object, in case we're either deleting or replacing it.
[in]PoolTypePool type allocation for the security descriptor.
[in]GenericMappingThe generic mapping of access rights masks for the object.
Returns
Returns STATUS_SUCCESS if the specific operation tasked has been completed. Otherwise a failure NTSTATUS code is returned.

Definition at line 351 of file semgr.c.

360{
361 PAGED_CODE();
362
363 /* Select the operation type */
364 switch (OperationType)
365 {
366 /* Setting a new descriptor */
367 case SetSecurityDescriptor:
368
369 /* Sanity check */
371
372 /* Set the information */
376 OldSecurityDescriptor,
377 PoolType,
379
380 case QuerySecurityDescriptor:
381
382 /* Query the information */
387 OldSecurityDescriptor);
388
389 case DeleteSecurityDescriptor:
390
391 /* De-assign it */
392 return ObDeassignSecurity(OldSecurityDescriptor);
393
394 case AssignSecurityDescriptor:
395
396 /* Assign it */
398 return STATUS_SUCCESS;
399
400 default:
401
402 /* Bug check */
403 KeBugCheckEx(SECURITY_SYSTEM, 0, STATUS_INVALID_PARAMETER, 0, 0);
404 }
405
406 /* Should never reach here */
407 ASSERT(FALSE);
408 return STATUS_SUCCESS;
409}
#define PAGED_CODE()
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
#define FALSE
Definition: types.h:117
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
Definition: dumpinfo.c:43
#define NonPagedPool
Definition: env_spec_w32.h:307
#define PagedPool
Definition: env_spec_w32.h:308
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1340
#define ASSERT(a)
Definition: mode.c:44
NTSTATUS NTAPI ObDeassignSecurity(IN OUT PSECURITY_DESCRIPTOR *SecurityDescriptor)
Definition: obsecure.c:60
NTSTATUS NTAPI ObAssignObjectSecurityDescriptor(IN PVOID Object, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN POOL_TYPE PoolType)
Definition: obsecure.c:20
NTSTATUS NTAPI ObSetSecurityDescriptorInfo(IN PVOID Object, IN PSECURITY_INFORMATION SecurityInformation, IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR *OutputSecurityDescriptor, IN POOL_TYPE PoolType, IN PGENERIC_MAPPING GenericMapping)
Definition: obsecure.c:117
NTSTATUS NTAPI ObQuerySecurityDescriptorInfo(IN PVOID Object, IN PSECURITY_INFORMATION SecurityInformation, OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN OUT PULONG Length, IN PSECURITY_DESCRIPTOR *OutputSecurityDescriptor)
Definition: obsecure.c:85
VOID NTAPI KeBugCheckEx(_In_ ULONG BugCheckCode, _In_ ULONG_PTR BugCheckParameter1, _In_ ULONG_PTR BugCheckParameter2, _In_ ULONG_PTR BugCheckParameter3, _In_ ULONG_PTR BugCheckParameter4)
Definition: rtlcompat.c:108
#define STATUS_SUCCESS
Definition: shellext.h:65
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ _Strict_type_match_ POOL_TYPE PoolType
Definition: wdfdevice.h:3815
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191

◆ SeInitSystem()

BOOLEAN NTAPI SeInitSystem ( VOID  )

Main security manager initialization function.

Returns
Returns a boolean value according to the phase initialization routine that handles it. If TRUE, the routine deems the initialization phase as complete, FALSE otherwise.

Definition at line 285 of file semgr.c.

286{
287 /* Check the initialization phase */
289 {
290 case 0:
291
292 /* Do Phase 0 */
294
295 case 1:
296
297 /* Do Phase 1 */
299
300 default:
301
302 /* Don't know any other phase! Bugcheck! */
303 KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
304 0,
306 0,
307 0);
308 return FALSE;
309 }
310}
ULONG ExpInitializationPhase
Definition: init.c:68
BOOLEAN NTAPI SepInitializationPhase1(VOID)
Handles the phase 1 procedure of the SRM initialization.
Definition: semgr.c:168
BOOLEAN NTAPI SepInitializationPhase0(VOID)
Handles the phase 0 procedure of the SRM initialization.
Definition: semgr.c:115

Referenced by ExpInitializeExecutive(), and Phase1InitializationDiscard().

◆ SepInitExports()

static BOOLEAN SepInitExports ( VOID  )
static

Initializes all the security exports upon initialization phase of the module.

Returns
Returns TRUE.

Definition at line 41 of file semgr.c.

42{
66
91
98
100 return TRUE;
101}
static const LUID SeCreateGlobalPrivilege
Definition: authpackage.c:168
static const LUID SeChangeNotifyPrivilege
Definition: authpackage.c:167
static const LUID SeImpersonatePrivilege
Definition: authpackage.c:169
#define TRUE
Definition: types.h:120
PSID SeLocalSystemSid
Definition: sid.c:38
const LUID SeDebugPrivilege
Definition: priv.c:39
PSID SeAliasAccountOpsSid
Definition: sid.c:45
const LUID SeSyncAgentPrivilege
Definition: priv.c:45
const LUID SeSystemProfilePrivilege
Definition: priv.c:30
const LUID SeCreateTokenPrivilege
Definition: priv.c:21
PSID SeRestrictedSid
Definition: sid.c:50
const LUID SeBackupPrivilege
Definition: priv.c:36
const LUID SeAssignPrimaryTokenPrivilege
Definition: priv.c:22
PSID SeNetworkServiceSid
Definition: sid.c:53
PSID SeBatchSid
Definition: sid.c:34
const LUID SeSystemtimePrivilege
Definition: priv.c:31
PSID SeAliasAdminsSid
Definition: sid.c:41
PSID SeAnonymousLogonSid
Definition: se.h:213
const LUID SeTcbPrivilege
Definition: priv.c:26
PSID SeAliasPowerUsersSid
Definition: sid.c:44
PSID SeInteractiveSid
Definition: sid.c:35
PSID SeWorldSid
Definition: sid.c:25
const LUID SeManageVolumePrivilege
Definition: priv.c:47
const LUID SeRestorePrivilege
Definition: priv.c:37
PSID SeNetworkSid
Definition: sid.c:33
PSID SeCreatorGroupSid
Definition: sid.c:28
PSID SeNtAuthoritySid
Definition: sid.c:31
const LUID SeRemoteShutdownPrivilege
Definition: priv.c:43
const LUID SeLoadDriverPrivilege
Definition: priv.c:29
const LUID SeIncreaseBasePriorityPrivilege
Definition: priv.c:33
const LUID SeLockMemoryPrivilege
Definition: priv.c:23
const LUID SeCreatePermanentPrivilege
Definition: priv.c:35
PSID SeLocalSid
Definition: sid.c:26
PSID SeDialupSid
Definition: sid.c:32
const LUID SeUndockPrivilege
Definition: priv.c:44
const LUID SeCreatePagefilePrivilege
Definition: priv.c:34
PSID SeCreatorOwnerSid
Definition: sid.c:27
const LUID SeTakeOwnershipPrivilege
Definition: priv.c:28
const LUID SeProfileSingleProcessPrivilege
Definition: priv.c:32
const LUID SeShutdownPrivilege
Definition: priv.c:38
const LUID SeSystemEnvironmentPrivilege
Definition: priv.c:41
PSID SeAliasUsersSid
Definition: sid.c:42
const LUID SeSecurityPrivilege
Definition: priv.c:27
const LUID SeUnsolicitedInputPrivilege
Definition: priv.c:25
PSID SeAliasBackupOpsSid
Definition: sid.c:48
const LUID SeEnableDelegationPrivilege
Definition: priv.c:46
PSID SeAuthenticatedUsersSid
Definition: sid.c:49
PSID SeAliasGuestsSid
Definition: sid.c:43
PSID SeAliasSystemOpsSid
Definition: sid.c:46
const LUID SeAuditPrivilege
Definition: priv.c:40
PSID SeAliasPrintOpsSid
Definition: sid.c:47
const LUID SeIncreaseQuotaPrivilege
Definition: priv.c:24
PSID SeLocalServiceSid
Definition: sid.c:52
PSID SeNullSid
Definition: sid.c:24
PSE_EXPORTS SeExports
Definition: semgr.c:21
SE_EXPORTS SepExports
Definition: semgr.c:22
PSID SeInteractiveSid
Definition: setypes.h:1227
PSID SeCreatorGroupSid
Definition: setypes.h:1222
LUID SeUnsolicitedInputPrivilege
Definition: setypes.h:1199
LUID SeIncreaseBasePriorityPrivilege
Definition: setypes.h:1205
LUID SeAssignPrimaryTokenPrivilege
Definition: setypes.h:1196
PSID SeAliasAdminsSid
Definition: setypes.h:1229
LUID SeUndockPrivilege
Definition: setypes.h:1240
LUID SeLoadDriverPrivilege
Definition: setypes.h:1203
LUID SeLockMemoryPrivilege
Definition: setypes.h:1197
PSID SeAliasUsersSid
Definition: setypes.h:1230
PSID SeNetworkSid
Definition: setypes.h:1225
LUID SeProfileSingleProcessPrivilege
Definition: setypes.h:1208
LUID SeIncreaseQuotaPrivilege
Definition: setypes.h:1198
PSID SeNullSid
Definition: setypes.h:1218
LUID SeEnableDelegationPrivilege
Definition: setypes.h:1242
PSID SeAliasSystemOpsSid
Definition: setypes.h:1234
PSID SeCreatorOwnerSid
Definition: setypes.h:1221
LUID SeAuditPrivilege
Definition: setypes.h:1214
LUID SeRestorePrivilege
Definition: setypes.h:1211
LUID SeTakeOwnershipPrivilege
Definition: setypes.h:1202
LUID SeSystemtimePrivilege
Definition: setypes.h:1207
LUID SeSecurityPrivilege
Definition: setypes.h:1201
PSID SeAliasGuestsSid
Definition: setypes.h:1231
PSID SeAuthenticatedUsersSid
Definition: setypes.h:1237
PSID SeAliasPrintOpsSid
Definition: setypes.h:1235
LUID SeTcbPrivilege
Definition: setypes.h:1200
LUID SeSystemProfilePrivilege
Definition: setypes.h:1206
PSID SeDialupSid
Definition: setypes.h:1224
PSID SeAnonymousLogonSid
Definition: setypes.h:1239
LUID SeBackupPrivilege
Definition: setypes.h:1210
PSID SeRestrictedSid
Definition: setypes.h:1238
PSID SeAliasAccountOpsSid
Definition: setypes.h:1233
PSID SeLocalSid
Definition: setypes.h:1220
LUID SeDebugPrivilege
Definition: setypes.h:1213
PSID SeNetworkServiceSid
Definition: setypes.h:1244
LUID SeCreateGlobalPrivilege
Definition: setypes.h:1247
LUID SeCreatePagefilePrivilege
Definition: setypes.h:1204
LUID SeShutdownPrivilege
Definition: setypes.h:1212
PSID SeWorldSid
Definition: setypes.h:1219
LUID SeImpersonatePrivilege
Definition: setypes.h:1246
PSID SeNtAuthoritySid
Definition: setypes.h:1223
LUID SeChangeNotifyPrivilege
Definition: setypes.h:1216
PSID SeBatchSid
Definition: setypes.h:1226
PSID SeAliasBackupOpsSid
Definition: setypes.h:1236
LUID SeSyncAgentPrivilege
Definition: setypes.h:1241
LUID SeSystemEnvironmentPrivilege
Definition: setypes.h:1215
LUID SeCreateTokenPrivilege
Definition: setypes.h:1195
PSID SeLocalServiceSid
Definition: setypes.h:1243
PSID SeAliasPowerUsersSid
Definition: setypes.h:1232
LUID SeManageVolumePrivilege
Definition: setypes.h:1245
PSID SeLocalSystemSid
Definition: setypes.h:1228
LUID SeCreatePermanentPrivilege
Definition: setypes.h:1209
LUID SeRemoteShutdownPrivilege
Definition: setypes.h:1217

Referenced by SepInitializationPhase0().

◆ SepInitializationPhase0()

BOOLEAN NTAPI SepInitializationPhase0 ( VOID  )

Handles the phase 0 procedure of the SRM initialization.

Returns
Returns TRUE if the phase 0 initialization has succeeded and that we can proceed further with next initialization phase, FALSE otherwise.

Definition at line 115 of file semgr.c.

116{
117 PAGED_CODE();
118
119 if (!ExLuidInitialization()) return FALSE;
120 if (!SepInitSecurityIDs()) return FALSE;
121 if (!SepInitDACLs()) return FALSE;
122 if (!SepInitSDs()) return FALSE;
124 if (!SepInitExports()) return FALSE;
125
126 /* Initialize the subject context lock */
128
129 /* Initialize token objects */
131
132 /* Initialize logon sessions */
133 if (!SeRmInitPhase0()) return FALSE;
134
135 /* Clear impersonation info for the idle thread */
136 PsGetCurrentThread()->ImpersonationInfo = NULL;
139
140 /* Initialize the boot token */
144
145 /* Initialise the anonymous logon tokens */
148 return FALSE;
149
152 return FALSE;
153
154 return TRUE;
155}
#define NULL
Definition: types.h:112
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
#define CT_ACTIVE_IMPERSONATION_INFO_BIT
Definition: pstypes.h:242
BOOLEAN NTAPI ExLuidInitialization(VOID)
Definition: uuid.c:325
VOID NTAPI SepInitializeTokenImplementation(VOID)
Internal function that initializes critical kernel data for access token implementation in SRM.
Definition: token.c:1649
PTOKEN NTAPI SepCreateSystemProcessToken(VOID)
Creates the system process token.
Definition: token.c:1753
BOOLEAN NTAPI SeRmInitPhase0(VOID)
Manages the phase 0 initialization of the security reference monitoring module of the kernel.
Definition: srm.c:176
PTOKEN SepCreateSystemAnonymousLogonTokenNoEveryone(VOID)
Creates the anonymous logon token for the system. This kind of token doesn't include the everyone SID...
Definition: token.c:1938
BOOLEAN NTAPI SepInitSecurityIDs(VOID)
Initializes all the SIDs known in the system.
Definition: sid.c:115
BOOLEAN NTAPI SepInitDACLs(VOID)
Initializes known discretionary access control lists in the system upon kernel and Executive initiali...
Definition: acl.c:38
PTOKEN SepCreateSystemAnonymousLogonToken(VOID)
Creates the anonymous logon token for the system. The difference between this token and the other one...
Definition: token.c:1868
BOOLEAN NTAPI SepInitSDs(VOID)
Initializes the known security descriptors in the system.
Definition: sd.c:37
VOID NTAPI SepInitPrivileges(VOID)
Initializes the privileges during the startup phase of the security manager module....
Definition: priv.c:71
VOID FASTCALL ObInitializeFastReference(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:107
#define PspClearCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:27
PTOKEN SeAnonymousLogonToken
Definition: semgr.c:19
PTOKEN SeAnonymousLogonTokenNoEveryone
Definition: semgr.c:20
static BOOLEAN SepInitExports(VOID)
Initializes all the security exports upon initialization phase of the module.
Definition: semgr.c:41
ERESOURCE SepSubjectContextLock
Definition: subject.c:16
#define ExInitializeResource
Definition: exfuncs.h:346
#define PsGetCurrentProcess
Definition: psfuncs.h:17

Referenced by SeInitSystem().

◆ SepInitializationPhase1()

BOOLEAN NTAPI SepInitializationPhase1 ( VOID  )

Handles the phase 1 procedure of the SRM initialization.

Returns
Returns TRUE if the phase 1 initialization has succeeded, FALSE otherwise.

Definition at line 168 of file semgr.c.

169{
172 HANDLE SecurityHandle;
176 PACL Dacl;
177 ULONG DaclLength;
178
179 PAGED_CODE();
180
181 /* Insert the system token into the tree */
184 NULL,
185 0,
186 0,
187 NULL,
188 NULL);
190
191 /* Create a security descriptor for the directory */
193
194 /* Setup the ACL */
195 DaclLength = sizeof(ACL) + 3 * sizeof(ACCESS_ALLOWED_ACE) +
200 if (Dacl == NULL)
201 {
202 return FALSE;
203 }
204
205 Status = RtlCreateAcl(Dacl, DaclLength, ACL_REVISION);
207
208 /* Grant full access to SYSTEM */
214
215 /* Allow admins to traverse and query */
221
222 /* Allow anyone to traverse */
226 SeWorldSid);
228
229 /* And link ACL and SD */
232
233 /* Create '\Security' directory */
234 RtlInitUnicodeString(&Name, L"\\Security");
236 &Name,
238 0,
240
241 Status = ZwCreateDirectoryObject(&SecurityHandle,
245
246 /* Free the DACL */
248
249 /* Create 'LSA_AUTHENTICATION_INITIALIZED' event */
250 RtlInitUnicodeString(&Name, L"LSA_AUTHENTICATION_INITIALIZED");
252 &Name,
254 SecurityHandle,
256
257 Status = ZwCreateEvent(&EventHandle,
261 FALSE);
263
266
267 Status = ZwClose(SecurityHandle);
269
270 return TRUE;
271}
struct NameRec_ * Name
Definition: cdprocs.h:460
LONG NTSTATUS
Definition: precomp.h:26
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:36
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:33
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
#define MAX_FAST_REFS
Definition: ex.h:136
Status
Definition: gdiplustypes.h:25
#define OBJ_CASE_INSENSITIVE
Definition: winternl.h:228
#define OBJ_PERMANENT
Definition: winternl.h:226
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1109
#define InitializeObjectAttributes(p, n, a, r, s)
Definition: reg.c:106
struct _ACL ACL
NTSYSAPI NTSTATUS NTAPI ZwClose(_In_ HANDLE Handle)
NTSYSAPI NTSTATUS NTAPI ZwCreateDirectoryObject(_Out_ PHANDLE DirectoryHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1605
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
#define DIRECTORY_QUERY
Definition: nt_native.h:1254
#define DIRECTORY_TRAVERSE
Definition: nt_native.h:1255
NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
#define READ_CONTROL
Definition: nt_native.h:58
#define DIRECTORY_ALL_ACCESS
Definition: nt_native.h:1259
#define GENERIC_WRITE
Definition: nt_native.h:90
@ NotificationEvent
PSECURITY_DESCRIPTOR SePublicDefaultSd
Definition: sd.c:16
#define L(x)
Definition: ntvdm.h:50
NTSTATUS NTAPI ObInsertObject(IN PVOID Object, IN PACCESS_STATE AccessState OPTIONAL, IN ACCESS_MASK DesiredAccess, IN ULONG ObjectPointerBias, OUT PVOID *NewObject OPTIONAL, OUT PHANDLE Handle)
Definition: obhandle.c:2935
#define TAG_SE
Definition: tag.h:150
uint32_t ULONG
Definition: typedefs.h:59
_Out_ PHANDLE EventHandle
Definition: iofuncs.h:857
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define ACL_REVISION
Definition: setypes.h:39

Referenced by SeInitSystem().

◆ SeQuerySecurityAccessMask()

VOID NTAPI SeQuerySecurityAccessMask ( _In_ SECURITY_INFORMATION  SecurityInformation,
_Out_ PACCESS_MASK  DesiredAccess 
)

Queries the access mask from a security information context.

Parameters
[in]SecurityInformationThe security information context where the access mask is to be gathered.
[out]DesiredAccessThe queried access mask right.
Returns
Nothing.

Definition at line 427 of file semgr.c.

430{
431 *DesiredAccess = 0;
432
435 {
437 }
438
440 {
442 }
443}
#define ACCESS_SYSTEM_SECURITY
Definition: nt_native.h:77
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2658
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125
#define OWNER_SECURITY_INFORMATION
Definition: setypes.h:123
#define GROUP_SECURITY_INFORMATION
Definition: setypes.h:124
#define SACL_SECURITY_INFORMATION
Definition: setypes.h:126

Referenced by NtQuerySecurityObject().

◆ SeReportSecurityEvent()

NTSTATUS NTAPI SeReportSecurityEvent ( _In_ ULONG  Flags,
_In_ PUNICODE_STRING  SourceName,
_In_opt_ PSID  UserSid,
_In_ PSE_ADT_PARAMETER_ARRAY  AuditParameters 
)

Report a security event to the security manager.

@unimplemented

Parameters
[in]FlagsFlags that influence how the event should be reported.
[in]SourceNameA Unicode string that represents the source name of the event.
[in]UserSidThe SID that represents a user that initiated the reporting.
[in]AuditParametersAn array of parameters for auditing purposes. This is used for reporting the event which the security manager will take care subsequently of doing eventual security auditing.
Returns
Returns STATUS_SUCCESS if the security event has been reported. STATUS_INVALID_PARAMETER is returned if one of the parameters do not satisfy the requirements expected by the function.

Definition at line 508 of file semgr.c.

513{
515 PTOKEN EffectiveToken;
516 PISID Sid;
518
519 /* Validate parameters */
520 if ((Flags != 0) ||
521 (SourceName == NULL) ||
522 (SourceName->Buffer == NULL) ||
523 (SourceName->Length == 0) ||
524 (AuditParameters == NULL) ||
525 (AuditParameters->ParameterCount > SE_MAX_AUDIT_PARAMETERS - 4))
526 {
528 }
529
530 /* Validate the source name */
532 if (!NT_SUCCESS(Status))
533 {
534 return Status;
535 }
536
537 /* Check if we have a user SID */
538 if (UserSid != NULL)
539 {
540 /* Validate it */
541 if (!RtlValidSid(UserSid))
542 {
544 }
545
546 /* Use the user SID */
547 Sid = UserSid;
548 }
549 else
550 {
551 /* No user SID, capture the security subject context */
553
554 /* Extract the effective token */
555 EffectiveToken = SubjectContext.ClientToken ?
556 SubjectContext.ClientToken : SubjectContext.PrimaryToken;
557
558 /* Use the user-and-groups SID */
559 Sid = EffectiveToken->UserAndGroups->Sid;
560 }
561
563
564 /* Check if we captured the subject context */
565 if (Sid != UserSid)
566 {
567 /* Release it */
569 }
570
571 /* Return success */
572 return STATUS_SUCCESS;
573}
WCHAR SourceName[256]
Definition: arping.c:28
#define UNIMPLEMENTED
Definition: ntoskrnl.c:15
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2246
NTSYSAPI BOOLEAN NTAPI RtlValidSid(IN PSID Sid)
Definition: sid.c:21
NTSYSAPI NTSTATUS NTAPI RtlValidateUnicodeString(_In_ ULONG Flags, _In_ PCUNICODE_STRING String)
Definition: unicode.c:2605
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1145
PSID_AND_ATTRIBUTES UserAndGroups
Definition: setypes.h:233
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: subject.c:171
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: subject.c:85
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170
#define SE_MAX_AUDIT_PARAMETERS
Definition: setypes.h:256

◆ SeSetAuditParameter()

_Const_ NTSTATUS NTAPI SeSetAuditParameter ( _Inout_ PSE_ADT_PARAMETER_ARRAY  AuditParameters,
_In_ SE_ADT_PARAMETER_TYPE  Type,
_In_range_(<, SE_MAX_AUDIT_PARAMETERS) ULONG  Index,
_In_reads_(_Inexpressible_("depends on SE_ADT_PARAMETER_TYPE")) PVOID  Data 
)

Sets an array of audit parameters for later security auditing use.

@unimplemented

Parameters
[in,out]AuditParametersAn array of audit parameters to be set.
[in]TypeThe type of audit parameters to be set.
[in]IndexIndex number that represents an instance of an audit parameters. Such index must be within the maximum range of audit parameters.
[in]DataAn arbitrary buffer data that is bounds to what kind of audit parameter type must be set.
Returns
To be added...

Definition at line 600 of file semgr.c.

605{
607 return STATUS_SUCCESS;
608}

◆ SeSetSecurityAccessMask()

VOID NTAPI SeSetSecurityAccessMask ( _In_ SECURITY_INFORMATION  SecurityInformation,
_Out_ PACCESS_MASK  DesiredAccess 
)

Sets the access mask for a security information context.

Parameters
[in]SecurityInformationThe security information context to apply a new access right.
[out]DesiredAccessThe returned access mask right.
Returns
Nothing.

Definition at line 460 of file semgr.c.

463{
464 *DesiredAccess = 0;
465
467 {
469 }
470
472 {
474 }
475
477 {
479 }
480}
#define WRITE_DAC
Definition: nt_native.h:59
#define WRITE_OWNER
Definition: nt_native.h:60

Referenced by NtSetSecurityObject().

Variable Documentation

◆ ExpInitializationPhase

◆ SeAnonymousLogonToken

PTOKEN SeAnonymousLogonToken = NULL

Definition at line 19 of file semgr.c.

Referenced by SepImpersonateAnonymousToken(), and SepInitializationPhase0().

◆ SeAnonymousLogonTokenNoEveryone

PTOKEN SeAnonymousLogonTokenNoEveryone = NULL

Definition at line 20 of file semgr.c.

Referenced by SepImpersonateAnonymousToken(), and SepInitializationPhase0().

◆ SeExports

◆ SepExports

SE_EXPORTS SepExports

Definition at line 22 of file semgr.c.

Referenced by SepInitExports().

◆ SepSubjectContextLock

ERESOURCE SepSubjectContextLock
extern

Definition at line 16 of file subject.c.

Referenced by SepInitializationPhase0().

◆ SidInTokenCalls

ULONG SidInTokenCalls = 0

Definition at line 23 of file semgr.c.