ReactOS  0.4.15-dev-3182-g7b62228
semgr.c File Reference
#include <ntoskrnl.h>
#include <debug.h>
Include dependency graph for semgr.c:

Go to the source code of this file.

Macros

#define NDEBUG
 

Functions

static BOOLEAN SepInitExports (VOID)
 Initializes all the security exports upon initialization phase of the module. More...
 
BOOLEAN NTAPI SepInitializationPhase0 (VOID)
 Handles the phase 0 procedure of the SRM initialization. More...
 
BOOLEAN NTAPI SepInitializationPhase1 (VOID)
 Handles the phase 1 procedure of the SRM initialization. More...
 
BOOLEAN NTAPI SeInitSystem (VOID)
 Main security manager initialization function. More...
 
NTSTATUS NTAPI SeDefaultObjectMethod (_In_ PVOID Object, _In_ SECURITY_OPERATION_CODE OperationType, _In_ PSECURITY_INFORMATION SecurityInformation, _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Inout_opt_ PULONG ReturnLength, _Inout_ PSECURITY_DESCRIPTOR *OldSecurityDescriptor, _In_ POOL_TYPE PoolType, _In_ PGENERIC_MAPPING GenericMapping)
 Internal function that is responsible for querying, deleting, assigning and setting a security descriptor for an object in the NT kernel. It is the default security method for objects regarding the security context of objects. More...
 
VOID NTAPI SeQuerySecurityAccessMask (_In_ SECURITY_INFORMATION SecurityInformation, _Out_ PACCESS_MASK DesiredAccess)
 Queries the access mask from a security information context. More...
 
VOID NTAPI SeSetSecurityAccessMask (_In_ SECURITY_INFORMATION SecurityInformation, _Out_ PACCESS_MASK DesiredAccess)
 Sets the access mask for a security information context. More...
 
NTSTATUS NTAPI SeReportSecurityEvent (_In_ ULONG Flags, _In_ PUNICODE_STRING SourceName, _In_opt_ PSID UserSid, _In_ PSE_ADT_PARAMETER_ARRAY AuditParameters)
 Report a security event to the security manager. More...
 
_Const_ NTSTATUS NTAPI SeSetAuditParameter (_Inout_ PSE_ADT_PARAMETER_ARRAY AuditParameters, _In_ SE_ADT_PARAMETER_TYPE Type, _In_range_(<, SE_MAX_AUDIT_PARAMETERS) ULONG Index, _In_reads_(_Inexpressible_("depends on SE_ADT_PARAMETER_TYPE")) PVOID Data)
 Sets an array of audit parameters for later security auditing use. More...
 

Variables

PTOKEN SeAnonymousLogonToken = NULL
 
PTOKEN SeAnonymousLogonTokenNoEveryone = NULL
 
PSE_EXPORTS SeExports = NULL
 
SE_EXPORTS SepExports
 
ULONG SidInTokenCalls = 0
 
ULONG ExpInitializationPhase
 
ERESOURCE SepSubjectContextLock
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 14 of file semgr.c.

Function Documentation

◆ SeDefaultObjectMethod()

NTSTATUS NTAPI SeDefaultObjectMethod ( _In_ PVOID  Object,
_In_ SECURITY_OPERATION_CODE  OperationType,
_In_ PSECURITY_INFORMATION  SecurityInformation,
_Inout_ PSECURITY_DESCRIPTOR  SecurityDescriptor,
_Inout_opt_ PULONG  ReturnLength,
_Inout_ PSECURITY_DESCRIPTOR OldSecurityDescriptor,
_In_ POOL_TYPE  PoolType,
_In_ PGENERIC_MAPPING  GenericMapping 
)

Internal function that is responsible for querying, deleting, assigning and setting a security descriptor for an object in the NT kernel. It is the default security method for objects regarding the security context of objects.

Parameters
[in]ObjectThe object that has the default security method, which the function has been called upon.
[in]OperationTypeOperation type to perform to that object.
[in]SecurityInformationAuxiliary security information of the object.
[in,out]SecurityDescriptorA security descriptor. This SD is used accordingly to the operation type requested by the caller.
[in,out]ReturnLengthThe length size of the queried security descriptor, in bytes.
[in,out]OldSecurityDescriptorThe old SD that belonged to the object, in case we're either deleting or replacing it.
[in]PoolTypePool type allocation for the security descriptor.
[in]GenericMappingThe generic mapping of access rights masks for the object.
Returns
Returns STATUS_SUCCESS if the specific operation tasked has been completed. Otherwise a failure NTSTATUS code is returned.

Definition at line 351 of file semgr.c.

360 {
361  PAGED_CODE();
362 
363  /* Select the operation type */
364  switch (OperationType)
365  {
366  /* Setting a new descriptor */
367  case SetSecurityDescriptor:
368 
369  /* Sanity check */
371 
372  /* Set the information */
376  OldSecurityDescriptor,
377  PoolType,
379 
380  case QuerySecurityDescriptor:
381 
382  /* Query the information */
386  ReturnLength,
387  OldSecurityDescriptor);
388 
389  case DeleteSecurityDescriptor:
390 
391  /* De-assign it */
392  return ObDeassignSecurity(OldSecurityDescriptor);
393 
394  case AssignSecurityDescriptor:
395 
396  /* Assign it */
398  return STATUS_SUCCESS;
399 
400  default:
401 
402  /* Bug check */
403  KeBugCheckEx(SECURITY_SYSTEM, 0, STATUS_INVALID_PARAMETER, 0, 0);
404  }
405 
406  /* Should never reach here */
407  ASSERT(FALSE);
408  return STATUS_SUCCESS;
409 }
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
Definition: dumpinfo.c:39
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
#define FALSE
Definition: types.h:117
NTSTATUS NTAPI ObSetSecurityDescriptorInfo(IN PVOID Object, IN PSECURITY_INFORMATION SecurityInformation, IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR *OutputSecurityDescriptor, IN POOL_TYPE PoolType, IN PGENERIC_MAPPING GenericMapping)
Definition: obsecure.c:117
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1339
#define ASSERT(a)
Definition: mode.c:44
NTSTATUS NTAPI ObQuerySecurityDescriptorInfo(IN PVOID Object, IN PSECURITY_INFORMATION SecurityInformation, OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN OUT PULONG Length, IN PSECURITY_DESCRIPTOR *OutputSecurityDescriptor)
Definition: obsecure.c:85
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
NTSTATUS NTAPI ObDeassignSecurity(IN OUT PSECURITY_DESCRIPTOR *SecurityDescriptor)
Definition: obsecure.c:60
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
NTSTATUS NTAPI ObAssignObjectSecurityDescriptor(IN PVOID Object, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN POOL_TYPE PoolType)
Definition: obsecure.c:20
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ _Strict_type_match_ POOL_TYPE PoolType
Definition: wdfdevice.h:3810
#define STATUS_SUCCESS
Definition: shellext.h:65
VOID NTAPI KeBugCheckEx(_In_ ULONG BugCheckCode, _In_ ULONG_PTR BugCheckParameter1, _In_ ULONG_PTR BugCheckParameter2, _In_ ULONG_PTR BugCheckParameter3, _In_ ULONG_PTR BugCheckParameter4)
Definition: rtlcompat.c:108
#define PAGED_CODE()

◆ SeInitSystem()

BOOLEAN NTAPI SeInitSystem ( VOID  )

Main security manager initialization function.

Returns
Returns a boolean value according to the phase initialization routine that handles it. If TRUE, the routine deems the initialization phase as complete, FALSE otherwise.

Definition at line 285 of file semgr.c.

286 {
287  /* Check the initialization phase */
288  switch (ExpInitializationPhase)
289  {
290  case 0:
291 
292  /* Do Phase 0 */
293  return SepInitializationPhase0();
294 
295  case 1:
296 
297  /* Do Phase 1 */
298  return SepInitializationPhase1();
299 
300  default:
301 
302  /* Don't know any other phase! Bugcheck! */
303  KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
304  0,
306  0,
307  0);
308  return FALSE;
309  }
310 }
BOOLEAN NTAPI SepInitializationPhase0(VOID)
Handles the phase 0 procedure of the SRM initialization.
Definition: semgr.c:115
#define FALSE
Definition: types.h:117
ULONG ExpInitializationPhase
Definition: init.c:66
BOOLEAN NTAPI SepInitializationPhase1(VOID)
Handles the phase 1 procedure of the SRM initialization.
Definition: semgr.c:168
VOID NTAPI KeBugCheckEx(_In_ ULONG BugCheckCode, _In_ ULONG_PTR BugCheckParameter1, _In_ ULONG_PTR BugCheckParameter2, _In_ ULONG_PTR BugCheckParameter3, _In_ ULONG_PTR BugCheckParameter4)
Definition: rtlcompat.c:108

Referenced by ExpInitializeExecutive(), and Phase1InitializationDiscard().

◆ SepInitExports()

static BOOLEAN SepInitExports ( VOID  )
static

Initializes all the security exports upon initialization phase of the module.

Returns
Returns TRUE.

Definition at line 41 of file semgr.c.

42 {
66 
91 
98 
100  return TRUE;
101 }
PSID SeAliasBackupOpsSid
Definition: setypes.h:1201
PSID SeAliasAdminsSid
Definition: setypes.h:1194
const LUID SeSystemEnvironmentPrivilege
Definition: priv.c:39
const LUID SeRemoteShutdownPrivilege
Definition: priv.c:41
LUID SeEnableDelegationPrivilege
Definition: setypes.h:1207
LUID SeShutdownPrivilege
Definition: setypes.h:1177
LUID SeManageVolumePrivilege
Definition: setypes.h:1210
const LUID SeSystemtimePrivilege
Definition: priv.c:29
const LUID SeIncreaseQuotaPrivilege
Definition: priv.c:22
const LUID SeCreateTokenPrivilege
Definition: priv.c:19
const LUID SeCreatePermanentPrivilege
Definition: priv.c:33
const LUID SeDebugPrivilege
Definition: priv.c:37
const LUID SeBackupPrivilege
Definition: priv.c:34
#define TRUE
Definition: types.h:120
LUID SeDebugPrivilege
Definition: setypes.h:1178
PSID SeAuthenticatedUsersSid
Definition: setypes.h:1202
LUID SeChangeNotifyPrivilege
Definition: setypes.h:1181
LUID SeLockMemoryPrivilege
Definition: setypes.h:1162
const LUID SeEnableDelegationPrivilege
Definition: priv.c:44
PSID SeAliasBackupOpsSid
Definition: sid.c:46
PSID SeAnonymousLogonSid
Definition: setypes.h:1204
PSID SeAliasGuestsSid
Definition: setypes.h:1196
PSID SeRestrictedSid
Definition: sid.c:48
const LUID SeAssignPrimaryTokenPrivilege
Definition: priv.c:20
const LUID SeSystemProfilePrivilege
Definition: priv.c:28
PSID SeAuthenticatedUsersSid
Definition: sid.c:47
PSID SeAliasPrintOpsSid
Definition: sid.c:45
PSID SeAliasAccountOpsSid
Definition: sid.c:43
const LUID SeSyncAgentPrivilege
Definition: priv.c:43
LUID SeUnsolicitedInputPrivilege
Definition: setypes.h:1164
PSID SeAliasSystemOpsSid
Definition: setypes.h:1199
LUID SeSecurityPrivilege
Definition: setypes.h:1166
PSID SeBatchSid
Definition: setypes.h:1191
SE_EXPORTS SepExports
Definition: semgr.c:22
PSID SeNullSid
Definition: setypes.h:1183
PSE_EXPORTS SeExports
Definition: semgr.c:21
PSID SeCreatorGroupSid
Definition: sid.c:26
PSID SeNtAuthoritySid
Definition: sid.c:29
LUID SeLoadDriverPrivilege
Definition: setypes.h:1168
LUID SeUndockPrivilege
Definition: setypes.h:1205
PSID SeNetworkServiceSid
Definition: sid.c:51
PSID SeNetworkServiceSid
Definition: setypes.h:1209
const LUID SeLoadDriverPrivilege
Definition: priv.c:27
const LUID SeManageVolumePrivilege
Definition: priv.c:45
const LUID SeTakeOwnershipPrivilege
Definition: priv.c:26
PSID SeAliasPowerUsersSid
Definition: setypes.h:1197
LUID SeSystemEnvironmentPrivilege
Definition: setypes.h:1180
LUID SeProfileSingleProcessPrivilege
Definition: setypes.h:1173
PSID SeDialupSid
Definition: setypes.h:1189
PSID SeAliasUsersSid
Definition: sid.c:40
PSID SeNetworkSid
Definition: setypes.h:1190
PSID SeAliasAccountOpsSid
Definition: setypes.h:1198
LUID SeTcbPrivilege
Definition: setypes.h:1165
const LUID SeCreatePagefilePrivilege
Definition: priv.c:32
LUID SeImpersonatePrivilege
Definition: setypes.h:1211
LUID SeRemoteShutdownPrivilege
Definition: setypes.h:1182
const LUID SeRestorePrivilege
Definition: priv.c:35
LUID SeCreatePermanentPrivilege
Definition: setypes.h:1174
PSID SeLocalServiceSid
Definition: sid.c:50
static const LUID SeChangeNotifyPrivilege
Definition: authpackage.c:167
static const LUID SeCreateGlobalPrivilege
Definition: authpackage.c:168
PSID SeAliasAdminsSid
Definition: sid.c:39
PSID SeLocalServiceSid
Definition: setypes.h:1208
PSID SeCreatorOwnerSid
Definition: sid.c:25
const LUID SeLockMemoryPrivilege
Definition: priv.c:21
const LUID SeProfileSingleProcessPrivilege
Definition: priv.c:30
PSID SeWorldSid
Definition: sid.c:23
const LUID SeIncreaseBasePriorityPrivilege
Definition: priv.c:31
PSID SeLocalSid
Definition: sid.c:24
PSID SeAliasGuestsSid
Definition: sid.c:41
const LUID SeTcbPrivilege
Definition: priv.c:24
LUID SeCreateGlobalPrivilege
Definition: setypes.h:1212
LUID SeBackupPrivilege
Definition: setypes.h:1175
LUID SeIncreaseBasePriorityPrivilege
Definition: setypes.h:1170
PSID SeAliasUsersSid
Definition: setypes.h:1195
const LUID SeShutdownPrivilege
Definition: priv.c:36
PSID SeAliasPowerUsersSid
Definition: sid.c:42
LUID SeSystemtimePrivilege
Definition: setypes.h:1172
PSID SeDialupSid
Definition: sid.c:30
PSID SeCreatorOwnerSid
Definition: setypes.h:1186
PSID SeAliasSystemOpsSid
Definition: sid.c:44
LUID SeSyncAgentPrivilege
Definition: setypes.h:1206
const LUID SeSecurityPrivilege
Definition: priv.c:25
PSID SeNtAuthoritySid
Definition: setypes.h:1188
LUID SeAuditPrivilege
Definition: setypes.h:1179
PSID SeLocalSystemSid
Definition: sid.c:36
PSID SeRestrictedSid
Definition: setypes.h:1203
PSID SeNetworkSid
Definition: sid.c:31
const LUID SeUnsolicitedInputPrivilege
Definition: priv.c:23
LUID SeIncreaseQuotaPrivilege
Definition: setypes.h:1163
LUID SeTakeOwnershipPrivilege
Definition: setypes.h:1167
PSID SeInteractiveSid
Definition: sid.c:33
PSID SeBatchSid
Definition: sid.c:32
PSID SeAnonymousLogonSid
Definition: se.h:159
LUID SeAssignPrimaryTokenPrivilege
Definition: setypes.h:1161
PSID SeWorldSid
Definition: setypes.h:1184
LUID SeRestorePrivilege
Definition: setypes.h:1176
PSID SeLocalSid
Definition: setypes.h:1185
const LUID SeUndockPrivilege
Definition: priv.c:42
PSID SeCreatorGroupSid
Definition: setypes.h:1187
PSID SeNullSid
Definition: sid.c:22
const LUID SeAuditPrivilege
Definition: priv.c:38
LUID SeSystemProfilePrivilege
Definition: setypes.h:1171
LUID SeCreatePagefilePrivilege
Definition: setypes.h:1169
PSID SeAliasPrintOpsSid
Definition: setypes.h:1200
PSID SeLocalSystemSid
Definition: setypes.h:1193
static const LUID SeImpersonatePrivilege
Definition: authpackage.c:169
PSID SeInteractiveSid
Definition: setypes.h:1192
LUID SeCreateTokenPrivilege
Definition: setypes.h:1160

Referenced by SepInitializationPhase0().

◆ SepInitializationPhase0()

BOOLEAN NTAPI SepInitializationPhase0 ( VOID  )

Handles the phase 0 procedure of the SRM initialization.

Returns
Returns TRUE if the phase 0 initialization has succeeded and that we can proceed further with next initialization phase, FALSE otherwise.

Definition at line 115 of file semgr.c.

116 {
117  PAGED_CODE();
118 
119  if (!ExLuidInitialization()) return FALSE;
120  if (!SepInitSecurityIDs()) return FALSE;
121  if (!SepInitDACLs()) return FALSE;
122  if (!SepInitSDs()) return FALSE;
124  if (!SepInitExports()) return FALSE;
125 
126  /* Initialize the subject context lock */
128 
129  /* Initialize token objects */
131 
132  /* Initialize logon sessions */
133  if (!SeRmInitPhase0()) return FALSE;
134 
135  /* Clear impersonation info for the idle thread */
136  PsGetCurrentThread()->ImpersonationInfo = NULL;
139 
140  /* Initialize the boot token */
144 
145  /* Initialise the anonymous logon tokens */
148  return FALSE;
149 
152  return FALSE;
153 
154  return TRUE;
155 }
BOOLEAN NTAPI ExLuidInitialization(VOID)
Definition: uuid.c:325
#define ExInitializeResource
Definition: exfuncs.h:346
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
#define PspClearCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:27
PTOKEN NTAPI SepCreateSystemProcessToken(VOID)
Creates the system process token.
Definition: token.c:1984
#define TRUE
Definition: types.h:120
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI SepInitPrivileges(VOID)
Initializes the privileges during the startup phase of the security manager module....
Definition: priv.c:69
BOOLEAN NTAPI SepInitSecurityIDs(VOID)
Initializes all the SIDs known in the system.
Definition: sid.c:107
BOOLEAN NTAPI SepInitDACLs(VOID)
Initializes known discretionary access control lists in the system upon kernel and Executive initiali...
Definition: acl.c:38
PTOKEN SeAnonymousLogonTokenNoEveryone
Definition: semgr.c:20
#define FALSE
Definition: types.h:117
PTOKEN SepCreateSystemAnonymousLogonToken(VOID)
Creates the anonymous logon token for the system. The difference between this token and the other one...
Definition: token.c:2134
VOID NTAPI SepInitializeTokenImplementation(VOID)
Internal function that initializes critical kernel data for access token implementation in SRM.
Definition: token.c:1568
#define PsGetCurrentProcess
Definition: psfuncs.h:17
static BOOLEAN SepInitExports(VOID)
Initializes all the security exports upon initialization phase of the module.
Definition: semgr.c:41
VOID FASTCALL ObInitializeFastReference(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:107
BOOLEAN NTAPI SeRmInitPhase0(VOID)
Manages the phase 0 initialization of the security reference monitoring module of the kernel.
Definition: srm.c:176
#define NULL
Definition: types.h:112
#define CT_ACTIVE_IMPERSONATION_INFO_BIT
Definition: pstypes.h:241
PTOKEN SeAnonymousLogonToken
Definition: semgr.c:19
ERESOURCE SepSubjectContextLock
Definition: access.c:16
PTOKEN SepCreateSystemAnonymousLogonTokenNoEveryone(VOID)
Creates the anonymous logon token for the system. This kind of token doesn't include the everyone SID...
Definition: token.c:2202
#define PAGED_CODE()
BOOLEAN NTAPI SepInitSDs(VOID)
Initializes the known security descriptors in the system.
Definition: sd.c:37

Referenced by SeInitSystem().

◆ SepInitializationPhase1()

BOOLEAN NTAPI SepInitializationPhase1 ( VOID  )

Handles the phase 1 procedure of the SRM initialization.

Returns
Returns TRUE if the phase 1 initialization has succeeded, FALSE otherwise.

Definition at line 168 of file semgr.c.

169 {
172  HANDLE SecurityHandle;
176  PACL Dacl;
177  ULONG DaclLength;
178 
179  PAGED_CODE();
180 
181  /* Insert the system token into the tree */
183  ~MAX_FAST_REFS),
184  NULL,
185  0,
186  0,
187  NULL,
188  NULL);
190 
191  /* Create a security descriptor for the directory */
193 
194  /* Setup the ACL */
195  DaclLength = sizeof(ACL) + 3 * sizeof(ACCESS_ALLOWED_ACE) +
200  if (Dacl == NULL)
201  {
202  return FALSE;
203  }
204 
205  Status = RtlCreateAcl(Dacl, DaclLength, ACL_REVISION);
207 
208  /* Grant full access to SYSTEM */
210  ACL_REVISION,
214 
215  /* Allow admins to traverse and query */
217  ACL_REVISION,
221 
222  /* Allow anyone to traverse */
224  ACL_REVISION,
226  SeWorldSid);
228 
229  /* And link ACL and SD */
232 
233  /* Create '\Security' directory */
234  RtlInitUnicodeString(&Name, L"\\Security");
236  &Name,
238  0,
240 
241  Status = ZwCreateDirectoryObject(&SecurityHandle,
245 
246  /* Free the DACL */
248 
249  /* Create 'LSA_AUTHENTICATION_INITIALIZED' event */
250  RtlInitUnicodeString(&Name, L"LSA_AUTHENTICATION_INITIALIZED");
252  &Name,
254  SecurityHandle,
256 
257  Status = ZwCreateEvent(&EventHandle,
261  FALSE);
263 
266 
267  Status = ZwClose(SecurityHandle);
269 
270  return TRUE;
271 }
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:35
#define OBJ_CASE_INSENSITIVE
Definition: winternl.h:228
#define TRUE
Definition: types.h:120
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
NTSYSAPI NTSTATUS NTAPI ZwClose(_In_ HANDLE Handle)
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
PSECURITY_DESCRIPTOR SePublicDefaultSd
Definition: sd.c:16
#define FALSE
Definition: types.h:117
#define GENERIC_WRITE
Definition: nt_native.h:90
struct NameRec_ * Name
Definition: cdprocs.h:459
#define PsGetCurrentProcess
Definition: psfuncs.h:17
NTSYSAPI NTSTATUS NTAPI ZwCreateDirectoryObject(_Out_ PHANDLE DirectoryHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes)
struct _ACL ACL
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
#define DIRECTORY_TRAVERSE
Definition: nt_native.h:1255
Status
Definition: gdiplustypes.h:24
#define TAG_SE
Definition: tag.h:173
#define ASSERT(a)
Definition: mode.c:44
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define READ_CONTROL
Definition: nt_native.h:58
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
PSID SeAliasAdminsSid
Definition: sid.c:39
static const WCHAR L[]
Definition: oid.c:1250
#define OBJ_PERMANENT
Definition: winternl.h:226
PSID SeWorldSid
Definition: sid.c:23
NTSTATUS NTAPI ObInsertObject(IN PVOID Object, IN PACCESS_STATE AccessState OPTIONAL, IN ACCESS_MASK DesiredAccess, IN ULONG ObjectPointerBias, OUT PVOID *NewObject OPTIONAL, OUT PHANDLE Handle)
Definition: obhandle.c:2931
#define DIRECTORY_ALL_ACCESS
Definition: nt_native.h:1259
#define NULL
Definition: types.h:112
#define ACL_REVISION
Definition: setypes.h:39
PSID SeLocalSystemSid
Definition: sid.c:36
unsigned int ULONG
Definition: retypes.h:1
#define DIRECTORY_QUERY
Definition: nt_native.h:1254
NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
#define InitializeObjectAttributes(p, n, a, r, s)
Definition: reg.c:106
#define MAX_FAST_REFS
Definition: ex.h:131
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define PAGED_CODE()
_Out_ PHANDLE EventHandle
Definition: iofuncs.h:857

Referenced by SeInitSystem().

◆ SeQuerySecurityAccessMask()

VOID NTAPI SeQuerySecurityAccessMask ( _In_ SECURITY_INFORMATION  SecurityInformation,
_Out_ PACCESS_MASK  DesiredAccess 
)

Queries the access mask from a security information context.

Parameters
[in]SecurityInformationThe security information context where the access mask is to be gathered.
[out]DesiredAccessThe queried access mask right.
Returns
Nothing.

Definition at line 427 of file semgr.c.

430 {
431  *DesiredAccess = 0;
432 
435  {
437  }
438 
440  {
442  }
443 }
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
#define ACCESS_SYSTEM_SECURITY
Definition: nt_native.h:77
#define GROUP_SECURITY_INFORMATION
Definition: setypes.h:124
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1339
#define SACL_SECURITY_INFORMATION
Definition: setypes.h:126
#define READ_CONTROL
Definition: nt_native.h:58
#define OWNER_SECURITY_INFORMATION
Definition: setypes.h:123
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125

Referenced by NtQuerySecurityObject().

◆ SeReportSecurityEvent()

NTSTATUS NTAPI SeReportSecurityEvent ( _In_ ULONG  Flags,
_In_ PUNICODE_STRING  SourceName,
_In_opt_ PSID  UserSid,
_In_ PSE_ADT_PARAMETER_ARRAY  AuditParameters 
)

Report a security event to the security manager.

@unimplemented

Parameters
[in]FlagsFlags that influence how the event should be reported.
[in]SourceNameA Unicode string that represents the source name of the event.
[in]UserSidThe SID that represents a user that initiated the reporting.
[in]AuditParametersAn array of parameters for auditing purposes. This is used for reporting the event which the security manager will take care subsequently of doing eventual security auditing.
Returns
Returns STATUS_SUCCESS if the security event has been reported. STATUS_INVALID_PARAMETER is returned if one of the parameters do not satisfy the requirements expected by the function.

Definition at line 508 of file semgr.c.

513 {
515  PTOKEN EffectiveToken;
516  PISID Sid;
518 
519  /* Validate parameters */
520  if ((Flags != 0) ||
521  (SourceName == NULL) ||
522  (SourceName->Buffer == NULL) ||
523  (SourceName->Length == 0) ||
524  (AuditParameters == NULL) ||
525  (AuditParameters->ParameterCount > SE_MAX_AUDIT_PARAMETERS - 4))
526  {
528  }
529 
530  /* Validate the source name */
532  if (!NT_SUCCESS(Status))
533  {
534  return Status;
535  }
536 
537  /* Check if we have a user SID */
538  if (UserSid != NULL)
539  {
540  /* Validate it */
541  if (!RtlValidSid(UserSid))
542  {
544  }
545 
546  /* Use the user SID */
547  Sid = UserSid;
548  }
549  else
550  {
551  /* No user SID, capture the security subject context */
553 
554  /* Extract the effective token */
555  EffectiveToken = SubjectContext.ClientToken ?
556  SubjectContext.ClientToken : SubjectContext.PrimaryToken;
557 
558  /* Use the user-and-groups SID */
559  Sid = EffectiveToken->UserAndGroups->Sid;
560  }
561 
563 
564  /* Check if we captured the subject context */
565  if (Sid != UserSid)
566  {
567  /* Release it */
569  }
570 
571  /* Return success */
572  return STATUS_SUCCESS;
573 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
#define SE_MAX_AUDIT_PARAMETERS
Definition: setypes.h:243
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
LONG NTSTATUS
Definition: precomp.h:26
NTSYSAPI NTSTATUS NTAPI RtlValidateUnicodeString(_In_ ULONG Flags, _In_ PCUNICODE_STRING String)
Definition: unicode.c:2559
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
NTSYSAPI BOOLEAN NTAPI RtlValidSid(IN PSID Sid)
Definition: sid.c:21
Status
Definition: gdiplustypes.h:24
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: access.c:434
#define NULL
Definition: types.h:112
WCHAR SourceName[256]
Definition: arping.c:28
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: access.c:520
#define UNIMPLEMENTED
Definition: debug.h:115
PSID_AND_ATTRIBUTES UserAndGroups
Definition: setypes.h:215
#define STATUS_SUCCESS
Definition: shellext.h:65

◆ SeSetAuditParameter()

_Const_ NTSTATUS NTAPI SeSetAuditParameter ( _Inout_ PSE_ADT_PARAMETER_ARRAY  AuditParameters,
_In_ SE_ADT_PARAMETER_TYPE  Type,
_In_range_(<, SE_MAX_AUDIT_PARAMETERS) ULONG  Index,
_In_reads_(_Inexpressible_("depends on SE_ADT_PARAMETER_TYPE")) PVOID  Data 
)

Sets an array of audit parameters for later security auditing use.

@unimplemented

Parameters
[in,out]AuditParametersAn array of audit parameters to be set.
[in]TypeThe type of audit parameters to be set.
[in]IndexIndex number that represents an instance of an audit parameters. Such index must be within the maximum range of audit parameters.
[in]DataAn arbitrary buffer data that is bounds to what kind of audit parameter type must be set.
Returns
To be added...

Definition at line 600 of file semgr.c.

605 {
607  return STATUS_SUCCESS;
608 }
#define UNIMPLEMENTED
Definition: debug.h:115
#define STATUS_SUCCESS
Definition: shellext.h:65

◆ SeSetSecurityAccessMask()

VOID NTAPI SeSetSecurityAccessMask ( _In_ SECURITY_INFORMATION  SecurityInformation,
_Out_ PACCESS_MASK  DesiredAccess 
)

Sets the access mask for a security information context.

Parameters
[in]SecurityInformationThe security information context to apply a new access right.
[out]DesiredAccessThe returned access mask right.
Returns
Nothing.

Definition at line 460 of file semgr.c.

463 {
464  *DesiredAccess = 0;
465 
467  {
469  }
470 
472  {
474  }
475 
477  {
479  }
480 }
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
#define ACCESS_SYSTEM_SECURITY
Definition: nt_native.h:77
#define GROUP_SECURITY_INFORMATION
Definition: setypes.h:124
#define WRITE_OWNER
Definition: nt_native.h:60
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1339
#define SACL_SECURITY_INFORMATION
Definition: setypes.h:126
#define WRITE_DAC
Definition: nt_native.h:59
#define OWNER_SECURITY_INFORMATION
Definition: setypes.h:123
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125

Referenced by NtSetSecurityObject().

Variable Documentation

◆ ExpInitializationPhase

◆ SeAnonymousLogonToken

PTOKEN SeAnonymousLogonToken = NULL

Definition at line 19 of file semgr.c.

Referenced by SepImpersonateAnonymousToken(), and SepInitializationPhase0().

◆ SeAnonymousLogonTokenNoEveryone

PTOKEN SeAnonymousLogonTokenNoEveryone = NULL

Definition at line 20 of file semgr.c.

Referenced by SepImpersonateAnonymousToken(), and SepInitializationPhase0().

◆ SeExports

◆ SepExports

SE_EXPORTS SepExports

Definition at line 22 of file semgr.c.

Referenced by SepInitExports().

◆ SepSubjectContextLock

ERESOURCE SepSubjectContextLock

Definition at line 16 of file access.c.

Referenced by SepInitializationPhase0().

◆ SidInTokenCalls

ULONG SidInTokenCalls = 0

Definition at line 23 of file semgr.c.