ReactOS  0.4.15-dev-2738-gbe65a85
semgr.c
Go to the documentation of this file.
1 /*
2  * COPYRIGHT: See COPYING in the top level directory
3  * PROJECT: ReactOS kernel
4  * FILE: ntoskrnl/se/semgr.c
5  * PURPOSE: Security manager
6  *
7  * PROGRAMMERS: No programmer listed.
8  */
9 
10 /* INCLUDES *******************************************************************/
11 
12 #include <ntoskrnl.h>
13 #define NDEBUG
14 #include <debug.h>
15 
16 /* GLOBALS ********************************************************************/
17 
18 PTOKEN SeAnonymousLogonToken = NULL;
19 PTOKEN SeAnonymousLogonTokenNoEveryone = NULL;
20 PSE_EXPORTS SeExports = NULL;
21 SE_EXPORTS SepExports;
22 ULONG SidInTokenCalls = 0;
23 
24 extern ULONG ExpInitializationPhase;
25 extern ERESOURCE SepSubjectContextLock;
26 
27 /* PRIVATE FUNCTIONS **********************************************************/
28 
29 static
30 CODE_SEG("INIT")
31 BOOLEAN
32 SepInitExports(VOID)
33 {
34  SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
35  SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
36  SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
37  SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
38  SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
39  SepExports.SeTcbPrivilege = SeTcbPrivilege;
40  SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
41  SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
42  SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
43  SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
44  SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
45  SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
46  SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
47  SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
48  SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
49  SepExports.SeBackupPrivilege = SeBackupPrivilege;
50  SepExports.SeRestorePrivilege = SeRestorePrivilege;
51  SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
52  SepExports.SeDebugPrivilege = SeDebugPrivilege;
53  SepExports.SeAuditPrivilege = SeAuditPrivilege;
54  SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
55  SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
56  SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
57 
58  SepExports.SeNullSid = SeNullSid;
59  SepExports.SeWorldSid = SeWorldSid;
60  SepExports.SeLocalSid = SeLocalSid;
61  SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
62  SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
63  SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
64  SepExports.SeDialupSid = SeDialupSid;
65  SepExports.SeNetworkSid = SeNetworkSid;
66  SepExports.SeBatchSid = SeBatchSid;
67  SepExports.SeInteractiveSid = SeInteractiveSid;
68  SepExports.SeLocalSystemSid = SeLocalSystemSid;
69  SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
70  SepExports.SeAliasUsersSid = SeAliasUsersSid;
71  SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
72  SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
73  SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
74  SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
75  SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
76  SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
77  SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
78  SepExports.SeRestrictedSid = SeRestrictedSid;
79  SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
80  SepExports.SeLocalServiceSid = SeLocalServiceSid;
81  SepExports.SeNetworkServiceSid = SeNetworkServiceSid;
82 
83  SepExports.SeUndockPrivilege = SeUndockPrivilege;
84  SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
85  SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
86  SepExports.SeManageVolumePrivilege = SeManageVolumePrivilege;
87  SepExports.SeImpersonatePrivilege = SeImpersonatePrivilege;
88  SepExports.SeCreateGlobalPrivilege = SeCreateGlobalPrivilege;
89 
90  SeExports = &SepExports;
91  return TRUE;
92 }
93 
94 
95 CODE_SEG("INIT")
96 BOOLEAN
97 NTAPI
98 SepInitializationPhase0(VOID)
99 {
100  PAGED_CODE();
101 
102  if (!ExLuidInitialization()) return FALSE;
103  if (!SepInitSecurityIDs()) return FALSE;
104  if (!SepInitDACLs()) return FALSE;
105  if (!SepInitSDs()) return FALSE;
106  SepInitPrivileges();
107  if (!SepInitExports()) return FALSE;
108 
109  /* Initialize the subject context lock */
110  ExInitializeResource(&SepSubjectContextLock);
111 
112  /* Initialize token objects */
113  SepInitializeTokenImplementation();
114 
115  /* Initialize logon sessions */
116  if (!SeRmInitPhase0()) return FALSE;
117 
118  /* Clear impersonation info for the idle thread */
119  PsGetCurrentThread()->ImpersonationInfo = NULL;
120  PspClearCrossThreadFlag(PsGetCurrentThread(),
121  CT_ACTIVE_IMPERSONATION_INFO_BIT);
122 
123  /* Initialize the boot token */
124  ObInitializeFastReference(&PsGetCurrentProcess()->Token, NULL);
125  ObInitializeFastReference(&PsGetCurrentProcess()->Token,
126  SepCreateSystemProcessToken());
127 
128  /* Initialise the anonymous logon tokens */
129  SeAnonymousLogonToken = SepCreateSystemAnonymousLogonToken();
130  if (!SeAnonymousLogonToken)
131  return FALSE;
132 
133  SeAnonymousLogonTokenNoEveryone = SepCreateSystemAnonymousLogonTokenNoEveryone();
134  if (!SeAnonymousLogonTokenNoEveryone)
135  return FALSE;
136 
137  return TRUE;
138 }
139 
140 CODE_SEG("INIT")
141 BOOLEAN
142 NTAPI
143 SepInitializationPhase1(VOID)
144 {
145  OBJECT_ATTRIBUTES ObjectAttributes;
146  UNICODE_STRING Name;
147  HANDLE SecurityHandle;
148  HANDLE EventHandle;
149  NTSTATUS Status;
150  SECURITY_DESCRIPTOR SecurityDescriptor;
151  PACL Dacl;
152  ULONG DaclLength;
153 
154  PAGED_CODE();
155 
156  /* Insert the system token into the tree */
157  Status = ObInsertObject((PVOID)(PsGetCurrentProcess()->Token.Value &
158  ~MAX_FAST_REFS),
159  NULL,
160  0,
161  0,
162  NULL,
163  NULL);
164  ASSERT(NT_SUCCESS(Status));
165 
166  /* Create a security descriptor for the directory */
167  RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
168 
169  /* Setup the ACL */
170  DaclLength = sizeof(ACL) + 3 * sizeof(ACCESS_ALLOWED_ACE) +
171  RtlLengthSid(SeLocalSystemSid) +
172  RtlLengthSid(SeAliasAdminsSid) +
173  RtlLengthSid(SeWorldSid);
174  Dacl = ExAllocatePoolWithTag(NonPagedPool, DaclLength, TAG_SE);
175  if (Dacl == NULL)
176  {
177  return FALSE;
178  }
179 
180  Status = RtlCreateAcl(Dacl, DaclLength, ACL_REVISION);
181  ASSERT(NT_SUCCESS(Status));
182 
183  /* Grant full access to SYSTEM */
184  Status = RtlAddAccessAllowedAce(Dacl,
185  ACL_REVISION,
186  DIRECTORY_ALL_ACCESS,
187  SeLocalSystemSid);
188  ASSERT(NT_SUCCESS(Status));
189 
190  /* Allow admins to traverse and query */
191  Status = RtlAddAccessAllowedAce(Dacl,
192  ACL_REVISION,
193  READ_CONTROL | DIRECTORY_TRAVERSE | DIRECTORY_QUERY,
194  SeAliasAdminsSid);
195  ASSERT(NT_SUCCESS(Status));
196 
197  /* Allow anyone to traverse */
198  Status = RtlAddAccessAllowedAce(Dacl,
199  ACL_REVISION,
200  DIRECTORY_TRAVERSE,
201  SeWorldSid);
202  ASSERT(NT_SUCCESS(Status));
203 
204  /* And link ACL and SD */
205  Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, Dacl, FALSE);
206  ASSERT(NT_SUCCESS(Status));
207 
208  /* Create '\Security' directory */
209  RtlInitUnicodeString(&Name, L"\\Security");
210  InitializeObjectAttributes(&ObjectAttributes,
211  &Name,
212  OBJ_PERMANENT | OBJ_CASE_INSENSITIVE,
213  0,
214  &SecurityDescriptor);
215 
216  Status = ZwCreateDirectoryObject(&SecurityHandle,
217  DIRECTORY_ALL_ACCESS,
218  &ObjectAttributes);
219  ASSERT(NT_SUCCESS(Status));
220 
221  /* Free the DACL */
222  ExFreePoolWithTag(Dacl, TAG_SE);
223 
224  /* Create 'LSA_AUTHENTICATION_INITIALIZED' event */
225  RtlInitUnicodeString(&Name, L"LSA_AUTHENTICATION_INITIALIZED");
226  InitializeObjectAttributes(&ObjectAttributes,
227  &Name,
228  OBJ_PERMANENT | OBJ_CASE_INSENSITIVE,
229  SecurityHandle,
230  SePublicDefaultSd);
231 
232  Status = ZwCreateEvent(&EventHandle,
233  GENERIC_WRITE,
234  &ObjectAttributes,
235  NotificationEvent,
236  FALSE);
237  ASSERT(NT_SUCCESS(Status));
238 
239  Status = ZwClose(EventHandle);
240  ASSERT(NT_SUCCESS(Status));
241 
242  Status = ZwClose(SecurityHandle);
243  ASSERT(NT_SUCCESS(Status));
244 
245  return TRUE;
246 }
247 
248 CODE_SEG("INIT")
249 BOOLEAN
250 NTAPI
251 SeInitSystem(VOID)
252 {
253  /* Check the initialization phase */
254  switch (ExpInitializationPhase)
255  {
256  case 0:
257 
258  /* Do Phase 0 */
259  return SepInitializationPhase0();
260 
261  case 1:
262 
263  /* Do Phase 1 */
264  return SepInitializationPhase1();
265 
266  default:
267 
268  /* Don't know any other phase! Bugcheck! */
269  KeBugCheckEx(UNEXPECTED_INITIALIZATION_CALL,
270  0,
271  ExpInitializationPhase,
272  0,
273  0);
274  return FALSE;
275  }
276 }
277 
278 NTSTATUS
279 NTAPI
280 SeDefaultObjectMethod(IN PVOID Object,
281  IN SECURITY_OPERATION_CODE OperationType,
282  IN PSECURITY_INFORMATION SecurityInformation,
283  IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
284  IN OUT PULONG ReturnLength OPTIONAL,
285  IN OUT PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
286  IN POOL_TYPE PoolType,
287  IN PGENERIC_MAPPING GenericMapping)
288 {
289  PAGED_CODE();
290 
291  /* Select the operation type */
292  switch (OperationType)
293  {
294  /* Setting a new descriptor */
295  case SetSecurityDescriptor:
296 
297  /* Sanity check */
298  ASSERT((PoolType == PagedPool) || (PoolType == NonPagedPool));
299 
300  /* Set the information */
301  return ObSetSecurityDescriptorInfo(Object,
302  SecurityInformation,
303  SecurityDescriptor,
304  OldSecurityDescriptor,
305  PoolType,
306  GenericMapping);
307 
308  case QuerySecurityDescriptor:
309 
310  /* Query the information */
311  return ObQuerySecurityDescriptorInfo(Object,
312  SecurityInformation,
313  SecurityDescriptor,
314  ReturnLength,
315  OldSecurityDescriptor);
316 
317  case DeleteSecurityDescriptor:
318 
319  /* De-assign it */
320  return ObDeassignSecurity(OldSecurityDescriptor);
321 
322  case AssignSecurityDescriptor:
323 
324  /* Assign it */
325  ObAssignObjectSecurityDescriptor(Object, SecurityDescriptor, PoolType);
326  return STATUS_SUCCESS;
327 
328  default:
329 
330  /* Bug check */
331  KeBugCheckEx(SECURITY_SYSTEM, 0, STATUS_INVALID_PARAMETER, 0, 0);
332  }
333 
334  /* Should never reach here */
335  ASSERT(FALSE);
336  return STATUS_SUCCESS;
337 }
338 
339 VOID
340 NTAPI
341 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
342  OUT PACCESS_MASK DesiredAccess)
343 {
344  *DesiredAccess = 0;
345 
346  if (SecurityInformation & (OWNER_SECURITY_INFORMATION |
347  GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
348  {
349  *DesiredAccess |= READ_CONTROL;
350  }
351 
352  if (SecurityInformation & SACL_SECURITY_INFORMATION)
353  {
354  *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
355  }
356 }
357 
358 VOID
359 NTAPI
360 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
361  OUT PACCESS_MASK DesiredAccess)
362 {
363  *DesiredAccess = 0;
364 
365  if (SecurityInformation & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
366  {
367  *DesiredAccess |= WRITE_OWNER;
368  }
369 
370  if (SecurityInformation & DACL_SECURITY_INFORMATION)
371  {
372  *DesiredAccess |= WRITE_DAC;
373  }
374 
375  if (SecurityInformation & SACL_SECURITY_INFORMATION)
376  {
377  *DesiredAccess |= ACCESS_SYSTEM_SECURITY;
378  }
379 }
380 
381 NTSTATUS
382 NTAPI
383 SeReportSecurityEvent(
384  _In_ ULONG Flags,
385  _In_ PUNICODE_STRING SourceName,
386  _In_opt_ PSID UserSid,
387  _In_ PSE_ADT_PARAMETER_ARRAY AuditParameters)
388 {
389  SECURITY_SUBJECT_CONTEXT SubjectContext;
390  PTOKEN EffectiveToken;
391  PISID Sid;
392  NTSTATUS Status;
393 
394  /* Validate parameters */
395  if ((Flags != 0) ||
396  (SourceName == NULL) ||
397  (SourceName->Buffer == NULL) ||
398  (SourceName->Length == 0) ||
399  (AuditParameters == NULL) ||
400  (AuditParameters->ParameterCount > SE_MAX_AUDIT_PARAMETERS - 4))
401  {
402  return STATUS_INVALID_PARAMETER;
403  }
404 
405  /* Validate the source name */
406  Status = RtlValidateUnicodeString(0, SourceName);
407  if (!NT_SUCCESS(Status))
408  {
409  return Status;
410  }
411 
412  /* Check if we have a user SID */
413  if (UserSid != NULL)
414  {
415  /* Validate it */
416  if (!RtlValidSid(UserSid))
417  {
418  return STATUS_INVALID_PARAMETER;
419  }
420 
421  /* Use the user SID */
422  Sid = UserSid;
423  }
424  else
425  {
426  /* No user SID, capture the security subject context */
427  SeCaptureSubjectContext(&SubjectContext);
428 
429  /* Extract the effective token */
430  EffectiveToken = SubjectContext.ClientToken ?
431  SubjectContext.ClientToken : SubjectContext.PrimaryToken;
432 
433  /* Use the user-and-groups SID */
434  Sid = EffectiveToken->UserAndGroups->Sid;
435  }
436 
437  UNIMPLEMENTED;
438 
439  /* Check if we captured the subject context */
440  if (Sid != UserSid)
441  {
442  /* Release it */
443  SeReleaseSubjectContext(&SubjectContext);
444  }
445 
446  /* Return success */
447  return STATUS_SUCCESS;
448 }
449 
450 _Const_
451 NTSTATUS
452 NTAPI
453 SeSetAuditParameter(
454  _Inout_ PSE_ADT_PARAMETER_ARRAY AuditParameters,
455  _In_ SE_ADT_PARAMETER_TYPE Type,
456  _In_range_(<, SE_MAX_AUDIT_PARAMETERS) ULONG Index,
457  _In_reads_(_Inexpressible_("depends on SE_ADT_PARAMETER_TYPE")) PVOID Data)
458 {
459  UNIMPLEMENTED;
460  return STATUS_SUCCESS;
461 }
462 
463 /* EOF */
_SE_EXPORTS::SeAliasBackupOpsSid
PSID SeAliasBackupOpsSid
Definition: setypes.h:1182
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
_SE_EXPORTS::SeAliasAdminsSid
PSID SeAliasAdminsSid
Definition: setypes.h:1175
ExLuidInitialization
BOOLEAN NTAPI ExLuidInitialization(VOID)
Definition: uuid.c:325
SeSystemEnvironmentPrivilege
const LUID SeSystemEnvironmentPrivilege
Definition: priv.c:39
SE_ADT_PARAMETER_TYPE
enum _SE_ADT_PARAMETER_TYPE SE_ADT_PARAMETER_TYPE
_SE_ADT_PARAMETER_ARRAY
Definition: setypes.h:298
SeRemoteShutdownPrivilege
const LUID SeRemoteShutdownPrivilege
Definition: priv.c:41
SeCaptureSubjectContext
VOID NTAPI SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:301
ObjectAttributes
IN PUNICODE_STRING IN POBJECT_ATTRIBUTES ObjectAttributes
Definition: conport.c:35
_SE_EXPORTS::SeEnableDelegationPrivilege
LUID SeEnableDelegationPrivilege
Definition: setypes.h:1188
ReturnLength
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
Definition: dumpinfo.c:39
IN
#define IN
Definition: typedefs.h:39
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
DesiredAccess
_Must_inspect_result_ _In_ WDFDEVICE _In_ ULONG _In_ ACCESS_MASK DesiredAccess
Definition: wdfdevice.h:2654
SeReleaseSubjectContext
VOID NTAPI SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:360
_SE_EXPORTS::SeShutdownPrivilege
LUID SeShutdownPrivilege
Definition: setypes.h:1158
_SE_EXPORTS::SeManageVolumePrivilege
LUID SeManageVolumePrivilege
Definition: setypes.h:1191
ExInitializeResource
#define ExInitializeResource
Definition: exfuncs.h:346
SeSystemtimePrivilege
const LUID SeSystemtimePrivilege
Definition: priv.c:29
_SID_AND_ATTRIBUTES::Sid
PSID Sid
Definition: setypes.h:478
_In_range_
#define _In_range_(l, h)
Definition: no_sal2.h:368
_SID
Definition: ms-dtyp.idl:198
OBJ_CASE_INSENSITIVE
#define OBJ_CASE_INSENSITIVE
Definition: winternl.h:228
SeIncreaseQuotaPrivilege
const LUID SeIncreaseQuotaPrivilege
Definition: priv.c:22
ACCESS_SYSTEM_SECURITY
#define ACCESS_SYSTEM_SECURITY
Definition: nt_native.h:77
PsGetCurrentThread
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
PspClearCrossThreadFlag
#define PspClearCrossThreadFlag(Thread, Flag)
Definition: ps_x.h:27
SepCreateSystemProcessToken
PTOKEN NTAPI SepCreateSystemProcessToken(VOID)
Creates the system process token.
Definition: token.c:1508
_ACCESS_ALLOWED_ACE
Definition: ms-dtyp.idl:215
SeCreateTokenPrivilege
const LUID SeCreateTokenPrivilege
Definition: priv.c:19
SE_MAX_AUDIT_PARAMETERS
#define SE_MAX_AUDIT_PARAMETERS
Definition: setypes.h:228
SeCreatePermanentPrivilege
const LUID SeCreatePermanentPrivilege
Definition: priv.c:33
SeDebugPrivilege
const LUID SeDebugPrivilege
Definition: priv.c:37
SeBackupPrivilege
const LUID SeBackupPrivilege
Definition: priv.c:34
TRUE
#define TRUE
Definition: types.h:120
_OBJECT_ATTRIBUTES
Definition: umtypes.h:181
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
STATUS_INVALID_PARAMETER
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
_ACL
Definition: ms-dtyp.idl:293
ZwClose
NTSYSAPI NTSTATUS NTAPI ZwClose(_In_ HANDLE Handle)
_SE_EXPORTS::SeDebugPrivilege
LUID SeDebugPrivilege
Definition: setypes.h:1159
_SE_EXPORTS::SeAuthenticatedUsersSid
PSID SeAuthenticatedUsersSid
Definition: setypes.h:1183
_SE_EXPORTS::SeChangeNotifyPrivilege
LUID SeChangeNotifyPrivilege
Definition: setypes.h:1162
_SE_EXPORTS::SeLockMemoryPrivilege
LUID SeLockMemoryPrivilege
Definition: setypes.h:1143
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
SeEnableDelegationPrivilege
const LUID SeEnableDelegationPrivilege
Definition: priv.c:44
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
SepInitPrivileges
VOID NTAPI SepInitPrivileges(VOID)
Definition: priv.c:60
SeAliasBackupOpsSid
PSID SeAliasBackupOpsSid
Definition: sid.c:50
_SE_EXPORTS::SeAnonymousLogonSid
PSID SeAnonymousLogonSid
Definition: setypes.h:1185
_Const_
#define _Const_
Definition: no_sal2.h:58
SepInitializationPhase0
BOOLEAN NTAPI SepInitializationPhase0(VOID)
Definition: semgr.c:98
_SE_EXPORTS::SeAliasGuestsSid
PSID SeAliasGuestsSid
Definition: setypes.h:1177
SeRestrictedSid
PSID SeRestrictedSid
Definition: sid.c:52
GROUP_SECURITY_INFORMATION
#define GROUP_SECURITY_INFORMATION
Definition: setypes.h:124
SeQuerySecurityAccessMask
VOID NTAPI SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation, OUT PACCESS_MASK DesiredAccess)
Definition: semgr.c:341
SeAssignPrimaryTokenPrivilege
const LUID SeAssignPrimaryTokenPrivilege
Definition: priv.c:20
RtlCreateSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
SeSystemProfilePrivilege
const LUID SeSystemProfilePrivilege
Definition: priv.c:28
WRITE_OWNER
#define WRITE_OWNER
Definition: nt_native.h:60
SeAuthenticatedUsersSid
PSID SeAuthenticatedUsersSid
Definition: sid.c:51
RtlAddAccessAllowedAce
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
RtlSetDaclSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
SeAliasPrintOpsSid
PSID SeAliasPrintOpsSid
Definition: sid.c:49
SeAliasAccountOpsSid
PSID SeAliasAccountOpsSid
Definition: sid.c:47
SeSyncAgentPrivilege
const LUID SeSyncAgentPrivilege
Definition: priv.c:43
_In_opt_
#define _In_opt_
Definition: no_sal2.h:212
_SE_EXPORTS::SeUnsolicitedInputPrivilege
LUID SeUnsolicitedInputPrivilege
Definition: setypes.h:1145
SepInitSecurityIDs
BOOLEAN NTAPI SepInitSecurityIDs(VOID)
Definition: sid.c:96
_SE_EXPORTS::SeAliasSystemOpsSid
PSID SeAliasSystemOpsSid
Definition: setypes.h:1180
SepInitDACLs
BOOLEAN NTAPI SepInitDACLs(VOID)
Definition: acl.c:31
_SE_EXPORTS::SeSecurityPrivilege
LUID SeSecurityPrivilege
Definition: setypes.h:1147
RtlCreateAcl
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
SECURITY_DESCRIPTOR_REVISION
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
_SE_EXPORTS::SeBatchSid
PSID SeBatchSid
Definition: setypes.h:1172
SepExports
SE_EXPORTS SepExports
Definition: semgr.c:21
SePublicDefaultSd
PSECURITY_DESCRIPTOR SePublicDefaultSd
Definition: sd.c:18
SeAnonymousLogonTokenNoEveryone
PTOKEN SeAnonymousLogonTokenNoEveryone
Definition: semgr.c:19
NTAPI
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
_SE_EXPORTS::SeNullSid
PSID SeNullSid
Definition: setypes.h:1164
FALSE
#define FALSE
Definition: types.h:117
SeExports
PSE_EXPORTS SeExports
Definition: semgr.c:20
SECURITY_INFORMATION
DWORD SECURITY_INFORMATION
Definition: ms-dtyp.idl:311
SeCreatorGroupSid
PSID SeCreatorGroupSid
Definition: sid.c:30
SepCreateSystemAnonymousLogonToken
PTOKEN SepCreateSystemAnonymousLogonToken(VOID)
Creates the anonymous logon token for the system. The difference between this token and the other one...
Definition: token.c:1658
SeNtAuthoritySid
PSID SeNtAuthoritySid
Definition: sid.c:33
GENERIC_WRITE
#define GENERIC_WRITE
Definition: nt_native.h:90
_SE_EXPORTS::SeLoadDriverPrivilege
LUID SeLoadDriverPrivilege
Definition: setypes.h:1149
_SE_EXPORTS::SeUndockPrivilege
LUID SeUndockPrivilege
Definition: setypes.h:1186
SepInitializeTokenImplementation
VOID NTAPI SepInitializeTokenImplementation(VOID)
Definition: token.c:1189
Name
struct NameRec_ * Name
Definition: cdprocs.h:459
PsGetCurrentProcess
#define PsGetCurrentProcess
Definition: psfuncs.h:17
RtlValidateUnicodeString
NTSYSAPI NTSTATUS NTAPI RtlValidateUnicodeString(_In_ ULONG Flags, _In_ PCUNICODE_STRING String)
Definition: unicode.c:2559
ZwCreateDirectoryObject
NTSYSAPI NTSTATUS NTAPI ZwCreateDirectoryObject(_Out_ PHANDLE DirectoryHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes)
ObSetSecurityDescriptorInfo
NTSTATUS NTAPI ObSetSecurityDescriptorInfo(IN PVOID Object, IN PSECURITY_INFORMATION SecurityInformation, IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR *OutputSecurityDescriptor, IN POOL_TYPE PoolType, IN PGENERIC_MAPPING GenericMapping)
Definition: obsecure.c:117
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
SeNetworkServiceSid
PSID SeNetworkServiceSid
Definition: sid.c:55
_SE_EXPORTS::SeNetworkServiceSid
PSID SeNetworkServiceSid
Definition: setypes.h:1190
ACL
struct _ACL ACL
NameRec_
Definition: apinames.c:48
SeLoadDriverPrivilege
const LUID SeLoadDriverPrivilege
Definition: priv.c:27
SeManageVolumePrivilege
const LUID SeManageVolumePrivilege
Definition: priv.c:45
SeTakeOwnershipPrivilege
const LUID SeTakeOwnershipPrivilege
Definition: priv.c:26
Sid
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
_SE_EXPORTS::SeAliasPowerUsersSid
PSID SeAliasPowerUsersSid
Definition: setypes.h:1178
SecurityInformation
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1339
_SE_EXPORTS::SeSystemEnvironmentPrivilege
LUID SeSystemEnvironmentPrivilege
Definition: setypes.h:1161
_SE_EXPORTS::SeProfileSingleProcessPrivilege
LUID SeProfileSingleProcessPrivilege
Definition: setypes.h:1154
RtlLengthSid
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
_SE_EXPORTS::SeDialupSid
PSID SeDialupSid
Definition: setypes.h:1170
CODE_SEG
CODE_SEG("INIT")
Definition: Interface.c:1810
RtlValidSid
NTSYSAPI BOOLEAN NTAPI RtlValidSid(IN PSID Sid)
Definition: sid.c:21
SeAliasUsersSid
PSID SeAliasUsersSid
Definition: sid.c:44
_SE_EXPORTS::SeNetworkSid
PSID SeNetworkSid
Definition: setypes.h:1171
DIRECTORY_TRAVERSE
#define DIRECTORY_TRAVERSE
Definition: nt_native.h:1255
Status
Status
Definition: gdiplustypes.h:24
SepInitExports
static BOOLEAN SepInitExports(VOID)
Definition: semgr.c:32
TAG_SE
#define TAG_SE
Definition: tag.h:173
_SE_EXPORTS::SeAliasAccountOpsSid
PSID SeAliasAccountOpsSid
Definition: setypes.h:1179
ExpInitializationPhase
ULONG ExpInitializationPhase
Definition: init.c:66
_SE_EXPORTS::SeTcbPrivilege
LUID SeTcbPrivilege
Definition: setypes.h:1146
Flags
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170
SeCreatePagefilePrivilege
const LUID SeCreatePagefilePrivilege
Definition: priv.c:32
_SE_EXPORTS::SeImpersonatePrivilege
LUID SeImpersonatePrivilege
Definition: setypes.h:1192
ASSERT
#define ASSERT(a)
Definition: mode.c:44
_GENERIC_MAPPING
Definition: nt_native.h:564
_SE_EXPORTS::SeRemoteShutdownPrivilege
LUID SeRemoteShutdownPrivilege
Definition: setypes.h:1163
SeRestorePrivilege
const LUID SeRestorePrivilege
Definition: priv.c:35
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
PSECURITY_INFORMATION
DWORD * PSECURITY_INFORMATION
Definition: ms-dtyp.idl:311
POOL_TYPE
INT POOL_TYPE
Definition: typedefs.h:78
Index
_In_ WDFCOLLECTION _In_ ULONG Index
Definition: wdfcollection.h:179
SeDefaultObjectMethod
NTSTATUS NTAPI SeDefaultObjectMethod(IN PVOID Object, IN SECURITY_OPERATION_CODE OperationType, IN PSECURITY_INFORMATION SecurityInformation, IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN OUT PULONG ReturnLength OPTIONAL, IN OUT PSECURITY_DESCRIPTOR *OldSecurityDescriptor, IN POOL_TYPE PoolType, IN PGENERIC_MAPPING GenericMapping)
Definition: semgr.c:280
_SE_EXPORTS
Definition: setypes.h:1140
_SE_EXPORTS::SeCreatePermanentPrivilege
LUID SeCreatePermanentPrivilege
Definition: setypes.h:1155
SepInitializationPhase1
BOOLEAN NTAPI SepInitializationPhase1(VOID)
Definition: semgr.c:143
Type
Type
Definition: Type.h:6
SACL_SECURITY_INFORMATION
#define SACL_SECURITY_INFORMATION
Definition: setypes.h:126
WRITE_DAC
#define WRITE_DAC
Definition: nt_native.h:59
SeLocalServiceSid
PSID SeLocalServiceSid
Definition: sid.c:54
_Inout_
#define _Inout_
Definition: no_sal2.h:162
SeChangeNotifyPrivilege
static const LUID SeChangeNotifyPrivilege
Definition: authpackage.c:167
ObInitializeFastReference
VOID FASTCALL ObInitializeFastReference(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:107
SeCreateGlobalPrivilege
static const LUID SeCreateGlobalPrivilege
Definition: authpackage.c:168
READ_CONTROL
#define READ_CONTROL
Definition: nt_native.h:58
ExAllocatePoolWithTag
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
SeSetSecurityAccessMask
VOID NTAPI SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation, OUT PACCESS_MASK DesiredAccess)
Definition: semgr.c:360
SeRmInitPhase0
BOOLEAN NTAPI SeRmInitPhase0(VOID)
Definition: srm.c:173
SeAliasAdminsSid
PSID SeAliasAdminsSid
Definition: sid.c:43
L
static const WCHAR L[]
Definition: oid.c:1250
_SE_EXPORTS::SeLocalServiceSid
PSID SeLocalServiceSid
Definition: setypes.h:1189
SeCreatorOwnerSid
PSID SeCreatorOwnerSid
Definition: sid.c:29
OBJ_PERMANENT
#define OBJ_PERMANENT
Definition: winternl.h:226
ObQuerySecurityDescriptorInfo
NTSTATUS NTAPI ObQuerySecurityDescriptorInfo(IN PVOID Object, IN PSECURITY_INFORMATION SecurityInformation, OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN OUT PULONG Length, IN PSECURITY_DESCRIPTOR *OutputSecurityDescriptor)
Definition: obsecure.c:85
SidInTokenCalls
ULONG SidInTokenCalls
Definition: semgr.c:22
SeLockMemoryPrivilege
const LUID SeLockMemoryPrivilege
Definition: priv.c:21
SeProfileSingleProcessPrivilege
const LUID SeProfileSingleProcessPrivilege
Definition: priv.c:30
SeWorldSid
PSID SeWorldSid
Definition: sid.c:27
SeIncreaseBasePriorityPrivilege
const LUID SeIncreaseBasePriorityPrivilege
Definition: priv.c:31
SeReportSecurityEvent
NTSTATUS NTAPI SeReportSecurityEvent(_In_ ULONG Flags, _In_ PUNICODE_STRING SourceName, _In_opt_ PSID UserSid, _In_ PSE_ADT_PARAMETER_ARRAY AuditParameters)
Definition: semgr.c:383
SeLocalSid
PSID SeLocalSid
Definition: sid.c:28
SeAliasGuestsSid
PSID SeAliasGuestsSid
Definition: sid.c:45
Object
_Must_inspect_result_ _In_ WDFCOLLECTION _In_ WDFOBJECT Object
Definition: wdfcollection.h:120
SeTcbPrivilege
const LUID SeTcbPrivilege
Definition: priv.c:24
ObDeassignSecurity
NTSTATUS NTAPI ObDeassignSecurity(IN OUT PSECURITY_DESCRIPTOR *SecurityDescriptor)
Definition: obsecure.c:60
_In_
#define _In_
Definition: no_sal2.h:158
_SE_EXPORTS::SeCreateGlobalPrivilege
LUID SeCreateGlobalPrivilege
Definition: setypes.h:1193
_SE_EXPORTS::SeBackupPrivilege
LUID SeBackupPrivilege
Definition: setypes.h:1156
GenericMapping
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
_SE_EXPORTS::SeIncreaseBasePriorityPrivilege
LUID SeIncreaseBasePriorityPrivilege
Definition: setypes.h:1151
_UNICODE_STRING
Definition: env_spec_w32.h:368
_SE_EXPORTS::SeAliasUsersSid
PSID SeAliasUsersSid
Definition: setypes.h:1176
SeShutdownPrivilege
const LUID SeShutdownPrivilege
Definition: priv.c:36
ObInsertObject
NTSTATUS NTAPI ObInsertObject(IN PVOID Object, IN PACCESS_STATE AccessState OPTIONAL, IN ACCESS_MASK DesiredAccess, IN ULONG ObjectPointerBias, OUT PVOID *NewObject OPTIONAL, OUT PHANDLE Handle)
Definition: obhandle.c:2931
SeAliasPowerUsersSid
PSID SeAliasPowerUsersSid
Definition: sid.c:46
_SE_EXPORTS::SeSystemtimePrivilege
LUID SeSystemtimePrivilege
Definition: setypes.h:1153
SeDialupSid
PSID SeDialupSid
Definition: sid.c:34
_SE_EXPORTS::SeCreatorOwnerSid
PSID SeCreatorOwnerSid
Definition: setypes.h:1167
SeAliasSystemOpsSid
PSID SeAliasSystemOpsSid
Definition: sid.c:48
DIRECTORY_ALL_ACCESS
#define DIRECTORY_ALL_ACCESS
Definition: nt_native.h:1259
_SE_EXPORTS::SeSyncAgentPrivilege
LUID SeSyncAgentPrivilege
Definition: setypes.h:1187
SeInitSystem
BOOLEAN NTAPI SeInitSystem(VOID)
Definition: semgr.c:251
OWNER_SECURITY_INFORMATION
#define OWNER_SECURITY_INFORMATION
Definition: setypes.h:123
PULONG
unsigned int * PULONG
Definition: retypes.h:1
NULL
#define NULL
Definition: types.h:112
SourceName
WCHAR SourceName[256]
Definition: arping.c:28
ObAssignObjectSecurityDescriptor
NTSTATUS NTAPI ObAssignObjectSecurityDescriptor(IN PVOID Object, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN POOL_TYPE PoolType)
Definition: obsecure.c:20
_SECURITY_SUBJECT_CONTEXT
Definition: setypes.h:189
SeSecurityPrivilege
const LUID SeSecurityPrivilege
Definition: priv.c:25
_SE_EXPORTS::SeNtAuthoritySid
PSID SeNtAuthoritySid
Definition: setypes.h:1169
ACL_REVISION
#define ACL_REVISION
Definition: setypes.h:39
CT_ACTIVE_IMPERSONATION_INFO_BIT
#define CT_ACTIVE_IMPERSONATION_INFO_BIT
Definition: pstypes.h:241
_SE_EXPORTS::SeAuditPrivilege
LUID SeAuditPrivilege
Definition: setypes.h:1160
SeLocalSystemSid
PSID SeLocalSystemSid
Definition: sid.c:40
_SE_EXPORTS::SeRestrictedSid
PSID SeRestrictedSid
Definition: setypes.h:1184
OUT
#define OUT
Definition: typedefs.h:40
PoolType
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ _Strict_type_match_ POOL_TYPE PoolType
Definition: wdfdevice.h:3810
ERESOURCE
ULONG ERESOURCE
Definition: env_spec_w32.h:594
SeNetworkSid
PSID SeNetworkSid
Definition: sid.c:35
ULONG
unsigned int ULONG
Definition: retypes.h:1
SeSetAuditParameter
_Const_ NTSTATUS NTAPI SeSetAuditParameter(_Inout_ PSE_ADT_PARAMETER_ARRAY AuditParameters, _In_ SE_ADT_PARAMETER_TYPE Type, _In_range_(<, SE_MAX_AUDIT_PARAMETERS) ULONG Index, _In_reads_(_Inexpressible_("depends on SE_ADT_PARAMETER_TYPE")) PVOID Data)
Definition: semgr.c:453
PACCESS_MASK
ACCESS_MASK * PACCESS_MASK
Definition: nt_native.h:41
SeAnonymousLogonToken
PTOKEN SeAnonymousLogonToken
Definition: semgr.c:18
DIRECTORY_QUERY
#define DIRECTORY_QUERY
Definition: nt_native.h:1254
RtlInitUnicodeString
NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
UNIMPLEMENTED
#define UNIMPLEMENTED
Definition: debug.h:115
InitializeObjectAttributes
#define InitializeObjectAttributes(p, n, a, r, s)
Definition: reg.c:106
_TOKEN::UserAndGroups
PSID_AND_ATTRIBUTES UserAndGroups
Definition: setypes.h:215
SeUnsolicitedInputPrivilege
const LUID SeUnsolicitedInputPrivilege
Definition: priv.c:23
MAX_FAST_REFS
#define MAX_FAST_REFS
Definition: ex.h:131
_SE_EXPORTS::SeIncreaseQuotaPrivilege
LUID SeIncreaseQuotaPrivilege
Definition: setypes.h:1144
_SE_EXPORTS::SeTakeOwnershipPrivilege
LUID SeTakeOwnershipPrivilege
Definition: setypes.h:1148
SeInteractiveSid
PSID SeInteractiveSid
Definition: sid.c:37
SeBatchSid
PSID SeBatchSid
Definition: sid.c:36
SeAnonymousLogonSid
PSID SeAnonymousLogonSid
Definition: se.h:155
_SE_EXPORTS::SeAssignPrimaryTokenPrivilege
LUID SeAssignPrimaryTokenPrivilege
Definition: setypes.h:1142
_SE_EXPORTS::SeWorldSid
PSID SeWorldSid
Definition: setypes.h:1165
_SE_EXPORTS::SeRestorePrivilege
LUID SeRestorePrivilege
Definition: setypes.h:1157
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65
ExFreePoolWithTag
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
_SE_EXPORTS::SeLocalSid
PSID SeLocalSid
Definition: setypes.h:1166
SeUndockPrivilege
const LUID SeUndockPrivilege
Definition: priv.c:42
_In_reads_
#define _In_reads_(s)
Definition: no_sal2.h:168
_TOKEN
Definition: setypes.h:197
SepSubjectContextLock
ERESOURCE SepSubjectContextLock
Definition: access.c:19
_SE_EXPORTS::SeCreatorGroupSid
PSID SeCreatorGroupSid
Definition: setypes.h:1168
SepCreateSystemAnonymousLogonTokenNoEveryone
PTOKEN SepCreateSystemAnonymousLogonTokenNoEveryone(VOID)
Creates the anonymous logon token for the system. This kind of token doesn't include the everyone SID...
Definition: token.c:1726
SeNullSid
PSID SeNullSid
Definition: sid.c:26
SeAuditPrivilege
const LUID SeAuditPrivilege
Definition: priv.c:38
_SE_EXPORTS::SeSystemProfilePrivilege
LUID SeSystemProfilePrivilege
Definition: setypes.h:1152
_SE_EXPORTS::SeCreatePagefilePrivilege
LUID SeCreatePagefilePrivilege
Definition: setypes.h:1150
SECURITY_OPERATION_CODE
SECURITY_OPERATION_CODE
Definition: setypes.h:142
KeBugCheckEx
VOID NTAPI KeBugCheckEx(_In_ ULONG BugCheckCode, _In_ ULONG_PTR BugCheckParameter1, _In_ ULONG_PTR BugCheckParameter2, _In_ ULONG_PTR BugCheckParameter3, _In_ ULONG_PTR BugCheckParameter4)
Definition: rtlcompat.c:108
DACL_SECURITY_INFORMATION
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125
_SE_EXPORTS::SeAliasPrintOpsSid
PSID SeAliasPrintOpsSid
Definition: setypes.h:1181
_SE_EXPORTS::SeLocalSystemSid
PSID SeLocalSystemSid
Definition: setypes.h:1174
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89
SepInitSDs
BOOLEAN NTAPI SepInitSDs(VOID)
Definition: sd.c:31
SeImpersonatePrivilege
static const LUID SeImpersonatePrivilege
Definition: authpackage.c:169
_SE_EXPORTS::SeInteractiveSid
PSID SeInteractiveSid
Definition: setypes.h:1173
_SE_EXPORTS::SeCreateTokenPrivilege
LUID SeCreateTokenPrivilege
Definition: setypes.h:1141
EventHandle
_Out_ PHANDLE EventHandle
Definition: iofuncs.h:857
OPTIONAL
PULONG MinorVersion OPTIONAL
Definition: CrossNt.h:68