ReactOS 0.4.16-dev-753-g705a985
|
#include <ntoskrnl.h>
#include <debug.h>
Go to the source code of this file.
Classes | |
struct | _SID_VALIDATE |
Macros | |
#define | NDEBUG |
#define | SE_MAXIMUM_GROUP_LIMIT 0x1000 |
Typedefs | |
typedef struct _SID_VALIDATE | SID_VALIDATE |
typedef struct _SID_VALIDATE * | PSID_VALIDATE |
Functions | |
VOID NTAPI | FreeInitializedSids (VOID) |
Frees all the known initialized SIDs in the system from the memory. | |
BOOLEAN NTAPI | SepInitSecurityIDs (VOID) |
Initializes all the SIDs known in the system. | |
NTSTATUS NTAPI | SepCaptureSid (_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid) |
Captures a SID. | |
VOID NTAPI | SepReleaseSid (_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel) |
Releases a captured SID. | |
BOOLEAN NTAPI | SepSidInTokenEx (_In_ PACCESS_TOKEN _Token, _In_ PSID PrincipalSelfSid, _In_ PSID _Sid, _In_ BOOLEAN Deny, _In_ BOOLEAN Restricted) |
Checks if a SID is present in a token. | |
BOOLEAN NTAPI | SepSidInToken (_In_ PACCESS_TOKEN _Token, _In_ PSID Sid) |
Checks if a SID is present in a token. | |
PSID NTAPI | SepGetSidFromAce (_In_ PACE Ace) |
Captures a security identifier from a given access control entry. This identifier is valid for the whole of its lifetime. | |
NTSTATUS NTAPI | SeCaptureSidAndAttributesArray (_In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes, _In_ ULONG AttributeCount, _In_ KPROCESSOR_MODE PreviousMode, _In_opt_ PVOID AllocatedMem, _In_ ULONG AllocatedLength, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes, _Out_ PULONG ResultLength) |
Captures a SID with attributes. | |
VOID NTAPI | SeReleaseSidAndAttributesArray (_In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel) |
Releases a captured SID with attributes. | |
typedef struct _SID_VALIDATE * PSID_VALIDATE |
typedef struct _SID_VALIDATE SID_VALIDATE |
Frees all the known initialized SIDs in the system from the memory.
Definition at line 72 of file sid.c.
Referenced by SepInitSecurityIDs().
NTSTATUS NTAPI SeCaptureSidAndAttributesArray | ( | _In_ PSID_AND_ATTRIBUTES | SrcSidAndAttributes, |
_In_ ULONG | AttributeCount, | ||
_In_ KPROCESSOR_MODE | PreviousMode, | ||
_In_opt_ PVOID | AllocatedMem, | ||
_In_ ULONG | AllocatedLength, | ||
_In_ POOL_TYPE | PoolType, | ||
_In_ BOOLEAN | CaptureIfKernel, | ||
_Out_ PSID_AND_ATTRIBUTES * | CapturedSidAndAttributes, | ||
_Out_ PULONG | ResultLength | ||
) |
Captures a SID with attributes.
[in] | SrcSidAndAttributes | Source of the SID with attributes to be captured. |
[in] | AttributeCount | The number count of attributes, in total. |
[in] | PreviousMode | Processor access level mode. |
[in] | AllocatedMem | The allocated memory buffer for the captured SID. If the caller supplies no allocated block of memory then the function will allocate some buffer block of memory for the captured SID automatically. |
[in] | AllocatedLength | The length of the buffer that points to the allocated memory, in bytes. |
[in] | PoolType | The pool type for the captured SID and attributes to assign. |
[in] | CaptureIfKernel | If set to TRUE, the capturing is done within the kernel. Otherwise the capturing is done in a kernel mode driver. |
[out] | CapturedSidAndAttributes | The captured SID and attributes. |
[out] | ResultLength | The length of the captured SID and attributes, in bytes. |
For this reason, the logic of copying the SIDs and their attributes into a new buffer goes like this: first, allocate a buffer array that just holds the lengths and subauthority count of each SID. Such information is copied in the first loop. Then in a second loop, iterate over the array with SID provided and copy them into the final array. The moment we're doing this, validate the lengths of each SID basing upon the captured lengths we've got before. In this way we ensure that the SIDs have remained intact. The validation checks are done in user mode as a general rule that we just cannot trust UM and whatever data is coming from it.
Definition at line 693 of file sid.c.
Referenced by NtAdjustGroupsToken(), NtCreateToken(), and NtFilterToken().
NTSTATUS NTAPI SepCaptureSid | ( | _In_ PSID | InputSid, |
_In_ KPROCESSOR_MODE | AccessMode, | ||
_In_ POOL_TYPE | PoolType, | ||
_In_ BOOLEAN | CaptureIfKernel, | ||
_Out_ PSID * | CapturedSid | ||
) |
Captures a SID.
[in] | InputSid | A valid security identifier to be captured. |
[in] | AccessMode | Processor level access mode. |
[in] | PoolType | Pool memory type for the captured SID to assign upon allocation. |
[in] | CaptureIfKernel | If set to TRUE, the capturing is done within the kernel. Otherwise the capturing is done in a kernel mode driver. |
[out] | CapturedSid | The captured security identifier, returned to the caller. |
Definition at line 314 of file sid.c.
Referenced by NtCreateToken(), NtSecureConnectPort(), NtSetInformationToken(), SepAccessCheck(), and SepAccessCheckAndAuditAlarm().
Captures a security identifier from a given access control entry. This identifier is valid for the whole of its lifetime.
[in] | Ace | A pointer to an access control entry, which can be obtained from a DACL. |
Definition at line 572 of file sid.c.
Referenced by SepAnalyzeAcesFromDacl().
Initializes all the SIDs known in the system.
Definition at line 115 of file sid.c.
Referenced by SepInitializationPhase0().
VOID NTAPI SepReleaseSid | ( | _In_ PSID | CapturedSid, |
_In_ KPROCESSOR_MODE | AccessMode, | ||
_In_ BOOLEAN | CaptureIfKernel | ||
) |
Releases a captured SID.
[in] | CapturedSid | The captured SID to be released. |
[in] | AccessMode | Processor level access mode. |
[in] | CaptureIfKernel | If set to TRUE, the releasing is done within the kernel. Otherwise the releasing is done in a kernel mode driver. |
Definition at line 400 of file sid.c.
Referenced by NtCreateToken(), NtSecureConnectPort(), NtSetInformationToken(), SepAccessCheck(), and SepAccessCheckAndAuditAlarm().
Checks if a SID is present in a token.
Definition at line 547 of file sid.c.
Referenced by SepTokenIsOwner().
BOOLEAN NTAPI SepSidInTokenEx | ( | _In_ PACCESS_TOKEN | _Token, |
_In_ PSID | PrincipalSelfSid, | ||
_In_ PSID | _Sid, | ||
_In_ BOOLEAN | Deny, | ||
_In_ BOOLEAN | Restricted | ||
) |
Checks if a SID is present in a token.
[in] | _Token | A valid token object. |
[in] | PrincipalSelfSid | A principal self SID. |
[in] | _Sid | A regular SID. |
[in] | Deny | If set to TRUE, the caller expected that a SID in a token must be a deny-only SID, that is, access checks are performed only for deny-only ACEs of the said SID. |
[in] | Restricted | If set to TRUE, the caller expects that a SID in a token is restricted (by the general definition, a token is restricted). |
Definition at line 443 of file sid.c.
Referenced by SepAnalyzeAcesFromDacl(), SepSidInToken(), and SepTokenIsOwner().
VOID NTAPI SeReleaseSidAndAttributesArray | ( | _In_ _Post_invalid_ PSID_AND_ATTRIBUTES | CapturedSidAndAttributes, |
_In_ KPROCESSOR_MODE | AccessMode, | ||
_In_ BOOLEAN | CaptureIfKernel | ||
) |
Releases a captured SID with attributes.
[in] | CapturedSidAndAttributes | The captured SID with attributes to be released. |
[in] | AccessMode | Processor access level mode. |
[in] | CaptureIfKernel | If set to TRUE, the releasing is done within the kernel. Otherwise the releasing is done in a kernel mode driver. |
Definition at line 976 of file sid.c.
Referenced by NtAdjustGroupsToken(), NtCreateToken(), and NtFilterToken().
Definition at line 45 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 41 of file sid.c.
Referenced by FreeInitializedSids(), IopCreateDefaultDeviceSecurityDescriptor(), MiCreateMemoryEvent(), NtCreatePagingFile(), ObpCreateKernelObjectsSD(), ObpGetDosDevicesProtection(), SepCreateImpersonationTokenDacl(), SepCreateSystemProcessToken(), SepCreateToken(), SepDuplicateToken(), SepInitDACLs(), SepInitExports(), SepInitializationPhase1(), SepInitSecurityIDs(), and SepPerformTokenFiltering().
Definition at line 48 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 43 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 44 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 47 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 46 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 42 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 51 of file sid.c.
Referenced by FreeInitializedSids(), SepCreateSystemAnonymousLogonToken(), SepCreateSystemAnonymousLogonTokenNoEveryone(), SepInitDACLs(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 39 of file sid.c.
Referenced by FreeInitializedSids(), and SepInitSecurityIDs().
Definition at line 49 of file sid.c.
Referenced by FreeInitializedSids(), SepCreateSystemProcessToken(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 34 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 30 of file sid.c.
Referenced by FreeInitializedSids(), and SepInitSecurityIDs().
Definition at line 28 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), SepInitSecurityIDs(), and SepPropagateAcl().
Definition at line 29 of file sid.c.
Referenced by FreeInitializedSids(), and SepInitSecurityIDs().
Definition at line 27 of file sid.c.
Referenced by FreeInitializedSids(), ObpGetDosDevicesProtection(), SepInitExports(), SepInitSecurityIDs(), and SepPropagateAcl().
SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority = {SECURITY_CREATOR_SID_AUTHORITY} |
Definition at line 21 of file sid.c.
Referenced by SepInitSecurityIDs().
Definition at line 32 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 35 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 52 of file sid.c.
Referenced by SepInitExports(), and SepInitSecurityIDs().
Definition at line 26 of file sid.c.
Referenced by FreeInitializedSids(), SepCreateSystemProcessToken(), SepInitExports(), and SepInitSecurityIDs().
SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority = {SECURITY_LOCAL_SID_AUTHORITY} |
Definition at line 20 of file sid.c.
Referenced by SepInitSecurityIDs().
Definition at line 38 of file sid.c.
Referenced by FreeInitializedSids(), MiCreateMemoryEvent(), NtCreatePagingFile(), ObpCreateKernelObjectsSD(), ObpGetDosDevicesProtection(), SepCreateImpersonationTokenDacl(), SepCreateSystemProcessToken(), SepInitDACLs(), SepInitExports(), SepInitializationPhase1(), SepInitSecurityIDs(), and SePrivilegedServiceAuditAlarm().
Definition at line 53 of file sid.c.
Referenced by SepInitExports(), and SepInitSecurityIDs().
Definition at line 33 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 31 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
SID_IDENTIFIER_AUTHORITY SeNtSidAuthority = {SECURITY_NT_AUTHORITY} |
Definition at line 22 of file sid.c.
Referenced by SepInitSecurityIDs().
Definition at line 24 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
SID_IDENTIFIER_AUTHORITY SeNullSidAuthority = {SECURITY_NULL_SID_AUTHORITY} |
Definition at line 18 of file sid.c.
Referenced by SepInitSecurityIDs().
Definition at line 37 of file sid.c.
Referenced by FreeInitializedSids(), SepInitSecurityIDs(), and SepSidInTokenEx().
Definition at line 40 of file sid.c.
Referenced by FreeInitializedSids(), SepCreateImpersonationTokenDacl(), SepInitDACLs(), and SepInitSecurityIDs().
Definition at line 50 of file sid.c.
Referenced by FreeInitializedSids(), SepInitExports(), and SepInitSecurityIDs().
Definition at line 36 of file sid.c.
Referenced by FreeInitializedSids(), and SepInitSecurityIDs().
Definition at line 25 of file sid.c.
Referenced by CmpQuerySecurityDescriptor(), FreeInitializedSids(), IopCreateDefaultDeviceSecurityDescriptor(), MiCreateMemoryEvent(), ObpCreateKernelObjectsSD(), ObpGetDosDevicesProtection(), SeFastTraverseCheck(), SepCreateSystemAnonymousLogonToken(), SepCreateSystemProcessToken(), SepInitDACLs(), SepInitExports(), SepInitializationPhase1(), SepInitSecurityIDs(), and SeSetWorldSecurityDescriptor().
SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY} |
Definition at line 19 of file sid.c.
Referenced by SepInitSecurityIDs().