ReactOS  0.4.15-dev-2765-g10e48fa
acl.c File Reference
#include <ntoskrnl.h>
#include <debug.h>


Macros

#define NDEBUG
 

Functions

BOOLEAN NTAPI SepInitDACLs (VOID)
 
NTSTATUS NTAPI SepCreateImpersonationTokenDacl (_In_ PTOKEN Token, _In_ PTOKEN PrimaryToken, _Out_ PACL *Dacl)
 
NTSTATUS NTAPI SepCaptureAcl (IN PACL InputAcl, IN KPROCESSOR_MODE AccessMode, IN POOL_TYPE PoolType, IN BOOLEAN CaptureIfKernel, OUT PACL *CapturedAcl)
 
VOID NTAPI SepReleaseAcl (IN PACL CapturedAcl, IN KPROCESSOR_MODE AccessMode, IN BOOLEAN CaptureIfKernel)
 
BOOLEAN SepShouldPropagateAce (_In_ UCHAR AceFlags, _Out_ PUCHAR NewAceFlags, _In_ BOOLEAN IsInherited, _In_ BOOLEAN IsDirectoryObject)
 
NTSTATUS SepPropagateAcl (_Out_writes_bytes_opt_(AclLength) PACL AclDest, _Inout_ PULONG AclLength, _In_reads_bytes_(AclSource->AclSize) PACL AclSource, _In_ PSID Owner, _In_ PSID Group, _In_ BOOLEAN IsInherited, _In_ BOOLEAN IsDirectoryObject, _In_ PGENERIC_MAPPING GenericMapping)
 
PACL SepSelectAcl (_In_opt_ PACL ExplicitAcl, _In_ BOOLEAN ExplicitPresent, _In_ BOOLEAN ExplicitDefaulted, _In_opt_ PACL ParentAcl, _In_opt_ PACL DefaultAcl, _Out_ PULONG AclLength, _In_ PSID Owner, _In_ PSID Group, _Out_ PBOOLEAN AclPresent, _Out_ PBOOLEAN IsInherited, _In_ BOOLEAN IsDirectoryObject, _In_ PGENERIC_MAPPING GenericMapping)
 

Variables

PACL SePublicDefaultDacl = NULL
 
PACL SeSystemDefaultDacl = NULL
 
PACL SePublicDefaultUnrestrictedDacl = NULL
 
PACL SePublicOpenDacl = NULL
 
PACL SePublicOpenUnrestrictedDacl = NULL
 
PACL SeUnrestrictedDacl = NULL
 
PACL SeSystemAnonymousLogonDacl = NULL
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 13 of file acl.c.

Function Documentation

◆ SepCaptureAcl()

NTSTATUS NTAPI SepCaptureAcl ( IN PACL  InputAcl,
IN KPROCESSOR_MODE  AccessMode,
IN POOL_TYPE  PoolType,
IN BOOLEAN  CaptureIfKernel,
OUT PACL *  CapturedAcl 
)

Definition at line 299 of file acl.c.

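/*
 * Captures an ACL so that later security code works on a stable copy instead
 * of on memory the caller can still modify.
 *
 * InputAcl        - ACL supplied by the caller; a user-mode address when
 *                   AccessMode is not KernelMode.
 * AccessMode      - Processor mode of the caller that supplied InputAcl.
 * PoolType        - Pool type used for the private copy.
 * CaptureIfKernel - For kernel-mode callers, TRUE forces a copy and FALSE
 *                   hands InputAcl back unchanged.
 * CapturedAcl     - Receives the captured ACL on success.
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when the pool
 * allocation fails, STATUS_INVALID_ACL when a user-mode ACL is malformed, or
 * the exception code raised while probing or copying user memory.
 *
 * A copy made here must be released with SepReleaseAcl using the same
 * AccessMode and CaptureIfKernel values.
 *
 * NOTE(review): listing lines 307, 323, 326, 330, 343, 347, 353, 364 and 378
 * are absent from the rendered page; they are restored here from the page's
 * symbol cross-reference list.
 */
NTSTATUS
NTAPI
SepCaptureAcl(IN PACL InputAcl,
              IN KPROCESSOR_MODE AccessMode,
              IN POOL_TYPE PoolType,
              IN BOOLEAN CaptureIfKernel,
              OUT PACL *CapturedAcl)
{
    PACL NewAcl;
    ULONG AclSize = 0;
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    if (AccessMode != KernelMode)
    {
        _SEH2_TRY
        {
            /* Probe the fixed header first so AclSize can be read safely */
            ProbeForRead(InputAcl,
                         sizeof(ACL),
                         sizeof(ULONG));
            AclSize = InputAcl->AclSize;
            ProbeForRead(InputAcl,
                         AclSize,
                         sizeof(ULONG));
        }
        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
        {
            /* Return the exception code */
            _SEH2_YIELD(return _SEH2_GetExceptionCode());
        }
        _SEH2_END;

        /*
         * A size below the ACL header would give an allocation too small to
         * hold the fields every consumer reads (and a zero-length probe checks
         * nothing), so reject it before allocating.
         */
        if (AclSize < sizeof(ACL))
        {
            return STATUS_INVALID_ACL;
        }

        NewAcl = ExAllocatePoolWithTag(PoolType,
                                       AclSize,
                                       TAG_ACL);
        if (NewAcl == NULL)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        _SEH2_TRY
        {
            RtlCopyMemory(NewAcl,
                          InputAcl,
                          AclSize);
        }
        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
        {
            /* Free the ACL and return the exception code */
            ExFreePoolWithTag(NewAcl, TAG_ACL);
            _SEH2_YIELD(return _SEH2_GetExceptionCode());
        }
        _SEH2_END;

        /*
         * The user buffer is read twice: once for AclSize above and again by
         * the copy. Another thread can change the header in between, so the
         * AclSize stored in the copy may not match the allocation. Check the
         * copy itself, size first, because RtlValidAcl trusts the header size
         * when it walks the ACEs.
         */
        if (NewAcl->AclSize != AclSize || !RtlValidAcl(NewAcl))
        {
            ExFreePoolWithTag(NewAcl, TAG_ACL);
            return STATUS_INVALID_ACL;
        }

        *CapturedAcl = NewAcl;
    }
    else if (!CaptureIfKernel)
    {
        /* Kernel caller asked for no copy: the caller keeps ownership */
        *CapturedAcl = InputAcl;
    }
    else
    {
        /* Kernel memory is trusted, so no probing or SEH is needed here */
        AclSize = InputAcl->AclSize;

        NewAcl = ExAllocatePoolWithTag(PoolType,
                                       AclSize,
                                       TAG_ACL);

        if (NewAcl != NULL)
        {
            RtlCopyMemory(NewAcl,
                          InputAcl,
                          AclSize);

            *CapturedAcl = NewAcl;
        }
        else
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
        }
    }

    return Status;
}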
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
LONG NTSTATUS
Definition: precomp.h:26
_SEH2_TRY
Definition: create.c:4226
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:395
Status
Definition: gdiplustypes.h:24
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
#define TAG_ACL
Definition: tag.h:174
_SEH2_END
Definition: create.c:4400
#define NULL
Definition: types.h:112
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ _Strict_type_match_ POOL_TYPE PoolType
Definition: wdfdevice.h:3810
unsigned int ULONG
Definition: retypes.h:1
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
#define STATUS_SUCCESS
Definition: shellext.h:65
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
#define PAGED_CODE()

Referenced by NtCreateToken(), and NtSetInformationToken().

◆ SepCreateImpersonationTokenDacl()

NTSTATUS NTAPI SepCreateImpersonationTokenDacl ( _In_ PTOKEN  Token,
_In_ PTOKEN  PrimaryToken,
_Out_ PACL *  Dacl 
)

Definition at line 251 of file acl.c.

/*
 * Builds the DACL for an impersonation token and hands it back through *Dacl.
 * The buffer is sized for one ACE each for the administrators alias, local
 * system, restricted code, the first SID of Token and the first SID of
 * PrimaryToken.
 *
 * NOTE(review): listing lines 256, 270, 273, 277, 279, 281-284 and 288-289 are
 * absent from this page. The page's symbol list names ExAllocatePoolWithTag,
 * RtlAddAccessAllowedAce, GENERIC_ALL and STATUS_INSUFFICIENT_RESOURCES, which
 * presumably sit on those lines; confirm against the source file.
 */
255 {
257  PACL TokenDacl;
258 
259  PAGED_CODE();
260 
    /* Clear the out parameter first so an early return never leaves it stale. */
261  *Dacl = NULL;
262 
    /*
     * Space for five ACEs is always reserved, including the restricted-code
     * ACE that is only added when one of the tokens has restricted SIDs.
     * NOTE(review): UserAndGroups->Sid is dereferenced without a NULL check;
     * presumably entry 0 is always the token user - confirm.
     */
263  AclLength = sizeof(ACL) +
264  (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
265  (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
266  (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
267  (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
268  (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));
269 
271  if (TokenDacl == NULL)
272  {
274  }
275 
    /*
     * The NTSTATUS from RtlCreateAcl is discarded. If it failed, the buffer
     * would still be returned below with STATUS_SUCCESS while holding
     * uninitialised pool contents.
     */
276  RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
278  Token->UserAndGroups->Sid);
280  PrimaryToken->UserAndGroups->Sid);
285 
    /* Extra ACE only when either token carries restricted SIDs. */
286  if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
287  {
290  }
291 
    /* Ownership of the buffer passes to the caller (presumably freed with TAG_ACL - confirm). */
292  *Dacl = TokenDacl;
293 
294  return STATUS_SUCCESS;
295 }
#define GENERIC_ALL
Definition: nt_native.h:92
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
PSID SeRestrictedCodeSid
Definition: sid.c:42
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
struct _ACL ACL
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
PSID SeAliasAdminsSid
Definition: sid.c:43
#define TAG_ACL
Definition: tag.h:174
NTSTATUS NTAPI RtlAddAccessAllowedAce(IN OUT PACL Acl, IN ULONG Revision, IN ACCESS_MASK AccessMask, IN PSID Sid)
Definition: acl.c:262
NTSTATUS NTAPI RtlCreateAcl(IN PACL Acl, IN ULONG AclSize, IN ULONG AclRevision)
Definition: acl.c:677
#define NULL
Definition: types.h:112
#define ACL_REVISION
Definition: setypes.h:39
PSID SeLocalSystemSid
Definition: sid.c:40
unsigned int ULONG
Definition: retypes.h:1
#define STATUS_SUCCESS
Definition: shellext.h:65
Definition: rtltypes.h:990
_In_ ULONG AclLength
Definition: rtlfuncs.h:1844
#define PAGED_CODE()

Referenced by NtOpenThreadTokenEx().

◆ SepInitDACLs()

BOOLEAN NTAPI SepInitDACLs ( VOID  )

Definition at line 31 of file acl.c.

/*
 * Allocates and fills the default DACLs kept in the Se*Dacl globals. Each
 * section sizes the ACL from the SIDs it will hold and returns FALSE when a
 * DACL pointer is NULL after allocation; TRUE is returned once the last
 * section has run.
 *
 * NOTE(review): many listing lines are absent from this page (for example 33,
 * 41, 44, 47, 51-53, 56-59, 61-64), among them the allocation calls, several
 * NULL checks and most access masks. The comments below describe only what is
 * visible; confirm the rest against the source file.
 *
 * NOTE(review): an early FALSE return does not free DACLs allocated by the
 * earlier sections. Presumably acceptable because the only listed caller is
 * SepInitializationPhase0 - confirm.
 */
32 {
34 
35  /* create PublicDefaultDacl */
    /* Sized for three ACEs: world, local system, administrators. */
36  AclLength = sizeof(ACL) +
37  (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
38  (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
39  (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
40 
42  AclLength,
43  TAG_ACL);
45  return FALSE;
46 
48  AclLength,
49  ACL_REVISION);
50 
54  SeWorldSid);
55 
60 
65 
66  /* create PublicDefaultUnrestrictedDacl */
    /* The fourth term of this sum (listing line 71) is missing from the page. */
67  AclLength = sizeof(ACL) +
68  (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
69  (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
70  (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
72 
74  AclLength,
75  TAG_ACL);
77  return FALSE;
78 
80  AclLength,
81  ACL_REVISION);
82 
86  SeWorldSid);
87 
92 
97 
102 
103  /* create PublicOpenDacl */
104  AclLength = sizeof(ACL) +
105  (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
106  (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
107  (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
108 
110  AclLength,
111  TAG_ACL);
112  if (SePublicOpenDacl == NULL)
113  return FALSE;
114 
116  AclLength,
117  ACL_REVISION);
118 
    /* The access mask for the world SID (listing line 121) is missing from the page. */
120  ACL_REVISION,
122  SeWorldSid);
123 
125  ACL_REVISION,
126  GENERIC_ALL,
128 
130  ACL_REVISION,
131  GENERIC_ALL,
133 
134  /* create PublicOpenUnrestrictedDacl */
135  AclLength = sizeof(ACL) +
136  (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
137  (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
138  (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
139  (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
140 
142  AclLength,
143  TAG_ACL);
145  return FALSE;
146 
148  AclLength,
149  ACL_REVISION);
150 
    /*
     * GENERIC_ALL for the world SID: any object protected by this DACL is
     * fully accessible to every caller, so it belongs only on objects meant
     * to be open to all.
     */
152  ACL_REVISION,
153  GENERIC_ALL,
154  SeWorldSid);
155 
157  ACL_REVISION,
158  GENERIC_ALL,
160 
162  ACL_REVISION,
163  GENERIC_ALL,
165 
167  ACL_REVISION,
170 
171  /* create SystemDefaultDacl */
    /* Sized for two ACEs: local system and administrators; no world ACE. */
172  AclLength = sizeof(ACL) +
173  (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
174  (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));
175 
177  AclLength,
178  TAG_ACL);
179  if (SeSystemDefaultDacl == NULL)
180  return FALSE;
181 
183  AclLength,
184  ACL_REVISION);
185 
187  ACL_REVISION,
188  GENERIC_ALL,
190 
192  ACL_REVISION,
195 
196  /* create UnrestrictedDacl */
197  AclLength = sizeof(ACL) +
198  (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
199  (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));
200 
202  AclLength,
203  TAG_ACL);
204  if (SeUnrestrictedDacl == NULL)
205  return FALSE;
206 
208  AclLength,
209  ACL_REVISION);
210 
    /* World SID receives GENERIC_ALL here as well. */
212  ACL_REVISION,
213  GENERIC_ALL,
214  SeWorldSid);
215 
217  ACL_REVISION,
220 
221  /* create SystemAnonymousLogonDacl */
222  AclLength = sizeof(ACL) +
223  (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
224  (sizeof(ACE) + RtlLengthSid(SeAnonymousLogonSid));
225 
227  AclLength,
228  TAG_ACL);
230  return FALSE;
231 
233  AclLength,
234  ACL_REVISION);
235 
    /* World SID receives GENERIC_ALL; the SID of the second ACE (listing line 244) is missing from the page. */
237  ACL_REVISION,
238  GENERIC_ALL,
239  SeWorldSid);
240 
242  ACL_REVISION,
243  GENERIC_ALL,
245 
246  return TRUE;
247 }
#define GENERIC_ALL
Definition: nt_native.h:92
PSID SeRestrictedCodeSid
Definition: sid.c:42
#define TRUE
Definition: types.h:120
PACL SeSystemDefaultDacl
Definition: acl.c:19
PACL SePublicOpenDacl
Definition: acl.c:21
PACL SeSystemAnonymousLogonDacl
Definition: acl.c:24
PACL SePublicOpenUnrestrictedDacl
Definition: acl.c:22
#define FALSE
Definition: types.h:117
PACL SeUnrestrictedDacl
Definition: acl.c:23
#define GENERIC_WRITE
Definition: nt_native.h:90
struct _ACL ACL
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
#define READ_CONTROL
Definition: nt_native.h:58
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
PSID SeAliasAdminsSid
Definition: sid.c:43
PACL SePublicDefaultUnrestrictedDacl
Definition: acl.c:20
#define GENERIC_READ
Definition: compat.h:135
PSID SeWorldSid
Definition: sid.c:27
#define TAG_ACL
Definition: tag.h:174
PACL SePublicDefaultDacl
Definition: acl.c:18
NTSTATUS NTAPI RtlAddAccessAllowedAce(IN OUT PACL Acl, IN ULONG Revision, IN ACCESS_MASK AccessMask, IN PSID Sid)
Definition: acl.c:262
NTSTATUS NTAPI RtlCreateAcl(IN PACL Acl, IN ULONG AclSize, IN ULONG AclRevision)
Definition: acl.c:677
#define NULL
Definition: types.h:112
#define ACL_REVISION
Definition: setypes.h:39
PSID SeLocalSystemSid
Definition: sid.c:40
unsigned int ULONG
Definition: retypes.h:1
PSID SeAnonymousLogonSid
Definition: se.h:155
#define GENERIC_EXECUTE
Definition: nt_native.h:91
Definition: rtltypes.h:990
_In_ ULONG AclLength
Definition: rtlfuncs.h:1844

Referenced by SepInitializationPhase0().

◆ SepPropagateAcl()

NTSTATUS SepPropagateAcl ( _Out_writes_bytes_opt_(AclLength) PACL  AclDest,
_Inout_ PULONG  AclLength,
_In_reads_bytes_(AclSource->AclSize) PACL  AclSource,
_In_ PSID  Owner,
_In_ PSID  Group,
_In_ BOOLEAN  IsInherited,
_In_ BOOLEAN  IsDirectoryObject,
_In_ PGENERIC_MAPPING  GenericMapping 
)

Definition at line 450 of file acl.c.

/*
 * Copies the ACEs of AclSource into AclDest, applying the inheritance rules
 * decided by SepShouldPropagateAce, and reports the number of bytes the result
 * needs through *AclLength.
 *
 * The function doubles as a size query: every write is guarded by a comparison
 * of *AclLength with the running total in Written, so nothing is stored when
 * the buffer is too small, but Written keeps growing and is stored in
 * *AclLength at the end.
 *
 * NOTE(review): listing lines 460, 513, 523, 539-540, 544, 556, 591 and 606
 * are absent from this page. The symbol list names RtlMapGenericMask,
 * GenericAll, SeCreatorOwnerSid, CONTAINER_INHERIT_ACE and
 * STATUS_BUFFER_TOO_SMALL, which presumably sit on those lines.
 */
459 {
461  PACCESS_ALLOWED_ACE AceSource;
462  PACCESS_ALLOWED_ACE AceDest;
463  PUCHAR CurrentDest;
464  PUCHAR CurrentSource;
465  ULONG i;
466  ULONG Written;
467  UCHAR AceFlags;
468  USHORT AceSize;
469  USHORT AceCount = 0;
470  PSID Sid;
471  BOOLEAN WriteTwoAces;
472 
    /*
     * The source ACL is checked only through ASSERT. NOTE(review): if ASSERT
     * compiles to nothing in release builds, the loop below trusts AceCount
     * and every AceSize in AclSource as given, so callers must pass an ACL
     * that was already validated - confirm.
     */
473  ASSERT(RtlValidAcl(AclSource));
474  ASSERT(AclSource->AclSize % sizeof(ULONG) == 0);
475  ASSERT(AclSource->Sbz1 == 0);
476  ASSERT(AclSource->Sbz2 == 0);
477 
478  Written = 0;
479  if (*AclLength >= Written + sizeof(ACL))
480  {
481  RtlCopyMemory(AclDest,
482  AclSource,
483  sizeof(ACL));
484  }
485  Written += sizeof(ACL);
486 
    /* Computed even for a size query with no destination; only dereferenced behind the *AclLength guards. */
487  CurrentDest = (PUCHAR)(AclDest + 1);
488  CurrentSource = (PUCHAR)(AclSource + 1);
489  for (i = 0; i < AclSource->AceCount; i++)
490  {
491  ASSERT((ULONG_PTR)CurrentDest % sizeof(ULONG) == 0);
492  ASSERT((ULONG_PTR)CurrentSource % sizeof(ULONG) == 0);
493  AceDest = (PACCESS_ALLOWED_ACE)CurrentDest;
494  AceSource = (PACCESS_ALLOWED_ACE)CurrentSource;
495 
    /*
     * ACE types above ACCESS_MAX_MS_V2_ACE_TYPE are copied verbatim and skip
     * the SepShouldPropagateAce filter below, so they reach the destination
     * regardless of their inheritance flags.
     */
496  if (AceSource->Header.AceType > ACCESS_MAX_MS_V2_ACE_TYPE)
497  {
498  /* FIXME: handle object & compound ACEs */
499  AceSize = AceSource->Header.AceSize;
500 
501  if (*AclLength >= Written + AceSize)
502  {
503  RtlCopyMemory(AceDest, AceSource, AceSize);
504  }
505  CurrentDest += AceSize;
506  CurrentSource += AceSize;
507  Written += AceSize;
508  AceCount++;
509  continue;
510  }
511 
512  /* These all have the same structure */
514  AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE ||
515  AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE ||
516  AceSource->Header.AceType == SYSTEM_ALARM_ACE_TYPE);
517 
518  ASSERT(AceSource->Header.AceSize % sizeof(ULONG) == 0);
519  ASSERT(AceSource->Header.AceSize >= sizeof(*AceSource));
    /* An ACE that is not propagated only advances the source cursor. */
520  if (!SepShouldPropagateAce(AceSource->Header.AceFlags,
521  &AceFlags,
522  IsInherited,
524  {
525  CurrentSource += AceSource->Header.AceSize;
526  continue;
527  }
528 
529  /* FIXME: filter out duplicate ACEs */
530  AceSize = AceSource->Header.AceSize;
531  Mask = AceSource->Mask;
532  Sid = (PSID)&AceSource->SidStart;
533  ASSERT(AceSize >= FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + RtlLengthSid(Sid));
534 
535  WriteTwoAces = FALSE;
536  /* Map effective ACE to specific rights */
537  if (!(AceFlags & INHERIT_ONLY_ACE))
538  {
541 
542  if (IsInherited)
543  {
    /* The SID may be swapped for Owner or Group, so the ACE size is recomputed from the SID actually written. */
545  Sid = Owner;
546  else if (RtlEqualSid(Sid, SeCreatorGroupSid))
547  Sid = Group;
548  AceSize = FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + RtlLengthSid(Sid);
549 
550  /*
551  * A generic container ACE becomes two ACEs:
552  * - a specific effective ACE with no inheritance flags
553  * - an inherit-only ACE that keeps the generic rights
554  */
555  if (IsDirectoryObject &&
557  (Mask != AceSource->Mask || Sid != (PSID)&AceSource->SidStart))
558  {
559  WriteTwoAces = TRUE;
560  }
561  }
562  }
563 
    /* Runs once, or twice when WriteTwoAces is set: the effective ACE, then the inherit-only ACE. */
564  while (1)
565  {
566  if (*AclLength >= Written + AceSize)
567  {
568  AceDest->Header.AceType = AceSource->Header.AceType;
569  AceDest->Header.AceFlags = WriteTwoAces ? AceFlags & ~VALID_INHERIT_FLAGS
570  : AceFlags;
571  AceDest->Header.AceSize = AceSize;
572  AceDest->Mask = Mask;
573  RtlCopySid(AceSize - FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart),
574  (PSID)&AceDest->SidStart,
575  Sid);
576  }
577  Written += AceSize;
578 
579  AceCount++;
580  CurrentDest += AceSize;
581 
582  if (!WriteTwoAces)
583  break;
584 
585  /* Second ACE keeps all the generics from the source ACE */
586  WriteTwoAces = FALSE;
587  AceDest = (PACCESS_ALLOWED_ACE)CurrentDest;
588  AceSize = AceSource->Header.AceSize;
589  Mask = AceSource->Mask;
590  Sid = (PSID)&AceSource->SidStart;
592  }
593 
594  CurrentSource += AceSource->Header.AceSize;
595  }
596 
    /*
     * The header fields are stored whenever the header itself fits, even if
     * the ACEs did not. NOTE(review): Written is a ULONG; if AclSize is the
     * usual 16-bit ACL field, a result above 0xFFFF would be truncated here.
     * Splitting one ACE into two can make the output larger than the source,
     * so confirm that callers bound the size.
     */
597  if (*AclLength >= sizeof(ACL))
598  {
599  AclDest->AceCount = AceCount;
600  AclDest->AclSize = Written;
601  }
602 
    /* Buffer too small: report the required size (the return statement on listing line 606 is missing from the page). */
603  if (Written > *AclLength)
604  {
605  *AclLength = Written;
607  }
608  *AclLength = Written;
609  return STATUS_SUCCESS;
610 }
UCHAR AceFlags
Definition: ms-dtyp.idl:211
#define ACCESS_MAX_MS_V2_ACE_TYPE
Definition: setypes.h:689
#define VALID_INHERIT_FLAGS
Definition: setypes.h:719
#define TRUE
Definition: types.h:120
_In_opt_ PSECURITY_DESCRIPTOR _Out_ PSECURITY_DESCRIPTOR _In_ BOOLEAN IsDirectoryObject
Definition: sefuncs.h:29
_In_opt_ PSID Group
Definition: rtlfuncs.h:1605
unsigned char * PUCHAR
Definition: retypes.h:3
ACE_HEADER Header
Definition: ms-dtyp.idl:216
BOOLEAN SepShouldPropagateAce(_In_ UCHAR AceFlags, _Out_ PUCHAR NewAceFlags, _In_ BOOLEAN IsInherited, _In_ BOOLEAN IsDirectoryObject)
Definition: acl.c:402
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
uint32_t ULONG_PTR
Definition: typedefs.h:65
USHORT AceSize
Definition: ms-dtyp.idl:212
#define FALSE
Definition: types.h:117
PSID SeCreatorGroupSid
Definition: sid.c:30
unsigned char BOOLEAN
struct _ACL ACL
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
#define CONTAINER_INHERIT_ACE
Definition: setypes.h:715
#define ASSERT(a)
Definition: mode.c:44
BOOLEAN NTAPI RtlValidAcl(IN PACL Acl)
Definition: acl.c:837
#define ACCESS_ALLOWED_ACE_TYPE
Definition: setypes.h:685
#define ACCESS_DENIED_ACE_TYPE
Definition: setypes.h:686
struct _SID * PSID
Definition: eventlog.c:35
unsigned char UCHAR
Definition: xmlstorage.h:181
UCHAR AceType
Definition: ms-dtyp.idl:210
PSID SeCreatorOwnerSid
Definition: sid.c:29
NTSYSAPI BOOLEAN WINAPI RtlCopySid(DWORD, PSID, PSID)
processorSet Mask
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
#define SYSTEM_ALARM_ACE_TYPE
Definition: setypes.h:688
struct _ACCESS_ALLOWED_ACE * PACCESS_ALLOWED_ACE
ACCESS_MASK Mask
Definition: ms-dtyp.idl:217
unsigned short USHORT
Definition: pedump.c:61
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
Definition: rtlfuncs.h:1556
unsigned int ULONG
Definition: retypes.h:1
#define SYSTEM_AUDIT_ACE_TYPE
Definition: setypes.h:687
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
#define INHERIT_ONLY_ACE
Definition: setypes.h:717
#define STATUS_SUCCESS
Definition: shellext.h:65
ACCESS_MASK GenericAll
Definition: nt_native.h:568
ULONG ACCESS_MASK
Definition: nt_native.h:40
_In_ ULONG AclLength
Definition: rtlfuncs.h:1844
NTSYSAPI VOID NTAPI RtlMapGenericMask(PACCESS_MASK AccessMask, PGENERIC_MAPPING GenericMapping)
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
static const ACEFLAG AceFlags[]
Definition: security.c:2300

Referenced by SepSelectAcl().

◆ SepReleaseAcl()

VOID NTAPI SepReleaseAcl ( IN PACL  CapturedAcl,
IN KPROCESSOR_MODE  AccessMode,
IN BOOLEAN  CaptureIfKernel 
)

Definition at line 387 of file acl.c.

/*
 * Releases an ACL obtained from SepCaptureAcl.
 *
 * The pool block is freed only when the capture made a private copy: always
 * for a non-kernel AccessMode, and for KernelMode only when CaptureIfKernel
 * was set. Pass the same AccessMode and CaptureIfKernel that were given to
 * SepCaptureAcl; with other values this routine would either free a pointer
 * that still belongs to the caller or leak the copy.
 */
VOID
NTAPI
SepReleaseAcl(IN PACL CapturedAcl,
              IN KPROCESSOR_MODE AccessMode,
              IN BOOLEAN CaptureIfKernel)
{
    BOOLEAN WasCopied;

    PAGED_CODE();

    /* Nothing was captured, so there is nothing to release */
    if (CapturedAcl == NULL)
    {
        return;
    }

    WasCopied = (AccessMode != KernelMode) || CaptureIfKernel;
    if (WasCopied)
    {
        ExFreePoolWithTag(CapturedAcl, TAG_ACL);
    }
}
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:395
#define TAG_ACL
Definition: tag.h:174
#define NULL
Definition: types.h:112
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define PAGED_CODE()

Referenced by NtCreateToken().

◆ SepSelectAcl()

PACL SepSelectAcl ( _In_opt_ PACL  ExplicitAcl,
_In_ BOOLEAN  ExplicitPresent,
_In_ BOOLEAN  ExplicitDefaulted,
_In_opt_ PACL  ParentAcl,
_In_opt_ PACL  DefaultAcl,
_Out_ PULONG  AclLength,
_In_ PSID  Owner,
_In_ PSID  Group,
_Out_ PBOOLEAN  AclPresent,
_Out_ PBOOLEAN  IsInherited,
_In_ BOOLEAN  IsDirectoryObject,
_In_ PGENERIC_MAPPING  GenericMapping 
)

Definition at line 613 of file acl.c.

/*
 * Chooses which ACL a new object receives (explicit, parent or default) and
 * reports through *AclLength how many bytes the propagated form needs.
 *
 * Order visible in the code: an explicit ACL that is present and not defaulted
 * wins; otherwise a parent ACL is used when propagating it yields more than an
 * empty ACL; otherwise the explicit ACL if present, then the default ACL, and
 * finally no ACL at all (*AclPresent set to FALSE).
 *
 * NOTE(review): listing lines 628, 641, 647-649, 676 and 682-684 are absent
 * from this page. The symbol list names SepPropagateAcl, ASSERT and
 * STATUS_BUFFER_TOO_SMALL, so the two missing calls are presumably size
 * queries against SepPropagateAcl - confirm.
 */
626 {
627  PACL Acl;
629 
630  *AclPresent = TRUE;
631  if (ExplicitPresent && !ExplicitDefaulted)
632  {
    /* NOTE(review): ExplicitAcl is optional, so this can report a present ACL whose pointer is NULL; callers should treat that case deliberately. */
633  Acl = ExplicitAcl;
634  }
635  else
636  {
637  if (ParentAcl)
638  {
639  *IsInherited = TRUE;
640  *AclLength = 0;
642  AclLength,
643  ParentAcl,
644  Owner,
645  Group,
646  *IsInherited,
650 
651  /* Use the parent ACL only if it's not empty */
    /* Returns the parent ACL pointer itself; *IsInherited stays TRUE and *AclLength holds the queried size. */
652  if (*AclLength != sizeof(ACL))
653  return ParentAcl;
654  }
655 
656  if (ExplicitPresent)
657  {
658  Acl = ExplicitAcl;
659  }
660  else if (DefaultAcl)
661  {
662  Acl = DefaultAcl;
663  }
664  else
665  {
666  *AclPresent = FALSE;
667  Acl = NULL;
668  }
669  }
670 
    /* Every path that reaches this point selected a non-inherited ACL. */
671  *IsInherited = FALSE;
672  *AclLength = 0;
673  if (Acl)
674  {
675  /* Get the length */
677  AclLength,
678  Acl,
679  Owner,
680  Group,
681  *IsInherited,
685  }
686  return Acl;
687 }
#define TRUE
Definition: types.h:120
_In_opt_ PSECURITY_DESCRIPTOR _Out_ PSECURITY_DESCRIPTOR _In_ BOOLEAN IsDirectoryObject
Definition: sefuncs.h:29
_In_opt_ PSID Group
Definition: rtlfuncs.h:1605
LONG NTSTATUS
Definition: precomp.h:26
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
#define FALSE
Definition: types.h:117
Status
Definition: gdiplustypes.h:24
#define ASSERT(a)
Definition: mode.c:44
NTSTATUS SepPropagateAcl(_Out_writes_bytes_opt_(AclLength) PACL AclDest, _Inout_ PULONG AclLength, _In_reads_bytes_(AclSource->AclSize) PACL AclSource, _In_ PSID Owner, _In_ PSID Group, _In_ BOOLEAN IsInherited, _In_ BOOLEAN IsDirectoryObject, _In_ PGENERIC_MAPPING GenericMapping)
Definition: acl.c:450
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
Definition: rtlfuncs.h:1556
#define NULL
Definition: types.h:112
_In_ ULONG AclLength
Definition: rtlfuncs.h:1844

◆ SepShouldPropagateAce()

BOOLEAN SepShouldPropagateAce ( _In_ UCHAR  AceFlags,
_Out_ PUCHAR  NewAceFlags,
_In_ BOOLEAN  IsInherited,
_In_ BOOLEAN  IsDirectoryObject 
)

Definition at line 402 of file acl.c.

/*
 * Decides whether an ACE with the given flags is carried into the destination
 * ACL and, when it is, stores the flags the copy should carry in *NewAceFlags.
 * Returns TRUE to propagate and FALSE to drop the ACE; on the FALSE paths
 * visible here *NewAceFlags is not written.
 *
 * NOTE(review): listing lines 416, 424, 426, 434, 436, 440 and 442 are absent
 * from this page, so the conditions of four branches and two assignments are
 * not shown. The symbol list names OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE,
 * NO_PROPAGATE_INHERIT_ACE and INHERIT_ONLY_ACE, which presumably appear on
 * those lines - confirm against the source file.
 */
407 {
    /* Not an inheritance pass: keep the ACE and its flags unchanged. */
408  if (!IsInherited)
409  {
410  *NewAceFlags = AceFlags;
411  return TRUE;
412  }
413 
    /* Non-container object: a propagated ACE has all inheritance flags cleared. */
414  if (!IsDirectoryObject)
415  {
417  {
418  *NewAceFlags = AceFlags & ~VALID_INHERIT_FLAGS;
419  return TRUE;
420  }
421  return FALSE;
422  }
423 
425  {
427  {
428  *NewAceFlags = AceFlags & ~VALID_INHERIT_FLAGS;
429  return TRUE;
430  }
431  return FALSE;
432  }
433 
435  {
437  return TRUE;
438  }
439 
441  {
443  return TRUE;
444  }
445 
    /* No branch matched: the ACE is not inherited. */
446  return FALSE;
447 }
#define VALID_INHERIT_FLAGS
Definition: setypes.h:719
#define TRUE
Definition: types.h:120
_In_opt_ PSECURITY_DESCRIPTOR _Out_ PSECURITY_DESCRIPTOR _In_ BOOLEAN IsDirectoryObject
Definition: sefuncs.h:29
#define NO_PROPAGATE_INHERIT_ACE
Definition: setypes.h:716
#define FALSE
Definition: types.h:117
#define CONTAINER_INHERIT_ACE
Definition: setypes.h:715
#define INHERIT_ONLY_ACE
Definition: setypes.h:717
#define OBJECT_INHERIT_ACE
Definition: setypes.h:714
static const ACEFLAG AceFlags[]
Definition: security.c:2300

Referenced by SepPropagateAcl().

Variable Documentation

◆ SePublicDefaultDacl

PACL SePublicDefaultDacl = NULL

Definition at line 18 of file acl.c.

Referenced by IopCreateSecurityDescriptorPerType(), SepInitDACLs(), and SepInitSDs().

◆ SePublicDefaultUnrestrictedDacl

PACL SePublicDefaultUnrestrictedDacl = NULL

◆ SePublicOpenDacl

PACL SePublicOpenDacl = NULL

Definition at line 21 of file acl.c.

Referenced by IopCreateSecurityDescriptorPerType(), SepInitDACLs(), and SepInitSDs().

◆ SePublicOpenUnrestrictedDacl

PACL SePublicOpenUnrestrictedDacl = NULL

Definition at line 22 of file acl.c.

Referenced by IopCreateSecurityDescriptorPerType(), SepInitDACLs(), and SepInitSDs().

◆ SeSystemAnonymousLogonDacl

PACL SeSystemAnonymousLogonDacl = NULL

◆ SeSystemDefaultDacl

PACL SeSystemDefaultDacl = NULL

◆ SeUnrestrictedDacl

PACL SeUnrestrictedDacl = NULL

Definition at line 23 of file acl.c.

Referenced by SepInitDACLs(), and SepInitSDs().