ReactOS  0.4.15-dev-2701-g34593d9
Macros | Functions | Variables
access.c File Reference
#include <ntoskrnl.h>
#include <debug.h>
Include dependency graph for access.c:

Go to the source code of this file.

Macros

#define NDEBUG
 

Functions

BOOLEAN NTAPI SepSidInTokenEx (IN PACCESS_TOKEN _Token, IN PSID PrincipalSelfSid, IN PSID _Sid, IN BOOLEAN Deny, IN BOOLEAN Restricted)
 
BOOLEAN NTAPI SepSidInToken (IN PACCESS_TOKEN _Token, IN PSID Sid)
 
BOOLEAN NTAPI SepTokenIsOwner (IN PACCESS_TOKEN _Token, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN TokenLocked)
 
VOID NTAPI SeGetTokenControlInformation (IN PACCESS_TOKEN _Token, OUT PTOKEN_CONTROL TokenControl)
 
NTSTATUS NTAPI SepCreateClientSecurity (IN PACCESS_TOKEN Token, IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, IN BOOLEAN ServerIsRemote, IN TOKEN_TYPE TokenType, IN BOOLEAN ThreadEffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
 
VOID NTAPI SeCaptureSubjectContextEx (IN PETHREAD Thread, IN PEPROCESS Process, OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
 
VOID NTAPI SeCaptureSubjectContext (OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
 
VOID NTAPI SeLockSubjectContext (IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
 
VOID NTAPI SeUnlockSubjectContext (IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
 
VOID NTAPI SeReleaseSubjectContext (IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
 
NTSTATUS NTAPI SeCreateAccessStateEx (IN PETHREAD Thread, IN PEPROCESS Process, IN OUT PACCESS_STATE AccessState, IN PAUX_ACCESS_DATA AuxData, IN ACCESS_MASK Access, IN PGENERIC_MAPPING GenericMapping)
 
NTSTATUS NTAPI SeCreateAccessState (IN OUT PACCESS_STATE AccessState, IN PAUX_ACCESS_DATA AuxData, IN ACCESS_MASK Access, IN PGENERIC_MAPPING GenericMapping)
 
VOID NTAPI SeDeleteAccessState (IN PACCESS_STATE AccessState)
 
VOID NTAPI SeSetAccessStateGenericMapping (IN PACCESS_STATE AccessState, IN PGENERIC_MAPPING GenericMapping)
 
NTSTATUS NTAPI SeCreateClientSecurity (IN PETHREAD Thread, IN PSECURITY_QUALITY_OF_SERVICE Qos, IN BOOLEAN RemoteClient, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
 
NTSTATUS NTAPI SeCreateClientSecurityFromSubjectContext (IN PSECURITY_SUBJECT_CONTEXT SubjectContext, IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, IN BOOLEAN ServerIsRemote, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
 
NTSTATUS NTAPI SeImpersonateClientEx (IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
 
VOID NTAPI SeImpersonateClient (IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
 

Variables

ERESOURCE SepSubjectContextLock
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 14 of file access.c.

Function Documentation

◆ SeCaptureSubjectContext()

VOID NTAPI SeCaptureSubjectContext ( OUT PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Definition at line 301 of file access.c.

302 {
303  /* Call the extended API */
304  SeCaptureSubjectContextEx(PsGetCurrentThread(),
305  PsGetCurrentProcess(),
306  SubjectContext);
307 }
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
PsGetCurrentThread
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
SeCaptureSubjectContextEx
VOID NTAPI SeCaptureSubjectContextEx(IN PETHREAD Thread, IN PEPROCESS Process, OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:266
PsGetCurrentProcess
#define PsGetCurrentProcess
Definition: psfuncs.h:17

Referenced by create_directory_fcb(), create_subvol(), fcb_get_sd(), HasPrivilege(), KsCreateDefaultSecurity(), mknod(), nfs41_get_sec_ctx(), nfs41_GetLUID(), nfs41_UpcallCreate(), NtAccessCheck(), NtCloseObjectAuditAlarm(), NtOpenObjectAuditAlarm(), NtPrivilegedServiceAuditAlarm(), NtSetUuidSeed(), RxStartMinirdr(), SeCheckPrivilegedObject(), SepAccessCheckAndAuditAlarm(), SeReportSecurityEvent(), SeSinglePrivilegeCheck(), set_link_information(), set_rename_information(), START_TEST(), SystemThread(), UDFCheckAccessRights(), and UDFSetAccessRights().

◆ SeCaptureSubjectContextEx()

VOID NTAPI SeCaptureSubjectContextEx ( IN PETHREAD  Thread,
IN PEPROCESS  Process,
OUT PSECURITY_SUBJECT_CONTEXT  SubjectContext 
)

Definition at line 266 of file access.c.

269 {
270  BOOLEAN CopyOnOpen, EffectiveOnly;
271 
272  PAGED_CODE();
273 
274  /* Save the unique ID */
275  SubjectContext->ProcessAuditId = Process->UniqueProcessId;
276 
277  /* Check if we have a thread */
278  if (!Thread)
279  {
280  /* We don't, so no token */
281  SubjectContext->ClientToken = NULL;
282  }
283  else
284  {
285  /* Get the impersonation token */
286  SubjectContext->ClientToken = PsReferenceImpersonationToken(Thread,
287  &CopyOnOpen,
288  &EffectiveOnly,
289  &SubjectContext->ImpersonationLevel);
290  }
291 
292  /* Get the primary token */
293  SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
294 }
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
CopyOnOpen
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
Thread
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
PsReferencePrimaryToken
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
PsReferenceImpersonationToken
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:849
NULL
#define NULL
Definition: types.h:112
Process
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
EffectiveOnly
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:417
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by SeCaptureSubjectContext(), and SeCreateAccessStateEx().

◆ SeCreateAccessState()

NTSTATUS NTAPI SeCreateAccessState ( IN OUT PACCESS_STATE  AccessState,
IN PAUX_ACCESS_DATA  AuxData,
IN ACCESS_MASK  Access,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 439 of file access.c.

443 {
444  PAGED_CODE();
445 
446  /* Call the extended API */
447  return SeCreateAccessStateEx(PsGetCurrentThread(),
448  PsGetCurrentProcess(),
449  AccessState,
450  AuxData,
451  Access,
452  GenericMapping);
453 }
PsGetCurrentThread
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
PsGetCurrentProcess
#define PsGetCurrentProcess
Definition: psfuncs.h:17
AccessState
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
GenericMapping
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
SeCreateAccessStateEx
NTSTATUS NTAPI SeCreateAccessStateEx(IN PETHREAD Thread, IN PEPROCESS Process, IN OUT PACCESS_STATE AccessState, IN PAUX_ACCESS_DATA AuxData, IN ACCESS_MASK Access, IN PGENERIC_MAPPING GenericMapping)
Definition: access.c:378
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by NtOpenProcess(), NtOpenThread(), ObDuplicateObject(), ObInsertObject(), ObOpenObjectByName(), ObOpenObjectByPointer(), ObReferenceObjectByName(), and START_TEST().

◆ SeCreateAccessStateEx()

NTSTATUS NTAPI SeCreateAccessStateEx ( IN PETHREAD  Thread,
IN PEPROCESS  Process,
IN OUT PACCESS_STATE  AccessState,
IN PAUX_ACCESS_DATA  AuxData,
IN ACCESS_MASK  Access,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 378 of file access.c.

384 {
385  ACCESS_MASK AccessMask = Access;
386  PTOKEN Token;
387  PAGED_CODE();
388 
389  /* Map the Generic Acess to Specific Access if we have a Mapping */
390  if ((Access & GENERIC_ACCESS) && (GenericMapping))
391  {
392  RtlMapGenericMask(&AccessMask, GenericMapping);
393  }
394 
395  /* Initialize the Access State */
396  RtlZeroMemory(AccessState, sizeof(ACCESS_STATE));
397  ASSERT(AccessState->SecurityDescriptor == NULL);
398  ASSERT(AccessState->PrivilegesAllocated == FALSE);
399 
400  /* Initialize and save aux data */
401  RtlZeroMemory(AuxData, sizeof(AUX_ACCESS_DATA));
402  AccessState->AuxData = AuxData;
403 
404  /* Capture the Subject Context */
405  SeCaptureSubjectContextEx(Thread,
406  Process,
407  &AccessState->SubjectSecurityContext);
408 
409  /* Set Access State Data */
410  AccessState->RemainingDesiredAccess = AccessMask;
411  AccessState->OriginalDesiredAccess = AccessMask;
412  ExAllocateLocallyUniqueId(&AccessState->OperationID);
413 
414  /* Get the Token to use */
415  Token = SeQuerySubjectContextToken(&AccessState->SubjectSecurityContext);
416 
417  /* Check for Travers Privilege */
418  if (Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE)
419  {
420  /* Preserve the Traverse Privilege */
421  AccessState->Flags = TOKEN_HAS_TRAVERSE_PRIVILEGE;
422  }
423 
424  /* Set the Auxiliary Data */
425  AuxData->PrivilegeSet = (PPRIVILEGE_SET)((ULONG_PTR)AccessState +
426  FIELD_OFFSET(ACCESS_STATE,
427  Privileges));
428  if (GenericMapping) AuxData->GenericMapping = *GenericMapping;
429 
430  /* Return Sucess */
431  return STATUS_SUCCESS;
432 }
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
GENERIC_ACCESS
#define GENERIC_ACCESS
Definition: wlx.c:26
TOKEN_HAS_TRAVERSE_PRIVILEGE
#define TOKEN_HAS_TRAVERSE_PRIVILEGE
Definition: setypes.h:1124
SeCaptureSubjectContextEx
VOID NTAPI SeCaptureSubjectContextEx(IN PETHREAD Thread, IN PEPROCESS Process, OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:266
ULONG_PTR
uint32_t ULONG_PTR
Definition: typedefs.h:65
FALSE
#define FALSE
Definition: types.h:117
_ACCESS_STATE
Definition: setypes.h:196
ASSERT
#define ASSERT(a)
Definition: mode.c:44
RtlMapGenericMask
VOID NTAPI RtlMapGenericMask(IN OUT PACCESS_MASK AccessMask, IN PGENERIC_MAPPING GenericMapping)
Definition: access.c:50
AccessMask
_In_ ACCESS_MASK AccessMask
Definition: exfuncs.h:186
Thread
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
Privileges
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
AccessState
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
SeQuerySubjectContextToken
#define SeQuerySubjectContextToken(SubjectContext)
Definition: sefuncs.h:583
GenericMapping
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
_AUX_ACCESS_DATA
Definition: setypes.h:232
PPRIVILEGE_SET
struct _PRIVILEGE_SET * PPRIVILEGE_SET
ExAllocateLocallyUniqueId
VOID NTAPI ExAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
Definition: uuid.c:335
FIELD_OFFSET
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
NULL
#define NULL
Definition: types.h:112
Process
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
RtlZeroMemory
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65
_TOKEN
Definition: setypes.h:197
ACCESS_MASK
ULONG ACCESS_MASK
Definition: nt_native.h:40
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by PspCreateProcess(), PspCreateThread(), and SeCreateAccessState().

◆ SeCreateClientSecurity()

NTSTATUS NTAPI SeCreateClientSecurity ( IN PETHREAD  Thread,
IN PSECURITY_QUALITY_OF_SERVICE  Qos,
IN BOOLEAN  RemoteClient,
OUT PSECURITY_CLIENT_CONTEXT  ClientContext 
)

Definition at line 506 of file access.c.

510 {
511  TOKEN_TYPE TokenType;
512  BOOLEAN ThreadEffectiveOnly;
513  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
514  PACCESS_TOKEN Token;
515  NTSTATUS Status;
516  PAGED_CODE();
517 
518  /* Reference the correct token */
519  Token = PsReferenceEffectiveToken(Thread,
520  &TokenType,
521  &ThreadEffectiveOnly,
522  &ImpersonationLevel);
523 
524  /* Create client security from it */
525  Status = SepCreateClientSecurity(Token,
526  Qos,
527  RemoteClient,
528  TokenType,
529  ThreadEffectiveOnly,
530  ImpersonationLevel,
531  ClientContext);
532 
533  /* Check if we failed or static tracking was used */
534  if (!(NT_SUCCESS(Status)) || (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
535  {
536  /* Dereference our copy since it's not being used */
537  ObDereferenceObject(Token);
538  }
539 
540  /* Return status */
541  return Status;
542 }
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
SepCreateClientSecurity
NTSTATUS NTAPI SepCreateClientSecurity(IN PACCESS_TOKEN Token, IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, IN BOOLEAN ServerIsRemote, IN TOKEN_TYPE TokenType, IN BOOLEAN ThreadEffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
Definition: access.c:174
SECURITY_IMPERSONATION_LEVEL
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
Status
Status
Definition: gdiplustypes.h:24
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
ClientContext
_In_ PVOID ClientContext
Definition: netioddk.h:55
ImpersonationLevel
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
ObDereferenceObject
#define ObDereferenceObject
Definition: obfuncs.h:203
Thread
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
PsReferenceEffectiveToken
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken(IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:780
TOKEN_TYPE
enum _TOKEN_TYPE TOKEN_TYPE
SECURITY_STATIC_TRACKING
#define SECURITY_STATIC_TRACKING
Definition: setypes.h:104
TokenType
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:417
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by CmLoadKey(), NpGetClientSecurityContext(), NpInitializeSecurity(), NtImpersonateClientOfPort(), NtImpersonateThread(), NtSecureConnectPort(), and VfdOpenCheck().

◆ SeCreateClientSecurityFromSubjectContext()

NTSTATUS NTAPI SeCreateClientSecurityFromSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT  SubjectContext,
IN PSECURITY_QUALITY_OF_SERVICE  ClientSecurityQos,
IN BOOLEAN  ServerIsRemote,
OUT PSECURITY_CLIENT_CONTEXT  ClientContext 
)

Definition at line 549 of file access.c.

553 {
554  PACCESS_TOKEN Token;
555  NTSTATUS Status;
556  PAGED_CODE();
557 
558  /* Get the right token and reference it */
559  Token = SeQuerySubjectContextToken(SubjectContext);
560  ObReferenceObject(Token);
561 
562  /* Create the context */
563  Status = SepCreateClientSecurity(Token,
564  ClientSecurityQos,
565  ServerIsRemote,
566  SubjectContext->ClientToken ?
567  TokenImpersonation : TokenPrimary,
568  FALSE,
569  SubjectContext->ImpersonationLevel,
570  ClientContext);
571 
572  /* Check if we failed or static tracking was used */
573  if (!(NT_SUCCESS(Status)) ||
574  (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
575  {
576  /* Dereference our copy since it's not being used */
577  ObDereferenceObject(Token);
578  }
579 
580  /* Return status */
581  return Status;
582 }
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
SepCreateClientSecurity
NTSTATUS NTAPI SepCreateClientSecurity(IN PACCESS_TOKEN Token, IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, IN BOOLEAN ServerIsRemote, IN TOKEN_TYPE TokenType, IN BOOLEAN ThreadEffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
Definition: access.c:174
FALSE
#define FALSE
Definition: types.h:117
Status
Status
Definition: gdiplustypes.h:24
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
ClientContext
_In_ PVOID ClientContext
Definition: netioddk.h:55
ObDereferenceObject
#define ObDereferenceObject
Definition: obfuncs.h:203
SeQuerySubjectContextToken
#define SeQuerySubjectContextToken(SubjectContext)
Definition: sefuncs.h:583
SECURITY_STATIC_TRACKING
#define SECURITY_STATIC_TRACKING
Definition: setypes.h:104
ObReferenceObject
#define ObReferenceObject
Definition: obfuncs.h:204
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by nfs41_get_sec_ctx(), nfs41_GetLUID(), and nfs41_UpcallCreate().

◆ SeDeleteAccessState()

VOID NTAPI SeDeleteAccessState ( IN PACCESS_STATE  AccessState)

Definition at line 460 of file access.c.

461 {
462  PAUX_ACCESS_DATA AuxData;
463  PAGED_CODE();
464 
465  /* Get the Auxiliary Data */
466  AuxData = AccessState->AuxData;
467 
468  /* Deallocate Privileges */
469  if (AccessState->PrivilegesAllocated)
470  ExFreePoolWithTag(AuxData->PrivilegeSet, TAG_PRIVILEGE_SET);
471 
472  /* Deallocate Name and Type Name */
473  if (AccessState->ObjectName.Buffer)
474  {
475  ExFreePool(AccessState->ObjectName.Buffer);
476  }
477 
478  if (AccessState->ObjectTypeName.Buffer)
479  {
480  ExFreePool(AccessState->ObjectTypeName.Buffer);
481  }
482 
483  /* Release the Subject Context */
484  SeReleaseSubjectContext(&AccessState->SubjectSecurityContext);
485 }
_AUX_ACCESS_DATA::PrivilegeSet
PPRIVILEGE_SET PrivilegeSet
Definition: setypes.h:234
SeReleaseSubjectContext
VOID NTAPI SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:360
AccessState
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
_AUX_ACCESS_DATA
Definition: setypes.h:232
TAG_PRIVILEGE_SET
#define TAG_PRIVILEGE_SET
Definition: tag.h:179
ExFreePoolWithTag
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
ExFreePool
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by NtOpenProcess(), NtOpenThread(), ObDuplicateObject(), ObInsertObject(), ObOpenObjectByName(), ObOpenObjectByPointer(), ObReferenceObjectByName(), PspCreateProcess(), PspCreateThread(), and START_TEST().

◆ SeGetTokenControlInformation()

VOID NTAPI SeGetTokenControlInformation ( IN PACCESS_TOKEN  _Token,
OUT PTOKEN_CONTROL  TokenControl 
)

Definition at line 151 of file access.c.

153 {
154  PTOKEN Token = _Token;
155  PAGED_CODE();
156 
157  /* Capture the main fields */
158  TokenControl->AuthenticationId = Token->AuthenticationId;
159  TokenControl->TokenId = Token->TokenId;
160  TokenControl->TokenSource = Token->TokenSource;
161 
162  /* Lock the token */
163  SepAcquireTokenLockShared(Token);
164 
165  /* Capture the modified ID */
166  TokenControl->ModifiedId = Token->ModifiedId;
167 
168  /* Unlock it */
169  SepReleaseTokenLock(Token);
170 }
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
SepReleaseTokenLock
#define SepReleaseTokenLock(Token)
Definition: se.h:227
SepAcquireTokenLockShared
#define SepAcquireTokenLockShared(Token)
Definition: se.h:221
_TOKEN
Definition: setypes.h:197
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by SepCreateClientSecurity().

◆ SeImpersonateClient()

VOID NTAPI SeImpersonateClient ( IN PSECURITY_CLIENT_CONTEXT  ClientContext,
IN PETHREAD ServerThread  OPTIONAL 
)

Definition at line 623 of file access.c.

625 {
626  PAGED_CODE();
627 
628  /* Call the new API */
629  SeImpersonateClientEx(ClientContext, ServerThread);
630 }
ServerThread
UINT CALLBACK ServerThread(_Inout_ PVOID Parameter)
Definition: NtAcceptConnectPort.c:33
ClientContext
_In_ PVOID ClientContext
Definition: netioddk.h:55
SeImpersonateClientEx
NTSTATUS NTAPI SeImpersonateClientEx(IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
Definition: access.c:589
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by NtImpersonateThread(), and VfdIoCtlThread().

◆ SeImpersonateClientEx()

NTSTATUS NTAPI SeImpersonateClientEx ( IN PSECURITY_CLIENT_CONTEXT  ClientContext,
IN PETHREAD ServerThread  OPTIONAL 
)

Definition at line 589 of file access.c.

591 {
592  BOOLEAN EffectiveOnly;
593  PAGED_CODE();
594 
595  /* Check if direct access is requested */
596  if (!ClientContext->DirectlyAccessClientToken)
597  {
598  /* No, so get the flag from QOS */
599  EffectiveOnly = ClientContext->SecurityQos.EffectiveOnly;
600  }
601  else
602  {
603  /* Yes, so see if direct access should be effective only */
604  EffectiveOnly = ClientContext->DirectAccessEffectiveOnly;
605  }
606 
607  /* Use the current thread if one was not passed */
608  if (!ServerThread) ServerThread = PsGetCurrentThread();
609 
610  /* Call the lower layer routine */
611  return PsImpersonateClient(ServerThread,
612  ClientContext->ClientToken,
613  TRUE,
614  EffectiveOnly,
615  ClientContext->SecurityQos.ImpersonationLevel);
616 }
PsImpersonateClient
NTSTATUS NTAPI PsImpersonateClient(IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:610
PsGetCurrentThread
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
TRUE
#define TRUE
Definition: types.h:120
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
ServerThread
UINT CALLBACK ServerThread(_Inout_ PVOID Parameter)
Definition: NtAcceptConnectPort.c:33
ClientContext
_In_ PVOID ClientContext
Definition: netioddk.h:55
EffectiveOnly
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:417
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by CmpCmdHiveOpen(), handle_upcall(), NpImpersonateClientContext(), NtImpersonateClientOfPort(), and SeImpersonateClient().

◆ SeLockSubjectContext()

VOID NTAPI SeLockSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Definition at line 314 of file access.c.

315 {
316  PTOKEN PrimaryToken, ClientToken;
317  PAGED_CODE();
318 
319  /* Read both tokens */
320  PrimaryToken = SubjectContext->PrimaryToken;
321  ClientToken = SubjectContext->ClientToken;
322 
323  /* Always lock the primary */
324  SepAcquireTokenLockShared(PrimaryToken);
325 
326  /* Lock the impersonation one if it's there */
327  if (!ClientToken) return;
328  SepAcquireTokenLockShared(ClientToken);
329 }
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
SepAcquireTokenLockShared
#define SepAcquireTokenLockShared(Token)
Definition: se.h:221
_TOKEN
Definition: setypes.h:197
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by create_stream(), FatExplicitDeviceAccessGranted(), file_create(), HasPrivilege(), IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), NpCreateNewNamedPipe(), ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), open_file2(), SeAccessCheck(), and START_TEST().

◆ SepCreateClientSecurity()

NTSTATUS NTAPI SepCreateClientSecurity ( IN PACCESS_TOKEN  Token,
IN PSECURITY_QUALITY_OF_SERVICE  ClientSecurityQos,
IN BOOLEAN  ServerIsRemote,
IN TOKEN_TYPE  TokenType,
IN BOOLEAN  ThreadEffectiveOnly,
IN SECURITY_IMPERSONATION_LEVEL  ImpersonationLevel,
OUT PSECURITY_CLIENT_CONTEXT  ClientContext 
)

Definition at line 174 of file access.c.

181 {
182  NTSTATUS Status;
183  PACCESS_TOKEN NewToken;
184  PAGED_CODE();
185 
186  /* Check for bogus impersonation level */
187  if (!VALID_IMPERSONATION_LEVEL(ClientSecurityQos->ImpersonationLevel))
188  {
189  /* Fail the call */
190  return STATUS_INVALID_PARAMETER;
191  }
192 
193  /* Check what kind of token this is */
194  if (TokenType != TokenImpersonation)
195  {
196  /* On a primary token, if we do direct access, copy the flag from the QOS */
197  ClientContext->DirectAccessEffectiveOnly = ClientSecurityQos->EffectiveOnly;
198  }
199  else
200  {
201  /* This is an impersonation token, is the level ok? */
202  if (ClientSecurityQos->ImpersonationLevel > ImpersonationLevel)
203  {
204  /* Nope, fail */
205  return STATUS_BAD_IMPERSONATION_LEVEL;
206  }
207 
208  /* Is the level too low, or are we doing something other than delegation remotely */
209  if ((ImpersonationLevel == SecurityAnonymous) ||
210  (ImpersonationLevel == SecurityIdentification) ||
211  ((ServerIsRemote) && (ImpersonationLevel != SecurityDelegation)))
212  {
213  /* Fail the call */
214  return STATUS_BAD_IMPERSONATION_LEVEL;
215  }
216 
217  /* Pick either the thread setting or the QOS setting */
218  ClientContext->DirectAccessEffectiveOnly =
219  ((ThreadEffectiveOnly) || (ClientSecurityQos->EffectiveOnly)) ? TRUE : FALSE;
220  }
221 
222  /* Is this static tracking */
223  if (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
224  {
225  /* Do not use direct access and make a copy */
226  ClientContext->DirectlyAccessClientToken = FALSE;
227  Status = SeCopyClientToken(Token,
228  ClientSecurityQos->ImpersonationLevel,
229  KernelMode,
230  &NewToken);
231  if (!NT_SUCCESS(Status))
232  return Status;
233  }
234  else
235  {
236  /* Use direct access and check if this is local */
237  ClientContext->DirectlyAccessClientToken = TRUE;
238  if (ServerIsRemote)
239  {
240  /* We are doing delegation, so make a copy of the control data */
241  SeGetTokenControlInformation(Token,
242  &ClientContext->ClientTokenControl);
243  }
244 
245  /* Keep the same token */
246  NewToken = Token;
247  }
248 
249  /* Fill out the context and return success */
250  ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
251  ClientContext->SecurityQos.ImpersonationLevel = ClientSecurityQos->ImpersonationLevel;
252  ClientContext->SecurityQos.ContextTrackingMode = ClientSecurityQos->ContextTrackingMode;
253  ClientContext->SecurityQos.EffectiveOnly = ClientSecurityQos->EffectiveOnly;
254  ClientContext->ServerIsRemote = ServerIsRemote;
255  ClientContext->ClientToken = NewToken;
256  return STATUS_SUCCESS;
257 }
SeCopyClientToken
NTSTATUS NTAPI SeCopyClientToken(IN PACCESS_TOKEN Token, IN SECURITY_IMPERSONATION_LEVEL Level, IN KPROCESSOR_MODE PreviousMode, OUT PACCESS_TOKEN *NewToken)
Definition: token.c:1137
STATUS_BAD_IMPERSONATION_LEVEL
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:401
VALID_IMPERSONATION_LEVEL
#define VALID_IMPERSONATION_LEVEL(Level)
Definition: setypes.h:101
TRUE
#define TRUE
Definition: types.h:120
STATUS_INVALID_PARAMETER
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
FALSE
#define FALSE
Definition: types.h:117
Status
Status
Definition: gdiplustypes.h:24
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
ClientContext
_In_ PVOID ClientContext
Definition: netioddk.h:55
_LSA_STRING::Length
USHORT Length
Definition: ntsecapi.h:172
ImpersonationLevel
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
SECURITY_STATIC_TRACKING
#define SECURITY_STATIC_TRACKING
Definition: setypes.h:104
SECURITY_QUALITY_OF_SERVICE
struct _SECURITY_QUALITY_OF_SERVICE SECURITY_QUALITY_OF_SERVICE
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65
SeGetTokenControlInformation
VOID NTAPI SeGetTokenControlInformation(IN PACCESS_TOKEN _Token, OUT PTOKEN_CONTROL TokenControl)
Definition: access.c:151
TokenType
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:417
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by SeCreateClientSecurity(), and SeCreateClientSecurityFromSubjectContext().

◆ SepSidInToken()

BOOLEAN NTAPI SepSidInToken ( IN PACCESS_TOKEN  _Token,
IN PSID  Sid 
)

Definition at line 111 of file access.c.

113 {
114  /* Call extended API */
115  return SepSidInTokenEx(_Token, NULL, Sid, FALSE, FALSE);
116 }
FALSE
#define FALSE
Definition: types.h:117
Sid
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
NULL
#define NULL
Definition: types.h:112
SepSidInTokenEx
BOOLEAN NTAPI SepSidInTokenEx(IN PACCESS_TOKEN _Token, IN PSID PrincipalSelfSid, IN PSID _Sid, IN BOOLEAN Deny, IN BOOLEAN Restricted)
Definition: access.c:25

Referenced by SepAccessCheck(), and SepTokenIsOwner().

◆ SepSidInTokenEx()

BOOLEAN NTAPI SepSidInTokenEx ( IN PACCESS_TOKEN  _Token,
IN PSID  PrincipalSelfSid,
IN PSID  _Sid,
IN BOOLEAN  Deny,
IN BOOLEAN  Restricted 
)

Definition at line 25 of file access.c.

30 {
31  ULONG i;
32  PTOKEN Token = (PTOKEN)_Token;
33  PISID TokenSid, Sid = (PISID)_Sid;
34  PSID_AND_ATTRIBUTES SidAndAttributes;
35  ULONG SidCount, SidLength;
36  USHORT SidMetadata;
37  PAGED_CODE();
38 
39  /* Not yet supported */
40  ASSERT(PrincipalSelfSid == NULL);
41  ASSERT(Restricted == FALSE);
42 
43  /* Check if a principal SID was given, and this is our current SID already */
44  if ((PrincipalSelfSid) && (RtlEqualSid(SePrincipalSelfSid, Sid)))
45  {
46  /* Just use the principal SID in this case */
47  Sid = PrincipalSelfSid;
48  }
49 
50  /* Check if this is a restricted token or not */
51  if (Restricted)
52  {
53  /* Use the restricted SIDs and count */
54  SidAndAttributes = Token->RestrictedSids;
55  SidCount = Token->RestrictedSidCount;
56  }
57  else
58  {
59  /* Use the normal SIDs and count */
60  SidAndAttributes = Token->UserAndGroups;
61  SidCount = Token->UserAndGroupCount;
62  }
63 
64  /* Do checks here by hand instead of the usual 4 function calls */
65  SidLength = FIELD_OFFSET(SID,
66  SubAuthority[Sid->SubAuthorityCount]);
67  SidMetadata = *(PUSHORT)&Sid->Revision;
68 
69  /* Loop every SID */
70  for (i = 0; i < SidCount; i++)
71  {
72  TokenSid = (PISID)SidAndAttributes->Sid;
73 #if SE_SID_DEBUG
74  UNICODE_STRING sidString;
75  RtlConvertSidToUnicodeString(&sidString, TokenSid, TRUE);
76  DPRINT1("SID in Token: %wZ\n", &sidString);
77  RtlFreeUnicodeString(&sidString);
78 #endif
79  /* Check if the SID metadata matches */
80  if (*(PUSHORT)&TokenSid->Revision == SidMetadata)
81  {
82  /* Check if the SID data matches */
83  if (RtlEqualMemory(Sid, TokenSid, SidLength))
84  {
85  /* Check if the group is enabled, or used for deny only */
86  if ((!(i) && !(SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)) ||
87  (SidAndAttributes->Attributes & SE_GROUP_ENABLED) ||
88  ((Deny) && (SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)))
89  {
90  /* SID is present */
91  return TRUE;
92  }
93  else
94  {
95  /* SID is not present */
96  return FALSE;
97  }
98  }
99  }
100 
101  /* Move to the next SID */
102  SidAndAttributes++;
103  }
104 
105  /* SID is not present */
106  return FALSE;
107 }
_SID_AND_ATTRIBUTES::Sid
PSID Sid
Definition: setypes.h:478
_SID
Definition: ms-dtyp.idl:198
TRUE
#define TRUE
Definition: types.h:120
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
FALSE
#define FALSE
Definition: types.h:117
SePrincipalSelfSid
PSID SePrincipalSelfSid
Definition: sid.c:39
PISID
struct _SID * PISID
Sid
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
Restricted
UNICODE_STRING Restricted
Definition: utils.c:24
ASSERT
#define ASSERT(a)
Definition: mode.c:44
RtlEqualMemory
NTSYSAPI ULONG NTAPI RtlEqualMemory(CONST VOID *Source1, CONST VOID *Source2, ULONG Length)
SE_GROUP_ENABLED
#define SE_GROUP_ENABLED
Definition: setypes.h:92
_SID_AND_ATTRIBUTES
Definition: setypes.h:474
for
#define for
Definition: utility.h:88
RtlFreeUnicodeString
NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
RtlConvertSidToUnicodeString
NTSYSAPI NTSTATUS NTAPI RtlConvertSidToUnicodeString(OUT PUNICODE_STRING DestinationString, IN PVOID Sid, IN BOOLEAN AllocateDestinationString)
SE_GROUP_USE_FOR_DENY_ONLY
#define SE_GROUP_USE_FOR_DENY_ONLY
Definition: setypes.h:94
_UNICODE_STRING
Definition: env_spec_w32.h:368
i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
USHORT
unsigned short USHORT
Definition: pedump.c:61
PTOKEN
struct _TOKEN * PTOKEN
_SID_AND_ATTRIBUTES::Attributes
$ULONG Attributes
Definition: setypes.h:480
FIELD_OFFSET
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
_SID::SubAuthorityCount
BYTE SubAuthorityCount
Definition: ms-dtyp.idl:200
NULL
#define NULL
Definition: types.h:112
DPRINT1
#define DPRINT1
Definition: precomp.h:8
ULONG
unsigned int ULONG
Definition: retypes.h:1
_SID::Revision
BYTE Revision
Definition: ms-dtyp.idl:199
_TOKEN
Definition: setypes.h:197
PUSHORT
unsigned short * PUSHORT
Definition: retypes.h:2
RtlEqualSid
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by SepSidInToken(), and SepTokenIsOwner().

◆ SepTokenIsOwner()

BOOLEAN NTAPI SepTokenIsOwner ( IN PACCESS_TOKEN  _Token,
IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN BOOLEAN  TokenLocked 
)

Definition at line 120 of file access.c.

123 {
124  PSID Sid;
125  BOOLEAN Result;
126  PTOKEN Token = _Token;
127 
128  /* Get the owner SID */
129  Sid = SepGetOwnerFromDescriptor(SecurityDescriptor);
130  ASSERT(Sid != NULL);
131 
132  /* Lock the token if needed */
133  if (!TokenLocked) SepAcquireTokenLockShared(Token);
134 
135  /* Check if the owner SID is found, handling restricted case as well */
136  Result = SepSidInToken(Token, Sid);
137  if ((Result) && (Token->TokenFlags & TOKEN_IS_RESTRICTED))
138  {
139  Result = SepSidInTokenEx(Token, NULL, Sid, FALSE, TRUE);
140  }
141 
142  /* Release the lock if we had acquired it */
143  if (!TokenLocked) SepReleaseTokenLock(Token);
144 
145  /* Return the result */
146  return Result;
147 }
_SID
Definition: ms-dtyp.idl:198
TRUE
#define TRUE
Definition: types.h:120
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
FALSE
#define FALSE
Definition: types.h:117
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
Result
_At_(*)(_In_ PWSK_CLIENT Client, _In_opt_ PUNICODE_STRING NodeName, _In_opt_ PUNICODE_STRING ServiceName, _In_opt_ ULONG NameSpace, _In_opt_ GUID *Provider, _In_opt_ PADDRINFOEXW Hints, _Outptr_ PADDRINFOEXW *Result, _In_opt_ PEPROCESS OwningProcess, _In_opt_ PETHREAD OwningThread, _Inout_ PIRP Irp Result)(Mem)) NTSTATUS(WSKAPI *PFN_WSK_GET_ADDRESS_INFO
Definition: wsk.h:426
Sid
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
SepGetOwnerFromDescriptor
FORCEINLINE PSID SepGetOwnerFromDescriptor(PVOID _Descriptor)
Definition: se.h:58
ASSERT
#define ASSERT(a)
Definition: mode.c:44
SepReleaseTokenLock
#define SepReleaseTokenLock(Token)
Definition: se.h:227
NULL
#define NULL
Definition: types.h:112
SepAcquireTokenLockShared
#define SepAcquireTokenLockShared(Token)
Definition: se.h:221
SepSidInToken
BOOLEAN NTAPI SepSidInToken(IN PACCESS_TOKEN _Token, IN PSID Sid)
Definition: access.c:111
_TOKEN
Definition: setypes.h:197
TOKEN_IS_RESTRICTED
#define TOKEN_IS_RESTRICTED
Definition: setypes.h:1129
SepSidInTokenEx
BOOLEAN NTAPI SepSidInTokenEx(IN PACCESS_TOKEN _Token, IN PSID PrincipalSelfSid, IN PSID _Sid, IN BOOLEAN Deny, IN BOOLEAN Restricted)
Definition: access.c:25

Referenced by NtAccessCheck(), and SeAccessCheck().

◆ SeReleaseSubjectContext()

VOID NTAPI SeReleaseSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Definition at line 360 of file access.c.

361 {
362  PAGED_CODE();
363 
364  /* Drop reference on the primary */
365  ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
366  SubjectContext->PrimaryToken = NULL;
367 
368  /* Drop reference on the impersonation, if there was one */
369  PsDereferenceImpersonationToken(SubjectContext->ClientToken);
370  SubjectContext->ClientToken = NULL;
371 }
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
PsGetCurrentProcess
#define PsGetCurrentProcess
Definition: psfuncs.h:17
NULL
#define NULL
Definition: types.h:112
ObFastDereferenceObject
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:167
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89
PsDereferenceImpersonationToken
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:888

Referenced by FatExplicitDeviceAccessGranted(), FsRtlCancelNotify(), FsRtlNotifyCleanup(), FsRtlNotifyFilterChangeDirectory(), HasPrivilege(), KsCreateDefaultSecurity(), nfs41_get_sec_ctx(), nfs41_GetLUID(), nfs41_UpcallCreate(), NtAccessCheck(), NtCloseObjectAuditAlarm(), NtOpenObjectAuditAlarm(), NtPrivilegedServiceAuditAlarm(), NtSetUuidSeed(), RxStartMinirdr(), SeCheckPrivilegedObject(), SeDeleteAccessState(), SepAccessCheckAndAuditAlarm(), SeReportSecurityEvent(), SeSinglePrivilegeCheck(), set_link_information(), set_rename_information(), SystemThread(), UDFCheckAccessRights(), and UDFSetAccessRights().

◆ SeSetAccessStateGenericMapping()

VOID NTAPI SeSetAccessStateGenericMapping ( IN PACCESS_STATE  AccessState,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 492 of file access.c.

494 {
495  PAGED_CODE();
496 
497  /* Set the Generic Mapping */
498  ((PAUX_ACCESS_DATA)AccessState->AuxData)->GenericMapping = *GenericMapping;
499 }
AccessState
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
GenericMapping
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
PAUX_ACCESS_DATA
struct _AUX_ACCESS_DATA * PAUX_ACCESS_DATA
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by IopParseDevice().

◆ SeUnlockSubjectContext()

VOID NTAPI SeUnlockSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Definition at line 336 of file access.c.

337 {
338  PTOKEN PrimaryToken, ClientToken;
339  PAGED_CODE();
340 
341  /* Read both tokens */
342  PrimaryToken = SubjectContext->PrimaryToken;
343  ClientToken = SubjectContext->ClientToken;
344 
345  /* Unlock the impersonation one if it's there */
346  if (ClientToken)
347  {
348  SepReleaseTokenLock(ClientToken);
349  }
350 
351  /* Always unlock the primary one */
352  SepReleaseTokenLock(PrimaryToken);
353 }
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
SepReleaseTokenLock
#define SepReleaseTokenLock(Token)
Definition: se.h:227
_TOKEN
Definition: setypes.h:197
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by create_stream(), FatExplicitDeviceAccessGranted(), file_create(), HasPrivilege(), IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), NpCreateNewNamedPipe(), ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), open_file2(), SeAccessCheck(), START_TEST(), and TestSeAssignSecurity().

Variable Documentation

◆ SepSubjectContextLock

ERESOURCE SepSubjectContextLock

Definition at line 19 of file access.c.

Referenced by SepInitializationPhase0().