ReactOS  0.4.13-dev-464-g6b95727
access.c File Reference
#include <ntoskrnl.h>
#include <debug.h>
Include dependency graph for access.c:

Go to the source code of this file.

Macros

#define NDEBUG
 

Functions

BOOLEAN NTAPI SepSidInTokenEx (IN PACCESS_TOKEN _Token, IN PSID PrincipalSelfSid, IN PSID _Sid, IN BOOLEAN Deny, IN BOOLEAN Restricted)
 
BOOLEAN NTAPI SepSidInToken (IN PACCESS_TOKEN _Token, IN PSID Sid)
 
BOOLEAN NTAPI SepTokenIsOwner (IN PACCESS_TOKEN _Token, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN TokenLocked)
 
VOID NTAPI SeGetTokenControlInformation (IN PACCESS_TOKEN _Token, OUT PTOKEN_CONTROL TokenControl)
 
NTSTATUS NTAPI SepCreateClientSecurity (IN PACCESS_TOKEN Token, IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, IN BOOLEAN ServerIsRemote, IN TOKEN_TYPE TokenType, IN BOOLEAN ThreadEffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
 
VOID NTAPI SeCaptureSubjectContextEx (IN PETHREAD Thread, IN PEPROCESS Process, OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
 
VOID NTAPI SeCaptureSubjectContext (OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
 
VOID NTAPI SeLockSubjectContext (IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
 
VOID NTAPI SeUnlockSubjectContext (IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
 
VOID NTAPI SeReleaseSubjectContext (IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
 
NTSTATUS NTAPI SeCreateAccessStateEx (IN PETHREAD Thread, IN PEPROCESS Process, IN OUT PACCESS_STATE AccessState, IN PAUX_ACCESS_DATA AuxData, IN ACCESS_MASK Access, IN PGENERIC_MAPPING GenericMapping)
 
NTSTATUS NTAPI SeCreateAccessState (IN OUT PACCESS_STATE AccessState, IN PAUX_ACCESS_DATA AuxData, IN ACCESS_MASK Access, IN PGENERIC_MAPPING GenericMapping)
 
VOID NTAPI SeDeleteAccessState (IN PACCESS_STATE AccessState)
 
VOID NTAPI SeSetAccessStateGenericMapping (IN PACCESS_STATE AccessState, IN PGENERIC_MAPPING GenericMapping)
 
NTSTATUS NTAPI SeCreateClientSecurity (IN PETHREAD Thread, IN PSECURITY_QUALITY_OF_SERVICE Qos, IN BOOLEAN RemoteClient, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
 
NTSTATUS NTAPI SeCreateClientSecurityFromSubjectContext (IN PSECURITY_SUBJECT_CONTEXT SubjectContext, IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, IN BOOLEAN ServerIsRemote, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
 
NTSTATUS NTAPI SeImpersonateClientEx (IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
 
VOID NTAPI SeImpersonateClient (IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
 

Variables

ERESOURCE SepSubjectContextLock
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 14 of file access.c.

Function Documentation

◆ SeCaptureSubjectContext()

VOID NTAPI SeCaptureSubjectContext ( OUT PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Definition at line 301 of file access.c.

302 {
303  /* Call the extended API */
307 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
VOID NTAPI SeCaptureSubjectContextEx(IN PETHREAD Thread, IN PEPROCESS Process, OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:266
#define PsGetCurrentProcess
Definition: psfuncs.h:17

Referenced by create_directory_fcb(), create_subvol(), fcb_get_sd(), HasPrivilege(), KsCreateDefaultSecurity(), mknod(), nfs41_get_sec_ctx(), nfs41_GetLUID(), nfs41_UpcallCreate(), NtAccessCheck(), NtCloseObjectAuditAlarm(), NtOpenObjectAuditAlarm(), NtPrivilegedServiceAuditAlarm(), NtSetUuidSeed(), RxStartMinirdr(), SeCheckPrivilegedObject(), SepAccessCheckAndAuditAlarm(), SeReportSecurityEvent(), SeSinglePrivilegeCheck(), set_link_information(), set_rename_information(), START_TEST(), SystemThread(), UDFCheckAccessRights(), and UDFSetAccessRights().

◆ SeCaptureSubjectContextEx()

VOID NTAPI SeCaptureSubjectContextEx ( IN PETHREAD  Thread,
IN PEPROCESS  Process,
OUT PSECURITY_SUBJECT_CONTEXT  SubjectContext 
)

Definition at line 266 of file access.c.

269 {
271 
272  PAGED_CODE();
273 
274  /* Save the unique ID */
275  SubjectContext->ProcessAuditId = Process->UniqueProcessId;
276 
277  /* Check if we have a thread */
278  if (!Thread)
279  {
280  /* We don't, so no token */
281  SubjectContext->ClientToken = NULL;
282  }
283  else
284  {
285  /* Get the impersonation token */
287  &CopyOnOpen,
288  &EffectiveOnly,
289  &SubjectContext->ImpersonationLevel);
290  }
291 
292  /* Get the primary token */
294 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
#define PAGED_CODE()
Definition: video.h:57
unsigned char BOOLEAN
smooth NULL
Definition: ftsmooth.c:416
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:782
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:417

Referenced by SeCaptureSubjectContext(), and SeCreateAccessStateEx().

◆ SeCreateAccessState()

NTSTATUS NTAPI SeCreateAccessState ( IN OUT PACCESS_STATE  AccessState,
IN PAUX_ACCESS_DATA  AuxData,
IN ACCESS_MASK  Access,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 439 of file access.c.

443 {
444  PAGED_CODE();
445 
446  /* Call the extended API */
449  AccessState,
450  AuxData,
451  Access,
453 }
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
#define PAGED_CODE()
Definition: video.h:57
#define PsGetCurrentProcess
Definition: psfuncs.h:17
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
NTSTATUS NTAPI SeCreateAccessStateEx(IN PETHREAD Thread, IN PEPROCESS Process, IN OUT PACCESS_STATE AccessState, IN PAUX_ACCESS_DATA AuxData, IN ACCESS_MASK Access, IN PGENERIC_MAPPING GenericMapping)
Definition: access.c:378

Referenced by NtOpenProcess(), NtOpenThread(), ObDuplicateObject(), ObInsertObject(), ObOpenObjectByName(), ObOpenObjectByPointer(), ObReferenceObjectByName(), and START_TEST().

◆ SeCreateAccessStateEx()

NTSTATUS NTAPI SeCreateAccessStateEx ( IN PETHREAD  Thread,
IN PEPROCESS  Process,
IN OUT PACCESS_STATE  AccessState,
IN PAUX_ACCESS_DATA  AuxData,
IN ACCESS_MASK  Access,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 378 of file access.c.

384 {
385  ACCESS_MASK AccessMask = Access;
386  PTOKEN Token;
387  PAGED_CODE();
388 
389  /* Map the Generic Acess to Specific Access if we have a Mapping */
390  if ((Access & GENERIC_ACCESS) && (GenericMapping))
391  {
393  }
394 
395  /* Initialize the Access State */
397  ASSERT(AccessState->SecurityDescriptor == NULL);
398  ASSERT(AccessState->PrivilegesAllocated == FALSE);
399 
400  /* Initialize and save aux data */
401  RtlZeroMemory(AuxData, sizeof(AUX_ACCESS_DATA));
402  AccessState->AuxData = AuxData;
403 
404  /* Capture the Subject Context */
406  Process,
407  &AccessState->SubjectSecurityContext);
408 
409  /* Set Access State Data */
410  AccessState->RemainingDesiredAccess = AccessMask;
411  AccessState->OriginalDesiredAccess = AccessMask;
412  ExAllocateLocallyUniqueId(&AccessState->OperationID);
413 
414  /* Get the Token to use */
415  Token = SeQuerySubjectContextToken(&AccessState->SubjectSecurityContext);
416 
417  /* Check for Travers Privilege */
418  if (Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE)
419  {
420  /* Preserve the Traverse Privilege */
422  }
423 
424  /* Set the Auxiliary Data */
425  AuxData->PrivilegeSet = (PPRIVILEGE_SET)((ULONG_PTR)AccessState +
427  Privileges));
428  if (GenericMapping) AuxData->GenericMapping = *GenericMapping;
429 
430  /* Return Sucess */
431  return STATUS_SUCCESS;
432 }
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
#define GENERIC_ACCESS
Definition: wlx.c:26
#define TOKEN_HAS_TRAVERSE_PRIVILEGE
Definition: setypes.h:1124
#define PAGED_CODE()
Definition: video.h:57
VOID NTAPI SeCaptureSubjectContextEx(IN PETHREAD Thread, IN PEPROCESS Process, OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:266
uint32_t ULONG_PTR
Definition: typedefs.h:63
smooth NULL
Definition: ftsmooth.c:416
VOID NTAPI RtlMapGenericMask(IN OUT PACCESS_MASK AccessMask, IN PGENERIC_MAPPING GenericMapping)
Definition: access.c:50
_In_ ACCESS_MASK AccessMask
Definition: exfuncs.h:186
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel) ?(CompletionRoutine !=NULL) :TRUE)
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
#define SeQuerySubjectContextToken(SubjectContext)
Definition: sefuncs.h:583
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
struct _PRIVILEGE_SET * PPRIVILEGE_SET
VOID NTAPI ExAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
Definition: uuid.c:340
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:254
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:261
return STATUS_SUCCESS
Definition: btrfs.c:2777
ULONG ACCESS_MASK
Definition: nt_native.h:40

Referenced by PspCreateProcess(), PspCreateThread(), and SeCreateAccessState().

◆ SeCreateClientSecurity()

NTSTATUS NTAPI SeCreateClientSecurity ( IN PETHREAD  Thread,
IN PSECURITY_QUALITY_OF_SERVICE  Qos,
IN BOOLEAN  RemoteClient,
OUT PSECURITY_CLIENT_CONTEXT  ClientContext 
)

Definition at line 506 of file access.c.

510 {
512  BOOLEAN ThreadEffectiveOnly;
516  PAGED_CODE();
517 
518  /* Reference the correct token */
520  &TokenType,
521  &ThreadEffectiveOnly,
523 
524  /* Create client security from it */
526  Qos,
527  RemoteClient,
528  TokenType,
529  ThreadEffectiveOnly,
531  ClientContext);
532 
533  /* Check if we failed or static tracking was used */
534  if (!(NT_SUCCESS(Status)) || (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
535  {
536  /* Dereference our copy since it's not being used */
538  }
539 
540  /* Return status */
541  return Status;
542 }
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
NTSTATUS NTAPI SepCreateClientSecurity(IN PACCESS_TOKEN Token, IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, IN BOOLEAN ServerIsRemote, IN TOKEN_TYPE TokenType, IN BOOLEAN ThreadEffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
Definition: access.c:174
#define PAGED_CODE()
Definition: video.h:57
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
unsigned char BOOLEAN
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
_In_ PVOID ClientContext
Definition: netioddk.h:55
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken(IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:713
enum _TOKEN_TYPE TOKEN_TYPE
Status
Definition: gdiplustypes.h:24
#define SECURITY_STATIC_TRACKING
Definition: setypes.h:104
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:417

Referenced by CmLoadKey(), NpGetClientSecurityContext(), NpInitializeSecurity(), NtImpersonateClientOfPort(), NtImpersonateThread(), NtSecureConnectPort(), and VfdOpenCheck().

◆ SeCreateClientSecurityFromSubjectContext()

NTSTATUS NTAPI SeCreateClientSecurityFromSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT  SubjectContext,
IN PSECURITY_QUALITY_OF_SERVICE  ClientSecurityQos,
IN BOOLEAN  ServerIsRemote,
OUT PSECURITY_CLIENT_CONTEXT  ClientContext 
)

Definition at line 549 of file access.c.

553 {
556  PAGED_CODE();
557 
558  /* Get the right token and reference it */
561 
562  /* Create the context */
564  ClientSecurityQos,
565  ServerIsRemote,
566  SubjectContext->ClientToken ?
568  FALSE,
569  SubjectContext->ImpersonationLevel,
570  ClientContext);
571 
572  /* Check if we failed or static tracking was used */
573  if (!(NT_SUCCESS(Status)) ||
574  (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
575  {
576  /* Dereference our copy since it's not being used */
578  }
579 
580  /* Return status */
581  return Status;
582 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
NTSTATUS NTAPI SepCreateClientSecurity(IN PACCESS_TOKEN Token, IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, IN BOOLEAN ServerIsRemote, IN TOKEN_TYPE TokenType, IN BOOLEAN ThreadEffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
Definition: access.c:174
#define PAGED_CODE()
Definition: video.h:57
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
_In_ PVOID ClientContext
Definition: netioddk.h:55
#define SeQuerySubjectContextToken(SubjectContext)
Definition: sefuncs.h:583
Status
Definition: gdiplustypes.h:24
#define SECURITY_STATIC_TRACKING
Definition: setypes.h:104
#define ObReferenceObject
Definition: obfuncs.h:204

Referenced by nfs41_get_sec_ctx(), nfs41_GetLUID(), and nfs41_UpcallCreate().

◆ SeDeleteAccessState()

VOID NTAPI SeDeleteAccessState ( IN PACCESS_STATE  AccessState)

Definition at line 460 of file access.c.

461 {
462  PAUX_ACCESS_DATA AuxData;
463  PAGED_CODE();
464 
465  /* Get the Auxiliary Data */
466  AuxData = AccessState->AuxData;
467 
468  /* Deallocate Privileges */
469  if (AccessState->PrivilegesAllocated)
471 
472  /* Deallocate Name and Type Name */
473  if (AccessState->ObjectName.Buffer)
474  {
475  ExFreePool(AccessState->ObjectName.Buffer);
476  }
477 
478  if (AccessState->ObjectTypeName.Buffer)
479  {
480  ExFreePool(AccessState->ObjectTypeName.Buffer);
481  }
482 
483  /* Release the Subject Context */
484  SeReleaseSubjectContext(&AccessState->SubjectSecurityContext);
485 }
PPRIVILEGE_SET PrivilegeSet
Definition: setypes.h:187
VOID NTAPI SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:360
#define PAGED_CODE()
Definition: video.h:57
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
#define TAG_PRIVILEGE_SET
Definition: tag.h:179
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
#define ExFreePool(addr)
Definition: env_spec_w32.h:352

Referenced by NtOpenProcess(), NtOpenThread(), ObDuplicateObject(), ObInsertObject(), ObOpenObjectByName(), ObOpenObjectByPointer(), ObReferenceObjectByName(), PspCreateProcess(), PspCreateThread(), and START_TEST().

◆ SeGetTokenControlInformation()

VOID NTAPI SeGetTokenControlInformation ( IN PACCESS_TOKEN  _Token,
OUT PTOKEN_CONTROL  TokenControl 
)

Definition at line 151 of file access.c.

153 {
154  PTOKEN Token = _Token;
155  PAGED_CODE();
156 
157  /* Capture the main fields */
158  TokenControl->AuthenticationId = Token->AuthenticationId;
159  TokenControl->TokenId = Token->TokenId;
160  TokenControl->TokenSource = Token->TokenSource;
161 
162  /* Lock the token */
164 
165  /* Capture the modified ID */
166  TokenControl->ModifiedId = Token->ModifiedId;
167 
168  /* Unlock it */
170 }
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
#define PAGED_CODE()
Definition: video.h:57
#define SepReleaseTokenLock(Token)
Definition: se.h:211
#define SepAcquireTokenLockShared(Token)
Definition: se.h:205

Referenced by SepCreateClientSecurity().

◆ SeImpersonateClient()

VOID NTAPI SeImpersonateClient ( IN PSECURITY_CLIENT_CONTEXT  ClientContext,
IN PETHREAD ServerThread  OPTIONAL 
)

Definition at line 623 of file access.c.

625 {
626  PAGED_CODE();
627 
628  /* Call the new API */
630 }
#define PAGED_CODE()
Definition: video.h:57
UINT CALLBACK ServerThread(_Inout_ PVOID Parameter)
_In_ PVOID ClientContext
Definition: netioddk.h:55
NTSTATUS NTAPI SeImpersonateClientEx(IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
Definition: access.c:589

Referenced by NtImpersonateThread(), and VfdIoCtlThread().

◆ SeImpersonateClientEx()

NTSTATUS NTAPI SeImpersonateClientEx ( IN PSECURITY_CLIENT_CONTEXT  ClientContext,
IN PETHREAD ServerThread  OPTIONAL 
)

Definition at line 589 of file access.c.

591 {
593  PAGED_CODE();
594 
595  /* Check if direct access is requested */
596  if (!ClientContext->DirectlyAccessClientToken)
597  {
598  /* No, so get the flag from QOS */
599  EffectiveOnly = ClientContext->SecurityQos.EffectiveOnly;
600  }
601  else
602  {
603  /* Yes, so see if direct access should be effective only */
604  EffectiveOnly = ClientContext->DirectAccessEffectiveOnly;
605  }
606 
607  /* Use the current thread if one was not passed */
609 
610  /* Call the lower layer routine */
612  ClientContext->ClientToken,
613  TRUE,
615  ClientContext->SecurityQos.ImpersonationLevel);
616 }
NTSTATUS NTAPI PsImpersonateClient(IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:610
#define TRUE
Definition: types.h:120
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
#define PAGED_CODE()
Definition: video.h:57
unsigned char BOOLEAN
UINT CALLBACK ServerThread(_Inout_ PVOID Parameter)
_In_ PVOID ClientContext
Definition: netioddk.h:55
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:417

Referenced by CmpCmdHiveOpen(), handle_upcall(), NpImpersonateClientContext(), NtImpersonateClientOfPort(), and SeImpersonateClient().

◆ SeLockSubjectContext()

VOID NTAPI SeLockSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Definition at line 314 of file access.c.

315 {
316  PTOKEN PrimaryToken, ClientToken;
317  PAGED_CODE();
318 
319  /* Read both tokens */
320  PrimaryToken = SubjectContext->PrimaryToken;
321  ClientToken = SubjectContext->ClientToken;
322 
323  /* Always lock the primary */
324  SepAcquireTokenLockShared(PrimaryToken);
325 
326  /* Lock the impersonation one if it's there */
327  if (!ClientToken) return;
328  SepAcquireTokenLockShared(ClientToken);
329 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
#define PAGED_CODE()
Definition: video.h:57
#define SepAcquireTokenLockShared(Token)
Definition: se.h:205

Referenced by create_stream(), FatExplicitDeviceAccessGranted(), file_create(), HasPrivilege(), IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), NpCreateNewNamedPipe(), ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), open_file2(), SeAccessCheck(), and START_TEST().

◆ SepCreateClientSecurity()

NTSTATUS NTAPI SepCreateClientSecurity ( IN PACCESS_TOKEN  Token,
IN PSECURITY_QUALITY_OF_SERVICE  ClientSecurityQos,
IN BOOLEAN  ServerIsRemote,
IN TOKEN_TYPE  TokenType,
IN BOOLEAN  ThreadEffectiveOnly,
IN SECURITY_IMPERSONATION_LEVEL  ImpersonationLevel,
OUT PSECURITY_CLIENT_CONTEXT  ClientContext 
)

Definition at line 174 of file access.c.

181 {
183  PACCESS_TOKEN NewToken;
184  PAGED_CODE();
185 
186  /* Check for bogus impersonation level */
187  if (!VALID_IMPERSONATION_LEVEL(ClientSecurityQos->ImpersonationLevel))
188  {
189  /* Fail the call */
191  }
192 
193  /* Check what kind of token this is */
195  {
196  /* On a primary token, if we do direct access, copy the flag from the QOS */
197  ClientContext->DirectAccessEffectiveOnly = ClientSecurityQos->EffectiveOnly;
198  }
199  else
200  {
201  /* This is an impersonation token, is the level ok? */
202  if (ClientSecurityQos->ImpersonationLevel > ImpersonationLevel)
203  {
204  /* Nope, fail */
206  }
207 
208  /* Is the level too low, or are we doing something other than delegation remotely */
211  ((ServerIsRemote) && (ImpersonationLevel != SecurityDelegation)))
212  {
213  /* Fail the call */
215  }
216 
217  /* Pick either the thread setting or the QOS setting */
218  ClientContext->DirectAccessEffectiveOnly =
219  ((ThreadEffectiveOnly) || (ClientSecurityQos->EffectiveOnly)) ? TRUE : FALSE;
220  }
221 
222  /* Is this static tracking */
223  if (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
224  {
225  /* Do not use direct access and make a copy */
226  ClientContext->DirectlyAccessClientToken = FALSE;
228  ClientSecurityQos->ImpersonationLevel,
229  KernelMode,
230  &NewToken);
231  if (!NT_SUCCESS(Status))
232  return Status;
233  }
234  else
235  {
236  /* Use direct access and check if this is local */
237  ClientContext->DirectlyAccessClientToken = TRUE;
238  if (ServerIsRemote)
239  {
240  /* We are doing delegation, so make a copy of the control data */
242  &ClientContext->ClientTokenControl);
243  }
244 
245  /* Keep the same token */
246  NewToken = Token;
247  }
248 
249  /* Fill out the context and return success */
250  ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
251  ClientContext->SecurityQos.ImpersonationLevel = ClientSecurityQos->ImpersonationLevel;
252  ClientContext->SecurityQos.ContextTrackingMode = ClientSecurityQos->ContextTrackingMode;
253  ClientContext->SecurityQos.EffectiveOnly = ClientSecurityQos->EffectiveOnly;
254  ClientContext->ServerIsRemote = ServerIsRemote;
255  ClientContext->ClientToken = NewToken;
256  return STATUS_SUCCESS;
257 }
NTSTATUS NTAPI SeCopyClientToken(IN PACCESS_TOKEN Token, IN SECURITY_IMPERSONATION_LEVEL Level, IN KPROCESSOR_MODE PreviousMode, OUT PACCESS_TOKEN *NewToken)
Definition: token.c:788
#define TRUE
Definition: types.h:120
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:387
#define VALID_IMPERSONATION_LEVEL(Level)
Definition: setypes.h:101
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
#define PAGED_CODE()
Definition: video.h:57
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
_In_ PVOID ClientContext
Definition: netioddk.h:55
USHORT Length
Definition: ntsecapi.h:172
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
Status
Definition: gdiplustypes.h:24
#define SECURITY_STATIC_TRACKING
Definition: setypes.h:104
struct _SECURITY_QUALITY_OF_SERVICE SECURITY_QUALITY_OF_SERVICE
return STATUS_SUCCESS
Definition: btrfs.c:2777
VOID NTAPI SeGetTokenControlInformation(IN PACCESS_TOKEN _Token, OUT PTOKEN_CONTROL TokenControl)
Definition: access.c:151
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:417

Referenced by SeCreateClientSecurity(), and SeCreateClientSecurityFromSubjectContext().

◆ SepSidInToken()

BOOLEAN NTAPI SepSidInToken ( IN PACCESS_TOKEN  _Token,
IN PSID  Sid 
)

Definition at line 111 of file access.c.

113 {
114  /* Call extended API */
115  return SepSidInTokenEx(_Token, NULL, Sid, FALSE, FALSE);
116 }
smooth NULL
Definition: ftsmooth.c:416
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1104
BOOLEAN NTAPI SepSidInTokenEx(IN PACCESS_TOKEN _Token, IN PSID PrincipalSelfSid, IN PSID _Sid, IN BOOLEAN Deny, IN BOOLEAN Restricted)
Definition: access.c:25

Referenced by SepAccessCheck(), and SepTokenIsOwner().

◆ SepSidInTokenEx()

BOOLEAN NTAPI SepSidInTokenEx ( IN PACCESS_TOKEN  _Token,
IN PSID  PrincipalSelfSid,
IN PSID  _Sid,
IN BOOLEAN  Deny,
IN BOOLEAN  Restricted 
)

Definition at line 25 of file access.c.

30 {
31  ULONG i;
32  PTOKEN Token = (PTOKEN)_Token;
33  PISID TokenSid, Sid = (PISID)_Sid;
34  PSID_AND_ATTRIBUTES SidAndAttributes;
35  ULONG SidCount, SidLength;
36  USHORT SidMetadata;
37  PAGED_CODE();
38 
39  /* Not yet supported */
40  ASSERT(PrincipalSelfSid == NULL);
42 
43  /* Check if a principal SID was given, and this is our current SID already */
44  if ((PrincipalSelfSid) && (RtlEqualSid(SePrincipalSelfSid, Sid)))
45  {
46  /* Just use the principal SID in this case */
47  Sid = PrincipalSelfSid;
48  }
49 
50  /* Check if this is a restricted token or not */
51  if (Restricted)
52  {
53  /* Use the restricted SIDs and count */
54  SidAndAttributes = Token->RestrictedSids;
55  SidCount = Token->RestrictedSidCount;
56  }
57  else
58  {
59  /* Use the normal SIDs and count */
60  SidAndAttributes = Token->UserAndGroups;
61  SidCount = Token->UserAndGroupCount;
62  }
63 
64  /* Do checks here by hand instead of the usual 4 function calls */
65  SidLength = FIELD_OFFSET(SID,
66  SubAuthority[Sid->SubAuthorityCount]);
67  SidMetadata = *(PUSHORT)&Sid->Revision;
68 
69  /* Loop every SID */
70  for (i = 0; i < SidCount; i++)
71  {
72  TokenSid = (PISID)SidAndAttributes->Sid;
73 #if SE_SID_DEBUG
74  UNICODE_STRING sidString;
75  RtlConvertSidToUnicodeString(&sidString, TokenSid, TRUE);
76  DPRINT1("SID in Token: %wZ\n", &sidString);
77  RtlFreeUnicodeString(&sidString);
78 #endif
79  /* Check if the SID metadata matches */
80  if (*(PUSHORT)&TokenSid->Revision == SidMetadata)
81  {
82  /* Check if the SID data matches */
83  if (RtlEqualMemory(Sid, TokenSid, SidLength))
84  {
85  /* Check if the group is enabled, or used for deny only */
86  if ((!(i) && !(SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)) ||
87  (SidAndAttributes->Attributes & SE_GROUP_ENABLED) ||
88  ((Deny) && (SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)))
89  {
90  /* SID is present */
91  return TRUE;
92  }
93  else
94  {
95  /* SID is not present */
96  return FALSE;
97  }
98  }
99  }
100 
101  /* Move to the next SID */
102  SidAndAttributes++;
103  }
104 
105  /* SID is not present */
106  return FALSE;
107 }
#define TRUE
Definition: types.h:120
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
#define PAGED_CODE()
Definition: video.h:57
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
PSID SePrincipalSelfSid
Definition: sid.c:43
struct _SID * PISID
smooth NULL
Definition: ftsmooth.c:416
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1104
UNICODE_STRING Restricted
Definition: utils.c:24
NTSYSAPI ULONG NTAPI RtlEqualMemory(CONST VOID *Source1, CONST VOID *Source2, ULONG Length)
#define SE_GROUP_ENABLED
Definition: setypes.h:92
#define for
Definition: utility.h:88
NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
NTSYSAPI NTSTATUS NTAPI RtlConvertSidToUnicodeString(OUT PUNICODE_STRING DestinationString, IN PVOID Sid, IN BOOLEAN AllocateDestinationString)
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel) ?(CompletionRoutine !=NULL) :TRUE)
#define SE_GROUP_USE_FOR_DENY_ONLY
Definition: setypes.h:94
unsigned short USHORT
Definition: pedump.c:61
struct _TOKEN * PTOKEN
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:254
BYTE SubAuthorityCount
Definition: ms-dtyp.idl:200
#define DPRINT1
Definition: precomp.h:8
unsigned int ULONG
Definition: retypes.h:1
BYTE Revision
Definition: ms-dtyp.idl:199
unsigned short * PUSHORT
Definition: retypes.h:2
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)

Referenced by SepSidInToken(), and SepTokenIsOwner().

◆ SepTokenIsOwner()

BOOLEAN NTAPI SepTokenIsOwner ( IN PACCESS_TOKEN  _Token,
IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN BOOLEAN  TokenLocked 
)

Definition at line 120 of file access.c.

123 {
124  PSID Sid;
125  BOOLEAN Result;
126  PTOKEN Token = _Token;
127 
128  /* Get the owner SID */
130  ASSERT(Sid != NULL);
131 
132  /* Lock the token if needed */
133  if (!TokenLocked) SepAcquireTokenLockShared(Token);
134 
135  /* Check if the owner SID is found, handling restricted case as well */
137  if ((Result) && (Token->TokenFlags & TOKEN_IS_RESTRICTED))
138  {
140  }
141 
142  /* Release the lock if we had acquired it */
143  if (!TokenLocked) SepReleaseTokenLock(Token);
144 
145  /* Return the result */
146  return Result;
147 }
#define TRUE
Definition: types.h:120
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
unsigned char BOOLEAN
smooth NULL
Definition: ftsmooth.c:416
_At_(*)(_In_ PWSK_CLIENT Client, _In_opt_ PUNICODE_STRING NodeName, _In_opt_ PUNICODE_STRING ServiceName, _In_opt_ ULONG NameSpace, _In_opt_ GUID *Provider, _In_opt_ PADDRINFOEXW Hints, _Outptr_ PADDRINFOEXW *Result, _In_opt_ PEPROCESS OwningProcess, _In_opt_ PETHREAD OwningThread, _Inout_ PIRP Irp Result)(Mem)) NTSTATUS(WSKAPI *PFN_WSK_GET_ADDRESS_INFO
Definition: wsk.h:426
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1104
FORCEINLINE PSID SepGetOwnerFromDescriptor(PVOID _Descriptor)
Definition: se.h:48
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel) ?(CompletionRoutine !=NULL) :TRUE)
#define SepReleaseTokenLock(Token)
Definition: se.h:211
#define SepAcquireTokenLockShared(Token)
Definition: se.h:205
BOOLEAN NTAPI SepSidInToken(IN PACCESS_TOKEN _Token, IN PSID Sid)
Definition: access.c:111
#define TOKEN_IS_RESTRICTED
Definition: setypes.h:1129
BOOLEAN NTAPI SepSidInTokenEx(IN PACCESS_TOKEN _Token, IN PSID PrincipalSelfSid, IN PSID _Sid, IN BOOLEAN Deny, IN BOOLEAN Restricted)
Definition: access.c:25

Referenced by NtAccessCheck(), and SeAccessCheck().

◆ SeReleaseSubjectContext()

VOID NTAPI SeReleaseSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Definition at line 360 of file access.c.

361 {
362  PAGED_CODE();
363 
364  /* Drop reference on the primary */
366  SubjectContext->PrimaryToken = NULL;
367 
368  /* Drop reference on the impersonation, if there was one */
370  SubjectContext->ClientToken = NULL;
371 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
#define PAGED_CODE()
Definition: video.h:57
#define PsGetCurrentProcess
Definition: psfuncs.h:17
smooth NULL
Definition: ftsmooth.c:416
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:169
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:821

Referenced by FatExplicitDeviceAccessGranted(), FsRtlCancelNotify(), FsRtlNotifyCleanup(), FsRtlNotifyFilterChangeDirectory(), HasPrivilege(), KsCreateDefaultSecurity(), nfs41_get_sec_ctx(), nfs41_GetLUID(), nfs41_UpcallCreate(), NtAccessCheck(), NtCloseObjectAuditAlarm(), NtOpenObjectAuditAlarm(), NtPrivilegedServiceAuditAlarm(), NtSetUuidSeed(), RxStartMinirdr(), SeCheckPrivilegedObject(), SeDeleteAccessState(), SepAccessCheckAndAuditAlarm(), SeReportSecurityEvent(), SeSinglePrivilegeCheck(), set_link_information(), set_rename_information(), SystemThread(), UDFCheckAccessRights(), and UDFSetAccessRights().

◆ SeSetAccessStateGenericMapping()

VOID NTAPI SeSetAccessStateGenericMapping ( IN PACCESS_STATE  AccessState,
IN PGENERIC_MAPPING  GenericMapping 
)

Definition at line 492 of file access.c.

494 {
495  PAGED_CODE();
496 
497  /* Set the Generic Mapping */
498  ((PAUX_ACCESS_DATA)AccessState->AuxData)->GenericMapping = *GenericMapping;
499 }
#define PAGED_CODE()
Definition: video.h:57
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
struct _AUX_ACCESS_DATA * PAUX_ACCESS_DATA

Referenced by IopParseDevice().

◆ SeUnlockSubjectContext()

VOID NTAPI SeUnlockSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT  SubjectContext)

Definition at line 336 of file access.c.

337 {
338  PTOKEN PrimaryToken, ClientToken;
339  PAGED_CODE();
340 
341  /* Read both tokens */
342  PrimaryToken = SubjectContext->PrimaryToken;
343  ClientToken = SubjectContext->ClientToken;
344 
345  /* Unlock the impersonation one if it's there */
346  if (ClientToken)
347  {
348  SepReleaseTokenLock(ClientToken);
349  }
350 
351  /* Always unlock the primary one */
352  SepReleaseTokenLock(PrimaryToken);
353 }
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
#define PAGED_CODE()
Definition: video.h:57
#define SepReleaseTokenLock(Token)
Definition: se.h:211

Referenced by create_stream(), FatExplicitDeviceAccessGranted(), file_create(), HasPrivilege(), IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), NpCreateNewNamedPipe(), ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), open_file2(), SeAccessCheck(), START_TEST(), and TestSeAssignSecurity().

Variable Documentation

◆ SepSubjectContextLock

ERESOURCE SepSubjectContextLock

Definition at line 19 of file access.c.

Referenced by SepInitializationPhase0().