access.c
1 /*
2  * COPYRIGHT: See COPYING in the top level directory
3  * PROJECT: ReactOS kernel
4  * FILE: ntoskrnl/se/access.c
5  * PURPOSE: Access state functions
6  *
7  * PROGRAMMERS: Alex Ionescu (alex@relsoft.net) -
8  * Based on patch by Javier M. Mellid
9  */
10 
11 /* INCLUDES *******************************************************************/
12 
13 #include <ntoskrnl.h>
14 #define NDEBUG
15 #include <debug.h>
16 
17 /* GLOBALS ********************************************************************/
18 
20 
21 /* PRIVATE FUNCTIONS **********************************************************/
22 
/*
 * SepSidInTokenEx: reports whether a SID counts as present in a token.
 *
 * NOTE(review): listing lines 25 and 29 (the function name with its first
 * parameter, and the last parameter) are missing from this extract. The
 * symbol index at the end of the page gives the signature as
 *   BOOLEAN NTAPI SepSidInTokenEx(IN PACCESS_TOKEN _Token,
 *       IN PSID PrincipalSelfSid, IN PSID _Sid,
 *       IN BOOLEAN Deny, IN BOOLEAN Restricted)
 *
 * Parameters, as the visible body uses them:
 *   _Token           - token whose SID array is searched.
 *   PrincipalSelfSid - asserted to be NULL ("not yet supported").
 *   _Sid             - SID to look for; dereferenced here without validation,
 *                      so callers presumably pass an already captured SID.
 *   Deny             - when TRUE, a deny-only entry also counts as a match.
 *   Restricted       - selects Token->RestrictedSids instead of
 *                      Token->UserAndGroups.
 *
 * Returns TRUE when the first byte-identical entry passes the attribute
 * test, FALSE when that entry fails it or when no entry matches.
 */
23 BOOLEAN
24 NTAPI
26  IN PSID PrincipalSelfSid,
27  IN PSID _Sid,
28  IN BOOLEAN Deny,
30 {
31  ULONG i;
32  PTOKEN Token = (PTOKEN)_Token;
33  PISID TokenSid, Sid = (PISID)_Sid;
34  PSID_AND_ATTRIBUTES SidAndAttributes;
35  ULONG SidCount, SidLength;
36  USHORT SidMetadata;
37  PAGED_CODE();
38 
39  /* Not yet supported */
40  ASSERT(PrincipalSelfSid == NULL);
    /* NOTE(review): listing line 41 is missing from this extract; confirm
       against the tree what else is rejected here. ASSERT is presumably a
       checked-build-only test: if so, a non-NULL PrincipalSelfSid reaches
       the substitution below in a free build - confirm. */
42 
43  /* Check if a principal SID was given, and this is our current SID already */
44  if ((PrincipalSelfSid) && (RtlEqualSid(SePrincipalSelfSid, Sid)))
45  {
46  /* Just use the principal SID in this case */
47  Sid = PrincipalSelfSid;
48  }
49 
50  /* Check if this is a restricted token or not */
51  if (Restricted)
52  {
53  /* Use the restricted SIDs and count */
54  SidAndAttributes = Token->RestrictedSids;
55  SidCount = Token->RestrictedSidCount;
56  }
57  else
58  {
59  /* Use the normal SIDs and count */
60  SidAndAttributes = Token->UserAndGroups;
61  SidCount = Token->UserAndGroupCount;
62  }
63 
64  /* Do checks here by hand instead of the usual 4 function calls */
    /* SidLength is derived from the caller's SID only. SidMetadata is a
       16-bit load starting at Revision; presumably it also covers the
       adjacent SubAuthorityCount byte, which is what would make a metadata
       match imply equal SID length - verify against the SID layout. */
65  SidLength = FIELD_OFFSET(SID,
66  SubAuthority[Sid->SubAuthorityCount]);
67  SidMetadata = *(PUSHORT)&Sid->Revision;
68 
69  /* Loop every SID */
70  for (i = 0; i < SidCount; i++)
71  {
72  TokenSid = (PISID)SidAndAttributes->Sid;
73 #if SE_SID_DEBUG
74  UNICODE_STRING sidString;
75  RtlConvertSidToUnicodeString(&sidString, TokenSid, TRUE);
76  DPRINT1("SID in Token: %wZ\n", &sidString);
77  RtlFreeUnicodeString(&sidString);
78 #endif
79  /* Check if the SID metadata matches */
80  if (*(PUSHORT)&TokenSid->Revision == SidMetadata)
81  {
82  /* Check if the SID data matches */
    /* Reads SidLength bytes of the token entry; only reached after the
       metadata compare above succeeded. */
83  if (RtlEqualMemory(Sid, TokenSid, SidLength))
84  {
85  /* Check if the group is enabled, or used for deny only */
    /* Accepted when: this is entry 0 and it is not deny-only; or the
       entry is enabled; or the caller asked for a deny check and the
       entry is deny-only. */
86  if ((!(i) && !(SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)) ||
87  (SidAndAttributes->Attributes & SE_GROUP_ENABLED) ||
88  ((Deny) && (SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)))
89  {
90  /* SID is present */
91  return TRUE;
92  }
93  else
94  {
95  /* SID is not present */
    /* The first byte-identical entry decides the result; the loop does
       not go on to look for a later duplicate with other attributes. */
96  return FALSE;
97  }
98  }
99  }
100 
101  /* Move to the next SID */
102  SidAndAttributes++;
103  }
104 
105  /* SID is not present */
106  return FALSE;
107 }
108 
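/*
 * Checks whether a SID counts as present in a token's normal SID list.
 *
 * Thin wrapper over SepSidInTokenEx: no principal-self SID, not a deny
 * check (Deny = FALSE), and the unrestricted list (Restricted = FALSE).
 *
 * _Token - token to search.
 * Sid    - SID to look for.
 *
 * Returns whatever SepSidInTokenEx returns for those arguments.
 */
BOOLEAN
NTAPI
SepSidInToken(IN PACCESS_TOKEN _Token,
              IN PSID Sid)
{
    /* Call extended API */
    return SepSidInTokenEx(_Token, NULL, Sid, FALSE, FALSE);
}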
117 
/*
 * SepTokenIsOwner: reports whether a token holds the owner SID of a
 * security descriptor.
 *
 * NOTE(review): listing lines 120, 121, 129, 136 and 139 are missing from
 * this extract. The symbol index at the end of the page gives the
 * signature as
 *   BOOLEAN NTAPI SepTokenIsOwner(IN PACCESS_TOKEN _Token,
 *       IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN TokenLocked)
 *
 * TokenLocked - TRUE when the caller already holds the token lock; when
 *               FALSE the lock is taken shared here and released before
 *               returning.
 */
118 BOOLEAN
119 NTAPI
122  IN BOOLEAN TokenLocked)
123 {
124  PSID Sid;
125  BOOLEAN Result;
126  PTOKEN Token = _Token;
127 
128  /* Get the owner SID */
    /* NOTE(review): the statement that assigns Sid (listing line 129) is
       missing; presumably the owner is read from SecurityDescriptor -
       confirm. Only an assertion guards against a NULL owner below, so
       check what a build without assertions does with an ownerless
       descriptor. */
130  ASSERT(Sid != NULL);
131 
132  /* Lock the token if needed */
133  if (!TokenLocked) SepAcquireTokenLockShared(Token);
134 
135  /* Check if the owner SID is found, handling restricted case as well */
    /* NOTE(review): the statement that sets Result (listing line 136) and
       the body of the restricted branch (listing line 139) are missing.
       Visible logic: a second step runs only when the first check succeeded
       and the token carries TOKEN_IS_RESTRICTED; presumably it repeats the
       check against the restricted SIDs - confirm. */
137  if ((Result) && (Token->TokenFlags & TOKEN_IS_RESTRICTED))
138  {
140  }
141 
142  /* Release the lock if we had acquired it */
143  if (!TokenLocked) SepReleaseTokenLock(Token);
144 
145  /* Return the result */
146  return Result;
147 }
148 
/*
 * SeGetTokenControlInformation: copies a token's identifying fields into a
 * caller-supplied TOKEN_CONTROL.
 *
 * NOTE(review): listing lines 151, 163 and 169 are missing from this
 * extract. The symbol index at the end of the page gives the signature as
 *   VOID NTAPI SeGetTokenControlInformation(IN PACCESS_TOKEN _Token,
 *       OUT PTOKEN_CONTROL TokenControl)
 */
149 VOID
150 NTAPI
152  OUT PTOKEN_CONTROL TokenControl)
153 {
154  PTOKEN Token = _Token;
155  PAGED_CODE();
156 
157  /* Capture the main fields */
    /* These three copies come before the "Lock the token" step below, i.e.
       they are made without the token lock as far as this listing shows. */
158  TokenControl->AuthenticationId = Token->AuthenticationId;
159  TokenControl->TokenId = Token->TokenId;
160  TokenControl->TokenSource = Token->TokenSource;
161 
162  /* Lock the token */
    /* NOTE(review): the lock statement (listing line 163) is missing;
       presumably a shared acquire on Token - confirm. */
164 
165  /* Capture the modified ID */
166  TokenControl->ModifiedId = Token->ModifiedId;
167 
168  /* Unlock it */
    /* NOTE(review): the unlock statement (listing line 169) is missing. */
170 }
171 
/*
 * SepCreateClientSecurity: fills a SECURITY_CLIENT_CONTEXT from a client
 * token and the requested quality of service.
 *
 * NOTE(review): listing lines 174, 177, 179, 180, 182, 190, 194, 205, 209,
 * 210, 214, 227 and 241 are missing from this extract, so several
 * conditions and every failure return are not visible. The symbol index at
 * the end of the page gives the signature as
 *   NTSTATUS NTAPI SepCreateClientSecurity(IN PACCESS_TOKEN Token,
 *       IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
 *       IN BOOLEAN ServerIsRemote, IN TOKEN_TYPE TokenType,
 *       IN BOOLEAN ThreadEffectiveOnly,
 *       IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
 *       OUT PSECURITY_CLIENT_CONTEXT ClientContext)
 *
 * Visible contract: the requested level is validated first; for an
 * impersonation token the requested level may not exceed the token's own
 * level; static tracking stores a copy of the token, any other tracking
 * mode stores the caller's token itself. Returns STATUS_SUCCESS on the
 * final path; the failure codes are on the missing lines.
 */
172 NTSTATUS
173 NTAPI
175  IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
176  IN BOOLEAN ServerIsRemote,
178  IN BOOLEAN ThreadEffectiveOnly,
181 {
183  PACCESS_TOKEN NewToken;
184  PAGED_CODE();
185 
186  /* Check for bogus impersonation level */
    /* ClientSecurityQos is dereferenced directly; nothing visible here
       checks the pointer itself. */
187  if (!VALID_IMPERSONATION_LEVEL(ClientSecurityQos->ImpersonationLevel))
188  {
189  /* Fail the call */
    /* NOTE(review): the return statement (listing line 190) is missing. */
191  }
192 
193  /* Check what kind of token this is */
    /* NOTE(review): the branch condition (listing line 194) is missing; per
       the comments the first arm handles a primary token and the else arm
       an impersonation token. */
195  {
196  /* On a primary token, if we do direct access, copy the flag from the QOS */
197  ClientContext->DirectAccessEffectiveOnly = ClientSecurityQos->EffectiveOnly;
198  }
199  else
200  {
201  /* This is an impersonation token, is the level ok? */
    /* The QOS cannot ask for more than the token's own level. */
202  if (ClientSecurityQos->ImpersonationLevel > ImpersonationLevel)
203  {
204  /* Nope, fail */
206  }
207 
208  /* Is the level too low, or are we doing something other than delegation remotely */
    /* NOTE(review): the first part of this condition (listing lines
       209-210) is missing; only the remote/non-delegation clause is
       visible. */
211  ((ServerIsRemote) && (ImpersonationLevel != SecurityDelegation)))
212  {
213  /* Fail the call */
215  }
216 
217  /* Pick either the thread setting or the QOS setting */
    /* Effective-only is set when either source asks for it. */
218  ClientContext->DirectAccessEffectiveOnly =
219  ((ThreadEffectiveOnly) || (ClientSecurityQos->EffectiveOnly)) ? TRUE : FALSE;
220  }
221 
222  /* Is this static tracking */
223  if (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
224  {
225  /* Do not use direct access and make a copy */
226  ClientContext->DirectlyAccessClientToken = FALSE;
    /* NOTE(review): the start of the copy call (listing line 227) is
       missing; the visible arguments are the requested level, KernelMode
       and &NewToken, and its result is what Status holds below. */
228  ClientSecurityQos->ImpersonationLevel,
229  KernelMode,
230  &NewToken);
231  if (!NT_SUCCESS(Status))
232  return Status;
233  }
234  else
235  {
236  /* Use direct access and check if this is local */
237  ClientContext->DirectlyAccessClientToken = TRUE;
238  if (ServerIsRemote)
239  {
240  /* We are doing delegation, so make a copy of the control data */
    /* NOTE(review): the start of this call (listing line 241) is missing;
       its visible argument is &ClientContext->ClientTokenControl. */
242  &ClientContext->ClientTokenControl);
243  }
244 
245  /* Keep the same token */
    /* The context then refers to the caller's token, not a copy. */
246  NewToken = Token;
247  }
248 
249  /* Fill out the context and return success */
250  ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
251  ClientContext->SecurityQos.ImpersonationLevel = ClientSecurityQos->ImpersonationLevel;
252  ClientContext->SecurityQos.ContextTrackingMode = ClientSecurityQos->ContextTrackingMode;
253  ClientContext->SecurityQos.EffectiveOnly = ClientSecurityQos->EffectiveOnly;
254  ClientContext->ServerIsRemote = ServerIsRemote;
255  ClientContext->ClientToken = NewToken;
256  return STATUS_SUCCESS;
257 }
258 
259 /* PUBLIC FUNCTIONS ***********************************************************/
260 
261 /*
262  * @implemented
263  */
/*
 * SeCaptureSubjectContextEx: fills a subject context with the process
 * audit ID, the thread's impersonation token (if a thread is given) and
 * the primary token.
 *
 * NOTE(review): listing lines 266-268, 270, 286 and 293 are missing from
 * this extract. The symbol index at the end of the page gives the
 * signature as
 *   VOID NTAPI SeCaptureSubjectContextEx(IN PETHREAD Thread,
 *       IN PEPROCESS Process, OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
 */
264 VOID
265 NTAPI
269 {
271 
272  PAGED_CODE();
273 
274  /* Save the unique ID */
275  SubjectContext->ProcessAuditId = Process->UniqueProcessId;
276 
277  /* Check if we have a thread */
278  if (!Thread)
279  {
280  /* We don't, so no token */
    /* The visible lines of this branch do not write
       SubjectContext->ImpersonationLevel. */
281  SubjectContext->ClientToken = NULL;
282  }
283  else
284  {
285  /* Get the impersonation token */
    /* NOTE(review): the start of this call (listing line 286) is missing;
       presumably its result is stored in SubjectContext->ClientToken and
       carries a reference that the release routine drops - confirm. */
287  &CopyOnOpen,
288  &EffectiveOnly,
289  &SubjectContext->ImpersonationLevel);
290  }
291 
292  /* Get the primary token */
    /* NOTE(review): the statement itself (listing line 293) is missing. */
294 }
295 
296 /*
297  * @implemented
298  */
/*
 * SeCaptureSubjectContext: convenience form of the extended capture API.
 *
 * NOTE(review): listing lines 301 and 304-306 (the declarator and the whole
 * call) are missing from this extract. The symbol index at the end of the
 * page gives the signature as
 *   VOID NTAPI SeCaptureSubjectContext(
 *       OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
 * Presumably the call passes the current thread and process - confirm.
 */
299 VOID
300 NTAPI
302 {
303  /* Call the extended API */
307 }
308 
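/*
 * @implemented
 *
 * Takes the token locks of a captured subject context, shared.
 *
 * The primary token is locked first, then the client (impersonation)
 * token when the context has one. SeUnlockSubjectContext releases them in
 * the opposite order and re-reads both pointers from the context, so the
 * context must not be modified between the two calls.
 *
 * SubjectContext - context whose PrimaryToken and ClientToken are locked.
 */
VOID
NTAPI
SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
    PTOKEN PrimaryToken, ClientToken;
    PAGED_CODE();

    /* Read both tokens */
    PrimaryToken = SubjectContext->PrimaryToken;
    ClientToken = SubjectContext->ClientToken;

    /* Always lock the primary */
    SepAcquireTokenLockShared(PrimaryToken);

    /* Lock the impersonation one if it's there */
    if (ClientToken)
    {
        SepAcquireTokenLockShared(ClientToken);
    }
}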
330 
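/*
 * @implemented
 *
 * Releases the token locks taken by SeLockSubjectContext.
 *
 * The client (impersonation) token is released first when the context has
 * one, then the primary token, i.e. the reverse of the acquire order. Both
 * pointers are read from the context again here, so the context must be
 * the same, unmodified one that was locked.
 *
 * SubjectContext - context whose token locks are released.
 */
VOID
NTAPI
SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
{
    PTOKEN PrimaryToken, ClientToken;
    PAGED_CODE();

    /* Read both tokens */
    PrimaryToken = SubjectContext->PrimaryToken;
    ClientToken = SubjectContext->ClientToken;

    /* Unlock the impersonation one if it's there */
    if (ClientToken)
    {
        SepReleaseTokenLock(ClientToken);
    }

    /* Always unlock the primary one */
    SepReleaseTokenLock(PrimaryToken);
}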
354 
355 /*
356  * @implemented
357  */
/*
 * SeReleaseSubjectContext: drops the token references held by a captured
 * subject context and clears both token pointers.
 *
 * NOTE(review): listing lines 360, 365 and 369 (the declarator and both
 * dereference statements) are missing from this extract. The symbol index
 * at the end of the page gives the signature as
 *   VOID NTAPI SeReleaseSubjectContext(
 *       IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
 */
358 VOID
359 NTAPI
361 {
362  PAGED_CODE();
363 
364  /* Drop reference on the primary */
    /* Clearing the pointer after the (missing) dereference keeps a stale
       token pointer from being reused through this context. */
366  SubjectContext->PrimaryToken = NULL;
367 
368  /* Drop reference on the impersonation, if there was one */
370  SubjectContext->ClientToken = NULL;
371 }
372 
373 /*
374  * @implemented
375  */
/*
 * SeCreateAccessStateEx: initializes an ACCESS_STATE and its auxiliary
 * data for an access request and captures the subject context into it.
 *
 * NOTE(review): listing lines 378-380, 383, 392, 396, 405, 421 and 426 are
 * missing from this extract. The symbol index at the end of the page gives
 * the signature as
 *   NTSTATUS NTAPI SeCreateAccessStateEx(IN PETHREAD Thread,
 *       IN PEPROCESS Process, IN OUT PACCESS_STATE AccessState,
 *       IN PAUX_ACCESS_DATA AuxData, IN ACCESS_MASK Access,
 *       IN PGENERIC_MAPPING GenericMapping)
 *
 * GenericMapping is optional: both uses below are guarded by a NULL test.
 * The only return visible is STATUS_SUCCESS.
 */
376 NTSTATUS
377 NTAPI
381  IN PAUX_ACCESS_DATA AuxData,
382  IN ACCESS_MASK Access,
384 {
385  ACCESS_MASK AccessMask = Access;
386  PTOKEN Token;
387  PAGED_CODE();
388 
389  /* Map the Generic Access to Specific Access if we have a Mapping */
390  if ((Access & GENERIC_ACCESS) && (GenericMapping))
391  {
    /* NOTE(review): the mapping statement (listing line 392) is missing;
       the later stores use AccessMask, not Access. */
393  }
394 
395  /* Initialize the Access State */
    /* NOTE(review): the initializing statement (listing line 396) is
       missing; the two assertions check its effect. */
397  ASSERT(AccessState->SecurityDescriptor == NULL);
398  ASSERT(AccessState->PrivilegesAllocated == FALSE);
399 
400  /* Initialize and save aux data */
401  RtlZeroMemory(AuxData, sizeof(AUX_ACCESS_DATA));
402  AccessState->AuxData = AuxData;
403 
404  /* Capture the Subject Context */
    /* NOTE(review): the start of this call (listing line 405) is missing;
       the captured context is what SeDeleteAccessState later releases. */
406  Process,
407  &AccessState->SubjectSecurityContext);
408 
409  /* Set Access State Data */
410  AccessState->RemainingDesiredAccess = AccessMask;
411  AccessState->OriginalDesiredAccess = AccessMask;
412  ExAllocateLocallyUniqueId(&AccessState->OperationID);
413 
414  /* Get the Token to use */
415  Token = SeQuerySubjectContextToken(&AccessState->SubjectSecurityContext);
416 
417  /* Check for Traverse Privilege */
418  if (Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE)
419  {
420  /* Preserve the Traverse Privilege */
422  }
423 
424  /* Set the Auxiliary Data */
    /* PrivilegeSet is set to an address computed from AccessState plus an
       offset (the offset expression on listing line 426 is missing), so it
       presumably points at storage inside the ACCESS_STATE itself rather
       than at a separate allocation - confirm. */
425  AuxData->PrivilegeSet = (PPRIVILEGE_SET)((ULONG_PTR)AccessState +
427  Privileges));
428  if (GenericMapping) AuxData->GenericMapping = *GenericMapping;
429 
430  /* Return Success */
431  return STATUS_SUCCESS;
432 }
433 
434 /*
435  * @implemented
436  */
/*
 * SeCreateAccessState: convenience form of the extended access-state API.
 *
 * NOTE(review): listing lines 439, 442, 447, 448 and 452 are missing from
 * this extract, including the start and end of the call. The symbol index
 * at the end of the page gives the signature as
 *   NTSTATUS NTAPI SeCreateAccessState(IN OUT PACCESS_STATE AccessState,
 *       IN PAUX_ACCESS_DATA AuxData, IN ACCESS_MASK Access,
 *       IN PGENERIC_MAPPING GenericMapping)
 * Presumably the missing leading arguments are the current thread and
 * process - confirm.
 */
437 NTSTATUS
438 NTAPI
440  IN PAUX_ACCESS_DATA AuxData,
441  IN ACCESS_MASK Access,
443 {
444  PAGED_CODE();
445 
446  /* Call the extended API */
449  AccessState,
450  AuxData,
451  Access,
453 }
454 
455 /*
456  * @implemented
457  */
/*
 * SeDeleteAccessState: frees what an access state owns and releases its
 * captured subject context.
 *
 * NOTE(review): listing lines 460 and 470 are missing from this extract.
 * The symbol index at the end of the page gives the signature as
 *   VOID NTAPI SeDeleteAccessState(IN PACCESS_STATE AccessState)
 *
 * The freed buffer pointers are not cleared by the visible lines, so the
 * access state must not be used again after this call.
 */
458 VOID
459 NTAPI
461 {
462  PAUX_ACCESS_DATA AuxData;
463  PAGED_CODE();
464 
465  /* Get the Auxiliary Data */
466  AuxData = AccessState->AuxData;
467 
468  /* Deallocate Privileges */
469  if (AccessState->PrivilegesAllocated)
    /* NOTE(review): the statement this "if" guards (listing line 470) is
       missing; presumably it frees the privilege set reached through
       AuxData, the only use that would explain the local - confirm. */
471 
472  /* Deallocate Name and Type Name */
473  if (AccessState->ObjectName.Buffer)
474  {
475  ExFreePool(AccessState->ObjectName.Buffer);
476  }
477 
478  if (AccessState->ObjectTypeName.Buffer)
479  {
480  ExFreePool(AccessState->ObjectTypeName.Buffer);
481  }
482 
483  /* Release the Subject Context */
484  SeReleaseSubjectContext(&AccessState->SubjectSecurityContext);
485 }
486 
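/*
 * @implemented
 *
 * Stores a copy of a generic mapping in an access state's auxiliary data.
 *
 * Both pointers are dereferenced without a NULL test: AccessState->AuxData
 * must already point at valid auxiliary data and GenericMapping must be a
 * valid mapping.
 *
 * AccessState    - access state whose auxiliary data is updated.
 * GenericMapping - mapping to copy (by value).
 */
VOID
NTAPI
SeSetAccessStateGenericMapping(IN PACCESS_STATE AccessState,
                               IN PGENERIC_MAPPING GenericMapping)
{
    PAUX_ACCESS_DATA AuxData;
    PAGED_CODE();

    /* Set the Generic Mapping */
    AuxData = (PAUX_ACCESS_DATA)AccessState->AuxData;
    AuxData->GenericMapping = *GenericMapping;
}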
500 
501 /*
502  * @implemented
503  */
/*
 * SeCreateClientSecurity: builds a client security context from a thread's
 * effective token.
 *
 * NOTE(review): listing lines 506, 507, 509, 511, 513-515, 519, 522, 525,
 * 530 and 537 are missing from this extract. The symbol index at the end
 * of the page gives the signature as
 *   NTSTATUS NTAPI SeCreateClientSecurity(IN PETHREAD Thread,
 *       IN PSECURITY_QUALITY_OF_SERVICE Qos, IN BOOLEAN RemoteClient,
 *       OUT PSECURITY_CLIENT_CONTEXT ClientContext)
 *
 * Returns the status of the context-creation call.
 */
504 NTSTATUS
505 NTAPI
508  IN BOOLEAN RemoteClient,
510 {
512  BOOLEAN ThreadEffectiveOnly;
516  PAGED_CODE();
517 
518  /* Reference the correct token */
    /* NOTE(review): the start and end of this call (listing lines 519 and
       522) are missing; it fills TokenType and ThreadEffectiveOnly and,
       per the comment, returns a referenced token. */
520  &TokenType,
521  &ThreadEffectiveOnly,
523 
524  /* Create client security from it */
526  Qos,
527  RemoteClient,
528  TokenType,
529  ThreadEffectiveOnly,
531  ClientContext);
532 
533  /* Check if we failed or static tracking was used */
    /* In both cases the context does not keep this token (failure, or a
       copy was stored instead), so the reference taken above is dropped.
       NOTE(review): the dereference statement (listing line 537) is
       missing. On the remaining path the reference presumably stays with
       the context - confirm who releases it. */
534  if (!(NT_SUCCESS(Status)) || (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
535  {
536  /* Dereference our copy since it's not being used */
538  }
539 
540  /* Return status */
541  return Status;
542 }
543 
544 /*
545  * @implemented
546  */
/*
 * SeCreateClientSecurityFromSubjectContext: builds a client security
 * context from an already captured subject context.
 *
 * NOTE(review): listing lines 549, 552, 554, 555, 559, 560, 563, 567 and
 * 577 are missing from this extract. The symbol index at the end of the
 * page gives the signature as
 *   NTSTATUS NTAPI SeCreateClientSecurityFromSubjectContext(
 *       IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
 *       IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
 *       IN BOOLEAN ServerIsRemote,
 *       OUT PSECURITY_CLIENT_CONTEXT ClientContext)
 *
 * Returns the status of the context-creation call.
 */
547 NTSTATUS
548 NTAPI
550  IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
551  IN BOOLEAN ServerIsRemote,
553 {
556  PAGED_CODE();
557 
558  /* Get the right token and reference it */
    /* NOTE(review): both statements (listing lines 559-560) are missing. */
561 
562  /* Create the context */
    /* Visible arguments: the token type is chosen by whether the subject
       context has a ClientToken (the second half of that expression, on
       listing line 567, is missing); FALSE is passed in the
       thread-effective-only position, so only the QOS can request
       effective-only here. */
564  ClientSecurityQos,
565  ServerIsRemote,
566  SubjectContext->ClientToken ?
568  FALSE,
569  SubjectContext->ImpersonationLevel,
570  ClientContext);
571 
572  /* Check if we failed or static tracking was used */
    /* NOTE(review): the dereference statement (listing line 577) is
       missing; it undoes the reference taken at the top on the two paths
       where the context does not keep this token. */
573  if (!(NT_SUCCESS(Status)) ||
574  (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
575  {
576  /* Dereference our copy since it's not being used */
578  }
579 
580  /* Return status */
581  return Status;
582 }
583 
584 /*
585  * @implemented
586  */
/*
 * SeImpersonateClientEx: makes a server thread impersonate the client
 * described by a client security context.
 *
 * NOTE(review): listing lines 589, 590, 592, 608, 611 and 614 are missing
 * from this extract. The symbol index at the end of the page gives the
 * signature as
 *   NTSTATUS NTAPI SeImpersonateClientEx(
 *       IN PSECURITY_CLIENT_CONTEXT ClientContext,
 *       IN PETHREAD ServerThread OPTIONAL)
 *
 * Returns the status of the lower-layer impersonation call.
 */
587 NTSTATUS
588 NTAPI
591 {
593  PAGED_CODE();
594 
595  /* Check if direct access is requested */
    /* The effective-only flag comes from the stored QOS when the context
       holds a token copy, and from DirectAccessEffectiveOnly when it
       refers to the client token directly. */
596  if (!ClientContext->DirectlyAccessClientToken)
597  {
598  /* No, so get the flag from QOS */
599  EffectiveOnly = ClientContext->SecurityQos.EffectiveOnly;
600  }
601  else
602  {
603  /* Yes, so see if direct access should be effective only */
604  EffectiveOnly = ClientContext->DirectAccessEffectiveOnly;
605  }
606 
607  /* Use the current thread if one was not passed */
    /* NOTE(review): the statement itself (listing line 608) is missing. */
609 
610  /* Call the lower layer routine */
    /* NOTE(review): the start of the call and one argument (listing lines
       611 and 614) are missing. Visible arguments: the context's token, a
       literal TRUE, and the impersonation level stored in the context's
       QOS. */
612  ClientContext->ClientToken,
613  TRUE,
615  ClientContext->SecurityQos.ImpersonationLevel);
616 }
617 
618 /*
619  * @implemented
620  */
/*
 * SeImpersonateClient: older entry point that forwards to the newer
 * impersonation API.
 *
 * NOTE(review): listing lines 623, 624 and 629 (the declarator and the
 * call) are missing from this extract. The symbol index at the end of the
 * page gives the signature as
 *   VOID NTAPI SeImpersonateClient(
 *       IN PSECURITY_CLIENT_CONTEXT ClientContext,
 *       IN PETHREAD ServerThread OPTIONAL)
 *
 * This variant returns VOID while SeImpersonateClientEx returns NTSTATUS,
 * so a caller of this one cannot observe an impersonation failure; use the
 * Ex variant wherever the outcome decides whether work runs as the client.
 */
621 VOID
622 NTAPI
625 {
626  PAGED_CODE();
627 
628  /* Call the new API */
630 }
631 
632 /* EOF */
PPRIVILEGE_SET PrivilegeSet
Definition: setypes.h:187
VOID NTAPI SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:301
NTSTATUS NTAPI PsImpersonateClient(IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:610
NTSTATUS NTAPI SeCopyClientToken(IN PACCESS_TOKEN Token, IN SECURITY_IMPERSONATION_LEVEL Level, IN KPROCESSOR_MODE PreviousMode, OUT PACCESS_TOKEN *NewToken)
Definition: token.c:788
#define IN
Definition: typedefs.h:38
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2239
VOID NTAPI SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:360
BOOLEAN NTAPI SepTokenIsOwner(IN PACCESS_TOKEN _Token, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN TokenLocked)
Definition: access.c:120
#define TRUE
Definition: types.h:120
NTSTATUS NTAPI SeCreateAccessState(IN OUT PACCESS_STATE AccessState, IN PAUX_ACCESS_DATA AuxData, IN ACCESS_MASK Access, IN PGENERIC_MAPPING GenericMapping)
Definition: access.c:439
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:387
#define VALID_IMPERSONATION_LEVEL(Level)
Definition: setypes.h:101
NTSTATUS NTAPI SeCreateClientSecurity(IN PETHREAD Thread, IN PSECURITY_QUALITY_OF_SERVICE Qos, IN BOOLEAN RemoteClient, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
Definition: access.c:506
VOID NTAPI SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:336
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
VOID NTAPI SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:314
#define GENERIC_ACCESS
Definition: wlx.c:26
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
#define TOKEN_HAS_TRAVERSE_PRIVILEGE
Definition: setypes.h:1124
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
NTSTATUS NTAPI SepCreateClientSecurity(IN PACCESS_TOKEN Token, IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, IN BOOLEAN ServerIsRemote, IN TOKEN_TYPE TokenType, IN BOOLEAN ThreadEffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
Definition: access.c:174
#define PAGED_CODE()
Definition: video.h:57
VOID NTAPI SeCaptureSubjectContextEx(IN PETHREAD Thread, IN PEPROCESS Process, OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:266
ERESOURCE SepSubjectContextLock
Definition: access.c:19
uint32_t ULONG_PTR
Definition: typedefs.h:63
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
PSID SePrincipalSelfSid
Definition: sid.c:43
struct _SID * PISID
#define PsGetCurrentProcess
Definition: psfuncs.h:17
unsigned char BOOLEAN
UINT CALLBACK ServerThread(_Inout_ PVOID Parameter)
smooth NULL
Definition: ftsmooth.c:416
_At_(*)(_In_ PWSK_CLIENT Client, _In_opt_ PUNICODE_STRING NodeName, _In_opt_ PUNICODE_STRING ServiceName, _In_opt_ ULONG NameSpace, _In_opt_ GUID *Provider, _In_opt_ PADDRINFOEXW Hints, _Outptr_ PADDRINFOEXW *Result, _In_opt_ PEPROCESS OwningProcess, _In_opt_ PETHREAD OwningThread, _Inout_ PIRP Irp Result)(Mem)) NTSTATUS(WSKAPI *PFN_WSK_GET_ADDRESS_INFO
Definition: wsk.h:426
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1104
VOID NTAPI SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
Definition: access.c:623
NTSTATUS NTAPI SeCreateClientSecurityFromSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext, IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, IN BOOLEAN ServerIsRemote, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
Definition: access.c:549
UNICODE_STRING Restricted
Definition: utils.c:24
FORCEINLINE PSID SepGetOwnerFromDescriptor(PVOID _Descriptor)
Definition: se.h:48
NTSYSAPI ULONG NTAPI RtlEqualMemory(CONST VOID *Source1, CONST VOID *Source2, ULONG Length)
VOID NTAPI RtlMapGenericMask(IN OUT PACCESS_MASK AccessMask, IN PGENERIC_MAPPING GenericMapping)
Definition: access.c:50
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define SE_GROUP_ENABLED
Definition: setypes.h:92
_In_ PVOID ClientContext
Definition: netioddk.h:55
USHORT Length
Definition: ntsecapi.h:172
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
_In_ ACCESS_MASK AccessMask
Definition: exfuncs.h:186
#define for
Definition: utility.h:88
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2653
NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
NTSYSAPI NTSTATUS NTAPI RtlConvertSidToUnicodeString(OUT PUNICODE_STRING DestinationString, IN PVOID Sid, IN BOOLEAN AllocateDestinationString)
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel) ?(CompletionRoutine !=NULL) :TRUE)
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
#define SepReleaseTokenLock(Token)
Definition: se.h:211
#define SE_GROUP_USE_FOR_DENY_ONLY
Definition: setypes.h:94
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken(IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:713
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
#define SeQuerySubjectContextToken(SubjectContext)
Definition: sefuncs.h:583
enum _TOKEN_TYPE TOKEN_TYPE
NTSTATUS NTAPI SeImpersonateClientEx(IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL)
Definition: access.c:589
Status
Definition: gdiplustypes.h:24
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:782
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
NTSTATUS NTAPI SeCreateAccessStateEx(IN PETHREAD Thread, IN PEPROCESS Process, IN OUT PACCESS_STATE AccessState, IN PAUX_ACCESS_DATA AuxData, IN ACCESS_MASK Access, IN PGENERIC_MAPPING GenericMapping)
Definition: access.c:378
unsigned short USHORT
Definition: pedump.c:61
struct _TOKEN * PTOKEN
struct _PRIVILEGE_SET * PPRIVILEGE_SET
VOID NTAPI ExAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
Definition: uuid.c:340
#define SECURITY_STATIC_TRACKING
Definition: setypes.h:104
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:254
struct _SECURITY_QUALITY_OF_SERVICE SECURITY_QUALITY_OF_SERVICE
VOID NTAPI SeDeleteAccessState(IN PACCESS_STATE AccessState)
Definition: access.c:460
BYTE SubAuthorityCount
Definition: ms-dtyp.idl:200
struct _AUX_ACCESS_DATA * PAUX_ACCESS_DATA
#define DPRINT1
Definition: precomp.h:8
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:169
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
#define SepAcquireTokenLockShared(Token)
Definition: se.h:205
#define OUT
Definition: typedefs.h:39
#define ObReferenceObject
Definition: obfuncs.h:204
ULONG ERESOURCE
Definition: env_spec_w32.h:594
unsigned int ULONG
Definition: retypes.h:1
VOID NTAPI SeSetAccessStateGenericMapping(IN PACCESS_STATE AccessState, IN PGENERIC_MAPPING GenericMapping)
Definition: access.c:492
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:261
BOOLEAN NTAPI SepSidInToken(IN PACCESS_TOKEN _Token, IN PSID Sid)
Definition: access.c:111
BYTE Revision
Definition: ms-dtyp.idl:199
#define TAG_PRIVILEGE_SET
Definition: tag.h:179
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:417
return STATUS_SUCCESS
Definition: btrfs.c:2777
unsigned short * PUSHORT
Definition: retypes.h:2
ULONG ACCESS_MASK
Definition: nt_native.h:40
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
VOID NTAPI SeGetTokenControlInformation(IN PACCESS_TOKEN _Token, OUT PTOKEN_CONTROL TokenControl)
Definition: access.c:151
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:417
#define TOKEN_IS_RESTRICTED
Definition: setypes.h:1129
BOOLEAN NTAPI SepSidInTokenEx(IN PACCESS_TOKEN _Token, IN PSID PrincipalSelfSid, IN PSID _Sid, IN BOOLEAN Deny, IN BOOLEAN Restricted)
Definition: access.c:25
PULONG MinorVersion OPTIONAL
Definition: CrossNt.h:68
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:821