ReactOS  0.4.15-dev-3291-gea4c1a0
access.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS Kernel
3  * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4  * PURPOSE: Security access state functions support
5  * COPYRIGHT: Copyright Alex Ionescu <alex@relsoft.net>
6  */
7 
8 /* INCLUDES *******************************************************************/
9 
10 #include <ntoskrnl.h>
11 #define NDEBUG
12 #include <debug.h>
13 
14 /* GLOBALS ********************************************************************/
15 
16 ERESOURCE SepSubjectContextLock;
17 
18 /* PRIVATE FUNCTIONS **********************************************************/
19 
46 BOOLEAN
47 NTAPI
48 SepSidInTokenEx(
49  _In_ PACCESS_TOKEN _Token,
50  _In_ PSID PrincipalSelfSid,
51  _In_ PSID _Sid,
52  _In_ BOOLEAN Deny,
53  _In_ BOOLEAN Restricted)
54 {
55  ULONG i;
56  PTOKEN Token = (PTOKEN)_Token;
57  PISID TokenSid, Sid = (PISID)_Sid;
58  PSID_AND_ATTRIBUTES SidAndAttributes;
59  ULONG SidCount, SidLength;
60  USHORT SidMetadata;
61  PAGED_CODE();
62 
63  /* Not yet supported */
64  ASSERT(PrincipalSelfSid == NULL);
65  ASSERT(Restricted == FALSE);
66 
67  /* Check if a principal SID was given, and this is our current SID already */
68  if ((PrincipalSelfSid) && (RtlEqualSid(SePrincipalSelfSid, Sid)))
69  {
70  /* Just use the principal SID in this case */
71  Sid = PrincipalSelfSid;
72  }
73 
74  /* Check if this is a restricted token or not */
75  if (Restricted)
76  {
77  /* Use the restricted SIDs and count */
78  SidAndAttributes = Token->RestrictedSids;
79  SidCount = Token->RestrictedSidCount;
80  }
81  else
82  {
83  /* Use the normal SIDs and count */
84  SidAndAttributes = Token->UserAndGroups;
85  SidCount = Token->UserAndGroupCount;
86  }
87 
88  /* Do checks here by hand instead of the usual 4 function calls */
89  SidLength = FIELD_OFFSET(SID,
90  SubAuthority[Sid->SubAuthorityCount]);
91  SidMetadata = *(PUSHORT)&Sid->Revision;
92 
93  /* Loop every SID */
94  for (i = 0; i < SidCount; i++)
95  {
96  TokenSid = (PISID)SidAndAttributes->Sid;
97 #if SE_SID_DEBUG
98  UNICODE_STRING sidString;
99  RtlConvertSidToUnicodeString(&sidString, TokenSid, TRUE);
100  DPRINT1("SID in Token: %wZ\n", &sidString);
101  RtlFreeUnicodeString(&sidString);
102 #endif
103  /* Check if the SID metadata matches */
104  if (*(PUSHORT)&TokenSid->Revision == SidMetadata)
105  {
106  /* Check if the SID data matches */
107  if (RtlEqualMemory(Sid, TokenSid, SidLength))
108  {
109  /* Check if the group is enabled, or used for deny only */
110  if ((!(i) && !(SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)) ||
111  (SidAndAttributes->Attributes & SE_GROUP_ENABLED) ||
112  ((Deny) && (SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)))
113  {
114  /* SID is present */
115  return TRUE;
116  }
117  else
118  {
119  /* SID is not present */
120  return FALSE;
121  }
122  }
123  }
124 
125  /* Move to the next SID */
126  SidAndAttributes++;
127  }
128 
129  /* SID is not present */
130  return FALSE;
131 }
132 
147 BOOLEAN
148 NTAPI
149 SepSidInToken(
150  _In_ PACCESS_TOKEN _Token,
151  _In_ PSID Sid)
152 {
153  /* Call extended API */
154  return SepSidInTokenEx(_Token, NULL, Sid, FALSE, FALSE);
155 }
156 
175 BOOLEAN
176 NTAPI
177 SepTokenIsOwner(
178  _In_ PACCESS_TOKEN _Token,
179  _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
180  _In_ BOOLEAN TokenLocked)
181 {
182  PSID Sid;
183  BOOLEAN Result;
184  PTOKEN Token = _Token;
185 
186  /* Get the owner SID */
187  Sid = SepGetOwnerFromDescriptor(SecurityDescriptor);
188  ASSERT(Sid != NULL);
189 
190  /* Lock the token if needed */
191  if (!TokenLocked) SepAcquireTokenLockShared(Token);
192 
193  /* Check if the owner SID is found, handling restricted case as well */
194  Result = SepSidInToken(Token, Sid);
195  if ((Result) && (Token->TokenFlags & TOKEN_IS_RESTRICTED))
196  {
197  Result = SepSidInTokenEx(Token, NULL, Sid, FALSE, TRUE);
198  }
199 
200  /* Release the lock if we had acquired it */
201  if (!TokenLocked) SepReleaseTokenLock(Token);
202 
203  /* Return the result */
204  return Result;
205 }
206 
220 VOID
221 NTAPI
222 SeGetTokenControlInformation(
223  _In_ PACCESS_TOKEN _Token,
224  _Out_ PTOKEN_CONTROL TokenControl)
225 {
226  PTOKEN Token = _Token;
227  PAGED_CODE();
228 
229  /* Capture the main fields */
230  TokenControl->AuthenticationId = Token->AuthenticationId;
231  TokenControl->TokenId = Token->TokenId;
232  TokenControl->TokenSource = Token->TokenSource;
233 
234  /* Lock the token */
235  SepAcquireTokenLockShared(Token);
236 
237  /* Capture the modified ID */
238  TokenControl->ModifiedId = Token->ModifiedId;
239 
240  /* Unlock it */
241  SepReleaseTokenLock(Token);
242 }
243 
279 NTSTATUS
280 NTAPI
281 SepCreateClientSecurity(
282  _In_ PACCESS_TOKEN Token,
283  _In_ PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
284  _In_ BOOLEAN ServerIsRemote,
285  _In_ TOKEN_TYPE TokenType,
286  _In_ BOOLEAN ThreadEffectiveOnly,
287  _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
288  _Out_ PSECURITY_CLIENT_CONTEXT ClientContext)
289 {
290  NTSTATUS Status;
291  PACCESS_TOKEN NewToken;
292  PAGED_CODE();
293 
294  /* Check for bogus impersonation level */
295  if (!VALID_IMPERSONATION_LEVEL(ClientSecurityQos->ImpersonationLevel))
296  {
297  /* Fail the call */
298  return STATUS_INVALID_PARAMETER;
299  }
300 
301  /* Check what kind of token this is */
302  if (TokenType != TokenImpersonation)
303  {
304  /* On a primary token, if we do direct access, copy the flag from the QOS */
305  ClientContext->DirectAccessEffectiveOnly = ClientSecurityQos->EffectiveOnly;
306  }
307  else
308  {
309  /* This is an impersonation token, is the level ok? */
310  if (ClientSecurityQos->ImpersonationLevel > ImpersonationLevel)
311  {
312  /* Nope, fail */
313  return STATUS_BAD_IMPERSONATION_LEVEL;
314  }
315 
316  /* Is the level too low, or are we doing something other than delegation remotely */
317  if ((ImpersonationLevel == SecurityAnonymous) ||
318  (ImpersonationLevel == SecurityIdentification) ||
319  ((ServerIsRemote) && (ImpersonationLevel != SecurityDelegation)))
320  {
321  /* Fail the call */
322  return STATUS_BAD_IMPERSONATION_LEVEL;
323  }
324 
325  /* Pick either the thread setting or the QOS setting */
326  ClientContext->DirectAccessEffectiveOnly =
327  ((ThreadEffectiveOnly) || (ClientSecurityQos->EffectiveOnly)) ? TRUE : FALSE;
328  }
329 
330  /* Is this static tracking */
331  if (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
332  {
333  /* Do not use direct access and make a copy */
334  ClientContext->DirectlyAccessClientToken = FALSE;
335  Status = SeCopyClientToken(Token,
336  ClientSecurityQos->ImpersonationLevel,
337  KernelMode,
338  &NewToken);
339  if (!NT_SUCCESS(Status))
340  return Status;
341  }
342  else
343  {
344  /* Use direct access and check if this is local */
345  ClientContext->DirectlyAccessClientToken = TRUE;
346  if (ServerIsRemote)
347  {
348  /* We are doing delegation, so make a copy of the control data */
349  SeGetTokenControlInformation(Token,
350  &ClientContext->ClientTokenControl);
351  }
352 
353  /* Keep the same token */
354  NewToken = Token;
355  }
356 
357  /* Fill out the context and return success */
358  ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
359  ClientContext->SecurityQos.ImpersonationLevel = ClientSecurityQos->ImpersonationLevel;
360  ClientContext->SecurityQos.ContextTrackingMode = ClientSecurityQos->ContextTrackingMode;
361  ClientContext->SecurityQos.EffectiveOnly = ClientSecurityQos->EffectiveOnly;
362  ClientContext->ServerIsRemote = ServerIsRemote;
363  ClientContext->ClientToken = NewToken;
364  return STATUS_SUCCESS;
365 }
366 
367 /* PUBLIC FUNCTIONS ***********************************************************/
368 
388 VOID
389 NTAPI
390 SeCaptureSubjectContextEx(
391  _In_ PETHREAD Thread,
392  _In_ PEPROCESS Process,
393  _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
394 {
395  BOOLEAN CopyOnOpen, EffectiveOnly;
396 
397  PAGED_CODE();
398 
399  /* Save the unique ID */
400  SubjectContext->ProcessAuditId = Process->UniqueProcessId;
401 
402  /* Check if we have a thread */
403  if (!Thread)
404  {
405  /* We don't, so no token */
406  SubjectContext->ClientToken = NULL;
407  }
408  else
409  {
410  /* Get the impersonation token */
411  SubjectContext->ClientToken = PsReferenceImpersonationToken(Thread,
412  &CopyOnOpen,
413  &EffectiveOnly,
414  &SubjectContext->ImpersonationLevel);
415  }
416 
417  /* Get the primary token */
418  SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
419 }
420 
432 VOID
433 NTAPI
434 SeCaptureSubjectContext(
435  _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
436 {
437  /* Call the extended API */
438  SeCaptureSubjectContextEx(PsGetCurrentThread(),
439  PsGetCurrentProcess(),
440  SubjectContext);
441 }
442 
454 VOID
455 NTAPI
456 SeLockSubjectContext(
457  _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
458 {
459  PTOKEN PrimaryToken, ClientToken;
460  PAGED_CODE();
461 
462  /* Read both tokens */
463  PrimaryToken = SubjectContext->PrimaryToken;
464  ClientToken = SubjectContext->ClientToken;
465 
466  /* Always lock the primary */
467  SepAcquireTokenLockShared(PrimaryToken);
468 
469  /* Lock the impersonation one if it's there */
470  if (!ClientToken) return;
471  SepAcquireTokenLockShared(ClientToken);
472 }
473 
485 VOID
486 NTAPI
487 SeUnlockSubjectContext(
488  _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
489 {
490  PTOKEN PrimaryToken, ClientToken;
491  PAGED_CODE();
492 
493  /* Read both tokens */
494  PrimaryToken = SubjectContext->PrimaryToken;
495  ClientToken = SubjectContext->ClientToken;
496 
497  /* Unlock the impersonation one if it's there */
498  if (ClientToken)
499  {
500  SepReleaseTokenLock(ClientToken);
501  }
502 
503  /* Always unlock the primary one */
504  SepReleaseTokenLock(PrimaryToken);
505 }
506 
518 VOID
519 NTAPI
520 SeReleaseSubjectContext(
521  _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
522 {
523  PAGED_CODE();
524 
525  /* Drop reference on the primary */
526  ObFastDereferenceObject(&PsGetCurrentProcess()->Token, SubjectContext->PrimaryToken);
527  SubjectContext->PrimaryToken = NULL;
528 
529  /* Drop reference on the impersonation, if there was one */
530  PsDereferenceImpersonationToken(SubjectContext->ClientToken);
531  SubjectContext->ClientToken = NULL;
532 }
533 
559 NTSTATUS
560 NTAPI
561 SeCreateAccessStateEx(
562  _In_ PETHREAD Thread,
563  _In_ PEPROCESS Process,
564  _Inout_ PACCESS_STATE AccessState,
565  _In_ PAUX_ACCESS_DATA AuxData,
566  _In_ ACCESS_MASK Access,
567  _In_ PGENERIC_MAPPING GenericMapping)
568 {
569  ACCESS_MASK AccessMask = Access;
570  PTOKEN Token;
571  PAGED_CODE();
572 
573  /* Map the Generic Acess to Specific Access if we have a Mapping */
574  if ((Access & GENERIC_ACCESS) && (GenericMapping))
575  {
576  RtlMapGenericMask(&AccessMask, GenericMapping);
577  }
578 
579  /* Initialize the Access State */
580  RtlZeroMemory(AccessState, sizeof(ACCESS_STATE));
581  ASSERT(AccessState->SecurityDescriptor == NULL);
582  ASSERT(AccessState->PrivilegesAllocated == FALSE);
583 
584  /* Initialize and save aux data */
585  RtlZeroMemory(AuxData, sizeof(AUX_ACCESS_DATA));
586  AccessState->AuxData = AuxData;
587 
588  /* Capture the Subject Context */
589  SeCaptureSubjectContextEx(Thread,
590  Process,
591  &AccessState->SubjectSecurityContext);
592 
593  /* Set Access State Data */
594  AccessState->RemainingDesiredAccess = AccessMask;
595  AccessState->OriginalDesiredAccess = AccessMask;
596  ExAllocateLocallyUniqueId(&AccessState->OperationID);
597 
598  /* Get the Token to use */
599  Token = SeQuerySubjectContextToken(&AccessState->SubjectSecurityContext);
600 
601  /* Check for Travers Privilege */
602  if (Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE)
603  {
604  /* Preserve the Traverse Privilege */
605  AccessState->Flags = TOKEN_HAS_TRAVERSE_PRIVILEGE;
606  }
607 
608  /* Set the Auxiliary Data */
609  AuxData->PrivilegeSet = (PPRIVILEGE_SET)((ULONG_PTR)AccessState +
610  FIELD_OFFSET(ACCESS_STATE,
611  Privileges));
612  if (GenericMapping) AuxData->GenericMapping = *GenericMapping;
613 
614  /* Return Sucess */
615  return STATUS_SUCCESS;
616 }
617 
637 NTSTATUS
638 NTAPI
639 SeCreateAccessState(
640  _Inout_ PACCESS_STATE AccessState,
641  _In_ PAUX_ACCESS_DATA AuxData,
642  _In_ ACCESS_MASK Access,
643  _In_ PGENERIC_MAPPING GenericMapping)
644 {
645  PAGED_CODE();
646 
647  /* Call the extended API */
648  return SeCreateAccessStateEx(PsGetCurrentThread(),
649  PsGetCurrentProcess(),
650  AccessState,
651  AuxData,
652  Access,
653  GenericMapping);
654 }
655 
666 VOID
667 NTAPI
668 SeDeleteAccessState(
669  _In_ PACCESS_STATE AccessState)
670 {
671  PAUX_ACCESS_DATA AuxData;
672  PAGED_CODE();
673 
674  /* Get the Auxiliary Data */
675  AuxData = AccessState->AuxData;
676 
677  /* Deallocate Privileges */
678  if (AccessState->PrivilegesAllocated)
679  ExFreePoolWithTag(AuxData->PrivilegeSet, TAG_PRIVILEGE_SET);
680 
681  /* Deallocate Name and Type Name */
682  if (AccessState->ObjectName.Buffer)
683  {
684  ExFreePool(AccessState->ObjectName.Buffer);
685  }
686 
687  if (AccessState->ObjectTypeName.Buffer)
688  {
689  ExFreePool(AccessState->ObjectTypeName.Buffer);
690  }
691 
692  /* Release the Subject Context */
693  SeReleaseSubjectContext(&AccessState->SubjectSecurityContext);
694 }
695 
709 VOID
710 NTAPI
711 SeSetAccessStateGenericMapping(
712  _In_ PACCESS_STATE AccessState,
713  _In_ PGENERIC_MAPPING GenericMapping)
714 {
715  PAGED_CODE();
716 
717  /* Set the Generic Mapping */
718  ((PAUX_ACCESS_DATA)AccessState->AuxData)->GenericMapping = *GenericMapping;
719 }
720 
740 NTSTATUS
741 NTAPI
742 SeCreateClientSecurity(
743  _In_ PETHREAD Thread,
744  _In_ PSECURITY_QUALITY_OF_SERVICE Qos,
745  _In_ BOOLEAN RemoteClient,
746  _Out_ PSECURITY_CLIENT_CONTEXT ClientContext)
747 {
748  TOKEN_TYPE TokenType;
749  BOOLEAN ThreadEffectiveOnly;
750  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
751  PACCESS_TOKEN Token;
752  NTSTATUS Status;
753  PAGED_CODE();
754 
755  /* Reference the correct token */
756  Token = PsReferenceEffectiveToken(Thread,
757  &TokenType,
758  &ThreadEffectiveOnly,
759  &ImpersonationLevel);
760 
761  /* Create client security from it */
762  Status = SepCreateClientSecurity(Token,
763  Qos,
764  RemoteClient,
765  TokenType,
766  ThreadEffectiveOnly,
767  ImpersonationLevel,
768  ClientContext);
769 
770  /* Check if we failed or static tracking was used */
771  if (!(NT_SUCCESS(Status)) || (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
772  {
773  /* Dereference our copy since it's not being used */
774  ObDereferenceObject(Token);
775  }
776 
777  /* Return status */
778  return Status;
779 }
780 
802 NTSTATUS
803 NTAPI
804 SeCreateClientSecurityFromSubjectContext(
805  _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
806  _In_ PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
807  _In_ BOOLEAN ServerIsRemote,
808  _Out_ PSECURITY_CLIENT_CONTEXT ClientContext)
809 {
810  PACCESS_TOKEN Token;
811  NTSTATUS Status;
812  PAGED_CODE();
813 
814  /* Get the right token and reference it */
815  Token = SeQuerySubjectContextToken(SubjectContext);
816  ObReferenceObject(Token);
817 
818  /* Create the context */
819  Status = SepCreateClientSecurity(Token,
820  ClientSecurityQos,
821  ServerIsRemote,
822  SubjectContext->ClientToken ?
823  TokenImpersonation : TokenPrimary,
824  FALSE,
825  SubjectContext->ImpersonationLevel,
826  ClientContext);
827 
828  /* Check if we failed or static tracking was used */
829  if (!(NT_SUCCESS(Status)) ||
830  (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
831  {
832  /* Dereference our copy since it's not being used */
833  ObDereferenceObject(Token);
834  }
835 
836  /* Return status */
837  return Status;
838 }
839 
854 NTSTATUS
855 NTAPI
856 SeImpersonateClientEx(
857  _In_ PSECURITY_CLIENT_CONTEXT ClientContext,
858  _In_opt_ PETHREAD ServerThread)
859 {
860  BOOLEAN EffectiveOnly;
861  PAGED_CODE();
862 
863  /* Check if direct access is requested */
864  if (!ClientContext->DirectlyAccessClientToken)
865  {
866  /* No, so get the flag from QOS */
867  EffectiveOnly = ClientContext->SecurityQos.EffectiveOnly;
868  }
869  else
870  {
871  /* Yes, so see if direct access should be effective only */
872  EffectiveOnly = ClientContext->DirectAccessEffectiveOnly;
873  }
874 
875  /* Use the current thread if one was not passed */
876  if (!ServerThread) ServerThread = PsGetCurrentThread();
877 
878  /* Call the lower layer routine */
879  return PsImpersonateClient(ServerThread,
880  ClientContext->ClientToken,
881  TRUE,
882  EffectiveOnly,
883  ClientContext->SecurityQos.ImpersonationLevel);
884 }
885 
899 VOID
900 NTAPI
901 SeImpersonateClient(
902  _In_ PSECURITY_CLIENT_CONTEXT ClientContext,
903  _In_opt_ PETHREAD ServerThread)
904 {
905  PAGED_CODE();
906 
907  /* Call the new API */
908  SeImpersonateClientEx(ClientContext, ServerThread);
909 }
910 
911 /* EOF */
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
_AUX_ACCESS_DATA::PrivilegeSet
PPRIVILEGE_SET PrivilegeSet
Definition: setypes.h:234
PsImpersonateClient
NTSTATUS NTAPI PsImpersonateClient(IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:610
SubjectContext
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
SepSidInTokenEx
BOOLEAN NTAPI SepSidInTokenEx(_In_ PACCESS_TOKEN _Token, _In_ PSID PrincipalSelfSid, _In_ PSID _Sid, _In_ BOOLEAN Deny, _In_ BOOLEAN Restricted)
Checks if a SID is present in a token.
Definition: access.c:48
STATUS_BAD_IMPERSONATION_LEVEL
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:401
_SID_AND_ATTRIBUTES::Sid
PSID Sid
Definition: setypes.h:493
VALID_IMPERSONATION_LEVEL
#define VALID_IMPERSONATION_LEVEL(Level)
Definition: setypes.h:101
_In_opt_
#define _In_opt_
Definition: ms_sal.h:309
_Inout_
#define _Inout_
Definition: ms_sal.h:378
_SID
Definition: ms-dtyp.idl:198
PsGetCurrentThread
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
SeCaptureSubjectContextEx
VOID NTAPI SeCaptureSubjectContextEx(_In_ PETHREAD Thread, _In_ PEPROCESS Process, _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
An extended function that captures the security subject context based upon the specified thread and p...
Definition: access.c:390
_Out_
#define _Out_
Definition: ms_sal.h:345
SepSidInToken
BOOLEAN NTAPI SepSidInToken(_In_ PACCESS_TOKEN _Token, _In_ PSID Sid)
Checks if a SID is present in a token.
Definition: access.c:149
TRUE
#define TRUE
Definition: types.h:120
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
STATUS_INVALID_PARAMETER
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
SeGetTokenControlInformation
VOID NTAPI SeGetTokenControlInformation(_In_ PACCESS_TOKEN _Token, _Out_ PTOKEN_CONTROL TokenControl)
Retrieves token control information.
Definition: access.c:222
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
GENERIC_ACCESS
#define GENERIC_ACCESS
Definition: wlx.c:26
CopyOnOpen
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
TOKEN_HAS_TRAVERSE_PRIVILEGE
#define TOKEN_HAS_TRAVERSE_PRIVILEGE
Definition: setypes.h:1143
_EPROCESS
Definition: pstypes.h:1260
SepGetOwnerFromDescriptor
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:59
SeDeleteAccessState
VOID NTAPI SeDeleteAccessState(_In_ PACCESS_STATE AccessState)
Deletes an allocated access state from the memory.
Definition: access.c:668
SeSetAccessStateGenericMapping
VOID NTAPI SeSetAccessStateGenericMapping(_In_ PACCESS_STATE AccessState, _In_ PGENERIC_MAPPING GenericMapping)
Sets a new generic mapping for an allocated access state.
Definition: access.c:711
SepCreateClientSecurity
NTSTATUS NTAPI SepCreateClientSecurity(_In_ PACCESS_TOKEN Token, _In_ PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, _In_ BOOLEAN ServerIsRemote, _In_ TOKEN_TYPE TokenType, _In_ BOOLEAN ThreadEffectiveOnly, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _Out_ PSECURITY_CLIENT_CONTEXT ClientContext)
Creates a client security context based upon an access token.
Definition: access.c:281
SepSubjectContextLock
ERESOURCE SepSubjectContextLock
Definition: access.c:16
ULONG_PTR
uint32_t ULONG_PTR
Definition: typedefs.h:65
SeCreateAccessState
NTSTATUS NTAPI SeCreateAccessState(_Inout_ PACCESS_STATE AccessState, _In_ PAUX_ACCESS_DATA AuxData, _In_ ACCESS_MASK Access, _In_ PGENERIC_MAPPING GenericMapping)
Creates an access state.
Definition: access.c:639
NTAPI
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
SeLockSubjectContext
VOID NTAPI SeLockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Locks both the referenced primary and client access tokens of a security subject context.
Definition: access.c:456
FALSE
#define FALSE
Definition: types.h:117
_SECURITY_CLIENT_CONTEXT
Definition: imports.h:289
SECURITY_IMPERSONATION_LEVEL
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
SePrincipalSelfSid
PSID SePrincipalSelfSid
Definition: sid.c:37
PISID
struct _SID * PISID
PsGetCurrentProcess
#define PsGetCurrentProcess
Definition: psfuncs.h:17
SeCreateClientSecurityFromSubjectContext
NTSTATUS NTAPI SeCreateClientSecurityFromSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, _In_ BOOLEAN ServerIsRemote, _Out_ PSECURITY_CLIENT_CONTEXT ClientContext)
Creates a client security context based upon the captured security subject context.
Definition: access.c:804
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
ServerThread
UINT CALLBACK ServerThread(_Inout_ PVOID Parameter)
Definition: NtAcceptConnectPort.c:33
Result
_At_(*)(_In_ PWSK_CLIENT Client, _In_opt_ PUNICODE_STRING NodeName, _In_opt_ PUNICODE_STRING ServiceName, _In_opt_ ULONG NameSpace, _In_opt_ GUID *Provider, _In_opt_ PADDRINFOEXW Hints, _Outptr_ PADDRINFOEXW *Result, _In_opt_ PEPROCESS OwningProcess, _In_opt_ PETHREAD OwningThread, _Inout_ PIRP Irp Result)(Mem)) NTSTATUS(WSKAPI *PFN_WSK_GET_ADDRESS_INFO
Definition: wsk.h:426
_In_
#define _In_
Definition: ms_sal.h:308
Sid
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
_ETHREAD
Definition: pstypes.h:1101
SeUnlockSubjectContext
VOID NTAPI SeUnlockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Unlocks both the referenced primary and client access tokens of a security subject context.
Definition: access.c:487
Restricted
UNICODE_STRING Restricted
Definition: utils.c:24
Status
Status
Definition: gdiplustypes.h:24
SeCreateClientSecurity
NTSTATUS NTAPI SeCreateClientSecurity(_In_ PETHREAD Thread, _In_ PSECURITY_QUALITY_OF_SERVICE Qos, _In_ BOOLEAN RemoteClient, _Out_ PSECURITY_CLIENT_CONTEXT ClientContext)
Creates a client security context.
Definition: access.c:742
SepTokenIsOwner
BOOLEAN NTAPI SepTokenIsOwner(_In_ PACCESS_TOKEN _Token, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ BOOLEAN TokenLocked)
Checks if a token belongs to the main user, being the owner.
Definition: access.c:177
_ACCESS_STATE
Definition: setypes.h:211
ASSERT
#define ASSERT(a)
Definition: mode.c:44
RtlEqualMemory
NTSYSAPI ULONG NTAPI RtlEqualMemory(CONST VOID *Source1, CONST VOID *Source2, ULONG Length)
_GENERIC_MAPPING
Definition: nt_native.h:564
RtlMapGenericMask
VOID NTAPI RtlMapGenericMask(IN OUT PACCESS_MASK AccessMask, IN PGENERIC_MAPPING GenericMapping)
Definition: access.c:50
SeImpersonateClient
VOID NTAPI SeImpersonateClient(_In_ PSECURITY_CLIENT_CONTEXT ClientContext, _In_opt_ PETHREAD ServerThread)
Impersonates a client user.
Definition: access.c:901
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
SE_GROUP_ENABLED
#define SE_GROUP_ENABLED
Definition: setypes.h:92
ClientContext
_In_ PVOID ClientContext
Definition: netioddk.h:55
SeCaptureSubjectContext
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: access.c:434
_SID_AND_ATTRIBUTES
Definition: setypes.h:489
_LSA_STRING::Length
USHORT Length
Definition: ntsecapi.h:172
ImpersonationLevel
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
ObDereferenceObject
#define ObDereferenceObject
Definition: obfuncs.h:203
AccessMask
_In_ ACCESS_MASK AccessMask
Definition: exfuncs.h:186
for
#define for
Definition: utility.h:88
Thread
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2652
RtlFreeUnicodeString
NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
_SECURITY_QUALITY_OF_SERVICE
Definition: lsa.idl:63
Privileges
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
RtlConvertSidToUnicodeString
NTSYSAPI NTSTATUS NTAPI RtlConvertSidToUnicodeString(OUT PUNICODE_STRING DestinationString, IN PVOID Sid, IN BOOLEAN AllocateDestinationString)
AccessState
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
SepReleaseTokenLock
#define SepReleaseTokenLock(Token)
Definition: se.h:231
SE_GROUP_USE_FOR_DENY_ONLY
#define SE_GROUP_USE_FOR_DENY_ONLY
Definition: setypes.h:94
_TOKEN_CONTROL
Definition: imports.h:282
PsReferenceEffectiveToken
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken(IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:780
PsReferencePrimaryToken
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
SeQuerySubjectContextToken
#define SeQuerySubjectContextToken(SubjectContext)
Definition: sefuncs.h:583
TOKEN_TYPE
enum _TOKEN_TYPE TOKEN_TYPE
PsReferenceImpersonationToken
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:849
GenericMapping
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
SeCopyClientToken
NTSTATUS NTAPI SeCopyClientToken(_In_ PACCESS_TOKEN Token, _In_ SECURITY_IMPERSONATION_LEVEL Level, _In_ KPROCESSOR_MODE PreviousMode, _Out_ PACCESS_TOKEN *NewToken)
Copies an existing access token (technically duplicating a new one).
Definition: token.c:1482
_UNICODE_STRING
Definition: env_spec_w32.h:368
_AUX_ACCESS_DATA
Definition: setypes.h:232
SeImpersonateClientEx
NTSTATUS NTAPI SeImpersonateClientEx(_In_ PSECURITY_CLIENT_CONTEXT ClientContext, _In_opt_ PETHREAD ServerThread)
Extended function that impersonates a client.
Definition: access.c:856
i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
USHORT
unsigned short USHORT
Definition: pedump.c:61
PTOKEN
struct _TOKEN * PTOKEN
_SID_AND_ATTRIBUTES::Attributes
$ULONG Attributes
Definition: setypes.h:495
SeCreateAccessStateEx
NTSTATUS NTAPI SeCreateAccessStateEx(_In_ PETHREAD Thread, _In_ PEPROCESS Process, _Inout_ PACCESS_STATE AccessState, _In_ PAUX_ACCESS_DATA AuxData, _In_ ACCESS_MASK Access, _In_ PGENERIC_MAPPING GenericMapping)
An extended function that creates an access state.
Definition: access.c:561
PPRIVILEGE_SET
struct _PRIVILEGE_SET * PPRIVILEGE_SET
ExAllocateLocallyUniqueId
VOID NTAPI ExAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
Definition: uuid.c:335
SECURITY_STATIC_TRACKING
#define SECURITY_STATIC_TRACKING
Definition: setypes.h:104
FIELD_OFFSET
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
SECURITY_QUALITY_OF_SERVICE
struct _SECURITY_QUALITY_OF_SERVICE SECURITY_QUALITY_OF_SERVICE
_SID::SubAuthorityCount
BYTE SubAuthorityCount
Definition: ms-dtyp.idl:200
NULL
#define NULL
Definition: types.h:112
SeReleaseSubjectContext
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: access.c:520
_SECURITY_SUBJECT_CONTEXT
Definition: setypes.h:204
PAUX_ACCESS_DATA
struct _AUX_ACCESS_DATA * PAUX_ACCESS_DATA
DPRINT1
#define DPRINT1
Definition: precomp.h:8
ObFastDereferenceObject
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:167
Process
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
SepAcquireTokenLockShared
#define SepAcquireTokenLockShared(Token)
Definition: se.h:225
ObReferenceObject
#define ObReferenceObject
Definition: obfuncs.h:204
ERESOURCE
ULONG ERESOURCE
Definition: env_spec_w32.h:594
ULONG
unsigned int ULONG
Definition: retypes.h:1
RtlZeroMemory
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
_SID::Revision
BYTE Revision
Definition: ms-dtyp.idl:199
TAG_PRIVILEGE_SET
#define TAG_PRIVILEGE_SET
Definition: tag.h:180
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65
EffectiveOnly
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:388
_TOKEN
Definition: setypes.h:197
ExFreePoolWithTag
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
PUSHORT
unsigned short * PUSHORT
Definition: retypes.h:2
ACCESS_MASK
ULONG ACCESS_MASK
Definition: nt_native.h:40
ExFreePool
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
RtlEqualSid
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
TokenType
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:388
TOKEN_IS_RESTRICTED
#define TOKEN_IS_RESTRICTED
Definition: setypes.h:1148
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89
PsDereferenceImpersonationToken
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:888