ReactOS  0.4.15-dev-4570-g4f8bbd1
access.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS Kernel
3  * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4  * PURPOSE: Security access state functions support
5  * COPYRIGHT: Copyright Alex Ionescu <alex@relsoft.net>
6  */
7 
8 /* INCLUDES *******************************************************************/
9 
10 #include <ntoskrnl.h>
11 #define NDEBUG
12 #include <debug.h>
13 
14 /* GLOBALS ********************************************************************/
15 
17 
18 /* PRIVATE FUNCTIONS **********************************************************/
19 
46 BOOLEAN
47 NTAPI
49  _In_ PACCESS_TOKEN _Token,
50  _In_ PSID PrincipalSelfSid,
51  _In_ PSID _Sid,
52  _In_ BOOLEAN Deny,
54 {
55  ULONG SidIndex;
56  PTOKEN Token = (PTOKEN)_Token;
57  PISID TokenSid, Sid = (PISID)_Sid;
58  PSID_AND_ATTRIBUTES SidAndAttributes;
59  ULONG SidCount, SidLength;
60  USHORT SidMetadata;
61  PAGED_CODE();
62 
63  /* Check if a principal SID was given, and this is our current SID already */
64  if ((PrincipalSelfSid) && (RtlEqualSid(SePrincipalSelfSid, Sid)))
65  {
66  /* Just use the principal SID in this case */
67  Sid = PrincipalSelfSid;
68  }
69 
70  /* Check if this is a restricted token or not */
71  if (Restricted)
72  {
73  /* Use the restricted SIDs and count */
74  SidAndAttributes = Token->RestrictedSids;
75  SidCount = Token->RestrictedSidCount;
76  }
77  else
78  {
79  /* Use the normal SIDs and count */
80  SidAndAttributes = Token->UserAndGroups;
81  SidCount = Token->UserAndGroupCount;
82  }
83 
84  /* Do checks here by hand instead of the usual 4 function calls */
85  SidLength = FIELD_OFFSET(SID,
86  SubAuthority[Sid->SubAuthorityCount]);
87  SidMetadata = *(PUSHORT)&Sid->Revision;
88 
89  /* Loop every SID */
90  for (SidIndex = 0; SidIndex < SidCount; SidIndex++)
91  {
92  TokenSid = (PISID)SidAndAttributes->Sid;
93 #if SE_SID_DEBUG
94  UNICODE_STRING sidString;
95  RtlConvertSidToUnicodeString(&sidString, TokenSid, TRUE);
96  DPRINT1("SID in Token: %wZ\n", &sidString);
97  RtlFreeUnicodeString(&sidString);
98 #endif
99  /* Check if the SID metadata matches */
100  if (*(PUSHORT)&TokenSid->Revision == SidMetadata)
101  {
102  /* Check if the SID data matches */
103  if (RtlEqualMemory(Sid, TokenSid, SidLength))
104  {
105  /*
106  * Check if the group is enabled, or used for deny only.
107  * Otherwise we have to check if this is the first user.
108  * We understand that by looking if this SID is not
109  * restricted, this is the first element we are iterating
110  * and that it doesn't have SE_GROUP_USE_FOR_DENY_ONLY
111  * attribute.
112  */
113  if ((!Restricted && (SidIndex == 0) && !(SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)) ||
114  (SidAndAttributes->Attributes & SE_GROUP_ENABLED) ||
115  ((Deny) && (SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)))
116  {
117  /* SID is present */
118  return TRUE;
119  }
120  else
121  {
122  /* SID is not present */
123  return FALSE;
124  }
125  }
126  }
127 
128  /* Move to the next SID */
129  SidAndAttributes++;
130  }
131 
132  /* SID is not present */
133  return FALSE;
134 }
135 
150 BOOLEAN
151 NTAPI
153  _In_ PACCESS_TOKEN _Token,
154  _In_ PSID Sid)
155 {
156  /* Call extended API */
157  return SepSidInTokenEx(_Token, NULL, Sid, FALSE, FALSE);
158 }
159 
178 BOOLEAN
179 NTAPI
181  _In_ PACCESS_TOKEN _Token,
183  _In_ BOOLEAN TokenLocked)
184 {
185  PSID Sid;
186  BOOLEAN Result;
187  PTOKEN Token = _Token;
188 
189  /* Get the owner SID */
191  ASSERT(Sid != NULL);
192 
193  /* Lock the token if needed */
194  if (!TokenLocked) SepAcquireTokenLockShared(Token);
195 
196  /* Check if the owner SID is found, handling restricted case as well */
198  if ((Result) && (Token->TokenFlags & TOKEN_IS_RESTRICTED))
199  {
201  }
202 
203  /* Release the lock if we had acquired it */
204  if (!TokenLocked) SepReleaseTokenLock(Token);
205 
206  /* Return the result */
207  return Result;
208 }
209 
223 VOID
224 NTAPI
226  _In_ PACCESS_TOKEN _Token,
227  _Out_ PTOKEN_CONTROL TokenControl)
228 {
229  PTOKEN Token = _Token;
230  PAGED_CODE();
231 
232  /* Capture the main fields */
233  TokenControl->AuthenticationId = Token->AuthenticationId;
234  TokenControl->TokenId = Token->TokenId;
235  TokenControl->TokenSource = Token->TokenSource;
236 
237  /* Lock the token */
239 
240  /* Capture the modified ID */
241  TokenControl->ModifiedId = Token->ModifiedId;
242 
243  /* Unlock it */
245 }
246 
282 NTSTATUS
283 NTAPI
286  _In_ PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
287  _In_ BOOLEAN ServerIsRemote,
289  _In_ BOOLEAN ThreadEffectiveOnly,
292 {
294  PACCESS_TOKEN NewToken;
295  PAGED_CODE();
296 
297  /* Check for bogus impersonation level */
298  if (!VALID_IMPERSONATION_LEVEL(ClientSecurityQos->ImpersonationLevel))
299  {
300  /* Fail the call */
302  }
303 
304  /* Check what kind of token this is */
306  {
307  /* On a primary token, if we do direct access, copy the flag from the QOS */
308  ClientContext->DirectAccessEffectiveOnly = ClientSecurityQos->EffectiveOnly;
309  }
310  else
311  {
312  /* This is an impersonation token, is the level ok? */
313  if (ClientSecurityQos->ImpersonationLevel > ImpersonationLevel)
314  {
315  /* Nope, fail */
317  }
318 
319  /* Is the level too low, or are we doing something other than delegation remotely */
322  ((ServerIsRemote) && (ImpersonationLevel != SecurityDelegation)))
323  {
324  /* Fail the call */
326  }
327 
328  /* Pick either the thread setting or the QOS setting */
329  ClientContext->DirectAccessEffectiveOnly =
330  ((ThreadEffectiveOnly) || (ClientSecurityQos->EffectiveOnly)) ? TRUE : FALSE;
331  }
332 
333  /* Is this static tracking */
334  if (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING)
335  {
336  /* Do not use direct access and make a copy */
337  ClientContext->DirectlyAccessClientToken = FALSE;
339  ClientSecurityQos->ImpersonationLevel,
340  KernelMode,
341  &NewToken);
342  if (!NT_SUCCESS(Status))
343  return Status;
344  }
345  else
346  {
347  /* Use direct access and check if this is local */
348  ClientContext->DirectlyAccessClientToken = TRUE;
349  if (ServerIsRemote)
350  {
351  /* We are doing delegation, so make a copy of the control data */
353  &ClientContext->ClientTokenControl);
354  }
355 
356  /* Keep the same token */
357  NewToken = Token;
358  }
359 
360  /* Fill out the context and return success */
361  ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
362  ClientContext->SecurityQos.ImpersonationLevel = ClientSecurityQos->ImpersonationLevel;
363  ClientContext->SecurityQos.ContextTrackingMode = ClientSecurityQos->ContextTrackingMode;
364  ClientContext->SecurityQos.EffectiveOnly = ClientSecurityQos->EffectiveOnly;
365  ClientContext->ServerIsRemote = ServerIsRemote;
366  ClientContext->ClientToken = NewToken;
367  return STATUS_SUCCESS;
368 }
369 
370 /* PUBLIC FUNCTIONS ***********************************************************/
371 
391 VOID
392 NTAPI
397 {
399 
400  PAGED_CODE();
401 
402  /* Save the unique ID */
403  SubjectContext->ProcessAuditId = Process->UniqueProcessId;
404 
405  /* Check if we have a thread */
406  if (!Thread)
407  {
408  /* We don't, so no token */
409  SubjectContext->ClientToken = NULL;
410  }
411  else
412  {
413  /* Get the impersonation token */
415  &CopyOnOpen,
416  &EffectiveOnly,
417  &SubjectContext->ImpersonationLevel);
418  }
419 
420  /* Get the primary token */
422 }
423 
435 VOID
436 NTAPI
439 {
440  /* Call the extended API */
444 }
445 
457 VOID
458 NTAPI
461 {
462  PTOKEN PrimaryToken, ClientToken;
463  PAGED_CODE();
464 
465  /* Read both tokens */
466  PrimaryToken = SubjectContext->PrimaryToken;
467  ClientToken = SubjectContext->ClientToken;
468 
469  /* Always lock the primary */
470  SepAcquireTokenLockShared(PrimaryToken);
471 
472  /* Lock the impersonation one if it's there */
473  if (!ClientToken) return;
474  SepAcquireTokenLockShared(ClientToken);
475 }
476 
488 VOID
489 NTAPI
492 {
493  PTOKEN PrimaryToken, ClientToken;
494  PAGED_CODE();
495 
496  /* Read both tokens */
497  PrimaryToken = SubjectContext->PrimaryToken;
498  ClientToken = SubjectContext->ClientToken;
499 
500  /* Unlock the impersonation one if it's there */
501  if (ClientToken)
502  {
503  SepReleaseTokenLock(ClientToken);
504  }
505 
506  /* Always unlock the primary one */
507  SepReleaseTokenLock(PrimaryToken);
508 }
509 
521 VOID
522 NTAPI
525 {
526  PAGED_CODE();
527 
528  /* Drop reference on the primary */
530  SubjectContext->PrimaryToken = NULL;
531 
532  /* Drop reference on the impersonation, if there was one */
534  SubjectContext->ClientToken = NULL;
535 }
536 
562 NTSTATUS
563 NTAPI
568  _In_ PAUX_ACCESS_DATA AuxData,
569  _In_ ACCESS_MASK Access,
571 {
572  ACCESS_MASK AccessMask = Access;
573  PTOKEN Token;
574  PAGED_CODE();
575 
576  /* Map the Generic Acess to Specific Access if we have a Mapping */
577  if ((Access & GENERIC_ACCESS) && (GenericMapping))
578  {
580  }
581 
582  /* Initialize the Access State */
584  ASSERT(AccessState->SecurityDescriptor == NULL);
585  ASSERT(AccessState->PrivilegesAllocated == FALSE);
586 
587  /* Initialize and save aux data */
588  RtlZeroMemory(AuxData, sizeof(AUX_ACCESS_DATA));
589  AccessState->AuxData = AuxData;
590 
591  /* Capture the Subject Context */
593  Process,
594  &AccessState->SubjectSecurityContext);
595 
596  /* Set Access State Data */
597  AccessState->RemainingDesiredAccess = AccessMask;
598  AccessState->OriginalDesiredAccess = AccessMask;
599  ExAllocateLocallyUniqueId(&AccessState->OperationID);
600 
601  /* Get the Token to use */
602  Token = SeQuerySubjectContextToken(&AccessState->SubjectSecurityContext);
603 
604  /* Check for Travers Privilege */
605  if (Token->TokenFlags & TOKEN_HAS_TRAVERSE_PRIVILEGE)
606  {
607  /* Preserve the Traverse Privilege */
609  }
610 
611  /* Set the Auxiliary Data */
612  AuxData->PrivilegeSet = (PPRIVILEGE_SET)((ULONG_PTR)AccessState +
614  Privileges));
615  if (GenericMapping) AuxData->GenericMapping = *GenericMapping;
616 
617  /* Return Sucess */
618  return STATUS_SUCCESS;
619 }
620 
640 NTSTATUS
641 NTAPI
644  _In_ PAUX_ACCESS_DATA AuxData,
645  _In_ ACCESS_MASK Access,
647 {
648  PAGED_CODE();
649 
650  /* Call the extended API */
653  AccessState,
654  AuxData,
655  Access,
657 }
658 
669 VOID
670 NTAPI
673 {
674  PAUX_ACCESS_DATA AuxData;
675  PAGED_CODE();
676 
677  /* Get the Auxiliary Data */
678  AuxData = AccessState->AuxData;
679 
680  /* Deallocate Privileges */
681  if (AccessState->PrivilegesAllocated)
683 
684  /* Deallocate Name and Type Name */
685  if (AccessState->ObjectName.Buffer)
686  {
687  ExFreePool(AccessState->ObjectName.Buffer);
688  }
689 
690  if (AccessState->ObjectTypeName.Buffer)
691  {
692  ExFreePool(AccessState->ObjectTypeName.Buffer);
693  }
694 
695  /* Release the Subject Context */
696  SeReleaseSubjectContext(&AccessState->SubjectSecurityContext);
697 }
698 
712 VOID
713 NTAPI
717 {
718  PAGED_CODE();
719 
720  /* Set the Generic Mapping */
721  ((PAUX_ACCESS_DATA)AccessState->AuxData)->GenericMapping = *GenericMapping;
722 }
723 
743 NTSTATUS
744 NTAPI
748  _In_ BOOLEAN RemoteClient,
750 {
752  BOOLEAN ThreadEffectiveOnly;
756  PAGED_CODE();
757 
758  /* Reference the correct token */
760  &TokenType,
761  &ThreadEffectiveOnly,
763 
764  /* Create client security from it */
766  Qos,
767  RemoteClient,
768  TokenType,
769  ThreadEffectiveOnly,
771  ClientContext);
772 
773  /* Check if we failed or static tracking was used */
774  if (!(NT_SUCCESS(Status)) || (Qos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
775  {
776  /* Dereference our copy since it's not being used */
778  }
779 
780  /* Return status */
781  return Status;
782 }
783 
805 NTSTATUS
806 NTAPI
809  _In_ PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
810  _In_ BOOLEAN ServerIsRemote,
812 {
815  PAGED_CODE();
816 
817  /* Get the right token and reference it */
820 
821  /* Create the context */
823  ClientSecurityQos,
824  ServerIsRemote,
825  SubjectContext->ClientToken ?
827  FALSE,
828  SubjectContext->ImpersonationLevel,
829  ClientContext);
830 
831  /* Check if we failed or static tracking was used */
832  if (!(NT_SUCCESS(Status)) ||
833  (ClientSecurityQos->ContextTrackingMode == SECURITY_STATIC_TRACKING))
834  {
835  /* Dereference our copy since it's not being used */
837  }
838 
839  /* Return status */
840  return Status;
841 }
842 
857 NTSTATUS
858 NTAPI
862 {
864  PAGED_CODE();
865 
866  /* Check if direct access is requested */
867  if (!ClientContext->DirectlyAccessClientToken)
868  {
869  /* No, so get the flag from QOS */
870  EffectiveOnly = ClientContext->SecurityQos.EffectiveOnly;
871  }
872  else
873  {
874  /* Yes, so see if direct access should be effective only */
875  EffectiveOnly = ClientContext->DirectAccessEffectiveOnly;
876  }
877 
878  /* Use the current thread if one was not passed */
880 
881  /* Call the lower layer routine */
883  ClientContext->ClientToken,
884  TRUE,
886  ClientContext->SecurityQos.ImpersonationLevel);
887 }
888 
902 VOID
903 NTAPI
907 {
908  PAGED_CODE();
909 
910  /* Call the new API */
912 }
913 
914 /* EOF */
PPRIVILEGE_SET PrivilegeSet
Definition: setypes.h:258
NTSTATUS NTAPI PsImpersonateClient(IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:610
_Inout_ PLIST_ENTRY _In_ PVOID _In_ PSTRING _In_ BOOLEAN _In_ BOOLEAN _In_ ULONG _In_ PFLT_CALLBACK_DATA _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
Definition: fltkernel.h:2238
BOOLEAN NTAPI SepSidInTokenEx(_In_ PACCESS_TOKEN _Token, _In_ PSID PrincipalSelfSid, _In_ PSID _Sid, _In_ BOOLEAN Deny, _In_ BOOLEAN Restricted)
Checks if a SID is present in a token.
Definition: access.c:48
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:401
#define VALID_IMPERSONATION_LEVEL(Level)
Definition: setypes.h:101
#define _In_opt_
Definition: ms_sal.h:309
#define _Inout_
Definition: ms_sal.h:378
#define PsGetCurrentThread()
Definition: env_spec_w32.h:81
VOID NTAPI SeCaptureSubjectContextEx(_In_ PETHREAD Thread, _In_ PEPROCESS Process, _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
An extended function that captures the security subject context based upon the specified thread and p...
Definition: access.c:393
#define _Out_
Definition: ms_sal.h:345
BOOLEAN NTAPI SepSidInToken(_In_ PACCESS_TOKEN _Token, _In_ PSID Sid)
Checks if a SID is present in a token.
Definition: access.c:152
#define TRUE
Definition: types.h:120
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
VOID NTAPI SeGetTokenControlInformation(_In_ PACCESS_TOKEN _Token, _Out_ PTOKEN_CONTROL TokenControl)
Retrieves token control information.
Definition: access.c:225
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
_Out_ PBOOLEAN CopyOnOpen
Definition: psfuncs.h:154
#define TOKEN_HAS_TRAVERSE_PRIVILEGE
Definition: setypes.h:1174
FORCEINLINE PSID SepGetOwnerFromDescriptor(_Inout_ PVOID _Descriptor)
Definition: se.h:76
VOID NTAPI SeDeleteAccessState(_In_ PACCESS_STATE AccessState)
Deletes an allocated access state from the memory.
Definition: access.c:671
VOID NTAPI SeSetAccessStateGenericMapping(_In_ PACCESS_STATE AccessState, _In_ PGENERIC_MAPPING GenericMapping)
Sets a new generic mapping for an allocated access state.
Definition: access.c:714
NTSTATUS NTAPI SepCreateClientSecurity(_In_ PACCESS_TOKEN Token, _In_ PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, _In_ BOOLEAN ServerIsRemote, _In_ TOKEN_TYPE TokenType, _In_ BOOLEAN ThreadEffectiveOnly, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _Out_ PSECURITY_CLIENT_CONTEXT ClientContext)
Creates a client security context based upon an access token.
Definition: access.c:284
ERESOURCE SepSubjectContextLock
Definition: access.c:16
uint32_t ULONG_PTR
Definition: typedefs.h:65
NTSTATUS NTAPI SeCreateAccessState(_Inout_ PACCESS_STATE AccessState, _In_ PAUX_ACCESS_DATA AuxData, _In_ ACCESS_MASK Access, _In_ PGENERIC_MAPPING GenericMapping)
Creates an access state.
Definition: access.c:642
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
VOID NTAPI SeLockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Locks both the referenced primary and client access tokens of a security subject context.
Definition: access.c:459
#define FALSE
Definition: types.h:117
enum _SECURITY_IMPERSONATION_LEVEL SECURITY_IMPERSONATION_LEVEL
PSID SePrincipalSelfSid
Definition: sid.c:37
struct _SID * PISID
#define PsGetCurrentProcess
Definition: psfuncs.h:17
NTSTATUS NTAPI SeCreateClientSecurityFromSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos, _In_ BOOLEAN ServerIsRemote, _Out_ PSECURITY_CLIENT_CONTEXT ClientContext)
Creates a client security context based upon the captured security subject context.
Definition: access.c:807
unsigned char BOOLEAN
UINT CALLBACK ServerThread(_Inout_ PVOID Parameter)
_At_(*)(_In_ PWSK_CLIENT Client, _In_opt_ PUNICODE_STRING NodeName, _In_opt_ PUNICODE_STRING ServiceName, _In_opt_ ULONG NameSpace, _In_opt_ GUID *Provider, _In_opt_ PADDRINFOEXW Hints, _Outptr_ PADDRINFOEXW *Result, _In_opt_ PEPROCESS OwningProcess, _In_opt_ PETHREAD OwningThread, _Inout_ PIRP Irp Result)(Mem)) NTSTATUS(WSKAPI *PFN_WSK_GET_ADDRESS_INFO
Definition: wsk.h:426
#define _In_
Definition: ms_sal.h:308
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
VOID NTAPI SeUnlockSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Unlocks both the referenced primary and client access tokens of a security subject context.
Definition: access.c:490
UNICODE_STRING Restricted
Definition: utils.c:24
Status
Definition: gdiplustypes.h:24
NTSTATUS NTAPI SeCreateClientSecurity(_In_ PETHREAD Thread, _In_ PSECURITY_QUALITY_OF_SERVICE Qos, _In_ BOOLEAN RemoteClient, _Out_ PSECURITY_CLIENT_CONTEXT ClientContext)
Creates a client security context.
Definition: access.c:745
BOOLEAN NTAPI SepTokenIsOwner(_In_ PACCESS_TOKEN _Token, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ BOOLEAN TokenLocked)
Checks if a token belongs to the main user, being the owner.
Definition: access.c:180
#define ASSERT(a)
Definition: mode.c:44
NTSYSAPI ULONG NTAPI RtlEqualMemory(CONST VOID *Source1, CONST VOID *Source2, ULONG Length)
VOID NTAPI RtlMapGenericMask(IN OUT PACCESS_MASK AccessMask, IN PGENERIC_MAPPING GenericMapping)
Definition: access.c:50
VOID NTAPI SeImpersonateClient(_In_ PSECURITY_CLIENT_CONTEXT ClientContext, _In_opt_ PETHREAD ServerThread)
Impersonates a client user.
Definition: access.c:904
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define SE_GROUP_ENABLED
Definition: setypes.h:92
_In_ PVOID ClientContext
Definition: netioddk.h:55
VOID NTAPI SeCaptureSubjectContext(_Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Captures the security subject context of the calling thread and calling process.
Definition: access.c:437
USHORT Length
Definition: ntsecapi.h:172
_Out_ PBOOLEAN _Out_ PBOOLEAN _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: psfuncs.h:154
#define ObDereferenceObject
Definition: obfuncs.h:203
_In_ ACCESS_MASK AccessMask
Definition: exfuncs.h:186
#define for
Definition: utility.h:88
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
Definition: fltkernel.h:2652
NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
NTSYSAPI NTSTATUS NTAPI RtlConvertSidToUnicodeString(OUT PUNICODE_STRING DestinationString, IN PVOID Sid, IN BOOLEAN AllocateDestinationString)
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
#define SepReleaseTokenLock(Token)
Definition: se.h:248
#define SE_GROUP_USE_FOR_DENY_ONLY
Definition: setypes.h:94
PACCESS_TOKEN NTAPI PsReferenceEffectiveToken(IN PETHREAD Thread, OUT IN PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:780
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
Definition: security.c:440
#define SeQuerySubjectContextToken(SubjectContext)
Definition: sefuncs.h:583
enum _TOKEN_TYPE TOKEN_TYPE
PACCESS_TOKEN NTAPI PsReferenceImpersonationToken(IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
Definition: security.c:849
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
NTSTATUS NTAPI SeCopyClientToken(_In_ PACCESS_TOKEN Token, _In_ SECURITY_IMPERSONATION_LEVEL Level, _In_ KPROCESSOR_MODE PreviousMode, _Out_ PACCESS_TOKEN *NewToken)
Copies an existing access token (technically duplicating a new one).
Definition: token.c:1501
NTSTATUS NTAPI SeImpersonateClientEx(_In_ PSECURITY_CLIENT_CONTEXT ClientContext, _In_opt_ PETHREAD ServerThread)
Extended function that impersonates a client.
Definition: access.c:859
unsigned short USHORT
Definition: pedump.c:61
struct _TOKEN * PTOKEN
NTSTATUS NTAPI SeCreateAccessStateEx(_In_ PETHREAD Thread, _In_ PEPROCESS Process, _Inout_ PACCESS_STATE AccessState, _In_ PAUX_ACCESS_DATA AuxData, _In_ ACCESS_MASK Access, _In_ PGENERIC_MAPPING GenericMapping)
An extended function that creates an access state.
Definition: access.c:564
struct _PRIVILEGE_SET * PPRIVILEGE_SET
VOID NTAPI ExAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
Definition: uuid.c:335
#define SECURITY_STATIC_TRACKING
Definition: setypes.h:104
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
struct _SECURITY_QUALITY_OF_SERVICE SECURITY_QUALITY_OF_SERVICE
BYTE SubAuthorityCount
Definition: ms-dtyp.idl:200
#define NULL
Definition: types.h:112
VOID NTAPI SeReleaseSubjectContext(_In_ PSECURITY_SUBJECT_CONTEXT SubjectContext)
Releases both the primary and client tokens of a security subject context.
Definition: access.c:523
struct _AUX_ACCESS_DATA * PAUX_ACCESS_DATA
#define GENERIC_ACCESS
Definition: security.c:35
#define DPRINT1
Definition: precomp.h:8
VOID FASTCALL ObFastDereferenceObject(IN PEX_FAST_REF FastRef, IN PVOID Object)
Definition: obref.c:167
_Must_inspect_result_ _In_ PLARGE_INTEGER _In_ PLARGE_INTEGER _In_ ULONG _In_ PFILE_OBJECT _In_ PVOID Process
Definition: fsrtlfuncs.h:219
#define SepAcquireTokenLockShared(Token)
Definition: se.h:242
#define ObReferenceObject
Definition: obfuncs.h:204
ULONG ERESOURCE
Definition: env_spec_w32.h:594
unsigned int ULONG
Definition: retypes.h:1
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
BYTE Revision
Definition: ms-dtyp.idl:199
#define TAG_PRIVILEGE_SET
Definition: tag.h:152
#define STATUS_SUCCESS
Definition: shellext.h:65
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN EffectiveOnly
Definition: sefuncs.h:401
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
unsigned short * PUSHORT
Definition: retypes.h:2
ULONG ACCESS_MASK
Definition: nt_native.h:40
#define ExFreePool(addr)
Definition: env_spec_w32.h:352
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
_In_ ACCESS_MASK _In_opt_ POBJECT_ATTRIBUTES _In_ BOOLEAN _In_ TOKEN_TYPE TokenType
Definition: sefuncs.h:401
#define TOKEN_IS_RESTRICTED
Definition: setypes.h:1179
#define PAGED_CODE()
VOID NTAPI PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken)
Definition: security.c:888