ReactOS  0.4.15-dev-5146-g069b08d
tokenadj.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS Kernel
3  * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4  * PURPOSE: Access token ajusting Groups/Privileges support routines
5  * COPYRIGHT: Copyright David Welch <welch@cwcom.net>
6  * Copyright 2021-2022 George BiČ™oc <george.bisoc@reactos.org>
7  */
8 
9 /* INCLUDES *******************************************************************/
10 
11 #include <ntoskrnl.h>
12 #define NDEBUG
13 #include <debug.h>
14 
15 /* PRIVATE FUNCTIONS *********************************************************/
16 
54 static
58  _In_ BOOLEAN DisableAllPrivileges,
60  _In_ ULONG NewStateCount,
63  _Out_ PULONG ChangedPrivileges,
64  _Out_ PBOOLEAN ChangesMade)
65 {
66  ULONG i, j, PrivilegeCount, ChangeCount, NewAttributes;
67 
68  PAGED_CODE();
69 
70  /* Count the found privileges and those that need to be changed */
71  PrivilegeCount = 0;
72  ChangeCount = 0;
73  *ChangesMade = FALSE;
74 
75  /* Loop all privileges in the token */
76  for (i = 0; i < Token->PrivilegeCount; i++)
77  {
78  /* Shall all of them be disabled? */
79  if (DisableAllPrivileges)
80  {
81  /* The new attributes are the old ones, but disabled */
82  NewAttributes = Token->Privileges[i].Attributes & ~SE_PRIVILEGE_ENABLED;
83  }
84  else
85  {
86  /* Otherwise loop all provided privileges */
87  for (j = 0; j < NewStateCount; j++)
88  {
89  /* Check if this is the LUID we are looking for */
90  if (RtlEqualLuid(&Token->Privileges[i].Luid, &NewState[j].Luid))
91  {
92  DPRINT("Found privilege\n");
93 
94  /* Copy SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_REMOVED */
95  NewAttributes = NewState[j].Attributes;
96  NewAttributes &= (SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_REMOVED);
97  NewAttributes |= Token->Privileges[i].Attributes & ~SE_PRIVILEGE_ENABLED;
98 
99  /* Stop looking */
100  break;
101  }
102  }
103 
104  /* Check if we didn't find the privilege */
105  if (j == NewStateCount)
106  {
107  /* Continue with the token's next privilege */
108  continue;
109  }
110  }
111 
112  /* We found a privilege, count it */
113  PrivilegeCount++;
114 
115  /* Does the privilege need to be changed? */
116  if (Token->Privileges[i].Attributes != NewAttributes)
117  {
118  /* Does the caller want the old privileges? */
119  if (PreviousState != NULL)
120  {
121  /* Copy the old privilege */
122  PreviousState->Privileges[ChangeCount] = Token->Privileges[i];
123  }
124 
125  /* Does the caller want to apply the changes? */
126  if (ApplyChanges)
127  {
128  /* Shall we remove the privilege? */
129  if (NewAttributes & SE_PRIVILEGE_REMOVED)
130  {
131  /* Set the token as disabled and update flags for it */
132  Token->Privileges[i].Attributes &= ~SE_PRIVILEGE_ENABLED;
134 
135  /* Remove the privilege */
137 
138  *ChangesMade = TRUE;
139 
140  /* Fix the running index and continue with next one */
141  i--;
142  continue;
143  }
144 
145  /* Set the new attributes and update flags */
146  Token->Privileges[i].Attributes = NewAttributes;
148  *ChangesMade = TRUE;
149  }
150 
151  /* Increment the change count */
152  ChangeCount++;
153  }
154  }
155 
156  /* Set the number of saved privileges */
157  if (PreviousState != NULL)
158  PreviousState->PrivilegeCount = ChangeCount;
159 
160  /* Return the number of changed privileges */
161  *ChangedPrivileges = ChangeCount;
162 
163  /* Check if we missed some */
164  if (!DisableAllPrivileges && (PrivilegeCount < NewStateCount))
165  {
167  }
168 
169  return STATUS_SUCCESS;
170 }
171 
244 static
245 NTSTATUS
247  _In_ PTOKEN Token,
248  _In_opt_ PSID_AND_ATTRIBUTES NewState,
249  _In_ ULONG NewStateCount,
251  _In_ BOOLEAN ResetToDefaultStates,
252  _Out_ PBOOLEAN ChangesMade,
253  _Out_opt_ PTOKEN_GROUPS PreviousGroupsState,
254  _Out_ PULONG ChangedGroups)
255 {
256  ULONG GroupsInToken, GroupsInList;
257  ULONG ChangeCount, GroupsCount, NewAttributes;
258 
259  PAGED_CODE();
260 
261  /* Ensure that the token we get is valid */
262  ASSERT(Token);
263 
264  /* Initialize the counters and begin the work */
265  *ChangesMade = FALSE;
266  GroupsCount = 0;
267  ChangeCount = 0;
268 
269  /* Begin looping all the groups in the token */
270  for (GroupsInToken = 0; GroupsInToken < Token->UserAndGroupCount; GroupsInToken++)
271  {
272  /* Does the caller want to reset groups to default states? */
273  if (ResetToDefaultStates)
274  {
275  /*
276  * SE_GROUP_ENABLED_BY_DEFAULT is a special indicator that informs us
277  * if a certain group has been enabled by default or not. In case
278  * a group is enabled by default but it is not currently enabled then
279  * at that point we must enable it back by default. For now just
280  * assign the respective SE_GROUP_ENABLED attribute as we'll do the
281  * eventual work later.
282  */
283  if ((Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_ENABLED_BY_DEFAULT) &&
284  (Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_ENABLED) == 0)
285  {
286  NewAttributes = Token->UserAndGroups[GroupsInToken].Attributes |= SE_GROUP_ENABLED;
287  }
288 
289  /*
290  * Unlike the case above, a group that hasn't been enabled by
291  * default but it's currently enabled then we must disable
292  * it back.
293  */
294  if ((Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_ENABLED_BY_DEFAULT) == 0 &&
295  (Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_ENABLED))
296  {
297  NewAttributes = Token->UserAndGroups[GroupsInToken].Attributes & ~SE_GROUP_ENABLED;
298  }
299  }
300  else
301  {
302  /* Loop the provided groups in the list then */
303  for (GroupsInList = 0; GroupsInList < NewStateCount; GroupsInList++)
304  {
305  /* Does this group exist in the token? */
306  if (RtlEqualSid(&Token->UserAndGroups[GroupsInToken].Sid,
307  &NewState[GroupsInList].Sid))
308  {
309  /*
310  * This is the group that we're looking for.
311  * However, it could be that the group is a
312  * mandatory group which we are not allowed
313  * and cannot disable it.
314  */
315  if ((Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_MANDATORY) &&
316  (NewState[GroupsInList].Attributes & SE_GROUP_ENABLED) == 0)
317  {
318  /* It is mandatory, forget about this group */
319  DPRINT1("SepAdjustGroups(): The SID group is mandatory!\n");
321  }
322 
323  /*
324  * We've to ensure that apart the group mustn't be
325  * mandatory, it mustn't be a restricted group as
326  * well. That is, the group is marked with
327  * SE_GROUP_USE_FOR_DENY_ONLY flag and no one
328  * can enable it because it's for "deny" use only.
329  */
330  if ((Token->UserAndGroups[GroupsInToken].Attributes & SE_GROUP_USE_FOR_DENY_ONLY) &&
331  (NewState[GroupsInList].Attributes & SE_GROUP_ENABLED))
332  {
333  /* This group is restricted, forget about it */
334  DPRINT1("SepAdjustGroups(): The SID group is for use deny only!\n");
336  }
337 
338  /* Copy the attributes and stop searching */
339  NewAttributes = NewState[GroupsInList].Attributes;
340  NewAttributes &= SE_GROUP_ENABLED;
341  NewAttributes = Token->UserAndGroups[GroupsInToken].Attributes & ~SE_GROUP_ENABLED;
342  break;
343  }
344 
345  /* Did we find the specific group we wanted? */
346  if (GroupsInList == NewStateCount)
347  {
348  /* We didn't, continue with the next token's group */
349  continue;
350  }
351  }
352 
353  /* Count the group that we found it */
354  GroupsCount++;
355 
356  /* Does the token have the same attributes as the caller requested them? */
357  if (Token->UserAndGroups[GroupsInToken].Attributes != NewAttributes)
358  {
359  /*
360  * No, then it's time to make some adjustment to the
361  * token's groups. Does the caller want the previous states
362  * of groups?
363  */
364  if (PreviousGroupsState != NULL)
365  {
366  PreviousGroupsState->Groups[ChangeCount] = Token->UserAndGroups[GroupsInToken];
367  }
368 
369  /* Time to apply the changes now? */
370  if (ApplyChanges)
371  {
372  /* The caller gave us consent, apply and report that we made changes! */
373  Token->UserAndGroups[GroupsInToken].Attributes = NewAttributes;
374  *ChangesMade = TRUE;
375  }
376 
377  /* Increment the count change */
378  ChangeCount++;
379  }
380  }
381  }
382 
383  /* Report the number of previous saved groups */
384  if (PreviousGroupsState != NULL)
385  {
386  PreviousGroupsState->GroupCount = ChangeCount;
387  }
388 
389  /* Report the number of changed groups */
390  *ChangedGroups = ChangeCount;
391 
392  /* Did we miss some groups? */
393  if (!ResetToDefaultStates && (GroupsCount < NewStateCount))
394  {
395  /*
396  * If we're at this stage then we are in a situation
397  * where the adjust changes done to token's groups is
398  * not deterministic as the caller might have wanted
399  * as per NewState parameter.
400  */
401  DPRINT1("SepAdjustGroups(): The token hasn't all the groups assigned!\n");
403  }
404 
405  return STATUS_SUCCESS;
406 }
407 
408 /* SYSTEM CALLS ***************************************************************/
409 
449 NTSTATUS
450 NTAPI
453  _In_ BOOLEAN DisableAllPrivileges,
454  _In_opt_ PTOKEN_PRIVILEGES NewState,
459 {
462  PTOKEN Token;
463  PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL;
464  ULONG CapturedCount = 0;
465  ULONG CapturedLength = 0;
466  ULONG NewStateSize = 0;
467  ULONG ChangeCount;
469  BOOLEAN ChangesMade = FALSE;
470 
471  PAGED_CODE();
472 
473  DPRINT("NtAdjustPrivilegesToken() called\n");
474 
475  /* Fail, if we do not disable all privileges but NewState is NULL */
476  if (DisableAllPrivileges == FALSE && NewState == NULL)
478 
480  if (PreviousMode != KernelMode)
481  {
482  _SEH2_TRY
483  {
484  /* Probe NewState */
485  if (DisableAllPrivileges == FALSE)
486  {
487  /* First probe the header */
488  ProbeForRead(NewState, sizeof(TOKEN_PRIVILEGES), sizeof(ULONG));
489 
490  CapturedCount = NewState->PrivilegeCount;
491  NewStateSize = FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges[CapturedCount]);
492 
493  ProbeForRead(NewState, NewStateSize, sizeof(ULONG));
494  }
495 
496  /* Probe PreviousState and ReturnLength */
497  if (PreviousState != NULL)
498  {
500  ProbeForWrite(ReturnLength, sizeof(ULONG), sizeof(ULONG));
501  }
502  }
504  {
505  /* Return the exception code */
507  }
508  _SEH2_END;
509  }
510  else
511  {
512  /* This is kernel mode, we trust the caller */
513  if (DisableAllPrivileges == FALSE)
514  CapturedCount = NewState->PrivilegeCount;
515  }
516 
517  /* Do we need to capture the new state? */
518  if (DisableAllPrivileges == FALSE)
519  {
520  _SEH2_TRY
521  {
522  /* Capture the new state array of privileges */
523  Status = SeCaptureLuidAndAttributesArray(NewState->Privileges,
524  CapturedCount,
525  PreviousMode,
526  NULL,
527  0,
528  PagedPool,
529  TRUE,
530  &CapturedPrivileges,
531  &CapturedLength);
532  }
534  {
535  /* Return the exception code */
537  }
538  _SEH2_END;
539 
540  if (!NT_SUCCESS(Status))
541  return Status;
542  }
543 
544  /* Reference the token */
548  PreviousMode,
549  (PVOID*)&Token,
550  NULL);
551  if (!NT_SUCCESS(Status))
552  {
553  DPRINT1("Failed to reference token (Status 0x%lx)\n", Status);
554 
555  /* Release the captured privileges */
556  if (CapturedPrivileges != NULL)
557  {
558  SeReleaseLuidAndAttributesArray(CapturedPrivileges,
559  PreviousMode,
560  TRUE);
561  }
562 
563  return Status;
564  }
565 
566  /* Lock the token */
568 
569  /* Count the privileges that need to be changed, do not apply them yet */
571  DisableAllPrivileges,
572  CapturedPrivileges,
573  CapturedCount,
574  NULL,
575  FALSE,
576  &ChangeCount,
577  &ChangesMade);
578 
579  /* Check if the caller asked for the previous state */
580  if (PreviousState != NULL)
581  {
582  /* Calculate the required length */
584 
585  /* Try to return the required buffer length */
586  _SEH2_TRY
587  {
589  }
591  {
592  /* Do cleanup and return the exception code */
594  _SEH2_YIELD(goto Cleanup);
595  }
596  _SEH2_END;
597 
598  /* Fail, if the buffer length is smaller than the required length */
600  {
602  goto Cleanup;
603  }
604  }
605 
606  /* Now enter SEH, since we might return the old privileges */
607  _SEH2_TRY
608  {
609  /* This time apply the changes */
611  DisableAllPrivileges,
612  CapturedPrivileges,
613  CapturedCount,
615  TRUE,
616  &ChangeCount,
617  &ChangesMade);
618  }
620  {
621  /* Do cleanup and return the exception code */
623  ChangesMade = TRUE; // Force write.
624  _SEH2_YIELD(goto Cleanup);
625  }
626  _SEH2_END;
627 
628 Cleanup:
629  /* Touch the token if we made changes */
630  if (ChangesMade)
631  ExAllocateLocallyUniqueId(&Token->ModifiedId);
632 
633  /* Unlock and dereference the token */
636 
637  /* Release the captured privileges */
638  if (CapturedPrivileges != NULL)
639  {
640  SeReleaseLuidAndAttributesArray(CapturedPrivileges,
641  PreviousMode,
642  TRUE);
643  }
644 
645  DPRINT("NtAdjustPrivilegesToken() done\n");
646  return Status;
647 }
648 
693 NTSTATUS
694 NTAPI
697  _In_ BOOLEAN ResetToDefault,
698  _In_ PTOKEN_GROUPS NewState,
703 {
704  PTOKEN Token;
707  ULONG ChangeCount, RequiredLength;
708  ULONG CapturedCount = 0;
709  ULONG CapturedLength = 0;
710  ULONG NewStateSize = 0;
711  PSID_AND_ATTRIBUTES CapturedGroups = NULL;
712  BOOLEAN ChangesMade = FALSE;
713 
714  PAGED_CODE();
715 
716  /*
717  * If the caller doesn't want to reset the groups of an
718  * access token to default states then at least we must
719  * expect a list of groups to be adjusted based on NewState
720  * parameter. Otherwise bail out because the caller has
721  * no idea what they're doing.
722  */
723  if (!ResetToDefault && !NewState)
724  {
725  DPRINT1("NtAdjustGroupsToken(): The caller hasn't provided any list of groups to adjust!\n");
727  }
728 
730 
731  if (PreviousMode != KernelMode)
732  {
733  _SEH2_TRY
734  {
735  /* Probe NewState */
736  if (!ResetToDefault)
737  {
738  /* Probe the header */
739  ProbeForRead(NewState, sizeof(*NewState), sizeof(ULONG));
740 
741  CapturedCount = NewState->GroupCount;
742  NewStateSize = FIELD_OFFSET(TOKEN_GROUPS, Groups[CapturedCount]);
743 
744  ProbeForRead(NewState, NewStateSize, sizeof(ULONG));
745  }
746 
747  if (PreviousState != NULL)
748  {
750  ProbeForWrite(ReturnLength, sizeof(*ReturnLength), sizeof(ULONG));
751  }
752  }
754  {
755  /* Return the exception code */
757  }
758  _SEH2_END;
759  }
760  else
761  {
762  /*
763  * We're calling directly from the kernel, just retrieve
764  * the number count of captured groups outright.
765  */
766  if (!ResetToDefault)
767  {
768  CapturedCount = NewState->GroupCount;
769  }
770  }
771 
772  /* Time to capture the NewState list */
773  if (!ResetToDefault)
774  {
775  _SEH2_TRY
776  {
777  Status = SeCaptureSidAndAttributesArray(NewState->Groups,
778  CapturedCount,
779  PreviousMode,
780  NULL,
781  0,
782  PagedPool,
783  TRUE,
784  &CapturedGroups,
785  &CapturedLength);
786  }
788  {
790  }
791  _SEH2_END;
792 
793  if (!NT_SUCCESS(Status))
794  {
795  DPRINT1("NtAdjustGroupsToken(): Failed to capture the NewState list of groups (Status 0x%lx)\n", Status);
796  return Status;
797  }
798  }
799 
800  /* Time to reference the token */
804  PreviousMode,
805  (PVOID*)&Token,
806  NULL);
807  if (!NT_SUCCESS(Status))
808  {
809  /* We couldn't reference the access token, bail out */
810  DPRINT1("NtAdjustGroupsToken(): Failed to reference the token (Status 0x%lx)\n", Status);
811 
812  if (CapturedGroups != NULL)
813  {
814  SeReleaseSidAndAttributesArray(CapturedGroups,
815  PreviousMode,
816  TRUE);
817  }
818 
819  return Status;
820  }
821 
822  /* Lock the token */
824 
825  /* Count the number of groups to be changed */
827  CapturedGroups,
828  CapturedCount,
829  FALSE,
830  ResetToDefault,
831  &ChangesMade,
832  NULL,
833  &ChangeCount);
834 
835  /* Does the caller want the previous state of groups? */
836  if (PreviousState != NULL)
837  {
838  /* Calculate the required length */
840 
841  /* Return the required length to the caller */
842  _SEH2_TRY
843  {
845  }
847  {
848  /* Bail out and return the exception code */
850  _SEH2_YIELD(goto Quit);
851  }
852  _SEH2_END;
853 
854  /* The buffer length provided is smaller than the required length, bail out */
856  {
858  goto Quit;
859  }
860  }
861 
862  /*
863  * Now it's time to apply changes. Wrap the code
864  * in SEH as we are returning the old groups state
865  * list to the caller since PreviousState is a
866  * UM pointer.
867  */
868  _SEH2_TRY
869  {
871  CapturedGroups,
872  CapturedCount,
873  TRUE,
874  ResetToDefault,
875  &ChangesMade,
877  &ChangeCount);
878  }
880  {
881  /* Bail out and return the exception code */
883 
884  /* Force the write as we touched the token still */
885  ChangesMade = TRUE;
886  _SEH2_YIELD(goto Quit);
887  }
888  _SEH2_END;
889 
890 Quit:
891  /* Allocate a new ID for the token as we made changes */
892  if (ChangesMade)
893  ExAllocateLocallyUniqueId(&Token->ModifiedId);
894 
895  /* Unlock and dereference the token */
898 
899  /* Release the captured groups */
900  if (CapturedGroups != NULL)
901  {
902  SeReleaseSidAndAttributesArray(CapturedGroups,
903  PreviousMode,
904  TRUE);
905  }
906 
907  return Status;
908 }
909 
910 /* EOF */
_SEH2_TRY
Definition: create.c:4226
#define SepAcquireTokenLockExclusive(Token)
Definition: se.h:275
IN CINT OUT PVOID IN ULONG OUT PULONG ReturnLength
Definition: dumpinfo.c:39
#define STATUS_NOT_ALL_ASSIGNED
Definition: ntstatus.h:85
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ ULONG BufferLength
Definition: wdfdevice.h:3767
#define _In_opt_
Definition: ms_sal.h:309
#define _Inout_
Definition: ms_sal.h:378
NTSTATUS NTAPI NtAdjustGroupsToken(_In_ HANDLE TokenHandle, _In_ BOOLEAN ResetToDefault, _In_ PTOKEN_GROUPS NewState, _In_ ULONG BufferLength, _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState, _When_(PreviousState !=NULL, _Out_) PULONG ReturnLength)
Changes the list of groups by enabling or disabling them in an access token. Unlike NtAdjustPrivilege...
Definition: tokenadj.c:695
VOID NTAPI SeReleaseSidAndAttributesArray(_In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID with attributes.
Definition: sid.c:979
#define _Out_
Definition: ms_sal.h:345
NTSTATUS NTAPI SeCaptureLuidAndAttributesArray(_In_ PLUID_AND_ATTRIBUTES Src, _In_ ULONG PrivilegeCount, _In_ KPROCESSOR_MODE PreviousMode, _In_ PLUID_AND_ATTRIBUTES AllocatedMem, _In_ ULONG AllocatedLength, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PLUID_AND_ATTRIBUTES *Dest, _Inout_ PULONG Length)
#define TRUE
Definition: types.h:120
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
BOOL ApplyChanges(HWND hwndDlg)
Definition: sounds.c:987
#define KeGetPreviousMode()
Definition: ketypes.h:1108
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
#define SE_PRIVILEGE_REMOVED
Definition: setypes.h:64
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3062
#define _When_(expr, annos)
Definition: ms_sal.h:254
_SEH2_END
Definition: create.c:4400
TOpcodeData Groups[17][8]
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:143
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
#define SE_PRIVILEGE_ENABLED
Definition: setypes.h:63
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:494
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
#define FALSE
Definition: types.h:117
#define RtlEqualLuid(Luid1, Luid2)
Definition: rtlfuncs.h:301
unsigned char BOOLEAN
POBJECT_TYPE SeTokenObjectType
Definition: token.c:17
#define SE_GROUP_ENABLED_BY_DEFAULT
Definition: setypes.h:91
#define _In_
Definition: ms_sal.h:308
#define STATUS_CANT_DISABLE_MANDATORY
Definition: ntstatus.h:329
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:715
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint GLint GLint j
Definition: glfuncs.h:250
Status
Definition: gdiplustypes.h:24
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
#define TOKEN_ADJUST_GROUPS
Definition: setypes.h:927
#define TOKEN_QUERY
Definition: setypes.h:924
#define __kernel_entry
Definition: specstrings.h:355
#define ASSERT(a)
Definition: mode.c:44
VOID NTAPI SeReleaseLuidAndAttributesArray(_In_ PLUID_AND_ATTRIBUTES Privilege, _In_ KPROCESSOR_MODE PreviousMode, _In_ BOOLEAN CaptureIfKernel)
Releases a LUID with attributes structure.
Definition: priv.c:554
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define SE_GROUP_ENABLED
Definition: setypes.h:92
static NTSTATUS SepAdjustPrivileges(_Inout_ PTOKEN Token, _In_ BOOLEAN DisableAllPrivileges, _In_opt_ PLUID_AND_ATTRIBUTES NewState, _In_ ULONG NewStateCount, _Out_opt_ PTOKEN_PRIVILEGES PreviousState, _In_ BOOLEAN ApplyChanges, _Out_ PULONG ChangedPrivileges, _Out_ PBOOLEAN ChangesMade)
Removes a certain amount of privileges of a token based upon the request by the caller.
Definition: tokenadj.c:56
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
#define ObDereferenceObject
Definition: obfuncs.h:203
#define SE_GROUP_MANDATORY
Definition: setypes.h:90
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
char * PBOOLEAN
Definition: retypes.h:11
static NTSTATUS SepAdjustGroups(_In_ PTOKEN Token, _In_opt_ PSID_AND_ATTRIBUTES NewState, _In_ ULONG NewStateCount, _In_ BOOLEAN ApplyChanges, _In_ BOOLEAN ResetToDefaultStates, _Out_ PBOOLEAN ChangesMade, _Out_opt_ PTOKEN_GROUPS PreviousGroupsState, _Out_ PULONG ChangedGroups)
Private routine that iterates over the groups of an access token to be adjusted as per on request by ...
Definition: tokenadj.c:246
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
#define SepReleaseTokenLock(Token)
Definition: se.h:286
NTSTATUS NTAPI SeCaptureSidAndAttributesArray(_In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes, _In_ ULONG AttributeCount, _In_ KPROCESSOR_MODE PreviousMode, _In_opt_ PVOID AllocatedMem, _In_ ULONG AllocatedLength, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes, _Out_ PULONG ResultLength)
Captures a SID with attributes.
Definition: sid.c:696
#define SE_GROUP_USE_FOR_DENY_ONLY
Definition: setypes.h:94
VOID SepRemovePrivilegeToken(_Inout_ PTOKEN Token, _In_ ULONG Index)
Removes a privilege from the token.
Definition: token.c:582
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtAdjustPrivilegesToken(_In_ HANDLE TokenHandle, _In_ BOOLEAN DisableAllPrivileges, _In_opt_ PTOKEN_PRIVILEGES NewState, _In_ ULONG BufferLength, _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState, _When_(PreviousState!=NULL, _Out_) PULONG ReturnLength)
Removes a certain amount of privileges of a token based upon the request by the caller.
Definition: tokenadj.c:451
static const WCHAR Cleanup[]
Definition: register.c:80
#define _Out_writes_bytes_to_opt_(size, count)
Definition: ms_sal.h:361
#define _Must_inspect_result_
Definition: ms_sal.h:558
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
VOID SepUpdateSinglePrivilegeFlagToken(_Inout_ PTOKEN Token, _In_ ULONG Index)
Updates the token's flags based upon the privilege that the token has been granted....
Definition: token.c:442
VOID NTAPI ExAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
Definition: uuid.c:335
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
#define _Out_opt_
Definition: ms_sal.h:346
_In_ ULONG _Out_opt_ PULONG RequiredLength
Definition: wmifuncs.h:29
unsigned int * PULONG
Definition: retypes.h:1
#define NULL
Definition: types.h:112
#define DPRINT1
Definition: precomp.h:8
#define STATUS_CANT_ENABLE_DENY_ONLY
Definition: ntstatus.h:806
unsigned int ULONG
Definition: retypes.h:1
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
#define STATUS_SUCCESS
Definition: shellext.h:65
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
#define DPRINT
Definition: sndvol32.h:71
#define TOKEN_ADJUST_PRIVILEGES
Definition: setypes.h:926
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
_In_ WDF_POWER_DEVICE_STATE PreviousState
Definition: wdfdevice.h:829
#define PAGED_CODE()