ReactOS  0.4.15-dev-439-g292f67a
Macros | Functions
accesschk.c File Reference
#include <ntoskrnl.h>
#include <debug.h>
Include dependency graph for accesschk.c:

Go to the source code of this file.

Macros

#define NDEBUG
 

Functions

BOOLEAN NTAPI SepAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE_LIST ObjectTypeList, IN ULONG ObjectTypeListLength, IN ACCESS_MASK PreviouslyGrantedAccess, OUT PPRIVILEGE_SET *Privileges, IN PGENERIC_MAPPING GenericMapping, IN KPROCESSOR_MODE AccessMode, OUT PACCESS_MASK GrantedAccessList, OUT PNTSTATUS AccessStatusList, IN BOOLEAN UseResultList)
 
static PSID SepGetSDOwner (IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
 
static PSID SepGetSDGroup (IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
 
static ULONG SepGetPrivilegeSetLength (IN PPRIVILEGE_SET PrivilegeSet)
 
BOOLEAN NTAPI SeAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN BOOLEAN SubjectContextLocked, IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK PreviouslyGrantedAccess, OUT PPRIVILEGE_SET *Privileges, IN PGENERIC_MAPPING GenericMapping, IN KPROCESSOR_MODE AccessMode, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus)
 
BOOLEAN NTAPI SeFastTraverseCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PACCESS_STATE AccessState, IN ACCESS_MASK DesiredAccess, IN KPROCESSOR_MODE AccessMode)
 
NTSTATUS NTAPI NtAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN HANDLE TokenHandle, IN ACCESS_MASK DesiredAccess, IN PGENERIC_MAPPING GenericMapping, OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL, IN OUT PULONG PrivilegeSetLength, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus)
 
NTSTATUS NTAPI NtAccessCheckByType (IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID PrincipalSelfSid, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE_LIST ObjectTypeList, IN ULONG ObjectTypeLength, IN PGENERIC_MAPPING GenericMapping, IN PPRIVILEGE_SET PrivilegeSet, IN OUT PULONG PrivilegeSetLength, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus)
 
NTSTATUS NTAPI NtAccessCheckByTypeResultList (IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID PrincipalSelfSid, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE_LIST ObjectTypeList, IN ULONG ObjectTypeLength, IN PGENERIC_MAPPING GenericMapping, IN PPRIVILEGE_SET PrivilegeSet, IN OUT PULONG PrivilegeSetLength, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus)
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 13 of file accesschk.c.

Function Documentation

◆ NtAccessCheck()

NTSTATUS NTAPI NtAccessCheck ( IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN HANDLE  TokenHandle,
IN ACCESS_MASK  DesiredAccess,
IN PGENERIC_MAPPING  GenericMapping,
OUT PPRIVILEGE_SET PrivilegeSet  OPTIONAL,
IN OUT PULONG  PrivilegeSetLength,
OUT PACCESS_MASK  GrantedAccess,
OUT PNTSTATUS  AccessStatus 
)

Definition at line 529 of file accesschk.c.

537 {
538  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor = NULL;
539  SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
540  KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
541  ACCESS_MASK PreviouslyGrantedAccess = 0;
542  PPRIVILEGE_SET Privileges = NULL;
543  ULONG CapturedPrivilegeSetLength, RequiredPrivilegeSetLength;
544  PTOKEN Token;
545  NTSTATUS Status;
546  PAGED_CODE();
547 
548  /* Check if this is kernel mode */
549  if (PreviousMode == KernelMode)
550  {
551  /* Check if kernel wants everything */
552  if (DesiredAccess & MAXIMUM_ALLOWED)
553  {
554  /* Give it */
555  *GrantedAccess = GenericMapping->GenericAll;
556  *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
557  }
558  else
559  {
560  /* Just give the desired access */
561  *GrantedAccess = DesiredAccess;
562  }
563 
564  /* Success */
565  *AccessStatus = STATUS_SUCCESS;
566  return STATUS_SUCCESS;
567  }
568 
569  /* Protect probe in SEH */
570  _SEH2_TRY
571  {
572  /* Probe all pointers */
573  ProbeForRead(GenericMapping, sizeof(GENERIC_MAPPING), sizeof(ULONG));
574  ProbeForRead(PrivilegeSetLength, sizeof(ULONG), sizeof(ULONG));
575  ProbeForWrite(PrivilegeSet, *PrivilegeSetLength, sizeof(ULONG));
576  ProbeForWrite(GrantedAccess, sizeof(ACCESS_MASK), sizeof(ULONG));
577  ProbeForWrite(AccessStatus, sizeof(NTSTATUS), sizeof(ULONG));
578 
579  /* Capture the privilege set length and the mapping */
580  CapturedPrivilegeSetLength = *PrivilegeSetLength;
581  }
582  _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
583  {
584  /* Return the exception code */
585  _SEH2_YIELD(return _SEH2_GetExceptionCode());
586  }
587  _SEH2_END;
588 
589  /* Check for unmapped access rights */
590  if (DesiredAccess & (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL))
591  return STATUS_GENERIC_NOT_MAPPED;
592 
593  /* Reference the token */
594  Status = ObReferenceObjectByHandle(TokenHandle,
595  TOKEN_QUERY,
596  SeTokenObjectType,
597  PreviousMode,
598  (PVOID*)&Token,
599  NULL);
600  if (!NT_SUCCESS(Status))
601  {
602  DPRINT("Failed to reference token (Status %lx)\n", Status);
603  return Status;
604  }
605 
606  /* Check token type */
607  if (Token->TokenType != TokenImpersonation)
608  {
609  DPRINT("No impersonation token\n");
610  ObDereferenceObject(Token);
611  return STATUS_NO_IMPERSONATION_TOKEN;
612  }
613 
614  /* Check the impersonation level */
615  if (Token->ImpersonationLevel < SecurityIdentification)
616  {
617  DPRINT("Impersonation level < SecurityIdentification\n");
618  ObDereferenceObject(Token);
619  return STATUS_BAD_IMPERSONATION_LEVEL;
620  }
621 
622  /* Check for ACCESS_SYSTEM_SECURITY and WRITE_OWNER access */
623  Status = SePrivilegePolicyCheck(&DesiredAccess,
624  &PreviouslyGrantedAccess,
625  NULL,
626  Token,
627  &Privileges,
628  PreviousMode);
629  if (!NT_SUCCESS(Status))
630  {
631  DPRINT("SePrivilegePolicyCheck failed (Status 0x%08lx)\n", Status);
632  ObDereferenceObject(Token);
633  *AccessStatus = Status;
634  *GrantedAccess = 0;
635  return STATUS_SUCCESS;
636  }
637 
638  /* Check the size of the privilege set and return the privileges */
639  if (Privileges != NULL)
640  {
641  DPRINT("Privileges != NULL\n");
642 
643  /* Calculate the required privilege set buffer size */
644  RequiredPrivilegeSetLength = SepGetPrivilegeSetLength(Privileges);
645 
646  /* Fail if the privilege set buffer is too small */
647  if (CapturedPrivilegeSetLength < RequiredPrivilegeSetLength)
648  {
649  ObDereferenceObject(Token);
650  SeFreePrivileges(Privileges);
651  *PrivilegeSetLength = RequiredPrivilegeSetLength;
652  return STATUS_BUFFER_TOO_SMALL;
653  }
654 
655  /* Copy the privilege set to the caller */
656  RtlCopyMemory(PrivilegeSet,
657  Privileges,
658  RequiredPrivilegeSetLength);
659 
660  /* Free the local privilege set */
661  SeFreePrivileges(Privileges);
662  }
663  else
664  {
665  DPRINT("Privileges == NULL\n");
666 
667  /* Fail if the privilege set buffer is too small */
668  if (CapturedPrivilegeSetLength < sizeof(PRIVILEGE_SET))
669  {
670  ObDereferenceObject(Token);
671  *PrivilegeSetLength = sizeof(PRIVILEGE_SET);
672  return STATUS_BUFFER_TOO_SMALL;
673  }
674 
675  /* Initialize the privilege set */
676  PrivilegeSet->PrivilegeCount = 0;
677  PrivilegeSet->Control = 0;
678  }
679 
680  /* Capture the security descriptor */
681  Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
682  PreviousMode,
683  PagedPool,
684  FALSE,
685  &CapturedSecurityDescriptor);
686  if (!NT_SUCCESS(Status))
687  {
688  DPRINT("Failed to capture the Security Descriptor\n");
689  ObDereferenceObject(Token);
690  return Status;
691  }
692 
693  /* Check the captured security descriptor */
694  if (CapturedSecurityDescriptor == NULL)
695  {
696  DPRINT("Security Descriptor is NULL\n");
697  ObDereferenceObject(Token);
698  return STATUS_INVALID_SECURITY_DESCR;
699  }
700 
701  /* Check security descriptor for valid owner and group */
702  if (SepGetSDOwner(SecurityDescriptor) == NULL || // FIXME: use CapturedSecurityDescriptor
703  SepGetSDGroup(SecurityDescriptor) == NULL) // FIXME: use CapturedSecurityDescriptor
704  {
705  DPRINT("Security Descriptor does not have a valid group or owner\n");
706  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
707  PreviousMode,
708  FALSE);
709  ObDereferenceObject(Token);
710  return STATUS_INVALID_SECURITY_DESCR;
711  }
712 
713  /* Set up the subject context, and lock it */
714  SeCaptureSubjectContext(&SubjectSecurityContext);
715 
716  /* Lock the token */
717  SepAcquireTokenLockShared(Token);
718 
719  /* Check if the token is the owner and grant WRITE_DAC and READ_CONTROL rights */
720  if (DesiredAccess & (WRITE_DAC | READ_CONTROL | MAXIMUM_ALLOWED))
721  {
722  if (SepTokenIsOwner(Token, SecurityDescriptor, FALSE)) // FIXME: use CapturedSecurityDescriptor
723  {
724  if (DesiredAccess & MAXIMUM_ALLOWED)
725  PreviouslyGrantedAccess |= (WRITE_DAC | READ_CONTROL);
726  else
727  PreviouslyGrantedAccess |= (DesiredAccess & (WRITE_DAC | READ_CONTROL));
728 
729  DesiredAccess &= ~(WRITE_DAC | READ_CONTROL);
730  }
731  }
732 
733  if (DesiredAccess == 0)
734  {
735  *GrantedAccess = PreviouslyGrantedAccess;
736  *AccessStatus = STATUS_SUCCESS;
737  }
738  else
739  {
740  /* Now perform the access check */
741  SepAccessCheck(SecurityDescriptor, // FIXME: use CapturedSecurityDescriptor
742  &SubjectSecurityContext,
743  DesiredAccess,
744  NULL,
745  0,
746  PreviouslyGrantedAccess,
747  &PrivilegeSet, //FIXME
748  GenericMapping,
749  PreviousMode,
750  GrantedAccess,
751  AccessStatus,
752  FALSE);
753  }
754 
755  /* Release subject context and unlock the token */
756  SeReleaseSubjectContext(&SubjectSecurityContext);
757  SepReleaseTokenLock(Token);
758 
759  /* Release the captured security descriptor */
760  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
761  PreviousMode,
762  FALSE);
763 
764  /* Dereference the token */
765  ObDereferenceObject(Token);
766 
767  /* Check succeeded */
768  return STATUS_SUCCESS;
769 }
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
MAXIMUM_ALLOWED
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
SeCaptureSubjectContext
VOID NTAPI SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:301
SeReleaseSubjectContext
VOID NTAPI SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:360
GENERIC_ALL
#define GENERIC_ALL
Definition: nt_native.h:92
RtlCopyMemory
NTSYSAPI VOID NTAPI RtlCopyMemory(VOID UNALIGNED *Destination, CONST VOID UNALIGNED *Source, ULONG Length)
STATUS_INVALID_SECURITY_DESCR
#define STATUS_INVALID_SECURITY_DESCR
Definition: ntstatus.h:343
STATUS_BAD_IMPERSONATION_LEVEL
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:387
PRIVILEGE_SET
struct _PRIVILEGE_SET PRIVILEGE_SET
AccessStatus
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
_PRIVILEGE_SET
Definition: setypes.h:85
ExGetPreviousMode
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:3066
ObDereferenceObject
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
ProbeForWrite
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:143
SepTokenIsOwner
BOOLEAN NTAPI SepTokenIsOwner(IN PACCESS_TOKEN _Token, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN TokenLocked)
Definition: access.c:120
SeReleaseSecurityDescriptor
NTSTATUS NTAPI SeReleaseSecurityDescriptor(IN PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, IN KPROCESSOR_MODE CurrentMode, IN BOOLEAN CaptureIfKernelMode)
Definition: sd.c:766
STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
_SEH2_TRY
_SEH2_TRY
Definition: create.c:4226
ObReferenceObjectByHandle
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:496
GENERIC_WRITE
#define GENERIC_WRITE
Definition: nt_native.h:90
STATUS_GENERIC_NOT_MAPPED
#define STATUS_GENERIC_NOT_MAPPED
Definition: ntstatus.h:452
EXCEPTION_EXECUTE_HANDLER
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
NULL
smooth NULL
Definition: ftsmooth.c:416
SeTokenObjectType
POBJECT_TYPE SeTokenObjectType
Definition: token.c:34
DPRINT
void DPRINT(...)
Definition: polytest.cpp:61
TokenHandle
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:715
SepGetSDOwner
static PSID SepGetSDOwner(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
Definition: accesschk.c:290
STATUS_NO_IMPERSONATION_TOKEN
#define STATUS_NO_IMPERSONATION_TOKEN
Definition: ntstatus.h:314
PreviousMode
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
TOKEN_QUERY
#define TOKEN_QUERY
Definition: setypes.h:874
_SEH2_YIELD
#define _SEH2_YIELD(STMT_)
Definition: pseh2_64.h:8
_GENERIC_MAPPING
Definition: nt_native.h:564
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
SepGetPrivilegeSetLength
static ULONG SepGetPrivilegeSetLength(IN PPRIVILEGE_SET PrivilegeSet)
Definition: accesschk.c:321
WRITE_DAC
#define WRITE_DAC
Definition: nt_native.h:59
KPROCESSOR_MODE
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
Privileges
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
READ_CONTROL
#define READ_CONTROL
Definition: nt_native.h:58
ProbeForRead
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
SepReleaseTokenLock
#define SepReleaseTokenLock(Token)
Definition: se.h:211
SePrivilegePolicyCheck
NTSTATUS NTAPI SePrivilegePolicyCheck(_Inout_ PACCESS_MASK DesiredAccess, _Inout_ PACCESS_MASK GrantedAccess, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PTOKEN Token, _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet, _In_ KPROCESSOR_MODE PreviousMode)
Definition: priv.c:158
GENERIC_READ
#define GENERIC_READ
Definition: compat.h:124
Status
Status
Definition: gdiplustypes.h:24
GenericMapping
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
_SEH2_END
_SEH2_END
Definition: create.c:4400
SeFreePrivileges
VOID NTAPI SeFreePrivileges(IN PPRIVILEGE_SET Privileges)
Definition: priv.c:480
DesiredAccess
_In_ PIO_STACK_LOCATION _Inout_ PFILE_OBJECT _Inout_ PVCB _Outptr_result_maybenull_ PDCB _In_ PDCB _In_ PDIRENT _In_ ULONG _In_ ULONG _In_ PUNICODE_STRING _In_ PACCESS_MASK DesiredAccess
Definition: create.c:4137
_SECURITY_SUBJECT_CONTEXT
Definition: setypes.h:189
SepAcquireTokenLockShared
#define SepAcquireTokenLockShared(Token)
Definition: se.h:205
PreviouslyGrantedAccess
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK PreviouslyGrantedAccess
Definition: sefuncs.h:13
SepGetSDGroup
static PSID SepGetSDGroup(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
Definition: accesschk.c:305
ULONG
unsigned int ULONG
Definition: retypes.h:1
_SEH2_EXCEPT
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:6
SeCaptureSecurityDescriptor
NTSTATUS NTAPI SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, IN KPROCESSOR_MODE CurrentMode, IN POOL_TYPE PoolType, IN BOOLEAN CaptureIfKernel, OUT PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Definition: sd.c:434
_SEH2_GetExceptionCode
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:12
_GENERIC_MAPPING::GenericAll
ACCESS_MASK GenericAll
Definition: nt_native.h:568
SepAccessCheck
BOOLEAN NTAPI SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE_LIST ObjectTypeList, IN ULONG ObjectTypeListLength, IN ACCESS_MASK PreviouslyGrantedAccess, OUT PPRIVILEGE_SET *Privileges, IN PGENERIC_MAPPING GenericMapping, IN KPROCESSOR_MODE AccessMode, OUT PACCESS_MASK GrantedAccessList, OUT PNTSTATUS AccessStatusList, IN BOOLEAN UseResultList)
Definition: accesschk.c:25
GrantedAccess
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:13
GENERIC_EXECUTE
#define GENERIC_EXECUTE
Definition: nt_native.h:91
STATUS_SUCCESS
return STATUS_SUCCESS
Definition: btrfs.c:3014
_TOKEN
Definition: setypes.h:151
ACCESS_MASK
ULONG ACCESS_MASK
Definition: nt_native.h:40
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89
SubjectSecurityContext
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
Definition: sefuncs.h:13

Referenced by AccessCheck(), and CheckTokenMembership().

◆ NtAccessCheckByType()

NTSTATUS NTAPI NtAccessCheckByType ( IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN PSID  PrincipalSelfSid,
IN HANDLE  ClientToken,
IN ACCESS_MASK  DesiredAccess,
IN POBJECT_TYPE_LIST  ObjectTypeList,
IN ULONG  ObjectTypeLength,
IN PGENERIC_MAPPING  GenericMapping,
IN PPRIVILEGE_SET  PrivilegeSet,
IN OUT PULONG  PrivilegeSetLength,
OUT PACCESS_MASK  GrantedAccess,
OUT PNTSTATUS  AccessStatus 
)

Definition at line 774 of file accesschk.c.

785 {
786  UNIMPLEMENTED;
787  return STATUS_NOT_IMPLEMENTED;
788 }
STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED
Definition: ntstatus.h:225
UNIMPLEMENTED
#define UNIMPLEMENTED
Definition: debug.h:115

◆ NtAccessCheckByTypeResultList()

NTSTATUS NTAPI NtAccessCheckByTypeResultList ( IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN PSID  PrincipalSelfSid,
IN HANDLE  ClientToken,
IN ACCESS_MASK  DesiredAccess,
IN POBJECT_TYPE_LIST  ObjectTypeList,
IN ULONG  ObjectTypeLength,
IN PGENERIC_MAPPING  GenericMapping,
IN PPRIVILEGE_SET  PrivilegeSet,
IN OUT PULONG  PrivilegeSetLength,
OUT PACCESS_MASK  GrantedAccess,
OUT PNTSTATUS  AccessStatus 
)

Definition at line 792 of file accesschk.c.

803 {
804  UNIMPLEMENTED;
805  return STATUS_NOT_IMPLEMENTED;
806 }
STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED
Definition: ntstatus.h:225
UNIMPLEMENTED
#define UNIMPLEMENTED
Definition: debug.h:115

◆ SeAccessCheck()

BOOLEAN NTAPI SeAccessCheck ( IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext,
IN BOOLEAN  SubjectContextLocked,
IN ACCESS_MASK  DesiredAccess,
IN ACCESS_MASK  PreviouslyGrantedAccess,
OUT PPRIVILEGE_SET Privileges,
IN PGENERIC_MAPPING  GenericMapping,
IN KPROCESSOR_MODE  AccessMode,
OUT PACCESS_MASK  GrantedAccess,
OUT PNTSTATUS  AccessStatus 
)

Definition at line 340 of file accesschk.c.

350 {
351  BOOLEAN ret;
352 
353  PAGED_CODE();
354 
355  /* Check if this is kernel mode */
356  if (AccessMode == KernelMode)
357  {
358  /* Check if kernel wants everything */
359  if (DesiredAccess & MAXIMUM_ALLOWED)
360  {
361  /* Give it */
362  *GrantedAccess = GenericMapping->GenericAll;
363  *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
364  *GrantedAccess |= PreviouslyGrantedAccess;
365  }
366  else
367  {
368  /* Give the desired and previous access */
369  *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
370  }
371 
372  /* Success */
373  *AccessStatus = STATUS_SUCCESS;
374  return TRUE;
375  }
376 
377  /* Check if we didn't get an SD */
378  if (!SecurityDescriptor)
379  {
380  /* Automatic failure */
381  *AccessStatus = STATUS_ACCESS_DENIED;
382  return FALSE;
383  }
384 
385  /* Check for invalid impersonation */
386  if ((SubjectSecurityContext->ClientToken) &&
387  (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation))
388  {
389  *AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
390  return FALSE;
391  }
392 
393  /* Acquire the lock if needed */
394  if (!SubjectContextLocked)
395  SeLockSubjectContext(SubjectSecurityContext);
396 
397  /* Check if the token is the owner and grant WRITE_DAC and READ_CONTROL rights */
398  if (DesiredAccess & (WRITE_DAC | READ_CONTROL | MAXIMUM_ALLOWED))
399  {
400  PACCESS_TOKEN Token = SubjectSecurityContext->ClientToken ?
401  SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
402 
403  if (SepTokenIsOwner(Token,
404  SecurityDescriptor,
405  FALSE))
406  {
407  if (DesiredAccess & MAXIMUM_ALLOWED)
408  PreviouslyGrantedAccess |= (WRITE_DAC | READ_CONTROL);
409  else
410  PreviouslyGrantedAccess |= (DesiredAccess & (WRITE_DAC | READ_CONTROL));
411 
412  DesiredAccess &= ~(WRITE_DAC | READ_CONTROL);
413  }
414  }
415 
416  if (DesiredAccess == 0)
417  {
418  *GrantedAccess = PreviouslyGrantedAccess;
419  if (PreviouslyGrantedAccess == 0)
420  {
421  DPRINT1("Request for zero access to an object. Denying.\n");
422  *AccessStatus = STATUS_ACCESS_DENIED;
423  ret = FALSE;
424  }
425  else
426  {
427  *AccessStatus = STATUS_SUCCESS;
428  ret = TRUE;
429  }
430  }
431  else
432  {
433  /* Call the internal function */
434  ret = SepAccessCheck(SecurityDescriptor,
435  SubjectSecurityContext,
436  DesiredAccess,
437  NULL,
438  0,
439  PreviouslyGrantedAccess,
440  Privileges,
441  GenericMapping,
442  AccessMode,
443  GrantedAccess,
444  AccessStatus,
445  FALSE);
446  }
447 
448  /* Release the lock if needed */
449  if (!SubjectContextLocked)
450  SeUnlockSubjectContext(SubjectSecurityContext);
451 
452  return ret;
453 }
MAXIMUM_ALLOWED
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
TRUE
#define TRUE
Definition: types.h:120
STATUS_BAD_IMPERSONATION_LEVEL
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:387
SeUnlockSubjectContext
VOID NTAPI SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:336
AccessStatus
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
SeLockSubjectContext
VOID NTAPI SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:314
SepTokenIsOwner
BOOLEAN NTAPI SepTokenIsOwner(IN PACCESS_TOKEN _Token, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN TokenLocked)
Definition: access.c:120
AccessMode
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:396
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
NULL
smooth NULL
Definition: ftsmooth.c:416
SubjectContextLocked
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN SubjectContextLocked
Definition: sefuncs.h:13
_SECURITY_SUBJECT_CONTEXT::PrimaryToken
PACCESS_TOKEN PrimaryToken
Definition: setypes.h:192
WRITE_DAC
#define WRITE_DAC
Definition: nt_native.h:59
STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED
Definition: udferr_usr.h:145
Privileges
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
READ_CONTROL
#define READ_CONTROL
Definition: nt_native.h:58
ret
int ret
Definition: wcstombs-tests.c:31
GenericMapping
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
DesiredAccess
_In_ PIO_STACK_LOCATION _Inout_ PFILE_OBJECT _Inout_ PVCB _Outptr_result_maybenull_ PDCB _In_ PDCB _In_ PDIRENT _In_ ULONG _In_ ULONG _In_ PUNICODE_STRING _In_ PACCESS_MASK DesiredAccess
Definition: create.c:4137
DPRINT1
#define DPRINT1
Definition: precomp.h:8
_SECURITY_SUBJECT_CONTEXT::ImpersonationLevel
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: setypes.h:191
PreviouslyGrantedAccess
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK PreviouslyGrantedAccess
Definition: sefuncs.h:13
_GENERIC_MAPPING::GenericAll
ACCESS_MASK GenericAll
Definition: nt_native.h:568
SepAccessCheck
BOOLEAN NTAPI SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE_LIST ObjectTypeList, IN ULONG ObjectTypeListLength, IN ACCESS_MASK PreviouslyGrantedAccess, OUT PPRIVILEGE_SET *Privileges, IN PGENERIC_MAPPING GenericMapping, IN KPROCESSOR_MODE AccessMode, OUT PACCESS_MASK GrantedAccessList, OUT PNTSTATUS AccessStatusList, IN BOOLEAN UseResultList)
Definition: accesschk.c:25
GrantedAccess
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:13
STATUS_SUCCESS
return STATUS_SUCCESS
Definition: btrfs.c:3014
_SECURITY_SUBJECT_CONTEXT::ClientToken
PACCESS_TOKEN ClientToken
Definition: setypes.h:190
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89
SubjectSecurityContext
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
Definition: sefuncs.h:13

Referenced by create_stream(), FatExplicitDeviceAccessGranted(), file_create(), IopParseDevice(), NpCreateClientEnd(), NpCreateExistingNamedPipe(), ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), open_file2(), PspCreateProcess(), PspCreateThread(), PspSetPrimaryToken(), set_link_information(), set_rename_information(), START_TEST(), and UDFCheckAccessRights().

◆ SeFastTraverseCheck()

BOOLEAN NTAPI SeFastTraverseCheck ( IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN PACCESS_STATE  AccessState,
IN ACCESS_MASK  DesiredAccess,
IN KPROCESSOR_MODE  AccessMode 
)

Definition at line 460 of file accesschk.c.

464 {
465  PACL Dacl;
466  ULONG AceIndex;
467  PKNOWN_ACE Ace;
468 
469  PAGED_CODE();
470 
471  ASSERT(AccessMode != KernelMode);
472 
473  if (SecurityDescriptor == NULL)
474  return FALSE;
475 
476  /* Get DACL */
477  Dacl = SepGetDaclFromDescriptor(SecurityDescriptor);
478  /* If no DACL, grant access */
479  if (Dacl == NULL)
480  return TRUE;
481 
482  /* No ACE -> Deny */
483  if (!Dacl->AceCount)
484  return FALSE;
485 
486  /* Can't perform the check on restricted token */
487  if (AccessState->Flags & TOKEN_IS_RESTRICTED)
488  return FALSE;
489 
490  /* Browse the ACEs */
491  for (AceIndex = 0, Ace = (PKNOWN_ACE)((ULONG_PTR)Dacl + sizeof(ACL));
492  AceIndex < Dacl->AceCount;
493  AceIndex++, Ace = (PKNOWN_ACE)((ULONG_PTR)Ace + Ace->Header.AceSize))
494  {
495  if (Ace->Header.AceFlags & INHERIT_ONLY_ACE)
496  continue;
497 
498  /* If access-allowed ACE */
499  if (Ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
500  {
501  /* Check if all accesses are granted */
502  if (!(Ace->Mask & DesiredAccess))
503  continue;
504 
505  /* Check SID and grant access if matching */
506  if (RtlEqualSid(SeWorldSid, &(Ace->SidStart)))
507  return TRUE;
508  }
509  /* If access-denied ACE */
510  else if (Ace->Header.AceType == ACCESS_DENIED_ACE_TYPE)
511  {
512  /* Here, only check if it denies any access wanted and deny if so */
513  if (Ace->Mask & DesiredAccess)
514  return FALSE;
515  }
516  }
517 
518  /* Faulty, deny */
519  return FALSE;
520 }
PKNOWN_ACE
struct _KNOWN_ACE * PKNOWN_ACE
TRUE
#define TRUE
Definition: types.h:120
_KNOWN_ACE
Definition: se.h:3
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
_ACL
Definition: ms-dtyp.idl:293
ULONG_PTR
uint32_t ULONG_PTR
Definition: typedefs.h:64
AccessMode
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:396
Ace
Definition: card.h:12
NULL
smooth NULL
Definition: ftsmooth.c:416
ACCESS_ALLOWED_ACE_TYPE
#define ACCESS_ALLOWED_ACE_TYPE
Definition: setypes.h:685
ACCESS_DENIED_ACE_TYPE
#define ACCESS_DENIED_ACE_TYPE
Definition: setypes.h:686
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel) ?(CompletionRoutine !=NULL) :TRUE)
AccessState
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
AceIndex
_In_ ULONG AceIndex
Definition: rtlfuncs.h:1864
SeWorldSid
PSID SeWorldSid
Definition: sid.c:31
SepGetDaclFromDescriptor
FORCEINLINE PACL SepGetDaclFromDescriptor(PVOID _Descriptor)
Definition: se.h:67
DesiredAccess
_In_ PIO_STACK_LOCATION _Inout_ PFILE_OBJECT _Inout_ PVCB _Outptr_result_maybenull_ PDCB _In_ PDCB _In_ PDIRENT _In_ ULONG _In_ ULONG _In_ PUNICODE_STRING _In_ PACCESS_MASK DesiredAccess
Definition: create.c:4137
ULONG
unsigned int ULONG
Definition: retypes.h:1
INHERIT_ONLY_ACE
#define INHERIT_ONLY_ACE
Definition: setypes.h:717
RtlEqualSid
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
TOKEN_IS_RESTRICTED
#define TOKEN_IS_RESTRICTED
Definition: setypes.h:1129
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89

Referenced by IopParseDevice(), and ObpCheckTraverseAccess().

◆ SepAccessCheck()

BOOLEAN NTAPI SepAccessCheck ( IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
IN PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext,
IN ACCESS_MASK  DesiredAccess,
IN POBJECT_TYPE_LIST  ObjectTypeList,
IN ULONG  ObjectTypeListLength,
IN ACCESS_MASK  PreviouslyGrantedAccess,
OUT PPRIVILEGE_SET Privileges,
IN PGENERIC_MAPPING  GenericMapping,
IN KPROCESSOR_MODE  AccessMode,
OUT PACCESS_MASK  GrantedAccessList,
OUT PNTSTATUS  AccessStatusList,
IN BOOLEAN  UseResultList 
)

Definition at line 25 of file accesschk.c.

37 {
38  ACCESS_MASK RemainingAccess;
39  ACCESS_MASK TempAccess;
40  ACCESS_MASK TempGrantedAccess = 0;
41  ACCESS_MASK TempDeniedAccess = 0;
42  PACCESS_TOKEN Token;
43  ULONG i, ResultListLength;
44  PACL Dacl;
45  BOOLEAN Present;
46  BOOLEAN Defaulted;
47  PACE CurrentAce;
48  PSID Sid;
49  NTSTATUS Status;
50  PAGED_CODE();
51 
52  DPRINT("SepAccessCheck()\n");
53 
54  /* Check for no access desired */
55  if (!DesiredAccess)
56  {
57  /* Check if we had no previous access */
58  if (!PreviouslyGrantedAccess)
59  {
60  /* Then there's nothing to give */
61  Status = STATUS_ACCESS_DENIED;
62  goto ReturnCommonStatus;
63  }
64 
65  /* Return the previous access only */
66  Status = STATUS_SUCCESS;
67  *Privileges = NULL;
68  goto ReturnCommonStatus;
69  }
70 
71  /* Map given accesses */
72  RtlMapGenericMask(&DesiredAccess, GenericMapping);
73  if (PreviouslyGrantedAccess)
74  RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
75 
76  /* Initialize remaining access rights */
77  RemainingAccess = DesiredAccess;
78 
79  Token = SubjectSecurityContext->ClientToken ?
80  SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
81 
82  /* Check for ACCESS_SYSTEM_SECURITY and WRITE_OWNER access */
83  Status = SePrivilegePolicyCheck(&RemainingAccess,
84  &PreviouslyGrantedAccess,
85  NULL,
86  Token,
87  NULL,
88  UserMode);
89  if (!NT_SUCCESS(Status))
90  {
91  goto ReturnCommonStatus;
92  }
93 
94  /* Succeed if there are no more rights to grant */
95  if (RemainingAccess == 0)
96  {
97  Status = STATUS_SUCCESS;
98  goto ReturnCommonStatus;
99  }
100 
101  /* Get the DACL */
102  Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
103  &Present,
104  &Dacl,
105  &Defaulted);
106  if (!NT_SUCCESS(Status))
107  {
108  goto ReturnCommonStatus;
109  }
110 
111  /* RULE 1: Grant desired access if the object is unprotected */
112  if (Present == FALSE || Dacl == NULL)
113  {
114  PreviouslyGrantedAccess |= RemainingAccess;
115  if (RemainingAccess & MAXIMUM_ALLOWED)
116  {
117  PreviouslyGrantedAccess &= ~MAXIMUM_ALLOWED;
118  PreviouslyGrantedAccess |= GenericMapping->GenericAll;
119  }
120 
121  Status = STATUS_SUCCESS;
122  goto ReturnCommonStatus;
123  }
124 
125  /* Deny access if the DACL is empty */
126  if (Dacl->AceCount == 0)
127  {
128  if (RemainingAccess == MAXIMUM_ALLOWED && PreviouslyGrantedAccess != 0)
129  {
130  Status = STATUS_SUCCESS;
131  }
132  else
133  {
134  PreviouslyGrantedAccess = 0;
135  Status = STATUS_ACCESS_DENIED;
136  }
137  goto ReturnCommonStatus;
138  }
139 
140  /* Determine the MAXIMUM_ALLOWED access rights according to the DACL */
141  if (DesiredAccess & MAXIMUM_ALLOWED)
142  {
143  CurrentAce = (PACE)(Dacl + 1);
144  for (i = 0; i < Dacl->AceCount; i++)
145  {
146  if (!(CurrentAce->Header.AceFlags & INHERIT_ONLY_ACE))
147  {
148  Sid = (PSID)(CurrentAce + 1);
149  if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
150  {
151  if (SepSidInToken(Token, Sid))
152  {
153  /* Map access rights from the ACE */
154  TempAccess = CurrentAce->AccessMask;
155  RtlMapGenericMask(&TempAccess, GenericMapping);
156 
157  /* Deny access rights that have not been granted yet */
158  TempDeniedAccess |= (TempAccess & ~TempGrantedAccess);
159  }
160  }
161  else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
162  {
163  if (SepSidInToken(Token, Sid))
164  {
165  /* Map access rights from the ACE */
166  TempAccess = CurrentAce->AccessMask;
167  RtlMapGenericMask(&TempAccess, GenericMapping);
168 
169  /* Grant access rights that have not been denied yet */
170  TempGrantedAccess |= (TempAccess & ~TempDeniedAccess);
171  }
172  }
173  else
174  {
175  DPRINT1("Unsupported ACE type 0x%lx\n", CurrentAce->Header.AceType);
176  }
177  }
178 
179  /* Get the next ACE */
180  CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
181  }
182 
183  /* Fail if some rights have not been granted */
184  RemainingAccess &= ~(MAXIMUM_ALLOWED | TempGrantedAccess);
185  if (RemainingAccess != 0)
186  {
187  PreviouslyGrantedAccess = 0;
188  Status = STATUS_ACCESS_DENIED;
189  goto ReturnCommonStatus;
190  }
191 
192  /* Set granted access right and access status */
193  PreviouslyGrantedAccess |= TempGrantedAccess;
194  if (PreviouslyGrantedAccess != 0)
195  {
196  Status = STATUS_SUCCESS;
197  }
198  else
199  {
200  Status = STATUS_ACCESS_DENIED;
201  }
202  goto ReturnCommonStatus;
203  }
204 
205  /* RULE 4: Grant rights according to the DACL */
206  CurrentAce = (PACE)(Dacl + 1);
207  for (i = 0; i < Dacl->AceCount; i++)
208  {
209  if (!(CurrentAce->Header.AceFlags & INHERIT_ONLY_ACE))
210  {
211  Sid = (PSID)(CurrentAce + 1);
212  if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
213  {
214  if (SepSidInToken(Token, Sid))
215  {
216  /* Map access rights from the ACE */
217  TempAccess = CurrentAce->AccessMask;
218  RtlMapGenericMask(&TempAccess, GenericMapping);
219 
220  /* Leave if a remaining right must be denied */
221  if (RemainingAccess & TempAccess)
222  break;
223  }
224  }
225  else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
226  {
227  if (SepSidInToken(Token, Sid))
228  {
229  /* Map access rights from the ACE */
230  TempAccess = CurrentAce->AccessMask;
231  DPRINT("TempAccess 0x%08lx\n", TempAccess);
232  RtlMapGenericMask(&TempAccess, GenericMapping);
233 
234  /* Remove granted rights */
235  DPRINT("RemainingAccess 0x%08lx TempAccess 0x%08lx\n", RemainingAccess, TempAccess);
236  RemainingAccess &= ~TempAccess;
237  DPRINT("RemainingAccess 0x%08lx\n", RemainingAccess);
238  }
239  }
240  else
241  {
242  DPRINT1("Unsupported ACE type 0x%lx\n", CurrentAce->Header.AceType);
243  }
244  }
245 
246  /* Get the next ACE */
247  CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
248  }
249 
250  DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess %08lx\n",
251  DesiredAccess, PreviouslyGrantedAccess, RemainingAccess);
252 
253  /* Fail if some rights have not been granted */
254  if (RemainingAccess != 0)
255  {
256  DPRINT("HACK: RemainingAccess = 0x%08lx DesiredAccess = 0x%08lx\n", RemainingAccess, DesiredAccess);
257 #if 0
258  /* HACK HACK HACK */
259  Status = STATUS_ACCESS_DENIED;
260  goto ReturnCommonStatus;
261 #endif
262  }
263 
264  /* Set granted access rights */
265  PreviouslyGrantedAccess |= DesiredAccess;
266 
267  /* Fail if no rights have been granted */
268  if (PreviouslyGrantedAccess == 0)
269  {
270  DPRINT1("PreviouslyGrantedAccess == 0 DesiredAccess = %08lx\n", DesiredAccess);
271  Status = STATUS_ACCESS_DENIED;
272  goto ReturnCommonStatus;
273  }
274 
275  Status = STATUS_SUCCESS;
276  goto ReturnCommonStatus;
277 
278 ReturnCommonStatus:
279  ResultListLength = UseResultList ? ObjectTypeListLength : 1;
280  for (i = 0; i < ResultListLength; i++)
281  {
282  GrantedAccessList[i] = PreviouslyGrantedAccess;
283  AccessStatusList[i] = Status;
284  }
285 
286  return NT_SUCCESS(Status);
287 }
MAXIMUM_ALLOWED
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
_ACE_HEADER::AceFlags
UCHAR AceFlags
Definition: ms-dtyp.idl:211
_SID
Definition: ms-dtyp.idl:198
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
_ACL
Definition: ms-dtyp.idl:293
PACE
struct _ACE * PACE
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
Token
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
Definition: ntifs.template.h:711
_ACE::AccessMask
ACCESS_MASK AccessMask
Definition: rtltypes.h:993
RtlGetDaclSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PACL *Dacl, _Out_ PBOOLEAN DaclDefaulted)
ULONG_PTR
uint32_t ULONG_PTR
Definition: typedefs.h:64
_ACE_HEADER::AceSize
USHORT AceSize
Definition: ms-dtyp.idl:212
i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
NULL
smooth NULL
Definition: ftsmooth.c:416
Sid
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1103
DPRINT
void DPRINT(...)
Definition: polytest.cpp:61
_SECURITY_SUBJECT_CONTEXT::PrimaryToken
PACCESS_TOKEN PrimaryToken
Definition: setypes.h:192
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
ACCESS_ALLOWED_ACE_TYPE
#define ACCESS_ALLOWED_ACE_TYPE
Definition: setypes.h:685
STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED
Definition: udferr_usr.h:145
ACCESS_DENIED_ACE_TYPE
#define ACCESS_DENIED_ACE_TYPE
Definition: setypes.h:686
Privileges
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
PSID
struct _SID * PSID
Definition: eventlog.c:35
Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
_ACE_HEADER::AceType
UCHAR AceType
Definition: ms-dtyp.idl:210
SepSidInToken
BOOLEAN NTAPI SepSidInToken(IN PACCESS_TOKEN _Token, IN PSID Sid)
Definition: access.c:111
SePrivilegePolicyCheck
NTSTATUS NTAPI SePrivilegePolicyCheck(_Inout_ PACCESS_MASK DesiredAccess, _Inout_ PACCESS_MASK GrantedAccess, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PTOKEN Token, _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet, _In_ KPROCESSOR_MODE PreviousMode)
Definition: priv.c:158
Status
Status
Definition: gdiplustypes.h:24
GenericMapping
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
DesiredAccess
_In_ PIO_STACK_LOCATION _Inout_ PFILE_OBJECT _Inout_ PVCB _Outptr_result_maybenull_ PDCB _In_ PDCB _In_ PDIRENT _In_ ULONG _In_ ULONG _In_ PUNICODE_STRING _In_ PACCESS_MASK DesiredAccess
Definition: create.c:4137
DPRINT1
#define DPRINT1
Definition: precomp.h:8
PreviouslyGrantedAccess
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK PreviouslyGrantedAccess
Definition: sefuncs.h:13
ULONG
unsigned int ULONG
Definition: retypes.h:1
INHERIT_ONLY_ACE
#define INHERIT_ONLY_ACE
Definition: setypes.h:717
_GENERIC_MAPPING::GenericAll
ACCESS_MASK GenericAll
Definition: nt_native.h:568
STATUS_SUCCESS
return STATUS_SUCCESS
Definition: btrfs.c:3014
_SECURITY_SUBJECT_CONTEXT::ClientToken
PACCESS_TOKEN ClientToken
Definition: setypes.h:190
_ACE
Definition: rtltypes.h:990
_ACE::Header
ACE_HEADER Header
Definition: rtltypes.h:992
ACCESS_MASK
ULONG ACCESS_MASK
Definition: nt_native.h:40
RtlMapGenericMask
NTSYSAPI VOID NTAPI RtlMapGenericMask(PACCESS_MASK AccessMask, PGENERIC_MAPPING GenericMapping)
PAGED_CODE
#define PAGED_CODE()
Definition: Bus_PDO_QueryResourceRequirements.c:89
SubjectSecurityContext
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
Definition: sefuncs.h:13

Referenced by NtAccessCheck(), and SeAccessCheck().

◆ SepGetPrivilegeSetLength()

static ULONG SepGetPrivilegeSetLength ( IN PPRIVILEGE_SET  PrivilegeSet)
static

Definition at line 321 of file accesschk.c.

322 {
323  if (PrivilegeSet == NULL)
324  return 0;
325 
326  if (PrivilegeSet->PrivilegeCount == 0)
327  return (ULONG)(sizeof(PRIVILEGE_SET) - sizeof(LUID_AND_ATTRIBUTES));
328 
329  return (ULONG)(sizeof(PRIVILEGE_SET) +
330  (PrivilegeSet->PrivilegeCount - 1) * sizeof(LUID_AND_ATTRIBUTES));
331 }
_LUID_AND_ATTRIBUTES
Definition: setypes.h:73
PRIVILEGE_SET
struct _PRIVILEGE_SET PRIVILEGE_SET
LUID_AND_ATTRIBUTES
struct _LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES
NULL
smooth NULL
Definition: ftsmooth.c:416
ULONG
unsigned int ULONG
Definition: retypes.h:1

Referenced by NtAccessCheck().

◆ SepGetSDGroup()

static PSID SepGetSDGroup ( IN PSECURITY_DESCRIPTOR  _SecurityDescriptor)
static

Definition at line 305 of file accesschk.c.

306 {
307  PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
308  PSID Group;
309 
310  if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
311  Group = (PSID)((ULONG_PTR)SecurityDescriptor->Group +
312  (ULONG_PTR)SecurityDescriptor);
313  else
314  Group = (PSID)SecurityDescriptor->Group;
315 
316  return Group;
317 }
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
SE_SELF_RELATIVE
#define SE_SELF_RELATIVE
Definition: setypes.h:780
_SID
Definition: ms-dtyp.idl:198
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
Group
_In_opt_ PSID Group
Definition: rtlfuncs.h:1605
ULONG_PTR
uint32_t ULONG_PTR
Definition: typedefs.h:64
PSID
struct _SID * PSID
Definition: eventlog.c:35
ULONG_PTR
#define ULONG_PTR
Definition: config.h:101

Referenced by NtAccessCheck().

◆ SepGetSDOwner()

static PSID SepGetSDOwner ( IN PSECURITY_DESCRIPTOR  _SecurityDescriptor)
static

Definition at line 290 of file accesschk.c.

291 {
292  PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
293  PSID Owner;
294 
295  if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
296  Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner +
297  (ULONG_PTR)SecurityDescriptor);
298  else
299  Owner = (PSID)SecurityDescriptor->Owner;
300 
301  return Owner;
302 }
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
SE_SELF_RELATIVE
#define SE_SELF_RELATIVE
Definition: setypes.h:780
_SID
Definition: ms-dtyp.idl:198
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
ULONG_PTR
uint32_t ULONG_PTR
Definition: typedefs.h:64
_SECURITY_DESCRIPTOR::Owner
ULONG Owner
Definition: ms-dtyp.idl:305
PSID
struct _SID * PSID
Definition: eventlog.c:35
Owner
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
Definition: rtlfuncs.h:1556
ULONG_PTR
#define ULONG_PTR
Definition: config.h:101

Referenced by NtAccessCheck().