accesschk.c

Go to the documentation of this file.

/*
 * PROJECT:     ReactOS Kernel
 * LICENSE:     GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
 * PURPOSE:     Security access check control implementation
 * COPYRIGHT:   Copyright 2014 Timo Kreuzer <timo.kreuzer@reactos.org>
 *              Copyright 2014 Eric Kohl
 *              Copyright 2022-2023 George Bișoc <george.bisoc@reactos.org>
 */
 
/* INCLUDES *******************************************************************/
 
#include <ntoskrnl.h>
#define NDEBUG
#include <debug.h>
 
/* PRIVATE FUNCTIONS **********************************************************/
 
static
VOID
SepDenyAccessObjectTypeResultList(
    _Inout_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ ACCESS_MASK AccessMask,
    _In_opt_ PGUID ObjectTypeGuid)
{
    ULONG ObjectTypeIndex;
    ULONG ReturnedObjectIndex;
    USHORT Level;
 
    PAGED_CODE();
 
    DPRINT("Access rights 0x%08lx\n", AccessMask);
 
    /*
     * The object type of interest is the one that was supplied
     * by the creator who made the ACE. If the object type was
     * not supplied then we have no clear indication from where
     * shall we start updating the access rights of objects on
     * this list, so we have to begin from the root (aka the
     * object itself).
     */
    if (!ObjectTypeGuid)
    {
        DPRINT("No object type provided, updating access rights from root\n");
        ReturnedObjectIndex = 0;
        goto LoopAndUpdateRightsObjects;
    }
 
    /* Check if that object exists in the list */
    if (SepObjectTypeGuidInList(ObjectTypeList,
                                ObjectTypeListLength,
                                ObjectTypeGuid,
                                &ReturnedObjectIndex))
    {
LoopAndUpdateRightsObjects:
        /* Update the access rights of the target object */
        ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights |=
            (AccessMask & ~ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights);
        DPRINT("Denied rights 0x%08lx of target object at index %lu\n",
            ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights, ReturnedObjectIndex);
 
        /* And update the children of the target object */
        for (ObjectTypeIndex = ReturnedObjectIndex + 1;
             ObjectTypeIndex < ObjectTypeListLength;
             ObjectTypeIndex++)
        {
            /*
             * Stop looking for children objects if we hit an object that has
             * the same level as the target object or less.
             */
            Level = ObjectTypeList[ObjectTypeIndex].Level;
            if (Level <= ObjectTypeList[ReturnedObjectIndex].Level)
            {
                DPRINT("We looked for all children objects, stop looking\n");
                break;
            }
 
            /* Update the access right of the child */
            ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.DeniedAccessRights |=
                (AccessMask & ~ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights);
            DPRINT("Denied rights 0x%08lx of child object at index %lu\n",
                ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.DeniedAccessRights, ObjectTypeIndex);
        }
    }
}
 
static
VOID
SepAllowAccessObjectTypeResultList(
    _Inout_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ ACCESS_MASK AccessMask,
    _In_opt_ PGUID ObjectTypeGuid)
{
    ULONG ObjectTypeIndex;
    ULONG ReturnedObjectIndex;
    USHORT Level;
 
    PAGED_CODE();
 
    DPRINT("Access rights 0x%08lx\n", AccessMask);
 
    /*
     * Begin updating the access rights from the root object
     * (see comment in SepDenyAccessObjectTypeListMaximum).
     */
    if (!ObjectTypeGuid)
    {
        DPRINT("No object type provided, updating access rights from root\n");
        ReturnedObjectIndex = 0;
        goto LoopAndUpdateRightsObjects;
    }
 
    /* Check if that object exists in the list */
    if (SepObjectTypeGuidInList(ObjectTypeList,
                                ObjectTypeListLength,
                                ObjectTypeGuid,
                                &ReturnedObjectIndex))
    {
LoopAndUpdateRightsObjects:
        /* Update the access rights of the target object */
        ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights |=
            (AccessMask & ~ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights);
        DPRINT("Granted rights 0x%08lx of target object at index %lu\n",
            ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights, ReturnedObjectIndex);
 
        /* And update the children of the target object */
        for (ObjectTypeIndex = ReturnedObjectIndex + 1;
             ObjectTypeIndex < ObjectTypeListLength;
             ObjectTypeIndex++)
        {
            /*
             * Stop looking for children objects if we hit an object that has
             * the same level as the target object or less.
             */
            Level = ObjectTypeList[ObjectTypeIndex].Level;
            if (Level <= ObjectTypeList[ReturnedObjectIndex].Level)
            {
                break;
            }
 
            /* Update the access right of the child */
            ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights |=
                (AccessMask & ~ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.DeniedAccessRights);
            DPRINT("Granted rights 0x%08lx of child object at index %lu\n",
                ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights, ObjectTypeIndex);
        }
    }
}
 
static
VOID
SepDenyAccessObjectTypeList(
    _Inout_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ ACCESS_MASK AccessMask,
    _In_opt_ PGUID ObjectTypeGuid,
    _Out_opt_ PBOOLEAN BreakOnDeny)
{
    ULONG ReturnedObjectIndex;
    BOOLEAN MustBreak;
 
    PAGED_CODE();
 
    DPRINT("Access rights 0x%08lx\n", AccessMask);
 
    /* Assume we do not want to break at first */
    MustBreak = FALSE;
 
    /*
     * If no object type was supplied then tell the caller it has to break on
     * searching for other ACEs if the requested remaining access right is
     * denied by the deny ACE itself. Track down that denied right too.
     */
    if (!ObjectTypeGuid)
    {
        if (ObjectTypeList[0].ObjectAccessRights.RemainingAccessRights & AccessMask)
        {
            DPRINT("Root object requests remaining access right that is denied 0x%08lx\n", AccessMask);
            MustBreak = TRUE;
        }
 
        ObjectTypeList[0].ObjectAccessRights.DeniedAccessRights |=
            (AccessMask & ~ObjectTypeList[0].ObjectAccessRights.GrantedAccessRights);
        DPRINT("Denied rights of root object 0x%08lx\n", ObjectTypeList[0].ObjectAccessRights.DeniedAccessRights);
        goto Quit;
    }
 
    /*
     * If the object exists tell the caller it has to break down if the requested
     * remaining access right is denied by the ACE. Track down the denied right too.
     */
    if (SepObjectTypeGuidInList(ObjectTypeList,
                                ObjectTypeListLength,
                                ObjectTypeGuid,
                                &ReturnedObjectIndex))
    {
        if (ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.RemainingAccessRights & AccessMask)
        {
            DPRINT("Object at index %lu requests remaining access right that is denied 0x%08lx\n", ReturnedObjectIndex, AccessMask);
            MustBreak = TRUE;
        }
 
        ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights |=
            (AccessMask & ~ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights);
        DPRINT("Denied rights 0x%08lx of object at index %lu\n",
            ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights, ReturnedObjectIndex);
    }
 
Quit:
    /* Signal the caller he has to break if he wants to */
    if (BreakOnDeny)
    {
        *BreakOnDeny = MustBreak;
    }
}
 
static
VOID
SepAllowAccessObjectTypeList(
    _Inout_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ ACCESS_MASK AccessMask,
    _In_ BOOLEAN RemoveRemainingRights,
    _In_opt_ PGUID ObjectTypeGuid)
{
    ULONG ReturnedObjectIndex;
 
    PAGED_CODE();
 
    DPRINT("Access rights 0x%08lx\n", AccessMask);
 
    /*
     * If no object type was supplied then remove the remaining rights
     * of the object itself, the root. Track down that right to the
     * granted rights as well.
     */
    if (!ObjectTypeGuid)
    {
        if (RemoveRemainingRights)
        {
            ObjectTypeList[0].ObjectAccessRights.RemainingAccessRights &= ~AccessMask;
            DPRINT("Remaining rights of root object 0x%08lx\n", ObjectTypeList[0].ObjectAccessRights.RemainingAccessRights);
        }
 
        ObjectTypeList[0].ObjectAccessRights.GrantedAccessRights |=
            (AccessMask & ~ObjectTypeList[0].ObjectAccessRights.DeniedAccessRights);
        DPRINT("Granted rights of root object 0x%08lx\n", ObjectTypeList[0].ObjectAccessRights.GrantedAccessRights);
        return;
    }
 
    /*
     * Grant access to the object if it exists by removing the remaining
     * rights. Unlike the NtAccessCheckByTypeResultList variant we do not
     * care about the children of the target object beccause NtAccessCheckByType
     * will either grant or deny access to the entire hierarchy of the list.
     */
    if (SepObjectTypeGuidInList(ObjectTypeList,
                                ObjectTypeListLength,
                                ObjectTypeGuid,
                                &ReturnedObjectIndex))
    {
        /* Remove the remaining rights of that object */
        if (RemoveRemainingRights)
        {
            ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.RemainingAccessRights &= ~AccessMask;
            DPRINT("Remaining rights of object 0x%08lx at index %lu\n",
                ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.RemainingAccessRights, ReturnedObjectIndex);
        }
 
        /* And track it down to the granted access rights */
        ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights |=
            (AccessMask & ~ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.DeniedAccessRights);
        DPRINT("Granted rights of object 0x%08lx at index %lu\n",
            ObjectTypeList[ReturnedObjectIndex].ObjectAccessRights.GrantedAccessRights, ReturnedObjectIndex);
    }
}
 
static
VOID
SepAnalyzeAcesFromDacl(
    _In_ ACCESS_CHECK_RIGHT_TYPE ActionType,
    _In_ ACCESS_MASK RemainingAccess,
    _In_ PACL Dacl,
    _In_ PACCESS_TOKEN AccessToken,
    _In_ PACCESS_TOKEN PrimaryAccessToken,
    _In_ BOOLEAN IsTokenRestricted,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_opt_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ BOOLEAN UseResultList,
    _Inout_ PACCESS_CHECK_RIGHTS AccessCheckRights)
{
    NTSTATUS Status;
    PACE CurrentAce;
    ULONG AceIndex;
    ULONG ObjectTypeIndex;
    PSID Sid;
    PGUID ObjectTypeGuid;
    ACCESS_MASK Access;
    BOOLEAN BreakOnDeny;
 
    PAGED_CODE();
 
    /* These parameters are really needed */
    ASSERT(Dacl);
    ASSERT(AccessToken);
 
    /* TODO: To be removed once we support compound ACEs handling in Se */
    DBG_UNREFERENCED_PARAMETER(PrimaryAccessToken);
 
    /* Determine how we should analyze the ACEs */
    switch (ActionType)
    {
        /*
         * We got the acknowledgement the calling thread desires
         * maximum rights (as according to MAXIMUM_ALLOWED access
         * mask). Analyze the ACE of the given DACL.
         */
        case AccessCheckMaximum:
        {
            /* Loop over the DACL to retrieve ACEs */
            for (AceIndex = 0; AceIndex < Dacl->AceCount; AceIndex++)
            {
                /* Obtain a ACE now */
                Status = RtlGetAce(Dacl, AceIndex, (PVOID*)&CurrentAce);
 
                /* Getting this ACE is important, otherwise something is seriously wrong */
                ASSERT(NT_SUCCESS(Status));
 
                /*
                 * Now it's time to analyze it based upon the
                 * type of this ACE we're being given.
                 */
                if (!(CurrentAce->Header.AceFlags & INHERIT_ONLY_ACE))
                {
                    if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
                    {
                        /* Get the SID from this ACE */
                        Sid = SepGetSidFromAce(CurrentAce);
                        ASSERT(Sid);
 
                        if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, TRUE, IsTokenRestricted))
                        {
                            /* Get this access right from the ACE */
                            Access = CurrentAce->AccessMask;
 
                            /* Map this access right if it has a generic mask right */
                            if ((Access & GENERIC_ACCESS) && GenericMapping)
                            {
                                RtlMapGenericMask(&Access, GenericMapping);
                            }
 
                            /* Deny access rights that have not been granted yet */
                            AccessCheckRights->DeniedAccessRights |= (Access & ~AccessCheckRights->GrantedAccessRights);
                            DPRINT("DeniedAccessRights 0x%08lx\n", AccessCheckRights->DeniedAccessRights);
                        }
                    }
                    else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
                    {
                        /* Get the SID from this ACE */
                        Sid = SepGetSidFromAce(CurrentAce);
                        ASSERT(Sid);
 
                        if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, FALSE, IsTokenRestricted))
                        {
                            /* Get this access right from the ACE */
                            Access = CurrentAce->AccessMask;
 
                            /* Map this access right if it has a generic mask right */
                            if ((Access & GENERIC_ACCESS) && GenericMapping)
                            {
                                RtlMapGenericMask(&Access, GenericMapping);
                            }
 
                            /* Grant access rights that have not been denied yet */
                            AccessCheckRights->GrantedAccessRights |= (Access & ~AccessCheckRights->DeniedAccessRights);
                            DPRINT("GrantedAccessRights 0x%08lx\n", AccessCheckRights->GrantedAccessRights);
                        }
                    }
                    else if (CurrentAce->Header.AceType == ACCESS_DENIED_OBJECT_ACE_TYPE)
                    {
                        /* Get the SID and object type from this ACE */
                        Sid = SepGetSidFromAce(CurrentAce);
                        ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, TRUE);
                        ASSERT(Sid);
 
                        if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, TRUE, IsTokenRestricted))
                        {
                            /* Get this access right from the ACE */
                            Access = CurrentAce->AccessMask;
 
                            /* Map this access right if it has a generic mask right */
                            if ((Access & GENERIC_ACCESS) && GenericMapping)
                            {
                                RtlMapGenericMask(&Access, GenericMapping);
                            }
 
                            /* If no list was passed treat this is as ACCESS_DENIED_ACE_TYPE */
                            if (!ObjectTypeList && !ObjectTypeListLength)
                            {
                                AccessCheckRights->DeniedAccessRights |= (Access & ~AccessCheckRights->GrantedAccessRights);
                                DPRINT("DeniedAccessRights 0x%08lx\n", AccessCheckRights->DeniedAccessRights);
                            }
                            else if (!UseResultList)
                            {
                                /*
                                 * We have an object type list but the caller wants to deny access
                                 * to the entire hierarchy list. Evaluate the rights of the object
                                 * for the whole list. Ignore what the function tells us if we have
                                 * to break on deny or not because we only want to keep track of
                                 * denied rights.
                                 */
                               SepDenyAccessObjectTypeList(ObjectTypeList,
                                                           ObjectTypeListLength,
                                                           Access,
                                                           ObjectTypeGuid,
                                                           NULL);
                            }
                            else
                            {
                                /* Otherwise evaluate the access rights for each sub-object */
                                SepDenyAccessObjectTypeResultList(ObjectTypeList,
                                                                  ObjectTypeListLength,
                                                                  Access,
                                                                  ObjectTypeGuid);
                            }
                        }
                    }
                    else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_OBJECT_ACE_TYPE)
                    {
                        /* Get the SID and object type from this ACE */
                        Sid = SepGetSidFromAce(CurrentAce);
                        ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, FALSE);
                        ASSERT(Sid);
 
                        if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, FALSE, IsTokenRestricted))
                        {
                            /* Get this access right from the ACE */
                            Access = CurrentAce->AccessMask;
 
                            /* Map this access right if it has a generic mask right */
                            if ((Access & GENERIC_ACCESS) && GenericMapping)
                            {
                                RtlMapGenericMask(&Access, GenericMapping);
                            }
 
                            /* If no list was passed treat this is as ACCESS_ALLOWED_ACE_TYPE */
                            if (!ObjectTypeList && !ObjectTypeListLength)
                            {
                                AccessCheckRights->GrantedAccessRights |= (Access & ~AccessCheckRights->DeniedAccessRights);
                                DPRINT("GrantedAccessRights 0x%08lx\n", AccessCheckRights->GrantedAccessRights);
                            }
                            else if (!UseResultList)
                            {
                                /*
                                 * We have an object type list but the caller wants to allow access
                                 * to the entire hierarchy list. Evaluate the rights of the object
                                 * for the whole list.
                                 */
                                SepAllowAccessObjectTypeList(ObjectTypeList,
                                                             ObjectTypeListLength,
                                                             Access,
                                                             FALSE,
                                                             ObjectTypeGuid);
                            }
                            else
                            {
                                /* Otherwise evaluate the access rights for each sub-object */
                                SepAllowAccessObjectTypeResultList(ObjectTypeList,
                                                                   ObjectTypeListLength,
                                                                   Access,
                                                                   ObjectTypeGuid);
                            }
                        }
                    }
                    else
                    {
                        DPRINT1("Unsupported ACE type 0x%lx\n", CurrentAce->Header.AceType);
                    }
                }
            }
 
            /* We're done here */
            break;
        }
 
        /*
         * We got the acknowledgement the calling thread desires
         * only a subset of rights therefore we have to act a little
         * different here.
         */
        case AccessCheckRegular:
        {
            /* Cache the remaining access rights to be addressed */
            ASSERT(RemainingAccess != 0);
            AccessCheckRights->RemainingAccessRights = RemainingAccess;
 
            /* Fill the remaining rights of each object in the list if we have one */
            if (ObjectTypeList && (ObjectTypeListLength != 0))
            {
                for (ObjectTypeIndex = 0;
                     ObjectTypeIndex < ObjectTypeListLength;
                     ObjectTypeIndex++)
                {
                    ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.RemainingAccessRights = RemainingAccess;
                }
            }
 
            /* Loop over the DACL to retrieve ACEs */
            for (AceIndex = 0; AceIndex < Dacl->AceCount; AceIndex++)
            {
                /* Obtain a ACE now */
                Status = RtlGetAce(Dacl, AceIndex, (PVOID*)&CurrentAce);
 
                /* Getting this ACE is important, otherwise something is seriously wrong */
                ASSERT(NT_SUCCESS(Status));
 
                /*
                 * Now it's time to analyze it based upon the
                 * type of this ACE we're being given.
                 */
                if (!(CurrentAce->Header.AceFlags & INHERIT_ONLY_ACE))
                {
                    if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
                    {
                        /* Get the SID from this ACE */
                        Sid = SepGetSidFromAce(CurrentAce);
                        ASSERT(Sid);
 
                        if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, TRUE, IsTokenRestricted))
                        {
                            /* Get this access right from the ACE */
                            Access = CurrentAce->AccessMask;
 
                            /* Map this access right if it has a generic mask right */
                            if ((Access & GENERIC_ACCESS) && GenericMapping)
                            {
                                RtlMapGenericMask(&Access, GenericMapping);
                            }
 
                            /*
                             * The caller requests a right that cannot be
                             * granted. Access is implicitly denied for
                             * the calling thread. Track this access right.
                             */
                            if (AccessCheckRights->RemainingAccessRights & Access)
                            {
                                DPRINT("Refuted access 0x%08lx\n", Access);
                                AccessCheckRights->DeniedAccessRights |= Access;
                                break;
                            }
                        }
                    }
                    else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
                    {
                        /* Get the SID from this ACE */
                        Sid = SepGetSidFromAce(CurrentAce);
                        ASSERT(Sid);
 
                        if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, FALSE, IsTokenRestricted))
                        {
                            /* Get this access right from the ACE */
                            Access = CurrentAce->AccessMask;
 
                            /* Map this access right if it has a generic mask right */
                            if ((Access & GENERIC_ACCESS) && GenericMapping)
                            {
                                RtlMapGenericMask(&Access, GenericMapping);
                            }
 
                            /* Remove the remaining rights */
                            DPRINT("RemainingAccessRights 0x%08lx  Access 0x%08lx\n", AccessCheckRights->RemainingAccessRights, Access);
                            AccessCheckRights->RemainingAccessRights &= ~Access;
                            DPRINT("RemainingAccessRights 0x%08lx\n", AccessCheckRights->RemainingAccessRights);
 
                            /* Track the granted access right */
                            AccessCheckRights->GrantedAccessRights |= Access;
                        }
                    }
                    else if (CurrentAce->Header.AceType == ACCESS_DENIED_OBJECT_ACE_TYPE)
                    {
                        /* Get the SID and object type from this ACE */
                        Sid = SepGetSidFromAce(CurrentAce);
                        ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, TRUE);
                        ASSERT(Sid);
 
                        if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, TRUE, IsTokenRestricted))
                        {
                            /* Get this access right from the ACE */
                            Access = CurrentAce->AccessMask;
 
                            /* Map this access right if it has a generic mask right */
                            if ((Access & GENERIC_ACCESS) && GenericMapping)
                            {
                                RtlMapGenericMask(&Access, GenericMapping);
                            }
 
                            /* If no list was passed treat this is as ACCESS_DENIED_ACE_TYPE */
                            if (!ObjectTypeList && !ObjectTypeListLength)
                            {
                                if (AccessCheckRights->RemainingAccessRights & Access)
                                {
                                    DPRINT("Refuted access 0x%08lx\n", Access);
                                    AccessCheckRights->DeniedAccessRights |= Access;
                                    break;
                                }
                            }
                            else
                            {
                                /*
                                 * Otherwise evaluate the rights of the object for the entire list.
                                 * The function will signal us if the caller requested a right that is
                                 * denied by the ACE of an object in the list.
                                 */
                                SepDenyAccessObjectTypeList(ObjectTypeList,
                                                            ObjectTypeListLength,
                                                            Access,
                                                            ObjectTypeGuid,
                                                            &BreakOnDeny);
 
                                /* We are acknowledged the caller requested a denied right */
                                if (BreakOnDeny)
                                {
                                    DPRINT("Refuted access 0x%08lx\n", Access);
                                    break;
                                }
                            }
                        }
                    }
                    else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_OBJECT_ACE_TYPE)
                    {
                        /* Get the SID and object type from this ACE */
                        Sid = SepGetSidFromAce(CurrentAce);
                        ObjectTypeGuid = SepGetObjectTypeGuidFromAce(CurrentAce, FALSE);
                        ASSERT(Sid);
 
                        if (SepSidInTokenEx(AccessToken, PrincipalSelfSid, Sid, FALSE, IsTokenRestricted))
                        {
                            /* Get this access right from the ACE */
                            Access = CurrentAce->AccessMask;
 
                            /* Map this access right if it has a generic mask right */
                            if ((Access & GENERIC_ACCESS) && GenericMapping)
                            {
                                RtlMapGenericMask(&Access, GenericMapping);
                            }
 
                            /* If no list was passed treat this is as ACCESS_ALLOWED_ACE_TYPE */
                            if (!ObjectTypeList && !ObjectTypeListLength)
                            {
                                /* Remove the remaining rights */
                                DPRINT("RemainingAccessRights 0x%08lx  Access 0x%08lx\n", AccessCheckRights->RemainingAccessRights, Access);
                                AccessCheckRights->RemainingAccessRights &= ~Access;
                                DPRINT("RemainingAccessRights 0x%08lx\n", AccessCheckRights->RemainingAccessRights);
 
                                /* Track the granted access right */
                                AccessCheckRights->GrantedAccessRights |= Access;
                            }
                            else
                            {
                                /* Otherwise evaluate the rights of the object for the entire list */
                                SepAllowAccessObjectTypeList(ObjectTypeList,
                                                             ObjectTypeListLength,
                                                             Access,
                                                             TRUE,
                                                             ObjectTypeGuid);
                            }
                        }
                    }
                    else
                    {
                        DPRINT1("Unsupported ACE type 0x%lx\n", CurrentAce->Header.AceType);
                    }
                }
            }
 
            /* We're done here */
            break;
        }
 
        /* We shouldn't reach here */
        DEFAULT_UNREACHABLE;
    }
}
 
static
BOOLEAN
SepAccessCheckWorker(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PACCESS_TOKEN ClientAccessToken,
    _In_ PACCESS_TOKEN PrimaryAccessToken,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ ACCESS_MASK PreviouslyGrantedAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN UseResultList,
    _Out_opt_ PPRIVILEGE_SET* Privileges,
    _Out_ PACCESS_MASK GrantedAccessList,
    _Out_ PNTSTATUS AccessStatusList)
{
    ACCESS_MASK RemainingAccess;
    ACCESS_MASK WantedRights;
    ACCESS_MASK MaskDesired;
    ACCESS_MASK GrantedRights = 0;
    ULONG ResultListIndex;
    ULONG ObjectTypeIndex;
    PACL Dacl;
    BOOLEAN Present;
    BOOLEAN Defaulted;
    NTSTATUS Status;
    BOOLEAN AccessIsGranted = FALSE;
    PACCESS_TOKEN Token = NULL;
    ACCESS_CHECK_RIGHTS AccessCheckRights = {0};
 
    PAGED_CODE();
 
    /* A security descriptor must be expected for access checks */
    ASSERT(SecurityDescriptor);
 
    /* Check for no access desired */
    if (!DesiredAccess)
    {
        /* Check if we had no previous access */
        if (!PreviouslyGrantedAccess)
        {
            /* Then there's nothing to give */
            DPRINT1("The caller has no previously granted access gained!\n");
            Status = STATUS_ACCESS_DENIED;
            goto ReturnCommonStatus;
        }
 
        /* Return the previous access only */
        Status = STATUS_SUCCESS;
        *Privileges = NULL;
        goto ReturnCommonStatus;
    }
 
    /* Map given accesses */
    RtlMapGenericMask(&DesiredAccess, GenericMapping);
    if (PreviouslyGrantedAccess)
        RtlMapGenericMask(&PreviouslyGrantedAccess, GenericMapping);
 
    /* Initialize remaining access rights */
    RemainingAccess = DesiredAccess;
 
    /*
     * Initialize the required rights if the caller wants to know access
     * for the object and each sub-object in the list.
     */
    if (UseResultList)
    {
        if (DesiredAccess & MAXIMUM_ALLOWED)
        {
            WantedRights = (DesiredAccess | PreviouslyGrantedAccess) & ~MAXIMUM_ALLOWED;
            MaskDesired = ~MAXIMUM_ALLOWED;
        }
        else
        {
            WantedRights = MaskDesired = DesiredAccess | PreviouslyGrantedAccess;
        }
    }
 
    /*
     * Obtain the token provided by the caller. Client (or also
     * called impersonation or thread) token takes precedence over
     * the primary token which is the token associated with the security
     * context of the main calling process. This is because it is the
     * client itself that requests access of an object or subset of
     * multiple objects. Otherwise obtain the security context of the
     * main process (the actual primary token).
     */
    Token = ClientAccessToken ? ClientAccessToken : PrimaryAccessToken;
 
    /*
     * We should at least expect a primary token
     * to be present if client token is not
     * available.
     */
    ASSERT(Token);
 
    /*
     * Check for ACCESS_SYSTEM_SECURITY and WRITE_OWNER access.
     * Write down a set of privileges that have been checked
     * if the caller wants it.
     */
    Status = SePrivilegePolicyCheck(&RemainingAccess,
                                    &PreviouslyGrantedAccess,
                                    NULL,
                                    Token,
                                    Privileges,
                                    AccessMode);
    if (!NT_SUCCESS(Status))
    {
        goto ReturnCommonStatus;
    }
 
    /* Succeed if there are no more rights to grant */
    if (RemainingAccess == 0)
    {
        Status = STATUS_SUCCESS;
        goto ReturnCommonStatus;
    }
 
    /*
     * HACK: Temporary hack that checks if the caller passed an empty
     * generic mapping. In such cases we cannot mask out the remaining
     * access rights without a proper mapping so the only option we
     * can do is to check if the client is an administrator,
     * since they are powerful users.
     *
     * See CORE-18576 for information.
     */
    if (GenericMapping->GenericRead == 0 &&
        GenericMapping->GenericWrite == 0 &&
        GenericMapping->GenericExecute == 0 &&
        GenericMapping->GenericAll == 0)
    {
        if (SeTokenIsAdmin(Token))
        {
            /* Grant him access */
            PreviouslyGrantedAccess |= RemainingAccess;
            Status = STATUS_SUCCESS;
            goto ReturnCommonStatus;
        }
 
        /* It's not an admin so bail out */
        PreviouslyGrantedAccess = 0;
        Status = STATUS_ACCESS_DENIED;
        goto ReturnCommonStatus;
    }
 
    /* Get the DACL */
    Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
                                          &Present,
                                          &Dacl,
                                          &Defaulted);
    if (!NT_SUCCESS(Status))
    {
        goto ReturnCommonStatus;
    }
 
    /* Grant desired access if the object is unprotected */
    if (Present == FALSE || Dacl == NULL)
    {
        PreviouslyGrantedAccess |= RemainingAccess;
        if (RemainingAccess & MAXIMUM_ALLOWED)
        {
            PreviouslyGrantedAccess &= ~MAXIMUM_ALLOWED;
            PreviouslyGrantedAccess |= GenericMapping->GenericAll;
        }
 
        Status = STATUS_SUCCESS;
        goto ReturnCommonStatus;
    }
 
    /* Deny access if the DACL is empty */
    if (Dacl->AceCount == 0)
    {
        if (RemainingAccess == MAXIMUM_ALLOWED && PreviouslyGrantedAccess != 0)
        {
            Status = STATUS_SUCCESS;
        }
        else
        {
            DPRINT1("The DACL has no ACEs and the caller has no previously granted access!\n");
            PreviouslyGrantedAccess = 0;
            Status = STATUS_ACCESS_DENIED;
        }
        goto ReturnCommonStatus;
    }
 
    /*
     * Determine the MAXIMUM_ALLOWED access rights according to the DACL.
     * Or if the caller is supplying a list of object types then determine
     * the rights of each object on that list.
     */
    if ((DesiredAccess & MAXIMUM_ALLOWED) || UseResultList)
    {
        /* Perform access checks against ACEs from this DACL */
        SepAnalyzeAcesFromDacl(AccessCheckMaximum,
                               0,
                               Dacl,
                               Token,
                               PrimaryAccessToken,
                               FALSE,
                               PrincipalSelfSid,
                               GenericMapping,
                               ObjectTypeList,
                               ObjectTypeListLength,
                               UseResultList,
                               &AccessCheckRights);
 
        /*
         * Perform further access checks if this token
         * has restricted SIDs.
         */
        if (SeTokenIsRestricted(Token))
        {
            SepAnalyzeAcesFromDacl(AccessCheckMaximum,
                                   0,
                                   Dacl,
                                   Token,
                                   PrimaryAccessToken,
                                   TRUE,
                                   PrincipalSelfSid,
                                   GenericMapping,
                                   ObjectTypeList,
                                   ObjectTypeListLength,
                                   UseResultList,
                                   &AccessCheckRights);
        }
 
        /* The caller did not provide an object type list, check access only for that object */
        if (!ObjectTypeList && !ObjectTypeListLength)
        {
            /* Fail if some rights have not been granted */
            RemainingAccess &= ~(MAXIMUM_ALLOWED | AccessCheckRights.GrantedAccessRights);
            if (RemainingAccess != 0)
            {
                DPRINT("Failed to grant access rights, access denied. RemainingAccess = 0x%08lx  DesiredAccess = 0x%08lx\n", RemainingAccess, DesiredAccess);
                PreviouslyGrantedAccess = 0;
                Status = STATUS_ACCESS_DENIED;
                goto ReturnCommonStatus;
            }
 
            /* Set granted access right and access status */
            PreviouslyGrantedAccess |= AccessCheckRights.GrantedAccessRights;
            if (PreviouslyGrantedAccess != 0)
            {
                Status = STATUS_SUCCESS;
            }
            else
            {
                DPRINT("Failed to grant access rights, access denied. PreviouslyGrantedAccess == 0  DesiredAccess = %08lx\n", DesiredAccess);
                Status = STATUS_ACCESS_DENIED;
            }
 
            /* We are done here */
            goto ReturnCommonStatus;
        }
        else if (!UseResultList)
        {
            /*
             * We have a list but the caller wants to know if access can be granted
             * to an object in the list. Access will either be granted or denied
             * to the whole hierarchy of the list. Look for every object in the list
             * that has granted access rights and collect them.
             */
            for (ObjectTypeIndex = 0;
                 ObjectTypeIndex < ObjectTypeListLength;
                 ObjectTypeIndex++)
            {
                if (ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights != 0)
                {
                    GrantedRights |= ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights;
                }
            }
 
            /* Now check if acccess can be granted */
            RemainingAccess &= ~(MAXIMUM_ALLOWED | GrantedRights);
            if (RemainingAccess != 0)
            {
                DPRINT("Failed to grant access rights to the whole object hierarchy list, access denied. RemainingAccess = 0x%08lx  DesiredAccess = 0x%08lx\n",
                    RemainingAccess, DesiredAccess);
                PreviouslyGrantedAccess = 0;
                Status = STATUS_ACCESS_DENIED;
                goto ReturnCommonStatus;
            }
 
            /* Set granted access right and access status */
            PreviouslyGrantedAccess |= GrantedRights;
            if (PreviouslyGrantedAccess != 0)
            {
                Status = STATUS_SUCCESS;
            }
            else
            {
                DPRINT("Failed to grant access rights to the whole object hierarchy list, access denied. PreviouslyGrantedAccess == 0  DesiredAccess = %08lx\n",
                    DesiredAccess);
                Status = STATUS_ACCESS_DENIED;
            }
 
            /* We are done here */
            goto ReturnCommonStatus;
        }
        else
        {
            /*
             * We have a list and the caller wants to know access for each
             * sub-object in the list. Report the access status and granted
             * rights for the object and each sub-object in the list.
             */
            for (ObjectTypeIndex = 0;
                 ObjectTypeIndex < ObjectTypeListLength;
                 ObjectTypeIndex++)
            {
                /* Check if we have some rights */
                GrantedRights = (ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.GrantedAccessRights | PreviouslyGrantedAccess) & MaskDesired;
                if (GrantedRights != 0)
                {
                    /*
                     * If we still have some remaining rights to grant the ultimate
                     * conclusion is that the caller has no access to the object itself.
                     */
                    RemainingAccess = (~GrantedRights & WantedRights);
                    if (RemainingAccess != 0)
                    {
                        DPRINT("Failed to grant access rights at specific object at index %lu, access denied. RemainingAccess = 0x%08lx  DesiredAccess = 0x%08lx\n",
                            ObjectTypeIndex, RemainingAccess, DesiredAccess);
                        AccessStatusList[ObjectTypeIndex] = STATUS_ACCESS_DENIED;
                    }
                    else
                    {
                        AccessStatusList[ObjectTypeIndex] = STATUS_SUCCESS;
                    }
                }
                else
                {
                    /* No access is given */
                    DPRINT("Failed to grant access rights at specific object at index %lu. No access is given\n", ObjectTypeIndex);
                    AccessStatusList[ObjectTypeIndex] = STATUS_ACCESS_DENIED;
                }
 
                /* Return the access rights to the caller */
                GrantedAccessList[ObjectTypeIndex] = GrantedRights;
            }
 
            /*
             * We have built a list of access statuses for each object but
             * we still need to figure out the common status for the
             * function. The same status code will be used to check if
             * we should report any security debug stuff once we are done.
             */
            Status = STATUS_SUCCESS;
            for (ResultListIndex = 0; ResultListIndex < ObjectTypeListLength; ResultListIndex++)
            {
                /* There is at least one sub-object of which access cannot be granted */
                if (AccessStatusList[ResultListIndex] == STATUS_ACCESS_DENIED)
                {
                    Status = AccessStatusList[ResultListIndex];
                    break;
                }
            }
 
            /* We are done here */
            goto ReturnCommonStatus;
        }
    }
 
    /* Grant rights according to the DACL */
    SepAnalyzeAcesFromDacl(AccessCheckRegular,
                           RemainingAccess,
                           Dacl,
                           Token,
                           PrimaryAccessToken,
                           FALSE,
                           PrincipalSelfSid,
                           GenericMapping,
                           ObjectTypeList,
                           ObjectTypeListLength,
                           UseResultList,
                           &AccessCheckRights);
 
    /* The caller did not provide an object type list, check access only for that object */
    if (!ObjectTypeList && !ObjectTypeListLength)
    {
        /* Fail if some rights have not been granted */
        if (AccessCheckRights.RemainingAccessRights != 0)
        {
            DPRINT("Failed to grant access rights, access denied. RemainingAccess = 0x%08lx  DesiredAccess = 0x%08lx\n", AccessCheckRights.RemainingAccessRights, DesiredAccess);
            PreviouslyGrantedAccess = 0;
            Status = STATUS_ACCESS_DENIED;
            goto ReturnCommonStatus;
        }
    }
    else
    {
        /*
         * We have an object type list, look for the object of which
         * remaining rights are all granted.
         */
        for (ObjectTypeIndex = 0;
             ObjectTypeIndex < ObjectTypeListLength;
             ObjectTypeIndex++)
        {
            if (ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.RemainingAccessRights == 0)
            {
                AccessIsGranted = TRUE;
                break;
            }
        }
 
        if (!AccessIsGranted)
        {
            DPRINT("Failed to grant access rights to the whole object hierarchy list, access denied. DesiredAccess = 0x%08lx\n", DesiredAccess);
            PreviouslyGrantedAccess = 0;
            Status = STATUS_ACCESS_DENIED;
            goto ReturnCommonStatus;
        }
    }
 
    /*
     * Perform further access checks if this token
     * has restricted SIDs.
     */
    if (SeTokenIsRestricted(Token))
    {
        SepAnalyzeAcesFromDacl(AccessCheckRegular,
                               RemainingAccess,
                               Dacl,
                               Token,
                               PrimaryAccessToken,
                               TRUE,
                               PrincipalSelfSid,
                               GenericMapping,
                               ObjectTypeList,
                               ObjectTypeListLength,
                               UseResultList,
                               &AccessCheckRights);
 
        /* The caller did not provide an object type list, check access only for that object */
        if (!ObjectTypeList && !ObjectTypeListLength)
        {
            /* Fail if some rights have not been granted */
            if (AccessCheckRights.RemainingAccessRights != 0)
            {
                DPRINT("Failed to grant access rights, access denied. RemainingAccess = 0x%08lx  DesiredAccess = 0x%08lx\n", AccessCheckRights.RemainingAccessRights, DesiredAccess);
                PreviouslyGrantedAccess = 0;
                Status = STATUS_ACCESS_DENIED;
                goto ReturnCommonStatus;
            }
        }
        else
        {
            /*
             * We have an object type list, look for the object of which remaining
             * rights are all granted. The user may have access to the requested
             * object but on a restricted token case the user is only granted partial
             * access. If access is denied to restricted SIDs, the bottom line is that
             * access is denied to the user.
             */
            AccessIsGranted = FALSE;
            for (ObjectTypeIndex = 0;
                 ObjectTypeIndex < ObjectTypeListLength;
                 ObjectTypeIndex++)
            {
                if (ObjectTypeList[ObjectTypeIndex].ObjectAccessRights.RemainingAccessRights == 0)
                {
                    AccessIsGranted = TRUE;
                    break;
                }
            }
 
            if (!AccessIsGranted)
            {
                DPRINT("Failed to grant access rights to the whole object hierarchy list, access denied. DesiredAccess = 0x%08lx\n", DesiredAccess);
                PreviouslyGrantedAccess = 0;
                Status = STATUS_ACCESS_DENIED;
                goto ReturnCommonStatus;
            }
        }
    }
 
    /* Set granted access rights */
    PreviouslyGrantedAccess |= DesiredAccess;
 
    /* Fail if no rights have been granted */
    if (PreviouslyGrantedAccess == 0)
    {
        DPRINT("Failed to grant access rights, access denied. PreviouslyGrantedAccess == 0  DesiredAccess = %08lx\n", DesiredAccess);
        Status = STATUS_ACCESS_DENIED;
        goto ReturnCommonStatus;
    }
 
    /*
     * If we're here then we granted all the desired
     * access rights the caller wanted.
     */
    Status = STATUS_SUCCESS;
 
ReturnCommonStatus:
    if (!UseResultList)
    {
        *GrantedAccessList = PreviouslyGrantedAccess;
        *AccessStatusList = Status;
    }
 
#if DBG
    /* Dump security debug info on access denied case */
    if (Status == STATUS_ACCESS_DENIED)
    {
        SepDumpSdDebugInfo(SecurityDescriptor);
        SepDumpTokenDebugInfo(Token);
 
        if (ObjectTypeList && (ObjectTypeListLength != 0))
        {
            SepDumpAccessAndStatusList(GrantedAccessList,
                                       AccessStatusList,
                                       UseResultList,
                                       ObjectTypeList,
                                       ObjectTypeListLength);
        }
        else
        {
            SepDumpAccessRightsStats(&AccessCheckRights);
        }
    }
#endif
 
    return NT_SUCCESS(Status);
}
 
static
ULONG
SepGetPrivilegeSetLength(
    _In_ PPRIVILEGE_SET PrivilegeSet)
{
    if (PrivilegeSet == NULL)
        return 0;
 
    if (PrivilegeSet->PrivilegeCount == 0)
        return (ULONG)(sizeof(PRIVILEGE_SET) - sizeof(LUID_AND_ATTRIBUTES));
 
    return (ULONG)(sizeof(PRIVILEGE_SET) +
                   (PrivilegeSet->PrivilegeCount - 1) * sizeof(LUID_AND_ATTRIBUTES));
}
 
static
NTSTATUS
SepAccessCheck(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ BOOLEAN UseResultList,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus)
{
    PSECURITY_DESCRIPTOR CapturedSecurityDescriptor = NULL;
    POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList = NULL;
    PSID CapturedPrincipalSelfSid = NULL;
    SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
    KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
    ACCESS_MASK PreviouslyGrantedAccess = 0;
    PPRIVILEGE_SET Privileges = NULL;
    ULONG CapturedPrivilegeSetLength, RequiredPrivilegeSetLength;
    ULONG ResultListIndex;
    PTOKEN Token;
    NTSTATUS Status;
 
    PAGED_CODE();
 
    /* Check if this is kernel mode */
    if (PreviousMode == KernelMode)
    {
        /* Check if kernel wants everything */
        if (DesiredAccess & MAXIMUM_ALLOWED)
        {
            /* Give it */
            *GrantedAccess = GenericMapping->GenericAll;
            *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
        }
        else
        {
            /* Just give the desired access */
            *GrantedAccess = DesiredAccess;
        }
 
        /* Success */
        *AccessStatus = STATUS_SUCCESS;
        return STATUS_SUCCESS;
    }
 
    /* Protect probe in SEH */
    _SEH2_TRY
    {
        /* Probe all pointers */
        ProbeForRead(GenericMapping, sizeof(GENERIC_MAPPING), sizeof(ULONG));
        ProbeForRead(PrivilegeSetLength, sizeof(ULONG), sizeof(ULONG));
        ProbeForWrite(PrivilegeSet, *PrivilegeSetLength, sizeof(ULONG));
 
        /*
         * Probe the access and status list based on the way
         * we are going to fill data in.
         */
        if (UseResultList)
        {
            /* Bail out on an empty list */
            if (!ObjectTypeListLength)
            {
                DPRINT1("The object type list is empty\n");
                _SEH2_YIELD(return STATUS_INVALID_PARAMETER);
            }
 
            ProbeForWrite(GrantedAccess, sizeof(ACCESS_MASK) * ObjectTypeListLength, sizeof(ULONG));
            ProbeForWrite(AccessStatus, sizeof(NTSTATUS) * ObjectTypeListLength, sizeof(ULONG));
        }
        else
        {
            ProbeForWrite(GrantedAccess, sizeof(ACCESS_MASK), sizeof(ULONG));
            ProbeForWrite(AccessStatus, sizeof(NTSTATUS), sizeof(ULONG));
        }
 
        /* Capture the privilege set length and the mapping */
        CapturedPrivilegeSetLength = *PrivilegeSetLength;
    }
    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
    {
        /* Return the exception code */
        _SEH2_YIELD(return _SEH2_GetExceptionCode());
    }
    _SEH2_END;
 
    /* Check for unmapped access rights */
    if (DesiredAccess & (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL))
    {
        DPRINT1("Some generic rights are not mapped\n");
        return STATUS_GENERIC_NOT_MAPPED;
    }
 
    /* Reference the token */
    Status = ObReferenceObjectByHandle(ClientToken,
                                       TOKEN_QUERY,
                                       SeTokenObjectType,
                                       PreviousMode,
                                       (PVOID*)&Token,
                                       NULL);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to reference token (Status 0x%08lx)\n", Status);
        return Status;
    }
 
    /* Check token type */
    if (Token->TokenType != TokenImpersonation)
    {
        DPRINT("No impersonation token\n");
        ObDereferenceObject(Token);
        return STATUS_NO_IMPERSONATION_TOKEN;
    }
 
    /* Check the impersonation level */
    if (Token->ImpersonationLevel < SecurityIdentification)
    {
        DPRINT1("Impersonation level < SecurityIdentification\n");
        ObDereferenceObject(Token);
        return STATUS_BAD_IMPERSONATION_LEVEL;
    }
 
    /* Capture the object type list, the list is probed by the function itself */
    Status = SeCaptureObjectTypeList(ObjectTypeList,
                                     ObjectTypeListLength,
                                     PreviousMode,
                                     &CapturedObjectTypeList);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture the object type list (Status 0x%08lx)\n", Status);
        ObDereferenceObject(Token);
        return Status;
    }
 
    /* Check for ACCESS_SYSTEM_SECURITY and WRITE_OWNER access */
    Status = SePrivilegePolicyCheck(&DesiredAccess,
                                    &PreviouslyGrantedAccess,
                                    NULL,
                                    Token,
                                    &Privileges,
                                    PreviousMode);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("SePrivilegePolicyCheck failed (Status 0x%08lx)\n", Status);
        SeReleaseObjectTypeList(CapturedObjectTypeList, PreviousMode);
        ObDereferenceObject(Token);
 
        /*
         * The caller does not have the required access to do an access check.
         * Propagate the access and status for the whole hierarchy of the list
         * or just to single target object.
         */
        if (UseResultList)
        {
            for (ResultListIndex = 0; ResultListIndex < ObjectTypeListLength; ResultListIndex++)
            {
                AccessStatus[ResultListIndex] = Status;
                GrantedAccess[ResultListIndex] = 0;
            }
        }
        else
        {
            *AccessStatus = Status;
            *GrantedAccess = 0;
        }
 
        return STATUS_SUCCESS;
    }
 
    /* Check the size of the privilege set and return the privileges */
    if (Privileges != NULL)
    {
        DPRINT("Privileges != NULL\n");
 
        /* Calculate the required privilege set buffer size */
        RequiredPrivilegeSetLength = SepGetPrivilegeSetLength(Privileges);
 
        /* Fail if the privilege set buffer is too small */
        if (CapturedPrivilegeSetLength < RequiredPrivilegeSetLength)
        {
            SeFreePrivileges(Privileges);
            SeReleaseObjectTypeList(CapturedObjectTypeList, PreviousMode);
            ObDereferenceObject(Token);
            *PrivilegeSetLength = RequiredPrivilegeSetLength;
            return STATUS_BUFFER_TOO_SMALL;
        }
 
        /* Copy the privilege set to the caller */
        RtlCopyMemory(PrivilegeSet,
                      Privileges,
                      RequiredPrivilegeSetLength);
 
        /* Free the local privilege set */
        SeFreePrivileges(Privileges);
    }
    else
    {
        DPRINT("Privileges == NULL\n");
 
        /* Fail if the privilege set buffer is too small */
        if (CapturedPrivilegeSetLength < sizeof(PRIVILEGE_SET))
        {
            SeReleaseObjectTypeList(CapturedObjectTypeList, PreviousMode);
            ObDereferenceObject(Token);
            *PrivilegeSetLength = sizeof(PRIVILEGE_SET);
            return STATUS_BUFFER_TOO_SMALL;
        }
 
        /* Initialize the privilege set */
        PrivilegeSet->PrivilegeCount = 0;
        PrivilegeSet->Control = 0;
    }
 
    /* Capture the security descriptor */
    Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
                                         PreviousMode,
                                         PagedPool,
                                         FALSE,
                                         &CapturedSecurityDescriptor);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to capture the Security Descriptor\n");
        SeReleaseObjectTypeList(CapturedObjectTypeList, PreviousMode);
        ObDereferenceObject(Token);
        return Status;
    }
 
    /* Check the captured security descriptor */
    if (CapturedSecurityDescriptor == NULL)
    {
        DPRINT1("Security Descriptor is NULL\n");
        SeReleaseObjectTypeList(CapturedObjectTypeList, PreviousMode);
        ObDereferenceObject(Token);
        return STATUS_INVALID_SECURITY_DESCR;
    }
 
    /* Check security descriptor for valid owner and group */
    if (SepGetOwnerFromDescriptor(CapturedSecurityDescriptor) == NULL ||
        SepGetGroupFromDescriptor(CapturedSecurityDescriptor) == NULL)
    {
        DPRINT1("Security Descriptor does not have a valid group or owner\n");
        SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
                                    PreviousMode,
                                    FALSE);
        SeReleaseObjectTypeList(CapturedObjectTypeList, PreviousMode);
        ObDereferenceObject(Token);
        return STATUS_INVALID_SECURITY_DESCR;
    }
 
    /* Capture the principal self SID if we have one */
    if (PrincipalSelfSid)
    {
        Status = SepCaptureSid(PrincipalSelfSid,
                               PreviousMode,
                               PagedPool,
                               TRUE,
                               &CapturedPrincipalSelfSid);
        if (!NT_SUCCESS(Status))
        {
            DPRINT1("Failed to capture the principal self SID (Status 0x%08lx)\n", Status);
            SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
                                        PreviousMode,
                                        FALSE);
            SeReleaseObjectTypeList(CapturedObjectTypeList, PreviousMode);
            ObDereferenceObject(Token);
            return Status;
        }
    }
 
    /* Set up the subject context, and lock it */
    SeCaptureSubjectContext(&SubjectSecurityContext);
 
    /* Lock the token */
    SepAcquireTokenLockShared(Token);
 
    /* Check if the token is the owner and grant WRITE_DAC and READ_CONTROL rights */
    if (DesiredAccess & (WRITE_DAC | READ_CONTROL | MAXIMUM_ALLOWED))
    {
        if (SepTokenIsOwner(Token, CapturedSecurityDescriptor, FALSE))
        {
            if (DesiredAccess & MAXIMUM_ALLOWED)
                PreviouslyGrantedAccess |= (WRITE_DAC | READ_CONTROL);
            else
                PreviouslyGrantedAccess |= (DesiredAccess & (WRITE_DAC | READ_CONTROL));
 
            DesiredAccess &= ~(WRITE_DAC | READ_CONTROL);
        }
    }
 
    if (DesiredAccess == 0)
    {
        /*
         * Propagate the access and status for the whole hierarchy
         * of the list or just to single target object.
         */
        if (UseResultList)
        {
            for (ResultListIndex = 0; ResultListIndex < ObjectTypeListLength; ResultListIndex++)
            {
                AccessStatus[ResultListIndex] = STATUS_SUCCESS;
                GrantedAccess[ResultListIndex] = PreviouslyGrantedAccess;
            }
        }
        else
        {
            *GrantedAccess = PreviouslyGrantedAccess;
            *AccessStatus = STATUS_SUCCESS;
        }
    }
    else
    {
        /* Now perform the access check */
        SepAccessCheckWorker(CapturedSecurityDescriptor,
                             Token,
                             &SubjectSecurityContext.PrimaryToken,
                             CapturedPrincipalSelfSid,
                             DesiredAccess,
                             CapturedObjectTypeList,
                             ObjectTypeListLength,
                             PreviouslyGrantedAccess,
                             GenericMapping,
                             PreviousMode,
                             UseResultList,
                             NULL,
                             GrantedAccess,
                             AccessStatus);
    }
 
    /* Release subject context and unlock the token */
    SeReleaseSubjectContext(&SubjectSecurityContext);
    SepReleaseTokenLock(Token);
 
    /* Release the caputed principal self SID */
    SepReleaseSid(CapturedPrincipalSelfSid,
                  PreviousMode,
                  TRUE);
 
    /* Release the captured security descriptor */
    SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
                                PreviousMode,
                                FALSE);
 
    /* Release the object type list */
    SeReleaseObjectTypeList(CapturedObjectTypeList, PreviousMode);
 
    /* Dereference the token */
    ObDereferenceObject(Token);
 
    /* Check succeeded */
    return STATUS_SUCCESS;
}
 
/* PUBLIC FUNCTIONS ***********************************************************/
 
BOOLEAN
NTAPI
SeAccessCheck(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
    _In_ BOOLEAN SubjectContextLocked,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ACCESS_MASK PreviouslyGrantedAccess,
    _Out_ PPRIVILEGE_SET* Privileges,
    _In_ PGENERIC_MAPPING GenericMapping,
    _In_ KPROCESSOR_MODE AccessMode,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus)
{
    BOOLEAN ret;
 
    PAGED_CODE();
 
    /* Check if this is kernel mode */
    if (AccessMode == KernelMode)
    {
        /* Check if kernel wants everything */
        if (DesiredAccess & MAXIMUM_ALLOWED)
        {
            /* Give it */
            *GrantedAccess = GenericMapping->GenericAll;
            *GrantedAccess |= (DesiredAccess &~ MAXIMUM_ALLOWED);
            *GrantedAccess |= PreviouslyGrantedAccess;
        }
        else
        {
            /* Give the desired and previous access */
            *GrantedAccess = DesiredAccess | PreviouslyGrantedAccess;
        }
 
        /* Success */
        *AccessStatus = STATUS_SUCCESS;
        return TRUE;
    }
 
    /* Check if we didn't get an SD */
    if (!SecurityDescriptor)
    {
        /* Automatic failure */
        *AccessStatus = STATUS_ACCESS_DENIED;
        return FALSE;
    }
 
    /* Check for invalid impersonation */
    if ((SubjectSecurityContext->ClientToken) &&
        (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation))
    {
        *AccessStatus = STATUS_BAD_IMPERSONATION_LEVEL;
        return FALSE;
    }
 
    /* Acquire the lock if needed */
    if (!SubjectContextLocked)
        SeLockSubjectContext(SubjectSecurityContext);
 
    /* Check if the token is the owner and grant WRITE_DAC and READ_CONTROL rights */
    if (DesiredAccess & (WRITE_DAC | READ_CONTROL | MAXIMUM_ALLOWED))
    {
         PACCESS_TOKEN Token = SubjectSecurityContext->ClientToken ?
             SubjectSecurityContext->ClientToken : SubjectSecurityContext->PrimaryToken;
 
        if (SepTokenIsOwner(Token,
                            SecurityDescriptor,
                            FALSE))
        {
            if (DesiredAccess & MAXIMUM_ALLOWED)
                PreviouslyGrantedAccess |= (WRITE_DAC | READ_CONTROL);
            else
                PreviouslyGrantedAccess |= (DesiredAccess & (WRITE_DAC | READ_CONTROL));
 
            DesiredAccess &= ~(WRITE_DAC | READ_CONTROL);
        }
    }
 
    if (DesiredAccess == 0)
    {
        *GrantedAccess = PreviouslyGrantedAccess;
        if (PreviouslyGrantedAccess == 0)
        {
            DPRINT1("Request for zero access to an object. Denying.\n");
            *AccessStatus = STATUS_ACCESS_DENIED;
            ret = FALSE;
        }
        else
        {
            *AccessStatus = STATUS_SUCCESS;
            ret = TRUE;
        }
    }
    else
    {
        /* Call the internal function */
        ret = SepAccessCheckWorker(SecurityDescriptor,
                                   SubjectSecurityContext->ClientToken,
                                   SubjectSecurityContext->PrimaryToken,
                                   NULL,
                                   DesiredAccess,
                                   NULL,
                                   0,
                                   PreviouslyGrantedAccess,
                                   GenericMapping,
                                   AccessMode,
                                   FALSE,
                                   Privileges,
                                   GrantedAccess,
                                   AccessStatus);
    }
 
    /* Release the lock if needed */
    if (!SubjectContextLocked)
        SeUnlockSubjectContext(SubjectSecurityContext);
 
    return ret;
}
 
BOOLEAN
NTAPI
SeFastTraverseCheck(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ PACCESS_STATE AccessState,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ KPROCESSOR_MODE AccessMode)
{
    PACL Dacl;
    ULONG AceIndex;
    PKNOWN_ACE Ace;
 
    PAGED_CODE();
 
    ASSERT(AccessMode != KernelMode);
 
    if (SecurityDescriptor == NULL)
        return FALSE;
 
    /* Get DACL */
    Dacl = SepGetDaclFromDescriptor(SecurityDescriptor);
    /* If no DACL, grant access */
    if (Dacl == NULL)
        return TRUE;
 
    /* No ACE -> Deny */
    if (!Dacl->AceCount)
        return FALSE;
 
    /* Can't perform the check on restricted token */
    if (AccessState->Flags & TOKEN_IS_RESTRICTED)
        return FALSE;
 
    /* Browse the ACEs */
    for (AceIndex = 0, Ace = (PKNOWN_ACE)((ULONG_PTR)Dacl + sizeof(ACL));
         AceIndex < Dacl->AceCount;
         AceIndex++, Ace = (PKNOWN_ACE)((ULONG_PTR)Ace + Ace->Header.AceSize))
    {
        if (Ace->Header.AceFlags & INHERIT_ONLY_ACE)
            continue;
 
        /* If access-allowed ACE */
        if (Ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
        {
            /* Check if all accesses are granted */
            if (!(Ace->Mask & DesiredAccess))
                continue;
 
            /* Check SID and grant access if matching */
            if (RtlEqualSid(SeWorldSid, &(Ace->SidStart)))
                return TRUE;
        }
        /* If access-denied ACE */
        else if (Ace->Header.AceType == ACCESS_DENIED_ACE_TYPE)
        {
            /* Here, only check if it denies any access wanted and deny if so */
            if (Ace->Mask & DesiredAccess)
                return FALSE;
        }
    }
 
    /* Faulty, deny */
    return FALSE;
}
 
/* SYSTEM CALLS ***************************************************************/
 
NTSTATUS
NTAPI
NtAccessCheck(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus)
{
    PAGED_CODE();
 
    /* Invoke the internal function to do the job */
    return SepAccessCheck(SecurityDescriptor,
                          ClientToken,
                          NULL,
                          DesiredAccess,
                          GenericMapping,
                          PrivilegeSet,
                          PrivilegeSetLength,
                          NULL,
                          0,
                          FALSE,
                          GrantedAccess,
                          AccessStatus);
}
 
NTSTATUS
NTAPI
NtAccessCheckByType(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_ PACCESS_MASK GrantedAccess,
    _Out_ PNTSTATUS AccessStatus)
{
    PAGED_CODE();
 
    /* Invoke the internal function to do the job */
    return SepAccessCheck(SecurityDescriptor,
                          ClientToken,
                          PrincipalSelfSid,
                          DesiredAccess,
                          GenericMapping,
                          PrivilegeSet,
                          PrivilegeSetLength,
                          ObjectTypeList,
                          ObjectTypeListLength,
                          FALSE,
                          GrantedAccess,
                          AccessStatus);
}
 
NTSTATUS
NTAPI
NtAccessCheckByTypeResultList(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_opt_ PSID PrincipalSelfSid,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ PGENERIC_MAPPING GenericMapping,
    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
    _Inout_ PULONG PrivilegeSetLength,
    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus)
{
    PAGED_CODE();
 
    /* Invoke the internal function to do the job */
    return SepAccessCheck(SecurityDescriptor,
                          ClientToken,
                          PrincipalSelfSid,
                          DesiredAccess,
                          GenericMapping,
                          PrivilegeSet,
                          PrivilegeSetLength,
                          ObjectTypeList,
                          ObjectTypeListLength,
                          TRUE,
                          GrantedAccess,
                          AccessStatus);
}
 
/* EOF */