ReactOS  0.4.13-dev-99-g7e18b6d
accesschk.c
1 /*
2  * COPYRIGHT: See COPYING in the top level directory
3  * PROJECT: ReactOS kernel
4  * FILE: ntoskrnl/se/accesschk.c
5  * PURPOSE: Security manager
6  *
7  * PROGRAMMERS: No programmer listed.
8  */
9 
10 /* INCLUDES *******************************************************************/
11 
12 #include <ntoskrnl.h>
13 #define NDEBUG
14 #include <debug.h>
15 
16 /* GLOBALS ********************************************************************/
17 
18 
19 /* PRIVATE FUNCTIONS **********************************************************/
20 
21 /*
22  * FIXME: Incomplete!
23  */
/*
 * SepAccessCheck: internal DACL evaluation. The first lines of the
 * signature, and every other line where the gutter numbers skip, are
 * missing from this listing.
 *
 * Steps visible here, in order:
 *   - shortcut when DesiredAccess is zero;
 *   - SePrivilegePolicyCheck for ACCESS_SYSTEM_SECURITY / WRITE_OWNER;
 *   - RULE 1: no DACL present (or a NULL DACL) grants the remaining rights;
 *   - an empty DACL (AceCount == 0) is handled as a denial case;
 *   - a walk that accumulates granted and denied bits for MAXIMUM_ALLOWED;
 *   - RULE 4: a walk that clears allowed bits from RemainingAccess.
 * Returns NT_SUCCESS(Status). The same PreviouslyGrantedAccess and Status
 * are written to every result slot at ReturnCommonStatus.
 *
 * NOTE(review): both ACE loops trust Dacl->AceCount and each ACE's
 * Header.AceSize. No check against the ACL's own size is visible, so the
 * walk depends on the DACL having been validated before it gets here --
 * confirm for descriptors that originate in user mode.
 */
28  IN POBJECT_TYPE_LIST ObjectTypeList,
29  IN ULONG ObjectTypeListLength,
34  OUT PACCESS_MASK GrantedAccessList,
35  OUT PNTSTATUS AccessStatusList,
36  IN BOOLEAN UseResultList)
37 {
38  ACCESS_MASK RemainingAccess;
39  ACCESS_MASK TempAccess;
40  ACCESS_MASK TempGrantedAccess = 0;
41  ACCESS_MASK TempDeniedAccess = 0;
43  ULONG i, ResultListLength;
44  PACL Dacl;
45  BOOLEAN Present;
46  BOOLEAN Defaulted;
47  PACE CurrentAce;
48  PSID Sid;
50  PAGED_CODE();
51 
52  DPRINT("SepAccessCheck()\n");
53 
54  /* Check for no access desired */
55  if (!DesiredAccess)
56  {
57  /* Check if we had no previous access */
59  {
60  /* Then there's nothing to give */
62  goto ReturnCommonStatus;
63  }
64 
65  /* Return the previous access only */
67  *Privileges = NULL;
68  goto ReturnCommonStatus;
69  }
70 
71  /* Map given accesses */
75 
76  /* Initialize remaining access rights */
77  RemainingAccess = DesiredAccess;
78 
81 
82  /* Check for ACCESS_SYSTEM_SECURITY and WRITE_OWNER access */
  /* NOTE(review): the last argument is the literal UserMode rather than a
   * mode supplied by the caller -- confirm that this is intended. */
83  Status = SePrivilegePolicyCheck(&RemainingAccess,
85  NULL,
86  Token,
87  NULL,
88  UserMode);
89  if (!NT_SUCCESS(Status))
90  {
91  goto ReturnCommonStatus;
92  }
93 
94  /* Succeed if there are no more rights to grant */
95  if (RemainingAccess == 0)
96  {
98  goto ReturnCommonStatus;
99  }
100 
101  /* Get the DACL */
103  &Present,
104  &Dacl,
105  &Defaulted);
106  if (!NT_SUCCESS(Status))
107  {
108  goto ReturnCommonStatus;
109  }
110 
111  /* RULE 1: Grant desired access if the object is unprotected */
  /* A descriptor with no DACL protects nothing: every remaining right is
   * added to the granted mask regardless of who is asking. */
112  if (Present == FALSE || Dacl == NULL)
113  {
114  PreviouslyGrantedAccess |= RemainingAccess;
115  if (RemainingAccess & MAXIMUM_ALLOWED)
116  {
119  }
120 
122  goto ReturnCommonStatus;
123  }
124 
125  /* Deny access if the DACL is empty */
126  if (Dacl->AceCount == 0)
127  {
128  if (RemainingAccess == MAXIMUM_ALLOWED && PreviouslyGrantedAccess != 0)
129  {
131  }
132  else
133  {
136  }
137  goto ReturnCommonStatus;
138  }
139 
140  /* Determine the MAXIMUM_ALLOWED access rights according to the DACL */
  /* The walk is order-sensitive per bit: a deny ACE only blocks rights that
   * no earlier allow ACE granted, and an allow ACE only grants rights that
   * no earlier deny ACE blocked. */
142  {
143  CurrentAce = (PACE)(Dacl + 1);
144  for (i = 0; i < Dacl->AceCount; i++)
145  {
146  if (!(CurrentAce->Header.AceFlags & INHERIT_ONLY_ACE))
147  {
148  Sid = (PSID)(CurrentAce + 1);
149  if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
150  {
151  if (SepSidInToken(Token, Sid))
152  {
153  /* Map access rights from the ACE */
154  TempAccess = CurrentAce->AccessMask;
155  RtlMapGenericMask(&TempAccess, GenericMapping);
156 
157  /* Deny access rights that have not been granted yet */
158  TempDeniedAccess |= (TempAccess & ~TempGrantedAccess);
159  }
160  }
161  else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
162  {
163  if (SepSidInToken(Token, Sid))
164  {
165  /* Map access rights from the ACE */
166  TempAccess = CurrentAce->AccessMask;
167  RtlMapGenericMask(&TempAccess, GenericMapping);
168 
169  /* Grant access rights that have not been denied yet */
170  TempGrantedAccess |= (TempAccess & ~TempDeniedAccess);
171  }
172  }
173  else
174  {
  /* Any other ACE type is only logged and then skipped, so whatever it
   * would allow or deny has no effect on the result. */
175  DPRINT1("Unsupported ACE type 0x%lx\n", CurrentAce->Header.AceType);
176  }
177  }
178 
179  /* Get the next ACE */
  /* Advances by the size stored in the ACE itself; see the bounds note in
   * the function header. */
180  CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
181  }
182 
183  /* Fail if some rights have not been granted */
184  RemainingAccess &= ~(MAXIMUM_ALLOWED | TempGrantedAccess);
185  if (RemainingAccess != 0)
186  {
189  goto ReturnCommonStatus;
190  }
191 
192  /* Set granted access right and access status */
193  PreviouslyGrantedAccess |= TempGrantedAccess;
194  if (PreviouslyGrantedAccess != 0)
195  {
197  }
198  else
199  {
201  }
202  goto ReturnCommonStatus;
203  }
204 
205  /* RULE 4: Grant rights according to the DACL */
206  CurrentAce = (PACE)(Dacl + 1);
207  for (i = 0; i < Dacl->AceCount; i++)
208  {
209  if (!(CurrentAce->Header.AceFlags & INHERIT_ONLY_ACE))
210  {
211  Sid = (PSID)(CurrentAce + 1);
212  if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
213  {
214  if (SepSidInToken(Token, Sid))
215  {
216  /* Map access rights from the ACE */
217  TempAccess = CurrentAce->AccessMask;
218  RtlMapGenericMask(&TempAccess, GenericMapping);
219 
220  /* Leave if a remaining right must be denied */
  /* The break leaves the denied bits set in RemainingAccess; the denial
   * itself is expected from the RemainingAccess test after the loop. */
221  if (RemainingAccess & TempAccess)
222  break;
223  }
224  }
225  else if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
226  {
227  if (SepSidInToken(Token, Sid))
228  {
229  /* Map access rights from the ACE */
230  TempAccess = CurrentAce->AccessMask;
231  DPRINT("TempAccess 0x%08lx\n", TempAccess);
232  RtlMapGenericMask(&TempAccess, GenericMapping);
233 
234  /* Remove granted rights */
235  DPRINT("RemainingAccess 0x%08lx TempAccess 0x%08lx\n", RemainingAccess, TempAccess);
236  RemainingAccess &= ~TempAccess;
237  DPRINT("RemainingAccess 0x%08lx\n", RemainingAccess);
238  }
239  }
240  else
241  {
  /* As in the MAXIMUM_ALLOWED walk: logged and skipped, never applied. */
242  DPRINT1("Unsupported ACE type 0x%lx\n", CurrentAce->Header.AceType);
243  }
244  }
245 
246  /* Get the next ACE */
247  CurrentAce = (PACE)((ULONG_PTR)CurrentAce + CurrentAce->Header.AceSize);
248  }
249 
250  DPRINT("DesiredAccess %08lx\nPreviouslyGrantedAccess %08lx\nRemainingAccess %08lx\n",
251  DesiredAccess, PreviouslyGrantedAccess, RemainingAccess);
252 
253  /* Fail if some rights have not been granted */
  /* NOTE(review): the failure path below is compiled out by "#if 0". As far
   * as the visible lines show, neither an explicit deny (the break in the
   * loop above) nor a right that no ACE allowed stops the function here;
   * only the "no rights have been granted" test further down can still
   * fail. Treat this check as permissive until the block is re-enabled. */
254  if (RemainingAccess != 0)
255  {
256  DPRINT("HACK: RemainingAccess = 0x%08lx DesiredAccess = 0x%08lx\n", RemainingAccess, DesiredAccess);
257 #if 0
258  /* HACK HACK HACK */
260  goto ReturnCommonStatus;
261 #endif
262  }
263 
264  /* Set granted access rights */
265 
266 
267  /* Fail if no rights have been granted */
268  if (PreviouslyGrantedAccess == 0)
269  {
270  DPRINT1("PreviouslyGrantedAccess == 0 DesiredAccess = %08lx\n", DesiredAccess);
272  goto ReturnCommonStatus;
273  }
274 
276  goto ReturnCommonStatus;
277 
278 ReturnCommonStatus:
  /* One result slot unless the caller asked for a per-object-type list;
   * every slot receives the same mask and status. */
279  ResultListLength = UseResultList ? ObjectTypeListLength : 1;
280  for (i = 0; i < ResultListLength; i++)
281  {
282  GrantedAccessList[i] = PreviouslyGrantedAccess;
283  AccessStatusList[i] = Status;
284  }
285 
286  return NT_SUCCESS(Status);
287 }
288 
/*
 * SepGetSDOwner: returns the owner SID pointer of a security descriptor.
 * The name line and two statement lines are missing from this listing.
 *
 * For a self-relative descriptor (SE_SELF_RELATIVE set in Control) the Owner
 * field is used as an offset and converted to a pointer; otherwise the other
 * branch is taken (its statement is not visible here).
 *
 * NOTE(review): no check that the offset stays inside the descriptor is
 * visible, and the descriptor is dereferenced directly. Presumably the
 * missing continuation line adds the descriptor base; if so, an owner offset
 * of zero gives a non-NULL result, so a caller's "== NULL" test would not
 * catch a missing owner in the self-relative case -- confirm.
 */
289 static PSID
291 {
292  PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
293  PSID Owner;
294 
295  if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
296  Owner = (PSID)((ULONG_PTR)SecurityDescriptor->Owner +
298  else
300 
301  return Owner;
302 }
303 
/*
 * SepGetSDGroup: returns the primary group SID pointer of a security
 * descriptor. The name line and one continuation line are missing from this
 * listing.
 *
 * For a self-relative descriptor the Group field is used as an offset and
 * converted to a pointer; for an absolute descriptor it is returned as is.
 *
 * NOTE(review): as with the owner lookup, the offset is not range-checked
 * in the visible code and the descriptor is dereferenced directly, so this
 * helper is only safe on a descriptor that has already been captured and
 * validated.
 */
304 static PSID
306 {
307  PISECURITY_DESCRIPTOR SecurityDescriptor = _SecurityDescriptor;
308  PSID Group;
309 
310  if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
311  Group = (PSID)((ULONG_PTR)SecurityDescriptor->Group +
313  else
314  Group = (PSID)SecurityDescriptor->Group;
315 
316  return Group;
317 }
318 
/*
 * SepGetPrivilegeSetLength: size in bytes of a privilege set. The name line
 * is missing from this listing.
 *
 * Returns 0 for a NULL set, sizeof(PRIVILEGE_SET) minus one
 * LUID_AND_ATTRIBUTES for an empty set, and sizeof(PRIVILEGE_SET) plus
 * (PrivilegeCount - 1) entries otherwise. The "- 1" presumably accounts for
 * one entry declared inside PRIVILEGE_SET itself -- confirm against the
 * structure definition.
 *
 * NOTE(review): the result is narrowed to ULONG with no overflow check on
 * PrivilegeCount. That is fine for sets built by the kernel, but the value
 * must not be used as a copy length for a set whose count a caller controls.
 */
319 static
320 ULONG
322 {
323  if (PrivilegeSet == NULL)
324  return 0;
325 
  /* Handled separately so that (PrivilegeCount - 1) is never computed for
   * a count of zero. */
326  if (PrivilegeSet->PrivilegeCount == 0)
327  return (ULONG)(sizeof(PRIVILEGE_SET) - sizeof(LUID_AND_ATTRIBUTES));
328 
329  return (ULONG)(sizeof(PRIVILEGE_SET) +
330  (PrivilegeSet->PrivilegeCount - 1) * sizeof(LUID_AND_ATTRIBUTES));
331 }
332 
333 /* PUBLIC FUNCTIONS ***********************************************************/
334 
335 /*
336  * @implemented
337  */
/*
 * SeAccessCheck: exported access check. The parameter list and many
 * statement lines are missing from this listing (the gutter numbers skip).
 *
 * Visible flow: kernel-mode requests succeed immediately; a NULL security
 * descriptor or an invalid impersonation fails; the subject context is
 * locked if needed; the owner case is handled; then either the zero-access
 * shortcut or the internal check runs, and the lock is released.
 * Returns TRUE when access is granted, FALSE otherwise.
 *
 * NOTE(review): the AccessMode == KernelMode branch returns TRUE before the
 * descriptor is looked at. The result is therefore only meaningful when the
 * caller passes the mode of the original requestor rather than KernelMode
 * on behalf of a user-mode request.
 */
338 BOOLEAN
339 NTAPI
350 {
351  BOOLEAN ret;
352 
353  PAGED_CODE();
354 
355  /* Check if this is kernel mode */
356  if (AccessMode == KernelMode)
357  {
358  /* Check if kernel wants everything */
360  {
361  /* Give it */
365  }
366  else
367  {
368  /* Give the desired and previous access */
370  }
371 
372  /* Success */
374  return TRUE;
375  }
376 
377  /* Check if we didn't get an SD */
378  if (!SecurityDescriptor)
379  {
380  /* Automatic failure */
382  return FALSE;
383  }
384 
385  /* Check for invalid impersonation */
388  {
390  return FALSE;
391  }
392 
393  /* Acquire the lock if needed */
396 
397  /* Check if the token is the owner and grant WRITE_DAC and READ_CONTROL rights */
399  {
402 
405  FALSE))
406  {
409  else
411 
413  }
414  }
415 
  /* A request for no rights succeeds only if something was granted before. */
416  if (DesiredAccess == 0)
417  {
419  if (PreviouslyGrantedAccess == 0)
420  {
421  DPRINT1("Request for zero access to an object. Denying.\n");
423  ret = FALSE;
424  }
425  else
426  {
428  ret = TRUE;
429  }
430  }
431  else
432  {
433  /* Call the internal function */
  /* NULL and 0 presumably fill the object-type list and its length, and the
   * trailing FALSE requests a single result instead of a result list --
   * confirm against the SepAccessCheck signature. */
437  NULL,
438  0,
440  Privileges,
442  AccessMode,
444  AccessStatus,
445  FALSE);
446  }
447 
448  /* Release the lock if needed */
451 
452  return ret;
453 }
454 
455 /*
456  * @implemented
457  */
/*
 * SeFastTraverseCheck: quick test of whether the desired access is allowed
 * to the World SID. The parameter list and two statement lines are missing
 * from this listing.
 *
 * Returns TRUE for a descriptor whose DACL is NULL, or on the first
 * access-allowed ACE for SeWorldSid whose mask overlaps DesiredAccess.
 * Returns FALSE for a NULL descriptor, an empty DACL, a restricted token,
 * any access-denied ACE whose mask overlaps DesiredAccess, or when no ACE
 * matches.
 *
 * NOTE(review): the ACE walk advances by Header.AceSize with no visible
 * check against the ACL's size; it relies on an already validated DACL.
 */
458 BOOLEAN
459 NTAPI
464 {
465  PACL Dacl;
466  ULONG AceIndex;
467  PKNOWN_ACE Ace;
468 
469  PAGED_CODE();
470 
472 
473  if (SecurityDescriptor == NULL)
474  return FALSE;
475 
476  /* Get DACL */
478  /* If no DACL, grant access */
479  if (Dacl == NULL)
480  return TRUE;
481 
482  /* No ACE -> Deny */
483  if (!Dacl->AceCount)
484  return FALSE;
485 
486  /* Can't perform the check on restricted token */
487  if (AccessState->Flags & TOKEN_IS_RESTRICTED)
488  return FALSE;
489 
490  /* Browse the ACEs */
491  for (AceIndex = 0, Ace = (PKNOWN_ACE)((ULONG_PTR)Dacl + sizeof(ACL));
492  AceIndex < Dacl->AceCount;
493  AceIndex++, Ace = (PKNOWN_ACE)((ULONG_PTR)Ace + Ace->Header.AceSize))
494  {
495  if (Ace->Header.AceFlags & INHERIT_ONLY_ACE)
496  continue;
497 
498  /* If access-allowed ACE */
499  if (Ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
500  {
501  /* Check if all accesses are granted */
  /* NOTE(review): the test below only skips the ACE when it shares no bit
   * with DesiredAccess; it does not require every desired bit. With more
   * than one bit in DesiredAccess, a World ACE granting just one of them
   * returns TRUE. Requiring all bits would be
   * (Ace->Mask & DesiredAccess) == DesiredAccess. */
502  if (!(Ace->Mask & DesiredAccess))
503  continue;
504 
505  /* Check SID and grant access if matching */
506  if (RtlEqualSid(SeWorldSid, &(Ace->SidStart)))
507  return TRUE;
508  }
509  /* If access-denied ACE */
510  else if (Ace->Header.AceType == ACCESS_DENIED_ACE_TYPE)
511  {
512  /* Here, only check if it denies any access wanted and deny if so */
  /* The SID is not compared: any overlapping deny ACE fails the check,
   * whoever it names. */
513  if (Ace->Mask & DesiredAccess)
514  return FALSE;
515  }
516  }
517 
518  /* Faulty, deny */
519  return FALSE;
520 }
521 
522 /* SYSTEM CALLS ***************************************************************/
523 
524 /*
525  * @implemented
526  */
/*
 * NtAccessCheck: system call that checks a client token against a security
 * descriptor. Part of the signature and many statement lines are missing
 * from this listing (the gutter numbers skip).
 *
 * Visible flow: kernel-mode callers succeed immediately; user pointers are
 * probed inside SEH; the token is referenced and must be an impersonation
 * token of at least SecurityIdentification level; privileges are checked
 * and returned through PrivilegeSet; the security descriptor is captured;
 * the owner case and the DACL check run; everything is released.
 * The verdict is reported through *AccessStatus and *GrantedAccess; the
 * function itself returns STATUS_SUCCESS once the check has been carried
 * out, including when the privilege check fails.
 *
 * NOTE(review): the FIXME comments below show that the owner/group test,
 * SepTokenIsOwner and SepAccessCheck all receive the caller's original
 * SecurityDescriptor pointer instead of CapturedSecurityDescriptor. For a
 * user-mode caller that is memory the caller can change while the check is
 * running, and it is read outside the SEH block. The captured copy exists
 * to prevent exactly that; switching those calls to it is the fix the
 * FIXMEs ask for.
 */
527 NTSTATUS
528 NTAPI
533  OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL,
534  IN OUT PULONG PrivilegeSetLength,
537 {
538  PSECURITY_DESCRIPTOR CapturedSecurityDescriptor = NULL;
543  ULONG CapturedPrivilegeSetLength, RequiredPrivilegeSetLength;
544  PTOKEN Token;
546  PAGED_CODE();
547 
548  /* Check if this is kernel mode */
549  if (PreviousMode == KernelMode)
550  {
551  /* Check if kernel wants everything */
553  {
554  /* Give it */
557  }
558  else
559  {
560  /* Just give the desired access */
562  }
563 
564  /* Success */
566  return STATUS_SUCCESS;
567  }
568 
569  /* Protect probe in SEH */
570  _SEH2_TRY
571  {
572  /* Probe all pointers */
  /* NOTE(review): *PrivilegeSetLength is read once for the ProbeForWrite
   * length and again below for the capture. These are two separate reads of
   * caller-writable memory, so the length that was probed and the length
   * later used for the size checks can differ. Read it once into
   * CapturedPrivilegeSetLength and probe PrivilegeSet with that value. */
574  ProbeForRead(PrivilegeSetLength, sizeof(ULONG), sizeof(ULONG));
575  ProbeForWrite(PrivilegeSet, *PrivilegeSetLength, sizeof(ULONG));
576  ProbeForWrite(GrantedAccess, sizeof(ACCESS_MASK), sizeof(ULONG));
577  ProbeForWrite(AccessStatus, sizeof(NTSTATUS), sizeof(ULONG));
578 
579  /* Capture the privilege set length and the mapping */
580  CapturedPrivilegeSetLength = *PrivilegeSetLength;
581  }
583  {
584  /* Return the exception code */
586  }
587  _SEH2_END;
588 
589  /* Check for unmapped access rights */
592 
593  /* Reference the token */
595  TOKEN_QUERY,
597  PreviousMode,
598  (PVOID*)&Token,
599  NULL);
600  if (!NT_SUCCESS(Status))
601  {
602  DPRINT("Failed to reference token (Status %lx)\n", Status);
603  return Status;
604  }
605 
606  /* Check token type */
607  if (Token->TokenType != TokenImpersonation)
608  {
609  DPRINT("No impersonation token\n");
612  }
613 
614  /* Check the impersonation level */
615  if (Token->ImpersonationLevel < SecurityIdentification)
616  {
617  DPRINT("Impersonation level < SecurityIdentification\n");
620  }
621 
622  /* Check for ACCESS_SYSTEM_SECURITY and WRITE_OWNER access */
625  NULL,
626  Token,
627  &Privileges,
628  PreviousMode);
629  if (!NT_SUCCESS(Status))
630  {
631  DPRINT("SePrivilegePolicyCheck failed (Status 0x%08lx)\n", Status);
  /* NOTE(review): from here on, stores through AccessStatus, GrantedAccess,
   * PrivilegeSetLength and PrivilegeSet come after the _SEH2_END above, and
   * no enclosing _SEH2_TRY is visible (lines are missing, so confirm).
   * Probing does not keep user pages valid, so every later access to these
   * pointers needs its own exception guard. */
633  *AccessStatus = Status;
634  *GrantedAccess = 0;
635  return STATUS_SUCCESS;
636  }
637 
638  /* Check the size of the privilege set and return the privileges */
639  if (Privileges != NULL)
640  {
641  DPRINT("Privileges != NULL\n");
642 
643  /* Calculate the required privilege set buffer size */
644  RequiredPrivilegeSetLength = SepGetPrivilegeSetLength(Privileges);
645 
646  /* Fail if the privilege set buffer is too small */
647  if (CapturedPrivilegeSetLength < RequiredPrivilegeSetLength)
648  {
651  *PrivilegeSetLength = RequiredPrivilegeSetLength;
653  }
654 
655  /* Copy the privilege set to the caller */
  /* The size check above uses the captured length, which is not guaranteed
   * to be the length PrivilegeSet was probed with (see the probe note). */
656  RtlCopyMemory(PrivilegeSet,
657  Privileges,
658  RequiredPrivilegeSetLength);
659 
660  /* Free the local privilege set */
662  }
663  else
664  {
665  DPRINT("Privileges == NULL\n");
666 
667  /* Fail if the privilege set buffer is too small */
668  if (CapturedPrivilegeSetLength < sizeof(PRIVILEGE_SET))
669  {
671  *PrivilegeSetLength = sizeof(PRIVILEGE_SET);
673  }
674 
675  /* Initialize the privilege set */
  /* PrivilegeSet is declared OPTIONAL in the signature but is written
   * unconditionally here. */
676  PrivilegeSet->PrivilegeCount = 0;
677  PrivilegeSet->Control = 0;
678  }
679 
680  /* Capture the security descriptor */
682  PreviousMode,
683  PagedPool,
684  FALSE,
685  &CapturedSecurityDescriptor);
686  if (!NT_SUCCESS(Status))
687  {
688  DPRINT("Failed to capture the Security Descriptor\n");
690  return Status;
691  }
692 
693  /* Check the captured security descriptor */
694  if (CapturedSecurityDescriptor == NULL)
695  {
696  DPRINT("Security Descriptor is NULL\n");
699  }
700 
701  /* Check security descriptor for valid owner and group */
702  if (SepGetSDOwner(SecurityDescriptor) == NULL || // FIXME: use CapturedSecurityDescriptor
703  SepGetSDGroup(SecurityDescriptor) == NULL) // FIXME: use CapturedSecurityDescriptor
704  {
705  DPRINT("Security Descriptor does not have a valid group or owner\n");
706  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
707  PreviousMode,
708  FALSE);
711  }
712 
713  /* Set up the subject context, and lock it */
715 
716  /* Lock the token */
718 
719  /* Check if the token is the owner and grant WRITE_DAC and READ_CONTROL rights */
721  {
722  if (SepTokenIsOwner(Token, SecurityDescriptor, FALSE)) // FIXME: use CapturedSecurityDescriptor
723  {
726  else
728 
730  }
731  }
732 
733  if (DesiredAccess == 0)
734  {
737  }
738  else
739  {
740  /* Now perform the access check */
  /* Besides the uncaptured descriptor, the argument marked FIXME below is
   * the address of the PrivilegeSet parameter, not a privilege-set
   * pointer owned by this function. */
741  SepAccessCheck(SecurityDescriptor, // FIXME: use CapturedSecurityDescriptor
744  NULL,
745  0,
747  &PrivilegeSet, //FIXME
749  PreviousMode,
751  AccessStatus,
752  FALSE);
753  }
754 
755  /* Release subject context and unlock the token */
758 
759  /* Release the captured security descriptor */
760  SeReleaseSecurityDescriptor(CapturedSecurityDescriptor,
761  PreviousMode,
762  FALSE);
763 
764  /* Dereference the token */
766 
767  /* Check succeeded */
768  return STATUS_SUCCESS;
769 }
770 
771 
/*
 * NtAccessCheckByType: unimplemented system call stub. The name line and
 * several parameter lines are missing from this listing.
 *
 * The only visible statement returns STATUS_NOT_IMPLEMENTED, so the call
 * fails closed. No store to the GrantedAccess or AccessStatus outputs is
 * visible on this path, so callers must test the returned status before
 * reading them.
 */
772 NTSTATUS
773 NTAPI
775  IN PSID PrincipalSelfSid,
776  IN HANDLE ClientToken,
778  IN POBJECT_TYPE_LIST ObjectTypeList,
779  IN ULONG ObjectTypeLength,
781  IN PPRIVILEGE_SET PrivilegeSet,
782  IN OUT PULONG PrivilegeSetLength,
785 {
787  return STATUS_NOT_IMPLEMENTED;
788 }
789 
/*
 * NtAccessCheckByTypeResultList: unimplemented system call stub. The name
 * line and several parameter lines are missing from this listing.
 *
 * The only visible statement returns STATUS_NOT_IMPLEMENTED, so the call
 * fails closed. No store to the GrantedAccess or AccessStatus outputs is
 * visible on this path, so callers must test the returned status before
 * reading them.
 */
790 NTSTATUS
791 NTAPI
793  IN PSID PrincipalSelfSid,
794  IN HANDLE ClientToken,
796  IN POBJECT_TYPE_LIST ObjectTypeList,
797  IN ULONG ObjectTypeLength,
799  IN PPRIVILEGE_SET PrivilegeSet,
800  IN OUT PULONG PrivilegeSetLength,
803 {
805  return STATUS_NOT_IMPLEMENTED;
806 }
807 
808 /* EOF */
struct _KNOWN_ACE * PKNOWN_ACE
* PNTSTATUS
Definition: strlen.c:14
#define MAXIMUM_ALLOWED
Definition: nt_native.h:83
VOID NTAPI SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:301
BOOLEAN NTAPI SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN BOOLEAN SubjectContextLocked, IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK PreviouslyGrantedAccess, OUT PPRIVILEGE_SET *Privileges, IN PGENERIC_MAPPING GenericMapping, IN KPROCESSOR_MODE AccessMode, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus)
Definition: accesschk.c:340
#define IN
Definition: typedefs.h:38
VOID NTAPI SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:360
#define GENERIC_ALL
Definition: nt_native.h:92
UCHAR AceFlags
Definition: ms-dtyp.idl:211
#define TRUE
Definition: types.h:120
NTSYSAPI VOID NTAPI RtlCopyMemory(VOID UNALIGNED *Destination, CONST VOID UNALIGNED *Source, ULONG Length)
#define STATUS_INVALID_SECURITY_DESCR
Definition: ntstatus.h:343
#define STATUS_BAD_IMPERSONATION_LEVEL
Definition: ntstatus.h:387
#define SE_SELF_RELATIVE
Definition: setypes.h:780
VOID NTAPI SeUnlockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:336
struct _PRIVILEGE_SET PRIVILEGE_SET
Definition: se.h:3
#define STATUS_NOT_IMPLEMENTED
Definition: ntstatus.h:225
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182
_In_opt_ PSID Group
Definition: rtlfuncs.h:1606
struct _ACE * PACE
LONG NTSTATUS
Definition: precomp.h:26
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
struct _LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES
VOID NTAPI SeLockSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext)
Definition: access.c:314
KPROCESSOR_MODE NTAPI ExGetPreviousMode(VOID)
Definition: sysinfo.c:2966
VOID NTAPI ObDereferenceObject(IN PVOID Object)
Definition: obref.c:375
ACCESS_MASK AccessMask
Definition: rtltypes.h:991
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:143
BOOLEAN NTAPI SepTokenIsOwner(IN PACCESS_TOKEN _Token, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN TokenLocked)
Definition: access.c:120
#define PAGED_CODE()
Definition: video.h:57
NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PACL *Dacl, _Out_ PBOOLEAN DaclDefaulted)
NTSTATUS NTAPI SeReleaseSecurityDescriptor(IN PSECURITY_DESCRIPTOR CapturedSecurityDescriptor, IN KPROCESSOR_MODE CurrentMode, IN BOOLEAN CaptureIfKernelMode)
Definition: sd.c:766
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:64
_SEH2_TRY
Definition: create.c:4250
uint32_t ULONG_PTR
Definition: typedefs.h:63
USHORT AceSize
Definition: ms-dtyp.idl:212
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint 
GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
Definition: obref.c:496
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
#define GENERIC_WRITE
Definition: nt_native.h:90
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:396
#define STATUS_GENERIC_NOT_MAPPED
Definition: ntstatus.h:452
Definition: card.h:12
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
unsigned char BOOLEAN
smooth NULL
Definition: ftsmooth.c:416
POBJECT_TYPE SeTokenObjectType
Definition: token.c:34
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1104
NTSTATUS NTAPI NtAccessCheckByType(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID PrincipalSelfSid, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE_LIST ObjectTypeList, IN ULONG ObjectTypeLength, IN PGENERIC_MAPPING GenericMapping, IN PPRIVILEGE_SET PrivilegeSet, IN OUT PULONG PrivilegeSetLength, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus)
Definition: accesschk.c:774
void DPRINT(...)
Definition: polytest.cpp:61
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:715
static PSID SepGetSDOwner(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
Definition: accesschk.c:290
#define STATUS_NO_IMPERSONATION_TOKEN
Definition: ntstatus.h:314
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN SubjectContextLocked
Definition: sefuncs.h:13
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
PACCESS_TOKEN PrimaryToken
Definition: setypes.h:192
#define TOKEN_QUERY
Definition: setypes.h:874
#define _SEH2_YIELD(STMT_)
Definition: pseh2_64.h:8
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
static ULONG SepGetPrivilegeSetLength(IN PPRIVILEGE_SET PrivilegeSet)
Definition: accesschk.c:321
#define ACCESS_ALLOWED_ACE_TYPE
Definition: setypes.h:685
#define WRITE_DAC
Definition: nt_native.h:59
#define STATUS_ACCESS_DENIED
Definition: udferr_usr.h:145
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
#define ACCESS_DENIED_ACE_TYPE
Definition: setypes.h:686
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13
struct _SID * PSID
Definition: eventlog.c:35
#define READ_CONTROL
Definition: nt_native.h:58
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel) ?(CompletionRoutine !=NULL) :TRUE)
_In_opt_ PVOID _In_opt_ PUNICODE_STRING _In_ PSECURITY_DESCRIPTOR _In_ PACCESS_STATE AccessState
Definition: sefuncs.h:414
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1553
int ret
UCHAR AceType
Definition: ms-dtyp.idl:210
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
#define SepReleaseTokenLock(Token)
Definition: se.h:211
BOOLEAN NTAPI SepSidInToken(IN PACCESS_TOKEN _Token, IN PSID Sid)
Definition: access.c:111
NTSTATUS NTAPI SePrivilegePolicyCheck(_Inout_ PACCESS_MASK DesiredAccess, _Inout_ PACCESS_MASK GrantedAccess, _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, _In_ PTOKEN Token, _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet, _In_ KPROCESSOR_MODE PreviousMode)
Definition: priv.c:158
#define GENERIC_READ
Definition: compat.h:124
_In_ ULONG AceIndex
Definition: rtlfuncs.h:1864
PSID SeWorldSid
Definition: sid.c:31
Status
Definition: gdiplustypes.h:24
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
FORCEINLINE PACL SepGetDaclFromDescriptor(PVOID _Descriptor)
Definition: se.h:67
_SEH2_END
Definition: create.c:4424
VOID NTAPI SeFreePrivileges(IN PPRIVILEGE_SET Privileges)
Definition: priv.c:480
NTSTATUS NTAPI NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN HANDLE TokenHandle, IN ACCESS_MASK DesiredAccess, IN PGENERIC_MAPPING GenericMapping, OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL, IN OUT PULONG PrivilegeSetLength, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus)
Definition: accesschk.c:529
NTSTATUS NTAPI NtAccessCheckByTypeResultList(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID PrincipalSelfSid, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE_LIST ObjectTypeList, IN ULONG ObjectTypeLength, IN PGENERIC_MAPPING GenericMapping, IN PPRIVILEGE_SET PrivilegeSet, IN OUT PULONG PrivilegeSetLength, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus)
Definition: accesschk.c:792
_In_ PIO_STACK_LOCATION _Inout_ PFILE_OBJECT _Inout_ PVCB _Outptr_result_maybenull_ PDCB _In_ PDCB _In_ PDIRENT _In_ ULONG _In_ ULONG _In_ PUNICODE_STRING _In_ PACCESS_MASK DesiredAccess
Definition: create.c:4157
unsigned int * PULONG
Definition: retypes.h:1
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ OwnerSize PSID Owner
Definition: rtlfuncs.h:1557
#define DPRINT1
Definition: precomp.h:8
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
Definition: setypes.h:191
#define SepAcquireTokenLockShared(Token)
Definition: se.h:205
#define OUT
Definition: typedefs.h:39
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK PreviouslyGrantedAccess
Definition: sefuncs.h:13
static PSID SepGetSDGroup(IN PSECURITY_DESCRIPTOR _SecurityDescriptor)
Definition: accesschk.c:305
unsigned int ULONG
Definition: retypes.h:1
ACCESS_MASK * PACCESS_MASK
Definition: nt_native.h:41
#define UNIMPLEMENTED
Definition: debug.h:114
#define ULONG_PTR
Definition: config.h:101
#define INHERIT_ONLY_ACE
Definition: setypes.h:717
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:6
NTSTATUS NTAPI SeCaptureSecurityDescriptor(IN PSECURITY_DESCRIPTOR _OriginalSecurityDescriptor, IN KPROCESSOR_MODE CurrentMode, IN POOL_TYPE PoolType, IN BOOLEAN CaptureIfKernel, OUT PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor)
Definition: sd.c:434
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:12
ACCESS_MASK GenericAll
Definition: nt_native.h:568
BOOLEAN NTAPI SepAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE_LIST ObjectTypeList, IN ULONG ObjectTypeListLength, IN ACCESS_MASK PreviouslyGrantedAccess, OUT PPRIVILEGE_SET *Privileges, IN PGENERIC_MAPPING GenericMapping, IN KPROCESSOR_MODE AccessMode, OUT PACCESS_MASK GrantedAccessList, OUT PNTSTATUS AccessStatusList, IN BOOLEAN UseResultList)
Definition: accesschk.c:25
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:13
#define GENERIC_EXECUTE
Definition: nt_native.h:91
BOOLEAN NTAPI SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PACCESS_STATE AccessState, IN ACCESS_MASK DesiredAccess, IN KPROCESSOR_MODE AccessMode)
Definition: accesschk.c:460
return STATUS_SUCCESS
Definition: btrfs.c:2725
PACCESS_TOKEN ClientToken
Definition: setypes.h:190
Definition: rtltypes.h:988
ACE_HEADER Header
Definition: rtltypes.h:990
ULONG ACCESS_MASK
Definition: nt_native.h:40
NTSYSAPI VOID NTAPI RtlMapGenericMask(PACCESS_MASK AccessMask, PGENERIC_MAPPING GenericMapping)
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
#define TOKEN_IS_RESTRICTED
Definition: setypes.h:1129
_In_ PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext
Definition: sefuncs.h:13
PULONG MinorVersion OPTIONAL
Definition: CrossNt.h:68