1 /*
2 * PROJECT: ReactOS Kernel
3 * LICENSE: GPL - See COPYING in the top level directory
4 * FILE: ntoskrnl/ob/obsecure.c
5 * PURPOSE: SRM Interface of the Object Manager
6 * PROGRAMMERS: Alex Ionescu (alex@relsoft.net)
7 * Eric Kohl
8 */
9
10 /* INCLUDES *****************************************************************/
11
12 #include <ntoskrnl.h>
13 #define NDEBUG
14 #include <debug.h>
15
16 /* PRIVATE FUNCTIONS *********************************************************/
17
18 NTSTATUS
19 NTAPI
ObAssignObjectSecurityDescriptor(IN PVOID Object,IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,IN POOL_TYPE PoolType)20 ObAssignObjectSecurityDescriptor(IN PVOID Object,
21 IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
22 IN POOL_TYPE PoolType)
23 {
24 POBJECT_HEADER ObjectHeader;
25 NTSTATUS Status;
26 PSECURITY_DESCRIPTOR NewSd;
27 PEX_FAST_REF FastRef;
28 PAGED_CODE();
29
30 /* Get the object header */
31 ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object);
32 FastRef = (PEX_FAST_REF)&ObjectHeader->SecurityDescriptor;
33 if (!SecurityDescriptor)
34 {
35 /* Nothing to assign */
36 ExInitializeFastReference(FastRef, NULL);
37 return STATUS_SUCCESS;
38 }
39
40 /* Add it to our internal cache */
41 Status = ObLogSecurityDescriptor(SecurityDescriptor,
42 &NewSd,
43 MAX_FAST_REFS + 1);
44 if (NT_SUCCESS(Status))
45 {
46 /* Free the old copy */
47 ExFreePoolWithTag(SecurityDescriptor, TAG_SD);
48
49 /* Set the new pointer */
50 ASSERT(NewSd);
51 ExInitializeFastReference(FastRef, NewSd);
52 }
53
54 /* Return status */
55 return Status;
56 }
57
58 NTSTATUS
59 NTAPI
ObDeassignSecurity(IN OUT PSECURITY_DESCRIPTOR * SecurityDescriptor)60 ObDeassignSecurity(IN OUT PSECURITY_DESCRIPTOR *SecurityDescriptor)
61 {
62 EX_FAST_REF FastRef;
63 ULONG Count;
64 PSECURITY_DESCRIPTOR OldSecurityDescriptor;
65
66 /* Get the fast reference and capture it */
67 FastRef = *(PEX_FAST_REF)SecurityDescriptor;
68
69 /* Don't free again later */
70 *SecurityDescriptor = NULL;
71
72 /* Get the descriptor and reference count */
73 OldSecurityDescriptor = ExGetObjectFastReference(FastRef);
74 Count = ExGetCountFastReference(FastRef);
75
76 /* Dereference the descriptor */
77 ObDereferenceSecurityDescriptor(OldSecurityDescriptor, Count + 1);
78
79 /* All done */
80 return STATUS_SUCCESS;
81 }
82
83 NTSTATUS
84 NTAPI
ObQuerySecurityDescriptorInfo(IN PVOID Object,IN PSECURITY_INFORMATION SecurityInformation,OUT PSECURITY_DESCRIPTOR SecurityDescriptor,IN OUT PULONG Length,IN PSECURITY_DESCRIPTOR * OutputSecurityDescriptor)85 ObQuerySecurityDescriptorInfo(IN PVOID Object,
86 IN PSECURITY_INFORMATION SecurityInformation,
87 OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
88 IN OUT PULONG Length,
89 IN PSECURITY_DESCRIPTOR *OutputSecurityDescriptor)
90 {
91 POBJECT_HEADER ObjectHeader;
92 NTSTATUS Status;
93 PSECURITY_DESCRIPTOR ObjectSd;
94 PAGED_CODE();
95
96 /* Get the object header */
97 ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object);
98
99 /* Get the SD */
100 ObjectSd = ObpReferenceSecurityDescriptor(ObjectHeader);
101
102 /* Query the information */
103 Status = SeQuerySecurityDescriptorInfo(SecurityInformation,
104 SecurityDescriptor,
105 Length,
106 &ObjectSd);
107
108 /* Check if we have an object SD and dereference it, if so */
109 if (ObjectSd) ObDereferenceSecurityDescriptor(ObjectSd, 1);
110
111 /* Return status */
112 return Status;
113 }
114
115 NTSTATUS
116 NTAPI
ObSetSecurityDescriptorInfo(IN PVOID Object,IN PSECURITY_INFORMATION SecurityInformation,IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,IN OUT PSECURITY_DESCRIPTOR * OutputSecurityDescriptor,IN POOL_TYPE PoolType,IN PGENERIC_MAPPING GenericMapping)117 ObSetSecurityDescriptorInfo(IN PVOID Object,
118 IN PSECURITY_INFORMATION SecurityInformation,
119 IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
120 IN OUT PSECURITY_DESCRIPTOR *OutputSecurityDescriptor,
121 IN POOL_TYPE PoolType,
122 IN PGENERIC_MAPPING GenericMapping)
123 {
124 NTSTATUS Status;
125 POBJECT_HEADER ObjectHeader;
126 PSECURITY_DESCRIPTOR OldDescriptor, NewDescriptor, CachedDescriptor;
127 PEX_FAST_REF FastRef;
128 EX_FAST_REF OldValue;
129 ULONG Count;
130 PAGED_CODE();
131
132 /* Get the object header */
133 ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object);
134 while (TRUE)
135 {
136 /* Reference the old descriptor */
137 OldDescriptor = ObpReferenceSecurityDescriptor(ObjectHeader);
138 NewDescriptor = OldDescriptor;
139
140 /* Set the SD information */
141 Status = SeSetSecurityDescriptorInfo(Object,
142 SecurityInformation,
143 SecurityDescriptor,
144 &NewDescriptor,
145 PoolType,
146 GenericMapping);
147 if (!NT_SUCCESS(Status))
148 {
149 /* We failed, dereference the old one */
150 if (OldDescriptor) ObDereferenceSecurityDescriptor(OldDescriptor, 1);
151 break;
152 }
153
154 /* Now add this to the cache */
155 Status = ObLogSecurityDescriptor(NewDescriptor,
156 &CachedDescriptor,
157 MAX_FAST_REFS + 1);
158
159 /* Let go of our uncached copy */
160 ExFreePool(NewDescriptor);
161
162 /* Check for success */
163 if (!NT_SUCCESS(Status))
164 {
165 /* We failed, dereference the old one */
166 ObDereferenceSecurityDescriptor(OldDescriptor, 1);
167 break;
168 }
169
170 /* Do the swap */
171 FastRef = (PEX_FAST_REF)OutputSecurityDescriptor;
172 OldValue = ExCompareSwapFastReference(FastRef,
173 CachedDescriptor,
174 OldDescriptor);
175
176 /* Make sure the swap worked */
177 if (ExGetObjectFastReference(OldValue) == OldDescriptor)
178 {
179 /* Flush waiters */
180 ObpAcquireObjectLock(ObjectHeader);
181 ObpReleaseObjectLock(ObjectHeader);
182
183 /* And dereference the old one */
184 Count = ExGetCountFastReference(OldValue);
185 ObDereferenceSecurityDescriptor(OldDescriptor, Count + 2);
186 break;
187 }
188 else
189 {
190 /* Someone changed it behind our back -- try again */
191 ObDereferenceSecurityDescriptor(OldDescriptor, 1);
192 ObDereferenceSecurityDescriptor(CachedDescriptor,
193 MAX_FAST_REFS + 1);
194 }
195 }
196
197 /* Return status */
198 return Status;
199 }
200
201 BOOLEAN
202 NTAPI
ObCheckCreateObjectAccess(IN PVOID Object,IN ACCESS_MASK CreateAccess,IN PACCESS_STATE AccessState,IN PUNICODE_STRING ComponentName,IN BOOLEAN LockHeld,IN KPROCESSOR_MODE AccessMode,OUT PNTSTATUS AccessStatus)203 ObCheckCreateObjectAccess(IN PVOID Object,
204 IN ACCESS_MASK CreateAccess,
205 IN PACCESS_STATE AccessState,
206 IN PUNICODE_STRING ComponentName,
207 IN BOOLEAN LockHeld,
208 IN KPROCESSOR_MODE AccessMode,
209 OUT PNTSTATUS AccessStatus)
210 {
211 POBJECT_HEADER ObjectHeader;
212 POBJECT_TYPE ObjectType;
213 PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
214 BOOLEAN SdAllocated;
215 BOOLEAN Result = TRUE;
216 ACCESS_MASK GrantedAccess = 0;
217 PPRIVILEGE_SET Privileges = NULL;
218 NTSTATUS Status;
219 PAGED_CODE();
220
221 /* Get the header and type */
222 ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object);
223 ObjectType = ObjectHeader->Type;
224
225 /* Get the security descriptor */
226 Status = ObGetObjectSecurity(Object, &SecurityDescriptor, &SdAllocated);
227 if (!NT_SUCCESS(Status))
228 {
229 /* We failed */
230 *AccessStatus = Status;
231 return FALSE;
232 }
233
234 /* Lock the security context */
235 SeLockSubjectContext(&AccessState->SubjectSecurityContext);
236
237 /* Check if we have an SD */
238 if (SecurityDescriptor)
239 {
240 /* Now do the entire access check */
241 Result = SeAccessCheck(SecurityDescriptor,
242 &AccessState->SubjectSecurityContext,
243 TRUE,
244 CreateAccess,
245 0,
246 &Privileges,
247 &ObjectType->TypeInfo.GenericMapping,
248 AccessMode,
249 &GrantedAccess,
250 AccessStatus);
251 if (Privileges)
252 {
253 /* We got privileges, append them to the access state and free them */
254 Status = SeAppendPrivileges(AccessState, Privileges);
255 SeFreePrivileges(Privileges);
256 }
257 }
258
259 /* We're done, unlock the context and release security */
260 SeUnlockSubjectContext(&AccessState->SubjectSecurityContext);
261 ObReleaseObjectSecurity(SecurityDescriptor, SdAllocated);
262 return Result;
263 }
264
265 BOOLEAN
266 NTAPI
ObpCheckTraverseAccess(IN PVOID Object,IN ACCESS_MASK TraverseAccess,IN PACCESS_STATE AccessState OPTIONAL,IN BOOLEAN LockHeld,IN KPROCESSOR_MODE AccessMode,OUT PNTSTATUS AccessStatus)267 ObpCheckTraverseAccess(IN PVOID Object,
268 IN ACCESS_MASK TraverseAccess,
269 IN PACCESS_STATE AccessState OPTIONAL,
270 IN BOOLEAN LockHeld,
271 IN KPROCESSOR_MODE AccessMode,
272 OUT PNTSTATUS AccessStatus)
273 {
274 POBJECT_HEADER ObjectHeader;
275 POBJECT_TYPE ObjectType;
276 PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
277 BOOLEAN SdAllocated;
278 BOOLEAN Result;
279 ACCESS_MASK GrantedAccess = 0;
280 PPRIVILEGE_SET Privileges = NULL;
281 NTSTATUS Status;
282 PAGED_CODE();
283
284 /* Get the header and type */
285 ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object);
286 ObjectType = ObjectHeader->Type;
287
288 /* Get the security descriptor */
289 Status = ObGetObjectSecurity(Object, &SecurityDescriptor, &SdAllocated);
290 if (!NT_SUCCESS(Status))
291 {
292 /* We failed */
293 *AccessStatus = Status;
294 return FALSE;
295 }
296
297 /* First try to perform a fast traverse check
298 * If it fails, then the entire access check will
299 * have to be done.
300 */
301 Result = SeFastTraverseCheck(SecurityDescriptor,
302 AccessState,
303 FILE_WRITE_DATA,
304 AccessMode);
305 if (Result)
306 {
307 ObReleaseObjectSecurity(SecurityDescriptor, SdAllocated);
308 return TRUE;
309 }
310
311 /* Lock the security context */
312 SeLockSubjectContext(&AccessState->SubjectSecurityContext);
313
314 /* Now do the entire access check */
315 Result = SeAccessCheck(SecurityDescriptor,
316 &AccessState->SubjectSecurityContext,
317 TRUE,
318 TraverseAccess,
319 0,
320 &Privileges,
321 &ObjectType->TypeInfo.GenericMapping,
322 AccessMode,
323 &GrantedAccess,
324 AccessStatus);
325 if (Privileges)
326 {
327 /* We got privileges, append them to the access state and free them */
328 Status = SeAppendPrivileges(AccessState, Privileges);
329 SeFreePrivileges(Privileges);
330 }
331
332 /* We're done, unlock the context and release security */
333 SeUnlockSubjectContext(&AccessState->SubjectSecurityContext);
334 ObReleaseObjectSecurity(SecurityDescriptor, SdAllocated);
335 return Result;
336 }
337
338 BOOLEAN
339 NTAPI
ObpCheckObjectReference(IN PVOID Object,IN OUT PACCESS_STATE AccessState,IN BOOLEAN LockHeld,IN KPROCESSOR_MODE AccessMode,OUT PNTSTATUS AccessStatus)340 ObpCheckObjectReference(IN PVOID Object,
341 IN OUT PACCESS_STATE AccessState,
342 IN BOOLEAN LockHeld,
343 IN KPROCESSOR_MODE AccessMode,
344 OUT PNTSTATUS AccessStatus)
345 {
346 POBJECT_HEADER ObjectHeader;
347 POBJECT_TYPE ObjectType;
348 PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
349 BOOLEAN SdAllocated;
350 BOOLEAN Result;
351 ACCESS_MASK GrantedAccess = 0;
352 PPRIVILEGE_SET Privileges = NULL;
353 NTSTATUS Status;
354 PAGED_CODE();
355
356 /* Get the header and type */
357 ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object);
358 ObjectType = ObjectHeader->Type;
359
360 /* Get the security descriptor */
361 Status = ObGetObjectSecurity(Object, &SecurityDescriptor, &SdAllocated);
362 if (!NT_SUCCESS(Status))
363 {
364 /* We failed */
365 *AccessStatus = Status;
366 return FALSE;
367 }
368
369 /* Lock the security context */
370 SeLockSubjectContext(&AccessState->SubjectSecurityContext);
371
372 /* Now do the entire access check */
373 Result = SeAccessCheck(SecurityDescriptor,
374 &AccessState->SubjectSecurityContext,
375 TRUE,
376 AccessState->RemainingDesiredAccess,
377 AccessState->PreviouslyGrantedAccess,
378 &Privileges,
379 &ObjectType->TypeInfo.GenericMapping,
380 AccessMode,
381 &GrantedAccess,
382 AccessStatus);
383 if (Result)
384 {
385 /* Update the access state */
386 AccessState->RemainingDesiredAccess &= ~GrantedAccess;
387 AccessState->PreviouslyGrantedAccess |= GrantedAccess;
388 }
389
390 /* Check if we have an SD */
391 if (SecurityDescriptor)
392 {
393 /* Do audit alarm */
394 #if 0
395 SeObjectReferenceAuditAlarm(&AccessState->OperationID,
396 Object,
397 SecurityDescriptor,
398 &AccessState->SubjectSecurityContext,
399 AccessState->RemainingDesiredAccess |
400 AccessState->PreviouslyGrantedAccess,
401 ((PAUX_ACCESS_DATA)(AccessState->AuxData))->
402 PrivilegeSet,
403 Result,
404 AccessMode);
405 #endif
406 }
407
408 /* We're done, unlock the context and release security */
409 SeUnlockSubjectContext(&AccessState->SubjectSecurityContext);
410 ObReleaseObjectSecurity(SecurityDescriptor, SdAllocated);
411 return Result;
412 }
413
414 /*++
415 * @name ObCheckObjectAccess
416 *
417 * The ObCheckObjectAccess routine <FILLMEIN>
418 *
419 * @param Object
420 * <FILLMEIN>
421 *
422 * @param AccessState
423 * <FILLMEIN>
424 *
425 * @param LockHeld
426 * <FILLMEIN>
427 *
428 * @param AccessMode
429 * <FILLMEIN>
430 *
431 * @param ReturnedStatus
432 * <FILLMEIN>
433 *
434 * @return TRUE if access was granted, FALSE otherwise.
435 *
436 * @remarks None.
437 *
438 *--*/
439 BOOLEAN
440 NTAPI
ObCheckObjectAccess(IN PVOID Object,IN OUT PACCESS_STATE AccessState,IN BOOLEAN LockHeld,IN KPROCESSOR_MODE AccessMode,OUT PNTSTATUS ReturnedStatus)441 ObCheckObjectAccess(IN PVOID Object,
442 IN OUT PACCESS_STATE AccessState,
443 IN BOOLEAN LockHeld,
444 IN KPROCESSOR_MODE AccessMode,
445 OUT PNTSTATUS ReturnedStatus)
446 {
447 POBJECT_HEADER ObjectHeader;
448 POBJECT_TYPE ObjectType;
449 PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
450 BOOLEAN SdAllocated;
451 NTSTATUS Status;
452 BOOLEAN Result;
453 ACCESS_MASK GrantedAccess;
454 PPRIVILEGE_SET Privileges = NULL;
455 PAGED_CODE();
456
457 /* Get the object header and type */
458 ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object);
459 ObjectType = ObjectHeader->Type;
460
461 /* Get security information */
462 Status = ObGetObjectSecurity(Object, &SecurityDescriptor, &SdAllocated);
463 if (!NT_SUCCESS(Status))
464 {
465 /* Return failure */
466 *ReturnedStatus = Status;
467 return FALSE;
468 }
469 else if (!SecurityDescriptor)
470 {
471 /* Otherwise, if we don't actually have an SD, return success */
472 *ReturnedStatus = Status;
473 return TRUE;
474 }
475
476 /* Lock the security context */
477 SeLockSubjectContext(&AccessState->SubjectSecurityContext);
478
479 /* Now do the entire access check */
480 Result = SeAccessCheck(SecurityDescriptor,
481 &AccessState->SubjectSecurityContext,
482 TRUE,
483 AccessState->RemainingDesiredAccess,
484 AccessState->PreviouslyGrantedAccess,
485 &Privileges,
486 &ObjectType->TypeInfo.GenericMapping,
487 AccessMode,
488 &GrantedAccess,
489 ReturnedStatus);
490 if (Privileges)
491 {
492 /* We got privileges, append them to the access state and free them */
493 Status = SeAppendPrivileges(AccessState, Privileges);
494 SeFreePrivileges(Privileges);
495 }
496
497 /* Check if access was granted */
498 if (Result)
499 {
500 /* Update the access state */
501 AccessState->RemainingDesiredAccess &= ~(GrantedAccess |
502 MAXIMUM_ALLOWED);
503 AccessState->PreviouslyGrantedAccess |= GrantedAccess;
504 }
505
506 /* Do audit alarm */
507 SeOpenObjectAuditAlarm(&ObjectType->Name,
508 Object,
509 NULL,
510 SecurityDescriptor,
511 AccessState,
512 FALSE,
513 Result,
514 AccessMode,
515 &AccessState->GenerateOnClose);
516
517 /* We're done, unlock the context and release security */
518 SeUnlockSubjectContext(&AccessState->SubjectSecurityContext);
519 ObReleaseObjectSecurity(SecurityDescriptor, SdAllocated);
520 return Result;
521 }
522
523 /* PUBLIC FUNCTIONS **********************************************************/
524
525 /*++
526 * @name ObAssignSecurity
527 * @implemented NT4
528 *
529 * The ObAssignSecurity routine <FILLMEIN>
530 *
531 * @param AccessState
532 * <FILLMEIN>
533 *
534 * @param SecurityDescriptor
535 * <FILLMEIN>
536 *
537 * @param Object
538 * <FILLMEIN>
539 *
540 * @param Type
541 * <FILLMEIN>
542 *
543 * @return STATUS_SUCCESS or appropriate error value.
544 *
545 * @remarks None.
546 *
547 *--*/
548 NTSTATUS
549 NTAPI
ObAssignSecurity(IN PACCESS_STATE AccessState,IN PSECURITY_DESCRIPTOR SecurityDescriptor,IN PVOID Object,IN POBJECT_TYPE Type)550 ObAssignSecurity(IN PACCESS_STATE AccessState,
551 IN PSECURITY_DESCRIPTOR SecurityDescriptor,
552 IN PVOID Object,
553 IN POBJECT_TYPE Type)
554 {
555 PSECURITY_DESCRIPTOR NewDescriptor;
556 NTSTATUS Status;
557 KIRQL CalloutIrql;
558 PAGED_CODE();
559
560 /* Build the new security descriptor */
561 Status = SeAssignSecurity(SecurityDescriptor,
562 AccessState->SecurityDescriptor,
563 &NewDescriptor,
564 (Type == ObpDirectoryObjectType),
565 &AccessState->SubjectSecurityContext,
566 &Type->TypeInfo.GenericMapping,
567 PagedPool);
568 if (!NT_SUCCESS(Status)) return Status;
569
570 /* Call the security method */
571 ObpCalloutStart(&CalloutIrql);
572 Status = Type->TypeInfo.SecurityProcedure(Object,
573 AssignSecurityDescriptor,
574 NULL,
575 NewDescriptor,
576 NULL,
577 NULL,
578 PagedPool,
579 &Type->TypeInfo.GenericMapping);
580 ObpCalloutEnd(CalloutIrql, "Security", Type, Object);
581
582 /* Check for failure and deassign security if so */
583 if (!NT_SUCCESS(Status)) SeDeassignSecurity(&NewDescriptor);
584
585 /* Return to caller */
586 return Status;
587 }
588
589 /*++
590 * @name ObGetObjectSecurity
591 * @implemented NT4
592 *
593 * The ObGetObjectSecurity routine <FILLMEIN>
594 *
595 * @param Object
596 * <FILLMEIN>
597 *
598 * @param SecurityDescriptor
599 * <FILLMEIN>
600 *
601 * @param MemoryAllocated
602 * <FILLMEIN>
603 *
604 * @return STATUS_SUCCESS or appropriate error value.
605 *
606 * @remarks None.
607 *
608 *--*/
609 NTSTATUS
610 NTAPI
ObGetObjectSecurity(IN PVOID Object,OUT PSECURITY_DESCRIPTOR * SecurityDescriptor,OUT PBOOLEAN MemoryAllocated)611 ObGetObjectSecurity(IN PVOID Object,
612 OUT PSECURITY_DESCRIPTOR *SecurityDescriptor,
613 OUT PBOOLEAN MemoryAllocated)
614 {
615 POBJECT_HEADER Header;
616 POBJECT_TYPE Type;
617 ULONG Length = 0;
618 NTSTATUS Status;
619 SECURITY_INFORMATION SecurityInformation;
620 KIRQL CalloutIrql;
621 PAGED_CODE();
622
623 /* Get the object header and type */
624 Header = OBJECT_TO_OBJECT_HEADER(Object);
625 Type = Header->Type;
626
627 /* Tell the caller that we didn't have to allocate anything yet */
628 *MemoryAllocated = FALSE;
629
630 /* Check if the object uses default security */
631 if (Type->TypeInfo.SecurityProcedure == SeDefaultObjectMethod)
632 {
633 /* Reference the descriptor */
634 *SecurityDescriptor = ObpReferenceSecurityDescriptor(Header);
635 return STATUS_SUCCESS;
636 }
637
638 /* Set mask to query */
639 SecurityInformation = OWNER_SECURITY_INFORMATION |
640 GROUP_SECURITY_INFORMATION |
641 DACL_SECURITY_INFORMATION |
642 SACL_SECURITY_INFORMATION;
643
644 /* Get the security descriptor size */
645 ObpCalloutStart(&CalloutIrql);
646 Status = Type->TypeInfo.SecurityProcedure(Object,
647 QuerySecurityDescriptor,
648 &SecurityInformation,
649 *SecurityDescriptor,
650 &Length,
651 &Header->SecurityDescriptor,
652 Type->TypeInfo.PoolType,
653 &Type->TypeInfo.GenericMapping);
654 ObpCalloutEnd(CalloutIrql, "Security", Type, Object);
655
656 /* Check for failure */
657 if (Status != STATUS_BUFFER_TOO_SMALL) return Status;
658
659 /* Allocate security descriptor */
660 *SecurityDescriptor = ExAllocatePoolWithTag(PagedPool,
661 Length,
662 TAG_SEC_QUERY);
663 if (!(*SecurityDescriptor)) return STATUS_INSUFFICIENT_RESOURCES;
664 *MemoryAllocated = TRUE;
665
666 /* Query security descriptor */
667 ObpCalloutStart(&CalloutIrql);
668 Status = Type->TypeInfo.SecurityProcedure(Object,
669 QuerySecurityDescriptor,
670 &SecurityInformation,
671 *SecurityDescriptor,
672 &Length,
673 &Header->SecurityDescriptor,
674 Type->TypeInfo.PoolType,
675 &Type->TypeInfo.GenericMapping);
676 ObpCalloutEnd(CalloutIrql, "Security", Type, Object);
677
678 /* Check for failure */
679 if (!NT_SUCCESS(Status))
680 {
681 /* Free the descriptor and tell the caller we failed */
682 ExFreePoolWithTag(*SecurityDescriptor, TAG_SEC_QUERY);
683 *MemoryAllocated = FALSE;
684 }
685
686 /* Return status */
687 return Status;
688 }
689
690 /*++
691 * @name ObReleaseObjectSecurity
692 * @implemented NT4
693 *
694 * The ObReleaseObjectSecurity routine <FILLMEIN>
695 *
696 * @param SecurityDescriptor
697 * <FILLMEIN>
698 *
699 * @param MemoryAllocated
700 * <FILLMEIN>
701 *
702 * @return STATUS_SUCCESS or appropriate error value.
703 *
704 * @remarks None.
705 *
706 *--*/
707 VOID
708 NTAPI
ObReleaseObjectSecurity(IN PSECURITY_DESCRIPTOR SecurityDescriptor,IN BOOLEAN MemoryAllocated)709 ObReleaseObjectSecurity(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
710 IN BOOLEAN MemoryAllocated)
711 {
712 PAGED_CODE();
713
714 /* Nothing to do in this case */
715 if (!SecurityDescriptor) return;
716
717 /* Check if we had allocated it from memory */
718 if (MemoryAllocated)
719 {
720 /* Free it */
721 ExFreePoolWithTag(SecurityDescriptor, TAG_SEC_QUERY);
722 }
723 else
724 {
725 /* Otherwise this means we used an internal descriptor */
726 ObDereferenceSecurityDescriptor(SecurityDescriptor, 1);
727 }
728 }
729
730 /*++
731 * @name ObSetSecurityObjectByPointer
732 * @implemented NT5.1
733 *
734 * The ObSetSecurityObjectByPointer routine <FILLMEIN>
735 *
736 * @param SecurityDescriptor
737 * <FILLMEIN>
738 *
739 * @param MemoryAllocated
740 * <FILLMEIN>
741 *
742 * @return STATUS_SUCCESS or appropriate error value.
743 *
744 * @remarks None.
745 *
746 *--*/
747 NTSTATUS
748 NTAPI
ObSetSecurityObjectByPointer(IN PVOID Object,IN SECURITY_INFORMATION SecurityInformation,IN PSECURITY_DESCRIPTOR SecurityDescriptor)749 ObSetSecurityObjectByPointer(IN PVOID Object,
750 IN SECURITY_INFORMATION SecurityInformation,
751 IN PSECURITY_DESCRIPTOR SecurityDescriptor)
752 {
753 POBJECT_TYPE Type;
754 POBJECT_HEADER Header;
755 PAGED_CODE();
756
757 /* Get the header and type */
758 Header = OBJECT_TO_OBJECT_HEADER(Object);
759 Type = Header->Type;
760
761 /* Sanity check */
762 ASSERT(SecurityDescriptor);
763
764 /* Call the security procedure */
765 return Type->TypeInfo.SecurityProcedure(Object,
766 SetSecurityDescriptor,
767 &SecurityInformation,
768 SecurityDescriptor,
769 NULL,
770 &Header->SecurityDescriptor,
771 Type->TypeInfo.PoolType,
772 &Type->TypeInfo.GenericMapping);
773 }
774
775 /*++
776 * @name NtQuerySecurityObject
777 * @implemented NT4
778 *
779 * The NtQuerySecurityObject routine <FILLMEIN>
780 *
781 * @param Handle
782 * <FILLMEIN>
783 *
784 * @param SecurityInformation
785 * <FILLMEIN>
786 *
787 * @param SecurityDescriptor
788 * <FILLMEIN>
789 *
790 * @param Length
791 * <FILLMEIN>
792 *
793 * @param ResultLength
794 * <FILLMEIN>
795 *
796 * @return STATUS_SUCCESS or appropriate error value.
797 *
798 * @remarks None.
799 *
800 *--*/
801 NTSTATUS
802 NTAPI
NtQuerySecurityObject(IN HANDLE Handle,IN SECURITY_INFORMATION SecurityInformation,OUT PSECURITY_DESCRIPTOR SecurityDescriptor,IN ULONG Length,OUT PULONG ResultLength)803 NtQuerySecurityObject(IN HANDLE Handle,
804 IN SECURITY_INFORMATION SecurityInformation,
805 OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
806 IN ULONG Length,
807 OUT PULONG ResultLength)
808 {
809 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
810 PVOID Object;
811 POBJECT_HEADER Header;
812 POBJECT_TYPE Type;
813 ACCESS_MASK DesiredAccess;
814 NTSTATUS Status;
815 PAGED_CODE();
816
817 /* Check if we came from user mode */
818 if (PreviousMode != KernelMode)
819 {
820 /* Enter SEH */
821 _SEH2_TRY
822 {
823 /* Probe the SD and the length pointer */
824 ProbeForWrite(SecurityDescriptor, Length, sizeof(ULONG));
825 ProbeForWriteUlong(ResultLength);
826 }
827 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
828 {
829 /* Return the exception code */
830 _SEH2_YIELD(return _SEH2_GetExceptionCode());
831 }
832 _SEH2_END;
833 }
834
835 /* Get the required access rights for the operation */
836 SeQuerySecurityAccessMask(SecurityInformation, &DesiredAccess);
837
838 /* Reference the object */
839 Status = ObReferenceObjectByHandle(Handle,
840 DesiredAccess,
841 NULL,
842 PreviousMode,
843 &Object,
844 NULL);
845 if (!NT_SUCCESS(Status)) return Status;
846
847 /* Get the Object Header and Type */
848 Header = OBJECT_TO_OBJECT_HEADER(Object);
849 Type = Header->Type;
850
851 /* Call the security procedure's query function */
852 Status = Type->TypeInfo.SecurityProcedure(Object,
853 QuerySecurityDescriptor,
854 &SecurityInformation,
855 SecurityDescriptor,
856 &Length,
857 &Header->SecurityDescriptor,
858 Type->TypeInfo.PoolType,
859 &Type->TypeInfo.GenericMapping);
860
861 /* Dereference the object */
862 ObDereferenceObject(Object);
863
864 /* Protect write with SEH */
865 _SEH2_TRY
866 {
867 /* Return the needed length */
868 *ResultLength = Length;
869 }
870 _SEH2_EXCEPT(ExSystemExceptionFilter())
871 {
872 /* Get the exception code */
873 Status = _SEH2_GetExceptionCode();
874 }
875 _SEH2_END;
876
877 /* Return status */
878 return Status;
879 }
880
881 /*++
882 * @name NtSetSecurityObject
883 * @implemented NT4
884 *
885 * The NtSetSecurityObject routine <FILLMEIN>
886 *
887 * @param Handle
888 * <FILLMEIN>
889 *
890 * @param SecurityInformation
891 * <FILLMEIN>
892 *
893 * @param SecurityDescriptor
894 * <FILLMEIN>
895 *
896 * @return STATUS_SUCCESS or appropriate error value.
897 *
898 * @remarks None.
899 *
900 *--*/
901 NTSTATUS
902 NTAPI
NtSetSecurityObject(IN HANDLE Handle,IN SECURITY_INFORMATION SecurityInformation,IN PSECURITY_DESCRIPTOR SecurityDescriptor)903 NtSetSecurityObject(IN HANDLE Handle,
904 IN SECURITY_INFORMATION SecurityInformation,
905 IN PSECURITY_DESCRIPTOR SecurityDescriptor)
906 {
907 KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
908 PVOID Object;
909 SECURITY_DESCRIPTOR_RELATIVE *CapturedDescriptor;
910 ACCESS_MASK DesiredAccess = 0;
911 NTSTATUS Status;
912 PAGED_CODE();
913
914 /* Make sure the caller doesn't pass a NULL security descriptor! */
915 if (!SecurityDescriptor) return STATUS_ACCESS_VIOLATION;
916
917 /* Set the required access rights for the operation */
918 SeSetSecurityAccessMask(SecurityInformation, &DesiredAccess);
919
920 /* Reference the object */
921 Status = ObReferenceObjectByHandle(Handle,
922 DesiredAccess,
923 NULL,
924 PreviousMode,
925 &Object,
926 NULL);
927 if (NT_SUCCESS(Status))
928 {
929 /* Capture and make a copy of the security descriptor */
930 Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
931 PreviousMode,
932 PagedPool,
933 TRUE,
934 (PSECURITY_DESCRIPTOR*)
935 &CapturedDescriptor);
936 if (!NT_SUCCESS(Status))
937 {
938 /* Fail */
939 ObDereferenceObject(Object);
940 return Status;
941 }
942
943 /* Sanity check */
944 ASSERT(CapturedDescriptor->Control & SE_SELF_RELATIVE);
945
946 /*
947 * Make sure the security descriptor passed by the caller
948 * is valid for the operation we're about to perform
949 */
950 if (((SecurityInformation & OWNER_SECURITY_INFORMATION) &&
951 !(CapturedDescriptor->Owner)) ||
952 ((SecurityInformation & GROUP_SECURITY_INFORMATION) &&
953 !(CapturedDescriptor->Group)))
954 {
955 /* Set the failure status */
956 Status = STATUS_INVALID_SECURITY_DESCR;
957 }
958 else
959 {
960 /* Set security */
961 Status = ObSetSecurityObjectByPointer(Object,
962 SecurityInformation,
963 CapturedDescriptor);
964 }
965
966 /* Release the descriptor and return status */
967 SeReleaseSecurityDescriptor((PSECURITY_DESCRIPTOR)CapturedDescriptor,
968 PreviousMode,
969 TRUE);
970
971 /* Now we can dereference the object */
972 ObDereferenceObject(Object);
973 }
974
975 return Status;
976 }
977
978 /*++
979 * @name ObQueryObjectAuditingByHandle
980 * @implemented NT5
981 *
982 * The ObDereferenceSecurityDescriptor routine <FILLMEIN>
983 *
984 * @param SecurityDescriptor
985 * <FILLMEIN>
986 *
987 * @param Count
988 * <FILLMEIN>
989 *
990 * @return STATUS_SUCCESS or appropriate error value.
991 *
992 * @remarks None.
993 *
994 *--*/
995 NTSTATUS
996 NTAPI
ObQueryObjectAuditingByHandle(IN HANDLE Handle,OUT PBOOLEAN GenerateOnClose)997 ObQueryObjectAuditingByHandle(IN HANDLE Handle,
998 OUT PBOOLEAN GenerateOnClose)
999 {
1000 PHANDLE_TABLE_ENTRY HandleEntry;
1001 PVOID HandleTable;
1002 NTSTATUS Status = STATUS_SUCCESS;
1003 PAGED_CODE();
1004
1005 /* Check if we're dealing with a kernel handle */
1006 if (ObpIsKernelHandle(Handle, ExGetPreviousMode()))
1007 {
1008 /* Use the kernel table and convert the handle */
1009 HandleTable = ObpKernelHandleTable;
1010 Handle = ObKernelHandleToHandle(Handle);
1011 }
1012 else
1013 {
1014 /* Use the process's handle table */
1015 HandleTable = PsGetCurrentProcess()->ObjectTable;
1016 }
1017
1018 /* Enter a critical region while we touch the handle table */
1019 KeEnterCriticalRegion();
1020
1021 /* Map the handle */
1022 HandleEntry = ExMapHandleToPointer(HandleTable, Handle);
1023 if(HandleEntry)
1024 {
1025 /* Check if the flag is set */
1026 *GenerateOnClose = HandleEntry->ObAttributes & OBJ_AUDIT_OBJECT_CLOSE;
1027
1028 /* Unlock the entry */
1029 ExUnlockHandleTableEntry(HandleTable, HandleEntry);
1030 }
1031 else
1032 {
1033 /* Otherwise, fail */
1034 Status = STATUS_INVALID_HANDLE;
1035 }
1036
1037 /* Leave the critical region and return the status */
1038 KeLeaveCriticalRegion();
1039 return Status;
1040 }
1041
1042 /* EOF */
1043