1 /*
2 * PROJECT: ReactOS Kernel
3 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4 * PURPOSE: Internal header for the Security Manager
5 * COPYRIGHT: Copyright Eric Kohl
6 * Copyright 2022-2023 George Bișoc <george.bisoc@reactos.org>
7 */
8
9 #pragma once
10
11 //
12 // Internal ACE type structures
13 //
//
// Generic view of an ACE whose body is an access mask followed by a SID.
// NOTE(review): presumably overlaid on the public ACE types that share this
// layout -- confirm against the code that casts to PKNOWN_ACE.
//
typedef struct _KNOWN_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    // Placeholder for the start of the variable-length SID. Code that reads
    // the SID through this field should first check that the ACE size
    // recorded in Header really covers it.
    ULONG SidStart;
} KNOWN_ACE, *PKNOWN_ACE;
20
//
// Generic view of an object-type ACE: header, access mask, a Flags word and
// then the variable-length part.
// NOTE(review): presumably Flags says which optional object-type GUIDs sit
// before the SID, so SidStart may not be the SID itself -- confirm against
// SepGetSidFromAce / SepGetObjectTypeGuidFromAce.
//
typedef struct _KNOWN_OBJECT_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG Flags;
    ULONG SidStart; // start of the variable-length tail; bound it by the ACE size in Header
} KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;
28
//
// Generic view of a compound ACE: header, access mask, a compound type
// selector, a reserved word and then the variable-length part.
//
typedef struct _KNOWN_COMPOUND_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    USHORT CompoundAceType;
    USHORT Reserved;    // keeps SidStart ULONG-aligned after the USHORT above
    ULONG SidStart;     // start of the variable-length tail; bound it by the ACE size in Header
} KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;
37
38 //
39 // Access Check Rights
40 //
//
// Three access masks tracked together during an access check.
// NOTE(review): going by the field names these are the rights still to be
// decided, the rights granted so far and the rights denied so far --
// confirm the exact invariants in the access check code.
//
typedef struct _ACCESS_CHECK_RIGHTS
{
    ACCESS_MASK RemainingAccessRights;
    ACCESS_MASK GrantedAccessRights;
    ACCESS_MASK DeniedAccessRights;
} ACCESS_CHECK_RIGHTS, *PACCESS_CHECK_RIGHTS;
47
48 //
49 // Internal object type list structure
50 //
//
// Kernel-side form of one object type list entry. SeCaptureObjectTypeList
// (declared in this header) produces an array of these from a caller
// supplied OBJECT_TYPE_LIST array.
//
typedef struct _OBJECT_TYPE_LIST_INTERNAL
{
    GUID ObjectTypeGuid;    // held by value, so no pointer into the caller's buffer is kept
    USHORT Level;
    ACCESS_CHECK_RIGHTS ObjectAccessRights; // per-entry access check bookkeeping
} OBJECT_TYPE_LIST_INTERNAL, *POBJECT_TYPE_LIST_INTERNAL;
57
//
// Selects a kind of access check right. The enumerators take the implicit
// values 0 and 1.
// NOTE(review): presumably "maximum allowed" versus an ordinary desired
// access request -- confirm where the value is consumed.
//
typedef enum _ACCESS_CHECK_RIGHT_TYPE
{
    AccessCheckMaximum,
    AccessCheckRegular
} ACCESS_CHECK_RIGHT_TYPE;
63
64 //
65 // Token Audit Policy Information structure
66 //
//
// Counted list of audit policy entries.
//
typedef struct _TOKEN_AUDIT_POLICY_INFORMATION
{
    ULONG PolicyCount;
    struct
    {
        ULONG Category;
        UCHAR Value;
    } Policies[1];
    // Policies is declared with a single element, so sizeof() of this
    // structure accounts for one entry only.
    // NOTE(review): presumably a variable-length trailing array holding
    // PolicyCount entries; if so, PolicyCount must be checked against the
    // real buffer length before Policies is indexed.
} TOKEN_AUDIT_POLICY_INFORMATION, *PTOKEN_AUDIT_POLICY_INFORMATION;
76
77 //
78 // Token creation method defines (for debugging purposes)
79 //
// Distinct unsigned long tags, one per way a token can come into existence
// (create, duplicate, filter). Each value is the hex digit matching the
// first letter of the method name.
#define TOKEN_CREATE_METHOD 0xCUL
#define TOKEN_DUPLICATE_METHOD 0xDUL
#define TOKEN_FILTER_METHOD 0xFUL
83
84 //
85 // Security descriptor internal helpers
86 //
//
// Returns the primary group SID of a security descriptor, or NULL when a
// self-relative descriptor stores a zero group offset.
//
// An absolute descriptor yields its Group pointer unchanged. For a
// self-relative descriptor the stored offset is added to the descriptor's
// base address. The offset is not bounds-checked: this helper receives no
// length, so it must only be given a descriptor that was already validated.
// The parameter is annotated _Inout_, yet the body only reads through it.
//
FORCEINLINE
PSID
SepGetGroupFromDescriptor(
    _Inout_ PSECURITY_DESCRIPTOR _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    // Absolute form: the field already is a pointer
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Group;
    }

    // Self-relative form: the field is an offset from the descriptor base
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Group == 0)
    {
        return NULL;
    }

    return (PSID)((ULONG_PTR)RelativeSd + RelativeSd->Group);
}
106
//
// Returns the owner SID of a security descriptor, or NULL when a
// self-relative descriptor stores a zero owner offset.
//
// An absolute descriptor yields its Owner pointer unchanged. For a
// self-relative descriptor the stored offset is added to the descriptor's
// base address. The offset is not bounds-checked: this helper receives no
// length, so it must only be given a descriptor that was already validated.
// The parameter is annotated _Inout_, yet the body only reads through it.
//
FORCEINLINE
PSID
SepGetOwnerFromDescriptor(
    _Inout_ PSECURITY_DESCRIPTOR _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    // Absolute form: the field already is a pointer
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Owner;
    }

    // Self-relative form: the field is an offset from the descriptor base
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Owner == 0)
    {
        return NULL;
    }

    return (PSID)((ULONG_PTR)RelativeSd + RelativeSd->Owner);
}
126
//
// Returns the DACL of a security descriptor.
//
// NULL is returned both when SE_DACL_PRESENT is clear and when a
// self-relative descriptor stores a zero DACL offset, so the caller cannot
// tell the two cases apart from the return value alone. In the NT model a
// missing or NULL DACL conventionally places no restriction on access, which
// makes the handling of a NULL return security-relevant at every call site.
//
// For a self-relative descriptor the stored offset is added to the
// descriptor's base address without any bounds check: this helper receives
// no length, so it must only be given a descriptor that was already
// validated. The parameter is annotated _Inout_, yet the body only reads
// through it.
//
FORCEINLINE
PACL
SepGetDaclFromDescriptor(
    _Inout_ PSECURITY_DESCRIPTOR _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    // The control bits say whether a DACL exists at all
    if ((AbsoluteSd->Control & SE_DACL_PRESENT) == 0)
    {
        return NULL;
    }

    // Absolute form: the field already is a pointer
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Dacl;
    }

    // Self-relative form: the field is an offset from the descriptor base
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Dacl == 0)
    {
        return NULL;
    }

    return (PACL)((ULONG_PTR)RelativeSd + RelativeSd->Dacl);
}
148
//
// Returns the SACL of a security descriptor.
//
// NULL is returned both when SE_SACL_PRESENT is clear and when a
// self-relative descriptor stores a zero SACL offset.
//
// For a self-relative descriptor the stored offset is added to the
// descriptor's base address without any bounds check: this helper receives
// no length, so it must only be given a descriptor that was already
// validated. The parameter is annotated _Inout_, yet the body only reads
// through it.
//
FORCEINLINE
PACL
SepGetSaclFromDescriptor(
    _Inout_ PSECURITY_DESCRIPTOR _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    // The control bits say whether a SACL exists at all
    if ((AbsoluteSd->Control & SE_SACL_PRESENT) == 0)
    {
        return NULL;
    }

    // Absolute form: the field already is a pointer
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Sacl;
    }

    // Self-relative form: the field is an offset from the descriptor base
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Sacl == 0)
    {
        return NULL;
    }

    return (PACL)((ULONG_PTR)RelativeSd + RelativeSd->Sacl);
}
170
171 #ifndef RTL_H
172
173 //
174 // SID Authorities
175 //
176 extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
177 extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
178 extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
179 extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
180 extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;
181
182 //
183 // SIDs
184 //
// Well-known SIDs, defined elsewhere and shared across the Security Manager.
extern PSID SeNullSid;
extern PSID SeWorldSid;
extern PSID SeLocalSid;
extern PSID SeCreatorOwnerSid;
extern PSID SeCreatorGroupSid;
extern PSID SeCreatorOwnerServerSid;
extern PSID SeCreatorGroupServerSid;
extern PSID SeNtAuthoritySid;
extern PSID SeDialupSid;
extern PSID SeNetworkSid;
extern PSID SeBatchSid;
extern PSID SeInteractiveSid;
extern PSID SeServiceSid;
extern PSID SeAnonymousLogonSid;
extern PSID SePrincipalSelfSid;
extern PSID SeLocalSystemSid;
// NOTE(review): SeAuthenticatedUserSid here and SeAuthenticatedUsersSid
// further down differ by one letter; confirm both are defined and intended,
// since comparing against the wrong variable changes an access decision.
extern PSID SeAuthenticatedUserSid;
// NOTE(review): SeRestrictedCodeSid here and SeRestrictedSid further down
// look like two names for related SIDs; confirm which one callers should use.
extern PSID SeRestrictedCodeSid;
extern PSID SeAliasAdminsSid;
extern PSID SeAliasUsersSid;
extern PSID SeAliasGuestsSid;
extern PSID SeAliasPowerUsersSid;
extern PSID SeAliasAccountOpsSid;
extern PSID SeAliasSystemOpsSid;
extern PSID SeAliasPrintOpsSid;
extern PSID SeAliasBackupOpsSid;
extern PSID SeAuthenticatedUsersSid;
extern PSID SeRestrictedSid;
// Redundant redeclaration: SeAnonymousLogonSid is already declared above.
extern PSID SeAnonymousLogonSid;
extern PSID SeLocalServiceSid;
extern PSID SeNetworkServiceSid;
216
217 //
218 // Privileges
219 //
220 extern const LUID SeCreateTokenPrivilege;
221 extern const LUID SeAssignPrimaryTokenPrivilege;
222 extern const LUID SeLockMemoryPrivilege;
223 extern const LUID SeIncreaseQuotaPrivilege;
224 extern const LUID SeUnsolicitedInputPrivilege;
225 extern const LUID SeTcbPrivilege;
226 extern const LUID SeSecurityPrivilege;
227 extern const LUID SeTakeOwnershipPrivilege;
228 extern const LUID SeLoadDriverPrivilege;
229 extern const LUID SeSystemProfilePrivilege;
230 extern const LUID SeSystemtimePrivilege;
231 extern const LUID SeProfileSingleProcessPrivilege;
232 extern const LUID SeIncreaseBasePriorityPrivilege;
233 extern const LUID SeCreatePagefilePrivilege;
234 extern const LUID SeCreatePermanentPrivilege;
235 extern const LUID SeBackupPrivilege;
236 extern const LUID SeRestorePrivilege;
237 extern const LUID SeShutdownPrivilege;
238 extern const LUID SeDebugPrivilege;
239 extern const LUID SeAuditPrivilege;
240 extern const LUID SeSystemEnvironmentPrivilege;
241 extern const LUID SeChangeNotifyPrivilege;
242 extern const LUID SeRemoteShutdownPrivilege;
243 extern const LUID SeUndockPrivilege;
244 extern const LUID SeSyncAgentPrivilege;
245 extern const LUID SeEnableDelegationPrivilege;
246 extern const LUID SeManageVolumePrivilege;
247 extern const LUID SeImpersonatePrivilege;
248 extern const LUID SeCreateGlobalPrivilege;
249 extern const LUID SeTrustedCredmanPrivilege;
250 extern const LUID SeRelabelPrivilege;
251 extern const LUID SeIncreaseWorkingSetPrivilege;
252 extern const LUID SeTimeZonePrivilege;
253 extern const LUID SeCreateSymbolicLinkPrivilege;
254
255 //
256 // DACLs
257 //
258 extern PACL SePublicDefaultUnrestrictedDacl;
259 extern PACL SePublicOpenDacl;
260 extern PACL SePublicOpenUnrestrictedDacl;
261 extern PACL SeUnrestrictedDacl;
262 extern PACL SeSystemAnonymousLogonDacl;
263
264 //
265 // SDs
266 //
267 extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
268 extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
269 extern PSECURITY_DESCRIPTOR SePublicOpenSd;
270 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
271 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
272 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
273 extern PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd;
274
275 //
276 // Anonymous Logon Tokens
277 //
278 extern PTOKEN SeAnonymousLogonToken;
279 extern PTOKEN SeAnonymousLogonTokenNoEveryone;
280
281
282 //
283 // Token lock management macros
284 //
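//
// Token lock macros. Each acquire enters a critical region and then takes
// the resource at Token->TokenLock, waiting until it is available (the Wait
// argument is TRUE). SepReleaseTokenLock undoes both steps in reverse order,
// so every acquire must be matched by exactly one release on every path,
// error paths included.
//
// The Token argument is parenthesized before the cast so that an expression
// argument is cast as a whole rather than only its first operand.
//
// The macros expand to a bare brace block rather than do { } while (0), so
// "if (x) SepReleaseTokenLock(T); else ..." does not compile. The brace form
// is kept because the call sites are not visible from this header.
//
#define SepAcquireTokenLockExclusive(Token)                                 \
{                                                                           \
    KeEnterCriticalRegion();                                                \
    ExAcquireResourceExclusiveLite(((PTOKEN)(Token))->TokenLock, TRUE);     \
}
#define SepAcquireTokenLockShared(Token)                                    \
{                                                                           \
    KeEnterCriticalRegion();                                                \
    ExAcquireResourceSharedLite(((PTOKEN)(Token))->TokenLock, TRUE);        \
}

#define SepReleaseTokenLock(Token)                                          \
{                                                                           \
    ExReleaseResourceLite(((PTOKEN)(Token))->TokenLock);                    \
    KeLeaveCriticalRegion();                                                \
}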
301
302 #if DBG
303 //
304 // Security Debug Utility Functions
305 //
306 VOID
307 SepDumpSdDebugInfo(
308 _In_opt_ PISECURITY_DESCRIPTOR SecurityDescriptor);
309
310 VOID
311 SepDumpTokenDebugInfo(
312 _In_opt_ PTOKEN Token);
313
314 VOID
315 SepDumpAccessRightsStats(
316 _In_ PACCESS_CHECK_RIGHTS AccessRights);
317
318 VOID
319 SepDumpAccessAndStatusList(
320 _In_ PACCESS_MASK GrantedAccessList,
321 _In_ PNTSTATUS AccessStatusList,
322 _In_ BOOLEAN IsResultList,
323 _In_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList,
324 _In_ ULONG ObjectTypeListLength);
325 #endif // DBG
326
327 //
328 // Token Functions
329 //
330 CODE_SEG("INIT")
331 VOID
332 NTAPI
333 SepInitializeTokenImplementation(VOID);
334
335 CODE_SEG("INIT")
336 PTOKEN
337 NTAPI
338 SepCreateSystemProcessToken(VOID);
339
340 CODE_SEG("INIT")
341 PTOKEN
342 SepCreateSystemAnonymousLogonToken(VOID);
343
344 CODE_SEG("INIT")
345 PTOKEN
346 SepCreateSystemAnonymousLogonTokenNoEveryone(VOID);
347
348 NTSTATUS
349 NTAPI
350 SepDuplicateToken(
351 _In_ PTOKEN Token,
352 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
353 _In_ BOOLEAN EffectiveOnly,
354 _In_ TOKEN_TYPE TokenType,
355 _In_ SECURITY_IMPERSONATION_LEVEL Level,
356 _In_ KPROCESSOR_MODE PreviousMode,
357 _Out_ PTOKEN* NewAccessToken);
358
359 NTSTATUS
360 NTAPI
361 SepCreateToken(
362 _Out_ PHANDLE TokenHandle,
363 _In_ KPROCESSOR_MODE PreviousMode,
364 _In_ ACCESS_MASK DesiredAccess,
365 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
366 _In_ TOKEN_TYPE TokenType,
367 _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
368 _In_ PLUID AuthenticationId,
369 _In_ PLARGE_INTEGER ExpirationTime,
370 _In_ PSID_AND_ATTRIBUTES User,
371 _In_ ULONG GroupCount,
372 _In_ PSID_AND_ATTRIBUTES Groups,
373 _In_ ULONG GroupsLength,
374 _In_ ULONG PrivilegeCount,
375 _In_ PLUID_AND_ATTRIBUTES Privileges,
376 _In_opt_ PSID Owner,
377 _In_ PSID PrimaryGroup,
378 _In_opt_ PACL DefaultDacl,
379 _In_ PTOKEN_SOURCE TokenSource,
380 _In_ BOOLEAN SystemToken);
381
382 BOOLEAN
383 NTAPI
384 SepTokenIsOwner(
385 _In_ PACCESS_TOKEN _Token,
386 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
387 _In_ BOOLEAN TokenLocked);
388
389 NTSTATUS
390 SepCreateTokenLock(
391 _Inout_ PTOKEN Token);
392
393 VOID
394 SepDeleteTokenLock(
395 _Inout_ PTOKEN Token);
396
397 VOID
398 SepUpdatePrivilegeFlagsToken(
399 _Inout_ PTOKEN Token);
400
401 NTSTATUS
402 SepFindPrimaryGroupAndDefaultOwner(
403 _In_ PTOKEN Token,
404 _In_ PSID PrimaryGroup,
405 _In_opt_ PSID DefaultOwner,
406 _Out_opt_ PULONG PrimaryGroupIndex,
407 _Out_opt_ PULONG DefaultOwnerIndex);
408
409 VOID
410 SepUpdateSinglePrivilegeFlagToken(
411 _Inout_ PTOKEN Token,
412 _In_ ULONG Index);
413
// Redundant redeclaration: SepUpdatePrivilegeFlagsToken is already declared
// earlier in this header with the same signature.
VOID
SepUpdatePrivilegeFlagsToken(
    _Inout_ PTOKEN Token);
417
418 VOID
419 SepRemovePrivilegeToken(
420 _Inout_ PTOKEN Token,
421 _In_ ULONG Index);
422
423 VOID
424 SepRemoveUserGroupToken(
425 _Inout_ PTOKEN Token,
426 _In_ ULONG Index);
427
428 ULONG
429 SepComputeAvailableDynamicSpace(
430 _In_ ULONG DynamicCharged,
431 _In_ PSID PrimaryGroup,
432 _In_opt_ PACL DefaultDacl);
433
434 NTSTATUS
435 SepRebuildDynamicPartOfToken(
436 _In_ PTOKEN Token,
437 _In_ ULONG NewDynamicPartSize);
438
439 BOOLEAN
440 NTAPI
441 SeTokenCanImpersonate(
442 _In_ PTOKEN ProcessToken,
443 _In_ PTOKEN TokenToImpersonate,
444 _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel);
445
446 VOID
447 NTAPI
448 SeGetTokenControlInformation(
449 _In_ PACCESS_TOKEN _Token,
450 _Out_ PTOKEN_CONTROL TokenControl);
451
452 VOID
453 NTAPI
454 SeDeassignPrimaryToken(
455 _Inout_ PEPROCESS Process);
456
457 NTSTATUS
458 NTAPI
459 SeSubProcessToken(
460 _In_ PTOKEN Parent,
461 _Out_ PTOKEN *Token,
462 _In_ BOOLEAN InUse,
463 _In_ ULONG SessionId);
464
465 NTSTATUS
466 NTAPI
467 SeIsTokenChild(
468 _In_ PTOKEN Token,
469 _Out_ PBOOLEAN IsChild);
470
471 NTSTATUS
472 NTAPI
473 SeIsTokenSibling(
474 _In_ PTOKEN Token,
475 _Out_ PBOOLEAN IsSibling);
476
477 NTSTATUS
478 NTAPI
479 SeExchangePrimaryToken(
480 _In_ PEPROCESS Process,
481 _In_ PACCESS_TOKEN NewAccessToken,
482 _Out_ PACCESS_TOKEN* OldAccessToken);
483
484 NTSTATUS
485 NTAPI
486 SeCopyClientToken(
487 _In_ PACCESS_TOKEN Token,
488 _In_ SECURITY_IMPERSONATION_LEVEL Level,
489 _In_ KPROCESSOR_MODE PreviousMode,
490 _Out_ PACCESS_TOKEN* NewToken);
491
492 BOOLEAN
493 NTAPI
494 SeTokenIsInert(
495 _In_ PTOKEN Token);
496
497 ULONG
498 RtlLengthSidAndAttributes(
499 _In_ ULONG Count,
500 _In_ PSID_AND_ATTRIBUTES Src);
501
502 //
503 // Security Manager (SeMgr) functions
504 //
505 CODE_SEG("INIT")
506 BOOLEAN
507 NTAPI
508 SeInitSystem(VOID);
509
510 NTSTATUS
511 NTAPI
512 SeDefaultObjectMethod(
513 _In_ PVOID Object,
514 _In_ SECURITY_OPERATION_CODE OperationType,
515 _In_ PSECURITY_INFORMATION SecurityInformation,
516 _Inout_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
517 _Inout_opt_ PULONG ReturnLength,
518 _Inout_opt_ PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
519 _In_ POOL_TYPE PoolType,
520 _In_ PGENERIC_MAPPING GenericMapping);
521
522 VOID
523 NTAPI
524 SeQuerySecurityAccessMask(
525 _In_ SECURITY_INFORMATION SecurityInformation,
526 _Out_ PACCESS_MASK DesiredAccess);
527
528 VOID
529 NTAPI
530 SeSetSecurityAccessMask(
531 _In_ SECURITY_INFORMATION SecurityInformation,
532 _Out_ PACCESS_MASK DesiredAccess);
533
534 //
535 // Privilege functions
536 //
537 CODE_SEG("INIT")
538 VOID
539 NTAPI
540 SepInitPrivileges(VOID);
541
542 BOOLEAN
543 NTAPI
544 SepPrivilegeCheck(
545 _In_ PTOKEN Token,
546 _In_ PLUID_AND_ATTRIBUTES Privileges,
547 _In_ ULONG PrivilegeCount,
548 _In_ ULONG PrivilegeControl,
549 _In_ KPROCESSOR_MODE PreviousMode);
550
551 NTSTATUS
552 NTAPI
553 SePrivilegePolicyCheck(
554 _Inout_ PACCESS_MASK DesiredAccess,
555 _Inout_ PACCESS_MASK GrantedAccess,
556 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
557 _In_ PTOKEN Token,
558 _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
559 _In_ KPROCESSOR_MODE PreviousMode);
560
561 BOOLEAN
562 NTAPI
563 SeCheckAuditPrivilege(
564 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
565 _In_ KPROCESSOR_MODE PreviousMode);
566
567 BOOLEAN
568 NTAPI
569 SeCheckPrivilegedObject(
570 _In_ LUID PrivilegeValue,
571 _In_ HANDLE ObjectHandle,
572 _In_ ACCESS_MASK DesiredAccess,
573 _In_ KPROCESSOR_MODE PreviousMode);
574
//
// Captures an array of PrivilegeCount LUID_AND_ATTRIBUTES entries from Src
// and hands the result back through Dest; release it with
// SeReleaseLuidAndAttributesArray.
// NOTE(review): presumably the source is probed and copied when PreviousMode
// is user mode, so that later checks work on a stable kernel copy --
// confirm in the implementation.
// NOTE(review): AllocatedMem is annotated _In_ here, while the matching
// parameter of SeCaptureSidAndAttributesArray is _In_opt_; confirm whether
// NULL is accepted.
//
NTSTATUS
NTAPI
SeCaptureLuidAndAttributesArray(
    _In_ PLUID_AND_ATTRIBUTES Src,
    _In_ ULONG PrivilegeCount,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_ PLUID_AND_ATTRIBUTES AllocatedMem,
    _In_ ULONG AllocatedLength,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PLUID_AND_ATTRIBUTES* Dest,
    _Inout_ PULONG Length);
587
588 VOID
589 NTAPI
590 SeReleaseLuidAndAttributesArray(
591 _In_ PLUID_AND_ATTRIBUTES Privilege,
592 _In_ KPROCESSOR_MODE PreviousMode,
593 _In_ BOOLEAN CaptureIfKernel);
594
595 //
596 // SID functions
597 //
598 CODE_SEG("INIT")
599 BOOLEAN
600 NTAPI
601 SepInitSecurityIDs(VOID);
602
603 NTSTATUS
604 NTAPI
605 SepCaptureSid(
606 _In_ PSID InputSid,
607 _In_ KPROCESSOR_MODE AccessMode,
608 _In_ POOL_TYPE PoolType,
609 _In_ BOOLEAN CaptureIfKernel,
610 _Out_ PSID *CapturedSid);
611
612 VOID
613 NTAPI
614 SepReleaseSid(
615 _In_ PSID CapturedSid,
616 _In_ KPROCESSOR_MODE AccessMode,
617 _In_ BOOLEAN CaptureIfKernel);
618
619 BOOLEAN
620 NTAPI
621 SepSidInToken(
622 _In_ PACCESS_TOKEN _Token,
623 _In_ PSID Sid);
624
625 BOOLEAN
626 NTAPI
627 SepSidInTokenEx(
628 _In_ PACCESS_TOKEN _Token,
629 _In_ PSID PrincipalSelfSid,
630 _In_ PSID _Sid,
631 _In_ BOOLEAN Deny,
632 _In_ BOOLEAN Restricted);
633
634 PSID
635 NTAPI
636 SepGetSidFromAce(
637 _In_ PACE Ace);
638
639 NTSTATUS
640 NTAPI
641 SeCaptureSidAndAttributesArray(
642 _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
643 _In_ ULONG AttributeCount,
644 _In_ KPROCESSOR_MODE PreviousMode,
645 _In_opt_ PVOID AllocatedMem,
646 _In_ ULONG AllocatedLength,
647 _In_ POOL_TYPE PoolType,
648 _In_ BOOLEAN CaptureIfKernel,
649 _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
650 _Out_ PULONG ResultLength);
651
652 VOID
653 NTAPI
654 SeReleaseSidAndAttributesArray(
655 _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
656 _In_ KPROCESSOR_MODE AccessMode,
657 _In_ BOOLEAN CaptureIfKernel);
658
659 //
660 // ACL functions
661 //
662 CODE_SEG("INIT")
663 BOOLEAN
664 NTAPI
665 SepInitDACLs(VOID);
666
667 NTSTATUS
668 NTAPI
669 SepCreateImpersonationTokenDacl(
670 _In_ PTOKEN Token,
671 _In_ PTOKEN PrimaryToken,
672 _Out_ PACL* Dacl);
673
674 NTSTATUS
675 NTAPI
676 SepCaptureAcl(
677 _In_ PACL InputAcl,
678 _In_ KPROCESSOR_MODE AccessMode,
679 _In_ POOL_TYPE PoolType,
680 _In_ BOOLEAN CaptureIfKernel,
681 _Out_ PACL *CapturedAcl);
682
683 VOID
684 NTAPI
685 SepReleaseAcl(
686 _In_ PACL CapturedAcl,
687 _In_ KPROCESSOR_MODE AccessMode,
688 _In_ BOOLEAN CaptureIfKernel);
689
//
// Builds an ACL into AclDest from AclSource; AclDest is optional, and
// AclLength is both read and written.
// NOTE(review): the size annotation on AclDest names DaclLength, which is
// not a parameter of this function (the length parameter is AclLength, a
// pointer). As written, static analysis cannot tie the destination buffer
// to its size -- confirm the intended expression.
//
NTSTATUS
SepPropagateAcl(
    _Out_writes_bytes_opt_(DaclLength) PACL AclDest,
    _Inout_ PULONG AclLength,
    _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
    _In_ PSID Owner,
    _In_ PSID Group,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);
700
701 PACL
702 SepSelectAcl(
703 _In_opt_ PACL ExplicitAcl,
704 _In_ BOOLEAN ExplicitPresent,
705 _In_ BOOLEAN ExplicitDefaulted,
706 _In_opt_ PACL ParentAcl,
707 _In_opt_ PACL DefaultAcl,
708 _Out_ PULONG AclLength,
709 _In_ PSID Owner,
710 _In_ PSID Group,
711 _Out_ PBOOLEAN AclPresent,
712 _Out_ PBOOLEAN IsInherited,
713 _In_ BOOLEAN IsDirectoryObject,
714 _In_ PGENERIC_MAPPING GenericMapping);
715
716 //
717 // SD functions
718 //
719 CODE_SEG("INIT")
720 BOOLEAN
721 NTAPI
722 SepInitSDs(VOID);
723
724 NTSTATUS
725 NTAPI
726 SeSetWorldSecurityDescriptor(
727 _In_ SECURITY_INFORMATION SecurityInformation,
728 _In_ PISECURITY_DESCRIPTOR SecurityDescriptor,
729 _In_ PULONG BufferLength);
730
731 NTSTATUS
732 NTAPI
733 SeComputeQuotaInformationSize(
734 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
735 _Out_ PULONG QuotaInfoSize);
736
737 //
738 // Security Reference Monitor (SeRm) functions
739 //
740 BOOLEAN
741 NTAPI
742 SeRmInitPhase0(VOID);
743
744 BOOLEAN
745 NTAPI
746 SeRmInitPhase1(VOID);
747
748 NTSTATUS
749 NTAPI
750 SepRmInsertLogonSessionIntoToken(
751 _Inout_ PTOKEN Token);
752
753 NTSTATUS
754 NTAPI
755 SepRmRemoveLogonSessionFromToken(
756 _Inout_ PTOKEN Token);
757
758 NTSTATUS
759 SepRmReferenceLogonSession(
760 _Inout_ PLUID LogonLuid);
761
762 NTSTATUS
763 SepRmDereferenceLogonSession(
764 _Inout_ PLUID LogonLuid);
765
766 NTSTATUS
767 NTAPI
768 SepRegQueryHelper(
769 _In_ PCWSTR KeyName,
770 _In_ PCWSTR ValueName,
771 _In_ ULONG ValueType,
772 _In_ ULONG DataLength,
773 _Out_ PVOID ValueData);
774
775 NTSTATUS
776 NTAPI
777 SeGetLogonIdDeviceMap(
778 _In_ PLUID LogonId,
779 _Out_ PDEVICE_MAP *DeviceMap);
780
781 //
782 // Audit functions
783 //
784 NTSTATUS
785 NTAPI
786 SeInitializeProcessAuditName(
787 _In_ PFILE_OBJECT FileObject,
788 _In_ BOOLEAN DoAudit,
789 _Out_ POBJECT_NAME_INFORMATION *AuditInfo);
790
791 BOOLEAN
792 NTAPI
793 SeDetailedAuditingWithToken(
794 _In_ PTOKEN Token);
795
796 VOID
797 NTAPI
798 SeAuditProcessExit(
799 _In_ PEPROCESS Process);
800
801 VOID
802 NTAPI
803 SeAuditProcessCreate(
804 _In_ PEPROCESS Process);
805
806 VOID
807 NTAPI
808 SePrivilegedServiceAuditAlarm(
809 _In_opt_ PUNICODE_STRING ServiceName,
810 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
811 _In_ PPRIVILEGE_SET PrivilegeSet,
812 _In_ BOOLEAN AccessGranted);
813
814 //
815 // Subject functions
816 //
817 VOID
818 NTAPI
819 SeCaptureSubjectContextEx(
820 _In_ PETHREAD Thread,
821 _In_ PEPROCESS Process,
822 _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext);
823
824 //
825 // Security Quality of Service (SQoS) functions
826 //
827 NTSTATUS
828 NTAPI
829 SepCaptureSecurityQualityOfService(
830 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
831 _In_ KPROCESSOR_MODE AccessMode,
832 _In_ POOL_TYPE PoolType,
833 _In_ BOOLEAN CaptureIfKernel,
834 _Out_ PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
835 _Out_ PBOOLEAN Present);
836
837 VOID
838 NTAPI
839 SepReleaseSecurityQualityOfService(
840 _In_opt_ PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService,
841 _In_ KPROCESSOR_MODE AccessMode,
842 _In_ BOOLEAN CaptureIfKernel);
843
844 //
845 // Object type list functions
846 //
847 PGUID
848 SepGetObjectTypeGuidFromAce(
849 _In_ PACE Ace,
850 _In_ BOOLEAN IsAceDenied);
851
852 BOOLEAN
853 SepObjectTypeGuidInList(
854 _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST_INTERNAL ObjectTypeList,
855 _In_ ULONG ObjectTypeListLength,
856 _In_ PGUID ObjectTypeGuid,
857 _Out_ PULONG ObjectIndex);
858
859 NTSTATUS
860 SeCaptureObjectTypeList(
861 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
862 _In_ ULONG ObjectTypeListLength,
863 _In_ KPROCESSOR_MODE PreviousMode,
864 _Out_ POBJECT_TYPE_LIST_INTERNAL *CapturedObjectTypeList);
865
866 VOID
867 SeReleaseObjectTypeList(
868 _In_ _Post_invalid_ POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList,
869 _In_ KPROCESSOR_MODE PreviousMode);
870
871 //
872 // Access state functions
873 //
//
// Sets up an access state for the given thread and process.
// NOTE(review): AccessState mixes the SAL annotation _In_ with the legacy
// OUT marker. Static analysis sees only _In_ and treats the structure as
// read-only input; _Inout_ or _Out_ was presumably intended -- confirm
// against the implementation.
//
NTSTATUS
NTAPI
SeCreateAccessStateEx(
    _In_ PETHREAD Thread,
    _In_ PEPROCESS Process,
    _In_ OUT PACCESS_STATE AccessState,
    _In_ PAUX_ACCESS_DATA AuxData,
    _In_ ACCESS_MASK Access,
    _In_ PGENERIC_MAPPING GenericMapping);
883
884 //
885 // Access check functions
886 //
887 BOOLEAN
888 NTAPI
889 SeFastTraverseCheck(
890 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
891 _In_ PACCESS_STATE AccessState,
892 _In_ ACCESS_MASK DesiredAccess,
893 _In_ KPROCESSOR_MODE AccessMode);
894
895 #endif
896
897 /* EOF */
898