xref: /reactos/ntoskrnl/include/internal/se.h (revision 3e1f4074)
1 /*
2  * PROJECT:         ReactOS Kernel
3  * LICENSE:         GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4  * PURPOSE:         Internal header for the Security Manager
5  * COPYRIGHT:       Copyright Eric Kohl
6  *                  Copyright 2022 George Bișoc <george.bisoc@reactos.org>
7  */
8 
9 #pragma once
10 
11 //
12 // Internal ACE type structures
13 //
//
// Internal view of an ACE: the ACE header, an access mask, then SidStart.
// NOTE(review): presumably mirrors the ACCESS_ALLOWED_ACE family, where
// SidStart is only the first ULONG of a variable-length SID that trails the
// structure - confirm. If so, code walking an ACL must check Header.AceSize
// against the enclosing ACL before reading anything at or past SidStart.
//
typedef struct _KNOWN_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG SidStart;
} KNOWN_ACE, *PKNOWN_ACE;
20 
//
// Internal view of an object ACE: header, access mask, a Flags word, then
// SidStart.
// NOTE(review): presumably Flags selects optional GUIDs placed before the SID
// (as in ACCESS_ALLOWED_OBJECT_ACE); if so the SID does not always begin at
// SidStart and should be located through SepGetSidFromAce rather than by
// taking the address of this field - confirm against the definition.
//
typedef struct _KNOWN_OBJECT_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG Flags;
    ULONG SidStart;
} KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;
28 
//
// Internal view of a compound ACE: header, access mask, a compound ACE type
// and a reserved word, then SidStart.
// NOTE(review): what follows SidStart (one SID or several) is not visible
// from this header - confirm before computing lengths from this layout.
//
typedef struct _KNOWN_COMPOUND_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    USHORT CompoundAceType;
    USHORT Reserved;
    ULONG SidStart;
} KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;
37 
38 //
39 // Access Check Rights
40 //
//
// Three access masks kept together for an access check.
// NOTE(review): going by the field names these track the rights still to be
// decided, the rights granted so far and the rights denied so far - confirm
// against the access check code, including who zero-initializes them.
//
typedef struct _ACCESS_CHECK_RIGHTS
{
    ACCESS_MASK RemainingAccessRights;
    ACCESS_MASK GrantedAccessRights;
    ACCESS_MASK DeniedAccessRights;
} ACCESS_CHECK_RIGHTS, *PACCESS_CHECK_RIGHTS;
47 
//
// Selector with two values, AccessCheckMaximum (0) and AccessCheckRegular (1).
// NOTE(review): presumably distinguishes a MAXIMUM_ALLOWED evaluation from a
// check of specific requested rights - confirm against the users of this enum.
//
typedef enum _ACCESS_CHECK_RIGHT_TYPE
{
    AccessCheckMaximum,
    AccessCheckRegular
} ACCESS_CHECK_RIGHT_TYPE;
53 
54 //
55 // Token Audit Policy Information structure
56 //
//
// A count followed by an array of (Category, Value) entries declared with a
// single element.
// NOTE(review): Policies[1] looks like the pre-C99 trailing-array idiom, with
// PolicyCount giving the real number of entries - confirm. If so, sizeof() of
// this type covers one entry only, and any consumer must check PolicyCount
// against the length of the buffer it was handed before indexing Policies.
//
typedef struct _TOKEN_AUDIT_POLICY_INFORMATION
{
    ULONG PolicyCount;
    struct
    {
        ULONG Category;
        UCHAR Value;
    } Policies[1];
} TOKEN_AUDIT_POLICY_INFORMATION, *PTOKEN_AUDIT_POLICY_INFORMATION;
66 
67 //
68 // Token creation method defines (for debugging purposes)
69 //
70 #define TOKEN_CREATE_METHOD    0xCUL
71 #define TOKEN_DUPLICATE_METHOD 0xDUL
72 #define TOKEN_FILTER_METHOD    0xFUL
73 
74 //
75 // Security descriptor internal helpers
76 //
/*
 * Returns the group SID of a security descriptor, in either absolute or
 * self-relative form.
 *
 * _Descriptor is read as an ISECURITY_DESCRIPTOR; when SE_SELF_RELATIVE is
 * set in Control it is reinterpreted as the relative layout and the Group
 * offset is added to the descriptor's base address. A zero offset yields NULL.
 *
 * The helper takes no length, so the offset is NOT checked against the size
 * of the descriptor: it must only be given a descriptor whose offsets were
 * already validated (or that was built by trusted kernel code).
 * NOTE(review): the parameter is annotated _Inout_ although this body only
 * reads through it.
 */
FORCEINLINE
PSID
SepGetGroupFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute form: the field already holds the pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Group;
    }

    /* Self-relative form: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    return RelativeSd->Group
           ? (PSID)((ULONG_PTR)RelativeSd + RelativeSd->Group)
           : NULL;
}
96 
/*
 * Returns the owner SID of a security descriptor, in either absolute or
 * self-relative form.
 *
 * With SE_SELF_RELATIVE set in Control, the Owner field is treated as an
 * offset from the start of the descriptor (zero meaning "no owner", NULL is
 * returned); otherwise the Owner pointer is returned unchanged.
 *
 * No bounds check is made on the offset - there is no length to check it
 * against - so the descriptor must already have been validated by the caller.
 * NOTE(review): the parameter is annotated _Inout_ although this body only
 * reads through it.
 */
FORCEINLINE
PSID
SepGetOwnerFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute form: the field already holds the pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Owner;
    }

    /* Self-relative form: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    return RelativeSd->Owner
           ? (PSID)((ULONG_PTR)RelativeSd + RelativeSd->Owner)
           : NULL;
}
116 
/*
 * Returns the DACL of a security descriptor, or NULL.
 *
 * NULL is returned when SE_DACL_PRESENT is clear, and also when the
 * descriptor is self-relative with a zero Dacl offset. An absolute
 * descriptor returns its Dacl pointer as stored, which may itself be NULL.
 * Callers therefore cannot tell "no DACL present" from "DACL present but
 * NULL" by the return value alone; the two cases mean different things for
 * access decisions, so test the control flag where that matters.
 *
 * The self-relative offset is not bounds-checked here; the descriptor must
 * have been validated before it reaches this helper.
 * NOTE(review): the parameter is annotated _Inout_ although this body only
 * reads through it.
 */
FORCEINLINE
PACL
SepGetDaclFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* The control word says there is no DACL at all */
    if ((AbsoluteSd->Control & SE_DACL_PRESENT) == 0)
    {
        return NULL;
    }

    /* Absolute form: the field already holds the pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Dacl;
    }

    /* Self-relative form: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    return RelativeSd->Dacl
           ? (PACL)((ULONG_PTR)RelativeSd + RelativeSd->Dacl)
           : NULL;
}
138 
/*
 * Returns the SACL of a security descriptor, or NULL.
 *
 * NULL is returned when SE_SACL_PRESENT is clear, and also when the
 * descriptor is self-relative with a zero Sacl offset. An absolute
 * descriptor returns its Sacl pointer as stored.
 *
 * The self-relative offset is not bounds-checked here; the descriptor must
 * have been validated before it reaches this helper.
 * NOTE(review): the parameter is annotated _Inout_ although this body only
 * reads through it.
 */
FORCEINLINE
PACL
SepGetSaclFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* The control word says there is no SACL at all */
    if ((AbsoluteSd->Control & SE_SACL_PRESENT) == 0)
    {
        return NULL;
    }

    /* Absolute form: the field already holds the pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Sacl;
    }

    /* Self-relative form: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    return RelativeSd->Sacl
           ? (PACL)((ULONG_PTR)RelativeSd + RelativeSd->Sacl)
           : NULL;
}
160 
161 #ifndef RTL_H
162 
163 //
164 // SID Authorities
165 //
166 extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
167 extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
168 extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
169 extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
170 extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;
171 
172 //
173 // SIDs
174 //
extern PSID SeNullSid;
extern PSID SeWorldSid;
extern PSID SeLocalSid;
extern PSID SeCreatorOwnerSid;
extern PSID SeCreatorGroupSid;
extern PSID SeCreatorOwnerServerSid;
extern PSID SeCreatorGroupServerSid;
extern PSID SeNtAuthoritySid;
extern PSID SeDialupSid;
extern PSID SeNetworkSid;
extern PSID SeBatchSid;
extern PSID SeInteractiveSid;
extern PSID SeServiceSid;
extern PSID SeAnonymousLogonSid;
extern PSID SePrincipalSelfSid;
extern PSID SeLocalSystemSid;
// NOTE(review): this list has two near-identical pairs, SeAuthenticatedUserSid /
// SeAuthenticatedUsersSid and SeRestrictedCodeSid / SeRestrictedSid. Whether
// each pair names one SID or two cannot be told from this header - confirm
// both are defined and initialized, since picking the wrong global when
// building an ACL changes who is granted access.
extern PSID SeAuthenticatedUserSid;
extern PSID SeRestrictedCodeSid;
extern PSID SeAliasAdminsSid;
extern PSID SeAliasUsersSid;
extern PSID SeAliasGuestsSid;
extern PSID SeAliasPowerUsersSid;
extern PSID SeAliasAccountOpsSid;
extern PSID SeAliasSystemOpsSid;
extern PSID SeAliasPrintOpsSid;
extern PSID SeAliasBackupOpsSid;
extern PSID SeAuthenticatedUsersSid;
extern PSID SeRestrictedSid;
// NOTE(review): repeats the SeAnonymousLogonSid declaration made earlier in
// this list; harmless to the compiler, but redundant.
extern PSID SeAnonymousLogonSid;
extern PSID SeLocalServiceSid;
extern PSID SeNetworkServiceSid;
206 
207 //
208 // Privileges
209 //
210 extern const LUID SeCreateTokenPrivilege;
211 extern const LUID SeAssignPrimaryTokenPrivilege;
212 extern const LUID SeLockMemoryPrivilege;
213 extern const LUID SeIncreaseQuotaPrivilege;
214 extern const LUID SeUnsolicitedInputPrivilege;
215 extern const LUID SeTcbPrivilege;
216 extern const LUID SeSecurityPrivilege;
217 extern const LUID SeTakeOwnershipPrivilege;
218 extern const LUID SeLoadDriverPrivilege;
219 extern const LUID SeSystemProfilePrivilege;
220 extern const LUID SeSystemtimePrivilege;
221 extern const LUID SeProfileSingleProcessPrivilege;
222 extern const LUID SeIncreaseBasePriorityPrivilege;
223 extern const LUID SeCreatePagefilePrivilege;
224 extern const LUID SeCreatePermanentPrivilege;
225 extern const LUID SeBackupPrivilege;
226 extern const LUID SeRestorePrivilege;
227 extern const LUID SeShutdownPrivilege;
228 extern const LUID SeDebugPrivilege;
229 extern const LUID SeAuditPrivilege;
230 extern const LUID SeSystemEnvironmentPrivilege;
231 extern const LUID SeChangeNotifyPrivilege;
232 extern const LUID SeRemoteShutdownPrivilege;
233 extern const LUID SeUndockPrivilege;
234 extern const LUID SeSyncAgentPrivilege;
235 extern const LUID SeEnableDelegationPrivilege;
236 extern const LUID SeManageVolumePrivilege;
237 extern const LUID SeImpersonatePrivilege;
238 extern const LUID SeCreateGlobalPrivilege;
239 extern const LUID SeTrustedCredmanPrivilege;
240 extern const LUID SeRelabelPrivilege;
241 extern const LUID SeIncreaseWorkingSetPrivilege;
242 extern const LUID SeTimeZonePrivilege;
243 extern const LUID SeCreateSymbolicLinkPrivilege;
244 
245 //
246 // DACLs
247 //
248 extern PACL SePublicDefaultUnrestrictedDacl;
249 extern PACL SePublicOpenDacl;
250 extern PACL SePublicOpenUnrestrictedDacl;
251 extern PACL SeUnrestrictedDacl;
252 extern PACL SeSystemAnonymousLogonDacl;
253 
254 //
255 // SDs
256 //
257 extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
258 extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
259 extern PSECURITY_DESCRIPTOR SePublicOpenSd;
260 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
261 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
262 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
263 extern PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd;
264 
265 //
266 // Anonymous Logon Tokens
267 //
268 extern PTOKEN SeAnonymousLogonToken;
269 extern PTOKEN SeAnonymousLogonTokenNoEveryone;
270 
271 
272 //
273 // Token lock management macros
274 //
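//
// Each acquire macro enters a critical region and then takes the token's
// TokenLock resource (exclusive or shared) with Wait == TRUE, i.e. it blocks
// until the lock is held. SepReleaseTokenLock undoes both steps in reverse
// order. Every acquire must be matched by exactly one SepReleaseTokenLock on
// every exit path, error paths included; otherwise the thread stays inside
// the critical region and still owns the resource.
//
// The Token argument is parenthesized before the cast so that an expression
// argument is cast as a whole, not just its first operand.
//
// NOTE(review): each macro expands to a bare { ... } block rather than
// do { ... } while (0), so "if (x) SepReleaseTokenLock(T); else ..." will not
// compile. The form is kept because call sites outside this header may
// depend on it.
//
#define SepAcquireTokenLockExclusive(Token)                                    \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceExclusiveLite(((PTOKEN)(Token))->TokenLock, TRUE);        \
}
#define SepAcquireTokenLockShared(Token)                                       \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceSharedLite(((PTOKEN)(Token))->TokenLock, TRUE);           \
}

#define SepReleaseTokenLock(Token)                                             \
{                                                                              \
    ExReleaseResourceLite(((PTOKEN)(Token))->TokenLock);                       \
    KeLeaveCriticalRegion();                                                   \
}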
291 
292 //
293 // Token Functions
294 //
295 CODE_SEG("INIT")
296 VOID
297 NTAPI
298 SepInitializeTokenImplementation(VOID);
299 
300 CODE_SEG("INIT")
301 PTOKEN
302 NTAPI
303 SepCreateSystemProcessToken(VOID);
304 
305 CODE_SEG("INIT")
306 PTOKEN
307 SepCreateSystemAnonymousLogonToken(VOID);
308 
309 CODE_SEG("INIT")
310 PTOKEN
311 SepCreateSystemAnonymousLogonTokenNoEveryone(VOID);
312 
313 NTSTATUS
314 NTAPI
315 SepDuplicateToken(
316     _In_ PTOKEN Token,
317     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
318     _In_ BOOLEAN EffectiveOnly,
319     _In_ TOKEN_TYPE TokenType,
320     _In_ SECURITY_IMPERSONATION_LEVEL Level,
321     _In_ KPROCESSOR_MODE PreviousMode,
322     _Out_ PTOKEN* NewAccessToken);
323 
324 NTSTATUS
325 NTAPI
326 SepCreateToken(
327     _Out_ PHANDLE TokenHandle,
328     _In_ KPROCESSOR_MODE PreviousMode,
329     _In_ ACCESS_MASK DesiredAccess,
330     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
331     _In_ TOKEN_TYPE TokenType,
332     _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
333     _In_ PLUID AuthenticationId,
334     _In_ PLARGE_INTEGER ExpirationTime,
335     _In_ PSID_AND_ATTRIBUTES User,
336     _In_ ULONG GroupCount,
337     _In_ PSID_AND_ATTRIBUTES Groups,
338     _In_ ULONG GroupsLength,
339     _In_ ULONG PrivilegeCount,
340     _In_ PLUID_AND_ATTRIBUTES Privileges,
341     _In_opt_ PSID Owner,
342     _In_ PSID PrimaryGroup,
343     _In_opt_ PACL DefaultDacl,
344     _In_ PTOKEN_SOURCE TokenSource,
345     _In_ BOOLEAN SystemToken);
346 
347 BOOLEAN
348 NTAPI
349 SepTokenIsOwner(
350     _In_ PACCESS_TOKEN _Token,
351     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
352     _In_ BOOLEAN TokenLocked);
353 
354 NTSTATUS
355 SepCreateTokenLock(
356     _Inout_ PTOKEN Token);
357 
358 VOID
359 SepDeleteTokenLock(
360     _Inout_ PTOKEN Token);
361 
362 VOID
363 SepUpdatePrivilegeFlagsToken(
364     _Inout_ PTOKEN Token);
365 
366 NTSTATUS
367 SepFindPrimaryGroupAndDefaultOwner(
368     _In_ PTOKEN Token,
369     _In_ PSID PrimaryGroup,
370     _In_opt_ PSID DefaultOwner,
371     _Out_opt_ PULONG PrimaryGroupIndex,
372     _Out_opt_ PULONG DefaultOwnerIndex);
373 
374 VOID
375 SepUpdateSinglePrivilegeFlagToken(
376     _Inout_ PTOKEN Token,
377     _In_ ULONG Index);
378 
// NOTE(review): SepUpdatePrivilegeFlagsToken is already declared earlier in
// this header with the same signature; this second declaration is redundant.
VOID
SepUpdatePrivilegeFlagsToken(
    _Inout_ PTOKEN Token);
382 
383 VOID
384 SepRemovePrivilegeToken(
385     _Inout_ PTOKEN Token,
386     _In_ ULONG Index);
387 
388 VOID
389 SepRemoveUserGroupToken(
390     _Inout_ PTOKEN Token,
391     _In_ ULONG Index);
392 
393 ULONG
394 SepComputeAvailableDynamicSpace(
395     _In_ ULONG DynamicCharged,
396     _In_ PSID PrimaryGroup,
397     _In_opt_ PACL DefaultDacl);
398 
399 NTSTATUS
400 SepRebuildDynamicPartOfToken(
401     _In_ PTOKEN Token,
402     _In_ ULONG NewDynamicPartSize);
403 
404 BOOLEAN
405 NTAPI
406 SeTokenCanImpersonate(
407     _In_ PTOKEN ProcessToken,
408     _In_ PTOKEN TokenToImpersonate,
409     _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel);
410 
411 VOID
412 NTAPI
413 SeGetTokenControlInformation(
414     _In_ PACCESS_TOKEN _Token,
415     _Out_ PTOKEN_CONTROL TokenControl);
416 
417 VOID
418 NTAPI
419 SeDeassignPrimaryToken(
420     _Inout_ PEPROCESS Process);
421 
422 NTSTATUS
423 NTAPI
424 SeSubProcessToken(
425     _In_ PTOKEN Parent,
426     _Out_ PTOKEN *Token,
427     _In_ BOOLEAN InUse,
428     _In_ ULONG SessionId);
429 
430 NTSTATUS
431 NTAPI
432 SeIsTokenChild(
433     _In_ PTOKEN Token,
434     _Out_ PBOOLEAN IsChild);
435 
436 NTSTATUS
437 NTAPI
438 SeIsTokenSibling(
439     _In_ PTOKEN Token,
440     _Out_ PBOOLEAN IsSibling);
441 
442 NTSTATUS
443 NTAPI
444 SeExchangePrimaryToken(
445     _In_ PEPROCESS Process,
446     _In_ PACCESS_TOKEN NewAccessToken,
447     _Out_ PACCESS_TOKEN* OldAccessToken);
448 
449 NTSTATUS
450 NTAPI
451 SeCopyClientToken(
452     _In_ PACCESS_TOKEN Token,
453     _In_ SECURITY_IMPERSONATION_LEVEL Level,
454     _In_ KPROCESSOR_MODE PreviousMode,
455     _Out_ PACCESS_TOKEN* NewToken);
456 
457 BOOLEAN
458 NTAPI
459 SeTokenIsInert(
460     _In_ PTOKEN Token);
461 
462 ULONG
463 RtlLengthSidAndAttributes(
464     _In_ ULONG Count,
465     _In_ PSID_AND_ATTRIBUTES Src);
466 
467 //
468 // Security Manager (SeMgr) functions
469 //
470 CODE_SEG("INIT")
471 BOOLEAN
472 NTAPI
473 SeInitSystem(VOID);
474 
475 NTSTATUS
476 NTAPI
477 SeDefaultObjectMethod(
478     _In_ PVOID Object,
479     _In_ SECURITY_OPERATION_CODE OperationType,
480     _In_ PSECURITY_INFORMATION SecurityInformation,
481     _Inout_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
482     _Inout_opt_ PULONG ReturnLength,
483     _Inout_opt_ PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
484     _In_ POOL_TYPE PoolType,
485     _In_ PGENERIC_MAPPING GenericMapping);
486 
487 VOID
488 NTAPI
489 SeQuerySecurityAccessMask(
490     _In_ SECURITY_INFORMATION SecurityInformation,
491     _Out_ PACCESS_MASK DesiredAccess);
492 
493 VOID
494 NTAPI
495 SeSetSecurityAccessMask(
496     _In_ SECURITY_INFORMATION SecurityInformation,
497     _Out_ PACCESS_MASK DesiredAccess);
498 
499 //
500 // Privilege functions
501 //
502 CODE_SEG("INIT")
503 VOID
504 NTAPI
505 SepInitPrivileges(VOID);
506 
507 BOOLEAN
508 NTAPI
509 SepPrivilegeCheck(
510     _In_ PTOKEN Token,
511     _In_ PLUID_AND_ATTRIBUTES Privileges,
512     _In_ ULONG PrivilegeCount,
513     _In_ ULONG PrivilegeControl,
514     _In_ KPROCESSOR_MODE PreviousMode);
515 
516 NTSTATUS
517 NTAPI
518 SePrivilegePolicyCheck(
519     _Inout_ PACCESS_MASK DesiredAccess,
520     _Inout_ PACCESS_MASK GrantedAccess,
521     _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
522     _In_ PTOKEN Token,
523     _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
524     _In_ KPROCESSOR_MODE PreviousMode);
525 
526 BOOLEAN
527 NTAPI
528 SeCheckAuditPrivilege(
529     _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
530     _In_ KPROCESSOR_MODE PreviousMode);
531 
532 BOOLEAN
533 NTAPI
534 SeCheckPrivilegedObject(
535     _In_ LUID PrivilegeValue,
536     _In_ HANDLE ObjectHandle,
537     _In_ ACCESS_MASK DesiredAccess,
538     _In_ KPROCESSOR_MODE PreviousMode);
539 
//
// Captures an array of PrivilegeCount LUID_AND_ATTRIBUTES entries from Src
// and hands the result back through Dest and Length.
// NOTE(review): presumably copies a user-mode array into kernel memory when
// PreviousMode is UserMode, so that later checks work on a stable copy -
// confirm. If so, the definition should bound PrivilegeCount and guard the
// PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES) multiplication against
// overflow before probing or allocating.
// NOTE(review): AllocatedMem is annotated _In_ (required, read-only) here,
// while SeCaptureSidAndAttributesArray in this header takes
// "_In_opt_ PVOID AllocatedMem". If this is an optional caller-supplied
// destination buffer the annotation understates it - confirm against the
// definition.
//
NTSTATUS
NTAPI
SeCaptureLuidAndAttributesArray(
    _In_ PLUID_AND_ATTRIBUTES Src,
    _In_ ULONG PrivilegeCount,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_ PLUID_AND_ATTRIBUTES AllocatedMem,
    _In_ ULONG AllocatedLength,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PLUID_AND_ATTRIBUTES* Dest,
    _Inout_ PULONG Length);
552 
553 VOID
554 NTAPI
555 SeReleaseLuidAndAttributesArray(
556     _In_ PLUID_AND_ATTRIBUTES Privilege,
557     _In_ KPROCESSOR_MODE PreviousMode,
558     _In_ BOOLEAN CaptureIfKernel);
559 
560 //
561 // SID functions
562 //
563 CODE_SEG("INIT")
564 BOOLEAN
565 NTAPI
566 SepInitSecurityIDs(VOID);
567 
568 NTSTATUS
569 NTAPI
570 SepCaptureSid(
571     _In_ PSID InputSid,
572     _In_ KPROCESSOR_MODE AccessMode,
573     _In_ POOL_TYPE PoolType,
574     _In_ BOOLEAN CaptureIfKernel,
575     _Out_ PSID *CapturedSid);
576 
577 VOID
578 NTAPI
579 SepReleaseSid(
580     _In_ PSID CapturedSid,
581     _In_ KPROCESSOR_MODE AccessMode,
582     _In_ BOOLEAN CaptureIfKernel);
583 
584 BOOLEAN
585 NTAPI
586 SepSidInToken(
587     _In_ PACCESS_TOKEN _Token,
588     _In_ PSID Sid);
589 
590 BOOLEAN
591 NTAPI
592 SepSidInTokenEx(
593     _In_ PACCESS_TOKEN _Token,
594     _In_ PSID PrincipalSelfSid,
595     _In_ PSID _Sid,
596     _In_ BOOLEAN Deny,
597     _In_ BOOLEAN Restricted);
598 
599 PSID
600 NTAPI
601 SepGetSidFromAce(
602     _In_ UCHAR AceType,
603     _In_ PACE Ace);
604 
605 NTSTATUS
606 NTAPI
607 SeCaptureSidAndAttributesArray(
608     _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
609     _In_ ULONG AttributeCount,
610     _In_ KPROCESSOR_MODE PreviousMode,
611     _In_opt_ PVOID AllocatedMem,
612     _In_ ULONG AllocatedLength,
613     _In_ POOL_TYPE PoolType,
614     _In_ BOOLEAN CaptureIfKernel,
615     _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
616     _Out_ PULONG ResultLength);
617 
618 VOID
619 NTAPI
620 SeReleaseSidAndAttributesArray(
621     _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
622     _In_ KPROCESSOR_MODE AccessMode,
623     _In_ BOOLEAN CaptureIfKernel);
624 
625 //
626 // ACL functions
627 //
628 CODE_SEG("INIT")
629 BOOLEAN
630 NTAPI
631 SepInitDACLs(VOID);
632 
633 NTSTATUS
634 NTAPI
635 SepCreateImpersonationTokenDacl(
636     _In_ PTOKEN Token,
637     _In_ PTOKEN PrimaryToken,
638     _Out_ PACL* Dacl);
639 
640 NTSTATUS
641 NTAPI
642 SepCaptureAcl(
643     _In_ PACL InputAcl,
644     _In_ KPROCESSOR_MODE AccessMode,
645     _In_ POOL_TYPE PoolType,
646     _In_ BOOLEAN CaptureIfKernel,
647     _Out_ PACL *CapturedAcl);
648 
649 VOID
650 NTAPI
651 SepReleaseAcl(
652     _In_ PACL CapturedAcl,
653     _In_ KPROCESSOR_MODE AccessMode,
654     _In_ BOOLEAN CaptureIfKernel);
655 
//
// NOTE(review): the size annotation on AclDest names "DaclLength", which is
// not a parameter of this function (the length parameter is AclLength, a
// PULONG). As written, static analysis cannot tie the destination buffer to
// its real size, so an overrun of AclDest would go unreported. Presumably
// the intended bound is the value behind AclLength - confirm against the
// definition and correct the annotation in both places.
//
NTSTATUS
SepPropagateAcl(
    _Out_writes_bytes_opt_(DaclLength) PACL AclDest,
    _Inout_ PULONG AclLength,
    _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
    _In_ PSID Owner,
    _In_ PSID Group,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);
666 
667 PACL
668 SepSelectAcl(
669     _In_opt_ PACL ExplicitAcl,
670     _In_ BOOLEAN ExplicitPresent,
671     _In_ BOOLEAN ExplicitDefaulted,
672     _In_opt_ PACL ParentAcl,
673     _In_opt_ PACL DefaultAcl,
674     _Out_ PULONG AclLength,
675     _In_ PSID Owner,
676     _In_ PSID Group,
677     _Out_ PBOOLEAN AclPresent,
678     _Out_ PBOOLEAN IsInherited,
679     _In_ BOOLEAN IsDirectoryObject,
680     _In_ PGENERIC_MAPPING GenericMapping);
681 
682 //
683 // SD functions
684 //
685 CODE_SEG("INIT")
686 BOOLEAN
687 NTAPI
688 SepInitSDs(VOID);
689 
690 NTSTATUS
691 NTAPI
692 SeSetWorldSecurityDescriptor(
693     _In_ SECURITY_INFORMATION SecurityInformation,
694     _In_ PISECURITY_DESCRIPTOR SecurityDescriptor,
695     _In_ PULONG BufferLength);
696 
697 NTSTATUS
698 NTAPI
699 SeComputeQuotaInformationSize(
700     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
701     _Out_ PULONG QuotaInfoSize);
702 
703 //
704 // Security Reference Monitor (SeRm) functions
705 //
706 BOOLEAN
707 NTAPI
708 SeRmInitPhase0(VOID);
709 
710 BOOLEAN
711 NTAPI
712 SeRmInitPhase1(VOID);
713 
714 NTSTATUS
715 NTAPI
716 SepRmInsertLogonSessionIntoToken(
717     _Inout_ PTOKEN Token);
718 
719 NTSTATUS
720 NTAPI
721 SepRmRemoveLogonSessionFromToken(
722     _Inout_ PTOKEN Token);
723 
724 NTSTATUS
725 SepRmReferenceLogonSession(
726     _Inout_ PLUID LogonLuid);
727 
728 NTSTATUS
729 SepRmDereferenceLogonSession(
730     _Inout_ PLUID LogonLuid);
731 
732 NTSTATUS
733 NTAPI
734 SepRegQueryHelper(
735     _In_ PCWSTR KeyName,
736     _In_ PCWSTR ValueName,
737     _In_ ULONG ValueType,
738     _In_ ULONG DataLength,
739     _Out_ PVOID ValueData);
740 
741 NTSTATUS
742 NTAPI
743 SeGetLogonIdDeviceMap(
744     _In_ PLUID LogonId,
745     _Out_ PDEVICE_MAP *DeviceMap);
746 
747 //
748 // Audit functions
749 //
750 NTSTATUS
751 NTAPI
752 SeInitializeProcessAuditName(
753     _In_ PFILE_OBJECT FileObject,
754     _In_ BOOLEAN DoAudit,
755     _Out_ POBJECT_NAME_INFORMATION *AuditInfo);
756 
757 BOOLEAN
758 NTAPI
759 SeDetailedAuditingWithToken(
760     _In_ PTOKEN Token);
761 
762 VOID
763 NTAPI
764 SeAuditProcessExit(
765     _In_ PEPROCESS Process);
766 
767 VOID
768 NTAPI
769 SeAuditProcessCreate(
770     _In_ PEPROCESS Process);
771 
772 VOID
773 NTAPI
774 SePrivilegedServiceAuditAlarm(
775     _In_opt_ PUNICODE_STRING ServiceName,
776     _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
777     _In_ PPRIVILEGE_SET PrivilegeSet,
778     _In_ BOOLEAN AccessGranted);
779 
780 //
781 // Subject functions
782 //
783 VOID
784 NTAPI
785 SeCaptureSubjectContextEx(
786     _In_ PETHREAD Thread,
787     _In_ PEPROCESS Process,
788     _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext);
789 
790 //
791 // Security Quality of Service (SQoS) functions
792 //
793 NTSTATUS
794 NTAPI
795 SepCaptureSecurityQualityOfService(
796     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
797     _In_ KPROCESSOR_MODE AccessMode,
798     _In_ POOL_TYPE PoolType,
799     _In_ BOOLEAN CaptureIfKernel,
800     _Out_ PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
801     _Out_ PBOOLEAN Present);
802 
803 VOID
804 NTAPI
805 SepReleaseSecurityQualityOfService(
806     _In_opt_ PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService,
807     _In_ KPROCESSOR_MODE AccessMode,
808     _In_ BOOLEAN CaptureIfKernel);
809 
810 //
811 // Object type list functions
812 //
813 NTSTATUS
814 SeCaptureObjectTypeList(
815     _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
816     _In_ ULONG ObjectTypeListLength,
817     _In_ KPROCESSOR_MODE PreviousMode,
818     _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList);
819 
820 VOID
821 SeReleaseObjectTypeList(
822     _In_  _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList,
823     _In_ KPROCESSOR_MODE PreviousMode);
824 
825 //
826 // Access state functions
827 //
//
// NOTE(review): AccessState is annotated "_In_ OUT", mixing SAL with the old
// IN/OUT markers. Only _In_ has meaning to the analyzer, so the parameter is
// treated as read-only input although the OUT marker shows it is also
// written. _Inout_ (or _Out_, if the function fully initializes it) would
// state that; change it together with the definition.
//
NTSTATUS
NTAPI
SeCreateAccessStateEx(
    _In_ PETHREAD Thread,
    _In_ PEPROCESS Process,
    _In_ OUT PACCESS_STATE AccessState,
    _In_ PAUX_ACCESS_DATA AuxData,
    _In_ ACCESS_MASK Access,
    _In_ PGENERIC_MAPPING GenericMapping);
837 
838 //
839 // Access check functions
840 //
841 BOOLEAN
842 NTAPI
843 SeFastTraverseCheck(
844     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
845     _In_ PACCESS_STATE AccessState,
846     _In_ ACCESS_MASK DesiredAccess,
847     _In_ KPROCESSOR_MODE AccessMode);
848 
849 #endif
850 
851 /* EOF */
852