1 /* 2 * PROJECT: ReactOS Kernel 3 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later) 4 * PURPOSE: Internal header for the Security Manager 5 * COPYRIGHT: Copyright Eric Kohl 6 * Copyright 2022 George Bișoc <george.bisoc@reactos.org> 7 */ 8 9 #pragma once 10 11 // 12 // Internal ACE type structures 13 // 14 typedef struct _KNOWN_ACE 15 { 16 ACE_HEADER Header; 17 ACCESS_MASK Mask; 18 ULONG SidStart; 19 } KNOWN_ACE, *PKNOWN_ACE; 20 21 typedef struct _KNOWN_OBJECT_ACE 22 { 23 ACE_HEADER Header; 24 ACCESS_MASK Mask; 25 ULONG Flags; 26 ULONG SidStart; 27 } KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE; 28 29 typedef struct _KNOWN_COMPOUND_ACE 30 { 31 ACE_HEADER Header; 32 ACCESS_MASK Mask; 33 USHORT CompoundAceType; 34 USHORT Reserved; 35 ULONG SidStart; 36 } KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE; 37 38 // 39 // Access Check Rights 40 // 41 typedef struct _ACCESS_CHECK_RIGHTS 42 { 43 ACCESS_MASK RemainingAccessRights; 44 ACCESS_MASK GrantedAccessRights; 45 ACCESS_MASK DeniedAccessRights; 46 } ACCESS_CHECK_RIGHTS, *PACCESS_CHECK_RIGHTS; 47 48 typedef enum _ACCESS_CHECK_RIGHT_TYPE 49 { 50 AccessCheckMaximum, 51 AccessCheckRegular 52 } ACCESS_CHECK_RIGHT_TYPE; 53 54 // 55 // Token Audit Policy Information structure 56 // 57 typedef struct _TOKEN_AUDIT_POLICY_INFORMATION 58 { 59 ULONG PolicyCount; 60 struct 61 { 62 ULONG Category; 63 UCHAR Value; 64 } Policies[1]; 65 } TOKEN_AUDIT_POLICY_INFORMATION, *PTOKEN_AUDIT_POLICY_INFORMATION; 66 67 // 68 // Token creation method defines (for debugging purposes) 69 // 70 #define TOKEN_CREATE_METHOD 0xCUL 71 #define TOKEN_DUPLICATE_METHOD 0xDUL 72 #define TOKEN_FILTER_METHOD 0xFUL 73 74 // 75 // Security descriptor internal helpers 76 // 77 FORCEINLINE 78 PSID 79 SepGetGroupFromDescriptor( 80 _Inout_ PVOID _Descriptor) 81 { 82 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 83 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 84 85 if (Descriptor->Control & SE_SELF_RELATIVE) 86 { 87 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 88 if (!SdRel->Group) return NULL; 89 return (PSID)((ULONG_PTR)Descriptor + SdRel->Group); 90 } 91 else 92 { 93 return Descriptor->Group; 94 } 95 } 96 97 FORCEINLINE 98 PSID 99 SepGetOwnerFromDescriptor( 100 _Inout_ PVOID _Descriptor) 101 { 102 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 103 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 104 105 if (Descriptor->Control & SE_SELF_RELATIVE) 106 { 107 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 108 if (!SdRel->Owner) return NULL; 109 return (PSID)((ULONG_PTR)Descriptor + SdRel->Owner); 110 } 111 else 112 { 113 return Descriptor->Owner; 114 } 115 } 116 117 FORCEINLINE 118 PACL 119 SepGetDaclFromDescriptor( 120 _Inout_ PVOID _Descriptor) 121 { 122 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 123 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 124 125 if (!(Descriptor->Control & SE_DACL_PRESENT)) return NULL; 126 127 if (Descriptor->Control & SE_SELF_RELATIVE) 128 { 129 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 130 if (!SdRel->Dacl) return NULL; 131 return (PACL)((ULONG_PTR)Descriptor + SdRel->Dacl); 132 } 133 else 134 { 135 return Descriptor->Dacl; 136 } 137 } 138 139 FORCEINLINE 140 PACL 141 SepGetSaclFromDescriptor( 142 _Inout_ PVOID _Descriptor) 143 { 144 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 145 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 146 147 if (!(Descriptor->Control & SE_SACL_PRESENT)) return NULL; 148 149 if (Descriptor->Control & SE_SELF_RELATIVE) 150 { 151 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 152 if (!SdRel->Sacl) return NULL; 153 return (PACL)((ULONG_PTR)Descriptor + SdRel->Sacl); 154 } 155 else 156 { 157 return Descriptor->Sacl; 158 } 159 } 160 161 #ifndef RTL_H 162 163 // 164 // SID Authorities 165 // 166 extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority; 167 extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority; 168 extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority; 169 extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority; 170 extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority; 171 172 // 173 // SIDs 174 // 175 extern PSID SeNullSid; 176 extern PSID SeWorldSid; 177 extern PSID SeLocalSid; 178 extern PSID SeCreatorOwnerSid; 179 extern PSID SeCreatorGroupSid; 180 extern PSID SeCreatorOwnerServerSid; 181 extern PSID SeCreatorGroupServerSid; 182 extern PSID SeNtAuthoritySid; 183 extern PSID SeDialupSid; 184 extern PSID SeNetworkSid; 185 extern PSID SeBatchSid; 186 extern PSID SeInteractiveSid; 187 extern PSID SeServiceSid; 188 extern PSID SeAnonymousLogonSid; 189 extern PSID SePrincipalSelfSid; 190 extern PSID SeLocalSystemSid; 191 extern PSID SeAuthenticatedUserSid; 192 extern PSID SeRestrictedCodeSid; 193 extern PSID SeAliasAdminsSid; 194 extern PSID SeAliasUsersSid; 195 extern PSID SeAliasGuestsSid; 196 extern PSID SeAliasPowerUsersSid; 197 extern PSID SeAliasAccountOpsSid; 198 extern PSID SeAliasSystemOpsSid; 199 extern PSID SeAliasPrintOpsSid; 200 extern PSID SeAliasBackupOpsSid; 201 extern PSID SeAuthenticatedUsersSid; 202 extern PSID SeRestrictedSid; 203 extern PSID SeAnonymousLogonSid; 204 extern PSID SeLocalServiceSid; 205 extern PSID SeNetworkServiceSid; 206 207 // 208 // Privileges 209 // 210 extern const LUID SeCreateTokenPrivilege; 211 extern const LUID SeAssignPrimaryTokenPrivilege; 212 extern const LUID SeLockMemoryPrivilege; 213 extern const LUID SeIncreaseQuotaPrivilege; 214 extern const LUID SeUnsolicitedInputPrivilege; 215 extern const LUID SeTcbPrivilege; 216 extern const LUID SeSecurityPrivilege; 217 extern const LUID SeTakeOwnershipPrivilege; 218 extern const LUID SeLoadDriverPrivilege; 219 extern const LUID SeSystemProfilePrivilege; 220 extern const LUID SeSystemtimePrivilege; 221 extern const LUID SeProfileSingleProcessPrivilege; 222 extern const LUID SeIncreaseBasePriorityPrivilege; 223 extern const LUID SeCreatePagefilePrivilege; 224 extern const LUID SeCreatePermanentPrivilege; 225 extern const LUID SeBackupPrivilege; 226 extern const LUID SeRestorePrivilege; 227 extern const LUID SeShutdownPrivilege; 228 extern const LUID SeDebugPrivilege; 229 extern const LUID SeAuditPrivilege; 230 extern const LUID SeSystemEnvironmentPrivilege; 231 extern const LUID SeChangeNotifyPrivilege; 232 extern const LUID SeRemoteShutdownPrivilege; 233 extern const LUID SeUndockPrivilege; 234 extern const LUID SeSyncAgentPrivilege; 235 extern const LUID SeEnableDelegationPrivilege; 236 extern const LUID SeManageVolumePrivilege; 237 extern const LUID SeImpersonatePrivilege; 238 extern const LUID SeCreateGlobalPrivilege; 239 extern const LUID SeTrustedCredmanPrivilege; 240 extern const LUID SeRelabelPrivilege; 241 extern const LUID SeIncreaseWorkingSetPrivilege; 242 extern const LUID SeTimeZonePrivilege; 243 extern const LUID SeCreateSymbolicLinkPrivilege; 244 245 // 246 // DACLs 247 // 248 extern PACL SePublicDefaultUnrestrictedDacl; 249 extern PACL SePublicOpenDacl; 250 extern PACL SePublicOpenUnrestrictedDacl; 251 extern PACL SeUnrestrictedDacl; 252 extern PACL SeSystemAnonymousLogonDacl; 253 254 // 255 // SDs 256 // 257 extern PSECURITY_DESCRIPTOR SePublicDefaultSd; 258 extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd; 259 extern PSECURITY_DESCRIPTOR SePublicOpenSd; 260 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd; 261 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd; 262 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd; 263 extern PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd; 264 265 // 266 // Anonymous Logon Tokens 267 // 268 extern PTOKEN SeAnonymousLogonToken; 269 extern PTOKEN SeAnonymousLogonTokenNoEveryone; 270 271 272 // 273 // Token lock management macros 274 // 275 #define SepAcquireTokenLockExclusive(Token) \ 276 { \ 277 KeEnterCriticalRegion(); \ 278 ExAcquireResourceExclusiveLite(((PTOKEN)Token)->TokenLock, TRUE); \ 279 } 280 #define SepAcquireTokenLockShared(Token) \ 281 { \ 282 KeEnterCriticalRegion(); \ 283 ExAcquireResourceSharedLite(((PTOKEN)Token)->TokenLock, TRUE); \ 284 } 285 286 #define SepReleaseTokenLock(Token) \ 287 { \ 288 ExReleaseResourceLite(((PTOKEN)Token)->TokenLock); \ 289 KeLeaveCriticalRegion(); \ 290 } 291 292 // 293 // Token Functions 294 // 295 CODE_SEG("INIT") 296 VOID 297 NTAPI 298 SepInitializeTokenImplementation(VOID); 299 300 CODE_SEG("INIT") 301 PTOKEN 302 NTAPI 303 SepCreateSystemProcessToken(VOID); 304 305 CODE_SEG("INIT") 306 PTOKEN 307 SepCreateSystemAnonymousLogonToken(VOID); 308 309 CODE_SEG("INIT") 310 PTOKEN 311 SepCreateSystemAnonymousLogonTokenNoEveryone(VOID); 312 313 NTSTATUS 314 NTAPI 315 SepDuplicateToken( 316 _In_ PTOKEN Token, 317 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 318 _In_ BOOLEAN EffectiveOnly, 319 _In_ TOKEN_TYPE TokenType, 320 _In_ SECURITY_IMPERSONATION_LEVEL Level, 321 _In_ KPROCESSOR_MODE PreviousMode, 322 _Out_ PTOKEN* NewAccessToken); 323 324 NTSTATUS 325 NTAPI 326 SepCreateToken( 327 _Out_ PHANDLE TokenHandle, 328 _In_ KPROCESSOR_MODE PreviousMode, 329 _In_ ACCESS_MASK DesiredAccess, 330 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 331 _In_ TOKEN_TYPE TokenType, 332 _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, 333 _In_ PLUID AuthenticationId, 334 _In_ PLARGE_INTEGER ExpirationTime, 335 _In_ PSID_AND_ATTRIBUTES User, 336 _In_ ULONG GroupCount, 337 _In_ PSID_AND_ATTRIBUTES Groups, 338 _In_ ULONG GroupsLength, 339 _In_ ULONG PrivilegeCount, 340 _In_ PLUID_AND_ATTRIBUTES Privileges, 341 _In_opt_ PSID Owner, 342 _In_ PSID PrimaryGroup, 343 _In_opt_ PACL DefaultDacl, 344 _In_ PTOKEN_SOURCE TokenSource, 345 _In_ BOOLEAN SystemToken); 346 347 BOOLEAN 348 NTAPI 349 SepTokenIsOwner( 350 _In_ PACCESS_TOKEN _Token, 351 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 352 _In_ BOOLEAN TokenLocked); 353 354 NTSTATUS 355 SepCreateTokenLock( 356 _Inout_ PTOKEN Token); 357 358 VOID 359 SepDeleteTokenLock( 360 _Inout_ PTOKEN Token); 361 362 VOID 363 SepUpdatePrivilegeFlagsToken( 364 _Inout_ PTOKEN Token); 365 366 NTSTATUS 367 SepFindPrimaryGroupAndDefaultOwner( 368 _In_ PTOKEN Token, 369 _In_ PSID PrimaryGroup, 370 _In_opt_ PSID DefaultOwner, 371 _Out_opt_ PULONG PrimaryGroupIndex, 372 _Out_opt_ PULONG DefaultOwnerIndex); 373 374 VOID 375 SepUpdateSinglePrivilegeFlagToken( 376 _Inout_ PTOKEN Token, 377 _In_ ULONG Index); 378 379 VOID 380 SepUpdatePrivilegeFlagsToken( 381 _Inout_ PTOKEN Token); 382 383 VOID 384 SepRemovePrivilegeToken( 385 _Inout_ PTOKEN Token, 386 _In_ ULONG Index); 387 388 VOID 389 SepRemoveUserGroupToken( 390 _Inout_ PTOKEN Token, 391 _In_ ULONG Index); 392 393 BOOLEAN 394 NTAPI 395 SeTokenCanImpersonate( 396 _In_ PTOKEN ProcessToken, 397 _In_ PTOKEN TokenToImpersonate, 398 _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel); 399 400 VOID 401 NTAPI 402 SeGetTokenControlInformation( 403 _In_ PACCESS_TOKEN _Token, 404 _Out_ PTOKEN_CONTROL TokenControl); 405 406 VOID 407 NTAPI 408 SeDeassignPrimaryToken( 409 _Inout_ PEPROCESS Process); 410 411 NTSTATUS 412 NTAPI 413 SeSubProcessToken( 414 _In_ PTOKEN Parent, 415 _Out_ PTOKEN *Token, 416 _In_ BOOLEAN InUse, 417 _In_ ULONG SessionId); 418 419 NTSTATUS 420 NTAPI 421 SeIsTokenChild( 422 _In_ PTOKEN Token, 423 _Out_ PBOOLEAN IsChild); 424 425 NTSTATUS 426 NTAPI 427 SeIsTokenSibling( 428 _In_ PTOKEN Token, 429 _Out_ PBOOLEAN IsSibling); 430 431 NTSTATUS 432 NTAPI 433 SeExchangePrimaryToken( 434 _In_ PEPROCESS Process, 435 _In_ PACCESS_TOKEN NewAccessToken, 436 _Out_ PACCESS_TOKEN* OldAccessToken); 437 438 NTSTATUS 439 NTAPI 440 SeCopyClientToken( 441 _In_ PACCESS_TOKEN Token, 442 _In_ SECURITY_IMPERSONATION_LEVEL Level, 443 _In_ KPROCESSOR_MODE PreviousMode, 444 _Out_ PACCESS_TOKEN* NewToken); 445 446 BOOLEAN 447 NTAPI 448 SeTokenIsInert( 449 _In_ PTOKEN Token); 450 451 ULONG 452 RtlLengthSidAndAttributes( 453 _In_ ULONG Count, 454 _In_ PSID_AND_ATTRIBUTES Src); 455 456 // 457 // Security Manager (SeMgr) functions 458 // 459 CODE_SEG("INIT") 460 BOOLEAN 461 NTAPI 462 SeInitSystem(VOID); 463 464 NTSTATUS 465 NTAPI 466 SeDefaultObjectMethod( 467 _In_ PVOID Object, 468 _In_ SECURITY_OPERATION_CODE OperationType, 469 _In_ PSECURITY_INFORMATION SecurityInformation, 470 _Inout_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, 471 _Inout_opt_ PULONG ReturnLength, 472 _Inout_opt_ PSECURITY_DESCRIPTOR *OldSecurityDescriptor, 473 _In_ POOL_TYPE PoolType, 474 _In_ PGENERIC_MAPPING GenericMapping); 475 476 VOID 477 NTAPI 478 SeQuerySecurityAccessMask( 479 _In_ SECURITY_INFORMATION SecurityInformation, 480 _Out_ PACCESS_MASK DesiredAccess); 481 482 VOID 483 NTAPI 484 SeSetSecurityAccessMask( 485 _In_ SECURITY_INFORMATION SecurityInformation, 486 _Out_ PACCESS_MASK DesiredAccess); 487 488 // 489 // Privilege functions 490 // 491 CODE_SEG("INIT") 492 VOID 493 NTAPI 494 SepInitPrivileges(VOID); 495 496 BOOLEAN 497 NTAPI 498 SepPrivilegeCheck( 499 _In_ PTOKEN Token, 500 _In_ PLUID_AND_ATTRIBUTES Privileges, 501 _In_ ULONG PrivilegeCount, 502 _In_ ULONG PrivilegeControl, 503 _In_ KPROCESSOR_MODE PreviousMode); 504 505 NTSTATUS 506 NTAPI 507 SePrivilegePolicyCheck( 508 _Inout_ PACCESS_MASK DesiredAccess, 509 _Inout_ PACCESS_MASK GrantedAccess, 510 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, 511 _In_ PTOKEN Token, 512 _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet, 513 _In_ KPROCESSOR_MODE PreviousMode); 514 515 BOOLEAN 516 NTAPI 517 SeCheckAuditPrivilege( 518 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, 519 _In_ KPROCESSOR_MODE PreviousMode); 520 521 BOOLEAN 522 NTAPI 523 SeCheckPrivilegedObject( 524 _In_ LUID PrivilegeValue, 525 _In_ HANDLE ObjectHandle, 526 _In_ ACCESS_MASK DesiredAccess, 527 _In_ KPROCESSOR_MODE PreviousMode); 528 529 NTSTATUS 530 NTAPI 531 SeCaptureLuidAndAttributesArray( 532 _In_ PLUID_AND_ATTRIBUTES Src, 533 _In_ ULONG PrivilegeCount, 534 _In_ KPROCESSOR_MODE PreviousMode, 535 _In_ PLUID_AND_ATTRIBUTES AllocatedMem, 536 _In_ ULONG AllocatedLength, 537 _In_ POOL_TYPE PoolType, 538 _In_ BOOLEAN CaptureIfKernel, 539 _Out_ PLUID_AND_ATTRIBUTES* Dest, 540 _Inout_ PULONG Length); 541 542 VOID 543 NTAPI 544 SeReleaseLuidAndAttributesArray( 545 _In_ PLUID_AND_ATTRIBUTES Privilege, 546 _In_ KPROCESSOR_MODE PreviousMode, 547 _In_ BOOLEAN CaptureIfKernel); 548 549 // 550 // SID functions 551 // 552 CODE_SEG("INIT") 553 BOOLEAN 554 NTAPI 555 SepInitSecurityIDs(VOID); 556 557 NTSTATUS 558 NTAPI 559 SepCaptureSid( 560 _In_ PSID InputSid, 561 _In_ KPROCESSOR_MODE AccessMode, 562 _In_ POOL_TYPE PoolType, 563 _In_ BOOLEAN CaptureIfKernel, 564 _Out_ PSID *CapturedSid); 565 566 VOID 567 NTAPI 568 SepReleaseSid( 569 _In_ PSID CapturedSid, 570 _In_ KPROCESSOR_MODE AccessMode, 571 _In_ BOOLEAN CaptureIfKernel); 572 573 BOOLEAN 574 NTAPI 575 SepSidInToken( 576 _In_ PACCESS_TOKEN _Token, 577 _In_ PSID Sid); 578 579 BOOLEAN 580 NTAPI 581 SepSidInTokenEx( 582 _In_ PACCESS_TOKEN _Token, 583 _In_ PSID PrincipalSelfSid, 584 _In_ PSID _Sid, 585 _In_ BOOLEAN Deny, 586 _In_ BOOLEAN Restricted); 587 588 PSID 589 NTAPI 590 SepGetSidFromAce( 591 _In_ UCHAR AceType, 592 _In_ PACE Ace); 593 594 NTSTATUS 595 NTAPI 596 SeCaptureSidAndAttributesArray( 597 _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes, 598 _In_ ULONG AttributeCount, 599 _In_ KPROCESSOR_MODE PreviousMode, 600 _In_opt_ PVOID AllocatedMem, 601 _In_ ULONG AllocatedLength, 602 _In_ POOL_TYPE PoolType, 603 _In_ BOOLEAN CaptureIfKernel, 604 _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes, 605 _Out_ PULONG ResultLength); 606 607 VOID 608 NTAPI 609 SeReleaseSidAndAttributesArray( 610 _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes, 611 _In_ KPROCESSOR_MODE AccessMode, 612 _In_ BOOLEAN CaptureIfKernel); 613 614 // 615 // ACL functions 616 // 617 CODE_SEG("INIT") 618 BOOLEAN 619 NTAPI 620 SepInitDACLs(VOID); 621 622 NTSTATUS 623 NTAPI 624 SepCreateImpersonationTokenDacl( 625 _In_ PTOKEN Token, 626 _In_ PTOKEN PrimaryToken, 627 _Out_ PACL* Dacl); 628 629 NTSTATUS 630 NTAPI 631 SepCaptureAcl( 632 _In_ PACL InputAcl, 633 _In_ KPROCESSOR_MODE AccessMode, 634 _In_ POOL_TYPE PoolType, 635 _In_ BOOLEAN CaptureIfKernel, 636 _Out_ PACL *CapturedAcl); 637 638 VOID 639 NTAPI 640 SepReleaseAcl( 641 _In_ PACL CapturedAcl, 642 _In_ KPROCESSOR_MODE AccessMode, 643 _In_ BOOLEAN CaptureIfKernel); 644 645 NTSTATUS 646 SepPropagateAcl( 647 _Out_writes_bytes_opt_(DaclLength) PACL AclDest, 648 _Inout_ PULONG AclLength, 649 _In_reads_bytes_(AclSource->AclSize) PACL AclSource, 650 _In_ PSID Owner, 651 _In_ PSID Group, 652 _In_ BOOLEAN IsInherited, 653 _In_ BOOLEAN IsDirectoryObject, 654 _In_ PGENERIC_MAPPING GenericMapping); 655 656 PACL 657 SepSelectAcl( 658 _In_opt_ PACL ExplicitAcl, 659 _In_ BOOLEAN ExplicitPresent, 660 _In_ BOOLEAN ExplicitDefaulted, 661 _In_opt_ PACL ParentAcl, 662 _In_opt_ PACL DefaultAcl, 663 _Out_ PULONG AclLength, 664 _In_ PSID Owner, 665 _In_ PSID Group, 666 _Out_ PBOOLEAN AclPresent, 667 _Out_ PBOOLEAN IsInherited, 668 _In_ BOOLEAN IsDirectoryObject, 669 _In_ PGENERIC_MAPPING GenericMapping); 670 671 // 672 // SD functions 673 // 674 CODE_SEG("INIT") 675 BOOLEAN 676 NTAPI 677 SepInitSDs(VOID); 678 679 NTSTATUS 680 NTAPI 681 SeSetWorldSecurityDescriptor( 682 _In_ SECURITY_INFORMATION SecurityInformation, 683 _In_ PISECURITY_DESCRIPTOR SecurityDescriptor, 684 _In_ PULONG BufferLength); 685 686 NTSTATUS 687 NTAPI 688 SeComputeQuotaInformationSize( 689 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 690 _Out_ PULONG QuotaInfoSize); 691 692 // 693 // Security Reference Monitor (SeRm) functions 694 // 695 BOOLEAN 696 NTAPI 697 SeRmInitPhase0(VOID); 698 699 BOOLEAN 700 NTAPI 701 SeRmInitPhase1(VOID); 702 703 NTSTATUS 704 NTAPI 705 SepRmInsertLogonSessionIntoToken( 706 _Inout_ PTOKEN Token); 707 708 NTSTATUS 709 NTAPI 710 SepRmRemoveLogonSessionFromToken( 711 _Inout_ PTOKEN Token); 712 713 NTSTATUS 714 SepRmReferenceLogonSession( 715 _Inout_ PLUID LogonLuid); 716 717 NTSTATUS 718 SepRmDereferenceLogonSession( 719 _Inout_ PLUID LogonLuid); 720 721 NTSTATUS 722 NTAPI 723 SepRegQueryHelper( 724 _In_ PCWSTR KeyName, 725 _In_ PCWSTR ValueName, 726 _In_ ULONG ValueType, 727 _In_ ULONG DataLength, 728 _Out_ PVOID ValueData); 729 730 NTSTATUS 731 NTAPI 732 SeGetLogonIdDeviceMap( 733 _In_ PLUID LogonId, 734 _Out_ PDEVICE_MAP *DeviceMap); 735 736 // 737 // Audit functions 738 // 739 NTSTATUS 740 NTAPI 741 SeInitializeProcessAuditName( 742 _In_ PFILE_OBJECT FileObject, 743 _In_ BOOLEAN DoAudit, 744 _Out_ POBJECT_NAME_INFORMATION *AuditInfo); 745 746 BOOLEAN 747 NTAPI 748 SeDetailedAuditingWithToken( 749 _In_ PTOKEN Token); 750 751 VOID 752 NTAPI 753 SeAuditProcessExit( 754 _In_ PEPROCESS Process); 755 756 VOID 757 NTAPI 758 SeAuditProcessCreate( 759 _In_ PEPROCESS Process); 760 761 VOID 762 NTAPI 763 SePrivilegedServiceAuditAlarm( 764 _In_opt_ PUNICODE_STRING ServiceName, 765 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, 766 _In_ PPRIVILEGE_SET PrivilegeSet, 767 _In_ BOOLEAN AccessGranted); 768 769 // 770 // Subject functions 771 // 772 VOID 773 NTAPI 774 SeCaptureSubjectContextEx( 775 _In_ PETHREAD Thread, 776 _In_ PEPROCESS Process, 777 _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext); 778 779 // 780 // Security Quality of Service (SQoS) functions 781 // 782 NTSTATUS 783 NTAPI 784 SepCaptureSecurityQualityOfService( 785 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 786 _In_ KPROCESSOR_MODE AccessMode, 787 _In_ POOL_TYPE PoolType, 788 _In_ BOOLEAN CaptureIfKernel, 789 _Out_ PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService, 790 _Out_ PBOOLEAN Present); 791 792 VOID 793 NTAPI 794 SepReleaseSecurityQualityOfService( 795 _In_opt_ PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService, 796 _In_ KPROCESSOR_MODE AccessMode, 797 _In_ BOOLEAN CaptureIfKernel); 798 799 // 800 // Object type list functions 801 // 802 NTSTATUS 803 SeCaptureObjectTypeList( 804 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, 805 _In_ ULONG ObjectTypeListLength, 806 _In_ KPROCESSOR_MODE PreviousMode, 807 _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList); 808 809 VOID 810 SeReleaseObjectTypeList( 811 _In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList, 812 _In_ KPROCESSOR_MODE PreviousMode); 813 814 // 815 // Access state functions 816 // 817 NTSTATUS 818 NTAPI 819 SeCreateAccessStateEx( 820 _In_ PETHREAD Thread, 821 _In_ PEPROCESS Process, 822 _In_ OUT PACCESS_STATE AccessState, 823 _In_ PAUX_ACCESS_DATA AuxData, 824 _In_ ACCESS_MASK Access, 825 _In_ PGENERIC_MAPPING GenericMapping); 826 827 // 828 // Access check functions 829 // 830 BOOLEAN 831 NTAPI 832 SeFastTraverseCheck( 833 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 834 _In_ PACCESS_STATE AccessState, 835 _In_ ACCESS_MASK DesiredAccess, 836 _In_ KPROCESSOR_MODE AccessMode); 837 838 #endif 839 840 /* EOF */ 841