xref: /reactos/ntoskrnl/include/internal/se.h (revision 6a31fe6c)
1 #pragma once
2 
/*
 * Generic view of an ACE whose body is an access mask followed by a SID.
 *
 * NOTE(review): the layout matches the documented ACCESS_ALLOWED_ACE family,
 * where SidStart is only the first ULONG of a variable-length SID. Code that
 * walks ACEs through this type should bound every read by Header.AceSize and
 * by the size of the enclosing ACL before touching the SID.
 */
typedef struct _KNOWN_ACE
{
    ACE_HEADER Header;   /* common ACE header */
    ACCESS_MASK Mask;    /* access rights this ACE applies to */
    ULONG SidStart;      /* first ULONG of the trailing SID (see note above) */
} KNOWN_ACE, *PKNOWN_ACE;
9 
/*
 * Generic view of an object-type ACE: header, access mask, a Flags word and
 * then the trailing data that SidStart marks the beginning of.
 *
 * NOTE(review): in the documented object ACE layouts the Flags word selects
 * optional GUID fields that precede the SID, so SidStart may not be where the
 * SID actually begins - confirm against the code that parses these ACEs, and
 * bound all reads by Header.AceSize.
 */
typedef struct _KNOWN_OBJECT_ACE
{
    ACE_HEADER Header;   /* common ACE header */
    ACCESS_MASK Mask;    /* access rights this ACE applies to */
    ULONG Flags;         /* object-ACE flags */
    ULONG SidStart;      /* start of the variable-length tail (see note above) */
} KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;
17 
/*
 * Generic view of a compound ACE: header, access mask, a 16-bit compound
 * type, 16 reserved bits and then the trailing SID data.
 *
 * NOTE(review): SidStart is a single ULONG, so anything read past it must be
 * bounded by Header.AceSize and by the enclosing ACL.
 */
typedef struct _KNOWN_COMPOUND_ACE
{
    ACE_HEADER Header;        /* common ACE header */
    ACCESS_MASK Mask;         /* access rights this ACE applies to */
    USHORT CompoundAceType;   /* kind of compound ACE */
    USHORT Reserved;          /* reserved field between the type and the SID data */
    ULONG SidStart;           /* start of the variable-length SID data */
} KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;
26 
/*
 * Returns the primary group SID of a security descriptor, handling both the
 * absolute (pointer) and self-relative (offset) representations.
 *
 * _Descriptor  Security descriptor in either form; dereferenced without a
 *              NULL check.
 *
 * Returns the group SID pointer, or NULL when a self-relative descriptor has
 * a zero Group offset. For an absolute descriptor the stored pointer is
 * returned as-is (it may itself be NULL).
 *
 * SECURITY: the self-relative offset is added to the descriptor base with no
 * bounds check. The descriptor must already have been captured into trusted
 * memory and length-validated by the caller; this helper must not be used
 * directly on an unvalidated buffer.
 */
FORCEINLINE
PSID
SepGetGroupFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Group;
    }

    /* Self-relative form: the field is a byte offset from the descriptor */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Group == 0)
    {
        return NULL;
    }

    return (PSID)((ULONG_PTR)_Descriptor + RelativeSd->Group);
}
45 
/*
 * Returns the owner SID of a security descriptor, handling both the absolute
 * (pointer) and self-relative (offset) representations.
 *
 * _Descriptor  Security descriptor in either form; dereferenced without a
 *              NULL check.
 *
 * Returns the owner SID pointer, or NULL when a self-relative descriptor has
 * a zero Owner offset. For an absolute descriptor the stored pointer is
 * returned as-is (it may itself be NULL).
 *
 * SECURITY: the self-relative offset is added to the descriptor base with no
 * bounds check, so the result is only meaningful for a descriptor that was
 * captured and length-validated beforehand. Owner checks built on the
 * returned SID inherit that requirement.
 */
FORCEINLINE
PSID
SepGetOwnerFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Owner;
    }

    /* Self-relative form: the field is a byte offset from the descriptor */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Owner == 0)
    {
        return NULL;
    }

    return (PSID)((ULONG_PTR)_Descriptor + RelativeSd->Owner);
}
64 
/*
 * Returns the DACL of a security descriptor, handling both the absolute
 * (pointer) and self-relative (offset) representations.
 *
 * _Descriptor  Security descriptor in either form; dereferenced without a
 *              NULL check.
 *
 * Returns NULL when SE_DACL_PRESENT is clear, and also when the flag is set
 * but the stored pointer/offset is zero. The return value therefore does not
 * distinguish "no DACL" from "DACL present but NULL"; a caller that needs the
 * difference must inspect Control itself.
 *
 * SECURITY: in the NT model a NULL DACL conventionally means "no protection",
 * not "deny", so callers making access decisions must handle a NULL return
 * deliberately. The self-relative offset is not bounds-checked here; pass
 * only descriptors that were captured and length-validated.
 */
FORCEINLINE
PACL
SepGetDaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Without the present bit the Dacl field is not consulted at all */
    if ((AbsoluteSd->Control & SE_DACL_PRESENT) == 0)
    {
        return NULL;
    }

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Dacl;
    }

    /* Self-relative form: zero offset means no ACL, otherwise rebase it */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    return RelativeSd->Dacl
           ? (PACL)((ULONG_PTR)_Descriptor + RelativeSd->Dacl)
           : NULL;
}
85 
/*
 * Returns the SACL of a security descriptor, handling both the absolute
 * (pointer) and self-relative (offset) representations.
 *
 * _Descriptor  Security descriptor in either form; dereferenced without a
 *              NULL check.
 *
 * Returns NULL when SE_SACL_PRESENT is clear, and also when the flag is set
 * but the stored pointer/offset is zero.
 *
 * SECURITY: the self-relative offset is added to the descriptor base with no
 * bounds check. Auditing code that consumes the result relies on the caller
 * having captured and length-validated the descriptor first.
 */
FORCEINLINE
PACL
SepGetSaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Without the present bit the Sacl field is not consulted at all */
    if ((AbsoluteSd->Control & SE_SACL_PRESENT) == 0)
    {
        return NULL;
    }

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Sacl;
    }

    /* Self-relative form: zero offset means no ACL, otherwise rebase it */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    return RelativeSd->Sacl
           ? (PACL)((ULONG_PTR)_Descriptor + RelativeSd->Sacl)
           : NULL;
}
106 
107 #ifndef RTL_H
108 
109 /* SID Authorities */
110 extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
111 extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
112 extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
113 extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
114 extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;
115 
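/*
 * SIDs
 *
 * Well-known SIDs exported by the security subsystem. Each name is declared
 * once; a second, redundant declaration of SeAnonymousLogonSid was dropped.
 *
 * NOTE(review): two pairs of names differ only slightly -
 * SeAuthenticatedUserSid / SeAuthenticatedUsersSid and
 * SeRestrictedCodeSid / SeRestrictedSid. Confirm that each one is defined and
 * that both members of a pair are intended, since picking the wrong one when
 * building an ACL would silently change who it applies to.
 */
extern PSID SeNullSid;
extern PSID SeWorldSid;
extern PSID SeLocalSid;
extern PSID SeCreatorOwnerSid;
extern PSID SeCreatorGroupSid;
extern PSID SeCreatorOwnerServerSid;
extern PSID SeCreatorGroupServerSid;
extern PSID SeNtAuthoritySid;
extern PSID SeDialupSid;
extern PSID SeNetworkSid;
extern PSID SeBatchSid;
extern PSID SeInteractiveSid;
extern PSID SeServiceSid;
extern PSID SeAnonymousLogonSid;
extern PSID SePrincipalSelfSid;
extern PSID SeLocalSystemSid;
extern PSID SeAuthenticatedUserSid;
extern PSID SeRestrictedCodeSid;
extern PSID SeAliasAdminsSid;
extern PSID SeAliasUsersSid;
extern PSID SeAliasGuestsSid;
extern PSID SeAliasPowerUsersSid;
extern PSID SeAliasAccountOpsSid;
extern PSID SeAliasSystemOpsSid;
extern PSID SeAliasPrintOpsSid;
extern PSID SeAliasBackupOpsSid;
extern PSID SeAuthenticatedUsersSid;
extern PSID SeRestrictedSid;
extern PSID SeLocalServiceSid;
extern PSID SeNetworkServiceSid;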
148 
149 /* Privileges */
150 extern const LUID SeCreateTokenPrivilege;
151 extern const LUID SeAssignPrimaryTokenPrivilege;
152 extern const LUID SeLockMemoryPrivilege;
153 extern const LUID SeIncreaseQuotaPrivilege;
154 extern const LUID SeUnsolicitedInputPrivilege;
155 extern const LUID SeTcbPrivilege;
156 extern const LUID SeSecurityPrivilege;
157 extern const LUID SeTakeOwnershipPrivilege;
158 extern const LUID SeLoadDriverPrivilege;
159 extern const LUID SeSystemProfilePrivilege;
160 extern const LUID SeSystemtimePrivilege;
161 extern const LUID SeProfileSingleProcessPrivilege;
162 extern const LUID SeIncreaseBasePriorityPrivilege;
163 extern const LUID SeCreatePagefilePrivilege;
164 extern const LUID SeCreatePermanentPrivilege;
165 extern const LUID SeBackupPrivilege;
166 extern const LUID SeRestorePrivilege;
167 extern const LUID SeShutdownPrivilege;
168 extern const LUID SeDebugPrivilege;
169 extern const LUID SeAuditPrivilege;
170 extern const LUID SeSystemEnvironmentPrivilege;
171 extern const LUID SeChangeNotifyPrivilege;
172 extern const LUID SeRemoteShutdownPrivilege;
173 extern const LUID SeUndockPrivilege;
174 extern const LUID SeSyncAgentPrivilege;
175 extern const LUID SeEnableDelegationPrivilege;
176 extern const LUID SeManageVolumePrivilege;
177 extern const LUID SeImpersonatePrivilege;
178 extern const LUID SeCreateGlobalPrivilege;
179 extern const LUID SeTrustedCredmanPrivilege;
180 extern const LUID SeRelabelPrivilege;
181 extern const LUID SeIncreaseWorkingSetPrivilege;
182 extern const LUID SeTimeZonePrivilege;
183 extern const LUID SeCreateSymbolicLinkPrivilege;
184 
185 /* DACLs */
186 extern PACL SePublicDefaultUnrestrictedDacl;
187 extern PACL SePublicOpenDacl;
188 extern PACL SePublicOpenUnrestrictedDacl;
189 extern PACL SeUnrestrictedDacl;
190 
191 /* SDs */
192 extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
193 extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
194 extern PSECURITY_DESCRIPTOR SePublicOpenSd;
195 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
196 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
197 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
198 
199 
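/*
 * Acquires a token's lock for exclusive (write) access.
 *
 * Enters a critical region first, then waits (Wait == TRUE) on the token's
 * TokenLock resource. Every use must be balanced by SepReleaseTokenLock on
 * all paths, including error paths.
 *
 * The argument is parenthesized before the PTOKEN cast so that an expression
 * argument is cast as a whole rather than only its first operand.
 *
 * NOTE: this expands to a bare { } block, not do { } while (0). Always use it
 * inside a braced body; in an unbraced if/else the trailing ';' would end the
 * if statement and orphan the else.
 */
#define SepAcquireTokenLockExclusive(Token)                                    \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceExclusiveLite(((PTOKEN)(Token))->TokenLock, TRUE);        \
}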
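/*
 * Acquires a token's lock for shared (read) access.
 *
 * Enters a critical region first, then waits (Wait == TRUE) on the token's
 * TokenLock resource. Every use must be balanced by SepReleaseTokenLock on
 * all paths, including error paths.
 *
 * The argument is parenthesized before the PTOKEN cast so that an expression
 * argument is cast as a whole rather than only its first operand.
 *
 * NOTE: this expands to a bare { } block, not do { } while (0). Always use it
 * inside a braced body; in an unbraced if/else the trailing ';' would end the
 * if statement and orphan the else.
 */
#define SepAcquireTokenLockShared(Token)                                       \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceSharedLite(((PTOKEN)(Token))->TokenLock, TRUE);           \
}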
210 
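/*
 * Releases a token lock taken with SepAcquireTokenLockExclusive or
 * SepAcquireTokenLockShared.
 *
 * Releases the TokenLock resource first and only then leaves the critical
 * region, i.e. the reverse of the acquire order.
 *
 * The argument is parenthesized before the PTOKEN cast so that an expression
 * argument is cast as a whole rather than only its first operand.
 *
 * NOTE: this expands to a bare { } block, not do { } while (0). Always use it
 * inside a braced body; in an unbraced if/else the trailing ';' would end the
 * if statement and orphan the else.
 */
#define SepReleaseTokenLock(Token)                                             \
{                                                                              \
    ExReleaseResourceLite(((PTOKEN)(Token))->TokenLock);                       \
    KeLeaveCriticalRegion();                                                   \
}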
216 
217 //
218 // Token Functions
219 //
220 BOOLEAN
221 NTAPI
222 SepTokenIsOwner(
223     IN PACCESS_TOKEN _Token,
224     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
225     IN BOOLEAN TokenLocked
226 );
227 
228 BOOLEAN
229 NTAPI
230 SepSidInToken(
231     IN PACCESS_TOKEN _Token,
232     IN PSID Sid
233 );
234 
235 BOOLEAN
236 NTAPI
237 SepSidInTokenEx(
238     IN PACCESS_TOKEN _Token,
239     IN PSID PrincipalSelfSid,
240     IN PSID _Sid,
241     IN BOOLEAN Deny,
242     IN BOOLEAN Restricted
243 );
244 
245 /* Functions */
246 BOOLEAN
247 NTAPI
248 SeInitSystem(VOID);
249 
250 VOID
251 NTAPI
252 SepInitPrivileges(VOID);
253 
254 BOOLEAN
255 NTAPI
256 SepInitSecurityIDs(VOID);
257 
258 BOOLEAN
259 NTAPI
260 SepInitDACLs(VOID);
261 
262 BOOLEAN
263 NTAPI
264 SepInitSDs(VOID);
265 
266 BOOLEAN
267 NTAPI
268 SeRmInitPhase0(VOID);
269 
270 BOOLEAN
271 NTAPI
272 SeRmInitPhase1(VOID);
273 
274 VOID
275 NTAPI
276 SeDeassignPrimaryToken(struct _EPROCESS *Process);
277 
278 NTSTATUS
279 NTAPI
280 SeSubProcessToken(
281     IN PTOKEN Parent,
282     OUT PTOKEN *Token,
283     IN BOOLEAN InUse,
284     IN ULONG SessionId
285 );
286 
287 NTSTATUS
288 NTAPI
289 SeInitializeProcessAuditName(
290     IN PFILE_OBJECT FileObject,
291     IN BOOLEAN DoAudit,
292     OUT POBJECT_NAME_INFORMATION *AuditInfo
293 );
294 
295 NTSTATUS
296 NTAPI
297 SeCreateAccessStateEx(
298     IN PETHREAD Thread,
299     IN PEPROCESS Process,
300     IN OUT PACCESS_STATE AccessState,
301     IN PAUX_ACCESS_DATA AuxData,
302     IN ACCESS_MASK Access,
303     IN PGENERIC_MAPPING GenericMapping
304 );
305 
306 NTSTATUS
307 NTAPI
308 SeIsTokenChild(
309     IN PTOKEN Token,
310     OUT PBOOLEAN IsChild
311 );
312 
313 NTSTATUS
314 NTAPI
315 SeIsTokenSibling(
316     IN PTOKEN Token,
317     OUT PBOOLEAN IsSibling
318 );
319 
320 NTSTATUS
321 NTAPI
322 SepCreateImpersonationTokenDacl(
323     _In_ PTOKEN Token,
324     _In_ PTOKEN PrimaryToken,
325     _Out_ PACL* Dacl
326 );
327 
328 VOID
329 NTAPI
330 SepInitializeTokenImplementation(VOID);
331 
332 PTOKEN
333 NTAPI
334 SepCreateSystemProcessToken(VOID);
335 
336 BOOLEAN
337 NTAPI
338 SeDetailedAuditingWithToken(IN PTOKEN Token);
339 
340 VOID
341 NTAPI
342 SeAuditProcessExit(IN PEPROCESS Process);
343 
344 VOID
345 NTAPI
346 SeAuditProcessCreate(IN PEPROCESS Process);
347 
348 NTSTATUS
349 NTAPI
350 SeExchangePrimaryToken(
351     _In_ PEPROCESS Process,
352     _In_ PACCESS_TOKEN NewAccessToken,
353     _Out_ PACCESS_TOKEN* OldAccessToken
354 );
355 
356 VOID
357 NTAPI
358 SeCaptureSubjectContextEx(
359     IN PETHREAD Thread,
360     IN PEPROCESS Process,
361     OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
362 );
363 
364 NTSTATUS
365 NTAPI
366 SeCaptureLuidAndAttributesArray(
367     PLUID_AND_ATTRIBUTES Src,
368     ULONG PrivilegeCount,
369     KPROCESSOR_MODE PreviousMode,
370     PLUID_AND_ATTRIBUTES AllocatedMem,
371     ULONG AllocatedLength,
372     POOL_TYPE PoolType,
373     BOOLEAN CaptureIfKernel,
374     PLUID_AND_ATTRIBUTES* Dest,
375     PULONG Length
376 );
377 
378 VOID
379 NTAPI
380 SeReleaseLuidAndAttributesArray(
381     PLUID_AND_ATTRIBUTES Privilege,
382     KPROCESSOR_MODE PreviousMode,
383     BOOLEAN CaptureIfKernel
384 );
385 
386 BOOLEAN
387 NTAPI
388 SepPrivilegeCheck(
389     PTOKEN Token,
390     PLUID_AND_ATTRIBUTES Privileges,
391     ULONG PrivilegeCount,
392     ULONG PrivilegeControl,
393     KPROCESSOR_MODE PreviousMode
394 );
395 
396 NTSTATUS
397 NTAPI
398 SePrivilegePolicyCheck(
399     _Inout_ PACCESS_MASK DesiredAccess,
400     _Inout_ PACCESS_MASK GrantedAccess,
401     _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
402     _In_ PTOKEN Token,
403     _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
404     _In_ KPROCESSOR_MODE PreviousMode);
405 
406 BOOLEAN
407 NTAPI
408 SeCheckPrivilegedObject(
409     IN LUID PrivilegeValue,
410     IN HANDLE ObjectHandle,
411     IN ACCESS_MASK DesiredAccess,
412     IN KPROCESSOR_MODE PreviousMode
413 );
414 
415 NTSTATUS
416 NTAPI
417 SepDuplicateToken(
418     _In_ PTOKEN Token,
419     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
420     _In_ BOOLEAN EffectiveOnly,
421     _In_ TOKEN_TYPE TokenType,
422     _In_ SECURITY_IMPERSONATION_LEVEL Level,
423     _In_ KPROCESSOR_MODE PreviousMode,
424     _Out_ PTOKEN* NewAccessToken
425 );
426 
427 NTSTATUS
428 NTAPI
429 SepCaptureSecurityQualityOfService(
430     IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
431     IN KPROCESSOR_MODE AccessMode,
432     IN POOL_TYPE PoolType,
433     IN BOOLEAN CaptureIfKernel,
434     OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
435     OUT PBOOLEAN Present
436 );
437 
438 VOID
439 NTAPI
440 SepReleaseSecurityQualityOfService(
441     IN PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService OPTIONAL,
442     IN KPROCESSOR_MODE AccessMode,
443     IN BOOLEAN CaptureIfKernel
444 );
445 
446 NTSTATUS
447 NTAPI
448 SepCaptureSid(
449     IN PSID InputSid,
450     IN KPROCESSOR_MODE AccessMode,
451     IN POOL_TYPE PoolType,
452     IN BOOLEAN CaptureIfKernel,
453     OUT PSID *CapturedSid
454 );
455 
456 VOID
457 NTAPI
458 SepReleaseSid(
459     IN PSID CapturedSid,
460     IN KPROCESSOR_MODE AccessMode,
461     IN BOOLEAN CaptureIfKernel
462 );
463 
464 NTSTATUS
465 NTAPI
466 SeCaptureSidAndAttributesArray(
467     _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
468     _In_ ULONG AttributeCount,
469     _In_ KPROCESSOR_MODE PreviousMode,
470     _In_opt_ PVOID AllocatedMem,
471     _In_ ULONG AllocatedLength,
472     _In_ POOL_TYPE PoolType,
473     _In_ BOOLEAN CaptureIfKernel,
474     _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
475     _Out_ PULONG ResultLength);
476 
477 VOID
478 NTAPI
479 SeReleaseSidAndAttributesArray(
480     _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
481     _In_ KPROCESSOR_MODE AccessMode,
482     _In_ BOOLEAN CaptureIfKernel);
483 
484 NTSTATUS
485 NTAPI
486 SeComputeQuotaInformationSize(
487     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
488     _Out_ PULONG QuotaInfoSize);
489 
490 NTSTATUS
491 NTAPI
492 SepCaptureAcl(
493     IN PACL InputAcl,
494     IN KPROCESSOR_MODE AccessMode,
495     IN POOL_TYPE PoolType,
496     IN BOOLEAN CaptureIfKernel,
497     OUT PACL *CapturedAcl
498 );
499 
500 VOID
501 NTAPI
502 SepReleaseAcl(
503     IN PACL CapturedAcl,
504     IN KPROCESSOR_MODE AccessMode,
505     IN BOOLEAN CaptureIfKernel
506 );
507 
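/*
 * Declaration of the ACL propagation routine (defined elsewhere).
 *
 * The size annotation on AclDest previously named DaclLength, which is not a
 * parameter of this function, so static analysis had no real bound for the
 * output buffer. It now refers to the only length argument, AclLength.
 *
 * NOTE(review): this assumes *AclLength holds the capacity of AclDest in
 * bytes on entry - confirm against the implementation.
 */
NTSTATUS
SepPropagateAcl(
    _Out_writes_bytes_opt_(*AclLength) PACL AclDest,
    _Inout_ PULONG AclLength,
    _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
    _In_ PSID Owner,
    _In_ PSID Group,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);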
518 
519 PACL
520 SepSelectAcl(
521     _In_opt_ PACL ExplicitAcl,
522     _In_ BOOLEAN ExplicitPresent,
523     _In_ BOOLEAN ExplicitDefaulted,
524     _In_opt_ PACL ParentAcl,
525     _In_opt_ PACL DefaultAcl,
526     _Out_ PULONG AclLength,
527     _In_ PSID Owner,
528     _In_ PSID Group,
529     _Out_ PBOOLEAN AclPresent,
530     _Out_ PBOOLEAN IsInherited,
531     _In_ BOOLEAN IsDirectoryObject,
532     _In_ PGENERIC_MAPPING GenericMapping);
533 
534 NTSTATUS
535 NTAPI
536 SeDefaultObjectMethod(
537     PVOID Object,
538     SECURITY_OPERATION_CODE OperationType,
539     PSECURITY_INFORMATION SecurityInformation,
540     PSECURITY_DESCRIPTOR NewSecurityDescriptor,
541     PULONG ReturnLength,
542     PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
543     POOL_TYPE PoolType,
544     PGENERIC_MAPPING GenericMapping
545 );
546 
547 NTSTATUS
548 NTAPI
549 SeSetWorldSecurityDescriptor(
550     SECURITY_INFORMATION SecurityInformation,
551     PISECURITY_DESCRIPTOR SecurityDescriptor,
552     PULONG BufferLength
553 );
554 
555 NTSTATUS
556 NTAPI
557 SeCopyClientToken(
558     IN PACCESS_TOKEN Token,
559     IN SECURITY_IMPERSONATION_LEVEL Level,
560     IN KPROCESSOR_MODE PreviousMode,
561     OUT PACCESS_TOKEN* NewToken
562 );
563 
564 VOID NTAPI
565 SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
566                           OUT PACCESS_MASK DesiredAccess);
567 
568 VOID NTAPI
569 SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
570                         OUT PACCESS_MASK DesiredAccess);
571 
572 BOOLEAN
573 NTAPI
574 SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
575                     IN PACCESS_STATE AccessState,
576                     IN ACCESS_MASK DesiredAccess,
577                     IN KPROCESSOR_MODE AccessMode);
578 
579 BOOLEAN
580 NTAPI
581 SeCheckAuditPrivilege(
582     _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
583     _In_ KPROCESSOR_MODE PreviousMode);
584 
585 VOID
586 NTAPI
587 SePrivilegedServiceAuditAlarm(
588     _In_opt_ PUNICODE_STRING ServiceName,
589     _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
590     _In_ PPRIVILEGE_SET PrivilegeSet,
591     _In_ BOOLEAN AccessGranted);
592 
593 NTSTATUS
594 SepRmReferenceLogonSession(
595     PLUID LogonLuid);
596 
597 NTSTATUS
598 SepRmDereferenceLogonSession(
599     PLUID LogonLuid);
600 
601 NTSTATUS
602 NTAPI
603 SeGetLogonIdDeviceMap(
604     IN PLUID LogonId,
605     OUT PDEVICE_MAP * DeviceMap);
606 
607 #endif
608 
609 /* EOF */
610