xref: /reactos/ntoskrnl/include/internal/se.h (revision a6726659)
1 #pragma once
2 
/*
 * Generic view of an ACE whose fixed part is a header followed by an
 * access mask and then the start of a SID.
 *
 * NOTE(review): SidStart is a single ULONG, so sizeof(KNOWN_ACE) does not
 * describe the full ACE. Presumably the SID continues past this field and
 * the real length comes from the ACE header - confirm before using sizeof
 * for any bounds decision.
 */
typedef struct _KNOWN_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG SidStart;
} KNOWN_ACE, *PKNOWN_ACE;
9 
/*
 * Generic view of an object-type ACE: header, access mask, a Flags word and
 * then the start of the trailing data.
 *
 * NOTE(review): presumably Flags says which optional fields precede the SID,
 * in which case SidStart marks the start of the variable part rather than
 * always the SID itself - confirm against the code that parses these ACEs.
 */
typedef struct _KNOWN_OBJECT_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG Flags;
    ULONG SidStart;
} KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;
17 
/*
 * Generic view of a compound ACE: header, access mask, a 16-bit compound
 * type, a 16-bit reserved field and then the start of the trailing SID data.
 *
 * NOTE(review): as with KNOWN_ACE, SidStart is only one ULONG; the amount of
 * data that follows is not described by this structure.
 */
typedef struct _KNOWN_COMPOUND_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    USHORT CompoundAceType;
    USHORT Reserved;
    ULONG SidStart;
} KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;
26 
/*
 * Returns the primary group SID of a security descriptor, or NULL when a
 * self-relative descriptor stores a zero group offset.
 *
 * Both descriptor forms are handled: when SE_SELF_RELATIVE is set the Group
 * field is treated as a byte offset from the start of the descriptor,
 * otherwise it is returned as a pointer.
 *
 * The descriptor pointer is dereferenced without a NULL check and the offset
 * is not range-checked (no buffer length is available here), so the result
 * is only as trustworthy as the descriptor passed in.
 */
FORCEINLINE
PSID
SepGetGroupFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Group;
    }

    /* Self-relative form: a zero offset means "no group" */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)AbsoluteSd;
    if (RelativeSd->Group == 0)
    {
        return NULL;
    }

    return (PSID)((ULONG_PTR)AbsoluteSd + RelativeSd->Group);
}
45 
/*
 * Returns the owner SID of a security descriptor, or NULL when a
 * self-relative descriptor stores a zero owner offset.
 *
 * When SE_SELF_RELATIVE is set the Owner field is treated as a byte offset
 * from the start of the descriptor; otherwise it is returned as a pointer.
 *
 * No NULL check is made on the descriptor and the offset is not validated
 * against any buffer size, so this must only be used on a descriptor whose
 * layout has already been checked.
 */
FORCEINLINE
PSID
SepGetOwnerFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Owner;
    }

    /* Self-relative form: a zero offset means "no owner" */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)AbsoluteSd;
    if (RelativeSd->Owner == 0)
    {
        return NULL;
    }

    return (PSID)((ULONG_PTR)AbsoluteSd + RelativeSd->Owner);
}
64 
/*
 * Returns the DACL of a security descriptor.
 *
 * NULL is returned both when SE_DACL_PRESENT is clear and when a
 * self-relative descriptor stores a zero DACL offset; an absolute descriptor
 * returns whatever pointer it holds. A caller therefore cannot tell
 * "no DACL" from "present but NULL DACL" from the return value alone and has
 * to look at the control flags if the distinction matters to its access
 * decision.
 *
 * The self-relative offset is not range-checked here.
 */
FORCEINLINE
PACL
SepGetDaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* The DACL field is only meaningful when the present bit is set */
    if ((AbsoluteSd->Control & SE_DACL_PRESENT) == 0)
    {
        return NULL;
    }

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Dacl;
    }

    /* Self-relative form: translate a non-zero offset into a pointer */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)AbsoluteSd;
    if (RelativeSd->Dacl == 0)
    {
        return NULL;
    }

    return (PACL)((ULONG_PTR)AbsoluteSd + RelativeSd->Dacl);
}
85 
/*
 * Returns the SACL of a security descriptor.
 *
 * NULL is returned when SE_SACL_PRESENT is clear or when a self-relative
 * descriptor stores a zero SACL offset; an absolute descriptor returns
 * whatever pointer it holds.
 *
 * The self-relative offset is not range-checked here, and the descriptor
 * pointer itself is dereferenced without a NULL check.
 */
FORCEINLINE
PACL
SepGetSaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* The SACL field is only meaningful when the present bit is set */
    if ((AbsoluteSd->Control & SE_SACL_PRESENT) == 0)
    {
        return NULL;
    }

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Sacl;
    }

    /* Self-relative form: translate a non-zero offset into a pointer */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)AbsoluteSd;
    if (RelativeSd->Sacl == 0)
    {
        return NULL;
    }

    return (PACL)((ULONG_PTR)AbsoluteSd + RelativeSd->Sacl);
}
106 
107 #ifndef RTL_H
108 
/* SID Authorities */
/*
 * Identifier-authority values, defined in another translation unit.
 * NOTE(review): these are declared without const, so any kernel code that
 * includes this header can modify them - confirm that is intended.
 */
extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;
115 
/* SIDs */
/*
 * Pointers to SIDs defined elsewhere; presumably set up once by
 * SepInitSecurityIDs (declared below) - confirm. The pointers themselves are
 * writable globals.
 *
 * NOTE(review): this list contains one exact duplicate (SeAnonymousLogonSid)
 * and two pairs of near-identical names (SeAuthenticatedUserSid /
 * SeAuthenticatedUsersSid, SeRestrictedCodeSid / SeRestrictedSid). A caller
 * comparing against the wrong variable of a pair would silently test a
 * different (or never-initialized) SID, so confirm which of each pair is
 * actually defined and used.
 */
extern PSID SeNullSid;
extern PSID SeWorldSid;
extern PSID SeLocalSid;
extern PSID SeCreatorOwnerSid;
extern PSID SeCreatorGroupSid;
extern PSID SeCreatorOwnerServerSid;
extern PSID SeCreatorGroupServerSid;
extern PSID SeNtAuthoritySid;
extern PSID SeDialupSid;
extern PSID SeNetworkSid;
extern PSID SeBatchSid;
extern PSID SeInteractiveSid;
extern PSID SeServiceSid;
extern PSID SeAnonymousLogonSid;
extern PSID SePrincipalSelfSid;
extern PSID SeLocalSystemSid;
extern PSID SeAuthenticatedUserSid;   /* near-duplicate of SeAuthenticatedUsersSid below */
extern PSID SeRestrictedCodeSid;      /* near-duplicate of SeRestrictedSid below */
extern PSID SeAliasAdminsSid;
extern PSID SeAliasUsersSid;
extern PSID SeAliasGuestsSid;
extern PSID SeAliasPowerUsersSid;
extern PSID SeAliasAccountOpsSid;
extern PSID SeAliasSystemOpsSid;
extern PSID SeAliasPrintOpsSid;
extern PSID SeAliasBackupOpsSid;
extern PSID SeAuthenticatedUsersSid;
extern PSID SeRestrictedSid;
extern PSID SeAnonymousLogonSid;      /* redundant: already declared earlier in this list */
extern PSID SeLocalServiceSid;
extern PSID SeNetworkServiceSid;
148 
/* Privileges */
/*
 * LUID values identifying each privilege, defined in another translation
 * unit. They are declared const, so code including this header cannot assign
 * to them.
 */
extern const LUID SeCreateTokenPrivilege;
extern const LUID SeAssignPrimaryTokenPrivilege;
extern const LUID SeLockMemoryPrivilege;
extern const LUID SeIncreaseQuotaPrivilege;
extern const LUID SeUnsolicitedInputPrivilege;
extern const LUID SeTcbPrivilege;
extern const LUID SeSecurityPrivilege;
extern const LUID SeTakeOwnershipPrivilege;
extern const LUID SeLoadDriverPrivilege;
extern const LUID SeSystemProfilePrivilege;
extern const LUID SeSystemtimePrivilege;
extern const LUID SeProfileSingleProcessPrivilege;
extern const LUID SeIncreaseBasePriorityPrivilege;
extern const LUID SeCreatePagefilePrivilege;
extern const LUID SeCreatePermanentPrivilege;
extern const LUID SeBackupPrivilege;
extern const LUID SeRestorePrivilege;
extern const LUID SeShutdownPrivilege;
extern const LUID SeDebugPrivilege;
extern const LUID SeAuditPrivilege;
extern const LUID SeSystemEnvironmentPrivilege;
extern const LUID SeChangeNotifyPrivilege;
extern const LUID SeRemoteShutdownPrivilege;
extern const LUID SeUndockPrivilege;
extern const LUID SeSyncAgentPrivilege;
extern const LUID SeEnableDelegationPrivilege;
extern const LUID SeManageVolumePrivilege;
extern const LUID SeImpersonatePrivilege;
extern const LUID SeCreateGlobalPrivilege;
extern const LUID SeTrustedCredmanPrivilege;
extern const LUID SeRelabelPrivilege;
extern const LUID SeIncreaseWorkingSetPrivilege;
extern const LUID SeTimeZonePrivilege;
extern const LUID SeCreateSymbolicLinkPrivilege;
184 
/* DACLs */
/*
 * Pointers to system-wide default DACLs, defined elsewhere; presumably built
 * by SepInitDACLs (declared below) - confirm.
 * NOTE(review): the ACE contents are not visible from this header. The names
 * suggest permissive defaults ("Open", "Unrestricted"), so check what each
 * one grants before applying it to a new object type.
 */
extern PACL SePublicDefaultUnrestrictedDacl;
extern PACL SePublicOpenDacl;
extern PACL SePublicOpenUnrestrictedDacl;
extern PACL SeUnrestrictedDacl;
190 
/* SDs */
/*
 * Pointers to system-wide default security descriptors, defined elsewhere;
 * presumably built by SepInitSDs (declared below) - confirm.
 * NOTE(review): these are writable global pointers shared by every user of
 * the header; which DACL each descriptor carries is not visible here.
 */
extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SePublicOpenSd;
extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
198 
199 
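/*
 * Token lock helpers.
 *
 * The acquire macros enter a critical region and then take the token's
 * TokenLock resource (exclusive or shared) with Wait == TRUE. The release
 * macro undoes both steps in the reverse order, so every acquire must be
 * paired with exactly one SepReleaseTokenLock on every exit path.
 *
 * The macro argument is parenthesized before the cast so that an expression
 * argument is cast as a whole; without the parentheses the cast would bind
 * only to the first operand and the lock could be taken on the wrong object.
 *
 * Each macro expands to a brace block, not to a single statement. Do not use
 * one as the unbraced body of an `if` that has an `else`: the caller's
 * trailing `;` would end the `if` early.
 */
#define SepAcquireTokenLockExclusive(Token)                                    \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceExclusiveLite(((PTOKEN)(Token))->TokenLock, TRUE);        \
}
#define SepAcquireTokenLockShared(Token)                                       \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceSharedLite(((PTOKEN)(Token))->TokenLock, TRUE);           \
}

#define SepReleaseTokenLock(Token)                                             \
{                                                                              \
    ExReleaseResourceLite(((PTOKEN)(Token))->TokenLock);                       \
    KeLeaveCriticalRegion();                                                   \
}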
216 
//
// Token Functions
//
// Membership and ownership tests used by access checks. Only the signatures
// are visible here; the notes below are to be confirmed against the
// implementations.
//

// Reports whether the token is the owner named in SecurityDescriptor.
// NOTE(review): TokenLocked presumably tells the callee that the caller
// already holds the token lock - passing the wrong value would risk either
// a recursive acquire or an unlocked read.
BOOLEAN
NTAPI
SepTokenIsOwner(
    IN PACCESS_TOKEN _Token,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN BOOLEAN TokenLocked
);

// Reports whether Sid is present in the token.
BOOLEAN
NTAPI
SepSidInToken(
    IN PACCESS_TOKEN _Token,
    IN PSID Sid
);

// Extended form of SepSidInToken.
// NOTE(review): Deny and Restricted presumably select deny-ACE matching and
// the restricted-SID list respectively; PrincipalSelfSid presumably
// substitutes for the principal-self SID - confirm.
BOOLEAN
NTAPI
SepSidInTokenEx(
    IN PACCESS_TOKEN _Token,
    IN PSID PrincipalSelfSid,
    IN PSID _Sid,
    IN BOOLEAN Deny,
    IN BOOLEAN Restricted
);
244 
/* Functions */

/*
 * Initialization entry points of the security subsystem.
 * NOTE(review): routines marked INIT_FUNCTION are presumably placed in a
 * section discarded after boot and must not be called later - confirm
 * against the macro's definition. The BOOLEAN returns presumably signal
 * success; the globals declared above should not be relied on before the
 * matching routine has succeeded.
 */
INIT_FUNCTION
BOOLEAN
NTAPI
SeInitSystem(VOID);

INIT_FUNCTION
VOID
NTAPI
SepInitPrivileges(VOID);

INIT_FUNCTION
BOOLEAN
NTAPI
SepInitSecurityIDs(VOID);

INIT_FUNCTION
BOOLEAN
NTAPI
SepInitDACLs(VOID);

INIT_FUNCTION
BOOLEAN
NTAPI
SepInitSDs(VOID);

/* Reference-monitor initialization phases; not marked INIT_FUNCTION */
BOOLEAN
NTAPI
SeRmInitPhase0(VOID);

BOOLEAN
NTAPI
SeRmInitPhase1(VOID);
278 
/*
 * Process/token lifecycle, auditing and subject-context routines.
 * Only the signatures are visible in this header; behavioral notes below
 * are assumptions to be confirmed against the implementations.
 */

/* Detaches the primary token from Process (ownership of the token after the
 * call is not visible here) */
VOID
NTAPI
SeDeassignPrimaryToken(struct _EPROCESS *Process);

/* Produces a token for a new process from Parent; the result is returned
 * through Token */
NTSTATUS
NTAPI
SeSubProcessToken(
    IN PTOKEN Parent,
    OUT PTOKEN *Token,
    IN BOOLEAN InUse,
    IN ULONG SessionId
);

/* Returns audit name information for FileObject through AuditInfo.
 * NOTE(review): the caller presumably owns and must free *AuditInfo. */
NTSTATUS
NTAPI
SeInitializeProcessAuditName(
    IN PFILE_OBJECT FileObject,
    IN BOOLEAN DoAudit,
    OUT POBJECT_NAME_INFORMATION *AuditInfo
);

/* Initializes a caller-provided AccessState/AuxData pair for the given
 * thread and process */
NTSTATUS
NTAPI
SeCreateAccessStateEx(
    IN PETHREAD Thread,
    IN PEPROCESS Process,
    IN OUT PACCESS_STATE AccessState,
    IN PAUX_ACCESS_DATA AuxData,
    IN ACCESS_MASK Access,
    IN PGENERIC_MAPPING GenericMapping
);

/* Token relationship tests; the answer is written to the OUT parameter and
 * is only meaningful when the returned status indicates success.
 * NOTE(review): which token Token is compared against is not visible in
 * the signature. */
NTSTATUS
NTAPI
SeIsTokenChild(
    IN PTOKEN Token,
    OUT PBOOLEAN IsChild
);

NTSTATUS
NTAPI
SeIsTokenSibling(
    IN PTOKEN Token,
    OUT PBOOLEAN IsSibling
);

/* Builds a DACL for an impersonation token and returns it through Dacl.
 * NOTE(review): allocation and ownership of *Dacl are not visible here. */
NTSTATUS
NTAPI
SepCreateImpersonationTokenDacl(
    _In_ PTOKEN Token,
    _In_ PTOKEN PrimaryToken,
    _Out_ PACL* Dacl
);

INIT_FUNCTION
VOID
NTAPI
SepInitializeTokenImplementation(VOID);

/* Creates the token used by the system process */
PTOKEN
NTAPI
SepCreateSystemProcessToken(VOID);

BOOLEAN
NTAPI
SeDetailedAuditingWithToken(IN PTOKEN Token);

VOID
NTAPI
SeAuditProcessExit(IN PEPROCESS Process);

VOID
NTAPI
SeAuditProcessCreate(IN PEPROCESS Process);

/* Replaces the primary token of Process with NewAccessToken and returns the
 * previous one through OldAccessToken.
 * NOTE(review): the caller presumably becomes responsible for the reference
 * on *OldAccessToken - confirm. */
NTSTATUS
NTAPI
SeExchangePrimaryToken(
    _In_ PEPROCESS Process,
    _In_ PACCESS_TOKEN NewAccessToken,
    _Out_ PACCESS_TOKEN* OldAccessToken
);

/* Fills SubjectContext for the given thread/process pair */
VOID
NTAPI
SeCaptureSubjectContextEx(
    IN PETHREAD Thread,
    IN PEPROCESS Process,
    OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
);
369 
/*
 * Capture/release helpers and privilege checks.
 *
 * The Capture routines take the caller's processor mode plus a
 * CaptureIfKernel flag and return a captured copy through an OUT pointer;
 * each has a Release counterpart taking the same mode and flag.
 * NOTE(review): presumably the copy exists so later checks operate on data
 * the requester can no longer change, and Release must be called with the
 * same mode/flag values that were used for the capture - confirm against
 * the implementations. Counts and lengths are caller-supplied ULONGs, so the
 * implementations (not visible here) are where count * element-size overflow
 * and buffer probing have to be handled.
 */
NTSTATUS
NTAPI
SeCaptureLuidAndAttributesArray(
    PLUID_AND_ATTRIBUTES Src,
    ULONG PrivilegeCount,
    KPROCESSOR_MODE PreviousMode,
    PLUID_AND_ATTRIBUTES AllocatedMem,
    ULONG AllocatedLength,
    POOL_TYPE PoolType,
    BOOLEAN CaptureIfKernel,
    PLUID_AND_ATTRIBUTES* Dest,
    PULONG Length
);

VOID
NTAPI
SeReleaseLuidAndAttributesArray(
    PLUID_AND_ATTRIBUTES Privilege,
    KPROCESSOR_MODE PreviousMode,
    BOOLEAN CaptureIfKernel
);

/* Tests the given privilege array against Token */
BOOLEAN
NTAPI
SepPrivilegeCheck(
    PTOKEN Token,
    PLUID_AND_ATTRIBUTES Privileges,
    ULONG PrivilegeCount,
    ULONG PrivilegeControl,
    KPROCESSOR_MODE PreviousMode
);

/* DesiredAccess and GrantedAccess are both in/out: the routine may rewrite
 * the masks. OutPrivilegeSet is optional. */
NTSTATUS
NTAPI
SePrivilegePolicyCheck(
    _Inout_ PACCESS_MASK DesiredAccess,
    _Inout_ PACCESS_MASK GrantedAccess,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PTOKEN Token,
    _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
    _In_ KPROCESSOR_MODE PreviousMode);

BOOLEAN
NTAPI
SeCheckPrivilegedObject(
    IN LUID PrivilegeValue,
    IN HANDLE ObjectHandle,
    IN ACCESS_MASK DesiredAccess,
    IN KPROCESSOR_MODE PreviousMode
);

/* Duplicates Token into *NewAccessToken with the requested type and
 * impersonation level */
NTSTATUS
NTAPI
SepDuplicateToken(
    _In_ PTOKEN Token,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE TokenType,
    _In_ SECURITY_IMPERSONATION_LEVEL Level,
    _In_ KPROCESSOR_MODE PreviousMode,
    _Out_ PTOKEN* NewAccessToken
);

/* ObjectAttributes is optional; Present reports whether a QoS structure was
 * found */
NTSTATUS
NTAPI
SepCaptureSecurityQualityOfService(
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
    OUT PBOOLEAN Present
);

VOID
NTAPI
SepReleaseSecurityQualityOfService(
    IN PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);

NTSTATUS
NTAPI
SepCaptureSid(
    IN PSID InputSid,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PSID *CapturedSid
);

VOID
NTAPI
SepReleaseSid(
    IN PSID CapturedSid,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);

/* AllocatedMem is optional; the number of bytes used is reported through
 * ResultLength */
NTSTATUS
NTAPI
SeCaptureSidAndAttributesArray(
    _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
    _In_ ULONG AttributeCount,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_opt_ PVOID AllocatedMem,
    _In_ ULONG AllocatedLength,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
    _Out_ PULONG ResultLength);

/* _Post_invalid_: the captured pointer must not be used after this call */
VOID
NTAPI
SeReleaseSidAndAttributesArray(
    _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel);

NTSTATUS
NTAPI
SeComputeQuotaInformationSize(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _Out_ PULONG QuotaInfoSize);

NTSTATUS
NTAPI
SepCaptureAcl(
    IN PACL InputAcl,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PACL *CapturedAcl
);

VOID
NTAPI
SepReleaseAcl(
    IN PACL CapturedAcl,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);
513 
/*
 * ACL inheritance helpers. Unlike most prototypes in this header, these two
 * are declared without NTAPI; the definitions must match.
 */

/*
 * Writes an ACL derived from AclSource into AclDest (optional) and reports
 * its size through AclLength (in/out).
 *
 * NOTE(review): the AclDest annotation names a size parameter "DaclLength",
 * but no parameter of that name exists (the length parameter is AclLength,
 * a pointer). As written, static analysis cannot tie the output buffer to
 * its size, which weakens overflow checking on AclDest - confirm and correct
 * the annotation.
 */
NTSTATUS
SepPropagateAcl(
    _Out_writes_bytes_opt_(DaclLength) PACL AclDest,
    _Inout_ PULONG AclLength,
    _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
    _In_ PSID Owner,
    _In_ PSID Group,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);

/*
 * Chooses among the explicit, parent and default ACLs (all optional) and
 * returns the selected one. AclLength, AclPresent and IsInherited are
 * outputs.
 * NOTE(review): what a NULL return means (no ACL versus failure) is not
 * visible from the signature; callers presumably have to consult AclPresent.
 */
PACL
SepSelectAcl(
    _In_opt_ PACL ExplicitAcl,
    _In_ BOOLEAN ExplicitPresent,
    _In_ BOOLEAN ExplicitDefaulted,
    _In_opt_ PACL ParentAcl,
    _In_opt_ PACL DefaultAcl,
    _Out_ PULONG AclLength,
    _In_ PSID Owner,
    _In_ PSID Group,
    _Out_ PBOOLEAN AclPresent,
    _Out_ PBOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);
539 
/*
 * Object security method, descriptor helpers, access-mask helpers, audit
 * and logon-session routines. Only the signatures are visible here; the
 * notes below are assumptions to be confirmed against the implementations.
 */

/* Security procedure dispatched on OperationType for an object's security
 * descriptor */
NTSTATUS
NTAPI
SeDefaultObjectMethod(
    PVOID Object,
    SECURITY_OPERATION_CODE OperationType,
    PSECURITY_INFORMATION SecurityInformation,
    PSECURITY_DESCRIPTOR NewSecurityDescriptor,
    PULONG ReturnLength,
    PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
    POOL_TYPE PoolType,
    PGENERIC_MAPPING GenericMapping
);

/* NOTE(review): BufferLength is a pointer, presumably in/out (buffer size
 * in, required size out); the name suggests a descriptor granting access
 * to the World SID, so check where it is applied. */
NTSTATUS
NTAPI
SeSetWorldSecurityDescriptor(
    SECURITY_INFORMATION SecurityInformation,
    PISECURITY_DESCRIPTOR SecurityDescriptor,
    PULONG BufferLength
);

/* Produces a copy of a client token at the given impersonation level */
NTSTATUS
NTAPI
SeCopyClientToken(
    IN PACCESS_TOKEN Token,
    IN SECURITY_IMPERSONATION_LEVEL Level,
    IN KPROCESSOR_MODE PreviousMode,
    OUT PACCESS_TOKEN* NewToken
);

/* Map a SECURITY_INFORMATION selection to the access mask needed to query
 * or set those parts of a descriptor; the result is written to
 * DesiredAccess */
VOID NTAPI
SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                          OUT PACCESS_MASK DesiredAccess);

VOID NTAPI
SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                        OUT PACCESS_MASK DesiredAccess);

/* NOTE(review): presumably a shortcut traverse check; what a FALSE return
 * means (denied versus "run the full access check") is not visible here. */
BOOLEAN
NTAPI
SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                    IN PACCESS_STATE AccessState,
                    IN ACCESS_MASK DesiredAccess,
                    IN KPROCESSOR_MODE AccessMode);

BOOLEAN
NTAPI
SeCheckAuditPrivilege(
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ KPROCESSOR_MODE PreviousMode);

/* ServiceName is optional; AccessGranted records the outcome being audited */
VOID
NTAPI
SePrivilegedServiceAuditAlarm(
    _In_opt_ PUNICODE_STRING ServiceName,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PPRIVILEGE_SET PrivilegeSet,
    _In_ BOOLEAN AccessGranted);

/* Logon-session reference counting, keyed by LUID. Declared without NTAPI.
 * NOTE(review): every successful reference presumably needs exactly one
 * matching dereference. */
NTSTATUS
SepRmReferenceLogonSession(
    PLUID LogonLuid);

NTSTATUS
SepRmDereferenceLogonSession(
    PLUID LogonLuid);
606 
607 #endif
608 
609 /* EOF */
610