xref: /reactos/sdk/include/ndk/sefuncs.h (revision 4514e91d)
1 /*++ NDK Version: 0098
2 
3 Copyright (c) Alex Ionescu.  All rights reserved.
4 
5 Header Name:
6 
7     sefuncs.h
8 
9 Abstract:
10 
11     Function definitions for the security manager.
12 
13 Author:
14 
15     Alex Ionescu (alexi@tinykrnl.org) - Updated - 27-Feb-2006
16     George Bișoc (george.bisoc@reactos.org) - Updated - 23-Apr-2023
17 
18 --*/
19 
20 #ifndef _SEFUNCS_H
21 #define _SEFUNCS_H
22 
23 //
24 // Dependencies
25 //
26 #include <umtypes.h>
27 
28 #ifndef NTOS_MODE_USER
29 
30 //
31 // Security Descriptors
32 //
33 NTKERNELAPI
34 NTSTATUS
35 NTAPI
36 SeCaptureSecurityDescriptor(
37     _In_ PSECURITY_DESCRIPTOR OriginalSecurityDescriptor,
38     _In_ KPROCESSOR_MODE CurrentMode,
39     _In_ POOL_TYPE PoolType,
40     _In_ BOOLEAN CaptureIfKernel,
41     _Out_ PSECURITY_DESCRIPTOR *CapturedSecurityDescriptor);
42 
43 NTKERNELAPI
44 NTSTATUS
45 NTAPI
46 SeReleaseSecurityDescriptor(
47     _In_ PSECURITY_DESCRIPTOR CapturedSecurityDescriptor,
48     _In_ KPROCESSOR_MODE CurrentMode,
49     _In_ BOOLEAN CaptureIfKernelMode);
50 
51 //
52 // Access States
53 //
54 NTKERNELAPI
55 NTSTATUS
56 NTAPI
57 SeCreateAccessState(
58     _In_ PACCESS_STATE AccessState,
59     _In_ PAUX_ACCESS_DATA AuxData,
60     _In_ ACCESS_MASK Access,
61     _In_ PGENERIC_MAPPING GenericMapping);
62 
63 NTKERNELAPI
64 VOID
65 NTAPI
66 SeDeleteAccessState(
67     _In_ PACCESS_STATE AccessState);
68 
69 //
70 // Impersonation
71 //
72 NTKERNELAPI
73 SECURITY_IMPERSONATION_LEVEL
74 NTAPI
75 SeTokenImpersonationLevel(
76     _In_ PACCESS_TOKEN Token);
77 
78 #endif
79 
80 //
81 // Native Calls
82 //
83 _Must_inspect_result_
84 __kernel_entry
85 NTSYSCALLAPI
86 NTSTATUS
87 NTAPI
88 NtAccessCheck(
89     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
90     _In_ HANDLE ClientToken,
91     _In_ ACCESS_MASK DesiredAccess,
92     _In_ PGENERIC_MAPPING GenericMapping,
93     _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
94     _Inout_ PULONG PrivilegeSetLength,
95     _Out_ PACCESS_MASK GrantedAccess,
96     _Out_ PNTSTATUS AccessStatus);
97 
98 _Must_inspect_result_
99 NTSYSCALLAPI
100 NTSTATUS
101 NTAPI
102 NtAccessCheckByType(
103     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
104     _In_opt_ PSID PrincipalSelfSid,
105     _In_ HANDLE ClientToken,
106     _In_ ACCESS_MASK DesiredAccess,
107     _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
108     _In_ ULONG ObjectTypeListLength,
109     _In_ PGENERIC_MAPPING GenericMapping,
110     _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
111     _Inout_ PULONG PrivilegeSetLength,
112     _Out_ PACCESS_MASK GrantedAccess,
113     _Out_ PNTSTATUS AccessStatus);
114 
115 _Must_inspect_result_
116 NTSYSCALLAPI
117 NTSTATUS
118 NTAPI
119 NtAccessCheckByTypeResultList(
120     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
121     _In_opt_ PSID PrincipalSelfSid,
122     _In_ HANDLE ClientToken,
123     _In_ ACCESS_MASK DesiredAccess,
124     _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
125     _In_ ULONG ObjectTypeListLength,
126     _In_ PGENERIC_MAPPING GenericMapping,
127     _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
128     _Inout_ PULONG PrivilegeSetLength,
129     _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
130     _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus);
131 
132 _Must_inspect_result_
133 __kernel_entry NTSYSCALLAPI
134 NTSTATUS
135 NTAPI
136 NtAccessCheckAndAuditAlarm(
137     _In_ PUNICODE_STRING SubsystemName,
138     _In_opt_ PVOID HandleId,
139     _In_ PUNICODE_STRING ObjectTypeName,
140     _In_ PUNICODE_STRING ObjectName,
141     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
142     _In_ ACCESS_MASK DesiredAccess,
143     _In_ PGENERIC_MAPPING GenericMapping,
144     _In_ BOOLEAN ObjectCreation,
145     _Out_ PACCESS_MASK GrantedAccess,
146     _Out_ PNTSTATUS AccessStatus,
147     _Out_ PBOOLEAN GenerateOnClose);
148 
149 _Must_inspect_result_
150 __kernel_entry
151 NTSYSCALLAPI
152 NTSTATUS
153 NTAPI
154 NtAdjustGroupsToken(
155     _In_ HANDLE TokenHandle,
156     _In_ BOOLEAN ResetToDefault,
157     _In_opt_ PTOKEN_GROUPS NewState,
158     _In_opt_ ULONG BufferLength,
159     _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
160     _When_(PreviousState != NULL, _Out_) PULONG ReturnLength);
161 
162 _Must_inspect_result_
163 __kernel_entry
164 NTSYSCALLAPI
165 NTSTATUS
166 NTAPI
167 NtAdjustPrivilegesToken(
168     _In_ HANDLE TokenHandle,
169     _In_ BOOLEAN DisableAllPrivileges,
170     _In_opt_ PTOKEN_PRIVILEGES NewState,
171     _In_ ULONG BufferLength,
172     _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
173     _When_(PreviousState != NULL, _Out_) PULONG ReturnLength);
174 
175 NTSYSCALLAPI
176 NTSTATUS
177 NTAPI
178 NtAllocateLocallyUniqueId(
179     _Out_ LUID *LocallyUniqueId);
180 
181 NTSYSCALLAPI
182 NTSTATUS
183 NTAPI
184 NtAllocateUuids(
185     _Out_ PULARGE_INTEGER Time,
186     _Out_ PULONG Range,
187     _Out_ PULONG Sequence,
188     _Out_ PUCHAR Seed);
189 
190 NTSYSCALLAPI
191 NTSTATUS
192 NTAPI
193 NtCompareTokens(
194     _In_ HANDLE FirstTokenHandle,
195     _In_ HANDLE SecondTokenHandle,
196     _Out_ PBOOLEAN Equal);
197 
198 __kernel_entry
199 NTSYSCALLAPI
200 NTSTATUS
201 NTAPI
202 NtCreateToken(
203     _Out_ PHANDLE TokenHandle,
204     _In_ ACCESS_MASK DesiredAccess,
205     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
206     _In_ TOKEN_TYPE TokenType,
207     _In_ PLUID AuthenticationId,
208     _In_ PLARGE_INTEGER ExpirationTime,
209     _In_ PTOKEN_USER TokenUser,
210     _In_ PTOKEN_GROUPS TokenGroups,
211     _In_ PTOKEN_PRIVILEGES TokenPrivileges,
212     _In_opt_ PTOKEN_OWNER TokenOwner,
213     _In_ PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
214     _In_opt_ PTOKEN_DEFAULT_DACL TokenDefaultDacl,
215     _In_ PTOKEN_SOURCE TokenSource);
216 
217 _Must_inspect_result_
218 __kernel_entry
219 NTSYSCALLAPI
220 NTSTATUS
221 NTAPI
222 NtDuplicateToken(
223     _In_ HANDLE ExistingTokenHandle,
224     _In_ ACCESS_MASK DesiredAccess,
225     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
226     _In_ BOOLEAN EffectiveOnly,
227     _In_ TOKEN_TYPE TokenType,
228     _Out_ PHANDLE NewTokenHandle);
229 
230 _Must_inspect_result_
231 __kernel_entry
232 NTSYSCALLAPI
233 NTSTATUS
234 NTAPI
235 NtFilterToken(
236     _In_ HANDLE ExistingTokenHandle,
237     _In_ ULONG Flags,
238     _In_opt_ PTOKEN_GROUPS SidsToDisable,
239     _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
240     _In_opt_ PTOKEN_GROUPS RestrictedSids,
241     _Out_ PHANDLE NewTokenHandle);
242 
243 NTSYSCALLAPI
244 NTSTATUS
245 NTAPI
246 NtImpersonateAnonymousToken(
247     _In_ HANDLE ThreadHandle);
248 
249 __kernel_entry
250 NTSYSCALLAPI
251 NTSTATUS
252 NTAPI
253 NtOpenObjectAuditAlarm(
254     _In_ PUNICODE_STRING SubsystemName,
255     _In_opt_ PVOID HandleId,
256     _In_ PUNICODE_STRING ObjectTypeName,
257     _In_ PUNICODE_STRING ObjectName,
258     _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
259     _In_ HANDLE ClientToken,
260     _In_ ACCESS_MASK DesiredAccess,
261     _In_ ACCESS_MASK GrantedAccess,
262     _In_opt_ PPRIVILEGE_SET Privileges,
263     _In_ BOOLEAN ObjectCreation,
264     _In_ BOOLEAN AccessGranted,
265     _Out_ PBOOLEAN GenerateOnClose);
266 
267 NTSYSCALLAPI
268 NTSTATUS
269 NTAPI
270 NtOpenProcessTokenEx(
271     _In_ HANDLE ProcessHandle,
272     _In_ ACCESS_MASK DesiredAccess,
273     _In_ ULONG HandleAttributes,
274     _Out_ PHANDLE TokenHandle);
275 
276 _Must_inspect_result_
277 __kernel_entry
278 NTSYSCALLAPI
279 NTSTATUS
280 NTAPI
281 NtPrivilegeCheck(
282     _In_ HANDLE ClientToken,
283     _Inout_ PPRIVILEGE_SET RequiredPrivileges,
284     _Out_ PBOOLEAN Result);
285 
286 NTSYSCALLAPI
287 NTSTATUS
288 NTAPI
289 NtPrivilegedServiceAuditAlarm(
290     _In_ PUNICODE_STRING SubsystemName,
291     _In_ PUNICODE_STRING ServiceName,
292     _In_ HANDLE ClientToken,
293     _In_ PPRIVILEGE_SET Privileges,
294     _In_ BOOLEAN AccessGranted);
295 
296 __kernel_entry
297 NTSYSCALLAPI
298 NTSTATUS
299 NTAPI
300 NtPrivilegeObjectAuditAlarm(
301     _In_ PUNICODE_STRING SubsystemName,
302     _In_opt_ PVOID HandleId,
303     _In_ HANDLE ClientToken,
304     _In_ ACCESS_MASK DesiredAccess,
305     _In_ PPRIVILEGE_SET Privileges,
306     _In_ BOOLEAN AccessGranted);
307 
308 _When_(TokenInformationClass == TokenAccessInformation,
309     _At_(TokenInformationLength, _In_range_(>=, sizeof(TOKEN_ACCESS_INFORMATION))))
310 _Must_inspect_result_
311 __kernel_entry
312 NTSYSCALLAPI
313 NTSTATUS
314 NTAPI
315 NtQueryInformationToken(
316     _In_ HANDLE TokenHandle,
317     _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
318     _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation,
319     _In_ ULONG TokenInformationLength,
320     _Out_ PULONG ReturnLength);
321 
322 _Must_inspect_result_
323 __kernel_entry
324 NTSYSCALLAPI
325 NTSTATUS
326 NTAPI
327 NtSetInformationToken(
328     _In_ HANDLE TokenHandle,
329     _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
330     _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,
331     _In_ ULONG TokenInformationLength);
332 
333 NTSYSAPI
334 NTSTATUS
335 NTAPI
336 ZwAccessCheck(
337     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
338     _In_ HANDLE ClientToken,
339     _In_ ACCESS_MASK DesiredAccess,
340     _In_ PGENERIC_MAPPING GenericMapping,
341     _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
342     _Out_ PULONG PrivilegeSetLength,
343     _Out_ PACCESS_MASK GrantedAccess,
344     _Out_ PNTSTATUS AccessStatus);
345 
346 NTSYSAPI
347 NTSTATUS
348 NTAPI
349 ZwAdjustGroupsToken(
350     _In_ HANDLE TokenHandle,
351     _In_ BOOLEAN ResetToDefault,
352     _In_ PTOKEN_GROUPS NewState,
353     _In_ ULONG BufferLength,
354     _Out_opt_ PTOKEN_GROUPS PreviousState,
355     _Out_ PULONG ReturnLength);
356 
357 _Must_inspect_result_
358 NTSYSAPI
359 NTSTATUS
360 NTAPI
361 ZwAdjustPrivilegesToken(
362     _In_ HANDLE TokenHandle,
363     _In_ BOOLEAN DisableAllPrivileges,
364     _In_opt_ PTOKEN_PRIVILEGES NewState,
365     _In_ ULONG BufferLength,
366     _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
367     _When_(PreviousState != NULL, _Out_) PULONG ReturnLength);
368 
369 NTSYSAPI
370 NTSTATUS
371 NTAPI
372 ZwAllocateLocallyUniqueId(
373     _Out_ LUID *LocallyUniqueId);
374 
375 NTSYSAPI
376 NTSTATUS
377 NTAPI
378 ZwAllocateUuids(
379     _Out_ PULARGE_INTEGER Time,
380     _Out_ PULONG Range,
381     _Out_ PULONG Sequence,
382     _Out_ PUCHAR Seed);
383 
384 NTSYSAPI
385 NTSTATUS
386 NTAPI
387 ZwCreateToken(
388     _Out_ PHANDLE TokenHandle,
389     _In_ ACCESS_MASK DesiredAccess,
390     _In_ POBJECT_ATTRIBUTES ObjectAttributes,
391     _In_ TOKEN_TYPE TokenType,
392     _In_ PLUID AuthenticationId,
393     _In_ PLARGE_INTEGER ExpirationTime,
394     _In_ PTOKEN_USER TokenUser,
395     _In_ PTOKEN_GROUPS TokenGroups,
396     _In_ PTOKEN_PRIVILEGES TokenPrivileges,
397     _In_ PTOKEN_OWNER TokenOwner,
398     _In_ PTOKEN_PRIMARY_GROUP TokenPrimaryGroup,
399     _In_ PTOKEN_DEFAULT_DACL TokenDefaultDacl,
400     _In_ PTOKEN_SOURCE TokenSource);
401 
402 _IRQL_requires_max_(PASSIVE_LEVEL)
403 NTSYSAPI
404 NTSTATUS
405 NTAPI
406 ZwDuplicateToken(
407     _In_ HANDLE ExistingTokenHandle,
408     _In_ ACCESS_MASK DesiredAccess,
409     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
410     _In_ BOOLEAN EffectiveOnly,
411     _In_ TOKEN_TYPE TokenType,
412     _Out_ PHANDLE NewTokenHandle);
413 
414 NTSYSAPI
415 NTSTATUS
416 NTAPI
417 ZwImpersonateAnonymousToken(
418     _In_ HANDLE Thread);
419 
420 NTSYSAPI
421 NTSTATUS
422 NTAPI
423 ZwOpenObjectAuditAlarm(
424     _In_ PUNICODE_STRING SubsystemName,
425     _In_ PVOID HandleId,
426     _In_ PUNICODE_STRING ObjectTypeName,
427     _In_ PUNICODE_STRING ObjectName,
428     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
429     _In_ HANDLE ClientToken,
430     _In_ ULONG DesiredAccess,
431     _In_ ULONG GrantedAccess,
432     _In_ PPRIVILEGE_SET Privileges,
433     _In_ BOOLEAN ObjectCreation,
434     _In_ BOOLEAN AccessGranted,
435     _Out_ PBOOLEAN GenerateOnClose);
436 
437 _IRQL_requires_max_(PASSIVE_LEVEL)
438 NTSYSAPI
439 NTSTATUS
440 NTAPI
441 ZwOpenProcessToken(
442     _In_ HANDLE ProcessHandle,
443     _In_ ACCESS_MASK DesiredAccess,
444     _Out_ PHANDLE TokenHandle);
445 
446 NTSYSAPI
447 NTSTATUS
448 NTAPI
449 ZwOpenProcessTokenEx(
450     _In_ HANDLE ProcessHandle,
451     _In_ ACCESS_MASK DesiredAccess,
452     _In_ ULONG HandleAttributes,
453     _Out_ PHANDLE TokenHandle);
454 
455 NTSYSAPI
456 NTSTATUS
457 NTAPI
458 ZwPrivilegeCheck(
459     _In_ HANDLE ClientToken,
460     _In_ PPRIVILEGE_SET RequiredPrivileges,
461     _In_ PBOOLEAN Result);
462 
463 NTSYSAPI
464 NTSTATUS
465 NTAPI
466 ZwPrivilegedServiceAuditAlarm(
467     _In_ PUNICODE_STRING SubsystemName,
468     _In_ PUNICODE_STRING ServiceName,
469     _In_ HANDLE ClientToken,
470     _In_ PPRIVILEGE_SET Privileges,
471     _In_ BOOLEAN AccessGranted);
472 
473 NTSYSAPI
474 NTSTATUS
475 NTAPI
476 ZwPrivilegeObjectAuditAlarm(
477     _In_ PUNICODE_STRING SubsystemName,
478     _In_ PVOID HandleId,
479     _In_ HANDLE ClientToken,
480     _In_ ULONG DesiredAccess,
481     _In_ PPRIVILEGE_SET Privileges,
482     _In_ BOOLEAN AccessGranted);
483 
484 _IRQL_requires_max_(PASSIVE_LEVEL)
485 NTSYSAPI
486 NTSTATUS
487 NTAPI
488 ZwQueryInformationToken(
489     _In_ HANDLE TokenHandle,
490     _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
491     _Out_writes_bytes_to_opt_(Length,*ResultLength) PVOID TokenInformation,
492     _In_ ULONG Length,
493     _Out_ PULONG ResultLength);
494 
495 NTSYSAPI
496 NTSTATUS
497 NTAPI
498 ZwSetInformationToken(
499     _In_ HANDLE TokenHandle,
500     _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
501     _Out_ PVOID TokenInformation,
502     _In_ ULONG TokenInformationLength);
503 
504 #endif
505