/*
 * PROJECT:     ReactOS Kernel
 * LICENSE:     GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
 * PURPOSE:     Internal header for the Security Manager
 * COPYRIGHT:   Copyright Eric Kohl
 *              Copyright 2022 George Bișoc <george.bisoc@reactos.org>
 */

#pragma once

//
// Internal ACE type structures
//
// Every layout begins with the common ACE_HEADER followed by an ACCESS_MASK.
// SidStart is a single ULONG; presumably the variable-length SID begins at
// that member, as in the public ACE structures -- confirm against the users.
//
typedef struct _KNOWN_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG SidStart;
} KNOWN_ACE, *PKNOWN_ACE;

typedef struct _KNOWN_OBJECT_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG Flags;
    ULONG SidStart;
} KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;

typedef struct _KNOWN_COMPOUND_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    USHORT CompoundAceType;
    USHORT Reserved;
    ULONG SidStart;
} KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;

//
// Access Check Rights
//
// Three access masks kept side by side (remaining, granted, denied).
//
typedef struct _ACCESS_CHECK_RIGHTS
{
    ACCESS_MASK RemainingAccessRights;
    ACCESS_MASK GrantedAccessRights;
    ACCESS_MASK DeniedAccessRights;
} ACCESS_CHECK_RIGHTS, *PACCESS_CHECK_RIGHTS;

typedef enum _ACCESS_CHECK_RIGHT_TYPE
{
    AccessCheckMaximum,
    AccessCheckRegular
} ACCESS_CHECK_RIGHT_TYPE;

//
// Token Audit Policy Information structure
//
// Policies is declared with one element. Presumably PolicyCount entries
// follow it (trailing variable-length array), in which case any code walking
// the array has to bound the walk by the size of the allocation -- confirm
// against the users of this structure.
//
typedef struct _TOKEN_AUDIT_POLICY_INFORMATION
{
    ULONG PolicyCount;
    struct
    {
        ULONG Category;
        UCHAR Value;
    } Policies[1];
} TOKEN_AUDIT_POLICY_INFORMATION, *PTOKEN_AUDIT_POLICY_INFORMATION;

//
// Token creation method defines (for debugging purposes)
//
#define TOKEN_CREATE_METHOD    0xCUL
#define TOKEN_DUPLICATE_METHOD 0xDUL
#define TOKEN_FILTER_METHOD    0xFUL

//
// Security descriptor internal helpers
//
// The accessors below accept either descriptor form. When SE_SELF_RELATIVE is
// set in Control, the field is read as an offset and added to the base address
// of the descriptor; otherwise the field is returned as the pointer it already
// holds.
//
// None of the helpers receives the length of the descriptor, so an offset
// taken from a self-relative descriptor cannot be range-checked here. The
// returned pointer is only as trustworthy as the descriptor itself: callers
// must pass a descriptor that has already been captured and validated.
//
// NOTE(review): the parameter is annotated _Inout_ although the helpers only
// read through it.
//

/* Returns the primary group SID of the descriptor, or NULL if none is stored */
FORCEINLINE
PSID
SepGetGroupFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute form: Group already holds a pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Group;
    }

    /* Self-relative form: Group is an offset from the base, zero means absent */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Group == 0)
    {
        return NULL;
    }

    return (PSID)((ULONG_PTR)_Descriptor + RelativeSd->Group);
}

/* Returns the owner SID of the descriptor, or NULL if none is stored */
FORCEINLINE
PSID
SepGetOwnerFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute form: Owner already holds a pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Owner;
    }

    /* Self-relative form: Owner is an offset from the base, zero means absent */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Owner == 0)
    {
        return NULL;
    }

    return (PSID)((ULONG_PTR)_Descriptor + RelativeSd->Owner);
}

/*
 * Returns the DACL of the descriptor.
 *
 * NULL is returned both when SE_DACL_PRESENT is clear and when the flag is
 * set but the stored pointer/offset is null. A caller that needs to tell the
 * two situations apart has to inspect Control itself.
 */
FORCEINLINE
PACL
SepGetDaclFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* The DACL field is ignored unless the control flag announces it */
    if ((AbsoluteSd->Control & SE_DACL_PRESENT) == 0)
    {
        return NULL;
    }

    /* Absolute form: Dacl already holds a pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Dacl;
    }

    /* Self-relative form: Dacl is an offset from the base, zero means absent */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Dacl == 0)
    {
        return NULL;
    }

    return (PACL)((ULONG_PTR)_Descriptor + RelativeSd->Dacl);
}

/*
 * Returns the SACL of the descriptor.
 *
 * NULL is returned both when SE_SACL_PRESENT is clear and when the flag is
 * set but the stored pointer/offset is null.
 */
FORCEINLINE
PACL
SepGetSaclFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* The SACL field is ignored unless the control flag announces it */
    if ((AbsoluteSd->Control & SE_SACL_PRESENT) == 0)
    {
        return NULL;
    }

    /* Absolute form: Sacl already holds a pointer */
    if (!(AbsoluteSd->Control & SE_SELF_RELATIVE))
    {
        return AbsoluteSd->Sacl;
    }

    /* Self-relative form: Sacl is an offset from the base, zero means absent */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Sacl == 0)
    {
        return NULL;
    }

    return (PACL)((ULONG_PTR)_Descriptor + RelativeSd->Sacl);
}

#ifndef RTL_H

//
// SID Authorities
//
extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
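extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;

//
// SIDs
//
extern PSID SeNullSid;
extern PSID SeWorldSid;
extern PSID SeLocalSid;
extern PSID SeCreatorOwnerSid;
extern PSID SeCreatorGroupSid;
extern PSID SeCreatorOwnerServerSid;
extern PSID SeCreatorGroupServerSid;
extern PSID SeNtAuthoritySid;
extern PSID SeDialupSid;
extern PSID SeNetworkSid;
extern PSID SeBatchSid;
extern PSID SeInteractiveSid;
extern PSID SeServiceSid;
extern PSID SeAnonymousLogonSid;
extern PSID SePrincipalSelfSid;
extern PSID SeLocalSystemSid;
extern PSID SeAuthenticatedUserSid;
extern PSID SeRestrictedCodeSid;
extern PSID SeAliasAdminsSid;
extern PSID SeAliasUsersSid;
extern PSID SeAliasGuestsSid;
extern PSID SeAliasPowerUsersSid;
extern PSID SeAliasAccountOpsSid;
extern PSID SeAliasSystemOpsSid;
extern PSID SeAliasPrintOpsSid;
extern PSID SeAliasBackupOpsSid;
extern PSID SeAuthenticatedUsersSid;
extern PSID SeRestrictedSid;
extern PSID SeLocalServiceSid;
extern PSID SeNetworkServiceSid;

//
// Privileges
//
extern const LUID SeCreateTokenPrivilege;
extern const LUID SeAssignPrimaryTokenPrivilege;
extern const LUID SeLockMemoryPrivilege;
extern const LUID SeIncreaseQuotaPrivilege;
extern const LUID SeUnsolicitedInputPrivilege;
extern const LUID SeTcbPrivilege;
extern const LUID SeSecurityPrivilege;
extern const LUID SeTakeOwnershipPrivilege;
extern const LUID SeLoadDriverPrivilege;
extern const LUID SeSystemProfilePrivilege;
extern const LUID SeSystemtimePrivilege;
extern const LUID SeProfileSingleProcessPrivilege;
extern const LUID SeIncreaseBasePriorityPrivilege;
extern const LUID SeCreatePagefilePrivilege;
extern const LUID SeCreatePermanentPrivilege;
extern const LUID SeBackupPrivilege;
extern const LUID SeRestorePrivilege;
extern const LUID SeShutdownPrivilege;
extern const LUID SeDebugPrivilege;
extern const LUID SeAuditPrivilege;
extern const LUID SeSystemEnvironmentPrivilege;
extern const LUID SeChangeNotifyPrivilege;
extern const LUID SeRemoteShutdownPrivilege;
extern const LUID SeUndockPrivilege;
extern const LUID SeSyncAgentPrivilege;
extern const LUID SeEnableDelegationPrivilege;
extern const LUID SeManageVolumePrivilege;
extern const LUID SeImpersonatePrivilege;
extern const LUID SeCreateGlobalPrivilege;
extern const LUID SeTrustedCredmanPrivilege;
extern const LUID SeRelabelPrivilege;
extern const LUID SeIncreaseWorkingSetPrivilege;
extern const LUID SeTimeZonePrivilege;
extern const LUID SeCreateSymbolicLinkPrivilege;

//
// DACLs
//
extern PACL SePublicDefaultUnrestrictedDacl;
extern PACL SePublicOpenDacl;
extern PACL SePublicOpenUnrestrictedDacl;
extern PACL SeUnrestrictedDacl;
extern PACL SeSystemAnonymousLogonDacl;

//
// SDs
//
extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SePublicOpenSd;
extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd;

//
// Anonymous Logon Tokens
//
extern PTOKEN SeAnonymousLogonToken;
extern PTOKEN SeAnonymousLogonTokenNoEveryone;


//
// Token lock management macros
//
// Acquire enters a critical region and then takes the token's resource lock,
// waiting until it is available (Wait == TRUE). Release undoes both steps in
// the reverse order. Every acquire needs exactly one SepReleaseTokenLock on
// every exit path; otherwise the thread keeps the lock and never leaves the
// critical region.
//
// The macro argument is parenthesized before the PTOKEN cast, so that an
// expression argument is cast as a whole and not only its first operand.
//
// The expansion is a bare brace block, not do { } while (0). When it is used
// as the unbraced body of an `if` that has an `else`, the caller's trailing
// `;` ends the `if` statement and the `else` no longer compiles, so such call
// sites have to be braced.
//
#define SepAcquireTokenLockExclusive(Token)                                    \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceExclusiveLite(((PTOKEN)(Token))->TokenLock, TRUE);        \
}
#define SepAcquireTokenLockShared(Token)                                       \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceSharedLite(((PTOKEN)(Token))->TokenLock, TRUE);           \
}

#define SepReleaseTokenLock(Token)                                             \
{                                                                              \
    ExReleaseResourceLite(((PTOKEN)(Token))->TokenLock);                       \
    KeLeaveCriticalRegion();                                                   \
}

#if DBG
//
// Security Debug Utility Functions
//
// Declared only when DBG is defined; call sites need the same guard.
//
VOID
SepDumpSdDebugInfo(
    _In_opt_ PISECURITY_DESCRIPTOR SecurityDescriptor);

VOID
SepDumpTokenDebugInfo(
    _In_opt_ PTOKEN Token);

VOID
SepDumpAccessRightsStats(
    _In_opt_ PACCESS_CHECK_RIGHTS AccessRights);
#endif // DBG

//
// Token Functions
//
// Routines marked CODE_SEG("INIT") are placed in the INIT code section;
// presumably they may only be called during system initialization -- confirm
// against the build's section handling.
//
CODE_SEG("INIT")
VOID
NTAPI
SepInitializeTokenImplementation(VOID);

CODE_SEG("INIT")
PTOKEN
NTAPI
SepCreateSystemProcessToken(VOID);

CODE_SEG("INIT")
PTOKEN
SepCreateSystemAnonymousLogonToken(VOID);

CODE_SEG("INIT")
PTOKEN
SepCreateSystemAnonymousLogonTokenNoEveryone(VOID);

NTSTATUS
NTAPI
SepDuplicateToken(
    _In_ PTOKEN Token,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE TokenType,
    _In_ SECURITY_IMPERSONATION_LEVEL Level,
    _In_ KPROCESSOR_MODE PreviousMode,
    _Out_ PTOKEN* NewAccessToken);

NTSTATUS
NTAPI
SepCreateToken(
    _Out_ PHANDLE TokenHandle,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ TOKEN_TYPE TokenType,
    _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
    _In_ PLUID AuthenticationId,
    _In_ PLARGE_INTEGER ExpirationTime,
    _In_ PSID_AND_ATTRIBUTES User,
    _In_ ULONG GroupCount,
    _In_ PSID_AND_ATTRIBUTES Groups,
    _In_ ULONG GroupsLength,
    _In_ ULONG PrivilegeCount,
    _In_ PLUID_AND_ATTRIBUTES Privileges,
    _In_opt_ PSID Owner,
    _In_ PSID PrimaryGroup,
    _In_opt_ PACL DefaultDacl,
    _In_ PTOKEN_SOURCE TokenSource,
    _In_ BOOLEAN SystemToken);

BOOLEAN
NTAPI
SepTokenIsOwner(
    _In_ PACCESS_TOKEN _Token,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ BOOLEAN TokenLocked);

NTSTATUS
SepCreateTokenLock(
    _Inout_ PTOKEN Token);

VOID
SepDeleteTokenLock(
    _Inout_ PTOKEN Token);

VOID
SepUpdatePrivilegeFlagsToken(
    _Inout_ PTOKEN Token);

NTSTATUS
SepFindPrimaryGroupAndDefaultOwner(
    _In_ PTOKEN Token,
    _In_ PSID PrimaryGroup,
    _In_opt_ PSID DefaultOwner,
    _Out_opt_ PULONG PrimaryGroupIndex,
    _Out_opt_ PULONG DefaultOwnerIndex);

VOID
SepUpdateSinglePrivilegeFlagToken(
    _Inout_ PTOKEN Token,
    _In_ ULONG Index);

VOID
SepRemovePrivilegeToken(
    _Inout_ PTOKEN Token,
    _In_ ULONG Index);

VOID
SepRemoveUserGroupToken(
    _Inout_ PTOKEN Token,
    _In_ ULONG Index);

ULONG
SepComputeAvailableDynamicSpace(
    _In_ ULONG DynamicCharged,
    _In_ PSID PrimaryGroup,
    _In_opt_ PACL DefaultDacl);

NTSTATUS
SepRebuildDynamicPartOfToken(
    _In_ PTOKEN Token,
    _In_ ULONG NewDynamicPartSize);

BOOLEAN
NTAPI
SeTokenCanImpersonate(
    _In_ PTOKEN ProcessToken,
    _In_ PTOKEN TokenToImpersonate,
    _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel);

VOID
NTAPI
SeGetTokenControlInformation(
    _In_ PACCESS_TOKEN _Token,
    _Out_ PTOKEN_CONTROL TokenControl);

VOID
NTAPI
SeDeassignPrimaryToken(
    _Inout_ PEPROCESS Process);

NTSTATUS
NTAPI
SeSubProcessToken(
    _In_ PTOKEN Parent,
    _Out_ PTOKEN *Token,
    _In_ BOOLEAN InUse,
    _In_ ULONG SessionId);

NTSTATUS
NTAPI
SeIsTokenChild(
    _In_ PTOKEN Token,
    _Out_ PBOOLEAN IsChild);

NTSTATUS
NTAPI
SeIsTokenSibling(
    _In_ PTOKEN Token,
    _Out_ PBOOLEAN IsSibling);

NTSTATUS
NTAPI
SeExchangePrimaryToken(
    _In_ PEPROCESS Process,
    _In_ PACCESS_TOKEN NewAccessToken,
    _Out_ PACCESS_TOKEN* OldAccessToken);

NTSTATUS
NTAPI
SeCopyClientToken(
    _In_ PACCESS_TOKEN Token,
    _In_ SECURITY_IMPERSONATION_LEVEL Level,
    _In_ KPROCESSOR_MODE PreviousMode,
    _Out_ PACCESS_TOKEN* NewToken);

BOOLEAN
NTAPI
SeTokenIsInert(
    _In_ PTOKEN Token);

ULONG
RtlLengthSidAndAttributes(
    _In_ ULONG Count,
    _In_ PSID_AND_ATTRIBUTES Src);

//
// Security Manager (SeMgr) functions
//
CODE_SEG("INIT")
BOOLEAN
NTAPI
SeInitSystem(VOID);

NTSTATUS
NTAPI
SeDefaultObjectMethod(
    _In_ PVOID Object,
    _In_ SECURITY_OPERATION_CODE OperationType,
    _In_ PSECURITY_INFORMATION SecurityInformation,
    _Inout_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _Inout_opt_ PULONG ReturnLength,
    _Inout_opt_ PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
    _In_ POOL_TYPE PoolType,
    _In_ PGENERIC_MAPPING GenericMapping);

VOID
NTAPI
SeQuerySecurityAccessMask(
    _In_ SECURITY_INFORMATION SecurityInformation,
    _Out_ PACCESS_MASK DesiredAccess);

VOID
NTAPI
SeSetSecurityAccessMask(
    _In_ SECURITY_INFORMATION SecurityInformation,
    _Out_ PACCESS_MASK DesiredAccess);

//
// Privilege functions
//
// The capture routines take PreviousMode and CaptureIfKernel, and each has a
// release routine taking the same two arguments. Presumably the release call
// has to be given the values used at capture time -- confirm against the
// implementations.
//
CODE_SEG("INIT")
VOID
NTAPI
SepInitPrivileges(VOID);

BOOLEAN
NTAPI
SepPrivilegeCheck(
    _In_ PTOKEN Token,
    _In_ PLUID_AND_ATTRIBUTES Privileges,
    _In_ ULONG PrivilegeCount,
    _In_ ULONG PrivilegeControl,
    _In_ KPROCESSOR_MODE PreviousMode);

NTSTATUS
NTAPI
SePrivilegePolicyCheck(
    _Inout_ PACCESS_MASK DesiredAccess,
    _Inout_ PACCESS_MASK GrantedAccess,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PTOKEN Token,
    _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
    _In_ KPROCESSOR_MODE PreviousMode);

BOOLEAN
NTAPI
SeCheckAuditPrivilege(
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ KPROCESSOR_MODE PreviousMode);

BOOLEAN
NTAPI
SeCheckPrivilegedObject(
    _In_ LUID PrivilegeValue,
    _In_ HANDLE ObjectHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ KPROCESSOR_MODE PreviousMode);

NTSTATUS
NTAPI
SeCaptureLuidAndAttributesArray(
    _In_ PLUID_AND_ATTRIBUTES Src,
    _In_ ULONG PrivilegeCount,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_ PLUID_AND_ATTRIBUTES AllocatedMem,
    _In_ ULONG AllocatedLength,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PLUID_AND_ATTRIBUTES* Dest,
    _Inout_ PULONG Length);

VOID
NTAPI
SeReleaseLuidAndAttributesArray(
    _In_ PLUID_AND_ATTRIBUTES Privilege,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_ BOOLEAN CaptureIfKernel);

//
// SID functions
//
CODE_SEG("INIT")
BOOLEAN
NTAPI
SepInitSecurityIDs(VOID);

NTSTATUS
NTAPI
SepCaptureSid(
    _In_ PSID InputSid,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PSID *CapturedSid);

VOID
NTAPI
SepReleaseSid(
    _In_ PSID CapturedSid,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel);

BOOLEAN
NTAPI
SepSidInToken(
    _In_ PACCESS_TOKEN _Token,
    _In_ PSID Sid);

BOOLEAN
NTAPI
SepSidInTokenEx(
    _In_ PACCESS_TOKEN _Token,
    _In_ PSID PrincipalSelfSid,
    _In_ PSID _Sid,
    _In_ BOOLEAN Deny,
    _In_ BOOLEAN Restricted);

PSID
NTAPI
SepGetSidFromAce(
    _In_ UCHAR AceType,
    _In_ PACE Ace);

NTSTATUS
NTAPI
SeCaptureSidAndAttributesArray(
    _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
    _In_ ULONG AttributeCount,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_opt_ PVOID AllocatedMem,
    _In_ ULONG AllocatedLength,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
    _Out_ PULONG ResultLength);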
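
VOID
NTAPI
SeReleaseSidAndAttributesArray(
    _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel);

//
// ACL functions
//
CODE_SEG("INIT")
BOOLEAN
NTAPI
SepInitDACLs(VOID);

NTSTATUS
NTAPI
SepCreateImpersonationTokenDacl(
    _In_ PTOKEN Token,
    _In_ PTOKEN PrimaryToken,
    _Out_ PACL* Dacl);

NTSTATUS
NTAPI
SepCaptureAcl(
    _In_ PACL InputAcl,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PACL *CapturedAcl);

VOID
NTAPI
SepReleaseAcl(
    _In_ PACL CapturedAcl,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel);

// NOTE(review): the AclDest annotation names DaclLength, which is not a
// parameter of this function; the size argument here is AclLength. The
// annotation is left as found -- confirm the intended bound against the
// implementation before relying on it for static analysis.
NTSTATUS
SepPropagateAcl(
    _Out_writes_bytes_opt_(DaclLength) PACL AclDest,
    _Inout_ PULONG AclLength,
    _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
    _In_ PSID Owner,
    _In_ PSID Group,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);

PACL
SepSelectAcl(
    _In_opt_ PACL ExplicitAcl,
    _In_ BOOLEAN ExplicitPresent,
    _In_ BOOLEAN ExplicitDefaulted,
    _In_opt_ PACL ParentAcl,
    _In_opt_ PACL DefaultAcl,
    _Out_ PULONG AclLength,
    _In_ PSID Owner,
    _In_ PSID Group,
    _Out_ PBOOLEAN AclPresent,
    _Out_ PBOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);

//
// SD functions
//
CODE_SEG("INIT")
BOOLEAN
NTAPI
SepInitSDs(VOID);

NTSTATUS
NTAPI
SeSetWorldSecurityDescriptor(
    _In_ SECURITY_INFORMATION SecurityInformation,
    _In_ PISECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ PULONG BufferLength);

NTSTATUS
NTAPI
SeComputeQuotaInformationSize(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _Out_ PULONG QuotaInfoSize);

//
// Security Reference Monitor (SeRm) functions
//
BOOLEAN
NTAPI
SeRmInitPhase0(VOID);

BOOLEAN
NTAPI
SeRmInitPhase1(VOID);

NTSTATUS
NTAPI
SepRmInsertLogonSessionIntoToken(
    _Inout_ PTOKEN Token);

NTSTATUS
NTAPI
SepRmRemoveLogonSessionFromToken(
    _Inout_ PTOKEN Token);

NTSTATUS
SepRmReferenceLogonSession(
    _Inout_ PLUID LogonLuid);

NTSTATUS
SepRmDereferenceLogonSession(
    _Inout_ PLUID LogonLuid);

NTSTATUS
NTAPI
SepRegQueryHelper(
    _In_ PCWSTR KeyName,
    _In_ PCWSTR ValueName,
    _In_ ULONG ValueType,
    _In_ ULONG DataLength,
    _Out_ PVOID ValueData);

NTSTATUS
NTAPI
SeGetLogonIdDeviceMap(
    _In_ PLUID LogonId,
    _Out_ PDEVICE_MAP *DeviceMap);

//
// Audit functions
//
NTSTATUS
NTAPI
SeInitializeProcessAuditName(
    _In_ PFILE_OBJECT FileObject,
    _In_ BOOLEAN DoAudit,
    _Out_ POBJECT_NAME_INFORMATION *AuditInfo);

BOOLEAN
NTAPI
SeDetailedAuditingWithToken(
    _In_ PTOKEN Token);

VOID
NTAPI
SeAuditProcessExit(
    _In_ PEPROCESS Process);

VOID
NTAPI
SeAuditProcessCreate(
    _In_ PEPROCESS Process);

VOID
NTAPI
SePrivilegedServiceAuditAlarm(
    _In_opt_ PUNICODE_STRING ServiceName,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PPRIVILEGE_SET PrivilegeSet,
    _In_ BOOLEAN AccessGranted);

//
// Subject functions
//
VOID
NTAPI
SeCaptureSubjectContextEx(
    _In_ PETHREAD Thread,
    _In_ PEPROCESS Process,
    _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext);

//
// Security Quality of Service (SQoS) functions
//
NTSTATUS
NTAPI
SepCaptureSecurityQualityOfService(
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
    _Out_ PBOOLEAN Present);

VOID
NTAPI
SepReleaseSecurityQualityOfService(
    _In_opt_ PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel);

//
// Object type list functions
//
NTSTATUS
SeCaptureObjectTypeList(
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ KPROCESSOR_MODE PreviousMode,
    _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList);

VOID
SeReleaseObjectTypeList(
    _In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList,
    _In_ KPROCESSOR_MODE PreviousMode);

//
// Access state functions
//
// AccessState was annotated "_In_ OUT", mixing a SAL annotation with the
// legacy OUT marker; it is expressed here as the single annotation _Inout_.
//
NTSTATUS
NTAPI
SeCreateAccessStateEx(
    _In_ PETHREAD Thread,
    _In_ PEPROCESS Process,
    _Inout_ PACCESS_STATE AccessState,
    _In_ PAUX_ACCESS_DATA AuxData,
    _In_ ACCESS_MASK Access,
    _In_ PGENERIC_MAPPING GenericMapping);

//
// Access check functions
//
BOOLEAN
NTAPI
SeFastTraverseCheck(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ PACCESS_STATE AccessState,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ KPROCESSOR_MODE AccessMode);

#endif

/* EOF */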