1 /* 2 * PROJECT: ReactOS Kernel 3 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later) 4 * PURPOSE: Internal header for the Security Manager 5 * COPYRIGHT: Copyright Eric Kohl 6 * Copyright 2022-2023 George Bișoc <george.bisoc@reactos.org> 7 */ 8 9 #pragma once 10 11 // 12 // Internal ACE type structures 13 // 14 typedef struct _KNOWN_ACE 15 { 16 ACE_HEADER Header; 17 ACCESS_MASK Mask; 18 ULONG SidStart; 19 } KNOWN_ACE, *PKNOWN_ACE; 20 21 typedef struct _KNOWN_OBJECT_ACE 22 { 23 ACE_HEADER Header; 24 ACCESS_MASK Mask; 25 ULONG Flags; 26 ULONG SidStart; 27 } KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE; 28 29 typedef struct _KNOWN_COMPOUND_ACE 30 { 31 ACE_HEADER Header; 32 ACCESS_MASK Mask; 33 USHORT CompoundAceType; 34 USHORT Reserved; 35 ULONG SidStart; 36 } KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE; 37 38 // 39 // Access Check Rights 40 // 41 typedef struct _ACCESS_CHECK_RIGHTS 42 { 43 ACCESS_MASK RemainingAccessRights; 44 ACCESS_MASK GrantedAccessRights; 45 ACCESS_MASK DeniedAccessRights; 46 } ACCESS_CHECK_RIGHTS, *PACCESS_CHECK_RIGHTS; 47 48 // 49 // Internal object type list structure 50 // 51 typedef struct _OBJECT_TYPE_LIST_INTERNAL 52 { 53 GUID ObjectTypeGuid; 54 USHORT Level; 55 ACCESS_CHECK_RIGHTS ObjectAccessRights; 56 } OBJECT_TYPE_LIST_INTERNAL, *POBJECT_TYPE_LIST_INTERNAL; 57 58 typedef enum _ACCESS_CHECK_RIGHT_TYPE 59 { 60 AccessCheckMaximum, 61 AccessCheckRegular 62 } ACCESS_CHECK_RIGHT_TYPE; 63 64 // 65 // Token Audit Policy Information structure 66 // 67 typedef struct _TOKEN_AUDIT_POLICY_INFORMATION 68 { 69 ULONG PolicyCount; 70 struct 71 { 72 ULONG Category; 73 UCHAR Value; 74 } Policies[1]; 75 } TOKEN_AUDIT_POLICY_INFORMATION, *PTOKEN_AUDIT_POLICY_INFORMATION; 76 77 // 78 // Token creation method defines (for debugging purposes) 79 // 80 #define TOKEN_CREATE_METHOD 0xCUL 81 #define TOKEN_DUPLICATE_METHOD 0xDUL 82 #define TOKEN_FILTER_METHOD 0xFUL 83 84 // 85 // Security descriptor internal helpers 86 // 87 FORCEINLINE 88 PSID 89 SepGetGroupFromDescriptor( 90 _Inout_ PSECURITY_DESCRIPTOR _Descriptor) 91 { 92 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 93 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 94 95 if (Descriptor->Control & SE_SELF_RELATIVE) 96 { 97 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 98 if (!SdRel->Group) return NULL; 99 return (PSID)((ULONG_PTR)Descriptor + SdRel->Group); 100 } 101 else 102 { 103 return Descriptor->Group; 104 } 105 } 106 107 FORCEINLINE 108 PSID 109 SepGetOwnerFromDescriptor( 110 _Inout_ PSECURITY_DESCRIPTOR _Descriptor) 111 { 112 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 113 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 114 115 if (Descriptor->Control & SE_SELF_RELATIVE) 116 { 117 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 118 if (!SdRel->Owner) return NULL; 119 return (PSID)((ULONG_PTR)Descriptor + SdRel->Owner); 120 } 121 else 122 { 123 return Descriptor->Owner; 124 } 125 } 126 127 FORCEINLINE 128 PACL 129 SepGetDaclFromDescriptor( 130 _Inout_ PSECURITY_DESCRIPTOR _Descriptor) 131 { 132 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 133 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 134 135 if (!(Descriptor->Control & SE_DACL_PRESENT)) return NULL; 136 137 if (Descriptor->Control & SE_SELF_RELATIVE) 138 { 139 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 140 if (!SdRel->Dacl) return NULL; 141 return (PACL)((ULONG_PTR)Descriptor + SdRel->Dacl); 142 } 143 else 144 { 145 return Descriptor->Dacl; 146 } 147 } 148 149 FORCEINLINE 150 PACL 151 SepGetSaclFromDescriptor( 152 _Inout_ PSECURITY_DESCRIPTOR _Descriptor) 153 { 154 PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor; 155 PISECURITY_DESCRIPTOR_RELATIVE SdRel; 156 157 if (!(Descriptor->Control & SE_SACL_PRESENT)) return NULL; 158 159 if (Descriptor->Control & SE_SELF_RELATIVE) 160 { 161 SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor; 162 if (!SdRel->Sacl) return NULL; 163 return (PACL)((ULONG_PTR)Descriptor + SdRel->Sacl); 164 } 165 else 166 { 167 return Descriptor->Sacl; 168 } 169 } 170 171 #ifndef RTL_H 172 173 // 174 // SID Authorities 175 // 176 extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority; 177 extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority; 178 extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority; 179 extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority; 180 extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority; 181 182 // 183 // SIDs 184 // 185 extern PSID SeNullSid; 186 extern PSID SeWorldSid; 187 extern PSID SeLocalSid; 188 extern PSID SeCreatorOwnerSid; 189 extern PSID SeCreatorGroupSid; 190 extern PSID SeCreatorOwnerServerSid; 191 extern PSID SeCreatorGroupServerSid; 192 extern PSID SeNtAuthoritySid; 193 extern PSID SeDialupSid; 194 extern PSID SeNetworkSid; 195 extern PSID SeBatchSid; 196 extern PSID SeInteractiveSid; 197 extern PSID SeServiceSid; 198 extern PSID SeAnonymousLogonSid; 199 extern PSID SePrincipalSelfSid; 200 extern PSID SeLocalSystemSid; 201 extern PSID SeAuthenticatedUserSid; 202 extern PSID SeRestrictedCodeSid; 203 extern PSID SeAliasAdminsSid; 204 extern PSID SeAliasUsersSid; 205 extern PSID SeAliasGuestsSid; 206 extern PSID SeAliasPowerUsersSid; 207 extern PSID SeAliasAccountOpsSid; 208 extern PSID SeAliasSystemOpsSid; 209 extern PSID SeAliasPrintOpsSid; 210 extern PSID SeAliasBackupOpsSid; 211 extern PSID SeAuthenticatedUsersSid; 212 extern PSID SeRestrictedSid; 213 extern PSID SeAnonymousLogonSid; 214 extern PSID SeLocalServiceSid; 215 extern PSID SeNetworkServiceSid; 216 217 // 218 // Privileges 219 // 220 extern const LUID SeCreateTokenPrivilege; 221 extern const LUID SeAssignPrimaryTokenPrivilege; 222 extern const LUID SeLockMemoryPrivilege; 223 extern const LUID SeIncreaseQuotaPrivilege; 224 extern const LUID SeUnsolicitedInputPrivilege; 225 extern const LUID SeTcbPrivilege; 226 extern const LUID SeSecurityPrivilege; 227 extern const LUID SeTakeOwnershipPrivilege; 228 extern const LUID SeLoadDriverPrivilege; 229 extern const LUID SeSystemProfilePrivilege; 230 extern const LUID SeSystemtimePrivilege; 231 extern const LUID SeProfileSingleProcessPrivilege; 232 extern const LUID SeIncreaseBasePriorityPrivilege; 233 extern const LUID SeCreatePagefilePrivilege; 234 extern const LUID SeCreatePermanentPrivilege; 235 extern const LUID SeBackupPrivilege; 236 extern const LUID SeRestorePrivilege; 237 extern const LUID SeShutdownPrivilege; 238 extern const LUID SeDebugPrivilege; 239 extern const LUID SeAuditPrivilege; 240 extern const LUID SeSystemEnvironmentPrivilege; 241 extern const LUID SeChangeNotifyPrivilege; 242 extern const LUID SeRemoteShutdownPrivilege; 243 extern const LUID SeUndockPrivilege; 244 extern const LUID SeSyncAgentPrivilege; 245 extern const LUID SeEnableDelegationPrivilege; 246 extern const LUID SeManageVolumePrivilege; 247 extern const LUID SeImpersonatePrivilege; 248 extern const LUID SeCreateGlobalPrivilege; 249 extern const LUID SeTrustedCredmanPrivilege; 250 extern const LUID SeRelabelPrivilege; 251 extern const LUID SeIncreaseWorkingSetPrivilege; 252 extern const LUID SeTimeZonePrivilege; 253 extern const LUID SeCreateSymbolicLinkPrivilege; 254 255 // 256 // DACLs 257 // 258 extern PACL SePublicDefaultUnrestrictedDacl; 259 extern PACL SePublicOpenDacl; 260 extern PACL SePublicOpenUnrestrictedDacl; 261 extern PACL SeUnrestrictedDacl; 262 extern PACL SeSystemAnonymousLogonDacl; 263 264 // 265 // SDs 266 // 267 extern PSECURITY_DESCRIPTOR SePublicDefaultSd; 268 extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd; 269 extern PSECURITY_DESCRIPTOR SePublicOpenSd; 270 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd; 271 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd; 272 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd; 273 extern PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd; 274 275 // 276 // Anonymous Logon Tokens 277 // 278 extern PTOKEN SeAnonymousLogonToken; 279 extern PTOKEN SeAnonymousLogonTokenNoEveryone; 280 281 282 // 283 // Token lock management macros 284 // 285 #define SepAcquireTokenLockExclusive(Token) \ 286 { \ 287 KeEnterCriticalRegion(); \ 288 ExAcquireResourceExclusiveLite(((PTOKEN)Token)->TokenLock, TRUE); \ 289 } 290 #define SepAcquireTokenLockShared(Token) \ 291 { \ 292 KeEnterCriticalRegion(); \ 293 ExAcquireResourceSharedLite(((PTOKEN)Token)->TokenLock, TRUE); \ 294 } 295 296 #define SepReleaseTokenLock(Token) \ 297 { \ 298 ExReleaseResourceLite(((PTOKEN)Token)->TokenLock); \ 299 KeLeaveCriticalRegion(); \ 300 } 301 302 #if DBG 303 // 304 // Security Debug Utility Functions 305 // 306 VOID 307 SepDumpSdDebugInfo( 308 _In_opt_ PISECURITY_DESCRIPTOR SecurityDescriptor); 309 310 VOID 311 SepDumpTokenDebugInfo( 312 _In_opt_ PTOKEN Token); 313 314 VOID 315 SepDumpAccessRightsStats( 316 _In_ PACCESS_CHECK_RIGHTS AccessRights); 317 318 VOID 319 SepDumpAccessAndStatusList( 320 _In_ PACCESS_MASK GrantedAccessList, 321 _In_ PNTSTATUS AccessStatusList, 322 _In_ BOOLEAN IsResultList, 323 _In_ POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, 324 _In_ ULONG ObjectTypeListLength); 325 #endif // DBG 326 327 // 328 // Token Functions 329 // 330 CODE_SEG("INIT") 331 VOID 332 NTAPI 333 SepInitializeTokenImplementation(VOID); 334 335 CODE_SEG("INIT") 336 PTOKEN 337 NTAPI 338 SepCreateSystemProcessToken(VOID); 339 340 CODE_SEG("INIT") 341 PTOKEN 342 SepCreateSystemAnonymousLogonToken(VOID); 343 344 CODE_SEG("INIT") 345 PTOKEN 346 SepCreateSystemAnonymousLogonTokenNoEveryone(VOID); 347 348 NTSTATUS 349 NTAPI 350 SepDuplicateToken( 351 _In_ PTOKEN Token, 352 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 353 _In_ BOOLEAN EffectiveOnly, 354 _In_ TOKEN_TYPE TokenType, 355 _In_ SECURITY_IMPERSONATION_LEVEL Level, 356 _In_ KPROCESSOR_MODE PreviousMode, 357 _Out_ PTOKEN* NewAccessToken); 358 359 NTSTATUS 360 NTAPI 361 SepCreateToken( 362 _Out_ PHANDLE TokenHandle, 363 _In_ KPROCESSOR_MODE PreviousMode, 364 _In_ ACCESS_MASK DesiredAccess, 365 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 366 _In_ TOKEN_TYPE TokenType, 367 _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, 368 _In_ PLUID AuthenticationId, 369 _In_ PLARGE_INTEGER ExpirationTime, 370 _In_ PSID_AND_ATTRIBUTES User, 371 _In_ ULONG GroupCount, 372 _In_ PSID_AND_ATTRIBUTES Groups, 373 _In_ ULONG GroupsLength, 374 _In_ ULONG PrivilegeCount, 375 _In_ PLUID_AND_ATTRIBUTES Privileges, 376 _In_opt_ PSID Owner, 377 _In_ PSID PrimaryGroup, 378 _In_opt_ PACL DefaultDacl, 379 _In_ PTOKEN_SOURCE TokenSource, 380 _In_ BOOLEAN SystemToken); 381 382 BOOLEAN 383 NTAPI 384 SepTokenIsOwner( 385 _In_ PACCESS_TOKEN _Token, 386 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 387 _In_ BOOLEAN TokenLocked); 388 389 NTSTATUS 390 SepCreateTokenLock( 391 _Inout_ PTOKEN Token); 392 393 VOID 394 SepDeleteTokenLock( 395 _Inout_ PTOKEN Token); 396 397 VOID 398 SepUpdatePrivilegeFlagsToken( 399 _Inout_ PTOKEN Token); 400 401 NTSTATUS 402 SepFindPrimaryGroupAndDefaultOwner( 403 _In_ PTOKEN Token, 404 _In_ PSID PrimaryGroup, 405 _In_opt_ PSID DefaultOwner, 406 _Out_opt_ PULONG PrimaryGroupIndex, 407 _Out_opt_ PULONG DefaultOwnerIndex); 408 409 VOID 410 SepUpdateSinglePrivilegeFlagToken( 411 _Inout_ PTOKEN Token, 412 _In_ ULONG Index); 413 414 VOID 415 SepUpdatePrivilegeFlagsToken( 416 _Inout_ PTOKEN Token); 417 418 VOID 419 SepRemovePrivilegeToken( 420 _Inout_ PTOKEN Token, 421 _In_ ULONG Index); 422 423 VOID 424 SepRemoveUserGroupToken( 425 _Inout_ PTOKEN Token, 426 _In_ ULONG Index); 427 428 ULONG 429 SepComputeAvailableDynamicSpace( 430 _In_ ULONG DynamicCharged, 431 _In_ PSID PrimaryGroup, 432 _In_opt_ PACL DefaultDacl); 433 434 NTSTATUS 435 SepRebuildDynamicPartOfToken( 436 _In_ PTOKEN Token, 437 _In_ ULONG NewDynamicPartSize); 438 439 BOOLEAN 440 NTAPI 441 SeTokenCanImpersonate( 442 _In_ PTOKEN ProcessToken, 443 _In_ PTOKEN TokenToImpersonate, 444 _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel); 445 446 VOID 447 NTAPI 448 SeGetTokenControlInformation( 449 _In_ PACCESS_TOKEN _Token, 450 _Out_ PTOKEN_CONTROL TokenControl); 451 452 VOID 453 NTAPI 454 SeDeassignPrimaryToken( 455 _Inout_ PEPROCESS Process); 456 457 NTSTATUS 458 NTAPI 459 SeSubProcessToken( 460 _In_ PTOKEN Parent, 461 _Out_ PTOKEN *Token, 462 _In_ BOOLEAN InUse, 463 _In_ ULONG SessionId); 464 465 NTSTATUS 466 NTAPI 467 SeIsTokenChild( 468 _In_ PTOKEN Token, 469 _Out_ PBOOLEAN IsChild); 470 471 NTSTATUS 472 NTAPI 473 SeIsTokenSibling( 474 _In_ PTOKEN Token, 475 _Out_ PBOOLEAN IsSibling); 476 477 NTSTATUS 478 NTAPI 479 SeExchangePrimaryToken( 480 _In_ PEPROCESS Process, 481 _In_ PACCESS_TOKEN NewAccessToken, 482 _Out_ PACCESS_TOKEN* OldAccessToken); 483 484 NTSTATUS 485 NTAPI 486 SeCopyClientToken( 487 _In_ PACCESS_TOKEN Token, 488 _In_ SECURITY_IMPERSONATION_LEVEL Level, 489 _In_ KPROCESSOR_MODE PreviousMode, 490 _Out_ PACCESS_TOKEN* NewToken); 491 492 BOOLEAN 493 NTAPI 494 SeTokenIsInert( 495 _In_ PTOKEN Token); 496 497 ULONG 498 RtlLengthSidAndAttributes( 499 _In_ ULONG Count, 500 _In_ PSID_AND_ATTRIBUTES Src); 501 502 // 503 // Security Manager (SeMgr) functions 504 // 505 CODE_SEG("INIT") 506 BOOLEAN 507 NTAPI 508 SeInitSystem(VOID); 509 510 NTSTATUS 511 NTAPI 512 SeDefaultObjectMethod( 513 _In_ PVOID Object, 514 _In_ SECURITY_OPERATION_CODE OperationType, 515 _In_ PSECURITY_INFORMATION SecurityInformation, 516 _Inout_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, 517 _Inout_opt_ PULONG ReturnLength, 518 _Inout_opt_ PSECURITY_DESCRIPTOR *OldSecurityDescriptor, 519 _In_ POOL_TYPE PoolType, 520 _In_ PGENERIC_MAPPING GenericMapping); 521 522 VOID 523 NTAPI 524 SeQuerySecurityAccessMask( 525 _In_ SECURITY_INFORMATION SecurityInformation, 526 _Out_ PACCESS_MASK DesiredAccess); 527 528 VOID 529 NTAPI 530 SeSetSecurityAccessMask( 531 _In_ SECURITY_INFORMATION SecurityInformation, 532 _Out_ PACCESS_MASK DesiredAccess); 533 534 // 535 // Privilege functions 536 // 537 CODE_SEG("INIT") 538 VOID 539 NTAPI 540 SepInitPrivileges(VOID); 541 542 BOOLEAN 543 NTAPI 544 SepPrivilegeCheck( 545 _In_ PTOKEN Token, 546 _In_ PLUID_AND_ATTRIBUTES Privileges, 547 _In_ ULONG PrivilegeCount, 548 _In_ ULONG PrivilegeControl, 549 _In_ KPROCESSOR_MODE PreviousMode); 550 551 NTSTATUS 552 NTAPI 553 SePrivilegePolicyCheck( 554 _Inout_ PACCESS_MASK DesiredAccess, 555 _Inout_ PACCESS_MASK GrantedAccess, 556 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, 557 _In_ PTOKEN Token, 558 _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet, 559 _In_ KPROCESSOR_MODE PreviousMode); 560 561 BOOLEAN 562 NTAPI 563 SeCheckAuditPrivilege( 564 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, 565 _In_ KPROCESSOR_MODE PreviousMode); 566 567 BOOLEAN 568 NTAPI 569 SeCheckPrivilegedObject( 570 _In_ LUID PrivilegeValue, 571 _In_ HANDLE ObjectHandle, 572 _In_ ACCESS_MASK DesiredAccess, 573 _In_ KPROCESSOR_MODE PreviousMode); 574 575 NTSTATUS 576 NTAPI 577 SeCaptureLuidAndAttributesArray( 578 _In_ PLUID_AND_ATTRIBUTES Src, 579 _In_ ULONG PrivilegeCount, 580 _In_ KPROCESSOR_MODE PreviousMode, 581 _In_ PLUID_AND_ATTRIBUTES AllocatedMem, 582 _In_ ULONG AllocatedLength, 583 _In_ POOL_TYPE PoolType, 584 _In_ BOOLEAN CaptureIfKernel, 585 _Out_ PLUID_AND_ATTRIBUTES* Dest, 586 _Inout_ PULONG Length); 587 588 VOID 589 NTAPI 590 SeReleaseLuidAndAttributesArray( 591 _In_ PLUID_AND_ATTRIBUTES Privilege, 592 _In_ KPROCESSOR_MODE PreviousMode, 593 _In_ BOOLEAN CaptureIfKernel); 594 595 // 596 // SID functions 597 // 598 CODE_SEG("INIT") 599 BOOLEAN 600 NTAPI 601 SepInitSecurityIDs(VOID); 602 603 NTSTATUS 604 NTAPI 605 SepCaptureSid( 606 _In_ PSID InputSid, 607 _In_ KPROCESSOR_MODE AccessMode, 608 _In_ POOL_TYPE PoolType, 609 _In_ BOOLEAN CaptureIfKernel, 610 _Out_ PSID *CapturedSid); 611 612 VOID 613 NTAPI 614 SepReleaseSid( 615 _In_ PSID CapturedSid, 616 _In_ KPROCESSOR_MODE AccessMode, 617 _In_ BOOLEAN CaptureIfKernel); 618 619 BOOLEAN 620 NTAPI 621 SepSidInToken( 622 _In_ PACCESS_TOKEN _Token, 623 _In_ PSID Sid); 624 625 BOOLEAN 626 NTAPI 627 SepSidInTokenEx( 628 _In_ PACCESS_TOKEN _Token, 629 _In_ PSID PrincipalSelfSid, 630 _In_ PSID _Sid, 631 _In_ BOOLEAN Deny, 632 _In_ BOOLEAN Restricted); 633 634 PSID 635 NTAPI 636 SepGetSidFromAce( 637 _In_ PACE Ace); 638 639 NTSTATUS 640 NTAPI 641 SeCaptureSidAndAttributesArray( 642 _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes, 643 _In_ ULONG AttributeCount, 644 _In_ KPROCESSOR_MODE PreviousMode, 645 _In_opt_ PVOID AllocatedMem, 646 _In_ ULONG AllocatedLength, 647 _In_ POOL_TYPE PoolType, 648 _In_ BOOLEAN CaptureIfKernel, 649 _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes, 650 _Out_ PULONG ResultLength); 651 652 VOID 653 NTAPI 654 SeReleaseSidAndAttributesArray( 655 _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes, 656 _In_ KPROCESSOR_MODE AccessMode, 657 _In_ BOOLEAN CaptureIfKernel); 658 659 // 660 // ACL functions 661 // 662 CODE_SEG("INIT") 663 BOOLEAN 664 NTAPI 665 SepInitDACLs(VOID); 666 667 NTSTATUS 668 NTAPI 669 SepCreateImpersonationTokenDacl( 670 _In_ PTOKEN Token, 671 _In_ PTOKEN PrimaryToken, 672 _Out_ PACL* Dacl); 673 674 NTSTATUS 675 NTAPI 676 SepCaptureAcl( 677 _In_ PACL InputAcl, 678 _In_ KPROCESSOR_MODE AccessMode, 679 _In_ POOL_TYPE PoolType, 680 _In_ BOOLEAN CaptureIfKernel, 681 _Out_ PACL *CapturedAcl); 682 683 VOID 684 NTAPI 685 SepReleaseAcl( 686 _In_ PACL CapturedAcl, 687 _In_ KPROCESSOR_MODE AccessMode, 688 _In_ BOOLEAN CaptureIfKernel); 689 690 NTSTATUS 691 SepPropagateAcl( 692 _Out_writes_bytes_opt_(DaclLength) PACL AclDest, 693 _Inout_ PULONG AclLength, 694 _In_reads_bytes_(AclSource->AclSize) PACL AclSource, 695 _In_ PSID Owner, 696 _In_ PSID Group, 697 _In_ BOOLEAN IsInherited, 698 _In_ BOOLEAN IsDirectoryObject, 699 _In_ PGENERIC_MAPPING GenericMapping); 700 701 PACL 702 SepSelectAcl( 703 _In_opt_ PACL ExplicitAcl, 704 _In_ BOOLEAN ExplicitPresent, 705 _In_ BOOLEAN ExplicitDefaulted, 706 _In_opt_ PACL ParentAcl, 707 _In_opt_ PACL DefaultAcl, 708 _Out_ PULONG AclLength, 709 _In_ PSID Owner, 710 _In_ PSID Group, 711 _Out_ PBOOLEAN AclPresent, 712 _Out_ PBOOLEAN IsInherited, 713 _In_ BOOLEAN IsDirectoryObject, 714 _In_ PGENERIC_MAPPING GenericMapping); 715 716 // 717 // SD functions 718 // 719 CODE_SEG("INIT") 720 BOOLEAN 721 NTAPI 722 SepInitSDs(VOID); 723 724 NTSTATUS 725 NTAPI 726 SeSetWorldSecurityDescriptor( 727 _In_ SECURITY_INFORMATION SecurityInformation, 728 _In_ PISECURITY_DESCRIPTOR SecurityDescriptor, 729 _In_ PULONG BufferLength); 730 731 NTSTATUS 732 NTAPI 733 SeComputeQuotaInformationSize( 734 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 735 _Out_ PULONG QuotaInfoSize); 736 737 // 738 // Security Reference Monitor (SeRm) functions 739 // 740 BOOLEAN 741 NTAPI 742 SeRmInitPhase0(VOID); 743 744 BOOLEAN 745 NTAPI 746 SeRmInitPhase1(VOID); 747 748 NTSTATUS 749 NTAPI 750 SepRmInsertLogonSessionIntoToken( 751 _Inout_ PTOKEN Token); 752 753 NTSTATUS 754 NTAPI 755 SepRmRemoveLogonSessionFromToken( 756 _Inout_ PTOKEN Token); 757 758 NTSTATUS 759 SepRmReferenceLogonSession( 760 _Inout_ PLUID LogonLuid); 761 762 NTSTATUS 763 SepRmDereferenceLogonSession( 764 _Inout_ PLUID LogonLuid); 765 766 NTSTATUS 767 NTAPI 768 SepRegQueryHelper( 769 _In_ PCWSTR KeyName, 770 _In_ PCWSTR ValueName, 771 _In_ ULONG ValueType, 772 _In_ ULONG DataLength, 773 _Out_ PVOID ValueData); 774 775 NTSTATUS 776 NTAPI 777 SeGetLogonIdDeviceMap( 778 _In_ PLUID LogonId, 779 _Out_ PDEVICE_MAP *DeviceMap); 780 781 // 782 // Audit functions 783 // 784 NTSTATUS 785 NTAPI 786 SeInitializeProcessAuditName( 787 _In_ PFILE_OBJECT FileObject, 788 _In_ BOOLEAN DoAudit, 789 _Out_ POBJECT_NAME_INFORMATION *AuditInfo); 790 791 BOOLEAN 792 NTAPI 793 SeDetailedAuditingWithToken( 794 _In_ PTOKEN Token); 795 796 VOID 797 NTAPI 798 SeAuditProcessExit( 799 _In_ PEPROCESS Process); 800 801 VOID 802 NTAPI 803 SeAuditProcessCreate( 804 _In_ PEPROCESS Process); 805 806 VOID 807 NTAPI 808 SePrivilegedServiceAuditAlarm( 809 _In_opt_ PUNICODE_STRING ServiceName, 810 _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext, 811 _In_ PPRIVILEGE_SET PrivilegeSet, 812 _In_ BOOLEAN AccessGranted); 813 814 // 815 // Subject functions 816 // 817 VOID 818 NTAPI 819 SeCaptureSubjectContextEx( 820 _In_ PETHREAD Thread, 821 _In_ PEPROCESS Process, 822 _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext); 823 824 // 825 // Security Quality of Service (SQoS) functions 826 // 827 NTSTATUS 828 NTAPI 829 SepCaptureSecurityQualityOfService( 830 _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 831 _In_ KPROCESSOR_MODE AccessMode, 832 _In_ POOL_TYPE PoolType, 833 _In_ BOOLEAN CaptureIfKernel, 834 _Out_ PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService, 835 _Out_ PBOOLEAN Present); 836 837 VOID 838 NTAPI 839 SepReleaseSecurityQualityOfService( 840 _In_opt_ PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService, 841 _In_ KPROCESSOR_MODE AccessMode, 842 _In_ BOOLEAN CaptureIfKernel); 843 844 // 845 // Object type list functions 846 // 847 PGUID 848 SepGetObjectTypeGuidFromAce( 849 _In_ PACE Ace, 850 _In_ BOOLEAN IsAceDenied); 851 852 BOOLEAN 853 SepObjectTypeGuidInList( 854 _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST_INTERNAL ObjectTypeList, 855 _In_ ULONG ObjectTypeListLength, 856 _In_ PGUID ObjectTypeGuid, 857 _Out_ PULONG ObjectIndex); 858 859 NTSTATUS 860 SeCaptureObjectTypeList( 861 _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, 862 _In_ ULONG ObjectTypeListLength, 863 _In_ KPROCESSOR_MODE PreviousMode, 864 _Out_ POBJECT_TYPE_LIST_INTERNAL *CapturedObjectTypeList); 865 866 VOID 867 SeReleaseObjectTypeList( 868 _In_ _Post_invalid_ POBJECT_TYPE_LIST_INTERNAL CapturedObjectTypeList, 869 _In_ KPROCESSOR_MODE PreviousMode); 870 871 // 872 // Access state functions 873 // 874 NTSTATUS 875 NTAPI 876 SeCreateAccessStateEx( 877 _In_ PETHREAD Thread, 878 _In_ PEPROCESS Process, 879 _In_ OUT PACCESS_STATE AccessState, 880 _In_ PAUX_ACCESS_DATA AuxData, 881 _In_ ACCESS_MASK Access, 882 _In_ PGENERIC_MAPPING GenericMapping); 883 884 // 885 // Access check functions 886 // 887 BOOLEAN 888 NTAPI 889 SeFastTraverseCheck( 890 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, 891 _In_ PACCESS_STATE AccessState, 892 _In_ ACCESS_MASK DesiredAccess, 893 _In_ KPROCESSOR_MODE AccessMode); 894 895 #endif 896 897 /* EOF */ 898