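#pragma once

/*
 * Generic ("known") ACE layouts used to read any ACE type without knowing
 * whether it is an allow/deny/audit variant: each carries the common
 * ACE_HEADER, an access mask, and SidStart, the first ULONG of the SID
 * that follows inside the ACE. The SID continues past the end of the
 * struct, so sizeof(KNOWN_ACE) is not the ACE size; use Header.AceSize.
 */
typedef struct _KNOWN_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG SidStart;
} KNOWN_ACE, *PKNOWN_ACE;

/* Object ACE: an extra Flags word sits between the mask and the SID. */
typedef struct _KNOWN_OBJECT_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG Flags;
    ULONG SidStart;
} KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;

/* Compound ACE: carries a compound type and a reserved word before the SID. */
typedef struct _KNOWN_COMPOUND_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    USHORT CompoundAceType;
    USHORT Reserved;
    ULONG SidStart;
} KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;

/*
 * Security descriptor field accessors.
 *
 * Each helper accepts either form of a security descriptor. When
 * SE_SELF_RELATIVE is set in Control, the descriptor is in relative form and
 * the Owner/Group/Dacl/Sacl fields are byte offsets from the start of the
 * descriptor, with 0 meaning "not present"; otherwise they are plain
 * pointers. The offset is added without any bounds check, so these must only
 * be applied to descriptors that have already been captured and validated
 * (presumably via the Sep*Capture* routines below) -- never to a raw
 * user-mode buffer.
 */

/* Returns the group SID of the descriptor, or NULL if the relative offset is 0. */
FORCEINLINE
PSID
SepGetGroupFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        if (!SdRel->Group) return NULL;
        return (PSID)((ULONG_PTR)Descriptor + SdRel->Group);
    }
    else
    {
        return Descriptor->Group;
    }
}

/* Returns the owner SID of the descriptor, or NULL if the relative offset is 0. */
FORCEINLINE
PSID
SepGetOwnerFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        if (!SdRel->Owner) return NULL;
        return (PSID)((ULONG_PTR)Descriptor + SdRel->Owner);
    }
    else
    {
        return Descriptor->Owner;
    }
}

/*
 * Returns the DACL of the descriptor. NULL is returned both when
 * SE_DACL_PRESENT is clear and when the relative offset is 0; callers that
 * need to distinguish "no DACL" (everyone gets access) from "empty/NULL DACL"
 * must inspect Control themselves.
 */
FORCEINLINE
PACL
SepGetDaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    if (!(Descriptor->Control & SE_DACL_PRESENT)) return NULL;

    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        if (!SdRel->Dacl) return NULL;
        return (PACL)((ULONG_PTR)Descriptor + SdRel->Dacl);
    }
    else
    {
        return Descriptor->Dacl;
    }
}

/* Returns the SACL of the descriptor, or NULL when SE_SACL_PRESENT is clear or the offset is 0. */
FORCEINLINE
PACL
SepGetSaclFromDescriptor(PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR Descriptor = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE SdRel;

    if (!(Descriptor->Control & SE_SACL_PRESENT)) return NULL;

    if (Descriptor->Control & SE_SELF_RELATIVE)
    {
        SdRel = (PISECURITY_DESCRIPTOR_RELATIVE)Descriptor;
        if (!SdRel->Sacl) return NULL;
        return (PACL)((ULONG_PTR)Descriptor + SdRel->Sacl);
    }
    else
    {
        return Descriptor->Sacl;
    }
}

/*
 * Everything below is skipped when RTL_H is defined -- presumably because the
 * RTL header declares the same well-known names and the two must not clash.
 */
#ifndef RTL_H

/* SID Authorities */
extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;

/* SIDs (well-known SIDs built once at init by SepInitSecurityIDs) */
extern PSID SeNullSid;
extern PSID SeWorldSid;
extern PSID SeLocalSid;
extern PSID SeCreatorOwnerSid;
extern PSID SeCreatorGroupSid;
extern PSID SeCreatorOwnerServerSid;
extern PSID SeCreatorGroupServerSid;
extern PSID SeNtAuthoritySid;
extern PSID SeDialupSid;
extern PSID SeNetworkSid;
extern PSID SeBatchSid;
extern PSID SeInteractiveSid;
extern PSID SeServiceSid;
extern PSID SeAnonymousLogonSid;
extern PSID SePrincipalSelfSid;
extern PSID SeLocalSystemSid;
extern PSID SeAuthenticatedUserSid;
extern PSID SeRestrictedCodeSid;
extern PSID SeAliasAdminsSid;
extern PSID SeAliasUsersSid;
extern PSID SeAliasGuestsSid;
extern PSID SeAliasPowerUsersSid;
extern PSID SeAliasAccountOpsSid;
extern PSID SeAliasSystemOpsSid;
extern PSID SeAliasPrintOpsSid;
extern PSID SeAliasBackupOpsSid;
extern PSID SeAuthenticatedUsersSid;
extern PSID SeRestrictedSid;
/* (a second, duplicate declaration of SeAnonymousLogonSid was removed here) */
extern PSID SeLocalServiceSid;
extern PSID SeNetworkServiceSid;

/* Privileges (LUIDs of the well-known privileges) */
extern const LUID SeCreateTokenPrivilege;
extern const LUID SeAssignPrimaryTokenPrivilege;
extern const LUID SeLockMemoryPrivilege;
extern const LUID SeIncreaseQuotaPrivilege;
extern const LUID SeUnsolicitedInputPrivilege;
extern const LUID SeTcbPrivilege;
extern const LUID SeSecurityPrivilege;
extern const LUID SeTakeOwnershipPrivilege;
extern const LUID SeLoadDriverPrivilege;
extern const LUID SeSystemProfilePrivilege;
extern const LUID SeSystemtimePrivilege;
extern const LUID SeProfileSingleProcessPrivilege;
extern const LUID SeIncreaseBasePriorityPrivilege;
extern const LUID SeCreatePagefilePrivilege;
extern const LUID SeCreatePermanentPrivilege;
extern const LUID SeBackupPrivilege;
extern const LUID SeRestorePrivilege;
extern const LUID SeShutdownPrivilege;
extern const LUID SeDebugPrivilege;
extern const LUID SeAuditPrivilege;
extern const LUID SeSystemEnvironmentPrivilege;
extern const LUID SeChangeNotifyPrivilege;
extern const LUID SeRemoteShutdownPrivilege;
extern const LUID SeUndockPrivilege;
extern const LUID SeSyncAgentPrivilege;
extern const LUID SeEnableDelegationPrivilege;
extern const LUID SeManageVolumePrivilege;
extern const LUID SeImpersonatePrivilege;
extern const LUID SeCreateGlobalPrivilege;
extern const LUID SeTrustedCredmanPrivilege;
extern const LUID SeRelabelPrivilege;
extern const LUID SeIncreaseWorkingSetPrivilege;
extern const LUID SeTimeZonePrivilege;
extern const LUID SeCreateSymbolicLinkPrivilege;

/* DACLs (default ACLs built by SepInitDACLs) */
extern PACL SePublicDefaultUnrestrictedDacl;
extern PACL SePublicOpenDacl;
extern PACL SePublicOpenUnrestrictedDacl;
extern PACL SeUnrestrictedDacl;

/* SDs (default security descriptors built by SepInitSDs) */
extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SePublicOpenSd;
extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;

/*
 * Token lock helpers.
 *
 * Acquire enters a critical region (disables normal kernel APCs) and then
 * takes the token's ERESOURCE with Wait = TRUE; release does the two steps in
 * reverse order, so the critical region always brackets the resource hold.
 * The Token argument is parenthesized before the cast so that an expression
 * argument is cast as a whole. These expand to a brace block rather than
 * do { ... } while (0), so they cannot be the sole statement of an
 * if/else; that wrapper would be the safer form, but it is left as-is so
 * existing call sites keep compiling unchanged.
 */
#define SepAcquireTokenLockExclusive(Token) \
{ \
    KeEnterCriticalRegion(); \
    ExAcquireResourceExclusiveLite(((PTOKEN)(Token))->TokenLock, TRUE); \
}
#define SepAcquireTokenLockShared(Token) \
{ \
    KeEnterCriticalRegion(); \
    ExAcquireResourceSharedLite(((PTOKEN)(Token))->TokenLock, TRUE); \
}

#define SepReleaseTokenLock(Token) \
{ \
    ExReleaseResourceLite(((PTOKEN)(Token))->TokenLock); \
    KeLeaveCriticalRegion(); \
}

//
// Token Functions
//
/*
 * TokenLocked tells the routine whether the caller already holds the token
 * lock (see SepAcquireTokenLock*), so it does not re-acquire it.
 */
BOOLEAN
NTAPI
SepTokenIsOwner(
    IN PACCESS_TOKEN _Token,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN BOOLEAN TokenLocked
);

BOOLEAN
NTAPI
SepSidInToken(
    IN PACCESS_TOKEN _Token,
    IN PSID Sid
);

/*
 * Extended form of SepSidInToken: PrincipalSelfSid is substituted for the
 * principal-self SID, Deny selects deny-ACE matching semantics and Restricted
 * selects the restricted-SID list (exact semantics are in the definition).
 */
BOOLEAN
NTAPI
SepSidInTokenEx(
    IN PACCESS_TOKEN _Token,
    IN PSID PrincipalSelfSid,
    IN PSID _Sid,
    IN BOOLEAN Deny,
    IN BOOLEAN Restricted
);

/* Functions */

/* Security subsystem initialization, phase by phase. */
BOOLEAN
NTAPI
SeInitSystem(VOID);

VOID
NTAPI
ExpInitLuid(VOID);

VOID
NTAPI
SepInitPrivileges(VOID);

BOOLEAN
NTAPI
SepInitSecurityIDs(VOID);

BOOLEAN
NTAPI
SepInitDACLs(VOID);

BOOLEAN
NTAPI
SepInitSDs(VOID);

BOOLEAN
NTAPI
SeRmInitPhase0(VOID);

BOOLEAN
NTAPI
SeRmInitPhase1(VOID);

/* Process / token lifecycle. */
VOID
NTAPI
SeDeassignPrimaryToken(struct _EPROCESS *Process);

NTSTATUS
NTAPI
SeSubProcessToken(
    IN PTOKEN Parent,
    OUT PTOKEN *Token,
    IN BOOLEAN InUse,
    IN ULONG SessionId
);

NTSTATUS
NTAPI
SeInitializeProcessAuditName(
    IN PFILE_OBJECT FileObject,
    IN BOOLEAN DoAudit,
    OUT POBJECT_NAME_INFORMATION *AuditInfo
);

NTSTATUS
NTAPI
SeCreateAccessStateEx(
    IN PETHREAD Thread,
    IN PEPROCESS Process,
    IN OUT PACCESS_STATE AccessState,
    IN PAUX_ACCESS_DATA AuxData,
    IN ACCESS_MASK Access,
    IN PGENERIC_MAPPING GenericMapping
);

NTSTATUS
NTAPI
SeIsTokenChild(
    IN PTOKEN Token,
    OUT PBOOLEAN IsChild
);

NTSTATUS
NTAPI
SeIsTokenSibling(
    IN PTOKEN Token,
    OUT PBOOLEAN IsSibling
);

NTSTATUS
NTAPI
SepCreateImpersonationTokenDacl(
    _In_ PTOKEN Token,
    _In_ PTOKEN PrimaryToken,
    _Out_ PACL* Dacl
);

VOID
NTAPI
SepInitializeTokenImplementation(VOID);

PTOKEN
NTAPI
SepCreateSystemProcessToken(VOID);

/* Auditing. */
BOOLEAN
NTAPI
SeDetailedAuditingWithToken(IN PTOKEN Token);

VOID
NTAPI
SeAuditProcessExit(IN PEPROCESS Process);

VOID
NTAPI
SeAuditProcessCreate(IN PEPROCESS Process);

NTSTATUS
NTAPI
SeExchangePrimaryToken(
    _In_ PEPROCESS Process,
    _In_ PACCESS_TOKEN NewAccessToken,
    _Out_ PACCESS_TOKEN* OldAccessToken
);

VOID
NTAPI
SeCaptureSubjectContextEx(
    IN PETHREAD Thread,
    IN PEPROCESS Process,
    OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
);

/*
 * Capture / release pairs.
 *
 * The *Capture* routines take a caller-supplied structure (a user-mode buffer
 * when PreviousMode/AccessMode is UserMode) and produce a kernel copy that
 * access checks can trust; the matching *Release* routine frees that copy.
 * CaptureIfKernel forces a copy even for kernel-mode callers. Every capture
 * must be paired with its release on all exit paths.
 */
NTSTATUS
NTAPI
SeCaptureLuidAndAttributesArray(
    PLUID_AND_ATTRIBUTES Src,
    ULONG PrivilegeCount,
    KPROCESSOR_MODE PreviousMode,
    PLUID_AND_ATTRIBUTES AllocatedMem,
    ULONG AllocatedLength,
    POOL_TYPE PoolType,
    BOOLEAN CaptureIfKernel,
    PLUID_AND_ATTRIBUTES* Dest,
    PULONG Length
);

VOID
NTAPI
SeReleaseLuidAndAttributesArray(
    PLUID_AND_ATTRIBUTES Privilege,
    KPROCESSOR_MODE PreviousMode,
    BOOLEAN CaptureIfKernel
);

/* Privilege checks. */
BOOLEAN
NTAPI
SepPrivilegeCheck(
    PTOKEN Token,
    PLUID_AND_ATTRIBUTES Privileges,
    ULONG PrivilegeCount,
    ULONG PrivilegeControl,
    KPROCESSOR_MODE PreviousMode
);

NTSTATUS
NTAPI
SePrivilegePolicyCheck(
    _Inout_ PACCESS_MASK DesiredAccess,
    _Inout_ PACCESS_MASK GrantedAccess,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PTOKEN Token,
    _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
    _In_ KPROCESSOR_MODE PreviousMode);

BOOLEAN
NTAPI
SeCheckPrivilegedObject(
    IN LUID PrivilegeValue,
    IN HANDLE ObjectHandle,
    IN ACCESS_MASK DesiredAccess,
    IN KPROCESSOR_MODE PreviousMode
);

NTSTATUS
NTAPI
SepDuplicateToken(
    _In_ PTOKEN Token,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE TokenType,
    _In_ SECURITY_IMPERSONATION_LEVEL Level,
    _In_ KPROCESSOR_MODE PreviousMode,
    _Out_ PTOKEN* NewAccessToken
);

NTSTATUS
NTAPI
SepCaptureSecurityQualityOfService(
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
    OUT PBOOLEAN Present
);

VOID
NTAPI
SepReleaseSecurityQualityOfService(
    IN PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);

NTSTATUS
NTAPI
SepCaptureSid(
    IN PSID InputSid,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PSID *CapturedSid
);

VOID
NTAPI
SepReleaseSid(
    IN PSID CapturedSid,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);

NTSTATUS
NTAPI
SeCaptureSidAndAttributesArray(
    _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
    _In_ ULONG AttributeCount,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_opt_ PVOID AllocatedMem,
    _In_ ULONG AllocatedLength,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
    _Out_ PULONG ResultLength);

VOID
NTAPI
SeReleaseSidAndAttributesArray(
    _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel);

NTSTATUS
NTAPI
SepCaptureAcl(
    IN PACL InputAcl,
    IN KPROCESSOR_MODE AccessMode,
    IN POOL_TYPE PoolType,
    IN BOOLEAN CaptureIfKernel,
    OUT PACL *CapturedAcl
);

VOID
NTAPI
SepReleaseAcl(
    IN PACL CapturedAcl,
    IN KPROCESSOR_MODE AccessMode,
    IN BOOLEAN CaptureIfKernel
);

/*
 * ACL inheritance.
 *
 * NOTE(review): the _Out_writes_bytes_opt_ annotation on AclDest names
 * DaclLength, which is not a parameter of this function; the intended byte
 * count is presumably *AclLength -- confirm against the definition and fix
 * the annotation there.
 */
NTSTATUS
SepPropagateAcl(
    _Out_writes_bytes_opt_(DaclLength) PACL AclDest,
    _Inout_ PULONG AclLength,
    _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
    _In_ PSID Owner,
    _In_ PSID Group,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);

PACL
SepSelectAcl(
    _In_opt_ PACL ExplicitAcl,
    _In_ BOOLEAN ExplicitPresent,
    _In_ BOOLEAN ExplicitDefaulted,
    _In_opt_ PACL ParentAcl,
    _In_opt_ PACL DefaultAcl,
    _Out_ PULONG AclLength,
    _In_ PSID Owner,
    _In_ PSID Group,
    _Out_ PBOOLEAN AclPresent,
    _Out_ PBOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);

/* Object security methods and descriptor helpers. */
NTSTATUS
NTAPI
SeDefaultObjectMethod(
    PVOID Object,
    SECURITY_OPERATION_CODE OperationType,
    PSECURITY_INFORMATION SecurityInformation,
    PSECURITY_DESCRIPTOR NewSecurityDescriptor,
    PULONG ReturnLength,
    PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
    POOL_TYPE PoolType,
    PGENERIC_MAPPING GenericMapping
);

NTSTATUS
NTAPI
SeSetWorldSecurityDescriptor(
    SECURITY_INFORMATION SecurityInformation,
    PISECURITY_DESCRIPTOR SecurityDescriptor,
    PULONG BufferLength
);

NTSTATUS
NTAPI
SeCopyClientToken(
    IN PACCESS_TOKEN Token,
    IN SECURITY_IMPERSONATION_LEVEL Level,
    IN KPROCESSOR_MODE PreviousMode,
    OUT PACCESS_TOKEN* NewToken
);

/* Map a SECURITY_INFORMATION selector to the access rights a query/set needs. */
VOID NTAPI
SeQuerySecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                          OUT PACCESS_MASK DesiredAccess);

VOID NTAPI
SeSetSecurityAccessMask(IN SECURITY_INFORMATION SecurityInformation,
                        OUT PACCESS_MASK DesiredAccess);

/* Access checks and audit alarms. */
BOOLEAN
NTAPI
SeFastTraverseCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor,
                    IN PACCESS_STATE AccessState,
                    IN ACCESS_MASK DesiredAccess,
                    IN KPROCESSOR_MODE AccessMode);

BOOLEAN
NTAPI
SeCheckAuditPrivilege(
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ KPROCESSOR_MODE PreviousMode);

VOID
NTAPI
SePrivilegedServiceAuditAlarm(
    _In_opt_ PUNICODE_STRING ServiceName,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PPRIVILEGE_SET PrivilegeSet,
    _In_ BOOLEAN AccessGranted);

/* Logon session reference counting (reference manager). */
NTSTATUS
SepRmReferenceLogonSession(
    PLUID LogonLuid);

NTSTATUS
SepRmDereferenceLogonSession(
    PLUID LogonLuid);

#endif /* RTL_H */

/* EOF */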