/*
 * PROJECT:     ReactOS Kernel
 * LICENSE:     GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
 * PURPOSE:     Internal header for the Security Manager
 * COPYRIGHT:   Copyright Eric Kohl
 *              Copyright 2022 George Bișoc <george.bisoc@reactos.org>
 */

#pragma once

//
// Internal ACE type structures
//
// All three layouts begin with the generic ACE header followed by the access
// mask and end with SidStart.
// NOTE(review): SidStart presumably marks where the variable-length SID
// begins, as in the public ACCESS_ALLOWED_ACE-style layouts -- confirm
// against the code that walks these ACEs.
//
typedef struct _KNOWN_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG SidStart;
} KNOWN_ACE, *PKNOWN_ACE;

typedef struct _KNOWN_OBJECT_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    ULONG Flags;
    ULONG SidStart;
} KNOWN_OBJECT_ACE, *PKNOWN_OBJECT_ACE;

typedef struct _KNOWN_COMPOUND_ACE
{
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    USHORT CompoundAceType;
    USHORT Reserved;
    ULONG SidStart;
} KNOWN_COMPOUND_ACE, *PKNOWN_COMPOUND_ACE;

//
// Access Check Rights
//
// Three access masks tracked side by side: remaining, granted and denied.
//
typedef struct _ACCESS_CHECK_RIGHTS
{
    ACCESS_MASK RemainingAccessRights;
    ACCESS_MASK GrantedAccessRights;
    ACCESS_MASK DeniedAccessRights;
} ACCESS_CHECK_RIGHTS, *PACCESS_CHECK_RIGHTS;

typedef enum _ACCESS_CHECK_RIGHT_TYPE
{
    AccessCheckMaximum,
    AccessCheckRegular
} ACCESS_CHECK_RIGHT_TYPE;

//
// Token Audit Policy Information structure
//
// NOTE(review): Policies is declared with a single element; presumably it is
// a variable-length trailing array holding PolicyCount entries -- confirm,
// and bound every access by PolicyCount rather than by sizeof(Policies).
//
typedef struct _TOKEN_AUDIT_POLICY_INFORMATION
{
    ULONG PolicyCount;
    struct
    {
        ULONG Category;
        UCHAR Value;
    } Policies[1];
} TOKEN_AUDIT_POLICY_INFORMATION, *PTOKEN_AUDIT_POLICY_INFORMATION;

//
// Token creation method defines (for debugging purposes)
//
#define TOKEN_CREATE_METHOD    0xCUL
#define TOKEN_DUPLICATE_METHOD 0xDUL
#define TOKEN_FILTER_METHOD    0xFUL

//
// Security descriptor internal helpers
//
// Each helper accepts a security descriptor in either absolute or
// self-relative form (selected by SE_SELF_RELATIVE in Control) and returns a
// pointer to one component of it.
//
// In the self-relative case the result is the descriptor's base address plus
// the offset stored in the descriptor, and a stored offset of zero yields
// NULL. The offset is NOT checked against the descriptor's length here, so
// these helpers must only be handed descriptors whose offsets have already
// been validated (for example a captured kernel copy), never a raw buffer
// that the requestor can still modify.
//
// NOTE(review): the parameter is annotated _Inout_ although the helpers only
// read through it.
//

/* Returns the primary group SID of the descriptor, or NULL if none is stored */
FORCEINLINE
PSID
SepGetGroupFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Group;
    }

    /* Self-relative form: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Group == 0)
    {
        return NULL;
    }

    return (PSID)((ULONG_PTR)RelativeSd + RelativeSd->Group);
}

/* Returns the owner SID of the descriptor, or NULL if none is stored */
FORCEINLINE
PSID
SepGetOwnerFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Owner;
    }

    /* Self-relative form: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Owner == 0)
    {
        return NULL;
    }

    return (PSID)((ULONG_PTR)RelativeSd + RelativeSd->Owner);
}

/*
 * Returns the DACL of the descriptor. NULL is returned when SE_DACL_PRESENT
 * is clear or when a self-relative descriptor stores a zero DACL offset.
 */
FORCEINLINE
PACL
SepGetDaclFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Without the present flag the DACL field is not consulted at all */
    if ((AbsoluteSd->Control & SE_DACL_PRESENT) == 0)
    {
        return NULL;
    }

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Dacl;
    }

    /* Self-relative form: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Dacl == 0)
    {
        return NULL;
    }

    return (PACL)((ULONG_PTR)RelativeSd + RelativeSd->Dacl);
}

/*
 * Returns the SACL of the descriptor. NULL is returned when SE_SACL_PRESENT
 * is clear or when a self-relative descriptor stores a zero SACL offset.
 */
FORCEINLINE
PACL
SepGetSaclFromDescriptor(
    _Inout_ PVOID _Descriptor)
{
    PISECURITY_DESCRIPTOR AbsoluteSd = (PISECURITY_DESCRIPTOR)_Descriptor;
    PISECURITY_DESCRIPTOR_RELATIVE RelativeSd;

    /* Without the present flag the SACL field is not consulted at all */
    if ((AbsoluteSd->Control & SE_SACL_PRESENT) == 0)
    {
        return NULL;
    }

    /* Absolute form: the field already holds a pointer */
    if ((AbsoluteSd->Control & SE_SELF_RELATIVE) == 0)
    {
        return AbsoluteSd->Sacl;
    }

    /* Self-relative form: the field is an offset from the descriptor base */
    RelativeSd = (PISECURITY_DESCRIPTOR_RELATIVE)_Descriptor;
    if (RelativeSd->Sacl == 0)
    {
        return NULL;
    }

    return (PACL)((ULONG_PTR)RelativeSd + RelativeSd->Sacl);
}

#ifndef RTL_H

//
// SID Authorities
//
extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority;
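extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority;
extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority;

//
// SIDs
//
// NOTE(review): both SeAuthenticatedUserSid and SeAuthenticatedUsersSid are
// declared below; confirm that both are defined and which one callers are
// meant to compare against.
//
extern PSID SeNullSid;
extern PSID SeWorldSid;
extern PSID SeLocalSid;
extern PSID SeCreatorOwnerSid;
extern PSID SeCreatorGroupSid;
extern PSID SeCreatorOwnerServerSid;
extern PSID SeCreatorGroupServerSid;
extern PSID SeNtAuthoritySid;
extern PSID SeDialupSid;
extern PSID SeNetworkSid;
extern PSID SeBatchSid;
extern PSID SeInteractiveSid;
extern PSID SeServiceSid;
extern PSID SeAnonymousLogonSid;
extern PSID SePrincipalSelfSid;
extern PSID SeLocalSystemSid;
extern PSID SeAuthenticatedUserSid;
extern PSID SeRestrictedCodeSid;
extern PSID SeAliasAdminsSid;
extern PSID SeAliasUsersSid;
extern PSID SeAliasGuestsSid;
extern PSID SeAliasPowerUsersSid;
extern PSID SeAliasAccountOpsSid;
extern PSID SeAliasSystemOpsSid;
extern PSID SeAliasPrintOpsSid;
extern PSID SeAliasBackupOpsSid;
extern PSID SeAuthenticatedUsersSid;
extern PSID SeRestrictedSid;
extern PSID SeLocalServiceSid;
extern PSID SeNetworkServiceSid;

//
// Privileges
//
extern const LUID SeCreateTokenPrivilege;
extern const LUID SeAssignPrimaryTokenPrivilege;
extern const LUID SeLockMemoryPrivilege;
extern const LUID SeIncreaseQuotaPrivilege;
extern const LUID SeUnsolicitedInputPrivilege;
extern const LUID SeTcbPrivilege;
extern const LUID SeSecurityPrivilege;
extern const LUID SeTakeOwnershipPrivilege;
extern const LUID SeLoadDriverPrivilege;
extern const LUID SeSystemProfilePrivilege;
extern const LUID SeSystemtimePrivilege;
extern const LUID SeProfileSingleProcessPrivilege;
extern const LUID SeIncreaseBasePriorityPrivilege;
extern const LUID SeCreatePagefilePrivilege;
extern const LUID SeCreatePermanentPrivilege;
extern const LUID SeBackupPrivilege;
extern const LUID SeRestorePrivilege;
extern const LUID SeShutdownPrivilege;
extern const LUID SeDebugPrivilege;
extern const LUID SeAuditPrivilege;
extern const LUID SeSystemEnvironmentPrivilege;
extern const LUID SeChangeNotifyPrivilege;
extern const LUID SeRemoteShutdownPrivilege;
extern const LUID SeUndockPrivilege;
extern const LUID SeSyncAgentPrivilege;
extern const LUID SeEnableDelegationPrivilege;
extern const LUID SeManageVolumePrivilege;
extern const LUID SeImpersonatePrivilege;
extern const LUID SeCreateGlobalPrivilege;
extern const LUID SeTrustedCredmanPrivilege;
extern const LUID SeRelabelPrivilege;
extern const LUID SeIncreaseWorkingSetPrivilege;
extern const LUID SeTimeZonePrivilege;
extern const LUID SeCreateSymbolicLinkPrivilege;

//
// DACLs
//
extern PACL SePublicDefaultUnrestrictedDacl;
extern PACL SePublicOpenDacl;
extern PACL SePublicOpenUnrestrictedDacl;
extern PACL SeUnrestrictedDacl;
extern PACL SeSystemAnonymousLogonDacl;

//
// SDs
//
extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SePublicOpenSd;
extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd;

//
// Anonymous Logon Tokens
//
extern PTOKEN SeAnonymousLogonToken;
extern PTOKEN SeAnonymousLogonTokenNoEveryone;


//
// Token lock management macros
//
// Acquire enters a critical region and then takes the token's TokenLock
// resource (exclusive or shared) with Wait set to TRUE; release drops the
// resource and then leaves the critical region, i.e. the reverse order.
// Every acquire needs exactly one matching SepReleaseTokenLock on every exit
// path of the caller.
//
// The Token argument is parenthesised before the cast so that an expression
// argument (pointer arithmetic, a conditional, ...) is cast as a whole.
//
// Each macro expands to a bare compound statement, not do { } while (0):
// used as the unbraced body of an if that has an else, the trailing ';' at
// the call site ends the if statement. Brace such call sites.
//
#define SepAcquireTokenLockExclusive(Token)                                    \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceExclusiveLite(((PTOKEN)(Token))->TokenLock, TRUE);        \
}
#define SepAcquireTokenLockShared(Token)                                       \
{                                                                              \
    KeEnterCriticalRegion();                                                   \
    ExAcquireResourceSharedLite(((PTOKEN)(Token))->TokenLock, TRUE);           \
}

#define SepReleaseTokenLock(Token)                                             \
{                                                                              \
    ExReleaseResourceLite(((PTOKEN)(Token))->TokenLock);                       \
    KeLeaveCriticalRegion();                                                   \
}

//
// Token Functions
//
// Routines tagged CODE_SEG("INIT") are placed in the INIT code segment.
//
CODE_SEG("INIT")
VOID
NTAPI
SepInitializeTokenImplementation(VOID);

CODE_SEG("INIT")
PTOKEN
NTAPI
SepCreateSystemProcessToken(VOID);

CODE_SEG("INIT")
PTOKEN
SepCreateSystemAnonymousLogonToken(VOID);

CODE_SEG("INIT")
PTOKEN
SepCreateSystemAnonymousLogonTokenNoEveryone(VOID);

NTSTATUS
NTAPI
SepDuplicateToken(
    _In_ PTOKEN Token,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ BOOLEAN EffectiveOnly,
    _In_ TOKEN_TYPE TokenType,
    _In_ SECURITY_IMPERSONATION_LEVEL Level,
    _In_ KPROCESSOR_MODE PreviousMode,
    _Out_ PTOKEN* NewAccessToken);

NTSTATUS
NTAPI
SepCreateToken(
    _Out_ PHANDLE TokenHandle,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ TOKEN_TYPE TokenType,
    _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
    _In_ PLUID AuthenticationId,
    _In_ PLARGE_INTEGER ExpirationTime,
    _In_ PSID_AND_ATTRIBUTES User,
    _In_ ULONG GroupCount,
    _In_ PSID_AND_ATTRIBUTES Groups,
    _In_ ULONG GroupsLength,
    _In_ ULONG PrivilegeCount,
    _In_ PLUID_AND_ATTRIBUTES Privileges,
    _In_opt_ PSID Owner,
    _In_ PSID PrimaryGroup,
    _In_opt_ PACL DefaultDacl,
    _In_ PTOKEN_SOURCE TokenSource,
    _In_ BOOLEAN SystemToken);

/*
 * NOTE(review): TokenLocked presumably tells the routine whether the caller
 * already holds the token lock -- confirm against the implementation before
 * passing TRUE.
 */
BOOLEAN
NTAPI
SepTokenIsOwner(
    _In_ PACCESS_TOKEN _Token,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ BOOLEAN TokenLocked);

NTSTATUS
SepCreateTokenLock(
    _Inout_ PTOKEN Token);

VOID
SepDeleteTokenLock(
    _Inout_ PTOKEN Token);
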
/*
 * Token helpers (continued).
 *
 * The index outputs of SepFindPrimaryGroupAndDefaultOwner are optional
 * (_Out_opt_), as is its DefaultOwner input (_In_opt_).
 */
NTSTATUS
SepFindPrimaryGroupAndDefaultOwner(
    _In_ PTOKEN Token,
    _In_ PSID PrimaryGroup,
    _In_opt_ PSID DefaultOwner,
    _Out_opt_ PULONG PrimaryGroupIndex,
    _Out_opt_ PULONG DefaultOwnerIndex);

/*
 * The routines below take an Index into one of the token's arrays.
 * NOTE(review): nothing in these prototypes says who bounds-checks Index;
 * presumably the caller must guarantee it is in range -- confirm.
 */
VOID
SepUpdateSinglePrivilegeFlagToken(
    _Inout_ PTOKEN Token,
    _In_ ULONG Index);

VOID
SepUpdatePrivilegeFlagsToken(
    _Inout_ PTOKEN Token);

VOID
SepRemovePrivilegeToken(
    _Inout_ PTOKEN Token,
    _In_ ULONG Index);

VOID
SepRemoveUserGroupToken(
    _Inout_ PTOKEN Token,
    _In_ ULONG Index);

ULONG
SepComputeAvailableDynamicSpace(
    _In_ ULONG DynamicCharged,
    _In_ PSID PrimaryGroup,
    _In_opt_ PACL DefaultDacl);

NTSTATUS
SepRebuildDynamicPartOfToken(
    _In_ PTOKEN Token,
    _In_ ULONG NewDynamicPartSize);

/* Impersonation decision for TokenToImpersonate relative to ProcessToken */
BOOLEAN
NTAPI
SeTokenCanImpersonate(
    _In_ PTOKEN ProcessToken,
    _In_ PTOKEN TokenToImpersonate,
    _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel);

VOID
NTAPI
SeGetTokenControlInformation(
    _In_ PACCESS_TOKEN _Token,
    _Out_ PTOKEN_CONTROL TokenControl);

VOID
NTAPI
SeDeassignPrimaryToken(
    _Inout_ PEPROCESS Process);

NTSTATUS
NTAPI
SeSubProcessToken(
    _In_ PTOKEN Parent,
    _Out_ PTOKEN *Token,
    _In_ BOOLEAN InUse,
    _In_ ULONG SessionId);

/*
 * Both relationship queries report their answer through the BOOLEAN output
 * and their success through the NTSTATUS; check the status before trusting
 * the output value.
 */
NTSTATUS
NTAPI
SeIsTokenChild(
    _In_ PTOKEN Token,
    _Out_ PBOOLEAN IsChild);

NTSTATUS
NTAPI
SeIsTokenSibling(
    _In_ PTOKEN Token,
    _Out_ PBOOLEAN IsSibling);

NTSTATUS
NTAPI
SeExchangePrimaryToken(
    _In_ PEPROCESS Process,
    _In_ PACCESS_TOKEN NewAccessToken,
    _Out_ PACCESS_TOKEN* OldAccessToken);

NTSTATUS
NTAPI
SeCopyClientToken(
    _In_ PACCESS_TOKEN Token,
    _In_ SECURITY_IMPERSONATION_LEVEL Level,
    _In_ KPROCESSOR_MODE PreviousMode,
    _Out_ PACCESS_TOKEN* NewToken);

BOOLEAN
NTAPI
SeTokenIsInert(
    _In_ PTOKEN Token);

ULONG
RtlLengthSidAndAttributes(
    _In_ ULONG Count,
    _In_ PSID_AND_ATTRIBUTES Src);

//
// Security Manager (SeMgr) functions
//
CODE_SEG("INIT")
BOOLEAN
NTAPI
SeInitSystem(VOID);

NTSTATUS
NTAPI
SeDefaultObjectMethod(
    _In_ PVOID Object,
    _In_ SECURITY_OPERATION_CODE OperationType,
    _In_ PSECURITY_INFORMATION SecurityInformation,
    _Inout_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _Inout_opt_ PULONG ReturnLength,
    _Inout_opt_ PSECURITY_DESCRIPTOR *OldSecurityDescriptor,
    _In_ POOL_TYPE PoolType,
    _In_ PGENERIC_MAPPING GenericMapping);

VOID
NTAPI
SeQuerySecurityAccessMask(
    _In_ SECURITY_INFORMATION SecurityInformation,
    _Out_ PACCESS_MASK DesiredAccess);

VOID
NTAPI
SeSetSecurityAccessMask(
    _In_ SECURITY_INFORMATION SecurityInformation,
    _Out_ PACCESS_MASK DesiredAccess);

//
// Privilege functions
//
CODE_SEG("INIT")
VOID
NTAPI
SepInitPrivileges(VOID);

BOOLEAN
NTAPI
SepPrivilegeCheck(
    _In_ PTOKEN Token,
    _In_ PLUID_AND_ATTRIBUTES Privileges,
    _In_ ULONG PrivilegeCount,
    _In_ ULONG PrivilegeControl,
    _In_ KPROCESSOR_MODE PreviousMode);

NTSTATUS
NTAPI
SePrivilegePolicyCheck(
    _Inout_ PACCESS_MASK DesiredAccess,
    _Inout_ PACCESS_MASK GrantedAccess,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PTOKEN Token,
    _Out_opt_ PPRIVILEGE_SET *OutPrivilegeSet,
    _In_ KPROCESSOR_MODE PreviousMode);

BOOLEAN
NTAPI
SeCheckAuditPrivilege(
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ KPROCESSOR_MODE PreviousMode);

BOOLEAN
NTAPI
SeCheckPrivilegedObject(
    _In_ LUID PrivilegeValue,
    _In_ HANDLE ObjectHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ KPROCESSOR_MODE PreviousMode);

/*
 * Capture/release pairs
 *
 * The Se*Capture*/Sep*Capture* routines in this header take the requestor's
 * processor mode and a CaptureIfKernel flag, and each has a release routine
 * taking the same mode and flag.
 * NOTE(review): presumably the release call must be given the same mode and
 * CaptureIfKernel values that were used for the capture, so that it frees
 * exactly what the capture allocated -- confirm against the implementations.
 *
 * NOTE(review): AllocatedMem is _In_ PLUID_AND_ATTRIBUTES here but
 * _In_opt_ PVOID in SeCaptureSidAndAttributesArray; confirm whether NULL is
 * accepted here as well.
 */
NTSTATUS
NTAPI
SeCaptureLuidAndAttributesArray(
    _In_ PLUID_AND_ATTRIBUTES Src,
    _In_ ULONG PrivilegeCount,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_ PLUID_AND_ATTRIBUTES AllocatedMem,
    _In_ ULONG AllocatedLength,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PLUID_AND_ATTRIBUTES* Dest,
    _Inout_ PULONG Length);

VOID
NTAPI
SeReleaseLuidAndAttributesArray(
    _In_ PLUID_AND_ATTRIBUTES Privilege,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_ BOOLEAN CaptureIfKernel);

//
// SID functions
//
CODE_SEG("INIT")
BOOLEAN
NTAPI
SepInitSecurityIDs(VOID);

NTSTATUS
NTAPI
SepCaptureSid(
    _In_ PSID InputSid,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PSID *CapturedSid);

VOID
NTAPI
SepReleaseSid(
    _In_ PSID CapturedSid,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel);

BOOLEAN
NTAPI
SepSidInToken(
    _In_ PACCESS_TOKEN _Token,
    _In_ PSID Sid);

BOOLEAN
NTAPI
SepSidInTokenEx(
    _In_ PACCESS_TOKEN _Token,
    _In_ PSID PrincipalSelfSid,
    _In_ PSID _Sid,
    _In_ BOOLEAN Deny,
    _In_ BOOLEAN Restricted);

PSID
NTAPI
SepGetSidFromAce(
    _In_ UCHAR AceType,
    _In_ PACE Ace);

NTSTATUS
NTAPI
SeCaptureSidAndAttributesArray(
    _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
    _In_ ULONG AttributeCount,
    _In_ KPROCESSOR_MODE PreviousMode,
    _In_opt_ PVOID AllocatedMem,
    _In_ ULONG AllocatedLength,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
    _Out_ PULONG ResultLength);

/* _Post_invalid_: the captured pointer must not be used after this call */
VOID
NTAPI
SeReleaseSidAndAttributesArray(
    _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel);

//
// ACL functions
//
CODE_SEG("INIT")
BOOLEAN
NTAPI
SepInitDACLs(VOID);

NTSTATUS
NTAPI
SepCreateImpersonationTokenDacl(
    _In_ PTOKEN Token,
    _In_ PTOKEN PrimaryToken,
    _Out_ PACL* Dacl);

NTSTATUS
NTAPI
SepCaptureAcl(
    _In_ PACL InputAcl,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PACL *CapturedAcl);

VOID
NTAPI
SepReleaseAcl(
    _In_ PACL CapturedAcl,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel);

/*
 * NOTE(review): the size annotation on AclDest names DaclLength, which is not
 * a parameter of this prototype, so static analysis cannot check the output
 * bound. The capacity presumably lives in *AclLength -- confirm, and correct
 * the annotation here and at the definition together.
 */
NTSTATUS
SepPropagateAcl(
    _Out_writes_bytes_opt_(DaclLength) PACL AclDest,
    _Inout_ PULONG AclLength,
    _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
    _In_ PSID Owner,
    _In_ PSID Group,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);

PACL
SepSelectAcl(
    _In_opt_ PACL ExplicitAcl,
    _In_ BOOLEAN ExplicitPresent,
    _In_ BOOLEAN ExplicitDefaulted,
    _In_opt_ PACL ParentAcl,
    _In_opt_ PACL DefaultAcl,
    _Out_ PULONG AclLength,
    _In_ PSID Owner,
    _In_ PSID Group,
    _Out_ PBOOLEAN AclPresent,
    _Out_ PBOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping);

//
// SD functions
//
CODE_SEG("INIT")
BOOLEAN
NTAPI
SepInitSDs(VOID);

/*
 * NOTE(review): BufferLength is a pointer to a length but is annotated _In_;
 * if the routine writes the required size back through it, _Inout_ is the
 * matching annotation -- confirm against the implementation.
 */
NTSTATUS
NTAPI
SeSetWorldSecurityDescriptor(
    _In_ SECURITY_INFORMATION SecurityInformation,
    _In_ PISECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ PULONG BufferLength);

NTSTATUS
NTAPI
SeComputeQuotaInformationSize(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _Out_ PULONG QuotaInfoSize);

//
// Security Reference Monitor (SeRm) functions
//
BOOLEAN
NTAPI
SeRmInitPhase0(VOID);

BOOLEAN
NTAPI
SeRmInitPhase1(VOID);

NTSTATUS
NTAPI
SepRmInsertLogonSessionIntoToken(
    _Inout_ PTOKEN Token);

NTSTATUS
NTAPI
SepRmRemoveLogonSessionFromToken(
    _Inout_ PTOKEN Token);

NTSTATUS
SepRmReferenceLogonSession(
    _Inout_ PLUID LogonLuid);

NTSTATUS
SepRmDereferenceLogonSession(
    _Inout_ PLUID LogonLuid);

/*
 * NOTE(review): ValueData is a plain _Out_ PVOID; presumably DataLength is
 * the size of that buffer, in which case _Out_writes_bytes_(DataLength)
 * would let static analysis check the bound -- confirm.
 */
NTSTATUS
NTAPI
SepRegQueryHelper(
    _In_ PCWSTR KeyName,
    _In_ PCWSTR ValueName,
    _In_ ULONG ValueType,
    _In_ ULONG DataLength,
    _Out_ PVOID ValueData);

NTSTATUS
NTAPI
SeGetLogonIdDeviceMap(
    _In_ PLUID LogonId,
    _Out_ PDEVICE_MAP *DeviceMap);

//
// Audit functions
//
NTSTATUS
NTAPI
SeInitializeProcessAuditName(
    _In_ PFILE_OBJECT FileObject,
    _In_ BOOLEAN DoAudit,
    _Out_ POBJECT_NAME_INFORMATION *AuditInfo);

BOOLEAN
NTAPI
SeDetailedAuditingWithToken(
    _In_ PTOKEN Token);

VOID
NTAPI
SeAuditProcessExit(
    _In_ PEPROCESS Process);

VOID
NTAPI
SeAuditProcessCreate(
    _In_ PEPROCESS Process);

VOID
NTAPI
SePrivilegedServiceAuditAlarm(
    _In_opt_ PUNICODE_STRING ServiceName,
    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
    _In_ PPRIVILEGE_SET PrivilegeSet,
    _In_ BOOLEAN AccessGranted);

//
// Subject functions
//
VOID
NTAPI
SeCaptureSubjectContextEx(
    _In_ PETHREAD Thread,
    _In_ PEPROCESS Process,
    _Out_ PSECURITY_SUBJECT_CONTEXT SubjectContext);

//
// Security Quality of Service (SQoS) functions
//
NTSTATUS
NTAPI
SepCaptureSecurityQualityOfService(
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ POOL_TYPE PoolType,
    _In_ BOOLEAN CaptureIfKernel,
    _Out_ PSECURITY_QUALITY_OF_SERVICE *CapturedSecurityQualityOfService,
    _Out_ PBOOLEAN Present);

VOID
NTAPI
SepReleaseSecurityQualityOfService(
    _In_opt_ PSECURITY_QUALITY_OF_SERVICE CapturedSecurityQualityOfService,
    _In_ KPROCESSOR_MODE AccessMode,
    _In_ BOOLEAN CaptureIfKernel);

//
// Object type list functions
//
NTSTATUS
SeCaptureObjectTypeList(
    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
    _In_ ULONG ObjectTypeListLength,
    _In_ KPROCESSOR_MODE PreviousMode,
    _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList);

/* _Post_invalid_: the captured list must not be used after this call */
VOID
SeReleaseObjectTypeList(
    _In_ _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList,
    _In_ KPROCESSOR_MODE PreviousMode);

//
// Access state functions
//
/*
 * NOTE(review): AccessState mixes the SAL marker _In_ with the legacy OUT
 * marker; _Inout_ or _Out_ was presumably intended -- confirm and use a
 * single SAL annotation.
 */
NTSTATUS
NTAPI
SeCreateAccessStateEx(
    _In_ PETHREAD Thread,
    _In_ PEPROCESS Process,
    _In_ OUT PACCESS_STATE AccessState,
    _In_ PAUX_ACCESS_DATA AuxData,
    _In_ ACCESS_MASK Access,
    _In_ PGENERIC_MAPPING GenericMapping);

//
// Access check functions
//
BOOLEAN
NTAPI
SeFastTraverseCheck(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ PACCESS_STATE AccessState,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ KPROCESSOR_MODE AccessMode);

#endif /* RTL_H */

/* EOF */