/*
* COPYRIGHT: See COPYING in the top level directory
* PROJECT: ReactOS kernel
* FILE: ntoskrnl/se/acl.c
* PURPOSE: Security manager
*
* PROGRAMMERS: David Welch <welch@cwcom.net>
*/
/* INCLUDES *******************************************************************/
#include <ntoskrnl.h>
#define NDEBUG
#include <debug.h>
/* GLOBALS ********************************************************************/
/*
 * Default DACLs shared by the security manager. Each pointer starts out NULL
 * and is allocated and populated once by SepInitDACLs(). The ACE summaries
 * below mirror what SepInitDACLs() adds to each ACL.
 */

/* SeWorldSid: GENERIC_EXECUTE; SeLocalSystemSid, SeAliasAdminsSid: GENERIC_ALL */
PACL SePublicDefaultDacl = NULL;

/* SeLocalSystemSid: GENERIC_ALL; SeAliasAdminsSid: read, execute, READ_CONTROL */
PACL SeSystemDefaultDacl = NULL;

/* Same as SePublicDefaultDacl plus SeRestrictedCodeSid: read, execute, READ_CONTROL */
PACL SePublicDefaultUnrestrictedDacl = NULL;

/* SeWorldSid: read, write, execute; SeLocalSystemSid, SeAliasAdminsSid: GENERIC_ALL */
PACL SePublicOpenDacl = NULL;

/*
 * SeWorldSid, SeLocalSystemSid, SeAliasAdminsSid: GENERIC_ALL;
 * SeRestrictedCodeSid: read, execute
 */
PACL SePublicOpenUnrestrictedDacl = NULL;

/* SeWorldSid: GENERIC_ALL; SeRestrictedCodeSid: read, execute */
PACL SeUnrestrictedDacl = NULL;
/* FUNCTIONS ******************************************************************/
/*
 * Allocates the six default DACLs from paged pool and fills each one with
 * access-allowed ACEs.
 *
 * Returns TRUE once all six are built, or FALSE as soon as one allocation
 * fails; DACLs allocated before the failing one stay allocated.
 *
 * NOTE(review): the results of RtlCreateAcl and RtlAddAccessAllowedAce are
 * discarded, so a DACL that ends up with fewer ACEs than intended is not
 * reported by this routine.
 */
CODE_SEG("INIT")
BOOLEAN
NTAPI
SepInitDACLs(VOID)
{
    ULONG DaclSize;

    /* SePublicDefaultDacl: three ACEs */
    DaclSize = sizeof(ACL) +
               (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
               (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
               (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));

    SePublicDefaultDacl = ExAllocatePoolWithTag(PagedPool, DaclSize, TAG_ACL);
    if (!SePublicDefaultDacl)
    {
        return FALSE;
    }

    RtlCreateAcl(SePublicDefaultDacl, DaclSize, ACL_REVISION);
    RtlAddAccessAllowedAce(SePublicDefaultDacl, ACL_REVISION,
                           GENERIC_EXECUTE, SeWorldSid);
    RtlAddAccessAllowedAce(SePublicDefaultDacl, ACL_REVISION,
                           GENERIC_ALL, SeLocalSystemSid);
    RtlAddAccessAllowedAce(SePublicDefaultDacl, ACL_REVISION,
                           GENERIC_ALL, SeAliasAdminsSid);

    /* SePublicDefaultUnrestrictedDacl: four ACEs */
    DaclSize = sizeof(ACL) +
               (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
               (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
               (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
               (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));

    SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, DaclSize, TAG_ACL);
    if (!SePublicDefaultUnrestrictedDacl)
    {
        return FALSE;
    }

    RtlCreateAcl(SePublicDefaultUnrestrictedDacl, DaclSize, ACL_REVISION);
    RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, ACL_REVISION,
                           GENERIC_EXECUTE, SeWorldSid);
    RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, ACL_REVISION,
                           GENERIC_ALL, SeLocalSystemSid);
    RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, ACL_REVISION,
                           GENERIC_ALL, SeAliasAdminsSid);
    RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, ACL_REVISION,
                           GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
                           SeRestrictedCodeSid);

    /* SePublicOpenDacl: three ACEs */
    DaclSize = sizeof(ACL) +
               (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
               (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
               (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));

    SePublicOpenDacl = ExAllocatePoolWithTag(PagedPool, DaclSize, TAG_ACL);
    if (!SePublicOpenDacl)
    {
        return FALSE;
    }

    RtlCreateAcl(SePublicOpenDacl, DaclSize, ACL_REVISION);
    RtlAddAccessAllowedAce(SePublicOpenDacl, ACL_REVISION,
                           GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
                           SeWorldSid);
    RtlAddAccessAllowedAce(SePublicOpenDacl, ACL_REVISION,
                           GENERIC_ALL, SeLocalSystemSid);
    RtlAddAccessAllowedAce(SePublicOpenDacl, ACL_REVISION,
                           GENERIC_ALL, SeAliasAdminsSid);

    /* SePublicOpenUnrestrictedDacl: four ACEs */
    DaclSize = sizeof(ACL) +
               (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
               (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
               (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
               (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));

    SePublicOpenUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, DaclSize, TAG_ACL);
    if (!SePublicOpenUnrestrictedDacl)
    {
        return FALSE;
    }

    RtlCreateAcl(SePublicOpenUnrestrictedDacl, DaclSize, ACL_REVISION);
    RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, ACL_REVISION,
                           GENERIC_ALL, SeWorldSid);
    RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, ACL_REVISION,
                           GENERIC_ALL, SeLocalSystemSid);
    RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, ACL_REVISION,
                           GENERIC_ALL, SeAliasAdminsSid);
    RtlAddAccessAllowedAce(SePublicOpenUnrestrictedDacl, ACL_REVISION,
                           GENERIC_READ | GENERIC_EXECUTE,
                           SeRestrictedCodeSid);

    /* SeSystemDefaultDacl: two ACEs */
    DaclSize = sizeof(ACL) +
               (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
               (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid));

    SeSystemDefaultDacl = ExAllocatePoolWithTag(PagedPool, DaclSize, TAG_ACL);
    if (!SeSystemDefaultDacl)
    {
        return FALSE;
    }

    RtlCreateAcl(SeSystemDefaultDacl, DaclSize, ACL_REVISION);
    RtlAddAccessAllowedAce(SeSystemDefaultDacl, ACL_REVISION,
                           GENERIC_ALL, SeLocalSystemSid);
    RtlAddAccessAllowedAce(SeSystemDefaultDacl, ACL_REVISION,
                           GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
                           SeAliasAdminsSid);

    /* SeUnrestrictedDacl: two ACEs */
    DaclSize = sizeof(ACL) +
               (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
               (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid));

    SeUnrestrictedDacl = ExAllocatePoolWithTag(PagedPool, DaclSize, TAG_ACL);
    if (!SeUnrestrictedDacl)
    {
        return FALSE;
    }

    RtlCreateAcl(SeUnrestrictedDacl, DaclSize, ACL_REVISION);
    RtlAddAccessAllowedAce(SeUnrestrictedDacl, ACL_REVISION,
                           GENERIC_ALL, SeWorldSid);
    RtlAddAccessAllowedAce(SeUnrestrictedDacl, ACL_REVISION,
                           GENERIC_READ | GENERIC_EXECUTE,
                           SeRestrictedCodeSid);

    return TRUE;
}
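/*
 * Builds the DACL that is placed on an impersonation token.
 *
 * The DACL grants GENERIC_ALL to the first UserAndGroups SID of Token and of
 * PrimaryToken, to SeAliasAdminsSid and to SeLocalSystemSid. When either
 * token has a RestrictedSids array, SeRestrictedCodeSid is granted
 * GENERIC_ALL as well.
 *
 * On success *Dacl receives a paged-pool allocation tagged TAG_ACL; the
 * caller owns it. On any failure *Dacl stays NULL and nothing is left
 * allocated.
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when the pool
 * allocation fails, or the failure status of RtlCreateAcl /
 * RtlAddAccessAllowedAce. Checking those statuses keeps a partially built
 * DACL from being handed back as if it were complete.
 */
NTSTATUS
NTAPI
SepCreateImpersonationTokenDacl(
    _In_ PTOKEN Token,
    _In_ PTOKEN PrimaryToken,
    _Out_ PACL* Dacl)
{
    ULONG AclLength;
    PACL TokenDacl;
    NTSTATUS Status;

    PAGED_CODE();

    *Dacl = NULL;

    /* Reserve room for all five possible ACEs, restricted-code ACE included */
    AclLength = sizeof(ACL) +
        (sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid)) +
        (sizeof(ACE) + RtlLengthSid(SeLocalSystemSid)) +
        (sizeof(ACE) + RtlLengthSid(SeRestrictedCodeSid)) +
        (sizeof(ACE) + RtlLengthSid(Token->UserAndGroups->Sid)) +
        (sizeof(ACE) + RtlLengthSid(PrimaryToken->UserAndGroups->Sid));

    TokenDacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_ACL);
    if (TokenDacl == NULL)
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    Status = RtlCreateAcl(TokenDacl, AclLength, ACL_REVISION);
    if (!NT_SUCCESS(Status))
    {
        goto Failure;
    }

    Status = RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
                                    Token->UserAndGroups->Sid);
    if (!NT_SUCCESS(Status))
    {
        goto Failure;
    }

    Status = RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
                                    PrimaryToken->UserAndGroups->Sid);
    if (!NT_SUCCESS(Status))
    {
        goto Failure;
    }

    Status = RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
                                    SeAliasAdminsSid);
    if (!NT_SUCCESS(Status))
    {
        goto Failure;
    }

    Status = RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
                                    SeLocalSystemSid);
    if (!NT_SUCCESS(Status))
    {
        goto Failure;
    }

    /* Restricted code gets an ACE only when a token is actually restricted */
    if (Token->RestrictedSids != NULL || PrimaryToken->RestrictedSids != NULL)
    {
        Status = RtlAddAccessAllowedAce(TokenDacl, ACL_REVISION, GENERIC_ALL,
                                        SeRestrictedCodeSid);
        if (!NT_SUCCESS(Status))
        {
            goto Failure;
        }
    }

    *Dacl = TokenDacl;

    return STATUS_SUCCESS;

Failure:
    /* Never publish a DACL that is missing one of its ACEs */
    ExFreePoolWithTag(TokenDacl, TAG_ACL);
    return Status;
}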
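/*
 * Captures an ACL handed in by a caller.
 *
 * AccessMode != KernelMode
 *     InputAcl points to user memory. The ACL is probed, copied into a
 *     PoolType allocation tagged TAG_ACL and validated before it is returned
 *     through CapturedAcl.
 * AccessMode == KernelMode, CaptureIfKernel == FALSE
 *     InputAcl itself is returned; no copy is made.
 * AccessMode == KernelMode, CaptureIfKernel == TRUE
 *     InputAcl is copied into a PoolType allocation tagged TAG_ACL.
 *
 * A copy returned here is released with SepReleaseAcl using the same
 * AccessMode and CaptureIfKernel values.
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when the allocation
 * fails, STATUS_INVALID_ACL when a user-mode ACL is malformed, or the
 * exception code raised while touching user memory. *CapturedAcl is written
 * only on success.
 */
NTSTATUS
NTAPI
SepCaptureAcl(IN PACL InputAcl,
              IN KPROCESSOR_MODE AccessMode,
              IN POOL_TYPE PoolType,
              IN BOOLEAN CaptureIfKernel,
              OUT PACL *CapturedAcl)
{
    PACL NewAcl;
    ULONG AclSize = 0;
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    if (AccessMode != KernelMode)
    {
        _SEH2_TRY
        {
            /* Probe the header first, then the full length it declares */
            ProbeForRead(InputAcl,
                         sizeof(ACL),
                         sizeof(ULONG));
            AclSize = InputAcl->AclSize;
            ProbeForRead(InputAcl,
                         AclSize,
                         sizeof(ULONG));
        }
        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
        {
            /* Return the exception code */
            _SEH2_YIELD(return _SEH2_GetExceptionCode());
        }
        _SEH2_END;

        /*
         * A declared size below the header would yield a captured buffer that
         * later code reads past when it looks at the ACL header fields.
         */
        if (AclSize < sizeof(ACL))
        {
            return STATUS_INVALID_ACL;
        }

        NewAcl = ExAllocatePoolWithTag(PoolType,
                                       AclSize,
                                       TAG_ACL);
        if (NewAcl == NULL)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        _SEH2_TRY
        {
            RtlCopyMemory(NewAcl,
                          InputAcl,
                          AclSize);
        }
        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
        {
            /* Free the ACL and return the exception code */
            ExFreePoolWithTag(NewAcl, TAG_ACL);
            _SEH2_YIELD(return _SEH2_GetExceptionCode());
        }
        _SEH2_END;

        /*
         * User memory can change between the size read above and the copy,
         * so the AclSize inside the copy may not match the allocation. Pin it
         * to the size that was probed and allocated; the value came from the
         * same field, so the narrowing cast loses nothing.
         */
        NewAcl->AclSize = (USHORT)AclSize;

        /*
         * Validate the private copy, never the user buffer. Consumers such as
         * SepPropagateAcl only ASSERT that their source ACL is well formed.
         */
        if (!RtlValidAcl(NewAcl))
        {
            ExFreePoolWithTag(NewAcl, TAG_ACL);
            return STATUS_INVALID_ACL;
        }

        *CapturedAcl = NewAcl;
    }
    else if (!CaptureIfKernel)
    {
        /* Kernel-mode caller that asked for no copy: hand the pointer back */
        *CapturedAcl = InputAcl;
    }
    else
    {
        /* Kernel-mode source: copied without probing or validation */
        AclSize = InputAcl->AclSize;

        NewAcl = ExAllocatePoolWithTag(PoolType,
                                       AclSize,
                                       TAG_ACL);

        if (NewAcl != NULL)
        {
            RtlCopyMemory(NewAcl,
                          InputAcl,
                          AclSize);

            *CapturedAcl = NewAcl;
        }
        else
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
        }
    }

    return Status;
}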
/*
 * Frees an ACL that SepCaptureAcl copied into pool memory.
 *
 * Nothing is freed when CapturedAcl is NULL, or when the caller is in kernel
 * mode and did not request a capture (CaptureIfKernel == FALSE); in that
 * case SepCaptureAcl returned the caller's own pointer.
 */
VOID
NTAPI
SepReleaseAcl(IN PACL CapturedAcl,
              IN KPROCESSOR_MODE AccessMode,
              IN BOOLEAN CaptureIfKernel)
{
    PAGED_CODE();

    /* No ACL was captured */
    if (CapturedAcl == NULL)
    {
        return;
    }

    /* Uncaptured kernel-mode ACL: the pointer still belongs to the caller */
    if (AccessMode == KernelMode && !CaptureIfKernel)
    {
        return;
    }

    ExFreePoolWithTag(CapturedAcl, TAG_ACL);
}
/*
 * Decides whether an ACE with the given flags is carried over to a new
 * object, and computes the flags the copy gets.
 *
 * AceFlags          - flags of the source ACE
 * NewAceFlags       - receives the flags for the copy; written only when the
 *                     function returns TRUE
 * IsInherited       - FALSE: the ACE is kept as is; TRUE: inheritance rules
 *                     are applied
 * IsDirectoryObject - TRUE when the new object is a container
 *
 * Returns TRUE when the ACE is kept, FALSE when it is dropped.
 */
BOOLEAN
SepShouldPropagateAce(
    _In_ UCHAR AceFlags,
    _Out_ PUCHAR NewAceFlags,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject)
{
    /* Flag bits outside VALID_INHERIT_FLAGS are always carried over */
    const UCHAR OtherFlags = (UCHAR)(AceFlags & ~VALID_INHERIT_FLAGS);
    const BOOLEAN ObjectInherit = (AceFlags & OBJECT_INHERIT_ACE) != 0;
    const BOOLEAN ContainerInherit = (AceFlags & CONTAINER_INHERIT_ACE) != 0;

    /* Not an inheritance pass: keep the ACE and its flags untouched */
    if (!IsInherited)
    {
        *NewAceFlags = AceFlags;
        return TRUE;
    }

    /* Leaf object: only object-inherit ACEs apply, with no inherit bits left */
    if (!IsDirectoryObject)
    {
        if (!ObjectInherit)
        {
            return FALSE;
        }

        *NewAceFlags = OtherFlags;
        return TRUE;
    }

    /* Container, no further propagation: effective here, inherit bits cleared */
    if (AceFlags & NO_PROPAGATE_INHERIT_ACE)
    {
        if (!ContainerInherit)
        {
            return FALSE;
        }

        *NewAceFlags = OtherFlags;
        return TRUE;
    }

    /* Container-inherit: stays inheritable; object-inherit bit is preserved */
    if (ContainerInherit)
    {
        *NewAceFlags = CONTAINER_INHERIT_ACE | (AceFlags & OBJECT_INHERIT_ACE) | OtherFlags;
        return TRUE;
    }

    /* Object-inherit only: passes through the container as inherit-only */
    if (ObjectInherit)
    {
        *NewAceFlags = INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE | OtherFlags;
        return TRUE;
    }

    return FALSE;
}
/*
 * Builds, or only sizes, the ACL a new object gets from AclSource.
 *
 * AclDest           - destination buffer; may be NULL when *AclLength is too
 *                     small to hold even an ACL header
 * AclLength         - in: size of AclDest in bytes; out: bytes required
 * AclSource         - ACL to take ACEs from
 * Owner, Group      - SIDs substituted for SeCreatorOwnerSid and
 *                     SeCreatorGroupSid in inherited, effective ACEs
 * IsInherited       - TRUE when AclSource is a parent ACL being inherited
 * IsDirectoryObject - TRUE when the new object is a container
 * GenericMapping    - maps generic rights in effective ACEs
 *
 * Every write into AclDest is guarded by a size check, while the required
 * size keeps accumulating, so one pass serves both as a size query and as
 * the real copy.
 *
 * Returns STATUS_SUCCESS, or STATUS_BUFFER_TOO_SMALL when *AclLength was
 * smaller than the required size.
 *
 * The source ACL is validated with ASSERT only, and the ACE walk trusts
 * AceCount and each AceSize, so callers must pass an ACL that has already
 * been validated.
 *
 * NOTE(review): Written is a ULONG but is stored into AclDest->AclSize;
 * since one source ACE can produce two destination ACEs, confirm the total
 * cannot exceed what that header field holds.
 * NOTE(review): the SAL size on AclDest names the AclLength pointer rather
 * than the value it points to - confirm.
 */
NTSTATUS
SepPropagateAcl(
    _Out_writes_bytes_opt_(AclLength) PACL AclDest,
    _Inout_ PULONG AclLength,
    _In_reads_bytes_(AclSource->AclSize) PACL AclSource,
    _In_ PSID Owner,
    _In_ PSID Group,
    _In_ BOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping)
{
    PACCESS_ALLOWED_ACE AceSource;
    PACCESS_ALLOWED_ACE AceDest;
    PUCHAR CurrentSource;
    PUCHAR CurrentDest;
    PSID Sid;
    ACCESS_MASK Mask;
    NTSTATUS Status;
    ULONG AceIndex;
    ULONG Written;
    USHORT AceSize;
    USHORT AceCount = 0;
    UCHAR AceFlags;
    BOOLEAN WriteTwoAces;

    ASSERT(RtlValidAcl(AclSource));
    ASSERT(AclSource->AclSize % sizeof(ULONG) == 0);
    ASSERT(AclSource->Sbz1 == 0);
    ASSERT(AclSource->Sbz2 == 0);

    /* Start from a copy of the source header, if the destination can hold it */
    if (*AclLength >= sizeof(ACL))
    {
        RtlCopyMemory(AclDest, AclSource, sizeof(ACL));
    }
    Written = sizeof(ACL);

    /* ACEs follow the header directly in both ACLs */
    CurrentSource = (PUCHAR)(AclSource + 1);
    CurrentDest = (PUCHAR)(AclDest + 1);

    for (AceIndex = 0; AceIndex < AclSource->AceCount; AceIndex++)
    {
        ASSERT((ULONG_PTR)CurrentDest % sizeof(ULONG) == 0);
        ASSERT((ULONG_PTR)CurrentSource % sizeof(ULONG) == 0);
        AceSource = (PACCESS_ALLOWED_ACE)CurrentSource;
        AceDest = (PACCESS_ALLOWED_ACE)CurrentDest;

        if (AceSource->Header.AceType > ACCESS_MAX_MS_V2_ACE_TYPE)
        {
            /* FIXME: handle object & compound ACEs */
            /* Until then such ACEs are copied through unchanged */
            AceSize = AceSource->Header.AceSize;

            if (*AclLength >= Written + AceSize)
            {
                RtlCopyMemory(AceDest, AceSource, AceSize);
            }

            Written += AceSize;
            AceCount++;
            CurrentSource += AceSize;
            CurrentDest += AceSize;
            continue;
        }

        /* These all have the same structure */
        ASSERT(AceSource->Header.AceType == ACCESS_ALLOWED_ACE_TYPE ||
               AceSource->Header.AceType == ACCESS_DENIED_ACE_TYPE ||
               AceSource->Header.AceType == SYSTEM_AUDIT_ACE_TYPE ||
               AceSource->Header.AceType == SYSTEM_ALARM_ACE_TYPE);

        ASSERT(AceSource->Header.AceSize % sizeof(ULONG) == 0);
        ASSERT(AceSource->Header.AceSize >= sizeof(*AceSource));

        /* Dropped ACEs advance the source cursor only */
        if (!SepShouldPropagateAce(AceSource->Header.AceFlags,
                                   &AceFlags,
                                   IsInherited,
                                   IsDirectoryObject))
        {
            CurrentSource += AceSource->Header.AceSize;
            continue;
        }

        /* FIXME: filter out duplicate ACEs */
        AceSize = AceSource->Header.AceSize;
        Mask = AceSource->Mask;
        Sid = (PSID)&AceSource->SidStart;
        ASSERT(AceSize >= FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + RtlLengthSid(Sid));

        WriteTwoAces = FALSE;

        /* Map effective ACE to specific rights */
        if (!(AceFlags & INHERIT_ONLY_ACE))
        {
            RtlMapGenericMask(&Mask, GenericMapping);
            Mask &= GenericMapping->GenericAll;

            if (IsInherited)
            {
                /* Creator placeholders resolve to the new object's owner/group */
                if (RtlEqualSid(Sid, SeCreatorOwnerSid))
                {
                    Sid = Owner;
                }
                else if (RtlEqualSid(Sid, SeCreatorGroupSid))
                {
                    Sid = Group;
                }

                /* The substituted SID may differ in length from the original */
                AceSize = FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + RtlLengthSid(Sid);

                /*
                 * A generic container ACE becomes two ACEs:
                 * - a specific effective ACE with no inheritance flags
                 * - an inherit-only ACE that keeps the generic rights
                 */
                WriteTwoAces = (IsDirectoryObject &&
                                (AceFlags & CONTAINER_INHERIT_ACE) &&
                                (Mask != AceSource->Mask ||
                                 Sid != (PSID)&AceSource->SidStart));
            }
        }

        /* Runs once, or twice when the ACE is split in two */
        for (;;)
        {
            if (*AclLength >= Written + AceSize)
            {
                AceDest->Header.AceType = AceSource->Header.AceType;
                if (WriteTwoAces)
                {
                    AceDest->Header.AceFlags = AceFlags & ~VALID_INHERIT_FLAGS;
                }
                else
                {
                    AceDest->Header.AceFlags = AceFlags;
                }
                AceDest->Header.AceSize = AceSize;
                AceDest->Mask = Mask;
                RtlCopySid(AceSize - FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart),
                           (PSID)&AceDest->SidStart,
                           Sid);
            }

            Written += AceSize;
            AceCount++;
            CurrentDest += AceSize;

            if (!WriteTwoAces)
            {
                break;
            }

            /* Second ACE keeps all the generics from the source ACE */
            WriteTwoAces = FALSE;
            AceDest = (PACCESS_ALLOWED_ACE)CurrentDest;
            AceSize = AceSource->Header.AceSize;
            Mask = AceSource->Mask;
            Sid = (PSID)&AceSource->SidStart;
            AceFlags |= INHERIT_ONLY_ACE;
        }

        CurrentSource += AceSource->Header.AceSize;
    }

    /* Fix up the copied header with what was actually produced */
    if (*AclLength >= sizeof(ACL))
    {
        AclDest->AceCount = AceCount;
        AclDest->AclSize = Written;
    }

    /* Compare against the caller's size before overwriting it */
    Status = (Written > *AclLength) ? STATUS_BUFFER_TOO_SMALL : STATUS_SUCCESS;
    *AclLength = Written;
    return Status;
}
/*
 * Picks the ACL a new object's security descriptor is built from and reports
 * how many bytes the propagated ACL needs.
 *
 * Selection order:
 *  1. ExplicitAcl, when it is present and not defaulted.
 *  2. ParentAcl, when propagating it yields at least one ACE.
 *  3. ExplicitAcl, when it is present (defaulted).
 *  4. DefaultAcl, when there is one.
 *  5. No ACL: *AclPresent is set to FALSE and NULL is returned.
 *
 * AclLength   - receives the size SepPropagateAcl reports for the selected
 *               ACL, or 0 when the selected ACL is NULL
 * AclPresent  - FALSE only in case 5
 * IsInherited - TRUE only when ParentAcl was selected
 *
 * Returns the selected ACL. A NULL return with *AclPresent == TRUE happens
 * when ExplicitPresent is TRUE and ExplicitAcl is NULL; callers must keep
 * that apart from the "no ACL" case, since for a DACL a present NULL ACL
 * conventionally places no restriction on access.
 */
PACL
SepSelectAcl(
    _In_opt_ PACL ExplicitAcl,
    _In_ BOOLEAN ExplicitPresent,
    _In_ BOOLEAN ExplicitDefaulted,
    _In_opt_ PACL ParentAcl,
    _In_opt_ PACL DefaultAcl,
    _Out_ PULONG AclLength,
    _In_ PSID Owner,
    _In_ PSID Group,
    _Out_ PBOOLEAN AclPresent,
    _Out_ PBOOLEAN IsInherited,
    _In_ BOOLEAN IsDirectoryObject,
    _In_ PGENERIC_MAPPING GenericMapping)
{
    PACL Selected = NULL;
    NTSTATUS Status;

    *AclPresent = TRUE;

    /* Unless an explicit, non-defaulted ACL was given, try the parent first */
    if ((!ExplicitPresent || ExplicitDefaulted) && ParentAcl)
    {
        *IsInherited = TRUE;
        *AclLength = 0;

        /* Size query: a zero-length buffer can never be large enough */
        Status = SepPropagateAcl(NULL,
                                 AclLength,
                                 ParentAcl,
                                 Owner,
                                 Group,
                                 *IsInherited,
                                 IsDirectoryObject,
                                 GenericMapping);
        ASSERT(Status == STATUS_BUFFER_TOO_SMALL);

        /* Use the parent ACL only if it's not empty */
        if (*AclLength != sizeof(ACL))
        {
            return ParentAcl;
        }
    }

    if (ExplicitPresent)
    {
        Selected = ExplicitAcl;
    }
    else if (DefaultAcl)
    {
        Selected = DefaultAcl;
    }
    else
    {
        /* Nothing to choose from; Selected stays NULL */
        *AclPresent = FALSE;
    }

    *IsInherited = FALSE;
    *AclLength = 0;

    if (Selected)
    {
        /* Get the length */
        Status = SepPropagateAcl(NULL,
                                 AclLength,
                                 Selected,
                                 Owner,
                                 Group,
                                 *IsInherited,
                                 IsDirectoryObject,
                                 GenericMapping);
        ASSERT(Status == STATUS_BUFFER_TOO_SMALL);
    }

    return Selected;
}
/* EOF */