diff options
Diffstat (limited to '')
-rw-r--r-- | private/ntos/se/seglobal.c | 965 |
1 files changed, 965 insertions, 0 deletions
diff --git a/private/ntos/se/seglobal.c b/private/ntos/se/seglobal.c new file mode 100644 index 000000000..1526aac8b --- /dev/null +++ b/private/ntos/se/seglobal.c @@ -0,0 +1,965 @@ +/*++ + +Copyright (c) 1989 Microsoft Corporation + +Module Name: + + seglobal.c + +Abstract: + + This module contains the global variables used and exported by the security + component. + +Author: + + Jim Kelly (JimK) 5-Aug-1990 + +Environment: + + Kernel mode only. + +Revision History: + + +--*/ + +#include "sep.h" +#include "adt.h" +#include "seopaque.h" + +VOID +SepInitializePrivilegeSets( VOID ); + + +VOID +SepInitSystemDacls( VOID ); + + +#ifdef ALLOC_PRAGMA +#pragma alloc_text(INIT,SepVariableInitialization) +#pragma alloc_text(INIT,SepInitializePrivilegeSets) +#pragma alloc_text(INIT,SepInitSystemDacls) +#pragma alloc_text(INIT,SepInitializeWorkList) +#pragma alloc_text(PAGE,SepAssemblePrivileges) +#endif + +#ifdef SE_DIAGNOSTICS_ENABLED + +// +// Used to control the active SE diagnostic support provided +// + +ULONG SeGlobalFlag = 0; + +#endif // SE_DIAGNOSTICS_ENABLED + + + +//////////////////////////////////////////////////////////////////////// +// // +// Global, READ ONLY, Security variables // +// // +//////////////////////////////////////////////////////////////////////// + +// +// Authentication ID and source name used for system processes +// + +TOKEN_SOURCE SeSystemTokenSource = {"*SYSTEM*", 0}; +LUID SeSystemAuthenticationId = SYSTEM_LUID; + + +// +// Universal well known SIDs +// + +PSID SeNullSid; +PSID SeWorldSid; +PSID SeLocalSid; +PSID SeCreatorOwnerSid; +PSID SeCreatorGroupSid; +PSID SeCreatorGroupServerSid; +PSID SeCreatorOwnerServerSid; + +// +// Sids defined by NT +// + +PSID SeNtAuthoritySid; + +PSID SeDialupSid; +PSID SeNetworkSid; +PSID SeBatchSid; +PSID SeInteractiveSid; +PSID SeServiceSid; +PSID SeLocalSystemSid; +PSID SeAliasAdminsSid; +PSID SeAliasUsersSid; +PSID SeAliasGuestsSid; +PSID SeAliasPowerUsersSid; +PSID SeAliasAccountOpsSid; +PSID SeAliasSystemOpsSid; +PSID SeAliasPrintOpsSid; +PSID SeAliasBackupOpsSid; + + +// +// System default DACLs & Security Descriptors +// +// SePublicDefaultDacl - Protects objects so that WORLD:E, Admins:ALL, System: ALL. +// Not inherited by sub-objects. +// +// SePublicOpenDacl - Protects so that WORLD can RWE and Admins: All. +// Not inherited by sub-objects. +// +// SeSystemDefaultDacl - Protects objects so that SYSTEM & ADMIN can use them. +// Not inherited by subobjects. +// + +PSECURITY_DESCRIPTOR SePublicDefaultSd; +SECURITY_DESCRIPTOR SepPublicDefaultSd; +PSECURITY_DESCRIPTOR SePublicOpenSd; +SECURITY_DESCRIPTOR SepPublicOpenSd; +PSECURITY_DESCRIPTOR SeSystemDefaultSd; +SECURITY_DESCRIPTOR SepSystemDefaultSd; + +PACL SePublicDefaultDacl; +PACL SePublicOpenDacl; +PACL SeSystemDefaultDacl; + +// +// Sid of primary domain, and admin account in that domain +// + +PSID SepPrimaryDomainSid; +PSID SepPrimaryDomainAdminSid; + + + +// +// Well known privilege values +// + + +LUID SeCreateTokenPrivilege; +LUID SeAssignPrimaryTokenPrivilege; +LUID SeLockMemoryPrivilege; +LUID SeIncreaseQuotaPrivilege; +LUID SeUnsolicitedInputPrivilege; +LUID SeTcbPrivilege; +LUID SeSecurityPrivilege; +LUID SeTakeOwnershipPrivilege; +LUID SeLoadDriverPrivilege; +LUID SeCreatePagefilePrivilege; +LUID SeIncreaseBasePriorityPrivilege; +LUID SeSystemProfilePrivilege; +LUID SeSystemtimePrivilege; +LUID SeProfileSingleProcessPrivilege; +LUID SeCreatePermanentPrivilege; +LUID SeBackupPrivilege; +LUID SeRestorePrivilege; +LUID SeShutdownPrivilege; +LUID SeDebugPrivilege; +LUID SeAuditPrivilege; +LUID SeSystemEnvironmentPrivilege; +LUID SeChangeNotifyPrivilege; +LUID SeRemoteShutdownPrivilege; + + +// +// Define the following structures for export from the kernel. +// This will allow us to export pointers to these structures +// rather than a pointer for each element in the structure. +// + +PSE_EXPORTS SeExports; +SE_EXPORTS SepExports; + + +static SID_IDENTIFIER_AUTHORITY SepNullSidAuthority = SECURITY_NULL_SID_AUTHORITY; +static SID_IDENTIFIER_AUTHORITY SepWorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY; +static SID_IDENTIFIER_AUTHORITY SepLocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY; +static SID_IDENTIFIER_AUTHORITY SepCreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY; +static SID_IDENTIFIER_AUTHORITY SepNtAuthority = SECURITY_NT_AUTHORITY; + + +// +// Some variables we are going to use to help speed up access +// checking. +// + +static ULONG SinglePrivilegeSetSize; +static ULONG DoublePrivilegeSetSize; + +static PPRIVILEGE_SET SepSystemSecurityPrivilegeSet; +static PPRIVILEGE_SET SepTakeOwnershipPrivilegeSet; +static PPRIVILEGE_SET SepDoublePrivilegeSet; + + +// +// Array containing information describing what is to be audited +// + +SE_AUDITING_STATE SeAuditingState[POLICY_AUDIT_EVENT_TYPE_COUNT] = + { + { FALSE, FALSE }, + { FALSE, FALSE }, + { FALSE, FALSE }, + { FALSE, FALSE }, + { FALSE, FALSE }, + { FALSE, FALSE }, + { FALSE, FALSE } + }; + +// +// Boolean indicating whether or not auditing is enabled for the system +// + +BOOLEAN SepAdtAuditingEnabled = FALSE; + +// +// Boolean to hold whether or not the user wants the system to crash when +// an audit fails. +// + +BOOLEAN SepCrashOnAuditFail = FALSE; + +// +// Handle to the LSA process +// + +HANDLE SepLsaHandle; + +// +// Boolean indicating that we're auditing detailed events +// such as process creation. +// + +BOOLEAN SeDetailedAuditing = FALSE; + +UNICODE_STRING SeSubsystemName; + + +// +// Mutex protecting the queue of work being passed to LSA +// + +ERESOURCE SepLsaQueueLock; + +// +// Doubly linked list of work items queued to worker threads. +// + +LIST_ENTRY SepLsaQueue; + +// +// Count to tell us how long the queue gets in SepRmCallLsa +// + +ULONG SepLsaQueueLength = 0; + +SEP_WORK_ITEM SepExWorkItem; + + + +//////////////////////////////////////////////////////////////////////// +// // +// Variable Initialization Routines // +// // +//////////////////////////////////////////////////////////////////////// + +BOOLEAN +SepVariableInitialization() +/*++ + +Routine Description: + + This function initializes the global variables used by and exposed + by security. + +Arguments: + + None. + +Return Value: + + TRUE if variables successfully initialized. + FALSE if not successfully initialized. + +--*/ +{ + + ULONG SidWithZeroSubAuthorities; + ULONG SidWithOneSubAuthority; + ULONG SidWithTwoSubAuthorities; + ULONG SidWithThreeSubAuthorities; + + SID_IDENTIFIER_AUTHORITY NullSidAuthority; + SID_IDENTIFIER_AUTHORITY WorldSidAuthority; + SID_IDENTIFIER_AUTHORITY LocalSidAuthority; + SID_IDENTIFIER_AUTHORITY CreatorSidAuthority; + SID_IDENTIFIER_AUTHORITY SeNtAuthority; + + PAGED_CODE(); + + NullSidAuthority = SepNullSidAuthority; + WorldSidAuthority = SepWorldSidAuthority; + LocalSidAuthority = SepLocalSidAuthority; + CreatorSidAuthority = SepCreatorSidAuthority; + SeNtAuthority = SepNtAuthority; + + + // + // The following SID sizes need to be allocated + // + + SidWithZeroSubAuthorities = RtlLengthRequiredSid( 0 ); + SidWithOneSubAuthority = RtlLengthRequiredSid( 1 ); + SidWithTwoSubAuthorities = RtlLengthRequiredSid( 2 ); + SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 ); + + // + // Allocate and initialize the universal SIDs + // + + SeNullSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + SeWorldSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + SeLocalSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + SeCreatorOwnerSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + SeCreatorGroupSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + SeCreatorOwnerServerSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + SeCreatorGroupServerSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + + // + // Fail initialization if we didn't get enough memory for the universal + // SIDs. + // + + if ( (SeNullSid == NULL) || + (SeWorldSid == NULL) || + (SeLocalSid == NULL) || + (SeCreatorOwnerSid == NULL) || + (SeCreatorGroupSid == NULL) || + (SeCreatorOwnerServerSid == NULL ) || + (SeCreatorGroupServerSid == NULL ) + ) { + + return( FALSE ); + } + + RtlInitializeSid( SeNullSid, &NullSidAuthority, 1 ); + RtlInitializeSid( SeWorldSid, &WorldSidAuthority, 1 ); + RtlInitializeSid( SeLocalSid, &LocalSidAuthority, 1 ); + RtlInitializeSid( SeCreatorOwnerSid, &CreatorSidAuthority, 1 ); + RtlInitializeSid( SeCreatorGroupSid, &CreatorSidAuthority, 1 ); + RtlInitializeSid( SeCreatorOwnerServerSid, &CreatorSidAuthority, 1 ); + RtlInitializeSid( SeCreatorGroupServerSid, &CreatorSidAuthority, 1 ); + + *(RtlSubAuthoritySid( SeNullSid, 0 )) = SECURITY_NULL_RID; + *(RtlSubAuthoritySid( SeWorldSid, 0 )) = SECURITY_WORLD_RID; + *(RtlSubAuthoritySid( SeLocalSid, 0 )) = SECURITY_LOCAL_RID; + *(RtlSubAuthoritySid( SeCreatorOwnerSid, 0 )) = SECURITY_CREATOR_OWNER_RID; + *(RtlSubAuthoritySid( SeCreatorGroupSid, 0 )) = SECURITY_CREATOR_GROUP_RID; + *(RtlSubAuthoritySid( SeCreatorOwnerServerSid, 0 )) = SECURITY_CREATOR_OWNER_SERVER_RID; + *(RtlSubAuthoritySid( SeCreatorGroupServerSid, 0 )) = SECURITY_CREATOR_GROUP_SERVER_RID; + + // + // Allocate and initialize the NT defined SIDs + // + + SeNtAuthoritySid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithZeroSubAuthorities,'iSeS'); + SeDialupSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + SeNetworkSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + SeBatchSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + SeInteractiveSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + SeServiceSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + SeLocalSystemSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS'); + + SeAliasAdminsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS'); + SeAliasUsersSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS'); + SeAliasGuestsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS'); + SeAliasPowerUsersSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS'); + SeAliasAccountOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS'); + SeAliasSystemOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS'); + SeAliasPrintOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS'); + SeAliasBackupOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS'); + + // + // Fail initialization if we didn't get enough memory for the NT SIDs. + // + + if ( (SeNtAuthoritySid == NULL) || + (SeDialupSid == NULL) || + (SeNetworkSid == NULL) || + (SeBatchSid == NULL) || + (SeInteractiveSid == NULL) || + (SeServiceSid == NULL) || + (SeLocalSystemSid == NULL) || + (SeAliasAdminsSid == NULL) || + (SeAliasUsersSid == NULL) || + (SeAliasGuestsSid == NULL) || + (SeAliasPowerUsersSid == NULL) || + (SeAliasAccountOpsSid == NULL) || + (SeAliasSystemOpsSid == NULL) || + (SeAliasPrintOpsSid == NULL) || + (SeAliasBackupOpsSid == NULL) + ) { + + return( FALSE ); + } + + RtlInitializeSid( SeNtAuthoritySid, &SeNtAuthority, 0 ); + RtlInitializeSid( SeDialupSid, &SeNtAuthority, 1 ); + RtlInitializeSid( SeNetworkSid, &SeNtAuthority, 1 ); + RtlInitializeSid( SeBatchSid, &SeNtAuthority, 1 ); + RtlInitializeSid( SeInteractiveSid, &SeNtAuthority, 1 ); + RtlInitializeSid( SeServiceSid, &SeNtAuthority, 1 ); + RtlInitializeSid( SeLocalSystemSid, &SeNtAuthority, 1 ); + + RtlInitializeSid( SeAliasAdminsSid, &SeNtAuthority, 2); + RtlInitializeSid( SeAliasUsersSid, &SeNtAuthority, 2); + RtlInitializeSid( SeAliasGuestsSid, &SeNtAuthority, 2); + RtlInitializeSid( SeAliasPowerUsersSid, &SeNtAuthority, 2); + RtlInitializeSid( SeAliasAccountOpsSid, &SeNtAuthority, 2); + RtlInitializeSid( SeAliasSystemOpsSid, &SeNtAuthority, 2); + RtlInitializeSid( SeAliasPrintOpsSid, &SeNtAuthority, 2); + RtlInitializeSid( SeAliasBackupOpsSid, &SeNtAuthority, 2); + + *(RtlSubAuthoritySid( SeDialupSid, 0 )) = SECURITY_DIALUP_RID; + *(RtlSubAuthoritySid( SeNetworkSid, 0 )) = SECURITY_NETWORK_RID; + *(RtlSubAuthoritySid( SeBatchSid, 0 )) = SECURITY_BATCH_RID; + *(RtlSubAuthoritySid( SeInteractiveSid, 0 )) = SECURITY_INTERACTIVE_RID; + *(RtlSubAuthoritySid( SeServiceSid, 0 )) = SECURITY_SERVICE_RID; + *(RtlSubAuthoritySid( SeLocalSystemSid, 0 )) = SECURITY_LOCAL_SYSTEM_RID; + + + *(RtlSubAuthoritySid( SeAliasAdminsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; + *(RtlSubAuthoritySid( SeAliasUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; + *(RtlSubAuthoritySid( SeAliasGuestsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; + *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; + *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; + *(RtlSubAuthoritySid( SeAliasSystemOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; + *(RtlSubAuthoritySid( SeAliasPrintOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; + *(RtlSubAuthoritySid( SeAliasBackupOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; + + *(RtlSubAuthoritySid( SeAliasAdminsSid, 1 )) = DOMAIN_ALIAS_RID_ADMINS; + *(RtlSubAuthoritySid( SeAliasUsersSid, 1 )) = DOMAIN_ALIAS_RID_USERS; + *(RtlSubAuthoritySid( SeAliasGuestsSid, 1 )) = DOMAIN_ALIAS_RID_GUESTS; + *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 1 )) = DOMAIN_ALIAS_RID_POWER_USERS; + *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 1 )) = DOMAIN_ALIAS_RID_ACCOUNT_OPS; + *(RtlSubAuthoritySid( SeAliasSystemOpsSid, 1 )) = DOMAIN_ALIAS_RID_SYSTEM_OPS; + *(RtlSubAuthoritySid( SeAliasPrintOpsSid, 1 )) = DOMAIN_ALIAS_RID_PRINT_OPS; + *(RtlSubAuthoritySid( SeAliasBackupOpsSid, 1 )) = DOMAIN_ALIAS_RID_BACKUP_OPS; + + + + // + // Initialize system default dacl + // + + SepInitSystemDacls(); + + + // + // Initialize the well known privilege values + // + + SeCreateTokenPrivilege = + RtlConvertLongToLuid(SE_CREATE_TOKEN_PRIVILEGE); + SeAssignPrimaryTokenPrivilege = + RtlConvertLongToLuid(SE_ASSIGNPRIMARYTOKEN_PRIVILEGE); + SeLockMemoryPrivilege = + RtlConvertLongToLuid(SE_LOCK_MEMORY_PRIVILEGE); + SeIncreaseQuotaPrivilege = + RtlConvertLongToLuid(SE_INCREASE_QUOTA_PRIVILEGE); + SeUnsolicitedInputPrivilege = + RtlConvertLongToLuid(SE_UNSOLICITED_INPUT_PRIVILEGE); + SeTcbPrivilege = + RtlConvertLongToLuid(SE_TCB_PRIVILEGE); + SeSecurityPrivilege = + RtlConvertLongToLuid(SE_SECURITY_PRIVILEGE); + SeTakeOwnershipPrivilege = + RtlConvertLongToLuid(SE_TAKE_OWNERSHIP_PRIVILEGE); + SeLoadDriverPrivilege = + RtlConvertLongToLuid(SE_LOAD_DRIVER_PRIVILEGE); + SeCreatePagefilePrivilege = + RtlConvertLongToLuid(SE_CREATE_PAGEFILE_PRIVILEGE); + SeIncreaseBasePriorityPrivilege = + RtlConvertLongToLuid(SE_INC_BASE_PRIORITY_PRIVILEGE); + SeSystemProfilePrivilege = + RtlConvertLongToLuid(SE_SYSTEM_PROFILE_PRIVILEGE); + SeSystemtimePrivilege = + RtlConvertLongToLuid(SE_SYSTEMTIME_PRIVILEGE); + SeProfileSingleProcessPrivilege = + RtlConvertLongToLuid(SE_PROF_SINGLE_PROCESS_PRIVILEGE); + SeCreatePermanentPrivilege = + RtlConvertLongToLuid(SE_CREATE_PERMANENT_PRIVILEGE); + SeBackupPrivilege = + RtlConvertLongToLuid(SE_BACKUP_PRIVILEGE); + SeRestorePrivilege = + RtlConvertLongToLuid(SE_RESTORE_PRIVILEGE); + SeShutdownPrivilege = + RtlConvertLongToLuid(SE_SHUTDOWN_PRIVILEGE); + SeDebugPrivilege = + RtlConvertLongToLuid(SE_DEBUG_PRIVILEGE); + SeAuditPrivilege = + RtlConvertLongToLuid(SE_AUDIT_PRIVILEGE); + SeSystemEnvironmentPrivilege = + RtlConvertLongToLuid(SE_SYSTEM_ENVIRONMENT_PRIVILEGE); + SeChangeNotifyPrivilege = + RtlConvertLongToLuid(SE_CHANGE_NOTIFY_PRIVILEGE); + SeRemoteShutdownPrivilege = + RtlConvertLongToLuid(SE_REMOTE_SHUTDOWN_PRIVILEGE); + + + + // + // Initialize the SeExports structure for exporting all + // of the information we've created out of the kernel. + // + + // + // Package these together for export + // + + + SepExports.SeNullSid = SeNullSid; + SepExports.SeWorldSid = SeWorldSid; + SepExports.SeLocalSid = SeLocalSid; + SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid; + SepExports.SeCreatorGroupSid = SeCreatorGroupSid; + + + SepExports.SeNtAuthoritySid = SeNtAuthoritySid; + SepExports.SeDialupSid = SeDialupSid; + SepExports.SeNetworkSid = SeNetworkSid; + SepExports.SeBatchSid = SeBatchSid; + SepExports.SeInteractiveSid = SeInteractiveSid; + SepExports.SeLocalSystemSid = SeLocalSystemSid; + SepExports.SeAliasAdminsSid = SeAliasAdminsSid; + SepExports.SeAliasUsersSid = SeAliasUsersSid; + SepExports.SeAliasGuestsSid = SeAliasGuestsSid; + SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid; + SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid; + SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid; + SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid; + SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid; + + + + SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege; + SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege; + SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege; + SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege; + SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege; + SepExports.SeTcbPrivilege = SeTcbPrivilege; + SepExports.SeSecurityPrivilege = SeSecurityPrivilege; + SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege; + SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege; + SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege; + SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege; + SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege; + SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege; + SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege; + SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege; + SepExports.SeBackupPrivilege = SeBackupPrivilege; + SepExports.SeRestorePrivilege = SeRestorePrivilege; + SepExports.SeShutdownPrivilege = SeShutdownPrivilege; + SepExports.SeDebugPrivilege = SeDebugPrivilege; + SepExports.SeAuditPrivilege = SeAuditPrivilege; + SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege; + SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege; + SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege; + + SeExports = &SepExports; + + // + // Initialize frequently used privilege sets to speed up access + // validation. + // + + SepInitializePrivilegeSets(); + + return TRUE; + +} + +VOID +SepInitSystemDacls( VOID ) +/*++ + +Routine Description: + + This function initializes the system's default dacls & security + descriptors. + +Arguments: + + None. + +Return Value: + + None. + + +--*/ +{ + + NTSTATUS + Status; + + ULONG + PublicLength, + SystemLength, + PublicOpenLength; + + + PAGED_CODE(); + + // + // Set up a default ACLs + // + // Public: WORLD:execute, SYSTEM:all, ADMINS:all + // Public Open: WORLD:(Read|Write|Execute), ADMINS:(all), SYSTEM:all + // System: SYSTEM:all, ADMINS:(read|execute|read_control) + + SystemLength = (ULONG)sizeof(ACL) + + (2*((ULONG)sizeof(ACCESS_ALLOWED_ACE))) + + SeLengthSid( SeLocalSystemSid ) + + SeLengthSid( SeAliasAdminsSid ) + + 8; // The 8 is just for good measure + + PublicLength = SystemLength + + ((ULONG)sizeof(ACCESS_ALLOWED_ACE)) + + SeLengthSid( SeWorldSid ); + + PublicOpenLength = PublicLength; + + + SePublicDefaultDacl = (PACL)ExAllocatePoolWithTag(PagedPool, PublicLength, 'cAeS'); + SePublicOpenDacl = (PACL)ExAllocatePoolWithTag(PagedPool, PublicOpenLength, 'cAeS'); + SeSystemDefaultDacl = (PACL)ExAllocatePoolWithTag(PagedPool, SystemLength, 'cAeS'); + ASSERT(SePublicDefaultDacl != NULL); + ASSERT(SePublicOpenDacl != NULL); + ASSERT(SeSystemDefaultDacl != NULL); + + + + Status = RtlCreateAcl( SePublicDefaultDacl, PublicLength, ACL_REVISION2); + ASSERT( NT_SUCCESS(Status) ); + Status = RtlCreateAcl( SePublicOpenDacl, PublicOpenLength, ACL_REVISION2); + ASSERT( NT_SUCCESS(Status) ); + Status = RtlCreateAcl( SeSystemDefaultDacl, SystemLength, ACL_REVISION2); + ASSERT( NT_SUCCESS(Status) ); + + + // + // WORLD access (Public DACLs only) + // + + Status = RtlAddAccessAllowedAce ( + SePublicDefaultDacl, + ACL_REVISION2, + GENERIC_EXECUTE, + SeWorldSid + ); + ASSERT( NT_SUCCESS(Status) ); + + + Status = RtlAddAccessAllowedAce ( + SePublicOpenDacl, + ACL_REVISION2, + (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE), + SeWorldSid + ); + ASSERT( NT_SUCCESS(Status) ); + + + + // + // SYSTEM access (PublicDefault, PublicOpen, and SystemDefault) + // + + + Status = RtlAddAccessAllowedAce ( + SePublicDefaultDacl, + ACL_REVISION2, + GENERIC_ALL, + SeLocalSystemSid + ); + ASSERT( NT_SUCCESS(Status) ); + + + Status = RtlAddAccessAllowedAce ( + SePublicOpenDacl, + ACL_REVISION2, + GENERIC_ALL, + SeLocalSystemSid + ); + ASSERT( NT_SUCCESS(Status) ); + + + Status = RtlAddAccessAllowedAce ( + SeSystemDefaultDacl, + ACL_REVISION2, + GENERIC_ALL, + SeLocalSystemSid + ); + ASSERT( NT_SUCCESS(Status) ); + + // + // ADMINISTRATORS access (PublicDefault, PublicOpen, and SystemDefault) + // + + Status = RtlAddAccessAllowedAce ( + SePublicDefaultDacl, + ACL_REVISION2, + GENERIC_ALL, + SeAliasAdminsSid + ); + ASSERT( NT_SUCCESS(Status) ); + + + Status = RtlAddAccessAllowedAce ( + SePublicOpenDacl, + ACL_REVISION2, + GENERIC_ALL, + SeAliasAdminsSid + ); + ASSERT( NT_SUCCESS(Status) ); + + + Status = RtlAddAccessAllowedAce ( + SeSystemDefaultDacl, + ACL_REVISION2, + GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL, + SeAliasAdminsSid + ); + ASSERT( NT_SUCCESS(Status) ); + + + + // + // Now initialize security descriptors + // that export this protection + // + + + SePublicDefaultSd = (PSECURITY_DESCRIPTOR)&SepPublicDefaultSd; + Status = RtlCreateSecurityDescriptor( + SePublicDefaultSd, + SECURITY_DESCRIPTOR_REVISION1 + ); + ASSERT( NT_SUCCESS(Status) ); + Status = RtlSetDaclSecurityDescriptor( + SePublicDefaultSd, + TRUE, // DaclPresent + SePublicDefaultDacl, + FALSE // DaclDefaulted + ); + ASSERT( NT_SUCCESS(Status) ); + + + SePublicOpenSd = (PSECURITY_DESCRIPTOR)&SepPublicOpenSd; + Status = RtlCreateSecurityDescriptor( + SePublicOpenSd, + SECURITY_DESCRIPTOR_REVISION1 + ); + ASSERT( NT_SUCCESS(Status) ); + Status = RtlSetDaclSecurityDescriptor( + SePublicOpenSd, + TRUE, // DaclPresent + SePublicOpenDacl, + FALSE // DaclDefaulted + ); + ASSERT( NT_SUCCESS(Status) ); + + + SeSystemDefaultSd = (PSECURITY_DESCRIPTOR)&SepSystemDefaultSd; + Status = RtlCreateSecurityDescriptor( + SeSystemDefaultSd, + SECURITY_DESCRIPTOR_REVISION1 + ); + ASSERT( NT_SUCCESS(Status) ); + Status = RtlSetDaclSecurityDescriptor( + SeSystemDefaultSd, + TRUE, // DaclPresent + SeSystemDefaultDacl, + FALSE // DaclDefaulted + ); + ASSERT( NT_SUCCESS(Status) ); + + + return; + +} + + +VOID +SepInitializePrivilegeSets( VOID ) +/*++ + +Routine Description: + + This routine is called once during system initialization to pre-allocate + and initialize some commonly used privilege sets. + +Arguments: + + None + +Return Value: + + None. + +--*/ +{ + PAGED_CODE(); + + SinglePrivilegeSetSize = sizeof( PRIVILEGE_SET ); + DoublePrivilegeSetSize = sizeof( PRIVILEGE_SET ) + + (ULONG)sizeof( LUID_AND_ATTRIBUTES ); + + SepSystemSecurityPrivilegeSet = ExAllocatePoolWithTag( PagedPool, SinglePrivilegeSetSize, 'rPeS' ); + SepTakeOwnershipPrivilegeSet = ExAllocatePoolWithTag( PagedPool, SinglePrivilegeSetSize, 'rPeS' ); + SepDoublePrivilegeSet = ExAllocatePoolWithTag( PagedPool, DoublePrivilegeSetSize, 'rPeS' ); + + SepSystemSecurityPrivilegeSet->PrivilegeCount = 1; + SepSystemSecurityPrivilegeSet->Control = 0; + SepSystemSecurityPrivilegeSet->Privilege[0].Luid = SeSecurityPrivilege; + SepSystemSecurityPrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS; + + SepTakeOwnershipPrivilegeSet->PrivilegeCount = 1; + SepTakeOwnershipPrivilegeSet->Control = 0; + SepTakeOwnershipPrivilegeSet->Privilege[0].Luid = SeTakeOwnershipPrivilege; + SepTakeOwnershipPrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS; + + SepDoublePrivilegeSet->PrivilegeCount = 2; + SepDoublePrivilegeSet->Control = 0; + + SepDoublePrivilegeSet->Privilege[0].Luid = SeSecurityPrivilege; + SepDoublePrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS; + + SepDoublePrivilegeSet->Privilege[1].Luid = SeTakeOwnershipPrivilege; + SepDoublePrivilegeSet->Privilege[1].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS; + +} + + + +VOID +SepAssemblePrivileges( + IN ULONG PrivilegeCount, + IN BOOLEAN SystemSecurity, + IN BOOLEAN WriteOwner, + OUT PPRIVILEGE_SET *Privileges + ) +/*++ + +Routine Description: + + This routine takes the results of the various privilege checks + in SeAccessCheck and returns an appropriate privilege set. + +Arguments: + + PrivilegeCount - The number of privileges granted. + + SystemSecurity - Provides a boolean indicating whether to put + SeSecurityPrivilege into the output privilege set. + + WriteOwner - Provides a boolean indicating whether to put + SeTakeOwnershipPrivilege into the output privilege set. + + Privileges - Supplies a pointer that will return the privilege + set. Should be freed with ExFreePool when no longer needed. + +Return Value: + + None. + +--*/ +{ + PPRIVILEGE_SET PrivilegeSet; + ULONG SizeRequired; + + PAGED_CODE(); + + ASSERT( (PrivilegeCount != 0) && (PrivilegeCount <= 2) ); + + if ( !ARGUMENT_PRESENT( Privileges ) ) { + return; + } + + if ( PrivilegeCount == 1 ) { + + SizeRequired = SinglePrivilegeSetSize; + + if ( SystemSecurity ) { + + PrivilegeSet = SepSystemSecurityPrivilegeSet; + + } else { + + ASSERT( WriteOwner ); + + PrivilegeSet = SepTakeOwnershipPrivilegeSet; + } + + } else { + + SizeRequired = DoublePrivilegeSetSize; + PrivilegeSet = SepDoublePrivilegeSet; + } + + *Privileges = ExAllocatePoolWithTag( PagedPool, SizeRequired, 'rPeS' ); + + if ( *Privileges != NULL ) { + + RtlMoveMemory ( + *Privileges, + PrivilegeSet, + SizeRequired + ); + } +} + + + + + +BOOLEAN +SepInitializeWorkList( + VOID + ) + +/*++ + +Routine Description: + + Initializes the mutex and list head used to queue work from the + Executive to LSA. This mechanism operates on top of the normal ExWorkerThread + mechanism by capturing the first thread to perform LSA work and keeping it + until all the current work is done. + + The reduces the number of worker threads that are blocked on I/O to LSA. + +Arguments: + + None. + + +Return Value: + + TRUE if successful, FALSE otherwise. + +--*/ + +{ + PAGED_CODE(); + + ExInitializeResource(&SepLsaQueueLock); + InitializeListHead(&SepLsaQueue); + return( TRUE ); +} |