summaryrefslogtreecommitdiffstats
path: root/private/ntos/se/seglobal.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--private/ntos/se/seglobal.c965
1 files changed, 965 insertions, 0 deletions
diff --git a/private/ntos/se/seglobal.c b/private/ntos/se/seglobal.c
new file mode 100644
index 000000000..1526aac8b
--- /dev/null
+++ b/private/ntos/se/seglobal.c
@@ -0,0 +1,965 @@
+/*++
+
+Copyright (c) 1989 Microsoft Corporation
+
+Module Name:
+
+ seglobal.c
+
+Abstract:
+
+ This module contains the global variables used and exported by the security
+ component.
+
+Author:
+
+ Jim Kelly (JimK) 5-Aug-1990
+
+Environment:
+
+ Kernel mode only.
+
+Revision History:
+
+
+--*/
+
+#include "sep.h"
+#include "adt.h"
+#include "seopaque.h"
+
+VOID
+SepInitializePrivilegeSets( VOID );
+
+
+VOID
+SepInitSystemDacls( VOID );
+
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(INIT,SepVariableInitialization)
+#pragma alloc_text(INIT,SepInitializePrivilegeSets)
+#pragma alloc_text(INIT,SepInitSystemDacls)
+#pragma alloc_text(INIT,SepInitializeWorkList)
+#pragma alloc_text(PAGE,SepAssemblePrivileges)
+#endif
+
+#ifdef SE_DIAGNOSTICS_ENABLED
+
+//
+// Used to control the active SE diagnostic support provided
+//
+
+ULONG SeGlobalFlag = 0;
+
+#endif // SE_DIAGNOSTICS_ENABLED
+
+
+
+////////////////////////////////////////////////////////////////////////
+// //
+// Global, READ ONLY, Security variables //
+// //
+////////////////////////////////////////////////////////////////////////
+
+//
+// Authentication ID and source name used for system processes
+//
+
+TOKEN_SOURCE SeSystemTokenSource = {"*SYSTEM*", 0};
+LUID SeSystemAuthenticationId = SYSTEM_LUID;
+
+
+//
+// Universal well known SIDs
+//
+
+PSID SeNullSid;
+PSID SeWorldSid;
+PSID SeLocalSid;
+PSID SeCreatorOwnerSid;
+PSID SeCreatorGroupSid;
+PSID SeCreatorGroupServerSid;
+PSID SeCreatorOwnerServerSid;
+
+//
+// Sids defined by NT
+//
+
+PSID SeNtAuthoritySid;
+
+PSID SeDialupSid;
+PSID SeNetworkSid;
+PSID SeBatchSid;
+PSID SeInteractiveSid;
+PSID SeServiceSid;
+PSID SeLocalSystemSid;
+PSID SeAliasAdminsSid;
+PSID SeAliasUsersSid;
+PSID SeAliasGuestsSid;
+PSID SeAliasPowerUsersSid;
+PSID SeAliasAccountOpsSid;
+PSID SeAliasSystemOpsSid;
+PSID SeAliasPrintOpsSid;
+PSID SeAliasBackupOpsSid;
+
+
+//
+// System default DACLs & Security Descriptors
+//
+// SePublicDefaultDacl - Protects objects so that WORLD:E, Admins:ALL, System: ALL.
+// Not inherited by sub-objects.
+//
+// SePublicOpenDacl - Protects so that WORLD can RWE and Admins: All.
+// Not inherited by sub-objects.
+//
+// SeSystemDefaultDacl - Protects objects so that SYSTEM & ADMIN can use them.
+// Not inherited by subobjects.
+//
+
+PSECURITY_DESCRIPTOR SePublicDefaultSd;
+SECURITY_DESCRIPTOR SepPublicDefaultSd;
+PSECURITY_DESCRIPTOR SePublicOpenSd;
+SECURITY_DESCRIPTOR SepPublicOpenSd;
+PSECURITY_DESCRIPTOR SeSystemDefaultSd;
+SECURITY_DESCRIPTOR SepSystemDefaultSd;
+
+PACL SePublicDefaultDacl;
+PACL SePublicOpenDacl;
+PACL SeSystemDefaultDacl;
+
+//
+// Sid of primary domain, and admin account in that domain
+//
+
+PSID SepPrimaryDomainSid;
+PSID SepPrimaryDomainAdminSid;
+
+
+
+//
+// Well known privilege values
+//
+
+
+LUID SeCreateTokenPrivilege;
+LUID SeAssignPrimaryTokenPrivilege;
+LUID SeLockMemoryPrivilege;
+LUID SeIncreaseQuotaPrivilege;
+LUID SeUnsolicitedInputPrivilege;
+LUID SeTcbPrivilege;
+LUID SeSecurityPrivilege;
+LUID SeTakeOwnershipPrivilege;
+LUID SeLoadDriverPrivilege;
+LUID SeCreatePagefilePrivilege;
+LUID SeIncreaseBasePriorityPrivilege;
+LUID SeSystemProfilePrivilege;
+LUID SeSystemtimePrivilege;
+LUID SeProfileSingleProcessPrivilege;
+LUID SeCreatePermanentPrivilege;
+LUID SeBackupPrivilege;
+LUID SeRestorePrivilege;
+LUID SeShutdownPrivilege;
+LUID SeDebugPrivilege;
+LUID SeAuditPrivilege;
+LUID SeSystemEnvironmentPrivilege;
+LUID SeChangeNotifyPrivilege;
+LUID SeRemoteShutdownPrivilege;
+
+
+//
+// Define the following structures for export from the kernel.
+// This will allow us to export pointers to these structures
+// rather than a pointer for each element in the structure.
+//
+
+PSE_EXPORTS SeExports;
+SE_EXPORTS SepExports;
+
+
+static SID_IDENTIFIER_AUTHORITY SepNullSidAuthority = SECURITY_NULL_SID_AUTHORITY;
+static SID_IDENTIFIER_AUTHORITY SepWorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;
+static SID_IDENTIFIER_AUTHORITY SepLocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY;
+static SID_IDENTIFIER_AUTHORITY SepCreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY;
+static SID_IDENTIFIER_AUTHORITY SepNtAuthority = SECURITY_NT_AUTHORITY;
+
+
+//
+// Some variables we are going to use to help speed up access
+// checking.
+//
+
+static ULONG SinglePrivilegeSetSize;
+static ULONG DoublePrivilegeSetSize;
+
+static PPRIVILEGE_SET SepSystemSecurityPrivilegeSet;
+static PPRIVILEGE_SET SepTakeOwnershipPrivilegeSet;
+static PPRIVILEGE_SET SepDoublePrivilegeSet;
+
+
+//
+// Array containing information describing what is to be audited
+//
+
+SE_AUDITING_STATE SeAuditingState[POLICY_AUDIT_EVENT_TYPE_COUNT] =
+ {
+ { FALSE, FALSE },
+ { FALSE, FALSE },
+ { FALSE, FALSE },
+ { FALSE, FALSE },
+ { FALSE, FALSE },
+ { FALSE, FALSE },
+ { FALSE, FALSE }
+ };
+
+//
+// Boolean indicating whether or not auditing is enabled for the system
+//
+
+BOOLEAN SepAdtAuditingEnabled = FALSE;
+
+//
+// Boolean to hold whether or not the user wants the system to crash when
+// an audit fails.
+//
+
+BOOLEAN SepCrashOnAuditFail = FALSE;
+
+//
+// Handle to the LSA process
+//
+
+HANDLE SepLsaHandle;
+
+//
+// Boolean indicating that we're auditing detailed events
+// such as process creation.
+//
+
+BOOLEAN SeDetailedAuditing = FALSE;
+
+UNICODE_STRING SeSubsystemName;
+
+
+//
+// Mutex protecting the queue of work being passed to LSA
+//
+
+ERESOURCE SepLsaQueueLock;
+
+//
+// Doubly linked list of work items queued to worker threads.
+//
+
+LIST_ENTRY SepLsaQueue;
+
+//
+// Count to tell us how long the queue gets in SepRmCallLsa
+//
+
+ULONG SepLsaQueueLength = 0;
+
+SEP_WORK_ITEM SepExWorkItem;
+
+
+
+////////////////////////////////////////////////////////////////////////
+// //
+// Variable Initialization Routines //
+// //
+////////////////////////////////////////////////////////////////////////
+
+BOOLEAN
+SepVariableInitialization()
+/*++
+
+Routine Description:
+
+ This function initializes the global variables used by and exposed
+ by security.
+
+Arguments:
+
+ None.
+
+Return Value:
+
+ TRUE if variables successfully initialized.
+ FALSE if not successfully initialized.
+
+--*/
+{
+
+ ULONG SidWithZeroSubAuthorities;
+ ULONG SidWithOneSubAuthority;
+ ULONG SidWithTwoSubAuthorities;
+ ULONG SidWithThreeSubAuthorities;
+
+ SID_IDENTIFIER_AUTHORITY NullSidAuthority;
+ SID_IDENTIFIER_AUTHORITY WorldSidAuthority;
+ SID_IDENTIFIER_AUTHORITY LocalSidAuthority;
+ SID_IDENTIFIER_AUTHORITY CreatorSidAuthority;
+ SID_IDENTIFIER_AUTHORITY SeNtAuthority;
+
+ PAGED_CODE();
+
+ NullSidAuthority = SepNullSidAuthority;
+ WorldSidAuthority = SepWorldSidAuthority;
+ LocalSidAuthority = SepLocalSidAuthority;
+ CreatorSidAuthority = SepCreatorSidAuthority;
+ SeNtAuthority = SepNtAuthority;
+
+
+ //
+ // The following SID sizes need to be allocated
+ //
+
+ SidWithZeroSubAuthorities = RtlLengthRequiredSid( 0 );
+ SidWithOneSubAuthority = RtlLengthRequiredSid( 1 );
+ SidWithTwoSubAuthorities = RtlLengthRequiredSid( 2 );
+ SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 );
+
+ //
+ // Allocate and initialize the universal SIDs
+ //
+
+ SeNullSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+ SeWorldSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+ SeLocalSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+ SeCreatorOwnerSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+ SeCreatorGroupSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+ SeCreatorOwnerServerSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+ SeCreatorGroupServerSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+
+ //
+ // Fail initialization if we didn't get enough memory for the universal
+ // SIDs.
+ //
+
+ if ( (SeNullSid == NULL) ||
+ (SeWorldSid == NULL) ||
+ (SeLocalSid == NULL) ||
+ (SeCreatorOwnerSid == NULL) ||
+ (SeCreatorGroupSid == NULL) ||
+ (SeCreatorOwnerServerSid == NULL ) ||
+ (SeCreatorGroupServerSid == NULL )
+ ) {
+
+ return( FALSE );
+ }
+
+ RtlInitializeSid( SeNullSid, &NullSidAuthority, 1 );
+ RtlInitializeSid( SeWorldSid, &WorldSidAuthority, 1 );
+ RtlInitializeSid( SeLocalSid, &LocalSidAuthority, 1 );
+ RtlInitializeSid( SeCreatorOwnerSid, &CreatorSidAuthority, 1 );
+ RtlInitializeSid( SeCreatorGroupSid, &CreatorSidAuthority, 1 );
+ RtlInitializeSid( SeCreatorOwnerServerSid, &CreatorSidAuthority, 1 );
+ RtlInitializeSid( SeCreatorGroupServerSid, &CreatorSidAuthority, 1 );
+
+ *(RtlSubAuthoritySid( SeNullSid, 0 )) = SECURITY_NULL_RID;
+ *(RtlSubAuthoritySid( SeWorldSid, 0 )) = SECURITY_WORLD_RID;
+ *(RtlSubAuthoritySid( SeLocalSid, 0 )) = SECURITY_LOCAL_RID;
+ *(RtlSubAuthoritySid( SeCreatorOwnerSid, 0 )) = SECURITY_CREATOR_OWNER_RID;
+ *(RtlSubAuthoritySid( SeCreatorGroupSid, 0 )) = SECURITY_CREATOR_GROUP_RID;
+ *(RtlSubAuthoritySid( SeCreatorOwnerServerSid, 0 )) = SECURITY_CREATOR_OWNER_SERVER_RID;
+ *(RtlSubAuthoritySid( SeCreatorGroupServerSid, 0 )) = SECURITY_CREATOR_GROUP_SERVER_RID;
+
+ //
+ // Allocate and initialize the NT defined SIDs
+ //
+
+ SeNtAuthoritySid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithZeroSubAuthorities,'iSeS');
+ SeDialupSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+ SeNetworkSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+ SeBatchSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+ SeInteractiveSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+ SeServiceSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+ SeLocalSystemSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithOneSubAuthority,'iSeS');
+
+ SeAliasAdminsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS');
+ SeAliasUsersSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS');
+ SeAliasGuestsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS');
+ SeAliasPowerUsersSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS');
+ SeAliasAccountOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS');
+ SeAliasSystemOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS');
+ SeAliasPrintOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS');
+ SeAliasBackupOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool,SidWithTwoSubAuthorities,'iSeS');
+
+ //
+ // Fail initialization if we didn't get enough memory for the NT SIDs.
+ //
+
+ if ( (SeNtAuthoritySid == NULL) ||
+ (SeDialupSid == NULL) ||
+ (SeNetworkSid == NULL) ||
+ (SeBatchSid == NULL) ||
+ (SeInteractiveSid == NULL) ||
+ (SeServiceSid == NULL) ||
+ (SeLocalSystemSid == NULL) ||
+ (SeAliasAdminsSid == NULL) ||
+ (SeAliasUsersSid == NULL) ||
+ (SeAliasGuestsSid == NULL) ||
+ (SeAliasPowerUsersSid == NULL) ||
+ (SeAliasAccountOpsSid == NULL) ||
+ (SeAliasSystemOpsSid == NULL) ||
+ (SeAliasPrintOpsSid == NULL) ||
+ (SeAliasBackupOpsSid == NULL)
+ ) {
+
+ return( FALSE );
+ }
+
+ RtlInitializeSid( SeNtAuthoritySid, &SeNtAuthority, 0 );
+ RtlInitializeSid( SeDialupSid, &SeNtAuthority, 1 );
+ RtlInitializeSid( SeNetworkSid, &SeNtAuthority, 1 );
+ RtlInitializeSid( SeBatchSid, &SeNtAuthority, 1 );
+ RtlInitializeSid( SeInteractiveSid, &SeNtAuthority, 1 );
+ RtlInitializeSid( SeServiceSid, &SeNtAuthority, 1 );
+ RtlInitializeSid( SeLocalSystemSid, &SeNtAuthority, 1 );
+
+ RtlInitializeSid( SeAliasAdminsSid, &SeNtAuthority, 2);
+ RtlInitializeSid( SeAliasUsersSid, &SeNtAuthority, 2);
+ RtlInitializeSid( SeAliasGuestsSid, &SeNtAuthority, 2);
+ RtlInitializeSid( SeAliasPowerUsersSid, &SeNtAuthority, 2);
+ RtlInitializeSid( SeAliasAccountOpsSid, &SeNtAuthority, 2);
+ RtlInitializeSid( SeAliasSystemOpsSid, &SeNtAuthority, 2);
+ RtlInitializeSid( SeAliasPrintOpsSid, &SeNtAuthority, 2);
+ RtlInitializeSid( SeAliasBackupOpsSid, &SeNtAuthority, 2);
+
+ *(RtlSubAuthoritySid( SeDialupSid, 0 )) = SECURITY_DIALUP_RID;
+ *(RtlSubAuthoritySid( SeNetworkSid, 0 )) = SECURITY_NETWORK_RID;
+ *(RtlSubAuthoritySid( SeBatchSid, 0 )) = SECURITY_BATCH_RID;
+ *(RtlSubAuthoritySid( SeInteractiveSid, 0 )) = SECURITY_INTERACTIVE_RID;
+ *(RtlSubAuthoritySid( SeServiceSid, 0 )) = SECURITY_SERVICE_RID;
+ *(RtlSubAuthoritySid( SeLocalSystemSid, 0 )) = SECURITY_LOCAL_SYSTEM_RID;
+
+
+ *(RtlSubAuthoritySid( SeAliasAdminsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
+ *(RtlSubAuthoritySid( SeAliasUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
+ *(RtlSubAuthoritySid( SeAliasGuestsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
+ *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
+ *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
+ *(RtlSubAuthoritySid( SeAliasSystemOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
+ *(RtlSubAuthoritySid( SeAliasPrintOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
+ *(RtlSubAuthoritySid( SeAliasBackupOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
+
+ *(RtlSubAuthoritySid( SeAliasAdminsSid, 1 )) = DOMAIN_ALIAS_RID_ADMINS;
+ *(RtlSubAuthoritySid( SeAliasUsersSid, 1 )) = DOMAIN_ALIAS_RID_USERS;
+ *(RtlSubAuthoritySid( SeAliasGuestsSid, 1 )) = DOMAIN_ALIAS_RID_GUESTS;
+ *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 1 )) = DOMAIN_ALIAS_RID_POWER_USERS;
+ *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 1 )) = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
+ *(RtlSubAuthoritySid( SeAliasSystemOpsSid, 1 )) = DOMAIN_ALIAS_RID_SYSTEM_OPS;
+ *(RtlSubAuthoritySid( SeAliasPrintOpsSid, 1 )) = DOMAIN_ALIAS_RID_PRINT_OPS;
+ *(RtlSubAuthoritySid( SeAliasBackupOpsSid, 1 )) = DOMAIN_ALIAS_RID_BACKUP_OPS;
+
+
+
+ //
+ // Initialize system default dacl
+ //
+
+ SepInitSystemDacls();
+
+
+ //
+ // Initialize the well known privilege values
+ //
+
+ SeCreateTokenPrivilege =
+ RtlConvertLongToLuid(SE_CREATE_TOKEN_PRIVILEGE);
+ SeAssignPrimaryTokenPrivilege =
+ RtlConvertLongToLuid(SE_ASSIGNPRIMARYTOKEN_PRIVILEGE);
+ SeLockMemoryPrivilege =
+ RtlConvertLongToLuid(SE_LOCK_MEMORY_PRIVILEGE);
+ SeIncreaseQuotaPrivilege =
+ RtlConvertLongToLuid(SE_INCREASE_QUOTA_PRIVILEGE);
+ SeUnsolicitedInputPrivilege =
+ RtlConvertLongToLuid(SE_UNSOLICITED_INPUT_PRIVILEGE);
+ SeTcbPrivilege =
+ RtlConvertLongToLuid(SE_TCB_PRIVILEGE);
+ SeSecurityPrivilege =
+ RtlConvertLongToLuid(SE_SECURITY_PRIVILEGE);
+ SeTakeOwnershipPrivilege =
+ RtlConvertLongToLuid(SE_TAKE_OWNERSHIP_PRIVILEGE);
+ SeLoadDriverPrivilege =
+ RtlConvertLongToLuid(SE_LOAD_DRIVER_PRIVILEGE);
+ SeCreatePagefilePrivilege =
+ RtlConvertLongToLuid(SE_CREATE_PAGEFILE_PRIVILEGE);
+ SeIncreaseBasePriorityPrivilege =
+ RtlConvertLongToLuid(SE_INC_BASE_PRIORITY_PRIVILEGE);
+ SeSystemProfilePrivilege =
+ RtlConvertLongToLuid(SE_SYSTEM_PROFILE_PRIVILEGE);
+ SeSystemtimePrivilege =
+ RtlConvertLongToLuid(SE_SYSTEMTIME_PRIVILEGE);
+ SeProfileSingleProcessPrivilege =
+ RtlConvertLongToLuid(SE_PROF_SINGLE_PROCESS_PRIVILEGE);
+ SeCreatePermanentPrivilege =
+ RtlConvertLongToLuid(SE_CREATE_PERMANENT_PRIVILEGE);
+ SeBackupPrivilege =
+ RtlConvertLongToLuid(SE_BACKUP_PRIVILEGE);
+ SeRestorePrivilege =
+ RtlConvertLongToLuid(SE_RESTORE_PRIVILEGE);
+ SeShutdownPrivilege =
+ RtlConvertLongToLuid(SE_SHUTDOWN_PRIVILEGE);
+ SeDebugPrivilege =
+ RtlConvertLongToLuid(SE_DEBUG_PRIVILEGE);
+ SeAuditPrivilege =
+ RtlConvertLongToLuid(SE_AUDIT_PRIVILEGE);
+ SeSystemEnvironmentPrivilege =
+ RtlConvertLongToLuid(SE_SYSTEM_ENVIRONMENT_PRIVILEGE);
+ SeChangeNotifyPrivilege =
+ RtlConvertLongToLuid(SE_CHANGE_NOTIFY_PRIVILEGE);
+ SeRemoteShutdownPrivilege =
+ RtlConvertLongToLuid(SE_REMOTE_SHUTDOWN_PRIVILEGE);
+
+
+
+ //
+ // Initialize the SeExports structure for exporting all
+ // of the information we've created out of the kernel.
+ //
+
+ //
+ // Package these together for export
+ //
+
+
+ SepExports.SeNullSid = SeNullSid;
+ SepExports.SeWorldSid = SeWorldSid;
+ SepExports.SeLocalSid = SeLocalSid;
+ SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
+ SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
+
+
+ SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
+ SepExports.SeDialupSid = SeDialupSid;
+ SepExports.SeNetworkSid = SeNetworkSid;
+ SepExports.SeBatchSid = SeBatchSid;
+ SepExports.SeInteractiveSid = SeInteractiveSid;
+ SepExports.SeLocalSystemSid = SeLocalSystemSid;
+ SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
+ SepExports.SeAliasUsersSid = SeAliasUsersSid;
+ SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
+ SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
+ SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
+ SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
+ SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
+ SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
+
+
+
+ SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
+ SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
+ SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
+ SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
+ SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
+ SepExports.SeTcbPrivilege = SeTcbPrivilege;
+ SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
+ SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
+ SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
+ SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
+ SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
+ SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
+ SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
+ SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
+ SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
+ SepExports.SeBackupPrivilege = SeBackupPrivilege;
+ SepExports.SeRestorePrivilege = SeRestorePrivilege;
+ SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
+ SepExports.SeDebugPrivilege = SeDebugPrivilege;
+ SepExports.SeAuditPrivilege = SeAuditPrivilege;
+ SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
+ SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
+ SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
+
+ SeExports = &SepExports;
+
+ //
+ // Initialize frequently used privilege sets to speed up access
+ // validation.
+ //
+
+ SepInitializePrivilegeSets();
+
+ return TRUE;
+
+}
+
+VOID
+SepInitSystemDacls( VOID )
+/*++
+
+Routine Description:
+
+ This function initializes the system's default dacls & security
+ descriptors.
+
+Arguments:
+
+ None.
+
+Return Value:
+
+ None.
+
+
+--*/
+{
+
+ NTSTATUS
+ Status;
+
+ ULONG
+ PublicLength,
+ SystemLength,
+ PublicOpenLength;
+
+
+ PAGED_CODE();
+
+ //
+ // Set up a default ACLs
+ //
+ // Public: WORLD:execute, SYSTEM:all, ADMINS:all
+ // Public Open: WORLD:(Read|Write|Execute), ADMINS:(all), SYSTEM:all
+ // System: SYSTEM:all, ADMINS:(read|execute|read_control)
+
+ SystemLength = (ULONG)sizeof(ACL) +
+ (2*((ULONG)sizeof(ACCESS_ALLOWED_ACE))) +
+ SeLengthSid( SeLocalSystemSid ) +
+ SeLengthSid( SeAliasAdminsSid ) +
+ 8; // The 8 is just for good measure
+
+ PublicLength = SystemLength +
+ ((ULONG)sizeof(ACCESS_ALLOWED_ACE)) +
+ SeLengthSid( SeWorldSid );
+
+ PublicOpenLength = PublicLength;
+
+
+ SePublicDefaultDacl = (PACL)ExAllocatePoolWithTag(PagedPool, PublicLength, 'cAeS');
+ SePublicOpenDacl = (PACL)ExAllocatePoolWithTag(PagedPool, PublicOpenLength, 'cAeS');
+ SeSystemDefaultDacl = (PACL)ExAllocatePoolWithTag(PagedPool, SystemLength, 'cAeS');
+ ASSERT(SePublicDefaultDacl != NULL);
+ ASSERT(SePublicOpenDacl != NULL);
+ ASSERT(SeSystemDefaultDacl != NULL);
+
+
+
+ Status = RtlCreateAcl( SePublicDefaultDacl, PublicLength, ACL_REVISION2);
+ ASSERT( NT_SUCCESS(Status) );
+ Status = RtlCreateAcl( SePublicOpenDacl, PublicOpenLength, ACL_REVISION2);
+ ASSERT( NT_SUCCESS(Status) );
+ Status = RtlCreateAcl( SeSystemDefaultDacl, SystemLength, ACL_REVISION2);
+ ASSERT( NT_SUCCESS(Status) );
+
+
+ //
+ // WORLD access (Public DACLs only)
+ //
+
+ Status = RtlAddAccessAllowedAce (
+ SePublicDefaultDacl,
+ ACL_REVISION2,
+ GENERIC_EXECUTE,
+ SeWorldSid
+ );
+ ASSERT( NT_SUCCESS(Status) );
+
+
+ Status = RtlAddAccessAllowedAce (
+ SePublicOpenDacl,
+ ACL_REVISION2,
+ (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE),
+ SeWorldSid
+ );
+ ASSERT( NT_SUCCESS(Status) );
+
+
+
+ //
+ // SYSTEM access (PublicDefault, PublicOpen, and SystemDefault)
+ //
+
+
+ Status = RtlAddAccessAllowedAce (
+ SePublicDefaultDacl,
+ ACL_REVISION2,
+ GENERIC_ALL,
+ SeLocalSystemSid
+ );
+ ASSERT( NT_SUCCESS(Status) );
+
+
+ Status = RtlAddAccessAllowedAce (
+ SePublicOpenDacl,
+ ACL_REVISION2,
+ GENERIC_ALL,
+ SeLocalSystemSid
+ );
+ ASSERT( NT_SUCCESS(Status) );
+
+
+ Status = RtlAddAccessAllowedAce (
+ SeSystemDefaultDacl,
+ ACL_REVISION2,
+ GENERIC_ALL,
+ SeLocalSystemSid
+ );
+ ASSERT( NT_SUCCESS(Status) );
+
+ //
+ // ADMINISTRATORS access (PublicDefault, PublicOpen, and SystemDefault)
+ //
+
+ Status = RtlAddAccessAllowedAce (
+ SePublicDefaultDacl,
+ ACL_REVISION2,
+ GENERIC_ALL,
+ SeAliasAdminsSid
+ );
+ ASSERT( NT_SUCCESS(Status) );
+
+
+ Status = RtlAddAccessAllowedAce (
+ SePublicOpenDacl,
+ ACL_REVISION2,
+ GENERIC_ALL,
+ SeAliasAdminsSid
+ );
+ ASSERT( NT_SUCCESS(Status) );
+
+
+ Status = RtlAddAccessAllowedAce (
+ SeSystemDefaultDacl,
+ ACL_REVISION2,
+ GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
+ SeAliasAdminsSid
+ );
+ ASSERT( NT_SUCCESS(Status) );
+
+
+
+ //
+ // Now initialize security descriptors
+ // that export this protection
+ //
+
+
+ SePublicDefaultSd = (PSECURITY_DESCRIPTOR)&SepPublicDefaultSd;
+ Status = RtlCreateSecurityDescriptor(
+ SePublicDefaultSd,
+ SECURITY_DESCRIPTOR_REVISION1
+ );
+ ASSERT( NT_SUCCESS(Status) );
+ Status = RtlSetDaclSecurityDescriptor(
+ SePublicDefaultSd,
+ TRUE, // DaclPresent
+ SePublicDefaultDacl,
+ FALSE // DaclDefaulted
+ );
+ ASSERT( NT_SUCCESS(Status) );
+
+
+ SePublicOpenSd = (PSECURITY_DESCRIPTOR)&SepPublicOpenSd;
+ Status = RtlCreateSecurityDescriptor(
+ SePublicOpenSd,
+ SECURITY_DESCRIPTOR_REVISION1
+ );
+ ASSERT( NT_SUCCESS(Status) );
+ Status = RtlSetDaclSecurityDescriptor(
+ SePublicOpenSd,
+ TRUE, // DaclPresent
+ SePublicOpenDacl,
+ FALSE // DaclDefaulted
+ );
+ ASSERT( NT_SUCCESS(Status) );
+
+
+ SeSystemDefaultSd = (PSECURITY_DESCRIPTOR)&SepSystemDefaultSd;
+ Status = RtlCreateSecurityDescriptor(
+ SeSystemDefaultSd,
+ SECURITY_DESCRIPTOR_REVISION1
+ );
+ ASSERT( NT_SUCCESS(Status) );
+ Status = RtlSetDaclSecurityDescriptor(
+ SeSystemDefaultSd,
+ TRUE, // DaclPresent
+ SeSystemDefaultDacl,
+ FALSE // DaclDefaulted
+ );
+ ASSERT( NT_SUCCESS(Status) );
+
+
+ return;
+
+}
+
+
+VOID
+SepInitializePrivilegeSets( VOID )
+/*++
+
+Routine Description:
+
+ This routine is called once during system initialization to pre-allocate
+ and initialize some commonly used privilege sets.
+
+Arguments:
+
+ None
+
+Return Value:
+
+ None.
+
+--*/
+{
+ PAGED_CODE();
+
+ SinglePrivilegeSetSize = sizeof( PRIVILEGE_SET );
+ DoublePrivilegeSetSize = sizeof( PRIVILEGE_SET ) +
+ (ULONG)sizeof( LUID_AND_ATTRIBUTES );
+
+ SepSystemSecurityPrivilegeSet = ExAllocatePoolWithTag( PagedPool, SinglePrivilegeSetSize, 'rPeS' );
+ SepTakeOwnershipPrivilegeSet = ExAllocatePoolWithTag( PagedPool, SinglePrivilegeSetSize, 'rPeS' );
+ SepDoublePrivilegeSet = ExAllocatePoolWithTag( PagedPool, DoublePrivilegeSetSize, 'rPeS' );
+
+ SepSystemSecurityPrivilegeSet->PrivilegeCount = 1;
+ SepSystemSecurityPrivilegeSet->Control = 0;
+ SepSystemSecurityPrivilegeSet->Privilege[0].Luid = SeSecurityPrivilege;
+ SepSystemSecurityPrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS;
+
+ SepTakeOwnershipPrivilegeSet->PrivilegeCount = 1;
+ SepTakeOwnershipPrivilegeSet->Control = 0;
+ SepTakeOwnershipPrivilegeSet->Privilege[0].Luid = SeTakeOwnershipPrivilege;
+ SepTakeOwnershipPrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS;
+
+ SepDoublePrivilegeSet->PrivilegeCount = 2;
+ SepDoublePrivilegeSet->Control = 0;
+
+ SepDoublePrivilegeSet->Privilege[0].Luid = SeSecurityPrivilege;
+ SepDoublePrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS;
+
+ SepDoublePrivilegeSet->Privilege[1].Luid = SeTakeOwnershipPrivilege;
+ SepDoublePrivilegeSet->Privilege[1].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS;
+
+}
+
+
+
+VOID
+SepAssemblePrivileges(
+ IN ULONG PrivilegeCount,
+ IN BOOLEAN SystemSecurity,
+ IN BOOLEAN WriteOwner,
+ OUT PPRIVILEGE_SET *Privileges
+ )
+/*++
+
+Routine Description:
+
+ This routine takes the results of the various privilege checks
+ in SeAccessCheck and returns an appropriate privilege set.
+
+Arguments:
+
+ PrivilegeCount - The number of privileges granted.
+
+ SystemSecurity - Provides a boolean indicating whether to put
+ SeSecurityPrivilege into the output privilege set.
+
+ WriteOwner - Provides a boolean indicating whether to put
+ SeTakeOwnershipPrivilege into the output privilege set.
+
+ Privileges - Supplies a pointer that will return the privilege
+ set. Should be freed with ExFreePool when no longer needed.
+
+Return Value:
+
+ None.
+
+--*/
+{
+ PPRIVILEGE_SET PrivilegeSet;
+ ULONG SizeRequired;
+
+ PAGED_CODE();
+
+ ASSERT( (PrivilegeCount != 0) && (PrivilegeCount <= 2) );
+
+ if ( !ARGUMENT_PRESENT( Privileges ) ) {
+ return;
+ }
+
+ if ( PrivilegeCount == 1 ) {
+
+ SizeRequired = SinglePrivilegeSetSize;
+
+ if ( SystemSecurity ) {
+
+ PrivilegeSet = SepSystemSecurityPrivilegeSet;
+
+ } else {
+
+ ASSERT( WriteOwner );
+
+ PrivilegeSet = SepTakeOwnershipPrivilegeSet;
+ }
+
+ } else {
+
+ SizeRequired = DoublePrivilegeSetSize;
+ PrivilegeSet = SepDoublePrivilegeSet;
+ }
+
+ *Privileges = ExAllocatePoolWithTag( PagedPool, SizeRequired, 'rPeS' );
+
+ if ( *Privileges != NULL ) {
+
+ RtlMoveMemory (
+ *Privileges,
+ PrivilegeSet,
+ SizeRequired
+ );
+ }
+}
+
+
+
+
+
+BOOLEAN
+SepInitializeWorkList(
+ VOID
+ )
+
+/*++
+
+Routine Description:
+
+ Initializes the mutex and list head used to queue work from the
+ Executive to LSA. This mechanism operates on top of the normal ExWorkerThread
+ mechanism by capturing the first thread to perform LSA work and keeping it
+ until all the current work is done.
+
+ The reduces the number of worker threads that are blocked on I/O to LSA.
+
+Arguments:
+
+ None.
+
+
+Return Value:
+
+ TRUE if successful, FALSE otherwise.
+
+--*/
+
+{
+ PAGED_CODE();
+
+ ExInitializeResource(&SepLsaQueueLock);
+ InitializeListHead(&SepLsaQueue);
+ return( TRUE );
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-24 21:41:20 +0200