
seinit.c

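/*++

Copyright (c) 1989  Microsoft Corporation

Module Name:

    seinit.c

Abstract:

    Executive security components Initialization.

Author:

    Jim Kelly (JimK) 10-May-1990

Revision History:

--*/

#include <nt.h>
#include "sep.h"
#include "tokenp.h"
#include "adt.h"
#include <string.h>

//
// Security Database Constants
//

#define SEP_INITIAL_KEY_COUNT 15
#define SEP_INITIAL_LEVEL_COUNT 6L

//
// All three routines are only called during system initialization, so
// they are placed in the INIT section.
//

#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT,SeInitSystem)
#pragma alloc_text(INIT,SepInitializationPhase0)
#pragma alloc_text(INIT,SepInitializationPhase1)
#endif

BOOLEAN
SeInitSystem( VOID )

/*++

Routine Description:

    Perform security related system initialization functions.

    Dispatches on the global InitializationPhase: phase 0 and phase 1
    each have their own routine.  Any other phase value is treated as a
    fatal error and bugchecks the system.

Arguments:

    None.

Return Value:

    TRUE - Initialization succeeded.

    FALSE - Initialization failed.

--*/

{
    PAGED_CODE();

    switch ( InitializationPhase ) {

    case 0 :
        return SepInitializationPhase0();
    case 1 :
        return SepInitializationPhase1();
    default:
        KeBugCheck(UNEXPECTED_INITIALIZATION_CALL);
    }

    //
    // Not reached: KeBugCheck does not return.  The return statement is
    // only here to silence the compiler warning.
    //

    return FALSE;
}


BOOLEAN
SepInitializationPhase0( VOID )

/*++

Routine Description:

    Perform phase 0 security initialization.

    This includes:

    - Initialize LUID allocation
    - Initialize security global variables
    - Initialize the reference monitor phase 0 state
    - Initialize the token object.
    - Initialize the security work queues
    - Initialize the necessary security components of the boot thread/process

    Each step is checked and the routine stops at the first failure.

Arguments:

    None.

Return Value:

    TRUE - Initialization was successful.

    FALSE - Initialization Failed.

--*/

{

    PAGED_CODE();

    //
    //  LUID allocation services are needed by security prior to phase 0
    //  Executive initialization.  So, LUID initialization is performed
    //  here
    //

    if (ExLuidInitialization() == FALSE) {
        KdPrint(("Security:  Locally Unique ID initialization failed.\n"));
        return FALSE;
    }

    //
    // Initialize security global variables
    //

    if (!SepVariableInitialization()) {
        KdPrint(("Security: Global variable initialization failed.\n"));
        return FALSE;
    }

    //
    // Perform Phase 0 Reference Monitor Initialization.
    //

    if (!SepRmInitPhase0()) {
        KdPrint(("Security: Ref Mon state initialization failed.\n"));
        return FALSE;
    }

    //
    // Initialize the token object type.
    //

    if (!SepTokenInitialization()) {
        KdPrint(("Security: Token object initialization failed.\n"));
        return FALSE;
    }

//    //
//    // Initialize auditing structures
//    //
//
//    if (!SepAdtInitializePhase0()) {
//        KdPrint(("Security: Auditing initialization failed.\n"));
//        return FALSE;
//    }
//
    //
    // NOTE: the phase 0 auditing call above is disabled; auditing
    // structures are initialized in phase 1 (SepAdtInitializePhase1).
    //

    //
    // Initialize the work queue spinlock, list head, and semaphore
    // for each of the work queues (used by the LSA worker thread).
    //

    if (!SepInitializeWorkList()) {
        KdPrint(("Security: Unable to initialize work queue\n"));
        return FALSE;
    }

    //
    // Initialize the security fields of the boot thread.  The boot
    // process runs with the system token and the boot thread is not
    // impersonating anyone.
    //

    PsGetCurrentProcess()->Token = SeMakeSystemToken();
    PsGetCurrentThread()->ImpersonationInfo = NULL;
    PsGetCurrentThread()->ActiveImpersonationInfo = FALSE;

    //
    // Fail initialization if the system token could not be created.
    //

    return ( PsGetCurrentProcess()->Token != NULL );
}


BOOLEAN
SepInitializationPhase1( VOID )

/*++

Routine Description:

    Perform phase 1 security initialization.

    This includes:

    - Create the anonymous logon token.

    - Create an object directory for security related objects.
      (\Security).

    - Create an event to be signalled after the LSA has initialized.
      (\Security\LSA_AUTHENTICATION_INITIALIZED)

    - Perform phase 1 auditing initialization.

    The ASSERTs of the original code are kept so that checked builds
    still stop at the point of failure.  In addition every status is
    tested at run time, because ASSERT compiles to nothing on free
    builds: without the run time test a failed directory creation would
    leave SecurityRoot uninitialized and then use it as a root directory
    handle, and a failed ACL construction would attach an unbuilt DACL
    to the \Security directory.

Arguments:

    None.

Return Value:

    TRUE - Initialization was successful.

    FALSE - Initialization Failed.

--*/

{

    NTSTATUS Status;
    STRING Name;
    UNICODE_STRING UnicodeName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    HANDLE SecurityRoot, TemporaryHandle;
    PSECURITY_DESCRIPTOR SD ;
    UCHAR SDBuffer[ SECURITY_DESCRIPTOR_MIN_LENGTH ];
    PACL Dacl ;
    ULONG DaclLength = 256;

    PAGED_CODE();

    //
    // Create the anonymous logon token.  As with the system token in
    // phase 0, a missing token fails initialization instead of leaving
    // a NULL global behind.
    //

    SeAnonymousLogonToken = SeMakeAnonymousLogonToken();
    ASSERT(SeAnonymousLogonToken != NULL);

    if (SeAnonymousLogonToken == NULL) {
        KdPrint(("Security: Anonymous logon token creation failed.\n"));
        return FALSE;
    }

    //
    // Create the security object directory.
    //

    RtlInitString( &Name, "\\Security" );
    Status = RtlAnsiStringToUnicodeString(
                 &UnicodeName,
                 &Name,
                 TRUE );
    ASSERT( NT_SUCCESS(Status) );

    if (!NT_SUCCESS(Status)) {
        return FALSE;
    }

    //
    // Build up the security descriptor
    //

    SD = (PSECURITY_DESCRIPTOR) SDBuffer ;

    Status = RtlCreateSecurityDescriptor( SD,
                                          SECURITY_DESCRIPTOR_REVISION );

    Dacl = ExAllocatePool(
                NonPagedPool,
                DaclLength );

    if ( !Dacl )
    {
        //
        // UnicodeName was allocated above; do not leak it.
        //

        RtlFreeUnicodeString( &UnicodeName );
        return FALSE ;
    }

    //
    // DACL for \Security:
    //
    //   Local System   - full directory access
    //   Administrators - query, traverse and read the security descriptor
    //   World          - traverse only
    //
    // Each step runs only if the previous one succeeded, so a failure
    // anywhere is caught by the single status test below.
    //

    if (NT_SUCCESS(Status)) {
        Status = RtlCreateAcl( Dacl, DaclLength, ACL_REVISION );
    }

    if (NT_SUCCESS(Status)) {
        Status = RtlAddAccessAllowedAce( Dacl,
                                         ACL_REVISION,
                                         DIRECTORY_ALL_ACCESS,
                                         SeLocalSystemSid );
    }

    if (NT_SUCCESS(Status)) {
        Status = RtlAddAccessAllowedAce( Dacl,
                                         ACL_REVISION,
                                         DIRECTORY_QUERY | DIRECTORY_TRAVERSE |
                                            READ_CONTROL,
                                         SeAliasAdminsSid );
    }

    if (NT_SUCCESS(Status)) {
        Status = RtlAddAccessAllowedAce( Dacl,
                                         ACL_REVISION,
                                         DIRECTORY_TRAVERSE,
                                         SeWorldSid );
    }

    if (NT_SUCCESS(Status)) {
        Status = RtlSetDaclSecurityDescriptor(
                     SD,
                     TRUE,
                     Dacl,
                     FALSE );
    }

    if (!NT_SUCCESS(Status)) {
        KdPrint(("Security: Security root descriptor construction failed.\n"));
        ExFreePool( Dacl );
        RtlFreeUnicodeString( &UnicodeName );
        return FALSE;
    }

    InitializeObjectAttributes(
        &ObjectAttributes,
        &UnicodeName,
        (OBJ_PERMANENT | OBJ_CASE_INSENSITIVE),
        NULL,
        SD
        );

    Status = NtCreateDirectoryObject(
                 &SecurityRoot,
                 DIRECTORY_ALL_ACCESS,
                 &ObjectAttributes
                 );
    RtlFreeUnicodeString( &UnicodeName );
    ASSERTMSG("Security root object directory creation failed.",NT_SUCCESS(Status));

    ExFreePool( Dacl );

    if (!NT_SUCCESS(Status)) {

        //
        // SecurityRoot is not valid here and must not be used or closed.
        //

        KdPrint(("Security: Security root object directory creation failed.\n"));
        return FALSE;
    }

    //
    // Create an event in the security directory.  It is protected by
    // SePublicDefaultSd, which is defined outside this file.
    //

    RtlInitString( &Name, "LSA_AUTHENTICATION_INITIALIZED" );
    Status = RtlAnsiStringToUnicodeString(
                 &UnicodeName,
                 &Name,
                 TRUE );
    ASSERT( NT_SUCCESS(Status) );

    if (!NT_SUCCESS(Status)) {
        (VOID) NtClose( SecurityRoot );
        return FALSE;
    }

    InitializeObjectAttributes(
        &ObjectAttributes,
        &UnicodeName,
        (OBJ_PERMANENT | OBJ_CASE_INSENSITIVE),
        SecurityRoot,
        SePublicDefaultSd
        );

    Status = NtCreateEvent(
                 &TemporaryHandle,
                 GENERIC_WRITE,
                 &ObjectAttributes,
                 NotificationEvent,
                 FALSE
                 );
    RtlFreeUnicodeString( &UnicodeName );
    ASSERTMSG("LSA Initialization Event Creation Failed.",NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status)) {

        //
        // TemporaryHandle is not valid here; only the directory handle
        // has to be released.
        //

        KdPrint(("Security: LSA Initialization Event Creation Failed.\n"));
        (VOID) NtClose( SecurityRoot );
        return FALSE;
    }

    //
    // Both objects are permanent, so the handles are no longer needed.
    // A failed close is reported on checked builds only.
    //

    Status = NtClose( SecurityRoot );
    ASSERTMSG("Security object directory handle closure Failed.",NT_SUCCESS(Status));
    Status = NtClose( TemporaryHandle );
    ASSERTMSG("LSA Initialization Event handle closure Failed.",NT_SUCCESS(Status));

    //
    // Initialize auditing structures
    //

    if (!SepAdtInitializePhase1()) {
        KdPrint(("Security: Auditing initialization failed.\n"));
        return FALSE;
    }


#ifndef SETEST

    return TRUE;

#else

    return SepDevelopmentTest();

#endif  //SETEST

}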
