Main Page | Class Hierarchy | Class List | File List | Class Members | File Members

se.h

Go to the documentation of this file.
00001 /*++ BUILD Version: 0011    // Increment this if a change has global effects
00002 
00003 Copyright (c) 1989  Microsoft Corporation
00004 
00005 Module Name:
00006 
00007     se.h
00008 
00009 Abstract:
00010 
00011     This module contains the Security routines that are only callable
00012     from kernel mode.
00013 
00014     This file is included by including "ntos.h".
00015 
00016 Author:
00017 
00018     Gary Kimura (GaryKi) 09-Mar-1989
00019 
00020 Revision History:
00021 
00022 
00023 
00024 --*/
00025 
00026 #ifndef _SE_
00027 #define _SE_
00028 
00029 
00030 
00032 //                                                                          //
00033 //  Kernel mode only data structures                                        //
00034 //  Opaque security data structures are defined in seopaque.h               //
00035 //                                                                          //
00037 
00038 // begin_ntddk begin_nthal begin_ntifs
00039 //
00040 //  Security operation codes
00041 //
00042 
00043 typedef enum _SECURITY_OPERATION_CODE {
00044     SetSecurityDescriptor,
00045     QuerySecurityDescriptor,
00046     DeleteSecurityDescriptor,
00047     AssignSecurityDescriptor
00048     } SECURITY_OPERATION_CODE, *PSECURITY_OPERATION_CODE;
00049 
00050 // end_ntddk end_nthal end_ntifs
00051 
00052 
00053 
00054 //
00055 //  Default security quota
00056 //
00057 //  This is the minimum amount of quota (in bytes) that will be
00058 //  charged for security information for an object that has
00059 //  security.
00060 //
00061 
00062 #define SE_DEFAULT_SECURITY_QUOTA   2048
00063 
00064 // begin_ntifs
00065 //
00066 // Token Flags
00067 //
00068 // Flags that may be defined in the TokenFlags field of the token object,
00069 // or in an ACCESS_STATE structure
00070 //
00071 
00072 #define TOKEN_HAS_TRAVERSE_PRIVILEGE    0x01
00073 #define TOKEN_HAS_BACKUP_PRIVILEGE      0x02
00074 #define TOKEN_HAS_RESTORE_PRIVILEGE     0x04
00075 #define TOKEN_HAS_ADMIN_GROUP           0x08
00076 #define TOKEN_IS_RESTRICTED             0x10
00077 
00078 // end_ntifs
00079 
00080 
00081 //
00082 // General flag
00083 //
00084 
00085 #define SE_BACKUP_PRIVILEGES_CHECKED    0x00000010
00086 
00087 
00088 
00089 
00090 // begin_ntddk begin_nthal begin_ntifs
00091 //
00092 //  Data structure used to capture subject security context
00093 //  for access validations and auditing.
00094 //
00095 //  THE FIELDS OF THIS DATA STRUCTURE SHOULD BE CONSIDERED OPAQUE
00096 //  BY ALL EXCEPT THE SECURITY ROUTINES.
00097 //
00098 
00099 typedef struct _SECURITY_SUBJECT_CONTEXT {
00100     PACCESS_TOKEN ClientToken;
00101     SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
00102     PACCESS_TOKEN PrimaryToken;
00103     PVOID ProcessAuditId;
00104     } SECURITY_SUBJECT_CONTEXT, *PSECURITY_SUBJECT_CONTEXT;
00105 
00106 // end_ntddk end_nthal end_ntifs
00107 //
00108 // where
00109 //
00110 //    ClientToken - optionally points to a token object being used by the
00111 //        subject's thread to impersonate a client.  If the subject's
00112 //        thread is not impersonating a client, this field is set to null.
00113 //        The token's reference count is incremented to count this field
00114 //        as an outstanding reference.
00115 //
00116 //    ImpersonationLevel - Contains the impersonation level of the subject's
00117 //        thread.  This field is only meaningful if the ClientToken field
00118 //        is not null.  This field over-rides any higher impersonation
00119 //        level value that might be in the client's token.
00120 //
00121 //    PrimaryToken - points the the subject's primary token.  The token's
00122 //        reference count is incremented to count this field value as an
00123 //        outstanding reference.
00124 //
00125 //    ProcessAuditId - Is an ID assigned to represent the subject's process.
00126 //        As an implementation detail, this is the process object's address.
00127 //        However, this field should not be treated as a pointer, and the
00128 //        reference count of the process object is not incremented to
00129 //        count it as an outstanding reference.
00130 //
00131 
00132 
00133 // begin_ntddk begin_nthal begin_ntifs
00135 //                                                                           //
00136 //                  ACCESS_STATE and related structures                      //
00137 //                                                                           //
00139 
00140 //
00141 //  Initial Privilege Set - Room for three privileges, which should
00142 //  be enough for most applications.  This structure exists so that
00143 //  it can be imbedded in an ACCESS_STATE structure.  Use PRIVILEGE_SET
00144 //  for all other references to Privilege sets.
00145 //
00146 
00147 #define INITIAL_PRIVILEGE_COUNT         3
00148 
00149 typedef struct _INITIAL_PRIVILEGE_SET {
00150     ULONG PrivilegeCount;
00151     ULONG Control;
00152     LUID_AND_ATTRIBUTES Privilege[INITIAL_PRIVILEGE_COUNT];
00153     } INITIAL_PRIVILEGE_SET, * PINITIAL_PRIVILEGE_SET;
00154 
00155 
00156 
00157 //
00158 // Combine the information that describes the state
00159 // of an access-in-progress into a single structure
00160 //
00161 
00162 
00163 typedef struct _ACCESS_STATE {
00164    LUID OperationID;
00165    BOOLEAN SecurityEvaluated;
00166    BOOLEAN GenerateAudit;
00167    BOOLEAN GenerateOnClose;
00168    BOOLEAN PrivilegesAllocated;
00169    ULONG Flags;
00170    ACCESS_MASK RemainingDesiredAccess;
00171    ACCESS_MASK PreviouslyGrantedAccess;
00172    ACCESS_MASK OriginalDesiredAccess;
00173    SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
00174    PSECURITY_DESCRIPTOR SecurityDescriptor;
00175    PVOID AuxData;
00176    union {
00177       INITIAL_PRIVILEGE_SET InitialPrivilegeSet;
00178       PRIVILEGE_SET PrivilegeSet;
00179       } Privileges;
00180 
00181    BOOLEAN AuditPrivileges;
00182    UNICODE_STRING ObjectName;
00183    UNICODE_STRING ObjectTypeName;
00184 
00185    } ACCESS_STATE, *PACCESS_STATE;
00186 
00187 // end_ntddk end_nthal end_ntifs
00188 
00189 /*
00190 where:
00191 
00192     OperationID - an LUID to identify the operation being performed.  This
00193         ID will be put in the audit log to allow non-contiguous operations
00194         on the same object to be associated with one another.
00195 
00196     SecurityEvaluated - a marker to be set by Parse Methods to indicate
00197         that security access checking and audit logging has been performed.
00198 
00199     Flags - Holds misc flags for reference during the access attempt.
00200 
00201     AuditHandleCreation - a flag set by SeOpenObjectAuditAlarm to indicate
00202         that auditing is to take place when the handle for the object
00203         is allocated.
00204 
00205     RemainingDesiredAccess - Access mask containing the access types that
00206         have not yet been granted.
00207 
00208     PreviouslyGrantedAccess - Access mask containing the access types that
00209         have been granted, one way or another (for example, a given access
00210         may be granted as a result of owning a privilege rather than being
00211         in an ACL.  A routine can check the privilege and mark the access
00212         as granted without doing a formal access check).
00213 
00214     SubjectSecurityContext - The subject's captured security context
00215 
00216     PrivilegesAllocated - Flag to indicate whether we have allocated
00217         space for the privilege set from pool memory, so it can be
00218         freed.
00219 
00220     SecurityDescriptor - Temporarily contains the security descriptor
00221        for the object being created between the time the user's
00222        security descriptor is captured and the time the security
00223        descriptor is passed to SeAssignSecurity.  NO ONE BUT
00224        SEASSIGNSECURITY SHOULD EVER LOOK IN THIS FIELD FOR AN
00225        OBJECT'S SECURITY DESCRIPTOR.
00226 
00227     AuxData - points to an auxillary data structure to be used for future
00228         expansion of the access state in an upwardly compatible way.  This
00229         field replaces the PrivilegesUsed pointer, which was for internal
00230         use only.
00231 
00232     Privileges - A set of privileges, some of which may have the
00233         UsedForAccess bit set.  If the pre-allocated number of privileges
00234         is not enough, we will allocate space from pool memory to allow
00235         for growth.
00236 
00237 */
00238 
00239 
00240 
00241 //*******************************************************************************
00242 //                                                                              *
00243 //  Since the AccessState structure is publically exposed to driver             *
00244 //  writers, this structure contains additional data added after NT 3.51.       *
00245 //                                                                              *
00246 //  Its contents must be accessed only through Se level interfaces,             *
00247 //  never directly by name.                                                     *
00248 //                                                                              *
00249 //  This structure is pointed to by the AuxData field of the AccessState.       *
00250 //  It is allocated by SeCreateAccessState and freed by SeDeleteAccessState.    *
00251 //                                                                              *
00252 //  DO NOT EXPOSE THIS STRUCTURE TO THE PUBLIC.                                 *
00253 //                                                                              *
00254 //*******************************************************************************
00255 
00256 
00257 typedef struct _AUX_ACCESS_DATA {
00258     PPRIVILEGE_SET PrivilegesUsed;
00259     GENERIC_MAPPING GenericMapping;
00260     ACCESS_MASK AccessesToAudit;
00261 } AUX_ACCESS_DATA, *PAUX_ACCESS_DATA;
00262 
00263 /*
00264 where:
00265 
00266     PrivilegesUsed - Points to the set of privileges used during the access
00267         validation.
00268 
00269     GenericMapping - Points to the generic mapping for the object being accessed.
00270         Normally this would be filled in with the generic mapping passed to
00271         SeCreateAccessState, but in the case of the IO system (which does not
00272         know the type of object being accessed until it parses the name),
00273         it must be filled in later.  See the discussion of the GenericMapping
00274         parameter in SeCreateAccessState for more details.
00275 
00276     AccessToAudit - Used as a temporary holding area for the access mask
00277         to put into the audit record.  This field is necessary because the
00278         access being put into the newly created handle may not be the ones
00279         we want to audit.  This occurs when a file is opened for read-only
00280         transacted mode, where a read only file is opened for write access.
00281         We don't want to audit the fact that we granted write access, since
00282         we really didn't, and customers would be confused to see the extra
00283         bit in the audit record.
00284 
00285 
00286 */
00287 
00288 
00289 
00290 //
00291 //  Structure describing whether or not a particular type of event
00292 //  is being audited
00293 //
00294 
00295 typedef struct _SE_AUDITING_STATE {
00296     BOOLEAN AuditOnSuccess;
00297     BOOLEAN AuditOnFailure;
00298 } SE_AUDITING_STATE, *PSE_AUDITING_STATE;
00299 
00300 
00301 
00302 
00303 typedef struct _SE_PROCESS_AUDIT_INFO {
00304     PEPROCESS Process;
00305     PEPROCESS Parent;
00306 } SE_PROCESS_AUDIT_INFO, *PSE_PROCESS_AUDIT_INFO;
00307 
00308 
00309 
00310 
00311 /************************************************************
00312 
00313                  WARNING WARNING WARNING
00314 
00315 
00316     Only add new fields to the end of this structure.
00317 
00318 
00319 *************************************************************/
00320 
00321 // begin_ntifs
00322 
00323 typedef struct _SE_EXPORTS {
00324 
00325     //
00326     // Privilege values
00327     //
00328 
00329     LUID    SeCreateTokenPrivilege;
00330     LUID    SeAssignPrimaryTokenPrivilege;
00331     LUID    SeLockMemoryPrivilege;
00332     LUID    SeIncreaseQuotaPrivilege;
00333     LUID    SeUnsolicitedInputPrivilege;
00334     LUID    SeTcbPrivilege;
00335     LUID    SeSecurityPrivilege;
00336     LUID    SeTakeOwnershipPrivilege;
00337     LUID    SeLoadDriverPrivilege;
00338     LUID    SeCreatePagefilePrivilege;
00339     LUID    SeIncreaseBasePriorityPrivilege;
00340     LUID    SeSystemProfilePrivilege;
00341     LUID    SeSystemtimePrivilege;
00342     LUID    SeProfileSingleProcessPrivilege;
00343     LUID    SeCreatePermanentPrivilege;
00344     LUID    SeBackupPrivilege;
00345     LUID    SeRestorePrivilege;
00346     LUID    SeShutdownPrivilege;
00347     LUID    SeDebugPrivilege;
00348     LUID    SeAuditPrivilege;
00349     LUID    SeSystemEnvironmentPrivilege;
00350     LUID    SeChangeNotifyPrivilege;
00351     LUID    SeRemoteShutdownPrivilege;
00352 
00353 
00354     //
00355     // Universally defined Sids
00356     //
00357 
00358 
00359     PSID  SeNullSid;
00360     PSID  SeWorldSid;
00361     PSID  SeLocalSid;
00362     PSID  SeCreatorOwnerSid;
00363     PSID  SeCreatorGroupSid;
00364 
00365 
00366     //
00367     // Nt defined Sids
00368     //
00369 
00370 
00371     PSID  SeNtAuthoritySid;
00372     PSID  SeDialupSid;
00373     PSID  SeNetworkSid;
00374     PSID  SeBatchSid;
00375     PSID  SeInteractiveSid;
00376     PSID  SeLocalSystemSid;
00377     PSID  SeAliasAdminsSid;
00378     PSID  SeAliasUsersSid;
00379     PSID  SeAliasGuestsSid;
00380     PSID  SeAliasPowerUsersSid;
00381     PSID  SeAliasAccountOpsSid;
00382     PSID  SeAliasSystemOpsSid;
00383     PSID  SeAliasPrintOpsSid;
00384     PSID  SeAliasBackupOpsSid;
00385 
00386     //
00387     // New Sids defined for NT5
00388     //
00389 
00390     PSID  SeAuthenticatedUsersSid;
00391 
00392     PSID  SeRestrictedSid;
00393     PSID  SeAnonymousLogonSid;
00394 
00395     //
00396     // New Privileges defined for NT5
00397     //
00398 
00399     LUID  SeUndockPrivilege;
00400     LUID  SeSyncAgentPrivilege;
00401     LUID  SeEnableDelegationPrivilege;
00402 
00403 } SE_EXPORTS, *PSE_EXPORTS;
00404 
00405 // end_ntifs
00406 
00407 /************************************************************
00408 
00409 
00410                  WARNING WARNING WARNING
00411 
00412 
00413     Only add new fields to the end of this structure.
00414 
00415 
00416 *************************************************************/
00417 
00418 
00419 
00420 // begin_ntifs
00422 //                                                                           //
00423 //              Logon session notification callback routines                 //
00424 //                                                                           //
00426 
00427 //
00428 //  These callback routines are used to notify file systems that have
00429 //  registered of logon sessions being terminated, so they can cleanup state
00430 //  associated with this logon session
00431 //
00432 
00433 typedef NTSTATUS
00434 (*PSE_LOGON_SESSION_TERMINATED_ROUTINE)(
00435     IN PLUID LogonId);
00436 
00437 // end_ntifs
00438 
00439 
00440 
00441 
00442 
00444 //                                                                           //
00445 //                  Exported Security Macro Definitions                      //
00446 //                                                                           //
00448 
00449 //++
00450 //
00451 //  ACCESS_MASK
00452 //  SeComputeDeniedAccesses(
00453 //      IN ACCESS_MASK GrantedAccess,
00454 //      IN ACCESS_MASK DesiredAccess
00455 //      );
00456 //
00457 //  Routine Description:
00458 //
00459 //      This routine generates an access mask containing those accesses
00460 //      requested by DesiredAccess that aren't granted by GrantedAccess.
00461 //      The result of this routine may be compared to 0 to determine
00462 //      if a DesiredAccess mask contains any accesses that have not
00463 //      been granted.
00464 //
00465 //      If the result IS ZERO, then all desired accesses have been granted.
00466 //
00467 //  Arguments:
00468 //
00469 //      GrantedAccess - Specifies the granted access mask.
00470 //
00471 //      DesiredAccess - Specifies the desired access mask.
00472 //
00473 //  Return Value:
00474 //
00475 //      An ACCESS_MASK containing the desired accesses that have
00476 //      not been granted.
00477 //
00478 //--
00479 
00480 #define SeComputeDeniedAccesses( GrantedAccess, DesiredAccess ) \
00481     ((~(GrantedAccess)) & (DesiredAccess) )
00482 
00483 
00484 //++
00485 //
00486 //  BOOLEAN
00487 //  SeComputeGrantedAccesses(
00488 //      IN ACCESS_MASK GrantedAccess,
00489 //      IN ACCESS_MASK DesiredAccess
00490 //      );
00491 //
00492 //  Routine Description:
00493 //
00494 //      This routine generates an access mask containing acccesses
00495 //      requested by DesiredAccess that are granted by GrantedAccess.
00496 //      The result of this routine may be compared to 0 to determine
00497 //      if any desired accesses have been granted.
00498 //
00499 //      If the result IS NON-ZERO, then at least one desired accesses
00500 //      has been granted.
00501 //
00502 //  Arguments:
00503 //
00504 //      GrantedAccess - Specifies the granted access mask.
00505 //
00506 //      DesiredAccess - Specifies the desired access mask.
00507 //
00508 //  Return Value:
00509 //
00510 //      This routine returns TRUE if the DesiredAccess mask does specifies
00511 //      any bits that are set in the GrantedAccess mask.
00512 //
00513 //--
00514 
00515 #define SeComputeGrantedAccesses( GrantedAccess, DesiredAccess ) \
00516     ((GrantedAccess) & (DesiredAccess) )
00517 
00518 
00519 //++
00520 //
00521 //  ULONG
00522 //  SeLengthSid(
00523 //      IN PSID Sid
00524 //      );
00525 //
00526 //  Routine Description:
00527 //
00528 //      This routine computes the length of a SID.
00529 //
00530 //  Arguments:
00531 //
00532 //      Sid - Points to the SID whose length is to be returned.
00533 //
00534 //  Return Value:
00535 //
00536 //      The length, in bytes of the SID.
00537 //
00538 //--
00539 
00540 #define SeLengthSid( Sid ) \
00541     (8 + (4 * ((SID *)Sid)->SubAuthorityCount))
00542 
00543 
00544 //++
00545 //  BOOLEAN
00546 //  SeSameToken (
00547 //      IN PTOKEN_CONTROL TokenControl1,
00548 //      IN PTOKEN_CONTROL TokenControl2
00549 //      )
00550 //
00551 //
00552 //  Routine Description:
00553 //
00554 //      This routine returns a boolean value indicating whether the two
00555 //      token control values represent the same token.  The token may
00556 //      have changed over time, but must have the same authentication ID
00557 //      and token ID.  A value of TRUE indicates they
00558 //      are equal.  A value of FALSE indicates they are not equal.
00559 //
00560 //
00561 //
00562 //  Arguments:
00563 //
00564 //      TokenControl1 - Points to a token control to compare.
00565 //
00566 //      TokenControl2 - Points to the other token control to compare.
00567 //
00568 //  Return Value:
00569 //
00570 //      TRUE => The token control values represent the same token.
00571 //
00572 //      FALSE => The token control values do not represent the same token.
00573 //
00574 //
00575 //--
00576 
00577 #define SeSameToken(TC1,TC2)  (                                               \
00578         ((TC1)->TokenId.HighPart == (TC2)->TokenId.HighPart)               && \
00579         ((TC1)->TokenId.LowPart  == (TC2)->TokenId.LowPart)                && \
00580         (RtlEqualLuid(&(TC1)->AuthenticationId,&(TC2)->AuthenticationId))     \
00581         )
00582 
00583 
00584 // begin_ntifs
00585 //
00586 //VOID
00587 //SeDeleteClientSecurity(
00588 //    IN PSECURITY_CLIENT_CONTEXT ClientContext
00589 //    )
00590 //
00592 //
00593 //Routine Description:
00594 //
00595 //    This service deletes a client security context block,
00596 //    performing whatever cleanup might be necessary to do so.  In
00597 //    particular, reference to any client token is removed.
00598 //
00599 //Arguments:
00600 //
00601 //    ClientContext - Points to the client security context block to be
00602 //        deleted.
00603 //
00604 //
00605 //Return Value:
00606 //
00607 //
00608 //
00609 //--*/
00610 //--
00611 
00612 #define SeDeleteClientSecurity(C)  {                                           \
00613             if (SeTokenType((C)->ClientToken) == TokenPrimary) {               \
00614                 PsDereferencePrimaryToken( (C)->ClientToken );                 \
00615             } else {                                                           \
00616                 PsDereferenceImpersonationToken( (C)->ClientToken );           \
00617             }                                                                  \
00618         }
00619 
00620 // end_ntifs
00621 
00622 //++
00623 //VOID
00624 //SeStopImpersonatingClient()
00625 //
00627 //
00628 //Routine Description:
00629 //
00630 //    This service is used to stop impersonating a client using an
00631 //    impersonation token.  This service must be called in the context
00632 //    of the server thread which wishes to stop impersonating its
00633 //    client.
00634 //
00635 //
00636 //Arguments:
00637 //
00638 //    None.
00639 //
00640 //Return Value:
00641 //
00642 //    None.
00643 //
00644 //--*/
00645 //--
00646 
00647 #define SeStopImpersonatingClient() PsRevertToSelf()
00648 
00649 
00650 #define SeAssertMappedCanonicalAccess( AccessMask )                  \
00651     ASSERT(!( ( AccessMask ) &                                       \
00652             ( GENERIC_READ        |                                  \
00653               GENERIC_WRITE       |                                  \
00654               GENERIC_EXECUTE     |                                  \
00655               GENERIC_ALL ))                                         \
00656           )
00657 /*++
00658 
00659 Routine Description:
00660 
00661     This routine asserts that the given AccessMask does not contain
00662     any generic access types.
00663 
00664 Arguments:
00665 
00666     AccessMask - The access mask to be checked.
00667 
00668 Return Value:
00669 
00670     None, or doesn't return.
00671 
00672 --*/
00673 
00674 
00675 
00676 #define SeComputeSecurityQuota( Size )                                 \
00677     (                                                                  \
00678        ((( Size ) * 2 )  > SE_DEFAULT_SECURITY_QUOTA) ?                \
00679                     (( Size ) * 2 ) : SE_DEFAULT_SECURITY_QUOTA        \
00680     )
00681 
00682 /*++
00683 
00684 Routine Description:
00685 
00686     This macro computes the amount of quota to charge for
00687     security information.
00688 
00689     The current algorithm is to use the larger of twice the size
00690     of the Group + Dacl information being applied and the default as
00691     specified by SE_DEFAULT_SECURITY_QUOTA.
00692 
00693 Arguments:
00694 
00695     Size - The size in bytes of the Group + Dacl information being applied
00696         to the object.
00697 
00698 Return Value:
00699 
00700     The size in bytes to charge for security information on this object.
00701 
00702 --*/
00703 
00704 // begin_ntifs
00705 
00706 //++
00707 //
00708 //  PACCESS_TOKEN
00709 //  SeQuerySubjectContextToken(
00710 //      IN PSECURITY_SUBJECT_CONTEXT SubjectContext
00711 //      );
00712 //
00713 //  Routine Description:
00714 //
00715 //      This routine returns the effective token from the subject context,
00716 //      either the client token, if present, or the process token.
00717 //
00718 //  Arguments:
00719 //
00720 //      SubjectContext - Context to query
00721 //
00722 //  Return Value:
00723 //
00724 //      This routine returns the PACCESS_TOKEN for the effective token.
00725 //      The pointer may be passed to SeQueryInformationToken.  This routine
00726 //      does not affect the lock status of the token, i.e. the token is not
00727 //      locked.  If the SubjectContext has been locked, the token remains locked,
00728 //      if not, the token remains unlocked.
00729 //
00730 //--
00731 
00732 #define SeQuerySubjectContextToken( SubjectContext ) \
00733         ( ARGUMENT_PRESENT( ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken) ? \
00734             ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken : \
00735             ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->PrimaryToken )
00736 
00737 // end_ntifs
00738 
00739 
00740 
00741 
00742 
00744 //                                                                           //
00745 //  Define the exported procedures that are callable only from kernel mode   //
00746 //                                                                           //
00748 
00749 BOOLEAN
00750 SeInitSystem( VOID );
00751 
00752 VOID
00753 SeSetSecurityAccessMask(
00754     IN SECURITY_INFORMATION SecurityInformation,
00755     OUT PACCESS_MASK DesiredAccess
00756     );
00757 
00758 VOID
00759 SeQuerySecurityAccessMask(
00760     IN SECURITY_INFORMATION SecurityInformation,
00761     OUT PACCESS_MASK DesiredAccess
00762     );
00763 
00764 
00765 NTSTATUS
00766 SeDefaultObjectMethod (
00767     IN PVOID Object,
00768     IN SECURITY_OPERATION_CODE OperationCode,
00769     IN PSECURITY_INFORMATION SecurityInformation,
00770     IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
00771     IN OUT PULONG Length,
00772     IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
00773     IN POOL_TYPE PoolType,
00774     IN PGENERIC_MAPPING GenericMapping
00775     );
00776 
00777 
00778 NTKERNELAPI
00779 NTSTATUS
00780 SeCaptureSecurityDescriptor (
00781     IN PSECURITY_DESCRIPTOR InputSecurityDescriptor,
00782     IN KPROCESSOR_MODE RequestorMode,
00783     IN POOL_TYPE PoolType,
00784     IN BOOLEAN ForceCapture,
00785     OUT PSECURITY_DESCRIPTOR *OutputSecurityDescriptor
00786     );
00787 
00788 NTKERNELAPI
00789 VOID
00790 SeReleaseSecurityDescriptor (
00791     IN PSECURITY_DESCRIPTOR CapturedSecurityDescriptor,
00792     IN KPROCESSOR_MODE RequestorMode,
00793     IN BOOLEAN ForceCapture
00794     );
00795 
00796 // begin_ntifs
00797 
00798 NTKERNELAPI
00799 VOID
00800 SeCaptureSubjectContext (
00801     OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
00802     );
00803 
00804 NTKERNELAPI
00805 VOID
00806 SeLockSubjectContext(
00807     IN PSECURITY_SUBJECT_CONTEXT SubjectContext
00808     );
00809 
00810 NTKERNELAPI
00811 VOID
00812 SeUnlockSubjectContext(
00813     IN PSECURITY_SUBJECT_CONTEXT SubjectContext
00814     );
00815 
00816 NTKERNELAPI
00817 VOID
00818 SeReleaseSubjectContext (
00819     IN PSECURITY_SUBJECT_CONTEXT SubjectContext
00820     );
00821 
00822 // end_ntifs
00823 
00824 NTSTATUS
00825 SeCaptureSecurityQos (
00826     IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
00827     IN KPROCESSOR_MODE RequestorMode,
00828     IN PBOOLEAN SecurityQosPresent,
00829     IN PSECURITY_ADVANCED_QUALITY_OF_SERVICE CapturedSecurityQos
00830     );
00831 
00832 VOID
00833 SeFreeCapturedSecurityQos(
00834     IN PVOID SecurityQos
00835     );
00836 
00837 NTSTATUS
00838 SeCaptureSid (
00839     IN PSID InputSid,
00840     IN KPROCESSOR_MODE RequestorMode,
00841     IN PVOID CaptureBuffer OPTIONAL,
00842     IN ULONG CaptureBufferLength,
00843     IN POOL_TYPE PoolType,
00844     IN BOOLEAN ForceCapture,
00845     OUT PSID *CapturedSid
00846     );
00847 
00848 
00849 VOID
00850 SeReleaseSid (
00851     IN PSID CapturedSid,
00852     IN KPROCESSOR_MODE RequestorMode,
00853     IN BOOLEAN ForceCapture
00854     );
00855 
00856 
00857 NTSTATUS
00858 SeCaptureAcl (
00859     IN PACL InputAcl,
00860     IN KPROCESSOR_MODE RequestorMode,
00861     IN PVOID CaptureBuffer OPTIONAL,
00862     IN ULONG CaptureBufferLength,
00863     IN POOL_TYPE PoolType,
00864     IN BOOLEAN ForceCapture,
00865     OUT PACL *CapturedAcl,
00866     OUT PULONG AlignedAclSize
00867     );
00868 
00869 
00870 VOID
00871 SeReleaseAcl (
00872     IN PACL CapturedAcl,
00873     IN KPROCESSOR_MODE RequestorMode,
00874     IN BOOLEAN ForceCapture
00875     );
00876 
00877 
00878 NTSTATUS
00879 SeCaptureLuidAndAttributesArray (
00880     IN PLUID_AND_ATTRIBUTES InputArray,
00881     IN ULONG ArrayCount,
00882     IN KPROCESSOR_MODE RequestorMode,
00883     IN PVOID CaptureBuffer OPTIONAL,
00884     IN ULONG CaptureBufferLength,
00885     IN POOL_TYPE PoolType,
00886     IN BOOLEAN ForceCapture,
00887     OUT PLUID_AND_ATTRIBUTES *CapturedArray,
00888     OUT PULONG AlignedArraySize
00889     );
00890 
00891 
00892 
00893 VOID
00894 SeReleaseLuidAndAttributesArray (
00895     IN PLUID_AND_ATTRIBUTES CapturedArray,
00896     IN KPROCESSOR_MODE RequestorMode,
00897     IN BOOLEAN ForceCapture
00898     );
00899 
00900 
00901 
00902 NTSTATUS
00903 SeCaptureSidAndAttributesArray (
00904     IN PSID_AND_ATTRIBUTES InputArray,
00905     IN ULONG ArrayCount,
00906     IN KPROCESSOR_MODE RequestorMode,
00907     IN PVOID CaptureBuffer OPTIONAL,
00908     IN ULONG CaptureBufferLength,
00909     IN POOL_TYPE PoolType,
00910     IN BOOLEAN ForceCapture,
00911     OUT PSID_AND_ATTRIBUTES *CapturedArray,
00912     OUT PULONG AlignedArraySize
00913     );
00914 
00915 
00916 VOID
00917 SeReleaseSidAndAttributesArray (
00918     IN PSID_AND_ATTRIBUTES CapturedArray,
00919     IN KPROCESSOR_MODE RequestorMode,
00920     IN BOOLEAN ForceCapture
00921     );
00922 
00923 // begin_ntddk begin_ntifs
00924 
00925 NTKERNELAPI
00926 NTSTATUS
00927 SeAssignSecurity (
00928     IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
00929     IN PSECURITY_DESCRIPTOR ExplicitDescriptor,
00930     OUT PSECURITY_DESCRIPTOR *NewDescriptor,
00931     IN BOOLEAN IsDirectoryObject,
00932     IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
00933     IN PGENERIC_MAPPING GenericMapping,
00934     IN POOL_TYPE PoolType
00935     );
00936 
00937 NTKERNELAPI
00938 NTSTATUS
00939 SeAssignSecurityEx (
00940     IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
00941     IN PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL,
00942     OUT PSECURITY_DESCRIPTOR *NewDescriptor,
00943     IN GUID *ObjectType OPTIONAL,
00944     IN BOOLEAN IsDirectoryObject,
00945     IN ULONG AutoInheritFlags,
00946     IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
00947     IN PGENERIC_MAPPING GenericMapping,
00948     IN POOL_TYPE PoolType
00949     );
00950 
00951 NTKERNELAPI
00952 NTSTATUS
00953 SeDeassignSecurity (
00954     IN OUT PSECURITY_DESCRIPTOR *SecurityDescriptor
00955     );
00956 
00957 NTKERNELAPI
00958 BOOLEAN
00959 SeAccessCheck (
00960     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
00961     IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
00962     IN BOOLEAN SubjectContextLocked,
00963     IN ACCESS_MASK DesiredAccess,
00964     IN ACCESS_MASK PreviouslyGrantedAccess,
00965     OUT PPRIVILEGE_SET *Privileges OPTIONAL,
00966     IN PGENERIC_MAPPING GenericMapping,
00967     IN KPROCESSOR_MODE AccessMode,
00968     OUT PACCESS_MASK GrantedAccess,
00969     OUT PNTSTATUS AccessStatus
00970     );
00971 
00972 // end_ntddk end_ntifs
00973 
00974 BOOLEAN
00975 SeProxyAccessCheck (
00976     IN PUNICODE_STRING Volume,
00977     IN PUNICODE_STRING RelativePath,
00978     IN BOOLEAN ContainerObject,
00979     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
00980     IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
00981     IN BOOLEAN SubjectContextLocked,
00982     IN ACCESS_MASK DesiredAccess,
00983     IN ACCESS_MASK PreviouslyGrantedAccess,
00984     OUT PPRIVILEGE_SET *Privileges OPTIONAL,
00985     IN PGENERIC_MAPPING GenericMapping,
00986     IN KPROCESSOR_MODE AccessMode,
00987     OUT PACCESS_MASK GrantedAccess,
00988     OUT PNTSTATUS AccessStatus
00989     );
00990 
00991 // begin_ntifs
00992 
00993 NTKERNELAPI
00994 BOOLEAN
00995 SePrivilegeCheck(
00996     IN OUT PPRIVILEGE_SET RequiredPrivileges,
00997     IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
00998     IN KPROCESSOR_MODE AccessMode
00999     );
01000 
01001 NTKERNELAPI
01002 VOID
01003 SeFreePrivileges(
01004     IN PPRIVILEGE_SET Privileges
01005     );
01006 
01007 // end_ntifs
01008 
01009 NTSTATUS
01010 SePrivilegePolicyCheck(
01011     IN OUT PACCESS_MASK RemainingDesiredAccess,
01012     IN OUT PACCESS_MASK PreviouslyGrantedAccess,
01013     IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext OPTIONAL,
01014     IN PACCESS_TOKEN Token OPTIONAL,
01015     OUT PPRIVILEGE_SET *PrivilegeSet,
01016     IN KPROCESSOR_MODE PreviousMode
01017     );
01018 
01019 VOID
01020 SeGenerateMessage (
01021     IN PSTRING ObjectName,
01022     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
01023     IN PACCESS_TOKEN Token,
01024     IN ACCESS_MASK DesiredAccess,
01025     IN BOOLEAN AccessGranted,
01026     IN HANDLE AuditPort,
01027     IN HANDLE AlarmPort,
01028     IN KPROCESSOR_MODE AccessMode
01029     );
01030 
01031 // begin_ntifs
01032 
01033 NTKERNELAPI
01034 VOID
01035 SeOpenObjectAuditAlarm (
01036     IN PUNICODE_STRING ObjectTypeName,
01037     IN PVOID Object OPTIONAL,
01038     IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
01039     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
01040     IN PACCESS_STATE AccessState,
01041     IN BOOLEAN ObjectCreated,
01042     IN BOOLEAN AccessGranted,
01043     IN KPROCESSOR_MODE AccessMode,
01044     OUT PBOOLEAN GenerateOnClose
01045     );
01046 
01047 NTKERNELAPI
01048 VOID
01049 SeOpenObjectForDeleteAuditAlarm (
01050     IN PUNICODE_STRING ObjectTypeName,
01051     IN PVOID Object OPTIONAL,
01052     IN PUNICODE_STRING AbsoluteObjectName OPTIONAL,
01053     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
01054     IN PACCESS_STATE AccessState,
01055     IN BOOLEAN ObjectCreated,
01056     IN BOOLEAN AccessGranted,
01057     IN KPROCESSOR_MODE AccessMode,
01058     OUT PBOOLEAN GenerateOnClose
01059     );
01060 
01061 VOID
01062 SeDeleteObjectAuditAlarm(
01063     IN PVOID Object,
01064     IN HANDLE Handle
01065     );
01066 
01067 
01068 // end_ntifs
01069 
01070 VOID
01071 SeCloseObjectAuditAlarm(
01072     IN PVOID Object,
01073     IN HANDLE Handle,
01074     IN BOOLEAN GenerateOnClose
01075     );
01076 
01077 VOID
01078 SeTraverseAuditAlarm(
01079     IN PLUID OperationID,
01080     IN PVOID DirectoryObject,
01081     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
01082     IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
01083     IN BOOLEAN SubjectContextLocked,
01084     IN ACCESS_MASK TraverseAccess,
01085     IN PPRIVILEGE_SET Privileges OPTIONAL,
01086     IN BOOLEAN AccessGranted,
01087     IN KPROCESSOR_MODE AccessMode
01088     );
01089 
01090 VOID
01091 SeCreateInstanceAuditAlarm(
01092     IN PLUID OperationID OPTIONAL,
01093     IN PVOID Object,
01094     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
01095     IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
01096     IN ACCESS_MASK DesiredAccess,
01097     IN PPRIVILEGE_SET Privileges OPTIONAL,
01098     IN BOOLEAN AccessGranted,
01099     IN KPROCESSOR_MODE AccessMode
01100     );
01101 
01102 VOID
01103 SeCreateObjectAuditAlarm(
01104     IN PLUID OperationID OPTIONAL,
01105     IN PVOID Object,
01106     IN PUNICODE_STRING ComponentName,
01107     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
01108     IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
01109     IN ACCESS_MASK DesiredAccess,
01110     IN PPRIVILEGE_SET Privileges OPTIONAL,
01111     IN BOOLEAN AccessGranted,
01112     OUT PBOOLEAN AuditPerformed,
01113     IN KPROCESSOR_MODE AccessMode
01114     );
01115 
01116 VOID
01117 SeObjectReferenceAuditAlarm(
01118     IN PLUID OperationID OPTIONAL,
01119     IN PVOID Object,
01120     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
01121     IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
01122     IN ACCESS_MASK DesiredAccess,
01123     IN PPRIVILEGE_SET Privileges OPTIONAL,
01124     IN BOOLEAN AccessGranted,
01125     IN KPROCESSOR_MODE AccessMode
01126     );
01127 
01128 NTKERNELAPI
01129 VOID
01130 SePrivilegeObjectAuditAlarm(
01131     IN HANDLE Handle,
01132     IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
01133     IN ACCESS_MASK DesiredAccess,
01134     IN PPRIVILEGE_SET Privileges,
01135     IN BOOLEAN AccessGranted,
01136     IN KPROCESSOR_MODE AccessMode
01137     );
01138 
01139 BOOLEAN
01140 SeCheckPrivilegedObject(
01141     LUID PrivilegeValue,
01142     HANDLE ObjectHandle,
01143     ACCESS_MASK DesiredAccess,
01144     KPROCESSOR_MODE PreviousMode
01145     );
01146 
01147 // begin_ntddk begin_ntifs
01148 
01149 NTKERNELAPI
01150 BOOLEAN
01151 SeValidSecurityDescriptor(
01152     IN ULONG Length,
01153     IN PSECURITY_DESCRIPTOR SecurityDescriptor
01154     );
01155 
01156 // end_ntddk end_ntifs
01157 
01158 
01159 
01160 //VOID
01161 //SeImplicitObjectAuditAlarm(
01162 //    IN PLUID OperationID OPTIONAL,
01163 //    IN PVOID Object,
01164 //    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
01165 //    IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
01166 //    IN ACCESS_MASK DesiredAccess,
01167 //    IN PPRIVILEGE_SET Privileges OPTIONAL,
01168 //    IN BOOLEAN AccessGranted,
01169 //    IN KPROCESSOR_MODE AccessMode
01170 //    );
01171 //
01172 
01173 VOID
01174 SeAuditHandleCreation(
01175     IN PACCESS_STATE AccessState,
01176     IN HANDLE Handle
01177     );
01178 
01179 
01180 
01181 PACCESS_TOKEN
01182 SeMakeSystemToken ();
01183 
01184 PACCESS_TOKEN
01185 SeMakeAnonymousLogonToken ();
01186 
01187 VOID
01188 SeGetTokenControlInformation (
01189     IN PACCESS_TOKEN Token,
01190     OUT PTOKEN_CONTROL TokenControl
01191     );
01192 
01193 //++
01194 //
01195 // PVOID
01196 // SeTokenObjectType()
01197 //
01198 // Routine Description:
01199 //
01200 //    This function returns a pointer to the Token object type structure.
01201 //
01202 // Arguments:
01203 //
01204 //    None.
01205 //
01206 // Return Value:
01207 //
01208 //    Pointer to the token object type structure.
01209 //
01210 //--
01211 
01212 extern struct _OBJECT_TYPE *SepTokenObjectType;
01213 #define SeTokenObjectType() (PVOID)SepTokenObjectType
01214 
01215 NTKERNELAPI                                     // ntifs
01216 TOKEN_TYPE                                      // ntifs
01217 SeTokenType(                                    // ntifs
01218     IN PACCESS_TOKEN Token                      // ntifs
01219     );                                          // ntifs
01220 
01221 SECURITY_IMPERSONATION_LEVEL
01222 SeTokenImpersonationLevel(
01223     IN PACCESS_TOKEN Token
01224     );
01225 
01226 NTKERNELAPI                                     // ntifs
01227 BOOLEAN                                         // ntifs
01228 SeTokenIsAdmin(                                 // ntifs
01229     IN PACCESS_TOKEN Token                      // ntifs
01230     );                                          // ntifs
01231 
01232 
01233 NTKERNELAPI                                     // ntifs
01234 BOOLEAN                                         // ntifs
01235 SeTokenIsRestricted(                            // ntifs
01236     IN PACCESS_TOKEN Token                      // ntifs
01237     );                                          // ntifs
01238 
01239 NTSTATUS
01240 SeSubProcessToken (
01241     IN PEPROCESS ParentProcess,
01242     OUT PACCESS_TOKEN *ChildToken
01243     );
01244 
01245 VOID
01246 SeAssignPrimaryToken(
01247     IN PEPROCESS Process,
01248     IN PACCESS_TOKEN Token
01249     );
01250 
01251 VOID
01252 SeDeassignPrimaryToken(
01253     IN PEPROCESS Process
01254     );
01255 
01256 NTSTATUS
01257 SeExchangePrimaryToken(
01258     IN PEPROCESS Process,
01259     IN PACCESS_TOKEN NewAccessToken,
01260     OUT PACCESS_TOKEN *OldAccessToken
01261     );
01262 
01263 NTSTATUS
01264 SeCopyClientToken(
01265     IN PACCESS_TOKEN ClientToken,
01266     IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
01267     IN KPROCESSOR_MODE RequestorMode,
01268     OUT PACCESS_TOKEN *DuplicateToken
01269     );
01270 
01271 NTSTATUS
01272 SeFilterToken (
01273     IN PACCESS_TOKEN ExistingToken,
01274     IN ULONG Flags,
01275     IN PTOKEN_GROUPS SidsToDisable OPTIONAL,
01276     IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,
01277     IN PTOKEN_GROUPS RestrictedSids OPTIONAL,
01278     OUT PACCESS_TOKEN * FilteredToken
01279     );
01280 
01281 
01282 // begin_ntifs
01283 
01284 NTKERNELAPI
01285 NTSTATUS
01286 SeQueryAuthenticationIdToken(
01287     IN PACCESS_TOKEN Token,
01288     OUT PLUID AuthenticationId
01289     );
01290 
01291 NTKERNELAPI
01292 NTSTATUS
01293 SeQuerySessionIdToken(
01294     IN PACCESS_TOKEN,
01295     IN PULONG pSessionId
01296     );
01297 
01298 NTKERNELAPI
01299 NTSTATUS
01300 SeSetSessionIdToken(
01301     IN PACCESS_TOKEN,
01302     IN ULONG SessionId
01303     );
01304 
01305 NTKERNELAPI
01306 NTSTATUS
01307 SeCreateClientSecurity (
01308     IN PETHREAD ClientThread,
01309     IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
01310     IN BOOLEAN RemoteSession,
01311     OUT PSECURITY_CLIENT_CONTEXT ClientContext
01312     );
01313 
01314 NTKERNELAPI
01315 VOID
01316 SeImpersonateClient(
01317     IN PSECURITY_CLIENT_CONTEXT ClientContext,
01318     IN PETHREAD ServerThread OPTIONAL
01319     );
01320 
01321 NTKERNELAPI
01322 NTSTATUS
01323 SeImpersonateClientEx(
01324     IN PSECURITY_CLIENT_CONTEXT ClientContext,
01325     IN PETHREAD ServerThread OPTIONAL
01326     );
01327 
01328 NTKERNELAPI
01329 NTSTATUS
01330 SeCreateClientSecurityFromSubjectContext (
01331     IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
01332     IN PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
01333     IN BOOLEAN ServerIsRemote,
01334     OUT PSECURITY_CLIENT_CONTEXT ClientContext
01335     );
01336 
01337 // end_ntifs
01338 
01339 //
01340 // Do not export the following routines to drivers.
01341 // If you need to do so, create a new routine that
01342 // does not take the AuxData parameter and export
01343 // that.
01344 //
01345 
01346 NTKERNELAPI
01347 NTSTATUS
01348 SeCreateAccessState(
01349    IN PACCESS_STATE AccessState,
01350    IN PAUX_ACCESS_DATA AuxData,
01351    IN ACCESS_MASK DesiredAccess,
01352    IN PGENERIC_MAPPING GenericMapping
01353    );
01354 
01355 NTKERNELAPI
01356 VOID
01357 SeDeleteAccessState(
01358     IN PACCESS_STATE AccessState
01359     );
01360 
01361 NTSTATUS
01362 SeUpdateClientSecurity(
01363     IN PETHREAD ClientThread,
01364     IN OUT PSECURITY_CLIENT_CONTEXT ClientContext,
01365     OUT PBOOLEAN ChangesMade,
01366     OUT PBOOLEAN NewToken
01367     );
01368 
01369 BOOLEAN
01370 SeRmInitPhase1(
01371     );
01372 
01373 // begin_ntifs
01374 
01375 NTKERNELAPI
01376 NTSTATUS
01377 SeQuerySecurityDescriptorInfo (
01378     IN PSECURITY_INFORMATION SecurityInformation,
01379     OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
01380     IN OUT PULONG Length,
01381     IN PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor
01382     );
01383 
01384 NTKERNELAPI
01385 NTSTATUS
01386 SeSetSecurityDescriptorInfo (
01387     IN PVOID Object OPTIONAL,
01388     IN PSECURITY_INFORMATION SecurityInformation,
01389     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
01390     IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
01391     IN POOL_TYPE PoolType,
01392     IN PGENERIC_MAPPING GenericMapping
01393     );
01394 
01395 NTKERNELAPI
01396 NTSTATUS
01397 SeSetSecurityDescriptorInfoEx (
01398     IN PVOID Object OPTIONAL,
01399     IN PSECURITY_INFORMATION SecurityInformation,
01400     IN PSECURITY_DESCRIPTOR ModificationDescriptor,
01401     IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
01402     IN ULONG AutoInheritFlags,
01403     IN POOL_TYPE PoolType,
01404     IN PGENERIC_MAPPING GenericMapping
01405     );
01406 
01407 NTKERNELAPI
01408 NTSTATUS
01409 SeAppendPrivileges(
01410     PACCESS_STATE AccessState,
01411     PPRIVILEGE_SET Privileges
01412     );
01413 
01414 // end_ntifs
01415 
01416 NTSTATUS
01417 SeComputeQuotaInformationSize(
01418     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
01419     OUT PULONG Size
01420     );
01421 
01422 VOID
01423 SePrivilegedServiceAuditAlarm (
01424     IN PUNICODE_STRING ServiceName,
01425     IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
01426     IN PPRIVILEGE_SET Privileges,
01427     IN BOOLEAN AccessGranted
01428     );
01429 
01430 NTKERNELAPI                                                     // ntddk ntifs
01431 BOOLEAN                                                         // ntddk ntifs
01432 SeSinglePrivilegeCheck(                                         // ntddk ntifs
01433     LUID PrivilegeValue,                                        // ntddk ntifs
01434     KPROCESSOR_MODE PreviousMode                                // ntddk ntifs
01435     );                                                          // ntddk ntifs
01436 
01437 BOOLEAN
01438 SeCheckAuditPrivilege (
01439    IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
01440    IN KPROCESSOR_MODE PreviousMode
01441    );
01442 
01443 NTSTATUS
01444 SeAssignWorldSecurityDescriptor(
01445     IN PSECURITY_DESCRIPTOR SecurityDescriptor,
01446     IN OUT PULONG Length,
01447     IN PSECURITY_INFORMATION SecurityInformation
01448     );
01449 
01450 BOOLEAN
01451 SeFastTraverseCheck(
01452     PSECURITY_DESCRIPTOR SecurityDescriptor,
01453     ACCESS_MASK TraverseAccess,
01454     KPROCESSOR_MODE AccessMode
01455     );
01456 
01457 NTKERNELAPI                                                     // ntifs
01458 BOOLEAN                                                         // ntifs
01459 SeAuditingFileEvents(                                           // ntifs
01460     IN BOOLEAN AccessGranted,                                   // ntifs
01461     IN PSECURITY_DESCRIPTOR SecurityDescriptor                  // ntifs
01462     );                                                          // ntifs
01463 
01464 NTKERNELAPI                                                     // ntifs
01465 BOOLEAN                                                         // ntifs
01466 SeAuditingFileOrGlobalEvents(                                   // ntifs
01467     IN BOOLEAN AccessGranted,                                   // ntifs
01468     IN PSECURITY_DESCRIPTOR SecurityDescriptor,                 // ntifs
01469     IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext         // ntifs
01470     );                                                          // ntifs
01471 
01472 VOID
01473 SeAuditProcessCreation(
01474     PEPROCESS Process,
01475     PEPROCESS Parent,
01476     PUNICODE_STRING ImageFileName
01477     );
01478 
01479 VOID
01480 SeAuditProcessExit(
01481     PEPROCESS Process
01482     );
01483 
01484 VOID
01485 SeAuditHandleDuplication(
01486     PVOID SourceHandle,
01487     PVOID NewHandle,
01488     PEPROCESS SourceProcess,
01489     PEPROCESS TargetProcess
01490     );
01491 
01492 // begin_ntifs
01493 
01494 VOID
01495 SeSetAccessStateGenericMapping (
01496     PACCESS_STATE AccessState,
01497     PGENERIC_MAPPING GenericMapping
01498     );
01499 
01500 // end_ntifs
01501 
01502 // begin_ntifs
01503 
01504 NTKERNELAPI
01505 NTSTATUS
01506 SeRegisterLogonSessionTerminatedRoutine(
01507     IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
01508     );
01509 
01510 NTKERNELAPI
01511 NTSTATUS
01512 SeUnregisterLogonSessionTerminatedRoutine(
01513     IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine
01514     );
01515 
01516 NTKERNELAPI
01517 NTSTATUS
01518 SeMarkLogonSessionForTerminationNotification(
01519     IN PLUID LogonId
01520     );
01521 
01522 NTKERNELAPI
01523 NTSTATUS
01524 SeQueryInformationToken (
01525     IN PACCESS_TOKEN Token,
01526     IN TOKEN_INFORMATION_CLASS TokenInformationClass,
01527     OUT PVOID *TokenInformation
01528     );
01529 
01530 
01531 // end_ntifs
01532 
01533 NTSTATUS
01534 SeIsChildToken(
01535     IN HANDLE Token,
01536     OUT PBOOLEAN IsChild
01537     );
01538 
01539 NTSTATUS
01540 SeIsChildTokenByPointer(
01541     IN PACCESS_TOKEN Token,
01542     OUT PBOOLEAN IsChild
01543     );
01544 
01545 
01546 NTSTATUS
01547 SeFastFilterToken(
01548     IN PACCESS_TOKEN ExistingToken,
01549     IN KPROCESSOR_MODE RequestorMode,
01550     IN ULONG Flags,
01551     IN ULONG GroupCount,
01552     IN PSID_AND_ATTRIBUTES GroupsToDisable OPTIONAL,
01553     IN ULONG PrivilegeCount,
01554     IN PLUID_AND_ATTRIBUTES PrivilegesToDelete OPTIONAL,
01555     IN ULONG SidCount,
01556     IN PSID_AND_ATTRIBUTES RestrictedSids OPTIONAL,
01557     IN ULONG SidLength,
01558     OUT PACCESS_TOKEN * FilteredToken
01559     );
01560 
01562 //                                                                    //
01563 //           Global, READ ONLY, Security variables                    //
01564 //                                                                    //
01566 
01567 
01568 // begin_ntifs
01569 // **************************************************************
01570 //
01571 //              C A V E A T      P R O G R A M M E R
01572 //
01573 //
01574 //  If you wish to include this file in an NT driver and use SeExports structure
01575 //  defined above, you need to call:
01576 //
01577 //
01578 //      SeEnableAccessToExports()
01579 //
01580 //  exactly once during initialization.
01581 //
01582 //              C A V E A T      P R O G R A M M E R
01583 //
01584 // **************************************************************
01585 #if 0
01586 #define SeEnableAccessToExports() SeExports = *(PSE_EXPORTS *)SeExports;
01587 extern PSE_EXPORTS SeExports;                       // ntifs
01588 #else
01589 #define SeEnableAccessToExports()
01590 extern NTKERNELAPI PSE_EXPORTS SeExports;
01591 #endif
01592 
01593 // end_ntifs
01594 
01595 //
01596 // Value used to represent the authentication ID of system processes
01597 //
01598 
01599 extern LUID SeSystemAuthenticationId;
01600 extern LUID SeAnonymousAuthenticationId;
01601 
01602 extern TOKEN_SOURCE SeSystemTokenSource;
01603 
01604 //
01605 // Universal well known SIDs
01606 //
01607 
01608 extern PSID  SeNullSid;
01609 extern PSID  SeWorldSid;
01610 extern PSID  SeLocalSid;
01611 extern PSID  SeCreatorOwnerSid;
01612 extern PSID  SeCreatorGroupSid;
01613 extern PSID  SeCreatorOwnerServerSid;
01614 extern PSID  SeCreatorGroupServerSid;
01615 extern PSID  SePrincipalSelfSid;
01616 
01617 
01618 //
01619 // Sids defined by NT
01620 //
01621 
01622 extern PSID SeNtAuthoritySid;
01623 
01624 extern PSID SeDialupSid;
01625 extern PSID SeNetworkSid;
01626 extern PSID SeBatchSid;
01627 extern PSID SeInteractiveSid;
01628 extern PSID SeLocalSystemSid;
01629 extern PSID SeAuthenticatedUsersSid;
01630 extern PSID SeAliasAdminsSid;
01631 extern PSID SeRestrictedSid;
01632 extern PSID SeAnonymousLogonSid;
01633 extern PSID SeAliasUsersSid;
01634 extern PSID SeAliasGuestsSid;
01635 extern PSID SeAliasPowerUsersSid;
01636 extern PSID SeAliasAccountOpsSid;
01637 extern PSID SeAliasSystemOpsSid;
01638 extern PSID SeAliasPrintOpsSid;
01639 extern PSID SeAliasBackupOpsSid;
01640 
01641 //
01642 // Well known tokens
01643 //
01644 
01645 extern PACCESS_TOKEN SeAnonymousLogonToken;
01646 
01647 //
01648 // System default DACLs & Security Descriptors
01649 //
01650 
01651 extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
01652 extern PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
01653 extern PSECURITY_DESCRIPTOR SePublicOpenSd;
01654 extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
01655 extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
01656 extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
01657 
01658 extern PACL SePublicDefaultDacl;
01659 extern PACL SePublicDefaultUnrestrictedDacl;
01660 extern PACL SePublicOpenDacl;
01661 extern PACL SePublicOpenUnrestrictedDacl;
01662 extern PACL SeSystemDefaultDacl;
01663 extern PACL SeUnrestrictedDacl;
01664 
01665 //
01666 //  Well known privilege values
01667 //
01668 
01669 
01670 extern LUID SeCreateTokenPrivilege;
01671 extern LUID SeAssignPrimaryTokenPrivilege;
01672 extern LUID SeLockMemoryPrivilege;
01673 extern LUID SeIncreaseQuotaPrivilege;
01674 extern LUID SeUnsolicitedInputPrivilege;
01675 extern LUID SeTcbPrivilege;
01676 extern LUID SeSecurityPrivilege;
01677 extern LUID SeTakeOwnershipPrivilege;
01678 extern LUID SeLoadDriverPrivilege;
01679 extern LUID SeCreatePagefilePrivilege;
01680 extern LUID SeIncreaseBasePriorityPrivilege;
01681 extern LUID SeSystemProfilePrivilege;
01682 extern LUID SeSystemtimePrivilege;
01683 extern LUID SeProfileSingleProcessPrivilege;
01684 extern LUID SeCreatePermanentPrivilege;
01685 extern LUID SeBackupPrivilege;
01686 extern LUID SeRestorePrivilege;
01687 extern LUID SeShutdownPrivilege;
01688 extern LUID SeDebugPrivilege;
01689 extern LUID SeAuditPrivilege;
01690 extern LUID SeSystemEnvironmentPrivilege;
01691 extern LUID SeChangeNotifyPrivilege;
01692 extern LUID SeRemoteShutdownPrivilege;
01693 extern LUID SeUndockPrivilege;
01694 extern LUID SeSyncAgentPrivilege;
01695 extern LUID SeEnableDelegationPrivilege;
01696 
01697 
01698 //
01699 // Auditing information array
01700 //
01701 
01702 extern SE_AUDITING_STATE SeAuditingState[];
01703 
01704 //
01705 // Flag so that other components may quickly check for
01706 // auditing.
01707 //
01708 
01709 extern BOOLEAN SeDetailedAuditing;
01710 
01711 extern UNICODE_STRING SeSubsystemName;
01712 
01713 
01714 #endif // _SE_
Generated on Sat May 15 19:41:43 2004 for test by doxygen 1.3.7