lpcpriv.c File Reference

#include "lpcp.h"

Go to the source code of this file.

Functions
NTSTATUS	NtImpersonateClientOfPort (IN HANDLE PortHandle, IN PPORT_MESSAGE Message)
VOID	LpcpFreePortClientSecurity (IN PLPCP_PORT_OBJECT Port)

---

Function Documentation

VOID LpcpFreePortClientSecurity (  IN PLPCP_PORT_OBJECT  Port  )

Definition at line 296 of file lpcpriv.c. References CLIENT_COMMUNICATION_PORT, PORT_DYNAMIC_SECURITY, PORT_TYPE, and SeDeleteClientSecurity. Referenced by LpcpDeletePort(). 00302 : 00303 00304 This routine cleans up the captured security context for a client port. 00305 The cleanup is typically done when we are deleting a port 00306 00307 Arguments: 00308 00309 Port - Supplies the client port being deleted 00310 00311 Return Value: 00312 00313 None. 00314 00315 --*/ 00316 00317 { 00318 // 00319 // We only do this action if supplied with a client communication port 00320 // 00321 00322 if ((Port->Flags & PORT_TYPE) == CLIENT_COMMUNICATION_PORT) { 00323 00324 // 00325 // We only do this action if the port has static security tracking, 00326 // and we have a captured client token. The action is to simply 00327 // delete the client token. 00328 // 00329 00330 if (!(Port->Flags & PORT_DYNAMIC_SECURITY)) { 00331 00332 if ( Port->StaticSecurity.ClientToken ) { 00333 00334 SeDeleteClientSecurity( &(Port)->StaticSecurity ); 00335 } 00336 } 00337 } 00338 00339 // 00340 // And return to our caller 00341 // 00342 00343 return; 00344 } }

NTSTATUS NtImpersonateClientOfPort (  IN HANDLE  PortHandle, IN PPORT_MESSAGE  Message )

Definition at line 32 of file lpcpriv.c. References ClientThread(), _LPCP_PORT_OBJECT::ConnectedPort, EXCEPTION_EXECUTE_HANDLER, _LPCP_PORT_OBJECT::Flags, KernelMode, KPROCESSOR_MODE, LpcpAcquireLpcpLock, LpcpFreeDynamicClientSecurity, LpcpGetDynamicClientSecurity, LpcpReferencePortObject, LpcpReleaseLpcpLock, _LPCP_PORT_OBJECT::LpcReplyChainHead, NT_SUCCESS, NTSTATUS(), NULL, ObDereferenceObject, ObReferenceObject, PAGED_CODE, PORT_DELETED, PORT_DYNAMIC_SECURITY, PORT_TYPE, PortHandle, ProbeForRead, PsLookupProcessThreadByCid(), SeImpersonateClientEx(), SERVER_COMMUNICATION_PORT, _LPCP_PORT_OBJECT::StaticSecurity, and Status. Referenced by RtlImpersonateLpcClient(), and SepServerImpersonateClient(). : This procedure is used by the server thread to temporarily acquire the identifier set of a client thread. This service establishes an impersonation token for the calling thread. The impersonation token corresponds to the context provided by the port client. The client must currently be waiting for a reply to the specified message. This service returns an error status code if the client thread is not waiting for a reply to the message. The security quality of service parameters specified by the client upon connection dictate what use the server will have of the client's security context. For complicated or extended impersonation needs, the server may open a copy of the client's token (using NtOpenThreadToken()). This must be done while impersonating the client. Arguments: PortHandle - Specifies the handle of the communication port that the message was received from. Message - Specifies an address of a message that was received from the client that is to be impersonated. The ClientId field of the message identifies the client thread that is to be impersonated. The client thread must be waiting for a reply to the message in order to impersonate the client. Return Value: NTSTATUS - Status code that indicates whether or not the operation was successful. --*/ { PLPCP_PORT_OBJECT PortObject; PLPCP_PORT_OBJECT ConnectedPort; KPROCESSOR_MODE PreviousMode; NTSTATUS Status; PETHREAD ClientThread; CLIENT_ID CapturedClientId; ULONG CapturedMessageId; SECURITY_CLIENT_CONTEXT DynamicSecurity; PLIST_ENTRY Next, Head; PETHREAD ThreadWaitingForReply; PAGED_CODE(); // // Get previous processor mode and probe output arguments if necessary. // PreviousMode = KeGetPreviousMode(); if (PreviousMode != KernelMode) { try { ProbeForRead( Message, sizeof( PORT_MESSAGE ), sizeof( ULONG )); CapturedClientId = Message->ClientId; CapturedMessageId = Message->MessageId; } except( EXCEPTION_EXECUTE_HANDLER ) { return( GetExceptionCode() ); } } else { CapturedClientId = Message->ClientId; CapturedMessageId = Message->MessageId; } // // Reference the communication port object by handle. Return status if // unsuccessful. // Status = LpcpReferencePortObject( PortHandle, 0, PreviousMode, &PortObject ); if (!NT_SUCCESS( Status )) { return( Status ); } // // It is an error to try this on any port other than a server // communication port // if ((PortObject->Flags & PORT_TYPE) != SERVER_COMMUNICATION_PORT) { ObDereferenceObject( PortObject ); return( STATUS_INVALID_PORT_HANDLE ); } // // Translate the ClientId from the connection request into a // thread pointer. This is a referenced pointer to keep the thread // from evaporating out from under us. // Status = PsLookupProcessThreadByCid( &CapturedClientId, NULL, &ClientThread ); if (!NT_SUCCESS( Status )) { ObDereferenceObject( PortObject ); return( Status ); } // // Acquire the mutex that guards the LpcReplyMessage field of // the thread and get the pointer to the message that the thread // is waiting for a reply to. // LpcpAcquireLpcpLock(); if ( ( PortObject->ConnectedPort == NULL ) || ( PortObject->ConnectedPort->Flags & PORT_DELETED )) { LpcpReleaseLpcpLock(); ObDereferenceObject( PortObject ); ObDereferenceObject( ClientThread ); return( STATUS_PORT_DISCONNECTED ); } ConnectedPort = PortObject->ConnectedPort; ObReferenceObject( ConnectedPort ); // // See if the thread is waiting for a reply to the message // specified on this call, if the user gave us a bad // message id. If not then a bogus message // has been specified, so return failure. // if ((ClientThread->LpcReplyMessageId != CapturedMessageId) || (CapturedMessageId == 0)) { LpcpReleaseLpcpLock(); ObDereferenceObject( PortObject ); ObDereferenceObject( ClientThread ); ObDereferenceObject( ConnectedPort ); return (STATUS_REPLY_MESSAGE_MISMATCH); } // // Search in the LpcReplyChain if the ClientThread exists // Perform this search only if the client thread is queued to the port object // if ( !IsListEmpty( &ClientThread->LpcReplyChain ) ) { ThreadWaitingForReply = NULL; Head = &PortObject->LpcReplyChainHead; Next = Head->Flink; while ((Next != NULL) && (Next != Head)) { ThreadWaitingForReply = CONTAINING_RECORD( Next, ETHREAD, LpcReplyChain ); // // If found the Client thread, quit from the loop // if ( ThreadWaitingForReply == ClientThread) { break; } Next = Next->Flink; } // // If not found, return an error // if (ThreadWaitingForReply != ClientThread) { LpcpReleaseLpcpLock(); ObDereferenceObject( PortObject ); ObDereferenceObject( ClientThread ); ObDereferenceObject( ConnectedPort ); return (STATUS_REPLY_MESSAGE_MISMATCH); } } LpcpReleaseLpcpLock(); // // If the client requested dynamic security tracking, then the client // security needs to be referenced. Otherwise, (static case) // it is already in the client's port. // if (ConnectedPort->Flags & PORT_DYNAMIC_SECURITY) { // // Impersonate the client with information from the queued message // Status = LpcpGetDynamicClientSecurity( ClientThread, PortObject->ConnectedPort, &DynamicSecurity ); if (!NT_SUCCESS( Status )) { ObDereferenceObject( PortObject ); ObDereferenceObject( ClientThread ); ObDereferenceObject( ConnectedPort ); return( Status ); } Status = SeImpersonateClientEx( &DynamicSecurity, NULL ); LpcpFreeDynamicClientSecurity( &DynamicSecurity ); } else { // // Impersonate the client with information from the client's port // Status = SeImpersonateClientEx( &ConnectedPort->StaticSecurity, NULL ); } ObDereferenceObject( PortObject ); ObDereferenceObject( ClientThread ); ObDereferenceObject( ConnectedPort ); // // And return to our caller // return Status; }

---