security.c File Reference

#include "psp.h"

Go to the source code of this file.

Functions
PACCESS_TOKEN	PsReferencePrimaryToken (IN PEPROCESS Process)
PACCESS_TOKEN	PsReferenceImpersonationToken (IN PETHREAD Thread, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
PACCESS_TOKEN	PsReferenceEffectiveToken (IN PETHREAD Thread, OUT PTOKEN_TYPE TokenType, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
NTSTATUS	PsOpenTokenOfThread (IN HANDLE ThreadHandle, IN BOOLEAN OpenAsSelf, OUT PACCESS_TOKEN *Token, OUT PBOOLEAN CopyOnOpen, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
NTSTATUS	PsOpenTokenOfProcess (IN HANDLE ProcessHandle, OUT PACCESS_TOKEN *Token)
NTSTATUS	PsOpenTokenOfJobObject (IN HANDLE JobObject, OUT PACCESS_TOKEN *Token)
NTSTATUS	PsImpersonateClient (IN PETHREAD Thread, IN PACCESS_TOKEN Token, IN BOOLEAN CopyOnOpen, IN BOOLEAN EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
BOOLEAN	PsDisableImpersonation (IN PETHREAD Thread, IN PSE_IMPERSONATION_STATE ImpersonationState)
VOID	PsRestoreImpersonation (IN PETHREAD Thread, IN PSE_IMPERSONATION_STATE ImpersonationState)
VOID	PsRevertToSelf ()
NTSTATUS	PspInitializeProcessSecurity (IN PEPROCESS Parent OPTIONAL, IN PEPROCESS Child)
VOID	PspDeleteProcessSecurity (IN PEPROCESS Process)
NTSTATUS	PspAssignPrimaryToken (IN PEPROCESS Process, IN HANDLE Token OPTIONAL, IN PACCESS_TOKEN TokenPointer OPTIONAL)
VOID	PspInitializeThreadSecurity (IN PEPROCESS Process, IN PETHREAD Thread)
VOID	PspDeleteThreadSecurity (IN PETHREAD Thread)
NTSTATUS	PsAssignImpersonationToken (IN PETHREAD Thread, IN HANDLE Token)

---

Function Documentation

NTSTATUS PsAssignImpersonationToken (  IN PETHREAD  Thread, IN HANDLE  Token )

Definition at line 1483 of file ps/security.c. References FALSE, Filter, IS_SYSTEM_THREAD, KeAttachProcess(), KeDetachProcess(), KPROCESSOR_MODE, NT_SUCCESS, NTSTATUS(), NULL, ObDereferenceObject, ObReferenceObjectByHandle(), _EPROCESS::Pcb, PsGetCurrentProcess, PsImpersonateClient(), SeFastFilterToken(), SeTokenImpersonationLevel(), SeTokenIsAdmin(), SeTokenIsRestricted(), SeTokenObjectType, SeTokenType(), Status, THREAD_TO_PROCESS, Token, and TRUE. Referenced by NtSetInformationThread(). 01490 : 01491 01492 This function performs the security portions of establishing an 01493 impersonation token. This routine is expected to be used only in 01494 the case where the subject has asked for impersonation explicitly 01495 providing an impersonation token. Other services are provided for 01496 use by communication session layers that need to establish an 01497 impersonation on a server's behalf. 01498 01499 It is expected that the proper access to the thread object has already 01500 been established. 01501 01502 The following rules apply: 01503 01504 1) The caller must have TOKEN_IMPERSONATE access to the token 01505 for any action to be taken. 01506 01507 2) If the token may NOT be used for impersonation (e.g., not an 01508 impersonation token) no action is taken. 01509 01510 3) Otherwise, any existing impersonation token is dereferenced and 01511 the new token is established as the impersonation token. 01512 01513 01514 01515 Arguments: 01516 01517 Thread - A pointer to the thread whose impersonation token is being 01518 set. 01519 01520 Token - The handle value of the token to be assigned as the impersonation 01521 token. If this value is NULL, then current impersonation (if any) 01522 is terminated and no new impersonation is established. 01523 01524 01525 Return Value: 01526 01527 STATUS_SUCCESS - Indicates the primary token has been successfully 01528 replaced. 01529 01530 STATUS_BAD_TOKEN_TYPE - Indicates the token is not of type 01531 TokenImpersonation. 01532 01533 Other status may be returned when attempting to reference the token 01534 object. 01535 01536 --*/ 01537 01538 { 01539 NTSTATUS 01540 Status; 01541 01542 PACCESS_TOKEN 01543 NewToken, NewerToken ; 01544 01545 KPROCESSOR_MODE 01546 PreviousMode; 01547 01548 SECURITY_IMPERSONATION_LEVEL 01549 ImpersonationLevel; 01550 01551 PPS_JOB_TOKEN_FILTER Filter ; 01552 01553 PEPROCESS ThreadProcess; 01554 BOOLEAN AttachedToProcess = FALSE; 01555 01556 PreviousMode = KeGetPreviousMode(); 01557 01558 if (!ARGUMENT_PRESENT(Token)) { 01559 01560 NewToken = NULL; 01561 01562 // 01563 // Don't care what value ImpersonationLevel has, it won't 01564 // be used. 01565 // 01566 01567 } else { 01568 01569 // 01570 // Reference the specified token for TOKEN_IMPERSONATE access 01571 // 01572 01573 Status = ObReferenceObjectByHandle ( 01574 Token, 01575 TOKEN_IMPERSONATE, 01576 SeTokenObjectType(), 01577 PreviousMode, 01578 (PVOID *)&NewToken, 01579 NULL 01580 ); 01581 01582 if ( !NT_SUCCESS(Status) ) { 01583 return Status; 01584 } 01585 01586 // 01587 // Make sure the token is an impersonation token. 01588 // 01589 01590 if (SeTokenType( NewToken ) != TokenImpersonation ) { 01591 ObDereferenceObject( NewToken ); 01592 return STATUS_BAD_TOKEN_TYPE; 01593 } 01594 01595 if ( Thread->ThreadsProcess->Job ) { 01596 01597 if ( ( Thread->ThreadsProcess->Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_NO_ADMIN ) && 01598 ( SeTokenIsAdmin( NewToken ) ) ) { 01599 01600 ObDereferenceObject( NewToken ); 01601 01602 return STATUS_ACCESS_DENIED ; 01603 01604 } 01605 01606 if ( ( Thread->ThreadsProcess->Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_RESTRICTED_TOKEN ) && 01607 ( !SeTokenIsRestricted( NewToken ) ) ) 01608 { 01609 ObDereferenceObject( NewToken ); 01610 01611 return STATUS_ACCESS_DENIED ; 01612 } 01613 01614 if ( Thread->ThreadsProcess->Job->Filter ) 01615 { 01616 // 01617 // Filter installed. Need to create a restricted token 01618 // dynamically. 01619 // 01620 Filter = Thread->ThreadsProcess->Job->Filter ; 01621 01622 Status = SeFastFilterToken( 01623 NewToken, 01624 PreviousMode, 01625 0, 01626 Filter->CapturedGroupCount, 01627 Filter->CapturedGroups, 01628 Filter->CapturedPrivilegeCount, 01629 Filter->CapturedPrivileges, 01630 Filter->CapturedSidCount, 01631 Filter->CapturedSids, 01632 Filter->CapturedSidsLength, 01633 &NewerToken ); 01634 01635 ObDereferenceObject( NewToken ); 01636 01637 if ( NT_SUCCESS( Status ) ) 01638 { 01639 NewToken = NewerToken ; 01640 } 01641 else 01642 { 01643 return Status ; 01644 } 01645 01646 01647 } 01648 } 01649 01650 ImpersonationLevel = SeTokenImpersonationLevel( NewToken ); 01651 } 01652 01653 // 01654 // The rest can be done by PsImpersonateClient. 01655 // 01656 // PsImpersonateClient will reference the passed token 01657 // on success. 01658 // 01659 01660 Status = PsImpersonateClient( 01661 Thread, 01662 NewToken, 01663 FALSE, // CopyOnOpen 01664 FALSE, //EffectiveOnly 01665 ImpersonationLevel 01666 ); 01667 01668 01669 // 01670 // dereference the passed token, if there is one. 01671 // 01672 // Note that if PsImpersonateClient failed, this will 01673 // be the final dereference of NewToken/NewerToken, 01674 // and it will be freed. 01675 // 01676 01677 if (ARGUMENT_PRESENT(NewToken)) { 01678 ObDereferenceObject( NewToken ); 01679 } 01680 01681 if (NT_SUCCESS( Status )) { 01682 01683 // 01684 // Indicate that 'Thread' has started to do impersonation. 01685 // This info is useful for GetUserDefaultLCID() 01686 // 01687 01688 if (!IS_SYSTEM_THREAD(Thread)) { 01689 01690 ThreadProcess = THREAD_TO_PROCESS(Thread); 01691 01692 if ( PsGetCurrentProcess() != ThreadProcess ) { 01693 KeAttachProcess( &ThreadProcess->Pcb ); 01694 AttachedToProcess = TRUE; 01695 } 01696 01697 if (ARGUMENT_PRESENT(NewToken)) { 01698 ((PTEB)(Thread->Tcb.Teb))->ImpersonationLocale = (LCID)-1; 01699 ((PTEB)(Thread->Tcb.Teb))->IsImpersonating = 1; 01700 } else { 01701 ((PTEB)(Thread->Tcb.Teb))->ImpersonationLocale = (LCID) 0; 01702 ((PTEB)(Thread->Tcb.Teb))->IsImpersonating = 0; 01703 } 01704 01705 if (AttachedToProcess) { 01706 KeDetachProcess(); 01707 } 01708 } 01709 } 01710 01711 return Status; 01712 } }

BOOLEAN PsDisableImpersonation (  IN PETHREAD  Thread, IN PSE_IMPERSONATION_STATE  ImpersonationState )

Definition at line 888 of file ps/security.c. References ASSERT, _PS_IMPERSONATION_INFORMATION::CopyOnOpen, _PS_IMPERSONATION_INFORMATION::EffectiveOnly, FALSE, _PS_IMPERSONATION_INFORMATION::ImpersonationLevel, NULL, PsFreeProcessSecurityFields, PsLockProcessSecurityFields, ThreadObject, _PS_IMPERSONATION_INFORMATION::Token, and TRUE. Referenced by NtOpenThreadToken(), PsOpenTokenOfThread(), and SepOpenTokenOfThread(). : This routine temporarily disables the impersonation of a thread. The impersonation state is saved for quick replacement later. The impersonation token is left referenced and a pointer to it is held in the IMPERSONATION_STATE data structure. PsRestoreImpersonation() must be used after this routine is called. Arguments: Thread - points to the thread whose impersonation (if any) is to be temporarily disabled. ImpersonationState - receives the current impersonation information, including a pointer to the impersonation token. Return Value: TRUE - Indicates the impersonation state has been saved and the impersonation has been temporarily disabled. FALSE - Indicates the specified thread was not impersonating a client. No action has been taken. --*/ { PPS_IMPERSONATION_INFORMATION OldClient; ASSERT( Thread->Tcb.Header.Type == ThreadObject ); // // Lock the process security fields // PsLockProcessSecurityFields(); // // Capture the impersonation information (if there is any). // if ( Thread->ActiveImpersonationInfo ) { OldClient = Thread->ImpersonationInfo; ImpersonationState->Level = OldClient->ImpersonationLevel; ImpersonationState->EffectiveOnly = OldClient->EffectiveOnly; ImpersonationState->CopyOnOpen = OldClient->CopyOnOpen; ImpersonationState->Token = OldClient->Token; } else { // // Not impersonating. Just make up some values. // The NULL for the token indicates we aren't impersonating. // OldClient = NULL; ImpersonationState->Level = SecurityAnonymous; ImpersonationState->EffectiveOnly = FALSE; ImpersonationState->CopyOnOpen = FALSE; ImpersonationState->Token = NULL; } // // Clear the Client field to indicate the thread is not impersonating. // Thread->ActiveImpersonationInfo = FALSE; // // Release the security fields // PsFreeProcessSecurityFields(); if ( OldClient ) { return TRUE; } else { return FALSE; } }

NTSTATUS PsImpersonateClient (  IN PETHREAD  Thread, IN PACCESS_TOKEN  Token, IN BOOLEAN  CopyOnOpen, IN BOOLEAN  EffectiveOnly, IN SECURITY_IMPERSONATION_LEVEL  ImpersonationLevel )

Definition at line 650 of file ps/security.c. References ASSERT, _PS_IMPERSONATION_INFORMATION::CopyOnOpen, _PS_IMPERSONATION_INFORMATION::EffectiveOnly, ExAllocatePoolWithTag, FALSE, Filter, _PS_IMPERSONATION_INFORMATION::ImpersonationLevel, KernelMode, NT_SUCCESS, NTSTATUS(), NULL, ObReferenceObject, PagedPool, PsDereferenceImpersonationToken, PsFreeProcessSecurityFields, PsLockProcessSecurityFields, SeFastFilterToken(), SeTokenIsAdmin(), SeTokenIsRestricted(), Status, ThreadObject, _PS_IMPERSONATION_INFORMATION::Token, Token, and TRUE. Referenced by NtImpersonateAnonymousToken(), NtOpenThreadToken(), PsAssignImpersonationToken(), PsRestoreImpersonation(), and SeImpersonateClientEx(). : This routine sets up the specified thread so that it is impersonating the specified client. This will result in the reference count of the token representing the client being incremented to reflect the new reference. If the thread is currently impersonating a client, that token will be dereferenced. Arguments: Thread - points to the thread which is going to impersonate a client. Token - Points to the token to be assigned as the impersonation token. This does NOT have to be a TokenImpersonation type token. This allows direct reference of client process's primary tokens. CopyOnOpen - If TRUE, indicates the token is considered to be private by the assigner and should be copied if opened. For example, a session layer may be using a token to represent a client's context. If the session is trying to synchronize the context of the client, then user mode code should not be given direct access to the session layer's token. Basically, session layers should always specify TRUE for this, while tokens assigned by the server itself (handle based) should specify FALSE. EffectiveOnly - Is a boolean value to be assigned as the Thread->ImpersonationInfo->EffectiveOnly field value for the impersonation. A value of FALSE indicates the server is allowed to enable currently disabled groups and privileges. ImpersonationLevel - Is the impersonation level that the server is allowed to access the token with. Return Value: STATUS_SUCCESS - Indicates the call completed successfully. --*/ { PPS_IMPERSONATION_INFORMATION NewClient; PACCESS_TOKEN OldToken; PACCESS_TOKEN NewerToken ; NTSTATUS Status ; PPS_JOB_TOKEN_FILTER Filter ; BOOLEAN DontRefToken = FALSE ; ASSERT( Thread->Tcb.Header.Type == ThreadObject ); // // Lock the process security fields // PsLockProcessSecurityFields(); if (!ARGUMENT_PRESENT(Token)) { // // This is a request to revert to self. // Clean up any client information. // if ( Thread->ActiveImpersonationInfo ) { OldToken = Thread->ImpersonationInfo->Token; Thread->ActiveImpersonationInfo = FALSE; } else { OldToken = NULL; } } else { // // Check if we're allowed to impersonate based on the job // restrictions: // Status = STATUS_SUCCESS ; if ( Thread->ThreadsProcess->Job ) { if ( ( Thread->ThreadsProcess->Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_NO_ADMIN ) && ( SeTokenIsAdmin( Token ) ) ) { Status = STATUS_ACCESS_DENIED ; } if ( ( Thread->ThreadsProcess->Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_RESTRICTED_TOKEN ) && ( !SeTokenIsRestricted( Token ) ) ) { Status = STATUS_ACCESS_DENIED ; } if ( Thread->ThreadsProcess->Job->Filter ) { // // Filter installed. Need to create a restricted token // dynamically. // Filter = Thread->ThreadsProcess->Job->Filter ; Status = SeFastFilterToken( Token, KernelMode, 0, Filter->CapturedGroupCount, Filter->CapturedGroups, Filter->CapturedPrivilegeCount, Filter->CapturedPrivileges, Filter->CapturedSidCount, Filter->CapturedSids, Filter->CapturedSidsLength, &NewerToken ); if ( NT_SUCCESS( Status ) ) { DontRefToken = TRUE ; Token = NewerToken ; } } } if ( !NT_SUCCESS( Status ) ) { PsFreeProcessSecurityFields(); return Status ; } // // If we are already impersonating someone, // use the already allocated block. This avoids // an alloc and a free. // if ( Thread->ActiveImpersonationInfo ) { // // capture the old token pointer. // We'll dereference it after unlocking the security fields. // OldToken = Thread->ImpersonationInfo->Token; NewClient = Thread->ImpersonationInfo; } else { OldToken = NULL; if ( Thread->ImpersonationInfo ) { NewClient = Thread->ImpersonationInfo; } else { // // Allocate and set up the Client block // NewClient = (PPS_IMPERSONATION_INFORMATION)ExAllocatePoolWithTag( PagedPool, sizeof(PS_IMPERSONATION_INFORMATION), 'mIsP'); if (NewClient == NULL) { PsFreeProcessSecurityFields(); return STATUS_NO_MEMORY ; } Thread->ImpersonationInfo = NewClient; } } NewClient->ImpersonationLevel = ImpersonationLevel; NewClient->EffectiveOnly = EffectiveOnly; NewClient->CopyOnOpen = CopyOnOpen; NewClient->Token = Token; Thread->ActiveImpersonationInfo = TRUE; if ( !DontRefToken ) { ObReferenceObject(NewClient->Token); } } // // Release the security fields // PsFreeProcessSecurityFields(); // // Free the old client token, if necessary. // if (ARGUMENT_PRESENT( OldToken )) { PsDereferenceImpersonationToken( OldToken ); } return STATUS_SUCCESS ; }

NTSTATUS PsOpenTokenOfJobObject (  IN HANDLE  JobObject, OUT PACCESS_TOKEN *  Token )

Definition at line 586 of file ps/security.c. References KPROCESSOR_MODE, NT_SUCCESS, NTSTATUS(), NULL, ObReferenceObject, ObReferenceObjectByHandle(), PsJobType, Status, Token, and _EJOB::Token. : This function does the ps/job specific work for NtOpenJobObjectToken. Arguments: JobObject - Supplies a handle to a job object whose limit token token is to be opened. Token - If successful, receives a pointer to the process's token object. Return Value: STATUS_SUCCESS - Indicates the call completed successfully. STATUS_NO_TOKEN - indicates the job object does not have a token --*/ { NTSTATUS Status ; PEJOB Job ; KPROCESSOR_MODE PreviousMode ; PreviousMode = KeGetPreviousMode(); Status = ObReferenceObjectByHandle( JobObject, JOB_OBJECT_QUERY, PsJobType, PreviousMode, &Job, NULL ); if ( NT_SUCCESS( Status ) ) { if ( Job->Token ) { ObReferenceObject( Job->Token ); *Token = Job->Token ; } else { Status = STATUS_NO_TOKEN ; } } return Status ; }

NTSTATUS PsOpenTokenOfProcess (  IN HANDLE  ProcessHandle, OUT PACCESS_TOKEN *  Token )

Definition at line 492 of file ps/security.c. References KPROCESSOR_MODE, NT_SUCCESS, NTSTATUS(), NULL, ObDereferenceObject, ObReferenceObjectByHandle(), PsProcessType, PsReferencePrimaryToken(), and Status. Referenced by NtOpenProcessToken(). : This function does the process specific processing of an NtOpenProcessToken() service. The service validates that the handle has appropriate access to referenced process. If so, it goes on to reference the primary token object to prevent it from going away while the rest of the NtOpenProcessToken() request is processed. NOTE: If this call completes successfully, the caller is responsible for decrementing the reference count of the target token. This must be done using the PsDereferencePrimaryToken() API. Arguments: ProcessHandle - Supplies a handle to a process object whose primary token is to be opened. Token - If successful, receives a pointer to the process's token object. Return Value: STATUS_SUCCESS - Indicates the call completed successfully. status may also be any value returned by an attemp the reference the process object for PROCESS_QUERY_INFORMATION access. --*/ { NTSTATUS Status; PEPROCESS Process; KPROCESSOR_MODE PreviousMode; PreviousMode = KeGetPreviousMode(); // // Make sure the handle grants the appropriate access to the specified // process. // Status = ObReferenceObjectByHandle( ProcessHandle, PROCESS_QUERY_INFORMATION, PsProcessType, PreviousMode, (PVOID *)&Process, NULL ); if (!NT_SUCCESS(Status)) { return Status; } // // Reference the primary token // (This takes care of gaining exlusive access to the process // security fields for us) // (*Token) = PsReferencePrimaryToken( Process ); // // Done with the process object // ObDereferenceObject( Process ); return STATUS_SUCCESS; }

NTSTATUS PsOpenTokenOfThread (  IN HANDLE  ThreadHandle, IN BOOLEAN  OpenAsSelf, OUT PACCESS_TOKEN *  Token, OUT PBOOLEAN  CopyOnOpen, OUT PBOOLEAN  EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL  ImpersonationLevel )

Definition at line 326 of file ps/security.c. References FALSE, KPROCESSOR_MODE, NT_SUCCESS, NTSTATUS(), NULL, ObDereferenceObject, ObReferenceObjectByHandle(), PsDereferenceImpersonationToken, PsDisableImpersonation(), PsGetCurrentThread, PsReferenceImpersonationToken(), PsRestoreImpersonation(), PsThreadType, Status, ThreadHandle, and Token. : This function does the thread specific processing of an NtOpenThreadToken() service. The service validates that the handle has appropriate access to reference the thread. If so, it goes on to increment the reference count of the token object to prevent it from going away while the rest of the NtOpenThreadToken() request is processed. NOTE: If this call completes successfully, the caller is responsible for decrementing the reference count of the target token. This must be done using PsDereferenceImpersonationToken(). Arguments: ThreadHandle - Supplies a handle to a thread object. OpenAsSelf - Is a boolean value indicating whether the access should be made using the calling thread's current security context, which may be that of a client (if impersonating), or using the caller's process-level security context. A value of FALSE indicates the caller's current context should be used un-modified. A value of TRUE indicates the request should be fulfilled using the process level security context. Token - If successful, receives a pointer to the thread's token object. CopyOnOpen - The current value of the Thread->Client->CopyOnOpen field. EffectiveOnly - The current value of the Thread->Client->EffectiveOnly field. ImpersonationLevel - The current value of the Thread->Client->ImpersonationLevel field. Return Value: STATUS_SUCCESS - Indicates the call completed successfully. STATUS_NO_TOKEN - Indicates the referenced thread is not currently impersonating a client. STATUS_CANT_OPEN_ANONYMOUS - Indicates the client requested anonymous impersonation level. An anonymous token can not be openned. status may also be any value returned by an attemp the reference the thread object for THREAD_QUERY_INFORMATION access. --*/ { NTSTATUS Status; PETHREAD Thread; KPROCESSOR_MODE PreviousMode; SE_IMPERSONATION_STATE DisabledImpersonationState; BOOLEAN RestoreImpersonationState = FALSE; PreviousMode = KeGetPreviousMode(); // // Disable impersonation if necessary // if (OpenAsSelf) { RestoreImpersonationState = PsDisableImpersonation( PsGetCurrentThread(), &DisabledImpersonationState ); } // // Make sure the handle grants the appropriate access to the specified // thread. // Status = ObReferenceObjectByHandle( ThreadHandle, THREAD_QUERY_INFORMATION, PsThreadType, PreviousMode, (PVOID *)&Thread, NULL ); if (RestoreImpersonationState) { PsRestoreImpersonation( PsGetCurrentThread(), &DisabledImpersonationState ); } if (!NT_SUCCESS(Status)) { return Status; } // // Reference the impersonation token, if there is one // (*Token) = PsReferenceImpersonationToken( Thread, CopyOnOpen, EffectiveOnly, ImpersonationLevel ); // // dereference the target thread. // ObDereferenceObject( Thread ); // // Make sure there is a token // if ((*Token) == NULL) { return STATUS_NO_TOKEN; } // // Make sure the ImpersonationLevel is high enough to allow // the token to be openned. // if ((*ImpersonationLevel) <= SecurityAnonymous) { PsDereferenceImpersonationToken( (*Token) ); (*Token) = NULL; return STATUS_CANT_OPEN_ANONYMOUS; } return STATUS_SUCCESS; }

NTSTATUS PspAssignPrimaryToken (  IN PEPROCESS  Process, IN HANDLE Token  OPTIONAL, IN PACCESS_TOKEN TokenPointer  OPTIONAL )

Definition at line 1256 of file ps/security.c. References KPROCESSOR_MODE, NT_SUCCESS, NTSTATUS(), NULL, ObDereferenceObject, ObReferenceObjectByHandle(), PsFreeProcessSecurityFields, PsLockProcessSecurityFields, SeExchangePrimaryToken(), SeTokenObjectType, Status, and Token. Referenced by PspSetPrimaryToken(). : This function performs the security portions of primary token assignment. It is expected that the proper access to the process and thread objects, as well as necessary privilege, has already been established. A primary token can only be replaced if the process has no threads, or has one thread. This is because the thread objects point to the primary token and must have those pointers updated when the primary token is changed. This is only expected to be necessary at logon time, when the process is in its infancy and either has zero threads or maybe one inactive thread. If the assignment is successful, the old token is dereferenced and the new one is referenced. Arguments: Process - A pointer to the process whose primary token is being replaced. Token - The handle value of the token to be assigned as the primary token. Return Value: STATUS_SUCCESS - Indicates the primary token has been successfully replaced. STATUS_BAD_TOKEN_TYPE - Indicates the token is not of type TokenPrimary. STATUS_TOKEN_IN_USE - Indicates the token is already in use by another process. Other status may be returned when attempting to reference the token object. --*/ { NTSTATUS Status; PACCESS_TOKEN NewToken, OldToken; KPROCESSOR_MODE PreviousMode; if ( TokenPointer == NULL ) { PreviousMode = KeGetPreviousMode(); // // Reference the specified token, and make sure it can be assigned // as a primary token. // Status = ObReferenceObjectByHandle ( Token, TOKEN_ASSIGN_PRIMARY, SeTokenObjectType(), PreviousMode, (PVOID *)&NewToken, NULL ); if ( !NT_SUCCESS(Status) ) { return Status; } } else { NewToken = TokenPointer ; } // // Lock the process security fields. // PsLockProcessSecurityFields(); // // This routine makes sure the NewToken is suitable for assignment // as a primary token. // Status = SeExchangePrimaryToken( Process, NewToken, &OldToken ); // // Release the process security fields // PsFreeProcessSecurityFields(); // // Free the old token (we don't need it). // This can't be done while the security fields are locked. // if (NT_SUCCESS( Status )) { ObDereferenceObject( OldToken ); } // // Undo the handle reference // if ( TokenPointer == NULL ) { ObDereferenceObject( NewToken ); } return Status; }

VOID PspDeleteProcessSecurity (  IN PEPROCESS  Process  )

Definition at line 1206 of file ps/security.c. References NULL, and SeDeassignPrimaryToken(). Referenced by PspCreateProcess(), and PspProcessDelete(). : This function cleans up a process's security fields as part of process deletion. It is assumed no other references to the process can occur during or after a call to this routine. This enables us to reference the process security fields without acquiring the lock protecting those fields. NOTE: It may be desirable to add auditing capability to this routine at some point. Arguments: Process - A pointer to the process being deleted. Return Value: None. --*/ { // // If we are deleting a process that didn't successfully complete // process initialization, then there may be no token associated // with it yet. // if (ARGUMENT_PRESENT(Process->Token)) { SeDeassignPrimaryToken( Process ); Process->Token = NULL; } return; }

VOID PspDeleteThreadSecurity (  IN PETHREAD  Thread  )

Definition at line 1436 of file ps/security.c. References ExFreePool(), FALSE, NULL, and ObDereferenceObject. Referenced by PspThreadDelete(). : This function cleans up a thread's security fields as part of thread deletion. It is assumed no other references to the thread can occur during or after a call to this routine, so no locking is necessary to access the thread security fields. Arguments: Thread - A pointer to the thread being deleted. Return Value: None. --*/ { // // clean-up client information, if there is any. // if ( Thread->ActiveImpersonationInfo ) { ObDereferenceObject( Thread->ImpersonationInfo->Token ); } if ( Thread->ImpersonationInfo ) { ExFreePool( Thread->ImpersonationInfo ); Thread->ActiveImpersonationInfo = FALSE; Thread->ImpersonationInfo = NULL; } return; }

NTSTATUS PspInitializeProcessSecurity (  IN PEPROCESS Parent  OPTIONAL, IN PEPROCESS  Child )

Definition at line 1117 of file ps/security.c. References NT_SUCCESS, NTSTATUS(), NULL, PspBootAccessToken, SeAssignPrimaryToken(), SeSubProcessToken(), and Status. Referenced by PspCreateProcess(). 01124 : 01125 01126 This function initializes a new process's security fields, including 01127 the assignment of a new primary token. 01128 01129 The child process is assumed to not yet have been inserted into 01130 an object table. 01131 01132 NOTE: IT IS EXPECTED THAT THIS SERVICE WILL BE CALLED WITH A NULL 01133 PARENT PROCESS POINTER EXACTLY ONCE - FOR THE INITIAL SYSTEM 01134 PROCESS. 01135 01136 01137 Arguments: 01138 01139 Parent - An optional pointer to the process being used as the parent 01140 of the new process. If this value is NULL, then the process is 01141 assumed to be the initial system process, and the boot token is 01142 assigned rather than a duplicate of the parent process's primary 01143 token. 01144 01145 Child - Supplies the address of the process being initialized. This 01146 process does not yet require security field contention protection. 01147 In particular, the security fields may be accessed without first 01148 acquiring the process security fields lock. 01149 01150 01151 01152 Return Value: 01153 01154 01155 --*/ 01156 01157 { 01158 NTSTATUS 01159 Status; 01160 01161 01162 // 01163 // Assign the primary token 01164 // 01165 01166 if (ARGUMENT_PRESENT(Parent)) { 01167 01168 // 01169 // create the primary token 01170 // This is a duplicate of the parent's token. 01171 // 01172 01173 Status = SeSubProcessToken( 01174 Parent, 01175 &Child->Token 01176 ); 01177 01178 if (!NT_SUCCESS(Status)) { 01179 Child->Token = NULL; // Needed to ensure proper deletion 01180 } 01181 01182 } else { 01183 01184 // 01185 // Reference and assign the boot token 01186 // 01187 // The use of a single boot access token assumes there is 01188 // exactly one parentless process in the system - the initial 01189 // process. If this ever changes, this code will need to change 01190 // to match the new condition (so that a token doesn't end up 01191 // being shared by multiple processes. 01192 // 01193 01194 Child->Token = NULL; 01195 SeAssignPrimaryToken( Child, PspBootAccessToken ); 01196 Status = STATUS_SUCCESS; 01197 01198 01199 } 01200 01201 return Status; 01202 01203 }

VOID PspInitializeThreadSecurity (  IN PEPROCESS  Process, IN PETHREAD  Thread )

Definition at line 1395 of file ps/security.c. References FALSE, and NULL. Referenced by PspCreateThread(). : This function initializes a new thread's security fields. Arguments: Process - Points to the process the thread belongs to. Thread - Points to the thread object being initialized. Return Value: None. --*/ { // // Initially not impersonating anyone. // Thread->ImpersonationInfo = NULL; Thread->ActiveImpersonationInfo = FALSE; return; }

PACCESS_TOKEN PsReferenceEffectiveToken (  IN PETHREAD  Thread, OUT PTOKEN_TYPE  TokenType, OUT PBOOLEAN  EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL  ImpersonationLevel )

Definition at line 208 of file ps/security.c. References ASSERT, FALSE, ObReferenceObject, PsFreeProcessSecurityFields, PsLockProcessSecurityFields, THREAD_TO_PROCESS, ThreadObject, and Token. Referenced by SeCreateClientSecurity(). 00217 : 00218 00219 This function returns a pointer to the effective token of a thread. The 00220 effective token of a thread is the thread's impersonation token if it has 00221 one. Otherwise, it is the primary token of the thread's process. 00222 00223 The reference count of the effective token is incremented to protect 00224 the pointer returned. 00225 00226 If the thread is impersonating a client, then the impersonation level 00227 is also returned. 00228 00229 Either PsDereferenceImpersonationToken() (for an impersonation token) or 00230 PsDereferencePrimaryToken() (for a primary token) must be called to 00231 decrement the token's reference count when the pointer is no longer 00232 needed. 00233 00234 00235 Arguments: 00236 00237 Thread - Supplies the address of the thread whose effective token 00238 is to be referenced. 00239 00240 TokenType - Receives the type of the effective token. If the thread 00241 is currently impersonating a client, then this will be 00242 TokenImpersonation. Othwerwise, it will be TokenPrimary. 00243 00244 EffectiveOnly - If the token type is TokenImpersonation, then this 00245 receives the value of the client thread's Thread->Client->EffectiveOnly field. 00246 Otherwise, it is set to FALSE. 00247 00248 ImpersonationLevel - The current value of the Thread->Client->ImpersonationLevel 00249 field for an impersonation token and is not set for a primary token. 00250 00251 Return Value: 00252 00253 A pointer to the specified thread's effective token. 00254 00255 --*/ 00256 00257 { 00258 PACCESS_TOKEN 00259 Token; 00260 00261 ASSERT( Thread->Tcb.Header.Type == ThreadObject ); 00262 00263 // 00264 // Lock the process security fields. 00265 // 00266 00267 PsLockProcessSecurityFields(); 00268 00269 // 00270 // Grab the current impersonation token pointer value 00271 // 00272 00273 00274 if ( Thread->ActiveImpersonationInfo ) { 00275 00276 Token = Thread->ImpersonationInfo->Token; 00277 00278 // 00279 // Return the thread's impersonation level, etc. 00280 // 00281 00282 (*TokenType) = TokenImpersonation; 00283 (*EffectiveOnly) = Thread->ImpersonationInfo->EffectiveOnly; 00284 (*ImpersonationLevel) = Thread->ImpersonationInfo->ImpersonationLevel; 00285 00286 00287 00288 } else { 00289 00290 // 00291 // Get the thread's primary token if it wasn't impersonating a client. 00292 // 00293 00294 Token = THREAD_TO_PROCESS(Thread)->Token; 00295 00296 00297 // 00298 // Only the TokenType and CopyOnOpen OUT parameters are 00299 // returned for a primary token. 00300 // 00301 00302 (*TokenType) = TokenPrimary; 00303 (*EffectiveOnly) = FALSE; 00304 00305 } 00306 00307 // 00308 // Increment the reference count of the token to protect our 00309 // pointer. 00310 // 00311 00312 ObReferenceObject(Token); 00313 00314 // 00315 // Release the security fields. 00316 // 00317 00318 PsFreeProcessSecurityFields(); 00319 00320 00321 return Token; 00322 00323 }

PACCESS_TOKEN PsReferenceImpersonationToken (  IN PETHREAD  Thread, OUT PBOOLEAN  CopyOnOpen, OUT PBOOLEAN  EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL  ImpersonationLevel )

Definition at line 97 of file ps/security.c. References ASSERT, NULL, ObReferenceObject, PsFreeProcessSecurityFields, PsLockProcessSecurityFields, ThreadObject, and Token. Referenced by GetProcessLuid(), IsRestricted(), PsOpenTokenOfThread(), SeCaptureSubjectContext(), and SepOpenTokenOfThread(). 00106 : 00107 00108 This function returns a pointer to the impersonation token of a thread. 00109 The reference count of that impersonation token is incremented to protect 00110 the pointer returned. 00111 00112 If the thread is not currently impersonating a client, then a null pointer 00113 is returned. 00114 00115 If the thread is impersonating a client, then information about the 00116 means of impersonation are also returned (ImpersonationLevel). 00117 00118 If a non-null value is returned, then PsDereferenceImpersonationToken() 00119 must be called to decrement the token's reference count when the pointer 00120 is no longer needed. 00121 00122 00123 Arguments: 00124 00125 Thread - Supplies the address of the thread whose impersonation token 00126 is to be referenced. 00127 00128 CopyOnOpen - The current value of the Thread->ImpersonationInfo->CopyOnOpen field. 00129 00130 EffectiveOnly - The current value of the Thread->ImpersonationInfo->EffectiveOnly field. 00131 00132 ImpersonationLevel - The current value of the Thread->ImpersonationInfo->ImpersonationLevel 00133 field. 00134 00135 Return Value: 00136 00137 A pointer to the specified thread's impersonation token. 00138 00139 If the thread is not currently impersonating a client, then NULL is 00140 returned. 00141 00142 --*/ 00143 00144 { 00145 PACCESS_TOKEN 00146 Token; 00147 00148 ASSERT( Thread->Tcb.Header.Type == ThreadObject ); 00149 // 00150 // before going through the lock overhead just look to see if it is 00151 // null. There is no race. Grabbing the lock is not needed until 00152 // we decide to use the token at which point we re check to see it 00153 // it is null. 00154 // This check saves about 300 instructions. 00155 // 00156 00157 if ( !Thread->ActiveImpersonationInfo ) { 00158 return NULL; 00159 } 00160 00161 00162 // 00163 // Lock the process security fields. 00164 // 00165 00166 PsLockProcessSecurityFields(); 00167 00168 // 00169 // Grab the current token pointer value 00170 // 00171 00172 00173 if ( Thread->ActiveImpersonationInfo ) { 00174 00175 // 00176 // Return the thread's impersonation level, etc. 00177 // 00178 00179 Token = Thread->ImpersonationInfo->Token; 00180 (*ImpersonationLevel) = Thread->ImpersonationInfo->ImpersonationLevel; 00181 (*CopyOnOpen) = Thread->ImpersonationInfo->CopyOnOpen; 00182 (*EffectiveOnly) = Thread->ImpersonationInfo->EffectiveOnly; 00183 00184 00185 // 00186 // Increment the reference count of the token to protect our 00187 // pointer. 00188 // 00189 00190 ObReferenceObject(Token); 00191 00192 } else { 00193 Token = NULL; 00194 } 00195 00196 00197 // 00198 // Release the security fields. 00199 // 00200 00201 PsFreeProcessSecurityFields(); 00202 00203 return Token; 00204 00205 }

PACCESS_TOKEN PsReferencePrimaryToken (  IN PEPROCESS  Process  )

Definition at line 28 of file ps/security.c. References ASSERT, ObReferenceObject, ProcessObject, PsFreeProcessSecurityFields, PsLockProcessSecurityFields, and Token. Referenced by CheckAllowForeground(), GetProcessLuid(), IsRestricted(), NtOpenThreadToken(), NtSecureConnectPort(), NtSetInformationProcess(), PsOpenTokenOfProcess(), PspCreateProcess(), PspCreateThread(), PspSetPrimaryToken(), SeCaptureSubjectContext(), SeIsChildToken(), SeIsChildTokenByPointer(), and SeSubProcessToken(). 00034 : 00035 00036 This function returns a pointer to the primary token of a process. 00037 The reference count of that primary token is incremented to protect 00038 the pointer returned. 00039 00040 When the pointer is no longer needed, it should be freed using 00041 PsDereferencePrimaryToken(). 00042 00043 00044 Arguments: 00045 00046 Process - Supplies the address of the process whose primary token 00047 is to be referenced. 00048 00049 Return Value: 00050 00051 A pointer to the specified process's primary token. 00052 00053 --*/ 00054 00055 { 00056 PACCESS_TOKEN 00057 Token; 00058 00059 ASSERT( Process->Pcb.Header.Type == ProcessObject ); 00060 00061 // 00062 // For performance sake, we may want to change this to use 00063 // an executive interlocked add routine in the future. 00064 // 00065 00066 00067 // 00068 // Lock the process security fields. 00069 // 00070 00071 PsLockProcessSecurityFields(); 00072 00073 // 00074 // Grab the current token pointer value 00075 // 00076 00077 Token = Process->Token; 00078 00079 // 00080 // Increment the reference count of the primary token to protect our 00081 // pointer. 00082 // 00083 00084 ObReferenceObject(Token); 00085 00086 // 00087 // Release the process security fields 00088 // 00089 00090 PsFreeProcessSecurityFields(); 00091 00092 return Token; 00093 00094 }

VOID PsRestoreImpersonation (  IN PETHREAD  Thread, IN PSE_IMPERSONATION_STATE  ImpersonationState )

Definition at line 990 of file ps/security.c. References ObDereferenceObject, and PsImpersonateClient(). Referenced by NtOpenThreadToken(), PsOpenTokenOfThread(), and SepOpenTokenOfThread(). : This routine restores an impersonation that has been temporarily disabled using PsDisableImpersonation(). Notice that if this routine finds the thread is already impersonating (again), then restoring the temporarily disabled impersonation will cause the current impersonation to be abandoned. Arguments: Thread - points to the thread whose impersonation is to be restored. ImpersontionState - receives the current impersontion information, including a pointer ot the impersonation token. Return Value: TRUE - Indicates the impersonation state has been saved and the impersonation has been temporarily disabled. FALSE - Indicates the specified thread was not impersonating a client. No action has been taken. --*/ { // // The processing for restore is identical to that for Impersonation, // except that the token's reference count will be incremented (and // so we need to do one dereference). PsImpersonateClient( Thread, ImpersonationState->Token, ImpersonationState->CopyOnOpen, ImpersonationState->EffectiveOnly, ImpersonationState->Level ); ObDereferenceObject( ImpersonationState->Token ); return; }

VOID PsRevertToSelf (   )

Definition at line 1051 of file ps/security.c. References _ETHREAD::ActiveImpersonationInfo, FALSE, _ETHREAD::ImpersonationInfo, NULL, ObDereferenceObject, PsFreeProcessSecurityFields, PsGetCurrentThread, PsLockProcessSecurityFields, and _PS_IMPERSONATION_INFORMATION::Token. Referenced by CmpWorker(). : This routine causes the calling thread to discontinue impersonating a client. If the thread is not currently impersonating a client, no action is taken. Arguments: None. Return Value: None. --*/ { PETHREAD Thread = PsGetCurrentThread(); PACCESS_TOKEN OldToken; // // Lock the process security fields // PsLockProcessSecurityFields(); // // See if the thread is impersonating a client // and dereference that token if so. // if ( Thread->ActiveImpersonationInfo ) { Thread->ActiveImpersonationInfo = FALSE; OldToken = Thread->ImpersonationInfo->Token; } else { OldToken = NULL; } // // Release the security fields // PsFreeProcessSecurityFields(); // // Free the old client info... // if ( OldToken ) { ObDereferenceObject( OldToken ); } return; }

---