tokenp.h File Reference

#include "ntos.h"
#include "sep.h"
#include "seopaque.h"

Go to the source code of this file.

Classes
struct	_TOKEN
struct	_IOBJECT_TYPE_LIST
Defines
#define	IF_TOKEN_GLOBAL(FlagName)   if (FALSE)
#define	TokenDiagPrint(FlagName, _Text_)   ;
#define	TOKEN_DIAG_TOKEN_LOCKS   ((ULONG) 0x00000001L)
#define	TOKEN_DEFAULT_DYNAMIC_CHARGE   500
#define	OBJECT_SUCCESS_AUDIT   0x1
#define	OBJECT_FAILURE_AUDIT   0x2
#define	SepAcquireTokenReadLock(T)
#define	SepAcquireTokenWriteLock(T)
#define	SepReleaseTokenReadLock(T)
#define	SepReleaseTokenWriteLock(T, M)
#define	SepArrayPrivilegeAttributes(P, I)   ( (P)[I].Attributes )
#define	SepTokenPrivilegeAttributes(T, I)   ( (T)->Privileges[I].Attributes )
#define	SepArrayGroupAttributes(G, I)   ( (G)[I].Attributes )
#define	SepTokenGroupAttributes(T, I)   ( (T)->UserAndGroups[I].Attributes )
Typedefs
typedef _TOKEN	TOKEN
typedef _TOKEN *	PTOKEN
typedef _IOBJECT_TYPE_LIST	IOBJECT_TYPE_LIST
typedef _IOBJECT_TYPE_LIST *	PIOBJECT_TYPE_LIST
Functions
NTSTATUS	SeCaptureObjectTypeList (IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, IN ULONG ObjectTypeListLength, IN KPROCESSOR_MODE RequestorMode, OUT PIOBJECT_TYPE_LIST *CapturedObjectTypeList)
VOID	SeFreeCapturedObjectTypeList (IN PVOID ObjectTypeList)
NTSTATUS	SepAdjustGroups (IN PTOKEN Token, IN BOOLEAN MakeChanges, IN BOOLEAN ResetToDefault, IN ULONG GroupCount OPTIONAL, IN PSID_AND_ATTRIBUTES NewState OPTIONAL, OUT PTOKEN_GROUPS PreviousState OPTIONAL, OUT PSID SidBuffer OPTIONAL, OUT PULONG ReturnLength, OUT PULONG ChangeCount, OUT PBOOLEAN ChangesMade)
NTSTATUS	SepAdjustPrivileges (IN PTOKEN Token, IN BOOLEAN MakeChanges, IN BOOLEAN DisableAllPrivileges, IN ULONG PrivilegeCount OPTIONAL, IN PLUID_AND_ATTRIBUTES NewState OPTIONAL, OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, OUT PULONG ReturnLength, OUT PULONG ChangeCount, OUT PBOOLEAN ChangesMade)
VOID	SepAppendDefaultDacl (IN PTOKEN Token, IN PACL PAcl)
VOID	SepAppendPrimaryGroup (IN PTOKEN Token, IN PSID PSid)
NTSTATUS	SepDuplicateToken (IN PTOKEN ExistingToken, IN POBJECT_ATTRIBUTES ObjectAttributes, IN BOOLEAN EffectiveOnly, IN TOKEN_TYPE TokenType, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel OPTIONAL, IN KPROCESSOR_MODE RequestorMode, OUT PTOKEN *DuplicateToken)
NTSTATUS	SepFilterToken (IN PTOKEN ExistingToken, IN KPROCESSOR_MODE RequestorMode, IN ULONG Flags, IN ULONG GroupCount, IN PSID_AND_ATTRIBUTES GroupsToDisable OPTIONAL, IN ULONG PrivilegeCount, IN PLUID_AND_ATTRIBUTES PrivilegesToDelete OPTIONAL, IN ULONG SidCount, IN PSID_AND_ATTRIBUTES RestrictedSids OPTIONAL, IN ULONG SidLength, OUT PTOKEN *FilteredToken)
BOOLEAN	SepSidInSidAndAttributes (IN PSID_AND_ATTRIBUTES SidAndAttributes, IN ULONG SidCount, IN PSID PrincipalSelfSid, IN PSID Sid)
VOID	SepRemoveDisabledGroupsAndPrivileges (IN PTOKEN Token, IN ULONG Flags, IN ULONG GroupCount, IN PSID_AND_ATTRIBUTES GroupsToDisable, IN ULONG PrivilegeCount, IN PLUID_AND_ATTRIBUTES PrivilegesToDelete)
VOID	SepFreeDefaultDacl (IN PTOKEN Token)
VOID	SepFreePrimaryGroup (IN PTOKEN Token)
BOOLEAN	SepIdAssignableAsOwner (IN PTOKEN Token, IN ULONG Index)
VOID	SepMakeTokenEffectiveOnly (IN PTOKEN Token)
BOOLEAN	SepTokenInitialization (VOID)
VOID	SepTokenDeleteMethod (IN PVOID Token)
BOOLEAN	SepPrivilegeCheck (IN PTOKEN Token, IN OUT PLUID_AND_ATTRIBUTES RequiredPrivileges, IN ULONG RequiredPrivilegeCount, IN ULONG PrivilegeSetControl, IN KPROCESSOR_MODE PreviousMode)
VOID	SepAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID PrincipalSelfSid, IN PTOKEN PrimaryToken, IN PTOKEN ClientToken OPTIONAL, IN ACCESS_MASK DesiredAccess, IN PIOBJECT_TYPE_LIST ObjectTypeList OPTIONAL, IN ULONG ObjectTypeListLength, IN PGENERIC_MAPPING GenericMapping, IN ACCESS_MASK PreviouslyGrantedAccess, IN KPROCESSOR_MODE PreviousMode, OUT PACCESS_MASK GrantedAccess, OUT PPRIVILEGE_SET *Privileges OPTIONAL, OUT PNTSTATUS AccessStatus, IN BOOLEAN ReturnResultList, OUT PBOOLEAN ReturnSomeAccessGranted, OUT PBOOLEAN ReturnSomeAccessDenied)
BOOLEAN	SepObjectInTypeList (IN GUID *ObjectType, IN PIOBJECT_TYPE_LIST ObjectTypeList, IN ULONG ObjectTypeListLength, OUT PULONG ReturnedIndex)
Variables
GENERIC_MAPPING	SepTokenMapping
POBJECT_TYPE	SepTokenObjectType
ERESOURCE	SepTokenLock

---

Define Documentation

#define IF_TOKEN_GLOBAL (  FlagName   )     if (FALSE)

Definition at line 87 of file tokenp.h.

#define OBJECT_FAILURE_AUDIT   0x2

Definition at line 377 of file tokenp.h. Referenced by SepAdtOpenObjectAuditAlarm(), SepAuditTypeList(), and SepSetAuditInfoForObjectType().

#define OBJECT_SUCCESS_AUDIT   0x1

Definition at line 376 of file tokenp.h. Referenced by SepAdtOpenObjectAuditAlarm(), SepAuditTypeList(), and SepSetAuditInfoForObjectType().

#define SepAcquireTokenReadLock (  T   )

Value: KeEnterCriticalRegion(); \ ExAcquireResourceShared(&SepTokenLock, TRUE) Definition at line 413 of file tokenp.h. Referenced by NtDuplicateToken(), NtFilterToken(), NtQueryInformationToken(), SeAccessCheckByType(), SeFilterToken(), SeGetTokenControlInformation(), SeIsChildToken(), SeIsChildTokenByPointer(), SeLockSubjectContext(), SepDuplicateToken(), SepFilterToken(), SepIdAssignableAsGroup(), SepPrivilegeCheck(), SepTokenIsOwner(), SepValidOwnerSubjectContext(), SeQueryAuthenticationIdToken(), SeQueryInformationToken(), and SeQuerySessionIdToken().

#define SepAcquireTokenWriteLock (  T   )

Value: KeEnterCriticalRegion(); \ ExAcquireResourceExclusive(&SepTokenLock, TRUE) Definition at line 416 of file tokenp.h. Referenced by NtAdjustGroupsToken(), NtAdjustPrivilegesToken(), NtSetInformationToken(), and SeSetSessionIdToken().

#define SepArrayGroupAttributes (  G, I   )     ( (G)[I].Attributes )

Definition at line 479 of file tokenp.h. Referenced by SepAdjustGroups(), and SepCreateToken().

#define SepArrayPrivilegeAttributes (  P, I   )     ( (P)[I].Attributes )

Definition at line 460 of file tokenp.h. Referenced by SepAdjustPrivileges().

#define SepReleaseTokenReadLock (  T   )

Value: ExReleaseResource(&SepTokenLock); \ KeLeaveCriticalRegion() Definition at line 419 of file tokenp.h. Referenced by NtDuplicateToken(), NtFilterToken(), NtQueryInformationToken(), SeAccessCheckByType(), SeFilterToken(), SeGetTokenControlInformation(), SeIsChildToken(), SeIsChildTokenByPointer(), SepDuplicateToken(), SepFilterToken(), SepIdAssignableAsGroup(), SepPrivilegeCheck(), SepTokenIsOwner(), SepValidOwnerSubjectContext(), SeQueryAuthenticationIdToken(), SeQueryInformationToken(), SeQuerySessionIdToken(), and SeUnlockSubjectContext().

#define SepReleaseTokenWriteLock (  T, M   )

Value: { \ if ((M)) { \ ExAllocateLocallyUniqueId( &((PTOKEN)(T))->ModifiedId ); \ } \ SepReleaseTokenReadLock( T ); \ } Definition at line 444 of file tokenp.h. Referenced by NtAdjustGroupsToken(), NtAdjustPrivilegesToken(), NtSetInformationToken(), and SeSetSessionIdToken().

#define SepTokenGroupAttributes (  T, I   )     ( (T)->UserAndGroups[I].Attributes )

Definition at line 489 of file tokenp.h. Referenced by SepAdjustGroups(), SepIdAssignableAsOwner(), and SepMakeTokenEffectiveOnly().

#define SepTokenPrivilegeAttributes (  T, I   )     ( (T)->Privileges[I].Attributes )

Definition at line 470 of file tokenp.h. Referenced by SepAdjustPrivileges(), and SepMakeTokenEffectiveOnly().

#define TOKEN_DEFAULT_DYNAMIC_CHARGE   500

Definition at line 124 of file tokenp.h. Referenced by SepCreateToken().

#define TOKEN_DIAG_TOKEN_LOCKS   ((ULONG) 0x00000001L)

Definition at line 108 of file tokenp.h.

#define TokenDiagPrint (  FlagName, _Text_   )     ;

Definition at line 93 of file tokenp.h.

---

Typedef Documentation

typedef struct _IOBJECT_TYPE_LIST IOBJECT_TYPE_LIST

Referenced by SeCaptureObjectTypeList().

typedef struct _IOBJECT_TYPE_LIST * PIOBJECT_TYPE_LIST

typedef struct _TOKEN * PTOKEN

typedef struct _TOKEN TOKEN

Referenced by CmpParseInfBuffer().

---

Function Documentation

NTSTATUS SeCaptureObjectTypeList (  IN POBJECT_TYPE_LIST ObjectTypeList  OPTIONAL, IN ULONG  ObjectTypeListLength, IN KPROCESSOR_MODE  RequestorMode, OUT PIOBJECT_TYPE_LIST *  CapturedObjectTypeList )

Definition at line 144 of file accessck.c. References _IOBJECT_TYPE_LIST::CurrentDenied, _IOBJECT_TYPE_LIST::CurrentGranted, ExAllocatePoolWithTag, EXCEPTION_EXECUTE_HANDLER, ExFreePool(), _IOBJECT_TYPE_LIST::Flags, IOBJECT_TYPE_LIST, IsValidElementCount, _IOBJECT_TYPE_LIST::Level, NTSTATUS(), NULL, _IOBJECT_TYPE_LIST::ObjectType, PAGED_CODE, PagedPool, _IOBJECT_TYPE_LIST::ParentIndex, ProbeForRead, _IOBJECT_TYPE_LIST::Remaining, Status, UserMode, and USHORT. Referenced by SeAccessCheckByType(), and SepAccessCheckAndAuditAlarm(). : This routine probes and captures a copy of any object type list that might have been provided via the ObjectTypeList argument. The object type list is converted to the internal form that explicitly specifies the hierarchical relationship between the entries. The object typs list is validated to ensure a valid hierarchical relationship is represented. Arguments: ObjectTypeList - The object type list from which the type list information is to be retrieved. ObjectTypeListLength - Number of elements in ObjectTypeList RequestorMode - Indicates the processor mode by which the access is being requested. CapturedObjectTypeList - Receives the captured type list which must be freed using SeFreeCapturedObjectTypeList(). Return Value: STATUS_SUCCESS indicates no exceptions were encountered. Any access violations encountered will be returned. --*/ { NTSTATUS Status = STATUS_SUCCESS; ULONG i; PIOBJECT_TYPE_LIST LocalTypeList = NULL; ULONG Levels[ACCESS_MAX_LEVEL+1]; PAGED_CODE(); // // Set default return // *CapturedObjectTypeList = NULL; if (RequestorMode != UserMode) { return STATUS_NOT_IMPLEMENTED; } try { if ( ObjectTypeListLength == 0 ) { // Drop through } else if ( !ARGUMENT_PRESENT(ObjectTypeList) ) { Status = STATUS_INVALID_PARAMETER; } else { if ( !IsValidElementCount( ObjectTypeListLength, IOBJECT_TYPE_LIST ) ) { Status = STATUS_INVALID_PARAMETER ; // // No more to do, get out of the try statement: // leave ; } ProbeForRead( ObjectTypeList, sizeof(OBJECT_TYPE_LIST) * ObjectTypeListLength, sizeof(ULONG) ); // // Allocate a buffer to copy into. // LocalTypeList = ExAllocatePoolWithTag( PagedPool, sizeof(IOBJECT_TYPE_LIST) * ObjectTypeListLength, 'tOeS' ); if ( LocalTypeList == NULL ) { Status = STATUS_INSUFFICIENT_RESOURCES; // // Copy the callers structure to the local structure. // } else { GUID * CapturedObjectType; for ( i=0; i<ObjectTypeListLength; i++ ) { USHORT CurrentLevel; // // Limit ourselves // CurrentLevel = ObjectTypeList[i].Level; if ( CurrentLevel > ACCESS_MAX_LEVEL ) { Status = STATUS_INVALID_PARAMETER; break; } // // Copy data the caller passed in // LocalTypeList[i].Level = CurrentLevel; LocalTypeList[i].Flags = 0; CapturedObjectType = ObjectTypeList[i].ObjectType; ProbeForRead( CapturedObjectType, sizeof(GUID), sizeof(ULONG) ); LocalTypeList[i].ObjectType = *CapturedObjectType; LocalTypeList[i].Remaining = 0; LocalTypeList[i].CurrentGranted = 0; LocalTypeList[i].CurrentDenied = 0; // // Ensure that the level number is consistent with the // level number of the previous entry. // if ( i == 0 ) { if ( CurrentLevel != 0 ) { Status = STATUS_INVALID_PARAMETER; break; } } else { // // The previous entry is either: // my immediate parent, // my sibling, or // the child (or grandchild, etc.) of my sibling. // if ( CurrentLevel > LocalTypeList[i-1].Level + 1 ) { Status = STATUS_INVALID_PARAMETER; break; } // // Don't support two roots. // if ( CurrentLevel == 0 ) { Status = STATUS_INVALID_PARAMETER; break; } } // // If the above rules are maintained, // then my parent object is the last object seen that // has a level one less than mine. // if ( CurrentLevel == 0 ) { LocalTypeList[i].ParentIndex = -1; } else { LocalTypeList[i].ParentIndex = Levels[CurrentLevel-1]; } // // Save this obect as the last object seen at this level. // Levels[CurrentLevel] = i; } } } // end_if } except(EXCEPTION_EXECUTE_HANDLER) { // // If we captured any proxy data, we need to free it now. // if ( LocalTypeList != NULL ) { ExFreePool( LocalTypeList ); LocalTypeList = NULL; } Status = GetExceptionCode(); } // end_try *CapturedObjectTypeList = LocalTypeList; return Status; }

VOID SeFreeCapturedObjectTypeList (  IN PVOID  ObjectTypeList  )

Definition at line 353 of file accessck.c. References ExFreePool(), NULL, and PAGED_CODE. Referenced by SeAccessCheckByType(), and SepAccessCheckAndAuditAlarm(). : This routine frees the data associated with a captured ObjectTypeList structure. Arguments: ObjectTypeList - Points to a captured object type list structure. Return Value: None. --*/ { PAGED_CODE(); if ( ObjectTypeList != NULL ) { ExFreePool( ObjectTypeList ); } return; }

VOID SepAccessCheck (  IN PSECURITY_DESCRIPTOR  SecurityDescriptor, IN PSID  PrincipalSelfSid, IN PTOKEN  PrimaryToken, IN PTOKEN ClientToken  OPTIONAL, IN ACCESS_MASK  DesiredAccess, IN PIOBJECT_TYPE_LIST ObjectTypeList  OPTIONAL, IN ULONG  ObjectTypeListLength, IN PGENERIC_MAPPING  GenericMapping, IN ACCESS_MASK  PreviouslyGrantedAccess, IN KPROCESSOR_MODE  PreviousMode, OUT PACCESS_MASK  GrantedAccess, OUT PPRIVILEGE_SET *Privileges  OPTIONAL, OUT PNTSTATUS  AccessStatus, IN BOOLEAN  ReturnResultList, OUT PBOOLEAN  ReturnSomeAccessGranted, OUT PBOOLEAN  ReturnSomeAccessDenied )

Definition at line 1564 of file accessck.c. References ASSERT, ClientToken, _IOBJECT_TYPE_LIST::CurrentGranted, Dacl, FALSE, FirstAce, Index, NextAce, NT_SUCCESS, NTSTATUS(), NULL, PAGED_CODE, PrimaryToken, PTOKEN, _IOBJECT_TYPE_LIST::Remaining, SeAssertMappedCanonicalAccess, SepAddAccessTypeList(), SepAssemblePrivileges(), SepDumpSecurityDescriptor(), SepDumpTokenInfo(), SepMaximumAccessCheck(), SepNormalAccessCheck(), SepObjectInTypeList(), SepSidInToken(), SepSinglePrivilegeCheck(), SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeTokenIsRestricted(), Status, TRUE, and UpdateRemaining. Referenced by SeAccessCheck(), SeAccessCheckByType(), and SepAccessCheckAndAuditAlarm(). : Worker routine for SeAccessCheck and NtAccessCheck. We actually do the access checking here. Whether or not we actually evaluate the DACL is based on the following interaction between the SE_DACL_PRESENT bit in the security descriptor and the value of the DACL pointer itself. SE_DACL_PRESENT SET CLEAR +-------------+-------------+ | | | NULL | GRANT | GRANT | | ALL | ALL | DACL | | | Pointer +-------------+-------------+ | | | !NULL | EVALUATE | GRANT | | ACL | ALL | | | | +-------------+-------------+ Arguments: SecurityDescriptor - Pointer to the security descriptor from the object being accessed. PrincipalSelfSid - If the object being access checked is an object which represents a principal (e.g., a user object), this parameter should be the SID of the object. Any ACE containing the constant PRINCIPAL_SELF_SID is replaced by this SID. The parameter should be NULL if the object does not represent a principal. Token - Pointer to user's token object. TokenLocked - Boolean describing whether or not there is a read lock on the token. DesiredAccess - Access mask describing the user's desired access to the object. This mask is assumed not to contain generic access types. ObjectTypeList - Supplies a list of GUIDs representing the object (and sub-objects) being accessed. If no list is present, AccessCheckByType behaves identically to AccessCheck. ObjectTypeListLength - Specifies the number of elements in the ObjectTypeList. GenericMapping - Supplies a pointer to the generic mapping associated with this object type. PreviouslyGrantedAccess - Access mask indicating any access' that have already been granted by higher level routines PrivilgedAccessMask - Mask describing access types that may not be granted without a privilege. GrantedAccess - Returns an access mask describing all granted access', or NULL. Privileges - Optionally supplies a pointer in which will be returned any privileges that were used for the access. If this is null, it will be assumed that privilege checks have been done already. AccessStatus - Returns STATUS_SUCCESS or other error code to be propogated back to the caller ReturnResultList - If true, GrantedAccess and AccessStatus is actually an array of entries ObjectTypeListLength elements long. ReturnSomeAccessGranted - Returns a value of TRUE to indicate that some access' were granted, FALSE otherwise. ReturnSomeAccessDenied - Returns a value of FALSE if some of the requested access was not granted. This will alway be an inverse of SomeAccessGranted unless ReturnResultList is TRUE. In that case, Return Value: A value of TRUE indicates that some access' were granted, FALSE otherwise. --*/ { NTSTATUS Status; ACCESS_MASK Remaining; PACL Dacl; PVOID Ace; ULONG AceCount; ULONG i; ULONG j; ULONG Index; ULONG PrivilegeCount = 0; BOOLEAN Success = FALSE; BOOLEAN SystemSecurity = FALSE; BOOLEAN WriteOwner = FALSE; PTOKEN EToken; IOBJECT_TYPE_LIST FixedTypeList; PIOBJECT_TYPE_LIST LocalTypeList; ULONG LocalTypeListLength; ULONG ResultListIndex; PAGED_CODE(); #if DBG SepDumpSecurityDescriptor( SecurityDescriptor, "Input to SeAccessCheck\n" ); if (ARGUMENT_PRESENT( ClientToken )) { SepDumpTokenInfo( ClientToken ); } SepDumpTokenInfo( PrimaryToken ); #endif EToken = ARGUMENT_PRESENT( ClientToken ) ? ClientToken : PrimaryToken; // // Assert that there are no generic accesses in the DesiredAccess // SeAssertMappedCanonicalAccess( DesiredAccess ); Remaining = DesiredAccess; // // Check for ACCESS_SYSTEM_SECURITY here, // fail if he's asking for it and doesn't have // the privilege. // if ( Remaining & ACCESS_SYSTEM_SECURITY ) { // // Bugcheck if we weren't given a pointer to return privileges // into. Our caller was supposed to have taken care of this // in that case. // ASSERT( ARGUMENT_PRESENT( Privileges )); Success = SepSinglePrivilegeCheck ( SeSecurityPrivilege, EToken, PreviousMode ); if (!Success) { PreviouslyGrantedAccess = 0; Status = STATUS_PRIVILEGE_NOT_HELD; goto ReturnOneStatus; } // // Success, remove ACCESS_SYSTEM_SECURITY from remaining, add it // to PreviouslyGrantedAccess // Remaining &= ~ACCESS_SYSTEM_SECURITY; PreviouslyGrantedAccess |= ACCESS_SYSTEM_SECURITY; PrivilegeCount++; SystemSecurity = TRUE; if ( Remaining == 0 ) { Status = STATUS_SUCCESS; goto ReturnOneStatus; } } // // Get pointer to client SID's // Dacl = RtlpDaclAddrSecurityDescriptor( (PISECURITY_DESCRIPTOR)SecurityDescriptor ); // // If the SE_DACL_PRESENT bit is not set, the object has no // security, so all accesses are granted. If he's asking for // MAXIMUM_ALLOWED, return the GENERIC_ALL field from the generic // mapping. // // Also grant all access if the Dacl is NULL. // if ( !RtlpAreControlBitsSet( (PISECURITY_DESCRIPTOR)SecurityDescriptor, SE_DACL_PRESENT) || (Dacl == NULL)) { // // Restricted tokens treat a NULL dacl the same as a DACL with no // ACEs. // #ifdef SECURE_NULL_DACLS if (SeTokenIsRestricted( EToken )) { // // We know that Remaining != 0 here, because we // know it was non-zero coming into this routine, // and we've checked it against 0 every time we've // cleared a bit. // ASSERT( Remaining != 0 ); // // There are ungranted accesses. Since there is // nothing in the DACL, they will not be granted. // If, however, the only ungranted access at this // point is MAXIMUM_ALLOWED, and something has been // granted in the PreviouslyGranted mask, return // what has been granted. // if ( (Remaining == MAXIMUM_ALLOWED) && (PreviouslyGrantedAccess != (ACCESS_MASK)0) ) { Status = STATUS_SUCCESS; goto ReturnOneStatus; } else { PreviouslyGrantedAccess = 0; Status = STATUS_ACCESS_DENIED; goto ReturnOneStatus; } } #endif //SECURE_NULL_DACLS if (DesiredAccess & MAXIMUM_ALLOWED) { // // Give him: // GenericAll // Anything else he asked for // PreviouslyGrantedAccess = GenericMapping->GenericAll | (DesiredAccess | PreviouslyGrantedAccess) & ~MAXIMUM_ALLOWED; } else { PreviouslyGrantedAccess |= DesiredAccess; } Status = STATUS_SUCCESS; goto ReturnOneStatus; } // // There is security on this object. Check to see // if he's asking for WRITE_OWNER, and perform the // privilege check if so. // if ( (Remaining & WRITE_OWNER) && ARGUMENT_PRESENT( Privileges ) ) { Success = SepSinglePrivilegeCheck ( SeTakeOwnershipPrivilege, EToken, PreviousMode ); if (Success) { // // Success, remove WRITE_OWNER from remaining, add it // to PreviouslyGrantedAccess // Remaining &= ~WRITE_OWNER; PreviouslyGrantedAccess |= WRITE_OWNER; PrivilegeCount++; WriteOwner = TRUE; if ( Remaining == 0 ) { Status = STATUS_SUCCESS; goto ReturnOneStatus; } } } // // If the DACL is empty, // deny all access immediately. // if ((AceCount = Dacl->AceCount) == 0) { // // We know that Remaining != 0 here, because we // know it was non-zero coming into this routine, // and we've checked it against 0 every time we've // cleared a bit. // ASSERT( Remaining != 0 ); // // There are ungranted accesses. Since there is // nothing in the DACL, they will not be granted. // If, however, the only ungranted access at this // point is MAXIMUM_ALLOWED, and something has been // granted in the PreviouslyGranted mask, return // what has been granted. // if ( (Remaining == MAXIMUM_ALLOWED) && (PreviouslyGrantedAccess != (ACCESS_MASK)0) ) { Status = STATUS_SUCCESS; goto ReturnOneStatus; } else { PreviouslyGrantedAccess = 0; Status = STATUS_ACCESS_DENIED; goto ReturnOneStatus; } } // // Fake out a top level ObjectType list if none is passed by the caller. // if ( ObjectTypeListLength == 0 ) { LocalTypeList = &FixedTypeList; LocalTypeListLength = 1; RtlZeroMemory( &FixedTypeList, sizeof(FixedTypeList) ); FixedTypeList.ParentIndex = -1; } else { LocalTypeList = ObjectTypeList; LocalTypeListLength = ObjectTypeListLength; } // // If the caller wants the MAXIMUM_ALLOWED or the caller wants the // results on all objects and subobjects, use a slower algorithm // that traverses all the ACEs. // if ( (DesiredAccess & MAXIMUM_ALLOWED) != 0 || ReturnResultList ) { // // Do the normal maximum-allowed access check // SepMaximumAccessCheck( EToken, PrimaryToken, Dacl, PrincipalSelfSid, LocalTypeListLength, LocalTypeList, ObjectTypeListLength, FALSE ); // // If this is a restricted token, do the additional access check // if (SeTokenIsRestricted( EToken ) ) { SepMaximumAccessCheck( EToken, PrimaryToken, Dacl, PrincipalSelfSid, LocalTypeListLength, LocalTypeList, ObjectTypeListLength, TRUE ); } // // If the caller wants to know the individual results of each sub-object, // sub-object, // break it down for him. // if ( ReturnResultList ) { ACCESS_MASK GrantedAccessMask; ACCESS_MASK RequiredAccessMask; BOOLEAN SomeAccessGranted = FALSE; BOOLEAN SomeAccessDenied = FALSE; // // Compute mask of Granted access bits to tell the caller about. // If he asked for MAXIMUM_ALLOWED, // tell him everything, // otherwise // tell him what he asked about. // if (DesiredAccess & MAXIMUM_ALLOWED) { GrantedAccessMask = (ACCESS_MASK) ~MAXIMUM_ALLOWED; RequiredAccessMask = (DesiredAccess | PreviouslyGrantedAccess) & ~MAXIMUM_ALLOWED; } else { GrantedAccessMask = DesiredAccess | PreviouslyGrantedAccess; RequiredAccessMask = DesiredAccess | PreviouslyGrantedAccess; } // // Loop computing the access granted to each object and sub-object. // for ( ResultListIndex=0; ResultListIndex<LocalTypeListLength; ResultListIndex++ ) { // // Return the subset of the access granted that the caller // expressed interest in. // GrantedAccess[ResultListIndex] = (LocalTypeList[ResultListIndex].CurrentGranted | PreviouslyGrantedAccess ) & GrantedAccessMask; // // If absolutely no access was granted, // indicate so. // if ( GrantedAccess[ResultListIndex] == 0 ) { AccessStatus[ResultListIndex] = STATUS_ACCESS_DENIED; SomeAccessDenied = TRUE; } else { // // If some requested access is still missing, // the bottom line is that access is denied. // // Note, that ByTypeResultList actually returns the // partially granted access mask even though the caller // really has no access to the object. // if ( ((~GrantedAccess[ResultListIndex]) & RequiredAccessMask ) != 0 ) { AccessStatus[ResultListIndex] = STATUS_ACCESS_DENIED; SomeAccessDenied = TRUE; } else { AccessStatus[ResultListIndex] = STATUS_SUCCESS; SomeAccessGranted = TRUE; } } } if ( SomeAccessGranted && PrivilegeCount != 0 ) { SepAssemblePrivileges( PrivilegeCount, SystemSecurity, WriteOwner, Privileges ); } if ( ARGUMENT_PRESENT(ReturnSomeAccessGranted)) { *ReturnSomeAccessGranted = SomeAccessGranted; } if ( ARGUMENT_PRESENT(ReturnSomeAccessDenied)) { *ReturnSomeAccessDenied = SomeAccessDenied; } return; // // If the caller is only interested in the access to the object itself, // just summarize. // } else { // // Turn off the MAXIMUM_ALLOWED bit and whatever we found that // he was granted. If the user passed in extra bits in addition // to MAXIMUM_ALLOWED, make sure that he was granted those access // types. If not, he didn't get what he wanted, so return failure. // Remaining &= ~(MAXIMUM_ALLOWED | LocalTypeList->CurrentGranted); if (Remaining != 0) { Status = STATUS_ACCESS_DENIED; PreviouslyGrantedAccess = 0; goto ReturnOneStatus; } PreviouslyGrantedAccess |= LocalTypeList->CurrentGranted; Status = STATUS_SUCCESS; goto ReturnOneStatus; } } // if MAXIMUM_ALLOWED... #ifdef notdef // // The remaining bits are "remaining" at all levels for ( j=0; j<LocalTypeListLength; j++ ) { LocalTypeList[j].Remaining = Remaining; } // // Process the DACL handling individual access bits. // for ( i = 0, Ace = FirstAce( Dacl ) ; ( i < AceCount ) && ( LocalTypeList->Remaining != 0 ) ; i++, Ace = NextAce( Ace ) ) { if ( !(((PACE_HEADER)Ace)->AceFlags & INHERIT_ONLY_ACE)) { // // Handle an Access Allowed ACE // if ( (((PACE_HEADER)Ace)->AceType == ACCESS_ALLOWED_ACE_TYPE) ) { if ( SepSidInToken( EToken, PrincipalSelfSid, &((PACCESS_ALLOWED_ACE)Ace)->SidStart, FALSE ) ) { // Optimize 'normal' case if ( LocalTypeListLength == 1 ) { LocalTypeList->Remaining &= ~((PACCESS_ALLOWED_ACE)Ace)->Mask; } else { // // The zeroeth object type represents the object itself. // SepAddAccessTypeList( LocalTypeList, // List to modify LocalTypeListLength, // Length of list 0, // Element to update ((PACCESS_ALLOWED_ACE)Ace)->Mask, // Access Granted UpdateRemaining ); } } // // Handle an object specific Access Allowed ACE // } else if ( (((PACE_HEADER)Ace)->AceType == ACCESS_ALLOWED_OBJECT_ACE_TYPE) ) { GUID *ObjectTypeInAce; // // If no object type is in the ACE, // treat this as an ACCESS_ALLOWED_ACE. // ObjectTypeInAce = RtlObjectAceObjectType(Ace); if ( ObjectTypeInAce == NULL ) { if ( SepSidInToken( EToken, PrincipalSelfSid, RtlObjectAceSid(Ace), FALSE ) ) { // Optimize 'normal' case if ( LocalTypeListLength == 1 ) { LocalTypeList->Remaining &= ~((PACCESS_ALLOWED_ACE)Ace)->Mask; } else { SepAddAccessTypeList( LocalTypeList, // List to modify LocalTypeListLength, // Length of list 0, // Element to update ((PACCESS_ALLOWED_OBJECT_ACE)Ace)->Mask, // Access Granted UpdateRemaining ); } } // // If no object type list was passed, // don't grant access to anyone. // } else if ( ObjectTypeListLength == 0 ) { // Drop through // // If an object type is in the ACE, // Find it in the LocalTypeList before using the ACE. // } else { if ( SepSidInToken( EToken, PrincipalSelfSid, RtlObjectAceSid(Ace), FALSE ) ) { if ( SepObjectInTypeList( ObjectTypeInAce, LocalTypeList, LocalTypeListLength, &Index ) ) { SepAddAccessTypeList( LocalTypeList, // List to modify LocalTypeListLength, // Length of list Index, // Element already updated ((PACCESS_ALLOWED_OBJECT_ACE)Ace)->Mask, // Access Granted UpdateRemaining ); } } } // // Handle a compound Access Allowed ACE // } else if ( (((PACE_HEADER)Ace)->AceType == ACCESS_ALLOWED_COMPOUND_ACE_TYPE) ) { // // See comment in MAXIMUM_ALLOWED case as to why we can use EToken here // for the client. // if ( SepSidInToken(EToken, PrincipalSelfSid, RtlCompoundAceClientSid( Ace ), FALSE) && SepSidInToken(PrimaryToken, NULL, RtlCompoundAceServerSid( Ace ), FALSE) ) { // Optimize 'normal' case if ( LocalTypeListLength == 1 ) { LocalTypeList->Remaining &= ~((PCOMPOUND_ACCESS_ALLOWED_ACE)Ace)->Mask; } else { SepAddAccessTypeList( LocalTypeList, // List to modify LocalTypeListLength, // Length of list 0, // Element to update ((PCOMPOUND_ACCESS_ALLOWED_ACE)Ace)->Mask, // Access Granted UpdateRemaining ); } } // // Handle an Access Denied ACE // } else if ( (((PACE_HEADER)Ace)->AceType == ACCESS_DENIED_ACE_TYPE) ) { if ( SepSidInToken( EToken, PrincipalSelfSid, &((PACCESS_DENIED_ACE)Ace)->SidStart, TRUE ) ) { // // The zeroeth element represents the object itself. // Just check that element. // if (LocalTypeList->Remaining & ((PACCESS_DENIED_ACE)Ace)->Mask) { break; } } // // Handle an object specific Access Denied ACE // } else if ( (((PACE_HEADER)Ace)->AceType == ACCESS_DENIED_OBJECT_ACE_TYPE) ) { if ( SepSidInToken( EToken, PrincipalSelfSid, RtlObjectAceSid(Ace), TRUE ) ) { GUID *ObjectTypeInAce; // // If there is no object type in the ACE, // or if the caller didn't specify an object type list, // apply this deny ACE to the entire object. // ObjectTypeInAce = RtlObjectAceObjectType(Ace); if ( ObjectTypeInAce == NULL || ObjectTypeListLength == 0 ) { // // The zeroeth element represents the object itself. // Just check that element. // if (LocalTypeList->Remaining & ((PACCESS_DENIED_OBJECT_ACE)Ace)->Mask) { break; } // // Otherwise apply the deny ACE to the object specified // in the ACE. // } else if ( SepObjectInTypeList( ObjectTypeInAce, LocalTypeList, LocalTypeListLength, &Index ) ) { if (LocalTypeList[Index].Remaining & ((PACCESS_DENIED_OBJECT_ACE)Ace)->Mask) { break; } } } } } } #endif // // Do the normal access check first // SepNormalAccessCheck( Remaining, EToken, PrimaryToken, Dacl, PrincipalSelfSid, LocalTypeListLength, LocalTypeList, ObjectTypeListLength, FALSE ); if (LocalTypeList->Remaining != 0) { Status = STATUS_ACCESS_DENIED; PreviouslyGrantedAccess = 0; goto ReturnOneStatus; } // // If this is a restricted token, do the additional access check // if (SeTokenIsRestricted( EToken ) ) { SepNormalAccessCheck( Remaining, EToken, PrimaryToken, Dacl, PrincipalSelfSid, LocalTypeListLength, LocalTypeList, ObjectTypeListLength, TRUE ); } if (LocalTypeList->Remaining != 0) { Status = STATUS_ACCESS_DENIED; PreviouslyGrantedAccess = 0; goto ReturnOneStatus; } Status = STATUS_SUCCESS; PreviouslyGrantedAccess |= DesiredAccess; // // Return a single status code to the caller. // ReturnOneStatus: if ( Status == STATUS_SUCCESS && PreviouslyGrantedAccess == 0 ) { Status = STATUS_ACCESS_DENIED; } // // If the caller asked for a list of status', // duplicate the status all over. // if ( ReturnResultList ) { for ( ResultListIndex=0; ResultListIndex<ObjectTypeListLength; ResultListIndex++ ) { AccessStatus[ResultListIndex] = Status; GrantedAccess[ResultListIndex] = PreviouslyGrantedAccess; } } else { *AccessStatus = Status; *GrantedAccess = PreviouslyGrantedAccess; } if ( NT_SUCCESS(Status) ) { if ( PrivilegeCount > 0 ) { SepAssemblePrivileges( PrivilegeCount, SystemSecurity, WriteOwner, Privileges ); } if ( ARGUMENT_PRESENT(ReturnSomeAccessGranted)) { *ReturnSomeAccessGranted = TRUE; } if ( ARGUMENT_PRESENT(ReturnSomeAccessDenied)) { *ReturnSomeAccessDenied = FALSE; } } else { if ( ARGUMENT_PRESENT(ReturnSomeAccessGranted)) { *ReturnSomeAccessGranted = FALSE; } if ( ARGUMENT_PRESENT(ReturnSomeAccessDenied)) { *ReturnSomeAccessDenied = TRUE;; } } return; }

NTSTATUS SepAdjustGroups (  IN PTOKEN  Token, IN BOOLEAN  MakeChanges, IN BOOLEAN  ResetToDefault, IN ULONG GroupCount  OPTIONAL, IN PSID_AND_ATTRIBUTES NewState  OPTIONAL, OUT PTOKEN_GROUPS PreviousState  OPTIONAL, OUT PSID SidBuffer  OPTIONAL, OUT PULONG  ReturnLength, OUT PULONG  ChangeCount, OUT PBOOLEAN  ChangesMade )

Definition at line 1099 of file tokenadj.c. References ANYSIZE_ARRAY, ASSERT, FALSE, NTSTATUS(), PAGED_CODE, RtlCopySid(), RtlEqualSid(), SeLengthSid, SepArrayGroupAttributes, SepTokenGroupAttributes, Token, and TRUE. Referenced by NtAdjustGroupsToken(). 01115 : 01116 01117 This routine is used to walk the groups array in a token as a 01118 result of a request to adjust groups. 01119 01120 If the MakeChanges parameter is FALSE, this routine simply determines 01121 what changes are needed and how much space is necessary to save the 01122 current state of changed groups. 01123 01124 If the MakeChanges parameter is TRUE, this routine will not only 01125 calculate the space necessary to save the current state, but will 01126 actually make the changes. 01127 01128 This routine makes the following assumptions: 01129 01130 1) The token is locked for exclusive access. 01131 01132 2) The NewState parameter is captured and accesses 01133 to it will not result in access violations. 01134 01135 4) Any access violations encountered may leave the request 01136 partially completed. It is the calling routine's responsibility 01137 to catch exceptions. 01138 01139 5) The calling routine is responsible for inrementing the token's 01140 ModifiedId field. 01141 01142 Arguments: 01143 01144 Token - Pointer to the token to act upon. 01145 01146 MakeChanges - A boolean value indicating whether the changes should 01147 actually be made, or just evaluated. A value of TRUE indicates 01148 the changes should be made. 01149 01150 ResetToDefault - Indicates that the groups are to be reset to their 01151 default enabled/disabled state. 01152 01153 GroupCount - This parameter is required only if the NewState parameter 01154 is used. In that case, this parameter indicates how many entries are 01155 in the NewState parameter. 01156 01157 NewState - This parameter points to a SID_AND_ATTRIBUTES array 01158 containing the groups whose states are to be adjusted 01159 (disabled or enabled). Only the Enabled flag of the 01160 attributes associated with each group is used. It provides 01161 the new value that is to be assigned to the group in the 01162 token. If the ResetToDefault argument is specified as TRUE, 01163 then this argument is ignored. Otherwise, it must be passed. 01164 01165 PreviousState - This (optional) parameter points to a buffer to 01166 receive the state of any groups actually changed by this 01167 request. This information is formated as a TOKEN_GROUPS data 01168 structure which may be passed as the NewState parameter in a 01169 subsequent call to NtAdjustGroups to restore the original state 01170 of those groups. It is the caller's responsibility to make 01171 sure this buffer is large enough to receive all the state 01172 information. 01173 01174 SidBuffer - Pointer to buffer to receive the SID values corresponding 01175 to the groups returned in the PreviousState argument. 01176 01177 ReturnLength - Points to a buffer to receive the number of bytes needed 01178 to retrieve the previous state information of changed privileges. 01179 This parameter is ignored if the PreviousState argument is not 01180 passed. 01181 01182 ChangeCount - Points to a ULONG to receive the number of groups 01183 which were adjusted (or would be adjusted, if changes are made). 01184 01185 ChangesMade - Points to a boolean flag which is to receive an indication 01186 as to whether any changes were made as a result of this call. This 01187 is expected to be used to decide whether or not to increment the 01188 token's ModifiedId field. 01189 01190 Return Value: 01191 01192 STATUS_SUCCESS - Call completed sccessfully. 01193 01194 STATUS_NOT_ALL_ASSIGNED - Indicates not all the specified adjustments 01195 have been made (or could be made, if update wasn't requested). 01196 01197 STATUS_CANT_DISABLE_MANDATORY - Not all adjustments were made (or could 01198 be made, if update not requested) because an attempt was made to 01199 disable a mandatory group. The state of the groups is left 01200 in an underterministic state if update was requested. 01201 01202 01203 --*/ 01204 { 01205 01206 NTSTATUS CompletionStatus = STATUS_SUCCESS; 01207 01208 ULONG OldIndex; 01209 ULONG NewIndex; 01210 ULONG SidLength; 01211 ULONG LocalReturnLength = 0; 01212 PSID NextSid; 01213 BOOLEAN Found; 01214 ULONG MatchCount = 0; 01215 BOOLEAN EnableGroup; 01216 BOOLEAN DisableGroup; 01217 ULONG TokenGroupAttributes; 01218 01219 SID_AND_ATTRIBUTES CurrentGroup; 01220 01221 PAGED_CODE(); 01222 01223 // 01224 // NextSid is used to copy group SID values if asked for previous state. 01225 // 01226 01227 NextSid = SidBuffer; 01228 01229 01230 // 01231 // Walk through the groups array to determine which need to be 01232 // adjusted. 01233 // 01234 01235 OldIndex = 1; // Don't evaluate the 0th entry (user ID) 01236 (*ChangeCount) = 0; 01237 01238 while (OldIndex < Token->UserAndGroupCount) { 01239 01240 CurrentGroup = Token->UserAndGroups[OldIndex]; 01241 01242 if (ResetToDefault) { 01243 01244 TokenGroupAttributes = SepTokenGroupAttributes(Token,OldIndex); 01245 01246 // 01247 // If the group is enabled by default and currently disabled, 01248 // then we must enable it. 01249 // 01250 01251 EnableGroup = (BOOLEAN)( (TokenGroupAttributes & SE_GROUP_ENABLED_BY_DEFAULT) 01252 && !(TokenGroupAttributes & SE_GROUP_ENABLED)); 01253 01254 // 01255 // If the group is disabled by default and currently enabled, 01256 // then we must disable it. 01257 // 01258 01259 DisableGroup = (BOOLEAN)( !(TokenGroupAttributes & SE_GROUP_ENABLED_BY_DEFAULT) 01260 && (TokenGroupAttributes & SE_GROUP_ENABLED)); 01261 01262 // 01263 // Blow up if it's a mandatory group that is not both 01264 // enabled by default and enabled (SepCreateToken should 01265 // make sure that this never happens). 01266 // 01267 01268 ASSERT(!(TokenGroupAttributes & SE_GROUP_MANDATORY) 01269 || (TokenGroupAttributes & (SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED) 01270 == (SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED))); 01271 01272 if ( EnableGroup || DisableGroup ) { 01273 01274 SidLength = SeLengthSid( CurrentGroup.Sid ); 01275 SidLength = (ULONG)LongAlignSize(SidLength); 01276 LocalReturnLength += SidLength; 01277 01278 // 01279 // Change, if necessary (saving previous state if 01280 // appropriate). 01281 // 01282 01283 if (MakeChanges) { 01284 01285 if (ARGUMENT_PRESENT(PreviousState)) { 01286 01287 (*(PreviousState)).Groups[(*ChangeCount)].Attributes = 01288 CurrentGroup.Attributes; 01289 01290 (*(PreviousState)).Groups[(*ChangeCount)].Sid = 01291 NextSid; 01292 01293 RtlCopySid( SidLength, NextSid, CurrentGroup.Sid ); 01294 NextSid = (PSID)((ULONG_PTR)NextSid + SidLength); 01295 } 01296 01297 if (EnableGroup) { 01298 SepTokenGroupAttributes(Token,OldIndex) |= SE_GROUP_ENABLED; 01299 } else { 01300 SepTokenGroupAttributes(Token,OldIndex) &= ~SE_GROUP_ENABLED; 01301 } 01302 01303 01304 01305 } //endif make changes 01306 01307 // 01308 // increment the number of changes 01309 // 01310 01311 (*ChangeCount) += 1; 01312 01313 } // endif group enabled 01314 01315 } else { 01316 01317 // 01318 // Selective adjustments - this is a little trickier 01319 // Compare the current group to each of those in 01320 // the NewState array. If a match is found, then adjust 01321 // the current group appropriately. 01322 // 01323 01324 NewIndex = 0; 01325 Found = FALSE; 01326 01327 while ( (NewIndex < GroupCount) && !Found) { 01328 01329 // 01330 // Look for a comparison 01331 // 01332 01333 if (RtlEqualSid( 01334 CurrentGroup.Sid, 01335 NewState[NewIndex].Sid 01336 ) ) { 01337 01338 Found = TRUE; 01339 MatchCount += 1; 01340 01341 01342 // 01343 // See if it needs to be changed 01344 // 01345 01346 if ( (SepArrayGroupAttributes( NewState, NewIndex ) & 01347 SE_GROUP_ENABLED ) != 01348 (SepTokenGroupAttributes(Token,OldIndex) & 01349 SE_GROUP_ENABLED ) ) { 01350 01351 // 01352 // Make sure group is not mandatory 01353 // 01354 01355 if (SepTokenGroupAttributes(Token,OldIndex) & 01356 SE_GROUP_MANDATORY ) { 01357 return STATUS_CANT_DISABLE_MANDATORY; 01358 } 01359 01360 // 01361 // Make sure group is not deny-only 01362 // 01363 01364 01365 if (SepTokenGroupAttributes(Token,OldIndex) & 01366 SE_GROUP_USE_FOR_DENY_ONLY ) { 01367 return STATUS_CANT_ENABLE_DENY_ONLY; 01368 } 01369 01370 SidLength = SeLengthSid( CurrentGroup.Sid ); 01371 SidLength = (ULONG)LongAlignSize(SidLength); 01372 LocalReturnLength += SidLength; 01373 01374 // 01375 // Change, if necessary (saving previous state if 01376 // appropriate). 01377 // 01378 01379 if (MakeChanges) { 01380 01381 if (ARGUMENT_PRESENT(PreviousState)) { 01382 01383 PreviousState->Groups[(*ChangeCount)].Attributes = 01384 CurrentGroup.Attributes; 01385 01386 PreviousState->Groups[(*ChangeCount)].Sid = 01387 NextSid; 01388 01389 RtlCopySid( SidLength, NextSid, CurrentGroup.Sid ); 01390 01391 NextSid = (PSID)((ULONG_PTR)NextSid + SidLength); 01392 } 01393 01394 SepTokenGroupAttributes(Token,OldIndex) &= 01395 ~(SepTokenGroupAttributes(Token,OldIndex) 01396 & SE_GROUP_ENABLED); 01397 SepTokenGroupAttributes(Token,OldIndex) |= 01398 (SepArrayGroupAttributes(NewState,NewIndex) 01399 & SE_GROUP_ENABLED); 01400 01401 01402 01403 } //endif make changes 01404 01405 // 01406 // increment the number of changes 01407 // 01408 01409 (*ChangeCount) += 1; 01410 01411 01412 } // endif change needed 01413 01414 } // endif found 01415 01416 NewIndex += 1; 01417 01418 } // endwhile searching NewState 01419 01420 } // endelse 01421 01422 OldIndex += 1; 01423 01424 } // endwhile more groups in token 01425 01426 // 01427 // Set completion status appropriately if some not assigned 01428 // 01429 01430 if (!ResetToDefault) { 01431 01432 if (MatchCount < GroupCount) { 01433 CompletionStatus = STATUS_NOT_ALL_ASSIGNED; 01434 } 01435 } 01436 01437 // 01438 // Indicate whether changes were made 01439 // 01440 01441 if ((*ChangeCount) > 0 && MakeChanges) { 01442 (*ChangesMade) = TRUE; 01443 } else { 01444 (*ChangesMade) = FALSE; 01445 } 01446 01447 // 01448 // Calculate the space needed to return previous state information 01449 // (The SID lengths have already been added up in LocalReturnLength). 01450 // 01451 01452 if (ARGUMENT_PRESENT(PreviousState)) { 01453 01454 (*ReturnLength) = LocalReturnLength + 01455 (ULONG)sizeof(TOKEN_GROUPS) + 01456 ((*ChangeCount) * (ULONG)sizeof(SID_AND_ATTRIBUTES)) - 01457 (ANYSIZE_ARRAY * (ULONG)sizeof(SID_AND_ATTRIBUTES)); 01458 } 01459 01460 return CompletionStatus; 01461 } }

NTSTATUS SepAdjustPrivileges (  IN PTOKEN  Token, IN BOOLEAN  MakeChanges, IN BOOLEAN  DisableAllPrivileges, IN ULONG PrivilegeCount  OPTIONAL, IN PLUID_AND_ATTRIBUTES NewState  OPTIONAL, OUT PTOKEN_PRIVILEGES PreviousState  OPTIONAL, OUT PULONG  ReturnLength, OUT PULONG  ChangeCount, OUT PBOOLEAN  ChangesMade )

Definition at line 819 of file tokenadj.c. References ANYSIZE_ARRAY, DisableAllPrivileges(), FALSE, NTSTATUS(), PAGED_CODE, RtlEqualLuid(), SeChangeNotifyPrivilege, SepArrayPrivilegeAttributes, SepTokenPrivilegeAttributes, Token, TOKEN_HAS_TRAVERSE_PRIVILEGE, and TRUE. Referenced by NtAdjustPrivilegesToken(). 00834 : 00835 00836 This routine is used to walk the privileges array in a token as a 00837 result of a request to adjust privileges. 00838 00839 If the MakeChanges parameter is FALSE, this routine simply determines 00840 what changes are needed and how much space is necessary to save the 00841 current state of changed privileges. 00842 00843 If the MakeChanges parameter is TRUE, this routine will not only 00844 calculate the space necessary to save the current state, but will 00845 actually make the changes. 00846 00847 This routine makes the following assumptions: 00848 00849 1) The token is locked for exclusive access. 00850 00851 2) The PrivilegeCount and NewState parameters (if passed) are captured 00852 and accesses to them will not result in access violations. 00853 00854 4) Any access violations encountered may leave the request 00855 partially completed. It is the calling routine's responsibility 00856 to catch exceptions. 00857 00858 5) The calling routine is responsible for inrementing the token's 00859 ModifiedId field. 00860 00861 Arguments: 00862 00863 Token - Pointer to the token to act upon. 00864 00865 MakeChanges - A boolean value indicating whether the changes should 00866 actually be made, or just evaluated. A value of TRUE indicates 00867 the changes should be made. 00868 00869 DisableAllPrivilegs - A boolean value indicating whether all privileges 00870 are to be disabled, or only select, specified privileges. A value 00871 of TRUE indicates all privileges are to be disabled. 00872 00873 PrivilegeCount - This parameter is required only if the NewState parameter 00874 is used. In that case, this parameter indicates how many entries are 00875 in the NewState parameter. 00876 00877 NewState - This parameter is ignored if the DisableAllPrivileges 00878 argument is TRUE. If the DisableAllPrivileges argument is FALSE, 00879 then this parameter must be provided and specifies the new state 00880 to set privileges to (enabled or disabled). 00881 00882 PreviousState - This (optional) parameter points to a buffer to 00883 receive the state of any privileges actually changed by this 00884 request. This information is formated as a TOKEN_PRIVILEGES data 00885 structure which may be passed as the NewState parameter in a 00886 subsequent call to NtAdjustPrivileges to restore the original state 00887 of those privileges. It is the caller's responsibility to make 00888 sure this buffer is large enough to receive all the state 00889 information. 00890 00891 ReturnLength - Points to a buffer to receive the number of bytes needed 00892 to retrieve the previous state information of changed privileges. 00893 This parameter is ignored if the PreviousState argument is not 00894 passed. 00895 00896 ChangeCount - Points to a ULONG to receive the number of privileges 00897 which were adjusted (or would be adjusted, if changes are made). 00898 00899 ChangesMade - Points to a boolean flag which is to receive an indication 00900 as to whether any changes were made as a result of this call. This 00901 is expected to be used to decide whether or not to increment the 00902 token's ModifiedId field. 00903 00904 Return Value: 00905 00906 STATUS_SUCCESS - Call completed sccessfully. 00907 00908 STATUS_NOT_ALL_ASSIGNED - Indicates not all the specified adjustments 00909 have been made (or could be made, if update wasn't requested). 00910 00911 --*/ 00912 { 00913 NTSTATUS CompletionStatus = STATUS_SUCCESS; 00914 00915 ULONG OldIndex; 00916 ULONG NewIndex; 00917 BOOLEAN Found; 00918 ULONG MatchCount = 0; 00919 00920 LUID_AND_ATTRIBUTES CurrentPrivilege; 00921 00922 PAGED_CODE(); 00923 00924 // 00925 // Walk through the privileges array to determine which need to be 00926 // adjusted. 00927 // 00928 00929 OldIndex = 0; 00930 (*ChangeCount) = 0; 00931 00932 while (OldIndex < Token->PrivilegeCount) { 00933 00934 CurrentPrivilege = (Token->Privileges)[OldIndex]; 00935 00936 if (DisableAllPrivileges) { 00937 00938 if (SepTokenPrivilegeAttributes(Token,OldIndex) & 00939 SE_PRIVILEGE_ENABLED ) { 00940 00941 // 00942 // Change, if necessary (saving previous state if 00943 // appropriate). 00944 // 00945 00946 if (MakeChanges) { 00947 00948 if (ARGUMENT_PRESENT(PreviousState)) { 00949 00950 PreviousState->Privileges[(*ChangeCount)] = 00951 CurrentPrivilege; 00952 } 00953 00954 SepTokenPrivilegeAttributes(Token,OldIndex) &= 00955 ~SE_PRIVILEGE_ENABLED; 00956 00957 00958 00959 } //endif make changes 00960 00961 // 00962 // increment the number of changes 00963 // 00964 00965 (*ChangeCount) += 1; 00966 00967 } // endif privilege enabled 00968 00969 } else { 00970 00971 // 00972 // Selective adjustments - this is a little trickier 00973 // Compare the current privilege to each of those in 00974 // the NewState array. If a match is found, then adjust 00975 // the current privilege appropriately. 00976 // 00977 00978 NewIndex = 0; 00979 Found = FALSE; 00980 00981 while ( (NewIndex < PrivilegeCount) && !Found) { 00982 00983 // 00984 // Look for a comparison 00985 // 00986 00987 if (RtlEqualLuid(&CurrentPrivilege.Luid,&NewState[NewIndex].Luid)) { 00988 00989 Found = TRUE; 00990 MatchCount += 1; 00991 00992 if ( (SepArrayPrivilegeAttributes( NewState, NewIndex ) & 00993 SE_PRIVILEGE_ENABLED) 00994 != 00995 (SepTokenPrivilegeAttributes(Token,OldIndex) & 00996 SE_PRIVILEGE_ENABLED) ) { 00997 00998 // 00999 // Change, if necessary (saving previous state if 01000 // appropriate). 01001 // 01002 01003 if (MakeChanges) { 01004 01005 if (ARGUMENT_PRESENT(PreviousState)) { 01006 01007 PreviousState->Privileges[(*ChangeCount)] = 01008 CurrentPrivilege; 01009 } 01010 01011 SepTokenPrivilegeAttributes(Token,OldIndex) &= 01012 ~(SepTokenPrivilegeAttributes(Token,OldIndex) 01013 & SE_PRIVILEGE_ENABLED); 01014 SepTokenPrivilegeAttributes(Token,OldIndex) |= 01015 (SepArrayPrivilegeAttributes(NewState,NewIndex) 01016 & SE_PRIVILEGE_ENABLED); 01017 01018 // 01019 // if this is SeChangeNotifyPrivilege, then 01020 // change its corresponding bit in TokenFlags 01021 // 01022 01023 if (RtlEqualLuid(&CurrentPrivilege.Luid, 01024 &SeChangeNotifyPrivilege)) { 01025 Token->TokenFlags ^= TOKEN_HAS_TRAVERSE_PRIVILEGE; 01026 } 01027 01028 01029 01030 } //endif make changes 01031 01032 // 01033 // increment the number of changes 01034 // 01035 01036 (*ChangeCount) += 1; 01037 01038 01039 } // endif change needed 01040 01041 } // endif found 01042 01043 NewIndex += 1; 01044 01045 } // endwhile searching NewState 01046 01047 } // endelse 01048 01049 OldIndex += 1; 01050 01051 } // endwhile privileges in token 01052 01053 // 01054 // If we disabled all privileges, then clear the TokenFlags flag 01055 // corresponding to the SeChangeNotifyPrivilege privilege. 01056 // 01057 01058 01059 if (DisableAllPrivileges) { 01060 Token->TokenFlags &= ~TOKEN_HAS_TRAVERSE_PRIVILEGE; 01061 } 01062 01063 // 01064 // Set completion status appropriately if some not assigned 01065 // 01066 01067 if (!DisableAllPrivileges) { 01068 01069 if (MatchCount < PrivilegeCount) { 01070 CompletionStatus = STATUS_NOT_ALL_ASSIGNED; 01071 } 01072 } 01073 01074 // 01075 // Indicate whether changes were made 01076 // 01077 01078 if ((*ChangeCount) > 0 && MakeChanges) { 01079 (*ChangesMade) = TRUE; 01080 } else { 01081 (*ChangesMade) = FALSE; 01082 } 01083 01084 // 01085 // Calculate the space needed to return previous state information 01086 // 01087 01088 if (ARGUMENT_PRESENT(PreviousState)) { 01089 01090 (*ReturnLength) = (ULONG)sizeof(TOKEN_PRIVILEGES) + 01091 ((*ChangeCount) * (ULONG)sizeof(LUID_AND_ATTRIBUTES)) - 01092 (ANYSIZE_ARRAY * (ULONG)sizeof(LUID_AND_ATTRIBUTES)); 01093 } 01094 01095 return CompletionStatus; 01096 }

VOID SepAppendDefaultDacl (  IN PTOKEN  Token, IN PACL  PAcl )

Definition at line 778 of file tokenset.c. References ASSERT, PAGED_CODE, SeLengthSid, and Token. Referenced by NtSetInformationToken(). : Add a default discretionary ACL to the available space at the end of the dynamic part of the token. It is the caller's responsibility to ensure that the default Dacl fits within the available space of the dynamic part of the token. The token is assumed to be locked for write access before calling this routine. Arguments: Token - Pointer to the token. PAcl - Pointer to the ACL to add. Return Value: None. --*/ { ULONG_PTR NextFree; ULONG AclSize; PAGED_CODE(); // // Add the size of the primary group to the // address of the Dynamic Part of the token to establish // where the primary group should be placed. // ASSERT(ARGUMENT_PRESENT(Token->PrimaryGroup)); NextFree = (ULONG_PTR)(Token->DynamicPart) + SeLengthSid(Token->PrimaryGroup); // // Now copy the default Dacl // AclSize = (ULONG)(PAcl->AclSize); // ASSERT(AclSize == (ULONG)LongAlignSize(AclSize)); RtlCopyMemory( (PVOID)NextFree, (PVOID)PAcl, AclSize ); Token->DefaultDacl = (PACL)NextFree; // // And decrement the amount of the dynamic part that is available. // ASSERT( AclSize <= (Token->DynamicAvailable) ); Token->DynamicAvailable -= AclSize; return; }

VOID SepAppendPrimaryGroup (  IN PTOKEN  Token, IN PSID  PSid )

Definition at line 697 of file tokenset.c. References ASSERT, PAGED_CODE, SeLengthSid, and Token. Referenced by NtSetInformationToken(). 00705 : 00706 00707 Add a primary group SID to the available space at the end of the dynamic 00708 part of the token. It is the caller's responsibility to ensure that the 00709 primary group SID fits within the available space of the dynamic part of 00710 the token. 00711 00712 The token is assumed to be locked for write access before calling 00713 this routine. 00714 00715 Arguments: 00716 00717 Token - Pointer to the token. 00718 00719 PSid - Pointer to the SID to add. 00720 00721 Return Value: 00722 00723 None. 00724 00725 --*/ 00726 { 00727 ULONG_PTR NextFree; 00728 ULONG SidSize; 00729 00730 PAGED_CODE(); 00731 00732 // 00733 // Add the size of the Default Dacl (if there is one) to the 00734 // address of the Dynamic Part of the token to establish 00735 // where the primary group should be placed. 00736 // 00737 00738 if (ARGUMENT_PRESENT(Token->DefaultDacl)) { 00739 00740 // ASSERT( (ULONG)(Token->DefaultDacl->AclSize) == 00741 // (ULONG)LongAlignSize(Token->DefaultDacl->AclSize) ); 00742 00743 NextFree = (ULONG_PTR)(Token->DynamicPart) + Token->DefaultDacl->AclSize; 00744 00745 } else { 00746 00747 NextFree = (ULONG_PTR)(Token->DynamicPart); 00748 00749 } 00750 00751 // 00752 // Now copy the primary group SID. 00753 // 00754 00755 00756 SidSize = SeLengthSid( PSid ); 00757 00758 RtlCopyMemory( 00759 (PVOID)NextFree, 00760 (PVOID)PSid, 00761 SidSize 00762 ); 00763 00764 Token->PrimaryGroup = (PSID)NextFree; 00765 00766 // 00767 // And decrement the amount of the dynamic part that is available. 00768 // 00769 00770 ASSERT( SidSize <= (Token->DynamicAvailable) ); 00771 Token->DynamicAvailable -= SidSize; 00772 00773 return; 00774 00775 }

NTSTATUS SepDuplicateToken (  IN PTOKEN  ExistingToken, IN POBJECT_ATTRIBUTES  ObjectAttributes, IN BOOLEAN  EffectiveOnly, IN TOKEN_TYPE  TokenType, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel  OPTIONAL, IN KPROCESSOR_MODE  RequestorMode, OUT PTOKEN *  DuplicateToken )

Definition at line 362 of file tokendup.c. References ASSERT, DbgPrint, ExAllocateLocallyUniqueId, ExAllocatePool, ExAllocatePoolWithTag, ExFreePool(), FALSE, Index, NT_SUCCESS, NTSTATUS(), NULL, ObCreateObject(), ObjectAttributes, PAGED_CODE, PagedPool, PTOKEN, SepAcquireTokenReadLock, SepCopyProxyData(), SepDeReferenceLogonSession(), SepFreeProxyData(), SepMakeTokenEffectiveOnly(), SepReferenceLogonSession(), SepReleaseTokenReadLock, SepTokenObjectType, and Status. Referenced by NtDuplicateToken(), NtOpenThreadToken(), SeCopyClientToken(), and SeSubProcessToken(). : This routine does the bulk of the work to actually duplicate a token. This routine assumes all access validation and argument probing (except the ObjectAttributes) has been performed. THE CALLER IS RESPONSIBLE FOR CHECKING SUBJECT RIGHTS TO CREATE THE TYPE OF TOKEN BEING CREATED. This routine acquires a read lock on the token being duplicated. Arguments: ExistingToken - Points to the token to be duplicated. ObjectAttributes - Points to the standard object attributes data structure. Refer to the NT Object Management Specification for a description of this data structure. The security Quality Of Service of the object attributes are ignored. This information must be specified using parameters to this routine. EffectiveOnly - Is a boolean flag indicating whether the entire source token should be duplicated into the target token or just the effective (currently enabled) part of the token. This provides a means for a caller of a protected subsystem to limit which privileges and optional groups are made available to the protected subsystem. A value of TRUE indicates only the currently enabled parts of the source token are to be duplicated. Otherwise, the entire source token is duplicated. TokenType - Indicates the type of token to make the duplicate token. ImpersonationLevel - This value specifies the impersonation level to assign to the duplicate token. If the TokenType of the duplicate is not TokenImpersonation then this parameter is ignored. Otherwise, it is must be provided. RequestorMode - Mode of client requesting the token be duplicated. DuplicateToken - Receives a pointer to the duplicate token. The token has not yet been inserted into any object table. No exceptions are expected when tring to set this OUT value. Return Value: STATUS_SUCCESS - The service successfully completed the requested operation. --*/ { NTSTATUS Status; PTOKEN NewToken; PULONG DynamicPart; ULONG PagedPoolSize; ULONG NonPagedPoolSize; ULONG TokenBodyLength; ULONG FieldOffset; ULONG Index; PSECURITY_TOKEN_PROXY_DATA NewProxyData; PSECURITY_TOKEN_AUDIT_DATA NewAuditData; PAGED_CODE(); ASSERT( sizeof(SECURITY_IMPERSONATION_LEVEL) <= sizeof(ULONG) ); if ( TokenType == TokenImpersonation ) { ASSERT( SecurityDelegation > SecurityImpersonation ); ASSERT( SecurityImpersonation > SecurityIdentification ); ASSERT( SecurityIdentification > SecurityAnonymous ); if ( (ImpersonationLevel > SecurityDelegation) || (ImpersonationLevel < SecurityAnonymous) ) { return STATUS_BAD_IMPERSONATION_LEVEL; } } // // Increment the reference count for this logon session // This can not fail, since there is already a token in this logon // session. // Status = SepReferenceLogonSession( &(ExistingToken->AuthenticationId) ); ASSERT( NT_SUCCESS(Status) ); // // Note that the size of the dynamic portion of a token can not change // once established. // // // Allocate the dynamic portion // DynamicPart = (PULONG)ExAllocatePoolWithTag( PagedPool, ExistingToken->DynamicCharged, 'dTeS' ); if (DynamicPart == NULL) { SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) ); return( STATUS_INSUFFICIENT_RESOURCES ); } if (ARGUMENT_PRESENT(ExistingToken->ProxyData)) { Status = SepCopyProxyData( &NewProxyData, ExistingToken->ProxyData ); if (!NT_SUCCESS(Status)) { SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) ); ExFreePool( DynamicPart ); return( Status ); } } else { NewProxyData = NULL; } if (ARGUMENT_PRESENT( ExistingToken->AuditData )) { NewAuditData = ExAllocatePool( PagedPool, sizeof( SECURITY_TOKEN_AUDIT_DATA )); if (NewAuditData == NULL) { SepFreeProxyData( NewProxyData ); SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) ); ExFreePool( DynamicPart ); return( STATUS_INSUFFICIENT_RESOURCES ); } else { *NewAuditData = *(ExistingToken->AuditData); } } else { NewAuditData = NULL; } // // Create a new object // TokenBodyLength = (ULONG)sizeof(TOKEN) + ExistingToken->VariableLength; NonPagedPoolSize = TokenBodyLength; PagedPoolSize = ExistingToken->DynamicCharged; Status = ObCreateObject( RequestorMode, // ProbeMode SepTokenObjectType, // ObjectType ObjectAttributes, // ObjectAttributes RequestorMode, // OwnershipMode NULL, // ParseContext TokenBodyLength, // ObjectBodySize PagedPoolSize, // PagedPoolCharge NonPagedPoolSize, // NonPagedPoolCharge (PVOID *)&NewToken // Return pointer to object ); if (!NT_SUCCESS(Status)) { SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) ); ExFreePool( DynamicPart ); SepFreeProxyData( NewProxyData ); if (NewAuditData != NULL) { ExFreePool( NewAuditData ); } return Status; } // // acquire exclusive access to the source token // SepAcquireTokenReadLock( ExistingToken ); // // Main Body initialization // // // The following fields are unchanged from the source token. // Although some may change if EffectiveOnly has been specified. // NewToken->AuthenticationId = ExistingToken->AuthenticationId; NewToken->ModifiedId = ExistingToken->ModifiedId; NewToken->ExpirationTime = ExistingToken->ExpirationTime; NewToken->TokenSource = ExistingToken->TokenSource; NewToken->DynamicCharged = ExistingToken->DynamicCharged; NewToken->DynamicAvailable = ExistingToken->DynamicAvailable; NewToken->DefaultOwnerIndex = ExistingToken->DefaultOwnerIndex; NewToken->UserAndGroupCount = ExistingToken->UserAndGroupCount; NewToken->RestrictedSidCount = ExistingToken->RestrictedSidCount; NewToken->PrivilegeCount = ExistingToken->PrivilegeCount; NewToken->VariableLength = ExistingToken->VariableLength; NewToken->TokenFlags = ExistingToken->TokenFlags; NewToken->ProxyData = NewProxyData; NewToken->AuditData = NewAuditData; NewToken->SessionId = ExistingToken->SessionId; // // The following fields differ in the new token. // ExAllocateLocallyUniqueId( &(NewToken->TokenId) ); NewToken->ParentTokenId = ExistingToken->ParentTokenId; NewToken->TokenInUse = FALSE; NewToken->TokenType = TokenType; NewToken->ImpersonationLevel = ImpersonationLevel; // // Copy and initialize the variable part. // The variable part is assumed to be position independent. // RtlCopyMemory( (PVOID)&(NewToken->VariablePart), (PVOID)&(ExistingToken->VariablePart), ExistingToken->VariableLength ); // // Set the address of the UserAndGroups array. // ASSERT( ARGUMENT_PRESENT(ExistingToken->UserAndGroups ) ); ASSERT( (ULONG_PTR)(ExistingToken->UserAndGroups) >= (ULONG_PTR)(&(ExistingToken->VariablePart)) ); FieldOffset = (ULONG)((ULONG_PTR)(ExistingToken->UserAndGroups) - (ULONG_PTR)(&(ExistingToken->VariablePart))); NewToken->UserAndGroups = (PSID_AND_ATTRIBUTES)(FieldOffset + (ULONG_PTR)(&(NewToken->VariablePart))); // // Now go through and change the address of each SID pointer // for the user and groups // Index = 0; while (Index < ExistingToken->UserAndGroupCount) { FieldOffset = (ULONG)((ULONG_PTR)(ExistingToken->UserAndGroups[Index].Sid) - (ULONG_PTR)(&(ExistingToken->VariablePart))); NewToken->UserAndGroups[Index].Sid = (PSID)( FieldOffset + (ULONG_PTR)(&(NewToken->VariablePart)) ); Index += 1; } // // Set the address of the RestrictedSids array. // if (ARGUMENT_PRESENT(ExistingToken->RestrictedSids ) ) { ASSERT( (ULONG_PTR)(ExistingToken->RestrictedSids) >= (ULONG_PTR)(&(ExistingToken->VariablePart)) ); FieldOffset = (ULONG)((ULONG_PTR)(ExistingToken->RestrictedSids) - (ULONG_PTR)(&(ExistingToken->VariablePart))); NewToken->RestrictedSids = (PSID_AND_ATTRIBUTES)(FieldOffset + (ULONG_PTR)(&(NewToken->VariablePart)) ); // // Now go through and change the address of each SID pointer // for the user and groups // Index = 0; while (Index < ExistingToken->RestrictedSidCount) { FieldOffset = (ULONG)((ULONG_PTR)(ExistingToken->RestrictedSids[Index].Sid) - (ULONG_PTR)(&(ExistingToken->VariablePart))); NewToken->RestrictedSids[Index].Sid = (PSID)( FieldOffset + (ULONG_PTR)(&(NewToken->VariablePart)) ); Index += 1; } } else { NewToken->RestrictedSids = NULL; } // // If present, set the address of the privileges // if (ExistingToken->PrivilegeCount > 0) { ASSERT( ARGUMENT_PRESENT(ExistingToken->Privileges ) ); ASSERT( (ULONG_PTR)(ExistingToken->Privileges) >= (ULONG_PTR)(&(ExistingToken->VariablePart)) ); FieldOffset = (ULONG)((ULONG_PTR)(ExistingToken->Privileges) - (ULONG_PTR)(&(ExistingToken->VariablePart))); NewToken->Privileges = (PLUID_AND_ATTRIBUTES)( FieldOffset + (ULONG_PTR)(&(NewToken->VariablePart)) ); } else { NewToken->Privileges = NULL; } // // Copy and initialize the dynamic part. // The dynamic part is assumed to be position independent. // RtlCopyMemory( (PVOID)DynamicPart, (PVOID)(ExistingToken->DynamicPart), ExistingToken->DynamicCharged ); NewToken->DynamicPart = DynamicPart; // // If present, set the address of the default Dacl // if (ARGUMENT_PRESENT(ExistingToken->DefaultDacl)) { ASSERT( (ULONG_PTR)(ExistingToken->DefaultDacl) >= (ULONG_PTR)(ExistingToken->DynamicPart) ); FieldOffset = (ULONG)((ULONG_PTR)(ExistingToken->DefaultDacl) - (ULONG_PTR)(ExistingToken->DynamicPart)); NewToken->DefaultDacl = (PACL)(FieldOffset + (ULONG_PTR)DynamicPart); } else { NewToken->DefaultDacl = NULL; } // // Set the address of the primary group // ASSERT(ARGUMENT_PRESENT(ExistingToken->PrimaryGroup)); ASSERT( (ULONG_PTR)(ExistingToken->PrimaryGroup) >= (ULONG_PTR)(ExistingToken->DynamicPart) ); FieldOffset = (ULONG)((ULONG_PTR)(ExistingToken->PrimaryGroup) - (ULONG_PTR)(ExistingToken->DynamicPart)); NewToken->PrimaryGroup = (PACL)(FieldOffset + (ULONG_PTR)(DynamicPart)); // // For the time being, take the easy way to generating an "EffectiveOnly" // duplicate. That is, use the same space required of the original, just // eliminate any IDs or privileges not active. // // Ultimately, if duplication becomes a common operation, then it will be // worthwhile to recalculate the actual space needed and copy only the // effective IDs/privileges into the new token. // if (EffectiveOnly) { SepMakeTokenEffectiveOnly( NewToken ); } #ifdef TOKEN_DEBUG // // Debug DbgPrint("\n"); DbgPrint("\n"); DbgPrint("\n"); DbgPrint("Duplicate token:\n"); SepDumpToken( NewToken ); // Debug // #endif //TOKEN_DEBUG // // Release the source token. // SepReleaseTokenReadLock( ExistingToken ); (*DuplicateToken) = NewToken; return Status; }

NTSTATUS SepFilterToken (  IN PTOKEN  ExistingToken, IN KPROCESSOR_MODE  RequestorMode, IN ULONG  Flags, IN ULONG  GroupCount, IN PSID_AND_ATTRIBUTES GroupsToDisable  OPTIONAL, IN ULONG  PrivilegeCount, IN PLUID_AND_ATTRIBUTES PrivilegesToDelete  OPTIONAL, IN ULONG  SidCount, IN PSID_AND_ATTRIBUTES RestrictedSids  OPTIONAL, IN ULONG  SidLength, OUT PTOKEN *  FilteredToken )

Definition at line 1939 of file tokendup.c. References ASSERT, DbgPrint, ExAllocateLocallyUniqueId, ExAllocatePool, ExAllocatePoolWithTag, ExFreePool(), FALSE, Index, MAX, NT_SUCCESS, NTSTATUS(), NULL, ObCreateObject(), ObDereferenceObject, PAGED_CODE, PagedPool, PTOKEN, RtlCopyLuidAndAttributesArray(), RtlCopySidAndAttributesArray(), SepAcquireTokenReadLock, SepCopyProxyData(), SepDeReferenceLogonSession(), SepFreeProxyData(), SepReferenceLogonSession(), SepReleaseTokenReadLock, SepRemoveDisabledGroupsAndPrivileges(), SepSidInSidAndAttributes(), SepTokenObjectType, Status, and TOKEN_IS_RESTRICTED. Referenced by NtFilterToken(), SeFastFilterToken(), and SeFilterToken(). : This routine does the bulk of the work to actually filter a token. This routine assumes all access validation and argument probing has been performed. THE CALLER IS RESPONSIBLE FOR CHECKING SUBJECT RIGHTS TO CREATE THE TYPE OF TOKEN BEING CREATED. This routine acquires a read lock on the token being filtered. Arguments: ExistingToken - Points to the token to be duplicated. RequestorMode - Mode of client requesting the token be duplicated. GroupCount - Count of groups to disable GroupsToDisable - Contains a list of sids and attributes. All sids with the USE_FOR_DENY_ONLY attribute that also exist in the token will cause the new token to have that sid set with the USE_FOR_DENY_ONLY attribute. PrivilegeCount - Count of privileges to delete PrivilegesToDelete - Privileges in this list that are present in the existing token will not exist in the final token. This is similar to duplicating a token effective only with these privileges set to disabled. SidCount - Count of restricted sids to add. RestrictedSids - Contains a list of SIDs and attributes that will be stored in the RestrictedSids field of the new token. These SIDs are used after a normal access check to futher restrict access. The attributes of these groups are always SE_GROUP_MANDATORY | SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT. If there already exist RestrictedSids in the original token, the intersection of the two sets will be in the final tokense sids will be. SidLength - Length of added restricted sids. FilteredToken - Receives a pointer to the duplicate token. The token has not yet been inserted into any object table. No exceptions are expected when tring to set this OUT value. Return Value: STATUS_SUCCESS - The service successfully completed the requested operation. --*/ { NTSTATUS Status; PTOKEN NewToken; PULONG DynamicPart; ULONG PagedPoolSize; ULONG NonPagedPoolSize; ULONG TokenBodyLength; ULONG FieldOffset; ULONG_PTR NextFree; PSID NextSidFree; ULONG VariableLength; ULONG Index; PSECURITY_TOKEN_PROXY_DATA NewProxyData; PSECURITY_TOKEN_AUDIT_DATA NewAuditData; OBJECT_ATTRIBUTES ObjA ; PAGED_CODE(); ASSERT( sizeof(SECURITY_IMPERSONATION_LEVEL) <= sizeof(ULONG) ); // // Increment the reference count for this logon session // This can not fail, since there is already a token in this logon // session. // Status = SepReferenceLogonSession( &(ExistingToken->AuthenticationId) ); ASSERT( NT_SUCCESS(Status) ); // // Note that the size of the dynamic portion of a token can not change // once established. // // // Allocate the dynamic portion // DynamicPart = (PULONG)ExAllocatePoolWithTag( PagedPool, ExistingToken->DynamicCharged, 'dTeS' ); if (DynamicPart == NULL) { SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) ); return( STATUS_INSUFFICIENT_RESOURCES ); } if (ARGUMENT_PRESENT(ExistingToken->ProxyData)) { Status = SepCopyProxyData( &NewProxyData, ExistingToken->ProxyData ); if (!NT_SUCCESS(Status)) { SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) ); ExFreePool( DynamicPart ); return( Status ); } } else { NewProxyData = NULL; } if (ARGUMENT_PRESENT( ExistingToken->AuditData )) { NewAuditData = ExAllocatePool( PagedPool, sizeof( SECURITY_TOKEN_AUDIT_DATA )); if (NewAuditData == NULL) { SepFreeProxyData( NewProxyData ); SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) ); ExFreePool( DynamicPart ); return( STATUS_INSUFFICIENT_RESOURCES ); } else { *NewAuditData = *(ExistingToken->AuditData); } } else { NewAuditData = NULL; } // // Create a new object // VariableLength = ExistingToken->VariableLength + SidLength; TokenBodyLength = (ULONG)sizeof(TOKEN) + VariableLength; NonPagedPoolSize = TokenBodyLength; PagedPoolSize = ExistingToken->DynamicCharged; InitializeObjectAttributes( &ObjA, NULL, 0, NULL, NULL ); Status = ObCreateObject( RequestorMode, // ProbeMode SepTokenObjectType, // ObjectType NULL, // ObjectAttributes RequestorMode, // OwnershipMode NULL, // ParseContext TokenBodyLength, // ObjectBodySize PagedPoolSize, // PagedPoolCharge NonPagedPoolSize, // NonPagedPoolCharge (PVOID *)&NewToken // Return pointer to object ); if (!NT_SUCCESS(Status)) { SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) ); ExFreePool( DynamicPart ); SepFreeProxyData( NewProxyData ); if (NewAuditData != NULL) { ExFreePool( NewAuditData ); } return Status; } // // acquire exclusive access to the source token // SepAcquireTokenReadLock( ExistingToken ); // // Main Body initialization // // // The following fields are unchanged from the source token. // Although some may change if EffectiveOnly has been specified. // NewToken->AuthenticationId = ExistingToken->AuthenticationId; NewToken->ExpirationTime = ExistingToken->ExpirationTime; NewToken->TokenSource = ExistingToken->TokenSource; NewToken->DynamicCharged = ExistingToken->DynamicCharged; NewToken->DynamicAvailable = ExistingToken->DynamicAvailable; NewToken->DefaultOwnerIndex = ExistingToken->DefaultOwnerIndex; NewToken->UserAndGroupCount = ExistingToken->UserAndGroupCount; NewToken->SessionId = ExistingToken->SessionId; NewToken->RestrictedSidCount = 0; NewToken->PrivilegeCount = ExistingToken->PrivilegeCount; NewToken->VariableLength = VariableLength; NewToken->TokenFlags = ExistingToken->TokenFlags; NewToken->ProxyData = NewProxyData; NewToken->AuditData = NewAuditData; // // The following fields differ in the new token. // // // Allocate a new modified Id to distinguish this token from the orignial // token. // ExAllocateLocallyUniqueId( &(NewToken->ModifiedId) ); ExAllocateLocallyUniqueId( &(NewToken->TokenId) ); NewToken->ParentTokenId = ExistingToken->TokenId; NewToken->TokenInUse = FALSE; NewToken->TokenType = ExistingToken->TokenType; NewToken->ImpersonationLevel = ExistingToken->ImpersonationLevel; // // Compute the beginning portion of the variable part, which contains the // sid & attributes arrays and the privilege set. // // // First copy the privileges. We will later remove the ones that are // to be deleted. // NextFree = (ULONG_PTR)(&NewToken->VariablePart); NewToken->Privileges = (PLUID_AND_ATTRIBUTES)NextFree; RtlCopyLuidAndAttributesArray( ExistingToken->PrivilegeCount, ExistingToken->Privileges, (PLUID_AND_ATTRIBUTES)NextFree ); NextFree += (ExistingToken->PrivilegeCount * (ULONG)sizeof(LUID_AND_ATTRIBUTES)); VariableLength -= ( (ExistingToken->PrivilegeCount * (ULONG)sizeof(LUID_AND_ATTRIBUTES)) ); // // Figure out the count of SIDs. This is the count of users&groups + // the number of existing restricuted SIDs plus the number of new // restricted Sids // #define MAX(_x_,_y_) ((_x_) > (_y_) ? (_x_) : (_y_)) NextSidFree = (PSID) (NextFree + (ExistingToken->UserAndGroupCount + MAX(ExistingToken->RestrictedSidCount,SidCount)) * sizeof(SID_AND_ATTRIBUTES)); NewToken->UserAndGroups = (PSID_AND_ATTRIBUTES) NextFree; // // Copy in the existing users & groups. We will later flag the ones // to be disabled. // Status = RtlCopySidAndAttributesArray( ExistingToken->UserAndGroupCount, ExistingToken->UserAndGroups, VariableLength, (PSID_AND_ATTRIBUTES)NextFree, NextSidFree, &NextSidFree, &VariableLength ); ASSERT(NT_SUCCESS(Status)); NextFree += (ExistingToken->UserAndGroupCount * (ULONG)sizeof(SID_AND_ATTRIBUTES)); // // Now add all the existing restricted sids. We need to take the // intersection of the two sets. // NewToken->RestrictedSids = (PSID_AND_ATTRIBUTES) NextFree; for (Index = 0; Index < SidCount ; Index++ ) { if ( ( ExistingToken->RestrictedSidCount == 0 ) || SepSidInSidAndAttributes( ExistingToken->RestrictedSids, ExistingToken->RestrictedSidCount, NULL, // no self sid RestrictedSids[Index].Sid )) { Status = RtlCopySidAndAttributesArray( 1, &RestrictedSids[Index], VariableLength, (PSID_AND_ATTRIBUTES)NextFree, NextSidFree, &NextSidFree, &VariableLength ); ASSERT(NT_SUCCESS(Status)); NextFree += sizeof(SID_AND_ATTRIBUTES); NewToken->RestrictedSids[NewToken->RestrictedSidCount].Attributes = SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY; NewToken->RestrictedSidCount++; } } // // Make sure the new token has some restrictions. // If it doesn't, then we've ended up with a token // that gives us more access than the original, // which we don't want. // if ((ExistingToken->RestrictedSidCount != 0) && (NewToken->RestrictedSidCount == 0)) { SepReleaseTokenReadLock( ExistingToken ); Status = STATUS_INVALID_PARAMETER; // // Cleanup. ObDereferenceObject will cause the logon // session to be dereferenced, and will free the proxy data // as well as the audit data. // // See SepTokenDeleteMethod(), which is called by // the object manager when the token object is // being freed. // ExFreePool( DynamicPart ); // // Do this so we don't crash trying to free whatever // junk is pointed to by DynamicPart. // NewToken->DynamicPart = NULL; ObDereferenceObject( NewToken ); return(Status); } // // If there are any restricted sids in the token, turn on the restricted // flag // if (NewToken->RestrictedSidCount > 0) { NewToken->TokenFlags |= TOKEN_IS_RESTRICTED; } // // Copy and initialize the dynamic part. // The dynamic part is assumed to be position independent. // RtlCopyMemory( (PVOID)DynamicPart, (PVOID)(ExistingToken->DynamicPart), ExistingToken->DynamicCharged ); NewToken->DynamicPart = DynamicPart; // // If present, set the address of the default Dacl // if (ARGUMENT_PRESENT(ExistingToken->DefaultDacl)) { ASSERT( (ULONG_PTR)(ExistingToken->DefaultDacl) >= (ULONG_PTR)(ExistingToken->DynamicPart) ); FieldOffset = (ULONG)((ULONG_PTR)(ExistingToken->DefaultDacl) - (ULONG_PTR)(ExistingToken->DynamicPart)); NewToken->DefaultDacl = (PACL)(FieldOffset + (ULONG_PTR)DynamicPart); } else { NewToken->DefaultDacl = NULL; } // // Set the address of the primary group // ASSERT(ARGUMENT_PRESENT(ExistingToken->PrimaryGroup)); ASSERT( (ULONG_PTR)(ExistingToken->PrimaryGroup) >= (ULONG_PTR)(ExistingToken->DynamicPart) ); FieldOffset = (ULONG)((ULONG_PTR)(ExistingToken->PrimaryGroup) - (ULONG_PTR)(ExistingToken->DynamicPart)); NewToken->PrimaryGroup = (PACL)(FieldOffset + (ULONG_PTR)(DynamicPart)); // // For the time being, take the easy way to generating an "EffectiveOnly" // duplicate. That is, use the same space required of the original, just // eliminate any IDs or privileges not active. // // Ultimately, if duplication becomes a common operation, then it will be // worthwhile to recalculate the actual space needed and copy only the // effective IDs/privileges into the new token. // SepRemoveDisabledGroupsAndPrivileges( NewToken, Flags, GroupCount, GroupsToDisable, PrivilegeCount, PrivilegesToDelete ); #ifdef TOKEN_DEBUG // // Debug DbgPrint("\n"); DbgPrint("\n"); DbgPrint("\n"); DbgPrint("Filter token:\n"); SepDumpToken( NewToken ); // Debug // #endif //TOKEN_DEBUG // // Release the source token. // SepReleaseTokenReadLock( ExistingToken ); (*FilteredToken) = NewToken; return Status; }

VOID SepFreeDefaultDacl (  IN PTOKEN  Token  )

Definition at line 635 of file tokenset.c. References NULL, PAGED_CODE, SeLengthSid, and Token. Referenced by NtSetInformationToken(). 00642 : 00643 00644 Free up the space in the dynamic part of the token take up by the default 00645 discretionary access control list. 00646 00647 The token is assumed to be locked for write access before calling 00648 this routine. 00649 00650 Arguments: 00651 00652 Token - Pointer to the token. 00653 00654 Return Value: 00655 00656 None. 00657 00658 --*/ 00659 { 00660 ULONG PrimaryGroupSize; 00661 00662 PAGED_CODE(); 00663 00664 // 00665 // Add the size of the Default Dacl (if there is one) to the 00666 // DynamicAvailable field. 00667 // 00668 if (ARGUMENT_PRESENT(Token->DefaultDacl)) { 00669 00670 Token->DynamicAvailable += Token->DefaultDacl->AclSize; 00671 Token->DefaultDacl = NULL; 00672 00673 } 00674 00675 // 00676 // If it is not already at the beginning of the dynamic part, move 00677 // the primary group there (remember to update the pointer to it). 00678 // 00679 00680 if (Token->DynamicPart != (PULONG)(Token->PrimaryGroup)) { 00681 00682 PrimaryGroupSize = SeLengthSid( Token->PrimaryGroup ); 00683 00684 RtlMoveMemory( 00685 (PVOID)(Token->DynamicPart), 00686 (PVOID)(Token->PrimaryGroup), 00687 PrimaryGroupSize 00688 ); 00689 00690 Token->PrimaryGroup = (PSID)(Token->DynamicPart); 00691 } 00692 00693 return; 00694 }

VOID SepFreePrimaryGroup (  IN PTOKEN  Token  )

Definition at line 576 of file tokenset.c. References PAGED_CODE, SeLengthSid, and Token. Referenced by NtSetInformationToken(). : Free up the space in the dynamic part of the token take up by the primary group. The token is assumed to be locked for write access before calling this routine. Arguments: Token - Pointer to the token. Return Value: None. --*/ { PAGED_CODE(); // // Add the size of the primary group to the DynamicAvailable field. // Token->DynamicAvailable += SeLengthSid( Token->PrimaryGroup ); // // If there is a default discretionary ACL, and it is not already at the // beginning of the dynamic part, move it there (remember to update the // pointer to it). // if (ARGUMENT_PRESENT(Token->DefaultDacl)) { if (Token->DynamicPart != (PULONG)(Token->DefaultDacl)) { RtlMoveMemory( (PVOID)(Token->DynamicPart), (PVOID)(Token->DefaultDacl), Token->DefaultDacl->AclSize ); Token->DefaultDacl = (PACL)(Token->DynamicPart); } } return; }

BOOLEAN SepIdAssignableAsOwner (  IN PTOKEN  Token, IN ULONG  Index )

Definition at line 2813 of file token.c. References Index, PAGED_CODE, SepTokenGroupAttributes, Token, and TRUE. Referenced by NtSetInformationToken(), and SepValidOwnerSubjectContext(). : This routine returns a boolean value indicating whether the user or group ID in the specified token with the specified index is assignable as the owner of an object. If the index is 0, which is always the USER ID, then the ID is assignable as owner. Otherwise, the ID is that of a group, and it must have the "Owner" attribute set to be assignable. Arguments: Token - Pointer to a locked Token to use. Index - Index into the Token's UserAndGroupsArray. This value is assumed to be valid. Return Value: TRUE - Indicates the index corresponds to an ID that may be assigned as the owner of objects. FALSE - Indicates the index does not correspond to an ID that may be assigned as the owner of objects. --*/ { PAGED_CODE(); if (Index == 0) { return TRUE; } else { return (BOOLEAN) ( (SepTokenGroupAttributes(Token,Index) & SE_GROUP_OWNER) != 0 ); } }

VOID SepMakeTokenEffectiveOnly (  IN PTOKEN  Token  )

Definition at line 806 of file tokendup.c. References ASSERT, Index, PAGED_CODE, RtlEqualSid(), SeAliasAdminsSid, SepTokenGroupAttributes, SepTokenPrivilegeAttributes, Token, and TOKEN_HAS_ADMIN_GROUP. Referenced by SepDuplicateToken(). : This routine eliminates all but the effective groups and privileges from a token. It does this by moving elements of the SID and privileges arrays to overwrite lapsed IDs/privileges, and then reducing the array element counts. This results in wasted memory within the token object. One side effect of this routine is that a token that initially had a default owner ID corresponding to a lapsed group will be changed so that the default owner ID is the user ID. THIS ROUTINE MUST BE CALLED ONLY AS PART OF TOKEN CREATION (FOR TOKENS WHICH HAVE NOT YET BEEN INSERTED INTO AN OBJECT TABLE.) THIS ROUTINE MODIFIES READ ONLY TOKEN FIELDS. Note that since we are operating on a token that is not yet visible to the user, we do not bother acquiring a read lock on the token being modified. Arguments: Token - Points to the token to be made effective only. Return Value: None. --*/ { ULONG Index; ULONG ElementCount; PAGED_CODE(); // // Walk the privilege array, discarding any lapsed privileges // ElementCount = Token->PrivilegeCount; Index = 0; while (Index < ElementCount) { // // If this privilege is not enabled, replace it with the one at // the end of the array and reduce the size of the array by one. // Otherwise, move on to the next entry in the array. // if ( !(SepTokenPrivilegeAttributes(Token,Index) & SE_PRIVILEGE_ENABLED) ) { (Token->Privileges)[Index] = (Token->Privileges)[ElementCount - 1]; ElementCount -= 1; } else { Index += 1; } } // endwhile Token->PrivilegeCount = ElementCount; // // Walk the UserAndGroups array (except for the first entry, which is // the user - and can't be disabled) discarding any lapsed groups. // ElementCount = Token->UserAndGroupCount; ASSERT( ElementCount >= 1 ); // Must be at least a user ID Index = 1; // Start at the first group, not the user ID. while (Index < ElementCount) { // // If this group is not enabled, replace it with the one at // the end of the array and reduce the size of the array by one. // if ( !(SepTokenGroupAttributes(Token, Index) & SE_GROUP_ENABLED) && !(SepTokenGroupAttributes(Token, Index) & SE_GROUP_USE_FOR_DENY_ONLY) ) { // // Reset the TOKEN_HAS_ADMIN_GROUP flag // if (RtlEqualSid( Token->UserAndGroups[Index].Sid, SeAliasAdminsSid )) { Token->TokenFlags &= ~TOKEN_HAS_ADMIN_GROUP; } (Token->UserAndGroups)[Index] = (Token->UserAndGroups)[ElementCount - 1]; ElementCount -= 1; } else { Index += 1; } } // endwhile Token->UserAndGroupCount = ElementCount; return; }

BOOLEAN SepObjectInTypeList (  IN GUID *  ObjectType, IN PIOBJECT_TYPE_LIST  ObjectTypeList, IN ULONG  ObjectTypeListLength, OUT PULONG  ReturnedIndex )

Definition at line 388 of file accessck.c. References ASSERT, FALSE, Index, PAGED_CODE, and TRUE. Referenced by SepAccessCheck(), SepExamineSaclEx(), SepMaximumAccessCheck(), and SepNormalAccessCheck(). : This routine searches an ObjectTypeList to determine if the specified object type is in the list. Arguments: ObjectType - Object Type to search for. ObjectTypeList - The object type list to search. ObjectTypeListLength - Number of elements in ObjectTypeList ReturnedIndex - Index to the element ObjectType was found in Return Value: TRUE: ObjectType was found in list. FALSE: ObjectType was not found in list. --*/ { ULONG Index; GUID *LocalObjectType; PAGED_CODE(); ASSERT( sizeof(GUID) == sizeof(ULONG) * 4 ); for ( Index=0; Index<ObjectTypeListLength; Index++ ) { LocalObjectType = &ObjectTypeList[Index].ObjectType; if ( RtlpIsEqualGuid( ObjectType, LocalObjectType ) ) { *ReturnedIndex = Index; return TRUE; } } return FALSE; }

BOOLEAN SepPrivilegeCheck (  IN PTOKEN  Token, IN OUT PLUID_AND_ATTRIBUTES  RequiredPrivileges, IN ULONG  RequiredPrivilegeCount, IN ULONG  PrivilegeSetControl, IN KPROCESSOR_MODE  PreviousMode )

Definition at line 38 of file privileg.c. References FALSE, KernelMode, PAGED_CODE, RtlEqualLuid(), SepAcquireTokenReadLock, SepReleaseTokenReadLock, Token, and TRUE. Referenced by NtPrivilegeCheck(), SeCheckAuditPrivilege(), SePrivilegeCheck(), and SepSinglePrivilegeCheck(). : Worker routine for SePrivilegeCheck Arguments: Token - The user's effective token. RequiredPrivileges - A privilege set describing the required privileges. The UsedForAccess bits will be set in any privilege that is actually used (usually all of them). RequiredPrivilegeCount - How many privileges are in the RequiredPrivileges set. PrivilegeSetControl - Describes how many privileges are required. PreviousMode - The previous processor mode. Return Value: Returns TRUE if requested privileges are granted, FALSE otherwise. --*/ { PLUID_AND_ATTRIBUTES CurrentRequiredPrivilege; PLUID_AND_ATTRIBUTES CurrentTokenPrivilege; BOOLEAN RequiredAll; ULONG TokenPrivilegeCount; ULONG MatchCount = 0; ULONG i; ULONG j; PAGED_CODE(); // // Take care of kernel callers first // if (PreviousMode == KernelMode) { return(TRUE); } SepAcquireTokenReadLock( Token ); TokenPrivilegeCount = Token->PrivilegeCount; // // Save whether we require ALL of them or ANY // RequiredAll = (BOOLEAN)(PrivilegeSetControl & PRIVILEGE_SET_ALL_NECESSARY); for ( i = 0 , CurrentRequiredPrivilege = RequiredPrivileges ; i < RequiredPrivilegeCount ; i++, CurrentRequiredPrivilege++ ) { for ( j = 0, CurrentTokenPrivilege = Token->Privileges; j < TokenPrivilegeCount ; j++, CurrentTokenPrivilege++ ) { if ((CurrentTokenPrivilege->Attributes & SE_PRIVILEGE_ENABLED) && (RtlEqualLuid(&CurrentTokenPrivilege->Luid, &CurrentRequiredPrivilege->Luid)) ) { CurrentRequiredPrivilege->Attributes |= SE_PRIVILEGE_USED_FOR_ACCESS; MatchCount++; break; // start looking for next one } } } SepReleaseTokenReadLock( Token ); // // If we wanted ANY and didn't get any, return failure. // if (!RequiredAll && (MatchCount == 0)) { return (FALSE); } // // If we wanted ALL and didn't get all, return failure. // if (RequiredAll && (MatchCount != RequiredPrivilegeCount)) { return(FALSE); } return(TRUE); }

VOID SepRemoveDisabledGroupsAndPrivileges (  IN PTOKEN  Token, IN ULONG  Flags, IN ULONG  GroupCount, IN PSID_AND_ATTRIBUTES  GroupsToDisable, IN ULONG  PrivilegeCount, IN PLUID_AND_ATTRIBUTES  PrivilegesToDelete )

Definition at line 1041 of file tokendup.c. References ASSERT, FALSE, Index, NULL, PAGED_CODE, RtlEqualLuid(), RtlEqualSid(), SeAliasAdminsSid, SeChangeNotifyPrivilege, SepSidInSidAndAttributes(), Token, TOKEN_HAS_ADMIN_GROUP, TOKEN_HAS_TRAVERSE_PRIVILEGE, and TRUE. Referenced by SepFilterToken(). : This routine eliminates all groups and privileges that are marked to be deleted/disabled. It does this by looping through the groups in the token and checking each one agains the groups to disable. Similary the privilegs are compared. It does this by moving elements of the SID and privileges arrays to overwrite lapsed IDs/privileges, and then reducing the array element counts. This results in wasted memory within the token object. THIS ROUTINE MUST BE CALLED ONLY AS PART OF TOKEN CREATION (FOR TOKENS WHICH HAVE NOT YET BEEN INSERTED INTO AN OBJECT TABLE.) THIS ROUTINE MODIFIES READ ONLY TOKEN FIELDS. Note that since we are operating on a token that is not yet visible to the user, we do not bother acquiring a read lock on the token being modified. Arguments: Token - Points to the token to be made effective only. Flags - Flags indicating additional filtering. The flags may be: DISABLE_ALL_GROUPS - disable all groups in token DELETE_ALL_PRIVILEGES - Disable all privileges GroupCount - Count of groups to be removed GroupsToDisable - Groups to disable and mark with SE_GROUP_USE_FOR_DENY_ONLY PrivilegeCount - Count of privileges to remove PrivilegesToDelete - List of privileges to remove Return Value: None. --*/ { ULONG Index; ULONG Index2; ULONG ElementCount; BOOLEAN Found; PAGED_CODE(); // // Walk the privilege array, discarding any lapsed privileges // ElementCount = Token->PrivilegeCount; Index = 0; while (Index < ElementCount) { // // If the caller asked us to disable all privileges except change // notify, do so now. // if (((Flags & DISABLE_MAX_PRIVILEGE) != 0) && !RtlEqualLuid( &Token->Privileges[Index].Luid, &SeChangeNotifyPrivilege )) { (Token->Privileges)[Index] = (Token->Privileges)[ElementCount - 1]; ElementCount -= 1; } else { // // If this privilege is in the list of those to be removed, replace it // with the one at the end of the array and reduce the size of the // array by one. Otherwise, move on to the next entry in the array. // Found = FALSE; for (Index2 = 0; Index2 < PrivilegeCount ; Index2++ ) { if (RtlEqualLuid( &Token->Privileges[Index].Luid, &PrivilegesToDelete[Index2].Luid )) { (Token->Privileges)[Index] = (Token->Privileges)[ElementCount - 1]; ElementCount -= 1; // // If this was SeChangeNotifyPrivilege, we need to turn off // the TOKEN_HAS_TRAVERSE_PRIVILEGE in the token // if (RtlEqualLuid( &PrivilegesToDelete[Index2].Luid, &SeChangeNotifyPrivilege )) { Token->TokenFlags &= ~TOKEN_HAS_TRAVERSE_PRIVILEGE; } Found = TRUE; break; } } if (!Found) { Index += 1; } } } // endwhile Token->PrivilegeCount = ElementCount; // // Walk the UserAndGroups array marking any disabled groups. // ElementCount = Token->UserAndGroupCount; ASSERT( ElementCount >= 1 ); // Must be at least a user ID Index = 0; // Start at the first group, not the user ID. while (Index < ElementCount) { // // If this group is not enabled, replace it with the one at // the end of the array and reduce the size of the array by one. // if ( SepSidInSidAndAttributes( GroupsToDisable, GroupCount, NULL, // no principal self sid Token->UserAndGroups[Index].Sid )){ (Token->UserAndGroups)[Index].Attributes &= ~(SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT); (Token->UserAndGroups)[Index].Attributes |= SE_GROUP_USE_FOR_DENY_ONLY; // // If this was the owner, reset the owner to be the user // if (Index == Token->DefaultOwnerIndex) { Token->DefaultOwnerIndex = 0; } // // If this is the admins sid, turn off the admin group flag // if (RtlEqualSid( Token->UserAndGroups[Index].Sid, SeAliasAdminsSid )) { Token->TokenFlags &= ~TOKEN_HAS_ADMIN_GROUP; } } Index += 1; } // endwhile return; }

BOOLEAN SepSidInSidAndAttributes (  IN PSID_AND_ATTRIBUTES  SidAndAttributes, IN ULONG  SidCount, IN PSID  PrincipalSelfSid, IN PSID  Sid )

Definition at line 933 of file tokendup.c. References FALSE, NULL, PAGED_CODE, PTOKEN, RtlEqualSid(), SePrincipalSelfSid, Token, and TRUE. Referenced by SepFilterToken(), and SepRemoveDisabledGroupsAndPrivileges(). : Checks to see if a given SID is in the given token. N.B. The code to compute the length of a SID and test for equality is duplicated from the security runtime since this is such a frequently used routine. Arguments: SidAndAttributes - Pointer to the sid and attributes to be examined PrincipalSelfSid - If the object being access checked is an object which represents a principal (e.g., a user object), this parameter should be the SID of the object. Any ACE containing the constant PRINCIPAL_SELF_SID is replaced by this SID. The parameter should be NULL if the object does not represent a principal. Sid - Pointer to the SID of interest Return Value: A value of TRUE indicates that the SID is in the token, FALSE otherwise. --*/ { ULONG i; PISID MatchSid; ULONG SidLength; PTOKEN Token; PSID_AND_ATTRIBUTES TokenSid; ULONG UserAndGroupCount; PAGED_CODE(); if (!ARGUMENT_PRESENT( SidAndAttributes ) ) { return(FALSE); } // // If Sid is the constant PrincipalSelfSid, // replace it with the passed in PrincipalSelfSid. // if ( PrincipalSelfSid != NULL && RtlEqualSid( SePrincipalSelfSid, Sid ) ) { Sid = PrincipalSelfSid; } // // Get the length of the source SID since this only needs to be computed // once. // SidLength = 8 + (4 * ((PISID)Sid)->SubAuthorityCount); // // Get address of user/group array and number of user/groups. // TokenSid = SidAndAttributes; UserAndGroupCount = SidCount; // // Scan through the user/groups and attempt to find a match with the // specified SID. // for (i = 0 ; i < UserAndGroupCount ; i += 1) { MatchSid = (PISID)TokenSid->Sid; // // If the SID revision and length matches, then compare the SIDs // for equality. // if ((((PISID)Sid)->Revision == MatchSid->Revision) && (SidLength == (8 + (4 * (ULONG)MatchSid->SubAuthorityCount)))) { if (RtlEqualMemory(Sid, MatchSid, SidLength)) { return TRUE; } } TokenSid += 1; } return FALSE; }

VOID SepTokenDeleteMethod (  IN PVOID  Token  )

Definition at line 2156 of file token.c. References ExFreePool(), PAGED_CODE, SepDeReferenceLogonSession(), SepFreeProxyData(), and Token. Referenced by SepTokenInitialization(). 02162 : 02163 02164 This function is the token object type-specific delete method. 02165 It is needed to ensure that all memory allocated for the token 02166 gets deallocated. 02167 02168 Arguments: 02169 02170 Token - Points to the token object being deleted. 02171 02172 Return Value: 02173 02174 None. 02175 02176 --*/ 02177 02178 { 02179 PAGED_CODE(); 02180 02181 // 02182 // De-reference the logon session referenced by this token object 02183 // 02184 02185 SepDeReferenceLogonSession( &(((TOKEN *)Token)->AuthenticationId) ); 02186 02187 02188 // 02189 // If the token has an associated Dynamic part, deallocate it. 02190 // 02191 02192 if (ARGUMENT_PRESENT( ((TOKEN *)Token)->DynamicPart)) { 02193 ExFreePool( ((TOKEN *)Token)->DynamicPart ); 02194 } 02195 02196 // 02197 // Free the Proxy and Global audit structures if present. 02198 // 02199 02200 if (ARGUMENT_PRESENT(((TOKEN *) Token)->ProxyData)) { 02201 SepFreeProxyData( ((TOKEN *)Token)->ProxyData ); 02202 } 02203 02204 if (ARGUMENT_PRESENT(((TOKEN *)Token)->AuditData )) { 02205 ExFreePool( (((TOKEN *)Token)->AuditData) ); 02206 } 02207 02208 02209 return; 02210 }

BOOLEAN SepTokenInitialization (  VOID   )

Definition at line 1460 of file token.c. References ExInitializeResource, L, NT_SUCCESS, NTSTATUS(), NULL, ObCreateObjectType(), PAGED_CODE, PagedPool, RtlInitUnicodeString(), SepTokenDeleteMethod(), SepTokenLock, SepTokenMapping, SepTokenObjectType, Status, and TRUE. Referenced by SepInitializationPhase0(). 01464 : 01465 01466 This function creates the token object type descriptor at system 01467 initialization and stores the address of the object type descriptor 01468 in global storage. It also created token related global variables. 01469 01470 Furthermore, some number of pseudo tokens are created during system 01471 initialization. These tokens are tracked down and replaced with 01472 real tokens. 01473 01474 Arguments: 01475 01476 None. 01477 01478 Return Value: 01479 01480 A value of TRUE is returned if the object type descriptor is 01481 successfully initialized. Otherwise a value of FALSE is returned. 01482 01483 --*/ 01484 01485 { 01486 01487 OBJECT_TYPE_INITIALIZER ObjectTypeInitializer; 01488 NTSTATUS Status; 01489 UNICODE_STRING TypeName; 01490 01491 PAGED_CODE(); 01492 01493 // 01494 // Initialize string descriptor. 01495 // 01496 01497 RtlInitUnicodeString(&TypeName, L"Token"); 01498 01499 01500 // 01501 // Create the global token lock 01502 // 01503 01504 ExInitializeResource(&SepTokenLock); 01505 01506 01507 #if 0 01508 BUG, BUG Need to get system default ACL to protect token object 01509 #endif 01510 01511 // 01512 // Create object type descriptor. 01513 // 01514 01515 RtlZeroMemory(&ObjectTypeInitializer,sizeof(ObjectTypeInitializer)); 01516 ObjectTypeInitializer.Length = sizeof(ObjectTypeInitializer); 01517 ObjectTypeInitializer.InvalidAttributes = OBJ_OPENLINK; 01518 ObjectTypeInitializer.GenericMapping = SepTokenMapping; 01519 ObjectTypeInitializer.SecurityRequired = TRUE; 01520 ObjectTypeInitializer.UseDefaultObject = TRUE; 01521 ObjectTypeInitializer.PoolType = PagedPool; 01522 ObjectTypeInitializer.ValidAccessMask = TOKEN_ALL_ACCESS; 01523 ObjectTypeInitializer.DeleteProcedure = SepTokenDeleteMethod; 01524 01525 Status = ObCreateObjectType(&TypeName, 01526 &ObjectTypeInitializer, 01527 (PSECURITY_DESCRIPTOR)NULL, // BUG, BUG assign real protection 01528 &SepTokenObjectType 01529 ); 01530 01531 01532 #if 0 01533 BUG, BUG Now track down all pseudo tokens used during system initialization 01534 BUG, BUG and replace them with real ones. 01535 #endif 01536 01537 // 01538 // If the object type descriptor was successfully created, then 01539 // return a value of TRUE. Otherwise return a value of FALSE. 01540 // 01541 01542 return (BOOLEAN)NT_SUCCESS(Status); 01543 }

---

Variable Documentation

ERESOURCE SepTokenLock

Definition at line 674 of file tokenp.h. Referenced by SepTokenInitialization().

GENERIC_MAPPING SepTokenMapping

Definition at line 671 of file tokenp.h. Referenced by SepTokenInitialization().

POBJECT_TYPE SepTokenObjectType

Definition at line 672 of file tokenp.h.

---