privileg.c File Reference

#include "tokenp.h"

Go to the source code of this file.

Functions
BOOLEAN	SepPrivilegeCheck (IN PTOKEN Token, IN OUT PLUID_AND_ATTRIBUTES RequiredPrivileges, IN ULONG RequiredPrivilegeCount, IN ULONG PrivilegeSetControl, IN KPROCESSOR_MODE PreviousMode)
BOOLEAN	SePrivilegeCheck (IN OUT PPRIVILEGE_SET RequiredPrivileges, IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN KPROCESSOR_MODE AccessMode)
NTSTATUS	NtPrivilegeCheck (IN HANDLE ClientToken, IN OUT PPRIVILEGE_SET RequiredPrivileges, OUT PBOOLEAN Result)
BOOLEAN	SeSinglePrivilegeCheck (LUID PrivilegeValue, KPROCESSOR_MODE PreviousMode)
BOOLEAN	SeCheckPrivilegedObject (LUID PrivilegeValue, HANDLE ObjectHandle, ACCESS_MASK DesiredAccess, KPROCESSOR_MODE PreviousMode)

---

Function Documentation

NTSTATUS NtPrivilegeCheck (  IN HANDLE  ClientToken, IN OUT PPRIVILEGE_SET  RequiredPrivileges, OUT PBOOLEAN  Result )

Definition at line 231 of file privileg.c. References ANYSIZE_ARRAY, ClientToken, EXCEPTION_EXECUTE_HANDLER, IsValidElementCount, KPROCESSOR_MODE, NT_SUCCESS, NTSTATUS(), NULL, ObDereferenceObject, ObReferenceObjectByHandle(), PAGED_CODE, PagedPool, ProbeForWrite(), ProbeForWriteBoolean, PTOKEN, SeCaptureLuidAndAttributesArray(), SepPrivilegeCheck(), SepTokenObjectType, SeReleaseLuidAndAttributesArray(), Status, Token, TRUE, and UserMode. Referenced by IsPrivileged(), RtlNewSecurityGrantedAccess(), RtlpNewSecurityObject(), and RtlpValidOwnerSubjectContext(). : This routine tests the caller's client's security context to see if it contains the specified privileges. This API requires the caller have SeTcbPrivilege privilege. The test for this privilege is always against the primary token of the calling process, not the impersonation token of the thread. Arguments: ClientToken - A handle to a token object representing a client attempting access. This handle must be obtained from a communication session layer, such as from an LPC Port or Local Named Pipe, to prevent possible security policy violations. RequiredPrivileges - Points to a set of privileges. The client's security context is to be checked to see which of the specified privileges are present. The results will be indicated in the attributes associated with each privilege. Note that flags in this parameter indicate whether all the privileges listed are needed, or any of the privileges. Result - Receives a boolean flag indicating whether the client has all the specified privileges or not. A value of TRUE indicates the client has all the specified privileges. Otherwise a value of FALSE is returned. Return Value: STATUS_SUCCESS - Indicates the call completed successfully. STATUS_PRIVILEGE_NOT_HELD - Indicates the caller does not have sufficient privilege to use this privileged system service. --*/ { BOOLEAN BStatus; KPROCESSOR_MODE PreviousMode; NTSTATUS Status; PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL; PTOKEN Token; ULONG CapturedPrivilegeCount; ULONG CapturedPrivilegesLength; ULONG ParameterLength; ULONG PrivilegeSetControl; PAGED_CODE(); PreviousMode = KeGetPreviousMode(); Status = ObReferenceObjectByHandle( ClientToken, // Handle TOKEN_QUERY, // DesiredAccess SepTokenObjectType, // ObjectType PreviousMode, // AccessMode (PVOID *)&Token, // Object NULL // GrantedAccess ); if ( !NT_SUCCESS(Status) ) { return Status; } // // If the passed token is an impersonation token, make sure // it is at SecurityIdentification or above. // if (Token->TokenType == TokenImpersonation) { if (Token->ImpersonationLevel < SecurityIdentification) { ObDereferenceObject( (PVOID)Token ); return( STATUS_BAD_IMPERSONATION_LEVEL ); } } try { // // Capture passed Privilege Set // ProbeForWrite( RequiredPrivileges, sizeof(PRIVILEGE_SET), sizeof(ULONG) ); CapturedPrivilegeCount = RequiredPrivileges->PrivilegeCount; if (!IsValidElementCount(CapturedPrivilegeCount, LUID_AND_ATTRIBUTES)) { Status = STATUS_INVALID_PARAMETER; leave; } ParameterLength = (ULONG)sizeof(PRIVILEGE_SET) + ((CapturedPrivilegeCount - ANYSIZE_ARRAY) * (ULONG)sizeof(LUID_AND_ATTRIBUTES) ); ProbeForWrite( RequiredPrivileges, ParameterLength, sizeof(ULONG) ); ProbeForWriteBoolean(Result); PrivilegeSetControl = RequiredPrivileges->Control; } except(EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode(); } if (!NT_SUCCESS(Status)) { ObDereferenceObject( (PVOID)Token ); return Status; } Status = SeCaptureLuidAndAttributesArray( (RequiredPrivileges->Privilege), CapturedPrivilegeCount, UserMode, NULL, 0, PagedPool, TRUE, &CapturedPrivileges, &CapturedPrivilegesLength ); if (!NT_SUCCESS(Status)) { ObDereferenceObject( (PVOID)Token ); return Status; } BStatus = SepPrivilegeCheck( Token, // Token, CapturedPrivileges, // RequiredPrivileges, CapturedPrivilegeCount, // RequiredPrivilegeCount, PrivilegeSetControl, // PrivilegeSetControl PreviousMode // PreviousMode ); ObDereferenceObject( Token ); try { // // copy the modified privileges buffer back to user // RtlMoveMemory( RequiredPrivileges->Privilege, CapturedPrivileges, CapturedPrivilegesLength ); *Result = BStatus; } except (EXCEPTION_EXECUTE_HANDLER) { SeReleaseLuidAndAttributesArray( CapturedPrivileges, PreviousMode, TRUE ); return(GetExceptionCode()); } SeReleaseLuidAndAttributesArray( CapturedPrivileges, PreviousMode, TRUE ); return( STATUS_SUCCESS ); }

BOOLEAN SeCheckPrivilegedObject (  LUID  PrivilegeValue, HANDLE  ObjectHandle, ACCESS_MASK  DesiredAccess, KPROCESSOR_MODE  PreviousMode )

Definition at line 504 of file privileg.c. References KernelMode, PAGED_CODE, SeCaptureSubjectContext(), SePrivilegeCheck(), SePrivilegeObjectAuditAlarm(), and SeReleaseSubjectContext(). Referenced by NtSetInformationJobObject(), NtSetInformationProcess(), NtSetInformationThread(), and PspSetPrimaryToken(). 00513 : 00514 00515 This function will check for the passed privilege value in the 00516 current context, and generate audits as appropriate. 00517 00518 Arguments: 00519 00520 PrivilegeValue - The value of the privilege being checked. 00521 00522 Object - Specifies a pointer to the object being accessed. 00523 00524 ObjectHandle - Specifies the object handle being used. 00525 00526 DesiredAccess - The desired access mask, if any 00527 00528 PreviousMode - The previous processor mode 00529 00530 00531 Return Value: 00532 00533 TRUE - The current subject has the desired privilege. 00534 00535 FALSE - The current subject does not have the desired privilege. 00536 --*/ 00537 00538 { 00539 BOOLEAN AccessGranted; 00540 PRIVILEGE_SET RequiredPrivileges; 00541 SECURITY_SUBJECT_CONTEXT SubjectSecurityContext; 00542 00543 PAGED_CODE(); 00544 00545 // 00546 // Make sure the caller has the privilege to make this 00547 // call. 00548 // 00549 00550 RequiredPrivileges.PrivilegeCount = 1; 00551 RequiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY; 00552 RequiredPrivileges.Privilege[0].Luid = PrivilegeValue; 00553 RequiredPrivileges.Privilege[0].Attributes = 0; 00554 00555 SeCaptureSubjectContext( &SubjectSecurityContext ); 00556 00557 AccessGranted = SePrivilegeCheck( 00558 &RequiredPrivileges, 00559 &SubjectSecurityContext, 00560 PreviousMode 00561 ); 00562 00563 if ( PreviousMode != KernelMode ) { 00564 00565 SePrivilegeObjectAuditAlarm( 00566 ObjectHandle, 00567 &SubjectSecurityContext, 00568 DesiredAccess, 00569 &RequiredPrivileges, 00570 AccessGranted, 00571 PreviousMode 00572 ); 00573 00574 } 00575 00576 00577 SeReleaseSubjectContext( &SubjectSecurityContext ); 00578 00579 return( AccessGranted ); 00580 00581 } }

BOOLEAN SepPrivilegeCheck (  IN PTOKEN  Token, IN OUT PLUID_AND_ATTRIBUTES  RequiredPrivileges, IN ULONG  RequiredPrivilegeCount, IN ULONG  PrivilegeSetControl, IN KPROCESSOR_MODE  PreviousMode )

Definition at line 38 of file privileg.c. References FALSE, KernelMode, PAGED_CODE, RtlEqualLuid(), SepAcquireTokenReadLock, SepReleaseTokenReadLock, Token, and TRUE. Referenced by NtPrivilegeCheck(), SeCheckAuditPrivilege(), SePrivilegeCheck(), and SepSinglePrivilegeCheck(). : Worker routine for SePrivilegeCheck Arguments: Token - The user's effective token. RequiredPrivileges - A privilege set describing the required privileges. The UsedForAccess bits will be set in any privilege that is actually used (usually all of them). RequiredPrivilegeCount - How many privileges are in the RequiredPrivileges set. PrivilegeSetControl - Describes how many privileges are required. PreviousMode - The previous processor mode. Return Value: Returns TRUE if requested privileges are granted, FALSE otherwise. --*/ { PLUID_AND_ATTRIBUTES CurrentRequiredPrivilege; PLUID_AND_ATTRIBUTES CurrentTokenPrivilege; BOOLEAN RequiredAll; ULONG TokenPrivilegeCount; ULONG MatchCount = 0; ULONG i; ULONG j; PAGED_CODE(); // // Take care of kernel callers first // if (PreviousMode == KernelMode) { return(TRUE); } SepAcquireTokenReadLock( Token ); TokenPrivilegeCount = Token->PrivilegeCount; // // Save whether we require ALL of them or ANY // RequiredAll = (BOOLEAN)(PrivilegeSetControl & PRIVILEGE_SET_ALL_NECESSARY); for ( i = 0 , CurrentRequiredPrivilege = RequiredPrivileges ; i < RequiredPrivilegeCount ; i++, CurrentRequiredPrivilege++ ) { for ( j = 0, CurrentTokenPrivilege = Token->Privileges; j < TokenPrivilegeCount ; j++, CurrentTokenPrivilege++ ) { if ((CurrentTokenPrivilege->Attributes & SE_PRIVILEGE_ENABLED) && (RtlEqualLuid(&CurrentTokenPrivilege->Luid, &CurrentRequiredPrivilege->Luid)) ) { CurrentRequiredPrivilege->Attributes |= SE_PRIVILEGE_USED_FOR_ACCESS; MatchCount++; break; // start looking for next one } } } SepReleaseTokenReadLock( Token ); // // If we wanted ANY and didn't get any, return failure. // if (!RequiredAll && (MatchCount == 0)) { return (FALSE); } // // If we wanted ALL and didn't get all, return failure. // if (RequiredAll && (MatchCount != RequiredPrivilegeCount)) { return(FALSE); } return(TRUE); }

BOOLEAN SePrivilegeCheck (  IN OUT PPRIVILEGE_SET  RequiredPrivileges, IN PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext, IN KPROCESSOR_MODE  AccessMode )

Definition at line 158 of file privileg.c. References EffectiveToken, FALSE, NULL, PAGED_CODE, SepPrivilegeCheck(), and Status. Referenced by IopCheckBackupRestorePrivilege(), IsPrivileged(), ObpIncrementHandleCount(), RtlpNewSecurityObject(), SeCheckPrivilegedObject(), and SeSinglePrivilegeCheck(). : This routine checks to see if the token contains the specified privileges. Arguments: RequiredPrivileges - Points to a set of privileges. The subject's security context is to be checked to see which of the specified privileges are present. The results will be indicated in the attributes associated with each privilege. Note that flags in this parameter indicate whether all the privileges listed are needed, or any of the privileges. SubjectSecurityContext - A pointer to the subject's captured security context. AccessMode - Indicates the access mode to use for access check. One of UserMode or KernelMode. If the mode is kernel, then all privileges will be marked as being possessed by the subject, and successful completion status is returned. Return Value: BOOLEAN - TRUE if all specified privileges are held by the subject, otherwise FALSE. --*/ { BOOLEAN Status; PAGED_CODE(); // // If we're impersonating a client, we have to be at impersonation level // of SecurityImpersonation or above. // if ( (SubjectSecurityContext->ClientToken != NULL) && (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation) ) { return(FALSE); } // // SepPrivilegeCheck locks the passed token for read access // Status = SepPrivilegeCheck( EffectiveToken( SubjectSecurityContext ), RequiredPrivileges->Privilege, RequiredPrivileges->PrivilegeCount, RequiredPrivileges->Control, AccessMode ); return(Status); }

BOOLEAN SeSinglePrivilegeCheck (  LUID  PrivilegeValue, KPROCESSOR_MODE  PreviousMode )

Definition at line 436 of file privileg.c. References KernelMode, NULL, PAGED_CODE, SeCaptureSubjectContext(), SECURITY_SUBJECT_CONTEXT, SePrivilegeCheck(), SePrivilegedServiceAuditAlarm(), and SeReleaseSubjectContext(). Referenced by CmpDoOpen(), CmpRefreshHive(), ExpRaiseHardError(), NtAllocateUserPhysicalPages(), NtCreatePagingFile(), NtCreateProfile(), NtLoadDriver(), NtLoadKey2(), NtLockVirtualMemory(), NtOpenProcess(), NtOpenThread(), NtQuerySystemEnvironmentValue(), NtQuerySystemInformation(), NtReplaceKey(), NtRestoreKey(), NtSaveKey(), NtSaveMergedKeys(), NtSetDefaultHardErrorPort(), NtSetInformationProcess(), NtSetInformationToken(), NtSetSystemEnvironmentValue(), NtSetSystemInformation(), NtSystemDebugControl(), NtUnloadDriver(), NtUnloadKey(), NtUnlockVirtualMemory(), ObCreateObject(), PspSetQuotaLimits(), SepCreateToken(), SepValidOwnerSubjectContext(), and UdfInvalidateVolumes(). : This function will check for the passed privilege value in the current context. Arguments: PrivilegeValue - The value of the privilege being checked. Return Value: TRUE - The current subject has the desired privilege. FALSE - The current subject does not have the desired privilege. --*/ { BOOLEAN AccessGranted; PRIVILEGE_SET RequiredPrivileges; SECURITY_SUBJECT_CONTEXT SubjectSecurityContext; PAGED_CODE(); // // Make sure the caller has the privilege to make this // call. // RequiredPrivileges.PrivilegeCount = 1; RequiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY; RequiredPrivileges.Privilege[0].Luid = PrivilegeValue; RequiredPrivileges.Privilege[0].Attributes = 0; SeCaptureSubjectContext( &SubjectSecurityContext ); AccessGranted = SePrivilegeCheck( &RequiredPrivileges, &SubjectSecurityContext, PreviousMode ); if ( PreviousMode != KernelMode ) { SePrivilegedServiceAuditAlarm ( NULL, // BUGWARNING need service name &SubjectSecurityContext, &RequiredPrivileges, AccessGranted ); } SeReleaseSubjectContext( &SubjectSecurityContext ); return( AccessGranted ); }

---