seglobal.c File Reference

#include "sep.h"
#include "adt.h"
#include "seopaque.h"

Go to the source code of this file.

Functions
VOID	SepInitializePrivilegeSets (VOID)
VOID	SepInitSystemDacls (VOID)
BOOLEAN	SepVariableInitialization ()
VOID	SepAssemblePrivileges (IN ULONG PrivilegeCount, IN BOOLEAN SystemSecurity, IN BOOLEAN WriteOwner, OUT PPRIVILEGE_SET *Privileges)
BOOLEAN	SepInitializeWorkList (VOID)
Variables
TOKEN_SOURCE	SeSystemTokenSource = {"*SYSTEM*", 0}
LUID	SeSystemAuthenticationId = SYSTEM_LUID
LUID	SeAnonymousAuthenticationId = ANONYMOUS_LOGON_LUID
PSID	SeNullSid
PSID	SeWorldSid
PSID	SeLocalSid
PSID	SeCreatorOwnerSid
PSID	SeCreatorGroupSid
PSID	SeCreatorGroupServerSid
PSID	SeCreatorOwnerServerSid
PSID	SeNtAuthoritySid
PSID	SeDialupSid
PSID	SeNetworkSid
PSID	SeBatchSid
PSID	SeInteractiveSid
PSID	SeServiceSid
PSID	SePrincipalSelfSid
PSID	SeLocalSystemSid
PSID	SeAuthenticatedUsersSid
PSID	SeAliasAdminsSid
PSID	SeRestrictedSid
PSID	SeAliasUsersSid
PSID	SeAliasGuestsSid
PSID	SeAliasPowerUsersSid
PSID	SeAliasAccountOpsSid
PSID	SeAliasSystemOpsSid
PSID	SeAliasPrintOpsSid
PSID	SeAliasBackupOpsSid
PSID	SeAnonymousLogonSid
PACCESS_TOKEN	SeAnonymousLogonToken
PSECURITY_DESCRIPTOR	SePublicDefaultSd
SECURITY_DESCRIPTOR	SepPublicDefaultSd
PSECURITY_DESCRIPTOR	SePublicDefaultUnrestrictedSd
SECURITY_DESCRIPTOR	SepPublicDefaultUnrestrictedSd
PSECURITY_DESCRIPTOR	SePublicOpenUnrestrictedSd
SECURITY_DESCRIPTOR	SepPublicOpenUnrestrictedSd
PSECURITY_DESCRIPTOR	SePublicOpenSd
SECURITY_DESCRIPTOR	SepPublicOpenSd
PSECURITY_DESCRIPTOR	SeSystemDefaultSd
SECURITY_DESCRIPTOR	SepSystemDefaultSd
PSECURITY_DESCRIPTOR	SeUnrestrictedSd
SECURITY_DESCRIPTOR	SepUnrestrictedSd
PACL	SePublicDefaultDacl
PACL	SePublicDefaultUnrestrictedDacl
PACL	SePublicOpenDacl
PACL	SePublicOpenUnrestrictedDacl
PACL	SeSystemDefaultDacl
PACL	SeUnrestrictedDacl
PSID	SepPrimaryDomainSid
PSID	SepPrimaryDomainAdminSid
LUID	SeCreateTokenPrivilege
LUID	SeAssignPrimaryTokenPrivilege
LUID	SeLockMemoryPrivilege
LUID	SeIncreaseQuotaPrivilege
LUID	SeUnsolicitedInputPrivilege
LUID	SeTcbPrivilege
LUID	SeSecurityPrivilege
LUID	SeTakeOwnershipPrivilege
LUID	SeLoadDriverPrivilege
LUID	SeCreatePagefilePrivilege
LUID	SeIncreaseBasePriorityPrivilege
LUID	SeSystemProfilePrivilege
LUID	SeSystemtimePrivilege
LUID	SeProfileSingleProcessPrivilege
LUID	SeCreatePermanentPrivilege
LUID	SeBackupPrivilege
LUID	SeRestorePrivilege
LUID	SeShutdownPrivilege
LUID	SeDebugPrivilege
LUID	SeAuditPrivilege
LUID	SeSystemEnvironmentPrivilege
LUID	SeChangeNotifyPrivilege
LUID	SeRemoteShutdownPrivilege
LUID	SeUndockPrivilege
LUID	SeSyncAgentPrivilege
LUID	SeEnableDelegationPrivilege
PSE_EXPORTS	SeExports
SE_EXPORTS	SepExports
SID_IDENTIFIER_AUTHORITY	SepNullSidAuthority = SECURITY_NULL_SID_AUTHORITY
SID_IDENTIFIER_AUTHORITY	SepWorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY
SID_IDENTIFIER_AUTHORITY	SepLocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY
SID_IDENTIFIER_AUTHORITY	SepCreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY
SID_IDENTIFIER_AUTHORITY	SepNtAuthority = SECURITY_NT_AUTHORITY
ULONG	SinglePrivilegeSetSize
ULONG	DoublePrivilegeSetSize
PPRIVILEGE_SET	SepSystemSecurityPrivilegeSet
PPRIVILEGE_SET	SepTakeOwnershipPrivilegeSet
PPRIVILEGE_SET	SepDoublePrivilegeSet
SE_AUDITING_STATE	SeAuditingState [POLICY_AUDIT_EVENT_TYPE_COUNT]
BOOLEAN	SepAdtAuditingEnabled = FALSE
BOOLEAN	SepCrashOnAuditFail = FALSE
HANDLE	SepLsaHandle
BOOLEAN	SeDetailedAuditing = FALSE
UNICODE_STRING	SeSubsystemName
ERESOURCE	SepLsaQueueLock
LIST_ENTRY	SepLsaQueue
ULONG	SepLsaQueueLength = 0
SEP_WORK_ITEM	SepExWorkItem

---

Function Documentation

VOID SepAssemblePrivileges (  IN ULONG  PrivilegeCount, IN BOOLEAN  SystemSecurity, IN BOOLEAN  WriteOwner, OUT PPRIVILEGE_SET *  Privileges )

Definition at line 1071 of file seglobal.c. References ASSERT, DoublePrivilegeSetSize, ExAllocatePoolWithTag, NULL, PAGED_CODE, PagedPool, POOL_RAISE_IF_ALLOCATION_FAILURE, SepDoublePrivilegeSet, SepSystemSecurityPrivilegeSet, SepTakeOwnershipPrivilegeSet, and SinglePrivilegeSetSize. Referenced by SepAccessCheck(). : This routine takes the results of the various privilege checks in SeAccessCheck and returns an appropriate privilege set. Arguments: PrivilegeCount - The number of privileges granted. SystemSecurity - Provides a boolean indicating whether to put SeSecurityPrivilege into the output privilege set. WriteOwner - Provides a boolean indicating whether to put SeTakeOwnershipPrivilege into the output privilege set. Privileges - Supplies a pointer that will return the privilege set. Should be freed with ExFreePool when no longer needed. Return Value: None. --*/ { PPRIVILEGE_SET PrivilegeSet; ULONG SizeRequired; PAGED_CODE(); ASSERT( (PrivilegeCount != 0) && (PrivilegeCount <= 2) ); if ( !ARGUMENT_PRESENT( Privileges ) ) { return; } if ( PrivilegeCount == 1 ) { SizeRequired = SinglePrivilegeSetSize; if ( SystemSecurity ) { PrivilegeSet = SepSystemSecurityPrivilegeSet; } else { ASSERT( WriteOwner ); PrivilegeSet = SepTakeOwnershipPrivilegeSet; } } else { SizeRequired = DoublePrivilegeSetSize; PrivilegeSet = SepDoublePrivilegeSet; } *Privileges = ExAllocatePoolWithTag( PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, SizeRequired, 'rPeS' ); if ( *Privileges != NULL ) { RtlCopyMemory ( *Privileges, PrivilegeSet, SizeRequired ); } }

VOID SepInitializePrivilegeSets (  VOID   )

Definition at line 1019 of file seglobal.c. References DoublePrivilegeSetSize, ExAllocatePoolWithTag, PAGED_CODE, PagedPool, POOL_RAISE_IF_ALLOCATION_FAILURE, SepDoublePrivilegeSet, SepSystemSecurityPrivilegeSet, SepTakeOwnershipPrivilegeSet, SeSecurityPrivilege, SeTakeOwnershipPrivilege, and SinglePrivilegeSetSize. Referenced by SepVariableInitialization(). : This routine is called once during system initialization to pre-allocate and initialize some commonly used privilege sets. Arguments: None Return Value: None. --*/ { PAGED_CODE(); SinglePrivilegeSetSize = sizeof( PRIVILEGE_SET ); DoublePrivilegeSetSize = sizeof( PRIVILEGE_SET ) + (ULONG)sizeof( LUID_AND_ATTRIBUTES ); SepSystemSecurityPrivilegeSet = ExAllocatePoolWithTag( PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, SinglePrivilegeSetSize, 'rPeS' ); SepTakeOwnershipPrivilegeSet = ExAllocatePoolWithTag( PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, SinglePrivilegeSetSize, 'rPeS' ); SepDoublePrivilegeSet = ExAllocatePoolWithTag( PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, DoublePrivilegeSetSize, 'rPeS' ); SepSystemSecurityPrivilegeSet->PrivilegeCount = 1; SepSystemSecurityPrivilegeSet->Control = 0; SepSystemSecurityPrivilegeSet->Privilege[0].Luid = SeSecurityPrivilege; SepSystemSecurityPrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS; SepTakeOwnershipPrivilegeSet->PrivilegeCount = 1; SepTakeOwnershipPrivilegeSet->Control = 0; SepTakeOwnershipPrivilegeSet->Privilege[0].Luid = SeTakeOwnershipPrivilege; SepTakeOwnershipPrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS; SepDoublePrivilegeSet->PrivilegeCount = 2; SepDoublePrivilegeSet->Control = 0; SepDoublePrivilegeSet->Privilege[0].Luid = SeSecurityPrivilege; SepDoublePrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS; SepDoublePrivilegeSet->Privilege[1].Luid = SeTakeOwnershipPrivilege; SepDoublePrivilegeSet->Privilege[1].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS; }

BOOLEAN SepInitializeWorkList (  VOID   )

Definition at line 1152 of file seglobal.c. References ExInitializeResource, PAGED_CODE, SepLsaQueue, SepLsaQueueLock, and TRUE. Referenced by SepInitializationPhase0(). 01158 : 01159 01160 Initializes the mutex and list head used to queue work from the 01161 Executive to LSA. This mechanism operates on top of the normal ExWorkerThread 01162 mechanism by capturing the first thread to perform LSA work and keeping it 01163 until all the current work is done. 01164 01165 The reduces the number of worker threads that are blocked on I/O to LSA. 01166 01167 Arguments: 01168 01169 None. 01170 01171 01172 Return Value: 01173 01174 TRUE if successful, FALSE otherwise. 01175 01176 --*/ 01177 01178 { 01179 PAGED_CODE(); 01180 01181 ExInitializeResource(&SepLsaQueueLock); 01182 InitializeListHead(&SepLsaQueue); 01183 return( TRUE ); 01184 } }

VOID SepInitSystemDacls (  VOID   )

Definition at line 651 of file seglobal.c. References ASSERT, ExAllocatePoolWithTag, FALSE, NT_SUCCESS, NTSTATUS(), NULL, PAGED_CODE, PagedPool, POOL_RAISE_IF_ALLOCATION_FAILURE, RtlAddAccessAllowedAce(), RtlCreateAcl(), RtlCreateSecurityDescriptor(), RtlSetDaclSecurityDescriptor(), SeAliasAdminsSid, SeLengthSid, SeLocalSystemSid, SepPublicDefaultSd, SepPublicDefaultUnrestrictedSd, SepPublicOpenSd, SepPublicOpenUnrestrictedSd, SepSystemDefaultSd, SePublicDefaultDacl, SePublicDefaultSd, SePublicDefaultUnrestrictedDacl, SePublicDefaultUnrestrictedSd, SePublicOpenDacl, SePublicOpenSd, SePublicOpenUnrestrictedDacl, SePublicOpenUnrestrictedSd, SepUnrestrictedSd, SeRestrictedSid, SeSystemDefaultDacl, SeSystemDefaultSd, SeUnrestrictedDacl, SeUnrestrictedSd, SeWorldSid, Status, and TRUE. Referenced by SepVariableInitialization(). : This function initializes the system's default dacls & security descriptors. Arguments: None. Return Value: None. --*/ { NTSTATUS Status; ULONG PublicLength, PublicUnrestrictedLength, SystemLength, PublicOpenLength, UnrestrictedLength; PAGED_CODE(); // // Set up a default ACLs // // Public: WORLD:execute, SYSTEM:all, ADMINS:all // PublicUnrestricted: WORLD:execute, SYSTEM:all, ADMINS:all, Restricted:execute // Public Open: WORLD:(Read|Write|Execute), ADMINS:(all), SYSTEM:all // System: SYSTEM:all, ADMINS:(read|execute|read_control) // Unrestricted: WORLD:(all), Restricted:(all) SystemLength = (ULONG)sizeof(ACL) + (2*((ULONG)sizeof(ACCESS_ALLOWED_ACE))) + SeLengthSid( SeLocalSystemSid ) + SeLengthSid( SeAliasAdminsSid ) + 8; // The 8 is just for good measure PublicLength = SystemLength + ((ULONG)sizeof(ACCESS_ALLOWED_ACE)) + SeLengthSid( SeWorldSid ); PublicUnrestrictedLength = SystemLength + ((ULONG)sizeof(ACCESS_ALLOWED_ACE)) + SeLengthSid( SeRestrictedSid ); PublicOpenLength = PublicLength; UnrestrictedLength = (ULONG)sizeof(ACL) + (2*((ULONG)sizeof(ACCESS_ALLOWED_ACE))) + SeLengthSid( SeWorldSid ) + SeLengthSid( SeRestrictedSid ) + 8; // The 8 is just for good measure SePublicDefaultDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, PublicLength, 'cAeS'); SePublicDefaultUnrestrictedDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, PublicUnrestrictedLength, 'cAeS'); SePublicOpenDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, PublicOpenLength, 'cAeS'); SePublicOpenUnrestrictedDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, PublicUnrestrictedLength, 'cAeS'); SeSystemDefaultDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, SystemLength, 'cAeS'); SeUnrestrictedDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, UnrestrictedLength, 'cAeS'); ASSERT(SePublicDefaultDacl != NULL); ASSERT(SePublicDefaultUnrestrictedDacl != NULL); ASSERT(SePublicOpenDacl != NULL); ASSERT(SePublicOpenUnrestrictedDacl != NULL); ASSERT(SeSystemDefaultDacl != NULL); ASSERT(SeUnrestrictedDacl != NULL); Status = RtlCreateAcl( SePublicDefaultDacl, PublicLength, ACL_REVISION2); ASSERT( NT_SUCCESS(Status) ); Status = RtlCreateAcl( SePublicDefaultUnrestrictedDacl, PublicUnrestrictedLength, ACL_REVISION2); ASSERT( NT_SUCCESS(Status) ); Status = RtlCreateAcl( SePublicOpenDacl, PublicUnrestrictedLength, ACL_REVISION2); ASSERT( NT_SUCCESS(Status) ); Status = RtlCreateAcl( SePublicOpenUnrestrictedDacl, PublicOpenLength, ACL_REVISION2); ASSERT( NT_SUCCESS(Status) ); Status = RtlCreateAcl( SeSystemDefaultDacl, SystemLength, ACL_REVISION2); ASSERT( NT_SUCCESS(Status) ); Status = RtlCreateAcl( SeUnrestrictedDacl, UnrestrictedLength, ACL_REVISION2); ASSERT( NT_SUCCESS(Status) ); // // WORLD access (Public DACLs and Unrestricted only) // Status = RtlAddAccessAllowedAce ( SePublicDefaultDacl, ACL_REVISION2, GENERIC_EXECUTE, SeWorldSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SePublicDefaultUnrestrictedDacl, ACL_REVISION2, GENERIC_EXECUTE, SeWorldSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SePublicOpenDacl, ACL_REVISION2, (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE), SeWorldSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SePublicOpenUnrestrictedDacl, ACL_REVISION2, (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE), SeWorldSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SeUnrestrictedDacl, ACL_REVISION2, GENERIC_ALL, SeWorldSid ); ASSERT( NT_SUCCESS(Status) ); // // SYSTEM access (PublicDefault, PublicOpen, and SystemDefault) // Status = RtlAddAccessAllowedAce ( SePublicDefaultDacl, ACL_REVISION2, GENERIC_ALL, SeLocalSystemSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SePublicDefaultUnrestrictedDacl, ACL_REVISION2, GENERIC_ALL, SeLocalSystemSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SePublicOpenDacl, ACL_REVISION2, GENERIC_ALL, SeLocalSystemSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SePublicOpenUnrestrictedDacl, ACL_REVISION2, GENERIC_ALL, SeLocalSystemSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SeSystemDefaultDacl, ACL_REVISION2, GENERIC_ALL, SeLocalSystemSid ); ASSERT( NT_SUCCESS(Status) ); // // ADMINISTRATORS access (PublicDefault, PublicOpen, and SystemDefault) // Status = RtlAddAccessAllowedAce ( SePublicDefaultDacl, ACL_REVISION2, GENERIC_ALL, SeAliasAdminsSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SePublicDefaultUnrestrictedDacl, ACL_REVISION2, GENERIC_ALL, SeAliasAdminsSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SePublicOpenDacl, ACL_REVISION2, GENERIC_ALL, SeAliasAdminsSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SePublicOpenUnrestrictedDacl, ACL_REVISION2, GENERIC_ALL, SeAliasAdminsSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SeSystemDefaultDacl, ACL_REVISION2, GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL, SeAliasAdminsSid ); ASSERT( NT_SUCCESS(Status) ); // // RESTRICTED access (PublicDefaultUnrestricted and Unrestricted) // Status = RtlAddAccessAllowedAce ( SePublicDefaultUnrestrictedDacl, ACL_REVISION2, GENERIC_EXECUTE, SeRestrictedSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SePublicOpenUnrestrictedDacl, ACL_REVISION2, GENERIC_EXECUTE | GENERIC_READ, SeRestrictedSid ); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( SeUnrestrictedDacl, ACL_REVISION2, GENERIC_ALL, SeRestrictedSid ); ASSERT( NT_SUCCESS(Status) ); // // Now initialize security descriptors // that export this protection // SePublicDefaultSd = (PSECURITY_DESCRIPTOR)&SepPublicDefaultSd; Status = RtlCreateSecurityDescriptor( SePublicDefaultSd, SECURITY_DESCRIPTOR_REVISION1 ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetDaclSecurityDescriptor( SePublicDefaultSd, TRUE, // DaclPresent SePublicDefaultDacl, FALSE // DaclDefaulted ); ASSERT( NT_SUCCESS(Status) ); SePublicDefaultUnrestrictedSd = (PSECURITY_DESCRIPTOR)&SepPublicDefaultUnrestrictedSd; Status = RtlCreateSecurityDescriptor( SePublicDefaultUnrestrictedSd, SECURITY_DESCRIPTOR_REVISION1 ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetDaclSecurityDescriptor( SePublicDefaultUnrestrictedSd, TRUE, // DaclPresent SePublicDefaultUnrestrictedDacl, FALSE // DaclDefaulted ); ASSERT( NT_SUCCESS(Status) ); SePublicOpenSd = (PSECURITY_DESCRIPTOR)&SepPublicOpenSd; Status = RtlCreateSecurityDescriptor( SePublicOpenSd, SECURITY_DESCRIPTOR_REVISION1 ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetDaclSecurityDescriptor( SePublicOpenSd, TRUE, // DaclPresent SePublicOpenDacl, FALSE // DaclDefaulted ); ASSERT( NT_SUCCESS(Status) ); SePublicOpenUnrestrictedSd = (PSECURITY_DESCRIPTOR)&SepPublicOpenUnrestrictedSd; Status = RtlCreateSecurityDescriptor( SePublicOpenUnrestrictedSd, SECURITY_DESCRIPTOR_REVISION1 ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetDaclSecurityDescriptor( SePublicOpenUnrestrictedSd, TRUE, // DaclPresent SePublicOpenUnrestrictedDacl, FALSE // DaclDefaulted ); ASSERT( NT_SUCCESS(Status) ); SeSystemDefaultSd = (PSECURITY_DESCRIPTOR)&SepSystemDefaultSd; Status = RtlCreateSecurityDescriptor( SeSystemDefaultSd, SECURITY_DESCRIPTOR_REVISION1 ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetDaclSecurityDescriptor( SeSystemDefaultSd, TRUE, // DaclPresent SeSystemDefaultDacl, FALSE // DaclDefaulted ); ASSERT( NT_SUCCESS(Status) ); SeUnrestrictedSd = (PSECURITY_DESCRIPTOR)&SepUnrestrictedSd; Status = RtlCreateSecurityDescriptor( SeUnrestrictedSd, SECURITY_DESCRIPTOR_REVISION1 ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetDaclSecurityDescriptor( SeUnrestrictedSd, TRUE, // DaclPresent SeUnrestrictedDacl, FALSE // DaclDefaulted ); ASSERT( NT_SUCCESS(Status) ); return; }

BOOLEAN SepVariableInitialization (   )

Definition at line 307 of file seglobal.c. References ExAllocatePoolWithTag, FALSE, NULL, PAGED_CODE, PagedPool, POOL_RAISE_IF_ALLOCATION_FAILURE, RtlInitializeSid(), RtlLengthRequiredSid(), RtlSubAuthoritySid(), _SE_EXPORTS::SeAliasAccountOpsSid, SeAliasAccountOpsSid, _SE_EXPORTS::SeAliasAdminsSid, SeAliasAdminsSid, _SE_EXPORTS::SeAliasBackupOpsSid, SeAliasBackupOpsSid, _SE_EXPORTS::SeAliasGuestsSid, SeAliasGuestsSid, _SE_EXPORTS::SeAliasPowerUsersSid, SeAliasPowerUsersSid, _SE_EXPORTS::SeAliasPrintOpsSid, SeAliasPrintOpsSid, _SE_EXPORTS::SeAliasSystemOpsSid, SeAliasSystemOpsSid, _SE_EXPORTS::SeAliasUsersSid, SeAliasUsersSid, _SE_EXPORTS::SeAnonymousLogonSid, SeAnonymousLogonSid, _SE_EXPORTS::SeAssignPrimaryTokenPrivilege, SeAssignPrimaryTokenPrivilege, _SE_EXPORTS::SeAuditPrivilege, SeAuditPrivilege, _SE_EXPORTS::SeAuthenticatedUsersSid, SeAuthenticatedUsersSid, _SE_EXPORTS::SeBackupPrivilege, SeBackupPrivilege, _SE_EXPORTS::SeBatchSid, SeBatchSid, _SE_EXPORTS::SeChangeNotifyPrivilege, SeChangeNotifyPrivilege, _SE_EXPORTS::SeCreatePagefilePrivilege, SeCreatePagefilePrivilege, _SE_EXPORTS::SeCreatePermanentPrivilege, SeCreatePermanentPrivilege, _SE_EXPORTS::SeCreateTokenPrivilege, SeCreateTokenPrivilege, SeCreatorGroupServerSid, _SE_EXPORTS::SeCreatorGroupSid, SeCreatorGroupSid, SeCreatorOwnerServerSid, _SE_EXPORTS::SeCreatorOwnerSid, SeCreatorOwnerSid, _SE_EXPORTS::SeDebugPrivilege, SeDebugPrivilege, _SE_EXPORTS::SeDialupSid, SeDialupSid, _SE_EXPORTS::SeEnableDelegationPrivilege, SeEnableDelegationPrivilege, SeExports, _SE_EXPORTS::SeIncreaseBasePriorityPrivilege, SeIncreaseBasePriorityPrivilege, _SE_EXPORTS::SeIncreaseQuotaPrivilege, SeIncreaseQuotaPrivilege, _SE_EXPORTS::SeInteractiveSid, SeInteractiveSid, _SE_EXPORTS::SeLoadDriverPrivilege, SeLoadDriverPrivilege, _SE_EXPORTS::SeLocalSid, SeLocalSid, _SE_EXPORTS::SeLocalSystemSid, SeLocalSystemSid, _SE_EXPORTS::SeLockMemoryPrivilege, SeLockMemoryPrivilege, _SE_EXPORTS::SeNetworkSid, SeNetworkSid, _SE_EXPORTS::SeNtAuthoritySid, SeNtAuthoritySid, _SE_EXPORTS::SeNullSid, SeNullSid, SepCreatorSidAuthority, SepExports, SepInitializePrivilegeSets(), SepInitSystemDacls(), SepLocalSidAuthority, SepNtAuthority, SepNullSidAuthority, SePrincipalSelfSid, _SE_EXPORTS::SeProfileSingleProcessPrivilege, SeProfileSingleProcessPrivilege, SepWorldSidAuthority, _SE_EXPORTS::SeRemoteShutdownPrivilege, SeRemoteShutdownPrivilege, _SE_EXPORTS::SeRestorePrivilege, SeRestorePrivilege, _SE_EXPORTS::SeRestrictedSid, SeRestrictedSid, _SE_EXPORTS::SeSecurityPrivilege, SeSecurityPrivilege, SeServiceSid, _SE_EXPORTS::SeShutdownPrivilege, SeShutdownPrivilege, _SE_EXPORTS::SeSyncAgentPrivilege, SeSyncAgentPrivilege, _SE_EXPORTS::SeSystemEnvironmentPrivilege, SeSystemEnvironmentPrivilege, _SE_EXPORTS::SeSystemProfilePrivilege, SeSystemProfilePrivilege, _SE_EXPORTS::SeSystemtimePrivilege, SeSystemtimePrivilege, _SE_EXPORTS::SeTakeOwnershipPrivilege, SeTakeOwnershipPrivilege, _SE_EXPORTS::SeTcbPrivilege, SeTcbPrivilege, _SE_EXPORTS::SeUndockPrivilege, SeUndockPrivilege, _SE_EXPORTS::SeUnsolicitedInputPrivilege, SeUnsolicitedInputPrivilege, _SE_EXPORTS::SeWorldSid, SeWorldSid, and TRUE. Referenced by SepInitializationPhase0(). 00310 : 00311 00312 This function initializes the global variables used by and exposed 00313 by security. 00314 00315 Arguments: 00316 00317 None. 00318 00319 Return Value: 00320 00321 TRUE if variables successfully initialized. 00322 FALSE if not successfully initialized. 00323 00324 --*/ 00325 { 00326 00327 ULONG SidWithZeroSubAuthorities; 00328 ULONG SidWithOneSubAuthority; 00329 ULONG SidWithTwoSubAuthorities; 00330 ULONG SidWithThreeSubAuthorities; 00331 00332 SID_IDENTIFIER_AUTHORITY NullSidAuthority; 00333 SID_IDENTIFIER_AUTHORITY WorldSidAuthority; 00334 SID_IDENTIFIER_AUTHORITY LocalSidAuthority; 00335 SID_IDENTIFIER_AUTHORITY CreatorSidAuthority; 00336 SID_IDENTIFIER_AUTHORITY SeNtAuthority; 00337 00338 PAGED_CODE(); 00339 00340 NullSidAuthority = SepNullSidAuthority; 00341 WorldSidAuthority = SepWorldSidAuthority; 00342 LocalSidAuthority = SepLocalSidAuthority; 00343 CreatorSidAuthority = SepCreatorSidAuthority; 00344 SeNtAuthority = SepNtAuthority; 00345 00346 00347 // 00348 // The following SID sizes need to be allocated 00349 // 00350 00351 SidWithZeroSubAuthorities = RtlLengthRequiredSid( 0 ); 00352 SidWithOneSubAuthority = RtlLengthRequiredSid( 1 ); 00353 SidWithTwoSubAuthorities = RtlLengthRequiredSid( 2 ); 00354 SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 ); 00355 00356 // 00357 // Allocate and initialize the universal SIDs 00358 // 00359 00360 SeNullSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00361 SeWorldSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00362 SeLocalSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00363 SeCreatorOwnerSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00364 SeCreatorGroupSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00365 SeCreatorOwnerServerSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00366 SeCreatorGroupServerSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00367 00368 // 00369 // Fail initialization if we didn't get enough memory for the universal 00370 // SIDs. 00371 // 00372 00373 if ( (SeNullSid == NULL) || 00374 (SeWorldSid == NULL) || 00375 (SeLocalSid == NULL) || 00376 (SeCreatorOwnerSid == NULL) || 00377 (SeCreatorGroupSid == NULL) || 00378 (SeCreatorOwnerServerSid == NULL ) || 00379 (SeCreatorGroupServerSid == NULL ) 00380 ) { 00381 00382 return( FALSE ); 00383 } 00384 00385 RtlInitializeSid( SeNullSid, &NullSidAuthority, 1 ); 00386 RtlInitializeSid( SeWorldSid, &WorldSidAuthority, 1 ); 00387 RtlInitializeSid( SeLocalSid, &LocalSidAuthority, 1 ); 00388 RtlInitializeSid( SeCreatorOwnerSid, &CreatorSidAuthority, 1 ); 00389 RtlInitializeSid( SeCreatorGroupSid, &CreatorSidAuthority, 1 ); 00390 RtlInitializeSid( SeCreatorOwnerServerSid, &CreatorSidAuthority, 1 ); 00391 RtlInitializeSid( SeCreatorGroupServerSid, &CreatorSidAuthority, 1 ); 00392 00393 *(RtlSubAuthoritySid( SeNullSid, 0 )) = SECURITY_NULL_RID; 00394 *(RtlSubAuthoritySid( SeWorldSid, 0 )) = SECURITY_WORLD_RID; 00395 *(RtlSubAuthoritySid( SeLocalSid, 0 )) = SECURITY_LOCAL_RID; 00396 *(RtlSubAuthoritySid( SeCreatorOwnerSid, 0 )) = SECURITY_CREATOR_OWNER_RID; 00397 *(RtlSubAuthoritySid( SeCreatorGroupSid, 0 )) = SECURITY_CREATOR_GROUP_RID; 00398 *(RtlSubAuthoritySid( SeCreatorOwnerServerSid, 0 )) = SECURITY_CREATOR_OWNER_SERVER_RID; 00399 *(RtlSubAuthoritySid( SeCreatorGroupServerSid, 0 )) = SECURITY_CREATOR_GROUP_SERVER_RID; 00400 00401 // 00402 // Allocate and initialize the NT defined SIDs 00403 // 00404 00405 SeNtAuthoritySid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithZeroSubAuthorities,'iSeS'); 00406 SeDialupSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00407 SeNetworkSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00408 SeBatchSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00409 SeInteractiveSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00410 SeServiceSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00411 SePrincipalSelfSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00412 SeLocalSystemSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00413 SeAuthenticatedUsersSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00414 SeRestrictedSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00415 SeAnonymousLogonSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS'); 00416 00417 SeAliasAdminsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS'); 00418 SeAliasUsersSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS'); 00419 SeAliasGuestsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS'); 00420 SeAliasPowerUsersSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS'); 00421 SeAliasAccountOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS'); 00422 SeAliasSystemOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS'); 00423 SeAliasPrintOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS'); 00424 SeAliasBackupOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS'); 00425 00426 // 00427 // Fail initialization if we didn't get enough memory for the NT SIDs. 00428 // 00429 00430 if ( (SeNtAuthoritySid == NULL) || 00431 (SeDialupSid == NULL) || 00432 (SeNetworkSid == NULL) || 00433 (SeBatchSid == NULL) || 00434 (SeInteractiveSid == NULL) || 00435 (SeServiceSid == NULL) || 00436 (SePrincipalSelfSid == NULL) || 00437 (SeLocalSystemSid == NULL) || 00438 (SeAuthenticatedUsersSid == NULL) || 00439 (SeRestrictedSid == NULL) || 00440 (SeAnonymousLogonSid == NULL) || 00441 (SeAliasAdminsSid == NULL) || 00442 (SeAliasUsersSid == NULL) || 00443 (SeAliasGuestsSid == NULL) || 00444 (SeAliasPowerUsersSid == NULL) || 00445 (SeAliasAccountOpsSid == NULL) || 00446 (SeAliasSystemOpsSid == NULL) || 00447 (SeAliasPrintOpsSid == NULL) || 00448 (SeAliasBackupOpsSid == NULL) 00449 ) { 00450 00451 return( FALSE ); 00452 } 00453 00454 RtlInitializeSid( SeNtAuthoritySid, &SeNtAuthority, 0 ); 00455 RtlInitializeSid( SeDialupSid, &SeNtAuthority, 1 ); 00456 RtlInitializeSid( SeNetworkSid, &SeNtAuthority, 1 ); 00457 RtlInitializeSid( SeBatchSid, &SeNtAuthority, 1 ); 00458 RtlInitializeSid( SeInteractiveSid, &SeNtAuthority, 1 ); 00459 RtlInitializeSid( SeServiceSid, &SeNtAuthority, 1 ); 00460 RtlInitializeSid( SePrincipalSelfSid, &SeNtAuthority, 1 ); 00461 RtlInitializeSid( SeLocalSystemSid, &SeNtAuthority, 1 ); 00462 RtlInitializeSid( SeAuthenticatedUsersSid, &SeNtAuthority, 1 ); 00463 RtlInitializeSid( SeRestrictedSid, &SeNtAuthority, 1 ); 00464 RtlInitializeSid( SeAnonymousLogonSid, &SeNtAuthority, 1 ); 00465 00466 RtlInitializeSid( SeAliasAdminsSid, &SeNtAuthority, 2); 00467 RtlInitializeSid( SeAliasUsersSid, &SeNtAuthority, 2); 00468 RtlInitializeSid( SeAliasGuestsSid, &SeNtAuthority, 2); 00469 RtlInitializeSid( SeAliasPowerUsersSid, &SeNtAuthority, 2); 00470 RtlInitializeSid( SeAliasAccountOpsSid, &SeNtAuthority, 2); 00471 RtlInitializeSid( SeAliasSystemOpsSid, &SeNtAuthority, 2); 00472 RtlInitializeSid( SeAliasPrintOpsSid, &SeNtAuthority, 2); 00473 RtlInitializeSid( SeAliasBackupOpsSid, &SeNtAuthority, 2); 00474 00475 *(RtlSubAuthoritySid( SeDialupSid, 0 )) = SECURITY_DIALUP_RID; 00476 *(RtlSubAuthoritySid( SeNetworkSid, 0 )) = SECURITY_NETWORK_RID; 00477 *(RtlSubAuthoritySid( SeBatchSid, 0 )) = SECURITY_BATCH_RID; 00478 *(RtlSubAuthoritySid( SeInteractiveSid, 0 )) = SECURITY_INTERACTIVE_RID; 00479 *(RtlSubAuthoritySid( SeServiceSid, 0 )) = SECURITY_SERVICE_RID; 00480 *(RtlSubAuthoritySid( SePrincipalSelfSid, 0 )) = SECURITY_PRINCIPAL_SELF_RID; 00481 *(RtlSubAuthoritySid( SeLocalSystemSid, 0 )) = SECURITY_LOCAL_SYSTEM_RID; 00482 *(RtlSubAuthoritySid( SeAuthenticatedUsersSid, 0 )) = SECURITY_AUTHENTICATED_USER_RID; 00483 *(RtlSubAuthoritySid( SeRestrictedSid, 0 )) = SECURITY_RESTRICTED_CODE_RID; 00484 *(RtlSubAuthoritySid( SeAnonymousLogonSid, 0 )) = SECURITY_ANONYMOUS_LOGON_RID; 00485 00486 00487 *(RtlSubAuthoritySid( SeAliasAdminsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; 00488 *(RtlSubAuthoritySid( SeAliasUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; 00489 *(RtlSubAuthoritySid( SeAliasGuestsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; 00490 *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; 00491 *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; 00492 *(RtlSubAuthoritySid( SeAliasSystemOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; 00493 *(RtlSubAuthoritySid( SeAliasPrintOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; 00494 *(RtlSubAuthoritySid( SeAliasBackupOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; 00495 00496 *(RtlSubAuthoritySid( SeAliasAdminsSid, 1 )) = DOMAIN_ALIAS_RID_ADMINS; 00497 *(RtlSubAuthoritySid( SeAliasUsersSid, 1 )) = DOMAIN_ALIAS_RID_USERS; 00498 *(RtlSubAuthoritySid( SeAliasGuestsSid, 1 )) = DOMAIN_ALIAS_RID_GUESTS; 00499 *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 1 )) = DOMAIN_ALIAS_RID_POWER_USERS; 00500 *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 1 )) = DOMAIN_ALIAS_RID_ACCOUNT_OPS; 00501 *(RtlSubAuthoritySid( SeAliasSystemOpsSid, 1 )) = DOMAIN_ALIAS_RID_SYSTEM_OPS; 00502 *(RtlSubAuthoritySid( SeAliasPrintOpsSid, 1 )) = DOMAIN_ALIAS_RID_PRINT_OPS; 00503 *(RtlSubAuthoritySid( SeAliasBackupOpsSid, 1 )) = DOMAIN_ALIAS_RID_BACKUP_OPS; 00504 00505 00506 00507 // 00508 // Initialize system default dacl 00509 // 00510 00511 SepInitSystemDacls(); 00512 00513 00514 // 00515 // Initialize the well known privilege values 00516 // 00517 00518 SeCreateTokenPrivilege = 00519 RtlConvertLongToLuid(SE_CREATE_TOKEN_PRIVILEGE); 00520 SeAssignPrimaryTokenPrivilege = 00521 RtlConvertLongToLuid(SE_ASSIGNPRIMARYTOKEN_PRIVILEGE); 00522 SeLockMemoryPrivilege = 00523 RtlConvertLongToLuid(SE_LOCK_MEMORY_PRIVILEGE); 00524 SeIncreaseQuotaPrivilege = 00525 RtlConvertLongToLuid(SE_INCREASE_QUOTA_PRIVILEGE); 00526 SeUnsolicitedInputPrivilege = 00527 RtlConvertLongToLuid(SE_UNSOLICITED_INPUT_PRIVILEGE); 00528 SeTcbPrivilege = 00529 RtlConvertLongToLuid(SE_TCB_PRIVILEGE); 00530 SeSecurityPrivilege = 00531 RtlConvertLongToLuid(SE_SECURITY_PRIVILEGE); 00532 SeTakeOwnershipPrivilege = 00533 RtlConvertLongToLuid(SE_TAKE_OWNERSHIP_PRIVILEGE); 00534 SeLoadDriverPrivilege = 00535 RtlConvertLongToLuid(SE_LOAD_DRIVER_PRIVILEGE); 00536 SeCreatePagefilePrivilege = 00537 RtlConvertLongToLuid(SE_CREATE_PAGEFILE_PRIVILEGE); 00538 SeIncreaseBasePriorityPrivilege = 00539 RtlConvertLongToLuid(SE_INC_BASE_PRIORITY_PRIVILEGE); 00540 SeSystemProfilePrivilege = 00541 RtlConvertLongToLuid(SE_SYSTEM_PROFILE_PRIVILEGE); 00542 SeSystemtimePrivilege = 00543 RtlConvertLongToLuid(SE_SYSTEMTIME_PRIVILEGE); 00544 SeProfileSingleProcessPrivilege = 00545 RtlConvertLongToLuid(SE_PROF_SINGLE_PROCESS_PRIVILEGE); 00546 SeCreatePermanentPrivilege = 00547 RtlConvertLongToLuid(SE_CREATE_PERMANENT_PRIVILEGE); 00548 SeBackupPrivilege = 00549 RtlConvertLongToLuid(SE_BACKUP_PRIVILEGE); 00550 SeRestorePrivilege = 00551 RtlConvertLongToLuid(SE_RESTORE_PRIVILEGE); 00552 SeShutdownPrivilege = 00553 RtlConvertLongToLuid(SE_SHUTDOWN_PRIVILEGE); 00554 SeDebugPrivilege = 00555 RtlConvertLongToLuid(SE_DEBUG_PRIVILEGE); 00556 SeAuditPrivilege = 00557 RtlConvertLongToLuid(SE_AUDIT_PRIVILEGE); 00558 SeSystemEnvironmentPrivilege = 00559 RtlConvertLongToLuid(SE_SYSTEM_ENVIRONMENT_PRIVILEGE); 00560 SeChangeNotifyPrivilege = 00561 RtlConvertLongToLuid(SE_CHANGE_NOTIFY_PRIVILEGE); 00562 SeRemoteShutdownPrivilege = 00563 RtlConvertLongToLuid(SE_REMOTE_SHUTDOWN_PRIVILEGE); 00564 SeUndockPrivilege = 00565 RtlConvertLongToLuid(SE_UNDOCK_PRIVILEGE); 00566 SeSyncAgentPrivilege = 00567 RtlConvertLongToLuid(SE_SYNC_AGENT_PRIVILEGE); 00568 SeEnableDelegationPrivilege = 00569 RtlConvertLongToLuid(SE_ENABLE_DELEGATION_PRIVILEGE); 00570 00571 00572 // 00573 // Initialize the SeExports structure for exporting all 00574 // of the information we've created out of the kernel. 00575 // 00576 00577 // 00578 // Package these together for export 00579 // 00580 00581 00582 SepExports.SeNullSid = SeNullSid; 00583 SepExports.SeWorldSid = SeWorldSid; 00584 SepExports.SeLocalSid = SeLocalSid; 00585 SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid; 00586 SepExports.SeCreatorGroupSid = SeCreatorGroupSid; 00587 00588 00589 SepExports.SeNtAuthoritySid = SeNtAuthoritySid; 00590 SepExports.SeDialupSid = SeDialupSid; 00591 SepExports.SeNetworkSid = SeNetworkSid; 00592 SepExports.SeBatchSid = SeBatchSid; 00593 SepExports.SeInteractiveSid = SeInteractiveSid; 00594 SepExports.SeLocalSystemSid = SeLocalSystemSid; 00595 SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid; 00596 SepExports.SeRestrictedSid = SeRestrictedSid; 00597 SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid; 00598 SepExports.SeAliasAdminsSid = SeAliasAdminsSid; 00599 SepExports.SeAliasUsersSid = SeAliasUsersSid; 00600 SepExports.SeAliasGuestsSid = SeAliasGuestsSid; 00601 SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid; 00602 SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid; 00603 SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid; 00604 SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid; 00605 SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid; 00606 00607 00608 00609 SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege; 00610 SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege; 00611 SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege; 00612 SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege; 00613 SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege; 00614 SepExports.SeTcbPrivilege = SeTcbPrivilege; 00615 SepExports.SeSecurityPrivilege = SeSecurityPrivilege; 00616 SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege; 00617 SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege; 00618 SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege; 00619 SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege; 00620 SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege; 00621 SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege; 00622 SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege; 00623 SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege; 00624 SepExports.SeBackupPrivilege = SeBackupPrivilege; 00625 SepExports.SeRestorePrivilege = SeRestorePrivilege; 00626 SepExports.SeShutdownPrivilege = SeShutdownPrivilege; 00627 SepExports.SeDebugPrivilege = SeDebugPrivilege; 00628 SepExports.SeAuditPrivilege = SeAuditPrivilege; 00629 SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege; 00630 SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege; 00631 SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege; 00632 SepExports.SeUndockPrivilege = SeUndockPrivilege; 00633 SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege; 00634 SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege; 00635 00636 00637 SeExports = &SepExports; 00638 00639 // 00640 // Initialize frequently used privilege sets to speed up access 00641 // validation. 00642 // 00643 00644 SepInitializePrivilegeSets(); 00645 00646 return TRUE; 00647 00648 }

---

Variable Documentation

ULONG DoublePrivilegeSetSize [static]

Definition at line 225 of file seglobal.c. Referenced by SepAssemblePrivileges(), and SepInitializePrivilegeSets().

PSID SeAliasAccountOpsSid

Definition at line 105 of file seglobal.c. Referenced by SepVariableInitialization().

PSID SeAliasAdminsSid

Definition at line 100 of file seglobal.c. Referenced by IopApplySystemPartitionProt(), IopCreateDefaultDeviceSecurityDescriptor(), IopOpenDeviceParametersSubkey(), ObpGetDosDevicesProtection(), SeMakeAnonymousLogonToken(), SeMakeSystemToken(), SepCreateImpersonationTokenDacl(), SepCreateToken(), SepInitializationPhase1(), SepInitSystemDacls(), SepMakeTokenEffectiveOnly(), SepRemoveDisabledGroupsAndPrivileges(), and SepVariableInitialization().

PSID SeAliasBackupOpsSid

Definition at line 108 of file seglobal.c. Referenced by SepVariableInitialization().

PSID SeAliasGuestsSid

Definition at line 103 of file seglobal.c. Referenced by SepVariableInitialization().

PSID SeAliasPowerUsersSid

Definition at line 104 of file seglobal.c. Referenced by SepVariableInitialization().

PSID SeAliasPrintOpsSid

Definition at line 107 of file seglobal.c. Referenced by SepVariableInitialization().

PSID SeAliasSystemOpsSid

Definition at line 106 of file seglobal.c. Referenced by SepVariableInitialization().

PSID SeAliasUsersSid

Definition at line 102 of file seglobal.c. Referenced by SepVariableInitialization().

LUID SeAnonymousAuthenticationId = ANONYMOUS_LOGON_LUID

Definition at line 71 of file seglobal.c. Referenced by SeMakeAnonymousLogonToken(), and SepRmDbInitialization().

PSID SeAnonymousLogonSid

Definition at line 109 of file seglobal.c. Referenced by SeMakeAnonymousLogonToken(), and SepVariableInitialization().

PACCESS_TOKEN SeAnonymousLogonToken

Definition at line 115 of file seglobal.c. Referenced by NtImpersonateAnonymousToken(), and SepInitializationPhase1().

LUID SeAssignPrimaryTokenPrivilege

Definition at line 174 of file seglobal.c. Referenced by NtSetInformationJobObject(), PspSetPrimaryToken(), SeMakeSystemToken(), and SepVariableInitialization().

SE_AUDITING_STATE SeAuditingState[POLICY_AUDIT_EVENT_TYPE_COUNT]

Initial value: { { FALSE, FALSE }, { FALSE, FALSE }, { FALSE, FALSE }, { FALSE, FALSE }, { FALSE, FALSE }, { FALSE, FALSE }, { FALSE, FALSE }, { FALSE, FALSE }, { FALSE, FALSE } } Definition at line 236 of file seglobal.c. Referenced by SepRmSetAuditEventWrkr(), and SeTraverseAuditAlarm().

LUID SeAuditPrivilege

Definition at line 192 of file seglobal.c. Referenced by SeCheckAuditPrivilege(), SeMakeSystemToken(), and SepVariableInitialization().

PSID SeAuthenticatedUsersSid

Definition at line 99 of file seglobal.c. Referenced by SeMakeSystemToken(), and SepVariableInitialization().

LUID SeBackupPrivilege

Definition at line 188 of file seglobal.c. Referenced by CmpDoOpen(), IopCheckBackupRestorePrivilege(), NtSaveKey(), NtSaveMergedKeys(), SeMakeSystemToken(), and SepVariableInitialization().

PSID SeBatchSid

Definition at line 94 of file seglobal.c. Referenced by SepSidTranslation(), and SepVariableInitialization().

LUID SeChangeNotifyPrivilege

Definition at line 194 of file seglobal.c. Referenced by SeMakeSystemToken(), SepAdjustPrivileges(), SepCreateToken(), SepRemoveDisabledGroupsAndPrivileges(), and SepVariableInitialization().

LUID SeCreatePagefilePrivilege

Definition at line 182 of file seglobal.c. Referenced by NtCreatePagingFile(), NtQuerySystemInformation(), NtSetSystemInformation(), SeMakeSystemToken(), and SepVariableInitialization().

LUID SeCreatePermanentPrivilege

Definition at line 187 of file seglobal.c. Referenced by ObCreateObject(), SeMakeSystemToken(), and SepVariableInitialization().

LUID SeCreateTokenPrivilege

Definition at line 173 of file seglobal.c. Referenced by SeMakeSystemToken(), SepCreateToken(), and SepVariableInitialization().

PSID SeCreatorGroupServerSid

Definition at line 83 of file seglobal.c. Referenced by SepSidTranslation(), and SepVariableInitialization().

PSID SeCreatorGroupSid

Definition at line 82 of file seglobal.c. Referenced by SepSidTranslation(), and SepVariableInitialization().

PSID SeCreatorOwnerServerSid

Definition at line 84 of file seglobal.c. Referenced by SepSidTranslation(), and SepVariableInitialization().

PSID SeCreatorOwnerSid

Definition at line 81 of file seglobal.c. Referenced by ObpGetDosDevicesProtection(), SepSidTranslation(), and SepVariableInitialization().

LUID SeDebugPrivilege

Definition at line 191 of file seglobal.c. Referenced by NtOpenProcess(), NtOpenThread(), NtSetSystemInformation(), NtSystemDebugControl(), SeMakeSystemToken(), and SepVariableInitialization().

BOOLEAN SeDetailedAuditing = FALSE

Definition at line 273 of file seglobal.c. Referenced by NtDuplicateObject(), ObInitProcess(), PspCreateProcess(), PspProcessDelete(), and SepRmSetAuditEventWrkr().

PSID SeDialupSid

Definition at line 92 of file seglobal.c. Referenced by SepVariableInitialization().

LUID SeEnableDelegationPrivilege

Definition at line 198 of file seglobal.c. Referenced by SepVariableInitialization().

PSE_EXPORTS SeExports

Definition at line 207 of file seglobal.c. Referenced by InitSecurity(), SepVariableInitialization(), SmbTraceStart(), xxxConnectService(), and xxxCreateWindowStation().

LUID SeIncreaseBasePriorityPrivilege

Definition at line 183 of file seglobal.c. Referenced by NtSetInformationJobObject(), NtSetInformationProcess(), NtSetInformationThread(), SeMakeSystemToken(), and SepVariableInitialization().

LUID SeIncreaseQuotaPrivilege

Definition at line 176 of file seglobal.c. Referenced by NtSetSystemInformation(), PspSetQuotaLimits(), SeMakeSystemToken(), and SepVariableInitialization().

PSID SeInteractiveSid

Definition at line 95 of file seglobal.c. Referenced by SepSidTranslation(), and SepVariableInitialization().

LUID SeLoadDriverPrivilege

Definition at line 181 of file seglobal.c. Referenced by NtLoadDriver(), NtSetSystemInformation(), NtUnloadDriver(), SeMakeSystemToken(), and SepVariableInitialization().

PSID SeLocalSid

Definition at line 80 of file seglobal.c. Referenced by SepSidTranslation(), and SepVariableInitialization().

PSID SeLocalSystemSid

Definition at line 98 of file seglobal.c. Referenced by IopApplySystemPartitionProt(), IopInitializePlugPlayServices(), ObpGetDosDevicesProtection(), SeMakeSystemToken(), SepAdtGenerateDiscardAudit(), SepAdtPrivilegeObjectAuditAlarm(), SepCreateImpersonationTokenDacl(), SepInitializationPhase1(), SepInitSystemDacls(), SePrivilegedServiceAuditAlarm(), SepSidTranslation(), SepVariableInitialization(), and SeRmInitPhase1().

LUID SeLockMemoryPrivilege

Definition at line 175 of file seglobal.c. Referenced by NtAllocateUserPhysicalPages(), NtLockVirtualMemory(), NtUnlockVirtualMemory(), SeMakeSystemToken(), and SepVariableInitialization().

PSID SeNetworkSid

Definition at line 93 of file seglobal.c. Referenced by SepSidTranslation(), and SepVariableInitialization().

PSID SeNtAuthoritySid

Definition at line 90 of file seglobal.c. Referenced by SepVariableInitialization().

PSID SeNullSid

Definition at line 78 of file seglobal.c. Referenced by SepVariableInitialization().

BOOLEAN SepAdtAuditingEnabled = FALSE

Definition at line 253 of file seglobal.c.

BOOLEAN SepCrashOnAuditFail = FALSE

Definition at line 260 of file seglobal.c. Referenced by SepAdtInitializeCrashOnFail(), SepAdtLogAuditRecord(), and SepAuditFailed().

SID_IDENTIFIER_AUTHORITY SepCreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY [static]

Definition at line 214 of file seglobal.c. Referenced by SepVariableInitialization().

PPRIVILEGE_SET SepDoublePrivilegeSet [static]

Definition at line 229 of file seglobal.c. Referenced by SepAssemblePrivileges(), and SepInitializePrivilegeSets().

SE_EXPORTS SepExports

Definition at line 208 of file seglobal.c. Referenced by SepVariableInitialization().

SEP_WORK_ITEM SepExWorkItem

Definition at line 296 of file seglobal.c. Referenced by SepQueueWorkItem().

SID_IDENTIFIER_AUTHORITY SepLocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY [static]

Definition at line 213 of file seglobal.c. Referenced by SepVariableInitialization().

HANDLE SepLsaHandle

Definition at line 266 of file seglobal.c. Referenced by SepRmCallLsa(), and SepRmCommandServerThreadInit().

LIST_ENTRY SepLsaQueue

Definition at line 288 of file seglobal.c. Referenced by SepDequeueWorkItem(), SepInitializeWorkList(), and SepQueueWorkItem().

ULONG SepLsaQueueLength = 0

Definition at line 294 of file seglobal.c. Referenced by SepRmCallLsa().

ERESOURCE SepLsaQueueLock

Definition at line 282 of file seglobal.c. Referenced by SepInitializeWorkList().

SID_IDENTIFIER_AUTHORITY SepNtAuthority = SECURITY_NT_AUTHORITY [static]

Definition at line 215 of file seglobal.c. Referenced by SepVariableInitialization().

SID_IDENTIFIER_AUTHORITY SepNullSidAuthority = SECURITY_NULL_SID_AUTHORITY [static]

Definition at line 211 of file seglobal.c. Referenced by SepVariableInitialization().

PSID SepPrimaryDomainAdminSid

Definition at line 164 of file seglobal.c.

PSID SepPrimaryDomainSid

Definition at line 163 of file seglobal.c.

SECURITY_DESCRIPTOR SepPublicDefaultSd

Definition at line 140 of file seglobal.c. Referenced by SepInitSystemDacls().

SECURITY_DESCRIPTOR SepPublicDefaultUnrestrictedSd

Definition at line 142 of file seglobal.c. Referenced by SepInitSystemDacls().

SECURITY_DESCRIPTOR SepPublicOpenSd

Definition at line 146 of file seglobal.c. Referenced by SepInitSystemDacls().

SECURITY_DESCRIPTOR SepPublicOpenUnrestrictedSd

Definition at line 144 of file seglobal.c. Referenced by SepInitSystemDacls().

PSID SePrincipalSelfSid

Definition at line 97 of file seglobal.c. Referenced by SepSidInSidAndAttributes(), SepSidInToken(), SepSidInTokenEx(), and SepVariableInitialization().

LUID SeProfileSingleProcessPrivilege

Definition at line 186 of file seglobal.c. Referenced by SeMakeSystemToken(), and SepVariableInitialization().

SECURITY_DESCRIPTOR SepSystemDefaultSd

Definition at line 148 of file seglobal.c. Referenced by SepInitSystemDacls().

PPRIVILEGE_SET SepSystemSecurityPrivilegeSet [static]

Definition at line 227 of file seglobal.c. Referenced by SepAssemblePrivileges(), and SepInitializePrivilegeSets().

PPRIVILEGE_SET SepTakeOwnershipPrivilegeSet [static]

Definition at line 228 of file seglobal.c. Referenced by SepAssemblePrivileges(), and SepInitializePrivilegeSets().

PACL SePublicDefaultDacl

Definition at line 152 of file seglobal.c. Referenced by SepInitSystemDacls().

PSECURITY_DESCRIPTOR SePublicDefaultSd

Definition at line 139 of file seglobal.c. Referenced by ExpInitializeCallbacks(), SepInitializationPhase1(), and SepInitSystemDacls().

PACL SePublicDefaultUnrestrictedDacl

Definition at line 153 of file seglobal.c. Referenced by IopCreateDefaultDeviceSecurityDescriptor(), ObInitSystem(), and SepInitSystemDacls().

PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd

Definition at line 141 of file seglobal.c. Referenced by IoCreateSymbolicLink(), ObInitSystem(), and SepInitSystemDacls().

PACL SePublicOpenDacl

Definition at line 154 of file seglobal.c. Referenced by SepInitSystemDacls().

PSECURITY_DESCRIPTOR SePublicOpenSd

Definition at line 145 of file seglobal.c. Referenced by SepInitSystemDacls().

PACL SePublicOpenUnrestrictedDacl

Definition at line 155 of file seglobal.c. Referenced by IopCreateDefaultDeviceSecurityDescriptor(), and SepInitSystemDacls().

PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd

Definition at line 143 of file seglobal.c. Referenced by SepInitSystemDacls().

SECURITY_DESCRIPTOR SepUnrestrictedSd

Definition at line 150 of file seglobal.c. Referenced by SepInitSystemDacls().

SID_IDENTIFIER_AUTHORITY SepWorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY [static]

Definition at line 212 of file seglobal.c. Referenced by SepVariableInitialization().

LUID SeRemoteShutdownPrivilege

Definition at line 195 of file seglobal.c. Referenced by SepVariableInitialization().

LUID SeRestorePrivilege

Definition at line 189 of file seglobal.c. Referenced by CmpDoOpen(), IopCheckBackupRestorePrivilege(), NtLoadKey2(), NtReplaceKey(), NtRestoreKey(), NtUnloadKey(), SeMakeSystemToken(), SepValidOwnerSubjectContext(), and SepVariableInitialization().

PSID SeRestrictedSid

Definition at line 101 of file seglobal.c. Referenced by SepCreateImpersonationTokenDacl(), SepInitSystemDacls(), and SepVariableInitialization().

LUID SeSecurityPrivilege

Definition at line 179 of file seglobal.c. Referenced by ObpIncrementHandleCount(), RtlpNewSecurityObject(), SeMakeSystemToken(), SepAccessCheck(), SepInitializePrivilegeSets(), SePrivilegePolicyCheck(), and SepVariableInitialization().

PSID SeServiceSid

Definition at line 96 of file seglobal.c. Referenced by SepVariableInitialization().

LUID SeShutdownPrivilege

Definition at line 190 of file seglobal.c. Referenced by ExpRaiseHardError(), SeMakeSystemToken(), and SepVariableInitialization().

UNICODE_STRING SeSubsystemName

Definition at line 275 of file seglobal.c. Referenced by SeAuditHandleCreation(), SeAuditHandleDuplication(), SeAuditProcessCreation(), SeAuditProcessExit(), SeCloseObjectAuditAlarm(), SeDeleteObjectAuditAlarm(), SeOpenObjectAuditAlarm(), SeOpenObjectForDeleteAuditAlarm(), SepAdtGenerateDiscardAudit(), SepAdtInitializePhase1(), SepAdtObjectReferenceAuditAlarm(), SepAdtPrivilegedServiceAuditAlarm(), SePrivilegedServiceAuditAlarm(), and SePrivilegeObjectAuditAlarm().

LUID SeSyncAgentPrivilege

Definition at line 197 of file seglobal.c. Referenced by SepVariableInitialization().

LUID SeSystemAuthenticationId = SYSTEM_LUID

Definition at line 70 of file seglobal.c. Referenced by SeMakeSystemToken(), and SepRmDbInitialization().

PACL SeSystemDefaultDacl

Definition at line 156 of file seglobal.c. Referenced by SeMakeSystemToken(), and SepInitSystemDacls().

PSECURITY_DESCRIPTOR SeSystemDefaultSd

Definition at line 147 of file seglobal.c. Referenced by SepInitSystemDacls().

LUID SeSystemEnvironmentPrivilege

Definition at line 193 of file seglobal.c. Referenced by NtQuerySystemEnvironmentValue(), NtSetSystemEnvironmentValue(), SeMakeSystemToken(), and SepVariableInitialization().

LUID SeSystemProfilePrivilege

Definition at line 184 of file seglobal.c. Referenced by NtCreateProfile(), and SepVariableInitialization().

LUID SeSystemtimePrivilege

Definition at line 185 of file seglobal.c. Referenced by NtSetSystemInformation(), SeMakeSystemToken(), and SepVariableInitialization().

TOKEN_SOURCE SeSystemTokenSource = {"*SYSTEM*", 0}

Definition at line 69 of file seglobal.c. Referenced by SeMakeAnonymousLogonToken(), and SeMakeSystemToken().

LUID SeTakeOwnershipPrivilege

Definition at line 180 of file seglobal.c. Referenced by SeMakeSystemToken(), SepAccessCheck(), SepInitializePrivilegeSets(), SePrivilegePolicyCheck(), and SepVariableInitialization().

LUID SeTcbPrivilege

Definition at line 178 of file seglobal.c. Referenced by CmpRefreshHive(), NtSetDefaultHardErrorPort(), NtSetInformationProcess(), NtSetInformationToken(), SeMakeSystemToken(), SepSinglePrivilegeCheck(), and SepVariableInitialization().

LUID SeUndockPrivilege

Definition at line 196 of file seglobal.c. Referenced by SeMakeSystemToken(), and SepVariableInitialization().

PACL SeUnrestrictedDacl

Definition at line 157 of file seglobal.c. Referenced by SepInitSystemDacls().

PSECURITY_DESCRIPTOR SeUnrestrictedSd

Definition at line 149 of file seglobal.c. Referenced by SepInitSystemDacls().

LUID SeUnsolicitedInputPrivilege

Definition at line 177 of file seglobal.c. Referenced by SepVariableInitialization().

PSID SeWorldSid

Definition at line 79 of file seglobal.c. Referenced by IopCreateDefaultDeviceSecurityDescriptor(), IopInitializePlugPlayServices(), ObInitSystem(), ObpGetDosDevicesProtection(), SeAssignWorldSecurityDescriptor(), SeFastTraverseCheck(), SeMakeAnonymousLogonToken(), SeMakeSystemToken(), SepInitializationPhase1(), SepInitSystemDacls(), SepSidTranslation(), and SepVariableInitialization().

ULONG SinglePrivilegeSetSize [static]

Definition at line 224 of file seglobal.c. Referenced by SepAssemblePrivileges(), and SepInitializePrivilegeSets().

---