obse.c File Reference

#include "obp.h"

Go to the source code of this file.

Functions
NTSTATUS	NtSetSecurityObject (IN HANDLE Handle, IN SECURITY_INFORMATION SecurityInformation, IN PSECURITY_DESCRIPTOR SecurityDescriptor)
NTSTATUS	ObSetSecurityObjectByPointer (IN PVOID Object, IN SECURITY_INFORMATION SecurityInformation, IN PSECURITY_DESCRIPTOR SecurityDescriptor)
NTSTATUS	NtQuerySecurityObject (IN HANDLE Handle, IN SECURITY_INFORMATION SecurityInformation, OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN ULONG Length, OUT PULONG LengthNeeded)
BOOLEAN	ObCheckObjectAccess (IN PVOID Object, IN OUT PACCESS_STATE AccessState, IN BOOLEAN TypeMutexLocked, IN KPROCESSOR_MODE AccessMode, OUT PNTSTATUS AccessStatus)
BOOLEAN	ObpCheckObjectReference (IN PVOID Object, IN OUT PACCESS_STATE AccessState, IN BOOLEAN TypeMutexLocked, IN KPROCESSOR_MODE AccessMode, OUT PNTSTATUS AccessStatus)
BOOLEAN	ObpCheckTraverseAccess (IN PVOID DirectoryObject, IN ACCESS_MASK TraverseAccess, IN PACCESS_STATE AccessState OPTIONAL, IN BOOLEAN TypeMutexLocked, IN KPROCESSOR_MODE PreviousMode, OUT PNTSTATUS AccessStatus)
BOOLEAN	ObCheckCreateObjectAccess (IN PVOID DirectoryObject, IN ACCESS_MASK CreateAccess, IN PACCESS_STATE AccessState, IN PUNICODE_STRING ComponentName, IN BOOLEAN TypeMutexLocked, IN KPROCESSOR_MODE PreviousMode, OUT PNTSTATUS AccessStatus)
NTSTATUS	ObAssignObjectSecurityDescriptor (IN PVOID Object, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN POOL_TYPE PoolType)
NTSTATUS	ObGetObjectSecurity (IN PVOID Object, OUT PSECURITY_DESCRIPTOR *SecurityDescriptor, OUT PBOOLEAN MemoryAllocated)
VOID	ObReleaseObjectSecurity (IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN MemoryAllocated)
NTSTATUS	ObValidateSecurityQuota (IN PVOID Object, IN ULONG NewSize)
NTSTATUS	ObAssignSecurity (IN PACCESS_STATE AccessState, IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL, IN PVOID Object, IN POBJECT_TYPE ObjectType)
NTSTATUS	ObQuerySecurityDescriptorInfo (IN PSECURITY_INFORMATION SecurityInformation, OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN OUT PULONG Length, IN PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor)
NTSTATUS	ObSetSecurityDescriptorInfo (IN PVOID Object, IN PSECURITY_INFORMATION SecurityInformation, IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, IN POOL_TYPE PoolType, IN PGENERIC_MAPPING GenericMapping)
NTSTATUS	ObpValidateAccessMask (PACCESS_STATE AccessState)

---

Function Documentation

NTSTATUS NtQuerySecurityObject (  IN HANDLE  Handle, IN SECURITY_INFORMATION  SecurityInformation, OUT PSECURITY_DESCRIPTOR  SecurityDescriptor, IN ULONG  Length, OUT PULONG  LengthNeeded )

Definition at line 255 of file obse.c. References EXCEPTION_EXECUTE_HANDLER, _OBJECT_TYPE_INITIALIZER::GenericMapping, Handle, KernelMode, KPROCESSOR_MODE, NT_SUCCESS, NTSTATUS(), NULL, ObDereferenceObject, OBJECT_TO_OBJECT_HEADER, ObReferenceObjectByHandle(), PAGED_CODE, _OBJECT_TYPE_INITIALIZER::PoolType, ProbeForWrite(), ProbeForWriteUlong, QuerySecurityDescriptor, _OBJECT_HEADER::SecurityDescriptor, _OBJECT_TYPE_INITIALIZER::SecurityProcedure, SeQuerySecurityAccessMask(), Status, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by CmpCloneControlSet(), CmpCloneHwProfile(), CmpSaveBootControlSet(), Copy(), DumpSecurity(), and GetUserObjectSecurity(). : This routine is used to query the security descriptor for an object. Arguments: Handle - Supplies the handle for the object being investigated SecurityInformation - Indicates the type of information we are interested in getting. e.g., owner, group, dacl, or sacl. SecurityDescriptor - Supplies a pointer to where the information should be returned Length - Supplies the size, in bytes, of the output buffer LengthNeeded - Receives the length, in bytes, needed to store the output security descriptor Return Value: An appropriate NTSTATUS value --*/ { NTSTATUS Status; PVOID Object; ACCESS_MASK DesiredAccess; OBJECT_HANDLE_INFORMATION HandleInformation; KPROCESSOR_MODE RequestorMode; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; PAGED_CODE(); // // Probe output parameters // RequestorMode = KeGetPreviousMode(); if (RequestorMode != KernelMode) { try { ProbeForWriteUlong( LengthNeeded ); ProbeForWrite( SecurityDescriptor, Length, sizeof(ULONG) ); } except(EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } // // Establish the accesses needed to the object based upon the // security information being queried // SeQuerySecurityAccessMask( SecurityInformation, &DesiredAccess ); Status = ObReferenceObjectByHandle( Handle, DesiredAccess, NULL, RequestorMode, &Object, &HandleInformation ); if (!NT_SUCCESS( Status )) { return( Status ); } // // Map the object body to an object header and the corresponding // object type // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); ObjectType = ObjectHeader->Type; // // Invoke the object type's security callback routine to query // the object. This routine is assumed to have a try-except around // the setting of the output security descriptor // Status = (ObjectType->TypeInfo.SecurityProcedure)( Object, QuerySecurityDescriptor, &SecurityInformation, SecurityDescriptor, &Length, &ObjectHeader->SecurityDescriptor, ObjectType->TypeInfo.PoolType, &ObjectType->TypeInfo.GenericMapping ); // // Indicate the length needed for the security descriptor. This // will be set even if the callback failed so the caller will know // the number of bytes necessary // try { *LengthNeeded = Length; } except(EXCEPTION_EXECUTE_HANDLER) { ObDereferenceObject( Object ); return(GetExceptionCode()); } // // And return to our caller // ObDereferenceObject( Object ); return( Status ); }

NTSTATUS NtSetSecurityObject (  IN HANDLE  Handle, IN SECURITY_INFORMATION  SecurityInformation, IN PSECURITY_DESCRIPTOR  SecurityDescriptor )

Definition at line 46 of file obse.c. References ASSERT, FALSE, Handle, KPROCESSOR_MODE, NT_SUCCESS, NTSTATUS(), NULL, ObDereferenceObject, ObReferenceObjectByHandle(), ObSetSecurityObjectByPointer(), PAGED_CODE, PagedPool, SeCaptureSecurityDescriptor(), SeReleaseSecurityDescriptor(), SeSetSecurityAccessMask(), Status, and TRUE. Referenced by main(), and SetUserObjectSecurity(). : This routine is used to invoke an object's security routine. It is used to set the object's security state. Arguments: Handle - Supplies the handle for the object being modified SecurityInformation - Indicates the type of information we are interested in setting. e.g., owner, group, dacl, or sacl. SecurityDescriptor - Supplies the security descriptor for the object being modified. Return Value: An appropriate NTSTATUS value --*/ { NTSTATUS Status; PVOID Object; ACCESS_MASK DesiredAccess; OBJECT_HANDLE_INFORMATION HandleInformation; KPROCESSOR_MODE RequestorMode; SECURITY_DESCRIPTOR_RELATIVE *CapturedDescriptor; PAGED_CODE(); // // Make sure the passed security descriptor is really there. // SeCaptureSecurityDescriptor doesn't mind being passed a NULL // SecurityDescriptor, and will just return NULL back. // if (!ARGUMENT_PRESENT( SecurityDescriptor )) { return( STATUS_ACCESS_VIOLATION ); } // // Establish the accesses needed to the object based upon the // security information being modified. // SeSetSecurityAccessMask( SecurityInformation, &DesiredAccess ); Status = ObReferenceObjectByHandle( Handle, DesiredAccess, NULL, RequestorMode = KeGetPreviousMode(), &Object, &HandleInformation ); if (NT_SUCCESS( Status )) { // // Probe and capture the input security descriptor, and return // right away if it is ill-formed. // // Because the security descriptor is always captured the returned // security descriptor is in self-relative format. // Status = SeCaptureSecurityDescriptor( SecurityDescriptor, RequestorMode, PagedPool, TRUE, (PSECURITY_DESCRIPTOR *)&CapturedDescriptor ); if (NT_SUCCESS( Status )) { // // Now check for a valid combination of what the user wants to set // and what was supplied in the input security descriptor. If the // caller wants to set the owner then the owner field of the // security descriptor better not be null, likewise for the group // setting. If anything is missing we'll return and error. // ASSERT(CapturedDescriptor->Control & SE_SELF_RELATIVE); if (((SecurityInformation & OWNER_SECURITY_INFORMATION) && (CapturedDescriptor->Owner == 0)) || ((SecurityInformation & GROUP_SECURITY_INFORMATION) && (CapturedDescriptor->Group == 0))) { SeReleaseSecurityDescriptor( (PSECURITY_DESCRIPTOR)CapturedDescriptor, RequestorMode, TRUE ); ObDereferenceObject( Object ); ASSERT(FALSE); return( STATUS_INVALID_SECURITY_DESCR ); } Status = ObSetSecurityObjectByPointer( Object, SecurityInformation, CapturedDescriptor ); SeReleaseSecurityDescriptor( (PSECURITY_DESCRIPTOR)CapturedDescriptor, RequestorMode, TRUE ); } ObDereferenceObject( Object ); } return( Status ); }

NTSTATUS ObAssignObjectSecurityDescriptor (  IN PVOID  Object, IN PSECURITY_DESCRIPTOR SecurityDescriptor  OPTIONAL, IN POOL_TYPE  PoolType )

Definition at line 1183 of file obse.c. References NT_SUCCESS, NTSTATUS(), NULL, OBJECT_TO_OBJECT_HEADER, ObpLogSecurityDescriptor(), PAGED_CODE, and Status. Referenced by CmpSecurityMethod(), SeDefaultObjectMethod(), SeMakeAnonymousLogonToken(), and SeMakeSystemToken(). : Takes a pointer to an object and sets the SecurityDescriptor field in the object's header. Arguments: Object - Supplies a pointer to the object SecurityDescriptor - Supplies a pointer to the security descriptor to be assigned to the object. This pointer may be null if there is no security on the object. PoolType - Supplies the type of pool memory used to allocate the security descriptor. This field is currently ignored. Return Value: An appropriate NTSTATUS value. --*/ { NTSTATUS Status; PSECURITY_DESCRIPTOR OutputSecurityDescriptor; PAGED_CODE(); // // If the security descriptor isn't supplied then we set the // object header's security descriptor to null and return // to our caller // if (!ARGUMENT_PRESENT(SecurityDescriptor)) { OBJECT_TO_OBJECT_HEADER( Object )->SecurityDescriptor = NULL; return( STATUS_SUCCESS ); } // // Log the new security descriptor into our security database and // get back the real security descriptor to use // Status = ObpLogSecurityDescriptor( SecurityDescriptor, &OutputSecurityDescriptor ); // // If we've been successful so far then set the object's // security descriptor to the newly allocated one. // if (NT_SUCCESS(Status)) { OBJECT_TO_OBJECT_HEADER( Object )->SecurityDescriptor = OutputSecurityDescriptor; } // // And return to our caller // return( Status ); }

NTSTATUS ObAssignSecurity (  IN PACCESS_STATE  AccessState, IN PSECURITY_DESCRIPTOR ParentDescriptor  OPTIONAL, IN PVOID  Object, IN POBJECT_TYPE  ObjectType )

Definition at line 1574 of file obse.c. References AssignSecurityDescriptor, NT_SUCCESS, NTSTATUS(), NULL, ObpBeginTypeSpecificCallOut, ObpDirectoryObjectType, ObpEndTypeSpecificCallOut, PAGED_CODE, PagedPool, SeAssignSecurity(), SeDeassignSecurity(), and Status. Referenced by ObInsertObject(), and xxxCreateDesktop2(). : This routine will assign a security descriptor to a newly created object. It assumes that the AccessState parameter contains a captured security descriptor. Arguments: AccessState - The AccessState containing the security information for this object creation. ParentDescriptor - The security descriptor from the parent object, if available. Object - A pointer to the object being created. ObjectType - Supplies the type of object being created. Return Value: STATUS_SUCCESS - indicates the operation was successful. STATUS_INVALID_OWNER - The owner SID provided as the owner of the target security descriptor is not one the caller is authorized to assign as the owner of an object. STATUS_PRIVILEGE_NOT_HELD - The caller does not have the privilege necessary to explicitly assign the specified system ACL. SeSecurityPrivilege privilege is needed to explicitly assign system ACLs to objects. --*/ { PSECURITY_DESCRIPTOR NewDescriptor = NULL; NTSTATUS Status; KIRQL SaveIrql; PAGED_CODE(); // // SeAssignSecurity will construct the final version // of the security descriptor // Status = SeAssignSecurity( ParentDescriptor, AccessState->SecurityDescriptor, &NewDescriptor, (BOOLEAN)(ObjectType == ObpDirectoryObjectType), &AccessState->SubjectSecurityContext, &ObjectType->TypeInfo.GenericMapping, PagedPool ); if (!NT_SUCCESS( Status )) { return( Status ); } ObpBeginTypeSpecificCallOut( SaveIrql ); // // Now invoke the security method callback to finish // the assignment. // Status = (*ObjectType->TypeInfo.SecurityProcedure)( Object, AssignSecurityDescriptor, NULL, NewDescriptor, NULL, NULL, PagedPool, &ObjectType->TypeInfo.GenericMapping ); ObpEndTypeSpecificCallOut( SaveIrql, "Security", ObjectType, Object ); if (!NT_SUCCESS( Status )) { // // The attempt to assign the security descriptor to the object // failed. Free the space used by the new security descriptor. // SeDeassignSecurity( &NewDescriptor ); } // // And return to our caller // return( Status ); }

BOOLEAN ObCheckCreateObjectAccess (  IN PVOID  DirectoryObject, IN ACCESS_MASK  CreateAccess, IN PACCESS_STATE  AccessState, IN PUNICODE_STRING  ComponentName, IN BOOLEAN  TypeMutexLocked, IN KPROCESSOR_MODE  PreviousMode, OUT PNTSTATUS  AccessStatus )

Definition at line 983 of file obse.c. References FALSE, _OBJECT_TYPE_INITIALIZER::GenericMapping, NT_SUCCESS, NTSTATUS(), NULL, ObGetObjectSecurity(), OBJECT_TO_OBJECT_HEADER, ObpEnterObjectTypeMutex, ObpLeaveObjectTypeMutex, ObReleaseObjectSecurity(), PAGED_CODE, SeAccessCheck(), SeAppendPrivileges(), SeCreateObjectAuditAlarm(), SeFreePrivileges(), SeLockSubjectContext(), SeUnlockSubjectContext(), Status, TRUE, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by ObpLookupObjectName(), and xxxCreateDesktop2(). : This routine checks to see if we are allowed to create an object in the given directory, and performs auditing as appropriate. Arguments: DirectoryObject - The directory object being examined. CreateAccess - The access mask corresponding to create access for this directory type. AccessState - Checks for traverse access will typically be incidental to some other access attempt. Information on the current state of that access attempt is required so that the constituent access attempts may be associated with each other in the audit log. ComponentName - Pointer to a Unicode string containing the name of the object being created. TypeMutexLocked - Indicates whether the type mutex for this object's type is locked. The type mutex is used to protect the object's security descriptor from being modified while it is being accessed. PreviousMode - The previous processor mode. AccessStatus - Pointer to a variable to return the status code of the access attempt. In the case of failure this status code must be propagated back to the user. Return Value: BOOLEAN - TRUE if access is allowed and FALSE otherwise. AccessStatus contains the status code to be passed back to the caller. It is not correct to simply pass back STATUS_ACCESS_DENIED, since this will have to change with the advent of mandatory access control. --*/ { BOOLEAN AccessAllowed; ACCESS_MASK GrantedAccess = 0; PSECURITY_DESCRIPTOR SecurityDescriptor; BOOLEAN MemoryAllocated; NTSTATUS Status; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; PPRIVILEGE_SET Privileges = NULL; BOOLEAN AuditPerformed = FALSE; PAGED_CODE(); // // Map the object body to its object header and corresponding // object type // ObjectHeader = OBJECT_TO_OBJECT_HEADER( DirectoryObject ); ObjectType = ObjectHeader->Type; // // If the caller didn't lock the object type down then // we'll do it now // if (!TypeMutexLocked) { ObpEnterObjectTypeMutex( ObjectType ); } // // Obtain the object's security descriptor and make it was // successful // Status = ObGetObjectSecurity( DirectoryObject, &SecurityDescriptor, &MemoryAllocated ); if (!NT_SUCCESS( Status )) { if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } *AccessStatus = Status; return( FALSE ); } // // lock the caller's tokens until after auditing has been // performed. // SeLockSubjectContext( &AccessState->SubjectSecurityContext ); // // if we have a security descriptor then do an access // check to see if access is allowed and set in the // privileges if necessary // if (SecurityDescriptor != NULL) { AccessAllowed = SeAccessCheck( SecurityDescriptor, &AccessState->SubjectSecurityContext, TRUE, // Tokens are locked CreateAccess, 0, &Privileges, &ObjectType->TypeInfo.GenericMapping, PreviousMode, &GrantedAccess, AccessStatus ); if (Privileges != NULL) { Status = SeAppendPrivileges( AccessState, Privileges ); SeFreePrivileges( Privileges ); } // // This is wrong, but leave for reference. // // if (AccessAllowed) { // // AccessState->PreviouslyGrantedAccess |= GrantedAccess; // AccessState->RemainingDesiredAccess &= ~GrantedAccess; // } // #if 0 SeCreateObjectAuditAlarm( &AccessState->OperationID, DirectoryObject, ComponentName, SecurityDescriptor, &AccessState->SubjectSecurityContext, CreateAccess, AccessState->PrivilegesUsed, AccessAllowed, &AuditPerformed, PreviousMode ); if ( AuditPerformed ) { AccessState->AuditHandleCreation = TRUE; } #endif } else { // // At this point there is not a security descriptor // so we'll assume access is allowed // AccessAllowed = TRUE; } // // Free the caller's token and if the caller didn't have the // object type locked we need to free it. // SeUnlockSubjectContext( &AccessState->SubjectSecurityContext ); if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } // // Finally free the security descriptor // and return to our caller // ObReleaseObjectSecurity( SecurityDescriptor, MemoryAllocated ); return( AccessAllowed ); }

BOOLEAN ObCheckObjectAccess (  IN PVOID  Object, IN OUT PACCESS_STATE  AccessState, IN BOOLEAN  TypeMutexLocked, IN KPROCESSOR_MODE  AccessMode, OUT PNTSTATUS  AccessStatus )

Definition at line 392 of file obse.c. References FALSE, _OBJECT_TYPE_INITIALIZER::GenericMapping, _OBJECT_TYPE::Name, NT_SUCCESS, NTSTATUS(), NULL, ObGetObjectSecurity(), OBJECT_TO_OBJECT_HEADER, ObpEnterObjectTypeMutex, ObpLeaveObjectTypeMutex, ObReleaseObjectSecurity(), PAGED_CODE, SeAccessCheck(), SeAppendPrivileges(), SeFreePrivileges(), SeLockSubjectContext(), SeOpenObjectAuditAlarm(), SeUnlockSubjectContext(), Status, TRUE, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by AccessCheckObject(), CmpDoOpen(), and ObpIncrementHandleCount(). : This routine performs access validation on the passed object. The remaining desired access mask is extracted from the AccessState parameter and passes to the appropriate security routine to perform the access check. If the access attempt is successful, SeAccessCheck returns a mask containing the granted accesses. The bits in this mask are turned on in the PreviouslyGrantedAccess field of the AccessState, and are turned off in the RemainingDesiredAccess field. Arguments: Object - The object being examined. AccessState - The ACCESS_STATE structure containing accumulated information about the current attempt to gain access to the object. TypeMutexLocked - Indicates whether the type mutex for this object's type is locked. The type mutex is used to protect the object's security descriptor from being modified while it is being accessed. AccessMode - The previous processor mode. AccessStatus - Pointer to a variable to return the status code of the access attempt. In the case of failure this status code must be propagated back to the user. Return Value: BOOLEAN - TRUE if access is allowed and FALSE otherwise --*/ { ACCESS_MASK GrantedAccess = 0; BOOLEAN AccessAllowed; BOOLEAN MemoryAllocated; NTSTATUS Status; PSECURITY_DESCRIPTOR SecurityDescriptor = NULL; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; PPRIVILEGE_SET Privileges = NULL; PAGED_CODE(); // // Map the object body to an object header and the // corresponding object type // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); ObjectType = ObjectHeader->Type; // // If the caller does not have the object type locked // then lock it down // if (!TypeMutexLocked) { ObpEnterObjectTypeMutex( ObjectType ); } // // Obtain the object's security descriptor // Status = ObGetObjectSecurity( Object, &SecurityDescriptor, &MemoryAllocated ); // // If we failed in getting the security descriptor then // put the object type lock back where it was and return // the error back to our caller // if (!NT_SUCCESS( Status )) { if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } *AccessStatus = Status; return( FALSE ); } else { // // Otherwise we've been successful at getting the // object's security descriptor, but now make sure // it is not null. if (SecurityDescriptor == NULL) { if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } *AccessStatus = Status; return(TRUE); } } // // We have a non-null security descriptor so now // lock the caller's tokens until after auditing has been // performed. // SeLockSubjectContext( &AccessState->SubjectSecurityContext ); // // Do the access check, and if we have some privileges then // put those in the access state too. // AccessAllowed = SeAccessCheck( SecurityDescriptor, &AccessState->SubjectSecurityContext, TRUE, // Tokens are locked AccessState->RemainingDesiredAccess, AccessState->PreviouslyGrantedAccess, &Privileges, &ObjectType->TypeInfo.GenericMapping, AccessMode, &GrantedAccess, AccessStatus ); if (Privileges != NULL) { Status = SeAppendPrivileges( AccessState, Privileges ); SeFreePrivileges( Privileges ); } // // If we were granted access then set that fact into // what we've been granted and remove it from what remains // to be granted. // if (AccessAllowed) { AccessState->PreviouslyGrantedAccess |= GrantedAccess; AccessState->RemainingDesiredAccess &= ~(GrantedAccess | MAXIMUM_ALLOWED); } // // Audit the attempt to open the object, audit // the creation of its handle later. // // **** SecurityDescriptor cannot be null // if ( SecurityDescriptor != NULL ) { SeOpenObjectAuditAlarm( &ObjectType->Name, Object, NULL, // AbsoluteObjectName SecurityDescriptor, AccessState, FALSE, // ObjectCreated (FALSE, only open here) AccessAllowed, AccessMode, &AccessState->GenerateOnClose ); } SeUnlockSubjectContext( &AccessState->SubjectSecurityContext ); // // If the caller didn't lock the object type then we have to // remove our lock on it. // if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } // // Free the security descriptor before returning to // our caller // ObReleaseObjectSecurity( SecurityDescriptor, MemoryAllocated ); return( AccessAllowed ); }

NTSTATUS ObGetObjectSecurity (  IN PVOID  Object, OUT PSECURITY_DESCRIPTOR *  SecurityDescriptor, OUT PBOOLEAN  MemoryAllocated )

Definition at line 1258 of file obse.c. References ExAllocatePoolWithTag, ExFreePool(), FALSE, _OBJECT_TYPE_INITIALIZER::GenericMapping, NT_SUCCESS, NTSTATUS(), NULL, OBJECT_TO_OBJECT_HEADER, ObpBeginTypeSpecificCallOut, ObpCentralizedSecurity, ObpEndTypeSpecificCallOut, ObpReferenceSecurityDescriptor(), PAGED_CODE, PagedPool, _OBJECT_TYPE_INITIALIZER::PoolType, QuerySecurityDescriptor, _OBJECT_HEADER::SecurityDescriptor, _OBJECT_TYPE_INITIALIZER::SecurityProcedure, Status, TRUE, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObInsertObject(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), ObpProcessDosDeviceSymbolicLink(), PspCreateProcess(), PspCreateThread(), and PspSetPrimaryToken(). : Given an object, this routine will find its security descriptor. It will do this by calling the object's security method. It is possible for an object not to have a security descriptor at all. Unnamed objects such as events that can only be referenced by a handle are an example of an object that does not have a security descriptor. Arguments: Object - Supplies the object body being queried. SecurityDescriptor - Returns a pointer to the object's security descriptor. MemoryAllocated - indicates whether we had to allocate pool memory to hold the security descriptor or not. This should be passed back into ObReleaseObjectSecurity. Return Value: STATUS_SUCCESS - The operation was successful. Note that the operation may be successful and still return a NULL security descriptor. STATUS_INSUFFICIENT_RESOURCES - Insufficient memory was available to satisfy the request. --*/ { SECURITY_INFORMATION SecurityInformation; ULONG Length = 0; NTSTATUS Status; POBJECT_TYPE ObjectType; POBJECT_HEADER ObjectHeader; KIRQL SaveIrql; PAGED_CODE(); // // Map the object body to its object header and corresponding // object type // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); ObjectType = ObjectHeader->Type; // // If the object is one that uses the default object method, // its security descriptor is contained in ob's security // descriptor cache. // // Reference it so that it doesn't go away out from under us. // if (ObpCentralizedSecurity(ObjectType)) { *SecurityDescriptor = ObpReferenceSecurityDescriptor( Object ); *MemoryAllocated = FALSE; return( STATUS_SUCCESS ); } // // Request a complete security descriptor // SecurityInformation = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION; // // Call the security method with Length = 0 to find out // how much memory we need to store the final result. // // Note that the ObjectsSecurityDescriptor parameter is NULL, // because we expect whoever is on the other end of this call // to find the security descriptor for us. We pass in a pool // type to keep the compiler happy, it will not be used for a // query operation. // ObpBeginTypeSpecificCallOut( SaveIrql ); Status = (*ObjectType->TypeInfo.SecurityProcedure)( Object, QuerySecurityDescriptor, &SecurityInformation, *SecurityDescriptor, &Length, &ObjectHeader->SecurityDescriptor, // not used ObjectType->TypeInfo.PoolType, &ObjectType->TypeInfo.GenericMapping ); ObpEndTypeSpecificCallOut( SaveIrql, "Security", ObjectType, Object ); if (Status != STATUS_BUFFER_TOO_SMALL) { return( Status ); } // // Now that we know how large the security descriptor is we // can allocate space for it // *SecurityDescriptor = ExAllocatePoolWithTag( PagedPool, Length, 'qSbO' ); if (*SecurityDescriptor == NULL) { return( STATUS_INSUFFICIENT_RESOURCES ); } *MemoryAllocated = TRUE; // // The security method will return an absolute format // security descriptor that just happens to be in a self // contained buffer (not to be confused with a self-relative // security descriptor). // ObpBeginTypeSpecificCallOut( SaveIrql ); Status = (*ObjectType->TypeInfo.SecurityProcedure)( Object, QuerySecurityDescriptor, &SecurityInformation, *SecurityDescriptor, &Length, &ObjectHeader->SecurityDescriptor, ObjectType->TypeInfo.PoolType, &ObjectType->TypeInfo.GenericMapping ); ObpEndTypeSpecificCallOut( SaveIrql, "Security", ObjectType, Object ); if (!NT_SUCCESS( Status )) { ExFreePool( *SecurityDescriptor ); *MemoryAllocated = FALSE; } return( Status ); }

BOOLEAN ObpCheckObjectReference (  IN PVOID  Object, IN OUT PACCESS_STATE  AccessState, IN BOOLEAN  TypeMutexLocked, IN KPROCESSOR_MODE  AccessMode, OUT PNTSTATUS  AccessStatus )

Definition at line 602 of file obse.c. References FALSE, _OBJECT_TYPE_INITIALIZER::GenericMapping, NT_SUCCESS, NTSTATUS(), NULL, ObGetObjectSecurity(), OBJECT_TO_OBJECT_HEADER, ObpEnterObjectTypeMutex, ObpLeaveObjectTypeMutex, ObReleaseObjectSecurity(), PAGED_CODE, SeAccessCheck(), SeLockSubjectContext(), SeObjectReferenceAuditAlarm(), SeUnlockSubjectContext(), Status, TRUE, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by ObReferenceObjectByName(). : The routine performs access validation on the passed object. The remaining desired access mask is extracted from the AccessState parameter and passes to the appropriate security routine to perform the access check. If the access attempt is successful, SeAccessCheck returns a mask containing the granted accesses. The bits in this mask are turned on in the PreviouslyGrantedAccess field of the AccessState, and are turned off in the RemainingDesiredAccess field. This routine differs from ObpCheckObjectAccess in that it calls a different audit routine. Arguments: Object - The object being examined. AccessState - The ACCESS_STATE structure containing accumulated information about the current attempt to gain access to the object. TypeMutexLocked - Indicates whether the type mutex for this object's type is locked. The type mutex is used to protect the object's security descriptor from being modified while it is being accessed. AccessMode - The previous processor mode. AccessStatus - Pointer to a variable to return the status code of the access attempt. In the case of failure this status code must be propagated back to the user. Return Value: BOOLEAN - TRUE if access is allowed and FALSE otherwise --*/ { BOOLEAN AccessAllowed; ACCESS_MASK GrantedAccess = 0; BOOLEAN MemoryAllocated; PSECURITY_DESCRIPTOR SecurityDescriptor; NTSTATUS Status; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; PPRIVILEGE_SET Privileges = NULL; PAGED_CODE(); // // Map the object body to an object header and the // corresponding object type // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); ObjectType = ObjectHeader->Type; // // If the caller does not have the object type locked // then lock it down // if (!TypeMutexLocked) { ObpEnterObjectTypeMutex( ObjectType ); } // // Obtain the object's security descriptor // Status = ObGetObjectSecurity( Object, &SecurityDescriptor, &MemoryAllocated ); // // If we failed in getting the security descriptor then // put the object type lock back where it was and return // the error back to our caller // if (!NT_SUCCESS( Status )) { if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } *AccessStatus = Status; return( FALSE ); } // // Lock the caller's tokens until after auditing has been // performed. // SeLockSubjectContext( &AccessState->SubjectSecurityContext ); // // Do the access check, and if we have some privileges then // put those in the access state too. // AccessAllowed = SeAccessCheck( SecurityDescriptor, &AccessState->SubjectSecurityContext, TRUE, // Tokens are locked AccessState->RemainingDesiredAccess, AccessState->PreviouslyGrantedAccess, &Privileges, &ObjectType->TypeInfo.GenericMapping, AccessMode, &GrantedAccess, AccessStatus ); if (AccessAllowed) { AccessState->PreviouslyGrantedAccess |= GrantedAccess; AccessState->RemainingDesiredAccess &= ~GrantedAccess; } // // If we have a security descriptor then call the security routine // to audit this reference and then unlock the caller's token // if ( SecurityDescriptor != NULL ) { SeObjectReferenceAuditAlarm( &AccessState->OperationID, Object, SecurityDescriptor, &AccessState->SubjectSecurityContext, AccessState->RemainingDesiredAccess | AccessState->PreviouslyGrantedAccess, ((PAUX_ACCESS_DATA)(AccessState->AuxData))->PrivilegesUsed, AccessAllowed, AccessMode ); } SeUnlockSubjectContext( &AccessState->SubjectSecurityContext ); // // If the caller didn't have the object type locked then remove // our lock // if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } // // Finally free the security descriptor // and return to our caller // ObReleaseObjectSecurity( SecurityDescriptor, MemoryAllocated ); return( AccessAllowed ); }

BOOLEAN ObpCheckTraverseAccess (  IN PVOID  DirectoryObject, IN ACCESS_MASK  TraverseAccess, IN PACCESS_STATE AccessState  OPTIONAL, IN BOOLEAN  TypeMutexLocked, IN KPROCESSOR_MODE  PreviousMode, OUT PNTSTATUS  AccessStatus )

Definition at line 778 of file obse.c. References FALSE, _OBJECT_TYPE_INITIALIZER::GenericMapping, NT_SUCCESS, NTSTATUS(), NULL, ObGetObjectSecurity(), OBJECT_TO_OBJECT_HEADER, ObpEnterObjectTypeMutex, ObpLeaveObjectTypeMutex, ObReleaseObjectSecurity(), PAGED_CODE, SeAccessCheck(), SeAppendPrivileges(), SeFastTraverseCheck(), SeFreePrivileges(), SeLockSubjectContext(), SeUnlockSubjectContext(), Status, TOKEN_IS_RESTRICTED, TRUE, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by ObpLookupObjectName(). : This routine checks for traverse access to the given directory object. Note that the contents of the AccessState structure are not modified, since it is assumed that this access check is incidental to another access operation. Arguments: DirectoryObject - The object body of the object being examined. TraverseAccess - The desired access to the object, most likely DIRECTORY TRAVERSE access. AccessState - Checks for traverse access will typically be incidental to some other access attempt. Information on the current state of that access attempt is required so that the constituent access attempts may be associated with each other in the audit log. This is an OPTIONAL parameter, in which case the call will success ONLY if the Directory Object grants World traverse access rights. TypeMutexLocked - Indicates whether the type mutex for this object's type is locked. The type mutex is used to protect the object's security descriptor from being modified while it is being accessed. PreviousMode - The previous processor mode. AccessStatus - Pointer to a variable to return the status code of the access attempt. In the case of failure this status code must be propagated back to the user. Return Value: BOOLEAN - TRUE if access is allowed and FALSE otherwise. AccessStatus contains the status code to be passed back to the caller. It is not correct to simply pass back STATUS_ACCESS_DENIED, since this will have to change with the advent of mandatory access control. --*/ { BOOLEAN AccessAllowed; ACCESS_MASK GrantedAccess = 0; PSECURITY_DESCRIPTOR SecurityDescriptor; BOOLEAN MemoryAllocated; NTSTATUS Status; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; BOOLEAN SubjectContextLocked = FALSE; PPRIVILEGE_SET Privileges = NULL; PAGED_CODE(); // // Map the object body to an object header and corresponding // object type // ObjectHeader = OBJECT_TO_OBJECT_HEADER( DirectoryObject ); ObjectType = ObjectHeader->Type; // // If the caller hasn't locked down the object type then // lock it down now // if (!TypeMutexLocked) { ObpEnterObjectTypeMutex( ObjectType ); } // // Obtain the object's security descriptor and make it was // successful // Status = ObGetObjectSecurity( DirectoryObject, &SecurityDescriptor, &MemoryAllocated ); if (!NT_SUCCESS( Status )) { if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } *AccessStatus = Status; return( FALSE ); } // // Check to see if WORLD has TRAVERSE access, by seeing if the // token is restricted or the fast traverse check fails meaning // that the world does not have traverse access // if (((AccessState->Flags & TOKEN_IS_RESTRICTED) != 0) || (!SeFastTraverseCheck( SecurityDescriptor, DIRECTORY_TRAVERSE, PreviousMode ))) { // // SeFastTraverseCheck could be modified to tell us that // no one has any access to this directory. However, // we're going to have to fail this entire call if // that is the case, so we really don't need to worry // all that much about making it blindingly fast. // if (ARGUMENT_PRESENT( AccessState )) { // // The world does not have traverse access and we have // the client's access state so lock down the client's // token and then do the access check, appending privileges // if present. The access check will give the answer // we return back to our caller // SeLockSubjectContext( &AccessState->SubjectSecurityContext ); SubjectContextLocked = TRUE; AccessAllowed = SeAccessCheck( SecurityDescriptor, &AccessState->SubjectSecurityContext, TRUE, // Tokens are locked TraverseAccess, 0, &Privileges, &ObjectType->TypeInfo.GenericMapping, PreviousMode, &GrantedAccess, AccessStatus ); if (Privileges != NULL) { Status = SeAppendPrivileges( AccessState, Privileges ); SeFreePrivileges( Privileges ); } } } else { // // At this point the world has traverse access // AccessAllowed = TRUE; } // // If the client's token is locked then now we can unlock it // // **** this should be able to move up into the preceding clause // where it is locked // if ( SubjectContextLocked ) { SeUnlockSubjectContext( &AccessState->SubjectSecurityContext ); } // // If the caller did not lock the object type then we // now need to unlock it // if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } // // Finally free the security descriptor // and then return to our caller // ObReleaseObjectSecurity( SecurityDescriptor, MemoryAllocated ); return( AccessAllowed ); }

NTSTATUS ObpValidateAccessMask (  PACCESS_STATE  AccessState  )

Definition at line 1886 of file obse.c. References NULL, PAGED_CODE, _ACCESS_STATE::PreviouslyGrantedAccess, _ACCESS_STATE::RemainingDesiredAccess, and _ACCESS_STATE::SecurityDescriptor. Referenced by ObInsertObject(), and ObOpenObjectByName(). : Checks the desired access mask of a passed object against the passed security descriptor. Arguments: AccessState - A pointer to the AccessState for the pending operation. Return Value: Only returns STATUS_SUCCESS --*/ { SECURITY_DESCRIPTOR *SecurityDescriptor = AccessState->SecurityDescriptor; PAGED_CODE(); // // First make sure the access state has a security descriptor. If there // is one and it has a system acl and the previously granted access did // not include system security then add the fact that we want system // security to the remaining desired access state. // if (SecurityDescriptor != NULL) { if ( SecurityDescriptor->Control & SE_SACL_PRESENT ) { if ( !(AccessState->PreviouslyGrantedAccess & ACCESS_SYSTEM_SECURITY)) { AccessState->RemainingDesiredAccess |= ACCESS_SYSTEM_SECURITY; } } } return( STATUS_SUCCESS ); }

NTSTATUS ObQuerySecurityDescriptorInfo (  IN PSECURITY_INFORMATION  SecurityInformation, OUT PSECURITY_DESCRIPTOR  SecurityDescriptor, IN OUT PULONG  Length, IN PSECURITY_DESCRIPTOR *  ObjectsSecurityDescriptor )

Definition at line 1679 of file obse.c. References NTSTATUS(), ObpAcquireDescriptorCacheReadLock(), ObpReleaseDescriptorCacheLock(), PAGED_CODE, SeQuerySecurityDescriptorInfo(), and Status. Referenced by SeDefaultObjectMethod(). : This routine will extract the desired information from the passed security descriptor and return the information in the passed buffer as a security descriptor in self-relative format. This routine assumes that all parameters are captured and safe to reference. Arguments: SecurityInformation - Specifies what information is being queried. SecurityDescriptor - Supplies the buffer to output the requested information into. This buffer has been probed only to the size indicated by the Length parameter. Since it still points into user space, it must always be accessed in a try clause. Length - Supplies the address of a variable containing the length of the security descriptor buffer. Upon return this variable will contain the length needed to store the requested information. ObjectsSecurityDescriptor - Supplies the address of a pointer to the objects security descriptor. The passed security descriptor must be in self-relative format. Return Value: NTSTATUS - STATUS_SUCCESS if successful and an appropriate error value otherwise --*/ { NTSTATUS Status; PAGED_CODE(); // // Take the read lock on the security descriptor cache so we // don't collide with anyone who is modifying this security // descriptor (bug 347986). // ObpAcquireDescriptorCacheReadLock(); Status = SeQuerySecurityDescriptorInfo( SecurityInformation, SecurityDescriptor, Length, ObjectsSecurityDescriptor ); ObpReleaseDescriptorCacheLock(); return( Status ); }

VOID ObReleaseObjectSecurity (  IN PSECURITY_DESCRIPTOR  SecurityDescriptor, IN BOOLEAN  MemoryAllocated )

Definition at line 1418 of file obse.c. References ExFreePool(), NULL, ObpDereferenceSecurityDescriptor(), and PAGED_CODE. Referenced by ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObInsertObject(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), ObpProcessDosDeviceSymbolicLink(), PspCreateProcess(), PspCreateThread(), and PspSetPrimaryToken(). : This function will free up any memory associated with a queried security descriptor. This undoes the function ObGetObjectSecurity Arguments: SecurityDescriptor - Supplies a pointer to the security descriptor to be freed. MemoryAllocated - Supplies whether or not we should free the memory pointed to by SecurityDescriptor. Return Value: None. --*/ { PAGED_CODE(); // // Check if there is a security descriptor to actually free // if ( SecurityDescriptor != NULL ) { // // If ObGetObjectSecurity allocated memory then we // need to free it. Otherwise what the earlier routine did // was reference the object to keep the security descriptor // to keep it from going away // if (MemoryAllocated) { ExFreePool( SecurityDescriptor ); } else { ObpDereferenceSecurityDescriptor( SecurityDescriptor ); } } }

NTSTATUS ObSetSecurityDescriptorInfo (  IN PVOID  Object, IN PSECURITY_INFORMATION  SecurityInformation, IN OUT PSECURITY_DESCRIPTOR  SecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR *  ObjectsSecurityDescriptor, IN POOL_TYPE  PoolType, IN PGENERIC_MAPPING  GenericMapping )

Definition at line 1748 of file obse.c. References ExFreePool(), NT_SUCCESS, NTSTATUS(), OBJECT_TO_OBJECT_HEADER, ObpAcquireDescriptorCacheWriteLock(), ObpDereferenceSecurityDescriptor(), ObpDirectoryObjectType, ObpLogSecurityDescriptor(), ObpReleaseDescriptorCacheLock(), PAGED_CODE, SeFastTraverseCheck(), SeSetSecurityDescriptorInfo(), Status, and UserMode. Referenced by SeDefaultObjectMethod(), and xxxCreateWindowStation(). : Sets the security descriptor on an already secure object. Arguments: Object - Pointer to the object being modified. SecurityInformation - Describes which information in the SecurityDescriptor parameter is relevent. SecurityDescriptor - Provides the new security information. ObjectsSecurityDescriptor - Provides/returns the object's security descriptor. PoolType - The pool the ObjectSecurityDescriptor is allocated from. GenericMapping - Supplies the generic mapping for the object. Return Value: An appropriate status value --*/ { PSECURITY_DESCRIPTOR OldDescriptor; PSECURITY_DESCRIPTOR NewDescriptor; NTSTATUS Status; PAGED_CODE(); // // Check the rest of our input and call the default set security // method. Also make sure no one is modifying the security descriptor // while we're looking at it. // ObpAcquireDescriptorCacheWriteLock(); OldDescriptor = *ObjectsSecurityDescriptor; NewDescriptor = OldDescriptor; Status = SeSetSecurityDescriptorInfo( Object, SecurityInformation, SecurityDescriptor, &NewDescriptor, PoolType, GenericMapping ); // // Now if the object is an object directory object that // participated in snapped symbolic links. If so and the // new security on the object does NOT allow world traverse // access, then return an error, as it is too late to change // the security on the object directory at this point. // if (NT_SUCCESS( Status ) && (OBJECT_TO_OBJECT_HEADER( Object )->Type == ObpDirectoryObjectType) && (((POBJECT_DIRECTORY)Object)->SymbolicLinkUsageCount != 0) && !SeFastTraverseCheck( NewDescriptor, DIRECTORY_TRAVERSE, UserMode )) { KdPrint(( "OB: Failing attempt the remove world traverse access from object directory\n" )); ExFreePool( NewDescriptor ); Status = STATUS_INVALID_PARAMETER; } // // If we successfully set the new security descriptor then we // need to log it in our database and get yet another pointer // to the finaly security descriptor // if ( NT_SUCCESS( Status )) { Status = ObpLogSecurityDescriptor( NewDescriptor, ObjectsSecurityDescriptor ); ObpReleaseDescriptorCacheLock(); if ( NT_SUCCESS( Status )) { // // Dereference old SecurityDescriptor and insert new one // ObpDereferenceSecurityDescriptor( OldDescriptor ); } else { // // We failed logging the new security descriptor. // Clean up and fail the entire operation. // ExFreePool( NewDescriptor ); } } else { // // Release the security descriptor lock // ObpReleaseDescriptorCacheLock(); } // // And return to our caller // return( Status ); }

NTSTATUS ObSetSecurityObjectByPointer (  IN PVOID  Object, IN SECURITY_INFORMATION  SecurityInformation, IN PSECURITY_DESCRIPTOR  SecurityDescriptor )

Definition at line 174 of file obse.c. References ASSERT, _OBJECT_TYPE_INITIALIZER::GenericMapping, NTSTATUS(), NULL, OBJECT_TO_OBJECT_HEADER, PAGED_CODE, _OBJECT_TYPE_INITIALIZER::PoolType, _OBJECT_HEADER::SecurityDescriptor, _OBJECT_TYPE_INITIALIZER::SecurityProcedure, SetSecurityDescriptor, Status, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by IopChangeDeviceObjectFromRegistryProperties(), IopSetSecurityObjectFromRegistry(), and NtSetSecurityObject(). : This routine is used to invoke an object's security routine. It is used to set the object's security state. This routine is accessible only to the kernel and assumes that all necessary validation of parameters has been done by the caller. Arguments: Object - Supplies the pointer for the object being modified SecurityInformation - Indicates the type of information we are interested in setting. e.g., owner, group, dacl, or sacl. SecurityDescriptor - Supplies the security descriptor for the object being modified. Return Value: An appropriate NTSTATUS value --*/ { NTSTATUS Status; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; PAGED_CODE(); // DbgPrint("ObSetSecurityObjectByPointer called for object %#08lx with info " // "%x and descriptor %#08lx\n", // Object, SecurityInformation, SecurityDescriptor); // // Map the object body to an object header and the corresponding // object type // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); ObjectType = ObjectHeader->Type; // // Make sure the passed security descriptor is really there. // ASSERT(ARGUMENT_PRESENT( SecurityDescriptor )); // // Now invoke the security procedure call back to set the security // descriptor for the object // Status = (ObjectType->TypeInfo.SecurityProcedure) ( Object, SetSecurityDescriptor, &SecurityInformation, SecurityDescriptor, NULL, &ObjectHeader->SecurityDescriptor, ObjectType->TypeInfo.PoolType, &ObjectType->TypeInfo.GenericMapping ); // DbgPrint("ObSetSecurityObjectByPointer: object security routine returned " // "%#08lx\n", Status); return( Status ); }

NTSTATUS ObValidateSecurityQuota (  IN PVOID  Object, IN ULONG  NewSize )

Definition at line 1473 of file obse.c. References _OBJECT_HEADER::Flags, NULL, OB_FLAG_DEFAULT_SECURITY_QUOTA, OBJECT_HEADER_TO_QUOTA_INFO, OBJECT_TO_OBJECT_HEADER, PAGED_CODE, SE_DEFAULT_SECURITY_QUOTA, and _OBJECT_HEADER_QUOTA_INFO::SecurityDescriptorCharge. Referenced by RtlpSetSecurityObject(). : This routine will check to see if the new security information is larger than is allowed by the object's pre-allocated quota. Arguments: Object - Supplies a pointer to the object whose information is to be modified. NewSize - Supplies the size of the proposed new security information. Return Value: STATUS_SUCCESS - New size is within alloted quota. STATUS_QUOTA_EXCEEDED - The desired adjustment would have exceeded the permitted security quota for this object. --*/ { POBJECT_HEADER ObjectHeader; POBJECT_HEADER_QUOTA_INFO QuotaInfo; PAGED_CODE(); // // Map the object body to its object header and corresponding // quota information block // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); QuotaInfo = OBJECT_HEADER_TO_QUOTA_INFO( ObjectHeader ); // // If there isn't any quota info and the new size is greater // then the default security quota then if the object uses // the default value then we've exceeded quota otherwise // let the caller get the quota // if ((QuotaInfo == NULL) && (NewSize > SE_DEFAULT_SECURITY_QUOTA)) { if (!(ObjectHeader->Flags & OB_FLAG_DEFAULT_SECURITY_QUOTA)) { // // Should really charge quota here. // return( STATUS_SUCCESS ); } return( STATUS_QUOTA_EXCEEDED ); // // If the quota is not null and the new size is greater than the // allowed quota charge then if the charge is zero we grant the // request otherwise we've exceeded quota. // // **** this logic seems wierd // } else if ((QuotaInfo != NULL) && (NewSize > QuotaInfo->SecurityDescriptorCharge)) { if (QuotaInfo->SecurityDescriptorCharge == 0) { // // Should really charge quota here. // // QuotaInfo->SecurityDescriptorCharge = SeComputeSecurityQuota( NewSize ); return( STATUS_SUCCESS ); } return( STATUS_QUOTA_EXCEEDED ); // // Otherwise we have two cases. (1) there isn't any quota info but // the size is within limits or (2) there is a quota info block and // the size is within the specified security descriptor charge so // return success to our caller // } else { return( STATUS_SUCCESS ); } }

---