
tokenp.h

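/*++

Copyright (c) 1989  Microsoft Corporation

Module Name:

    tokenp.h

Abstract:

    This module contains the internal (private) declarations needed by the
    TOKEN object routines.

    It also contains global variables needed by the TOKEN object routines.

Author:

    Jim Kelly (JimK) 18-May-1990

Revision History:

    v10: robertre
        Added SepAccessCheck and SepPrivilegeCheck prototypes
    v11: robertre
        Added parameter to SepAccessCheck

--*/

#ifndef _TOKENP_
#define _TOKENP_

//#define TOKEN_DEBUG

#include "ntos.h"
#include "sep.h"
#include "seopaque.h"


////////////////////////////////////////////////////////////////////////
//                                                                    //
//                         Token Diagnostics                          //
//                                                                    //
////////////////////////////////////////////////////////////////////////

#if DBG
#define TOKEN_DIAGNOSTICS_ENABLED 1
#endif // DBG


//
// These definitions are useful diagnostics aids.
//
// Every conditional below tests TOKEN_DIAGNOSTICS_ENABLED with "#if" rather
// than "#ifdef"/"#ifndef", so that an explicit "#define
// TOKEN_DIAGNOSTICS_ENABLED 0" turns diagnostics off everywhere in this
// header instead of selecting the diagnostic branch in one place and the
// non-diagnostic branch in another.
//

#if TOKEN_DIAGNOSTICS_ENABLED

//
// Test for enabled diagnostic.
//
// Expands to an "if" header only; the caller supplies the guarded
// statement or block immediately after it.
//

#define IF_TOKEN_GLOBAL( FlagName ) \
    if (TokenGlobalFlag & (TOKEN_DIAG_##FlagName))

//
// Diagnostics print statement.
//
// _Text_ is a parenthesized DbgPrint argument list, e.g. ("fmt\n", arg).
// The expansion is wrapped in do/while(0) so that it is a single statement
// and cannot capture an "else" that follows the invocation.
//

#define TokenDiagPrint( FlagName, _Text_ ) \
    do { IF_TOKEN_GLOBAL( FlagName ) DbgPrint _Text_ ; } while (0)


#else // !TOKEN_DIAGNOSTICS_ENABLED

//
// No diagnostics included in build
//


//
// Test for diagnostics enabled
//

#define IF_TOKEN_GLOBAL( FlagName ) if (FALSE)

//
// Diagnostics print statement (expands to a no-op statement)
//

#define TokenDiagPrint( FlagName, _Text_ ) ((void)0)

#endif // TOKEN_DIAGNOSTICS_ENABLED


//
// The following flags enable or disable various diagnostic
// capabilities within token code.  These flags are set in
// TokenGlobalFlag (only available within a DBG system).
//
//
//      TOKEN_LOCKS - Display information about acquisition and freeing
//          of token locks.
//

#define TOKEN_DIAG_TOKEN_LOCKS    ((ULONG) 0x00000001L)


////////////////////////////////////////////////////////////////////////
//                                                                    //
//                      Token Related Constants                       //
//                                                                    //
////////////////////////////////////////////////////////////////////////

//
// By default, a token is charged the following for its dynamic component.
// The dynamic component houses the default ACL and primary group ID.
// If the size of these parameters passed upon token creation are larger
// than this default, then the larger value will be charged.
//

#define TOKEN_DEFAULT_DYNAMIC_CHARGE 500


////////////////////////////////////////////////////////////////////////
//                                                                    //
//                         Token Object Body                          //
//                                                                    //
////////////////////////////////////////////////////////////////////////

//
// Tokens have three parts:
//
//        Fixed part of body,
//        Variable part of body,
//        Dynamic part (not in body).
//
// The fixed and variable parts are allocated in a single block of memory.
// The dynamic part is a separately allocated block of memory.
//
// The fixed part of the body contains the fixed length fields.  These
// are defined in the TOKEN data type.
//
// The variable part of the body is variable in length and contains
// privileges and user/group SIDs.  This part is variable in length
// between different token objects, but does not change once established
// for an individual token.
//
// The dynamic part is used to house default discretionary ACL information
// and the primary group ID.
//
// Pictorially, a token looks like:
//
//          ==============   +---------------+
//               ^           |               |
//               |           |               |
//               |           |               |
//               |           | DynamicPart   o-----------+
//               |           |- - - - - - - -|           |
//               +-----o     | Privileges    |           |
//        Token    |         |- - - - - - - -|           |
//        Body     |  +--o   | UserAndGroups |           |
//               | |  |      |- - - - - - - -|           |
//               | |  | +--o | RestrictedSids|          \|/
//               | |  | |    |- - - - - - - -|   +---------------------+
//               | |  | |    | PrimaryGroup  o-->| [Primary Group SID] |
//               | |  | |    |- - - - - - - -|   |          o          |
//               | |  | |    | DefaultAcl    o-+ |          o          |
//               | |  | |    |- - - - - - - -| | |          o          |
//               | |  | |    |      o        | | |- - - - - - - - - - -|
//               | |  | |    |      o        | +>|  [ Default Acl ]    |
//               v |  | |    |      o        |   |          o          |
//          ==============   |===============|   |          o          |
//               ^ |  +->    | SIDs Array    |   |          o          |
//               | |    |    | [User SID ]   |   +---------------------+
//               | |    |    | [Group SID ]  |
//               | |    |    | [Group SID ]  |
//        Variable |    +--->| [Rest. Sid ]  |
//        Part     |         |      o        |
//               | |         |- - - - - - - -|
//               | +-------->| Privileges    |
//               |           |   Array       |
//               v           |               |
//          ==============   +---------------+
//
// WARNING:  The positions of fields illustrated in this picture are not
//           intended to reflect their actual or even relative positions
//           within the real data structures.  The exception to this is
//           that THE USER SID IS THE FIRST SID IN THE UserAndGroups
//           ARRAY.
//


//
//  ! ! ! !  IMPORTANT  ! ! ! !
//
//  The access validation routines assume the SIDs are arranged
//  in a particular order within the variable part of the token.
//  Any changes to the order of the SIDs must be coordinated with
//  corresponding changes to the access validation routines.
//
//  ! ! ! !  ! ! ! ! !  ! ! ! !
//


//
// The in-memory body of a TOKEN object.
//
// Field order is part of the object's layout contract: fields are arranged
// by size to preserve alignment, and VariablePart must remain the last
// field because it marks where the variable part begins.  Do not reorder.
//

typedef struct _TOKEN {

    //
    // Fields arranged by size to preserve alignment.
    // Large fields before small fields.
    //


    //
    // The following fields are either ReadOnly or ReadWrite.
    // ReadOnly fields may be referenced any time a pointer to the
    // token is still valid.  ReadWrite fields may only be referenced
    // when the TokenLock is held.

    // The dynamic part of the token (pointed to by the DynamicPart field)
    // is also protected by the token lock.
    //
    // ReadOnly fields are marked Ro: in their comment.
    // ReadWrite fields are marked Wr: in their comment.
    //

    TOKEN_SOURCE TokenSource;                       // Ro: 16-Bytes

    LUID TokenId;                                   // Ro: 8-Bytes
    LUID AuthenticationId;                          // Ro: 8-Bytes
    LUID ParentTokenId;                             // Ro: 8-Bytes
    LARGE_INTEGER ExpirationTime;                   // Ro: 8-Bytes

    //
    // Each time the security information in a token is changed, the
    // following ID is changed.  Fields that cause this field to be
    // updated are marked as (Mod) in their comment field.
    //

    LUID ModifiedId;                                // Wr: 8-Bytes

    ULONG SessionId;                                // Wr: 4-bytes
    ULONG UserAndGroupCount;                        // Ro: 4-Bytes
    ULONG RestrictedSidCount;                       // Ro: 4-Bytes
    ULONG PrivilegeCount;                           // Ro: 4-Bytes
    ULONG VariableLength;                           // Ro: 4-Bytes
    ULONG DynamicCharged;                           // Ro: 4-Bytes

    ULONG DynamicAvailable;                         // Wr: 4-Bytes (Mod)
    ULONG DefaultOwnerIndex;                        // Wr: 4-Bytes (Mod)
    PSID_AND_ATTRIBUTES UserAndGroups;              // Wr: 4-Bytes (Mod)
    PSID_AND_ATTRIBUTES RestrictedSids;             // Ro: 4-Bytes
    PSID PrimaryGroup;                              // Wr: 4-Bytes (Mod)
    PLUID_AND_ATTRIBUTES Privileges;                // Wr: 4-Bytes (Mod)
    PULONG DynamicPart;                             // Wr: 4-Bytes (Mod)
    PACL DefaultDacl;                               // Wr: 4-Bytes (Mod)



    TOKEN_TYPE TokenType;                           // Ro: 1-Byte
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;// Ro: 1-Byte

    UCHAR TokenFlags;                               // Ro: 1-Byte
    BOOLEAN TokenInUse;                             // Wr: 1-Byte

    PSECURITY_TOKEN_PROXY_DATA ProxyData;           // Ro: 4-Bytes
    PSECURITY_TOKEN_AUDIT_DATA AuditData;           // Ro: 4-Bytes

    //
    // This marks the beginning of the variable part of the token.
    // It must follow all other fields in the token.
    //

    ULONG VariablePart;                             // Wr: 4-Bytes (Mod)

} TOKEN, * PTOKEN;

//
// Where:
//
//    TokenSource - Information provided by the executive component that
//        requested the logon that the token represents.
//
//
//    TokenId - Is an LUID value.  Each token object has a uniquely
//        assigned LUID.
//
//
//    AuthenticationId - Is the LUID assigned by the domain controller for
//        the logon session.
//
//
//    ParentTokenId - Is an LUID.  NOTE(review): presumably the TokenId of
//        the token this one was derived from; not established by this
//        header, confirm against the token creation routines.
//
//
//    ExpirationTime - Not yet supported in NT.
//
//
//    ModifiedId - Is an LUID which is changed each time a modification is
//        made to this token which changes the security semantics of the
//        token.  This includes enabling/disabling privileges and groups
//        and changing default ACLs, et cetera.  Any token which is a
//        duplicate of this token will have the same ModifiedId (until
//        one or the other is changed).  This does not cover changes to
//        non-security semantics fields, like TokenInUse.
//        See SepReleaseTokenWriteLock() for how it is regenerated.
//
//
//    SessionId - Terminal-services style session identifier.  NOTE(review):
//        marked Wr:, so it may only be written under the token lock; its
//        exact semantics are not established by this header.
//
//
//    UserAndGroupCount - Indicates the number of user/group IDs in this token.
//        This value must be at least 1.  A value of 1 indicates a user
//        ID with no supplemental group IDs.  A value of 5 indicates a
//        user ID and 4 supplemental group IDs.
//
//    RestrictedSidCount - Number of entries in the RestrictedSids array.
//        May be zero.
//
//    PrivilegeCount - Indicates how many privileges are included in
//        this token.  May be zero or larger.
//
//    VariableLength - Length of the variable part of the token body
//        (NOTE(review): presumably in bytes; confirm against the creation
//        routines).  Read-only once the token is established.
//
//    TokenType - Indicates which type of token this token object is.
//
//    ImpersonationLevel - For TokenImpersonation type tokens, this field
//        indicates the impersonation level.  For TokenPrimary type tokens,
//        this field is ignored.
//
//    DynamicCharged - Indicates how much pool quota has been charged
//        for the dynamic portion of this token.
//
//    DynamicAvailable - Indicates how much of the charged quota is still
//        available for use.  This is modified when pool associated
//        with the dynamic portion of the token is allocated or freed,
//        such as when the default DACL or primary group is replaced.
//
//
//    DefaultOwnerIndex - If non-zero, identifies an ID that has explicitly
//        been established as the default owner for this token.  If it is zero,
//        the standard default (user ID) is used as the default owner.
//
//    UserAndGroups - Points to an array of SID_AND_ATTRIBUTES.  The first
//        element in this array is the token's user ID.  Any additional
//        elements are those of groups.  The number of entries in this
//        array is UserAndGroupCount, i.e. one greater than the number of
//        supplemental group IDs.
//
//    RestrictedSids - Points to an array of RestrictedSidCount
//        SID_AND_ATTRIBUTES entries that live in the variable part
//        alongside the user and group SIDs (see the picture above).
//        Read-only once established; see SepFilterToken().
//
//    PrimaryGroup - Points to an SID that is to be used as the primary
//        group of the token.  There are no value restrictions
//        placed upon what can be used as a primary group.  This
//        SID is not one of user or group IDs (although it may have the
//        same value as one of those IDs).
//
//    Privileges - Points to an array of privileges represented as
//        LUID_AND_ATTRIBUTES.  The number of elements in this array
//        is contained in the PrivilegeCount field.
//
//    DynamicPart - Points to the separately allocated dynamic part of the
//        token, which houses the default DACL and primary group.  Access
//        to the dynamic part is protected by the token lock.
//
//    DefaultDacl - Points to the token's default discretionary ACL, which
//        lives in the dynamic part.  See SepAppendDefaultDacl() and
//        SepFreeDefaultDacl().
//
//    TokenFlags - UCHAR of token flags.  NOTE(review): the original
//        comment claimed 4 bytes, but the declared type is one byte.
//
//    TokenInUse - Is a boolean that indicates whether a primary token
//        is already in use by a process.  This field value is only
//        valid for primary tokens.
//
//    ProxyData - Optionally points to a Proxy data structure, containing
//        the information to be passed to AVR routines by file systems.
//        This field being non-null identifies the token as a proxy token.
//
//    AuditData - Optionally points to an Audit data structure, containing
//        global auditing data for this subject.
//
//        NOTE: Access to this field is guarded by the global
//              PROCESS SECURITY FIELDS LOCK.
//
//    VariablePart - Is the beginning of the variable part of the token.
//


////////////////////////////////////////////////////////////////////////
//
// Internal version of Object Type list
//
////////////////////////////////////////////////////////////////////////

//
// One entry of the captured (kernel-owned) object type list used by
// SepAccessCheck().  Level/ParentIndex describe the tree position;
// the Remaining/CurrentGranted/CurrentDenied masks accumulate the
// per-node result of the access check.
//

typedef struct _IOBJECT_TYPE_LIST {
    USHORT Level;
    USHORT Flags;
#define OBJECT_SUCCESS_AUDIT 0x1
#define OBJECT_FAILURE_AUDIT 0x2
    GUID ObjectType;
    LONG ParentIndex;
    ULONG Remaining;
    ULONG CurrentGranted;
    ULONG CurrentDenied;
} IOBJECT_TYPE_LIST, *PIOBJECT_TYPE_LIST;

//
// Copies a caller-supplied object type list into a kernel-owned
// IOBJECT_TYPE_LIST so that a user-mode caller cannot change it after
// validation.  The captured list must be released with
// SeFreeCapturedObjectTypeList().
//

NTSTATUS
SeCaptureObjectTypeList (
    IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
    IN ULONG ObjectTypeListLength,
    IN KPROCESSOR_MODE RequestorMode,
    OUT PIOBJECT_TYPE_LIST *CapturedObjectTypeList
    );

VOID
SeFreeCapturedObjectTypeList(
    IN PVOID ObjectTypeList
    );


////////////////////////////////////////////////////////////////////////
//                                                                    //
//                       Token Specific Macros                        //
//                                                                    //
////////////////////////////////////////////////////////////////////////


//
// Token lock macros.
//
// All tokens share the single global ERESOURCE SepTokenLock; the (T)
// argument is used only for diagnostic output.  Each macro is wrapped in
// do/while(0) so that it expands to exactly one statement: the original
// two-statement expansions would have left the second statement outside
// an unbraced "if" body.
//
// Callers must acquire the write lock before touching any Wr: field, and
// the read lock before reading one.
//

#if TOKEN_DIAGNOSTICS_ENABLED

#define SepAcquireTokenReadLock(T)                                                              \
    do {                                                                                        \
        if (TokenGlobalFlag & TOKEN_DIAG_TOKEN_LOCKS) {                                         \
            DbgPrint("SE (Token): Acquiring Token READ Lock for access to token 0x%lx\n", (T)); \
        }                                                                                       \
        KeEnterCriticalRegion();                                                                \
        ExAcquireResourceShared(&SepTokenLock, TRUE);                                           \
    } while (0)

#define SepAcquireTokenWriteLock(T)                                                                                                   \
    do {                                                                                                                              \
        if (TokenGlobalFlag & TOKEN_DIAG_TOKEN_LOCKS) {                                                                               \
            DbgPrint("SE (Token): Acquiring Token WRITE Lock for access to token 0x%lx ********************* EXCLUSIVE *****\n", (T)); \
        }                                                                                                                             \
        KeEnterCriticalRegion();                                                                                                      \
        ExAcquireResourceExclusive(&SepTokenLock, TRUE);                                                                              \
    } while (0)

#define SepReleaseTokenReadLock(T)                                                            \
    do {                                                                                      \
        if (TokenGlobalFlag & TOKEN_DIAG_TOKEN_LOCKS) {                                       \
            DbgPrint("SE (Token): Releasing Token Lock for access to token 0x%lx\n", (T));    \
        }                                                                                     \
        ExReleaseResource(&SepTokenLock);                                                     \
        KeLeaveCriticalRegion();                                                              \
    } while (0)

#else // !TOKEN_DIAGNOSTICS_ENABLED

#define SepAcquireTokenReadLock(T)                          \
    do {                                                    \
        KeEnterCriticalRegion();                            \
        ExAcquireResourceShared(&SepTokenLock, TRUE);       \
    } while (0)

#define SepAcquireTokenWriteLock(T)                         \
    do {                                                    \
        KeEnterCriticalRegion();                            \
        ExAcquireResourceExclusive(&SepTokenLock, TRUE);    \
    } while (0)

#define SepReleaseTokenReadLock(T)                          \
    do {                                                    \
        ExReleaseResource(&SepTokenLock);                   \
        KeLeaveCriticalRegion();                            \
    } while (0)

#endif // TOKEN_DIAGNOSTICS_ENABLED

//
// Release the write lock on token T.
//
// M must be non-zero whenever a field marked (Mod) was changed: a fresh
// ModifiedId is then allocated while the lock is still held, so that
// consumers comparing ModifiedId can detect that the token's security
// semantics changed.  The release itself goes through the read-lock
// release macro because both locks are the same ERESOURCE.
//

#define SepReleaseTokenWriteLock(T,M)                                       \
    do {                                                                    \
        if ((M)) {                                                          \
            ExAllocateLocallyUniqueId( &((PTOKEN)(T))->ModifiedId );        \
        }                                                                   \
        SepReleaseTokenReadLock( T );                                       \
    } while (0)

//
// Reference individual privilege attribute flags of any privilege array
//
//      P - is a pointer to an array of privileges (PLUID_AND_ATTRIBUTES)
//      I - is the index of the privilege
//

#define SepArrayPrivilegeAttributes(P,I) ( (P)[I].Attributes )

//
// Reference individual privilege attribute flags of token privileges
//
//      T - is a pointer to a token
//      I - is the index of the privilege
//

#define SepTokenPrivilegeAttributes(T,I) ( (T)->Privileges[I].Attributes )

//
// Reference individual group attribute flags of any group array
//
//      G - is a pointer to the array of groups (SID_AND_ATTRIBUTES[])
//      I - is the index of the group
//

#define SepArrayGroupAttributes(G,I) ( (G)[I].Attributes )


//
// Reference individual group attribute flags of token groups
//
//      T - is a pointer to a token
//      I - is the index of the group
//

#define SepTokenGroupAttributes(T,I) ( (T)->UserAndGroups[I].Attributes )


////////////////////////////////////////////////////////////////////////
//                                                                    //
//                    Private Routine Declarations                    //
//                                                                    //
////////////////////////////////////////////////////////////////////////

NTSTATUS
SepAdjustGroups(
    IN PTOKEN Token,
    IN BOOLEAN MakeChanges,
    IN BOOLEAN ResetToDefault,
    IN ULONG GroupCount OPTIONAL,
    IN PSID_AND_ATTRIBUTES NewState OPTIONAL,
    OUT PTOKEN_GROUPS PreviousState OPTIONAL,
    OUT PSID SidBuffer OPTIONAL,
    OUT PULONG ReturnLength,
    OUT PULONG ChangeCount,
    OUT PBOOLEAN ChangesMade
    );

NTSTATUS
SepAdjustPrivileges(
    IN PTOKEN Token,
    IN BOOLEAN MakeChanges,
    IN BOOLEAN DisableAllPrivileges,
    IN ULONG PrivilegeCount OPTIONAL,
    IN PLUID_AND_ATTRIBUTES NewState OPTIONAL,
    OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
    OUT PULONG ReturnLength,
    OUT PULONG ChangeCount,
    OUT PBOOLEAN ChangesMade
    );

VOID
SepAppendDefaultDacl(
    IN PTOKEN Token,
    IN PACL PAcl
    );

VOID
SepAppendPrimaryGroup(
    IN PTOKEN Token,
    IN PSID PSid
    );

NTSTATUS
SepDuplicateToken(
    IN PTOKEN ExistingToken,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN BOOLEAN EffectiveOnly,
    IN TOKEN_TYPE TokenType,
    IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel OPTIONAL,
    IN KPROCESSOR_MODE RequestorMode,
    OUT PTOKEN *DuplicateToken
    );

NTSTATUS
SepFilterToken(
    IN PTOKEN ExistingToken,
    IN KPROCESSOR_MODE RequestorMode,
    IN ULONG Flags,
    IN ULONG GroupCount,
    IN PSID_AND_ATTRIBUTES GroupsToDisable OPTIONAL,
    IN ULONG PrivilegeCount,
    IN PLUID_AND_ATTRIBUTES PrivilegesToDelete OPTIONAL,
    IN ULONG SidCount,
    IN PSID_AND_ATTRIBUTES RestrictedSids OPTIONAL,
    IN ULONG SidLength,
    OUT PTOKEN * FilteredToken
    );

BOOLEAN
SepSidInSidAndAttributes (
    IN PSID_AND_ATTRIBUTES SidAndAttributes,
    IN ULONG SidCount,
    IN PSID PrincipalSelfSid,
    IN PSID Sid
    );

VOID
SepRemoveDisabledGroupsAndPrivileges(
    IN PTOKEN Token,
    IN ULONG Flags,
    IN ULONG GroupCount,
    IN PSID_AND_ATTRIBUTES GroupsToDisable,
    IN ULONG PrivilegeCount,
    IN PLUID_AND_ATTRIBUTES PrivilegesToDelete
    );


VOID
SepFreeDefaultDacl(
    IN PTOKEN Token
    );

VOID
SepFreePrimaryGroup(
    IN PTOKEN Token
    );


BOOLEAN
SepIdAssignableAsOwner(
    IN PTOKEN Token,
    IN ULONG Index
    );

VOID
SepMakeTokenEffectiveOnly(
    IN PTOKEN Token
    );

BOOLEAN
SepTokenInitialization( VOID );


VOID
SepTokenDeleteMethod (
    IN PVOID Token
    );

//
// These are here because if they are placed in sep.h, we don't
// have the PTOKEN datatype available.
//

BOOLEAN
SepPrivilegeCheck(
    IN PTOKEN Token,
    IN OUT PLUID_AND_ATTRIBUTES RequiredPrivileges,
    IN ULONG RequiredPrivilegeCount,
    IN ULONG PrivilegeSetControl,
    IN KPROCESSOR_MODE PreviousMode
    );

VOID
SepAccessCheck (
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN PSID PrincipalSelfSid,
    IN PTOKEN PrimaryToken,
    IN PTOKEN ClientToken OPTIONAL,
    IN ACCESS_MASK DesiredAccess,
    IN PIOBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
    IN ULONG ObjectTypeListLength,
    IN PGENERIC_MAPPING GenericMapping,
    IN ACCESS_MASK PreviouslyGrantedAccess,
    IN KPROCESSOR_MODE PreviousMode,
    OUT PACCESS_MASK GrantedAccess,
    OUT PPRIVILEGE_SET *Privileges OPTIONAL,
    OUT PNTSTATUS AccessStatus,
    IN BOOLEAN ReturnResultList,
    OUT PBOOLEAN ReturnSomeAccessGranted,
    OUT PBOOLEAN ReturnSomeAccessDenied
    );

BOOLEAN
SepObjectInTypeList (
    IN GUID *ObjectType,
    IN PIOBJECT_TYPE_LIST ObjectTypeList,
    IN ULONG ObjectTypeListLength,
    OUT PULONG ReturnedIndex
    );

#ifdef TOKEN_DEBUG
VOID
SepDumpToken(
    IN PTOKEN T
    );
#endif //TOKEN_DEBUG

////////////////////////////////////////////////////////////////////////
//                                                                    //
//                          Global Variables                          //
//                                                                    //
////////////////////////////////////////////////////////////////////////


extern GENERIC_MAPPING SepTokenMapping;
extern POBJECT_TYPE SepTokenObjectType;

//
// Single lock shared by every token object; see the lock macros above.
//

extern ERESOURCE SepTokenLock;


#if TOKEN_DIAGNOSTICS_ENABLED
extern ULONG TokenGlobalFlag;
#endif // TOKEN_DIAGNOSTICS_ENABLED


#endif // _TOKENP_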
