Main Page | Class Hierarchy | Class List | File List | Class Members | File Members

seglobal.c

Go to the documentation of this file.
00001 /*++
00002 
00003 Copyright (c) 1989  Microsoft Corporation
00004 
00005 Module Name:
00006 
00007     seglobal.c
00008 
00009 Abstract:
00010 
00011    This module contains the global variables used and exported by the security
00012    component.
00013 
00014 Author:
00015 
00016     Jim Kelly (JimK) 5-Aug-1990
00017 
00018 Environment:
00019 
00020     Kernel mode only.
00021 
00022 Revision History:
00023 
00024 
00025 --*/
00026 
00027 #include "sep.h"
00028 #include "adt.h"
00029 #include "seopaque.h"
00030 
00031 VOID
00032 SepInitializePrivilegeSets( VOID );
00033 
00034 
00035 VOID
00036 SepInitSystemDacls( VOID );
00037 
00038 
00039 #ifdef ALLOC_PRAGMA
00040 #pragma alloc_text(INIT,SepVariableInitialization)
00041 #pragma alloc_text(INIT,SepInitializePrivilegeSets)
00042 #pragma alloc_text(INIT,SepInitSystemDacls)
00043 #pragma alloc_text(INIT,SepInitializeWorkList)
00044 #pragma alloc_text(PAGE,SepAssemblePrivileges)
00045 #endif
00046 
00047 #ifdef    SE_DIAGNOSTICS_ENABLED
00048 
00049 //
00050 // Used to control the active SE diagnostic support provided
00051 //
00052 
00053 ULONG SeGlobalFlag = 0;
00054 
00055 #endif // SE_DIAGNOSTICS_ENABLED
00056 
00057 
00058 
00060 //                                                                    //
00061 //           Global, READ ONLY, Security variables                    //
00062 //                                                                    //
00064 
00065 //
00066 //  Authentication ID and source name used for system processes
00067 //
00068 
00069 TOKEN_SOURCE SeSystemTokenSource = {"*SYSTEM*", 0};
00070 LUID SeSystemAuthenticationId = SYSTEM_LUID;
00071 LUID SeAnonymousAuthenticationId = ANONYMOUS_LOGON_LUID;
00072 
00073 
00074 //
00075 // Universal well known SIDs
00076 //
00077 
00078 PSID  SeNullSid;
00079 PSID  SeWorldSid;
00080 PSID  SeLocalSid;
00081 PSID  SeCreatorOwnerSid;
00082 PSID  SeCreatorGroupSid;
00083 PSID  SeCreatorGroupServerSid;
00084 PSID  SeCreatorOwnerServerSid;
00085 
00086 //
00087 // Sids defined by NT
00088 //
00089 
00090 PSID SeNtAuthoritySid;
00091 
00092 PSID SeDialupSid;
00093 PSID SeNetworkSid;
00094 PSID SeBatchSid;
00095 PSID SeInteractiveSid;
00096 PSID SeServiceSid;
00097 PSID SePrincipalSelfSid;
00098 PSID SeLocalSystemSid;
00099 PSID SeAuthenticatedUsersSid;
00100 PSID SeAliasAdminsSid;
00101 PSID SeRestrictedSid;
00102 PSID SeAliasUsersSid;
00103 PSID SeAliasGuestsSid;
00104 PSID SeAliasPowerUsersSid;
00105 PSID SeAliasAccountOpsSid;
00106 PSID SeAliasSystemOpsSid;
00107 PSID SeAliasPrintOpsSid;
00108 PSID SeAliasBackupOpsSid;
00109 PSID SeAnonymousLogonSid;
00110 
00111 //
00112 // Well known tokens
00113 //
00114 
00115 PACCESS_TOKEN SeAnonymousLogonToken;
00116 
00117 //
00118 // System default DACLs & Security Descriptors
00119 //
00120 //  SePublicDefaultDacl     - Protects objects so that WORLD:E, Admins:ALL, System: ALL.
00121 //                            Not inherited by sub-objects.
00122 //
00123 //  SePublicDefaultUnrestrictedDacl - Protects objects so that WORLD:E, Admins:ALL, System: ALL, Restricted:E
00124 //                            Not inherited by sub-objects.
00125 //
00126 //  SePublicOpenDacl        - Protects so that WORLD can RWE and Admins: All.
00127 //                            Not inherited by sub-objects.
00128 //
00129 //  SePublicOpenUnrestrictedDacl - Protects so that WORLD can RWE and Admins: All, Restricted:RE
00130 //                            Not inherited by sub-objects.
00131 //
00132 //  SeSystemDefaultDacl     - Protects objects so that SYSTEM & ADMIN can use them.
00133 //                            Not inherited by subobjects.
00134 //
00135 //  SeUnrestrictedDacl      - Protects objects so that everyone AND unrestricted have full control
00136 //                            Not inherited by subobjects.
00137 //
00138 
00139 PSECURITY_DESCRIPTOR SePublicDefaultSd;
00140 SECURITY_DESCRIPTOR  SepPublicDefaultSd;
00141 PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd;
00142 SECURITY_DESCRIPTOR  SepPublicDefaultUnrestrictedSd;
00143 PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
00144 SECURITY_DESCRIPTOR  SepPublicOpenUnrestrictedSd;
00145 PSECURITY_DESCRIPTOR SePublicOpenSd;
00146 SECURITY_DESCRIPTOR  SepPublicOpenSd;
00147 PSECURITY_DESCRIPTOR SeSystemDefaultSd;
00148 SECURITY_DESCRIPTOR  SepSystemDefaultSd;
00149 PSECURITY_DESCRIPTOR SeUnrestrictedSd;
00150 SECURITY_DESCRIPTOR  SepUnrestrictedSd;
00151 
00152 PACL SePublicDefaultDacl;
00153 PACL SePublicDefaultUnrestrictedDacl;
00154 PACL SePublicOpenDacl;
00155 PACL SePublicOpenUnrestrictedDacl;
00156 PACL SeSystemDefaultDacl;
00157 PACL SeUnrestrictedDacl;
00158 
00159 //
00160 // Sid of primary domain, and admin account in that domain
00161 //
00162 
00163 PSID SepPrimaryDomainSid;
00164 PSID SepPrimaryDomainAdminSid;
00165 
00166 
00167 
00168 //
00169 //  Well known privilege values
00170 //
00171 
00172 
00173 LUID SeCreateTokenPrivilege;
00174 LUID SeAssignPrimaryTokenPrivilege;
00175 LUID SeLockMemoryPrivilege;
00176 LUID SeIncreaseQuotaPrivilege;
00177 LUID SeUnsolicitedInputPrivilege;
00178 LUID SeTcbPrivilege;
00179 LUID SeSecurityPrivilege;
00180 LUID SeTakeOwnershipPrivilege;
00181 LUID SeLoadDriverPrivilege;
00182 LUID SeCreatePagefilePrivilege;
00183 LUID SeIncreaseBasePriorityPrivilege;
00184 LUID SeSystemProfilePrivilege;
00185 LUID SeSystemtimePrivilege;
00186 LUID SeProfileSingleProcessPrivilege;
00187 LUID SeCreatePermanentPrivilege;
00188 LUID SeBackupPrivilege;
00189 LUID SeRestorePrivilege;
00190 LUID SeShutdownPrivilege;
00191 LUID SeDebugPrivilege;
00192 LUID SeAuditPrivilege;
00193 LUID SeSystemEnvironmentPrivilege;
00194 LUID SeChangeNotifyPrivilege;
00195 LUID SeRemoteShutdownPrivilege;
00196 LUID SeUndockPrivilege;
00197 LUID SeSyncAgentPrivilege;
00198 LUID SeEnableDelegationPrivilege;
00199 
00200 
00201 //
00202 // Define the following structures for export from the kernel.
00203 // This will allow us to export pointers to these structures
00204 // rather than a pointer for each element in the structure.
00205 //
00206 
00207 PSE_EXPORTS  SeExports;
00208 SE_EXPORTS SepExports;
00209 
00210 
00211 static SID_IDENTIFIER_AUTHORITY    SepNullSidAuthority    = SECURITY_NULL_SID_AUTHORITY;
00212 static SID_IDENTIFIER_AUTHORITY    SepWorldSidAuthority   = SECURITY_WORLD_SID_AUTHORITY;
00213 static SID_IDENTIFIER_AUTHORITY    SepLocalSidAuthority   = SECURITY_LOCAL_SID_AUTHORITY;
00214 static SID_IDENTIFIER_AUTHORITY    SepCreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY;
00215 static SID_IDENTIFIER_AUTHORITY    SepNtAuthority = SECURITY_NT_AUTHORITY;
00216 
00217 
00218 
00219 //
00220 // Some variables we are going to use to help speed up access
00221 // checking.
00222 //
00223 
00224 static ULONG SinglePrivilegeSetSize;
00225 static ULONG DoublePrivilegeSetSize;
00226 
00227 static PPRIVILEGE_SET SepSystemSecurityPrivilegeSet;
00228 static PPRIVILEGE_SET SepTakeOwnershipPrivilegeSet;
00229 static PPRIVILEGE_SET SepDoublePrivilegeSet;
00230 
00231 
00232 //
00233 // Array containing information describing what is to be audited
00234 //
00235 
00236 SE_AUDITING_STATE SeAuditingState[POLICY_AUDIT_EVENT_TYPE_COUNT] =
00237     {
00238         { FALSE, FALSE },
00239         { FALSE, FALSE },
00240         { FALSE, FALSE },
00241         { FALSE, FALSE },
00242         { FALSE, FALSE },
00243         { FALSE, FALSE },
00244         { FALSE, FALSE },
00245         { FALSE, FALSE },
00246         { FALSE, FALSE }
00247     };
00248 
00249 //
00250 // Boolean indicating whether or not auditing is enabled for the system
00251 //
00252 
00253 BOOLEAN SepAdtAuditingEnabled = FALSE;
00254 
00255 //
00256 // Boolean to hold whether or not the user wants the system to crash when
00257 // an audit fails.
00258 //
00259 
00260 BOOLEAN SepCrashOnAuditFail = FALSE;
00261 
00262 //
00263 // Handle to the LSA process
00264 //
00265 
00266 HANDLE SepLsaHandle;
00267 
00268 //
00269 // Boolean indicating that we're auditing detailed events
00270 // such as process creation.
00271 //
00272 
00273 BOOLEAN SeDetailedAuditing = FALSE;
00274 
00275 UNICODE_STRING SeSubsystemName;
00276 
00277 
00278 //
00279 // Mutex protecting the queue of work being passed to LSA
00280 //
00281 
00282 ERESOURCE SepLsaQueueLock;
00283 
00284 //
00285 // Doubly linked list of work items queued to worker threads.
00286 //
00287 
00288 LIST_ENTRY SepLsaQueue;
00289 
00290 //
00291 // Count to tell us how long the queue gets in SepRmCallLsa
00292 //
00293 
00294 ULONG SepLsaQueueLength = 0;
00295 
00296 SEP_WORK_ITEM SepExWorkItem;
00297 
00298 
00299 
00301 //                                                                    //
00302 //           Variable Initialization Routines                         //
00303 //                                                                    //
00305 
00306 BOOLEAN
00307 SepVariableInitialization()
00308 /*++
00309 
00310 Routine Description:
00311 
00312     This function initializes the global variables used by and exposed
00313     by security.
00314 
00315 Arguments:
00316 
00317     None.
00318 
00319 Return Value:
00320 
00321     TRUE if variables successfully initialized.
00322     FALSE if not successfully initialized.
00323 
00324 --*/
00325 {
00326 
00327     ULONG SidWithZeroSubAuthorities;
00328     ULONG SidWithOneSubAuthority;
00329     ULONG SidWithTwoSubAuthorities;
00330     ULONG SidWithThreeSubAuthorities;
00331 
00332     SID_IDENTIFIER_AUTHORITY NullSidAuthority;
00333     SID_IDENTIFIER_AUTHORITY WorldSidAuthority;
00334     SID_IDENTIFIER_AUTHORITY LocalSidAuthority;
00335     SID_IDENTIFIER_AUTHORITY CreatorSidAuthority;
00336     SID_IDENTIFIER_AUTHORITY SeNtAuthority;
00337 
00338     PAGED_CODE();
00339 
00340     NullSidAuthority         = SepNullSidAuthority;
00341     WorldSidAuthority        = SepWorldSidAuthority;
00342     LocalSidAuthority        = SepLocalSidAuthority;
00343     CreatorSidAuthority      = SepCreatorSidAuthority;
00344     SeNtAuthority            = SepNtAuthority;
00345 
00346 
00347     //
00348     //  The following SID sizes need to be allocated
00349     //
00350 
00351     SidWithZeroSubAuthorities  = RtlLengthRequiredSid( 0 );
00352     SidWithOneSubAuthority     = RtlLengthRequiredSid( 1 );
00353     SidWithTwoSubAuthorities   = RtlLengthRequiredSid( 2 );
00354     SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 );
00355 
00356     //
00357     //  Allocate and initialize the universal SIDs
00358     //
00359 
00360     SeNullSid         = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00361     SeWorldSid        = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00362     SeLocalSid        = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00363     SeCreatorOwnerSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00364     SeCreatorGroupSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00365     SeCreatorOwnerServerSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00366     SeCreatorGroupServerSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00367 
00368     //
00369     // Fail initialization if we didn't get enough memory for the universal
00370     // SIDs.
00371     //
00372 
00373     if ( (SeNullSid         == NULL)        ||
00374          (SeWorldSid        == NULL)        ||
00375          (SeLocalSid        == NULL)        ||
00376          (SeCreatorOwnerSid == NULL)        ||
00377          (SeCreatorGroupSid == NULL)        ||
00378          (SeCreatorOwnerServerSid == NULL ) ||
00379          (SeCreatorGroupServerSid == NULL )
00380        ) {
00381 
00382         return( FALSE );
00383     }
00384 
00385     RtlInitializeSid( SeNullSid,         &NullSidAuthority, 1 );
00386     RtlInitializeSid( SeWorldSid,        &WorldSidAuthority, 1 );
00387     RtlInitializeSid( SeLocalSid,        &LocalSidAuthority, 1 );
00388     RtlInitializeSid( SeCreatorOwnerSid, &CreatorSidAuthority, 1 );
00389     RtlInitializeSid( SeCreatorGroupSid, &CreatorSidAuthority, 1 );
00390     RtlInitializeSid( SeCreatorOwnerServerSid, &CreatorSidAuthority, 1 );
00391     RtlInitializeSid( SeCreatorGroupServerSid, &CreatorSidAuthority, 1 );
00392 
00393     *(RtlSubAuthoritySid( SeNullSid, 0 ))         = SECURITY_NULL_RID;
00394     *(RtlSubAuthoritySid( SeWorldSid, 0 ))        = SECURITY_WORLD_RID;
00395     *(RtlSubAuthoritySid( SeLocalSid, 0 ))        = SECURITY_LOCAL_RID;
00396     *(RtlSubAuthoritySid( SeCreatorOwnerSid, 0 )) = SECURITY_CREATOR_OWNER_RID;
00397     *(RtlSubAuthoritySid( SeCreatorGroupSid, 0 )) = SECURITY_CREATOR_GROUP_RID;
00398     *(RtlSubAuthoritySid( SeCreatorOwnerServerSid, 0 )) = SECURITY_CREATOR_OWNER_SERVER_RID;
00399     *(RtlSubAuthoritySid( SeCreatorGroupServerSid, 0 )) = SECURITY_CREATOR_GROUP_SERVER_RID;
00400 
00401     //
00402     // Allocate and initialize the NT defined SIDs
00403     //
00404 
00405     SeNtAuthoritySid  = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithZeroSubAuthorities,'iSeS');
00406     SeDialupSid       = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00407     SeNetworkSid      = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00408     SeBatchSid        = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00409     SeInteractiveSid  = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00410     SeServiceSid      = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00411     SePrincipalSelfSid      = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00412     SeLocalSystemSid  = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00413     SeAuthenticatedUsersSid  = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00414     SeRestrictedSid   = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00415     SeAnonymousLogonSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
00416 
00417     SeAliasAdminsSid     = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
00418     SeAliasUsersSid      = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
00419     SeAliasGuestsSid     = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
00420     SeAliasPowerUsersSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
00421     SeAliasAccountOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
00422     SeAliasSystemOpsSid  = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
00423     SeAliasPrintOpsSid   = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
00424     SeAliasBackupOpsSid  = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
00425 
00426     //
00427     // Fail initialization if we didn't get enough memory for the NT SIDs.
00428     //
00429 
00430     if ( (SeNtAuthoritySid          == NULL) ||
00431          (SeDialupSid               == NULL) ||
00432          (SeNetworkSid              == NULL) ||
00433          (SeBatchSid                == NULL) ||
00434          (SeInteractiveSid          == NULL) ||
00435          (SeServiceSid              == NULL) ||
00436          (SePrincipalSelfSid        == NULL) ||
00437          (SeLocalSystemSid          == NULL) ||
00438          (SeAuthenticatedUsersSid   == NULL) ||
00439          (SeRestrictedSid           == NULL) ||
00440          (SeAnonymousLogonSid       == NULL) ||
00441          (SeAliasAdminsSid          == NULL) ||
00442          (SeAliasUsersSid           == NULL) ||
00443          (SeAliasGuestsSid          == NULL) ||
00444          (SeAliasPowerUsersSid      == NULL) ||
00445          (SeAliasAccountOpsSid      == NULL) ||
00446          (SeAliasSystemOpsSid       == NULL) ||
00447          (SeAliasPrintOpsSid        == NULL) ||
00448          (SeAliasBackupOpsSid       == NULL)
00449        ) {
00450 
00451         return( FALSE );
00452     }
00453 
00454     RtlInitializeSid( SeNtAuthoritySid,         &SeNtAuthority, 0 );
00455     RtlInitializeSid( SeDialupSid,              &SeNtAuthority, 1 );
00456     RtlInitializeSid( SeNetworkSid,             &SeNtAuthority, 1 );
00457     RtlInitializeSid( SeBatchSid,               &SeNtAuthority, 1 );
00458     RtlInitializeSid( SeInteractiveSid,         &SeNtAuthority, 1 );
00459     RtlInitializeSid( SeServiceSid,             &SeNtAuthority, 1 );
00460     RtlInitializeSid( SePrincipalSelfSid,       &SeNtAuthority, 1 );
00461     RtlInitializeSid( SeLocalSystemSid,         &SeNtAuthority, 1 );
00462     RtlInitializeSid( SeAuthenticatedUsersSid,  &SeNtAuthority, 1 );
00463     RtlInitializeSid( SeRestrictedSid,          &SeNtAuthority, 1 );
00464     RtlInitializeSid( SeAnonymousLogonSid,      &SeNtAuthority, 1 );
00465 
00466     RtlInitializeSid( SeAliasAdminsSid,     &SeNtAuthority, 2);
00467     RtlInitializeSid( SeAliasUsersSid,      &SeNtAuthority, 2);
00468     RtlInitializeSid( SeAliasGuestsSid,     &SeNtAuthority, 2);
00469     RtlInitializeSid( SeAliasPowerUsersSid, &SeNtAuthority, 2);
00470     RtlInitializeSid( SeAliasAccountOpsSid, &SeNtAuthority, 2);
00471     RtlInitializeSid( SeAliasSystemOpsSid,  &SeNtAuthority, 2);
00472     RtlInitializeSid( SeAliasPrintOpsSid,   &SeNtAuthority, 2);
00473     RtlInitializeSid( SeAliasBackupOpsSid,  &SeNtAuthority, 2);
00474 
00475     *(RtlSubAuthoritySid( SeDialupSid,              0 )) = SECURITY_DIALUP_RID;
00476     *(RtlSubAuthoritySid( SeNetworkSid,             0 )) = SECURITY_NETWORK_RID;
00477     *(RtlSubAuthoritySid( SeBatchSid,               0 )) = SECURITY_BATCH_RID;
00478     *(RtlSubAuthoritySid( SeInteractiveSid,         0 )) = SECURITY_INTERACTIVE_RID;
00479     *(RtlSubAuthoritySid( SeServiceSid,             0 )) = SECURITY_SERVICE_RID;
00480     *(RtlSubAuthoritySid( SePrincipalSelfSid,       0 )) = SECURITY_PRINCIPAL_SELF_RID;
00481     *(RtlSubAuthoritySid( SeLocalSystemSid,         0 )) = SECURITY_LOCAL_SYSTEM_RID;
00482     *(RtlSubAuthoritySid( SeAuthenticatedUsersSid,  0 )) = SECURITY_AUTHENTICATED_USER_RID;
00483     *(RtlSubAuthoritySid( SeRestrictedSid,          0 )) = SECURITY_RESTRICTED_CODE_RID;
00484     *(RtlSubAuthoritySid( SeAnonymousLogonSid,      0 )) = SECURITY_ANONYMOUS_LOGON_RID;
00485 
00486 
00487     *(RtlSubAuthoritySid( SeAliasAdminsSid,     0 )) = SECURITY_BUILTIN_DOMAIN_RID;
00488     *(RtlSubAuthoritySid( SeAliasUsersSid,      0 )) = SECURITY_BUILTIN_DOMAIN_RID;
00489     *(RtlSubAuthoritySid( SeAliasGuestsSid,     0 )) = SECURITY_BUILTIN_DOMAIN_RID;
00490     *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
00491     *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
00492     *(RtlSubAuthoritySid( SeAliasSystemOpsSid,  0 )) = SECURITY_BUILTIN_DOMAIN_RID;
00493     *(RtlSubAuthoritySid( SeAliasPrintOpsSid,   0 )) = SECURITY_BUILTIN_DOMAIN_RID;
00494     *(RtlSubAuthoritySid( SeAliasBackupOpsSid,  0 )) = SECURITY_BUILTIN_DOMAIN_RID;
00495 
00496     *(RtlSubAuthoritySid( SeAliasAdminsSid,     1 )) = DOMAIN_ALIAS_RID_ADMINS;
00497     *(RtlSubAuthoritySid( SeAliasUsersSid,      1 )) = DOMAIN_ALIAS_RID_USERS;
00498     *(RtlSubAuthoritySid( SeAliasGuestsSid,     1 )) = DOMAIN_ALIAS_RID_GUESTS;
00499     *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 1 )) = DOMAIN_ALIAS_RID_POWER_USERS;
00500     *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 1 )) = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
00501     *(RtlSubAuthoritySid( SeAliasSystemOpsSid,  1 )) = DOMAIN_ALIAS_RID_SYSTEM_OPS;
00502     *(RtlSubAuthoritySid( SeAliasPrintOpsSid,   1 )) = DOMAIN_ALIAS_RID_PRINT_OPS;
00503     *(RtlSubAuthoritySid( SeAliasBackupOpsSid,  1 )) = DOMAIN_ALIAS_RID_BACKUP_OPS;
00504 
00505 
00506 
00507     //
00508     // Initialize system default dacl
00509     //
00510 
00511     SepInitSystemDacls();
00512 
00513 
00514     //
00515     // Initialize the well known privilege values
00516     //
00517 
00518     SeCreateTokenPrivilege =
00519         RtlConvertLongToLuid(SE_CREATE_TOKEN_PRIVILEGE);
00520     SeAssignPrimaryTokenPrivilege =
00521         RtlConvertLongToLuid(SE_ASSIGNPRIMARYTOKEN_PRIVILEGE);
00522     SeLockMemoryPrivilege =
00523         RtlConvertLongToLuid(SE_LOCK_MEMORY_PRIVILEGE);
00524     SeIncreaseQuotaPrivilege =
00525         RtlConvertLongToLuid(SE_INCREASE_QUOTA_PRIVILEGE);
00526     SeUnsolicitedInputPrivilege =
00527         RtlConvertLongToLuid(SE_UNSOLICITED_INPUT_PRIVILEGE);
00528     SeTcbPrivilege =
00529         RtlConvertLongToLuid(SE_TCB_PRIVILEGE);
00530     SeSecurityPrivilege =
00531         RtlConvertLongToLuid(SE_SECURITY_PRIVILEGE);
00532     SeTakeOwnershipPrivilege =
00533         RtlConvertLongToLuid(SE_TAKE_OWNERSHIP_PRIVILEGE);
00534     SeLoadDriverPrivilege =
00535         RtlConvertLongToLuid(SE_LOAD_DRIVER_PRIVILEGE);
00536     SeCreatePagefilePrivilege =
00537         RtlConvertLongToLuid(SE_CREATE_PAGEFILE_PRIVILEGE);
00538     SeIncreaseBasePriorityPrivilege =
00539         RtlConvertLongToLuid(SE_INC_BASE_PRIORITY_PRIVILEGE);
00540     SeSystemProfilePrivilege =
00541         RtlConvertLongToLuid(SE_SYSTEM_PROFILE_PRIVILEGE);
00542     SeSystemtimePrivilege =
00543         RtlConvertLongToLuid(SE_SYSTEMTIME_PRIVILEGE);
00544     SeProfileSingleProcessPrivilege =
00545         RtlConvertLongToLuid(SE_PROF_SINGLE_PROCESS_PRIVILEGE);
00546     SeCreatePermanentPrivilege =
00547         RtlConvertLongToLuid(SE_CREATE_PERMANENT_PRIVILEGE);
00548     SeBackupPrivilege =
00549         RtlConvertLongToLuid(SE_BACKUP_PRIVILEGE);
00550     SeRestorePrivilege =
00551         RtlConvertLongToLuid(SE_RESTORE_PRIVILEGE);
00552     SeShutdownPrivilege =
00553         RtlConvertLongToLuid(SE_SHUTDOWN_PRIVILEGE);
00554     SeDebugPrivilege =
00555         RtlConvertLongToLuid(SE_DEBUG_PRIVILEGE);
00556     SeAuditPrivilege =
00557         RtlConvertLongToLuid(SE_AUDIT_PRIVILEGE);
00558     SeSystemEnvironmentPrivilege =
00559         RtlConvertLongToLuid(SE_SYSTEM_ENVIRONMENT_PRIVILEGE);
00560     SeChangeNotifyPrivilege =
00561         RtlConvertLongToLuid(SE_CHANGE_NOTIFY_PRIVILEGE);
00562     SeRemoteShutdownPrivilege =
00563         RtlConvertLongToLuid(SE_REMOTE_SHUTDOWN_PRIVILEGE);
00564     SeUndockPrivilege =
00565         RtlConvertLongToLuid(SE_UNDOCK_PRIVILEGE);
00566     SeSyncAgentPrivilege =
00567         RtlConvertLongToLuid(SE_SYNC_AGENT_PRIVILEGE);
00568     SeEnableDelegationPrivilege = 
00569         RtlConvertLongToLuid(SE_ENABLE_DELEGATION_PRIVILEGE);
00570 
00571 
00572     //
00573     // Initialize the SeExports structure for exporting all
00574     // of the information we've created out of the kernel.
00575     //
00576 
00577     //
00578     // Package these together for export
00579     //
00580 
00581 
00582     SepExports.SeNullSid         = SeNullSid;
00583     SepExports.SeWorldSid        = SeWorldSid;
00584     SepExports.SeLocalSid        = SeLocalSid;
00585     SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
00586     SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
00587 
00588 
00589     SepExports.SeNtAuthoritySid         = SeNtAuthoritySid;
00590     SepExports.SeDialupSid              = SeDialupSid;
00591     SepExports.SeNetworkSid             = SeNetworkSid;
00592     SepExports.SeBatchSid               = SeBatchSid;
00593     SepExports.SeInteractiveSid         = SeInteractiveSid;
00594     SepExports.SeLocalSystemSid         = SeLocalSystemSid;
00595     SepExports.SeAuthenticatedUsersSid  = SeAuthenticatedUsersSid;
00596     SepExports.SeRestrictedSid          = SeRestrictedSid;
00597     SepExports.SeAnonymousLogonSid      = SeAnonymousLogonSid;
00598     SepExports.SeAliasAdminsSid         = SeAliasAdminsSid;
00599     SepExports.SeAliasUsersSid          = SeAliasUsersSid;
00600     SepExports.SeAliasGuestsSid         = SeAliasGuestsSid;
00601     SepExports.SeAliasPowerUsersSid     = SeAliasPowerUsersSid;
00602     SepExports.SeAliasAccountOpsSid     = SeAliasAccountOpsSid;
00603     SepExports.SeAliasSystemOpsSid      = SeAliasSystemOpsSid;
00604     SepExports.SeAliasPrintOpsSid       = SeAliasPrintOpsSid;
00605     SepExports.SeAliasBackupOpsSid      = SeAliasBackupOpsSid;
00606 
00607 
00608 
00609     SepExports.SeCreateTokenPrivilege          = SeCreateTokenPrivilege;
00610     SepExports.SeAssignPrimaryTokenPrivilege   = SeAssignPrimaryTokenPrivilege;
00611     SepExports.SeLockMemoryPrivilege           = SeLockMemoryPrivilege;
00612     SepExports.SeIncreaseQuotaPrivilege        = SeIncreaseQuotaPrivilege;
00613     SepExports.SeUnsolicitedInputPrivilege     = SeUnsolicitedInputPrivilege;
00614     SepExports.SeTcbPrivilege                  = SeTcbPrivilege;
00615     SepExports.SeSecurityPrivilege             = SeSecurityPrivilege;
00616     SepExports.SeTakeOwnershipPrivilege        = SeTakeOwnershipPrivilege;
00617     SepExports.SeLoadDriverPrivilege           = SeLoadDriverPrivilege;
00618     SepExports.SeCreatePagefilePrivilege       = SeCreatePagefilePrivilege;
00619     SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
00620     SepExports.SeSystemProfilePrivilege        = SeSystemProfilePrivilege;
00621     SepExports.SeSystemtimePrivilege           = SeSystemtimePrivilege;
00622     SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
00623     SepExports.SeCreatePermanentPrivilege      = SeCreatePermanentPrivilege;
00624     SepExports.SeBackupPrivilege               = SeBackupPrivilege;
00625     SepExports.SeRestorePrivilege              = SeRestorePrivilege;
00626     SepExports.SeShutdownPrivilege             = SeShutdownPrivilege;
00627     SepExports.SeDebugPrivilege                = SeDebugPrivilege;
00628     SepExports.SeAuditPrivilege                = SeAuditPrivilege;
00629     SepExports.SeSystemEnvironmentPrivilege    = SeSystemEnvironmentPrivilege;
00630     SepExports.SeChangeNotifyPrivilege         = SeChangeNotifyPrivilege;
00631     SepExports.SeRemoteShutdownPrivilege       = SeRemoteShutdownPrivilege;
00632     SepExports.SeUndockPrivilege               = SeUndockPrivilege;
00633     SepExports.SeSyncAgentPrivilege            = SeSyncAgentPrivilege;
00634     SepExports.SeEnableDelegationPrivilege     = SeEnableDelegationPrivilege;
00635 
00636 
00637     SeExports = &SepExports;
00638 
00639     //
00640     // Initialize frequently used privilege sets to speed up access
00641     // validation.
00642     //
00643 
00644     SepInitializePrivilegeSets();
00645 
00646     return TRUE;
00647 
00648 }
00649 
00650 VOID
00651 SepInitSystemDacls( VOID )
00652 /*++
00653 
00654 Routine Description:
00655 
00656     This function initializes the system's default dacls & security
00657     descriptors.
00658 
00659 Arguments:
00660 
00661     None.
00662 
00663 Return Value:
00664 
00665     None.
00666 
00667 
00668 --*/
00669 {
00670 
00671     NTSTATUS
00672         Status;
00673 
00674     ULONG
00675         PublicLength,
00676         PublicUnrestrictedLength,
00677         SystemLength,
00678         PublicOpenLength,
00679         UnrestrictedLength;
00680 
00681 
00682     PAGED_CODE();
00683 
00684     //
00685     // Set up a default ACLs
00686     //
00687     //    Public:       WORLD:execute, SYSTEM:all, ADMINS:all
00688     //    PublicUnrestricted: WORLD:execute, SYSTEM:all, ADMINS:all, Restricted:execute
00689     //    Public Open:  WORLD:(Read|Write|Execute), ADMINS:(all), SYSTEM:all
00690     //    System:       SYSTEM:all, ADMINS:(read|execute|read_control)
00691     //    Unrestricted: WORLD:(all), Restricted:(all)
00692 
00693     SystemLength = (ULONG)sizeof(ACL) +
00694                    (2*((ULONG)sizeof(ACCESS_ALLOWED_ACE))) +
00695                    SeLengthSid( SeLocalSystemSid ) +
00696                    SeLengthSid( SeAliasAdminsSid ) +
00697                    8; // The 8 is just for good measure
00698 
00699     PublicLength = SystemLength +
00700                    ((ULONG)sizeof(ACCESS_ALLOWED_ACE)) +
00701                    SeLengthSid( SeWorldSid );
00702 
00703     PublicUnrestrictedLength = SystemLength +
00704                    ((ULONG)sizeof(ACCESS_ALLOWED_ACE)) +
00705                    SeLengthSid( SeRestrictedSid );
00706 
00707     PublicOpenLength = PublicLength;
00708 
00709     UnrestrictedLength = (ULONG)sizeof(ACL) +
00710                    (2*((ULONG)sizeof(ACCESS_ALLOWED_ACE))) +
00711                    SeLengthSid( SeWorldSid ) +
00712                    SeLengthSid( SeRestrictedSid ) +
00713                    8; // The 8 is just for good measure
00714 
00715 
00716     SePublicDefaultDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, PublicLength, 'cAeS');
00717     SePublicDefaultUnrestrictedDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, PublicUnrestrictedLength, 'cAeS');
00718     SePublicOpenDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, PublicOpenLength, 'cAeS');
00719     SePublicOpenUnrestrictedDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, PublicUnrestrictedLength, 'cAeS');
00720     SeSystemDefaultDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, SystemLength, 'cAeS');
00721     SeUnrestrictedDacl = (PACL)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, UnrestrictedLength, 'cAeS');
00722     ASSERT(SePublicDefaultDacl != NULL);
00723     ASSERT(SePublicDefaultUnrestrictedDacl != NULL);
00724     ASSERT(SePublicOpenDacl    != NULL);
00725     ASSERT(SePublicOpenUnrestrictedDacl    != NULL);
00726     ASSERT(SeSystemDefaultDacl != NULL);
00727     ASSERT(SeUnrestrictedDacl != NULL);
00728 
00729 
00730 
00731     Status = RtlCreateAcl( SePublicDefaultDacl, PublicLength, ACL_REVISION2);
00732     ASSERT( NT_SUCCESS(Status) );
00733     Status = RtlCreateAcl( SePublicDefaultUnrestrictedDacl, PublicUnrestrictedLength, ACL_REVISION2);
00734     ASSERT( NT_SUCCESS(Status) );
00735     Status = RtlCreateAcl( SePublicOpenDacl, PublicUnrestrictedLength, ACL_REVISION2);
00736     ASSERT( NT_SUCCESS(Status) );
00737     Status = RtlCreateAcl( SePublicOpenUnrestrictedDacl, PublicOpenLength, ACL_REVISION2);
00738     ASSERT( NT_SUCCESS(Status) );
00739     Status = RtlCreateAcl( SeSystemDefaultDacl, SystemLength, ACL_REVISION2);
00740     ASSERT( NT_SUCCESS(Status) );
00741     Status = RtlCreateAcl( SeUnrestrictedDacl, UnrestrictedLength, ACL_REVISION2);
00742     ASSERT( NT_SUCCESS(Status) );
00743 
00744 
00745     //
00746     // WORLD access (Public DACLs and Unrestricted only)
00747     //
00748 
00749     Status = RtlAddAccessAllowedAce (
00750                  SePublicDefaultDacl,
00751                  ACL_REVISION2,
00752                  GENERIC_EXECUTE,
00753                  SeWorldSid
00754                  );
00755     ASSERT( NT_SUCCESS(Status) );
00756 
00757     Status = RtlAddAccessAllowedAce (
00758                  SePublicDefaultUnrestrictedDacl,
00759                  ACL_REVISION2,
00760                  GENERIC_EXECUTE,
00761                  SeWorldSid
00762                  );
00763     ASSERT( NT_SUCCESS(Status) );
00764 
00765     Status = RtlAddAccessAllowedAce (
00766                  SePublicOpenDacl,
00767                  ACL_REVISION2,
00768                  (GENERIC_READ | GENERIC_WRITE  | GENERIC_EXECUTE),
00769                  SeWorldSid
00770                  );
00771     ASSERT( NT_SUCCESS(Status) );
00772 
00773     Status = RtlAddAccessAllowedAce (
00774                  SePublicOpenUnrestrictedDacl,
00775                  ACL_REVISION2,
00776                  (GENERIC_READ | GENERIC_WRITE  | GENERIC_EXECUTE),
00777                  SeWorldSid
00778                  );
00779     ASSERT( NT_SUCCESS(Status) );
00780 
00781     Status = RtlAddAccessAllowedAce (
00782                  SeUnrestrictedDacl,
00783                  ACL_REVISION2,
00784                  GENERIC_ALL,
00785                  SeWorldSid
00786                  );
00787     ASSERT( NT_SUCCESS(Status) );
00788 
00789 
00790 
00791     //
00792     // SYSTEM access  (PublicDefault, PublicOpen, and SystemDefault)
00793     //
00794 
00795 
00796     Status = RtlAddAccessAllowedAce (
00797                  SePublicDefaultDacl,
00798                  ACL_REVISION2,
00799                  GENERIC_ALL,
00800                  SeLocalSystemSid
00801                  );
00802     ASSERT( NT_SUCCESS(Status) );
00803 
00804 
00805     Status = RtlAddAccessAllowedAce (
00806                  SePublicDefaultUnrestrictedDacl,
00807                  ACL_REVISION2,
00808                  GENERIC_ALL,
00809                  SeLocalSystemSid
00810                  );
00811     ASSERT( NT_SUCCESS(Status) );
00812 
00813 
00814     Status = RtlAddAccessAllowedAce (
00815                  SePublicOpenDacl,
00816                  ACL_REVISION2,
00817                  GENERIC_ALL,
00818                  SeLocalSystemSid
00819                  );
00820     ASSERT( NT_SUCCESS(Status) );
00821 
00822     Status = RtlAddAccessAllowedAce (
00823                  SePublicOpenUnrestrictedDacl,
00824                  ACL_REVISION2,
00825                  GENERIC_ALL,
00826                  SeLocalSystemSid
00827                  );
00828     ASSERT( NT_SUCCESS(Status) );
00829 
00830 
00831     Status = RtlAddAccessAllowedAce (
00832                  SeSystemDefaultDacl,
00833                  ACL_REVISION2,
00834                  GENERIC_ALL,
00835                  SeLocalSystemSid
00836                  );
00837     ASSERT( NT_SUCCESS(Status) );
00838 
00839     //
00840     // ADMINISTRATORS access  (PublicDefault, PublicOpen, and SystemDefault)
00841     //
00842 
00843     Status = RtlAddAccessAllowedAce (
00844                  SePublicDefaultDacl,
00845                  ACL_REVISION2,
00846                  GENERIC_ALL,
00847                  SeAliasAdminsSid
00848                  );
00849     ASSERT( NT_SUCCESS(Status) );
00850 
00851 
00852     Status = RtlAddAccessAllowedAce (
00853                  SePublicDefaultUnrestrictedDacl,
00854                  ACL_REVISION2,
00855                  GENERIC_ALL,
00856                  SeAliasAdminsSid
00857                  );
00858     ASSERT( NT_SUCCESS(Status) );
00859 
00860 
00861     Status = RtlAddAccessAllowedAce (
00862                  SePublicOpenDacl,
00863                  ACL_REVISION2,
00864                  GENERIC_ALL,
00865                  SeAliasAdminsSid
00866                  );
00867     ASSERT( NT_SUCCESS(Status) );
00868 
00869 
00870     Status = RtlAddAccessAllowedAce (
00871                  SePublicOpenUnrestrictedDacl,
00872                  ACL_REVISION2,
00873                  GENERIC_ALL,
00874                  SeAliasAdminsSid
00875                  );
00876     ASSERT( NT_SUCCESS(Status) );
00877 
00878 
00879     Status = RtlAddAccessAllowedAce (
00880                  SeSystemDefaultDacl,
00881                  ACL_REVISION2,
00882                  GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL,
00883                  SeAliasAdminsSid
00884                  );
00885     ASSERT( NT_SUCCESS(Status) );
00886 
00887     //
00888     // RESTRICTED access  (PublicDefaultUnrestricted and Unrestricted)
00889     //
00890 
00891     Status = RtlAddAccessAllowedAce (
00892                  SePublicDefaultUnrestrictedDacl,
00893                  ACL_REVISION2,
00894                  GENERIC_EXECUTE,
00895                  SeRestrictedSid
00896                  );
00897     ASSERT( NT_SUCCESS(Status) );
00898 
00899     Status = RtlAddAccessAllowedAce (
00900                  SePublicOpenUnrestrictedDacl,
00901                  ACL_REVISION2,
00902                  GENERIC_EXECUTE | GENERIC_READ,
00903                  SeRestrictedSid
00904                  );
00905     ASSERT( NT_SUCCESS(Status) );
00906 
00907     Status = RtlAddAccessAllowedAce (
00908                  SeUnrestrictedDacl,
00909                  ACL_REVISION2,
00910                  GENERIC_ALL,
00911                  SeRestrictedSid
00912                  );
00913     ASSERT( NT_SUCCESS(Status) );
00914 
00915 
00916 
00917 
00918     //
00919     // Now initialize security descriptors
00920     // that export this protection
00921     //
00922 
00923 
00924     SePublicDefaultSd = (PSECURITY_DESCRIPTOR)&SepPublicDefaultSd;
00925     Status = RtlCreateSecurityDescriptor(
00926                  SePublicDefaultSd,
00927                  SECURITY_DESCRIPTOR_REVISION1
00928                  );
00929     ASSERT( NT_SUCCESS(Status) );
00930     Status = RtlSetDaclSecurityDescriptor(
00931                  SePublicDefaultSd,
00932                  TRUE,                       // DaclPresent
00933                  SePublicDefaultDacl,
00934                  FALSE                       // DaclDefaulted
00935                  );
00936     ASSERT( NT_SUCCESS(Status) );
00937 
00938 
00939     SePublicDefaultUnrestrictedSd = (PSECURITY_DESCRIPTOR)&SepPublicDefaultUnrestrictedSd;
00940     Status = RtlCreateSecurityDescriptor(
00941                  SePublicDefaultUnrestrictedSd,
00942                  SECURITY_DESCRIPTOR_REVISION1
00943                  );
00944     ASSERT( NT_SUCCESS(Status) );
00945     Status = RtlSetDaclSecurityDescriptor(
00946                  SePublicDefaultUnrestrictedSd,
00947                  TRUE,                       // DaclPresent
00948                  SePublicDefaultUnrestrictedDacl,
00949                  FALSE                       // DaclDefaulted
00950                  );
00951     ASSERT( NT_SUCCESS(Status) );
00952 
00953 
00954     SePublicOpenSd = (PSECURITY_DESCRIPTOR)&SepPublicOpenSd;
00955     Status = RtlCreateSecurityDescriptor(
00956                  SePublicOpenSd,
00957                  SECURITY_DESCRIPTOR_REVISION1
00958                  );
00959     ASSERT( NT_SUCCESS(Status) );
00960     Status = RtlSetDaclSecurityDescriptor(
00961                  SePublicOpenSd,
00962                  TRUE,                       // DaclPresent
00963                  SePublicOpenDacl,
00964                  FALSE                       // DaclDefaulted
00965                  );
00966     ASSERT( NT_SUCCESS(Status) );
00967 
00968 
00969     SePublicOpenUnrestrictedSd = (PSECURITY_DESCRIPTOR)&SepPublicOpenUnrestrictedSd;
00970     Status = RtlCreateSecurityDescriptor(
00971                  SePublicOpenUnrestrictedSd,
00972                  SECURITY_DESCRIPTOR_REVISION1
00973                  );
00974     ASSERT( NT_SUCCESS(Status) );
00975     Status = RtlSetDaclSecurityDescriptor(
00976                  SePublicOpenUnrestrictedSd,
00977                  TRUE,                       // DaclPresent
00978                  SePublicOpenUnrestrictedDacl,
00979                  FALSE                       // DaclDefaulted
00980                  );
00981     ASSERT( NT_SUCCESS(Status) );
00982 
00983 
00984     SeSystemDefaultSd = (PSECURITY_DESCRIPTOR)&SepSystemDefaultSd;
00985     Status = RtlCreateSecurityDescriptor(
00986                  SeSystemDefaultSd,
00987                  SECURITY_DESCRIPTOR_REVISION1
00988                  );
00989     ASSERT( NT_SUCCESS(Status) );
00990     Status = RtlSetDaclSecurityDescriptor(
00991                  SeSystemDefaultSd,
00992                  TRUE,                       // DaclPresent
00993                  SeSystemDefaultDacl,
00994                  FALSE                       // DaclDefaulted
00995                  );
00996     ASSERT( NT_SUCCESS(Status) );
00997 
00998     SeUnrestrictedSd = (PSECURITY_DESCRIPTOR)&SepUnrestrictedSd;
00999     Status = RtlCreateSecurityDescriptor(
01000                  SeUnrestrictedSd,
01001                  SECURITY_DESCRIPTOR_REVISION1
01002                  );
01003     ASSERT( NT_SUCCESS(Status) );
01004     Status = RtlSetDaclSecurityDescriptor(
01005                  SeUnrestrictedSd,
01006                  TRUE,                       // DaclPresent
01007                  SeUnrestrictedDacl,
01008                  FALSE                       // DaclDefaulted
01009                  );
01010     ASSERT( NT_SUCCESS(Status) );
01011 
01012 
01013     return;
01014 
01015 }
01016 
01017 
01018 VOID
01019 SepInitializePrivilegeSets( VOID )
01020 /*++
01021 
01022 Routine Description:
01023 
01024     This routine is called once during system initialization to pre-allocate
01025     and initialize some commonly used privilege sets.
01026 
01027 Arguments:
01028 
01029     None
01030 
01031 Return Value:
01032 
01033     None.
01034 
01035 --*/
01036 {
01037     PAGED_CODE();
01038 
01039     SinglePrivilegeSetSize = sizeof( PRIVILEGE_SET );
01040     DoublePrivilegeSetSize = sizeof( PRIVILEGE_SET ) +
01041                                 (ULONG)sizeof( LUID_AND_ATTRIBUTES );
01042 
01043     SepSystemSecurityPrivilegeSet = ExAllocatePoolWithTag( PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, SinglePrivilegeSetSize, 'rPeS' );
01044     SepTakeOwnershipPrivilegeSet  = ExAllocatePoolWithTag( PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, SinglePrivilegeSetSize, 'rPeS' );
01045     SepDoublePrivilegeSet         = ExAllocatePoolWithTag( PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, DoublePrivilegeSetSize, 'rPeS' );
01046 
01047     SepSystemSecurityPrivilegeSet->PrivilegeCount = 1;
01048     SepSystemSecurityPrivilegeSet->Control = 0;
01049     SepSystemSecurityPrivilegeSet->Privilege[0].Luid = SeSecurityPrivilege;
01050     SepSystemSecurityPrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS;
01051 
01052     SepTakeOwnershipPrivilegeSet->PrivilegeCount = 1;
01053     SepTakeOwnershipPrivilegeSet->Control = 0;
01054     SepTakeOwnershipPrivilegeSet->Privilege[0].Luid = SeTakeOwnershipPrivilege;
01055     SepTakeOwnershipPrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS;
01056 
01057     SepDoublePrivilegeSet->PrivilegeCount = 2;
01058     SepDoublePrivilegeSet->Control = 0;
01059 
01060     SepDoublePrivilegeSet->Privilege[0].Luid = SeSecurityPrivilege;
01061     SepDoublePrivilegeSet->Privilege[0].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS;
01062 
01063     SepDoublePrivilegeSet->Privilege[1].Luid = SeTakeOwnershipPrivilege;
01064     SepDoublePrivilegeSet->Privilege[1].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS;
01065 
01066 }
01067 
01068 
01069 
01070 VOID
01071 SepAssemblePrivileges(
01072     IN ULONG PrivilegeCount,
01073     IN BOOLEAN SystemSecurity,
01074     IN BOOLEAN WriteOwner,
01075     OUT PPRIVILEGE_SET *Privileges
01076     )
01077 /*++
01078 
01079 Routine Description:
01080 
01081     This routine takes the results of the various privilege checks
01082     in SeAccessCheck and returns an appropriate privilege set.
01083 
01084 Arguments:
01085 
01086     PrivilegeCount - The number of privileges granted.
01087 
01088     SystemSecurity - Provides a boolean indicating whether to put
01089         SeSecurityPrivilege into the output privilege set.
01090 
01091     WriteOwner - Provides a boolean indicating whether to put
01092         SeTakeOwnershipPrivilege into the output privilege set.
01093 
01094     Privileges - Supplies a pointer that will return the privilege
01095         set.  Should be freed with ExFreePool when no longer needed.
01096 
01097 Return Value:
01098 
01099     None.
01100 
01101 --*/
01102 {
01103     PPRIVILEGE_SET PrivilegeSet;
01104     ULONG SizeRequired;
01105 
01106     PAGED_CODE();
01107 
01108     ASSERT( (PrivilegeCount != 0) && (PrivilegeCount <= 2) );
01109 
01110     if ( !ARGUMENT_PRESENT( Privileges ) ) {
01111         return;
01112     }
01113 
01114     if ( PrivilegeCount == 1 ) {
01115 
01116         SizeRequired = SinglePrivilegeSetSize;
01117 
01118         if ( SystemSecurity ) {
01119 
01120             PrivilegeSet = SepSystemSecurityPrivilegeSet;
01121 
01122         } else {
01123 
01124             ASSERT( WriteOwner );
01125 
01126             PrivilegeSet = SepTakeOwnershipPrivilegeSet;
01127         }
01128 
01129     } else {
01130 
01131         SizeRequired = DoublePrivilegeSetSize;
01132         PrivilegeSet = SepDoublePrivilegeSet;
01133     }
01134 
01135     *Privileges = ExAllocatePoolWithTag( PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE, SizeRequired, 'rPeS' );
01136 
01137     if ( *Privileges != NULL ) {
01138 
01139         RtlCopyMemory (
01140            *Privileges,
01141            PrivilegeSet,
01142            SizeRequired
01143            );
01144     }
01145 }
01146 
01147 
01148 
01149 
01150 
01151 BOOLEAN
01152 SepInitializeWorkList(
01153     VOID
01154     )
01155 
01156 /*++
01157 
01158 Routine Description:
01159 
01160     Initializes the mutex and list head used to queue work from the
01161     Executive to LSA.  This mechanism operates on top of the normal ExWorkerThread
01162     mechanism by capturing the first thread to perform LSA work and keeping it
01163     until all the current work is done.
01164 
01165     The reduces the number of worker threads that are blocked on I/O to LSA.
01166 
01167 Arguments:
01168 
01169     None.
01170 
01171 
01172 Return Value:
01173 
01174     TRUE if successful, FALSE otherwise.
01175 
01176 --*/
01177 
01178 {
01179     PAGED_CODE();
01180 
01181     ExInitializeResource(&SepLsaQueueLock);
01182     InitializeListHead(&SepLsaQueue);
01183     return( TRUE );
01184 }
Generated on Sat May 15 19:41:45 2004 for test by doxygen 1.3.7