1928 lines
51 KiB
C
1928 lines
51 KiB
C
/*++
|
|
|
|
Copyright (c) 1989 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
obse.c
|
|
|
|
Abstract:
|
|
|
|
Object Security API calls
|
|
|
|
Author:
|
|
|
|
Steve Wood (stevewo) 31-Mar-1989
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
#include "obp.h"
|
|
|
|
#if defined(ALLOC_PRAGMA) && defined(NTOS_KERNEL_RUNTIME)
|
|
|
|
#pragma alloc_text(PAGE,NtSetSecurityObject)
|
|
#pragma alloc_text(PAGE,NtQuerySecurityObject)
|
|
#pragma alloc_text(PAGE,ObAssignObjectSecurityDescriptor)
|
|
#pragma alloc_text(PAGE,ObAssignSecurity)
|
|
#pragma alloc_text(PAGE,ObCheckCreateObjectAccess)
|
|
#pragma alloc_text(PAGE,ObCheckObjectAccess)
|
|
#pragma alloc_text(PAGE,ObCheckObjectReference)
|
|
#pragma alloc_text(PAGE,ObpCheckTraverseAccess)
|
|
#pragma alloc_text(PAGE,ObGetObjectSecurity)
|
|
#pragma alloc_text(PAGE,ObSetSecurityDescriptorInfo)
|
|
#pragma alloc_text(PAGE,ObQuerySecurityDescriptorInfo)
|
|
#pragma alloc_text(PAGE,ObReleaseObjectSecurity)
|
|
#pragma alloc_text(PAGE,ObSetSecurityQuotaCharged)
|
|
#pragma alloc_text(PAGE,ObValidateSecurityQuota)
|
|
#pragma alloc_text(PAGE,ObpValidateAccessMask)
|
|
#pragma alloc_text(PAGE,ObSetSecurityObjectByPointer)
|
|
|
|
#endif
|
|
|
|
|
|
NTSTATUS
|
|
NtSetSecurityObject (
|
|
IN HANDLE Handle,
|
|
IN SECURITY_INFORMATION SecurityInformation,
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine is used to invoke an object's security routine. It
|
|
is used to set the object's security state.
|
|
|
|
Arguments:
|
|
|
|
Handle - Supplies the handle for the object being modified
|
|
|
|
SecurityInformation - Indicates the type of information we are
|
|
interested in setting. e.g., owner, group, dacl, or sacl.
|
|
|
|
SecurityDescriptor - Supplies the security descriptor for the
|
|
object being modified.
|
|
|
|
Return Value:
|
|
|
|
An appropriate NTSTATUS value
|
|
|
|
--*/
|
|
|
|
{
|
|
NTSTATUS Status;
|
|
PVOID Object;
|
|
ACCESS_MASK DesiredAccess;
|
|
OBJECT_HANDLE_INFORMATION HandleInformation;
|
|
KPROCESSOR_MODE RequestorMode;
|
|
SECURITY_DESCRIPTOR_RELATIVE *CapturedDescriptor;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// Make sure the passed security descriptor is really there.
|
|
// SeCaptureSecurityDescriptor doesn't mind being passed a NULL
|
|
// SecurityDescriptor, and will just return NULL back.
|
|
|
|
|
|
if (!ARGUMENT_PRESENT( SecurityDescriptor )) {
|
|
|
|
return( STATUS_ACCESS_VIOLATION );
|
|
}
|
|
|
|
|
|
// Establish the accesses needed to the object based upon the
|
|
// security information being modified.
|
|
|
|
|
|
SeSetSecurityAccessMask( SecurityInformation, &DesiredAccess );
|
|
|
|
Status = ObReferenceObjectByHandle( Handle,
|
|
DesiredAccess,
|
|
NULL,
|
|
RequestorMode = KeGetPreviousMode(),
|
|
&Object,
|
|
&HandleInformation );
|
|
|
|
if (NT_SUCCESS( Status )) {
|
|
|
|
|
|
// Probe and capture the input security descriptor, and return
|
|
// right away if it is ill-formed.
|
|
|
|
// Because the security descriptor is always captured the returned
|
|
// security descriptor is in self-relative format.
|
|
|
|
|
|
Status = SeCaptureSecurityDescriptor( SecurityDescriptor,
|
|
RequestorMode,
|
|
PagedPool,
|
|
TRUE,
|
|
(PSECURITY_DESCRIPTOR *)&CapturedDescriptor );
|
|
|
|
if (NT_SUCCESS( Status )) {
|
|
|
|
|
|
// Now check for a valid combination of what the user wants to set
|
|
// and what was supplied in the input security descriptor. If the
|
|
// caller wants to set the owner then the owner field of the
|
|
// security descriptor better not be null, likewise for the group
|
|
// setting. If anything is missing we'll return and error.
|
|
|
|
|
|
ASSERT(CapturedDescriptor->Control & SE_SELF_RELATIVE);
|
|
|
|
if (((SecurityInformation & OWNER_SECURITY_INFORMATION) &&
|
|
(CapturedDescriptor->Owner == 0))
|
|
|
|
||
|
|
|
|
((SecurityInformation & GROUP_SECURITY_INFORMATION) &&
|
|
(CapturedDescriptor->Group == 0))) {
|
|
|
|
SeReleaseSecurityDescriptor( (PSECURITY_DESCRIPTOR)CapturedDescriptor,
|
|
RequestorMode,
|
|
TRUE );
|
|
|
|
ObDereferenceObject( Object );
|
|
|
|
ASSERT(FALSE);
|
|
return( STATUS_INVALID_SECURITY_DESCR );
|
|
}
|
|
|
|
Status = ObSetSecurityObjectByPointer( Object,
|
|
SecurityInformation,
|
|
CapturedDescriptor );
|
|
|
|
SeReleaseSecurityDescriptor( (PSECURITY_DESCRIPTOR)CapturedDescriptor,
|
|
RequestorMode,
|
|
TRUE );
|
|
}
|
|
|
|
ObDereferenceObject( Object );
|
|
|
|
}
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
ObSetSecurityObjectByPointer (
|
|
IN PVOID Object,
|
|
IN SECURITY_INFORMATION SecurityInformation,
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine is used to invoke an object's security routine. It
|
|
is used to set the object's security state.
|
|
|
|
This routine is accessible only to the kernel and assumes that all
|
|
necessary validation of parameters has been done by the caller.
|
|
|
|
Arguments:
|
|
|
|
Object - Supplies the pointer for the object being modified
|
|
|
|
SecurityInformation - Indicates the type of information we are
|
|
interested in setting. e.g., owner, group, dacl, or sacl.
|
|
|
|
SecurityDescriptor - Supplies the security descriptor for the
|
|
object being modified.
|
|
|
|
Return Value:
|
|
|
|
An appropriate NTSTATUS value
|
|
|
|
--*/
|
|
|
|
{
|
|
NTSTATUS Status;
|
|
POBJECT_HEADER ObjectHeader;
|
|
POBJECT_TYPE ObjectType;
|
|
|
|
PAGED_CODE();
|
|
|
|
// DbgPrint("ObSetSecurityObjectByPointer called for object %#08lx with info "
|
|
// "%x and descriptor %#08lx\n",
|
|
// Object, SecurityInformation, SecurityDescriptor);
|
|
|
|
|
|
// Map the object body to an object header and the corresponding
|
|
// object type
|
|
|
|
|
|
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
|
|
ObjectType = ObjectHeader->Type;
|
|
|
|
|
|
// Make sure the passed security descriptor is really there.
|
|
|
|
|
|
ASSERT(ARGUMENT_PRESENT( SecurityDescriptor ));
|
|
|
|
|
|
// Now invoke the security procedure call back to set the security
|
|
// descriptor for the object
|
|
|
|
|
|
Status = (ObjectType->TypeInfo.SecurityProcedure)
|
|
( Object,
|
|
SetSecurityDescriptor,
|
|
&SecurityInformation,
|
|
SecurityDescriptor,
|
|
NULL,
|
|
&ObjectHeader->SecurityDescriptor,
|
|
ObjectType->TypeInfo.PoolType,
|
|
&ObjectType->TypeInfo.GenericMapping );
|
|
|
|
|
|
// DbgPrint("ObSetSecurityObjectByPointer: object security routine returned "
|
|
// "%#08lx\n", Status);
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
NtQuerySecurityObject (
|
|
IN HANDLE Handle,
|
|
IN SECURITY_INFORMATION SecurityInformation,
|
|
OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN ULONG Length,
|
|
OUT PULONG LengthNeeded
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine is used to query the security descriptor for an
|
|
object.
|
|
|
|
Arguments:
|
|
|
|
Handle - Supplies the handle for the object being investigated
|
|
|
|
SecurityInformation - Indicates the type of information we are
|
|
interested in getting. e.g., owner, group, dacl, or sacl.
|
|
|
|
SecurityDescriptor - Supplies a pointer to where the information
|
|
should be returned
|
|
|
|
Length - Supplies the size, in bytes, of the output buffer
|
|
|
|
LengthNeeded - Receives the length, in bytes, needed to store
|
|
the output security descriptor
|
|
|
|
Return Value:
|
|
|
|
An appropriate NTSTATUS value
|
|
|
|
--*/
|
|
|
|
{
|
|
NTSTATUS Status;
|
|
PVOID Object;
|
|
ACCESS_MASK DesiredAccess;
|
|
OBJECT_HANDLE_INFORMATION HandleInformation;
|
|
KPROCESSOR_MODE RequestorMode;
|
|
POBJECT_HEADER ObjectHeader;
|
|
POBJECT_TYPE ObjectType;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// Probe output parameters
|
|
|
|
|
|
RequestorMode = KeGetPreviousMode();
|
|
|
|
if (RequestorMode != KernelMode) {
|
|
|
|
try {
|
|
|
|
ProbeForWriteUlong( LengthNeeded );
|
|
|
|
ProbeForWrite( SecurityDescriptor, Length, sizeof(ULONG) );
|
|
|
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|
|
|
return GetExceptionCode();
|
|
}
|
|
}
|
|
|
|
|
|
// Establish the accesses needed to the object based upon the
|
|
// security information being queried
|
|
|
|
|
|
SeQuerySecurityAccessMask( SecurityInformation, &DesiredAccess );
|
|
|
|
Status = ObReferenceObjectByHandle( Handle,
|
|
DesiredAccess,
|
|
NULL,
|
|
RequestorMode,
|
|
&Object,
|
|
&HandleInformation );
|
|
|
|
if (!NT_SUCCESS( Status )) {
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
// Map the object body to an object header and the corresponding
|
|
// object type
|
|
|
|
|
|
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
|
|
ObjectType = ObjectHeader->Type;
|
|
|
|
|
|
// Invoke the object type's security callback routine to query
|
|
// the object. This routine is assumed to have a try-except around
|
|
// the setting of the output security descriptor
|
|
|
|
|
|
Status = (ObjectType->TypeInfo.SecurityProcedure)( Object,
|
|
QuerySecurityDescriptor,
|
|
&SecurityInformation,
|
|
SecurityDescriptor,
|
|
&Length,
|
|
&ObjectHeader->SecurityDescriptor,
|
|
ObjectType->TypeInfo.PoolType,
|
|
&ObjectType->TypeInfo.GenericMapping );
|
|
|
|
|
|
// Indicate the length needed for the security descriptor. This
|
|
// will be set even if the callback failed so the caller will know
|
|
// the number of bytes necessary
|
|
|
|
|
|
try {
|
|
|
|
*LengthNeeded = Length;
|
|
|
|
} except(EXCEPTION_EXECUTE_HANDLER) {
|
|
|
|
ObDereferenceObject( Object );
|
|
|
|
return(GetExceptionCode());
|
|
}
|
|
|
|
|
|
// And return to our caller
|
|
|
|
|
|
ObDereferenceObject( Object );
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
BOOLEAN
|
|
ObCheckObjectAccess (
|
|
IN PVOID Object,
|
|
IN OUT PACCESS_STATE AccessState,
|
|
IN BOOLEAN TypeMutexLocked,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
OUT PNTSTATUS AccessStatus
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine performs access validation on the passed object. The
|
|
remaining desired access mask is extracted from the AccessState
|
|
parameter and passes to the appropriate security routine to perform the
|
|
access check.
|
|
|
|
If the access attempt is successful, SeAccessCheck returns a mask
|
|
containing the granted accesses. The bits in this mask are turned
|
|
on in the PreviouslyGrantedAccess field of the AccessState, and
|
|
are turned off in the RemainingDesiredAccess field.
|
|
|
|
Arguments:
|
|
|
|
Object - The object being examined.
|
|
|
|
AccessState - The ACCESS_STATE structure containing accumulated
|
|
information about the current attempt to gain access to the object.
|
|
|
|
TypeMutexLocked - Indicates whether the type mutex for this object's
|
|
type is locked. The type mutex is used to protect the object's
|
|
security descriptor from being modified while it is being accessed.
|
|
|
|
AccessMode - The previous processor mode.
|
|
|
|
AccessStatus - Pointer to a variable to return the status code of the
|
|
access attempt. In the case of failure this status code must be
|
|
propagated back to the user.
|
|
|
|
|
|
Return Value:
|
|
|
|
BOOLEAN - TRUE if access is allowed and FALSE otherwise
|
|
|
|
--*/
|
|
|
|
{
|
|
ACCESS_MASK GrantedAccess = 0;
|
|
BOOLEAN AccessAllowed;
|
|
BOOLEAN MemoryAllocated;
|
|
NTSTATUS Status;
|
|
PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
|
|
POBJECT_HEADER ObjectHeader;
|
|
POBJECT_TYPE ObjectType;
|
|
PPRIVILEGE_SET Privileges = NULL;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// Map the object body to an object header and the
|
|
// corresponding object type
|
|
|
|
|
|
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
|
|
ObjectType = ObjectHeader->Type;
|
|
|
|
|
|
// If the caller does not have the object type locked
|
|
// then lock it down
|
|
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpEnterObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
|
|
// Obtain the object's security descriptor
|
|
|
|
|
|
Status = ObGetObjectSecurity( Object,
|
|
&SecurityDescriptor,
|
|
&MemoryAllocated );
|
|
|
|
|
|
// If we failed in getting the security descriptor then
|
|
// put the object type lock back where it was and return
|
|
// the error back to our caller
|
|
|
|
|
|
if (!NT_SUCCESS( Status )) {
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpLeaveObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
*AccessStatus = Status;
|
|
|
|
return( FALSE );
|
|
|
|
} else {
|
|
|
|
|
|
// Otherwise we've been successful at getting the
|
|
// object's security descriptor, but now make sure
|
|
// it is not null.
|
|
|
|
if (SecurityDescriptor == NULL) {
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpLeaveObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
*AccessStatus = Status;
|
|
|
|
return(TRUE);
|
|
}
|
|
}
|
|
|
|
|
|
// We have a non-null security descriptor so now
|
|
// lock the caller's tokens until after auditing has been
|
|
// performed.
|
|
|
|
|
|
SeLockSubjectContext( &AccessState->SubjectSecurityContext );
|
|
|
|
|
|
// Do the access check, and if we have some privileges then
|
|
// put those in the access state too.
|
|
|
|
|
|
AccessAllowed = SeAccessCheck( SecurityDescriptor,
|
|
&AccessState->SubjectSecurityContext,
|
|
TRUE, // Tokens are locked
|
|
AccessState->RemainingDesiredAccess,
|
|
AccessState->PreviouslyGrantedAccess,
|
|
&Privileges,
|
|
&ObjectType->TypeInfo.GenericMapping,
|
|
AccessMode,
|
|
&GrantedAccess,
|
|
AccessStatus );
|
|
|
|
if (Privileges != NULL) {
|
|
|
|
Status = SeAppendPrivileges( AccessState,
|
|
Privileges );
|
|
|
|
SeFreePrivileges( Privileges );
|
|
}
|
|
|
|
|
|
// If we were granted access then set that fact into
|
|
// what we've been granted and remove it from what remains
|
|
// to be granted.
|
|
|
|
|
|
if (AccessAllowed) {
|
|
|
|
AccessState->PreviouslyGrantedAccess |= GrantedAccess;
|
|
AccessState->RemainingDesiredAccess &= ~(GrantedAccess | MAXIMUM_ALLOWED);
|
|
}
|
|
|
|
|
|
// Audit the attempt to open the object, audit
|
|
// the creation of its handle later.
|
|
|
|
// **** SecurityDescriptor cannot be null
|
|
|
|
|
|
if ( SecurityDescriptor != NULL ) {
|
|
|
|
SeOpenObjectAuditAlarm( &ObjectType->Name,
|
|
Object,
|
|
NULL, // AbsoluteObjectName
|
|
SecurityDescriptor,
|
|
AccessState,
|
|
FALSE, // ObjectCreated (FALSE, only open here)
|
|
AccessAllowed,
|
|
AccessMode,
|
|
&AccessState->GenerateOnClose );
|
|
}
|
|
|
|
SeUnlockSubjectContext( &AccessState->SubjectSecurityContext );
|
|
|
|
|
|
// If the caller didn't lock the object type then we have to
|
|
// remove our lock on it.
|
|
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpLeaveObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
|
|
// Free the security descriptor before returning to
|
|
// our caller
|
|
|
|
|
|
ObReleaseObjectSecurity( SecurityDescriptor,
|
|
MemoryAllocated );
|
|
|
|
return( AccessAllowed );
|
|
}
|
|
|
|
|
|
BOOLEAN
|
|
ObpCheckObjectReference (
|
|
IN PVOID Object,
|
|
IN OUT PACCESS_STATE AccessState,
|
|
IN BOOLEAN TypeMutexLocked,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
OUT PNTSTATUS AccessStatus
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
The routine performs access validation on the passed object. The
|
|
remaining desired access mask is extracted from the AccessState
|
|
parameter and passes to the appropriate security routine to
|
|
perform the access check.
|
|
|
|
If the access attempt is successful, SeAccessCheck returns a mask
|
|
containing the granted accesses. The bits in this mask are turned
|
|
on in the PreviouslyGrantedAccess field of the AccessState, and
|
|
are turned off in the RemainingDesiredAccess field.
|
|
|
|
This routine differs from ObpCheckObjectAccess in that it calls
|
|
a different audit routine.
|
|
|
|
Arguments:
|
|
|
|
Object - The object being examined.
|
|
|
|
AccessState - The ACCESS_STATE structure containing accumulated
|
|
information about the current attempt to gain access to the object.
|
|
|
|
TypeMutexLocked - Indicates whether the type mutex for this object's
|
|
type is locked. The type mutex is used to protect the object's
|
|
security descriptor from being modified while it is being accessed.
|
|
|
|
AccessMode - The previous processor mode.
|
|
|
|
AccessStatus - Pointer to a variable to return the status code of the
|
|
access attempt. In the case of failure this status code must be
|
|
propagated back to the user.
|
|
|
|
|
|
Return Value:
|
|
|
|
BOOLEAN - TRUE if access is allowed and FALSE otherwise
|
|
|
|
--*/
|
|
|
|
{
|
|
BOOLEAN AccessAllowed;
|
|
ACCESS_MASK GrantedAccess = 0;
|
|
BOOLEAN MemoryAllocated;
|
|
PSECURITY_DESCRIPTOR SecurityDescriptor;
|
|
NTSTATUS Status;
|
|
POBJECT_HEADER ObjectHeader;
|
|
POBJECT_TYPE ObjectType;
|
|
PPRIVILEGE_SET Privileges = NULL;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// Map the object body to an object header and the
|
|
// corresponding object type
|
|
|
|
|
|
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
|
|
ObjectType = ObjectHeader->Type;
|
|
|
|
|
|
// If the caller does not have the object type locked
|
|
// then lock it down
|
|
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpEnterObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
|
|
// Obtain the object's security descriptor
|
|
|
|
|
|
Status = ObGetObjectSecurity( Object,
|
|
&SecurityDescriptor,
|
|
&MemoryAllocated );
|
|
|
|
|
|
// If we failed in getting the security descriptor then
|
|
// put the object type lock back where it was and return
|
|
// the error back to our caller
|
|
|
|
|
|
if (!NT_SUCCESS( Status )) {
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpLeaveObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
*AccessStatus = Status;
|
|
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
// Lock the caller's tokens until after auditing has been
|
|
// performed.
|
|
|
|
|
|
SeLockSubjectContext( &AccessState->SubjectSecurityContext );
|
|
|
|
|
|
// Do the access check, and if we have some privileges then
|
|
// put those in the access state too.
|
|
|
|
|
|
AccessAllowed = SeAccessCheck( SecurityDescriptor,
|
|
&AccessState->SubjectSecurityContext,
|
|
TRUE, // Tokens are locked
|
|
AccessState->RemainingDesiredAccess,
|
|
AccessState->PreviouslyGrantedAccess,
|
|
&Privileges,
|
|
&ObjectType->TypeInfo.GenericMapping,
|
|
AccessMode,
|
|
&GrantedAccess,
|
|
AccessStatus );
|
|
|
|
if (AccessAllowed) {
|
|
|
|
AccessState->PreviouslyGrantedAccess |= GrantedAccess;
|
|
AccessState->RemainingDesiredAccess &= ~GrantedAccess;
|
|
}
|
|
|
|
|
|
// If we have a security descriptor then call the security routine
|
|
// to audit this reference and then unlock the caller's token
|
|
|
|
|
|
if ( SecurityDescriptor != NULL ) {
|
|
|
|
SeObjectReferenceAuditAlarm( &AccessState->OperationID,
|
|
Object,
|
|
SecurityDescriptor,
|
|
&AccessState->SubjectSecurityContext,
|
|
AccessState->RemainingDesiredAccess | AccessState->PreviouslyGrantedAccess,
|
|
((PAUX_ACCESS_DATA)(AccessState->AuxData))->PrivilegesUsed,
|
|
AccessAllowed,
|
|
AccessMode );
|
|
}
|
|
|
|
SeUnlockSubjectContext( &AccessState->SubjectSecurityContext );
|
|
|
|
|
|
// If the caller didn't have the object type locked then remove
|
|
// our lock
|
|
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpLeaveObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
|
|
// Finally free the security descriptor
|
|
// and return to our caller
|
|
|
|
|
|
ObReleaseObjectSecurity( SecurityDescriptor,
|
|
MemoryAllocated );
|
|
|
|
return( AccessAllowed );
|
|
}
|
|
|
|
|
|
BOOLEAN
|
|
ObpCheckTraverseAccess (
|
|
IN PVOID DirectoryObject,
|
|
IN ACCESS_MASK TraverseAccess,
|
|
IN PACCESS_STATE AccessState OPTIONAL,
|
|
IN BOOLEAN TypeMutexLocked,
|
|
IN KPROCESSOR_MODE PreviousMode,
|
|
OUT PNTSTATUS AccessStatus
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine checks for traverse access to the given directory object.
|
|
|
|
Note that the contents of the AccessState structure are not
|
|
modified, since it is assumed that this access check is incidental
|
|
to another access operation.
|
|
|
|
Arguments:
|
|
|
|
DirectoryObject - The object body of the object being examined.
|
|
|
|
TraverseAccess - The desired access to the object, most likely DIRECTORY
|
|
TRAVERSE access.
|
|
|
|
AccessState - Checks for traverse access will typically be incidental
|
|
to some other access attempt. Information on the current state of
|
|
that access attempt is required so that the constituent access
|
|
attempts may be associated with each other in the audit log.
|
|
This is an OPTIONAL parameter, in which case the call will
|
|
success ONLY if the Directory Object grants World traverse
|
|
access rights.
|
|
|
|
TypeMutexLocked - Indicates whether the type mutex for this object's
|
|
type is locked. The type mutex is used to protect the object's
|
|
security descriptor from being modified while it is being accessed.
|
|
|
|
PreviousMode - The previous processor mode.
|
|
|
|
AccessStatus - Pointer to a variable to return the status code of the
|
|
access attempt. In the case of failure this status code must be
|
|
propagated back to the user.
|
|
|
|
Return Value:
|
|
|
|
BOOLEAN - TRUE if access is allowed and FALSE otherwise. AccessStatus
|
|
contains the status code to be passed back to the caller. It is not
|
|
correct to simply pass back STATUS_ACCESS_DENIED, since this will have
|
|
to change with the advent of mandatory access control.
|
|
|
|
--*/
|
|
|
|
{
|
|
BOOLEAN AccessAllowed;
|
|
ACCESS_MASK GrantedAccess = 0;
|
|
PSECURITY_DESCRIPTOR SecurityDescriptor;
|
|
BOOLEAN MemoryAllocated;
|
|
NTSTATUS Status;
|
|
POBJECT_HEADER ObjectHeader;
|
|
POBJECT_TYPE ObjectType;
|
|
BOOLEAN SubjectContextLocked = FALSE;
|
|
PPRIVILEGE_SET Privileges = NULL;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// Map the object body to an object header and corresponding
|
|
// object type
|
|
|
|
|
|
ObjectHeader = OBJECT_TO_OBJECT_HEADER( DirectoryObject );
|
|
ObjectType = ObjectHeader->Type;
|
|
|
|
|
|
// If the caller hasn't locked down the object type then
|
|
// lock it down now
|
|
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpEnterObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
|
|
// Obtain the object's security descriptor and make it was
|
|
// successful
|
|
|
|
|
|
Status = ObGetObjectSecurity( DirectoryObject,
|
|
&SecurityDescriptor,
|
|
&MemoryAllocated );
|
|
|
|
if (!NT_SUCCESS( Status )) {
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpLeaveObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
*AccessStatus = Status;
|
|
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
// Check to see if WORLD has TRAVERSE access, by seeing if the
|
|
// token is restricted or the fast traverse check fails meaning
|
|
// that the world does not have traverse access
|
|
|
|
|
|
if (((AccessState->Flags & TOKEN_IS_RESTRICTED) != 0)
|
|
|
|
||
|
|
|
|
(!SeFastTraverseCheck( SecurityDescriptor,
|
|
DIRECTORY_TRAVERSE,
|
|
PreviousMode ))) {
|
|
|
|
|
|
// SeFastTraverseCheck could be modified to tell us that
|
|
// no one has any access to this directory. However,
|
|
// we're going to have to fail this entire call if
|
|
// that is the case, so we really don't need to worry
|
|
// all that much about making it blindingly fast.
|
|
|
|
|
|
if (ARGUMENT_PRESENT( AccessState )) {
|
|
|
|
|
|
// The world does not have traverse access and we have
|
|
// the client's access state so lock down the client's
|
|
// token and then do the access check, appending privileges
|
|
// if present. The access check will give the answer
|
|
// we return back to our caller
|
|
|
|
|
|
SeLockSubjectContext( &AccessState->SubjectSecurityContext );
|
|
|
|
SubjectContextLocked = TRUE;
|
|
|
|
AccessAllowed = SeAccessCheck( SecurityDescriptor,
|
|
&AccessState->SubjectSecurityContext,
|
|
TRUE, // Tokens are locked
|
|
TraverseAccess,
|
|
0,
|
|
&Privileges,
|
|
&ObjectType->TypeInfo.GenericMapping,
|
|
PreviousMode,
|
|
&GrantedAccess,
|
|
AccessStatus );
|
|
|
|
if (Privileges != NULL) {
|
|
|
|
Status = SeAppendPrivileges( AccessState,
|
|
Privileges );
|
|
|
|
SeFreePrivileges( Privileges );
|
|
}
|
|
}
|
|
|
|
} else {
|
|
|
|
|
|
// At this point the world has traverse access
|
|
|
|
|
|
AccessAllowed = TRUE;
|
|
}
|
|
|
|
|
|
// If the client's token is locked then now we can unlock it
|
|
|
|
// **** this should be able to move up into the preceding clause
|
|
// where it is locked
|
|
|
|
|
|
if ( SubjectContextLocked ) {
|
|
|
|
SeUnlockSubjectContext( &AccessState->SubjectSecurityContext );
|
|
}
|
|
|
|
|
|
// If the caller did not lock the object type then we
|
|
// now need to unlock it
|
|
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpLeaveObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
|
|
// Finally free the security descriptor
|
|
// and then return to our caller
|
|
|
|
|
|
ObReleaseObjectSecurity( SecurityDescriptor,
|
|
MemoryAllocated );
|
|
|
|
return( AccessAllowed );
|
|
}
|
|
|
|
|
|
BOOLEAN
|
|
ObCheckCreateObjectAccess (
|
|
IN PVOID DirectoryObject,
|
|
IN ACCESS_MASK CreateAccess,
|
|
IN PACCESS_STATE AccessState,
|
|
IN PUNICODE_STRING ComponentName,
|
|
IN BOOLEAN TypeMutexLocked,
|
|
IN KPROCESSOR_MODE PreviousMode,
|
|
OUT PNTSTATUS AccessStatus
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine checks to see if we are allowed to create an object in the
|
|
given directory, and performs auditing as appropriate.
|
|
|
|
Arguments:
|
|
|
|
DirectoryObject - The directory object being examined.
|
|
|
|
CreateAccess - The access mask corresponding to create access for
|
|
this directory type.
|
|
|
|
AccessState - Checks for traverse access will typically be incidental
|
|
to some other access attempt. Information on the current state of
|
|
that access attempt is required so that the constituent access
|
|
attempts may be associated with each other in the audit log.
|
|
|
|
ComponentName - Pointer to a Unicode string containing the name of
|
|
the object being created.
|
|
|
|
TypeMutexLocked - Indicates whether the type mutex for this object's
|
|
type is locked. The type mutex is used to protect the object's
|
|
security descriptor from being modified while it is being accessed.
|
|
|
|
PreviousMode - The previous processor mode.
|
|
|
|
AccessStatus - Pointer to a variable to return the status code of the
|
|
access attempt. In the case of failure this status code must be
|
|
propagated back to the user.
|
|
|
|
Return Value:
|
|
|
|
BOOLEAN - TRUE if access is allowed and FALSE otherwise. AccessStatus
|
|
contains the status code to be passed back to the caller. It is not
|
|
correct to simply pass back STATUS_ACCESS_DENIED, since this will have
|
|
to change with the advent of mandatory access control.
|
|
|
|
--*/
|
|
|
|
{
|
|
BOOLEAN AccessAllowed;
|
|
ACCESS_MASK GrantedAccess = 0;
|
|
PSECURITY_DESCRIPTOR SecurityDescriptor;
|
|
BOOLEAN MemoryAllocated;
|
|
NTSTATUS Status;
|
|
POBJECT_HEADER ObjectHeader;
|
|
POBJECT_TYPE ObjectType;
|
|
PPRIVILEGE_SET Privileges = NULL;
|
|
BOOLEAN AuditPerformed = FALSE;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// Map the object body to its object header and corresponding
|
|
// object type
|
|
|
|
|
|
ObjectHeader = OBJECT_TO_OBJECT_HEADER( DirectoryObject );
|
|
ObjectType = ObjectHeader->Type;
|
|
|
|
|
|
// If the caller didn't lock the object type down then
|
|
// we'll do it now
|
|
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpEnterObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
|
|
// Obtain the object's security descriptor and make it was
|
|
// successful
|
|
|
|
|
|
Status = ObGetObjectSecurity( DirectoryObject,
|
|
&SecurityDescriptor,
|
|
&MemoryAllocated );
|
|
|
|
if (!NT_SUCCESS( Status )) {
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpLeaveObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
*AccessStatus = Status;
|
|
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
// lock the caller's tokens until after auditing has been
|
|
// performed.
|
|
|
|
|
|
SeLockSubjectContext( &AccessState->SubjectSecurityContext );
|
|
|
|
|
|
// if we have a security descriptor then do an access
|
|
// check to see if access is allowed and set in the
|
|
// privileges if necessary
|
|
|
|
|
|
if (SecurityDescriptor != NULL) {
|
|
|
|
AccessAllowed = SeAccessCheck( SecurityDescriptor,
|
|
&AccessState->SubjectSecurityContext,
|
|
TRUE, // Tokens are locked
|
|
CreateAccess,
|
|
0,
|
|
&Privileges,
|
|
&ObjectType->TypeInfo.GenericMapping,
|
|
PreviousMode,
|
|
&GrantedAccess,
|
|
AccessStatus );
|
|
|
|
if (Privileges != NULL) {
|
|
|
|
Status = SeAppendPrivileges( AccessState,
|
|
Privileges );
|
|
|
|
SeFreePrivileges( Privileges );
|
|
}
|
|
|
|
|
|
// This is wrong, but leave for reference.
|
|
|
|
// if (AccessAllowed) {
|
|
|
|
// AccessState->PreviouslyGrantedAccess |= GrantedAccess;
|
|
// AccessState->RemainingDesiredAccess &= ~GrantedAccess;
|
|
// }
|
|
|
|
|
|
#if 0
|
|
SeCreateObjectAuditAlarm( &AccessState->OperationID,
|
|
DirectoryObject,
|
|
ComponentName,
|
|
SecurityDescriptor,
|
|
&AccessState->SubjectSecurityContext,
|
|
CreateAccess,
|
|
AccessState->PrivilegesUsed,
|
|
AccessAllowed,
|
|
&AuditPerformed,
|
|
PreviousMode );
|
|
|
|
if ( AuditPerformed ) {
|
|
|
|
AccessState->AuditHandleCreation = TRUE;
|
|
}
|
|
#endif
|
|
|
|
} else {
|
|
|
|
|
|
// At this point there is not a security descriptor
|
|
// so we'll assume access is allowed
|
|
|
|
|
|
AccessAllowed = TRUE;
|
|
}
|
|
|
|
|
|
// Free the caller's token and if the caller didn't have the
|
|
// object type locked we need to free it.
|
|
|
|
|
|
SeUnlockSubjectContext( &AccessState->SubjectSecurityContext );
|
|
|
|
if (!TypeMutexLocked) {
|
|
|
|
ObpLeaveObjectTypeMutex( ObjectType );
|
|
}
|
|
|
|
|
|
// Finally free the security descriptor
|
|
// and return to our caller
|
|
|
|
|
|
ObReleaseObjectSecurity( SecurityDescriptor,
|
|
MemoryAllocated );
|
|
|
|
return( AccessAllowed );
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
ObAssignObjectSecurityDescriptor (
|
|
IN PVOID Object,
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
|
|
IN POOL_TYPE PoolType // This field is currently ignored.
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Takes a pointer to an object and sets the SecurityDescriptor field
|
|
in the object's header.
|
|
|
|
Arguments:
|
|
|
|
Object - Supplies a pointer to the object
|
|
|
|
SecurityDescriptor - Supplies a pointer to the security descriptor
|
|
to be assigned to the object. This pointer may be null if there
|
|
is no security on the object.
|
|
|
|
PoolType - Supplies the type of pool memory used to allocate the
|
|
security descriptor. This field is currently ignored.
|
|
|
|
Return Value:
|
|
|
|
An appropriate NTSTATUS value.
|
|
|
|
--*/
|
|
|
|
{
|
|
NTSTATUS Status;
|
|
PSECURITY_DESCRIPTOR OutputSecurityDescriptor;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// If the security descriptor isn't supplied then we set the
|
|
// object header's security descriptor to null and return
|
|
// to our caller
|
|
|
|
|
|
if (!ARGUMENT_PRESENT(SecurityDescriptor)) {
|
|
|
|
OBJECT_TO_OBJECT_HEADER( Object )->SecurityDescriptor = NULL;
|
|
|
|
return( STATUS_SUCCESS );
|
|
}
|
|
|
|
|
|
// Log the new security descriptor into our security database and
|
|
// get back the real security descriptor to use
|
|
|
|
|
|
Status = ObpLogSecurityDescriptor( SecurityDescriptor, &OutputSecurityDescriptor );
|
|
|
|
|
|
// If we've been successful so far then set the object's
|
|
// security descriptor to the newly allocated one.
|
|
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
OBJECT_TO_OBJECT_HEADER( Object )->SecurityDescriptor = OutputSecurityDescriptor;
|
|
}
|
|
|
|
|
|
// And return to our caller
|
|
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
ObGetObjectSecurity (
|
|
IN PVOID Object,
|
|
OUT PSECURITY_DESCRIPTOR *SecurityDescriptor,
|
|
OUT PBOOLEAN MemoryAllocated
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Given an object, this routine will find its security descriptor.
|
|
It will do this by calling the object's security method.
|
|
|
|
It is possible for an object not to have a security descriptor
|
|
at all. Unnamed objects such as events that can only be referenced
|
|
by a handle are an example of an object that does not have a
|
|
security descriptor.
|
|
|
|
Arguments:
|
|
|
|
Object - Supplies the object body being queried.
|
|
|
|
SecurityDescriptor - Returns a pointer to the object's security
|
|
descriptor.
|
|
|
|
MemoryAllocated - indicates whether we had to allocate pool
|
|
memory to hold the security descriptor or not. This should
|
|
be passed back into ObReleaseObjectSecurity.
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS - The operation was successful. Note that the
|
|
operation may be successful and still return a NULL security
|
|
descriptor.
|
|
|
|
STATUS_INSUFFICIENT_RESOURCES - Insufficient memory was available
|
|
to satisfy the request.
|
|
|
|
--*/
|
|
|
|
{
|
|
SECURITY_INFORMATION SecurityInformation;
|
|
ULONG Length = 0;
|
|
NTSTATUS Status;
|
|
POBJECT_TYPE ObjectType;
|
|
POBJECT_HEADER ObjectHeader;
|
|
KIRQL SaveIrql;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// Map the object body to its object header and corresponding
|
|
// object type
|
|
|
|
|
|
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
|
|
ObjectType = ObjectHeader->Type;
|
|
|
|
|
|
// If the object is one that uses the default object method,
|
|
// its security descriptor is contained in ob's security
|
|
// descriptor cache.
|
|
|
|
// Reference it so that it doesn't go away out from under us.
|
|
|
|
|
|
if (ObpCentralizedSecurity(ObjectType)) {
|
|
|
|
*SecurityDescriptor = ObpReferenceSecurityDescriptor( Object );
|
|
|
|
*MemoryAllocated = FALSE;
|
|
|
|
return( STATUS_SUCCESS );
|
|
}
|
|
|
|
|
|
// Request a complete security descriptor
|
|
|
|
|
|
SecurityInformation = OWNER_SECURITY_INFORMATION |
|
|
GROUP_SECURITY_INFORMATION |
|
|
DACL_SECURITY_INFORMATION |
|
|
SACL_SECURITY_INFORMATION;
|
|
|
|
|
|
// Call the security method with Length = 0 to find out
|
|
// how much memory we need to store the final result.
|
|
|
|
// Note that the ObjectsSecurityDescriptor parameter is NULL,
|
|
// because we expect whoever is on the other end of this call
|
|
// to find the security descriptor for us. We pass in a pool
|
|
// type to keep the compiler happy, it will not be used for a
|
|
// query operation.
|
|
|
|
|
|
|
|
ObpBeginTypeSpecificCallOut( SaveIrql );
|
|
|
|
Status = (*ObjectType->TypeInfo.SecurityProcedure)( Object,
|
|
QuerySecurityDescriptor,
|
|
&SecurityInformation,
|
|
*SecurityDescriptor,
|
|
&Length,
|
|
&ObjectHeader->SecurityDescriptor, // not used
|
|
ObjectType->TypeInfo.PoolType,
|
|
&ObjectType->TypeInfo.GenericMapping );
|
|
|
|
ObpEndTypeSpecificCallOut( SaveIrql, "Security", ObjectType, Object );
|
|
|
|
if (Status != STATUS_BUFFER_TOO_SMALL) {
|
|
return( Status );
|
|
}
|
|
|
|
|
|
// Now that we know how large the security descriptor is we
|
|
// can allocate space for it
|
|
*SecurityDescriptor = ExAllocatePoolWithTag( PagedPool, Length, 'qSbO' );
|
|
if (*SecurityDescriptor == NULL) {
|
|
return( STATUS_INSUFFICIENT_RESOURCES );
|
|
}
|
|
|
|
*MemoryAllocated = TRUE;
|
|
|
|
|
|
// The security method will return an absolute format
|
|
// security descriptor that just happens to be in a self
|
|
// contained buffer (not to be confused with a self-relative
|
|
// security descriptor).
|
|
|
|
|
|
ObpBeginTypeSpecificCallOut( SaveIrql );
|
|
|
|
Status = (*ObjectType->TypeInfo.SecurityProcedure)( Object,
|
|
QuerySecurityDescriptor,
|
|
&SecurityInformation,
|
|
*SecurityDescriptor,
|
|
&Length,
|
|
&ObjectHeader->SecurityDescriptor,
|
|
ObjectType->TypeInfo.PoolType,
|
|
&ObjectType->TypeInfo.GenericMapping );
|
|
|
|
ObpEndTypeSpecificCallOut( SaveIrql, "Security", ObjectType, Object );
|
|
|
|
if (!NT_SUCCESS( Status )) {
|
|
|
|
ExFreePool( *SecurityDescriptor );
|
|
|
|
*MemoryAllocated = FALSE;
|
|
}
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
VOID
|
|
ObReleaseObjectSecurity (
|
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN BOOLEAN MemoryAllocated
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function will free up any memory associated with a queried
|
|
security descriptor. This undoes the function ObGetObjectSecurity
|
|
|
|
Arguments:
|
|
|
|
SecurityDescriptor - Supplies a pointer to the security descriptor
|
|
to be freed.
|
|
|
|
MemoryAllocated - Supplies whether or not we should free the
|
|
memory pointed to by SecurityDescriptor.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
PAGED_CODE();
|
|
|
|
|
|
// Check if there is a security descriptor to actually free
|
|
|
|
|
|
if ( SecurityDescriptor != NULL ) {
|
|
|
|
|
|
// If ObGetObjectSecurity allocated memory then we
|
|
// need to free it. Otherwise what the earlier routine did
|
|
// was reference the object to keep the security descriptor
|
|
// to keep it from going away
|
|
|
|
|
|
if (MemoryAllocated) {
|
|
|
|
ExFreePool( SecurityDescriptor );
|
|
|
|
} else {
|
|
|
|
ObpDereferenceSecurityDescriptor( SecurityDescriptor );
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
ObValidateSecurityQuota (
|
|
IN PVOID Object,
|
|
IN ULONG NewSize
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine will check to see if the new security information
|
|
is larger than is allowed by the object's pre-allocated quota.
|
|
|
|
Arguments:
|
|
|
|
Object - Supplies a pointer to the object whose information is to be
|
|
modified.
|
|
|
|
NewSize - Supplies the size of the proposed new security
|
|
information.
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS - New size is within alloted quota.
|
|
|
|
STATUS_QUOTA_EXCEEDED - The desired adjustment would have exceeded
|
|
the permitted security quota for this object.
|
|
|
|
--*/
|
|
|
|
{
|
|
POBJECT_HEADER ObjectHeader;
|
|
POBJECT_HEADER_QUOTA_INFO QuotaInfo;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// Map the object body to its object header and corresponding
|
|
// quota information block
|
|
|
|
|
|
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
|
|
QuotaInfo = OBJECT_HEADER_TO_QUOTA_INFO( ObjectHeader );
|
|
|
|
|
|
// If there isn't any quota info and the new size is greater
|
|
// then the default security quota then if the object uses
|
|
// the default value then we've exceeded quota otherwise
|
|
// let the caller get the quota
|
|
|
|
|
|
if ((QuotaInfo == NULL) && (NewSize > SE_DEFAULT_SECURITY_QUOTA)) {
|
|
|
|
if (!(ObjectHeader->Flags & OB_FLAG_DEFAULT_SECURITY_QUOTA)) {
|
|
|
|
|
|
// Should really charge quota here.
|
|
|
|
|
|
return( STATUS_SUCCESS );
|
|
}
|
|
|
|
return( STATUS_QUOTA_EXCEEDED );
|
|
|
|
|
|
// If the quota is not null and the new size is greater than the
|
|
// allowed quota charge then if the charge is zero we grant the
|
|
// request otherwise we've exceeded quota.
|
|
|
|
// **** this logic seems wierd
|
|
|
|
|
|
} else if ((QuotaInfo != NULL) && (NewSize > QuotaInfo->SecurityDescriptorCharge)) {
|
|
|
|
if (QuotaInfo->SecurityDescriptorCharge == 0) {
|
|
|
|
|
|
// Should really charge quota here.
|
|
|
|
|
|
// QuotaInfo->SecurityDescriptorCharge = SeComputeSecurityQuota( NewSize );
|
|
|
|
return( STATUS_SUCCESS );
|
|
}
|
|
|
|
return( STATUS_QUOTA_EXCEEDED );
|
|
|
|
|
|
// Otherwise we have two cases. (1) there isn't any quota info but
|
|
// the size is within limits or (2) there is a quota info block and
|
|
// the size is within the specified security descriptor charge so
|
|
// return success to our caller
|
|
|
|
|
|
} else {
|
|
|
|
return( STATUS_SUCCESS );
|
|
}
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
ObAssignSecurity (
|
|
IN PACCESS_STATE AccessState,
|
|
IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
|
|
IN PVOID Object,
|
|
IN POBJECT_TYPE ObjectType
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine will assign a security descriptor to a newly created object.
|
|
It assumes that the AccessState parameter contains a captured security
|
|
descriptor.
|
|
|
|
Arguments:
|
|
|
|
AccessState - The AccessState containing the security information
|
|
for this object creation.
|
|
|
|
ParentDescriptor - The security descriptor from the parent object, if
|
|
available.
|
|
|
|
Object - A pointer to the object being created.
|
|
|
|
ObjectType - Supplies the type of object being created.
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS - indicates the operation was successful.
|
|
|
|
STATUS_INVALID_OWNER - The owner SID provided as the owner of the
|
|
target security descriptor is not one the caller is authorized
|
|
to assign as the owner of an object.
|
|
|
|
STATUS_PRIVILEGE_NOT_HELD - The caller does not have the privilege
|
|
necessary to explicitly assign the specified system ACL.
|
|
SeSecurityPrivilege privilege is needed to explicitly assign
|
|
system ACLs to objects.
|
|
|
|
--*/
|
|
|
|
{
|
|
PSECURITY_DESCRIPTOR NewDescriptor = NULL;
|
|
NTSTATUS Status;
|
|
KIRQL SaveIrql;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// SeAssignSecurity will construct the final version
|
|
// of the security descriptor
|
|
|
|
|
|
Status = SeAssignSecurity( ParentDescriptor,
|
|
AccessState->SecurityDescriptor,
|
|
&NewDescriptor,
|
|
(BOOLEAN)(ObjectType == ObpDirectoryObjectType),
|
|
&AccessState->SubjectSecurityContext,
|
|
&ObjectType->TypeInfo.GenericMapping,
|
|
PagedPool );
|
|
|
|
if (!NT_SUCCESS( Status )) {
|
|
|
|
return( Status );
|
|
}
|
|
|
|
ObpBeginTypeSpecificCallOut( SaveIrql );
|
|
|
|
|
|
// Now invoke the security method callback to finish
|
|
// the assignment.
|
|
|
|
|
|
Status = (*ObjectType->TypeInfo.SecurityProcedure)( Object,
|
|
AssignSecurityDescriptor,
|
|
NULL,
|
|
NewDescriptor,
|
|
NULL,
|
|
NULL,
|
|
PagedPool,
|
|
&ObjectType->TypeInfo.GenericMapping );
|
|
|
|
ObpEndTypeSpecificCallOut( SaveIrql, "Security", ObjectType, Object );
|
|
|
|
if (!NT_SUCCESS( Status )) {
|
|
|
|
|
|
// The attempt to assign the security descriptor to the object
|
|
// failed. Free the space used by the new security descriptor.
|
|
|
|
|
|
SeDeassignSecurity( &NewDescriptor );
|
|
}
|
|
|
|
|
|
// And return to our caller
|
|
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
|
|
NTSTATUS
|
|
ObQuerySecurityDescriptorInfo(
|
|
IN PSECURITY_INFORMATION SecurityInformation,
|
|
OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN OUT PULONG Length,
|
|
IN PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine will extract the desired information from the
|
|
passed security descriptor and return the information in
|
|
the passed buffer as a security descriptor in self-relative
|
|
format.
|
|
|
|
This routine assumes that all parameters are captured and
|
|
safe to reference.
|
|
|
|
Arguments:
|
|
|
|
SecurityInformation - Specifies what information is being queried.
|
|
|
|
SecurityDescriptor - Supplies the buffer to output the requested
|
|
information into.
|
|
|
|
This buffer has been probed only to the size indicated by
|
|
the Length parameter. Since it still points into user space,
|
|
it must always be accessed in a try clause.
|
|
|
|
Length - Supplies the address of a variable containing the length of
|
|
the security descriptor buffer. Upon return this variable will
|
|
contain the length needed to store the requested information.
|
|
|
|
ObjectsSecurityDescriptor - Supplies the address of a pointer to
|
|
the objects security descriptor. The passed security descriptor
|
|
must be in self-relative format.
|
|
|
|
Return Value:
|
|
|
|
NTSTATUS - STATUS_SUCCESS if successful and an appropriate error value
|
|
otherwise
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// Take the read lock on the security descriptor cache so we
|
|
// don't collide with anyone who is modifying this security
|
|
// descriptor (bug 347986).
|
|
|
|
|
|
ObpAcquireDescriptorCacheReadLock();
|
|
|
|
Status = SeQuerySecurityDescriptorInfo( SecurityInformation,
|
|
SecurityDescriptor,
|
|
Length,
|
|
ObjectsSecurityDescriptor
|
|
);
|
|
ObpReleaseDescriptorCacheLock();
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
|
|
NTSTATUS
|
|
ObSetSecurityDescriptorInfo (
|
|
IN PVOID Object,
|
|
IN PSECURITY_INFORMATION SecurityInformation,
|
|
IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
|
|
IN POOL_TYPE PoolType,
|
|
IN PGENERIC_MAPPING GenericMapping
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Sets the security descriptor on an already secure object.
|
|
|
|
Arguments:
|
|
|
|
Object - Pointer to the object being modified.
|
|
|
|
SecurityInformation - Describes which information in the SecurityDescriptor parameter
|
|
is relevent.
|
|
|
|
SecurityDescriptor - Provides the new security information.
|
|
|
|
ObjectsSecurityDescriptor - Provides/returns the object's security descriptor.
|
|
|
|
PoolType - The pool the ObjectSecurityDescriptor is allocated from.
|
|
|
|
GenericMapping - Supplies the generic mapping for the object.
|
|
|
|
Return Value:
|
|
|
|
An appropriate status value
|
|
|
|
--*/
|
|
|
|
{
|
|
PSECURITY_DESCRIPTOR OldDescriptor;
|
|
PSECURITY_DESCRIPTOR NewDescriptor;
|
|
NTSTATUS Status;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// Check the rest of our input and call the default set security
|
|
// method. Also make sure no one is modifying the security descriptor
|
|
// while we're looking at it.
|
|
|
|
|
|
ObpAcquireDescriptorCacheWriteLock();
|
|
|
|
OldDescriptor = *ObjectsSecurityDescriptor;
|
|
NewDescriptor = OldDescriptor;
|
|
|
|
Status = SeSetSecurityDescriptorInfo( Object,
|
|
SecurityInformation,
|
|
SecurityDescriptor,
|
|
&NewDescriptor,
|
|
PoolType,
|
|
GenericMapping );
|
|
|
|
|
|
// Now if the object is an object directory object that
|
|
// participated in snapped symbolic links. If so and the
|
|
// new security on the object does NOT allow world traverse
|
|
// access, then return an error, as it is too late to change
|
|
// the security on the object directory at this point.
|
|
|
|
|
|
if (NT_SUCCESS( Status )
|
|
|
|
&&
|
|
|
|
(OBJECT_TO_OBJECT_HEADER( Object )->Type == ObpDirectoryObjectType)
|
|
|
|
&&
|
|
|
|
(((POBJECT_DIRECTORY)Object)->SymbolicLinkUsageCount != 0)
|
|
|
|
&&
|
|
|
|
!SeFastTraverseCheck( NewDescriptor, DIRECTORY_TRAVERSE, UserMode )) {
|
|
|
|
KdPrint(( "OB: Failing attempt the remove world traverse access from object directory\n" ));
|
|
|
|
ExFreePool( NewDescriptor );
|
|
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
|
|
// If we successfully set the new security descriptor then we
|
|
// need to log it in our database and get yet another pointer
|
|
// to the finaly security descriptor
|
|
|
|
|
|
if ( NT_SUCCESS( Status )) {
|
|
|
|
Status = ObpLogSecurityDescriptor( NewDescriptor,
|
|
ObjectsSecurityDescriptor );
|
|
|
|
ObpReleaseDescriptorCacheLock();
|
|
|
|
if ( NT_SUCCESS( Status )) {
|
|
|
|
|
|
// Dereference old SecurityDescriptor and insert new one
|
|
|
|
|
|
ObpDereferenceSecurityDescriptor( OldDescriptor );
|
|
|
|
} else {
|
|
|
|
|
|
// We failed logging the new security descriptor.
|
|
// Clean up and fail the entire operation.
|
|
|
|
|
|
ExFreePool( NewDescriptor );
|
|
}
|
|
} else {
|
|
|
|
|
|
// Release the security descriptor lock
|
|
|
|
|
|
ObpReleaseDescriptorCacheLock();
|
|
}
|
|
|
|
|
|
// And return to our caller
|
|
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
ObpValidateAccessMask (
|
|
PACCESS_STATE AccessState
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Checks the desired access mask of a passed object against the
|
|
passed security descriptor.
|
|
|
|
Arguments:
|
|
|
|
AccessState - A pointer to the AccessState for the pending operation.
|
|
|
|
Return Value:
|
|
|
|
Only returns STATUS_SUCCESS
|
|
|
|
--*/
|
|
|
|
{
|
|
SECURITY_DESCRIPTOR *SecurityDescriptor = AccessState->SecurityDescriptor;
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
// First make sure the access state has a security descriptor. If there
|
|
// is one and it has a system acl and the previously granted access did
|
|
// not include system security then add the fact that we want system
|
|
// security to the remaining desired access state.
|
|
|
|
|
|
if (SecurityDescriptor != NULL) {
|
|
|
|
if ( SecurityDescriptor->Control & SE_SACL_PRESENT ) {
|
|
|
|
if ( !(AccessState->PreviouslyGrantedAccess & ACCESS_SYSTEM_SECURITY)) {
|
|
|
|
AccessState->RemainingDesiredAccess |= ACCESS_SYSTEM_SECURITY;
|
|
}
|
|
}
|
|
}
|
|
|
|
return( STATUS_SUCCESS );
|
|
}
|
|
|