/*++ Copyright (c) 1989 Microsoft Corporation Module Name: lpcpriv.c Abstract: Local Inter-Process Communication priviledged procedures that implement client impersonation. Author: Steve Wood (stevewo) 15-Nov-1989 Revision History: --*/ #include "lpcp.h" #ifdef ALLOC_PRAGMA #pragma alloc_text(PAGE,LpcpFreePortClientSecurity) #pragma alloc_text(PAGE,NtImpersonateClientOfPort) #endif NTSTATUS NtImpersonateClientOfPort ( IN HANDLE PortHandle, IN PPORT_MESSAGE Message ) /*++ Routine Description: This procedure is used by the server thread to temporarily acquire the identifier set of a client thread. This service establishes an impersonation token for the calling thread. The impersonation token corresponds to the context provided by the port client. The client must currently be waiting for a reply to the specified message. This service returns an error status code if the client thread is not waiting for a reply to the message. The security quality of service parameters specified by the client upon connection dictate what use the server will have of the client's security context. For complicated or extended impersonation needs, the server may open a copy of the client's token (using NtOpenThreadToken()). This must be done while impersonating the client. Arguments: PortHandle - Specifies the handle of the communication port that the message was received from. Message - Specifies an address of a message that was received from the client that is to be impersonated. The ClientId field of the message identifies the client thread that is to be impersonated. The client thread must be waiting for a reply to the message in order to impersonate the client. Return Value: NTSTATUS - Status code that indicates whether or not the operation was successful. --*/ { PLPCP_PORT_OBJECT PortObject; PLPCP_PORT_OBJECT ConnectedPort; KPROCESSOR_MODE PreviousMode; NTSTATUS Status; PETHREAD ClientThread; CLIENT_ID CapturedClientId; ULONG CapturedMessageId; SECURITY_CLIENT_CONTEXT DynamicSecurity; PAGED_CODE(); // // Get previous processor mode and probe output arguments if necessary. // PreviousMode = KeGetPreviousMode(); if (PreviousMode != KernelMode) { try { ProbeForReadSmallStructure( Message, sizeof( PORT_MESSAGE ), sizeof( ULONG )); CapturedClientId = Message->ClientId; CapturedMessageId = Message->MessageId; } except( EXCEPTION_EXECUTE_HANDLER ) { return( GetExceptionCode() ); } } else { CapturedClientId = Message->ClientId; CapturedMessageId = Message->MessageId; } // // Reference the communication port object by handle. Return status if // unsuccessful. // Status = LpcpReferencePortObject( PortHandle, 0, PreviousMode, &PortObject ); if (!NT_SUCCESS( Status )) { return( Status ); } // // It is an error to try this on any port other than a server // communication port // if ((PortObject->Flags & PORT_TYPE) != SERVER_COMMUNICATION_PORT) { ObDereferenceObject( PortObject ); return( STATUS_INVALID_PORT_HANDLE ); } // // Translate the ClientId from the connection request into a // thread pointer. This is a referenced pointer to keep the thread // from evaporating out from under us. // Status = PsLookupProcessThreadByCid( &CapturedClientId, NULL, &ClientThread ); if (!NT_SUCCESS( Status )) { ObDereferenceObject( PortObject ); return( Status ); } // // Acquire the mutex that guards the LpcReplyMessage field of // the thread and get the pointer to the message that the thread // is waiting for a reply to. // LpcpAcquireLpcpLock(); // // The connected port can be in a state with 0 references in a deletion process. // We need to test this case while referencing it. // ConnectedPort = PortObject->ConnectedPort; if ( ( ConnectedPort == NULL ) || ( !ObReferenceObjectSafe( ConnectedPort ) ) ) { // // The port is being deleted. Quit this function with // appropriate return status. // We don't need to dereference the connected port because // it is anyway about to be deleted // LpcpReleaseLpcpLock(); ObDereferenceObject( PortObject ); ObDereferenceObject( ClientThread ); return( STATUS_PORT_DISCONNECTED ); } // // See if the thread is waiting for a reply to the message // specified on this call, if the user gave us a bad // message id. If not then a bogus message // has been specified, so return failure. // // // The W2k fix searched the client thread in the rundown queue, to make sure // we are not impersonating a port from a different connection. Ones we added the port // to the thread structure to fix other security issues for reply os accessing data // we can use that easy test for the impersonation too, w/o searching the rundown queue // if ((ClientThread->LpcReplyMessageId != CapturedMessageId) || (CapturedMessageId == 0) || (!LpcpValidateClientPort( ClientThread, PortObject, LPCP_VALIDATE_REASON_IMPERSONATION)) ) { LpcpReleaseLpcpLock(); ObDereferenceObject( PortObject ); ObDereferenceObject( ClientThread ); ObDereferenceObject( ConnectedPort ); return (STATUS_REPLY_MESSAGE_MISMATCH); } // // Test whether the client allows impersonation for this message or not. // if (LpcpGetThreadAttributes(ClientThread) & LPCP_NO_IMPERSONATION) { LpcpReleaseLpcpLock(); ObDereferenceObject( PortObject ); ObDereferenceObject( ClientThread ); ObDereferenceObject( ConnectedPort ); return (STATUS_ACCESS_DENIED); } LpcpReleaseLpcpLock(); // // If the client requested dynamic security tracking, then the client // security needs to be referenced. Otherwise, (static case) // it is already in the client's port. // if (ConnectedPort->Flags & PORT_DYNAMIC_SECURITY) { // // Impersonate the client with information from the queued message // Status = LpcpGetDynamicClientSecurity( ClientThread, ConnectedPort, &DynamicSecurity ); if (!NT_SUCCESS( Status )) { ObDereferenceObject( PortObject ); ObDereferenceObject( ClientThread ); ObDereferenceObject( ConnectedPort ); return( Status ); } Status = SeImpersonateClientEx( &DynamicSecurity, NULL ); LpcpFreeDynamicClientSecurity( &DynamicSecurity ); } else { // // Impersonate the client with information from the client's port // Status = SeImpersonateClientEx( &ConnectedPort->StaticSecurity, NULL ); } ObDereferenceObject( PortObject ); ObDereferenceObject( ClientThread ); ObDereferenceObject( ConnectedPort ); // // And return to our caller // return Status; } VOID LpcpFreePortClientSecurity ( IN PLPCP_PORT_OBJECT Port ) /*++ Routine Description: This routine cleans up the captured security context for a client port. The cleanup is typically done when we are deleting a port Arguments: Port - Supplies the client port being deleted Return Value: None. --*/ { // // We only do this action if supplied with a client communication port // if ((Port->Flags & PORT_TYPE) == CLIENT_COMMUNICATION_PORT) { // // We only do this action if the port has static security tracking, // and we have a captured client token. The action is to simply // delete the client token. // if (!(Port->Flags & PORT_DYNAMIC_SECURITY)) { if ( Port->StaticSecurity.ClientToken ) { SeDeleteClientSecurity( &(Port)->StaticSecurity ); } } } // // And return to our caller // return; }