archive
/
windows-nt-4.0
mirror of https://github.com/lianthony/NT4.0
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Windows NT 4.0 source code leak
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
184 MiB
Tree: b4a8d373d8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b4a8d373d8'
${ noResults }
windows-nt-4.0/private/ntos/se/privileg.c

574 lines
13 KiB
Raw Normal View History

initial commit
4 years ago
  1. /*++
  3. Copyright (c) 1989 Microsoft Corporation
  5. Module Name:
  7. Privileg.c
  9. Abstract:
  11. This Module implements the privilege check procedures.
  13. Author:
  15. Robert Reichel (robertre) 26-Nov-90
  17. Environment:
  19. Kernel Mode
  21. Revision History:
  23. --*/
  25. #include "tokenp.h"
  28. #ifdef ALLOC_PRAGMA
  29. #pragma alloc_text(PAGE,NtPrivilegeCheck)
  30. #pragma alloc_text(PAGE,SeCheckPrivilegedObject)
  31. #pragma alloc_text(PAGE,SepPrivilegeCheck)
  32. #pragma alloc_text(PAGE,SePrivilegeCheck)
  33. #pragma alloc_text(PAGE,SeSinglePrivilegeCheck)
  34. #endif
  37. BOOLEAN
  38. SepPrivilegeCheck(
  39. IN PTOKEN Token,
  40. IN OUT PLUID_AND_ATTRIBUTES RequiredPrivileges,
  41. IN ULONG RequiredPrivilegeCount,
  42. IN ULONG PrivilegeSetControl,
  43. IN KPROCESSOR_MODE PreviousMode
  44. )
  45. /*++
  47. Routine Description:
  49. Worker routine for SePrivilegeCheck
  51. Arguments:
  53. Token - The user's effective token.
  55. RequiredPrivileges - A privilege set describing the required
  56. privileges. The UsedForAccess bits will be set in any privilege
  57. that is actually used (usually all of them).
  59. RequiredPrivilegeCount - How many privileges are in the
  60. RequiredPrivileges set.
  62. PrivilegeSetControl - Describes how many privileges are required.
  64. PreviousMode - The previous processor mode.
  66. Return Value:
  68. Returns TRUE if requested privileges are granted, FALSE otherwise.
  70. --*/
  72. {
  73. PLUID_AND_ATTRIBUTES CurrentRequiredPrivilege;
  74. PLUID_AND_ATTRIBUTES CurrentTokenPrivilege;
  76. BOOLEAN RequiredAll;
  78. ULONG TokenPrivilegeCount;
  79. ULONG MatchCount = 0;
  81. ULONG i;
  82. ULONG j;
  84. PAGED_CODE();
  86. //
  87. // Take care of kernel callers first
  88. //
  90. if (PreviousMode == KernelMode) {
  92. return(TRUE);
  94. }
  96. SepAcquireTokenReadLock( Token );
  98. TokenPrivilegeCount = Token->PrivilegeCount;
  100. //
  101. // Save whether we require ALL of them or ANY
  102. //
  104. RequiredAll = (BOOLEAN)(PrivilegeSetControl & PRIVILEGE_SET_ALL_NECESSARY);
  106. for ( i = 0 , CurrentRequiredPrivilege = RequiredPrivileges ;
  107. i < RequiredPrivilegeCount ;
  108. i++, CurrentRequiredPrivilege++ ) {
  110. for ( j = 0, CurrentTokenPrivilege = Token->Privileges;
  111. j < TokenPrivilegeCount ;
  112. j++, CurrentTokenPrivilege++ ) {
  114. if ((CurrentTokenPrivilege->Attributes & SE_PRIVILEGE_ENABLED) &&
  115. (RtlEqualLuid(&CurrentTokenPrivilege->Luid,
  116. &CurrentRequiredPrivilege->Luid))
  117. ) {
  119. CurrentRequiredPrivilege->Attributes |=
  120. SE_PRIVILEGE_USED_FOR_ACCESS;
  121. MatchCount++;
  122. break; // start looking for next one
  123. }
  125. }
  127. }
  129. SepReleaseTokenReadLock( Token );
  131. //
  132. // If we wanted ANY and didn't get any, return failure.
  133. //
  135. if (!RequiredAll && (MatchCount == 0)) {
  137. return (FALSE);
  139. }
  141. //
  142. // If we wanted ALL and didn't get all, return failure.
  143. //
  145. if (RequiredAll && (MatchCount != RequiredPrivilegeCount)) {
  147. return(FALSE);
  148. }
  150. return(TRUE);
  152. }
  157. BOOLEAN
  158. SePrivilegeCheck(
  159. IN OUT PPRIVILEGE_SET RequiredPrivileges,
  160. IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
  161. IN KPROCESSOR_MODE AccessMode
  162. )
  163. /*++
  165. Routine Description:
  167. This routine checks to see if the token contains the specified
  168. privileges.
  170. Arguments:
  172. RequiredPrivileges - Points to a set of privileges. The subject's
  173. security context is to be checked to see which of the specified
  174. privileges are present. The results will be indicated in the
  175. attributes associated with each privilege. Note that
  176. flags in this parameter indicate whether all the privileges listed
  177. are needed, or any of the privileges.
  179. SubjectSecurityContext - A pointer to the subject's captured security
  180. context.
  182. AccessMode - Indicates the access mode to use for access check. One of
  183. UserMode or KernelMode. If the mode is kernel, then all privileges
  184. will be marked as being possessed by the subject, and successful
  185. completion status is returned.
  188. Return Value:
  190. BOOLEAN - TRUE if all specified privileges are held by the subject,
  191. otherwise FALSE.
  194. --*/
  196. {
  197. BOOLEAN Status;
  199. PAGED_CODE();
  201. //
  202. // If we're impersonating a client, we have to be at impersonation level
  203. // of SecurityImpersonation or above.
  204. //
  206. if ( (SubjectSecurityContext->ClientToken != NULL) &&
  207. (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation)
  208. ) {
  210. return(FALSE);
  211. }
  213. //
  214. // SepPrivilegeCheck locks the passed token for read access
  215. //
  217. Status = SepPrivilegeCheck(
  218. EffectiveToken( SubjectSecurityContext ),
  219. RequiredPrivileges->Privilege,
  220. RequiredPrivileges->PrivilegeCount,
  221. RequiredPrivileges->Control,
  222. AccessMode
  223. );
  225. return(Status);
  226. }
  230. NTSTATUS
  231. NtPrivilegeCheck(
  232. IN HANDLE ClientToken,
  233. IN OUT PPRIVILEGE_SET RequiredPrivileges,
  234. OUT PBOOLEAN Result
  235. )
  237. /*++
  239. Routine Description:
  241. This routine tests the caller's client's security context to see if it
  242. contains the specified privileges.
  244. This API requires the caller have SeTcbPrivilege privilege. The test
  245. for this privilege is always against the primary token of the calling
  246. process, not the impersonation token of the thread.
  249. Arguments:
  251. ClientToken - A handle to a token object representing a client
  252. attempting access. This handle must be obtained from a
  253. communication session layer, such as from an LPC Port or Local
  254. Named Pipe, to prevent possible security policy violations.
  256. RequiredPrivileges - Points to a set of privileges. The client's
  257. security context is to be checked to see which of the specified
  258. privileges are present. The results will be indicated in the
  259. attributes associated with each privilege. Note that
  260. flags in this parameter indicate whether all the privileges listed
  261. are needed, or any of the privileges.
  263. Result - Receives a boolean flag indicating whether the client has all
  264. the specified privileges or not. A value of TRUE indicates the
  265. client has all the specified privileges. Otherwise a value of
  266. FALSE is returned.
  270. Return Value:
  272. STATUS_SUCCESS - Indicates the call completed successfully.
  274. STATUS_PRIVILEGE_NOT_HELD - Indicates the caller does not have
  275. sufficient privilege to use this privileged system service.
  277. --*/
  281. {
  282. BOOLEAN BStatus;
  283. KPROCESSOR_MODE PreviousMode;
  284. NTSTATUS Status;
  285. PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL;
  286. PTOKEN Token;
  287. ULONG CapturedPrivilegeCount;
  288. ULONG CapturedPrivilegesLength;
  289. ULONG ParameterLength;
  290. ULONG PrivilegeSetControl;
  292. PAGED_CODE();
  294. PreviousMode = KeGetPreviousMode();
  296. Status = ObReferenceObjectByHandle(
  297. ClientToken, // Handle
  298. TOKEN_QUERY, // DesiredAccess
  299. SepTokenObjectType, // ObjectType
  300. PreviousMode, // AccessMode
  301. (PVOID *)&Token, // Object
  302. NULL // GrantedAccess
  303. );
  305. if ( !NT_SUCCESS(Status) ) {
  306. return Status;
  308. }
  310. //
  311. // If the passed token is an impersonation token, make sure
  312. // it is at SecurityIdentification or above.
  313. //
  315. if (Token->TokenType == TokenImpersonation) {
  317. if (Token->ImpersonationLevel < SecurityIdentification) {
  319. ObDereferenceObject( (PVOID)Token );
  321. return( STATUS_BAD_IMPERSONATION_LEVEL );
  323. }
  324. }
  326. try {
  328. //
  329. // Capture passed Privilege Set
  330. //
  332. ProbeForWrite(
  333. RequiredPrivileges,
  334. sizeof(PRIVILEGE_SET),
  335. sizeof(ULONG)
  336. );
  338. ParameterLength = (ULONG)sizeof(PRIVILEGE_SET) +
  339. ((RequiredPrivileges->PrivilegeCount - ANYSIZE_ARRAY) *
  340. (ULONG)sizeof(LUID_AND_ATTRIBUTES) );
  342. ProbeForWrite(
  343. RequiredPrivileges,
  344. ParameterLength,
  345. sizeof(ULONG)
  346. );
  349. ProbeForWriteBoolean(Result);
  351. PrivilegeSetControl = RequiredPrivileges->Control;
  352. CapturedPrivilegeCount = RequiredPrivileges->PrivilegeCount;
  355. } except(EXCEPTION_EXECUTE_HANDLER) {
  357. ObDereferenceObject( (PVOID)Token );
  358. return GetExceptionCode();
  359. }
  361. Status = SeCaptureLuidAndAttributesArray(
  362. (RequiredPrivileges->Privilege),
  363. CapturedPrivilegeCount,
  364. UserMode,
  365. NULL, 0,
  366. PagedPool,
  367. TRUE,
  368. &CapturedPrivileges,
  369. &CapturedPrivilegesLength
  370. );
  372. if (!NT_SUCCESS(Status)) {
  374. ObDereferenceObject( (PVOID)Token );
  375. return Status;
  376. }
  378. ASSERT(CapturedPrivileges != NULL);
  380. BStatus = SepPrivilegeCheck(
  381. Token, // Token,
  382. CapturedPrivileges, // RequiredPrivileges,
  383. CapturedPrivilegeCount, // RequiredPrivilegeCount,
  384. PrivilegeSetControl, // PrivilegeSetControl
  385. PreviousMode // PreviousMode
  386. );
  388. ObDereferenceObject( Token );
  391. try {
  393. //
  394. // copy the modified privileges buffer back to user
  395. //
  397. RtlMoveMemory(
  398. RequiredPrivileges->Privilege,
  399. CapturedPrivileges,
  400. CapturedPrivilegesLength
  401. );
  403. *Result = BStatus;
  405. } except (EXCEPTION_EXECUTE_HANDLER) {
  407. SeReleaseLuidAndAttributesArray(
  408. CapturedPrivileges,
  409. PreviousMode,
  410. TRUE
  411. );
  413. return(GetExceptionCode());
  415. }
  417. SeReleaseLuidAndAttributesArray(
  418. CapturedPrivileges,
  419. PreviousMode,
  420. TRUE
  421. );
  423. return( STATUS_SUCCESS );
  424. }
  428. BOOLEAN
  429. SeSinglePrivilegeCheck(
  430. LUID PrivilegeValue,
  431. KPROCESSOR_MODE PreviousMode
  432. )
  434. /*++
  436. Routine Description:
  438. This function will check for the passed privilege value in the
  439. current context.
  441. Arguments:
  443. PrivilegeValue - The value of the privilege being checked.
  446. Return Value:
  448. TRUE - The current subject has the desired privilege.
  450. FALSE - The current subject does not have the desired privilege.
  451. --*/
  453. {
  454. BOOLEAN AccessGranted;
  455. PRIVILEGE_SET RequiredPrivileges;
  456. SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
  458. PAGED_CODE();
  460. //
  461. // Make sure the caller has the privilege to make this
  462. // call.
  463. //
  465. RequiredPrivileges.PrivilegeCount = 1;
  466. RequiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY;
  467. RequiredPrivileges.Privilege[0].Luid = PrivilegeValue;
  468. RequiredPrivileges.Privilege[0].Attributes = 0;
  470. SeCaptureSubjectContext( &SubjectSecurityContext );
  472. AccessGranted = SePrivilegeCheck(
  473. &RequiredPrivileges,
  474. &SubjectSecurityContext,
  475. PreviousMode
  476. );
  478. if ( PreviousMode != KernelMode ) {
  480. SePrivilegedServiceAuditAlarm (
  481. NULL, // BUGWARNING need service name
  482. &SubjectSecurityContext,
  483. &RequiredPrivileges,
  484. AccessGranted
  485. );
  486. }
  489. SeReleaseSubjectContext( &SubjectSecurityContext );
  491. return( AccessGranted );
  493. }
  496. BOOLEAN
  497. SeCheckPrivilegedObject(
  498. LUID PrivilegeValue,
  499. HANDLE ObjectHandle,
  500. ACCESS_MASK DesiredAccess,
  501. KPROCESSOR_MODE PreviousMode
  502. )
  504. /*++
  506. Routine Description:
  508. This function will check for the passed privilege value in the
  509. current context, and generate audits as appropriate.
  511. Arguments:
  513. PrivilegeValue - The value of the privilege being checked.
  515. Object - Specifies a pointer to the object being accessed.
  517. ObjectHandle - Specifies the object handle being used.
  519. DesiredAccess - The desired access mask, if any
  521. PreviousMode - The previous processor mode
  524. Return Value:
  526. TRUE - The current subject has the desired privilege.
  528. FALSE - The current subject does not have the desired privilege.
  529. --*/
  531. {
  532. BOOLEAN AccessGranted;
  533. PRIVILEGE_SET RequiredPrivileges;
  534. SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
  536. PAGED_CODE();
  538. //
  539. // Make sure the caller has the privilege to make this
  540. // call.
  541. //
  543. RequiredPrivileges.PrivilegeCount = 1;
  544. RequiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY;
  545. RequiredPrivileges.Privilege[0].Luid = PrivilegeValue;
  546. RequiredPrivileges.Privilege[0].Attributes = 0;
  548. SeCaptureSubjectContext( &SubjectSecurityContext );
  550. AccessGranted = SePrivilegeCheck(
  551. &RequiredPrivileges,
  552. &SubjectSecurityContext,
  553. PreviousMode
  554. );
  556. if ( PreviousMode != KernelMode ) {
  558. SePrivilegeObjectAuditAlarm(
  559. ObjectHandle,
  560. &SubjectSecurityContext,
  561. DesiredAccess,
  562. &RequiredPrivileges,
  563. AccessGranted,
  564. PreviousMode
  565. );
  567. }
  570. SeReleaseSubjectContext( &SubjectSecurityContext );
  572. return( AccessGranted );
  574. }