archive
/
windows-nt-4.0
mirror of https://github.com/lianthony/NT4.0
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Windows NT 4.0 source code leak
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
184 MiB
 
 
 
 
 
 
Tree: b4a8d373d8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b4a8d373d8'
${ noResults }
windows-nt-4.0/private/ntos/ob/obse.c

1449 lines
38 KiB
Raw Blame History

/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
obse.c
Abstract:
Object Security API calls
Author:
Steve Wood (stevewo) 31-Mar-1989
Revision History:
--*/
#include "obp.h"
#if defined(ALLOC_PRAGMA) && defined(NTOS_KERNEL_RUNTIME)
#pragma alloc_text(PAGE,NtSetSecurityObject)
#pragma alloc_text(PAGE,NtQuerySecurityObject)
#pragma alloc_text(PAGE,ObAssignObjectSecurityDescriptor)
#pragma alloc_text(PAGE,ObAssignSecurity)
#pragma alloc_text(PAGE,ObCheckCreateObjectAccess)
#pragma alloc_text(PAGE,ObCheckObjectAccess)
#pragma alloc_text(PAGE,ObCheckObjectReference)
#pragma alloc_text(PAGE,ObpCheckTraverseAccess)
#pragma alloc_text(PAGE,ObGetObjectSecurity)
#pragma alloc_text(PAGE,ObSetSecurityDescriptorInfo)
#pragma alloc_text(PAGE,ObReleaseObjectSecurity)
#pragma alloc_text(PAGE,ObSetSecurityQuotaCharged)
#pragma alloc_text(PAGE,ObValidateSecurityQuota)
#pragma alloc_text(PAGE,ObpValidateAccessMask)
#endif
NTSTATUS
NtSetSecurityObject(
IN HANDLE Handle,
IN SECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR SecurityDescriptor
)
{
NTSTATUS Status;
PVOID Object;
ACCESS_MASK DesiredAccess;
OBJECT_HANDLE_INFORMATION HandleInformation;
KPROCESSOR_MODE RequestorMode;
SECURITY_DESCRIPTOR *CapturedDescriptor;
POBJECT_HEADER ObjectHeader;
POBJECT_TYPE ObjectType;
PAGED_CODE();
//
// Establish the accesses needed to the object based upon the
// security information being modified.
//
SeSetSecurityAccessMask( SecurityInformation, &DesiredAccess );
Status = ObReferenceObjectByHandle( Handle,
DesiredAccess,
NULL,
RequestorMode = KeGetPreviousMode(),
&Object,
&HandleInformation
);
if (!NT_SUCCESS( Status )) {
return( Status );
}
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
ObjectType = ObjectHeader->Type;
//
// Probe and capture the input security descriptor, and return
// right away if it is ill-formed.
//
// The returned security descriptor is in self-relative format.
//
//
// Make sure the passed security descriptor is really there.
// SeCaptureSecurityDescriptor doesn't mind being passed a NULL
// SecurityDescriptor, and will just return NULL back.
//
if (!ARGUMENT_PRESENT( SecurityDescriptor )) {
ObDereferenceObject( Object );
return( STATUS_ACCESS_VIOLATION );
}
Status = SeCaptureSecurityDescriptor(
SecurityDescriptor,
RequestorMode,
PagedPool,
FALSE,
(PSECURITY_DESCRIPTOR *)&CapturedDescriptor
);
if (NT_SUCCESS(Status)) {
if ( (SecurityInformation & OWNER_SECURITY_INFORMATION) &&
(((PISECURITY_DESCRIPTOR)CapturedDescriptor)->Owner == NULL)
||
(SecurityInformation & GROUP_SECURITY_INFORMATION) &&
(((PISECURITY_DESCRIPTOR)CapturedDescriptor)->Group == NULL)
) {
Status = STATUS_INVALID_SECURITY_DESCR;
}
}
if (!NT_SUCCESS( Status )) {
ObDereferenceObject( Object );
return( Status );
}
Status = (ObjectType->TypeInfo.SecurityProcedure)(
Object,
SetSecurityDescriptor,
&SecurityInformation,
(PSECURITY_DESCRIPTOR)CapturedDescriptor,
NULL,
&ObjectHeader->SecurityDescriptor,
ObjectType->TypeInfo.PoolType,
&ObjectType->TypeInfo.GenericMapping
);
ObDereferenceObject( Object );
SeReleaseSecurityDescriptor( (PSECURITY_DESCRIPTOR)CapturedDescriptor,
RequestorMode,
FALSE
);
return( Status );
}
NTSTATUS
NtQuerySecurityObject(
IN HANDLE Handle,
IN SECURITY_INFORMATION SecurityInformation,
OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN ULONG Length,
OUT PULONG LengthNeeded
)
{
NTSTATUS Status;
PVOID Object;
ACCESS_MASK DesiredAccess;
OBJECT_HANDLE_INFORMATION HandleInformation;
KPROCESSOR_MODE RequestorMode;
POBJECT_HEADER ObjectHeader;
POBJECT_TYPE ObjectType;
PAGED_CODE();
//
// Probe output parameters
//
RequestorMode = KeGetPreviousMode();
if (RequestorMode != KernelMode) {
try {
ProbeForWriteUlong( LengthNeeded );
ProbeForWrite( SecurityDescriptor, Length, sizeof(ULONG) );
} except(EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
} // end_try
}
//
// Establish the accesses needed to the object based upon the
// security information being modified.
//
SeQuerySecurityAccessMask( SecurityInformation, &DesiredAccess );
Status = ObReferenceObjectByHandle( Handle,
DesiredAccess,
NULL,
RequestorMode,
&Object,
&HandleInformation
);
if (!NT_SUCCESS( Status )) {
return( Status );
}
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
ObjectType = ObjectHeader->Type;
Status = (ObjectType->TypeInfo.SecurityProcedure)(
Object,
QuerySecurityDescriptor,
&SecurityInformation,
SecurityDescriptor,
&Length,
&ObjectHeader->SecurityDescriptor,
ObjectType->TypeInfo.PoolType,
&ObjectType->TypeInfo.GenericMapping
);
try {
*LengthNeeded = Length;
} except(EXCEPTION_EXECUTE_HANDLER) {
ObDereferenceObject( Object );
return(GetExceptionCode());
}
ObDereferenceObject( Object );
return( Status );
}
BOOLEAN
ObCheckObjectAccess(
IN PVOID Object,
IN OUT PACCESS_STATE AccessState,
IN BOOLEAN TypeMutexLocked,
IN KPROCESSOR_MODE AccessMode,
OUT PNTSTATUS AccessStatus
)
/*++
Routine Description:
This routine performs access validation on the passed object. The
remaining desired access mask is extracted from the AccessState
parameter and passes to the appropriate security routine to perform the
access check.
If the access attempt is successful, SeAccessCheck returns a mask
containing the granted accesses. The bits in this mask are turned
on in the PreviouslyGrantedAccess field of the AccessState, and
are turned off in the RemainingDesiredAccess field.
Arguments:
Object - The object being examined.
AccessState - The ACCESS_STATE structure containing accumulated
information about the current attempt to gain access to the object.
TypeMutexLocked - Indicates whether the type mutex for this object's
type is locked. The type mutex is used to protect the object's
security descriptor from being modified while it is being accessed.
AccessMode - The previous processor mode.
AccessStatus - Pointer to a variable to return the status code of the
access attempt. In the case of failure this status code must be
propagated back to the user.
Return Value:
BOOLEAN - TRUE if access is allowed and FALSE otherwise
--*/
{
ACCESS_MASK GrantedAccess = 0;
BOOLEAN AccessAllowed;
BOOLEAN MemoryAllocated;
NTSTATUS Status;
PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
POBJECT_HEADER ObjectHeader;
POBJECT_TYPE ObjectType;
PPRIVILEGE_SET Privileges = NULL;
PAGED_CODE();
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
ObjectType = ObjectHeader->Type;
if (!TypeMutexLocked) {
ObpEnterObjectTypeMutex( ObjectType );
}
//
// Obtain the object's security descriptor
//
Status = ObGetObjectSecurity(
Object,
&SecurityDescriptor,
&MemoryAllocated
);
if (!NT_SUCCESS( Status )) {
if (!TypeMutexLocked) {
ObpLeaveObjectTypeMutex( ObjectType );
}
*AccessStatus = Status;
return( FALSE );
} else {
if (SecurityDescriptor == NULL) {
*AccessStatus = Status;
return(TRUE);
}
}
//
// Lock the caller's tokens until after auditing has been
// performed.
//
SeLockSubjectContext( &AccessState->SubjectSecurityContext );
AccessAllowed = SeAccessCheck (
SecurityDescriptor,
&AccessState->SubjectSecurityContext,
TRUE, // Tokens are locked
AccessState->RemainingDesiredAccess,
AccessState->PreviouslyGrantedAccess,
&Privileges,
&ObjectType->TypeInfo.GenericMapping,
AccessMode,
&GrantedAccess,
AccessStatus
);
if (Privileges != NULL) {
Status = SeAppendPrivileges(
AccessState,
Privileges
);
SeFreePrivileges( Privileges );
}
if (AccessAllowed) {
AccessState->PreviouslyGrantedAccess |= GrantedAccess;
AccessState->RemainingDesiredAccess &= ~(GrantedAccess | MAXIMUM_ALLOWED);
}
//
// Audit the attempt to open the object, audit
// the creation of its handle later.
//
if ( SecurityDescriptor != NULL ) {
SeOpenObjectAuditAlarm(
&ObjectType->Name,
Object,
NULL, // AbsoluteObjectName
SecurityDescriptor,
AccessState,
FALSE, // ObjectCreated (FALSE, only open here)
AccessAllowed,
AccessMode,
&AccessState->GenerateOnClose
);
}
SeUnlockSubjectContext( &AccessState->SubjectSecurityContext );
if (!TypeMutexLocked) {
ObpLeaveObjectTypeMutex( ObjectType );
}
//
// BUGBUG why is this check necessary?
//
if (SecurityDescriptor != NULL) {
ObReleaseObjectSecurity(
SecurityDescriptor,
MemoryAllocated
);
}
return( AccessAllowed );
}
BOOLEAN
ObpCheckObjectReference(
IN PVOID Object,
IN OUT PACCESS_STATE AccessState,
IN BOOLEAN TypeMutexLocked,
IN KPROCESSOR_MODE AccessMode,
OUT PNTSTATUS AccessStatus
)
/*++
Routine Description:
The routine performs access validation on the passed object. The
remaining desired access mask is extracted from the AccessState
parameter and passes to the appropriate security routine to
perform the access check.
If the access attempt is successful, SeAccessCheck returns a mask
containing the granted accesses. The bits in this mask are turned
on in the PreviouslyGrantedAccess field of the AccessState, and
are turned off in the RemainingDesiredAccess field.
This routine differs from ObpCheckObjectAccess in that it calls
a different audit routine.
Arguments:
Object - The object being examined.
AccessState - The ACCESS_STATE structure containing accumulated
information about the current attempt to gain access to the object.
TypeMutexLocked - Indicates whether the type mutex for this object's
type is locked. The type mutex is used to protect the object's
security descriptor from being modified while it is being accessed.
AccessMode - The previous processor mode.
AccessStatus - Pointer to a variable to return the status code of the
access attempt. In the case of failure this status code must be
propagated back to the user.
Return Value:
BOOLEAN - TRUE if access is allowed and FALSE otherwise
--*/
{
BOOLEAN AccessAllowed;
ACCESS_MASK GrantedAccess = 0;
BOOLEAN MemoryAllocated;
PSECURITY_DESCRIPTOR SecurityDescriptor;
NTSTATUS Status;
POBJECT_HEADER ObjectHeader;
POBJECT_TYPE ObjectType;
PPRIVILEGE_SET Privileges = NULL;
PAGED_CODE();
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
ObjectType = ObjectHeader->Type;
if (!TypeMutexLocked) {
ObpEnterObjectTypeMutex( ObjectType );
}
//
// Obtain the object's security descriptor
//
Status = ObGetObjectSecurity(
Object,
&SecurityDescriptor,
&MemoryAllocated
);
if (!NT_SUCCESS( Status )) {
if (!TypeMutexLocked) {
ObpLeaveObjectTypeMutex( ObjectType );
}
*AccessStatus = Status;
return( FALSE );
}
//
// Lock the caller's tokens until after auditing has been
// performed.
//
SeLockSubjectContext( &AccessState->SubjectSecurityContext );
AccessAllowed = SeAccessCheck (
SecurityDescriptor,
&AccessState->SubjectSecurityContext,
TRUE, // Tokens are locked
AccessState->RemainingDesiredAccess,
AccessState->PreviouslyGrantedAccess,
&Privileges,
&ObjectType->TypeInfo.GenericMapping,
AccessMode,
&GrantedAccess,
AccessStatus
);
if (AccessAllowed) {
AccessState->PreviouslyGrantedAccess |= GrantedAccess;
AccessState->RemainingDesiredAccess &= ~GrantedAccess;
}
if ( SecurityDescriptor != NULL ) {
SeObjectReferenceAuditAlarm(
&AccessState->OperationID,
Object,
SecurityDescriptor,
&AccessState->SubjectSecurityContext,
AccessState->RemainingDesiredAccess | AccessState->PreviouslyGrantedAccess,
((PAUX_ACCESS_DATA)(AccessState->AuxData))->PrivilegesUsed,
AccessAllowed,
AccessMode
);
}
SeUnlockSubjectContext( &AccessState->SubjectSecurityContext );
if (!TypeMutexLocked) {
ObpLeaveObjectTypeMutex( ObjectType );
}
if (SecurityDescriptor != NULL) {
ObReleaseObjectSecurity(
SecurityDescriptor,
MemoryAllocated
);
}
return( AccessAllowed );
}
BOOLEAN
ObpCheckTraverseAccess(
IN PVOID DirectoryObject,
IN ACCESS_MASK TraverseAccess,
IN PACCESS_STATE AccessState OPTIONAL,
IN BOOLEAN TypeMutexLocked,
IN KPROCESSOR_MODE PreviousMode,
OUT PNTSTATUS AccessStatus
)
/*++
Routine Description:
This routine checks for traverse access to the given directory object.
Note that the contents of the AccessState structure are not
modified, since it is assumed that this access check is incidental
to another access operation.
Arguments:
DirectoryObject - The object header of the object being examined.
AccessState - Checks for traverse access will typically be incidental
to some other access attempt. Information on the current state of
that access attempt is required so that the constituent access
attempts may be associated with each other in the audit log.
This is an OPTIONAL parameter, in which case the call will
success ONLY if the Directory Object grants World traverse
access rights.
TypeMutexLocked - Indicates whether the type mutex for this object's
type is locked. The type mutex is used to protect the object's
security descriptor from being modified while it is being accessed.
AccessMode - The previous processor mode.
AccessStatus - Pointer to a variable to return the status code of the
access attempt. In the case of failure this status code must be
propagated back to the user.
Return Value:
BOOLEAN - TRUE if access is allowed and FALSE otherwise. AccessStatus
contains the status code to be passed back to the caller. It is not
correct to simply pass back STATUS_ACCESS_DENIED, since this will have
to change with the advent of mandatory access control.
--*/
{
BOOLEAN AccessAllowed;
ACCESS_MASK GrantedAccess = 0;
PSECURITY_DESCRIPTOR SecurityDescriptor;
BOOLEAN MemoryAllocated;
NTSTATUS Status;
POBJECT_HEADER ObjectHeader;
POBJECT_TYPE ObjectType;
BOOLEAN SubjectContextLocked = FALSE;
PPRIVILEGE_SET Privileges = NULL;
PAGED_CODE();
ObjectHeader = OBJECT_TO_OBJECT_HEADER( DirectoryObject );
ObjectType = ObjectHeader->Type;
if (!TypeMutexLocked) {
ObpEnterObjectTypeMutex( ObjectType );
}
//
// Obtain the object's security descriptor
//
Status = ObGetObjectSecurity(
DirectoryObject,
&SecurityDescriptor,
&MemoryAllocated
);
if (!NT_SUCCESS( Status )) {
if (!TypeMutexLocked) {
ObpLeaveObjectTypeMutex( ObjectType );
}
*AccessStatus = Status;
return( FALSE );
}
//
// Check to see if WORLD has TRAVERSE access
//
if ( !SeFastTraverseCheck(
SecurityDescriptor,
DIRECTORY_TRAVERSE,
PreviousMode
) ) {
//
// SeFastTraverseCheck could be modified to tell us that
// no one has any access to this directory. However,
// we're going to have to fail this entire call if
// that is the case, so we really don't need to worry
// all that much about making it blindingly fast.
//
if (ARGUMENT_PRESENT( AccessState )) {
SeLockSubjectContext( &AccessState->SubjectSecurityContext );
SubjectContextLocked = TRUE;
AccessAllowed = SeAccessCheck(
SecurityDescriptor,
&AccessState->SubjectSecurityContext,
TRUE, // Tokens are locked
TraverseAccess,
0,
&Privileges,
&ObjectType->TypeInfo.GenericMapping,
PreviousMode,
&GrantedAccess,
AccessStatus
);
if (Privileges != NULL) {
Status = SeAppendPrivileges(
AccessState,
Privileges
);
SeFreePrivileges( Privileges );
}
}
} else {
AccessAllowed = TRUE;
}
if ( SubjectContextLocked ) {
SeUnlockSubjectContext( &AccessState->SubjectSecurityContext );
}
if (!TypeMutexLocked) {
ObpLeaveObjectTypeMutex( ObjectType );
}
if ( SecurityDescriptor != NULL ) {
ObReleaseObjectSecurity(
SecurityDescriptor,
MemoryAllocated
);
}
return( AccessAllowed );
}
BOOLEAN
ObCheckCreateObjectAccess(
IN PVOID DirectoryObject,
IN ACCESS_MASK CreateAccess,
IN PACCESS_STATE AccessState,
IN PUNICODE_STRING ComponentName,
IN BOOLEAN TypeMutexLocked,
IN KPROCESSOR_MODE PreviousMode,
OUT PNTSTATUS AccessStatus
)
/*++
Routine Description:
This routine checks to see if we are allowed to create an object in the
given directory, and performs auditing as appropriate.
Arguments:
DirectoryObject - The directory object being examined.
CreateAccess - The access mask corresponding to create access for
this directory type.
AccessState - Checks for traverse access will typically be incidental
to some other access attempt. Information on the current state of
that access attempt is required so that the constituent access
attempts may be associated with each other in the audit log.
ComponentName - Pointer to a Unicode string containing the name of
the object being created.
TypeMutexLocked - Indicates whether the type mutex for this object's
type is locked. The type mutex is used to protect the object's
security descriptor from being modified while it is being accessed.
AccessMode - The previous processor mode.
AccessStatus - Pointer to a variable to return the status code of the
access attempt. In the case of failure this status code must be
propagated back to the user.
Return Value:
BOOLEAN - TRUE if access is allowed and FALSE otherwise. AccessStatus
contains the status code to be passed back to the caller. It is not
correct to simply pass back STATUS_ACCESS_DENIED, since this will have
to change with the advent of mandatory access control.
--*/
{
BOOLEAN AccessAllowed;
ACCESS_MASK GrantedAccess = 0;
PSECURITY_DESCRIPTOR SecurityDescriptor;
BOOLEAN MemoryAllocated;
NTSTATUS Status;
POBJECT_HEADER ObjectHeader;
POBJECT_TYPE ObjectType;
PPRIVILEGE_SET Privileges = NULL;
BOOLEAN AuditPerformed = FALSE;
PAGED_CODE();
ObjectHeader = OBJECT_TO_OBJECT_HEADER( DirectoryObject );
ObjectType = ObjectHeader->Type;
if (!TypeMutexLocked) {
ObpEnterObjectTypeMutex( ObjectType );
}
Status = ObGetObjectSecurity(
DirectoryObject,
&SecurityDescriptor,
&MemoryAllocated
);
if (!NT_SUCCESS( Status )) {
if (!TypeMutexLocked) {
ObpLeaveObjectTypeMutex( ObjectType );
}
*AccessStatus = Status;
return( FALSE );
}
SeLockSubjectContext( &AccessState->SubjectSecurityContext );
if (SecurityDescriptor != NULL) {
AccessAllowed = SeAccessCheck (
SecurityDescriptor,
&AccessState->SubjectSecurityContext,
TRUE, // Tokens are locked
CreateAccess,
0,
&Privileges,
&ObjectType->TypeInfo.GenericMapping,
PreviousMode,
&GrantedAccess,
AccessStatus
);
if (Privileges != NULL) {
Status = SeAppendPrivileges(
AccessState,
Privileges
);
SeFreePrivileges( Privileges );
}
//
// This is wrong, but leave for reference.
//
// if (AccessAllowed) {
// AccessState->PreviouslyGrantedAccess |= GrantedAccess;
// AccessState->RemainingDesiredAccess &= ~GrantedAccess;
// }
#if 0
SeCreateObjectAuditAlarm(
&AccessState->OperationID,
DirectoryObject,
ComponentName,
SecurityDescriptor,
&AccessState->SubjectSecurityContext,
CreateAccess,
AccessState->PrivilegesUsed,
AccessAllowed,
&AuditPerformed,
PreviousMode
);
if ( AuditPerformed ) {
AccessState->AuditHandleCreation = TRUE;
}
#endif
}
else {
AccessAllowed = TRUE;
}
SeUnlockSubjectContext( &AccessState->SubjectSecurityContext );
if (!TypeMutexLocked) {
ObpLeaveObjectTypeMutex( ObjectType );
}
ObReleaseObjectSecurity(
SecurityDescriptor,
MemoryAllocated
);
return( AccessAllowed );
}
NTSTATUS
ObAssignObjectSecurityDescriptor(
IN PVOID Object,
IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
IN POOL_TYPE PoolType
)
/*++
Routine Description:
Takes a pointer to an object and sets the SecurityDescriptor field
in the object's header.
Arguments:
Object - Supplies a pointer to the object
SecurityDescriptor - Supplies a pointer to the security descriptor
to be assigned to the object. This pointer may be null if there
is no security on the object.
PoolType - Supplies the type of pool memory used to allocate the
security descriptor.
Return Value:
None.
--*/
{
NTSTATUS Status;
PSECURITY_DESCRIPTOR OutputSecurityDescriptor;
PAGED_CODE();
if (!ARGUMENT_PRESENT(SecurityDescriptor)) {
OBJECT_TO_OBJECT_HEADER( Object )->SecurityDescriptor = NULL;
return( STATUS_SUCCESS );
}
Status = ObpLogSecurityDescriptor( SecurityDescriptor, &OutputSecurityDescriptor );
if (NT_SUCCESS(Status)) {
OBJECT_TO_OBJECT_HEADER( Object )->SecurityDescriptor = OutputSecurityDescriptor;
}
return( Status );
}
NTSTATUS
ObGetObjectSecurity(
IN PVOID Object,
OUT PSECURITY_DESCRIPTOR *SecurityDescriptor,
OUT PBOOLEAN MemoryAllocated
)
/*++
Routine Description:
Given an object, this routine will find its security descriptor.
It will do this by calling the object's security method.
It is possible for an object not to have a security descriptor
at all. Unnamed objects such as events that can only be referenced
by a handle are an example of an object that does not have a
security descriptor.
Arguments:
Object - Supplies the object being queried.
SecurityDescriptor - Returns a pointer to the object's security
descriptor.
MemoryAllocated - indicates whether we had to allocate pool
memory to hold the security descriptor or not. This should
be passed back into ObReleaseObjectSecurity.
Return Value:
STATUS_SUCCESS - The operation was successful. Note that the
operation may be successful and still return a NULL security
descriptor.
STATUS_INSUFFICIENT_RESOURCES - Insufficient memory was available
to satisfy the request.
--*/
{
SECURITY_INFORMATION SecurityInformation;
ULONG Length = 0;
NTSTATUS Status;
POBJECT_TYPE ObjectType;
POBJECT_HEADER ObjectHeader;
KIRQL SaveIrql;
PAGED_CODE();
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
ObjectType = ObjectHeader->Type;
//
// If the object is one that uses the default object method,
// its security descriptor is contained in ob's security
// descriptor cache.
//
// Reference it so that it doesn't go away out from under us.
//
if (ObpCentralizedSecurity(ObjectType)) {
*SecurityDescriptor = ObpReferenceSecurityDescriptor( Object );
*MemoryAllocated = FALSE;
return( STATUS_SUCCESS );
}
//
// Request a complete security descriptor
//
SecurityInformation = OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION |
DACL_SECURITY_INFORMATION |
SACL_SECURITY_INFORMATION;
//
// Call the security method with Length = 0 to find out
// how much memory we need to store the final result.
//
// Note that the ObjectsSecurityDescriptor parameter is NULL,
// because we expect whoever is on the other end of this call
// to find the security descriptor for us. We pass in a pool
// type to keep the compiler happy, it will not be used for a
// query operation.
//
ObpBeginTypeSpecificCallOut( SaveIrql );
Status = (*ObjectType->TypeInfo.SecurityProcedure)(
Object,
QuerySecurityDescriptor,
&SecurityInformation,
*SecurityDescriptor,
&Length,
&ObjectHeader->SecurityDescriptor, // not used
ObjectType->TypeInfo.PoolType,
&ObjectType->TypeInfo.GenericMapping
);
ObpEndTypeSpecificCallOut( SaveIrql, "Security", ObjectType, Object );
if (Status != STATUS_BUFFER_TOO_SMALL) {
return( Status );
}
*SecurityDescriptor = ExAllocatePoolWithTag( PagedPool, Length, 'qSbO' );
if (*SecurityDescriptor == NULL) {
return( STATUS_INSUFFICIENT_RESOURCES );
}
*MemoryAllocated = TRUE;
//
// The security method will return an absolute format
// security descriptor that just happens to be in a self
// contained buffer (not to be confused with a self-relative
// security descriptor).
//
ObpBeginTypeSpecificCallOut( SaveIrql );
Status = (*ObjectType->TypeInfo.SecurityProcedure)(
Object,
QuerySecurityDescriptor,
&SecurityInformation,
*SecurityDescriptor,
&Length,
&ObjectHeader->SecurityDescriptor,
ObjectType->TypeInfo.PoolType,
&ObjectType->TypeInfo.GenericMapping
);
ObpEndTypeSpecificCallOut( SaveIrql, "Security", ObjectType, Object );
if (!NT_SUCCESS( Status )) {
ExFreePool( *SecurityDescriptor );
*MemoryAllocated = FALSE;
}
return( Status );
}
VOID
ObReleaseObjectSecurity(
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN BOOLEAN MemoryAllocated
)
/*++
Routine Description:
This function will free up any memory associated with a queried
security descriptor.
Arguments:
SecurityDescriptor - Supplies a pointer to the security descriptor
to be freed.
MemoryAllocated - Supplies whether or not we should free the
memory pointed to by SecurityDescriptor.
Return Value:
None.
--*/
{
PAGED_CODE();
if ( SecurityDescriptor != NULL ) {
if (MemoryAllocated) {
ExFreePool( SecurityDescriptor );
} else {
ObpDereferenceSecurityDescriptor( SecurityDescriptor );
}
}
}
NTSTATUS
ObValidateSecurityQuota(
IN PVOID Object,
IN ULONG NewSize
)
/*++
Routine Description:
This routine will check to see if the new security information
is larger than is allowed by the object's pre-allocated quota.
Arguments:
Object - Supplies a pointer to the object whose information is to be
modified.
NewSize - Supplies the size of the proposed new security
information.
Return Value:
STATUS_SUCCESS - New size is within alloted quota.
STATUS_QUOTA_EXCEEDED - The desired adjustment would have exceeded
the permitted security quota for this object.
--*/
{
POBJECT_HEADER ObjectHeader;
POBJECT_HEADER_QUOTA_INFO QuotaInfo;
PAGED_CODE();
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );
QuotaInfo = OBJECT_HEADER_TO_QUOTA_INFO( ObjectHeader );
if (QuotaInfo == NULL && NewSize > SE_DEFAULT_SECURITY_QUOTA) {
if (!(ObjectHeader->Flags & OB_FLAG_DEFAULT_SECURITY_QUOTA)) {
//
// Should really charge quota here.
//
return( STATUS_SUCCESS );
}
return( STATUS_QUOTA_EXCEEDED );
}
else
if (QuotaInfo != NULL && NewSize > QuotaInfo->SecurityDescriptorCharge) {
if (QuotaInfo->SecurityDescriptorCharge == 0) {
//
// Should really charge quota here.
//
// QuotaInfo->SecurityDescriptorCharge = SeComputeSecurityQuota( NewSize );
return( STATUS_SUCCESS );
}
return( STATUS_QUOTA_EXCEEDED );
}
else {
return( STATUS_SUCCESS );
}
}
NTSTATUS
ObAssignSecurity(
IN PACCESS_STATE AccessState,
IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
IN PVOID Object,
IN POBJECT_TYPE ObjectType
)
/*++
Routine Description:
This routine will assign a security descriptor to a newly created object.
It assumes that the AccessState parameter contains a captured security
descriptor.
Arguments:
AccessState - The AccessState containing the security information
for this object creation.
ParentDescriptor - The security descriptor from the parent object, if
available.
IsDirectoryObject - A boolean indicating if this is a directory object
or not.
Object - A pointer to the object being created.
Return Value:
STATUS_SUCCESS - indicates the operation was successful.
STATUS_INVALID_OWNER - The owner SID provided as the owner of the
target security descriptor is not one the caller is authorized
to assign as the owner of an object.
STATUS_PRIVILEGE_NOT_HELD - The caller does not have the privilege
necessary to explicitly assign the specified system ACL.
SeSecurityPrivilege privilege is needed to explicitly assign
system ACLs to objects.
--*/
{
PSECURITY_DESCRIPTOR NewDescriptor = NULL;
NTSTATUS Status;
KIRQL SaveIrql;
PAGED_CODE();
//
// Assign construct the final version of the security
// descriptor and pass it to the security method to be
// assigned to the object.
//
Status = SeAssignSecurity (
ParentDescriptor,
AccessState->SecurityDescriptor,
&NewDescriptor,
(BOOLEAN)(ObjectType == ObpDirectoryObjectType),
&AccessState->SubjectSecurityContext,
&ObjectType->TypeInfo.GenericMapping,
PagedPool
);
if (!NT_SUCCESS( Status )) {
return( Status );
}
ObpBeginTypeSpecificCallOut( SaveIrql );
Status = (*ObjectType->TypeInfo.SecurityProcedure)(
Object,
AssignSecurityDescriptor,
NULL,
NewDescriptor,
NULL,
NULL,
PagedPool,
&ObjectType->TypeInfo.GenericMapping
);
ObpEndTypeSpecificCallOut( SaveIrql, "Security", ObjectType, Object );
if (!NT_SUCCESS( Status )) {
//
// The attempt to assign the security descriptor to the object
// failed. Free the space used by the new security descriptor.
//
SeDeassignSecurity( &NewDescriptor );
}
return( Status );
}
NTSTATUS
ObSetSecurityDescriptorInfo(
IN PVOID Object,
IN PSECURITY_INFORMATION SecurityInformation,
IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
IN POOL_TYPE PoolType,
IN PGENERIC_MAPPING GenericMapping
)
/*++
Routine Description:
Sets the security descriptor on an already secure object.
Arguments:
Object - Pointer to the object being modified.
SecurityInformation - Describes which information in the SecurityDescriptor parameter
is relevent.
SecurityDescriptor - Provides the new security information.
ObjectsSecurityDescriptor - Provides/returns the object's security descriptor.
PoolType - The pool the ObjectSecurityDescriptor is allocated from.
Return Value:
return-value - Description of conditions needed to return value. - or -
None.
--*/
{
PSECURITY_DESCRIPTOR OldDescriptor = *ObjectsSecurityDescriptor;
PSECURITY_DESCRIPTOR NewDescriptor = OldDescriptor;
NTSTATUS Status;
PAGED_CODE();
//
// Check the rest of our input and call the default set security
// method. Also make sure no one is modifying the security descriptor
// while we're looking at it.
//
ObpAcquireDescriptorCacheReadLock();
Status = SeSetSecurityDescriptorInfo( Object,
SecurityInformation,
SecurityDescriptor,
&NewDescriptor,
PoolType,
GenericMapping
);
ObpReleaseDescriptorCacheLock();
if ( NT_SUCCESS( Status )) {
Status = ObpLogSecurityDescriptor(
NewDescriptor,
ObjectsSecurityDescriptor
);
//
// Now if the object is an object directory object that
// participated in snapped symbolic links. If so and the
// new security on the object does NOT allow world traverse
// access, then return an error, as it is too late to change
// the security on the object directory at this point.
//
if (NT_SUCCESS( Status ) &&
OBJECT_TO_OBJECT_HEADER( Object )->Type == ObpDirectoryObjectType &&
((POBJECT_DIRECTORY)Object)->SymbolicLinkUsageCount != 0 &&
!SeFastTraverseCheck( *ObjectsSecurityDescriptor,
DIRECTORY_TRAVERSE,
UserMode
)
) {
KdPrint(( "OB: Failing attempt the remove world traverse access from object directory\n" ));
Status = STATUS_INVALID_PARAMETER;
}
if ( NT_SUCCESS( Status )) {
//
// Dereference old SecurityDescriptor and insert new one
//
ObpDereferenceSecurityDescriptor( OldDescriptor );
} else {
//
// We failed logging the new security descriptor.
// Clean up and fail the entire operation.
//
ExFreePool( NewDescriptor );
}
}
return( Status );
}
NTSTATUS
ObpValidateAccessMask(
PACCESS_STATE AccessState
)
/*++
Routine Description:
Checks the desired access mask of a passed object against the
passed security descriptor.
Arguments:
AccessState - A pointer to the AccessState for the pending operation.
Return Value:
STATUS_SUCCESS
--*/
{
SECURITY_DESCRIPTOR *SecurityDescriptor = AccessState->SecurityDescriptor;
PAGED_CODE();
if (SecurityDescriptor != NULL) {
if ( SecurityDescriptor->Control & SE_SACL_PRESENT ) {
if ( !(AccessState->PreviouslyGrantedAccess & ACCESS_SYSTEM_SECURITY)) {
AccessState->RemainingDesiredAccess |= ACCESS_SYSTEM_SECURITY;
}
}
}
return( STATUS_SUCCESS );
}