archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/base/ntos/se/privileg.c

579 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1989 Microsoft Corporation
  5. Module Name:
  7. Privileg.c
  9. Abstract:
  11. This Module implements the privilege check procedures.
  13. Author:
  15. Robert Reichel (robertre) 26-Nov-90
  17. Environment:
  19. Kernel Mode
  21. Revision History:
  23. --*/
  25. #include "pch.h"
  27. #pragma hdrstop
  30. #ifdef ALLOC_PRAGMA
  31. #pragma alloc_text(PAGE,NtPrivilegeCheck)
  32. #pragma alloc_text(PAGE,SeCheckPrivilegedObject)
  33. #pragma alloc_text(PAGE,SepPrivilegeCheck)
  34. #pragma alloc_text(PAGE,SePrivilegeCheck)
  35. #pragma alloc_text(PAGE,SeSinglePrivilegeCheck)
  36. #endif
  39. BOOLEAN
  40. SepPrivilegeCheck(
  41. IN PTOKEN Token,
  42. IN OUT PLUID_AND_ATTRIBUTES RequiredPrivileges,
  43. IN ULONG RequiredPrivilegeCount,
  44. IN ULONG PrivilegeSetControl,
  45. IN KPROCESSOR_MODE PreviousMode
  46. )
  47. /*++
  49. Routine Description:
  51. Worker routine for SePrivilegeCheck
  53. Arguments:
  55. Token - The user's effective token.
  57. RequiredPrivileges - A privilege set describing the required
  58. privileges. The UsedForAccess bits will be set in any privilege
  59. that is actually used (usually all of them).
  61. RequiredPrivilegeCount - How many privileges are in the
  62. RequiredPrivileges set.
  64. PrivilegeSetControl - Describes how many privileges are required.
  66. PreviousMode - The previous processor mode.
  68. Return Value:
  70. Returns TRUE if requested privileges are granted, FALSE otherwise.
  72. --*/
  74. {
  75. PLUID_AND_ATTRIBUTES CurrentRequiredPrivilege;
  76. PLUID_AND_ATTRIBUTES CurrentTokenPrivilege;
  78. BOOLEAN RequiredAll;
  80. ULONG TokenPrivilegeCount;
  81. ULONG MatchCount = 0;
  83. ULONG i;
  84. ULONG j;
  86. PAGED_CODE();
  88. //
  89. // Take care of kernel callers first
  90. //
  92. if (PreviousMode == KernelMode) {
  94. return(TRUE);
  96. }
  98. TokenPrivilegeCount = Token->PrivilegeCount;
  100. //
  101. // Save whether we require ALL of them or ANY
  102. //
  104. RequiredAll = (BOOLEAN)(PrivilegeSetControl & PRIVILEGE_SET_ALL_NECESSARY);
  106. SepAcquireTokenReadLock( Token );
  109. for ( i = 0 , CurrentRequiredPrivilege = RequiredPrivileges ;
  110. i < RequiredPrivilegeCount ;
  111. i++, CurrentRequiredPrivilege++ ) {
  113. for ( j = 0, CurrentTokenPrivilege = Token->Privileges;
  114. j < TokenPrivilegeCount ;
  115. j++, CurrentTokenPrivilege++ ) {
  117. if ((CurrentTokenPrivilege->Attributes & SE_PRIVILEGE_ENABLED) &&
  118. (RtlEqualLuid(&CurrentTokenPrivilege->Luid,
  119. &CurrentRequiredPrivilege->Luid))
  120. ) {
  122. CurrentRequiredPrivilege->Attributes |=
  123. SE_PRIVILEGE_USED_FOR_ACCESS;
  124. MatchCount++;
  125. break; // start looking for next one
  126. }
  128. }
  130. }
  132. SepReleaseTokenReadLock( Token );
  134. //
  135. // If we wanted ANY and didn't get any, return failure.
  136. //
  138. if (!RequiredAll && (MatchCount == 0)) {
  140. return (FALSE);
  142. }
  144. //
  145. // If we wanted ALL and didn't get all, return failure.
  146. //
  148. if (RequiredAll && (MatchCount != RequiredPrivilegeCount)) {
  150. return(FALSE);
  151. }
  153. return(TRUE);
  155. }
  160. BOOLEAN
  161. SePrivilegeCheck(
  162. IN OUT PPRIVILEGE_SET RequiredPrivileges,
  163. IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
  164. IN KPROCESSOR_MODE AccessMode
  165. )
  166. /*++
  168. Routine Description:
  170. This routine checks to see if the token contains the specified
  171. privileges.
  173. Arguments:
  175. RequiredPrivileges - Points to a set of privileges. The subject's
  176. security context is to be checked to see which of the specified
  177. privileges are present. The results will be indicated in the
  178. attributes associated with each privilege. Note that
  179. flags in this parameter indicate whether all the privileges listed
  180. are needed, or any of the privileges.
  182. SubjectSecurityContext - A pointer to the subject's captured security
  183. context.
  185. AccessMode - Indicates the access mode to use for access check. One of
  186. UserMode or KernelMode. If the mode is kernel, then all privileges
  187. will be marked as being possessed by the subject, and successful
  188. completion status is returned.
  191. Return Value:
  193. BOOLEAN - TRUE if all specified privileges are held by the subject,
  194. otherwise FALSE.
  197. --*/
  199. {
  200. BOOLEAN Status;
  202. PAGED_CODE();
  204. //
  205. // If we're impersonating a client, we have to be at impersonation level
  206. // of SecurityImpersonation or above.
  207. //
  209. if ( (SubjectSecurityContext->ClientToken != NULL) &&
  210. (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation)
  211. ) {
  213. return(FALSE);
  214. }
  216. //
  217. // SepPrivilegeCheck locks the passed token for read access
  218. //
  220. Status = SepPrivilegeCheck(
  221. EffectiveToken( SubjectSecurityContext ),
  222. RequiredPrivileges->Privilege,
  223. RequiredPrivileges->PrivilegeCount,
  224. RequiredPrivileges->Control,
  225. AccessMode
  226. );
  228. return(Status);
  229. }
  233. NTSTATUS
  234. NtPrivilegeCheck(
  235. IN HANDLE ClientToken,
  236. IN OUT PPRIVILEGE_SET RequiredPrivileges,
  237. OUT PBOOLEAN Result
  238. )
  240. /*++
  242. Routine Description:
  244. This routine tests the caller's client's security context to see if it
  245. contains the specified privileges.
  247. Arguments:
  249. ClientToken - A handle to a token object representing a client
  250. attempting access. This handle must be obtained from a
  251. communication session layer, such as from an LPC Port or Local
  252. Named Pipe, to prevent possible security policy violations.
  254. RequiredPrivileges - Points to a set of privileges. The client's
  255. security context is to be checked to see which of the specified
  256. privileges are present. The results will be indicated in the
  257. attributes associated with each privilege. Note that
  258. flags in this parameter indicate whether all the privileges listed
  259. are needed, or any of the privileges.
  261. Result - Receives a boolean flag indicating whether the client has all
  262. the specified privileges or not. A value of TRUE indicates the
  263. client has all the specified privileges. Otherwise a value of
  264. FALSE is returned.
  268. Return Value:
  270. STATUS_SUCCESS - Indicates the call completed successfully.
  272. STATUS_PRIVILEGE_NOT_HELD - Indicates the caller does not have
  273. sufficient privilege to use this privileged system service.
  275. --*/
  279. {
  280. BOOLEAN BStatus;
  281. KPROCESSOR_MODE PreviousMode;
  282. NTSTATUS Status;
  283. PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL;
  284. PTOKEN Token = NULL;
  285. ULONG CapturedPrivilegeCount = 0;
  286. ULONG CapturedPrivilegesLength = 0;
  287. ULONG ParameterLength = 0;
  288. ULONG PrivilegeSetControl = 0;
  290. PAGED_CODE();
  292. PreviousMode = KeGetPreviousMode();
  294. Status = ObReferenceObjectByHandle(
  295. ClientToken, // Handle
  296. TOKEN_QUERY, // DesiredAccess
  297. SeTokenObjectType, // ObjectType
  298. PreviousMode, // AccessMode
  299. (PVOID *)&Token, // Object
  300. NULL // GrantedAccess
  301. );
  303. if ( !NT_SUCCESS(Status) ) {
  304. return Status;
  306. }
  308. //
  309. // If the passed token is an impersonation token, make sure
  310. // it is at SecurityIdentification or above.
  311. //
  313. if (Token->TokenType == TokenImpersonation) {
  315. if (Token->ImpersonationLevel < SecurityIdentification) {
  317. ObDereferenceObject( (PVOID)Token );
  319. return( STATUS_BAD_IMPERSONATION_LEVEL );
  321. }
  322. }
  324. try {
  326. //
  327. // Capture passed Privilege Set
  328. //
  330. ProbeForWriteSmallStructure(
  331. RequiredPrivileges,
  332. sizeof(PRIVILEGE_SET),
  333. sizeof(ULONG)
  334. );
  336. CapturedPrivilegeCount = RequiredPrivileges->PrivilegeCount;
  338. if (!IsValidElementCount(CapturedPrivilegeCount, LUID_AND_ATTRIBUTES)) {
  339. Status = STATUS_INVALID_PARAMETER;
  340. leave;
  341. }
  342. ParameterLength = (ULONG)sizeof(PRIVILEGE_SET) +
  343. ((CapturedPrivilegeCount - ANYSIZE_ARRAY) *
  344. (ULONG)sizeof(LUID_AND_ATTRIBUTES) );
  346. ProbeForWrite(
  347. RequiredPrivileges,
  348. ParameterLength,
  349. sizeof(ULONG)
  350. );
  353. ProbeForWriteBoolean(Result);
  355. PrivilegeSetControl = RequiredPrivileges->Control;
  358. } except(EXCEPTION_EXECUTE_HANDLER) {
  359. Status = GetExceptionCode();
  360. }
  362. if (!NT_SUCCESS(Status)) {
  363. ObDereferenceObject( (PVOID)Token );
  364. return Status;
  366. }
  368. Status = SeCaptureLuidAndAttributesArray(
  369. (RequiredPrivileges->Privilege),
  370. CapturedPrivilegeCount,
  371. UserMode,
  372. NULL, 0,
  373. PagedPool,
  374. TRUE,
  375. &CapturedPrivileges,
  376. &CapturedPrivilegesLength
  377. );
  379. if (!NT_SUCCESS(Status)) {
  381. ObDereferenceObject( (PVOID)Token );
  382. return Status;
  383. }
  385. BStatus = SepPrivilegeCheck(
  386. Token, // Token,
  387. CapturedPrivileges, // RequiredPrivileges,
  388. CapturedPrivilegeCount, // RequiredPrivilegeCount,
  389. PrivilegeSetControl, // PrivilegeSetControl
  390. PreviousMode // PreviousMode
  391. );
  393. ObDereferenceObject( Token );
  396. try {
  398. //
  399. // copy the modified privileges buffer back to user
  400. //
  402. RtlCopyMemory(
  403. RequiredPrivileges->Privilege,
  404. CapturedPrivileges,
  405. CapturedPrivilegesLength
  406. );
  408. *Result = BStatus;
  410. } except (EXCEPTION_EXECUTE_HANDLER) {
  412. SeReleaseLuidAndAttributesArray(
  413. CapturedPrivileges,
  414. PreviousMode,
  415. TRUE
  416. );
  418. return(GetExceptionCode());
  420. }
  422. SeReleaseLuidAndAttributesArray(
  423. CapturedPrivileges,
  424. PreviousMode,
  425. TRUE
  426. );
  428. return( STATUS_SUCCESS );
  429. }
  433. BOOLEAN
  434. SeSinglePrivilegeCheck(
  435. LUID PrivilegeValue,
  436. KPROCESSOR_MODE PreviousMode
  437. )
  439. /*++
  441. Routine Description:
  443. This function will check for the passed privilege value in the
  444. current context.
  446. Arguments:
  448. PrivilegeValue - The value of the privilege being checked.
  451. Return Value:
  453. TRUE - The current subject has the desired privilege.
  455. FALSE - The current subject does not have the desired privilege.
  456. --*/
  458. {
  459. BOOLEAN AccessGranted;
  460. PRIVILEGE_SET RequiredPrivileges;
  461. SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
  463. PAGED_CODE();
  465. //
  466. // Make sure the caller has the privilege to make this
  467. // call.
  468. //
  470. RequiredPrivileges.PrivilegeCount = 1;
  471. RequiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY;
  472. RequiredPrivileges.Privilege[0].Luid = PrivilegeValue;
  473. RequiredPrivileges.Privilege[0].Attributes = 0;
  475. SeCaptureSubjectContext( &SubjectSecurityContext );
  477. AccessGranted = SePrivilegeCheck(
  478. &RequiredPrivileges,
  479. &SubjectSecurityContext,
  480. PreviousMode
  481. );
  483. if ( PreviousMode != KernelMode ) {
  485. SePrivilegedServiceAuditAlarm (
  486. NULL,
  487. &SubjectSecurityContext,
  488. &RequiredPrivileges,
  489. AccessGranted
  490. );
  491. }
  494. SeReleaseSubjectContext( &SubjectSecurityContext );
  496. return( AccessGranted );
  498. }
  501. BOOLEAN
  502. SeCheckPrivilegedObject(
  503. LUID PrivilegeValue,
  504. HANDLE ObjectHandle,
  505. ACCESS_MASK DesiredAccess,
  506. KPROCESSOR_MODE PreviousMode
  507. )
  509. /*++
  511. Routine Description:
  513. This function will check for the passed privilege value in the
  514. current context, and generate audits as appropriate.
  516. Arguments:
  518. PrivilegeValue - The value of the privilege being checked.
  520. Object - Specifies a pointer to the object being accessed.
  522. ObjectHandle - Specifies the object handle being used.
  524. DesiredAccess - The desired access mask, if any
  526. PreviousMode - The previous processor mode
  529. Return Value:
  531. TRUE - The current subject has the desired privilege.
  533. FALSE - The current subject does not have the desired privilege.
  534. --*/
  536. {
  537. BOOLEAN AccessGranted;
  538. PRIVILEGE_SET RequiredPrivileges;
  539. SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
  541. PAGED_CODE();
  543. //
  544. // Make sure the caller has the privilege to make this
  545. // call.
  546. //
  548. RequiredPrivileges.PrivilegeCount = 1;
  549. RequiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY;
  550. RequiredPrivileges.Privilege[0].Luid = PrivilegeValue;
  551. RequiredPrivileges.Privilege[0].Attributes = 0;
  553. SeCaptureSubjectContext( &SubjectSecurityContext );
  555. AccessGranted = SePrivilegeCheck(
  556. &RequiredPrivileges,
  557. &SubjectSecurityContext,
  558. PreviousMode
  559. );
  561. if ( PreviousMode != KernelMode ) {
  563. SePrivilegeObjectAuditAlarm(
  564. ObjectHandle,
  565. &SubjectSecurityContext,
  566. DesiredAccess,
  567. &RequiredPrivileges,
  568. AccessGranted,
  569. PreviousMode
  570. );
  572. }
  575. SeReleaseSubjectContext( &SubjectSecurityContext );
  577. return( AccessGranted );
  579. }