Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1224 lines
37 KiB

  1. /*++
  2. Copyright (c) 1991 Microsoft Corporation
  3. Module Name:
  4. rmmain.c
  5. Abstract:
  6. Security Reference Monitor - Init, Control and State Change
  7. Author:
  8. Scott Birrell (ScottBi) March 12, 1991
  9. Environment:
  10. Revision History:
  11. --*/
  12. #include "pch.h"
  13. #pragma hdrstop
  14. #ifdef ALLOC_PRAGMA
  15. #pragma alloc_text(INIT,SeRmInitPhase1)
  16. #pragma alloc_text(PAGE,SepRmCommandServerThread)
  17. #pragma alloc_text(PAGE,SepRmCommandServerThreadInit)
  18. #pragma alloc_text(PAGE,SepRmCallLsa)
  19. #pragma alloc_text(INIT,SepRmInitPhase0)
  20. #endif
  21. //
  22. // Reference Monitor Command Worker Table
  23. //
  24. //
  25. // Keep this in sync with RM_COMMAND_NUMBER in ntrmlsa.h
  26. //
  27. #ifdef ALLOC_DATA_PRAGMA
  28. #pragma const_seg("PAGECONST")
  29. #endif
  30. const SEP_RM_COMMAND_WORKER SepRmCommandDispatch[] = {
  31. NULL,
  32. SepRmSetAuditEventWrkr,
  33. SepRmCreateLogonSessionWrkr,
  34. SepRmDeleteLogonSessionWrkr
  35. };
  36. BOOLEAN
  37. SeRmInitPhase1(
  38. )
  39. /*++
  40. Routine Description:
  41. This function is called by Phase 1 System Initialization to initialize
  42. the Security Reference Monitor. Note that initialization of the
  43. Reference Monitor Global State has already been performed in Phase 0
  44. initialization to allow access validation routines to operate without
  45. having to check that Reference Monitor Initialization is complete.
  46. The steps listed below are performed in this routine. The remainder
  47. of Reference Monitor initialization requires the LSA subsystem to have run,
  48. so that initialization is performed in a separate thread (the RM Command
  49. Server Thread, see below), so that the present thread can create the
  50. Session Manager which execs the LSA.
  51. o Create the Reference Monitor Command LPC port. The LSA subsystem sends
  52. commands (e.g. turn on auditing) which change the Reference Monitor
  53. Global State.
  54. o Create an Event for use in synchronizing with the LSA subsystem. The
  55. LSA will signal the event when the portion of LSA initialization upon
  56. with the Reference Monitor depends is complete. The Reference Monitor
  57. uses another LPC port, called the LSA Command Port to send commands
  58. to the LSA, so the RM must know that this port has been created before
  59. trying to connect to it.
  60. o Create the Reference Monitor Command Server Thread. This thread is
  61. a permanent thread of the System Init process that fields the Reference
  62. Monitor State Change commands described above.
  63. Arguments:
  64. None.
  65. Return Value:
  66. BOOLEAN - TRUE if Rm Initialization (Phase 1) succeeded, else FALSE
  67. --*/
  68. {
  69. NTSTATUS Status;
  70. UNICODE_STRING RmCommandPortName;
  71. OBJECT_ATTRIBUTES ObjectAttributes;
  72. UNICODE_STRING LsaInitEventName;
  73. OBJECT_ATTRIBUTES LsaInitEventObjectAttributes;
  74. SECURITY_DESCRIPTOR LsaInitEventSecurityDescriptor;
  75. ULONG AclSize;
  76. PAGED_CODE();
  77. //
  78. // Create an LPC port called the Reference Monitor Command Port.
  79. // This will be used by the LSA to send commands to the Reference
  80. // Monitor to update its state data.
  81. //
  82. RtlInitUnicodeString( &RmCommandPortName, L"\\SeRmCommandPort" );
  83. InitializeObjectAttributes(
  84. &ObjectAttributes,
  85. &RmCommandPortName,
  86. 0,
  87. NULL,
  88. NULL
  89. );
  90. Status = ZwCreatePort(
  91. &SepRmState.RmCommandServerPortHandle,
  92. &ObjectAttributes,
  93. sizeof(SEP_RM_CONNECT_INFO),
  94. sizeof(RM_COMMAND_MESSAGE),
  95. sizeof(RM_COMMAND_MESSAGE) * 32
  96. );
  97. if( !NT_SUCCESS(Status) ) {
  98. KdPrint(("Security: Rm Create Command Port failed 0x%lx\n", Status));
  99. return FALSE;
  100. }
  101. //
  102. // Prepare to create an event for synchronizing with the LSA.
  103. // First, build the Security Descriptor for the Init Event Object
  104. //
  105. Status = RtlCreateSecurityDescriptor(
  106. &LsaInitEventSecurityDescriptor,
  107. SECURITY_DESCRIPTOR_REVISION
  108. );
  109. if (!NT_SUCCESS(Status)) {
  110. KdPrint(("Security: Creating Lsa Init Event Desc failed 0x%lx\n",
  111. Status));
  112. return FALSE;
  113. }
  114. //
  115. // Allocate a temporary buffer from the paged pool. It is a fatal
  116. // system error if the allocation fails since security cannot be
  117. // enabled.
  118. //
  119. AclSize = sizeof(ACL) +
  120. sizeof(ACCESS_ALLOWED_ACE) +
  121. SeLengthSid(SeLocalSystemSid);
  122. LsaInitEventSecurityDescriptor.Dacl =
  123. ExAllocatePoolWithTag(PagedPool, AclSize, 'cAeS');
  124. if (LsaInitEventSecurityDescriptor.Dacl == NULL) {
  125. KdPrint(("Security LSA: Insufficient resources to initialize\n"));
  126. return FALSE;
  127. }
  128. //
  129. // Now create the Discretionary ACL within the Security Descriptor
  130. //
  131. Status = RtlCreateAcl(
  132. LsaInitEventSecurityDescriptor.Dacl,
  133. AclSize,
  134. ACL_REVISION2
  135. );
  136. if (!NT_SUCCESS(Status)) {
  137. KdPrint(("Security: Creating Lsa Init Event Dacl failed 0x%lx\n",
  138. Status));
  139. return FALSE;
  140. }
  141. //
  142. // Now add an ACE giving GENERIC_ALL access to the User ID
  143. //
  144. Status = RtlAddAccessAllowedAce(
  145. LsaInitEventSecurityDescriptor.Dacl,
  146. ACL_REVISION2,
  147. GENERIC_ALL,
  148. SeLocalSystemSid
  149. );
  150. if (!NT_SUCCESS(Status)) {
  151. KdPrint(("Security: Adding Lsa Init Event ACE failed 0x%lx\n",
  152. Status));
  153. return FALSE;
  154. }
  155. //
  156. // Set up the Object Attributes for the Lsa Initialization Event
  157. //
  158. RtlInitUnicodeString( &LsaInitEventName, L"\\SeLsaInitEvent" );
  159. InitializeObjectAttributes(
  160. &LsaInitEventObjectAttributes,
  161. &LsaInitEventName,
  162. 0,
  163. NULL,
  164. &LsaInitEventSecurityDescriptor
  165. );
  166. //
  167. // Create an event for use in synchronizing with the LSA. The LSA will
  168. // signal this event when LSA initialization has reached the point
  169. // where the LSA's Reference Monitor Server Port has been created.
  170. //
  171. Status = ZwCreateEvent(
  172. &(SepRmState.LsaInitEventHandle),
  173. EVENT_MODIFY_STATE,
  174. &LsaInitEventObjectAttributes,
  175. NotificationEvent,
  176. FALSE);
  177. if (!NT_SUCCESS(Status)) {
  178. KdPrint(("Security: LSA init event creation failed.0x%xl\n",
  179. Status));
  180. return FALSE;
  181. }
  182. //
  183. // Deallocate the pool memory used for the Init Event DACL
  184. //
  185. ExFreePool( LsaInitEventSecurityDescriptor.Dacl );
  186. //
  187. // Create a permanent thread of the Sysinit Process, called the
  188. // Reference Monitor Server Thread. This thread is dedicated to
  189. // receiving Reference Monitor commands and dispatching them.
  190. //
  191. Status = PsCreateSystemThread(
  192. &SepRmState.SepRmThreadHandle,
  193. THREAD_GET_CONTEXT |
  194. THREAD_SET_CONTEXT |
  195. THREAD_SET_INFORMATION,
  196. NULL,
  197. NULL,
  198. NULL,
  199. SepRmCommandServerThread,
  200. NULL
  201. );
  202. if (!NT_SUCCESS(Status)) {
  203. KdPrint(("Security: Rm Server Thread creation failed 0x%lx\n", Status));
  204. return FALSE;
  205. }
  206. //
  207. // Initialize data from the registry. This must go here because all other
  208. // Se initialization takes place before the registry is initialized.
  209. //
  210. SepAdtInitializeCrashOnFail();
  211. SepAdtInitializePrivilegeAuditing();
  212. SepAdtInitializeAuditingOptions();
  213. //
  214. // Reference Monitor initialization is successful if we get to here.
  215. //
  216. ZwClose( SepRmState.SepRmThreadHandle );
  217. SepRmState.SepRmThreadHandle = NULL;
  218. return TRUE;
  219. }
  220. VOID
  221. SepRmCommandServerThread(
  222. IN PVOID StartContext
  223. )
  224. /*++
  225. Routine Description:
  226. This function is executed indefinitely by a dedicated permanent thread
  227. of the Sysinit Process, called the Reference Monitor Server Thread.
  228. This thread updates Reference Monitor Global State Data by dispatching
  229. commands sent from the LSA through the the Reference Monitor LPC Command
  230. Port. The following steps are repeated indefinitely:
  231. o Initialize RM Command receive and reply buffer headers
  232. o Perform remaining Reference Monitor initialization involving LSA
  233. o Wait for RM command sent from LSA, send reply to previous command
  234. (if any)
  235. o Validate command
  236. o Dispatch to command worker routine to execute command.
  237. Arguments:
  238. None.
  239. Return Value:
  240. None.
  241. --*/
  242. {
  243. NTSTATUS Status;
  244. PRM_REPLY_MESSAGE Reply;
  245. RM_COMMAND_MESSAGE CommandMessage;
  246. RM_REPLY_MESSAGE ReplyMessage;
  247. PAGED_CODE();
  248. //
  249. // Perform the rest of the Reference Monitor initialization, involving
  250. // synchronization with the LSA or dependency on the LSA having run.
  251. //
  252. if (!SepRmCommandServerThreadInit()) {
  253. KdPrint(("Security: Terminating Rm Command Server Thread\n"));
  254. return;
  255. }
  256. Status = PoRequestShutdownEvent (NULL);
  257. if (!NT_SUCCESS (Status)) {
  258. ZwClose (SepRmState.RmCommandPortHandle);
  259. ZwClose (SepRmState.RmCommandServerPortHandle);
  260. ZwClose (SepRmState.LsaCommandPortHandle);
  261. ZwClose (SepLsaHandle);
  262. SepRmState.RmCommandPortHandle = NULL;
  263. SepRmState.RmCommandServerPortHandle = NULL;
  264. SepRmState.LsaCommandPortHandle = NULL;
  265. SepLsaHandle = NULL;
  266. return;
  267. }
  268. //
  269. // Initialize LPC port message header type and length fields for the
  270. // received command message.
  271. //
  272. CommandMessage.MessageHeader.u2.ZeroInit = 0;
  273. CommandMessage.MessageHeader.u1.s1.TotalLength =
  274. (CSHORT) sizeof(RM_COMMAND_MESSAGE);
  275. CommandMessage.MessageHeader.u1.s1.DataLength =
  276. CommandMessage.MessageHeader.u1.s1.TotalLength -
  277. (CSHORT) sizeof(PORT_MESSAGE);
  278. //
  279. // Initialize the LPC port message header type and data sizes for
  280. // for the reply message.
  281. //
  282. ReplyMessage.MessageHeader.u2.ZeroInit = 0;
  283. ReplyMessage.MessageHeader.u1.s1.TotalLength =
  284. (CSHORT) sizeof(RM_COMMAND_MESSAGE);
  285. ReplyMessage.MessageHeader.u1.s1.DataLength =
  286. ReplyMessage.MessageHeader.u1.s1.TotalLength -
  287. (CSHORT) sizeof(PORT_MESSAGE);
  288. //
  289. // First time through, there is no reply.
  290. //
  291. Reply = NULL;
  292. //
  293. // Now loop indefinitely, processing incoming Rm commands from the LSA.
  294. //
  295. for(;;) {
  296. //
  297. // Wait for Command, send reply to previous command (if any)
  298. //
  299. Status = ZwReplyWaitReceivePort(
  300. SepRmState.RmCommandPortHandle,
  301. NULL,
  302. (PPORT_MESSAGE) Reply,
  303. (PPORT_MESSAGE) &CommandMessage
  304. );
  305. if (!NT_SUCCESS(Status)) {
  306. //
  307. // malicious user apps can try to connect to this port. We will
  308. // fail later, but if their thread vanishes, we'll get a failure
  309. // here. Ignore it:
  310. //
  311. if (Status == STATUS_UNSUCCESSFUL ||
  312. Status == STATUS_INVALID_CID ||
  313. Status == STATUS_REPLY_MESSAGE_MISMATCH)
  314. {
  315. //
  316. // skip it:
  317. //
  318. Reply = NULL ;
  319. continue;
  320. }
  321. KdPrint(("Security: RM message receive from Lsa failed %lx\n",
  322. Status));
  323. }
  324. //
  325. // Now dispatch to a routine to handle the command. Allow
  326. // command errors to occur without bringing system down just now.
  327. //
  328. CommandMessage.MessageHeader.u2.s2.Type &= ~LPC_KERNELMODE_MESSAGE;
  329. if ( CommandMessage.MessageHeader.u2.s2.Type == LPC_REQUEST ) {
  330. if ( (CommandMessage.CommandNumber >= RmAuditSetCommand) &&
  331. (CommandMessage.CommandNumber <= RmDeleteLogonSession) ) {
  332. (*(SepRmCommandDispatch[CommandMessage.CommandNumber]))
  333. (&CommandMessage, &ReplyMessage);
  334. //
  335. // Initialize the client thread info and message id for the
  336. // reply message. First time through, the reply message structure
  337. // is not used.
  338. //
  339. ReplyMessage.MessageHeader.ClientId =
  340. CommandMessage.MessageHeader.ClientId;
  341. ReplyMessage.MessageHeader.MessageId =
  342. CommandMessage.MessageHeader.MessageId;
  343. Reply = &ReplyMessage;
  344. } else {
  345. ASSERT( (CommandMessage.CommandNumber >= RmAuditSetCommand) &&
  346. (CommandMessage.CommandNumber <= RmDeleteLogonSession) );
  347. Reply = NULL;
  348. }
  349. } else if (CommandMessage.MessageHeader.u2.s2.Type == LPC_PORT_CLOSED ) {
  350. KEVENT Event;
  351. BOOLEAN Wait;
  352. KeInitializeEvent (&Event, NotificationEvent, FALSE);
  353. SepLockLsaQueue();
  354. SepAdtLsaDeadEvent = &Event;
  355. Wait = !SepWorkListEmpty ();
  356. SepUnlockLsaQueue();
  357. if (Wait) {
  358. KeWaitForSingleObject (&Event,
  359. Executive,
  360. KernelMode,
  361. FALSE,
  362. NULL);
  363. }
  364. //
  365. // Our only client closed its handle. Tidy up and exit.
  366. //
  367. ZwClose (SepRmState.LsaCommandPortHandle);
  368. ZwClose (SepRmState.RmCommandPortHandle);
  369. ZwClose (SepRmState.RmCommandServerPortHandle);
  370. ZwClose (SepLsaHandle);
  371. SepRmState.LsaCommandPortHandle = NULL;
  372. SepRmState.RmCommandPortHandle = NULL;
  373. SepRmState.RmCommandServerPortHandle = NULL;
  374. SepLsaHandle = NULL;
  375. break;
  376. } else if (CommandMessage.MessageHeader.u2.s2.Type == LPC_CONNECTION_REQUEST) {
  377. HANDLE tmp;
  378. //
  379. // Reject extra connection attempts
  380. //
  381. Status = ZwAcceptConnectPort(&tmp,
  382. NULL,
  383. (PPORT_MESSAGE) &CommandMessage,
  384. FALSE,
  385. NULL,
  386. NULL);
  387. } else {
  388. Reply = NULL;
  389. }
  390. } // end_for
  391. UNREFERENCED_PARAMETER( StartContext );
  392. }
  393. BOOLEAN
  394. SepRmCommandServerThreadInit(
  395. VOID
  396. )
  397. /*++
  398. Routine Description:
  399. This function performs initialization of the Reference Monitor Server
  400. thread. The following steps are performed.
  401. o Wait on the LSA signalling the event. When the event is signalled,
  402. the LSA has already created the LSA Command Server LPC Port
  403. o Close the LSA Init Event Handle. The event is not used again.
  404. o Listen for the LSA to connect to the Port
  405. o Accept the connection.
  406. o Connect to the LSA Command Server LPC Port
  407. Arguments:
  408. None.
  409. Return Value:
  410. --*/
  411. {
  412. NTSTATUS Status;
  413. UNICODE_STRING LsaCommandPortName;
  414. PORT_MESSAGE ConnectionRequest;
  415. SECURITY_QUALITY_OF_SERVICE DynamicQos;
  416. OBJECT_ATTRIBUTES ObjectAttributes;
  417. PORT_VIEW ClientView;
  418. REMOTE_PORT_VIEW LsaClientView;
  419. BOOLEAN BooleanStatus = TRUE;
  420. PAGED_CODE();
  421. //
  422. // Save a pointer to our process so we can get back into this process
  423. // to send commands to the LSA (using a handle to an LPC port created
  424. // below).
  425. //
  426. SepRmLsaCallProcess = PsGetCurrentProcess();
  427. ObReferenceObject(SepRmLsaCallProcess);
  428. //
  429. // Wait on the LSA signalling the event. This means that the LSA
  430. // has created its command port, not that LSA initialization is
  431. // complete.
  432. //
  433. Status = ZwWaitForSingleObject(
  434. SepRmState.LsaInitEventHandle,
  435. FALSE,
  436. NULL);
  437. if ( !NT_SUCCESS(Status) ) {
  438. KdPrint(("Security Rm Init: Waiting for LSA Init Event failed 0x%lx\n", Status));
  439. goto RmCommandServerThreadInitError;
  440. }
  441. //
  442. // Close the LSA Init Event Handle. The event is not used again.
  443. //
  444. ZwClose(SepRmState.LsaInitEventHandle);
  445. //
  446. // Listen for a connection to be made by the LSA to the Reference Monitor
  447. // Command Port. This connection will be made by the LSA process.
  448. //
  449. ConnectionRequest.u1.s1.TotalLength = sizeof(ConnectionRequest);
  450. ConnectionRequest.u1.s1.DataLength = (CSHORT)0;
  451. Status = ZwListenPort(
  452. SepRmState.RmCommandServerPortHandle,
  453. &ConnectionRequest
  454. );
  455. if (!NT_SUCCESS(Status)) {
  456. KdPrint(("Security Rm Init: Listen to Command Port failed 0x%lx\n",
  457. Status));
  458. goto RmCommandServerThreadInitError;
  459. }
  460. //
  461. // Obtain a handle to the LSA process for use when auditing.
  462. //
  463. InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL, NULL );
  464. Status = ZwOpenProcess(
  465. &SepLsaHandle,
  466. PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
  467. &ObjectAttributes,
  468. &ConnectionRequest.ClientId
  469. );
  470. if (!NT_SUCCESS(Status)) {
  471. KdPrint(("Security Rm Init: Open Listen to Command Port failed 0x%lx\n",
  472. Status));
  473. goto RmCommandServerThreadInitError;
  474. }
  475. //
  476. // Accept the connection made by the LSA process.
  477. //
  478. LsaClientView.Length = sizeof(LsaClientView);
  479. Status = ZwAcceptConnectPort(
  480. &SepRmState.RmCommandPortHandle,
  481. NULL,
  482. &ConnectionRequest,
  483. TRUE,
  484. NULL,
  485. &LsaClientView
  486. );
  487. if (!NT_SUCCESS(Status)) {
  488. KdPrint(("Security Rm Init: Accept Connect to Command Port failed 0x%lx\n",
  489. Status));
  490. goto RmCommandServerThreadInitError;
  491. }
  492. //
  493. // Complete the connection.
  494. //
  495. Status = ZwCompleteConnectPort(SepRmState.RmCommandPortHandle);
  496. if (!NT_SUCCESS(Status)) {
  497. KdPrint(("Security Rm Init: Complete Connect to Command Port failed 0x%lx\n",
  498. Status));
  499. goto RmCommandServerThreadInitError;
  500. }
  501. //
  502. // Set up the security quality of service parameters to use over the
  503. // Lsa Command LPC port. Use the most efficient (least overhead) - which
  504. // is dynamic rather than static tracking.
  505. //
  506. DynamicQos.ImpersonationLevel = SecurityImpersonation;
  507. DynamicQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
  508. DynamicQos.EffectiveOnly = TRUE;
  509. //
  510. // Create the section to be used as unnamed shared memory for
  511. // communication between the RM and LSA.
  512. //
  513. SepRmState.LsaCommandPortSectionSize.LowPart = PAGE_SIZE;
  514. SepRmState.LsaCommandPortSectionSize.HighPart = 0;
  515. Status = ZwCreateSection(
  516. &SepRmState.LsaCommandPortSectionHandle,
  517. SECTION_ALL_ACCESS,
  518. NULL, // ObjectAttributes
  519. &SepRmState.LsaCommandPortSectionSize,
  520. PAGE_READWRITE,
  521. SEC_COMMIT,
  522. NULL // FileHandle
  523. );
  524. if (!NT_SUCCESS(Status)) {
  525. KdPrint(("Security Rm Init: Create Memory Section for LSA port failed: %X\n", Status));
  526. goto RmCommandServerThreadInitError;
  527. }
  528. //
  529. // Set up for a call to NtConnectPort and connect to the LSA port.
  530. // This setup includes a description of the port memory section so that
  531. // the LPC connection logic can make the section visible to both the
  532. // client and server processes.
  533. //
  534. ClientView.Length = sizeof(ClientView);
  535. ClientView.SectionHandle = SepRmState.LsaCommandPortSectionHandle;
  536. ClientView.SectionOffset = 0;
  537. ClientView.ViewSize = SepRmState.LsaCommandPortSectionSize.LowPart;
  538. ClientView.ViewBase = 0;
  539. ClientView.ViewRemoteBase = 0;
  540. //
  541. // Set up the security quality of service parameters to use over the
  542. // port. Use dynamic tracking so that XACTSRV will impersonate the
  543. // user that we are impersonating when we call NtRequestWaitReplyPort.
  544. // If we used static tracking, XACTSRV would impersonate the context
  545. // when the connection is made.
  546. //
  547. DynamicQos.ImpersonationLevel = SecurityImpersonation;
  548. DynamicQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
  549. DynamicQos.EffectiveOnly = TRUE;
  550. //
  551. // Connect to the Lsa Command LPC Port. This port is used to send
  552. // commands from the RM to the LSA.
  553. //
  554. RtlInitUnicodeString( &LsaCommandPortName, L"\\SeLsaCommandPort" );
  555. Status = ZwConnectPort(
  556. &SepRmState.LsaCommandPortHandle,
  557. &LsaCommandPortName,
  558. &DynamicQos,
  559. &ClientView,
  560. NULL, // ServerView
  561. NULL, // MaxMessageLength
  562. NULL, // ConnectionInformation
  563. NULL // ConnectionInformationLength
  564. );
  565. if (!NT_SUCCESS(Status)) {
  566. KdPrint(("Security Rm Init: Connect to LSA Port failed 0x%lx\n", Status));
  567. goto RmCommandServerThreadInitError;
  568. }
  569. //
  570. // Store information about the section so that we can create pointers
  571. // meaningful to LSA.
  572. //
  573. SepRmState.RmViewPortMemory = ClientView.ViewBase;
  574. SepRmState.LsaCommandPortMemoryDelta =
  575. (LONG)((ULONG_PTR)ClientView.ViewRemoteBase - (ULONG_PTR) ClientView.ViewBase );
  576. SepRmState.LsaViewPortMemory = ClientView.ViewRemoteBase;
  577. RmCommandServerThreadInitFinish:
  578. //
  579. // Dont need this section handle any more, even if returning
  580. // success.
  581. //
  582. if ( SepRmState.LsaCommandPortSectionHandle != NULL ) {
  583. NtClose( SepRmState.LsaCommandPortSectionHandle );
  584. SepRmState.LsaCommandPortSectionHandle = NULL;
  585. }
  586. //
  587. // The Reference Monitor Thread has successfully initialized.
  588. //
  589. return BooleanStatus;
  590. RmCommandServerThreadInitError:
  591. if ( SepRmState.LsaCommandPortHandle != NULL ) {
  592. NtClose( SepRmState.LsaCommandPortHandle );
  593. SepRmState.LsaCommandPortHandle = NULL;
  594. }
  595. BooleanStatus = FALSE;
  596. goto RmCommandServerThreadInitFinish;
  597. }
  598. NTSTATUS
  599. SepRmCallLsa(
  600. PSEP_WORK_ITEM SepWorkItem
  601. )
  602. /*++
  603. Routine Description:
  604. This function sends a command to the LSA via the LSA Reference Monitor
  605. Server Command LPC Port. If the command has parameters, they will be
  606. copied directly into a message structure and sent via LPC, therefore,
  607. the supplied parameters may not contain any absolute pointers. A caller
  608. must remove pointers by "marshalling" them into the buffer CommandParams.
  609. This function will create a queue of requests. This is in order to allow
  610. greater throughput for the majority if its callers. If a thread enters
  611. this routine and finds the queue empty, it is the responsibility of that
  612. thread to service all requests that come in while it is working until the
  613. queue is empty again. Other threads that enter will simply hook their work
  614. item onto the queue and exit.
  615. To implement a new LSA command, do the following:
  616. ================================================
  617. (1) If the command takes no parameters, just call this routine directly
  618. and provide an LSA worker routine called Lsap<command>Wrkr. See
  619. file lsa\server\lsarm.c for examples
  620. (2) If the command takes parameters, provide a routine called
  621. SepRmSend<command>Command that takes the parameters in unmarshalled
  622. form and calls SepRmCallLsa() with the command id, marshalled
  623. parameters, length of marshalled parameters and pointer to
  624. optional reply message. The marshalled parameters are free format:
  625. the only restriction is that there must be no absolute address
  626. pointers. These parameters are all placed in the passed LsaWorkItem
  627. structure.
  628. (3) In file private\inc\ntrmlsa.h, append a command name to the
  629. enumerated type LSA_COMMAND_NUMBER defined in file
  630. private\inc\ntrmlsa.h. Change the #define for LsapMaximumCommand
  631. to reference the new command.
  632. (4) Add the Lsap<command>Wrkr to the command dispatch table structure
  633. LsapCommandDispatch[] in file lsarm.c.
  634. (5) Add function prototypes to lsap.h and sep.h.
  635. Arguments:
  636. LsaWorkItem - Supplies a pointer to an SE_LSA_WORK_ITEM containing the
  637. information to be passed to LSA. This structure will be freed
  638. asynchronously by some invocation of this routine, not necessarily
  639. in the current context.
  640. !THIS PARAMETER MUST BE ALLOCATED OUT OF NONPAGED POOL!
  641. Return Value:
  642. NTSTATUS - Result Code. This is either a result code returned from
  643. trying to send the command/receive the reply, or a status code
  644. from the command itself.
  645. --*/
  646. {
  647. NTSTATUS Status = STATUS_SUCCESS;
  648. LSA_COMMAND_MESSAGE CommandMessage;
  649. LSA_REPLY_MESSAGE ReplyMessage;
  650. PSEP_LSA_WORK_ITEM WorkQueueItem;
  651. ULONG LocalListLength = 0;
  652. SIZE_T RegionSize;
  653. PVOID CopiedCommandParams = NULL;
  654. PVOID LsaViewCopiedCommandParams = NULL;
  655. PAGED_CODE();
  656. UNREFERENCED_PARAMETER( SepWorkItem );
  657. #if 0
  658. DbgPrint("Entering SepRmCallLsa\n");
  659. #endif
  660. WorkQueueItem = SepWorkListHead();
  661. KeAttachProcess( &SepRmLsaCallProcess->Pcb );
  662. while ( WorkQueueItem ) {
  663. #if 0
  664. DbgPrint("Got a work item from head of queue, processing\n");
  665. #endif
  666. //
  667. // Construct a message for LPC. First, fill in the message header
  668. // fields for LPC, specifying the message type and data sizes for
  669. // the outgoing CommandMessage and the incoming ReplyMessage.
  670. //
  671. CommandMessage.MessageHeader.u2.ZeroInit = 0;
  672. CommandMessage.MessageHeader.u1.s1.TotalLength =
  673. ((CSHORT) RM_COMMAND_MESSAGE_HEADER_SIZE +
  674. (CSHORT) WorkQueueItem->CommandParamsLength);
  675. CommandMessage.MessageHeader.u1.s1.DataLength =
  676. CommandMessage.MessageHeader.u1.s1.TotalLength -
  677. (CSHORT) sizeof(PORT_MESSAGE);
  678. ReplyMessage.MessageHeader.u2.ZeroInit = 0;
  679. ReplyMessage.MessageHeader.u1.s1.DataLength = (CSHORT) WorkQueueItem->ReplyBufferLength;
  680. ReplyMessage.MessageHeader.u1.s1.TotalLength =
  681. ReplyMessage.MessageHeader.u1.s1.DataLength +
  682. (CSHORT) sizeof(PORT_MESSAGE);
  683. //
  684. // Next, fill in the header info needed by the LSA.
  685. //
  686. CommandMessage.CommandNumber = WorkQueueItem->CommandNumber;
  687. ReplyMessage.ReturnedStatus = STATUS_SUCCESS;
  688. //
  689. // Set up the Command Parameters either in the LPC Command Message
  690. // itself, in the preallocated Lsa shared memory block, or in a
  691. // specially allocated block. The parameters are either
  692. // immediate (i.e. in the WorkQueueItem itself, or are in a buffer
  693. // pointed to by the address in the WorkQueueItem.
  694. //
  695. switch (WorkQueueItem->CommandParamsMemoryType) {
  696. case SepRmImmediateMemory:
  697. //
  698. // The Command Parameters are in the CommandParams buffer
  699. // in the Work Queue Item. Just copy them to the corresponding
  700. // buffer in the CommandMessage buffer.
  701. //
  702. CommandMessage.CommandParamsMemoryType = SepRmImmediateMemory;
  703. RtlCopyMemory(
  704. CommandMessage.CommandParams,
  705. &WorkQueueItem->CommandParams,
  706. WorkQueueItem->CommandParamsLength
  707. );
  708. break;
  709. case SepRmPagedPoolMemory:
  710. case SepRmUnspecifiedMemory:
  711. //
  712. // The Command Parameters are contained in paged pool memory.
  713. // Since this memory is is not accessible by the LSA, we must
  714. // copy of them either to the LPC Command Message Block, or
  715. // into LSA shared memory.
  716. //
  717. if (WorkQueueItem->CommandParamsLength <= LSA_MAXIMUM_COMMAND_PARAM_SIZE) {
  718. //
  719. // Parameters will fit into the LPC Command Message block.
  720. //
  721. CopiedCommandParams = CommandMessage.CommandParams;
  722. RtlCopyMemory(
  723. CopiedCommandParams,
  724. WorkQueueItem->CommandParams.BaseAddress,
  725. WorkQueueItem->CommandParamsLength
  726. );
  727. CommandMessage.CommandParamsMemoryType = SepRmImmediateMemory;
  728. } else {
  729. //
  730. // Parameters too large for LPC Command Message block.
  731. // If possible, copy them to the preallocated Lsa Shared
  732. // Memory block. If they are too large to fit, copy them
  733. // to an individually allocated chunk of Shared Virtual
  734. // Memory.
  735. //
  736. if (WorkQueueItem->CommandParamsLength <= SEP_RM_LSA_SHARED_MEMORY_SIZE) {
  737. RtlCopyMemory(
  738. SepRmState.RmViewPortMemory,
  739. WorkQueueItem->CommandParams.BaseAddress,
  740. WorkQueueItem->CommandParamsLength
  741. );
  742. LsaViewCopiedCommandParams = SepRmState.LsaViewPortMemory;
  743. CommandMessage.CommandParamsMemoryType = SepRmLsaCommandPortSharedMemory;
  744. } else {
  745. Status = SepAdtCopyToLsaSharedMemory(
  746. SepLsaHandle,
  747. WorkQueueItem->CommandParams.BaseAddress,
  748. WorkQueueItem->CommandParamsLength,
  749. &LsaViewCopiedCommandParams
  750. );
  751. if (!NT_SUCCESS(Status)) {
  752. //
  753. // An error occurred, most likely in allocating
  754. // shared virtual memory. For now, just ignore
  755. // the error and discard the Audit Record. Later,
  756. // we may consider generating a warning record
  757. // indicating some records lost.
  758. //
  759. break;
  760. }
  761. CommandMessage.CommandParamsMemoryType = SepRmLsaCustomSharedMemory;
  762. }
  763. //
  764. // Buffer has been successfully copied to a shared Lsa
  765. // memory buffer. Place the address of the buffer valid in
  766. // the LSA's process context in the Command Message.
  767. //
  768. *((PVOID *) CommandMessage.CommandParams) =
  769. LsaViewCopiedCommandParams;
  770. CommandMessage.MessageHeader.u1.s1.TotalLength =
  771. ((CSHORT) RM_COMMAND_MESSAGE_HEADER_SIZE +
  772. (CSHORT) sizeof( LsaViewCopiedCommandParams ));
  773. CommandMessage.MessageHeader.u1.s1.DataLength =
  774. CommandMessage.MessageHeader.u1.s1.TotalLength -
  775. (CSHORT) sizeof(PORT_MESSAGE);
  776. }
  777. //
  778. // Free input command params buffer if Paged Pool.
  779. //
  780. if (WorkQueueItem->CommandParamsMemoryType == SepRmPagedPoolMemory) {
  781. ExFreePool( WorkQueueItem->CommandParams.BaseAddress );
  782. }
  783. break;
  784. default:
  785. Status = STATUS_INVALID_PARAMETER;
  786. break;
  787. }
  788. if (NT_SUCCESS(Status)) {
  789. //
  790. // Send Message to the LSA via the LSA Server Command LPC Port.
  791. // This must be done in the process in which the handle was created.
  792. //
  793. if( WorkQueueItem->CommandNumber == LsapLogonSessionDeletedCommand &&
  794. WorkQueueItem->ReplyBuffer == NULL
  795. )
  796. {
  797. //
  798. // send a datagram.
  799. //
  800. Status = ZwRequestPort(
  801. SepRmState.LsaCommandPortHandle,
  802. (PPORT_MESSAGE) &CommandMessage
  803. );
  804. ReplyMessage.ReturnedStatus = STATUS_SUCCESS;
  805. } else {
  806. Status = ZwRequestWaitReplyPort(
  807. SepRmState.LsaCommandPortHandle,
  808. (PPORT_MESSAGE) &CommandMessage,
  809. (PPORT_MESSAGE) &ReplyMessage
  810. );
  811. }
  812. //
  813. // If the command was successful, copy the data back to the output
  814. // buffer.
  815. //
  816. if (NT_SUCCESS(Status)) {
  817. //
  818. // Move output from command (if any) to buffer. Note that this
  819. // is done even if the command returns status, because some status
  820. // values are not errors.
  821. //
  822. if (ARGUMENT_PRESENT(WorkQueueItem->ReplyBuffer)) {
  823. RtlCopyMemory(
  824. WorkQueueItem->ReplyBuffer,
  825. ReplyMessage.ReplyBuffer,
  826. WorkQueueItem->ReplyBufferLength
  827. );
  828. }
  829. //
  830. // Return status from command.
  831. //
  832. Status = ReplyMessage.ReturnedStatus;
  833. if (!NT_SUCCESS(Status)) {
  834. KdPrint(("Security: Command sent from RM to LSA returned 0x%lx\n",
  835. Status));
  836. }
  837. } else {
  838. KdPrint(("Security: Sending Command RM to LSA failed 0x%lx\n", Status));
  839. }
  840. //
  841. // On return from the LPC call to the LSA, we expect the called
  842. // LSA worker routine to have copied the Command Parameters
  843. // buffer (if any). If a custom shared memory boffer was allocated,
  844. // free it now.
  845. //
  846. if (CommandMessage.CommandParamsMemoryType == SepRmLsaCustomSharedMemory) {
  847. RegionSize = 0;
  848. Status = ZwFreeVirtualMemory(
  849. SepLsaHandle,
  850. (PVOID *) &CommandMessage.CommandParams,
  851. &RegionSize,
  852. MEM_RELEASE
  853. );
  854. ASSERT(NT_SUCCESS(Status));
  855. }
  856. }
  857. //
  858. // Clean up. We must call the cleanup functions on its parameter
  859. // and then free the used WorkQueueItem itself.
  860. //
  861. if ( ARGUMENT_PRESENT( WorkQueueItem->CleanupFunction)) {
  862. (WorkQueueItem->CleanupFunction)(WorkQueueItem->CleanupParameter);
  863. }
  864. //
  865. // Determine if there is more work to do on this list
  866. //
  867. WorkQueueItem = SepDequeueWorkItem();
  868. #if 0
  869. if ( WorkQueueItem ) {
  870. DbgPrint("Got another item from list, going back\n");
  871. } else {
  872. DbgPrint("List is empty, leaving\n");
  873. }
  874. #endif
  875. }
  876. KeDetachProcess();
  877. if ( LocalListLength > SepLsaQueueLength ) {
  878. SepLsaQueueLength = LocalListLength;
  879. }
  880. return Status;
  881. }
  882. BOOLEAN
  883. SepRmInitPhase0(
  884. )
  885. /*++
  886. Routine Description:
  887. This function performs Reference Monitor Phase 0 initialization.
  888. This includes initializing the reference monitor database to a state
  889. which allows access validation routines to operate (always granting
  890. access) prior to the main init of the Reference Monitor in Phase 1
  891. initialization, without having to check if the RM is initialized.
  892. Arguments:
  893. None.
  894. Return Value:
  895. BOOLEAN - TRUE if successful, else FALSE
  896. --*/
  897. {
  898. BOOLEAN CompletionStatus;
  899. PAGED_CODE();
  900. CompletionStatus = SepRmDbInitialization();
  901. return CompletionStatus;
  902. }
  903. #ifdef ALLOC_DATA_PRAGMA
  904. #pragma const_seg()
  905. #endif