|
|
/*++
Copyright (c) 2000 Microsoft Corporation
Module Name:
authzp.h
Abstract:
Internal header file for authorization APIs.
Author:
Kedar Dubhashi - March 2000
Environment:
User mode only.
Revision History:
Created - March 2000
--*/
#ifndef __AUTHZP_H__
#define __AUTHZP_H__
#define _AUTHZ_
#include <authz.h>
#include <authzi.h>
#if 0
#define AUTHZ_DEBUG
#define AUTHZ_DEBUG_QUEUE
#define AUTHZ_DEBUG_MEMLEAK
#else
#define AUTHZ_PARAM_CHECK
#define AUTHZ_AUDIT_COUNTER
#endif
#define AuthzpCloseHandleNonNull(h) if (NULL != (h)) { AuthzpCloseHandle((h)); }
#define AuthzpCloseHandle(h) CloseHandle((h))
//
// Size of the local stack buffer used to save a kernel call as well as a memory
// allocation.
//
#define AUTHZ_MAX_STACK_BUFFER_SIZE 1024
#ifndef AUTHZ_DEBUG_MEMLEAK
#define AuthzpAlloc(s) LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, (s))
#define AuthzpFree(p) LocalFree((p))
#else
//
// This is to be used for debugging memory leaks. Primitive method but works in
// a small project like this.
//
PVOIDAuthzpAlloc(IN DWORD Size);
VOIDAuthzpFree(PVOID l);
#endif
//
// Given two sids and length of the first sid, compare the two sids.
//
#define AUTHZ_EQUAL_SID(s, d, l) ((*((DWORD*) s) == *((DWORD*) d)) && (RtlEqualMemory((s), (d), (l))))
//
// Compares a given sids with a well known constant PrincipalSelfSid.
//
#define AUTHZ_IS_PRINCIPAL_SELF_SID(s) (RtlEqualMemory(pAuthzPrincipalSelfSid, (s), 12))
//
// The client context is restricted if the restricted sid and attribute array is
// present.
//
#define AUTHZ_TOKEN_RESTRICTED(t) (NULL != (t)->RestrictedSids)
//
// Two privileges are inportant for access check:
// SeSecurityPrivilege
// SeTakeOwnershipPrivilege
// Both these are detected at the time of client context capture from token
// and stored in the flags.
//
#define AUTHZ_PRIVILEGE_CHECK(t, f) (FLAG_ON((t)->Flags, (f)))
//
// Flags in the cached handle.
//
#define AUTHZ_DENY_ACE_PRESENT 0x00000001
#define AUTHZ_PRINCIPAL_SELF_ACE_PRESENT 0x00000002
#define AUTHZ_DYNAMIC_ALLOW_ACE_PRESENT 0x00000004
#define AUTHZ_DYNAMIC_DENY_ACE_PRESENT 0x00000008
#define AUTHZ_DYNAMIC_EVALUATION_PRESENT (AUTHZ_PRINCIPAL_SELF_ACE_PRESENT | \
AUTHZ_DYNAMIC_ALLOW_ACE_PRESENT | \ AUTHZ_DYNAMIC_DENY_ACE_PRESENT)
//
// There are only two valid attributes from access check point of view
// SE_GROUP_ENABLED
// SE_GROUP_USE_FOR_DENY_ONLY
//
#define AUTHZ_VALID_SID_ATTRIBUTES (SE_GROUP_ENABLED | SE_GROUP_USE_FOR_DENY_ONLY)
#ifdef FLAG_ON
#undef FLAG_ON
#endif
#define FLAG_ON(f, b) (0 != ((f) & (b)))
#ifdef AUTHZ_NON_NULL_PTR
#undef AUTHZ_NON_NULL_PTR
#endif
#define AUTHZ_NON_NULL_PTR(f) (NULL != (f))
//
// If the pointer is not null then free it. This will save us a function call in
// cases when the pointer is null. Note that LocalFree would also take care null
// pointer being freed.
//
#define AuthzpFreeNonNull(p) if (NULL != (p)) { AuthzpFree((p)); }
//
// Check to see if the memory allocation failed.
//
#define AUTHZ_ALLOCATION_FAILED(p) (NULL == (p))
//
// Macros to traverse the acl.
// The first one gets the first ace in a given acl.
// The second one gives the next ace given the current one.
//
#define FirstAce(Acl) ((PVOID)((PUCHAR)(Acl) + sizeof(ACL)))
#define NextAce(Ace) ((PVOID)((PUCHAR)(Ace) + ((PACE_HEADER)(Ace))->AceSize))
//
// These do not need to be defined now since the decision was to put the burden
// on the resource managers. There are disadvantages of making it thread safe.
// Our choices are:
// 1. Have exactly one lock in authz.dll and suffer heavy contention.
// 2. Define one lock per client context which might be too expensive in
// cases where the clients are too many.
// 3. Let the resource manager decide whether they need locking - unlikely
// that locks are needed since it is wrong design on part of the RM to
// have one thread that changes the client context while the other one
// is doing an access check.
//
#define AuthzpAcquireClientContextWriteLock(c)
#define AuthzpAcquireClientContextReadLock(c)
#define AuthzpReleaseClientContextLock(c)
#define AuthzpAcquireClientCacheWriteLock(c)
#define AuthzpReleaseClientCacheLock(c)
#define AuthzpZeroMemory(p, s) RtlZeroMemory((p), (s))
#define AuthzObjectAceSid(Ace) \
((PSID)(((PUCHAR)&(((PKNOWN_OBJECT_ACE)(Ace))->SidStart)) + \ (RtlObjectAceObjectTypePresent(Ace) ? sizeof(GUID) : 0 ) + \ (RtlObjectAceInheritedObjectTypePresent(Ace) ? sizeof(GUID) : 0 )))
#define AuthzAceSid(Ace) ((PSID)&((PKNOWN_ACE)Ace)->SidStart)
#define AuthzCallbackAceSid(Ace) AuthzAceSid(Ace)
#define AuthzCallbackObjectAceSid(Ace) AuthzObjectAceSid(Ace)
//
// Internal structure of the object type list.
//
// Level - Level of the element in the tree. The level of the root is 0.
// Flags - To be used for auditing. The valid ones are
// AUTHZ_OBJECT_SUCCESS_AUDIT
// AUTHZ_OBJECT_FAILURE_AUDIT
// ObjectType - Pointer to the guid for this element.
// ParentIndex - The index of the parent of this element in the array. The
// parent index for the root is -1.
// Remaining - Remaining access bits for this element, used during normal access
// check algorithm.
// CurrentGranted - Granted access bits so far for this element, used during
// maximum allowed access check.
// CurrentDenied - Explicitly denied access bits for this element, used during
// maximum allowed access check.
//
typedef struct _IOBJECT_TYPE_LIST { USHORT Level; USHORT Flags;#define AUTHZ_OBJECT_SUCCESS_AUDIT 0x1
#define AUTHZ_OBJECT_FAILURE_AUDIT 0x2
GUID ObjectType; LONG ParentIndex; ACCESS_MASK Remaining; ACCESS_MASK CurrentGranted; ACCESS_MASK CurrentDenied;} IOBJECT_TYPE_LIST, *PIOBJECT_TYPE_LIST;
typedef struct _AUTHZI_AUDIT_QUEUE{ //
// Flags defined in authz.h
//
DWORD Flags;
//
// High and low marks for the auditing queue
//
DWORD dwAuditQueueHigh; DWORD dwAuditQueueLow;
//
// CS for locking the audit queue
//
RTL_CRITICAL_SECTION AuthzAuditQueueLock; //
// The audit queue and length.
//
LIST_ENTRY AuthzAuditQueue; ULONG AuthzAuditQueueLength;
//
// Handle to the thread that maintains the audit queue.
//
HANDLE hAuthzAuditThread;
//
// This event signals that an audit was placed on the queue.
//
HANDLE hAuthzAuditAddedEvent;
//
// This event signals that the queue is empty. Initially signalled.
//
HANDLE hAuthzAuditQueueEmptyEvent;
//
// This boolean indicates that the queue size has reached the RM-specified high water mark.
//
BOOL bAuthzAuditQueueHighEvent;
//
// This event signals that the queue size is at or below the RM-specified low water mark.
//
HANDLE hAuthzAuditQueueLowEvent;
//
// This boolean is set to TRUE during the life of the resource manager. When it turns to FALSE, the
// dequeue thread knows that it should exit.
//
BOOL bWorker;
} AUTHZI_AUDIT_QUEUE, *PAUTHZI_AUDIT_QUEUE;
typedef struct _AUTHZI_RESOURCE_MANAGER{ //
// No valid flags have been defined yet.
//
DWORD Flags;
//
// Callback function registered by AuthzRegisterRMAccessCheckCallback, to be
// used to interpret callback aces. If no such function is registered by the
// RM then the default behavior is to return TRUE for a deny ACE, FALSE for
// a grant ACE.
//
PFN_AUTHZ_DYNAMIC_ACCESS_CHECK pfnDynamicAccessCheck;
//
// Callback function registered by AuthzRegisterDynamicGroupsCallback, to be
// used to compute groups to be added to the client context. If no such
// function is registered by the RM then the default behavior is to return
// no groups.
//
PFN_AUTHZ_COMPUTE_DYNAMIC_GROUPS pfnComputeDynamicGroups;
//
// Callback function registered by AuthzRegisterDynamicGroupsCallback, to be
// used to free memory allocated by ComputeDynamicGroupsFn.
//
PFN_AUTHZ_FREE_DYNAMIC_GROUPS pfnFreeDynamicGroups;
//
// String name of resource manager. Appears in audits.
//
PWSTR szResourceManagerName;
//
// The user SID and Authentication ID of the RM process
//
PSID pUserSID; LUID AuthID;
//
// Default queue and audit events for the RM
//
#define AUTHZP_DEFAULT_RM_EVENTS 0x2
AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAET; AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAETDS;
AUTHZ_AUDIT_QUEUE_HANDLE hAuditQueue;
} AUTHZI_RESOURCE_MANAGER, *PAUTHZI_RESOURCE_MANAGER;
typedef struct _AUTHZI_CLIENT_CONTEXT AUTHZI_CLIENT_CONTEXT, *PAUTHZI_CLIENT_CONTEXT;typedef struct _AUTHZI_HANDLE AUTHZI_HANDLE, *PAUTHZI_HANDLE;
//
// The authz code inserts two parmeters in the AUDIT_PARAM array
// before the user supplied parameters. The two parameters are:
// -- SID of the client context
// -- sub-system name (this is same as the RM name)
//
// To account for these two parameters, the authz code adds the following
// offset to variables that hold parameter count.
//
#define AUTHZP_NUM_FIXED_HEADER_PARAMS 2
//
// number of parameters in SE_AUDITID_OBJECT_OPERATION
//
#define AUTHZP_NUM_PARAMS_FOR_SE_AUDITID_OBJECT_OPERATION 12
//
// the number of sids that we hash is equal to
// the number of bits in AUTHZI_SID_HASH_ENTRY
//
#ifdef _WIN64_
typedef ULONGLONG AUTHZI_SID_HASH_ENTRY, *PAUTHZI_SID_HASH_ENTRY;#else
typedef DWORD AUTHZI_SID_HASH_ENTRY, *PAUTHZI_SID_HASH_ENTRY;#endif
#define AUTHZI_SID_HASH_ENTRY_NUM_BITS (8*sizeof(AUTHZI_SID_HASH_ENTRY))
//
// the hash size is not related to the number of bits. it is the size
// required to hold two 16 element arrays
//
#define AUTHZI_SID_HASH_SIZE 32
struct _AUTHZI_CLIENT_CONTEXT{
//
// The client context structure is recursive to support delegated clients.
// Not in the picture yet though.
//
PAUTHZI_CLIENT_CONTEXT Server;
//
// Context will always be created with Revision of AUTHZ_CURRENT_CONTEXT_REVISION.
//
#define AUTHZ_CURRENT_CONTEXT_REVISION 1
DWORD Revision;
//
// Resource manager supplied identifier. We do not ever use this.
//
LUID Identifier;
//
// AuthenticationId captured from the token of the client. Needed for
// auditing.
//
LUID AuthenticationId;
//
// Token expiration time. This one will be checked at the time of access check against
// the current time.
//
LARGE_INTEGER ExpirationTime;
//
// Internal flags for the token.
//
#define AUTHZ_TAKE_OWNERSHIP_PRIVILEGE_ENABLED 0x00000001
#define AUTHZ_SECURITY_PRIVILEGE_ENABLED 0x00000002
DWORD Flags;
//
// Sids used for normal access checks.
//
DWORD SidCount; DWORD SidLength; PSID_AND_ATTRIBUTES Sids; AUTHZI_SID_HASH_ENTRY SidHash[AUTHZI_SID_HASH_SIZE];
//
// Sids used if the token is resticted. These will usually be 0 and NULL respectively.
//
DWORD RestrictedSidCount; DWORD RestrictedSidLength; PSID_AND_ATTRIBUTES RestrictedSids;
AUTHZI_SID_HASH_ENTRY RestrictedSidHash[AUTHZI_SID_HASH_SIZE]; //
// Privileges used in access checks. Relevant ones are:
// 1. SeSecurityPrivilege
// 2. SeTakeOwnershipPrivilege
// If there are no privileges associated with the client context then the PrivilegeCount = 0
// and Privileges = NULL
//
DWORD PrivilegeCount; DWORD PrivilegeLength; PLUID_AND_ATTRIBUTES Privileges;
//
// Handles open for this client. When the client context is destroyed all the handles are
// cleaned up.
//
PAUTHZI_HANDLE AuthzHandleHead;
//
// Pointer to the resource manager, needed to retrieve static auditing information.
//
PAUTHZI_RESOURCE_MANAGER pResourceManager;
};
struct _AUTHZI_HANDLE{ //
// Pointers to the next handle maintained by the AuthzClientContext object.
//
PAUTHZI_HANDLE next;
//
// Pointer to the security descriptors provided by the RM at the time of first access
// check call. We do not make a copy of the security descriptors. The assumption
// is that the SDs will be valid at least as long as the the handle is open.
//
PSECURITY_DESCRIPTOR pSecurityDescriptor; PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray; DWORD OptionalSecurityDescriptorCount;
//
// Flags for internal usage only.
//
DWORD Flags;
//
// Back pointer to the client context that created this handle, required if the static
// access granted is insufficient and access check needs to be performed again.
//
PAUTHZI_CLIENT_CONTEXT pAuthzClientContext;
//
// Results of the maximum allowed static access.
//
DWORD ResultListLength; ACCESS_MASK GrantedAccessMask[ANYSIZE_ARRAY];};
//
// This structure stores per access audit information. The structure
// is opaque and initialized with AuthzInitAuditInfo
//
typedef struct _AUTHZI_AUDIT_EVENT{
//
// size of allocated blob for this structure
//
DWORD dwSize;
//
// Flags are specified in authz.h, and this single private flag for DS callers.
//
DWORD Flags;
//
// AuditParams used for audit if available. If no AuditParams is available
// and the audit id is SE_AUDITID_OBJECT_OPERATION then Authz will construct a
// suitable structure.
//
PAUDIT_PARAMS pAuditParams;
//
// Structure defining the Audit Event category and id
//
AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAET; //
// millisecond timeout value
//
DWORD dwTimeOut;
//
// RM specified strings describing this event.
//
PWSTR szOperationType; PWSTR szObjectType; PWSTR szObjectName; PWSTR szAdditionalInfo; PWSTR szAdditionalInfo2;
AUTHZ_AUDIT_QUEUE_HANDLE hAuditQueue;
} AUTHZI_AUDIT_EVENT, *PAUTHZI_AUDIT_EVENT;
//
// structure to maintain queue of audits to be sent to LSA
//
typedef struct _AUTHZ_AUDIT_QUEUE_ENTRY{ LIST_ENTRY list; PAUTHZ_AUDIT_EVENT_TYPE_OLD pAAETO; DWORD Flags; AUDIT_PARAMS * pAuditParams; PVOID pReserved;} AUTHZ_AUDIT_QUEUE_ENTRY, *PAUTHZ_AUDIT_QUEUE_ENTRY;
//
// Enumeration type to be used to specify what type of coloring should be
// passed on to the rest of the tree starting at a given node.
// Deny gets propagted down the entire subtree as well as to all the
// ancestors (but NOT to siblings and below)
// Grants get propagated down the subtree. When a grant exists on all the
// siblings the parent automatically gets it.
// Remaining is propagated downwards. The remaining on the parent is a
// logical OR of the remaining bits on all the children.
//
typedef enum { AuthzUpdateRemaining = 1, AuthzUpdateCurrentGranted, AuthzUpdateCurrentDenied} ACCESS_MASK_FIELD_TO_UPDATE;
//
// Enumeration type to be used to specify the kind of well known sid for context
// changes. We are not going to support these unless we get a requirement.
//
typedef enum _AUTHZ_WELL_KNOWN_SID_TYPE{ AuthzWorldSid = 1, AuthzUserSid, AuthzAdminSid, AuthzDomainAdminSid, AuthzAuthenticatedUsersSid, AuthzSystemSid} AUTHZ_WELL_KNOWN_SID_TYPE;
BOOLAuthzpVerifyAccessCheckArguments( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN OUT PAUTHZ_ACCESS_REPLY pReply, IN OUT PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults OPTIONAL );
BOOLAuthzpVerifyOpenObjectArguments( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN PAUTHZI_AUDIT_EVENT pAuditEvent );
BOOLAuthzpCaptureObjectTypeList( IN POBJECT_TYPE_LIST ObjectTypeList, IN DWORD ObjectTypeLocalTypeListLength, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL );
VOIDAuthzpFillReplyStructure( IN OUT PAUTHZ_ACCESS_REPLY pReply, IN DWORD Error, IN ACCESS_MASK GrantedAccess );
BOOLAuthzpMaximumAllowedAccessCheck( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL, IN DWORD LocalTypeListLength, IN BOOL ObjectTypeListPresent, OUT PDWORD pCachingFlags );
BOOLAuthzpMaximumAllowedMultipleSDAccessCheck( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL, IN DWORD LocalTypeListLength, IN BOOL ObjectTypeListPresent, IN BOOL Restricted, OUT PDWORD pCachingFlags );
BOOLAuthzpMaximumAllowedSingleAclAccessCheck( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PSID_AND_ATTRIBUTES pSidAttr, IN DWORD SidCount, IN PAUTHZI_SID_HASH_ENTRY pHash, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PACL pAcl, IN PSID pOwnerSid, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL, IN DWORD LocalTypeListLength, IN BOOL ObjectTypeListPresent, OUT PDWORD pCachingFlags );
BOOLAuthzpSidApplicable( IN DWORD SidCount, IN PSID_AND_ATTRIBUTES pSidAttr, IN PAUTHZI_SID_HASH_ENTRY pHash, IN PSID pSid, IN PSID PrincipalSelfSid, IN PSID CreatorOwnerSid, IN BOOL DenyAce, OUT PDWORD pCachingFlags );
BOOLAuthzpAccessCheckWithCaching( IN DWORD Flags, IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN OUT PAUTHZ_ACCESS_REPLY pReply, OUT PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults OPTIONAL, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL, IN DWORD LocalTypeListLength );
BOOLAuthzpNormalAccessCheckWithoutCaching( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN OUT PAUTHZ_ACCESS_REPLY pReply, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN DWORD LocalTypeListLength );
BOOLAuthzpNormalMultipleSDAccessCheck( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PSID_AND_ATTRIBUTES pSidAttr, IN DWORD SidCount, IN PAUTHZI_SID_HASH_ENTRY pSidHash, IN ACCESS_MASK Remaining, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN DWORD LocalTypeListLength );
BOOLAuthzpOwnerSidInClientContext( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PISECURITY_DESCRIPTOR pSecurityDescriptor );
BOOLAuthzpNormalAccessCheck( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PSID_AND_ATTRIBUTES pSidAttr, IN DWORD SidCount, IN PAUTHZI_SID_HASH_ENTRY pSidHash, IN ACCESS_MASK Remaining, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PACL pAcl, IN PSID pOwnerSid, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN DWORD LocalTypeListLength );
BOOLAuthzpQuickMaximumAllowedAccessCheck( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZI_HANDLE pAH, IN PAUTHZ_ACCESS_REQUEST pRequest, IN OUT PAUTHZ_ACCESS_REPLY pReply, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN DWORD LocalTypeListLength );
BOOLAuthzpQuickNormalAccessCheck( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZI_HANDLE pAH, IN PAUTHZ_ACCESS_REQUEST pRequest, IN OUT PAUTHZ_ACCESS_REPLY pReply, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN DWORD LocalTypeListLength );
BOOLAuthzpAllowOnlyNormalMultipleSDAccessCheck( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PSID_AND_ATTRIBUTES pSidAttr, IN DWORD SidCount, IN PAUTHZI_SID_HASH_ENTRY pSidHash, IN ACCESS_MASK Remaining, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN DWORD LocalTypeListLength );
BOOLAuthzpAllowOnlyNormalSingleAclAccessCheck( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PSID_AND_ATTRIBUTES pSidAttr, IN DWORD SidCount, IN PAUTHZI_SID_HASH_ENTRY pSidHash, IN ACCESS_MASK Remaining, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PACL pAcl, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN DWORD LocalTypeListLength );
BOOLAuthzpAllowOnlySidApplicable( IN DWORD SidCount, IN PSID_AND_ATTRIBUTES pSidAttr, IN PAUTHZI_SID_HASH_ENTRY pSidHash, IN PSID pSid );
VOIDAuthzpAddAccessTypeList ( IN PIOBJECT_TYPE_LIST ObjectTypeList, IN DWORD ObjectTypeListLength, IN DWORD StartIndex, IN ACCESS_MASK AccessMask, IN ACCESS_MASK_FIELD_TO_UPDATE FieldToUpdate );
BOOLAuthzpObjectInTypeList ( IN GUID *ObjectType, IN PIOBJECT_TYPE_LIST ObjectTypeList, IN DWORD ObjectTypeListLength, OUT PDWORD ReturnedIndex );
BOOLAuthzpCacheResults( IN DWORD Flags, IN PAUTHZI_CLIENT_CONTEXT pCC, IN PIOBJECT_TYPE_LIST LocalCachingTypeList, IN DWORD LocalTypeListLength, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN DWORD CachingFlags, IN PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults );
BOOLAuthzpVerifyCachedAccessCheckArguments( IN PAUTHZI_HANDLE pAH, IN PAUTHZ_ACCESS_REQUEST pRequest, IN OUT PAUTHZ_ACCESS_REPLY pReply );
BOOLAuthzpAllowOnlyMaximumAllowedMultipleSDAccessCheck( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN DWORD LocalTypeListLength, IN BOOL ObjectTypeListPresent, IN BOOL Restricted );
BOOLAuthzpAllowOnlyMaximumAllowedSingleAclAccessCheck( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PSID_AND_ATTRIBUTES pSidAttr, IN DWORD SidCount, IN PAUTHZI_SID_HASH_ENTRY pSidHash, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PACL pAcl, IN PSID pOwnerSid, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN DWORD LocalTypeListLength, IN BOOL ObjectTypeListPresent );
VOIDAuthzpAddAccessTypeList ( IN OUT PIOBJECT_TYPE_LIST ObjectTypeList, IN DWORD ObjectTypeListLength, IN DWORD StartIndex, IN ACCESS_MASK AccessMask, IN ACCESS_MASK_FIELD_TO_UPDATE FieldToUpdate );
VOIDAuthzpUpdateParentTypeList( IN OUT PIOBJECT_TYPE_LIST ObjectTypeList, IN DWORD ObjectTypeListLength, IN DWORD StartIndex );
BOOLAuthzpObjectInTypeList ( IN GUID *ObjectType, IN PIOBJECT_TYPE_LIST ObjectTypeList, IN DWORD ObjectTypeListLength, OUT PDWORD ReturnedIndex );
BOOLAuthzpGenerateAudit( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PAUTHZI_AUDIT_EVENT pAuditEvent, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN OUT PAUTHZ_ACCESS_REPLY pReply, IN OUT PIOBJECT_TYPE_LIST LocalTypeList );
BOOLAuthzpCopySidsAndAttributes( IN OUT PSID_AND_ATTRIBUTES DestSidAttr, IN PSID_AND_ATTRIBUTES SidAttr1, IN DWORD Count1, IN PSID_AND_ATTRIBUTES SidAttr2, IN DWORD Count2 );
VOIDAuthzpCopyLuidAndAttributes( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PLUID_AND_ATTRIBUTES Source, IN DWORD Count, IN OUT PLUID_AND_ATTRIBUTES Destination );
BOOLAuthzpDefaultAccessCheck( IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext, IN PACE_HEADER pAce, IN PVOID pArgs OPTIONAL, IN OUT PBOOL pbAceApplicable );
VOIDAuthzPrintContext( IN PAUTHZI_CLIENT_CONTEXT pCC );
VOIDAuthzpFillReplyFromParameters( IN PAUTHZ_ACCESS_REQUEST pRequest, IN OUT PAUTHZ_ACCESS_REPLY pReply, IN PIOBJECT_TYPE_LIST LocalTypeList );
BOOLAuthzpGetAllGroupsBySid( IN PSID pUserSid, IN DWORD Flags, OUT PSID_AND_ATTRIBUTES *ppSidAttr, OUT PDWORD pSidCount, OUT PDWORD pSidLength );
BOOLAuthzpGetAllGroupsByName( IN PUNICODE_STRING pusUserName, IN PUNICODE_STRING pusDomainName, IN DWORD Flags, OUT PSID_AND_ATTRIBUTES *ppSidAttr, OUT PDWORD pSidCount, OUT PDWORD pSidLength );
BOOLAuthzpAllocateAndInitializeClientContext( OUT PAUTHZI_CLIENT_CONTEXT *ppCC, IN PAUTHZI_CLIENT_CONTEXT Server, IN DWORD Revision, IN LUID Identifier, IN LARGE_INTEGER ExpirationTime, IN DWORD Flags, IN DWORD SidCount, IN DWORD SidLength, IN PSID_AND_ATTRIBUTES Sids, IN DWORD RestrictedSidCount, IN DWORD RestrictedSidLength, IN PSID_AND_ATTRIBUTES RestrictedSids, IN DWORD PrivilegeCount, IN DWORD PrivilegeLength, IN PLUID_AND_ATTRIBUTES Privileges, IN LUID AuthenticationId, IN PAUTHZI_HANDLE AuthzHandleHead, IN PAUTHZI_RESOURCE_MANAGER pRM );
BOOLAuthzpAddDynamicSidsToToken( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZI_RESOURCE_MANAGER pRM, IN PVOID DynamicGroupsArgs, IN PSID_AND_ATTRIBUTES Sids, IN DWORD SidLength, IN DWORD SidCount, IN PSID_AND_ATTRIBUTES RestrictedSids, IN DWORD RestrictedSidLength, IN DWORD RestrictedSidCount, IN PLUID_AND_ATTRIBUTES Privileges, IN DWORD PrivilegeLength, IN DWORD PrivilegeCount, IN BOOL bAllocated );
BOOLAuthzpExamineSingleSacl( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZ_ACCESS_REQUEST pRequest, IN ACCESS_MASK AccessMask, IN PACL pAcl, IN PSID pOwnerSid, IN UCHAR AuditMaskType, IN BOOL bMaximumFailed, OUT PAUTHZ_ACCESS_REPLY pReply, OUT PBOOL pbGenerateAudit );
BOOLAuthzpExamineSacl( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN PAUTHZ_ACCESS_REPLY pReply, OUT PBOOL pbGenerateAudit );
BOOLAuthzpExamineSaclForObjectTypeList( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PSECURITY_DESCRIPTOR pSecurityDescriptor, IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL, IN DWORD OptionalSecurityDescriptorCount, IN OUT PAUTHZ_ACCESS_REPLY pReply, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, OUT PBOOL pbGenerateSuccessAudit, OUT PBOOL pbGenerateFailureAudit );
BOOLAuthzpExamineSingleSaclForObjectTypeList( IN PAUTHZI_CLIENT_CONTEXT pCC, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PACL pAcl, IN PSID pOwnerSid, IN PAUTHZ_ACCESS_REPLY pReply, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, OUT PBOOL pbGenerateSuccessAudit, OUT PBOOL pbGenerateFailureAudit );
VOIDAuthzpSetAuditInfoForObjectType( IN PAUTHZ_ACCESS_REPLY pReply, IN OUT PIOBJECT_TYPE_LIST LocalTypeList, IN DWORD StartIndex, IN ACCESS_MASK AceAccessMask, IN ACCESS_MASK DesiredAccessMask, IN UCHAR AceFlags, OUT PBOOL pbGenerateSuccessAudit, OUT PBOOL pbGenerateFailureAudit );
BOOLAuthzpCreateAndLogAudit( IN DWORD AuditTypeFlag, IN PAUTHZI_CLIENT_CONTEXT pAuthzClientContext, IN PAUTHZI_AUDIT_EVENT pAuditEvent, IN PAUTHZI_RESOURCE_MANAGER pRM, IN PIOBJECT_TYPE_LIST LocalTypeList, IN PAUTHZ_ACCESS_REQUEST pRequest, IN PAUTHZ_ACCESS_REPLY pReply );
VOIDAuthzpFillReplyStructureFromCachedGrantedAccessMask( IN OUT PAUTHZ_ACCESS_REPLY pReply, IN ACCESS_MASK DesiredAccess, IN PACCESS_MASK GrantedAccessMask );
BOOLAuthzpSendAuditToLsa( IN AUDIT_HANDLE hAuditContext, IN DWORD Flags, IN PAUDIT_PARAMS pAuditParams, IN PVOID Reserved );
BOOLAuthzpEnQueueAuditEvent( PAUTHZI_AUDIT_QUEUE pQueue, PAUTHZ_AUDIT_QUEUE_ENTRY pAudit );
BOOLAuthzpEnQueueAuditEventMonitor( PAUTHZI_AUDIT_QUEUE pQueue, PAUTHZ_AUDIT_QUEUE_ENTRY pAudit );
BOOLAuthzpMarshallAuditParams( OUT PAUDIT_PARAMS * ppMarshalledAuditParams, IN PAUDIT_PARAMS pAuditParams );
ULONGAuthzpDeQueueThreadWorker( LPVOID lpParameter );
#define AUTHZ_SID_HASH_LOW_MASK 0xf
#define AUTHZ_SID_HASH_HIGH_MASK 0xf0
#define AUTHZ_SID_HASH_HIGH 16
#define AUTHZ_SID_HASH_LOOKUP(table, byte) (((table)[(byte) & 0xf]) & ((table)[AUTHZ_SID_HASH_HIGH + (((byte) & 0xf0) >> 4)]))
VOIDAuthzpInitSidHash( IN PSID_AND_ATTRIBUTES pSidAttr, IN ULONG SidCount, OUT PAUTHZI_SID_HASH_ENTRY pHash );
BOOLAuthzpGetThreadTokenInfo( OUT PSID* pUserSid, OUT PLUID pAuthenticationId );
BOOLAuthzpGetProcessTokenInfo( OUT PSID* ppUserSid, OUT PLUID pAuthenticationId );
VOIDAuthzpReferenceAuditEventType( IN AUTHZ_AUDIT_EVENT_TYPE_HANDLE );BOOLAuthzpDereferenceAuditEventType( IN OUT AUTHZ_AUDIT_EVENT_TYPE_HANDLE );
BOOLAuthzpEveryoneIncludesAnonymous( );
BOOLAuthzpComputeSkipFlagsForWellKnownSid( IN PSID UserSid, OUT PDWORD Flags );
BOOLAuthzpConstructPolicyPerUserAuditing( IN ULONGLONG RawPolicy, OUT PTOKEN_AUDIT_POLICY pTokenPolicy, IN OUT PULONG TokenPolicyLength );
BOOLAuthzpConstructRegistryPolicyPerUserAuditing( IN PTOKEN_AUDIT_POLICY pPolicy, OUT PULONGLONG pRegPolicy );
#define AUTHZP_INIT_PARAMS_SKIP_HEADER 0x2
#define AUTHZP_INIT_PARAMS_SOURCE_INFO 0x4
#define AUTHZP_INIT_PARAMS_SOURCE_DS 0x8
#define AUTHZP_PARAM_FREE_SID 0x80000000
AUTHZAPI BOOLWINAPIAuthzpInitializeAuditParamsV( IN DWORD dwFlags, OUT PAUDIT_PARAMS pParams, IN OUT PSID* ppUserSid, IN PCWSTR SubsystemName, IN USHORT AuditId, IN USHORT NumParams, IN va_list arglist );
BOOLAuthzpRegisterAuditEvent( IN PAUTHZ_AUDIT_EVENT_TYPE_OLD pAuditEventType, OUT PAUDIT_HANDLE phAuditContext );
BOOLAuthzpUnregisterAuditEvent( IN OUT AUDIT_HANDLE* phAuditContext );
#endif
|
