archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/security/winsafer/safelog.c

311 lines
9.3 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1997-2000 Microsoft Corporation
  5. Module Name:
  7. safelog.c (SAFER Event Logging)
  9. Abstract:
  11. This module implements the internal WinSAFER APIs to write eventlog
  12. messages. All of our message strings are defined in ntstatus.mc
  13. and are physically located within ntdll.dll file.
  15. Currently we are just reusing the previously existing event source
  16. called "Application Popup", which already happens to use ntdll.dll
  17. as its message resource library. Events of this source always go
  18. into the "System Log".
  20. Author:
  22. Jeffrey Lawson (JLawson) - Apr 1999
  24. Environment:
  26. User mode only.
  28. Exported Functions:
  30. SaferRecordEventLogEntry
  32. Revision History:
  34. Created - Nov 2000
  36. --*/
  38. #include "pch.h"
  39. #pragma hdrstop
  40. #include <winsafer.h>
  41. #include <winsaferp.h>
  42. #include "saferp.h"
  47. const static GUID guidTrustedCert = SAFER_GUID_RESULT_TRUSTED_CERT;
  48. const static GUID guidDefaultRule = SAFER_GUID_RESULT_DEFAULT_LEVEL;
  52. BOOL WINAPI
  53. SaferpRecordEventLogEntryHelper(
  54. IN NTSTATUS LogStatusCode,
  55. IN LPCWSTR szTargetPath,
  56. IN REFGUID refRuleGuid,
  57. IN LPCWSTR szRulePath
  58. )
  59. {
  60. NTSTATUS Status = STATUS_UNSUCCESSFUL;
  61. WORD wNumStrings = 0;
  62. LPWSTR lpszStrings[5];
  63. HANDLE hEventSource;
  64. UNICODE_STRING UnicodeGuid;
  65. BYTE LocalBuffer[SECURITY_MAX_SID_SIZE + sizeof(TOKEN_USER)];
  66. PSID pSid = NULL;
  67. HANDLE hToken = NULL;
  68. DWORD Ignore = 0;
  70. //
  71. // Open the effective token on the thead and get the token user. On any
  72. // intermediate failure in this operation, we still dump the event to the
  73. // event log, without the user sid information.
  74. //
  76. //
  77. // Get the effective token on the thread.
  78. //
  80. Status = NtOpenThreadToken(
  81. NtCurrentThread(),
  82. TOKEN_QUERY,
  83. TRUE,
  84. &hToken);
  86. //
  87. // If the thread is not impersonating, get the process token.
  88. //
  90. if (Status == STATUS_NO_TOKEN) {
  91. Status = NtOpenProcessToken(
  92. NtCurrentProcess(),
  93. TOKEN_QUERY,
  94. &hToken);
  95. }
  97. if (NT_SUCCESS(Status)) {
  99. //
  100. // Get the User Sid.
  101. //
  103. Status = NtQueryInformationToken (
  104. hToken,
  105. TokenUser,
  106. LocalBuffer,
  107. sizeof(LocalBuffer),
  108. &Ignore);
  110. NtClose(hToken);
  112. if (NT_SUCCESS(Status)) {
  114. //
  115. // We have successfully computed who the user is. This is good.
  116. //
  118. pSid = (PSID) (((PTOKEN_USER) LocalBuffer)->User.Sid);
  119. }
  120. }
  122. hEventSource = RegisterEventSourceW(NULL, L"Software Restriction Policy");
  124. if (hEventSource != NULL) {
  126. Status = STATUS_SUCCESS;
  127. RtlInitEmptyUnicodeString(&UnicodeGuid, NULL, 0);
  129. switch (LogStatusCode)
  130. {
  131. case STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT:
  132. if (!ARGUMENT_PRESENT(szTargetPath)) {
  133. Status = STATUS_INVALID_PARAMETER;
  134. break;
  135. }
  136. lpszStrings[0] = (LPWSTR) szTargetPath;
  137. wNumStrings = 1;
  138. break;
  140. case STATUS_ACCESS_DISABLED_BY_POLICY_OTHER:
  141. if (!ARGUMENT_PRESENT(szTargetPath) ||
  142. !ARGUMENT_PRESENT(refRuleGuid)) {
  143. Status = STATUS_INVALID_PARAMETER;
  144. break;
  145. }
  147. Status = RtlStringFromGUID(refRuleGuid, &UnicodeGuid);
  148. if (NT_SUCCESS(Status)) {
  149. ASSERT(UnicodeGuid.Buffer != NULL);
  150. lpszStrings[0] = (LPWSTR) szTargetPath;
  151. lpszStrings[1] = UnicodeGuid.Buffer;
  152. wNumStrings = 2;
  153. }
  154. break;
  156. case STATUS_ACCESS_DISABLED_BY_POLICY_PUBLISHER:
  157. if (!ARGUMENT_PRESENT(szTargetPath)) {
  158. Status = STATUS_INVALID_PARAMETER;
  159. break;
  160. }
  161. lpszStrings[0] = (LPWSTR) szTargetPath;
  162. wNumStrings = 1;
  163. break;
  165. case STATUS_ACCESS_DISABLED_BY_POLICY_PATH:
  166. if (!ARGUMENT_PRESENT(szTargetPath) ||
  167. !ARGUMENT_PRESENT(refRuleGuid) ||
  168. !ARGUMENT_PRESENT(szRulePath)) {
  169. Status = STATUS_INVALID_PARAMETER;
  170. break;
  171. }
  172. Status = RtlStringFromGUID(refRuleGuid, &UnicodeGuid);
  173. if (NT_SUCCESS(Status)) {
  174. ASSERT(UnicodeGuid.Buffer != NULL);
  175. lpszStrings[0] = (LPWSTR) szTargetPath;
  176. lpszStrings[1] = UnicodeGuid.Buffer;
  177. lpszStrings[2] = (LPWSTR) szRulePath;
  178. wNumStrings = 3;
  179. }
  180. break;
  182. default:
  183. Status = STATUS_INVALID_PARAMETER;
  184. }
  186. if (NT_SUCCESS(Status)) {
  187. ReportEventW(
  188. hEventSource, // handle to event log
  189. EVENTLOG_WARNING_TYPE, // event type
  190. 0, // event category
  191. LogStatusCode, // event ID
  192. pSid, // current user's SID
  193. wNumStrings, // strings in lpszStrings
  194. 0, // no bytes of raw data
  195. lpszStrings, // array of error strings
  196. NULL); // no raw data
  197. }
  199. DeregisterEventSource(hEventSource);
  201. if (UnicodeGuid.Buffer != NULL) {
  202. RtlFreeUnicodeString(&UnicodeGuid);
  203. }
  204. }
  206. if (NT_SUCCESS(Status)) {
  207. return TRUE;
  208. } else {
  209. return FALSE;
  210. }
  211. }
  215. BOOL WINAPI
  216. SaferRecordEventLogEntry(
  217. IN SAFER_LEVEL_HANDLE hAuthzLevel,
  218. IN LPCWSTR szTargetPath,
  219. IN LPVOID lpReserved
  220. )
  221. {
  222. PSAFER_IDENTIFICATION_HEADER pIdentCommon;
  223. DWORD dwIdentBufferSize;
  224. BOOL bResult;
  227. //
  228. // Allocate enough memory for the largest structure we can expect
  229. // and then query the information about the identifier that matched.
  230. //
  231. dwIdentBufferSize = max(sizeof(SAFER_HASH_IDENTIFICATION),
  232. sizeof(SAFER_PATHNAME_IDENTIFICATION));
  233. pIdentCommon = (PSAFER_IDENTIFICATION_HEADER)
  234. HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwIdentBufferSize);
  235. if (!pIdentCommon) {
  236. return FALSE;
  237. }
  238. pIdentCommon->cbStructSize = sizeof(SAFER_IDENTIFICATION_HEADER);
  239. if (!SaferGetLevelInformation(
  240. hAuthzLevel,
  241. SaferObjectSingleIdentification,
  242. pIdentCommon,
  243. dwIdentBufferSize,
  244. &dwIdentBufferSize)) {
  246. if (GetLastError() == ERROR_NOT_ENOUGH_MEMORY) {
  248. HeapFree(GetProcessHeap(), 0, pIdentCommon);
  249. pIdentCommon = (PSAFER_IDENTIFICATION_HEADER)
  250. HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwIdentBufferSize);
  251. if (!pIdentCommon) {
  252. return FALSE;
  253. }
  254. pIdentCommon->cbStructSize = sizeof(SAFER_IDENTIFICATION_HEADER);
  255. if (!SaferGetLevelInformation(
  256. hAuthzLevel,
  257. SaferObjectSingleIdentification,
  258. pIdentCommon,
  259. dwIdentBufferSize,
  260. &dwIdentBufferSize)) {
  261. bResult = FALSE;
  262. goto Cleanup;
  263. }
  265. }
  266. else
  267. {
  268. bResult = FALSE;
  269. goto Cleanup;
  270. }
  271. }
  274. //
  275. // Look at the resulting information about the identifier.
  276. //
  277. if (IsEqualGUID(&pIdentCommon->IdentificationGuid, &guidTrustedCert))
  278. {
  279. bResult = SaferpRecordEventLogEntryHelper(
  280. STATUS_ACCESS_DISABLED_BY_POLICY_PUBLISHER,
  281. szTargetPath, NULL, NULL);
  282. }
  283. else if (IsEqualGUID(&pIdentCommon->IdentificationGuid, &guidDefaultRule))
  284. {
  285. bResult = SaferpRecordEventLogEntryHelper(
  286. STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT,
  287. szTargetPath, NULL, NULL);
  288. }
  289. else if (pIdentCommon->dwIdentificationType == SaferIdentityTypeImageName)
  290. {
  291. PSAFER_PATHNAME_IDENTIFICATION pIdentPath =
  292. (PSAFER_PATHNAME_IDENTIFICATION) pIdentCommon;
  293. bResult = SaferpRecordEventLogEntryHelper(
  294. STATUS_ACCESS_DISABLED_BY_POLICY_PATH,
  295. szTargetPath, &pIdentCommon->IdentificationGuid,
  296. pIdentPath->ImageName);
  297. }
  298. else
  299. {
  300. bResult = SaferpRecordEventLogEntryHelper(
  301. STATUS_ACCESS_DISABLED_BY_POLICY_OTHER,
  302. szTargetPath, &pIdentCommon->IdentificationGuid,
  303. NULL);
  304. }
  306. Cleanup:
  307. HeapFree(GetProcessHeap(), 0, pIdentCommon);
  309. return bResult;
  310. }