Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

579 lines
14 KiB

  1. /*++
  2. Copyright (c) 1989 Microsoft Corporation
  3. Module Name:
  4. Privileg.c
  5. Abstract:
  6. This Module implements the privilege check procedures.
  7. Author:
  8. Robert Reichel (robertre) 26-Nov-90
  9. Environment:
  10. Kernel Mode
  11. Revision History:
  12. --*/
  13. #include "pch.h"
  14. #pragma hdrstop
  15. #ifdef ALLOC_PRAGMA
  16. #pragma alloc_text(PAGE,NtPrivilegeCheck)
  17. #pragma alloc_text(PAGE,SeCheckPrivilegedObject)
  18. #pragma alloc_text(PAGE,SepPrivilegeCheck)
  19. #pragma alloc_text(PAGE,SePrivilegeCheck)
  20. #pragma alloc_text(PAGE,SeSinglePrivilegeCheck)
  21. #endif
  22. BOOLEAN
  23. SepPrivilegeCheck(
  24. IN PTOKEN Token,
  25. IN OUT PLUID_AND_ATTRIBUTES RequiredPrivileges,
  26. IN ULONG RequiredPrivilegeCount,
  27. IN ULONG PrivilegeSetControl,
  28. IN KPROCESSOR_MODE PreviousMode
  29. )
  30. /*++
  31. Routine Description:
  32. Worker routine for SePrivilegeCheck
  33. Arguments:
  34. Token - The user's effective token.
  35. RequiredPrivileges - A privilege set describing the required
  36. privileges. The UsedForAccess bits will be set in any privilege
  37. that is actually used (usually all of them).
  38. RequiredPrivilegeCount - How many privileges are in the
  39. RequiredPrivileges set.
  40. PrivilegeSetControl - Describes how many privileges are required.
  41. PreviousMode - The previous processor mode.
  42. Return Value:
  43. Returns TRUE if requested privileges are granted, FALSE otherwise.
  44. --*/
  45. {
  46. PLUID_AND_ATTRIBUTES CurrentRequiredPrivilege;
  47. PLUID_AND_ATTRIBUTES CurrentTokenPrivilege;
  48. BOOLEAN RequiredAll;
  49. ULONG TokenPrivilegeCount;
  50. ULONG MatchCount = 0;
  51. ULONG i;
  52. ULONG j;
  53. PAGED_CODE();
  54. //
  55. // Take care of kernel callers first
  56. //
  57. if (PreviousMode == KernelMode) {
  58. return(TRUE);
  59. }
  60. TokenPrivilegeCount = Token->PrivilegeCount;
  61. //
  62. // Save whether we require ALL of them or ANY
  63. //
  64. RequiredAll = (BOOLEAN)(PrivilegeSetControl & PRIVILEGE_SET_ALL_NECESSARY);
  65. SepAcquireTokenReadLock( Token );
  66. for ( i = 0 , CurrentRequiredPrivilege = RequiredPrivileges ;
  67. i < RequiredPrivilegeCount ;
  68. i++, CurrentRequiredPrivilege++ ) {
  69. for ( j = 0, CurrentTokenPrivilege = Token->Privileges;
  70. j < TokenPrivilegeCount ;
  71. j++, CurrentTokenPrivilege++ ) {
  72. if ((CurrentTokenPrivilege->Attributes & SE_PRIVILEGE_ENABLED) &&
  73. (RtlEqualLuid(&CurrentTokenPrivilege->Luid,
  74. &CurrentRequiredPrivilege->Luid))
  75. ) {
  76. CurrentRequiredPrivilege->Attributes |=
  77. SE_PRIVILEGE_USED_FOR_ACCESS;
  78. MatchCount++;
  79. break; // start looking for next one
  80. }
  81. }
  82. }
  83. SepReleaseTokenReadLock( Token );
  84. //
  85. // If we wanted ANY and didn't get any, return failure.
  86. //
  87. if (!RequiredAll && (MatchCount == 0)) {
  88. return (FALSE);
  89. }
  90. //
  91. // If we wanted ALL and didn't get all, return failure.
  92. //
  93. if (RequiredAll && (MatchCount != RequiredPrivilegeCount)) {
  94. return(FALSE);
  95. }
  96. return(TRUE);
  97. }
  98. BOOLEAN
  99. SePrivilegeCheck(
  100. IN OUT PPRIVILEGE_SET RequiredPrivileges,
  101. IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
  102. IN KPROCESSOR_MODE AccessMode
  103. )
  104. /*++
  105. Routine Description:
  106. This routine checks to see if the token contains the specified
  107. privileges.
  108. Arguments:
  109. RequiredPrivileges - Points to a set of privileges. The subject's
  110. security context is to be checked to see which of the specified
  111. privileges are present. The results will be indicated in the
  112. attributes associated with each privilege. Note that
  113. flags in this parameter indicate whether all the privileges listed
  114. are needed, or any of the privileges.
  115. SubjectSecurityContext - A pointer to the subject's captured security
  116. context.
  117. AccessMode - Indicates the access mode to use for access check. One of
  118. UserMode or KernelMode. If the mode is kernel, then all privileges
  119. will be marked as being possessed by the subject, and successful
  120. completion status is returned.
  121. Return Value:
  122. BOOLEAN - TRUE if all specified privileges are held by the subject,
  123. otherwise FALSE.
  124. --*/
  125. {
  126. BOOLEAN Status;
  127. PAGED_CODE();
  128. //
  129. // If we're impersonating a client, we have to be at impersonation level
  130. // of SecurityImpersonation or above.
  131. //
  132. if ( (SubjectSecurityContext->ClientToken != NULL) &&
  133. (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation)
  134. ) {
  135. return(FALSE);
  136. }
  137. //
  138. // SepPrivilegeCheck locks the passed token for read access
  139. //
  140. Status = SepPrivilegeCheck(
  141. EffectiveToken( SubjectSecurityContext ),
  142. RequiredPrivileges->Privilege,
  143. RequiredPrivileges->PrivilegeCount,
  144. RequiredPrivileges->Control,
  145. AccessMode
  146. );
  147. return(Status);
  148. }
  149. NTSTATUS
  150. NtPrivilegeCheck(
  151. IN HANDLE ClientToken,
  152. IN OUT PPRIVILEGE_SET RequiredPrivileges,
  153. OUT PBOOLEAN Result
  154. )
  155. /*++
  156. Routine Description:
  157. This routine tests the caller's client's security context to see if it
  158. contains the specified privileges.
  159. Arguments:
  160. ClientToken - A handle to a token object representing a client
  161. attempting access. This handle must be obtained from a
  162. communication session layer, such as from an LPC Port or Local
  163. Named Pipe, to prevent possible security policy violations.
  164. RequiredPrivileges - Points to a set of privileges. The client's
  165. security context is to be checked to see which of the specified
  166. privileges are present. The results will be indicated in the
  167. attributes associated with each privilege. Note that
  168. flags in this parameter indicate whether all the privileges listed
  169. are needed, or any of the privileges.
  170. Result - Receives a boolean flag indicating whether the client has all
  171. the specified privileges or not. A value of TRUE indicates the
  172. client has all the specified privileges. Otherwise a value of
  173. FALSE is returned.
  174. Return Value:
  175. STATUS_SUCCESS - Indicates the call completed successfully.
  176. STATUS_PRIVILEGE_NOT_HELD - Indicates the caller does not have
  177. sufficient privilege to use this privileged system service.
  178. --*/
  179. {
  180. BOOLEAN BStatus;
  181. KPROCESSOR_MODE PreviousMode;
  182. NTSTATUS Status;
  183. PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL;
  184. PTOKEN Token = NULL;
  185. ULONG CapturedPrivilegeCount = 0;
  186. ULONG CapturedPrivilegesLength = 0;
  187. ULONG ParameterLength = 0;
  188. ULONG PrivilegeSetControl = 0;
  189. PAGED_CODE();
  190. PreviousMode = KeGetPreviousMode();
  191. Status = ObReferenceObjectByHandle(
  192. ClientToken, // Handle
  193. TOKEN_QUERY, // DesiredAccess
  194. SeTokenObjectType, // ObjectType
  195. PreviousMode, // AccessMode
  196. (PVOID *)&Token, // Object
  197. NULL // GrantedAccess
  198. );
  199. if ( !NT_SUCCESS(Status) ) {
  200. return Status;
  201. }
  202. //
  203. // If the passed token is an impersonation token, make sure
  204. // it is at SecurityIdentification or above.
  205. //
  206. if (Token->TokenType == TokenImpersonation) {
  207. if (Token->ImpersonationLevel < SecurityIdentification) {
  208. ObDereferenceObject( (PVOID)Token );
  209. return( STATUS_BAD_IMPERSONATION_LEVEL );
  210. }
  211. }
  212. try {
  213. //
  214. // Capture passed Privilege Set
  215. //
  216. ProbeForWriteSmallStructure(
  217. RequiredPrivileges,
  218. sizeof(PRIVILEGE_SET),
  219. sizeof(ULONG)
  220. );
  221. CapturedPrivilegeCount = RequiredPrivileges->PrivilegeCount;
  222. if (!IsValidElementCount(CapturedPrivilegeCount, LUID_AND_ATTRIBUTES)) {
  223. Status = STATUS_INVALID_PARAMETER;
  224. leave;
  225. }
  226. ParameterLength = (ULONG)sizeof(PRIVILEGE_SET) +
  227. ((CapturedPrivilegeCount - ANYSIZE_ARRAY) *
  228. (ULONG)sizeof(LUID_AND_ATTRIBUTES) );
  229. ProbeForWrite(
  230. RequiredPrivileges,
  231. ParameterLength,
  232. sizeof(ULONG)
  233. );
  234. ProbeForWriteBoolean(Result);
  235. PrivilegeSetControl = RequiredPrivileges->Control;
  236. } except(EXCEPTION_EXECUTE_HANDLER) {
  237. Status = GetExceptionCode();
  238. }
  239. if (!NT_SUCCESS(Status)) {
  240. ObDereferenceObject( (PVOID)Token );
  241. return Status;
  242. }
  243. Status = SeCaptureLuidAndAttributesArray(
  244. (RequiredPrivileges->Privilege),
  245. CapturedPrivilegeCount,
  246. UserMode,
  247. NULL, 0,
  248. PagedPool,
  249. TRUE,
  250. &CapturedPrivileges,
  251. &CapturedPrivilegesLength
  252. );
  253. if (!NT_SUCCESS(Status)) {
  254. ObDereferenceObject( (PVOID)Token );
  255. return Status;
  256. }
  257. BStatus = SepPrivilegeCheck(
  258. Token, // Token,
  259. CapturedPrivileges, // RequiredPrivileges,
  260. CapturedPrivilegeCount, // RequiredPrivilegeCount,
  261. PrivilegeSetControl, // PrivilegeSetControl
  262. PreviousMode // PreviousMode
  263. );
  264. ObDereferenceObject( Token );
  265. try {
  266. //
  267. // copy the modified privileges buffer back to user
  268. //
  269. RtlCopyMemory(
  270. RequiredPrivileges->Privilege,
  271. CapturedPrivileges,
  272. CapturedPrivilegesLength
  273. );
  274. *Result = BStatus;
  275. } except (EXCEPTION_EXECUTE_HANDLER) {
  276. SeReleaseLuidAndAttributesArray(
  277. CapturedPrivileges,
  278. PreviousMode,
  279. TRUE
  280. );
  281. return(GetExceptionCode());
  282. }
  283. SeReleaseLuidAndAttributesArray(
  284. CapturedPrivileges,
  285. PreviousMode,
  286. TRUE
  287. );
  288. return( STATUS_SUCCESS );
  289. }
  290. BOOLEAN
  291. SeSinglePrivilegeCheck(
  292. LUID PrivilegeValue,
  293. KPROCESSOR_MODE PreviousMode
  294. )
  295. /*++
  296. Routine Description:
  297. This function will check for the passed privilege value in the
  298. current context.
  299. Arguments:
  300. PrivilegeValue - The value of the privilege being checked.
  301. Return Value:
  302. TRUE - The current subject has the desired privilege.
  303. FALSE - The current subject does not have the desired privilege.
  304. --*/
  305. {
  306. BOOLEAN AccessGranted;
  307. PRIVILEGE_SET RequiredPrivileges;
  308. SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
  309. PAGED_CODE();
  310. //
  311. // Make sure the caller has the privilege to make this
  312. // call.
  313. //
  314. RequiredPrivileges.PrivilegeCount = 1;
  315. RequiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY;
  316. RequiredPrivileges.Privilege[0].Luid = PrivilegeValue;
  317. RequiredPrivileges.Privilege[0].Attributes = 0;
  318. SeCaptureSubjectContext( &SubjectSecurityContext );
  319. AccessGranted = SePrivilegeCheck(
  320. &RequiredPrivileges,
  321. &SubjectSecurityContext,
  322. PreviousMode
  323. );
  324. if ( PreviousMode != KernelMode ) {
  325. SePrivilegedServiceAuditAlarm (
  326. NULL,
  327. &SubjectSecurityContext,
  328. &RequiredPrivileges,
  329. AccessGranted
  330. );
  331. }
  332. SeReleaseSubjectContext( &SubjectSecurityContext );
  333. return( AccessGranted );
  334. }
  335. BOOLEAN
  336. SeCheckPrivilegedObject(
  337. LUID PrivilegeValue,
  338. HANDLE ObjectHandle,
  339. ACCESS_MASK DesiredAccess,
  340. KPROCESSOR_MODE PreviousMode
  341. )
  342. /*++
  343. Routine Description:
  344. This function will check for the passed privilege value in the
  345. current context, and generate audits as appropriate.
  346. Arguments:
  347. PrivilegeValue - The value of the privilege being checked.
  348. Object - Specifies a pointer to the object being accessed.
  349. ObjectHandle - Specifies the object handle being used.
  350. DesiredAccess - The desired access mask, if any
  351. PreviousMode - The previous processor mode
  352. Return Value:
  353. TRUE - The current subject has the desired privilege.
  354. FALSE - The current subject does not have the desired privilege.
  355. --*/
  356. {
  357. BOOLEAN AccessGranted;
  358. PRIVILEGE_SET RequiredPrivileges;
  359. SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
  360. PAGED_CODE();
  361. //
  362. // Make sure the caller has the privilege to make this
  363. // call.
  364. //
  365. RequiredPrivileges.PrivilegeCount = 1;
  366. RequiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY;
  367. RequiredPrivileges.Privilege[0].Luid = PrivilegeValue;
  368. RequiredPrivileges.Privilege[0].Attributes = 0;
  369. SeCaptureSubjectContext( &SubjectSecurityContext );
  370. AccessGranted = SePrivilegeCheck(
  371. &RequiredPrivileges,
  372. &SubjectSecurityContext,
  373. PreviousMode
  374. );
  375. if ( PreviousMode != KernelMode ) {
  376. SePrivilegeObjectAuditAlarm(
  377. ObjectHandle,
  378. &SubjectSecurityContext,
  379. DesiredAccess,
  380. &RequiredPrivileges,
  381. AccessGranted,
  382. PreviousMode
  383. );
  384. }
  385. SeReleaseSubjectContext( &SubjectSecurityContext );
  386. return( AccessGranted );
  387. }