archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/base/ntos/se/subject.c

665 lines
15 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1989 Microsoft Corporation
  5. Module Name:
  7. Subject.c
  9. Abstract:
  11. This Module implements services related to subject security context.
  12. These services are part of the services provided by the Reference Monitor
  13. component.
  15. FOR PERFORMANCE SAKE, THIS MODULE IS AWARE OF INTERNAL TOKEN OBJECT
  16. FORMATS.
  18. Author:
  20. Jim Kelly (JimK) 2-Aug-1990
  22. Environment:
  24. Kernel Mode
  26. Revision History:
  28. --*/
  30. #include "pch.h"
  32. #pragma hdrstop
  35. #ifdef ALLOC_PRAGMA
  36. #pragma alloc_text(PAGE,SeCaptureSubjectContext)
  37. #pragma alloc_text(PAGE,SeCaptureSubjectContextEx)
  38. #pragma alloc_text(PAGE,SeLockSubjectContext)
  39. #pragma alloc_text(PAGE,SeUnlockSubjectContext)
  40. #pragma alloc_text(PAGE,SeReleaseSubjectContext)
  41. #pragma alloc_text(PAGE,SepGetDefaultsSubjectContext)
  42. #pragma alloc_text(PAGE,SepIdAssignableAsGroup)
  43. #pragma alloc_text(PAGE,SepValidOwnerSubjectContext)
  44. //#pragma alloc_text(PAGE,SeQueryAuthenticationIdSubjectContext)
  45. #endif
  48. VOID
  49. SeCaptureSubjectContext (
  50. OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
  51. )
  53. /*++
  55. Routine Description:
  57. This routine takes a snapshot of the calling thread's security
  58. context (locking tokens as necessary to do so). This function
  59. is intended to support the object manager and other components
  60. that utilize the reference monitor's access validation,
  61. privilege test, and audit generation services.
  63. A subject's security context should be captured before initiating
  64. access validation and should be released after audit messages
  65. are generated. This is necessary to provide a consistent security
  66. context to all those services.
  68. After calling access validation, privilege test, and audit generation
  69. services, the captured context should be released as soon as possible
  70. using the SeReleaseSubjectContext() service.
  72. Arguments:
  74. SubjectContext - Points to a SECURITY_SUBJECT_CONTEXT data structure
  75. to be filled in with a snapshot of the calling thread's security
  76. profile.
  78. Return Value:
  80. none.
  82. --*/
  84. {
  85. SeCaptureSubjectContextEx (PsGetCurrentThread (),
  86. PsGetCurrentProcess (),
  87. SubjectContext);
  88. }
  91. VOID
  92. SeCaptureSubjectContextEx (
  93. IN PETHREAD Thread,
  94. IN PEPROCESS Process,
  95. OUT PSECURITY_SUBJECT_CONTEXT SubjectContext
  96. )
  98. /*++
  100. Routine Description:
  102. This routine takes a snapshot of the calling thread's security
  103. context (locking tokens as necessary to do so). This function
  104. is intended to support the object manager and other components
  105. that utilize the reference monitor's access validation,
  106. privilege test, and audit generation services.
  108. A subject's security context should be captured before initiating
  109. access validation and should be released after audit messages
  110. are generated. This is necessary to provide a consistent security
  111. context to all those services.
  113. After calling access validation, privilege test, and audit generation
  114. services, the captured context should be released as soon as possible
  115. using the SeReleaseSubjectContext() service.
  117. Arguments:
  119. Thread - Thread to capture the thread token from. If NULL we don't capture
  120. an impersonation token.
  122. Process - Process to capture primary token from.
  124. SubjectContext - Points to a SECURITY_SUBJECT_CONTEXT data structure
  125. to be filled in with a snapshot of the calling thread's security
  126. profile.
  128. Return Value:
  130. none.
  132. --*/
  134. {
  135. //PVOID Objects[2];
  137. BOOLEAN IgnoreCopyOnOpen;
  138. BOOLEAN IgnoreEffectiveOnly;
  140. PAGED_CODE();
  142. SubjectContext->ProcessAuditId = PsProcessAuditId( Process );
  144. //
  145. // Get pointers to primary and impersonation tokens
  146. //
  148. if (Thread == NULL) {
  149. SubjectContext->ClientToken = NULL;
  150. } else {
  151. SubjectContext->ClientToken = PsReferenceImpersonationToken(
  152. Thread,
  153. &IgnoreCopyOnOpen,
  154. &IgnoreEffectiveOnly,
  155. &(SubjectContext->ImpersonationLevel)
  156. );
  157. }
  159. SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process);
  161. #if DBG || TOKEN_LEAK_MONITOR
  163. if (SubjectContext->PrimaryToken) {
  164. InterlockedIncrement(&((PTOKEN)(SubjectContext->PrimaryToken))->CaptureCount);
  165. if (SubjectContext->PrimaryToken == SepTokenLeakToken)
  166. {
  167. DbgBreakPoint();
  168. }
  169. }
  171. if (SubjectContext->ClientToken) {
  172. InterlockedIncrement(&((PTOKEN)(SubjectContext->ClientToken))->CaptureCount);
  173. if (SubjectContext->ClientToken == SepTokenLeakToken)
  174. {
  175. DbgBreakPoint();
  176. }
  177. }
  179. #endif
  181. return;
  183. }
  187. VOID
  188. SeLockSubjectContext(
  189. IN PSECURITY_SUBJECT_CONTEXT SubjectContext
  190. )
  192. /*++
  194. Routine Description:
  196. Acquires READ LOCKS on the primary and impersonation tokens
  197. in the passed SubjectContext.
  199. This call must be undone by a call to SeUnlockSubjectContext().
  201. No one outside of the SE component should need to acquire a
  202. write lock to a token. Therefore there is no public interface
  203. to do this.
  205. Arguments:
  207. SubjectContext - Points to a SECURITY_SUBJECT_CONTEXT data structure
  208. which points to a primary token and an optional impersonation token.
  210. Return Value:
  212. None
  214. --*/
  216. {
  217. PAGED_CODE();
  219. SepAcquireTokenReadLock((PTOKEN)(SubjectContext->PrimaryToken));
  221. if (ARGUMENT_PRESENT(SubjectContext->ClientToken)) {
  223. SepAcquireTokenReadLock((PTOKEN)(SubjectContext->ClientToken));
  224. }
  226. return;
  227. }
  231. VOID
  232. SeUnlockSubjectContext(
  233. IN PSECURITY_SUBJECT_CONTEXT SubjectContext
  234. )
  236. /*++
  238. Routine Description:
  240. Releases the read locks on the token(s) in the passed SubjectContext.
  242. Arguments:
  244. SubjectContext - Points to a SECURITY_SUBJECT_CONTEXT data structure
  245. which points to a primary token and an optional impersonation token.
  247. Return Value:
  249. None
  251. --*/
  253. {
  254. PAGED_CODE();
  256. SepReleaseTokenReadLock((PTOKEN)(SubjectContext->PrimaryToken));
  258. if (ARGUMENT_PRESENT(SubjectContext->ClientToken)) {
  260. SepReleaseTokenReadLock((PTOKEN)(SubjectContext->ClientToken));
  261. }
  264. }
  268. VOID
  269. SeReleaseSubjectContext (
  270. IN PSECURITY_SUBJECT_CONTEXT SubjectContext
  271. )
  273. /*++
  276. Routine Description:
  278. This routine releases a subject security context previously captured by
  279. SeCaptureSubjectContext().
  281. Arguments:
  283. SubjectContext - Points to a SECURITY_SUBJECT_CONTEXT data structure
  284. containing a subject's previously captured security context.
  286. Return Value:
  288. none.
  290. --*/
  292. {
  293. PAGED_CODE();
  295. #if DBG || TOKEN_LEAK_MONITOR
  297. if (SubjectContext->PrimaryToken) {
  298. InterlockedDecrement(&((PTOKEN)(SubjectContext->PrimaryToken))->CaptureCount);
  299. if (SubjectContext->PrimaryToken == SepTokenLeakToken)
  300. {
  301. DbgBreakPoint();
  302. }
  303. }
  305. if (SubjectContext->ClientToken) {
  306. InterlockedDecrement(&((PTOKEN)(SubjectContext->ClientToken))->CaptureCount);
  307. if (SubjectContext->ClientToken == SepTokenLeakToken)
  308. {
  309. DbgBreakPoint();
  310. }
  311. }
  313. #endif
  315. PsDereferencePrimaryTokenEx( PsGetCurrentProcess(), SubjectContext->PrimaryToken );
  317. SubjectContext->PrimaryToken = NULL;
  319. PsDereferenceImpersonationToken( SubjectContext->ClientToken );
  321. SubjectContext->ClientToken = NULL;
  323. return;
  325. }
  327. VOID
  328. SepGetDefaultsSubjectContext(
  329. IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
  330. OUT PSID *Owner,
  331. OUT PSID *Group,
  332. OUT PSID *ServerOwner,
  333. OUT PSID *ServerGroup,
  334. OUT PACL *Dacl
  335. )
  336. /*++
  338. Routine Description:
  340. This routine retrieves pointers to the default owner, primary group,
  341. and, if present, discretionary ACL of the provided subject security
  342. context.
  344. Arguments:
  346. SubjectContext - Points to the subject security context whose default
  347. values are to be retrieved.
  349. Owner - Receives a pointer to the subject's default owner SID. This
  350. value will always be returned as a non-zero pointer. That is,
  351. a subject's security context must contain a owner SID.
  353. Group - Receives a pointer to the subject's default primary group SID.
  354. This value will always be returned as a non-zero pointer. That is,
  355. a subject's security context must contain a primary group.
  357. Dacl - Receives a pointer to the subject's default discretionary ACL,
  358. if one is define for the subject. Note that a subject security context
  359. does not have to include a default discretionary ACL. In this case,
  360. this value will be returned as NULL.
  365. Return Value:
  367. none.
  369. --*/
  371. {
  372. PTOKEN EffectiveToken;
  373. PTOKEN PrimaryToken;
  375. PAGED_CODE();
  377. if (ARGUMENT_PRESENT(SubjectContext->ClientToken)) {
  378. EffectiveToken = (PTOKEN)SubjectContext->ClientToken;
  379. } else {
  380. EffectiveToken = (PTOKEN)SubjectContext->PrimaryToken;
  381. }
  383. (*Owner) = EffectiveToken->UserAndGroups[EffectiveToken->DefaultOwnerIndex].Sid;
  385. (*Group) = EffectiveToken->PrimaryGroup;
  387. (*Dacl) = EffectiveToken->DefaultDacl;
  389. PrimaryToken = (PTOKEN)SubjectContext->PrimaryToken;
  391. *ServerOwner = PrimaryToken->UserAndGroups[PrimaryToken->DefaultOwnerIndex].Sid;
  393. *ServerGroup = PrimaryToken->PrimaryGroup;
  395. return;
  396. }
  399. BOOLEAN
  400. SepIdAssignableAsGroup(
  401. IN PACCESS_TOKEN AToken,
  402. IN PSID Group
  403. )
  404. /*++
  406. Routine Description:
  408. This routine checks to see whether the provided SID is one that
  409. may be assigned to be the default primary group in a token.
  411. The current criteria is that the passed SID be a group in the
  412. token, with no other restrictions.
  414. Arguments:
  416. Token - Points to the token to be examined.
  418. Group - Points to the SID to be checked.
  420. Return Value:
  422. TRUE - SID passed by be assigned as the default primary group in a token.
  424. FALSE - Passed SID may not be so assigned.
  426. --*/
  428. {
  429. ULONG Index;
  430. BOOLEAN Found = FALSE;
  431. PTOKEN Token;
  433. PAGED_CODE();
  435. Token = (PTOKEN)AToken;
  437. //
  438. // Let's make it invalid to assign a NULL primary group,
  439. // but we may need to revisit this.
  440. //
  442. if (Group == NULL) {
  443. return( FALSE );
  444. }
  445. Index = 0;
  447. SepAcquireTokenReadLock( Token );
  449. //
  450. // Walk through the list of user and group IDs looking
  451. // for a match to the specified SID.
  452. //
  454. while (Index < Token->UserAndGroupCount) {
  456. Found = RtlEqualSid(
  457. Group,
  458. Token->UserAndGroups[Index].Sid
  459. );
  461. if ( Found ) {
  462. break;
  463. }
  465. Index += 1;
  466. }
  468. SepReleaseTokenReadLock( Token );
  470. return Found;
  471. }
  474. BOOLEAN
  475. SepValidOwnerSubjectContext(
  476. IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
  477. IN PSID Owner,
  478. IN BOOLEAN ServerObject
  479. )
  480. /*++
  482. Routine Description:
  484. This routine checks to see whether the provided SID is one the subject
  485. is authorized to assign as the owner of objects. It will also check to
  486. see if the caller has SeRestorePrivilege, if so, the request is granted.
  488. Arguments:
  490. SubjectContext - Points to the subject's security context.
  492. Owner - Points to the SID to be checked.
  496. Return Value:
  498. none.
  500. --*/
  502. {
  504. ULONG Index;
  505. BOOLEAN Found;
  506. PTOKEN EffectiveToken;
  507. BOOLEAN Rc = FALSE;
  509. PAGED_CODE();
  511. //
  512. // It is invalid to assign a NULL owner, regardless of
  513. // whether you have SeRestorePrivilege or not.
  514. //
  516. if (Owner == NULL) {
  517. return( FALSE );
  518. }
  520. //
  521. // Allowable owners come from the primary if it's a server object.
  522. //
  524. if (!ServerObject && ARGUMENT_PRESENT(SubjectContext->ClientToken)) {
  525. EffectiveToken = (PTOKEN)SubjectContext->ClientToken;
  526. } else {
  527. EffectiveToken = (PTOKEN)SubjectContext->PrimaryToken;
  528. }
  531. //
  532. // If we're impersonating, make sure we're at TokenImpersonation
  533. // or above. This prevents someone from setting the owner of an
  534. // object when impersonating at less Identify or Anonymous.
  535. //
  537. if (EffectiveToken->TokenType == TokenImpersonation) {
  539. if (EffectiveToken->ImpersonationLevel < SecurityImpersonation) {
  541. return( FALSE );
  543. }
  544. }
  546. Index = 0;
  548. SepAcquireTokenReadLock( EffectiveToken );
  550. //
  551. // Walk through the list of user and group IDs looking
  552. // for a match to the specified SID. If one is found,
  553. // make sure it may be assigned as an owner.
  554. //
  555. // This code is similar to that performed to set the default
  556. // owner of a token (NtSetInformationToken).
  557. //
  559. while (Index < EffectiveToken->UserAndGroupCount) {
  562. Found = RtlEqualSid(
  563. Owner,
  564. EffectiveToken->UserAndGroups[Index].Sid
  565. );
  567. if ( Found ) {
  569. //
  570. // We may return success if the Sid is one that may be assigned
  571. // as an owner, or if the caller has SeRestorePrivilege
  572. //
  574. if ( SepIdAssignableAsOwner(EffectiveToken,Index) ) {
  576. SepReleaseTokenReadLock( EffectiveToken );
  577. Rc = TRUE;
  578. goto exit;
  580. } else {
  582. //
  583. // Rc is already set to FALSE, just exit.
  584. //
  586. SepReleaseTokenReadLock( EffectiveToken );
  587. goto exit;
  589. } //endif assignable
  592. } //endif Found
  595. Index += 1;
  597. } //endwhile
  600. SepReleaseTokenReadLock( EffectiveToken );
  602. exit:
  604. //
  605. // If we are going to fail this call, check for Restore privilege,
  606. // and succeed if he has it.
  607. //
  609. //
  610. // We should really have gotten PreviousMode from the caller, but we
  611. // didn't, so hard wire it to be user-mode here.
  612. //
  614. if ( Rc == FALSE ) {
  615. Rc = SeSinglePrivilegeCheck( SeRestorePrivilege, UserMode );
  616. }
  618. return Rc;
  619. }
  622. #if 0
  623. NTSTATUS
  624. SeQueryAuthenticationIdSubjectContext(
  625. IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
  626. OUT PLUID AuthenticationId
  627. )
  628. /*++
  630. Routine Description:
  632. This routine returns the authentication ID for the effective token
  633. in a subject context
  635. Parameters:
  637. SubjectContext - The subject context to get the ID from
  639. AuthenticationId - Receives the authentication ID from the token
  641. Return Value:
  643. Errors from SeQueryAuthenticationidToken.
  645. --*/
  646. {
  647. NTSTATUS Status;
  649. PAGED_CODE();
  651. SeLockSubjectContext( SubjectContext );
  654. Status = SeQueryAuthenticationIdToken(
  655. EffectiveToken(SubjectContext),
  656. AuthenticationId
  657. );
  659. SeUnlockSubjectContext( SubjectContext );
  661. return( Status );
  664. }
  665. #endif