archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/authz/authzp.h

1162 lines
29 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 2000 Microsoft Corporation
  5. Module Name:
  7. authzp.h
  9. Abstract:
  11. Internal header file for authorization APIs.
  13. Author:
  15. Kedar Dubhashi - March 2000
  17. Environment:
  19. User mode only.
  21. Revision History:
  23. Created - March 2000
  25. --*/
  27. #ifndef __AUTHZP_H__
  28. #define __AUTHZP_H__
  30. #define _AUTHZ_
  32. #include <authz.h>
  33. #include <authzi.h>
  35. #if 0
  36. #define AUTHZ_DEBUG
  37. #define AUTHZ_DEBUG_QUEUE
  38. #define AUTHZ_DEBUG_MEMLEAK
  39. #else
  40. #define AUTHZ_PARAM_CHECK
  41. #define AUTHZ_AUDIT_COUNTER
  42. #endif
  44. #define AuthzpCloseHandleNonNull(h) if (NULL != (h)) { AuthzpCloseHandle((h)); }
  45. #define AuthzpCloseHandle(h) CloseHandle((h))
  47. //
  48. // Size of the local stack buffer used to save a kernel call as well as a memory
  49. // allocation.
  50. //
  52. #define AUTHZ_MAX_STACK_BUFFER_SIZE 1024
  54. #ifndef AUTHZ_DEBUG_MEMLEAK
  56. #define AuthzpAlloc(s) LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, (s))
  57. #define AuthzpFree(p) LocalFree((p))
  59. #else
  61. //
  62. // This is to be used for debugging memory leaks. Primitive method but works in
  63. // a small project like this.
  64. //
  66. PVOID
  67. AuthzpAlloc(IN DWORD Size);
  69. VOID
  70. AuthzpFree(PVOID l);
  72. #endif
  74. //
  75. // Given two sids and length of the first sid, compare the two sids.
  76. //
  78. #define AUTHZ_EQUAL_SID(s, d, l) ((*((DWORD*) s) == *((DWORD*) d)) && (RtlEqualMemory((s), (d), (l))))
  80. //
  81. // Compares a given sids with a well known constant PrincipalSelfSid.
  82. //
  84. #define AUTHZ_IS_PRINCIPAL_SELF_SID(s) (RtlEqualMemory(pAuthzPrincipalSelfSid, (s), 12))
  86. //
  87. // The client context is restricted if the restricted sid and attribute array is
  88. // present.
  89. //
  91. #define AUTHZ_TOKEN_RESTRICTED(t) (NULL != (t)->RestrictedSids)
  93. //
  94. // Two privileges are inportant for access check:
  95. // SeSecurityPrivilege
  96. // SeTakeOwnershipPrivilege
  97. // Both these are detected at the time of client context capture from token
  98. // and stored in the flags.
  99. //
  101. #define AUTHZ_PRIVILEGE_CHECK(t, f) (FLAG_ON((t)->Flags, (f)))
  103. //
  104. // Flags in the cached handle.
  105. //
  107. #define AUTHZ_DENY_ACE_PRESENT 0x00000001
  108. #define AUTHZ_PRINCIPAL_SELF_ACE_PRESENT 0x00000002
  109. #define AUTHZ_DYNAMIC_ALLOW_ACE_PRESENT 0x00000004
  110. #define AUTHZ_DYNAMIC_DENY_ACE_PRESENT 0x00000008
  111. #define AUTHZ_DYNAMIC_EVALUATION_PRESENT (AUTHZ_PRINCIPAL_SELF_ACE_PRESENT | \
  112. AUTHZ_DYNAMIC_ALLOW_ACE_PRESENT | \
  113. AUTHZ_DYNAMIC_DENY_ACE_PRESENT)
  115. //
  116. // There are only two valid attributes from access check point of view
  117. // SE_GROUP_ENABLED
  118. // SE_GROUP_USE_FOR_DENY_ONLY
  119. //
  121. #define AUTHZ_VALID_SID_ATTRIBUTES (SE_GROUP_ENABLED | SE_GROUP_USE_FOR_DENY_ONLY)
  123. #ifdef FLAG_ON
  124. #undef FLAG_ON
  125. #endif
  127. #define FLAG_ON(f, b) (0 != ((f) & (b)))
  129. #ifdef AUTHZ_NON_NULL_PTR
  130. #undef AUTHZ_NON_NULL_PTR
  131. #endif
  133. #define AUTHZ_NON_NULL_PTR(f) (NULL != (f))
  135. //
  136. // If the pointer is not null then free it. This will save us a function call in
  137. // cases when the pointer is null. Note that LocalFree would also take care null
  138. // pointer being freed.
  139. //
  141. #define AuthzpFreeNonNull(p) if (NULL != (p)) { AuthzpFree((p)); }
  143. //
  144. // Check to see if the memory allocation failed.
  145. //
  147. #define AUTHZ_ALLOCATION_FAILED(p) (NULL == (p))
  149. //
  150. // Macros to traverse the acl.
  151. // The first one gets the first ace in a given acl.
  152. // The second one gives the next ace given the current one.
  153. //
  155. #define FirstAce(Acl) ((PVOID)((PUCHAR)(Acl) + sizeof(ACL)))
  156. #define NextAce(Ace) ((PVOID)((PUCHAR)(Ace) + ((PACE_HEADER)(Ace))->AceSize))
  158. //
  159. // These do not need to be defined now since the decision was to put the burden
  160. // on the resource managers. There are disadvantages of making it thread safe.
  161. // Our choices are:
  162. // 1. Have exactly one lock in authz.dll and suffer heavy contention.
  163. // 2. Define one lock per client context which might be too expensive in
  164. // cases where the clients are too many.
  165. // 3. Let the resource manager decide whether they need locking - unlikely
  166. // that locks are needed since it is wrong design on part of the RM to
  167. // have one thread that changes the client context while the other one
  168. // is doing an access check.
  169. //
  171. #define AuthzpAcquireClientContextWriteLock(c)
  172. #define AuthzpAcquireClientContextReadLock(c)
  173. #define AuthzpReleaseClientContextLock(c)
  175. #define AuthzpAcquireClientCacheWriteLock(c)
  176. #define AuthzpReleaseClientCacheLock(c)
  177. #define AuthzpZeroMemory(p, s) RtlZeroMemory((p), (s))
  179. #define AuthzObjectAceSid(Ace) \
  180. ((PSID)(((PUCHAR)&(((PKNOWN_OBJECT_ACE)(Ace))->SidStart)) + \
  181. (RtlObjectAceObjectTypePresent(Ace) ? sizeof(GUID) : 0 ) + \
  182. (RtlObjectAceInheritedObjectTypePresent(Ace) ? sizeof(GUID) : 0 )))
  184. #define AuthzAceSid(Ace) ((PSID)&((PKNOWN_ACE)Ace)->SidStart)
  186. #define AuthzCallbackAceSid(Ace) AuthzAceSid(Ace)
  188. #define AuthzCallbackObjectAceSid(Ace) AuthzObjectAceSid(Ace)
  190. //
  191. // Internal structure of the object type list.
  192. //
  193. // Level - Level of the element in the tree. The level of the root is 0.
  194. // Flags - To be used for auditing. The valid ones are
  195. // AUTHZ_OBJECT_SUCCESS_AUDIT
  196. // AUTHZ_OBJECT_FAILURE_AUDIT
  197. // ObjectType - Pointer to the guid for this element.
  198. // ParentIndex - The index of the parent of this element in the array. The
  199. // parent index for the root is -1.
  200. // Remaining - Remaining access bits for this element, used during normal access
  201. // check algorithm.
  202. // CurrentGranted - Granted access bits so far for this element, used during
  203. // maximum allowed access check.
  204. // CurrentDenied - Explicitly denied access bits for this element, used during
  205. // maximum allowed access check.
  206. //
  208. typedef struct _IOBJECT_TYPE_LIST {
  209. USHORT Level;
  210. USHORT Flags;
  211. #define AUTHZ_OBJECT_SUCCESS_AUDIT 0x1
  212. #define AUTHZ_OBJECT_FAILURE_AUDIT 0x2
  213. GUID ObjectType;
  214. LONG ParentIndex;
  215. ACCESS_MASK Remaining;
  216. ACCESS_MASK CurrentGranted;
  217. ACCESS_MASK CurrentDenied;
  218. } IOBJECT_TYPE_LIST, *PIOBJECT_TYPE_LIST;
  220. typedef struct _AUTHZI_AUDIT_QUEUE
  221. {
  223. //
  224. // Flags defined in authz.h
  225. //
  227. DWORD Flags;
  229. //
  230. // High and low marks for the auditing queue
  231. //
  233. DWORD dwAuditQueueHigh;
  234. DWORD dwAuditQueueLow;
  236. //
  237. // CS for locking the audit queue
  238. //
  240. RTL_CRITICAL_SECTION AuthzAuditQueueLock;
  242. //
  243. // The audit queue and length.
  244. //
  246. LIST_ENTRY AuthzAuditQueue;
  247. ULONG AuthzAuditQueueLength;
  249. //
  250. // Handle to the thread that maintains the audit queue.
  251. //
  253. HANDLE hAuthzAuditThread;
  255. //
  256. // This event signals that an audit was placed on the queue.
  257. //
  259. HANDLE hAuthzAuditAddedEvent;
  261. //
  262. // This event signals that the queue is empty. Initially signalled.
  263. //
  265. HANDLE hAuthzAuditQueueEmptyEvent;
  267. //
  268. // This boolean indicates that the queue size has reached the RM-specified high water mark.
  269. //
  271. BOOL bAuthzAuditQueueHighEvent;
  273. //
  274. // This event signals that the queue size is at or below the RM-specified low water mark.
  275. //
  277. HANDLE hAuthzAuditQueueLowEvent;
  279. //
  280. // This boolean is set to TRUE during the life of the resource manager. When it turns to FALSE, the
  281. // dequeue thread knows that it should exit.
  282. //
  284. BOOL bWorker;
  286. } AUTHZI_AUDIT_QUEUE, *PAUTHZI_AUDIT_QUEUE;
  288. typedef struct _AUTHZI_RESOURCE_MANAGER
  289. {
  290. //
  291. // No valid flags have been defined yet.
  292. //
  294. DWORD Flags;
  296. //
  297. // Callback function registered by AuthzRegisterRMAccessCheckCallback, to be
  298. // used to interpret callback aces. If no such function is registered by the
  299. // RM then the default behavior is to return TRUE for a deny ACE, FALSE for
  300. // a grant ACE.
  301. //
  303. PFN_AUTHZ_DYNAMIC_ACCESS_CHECK pfnDynamicAccessCheck;
  305. //
  306. // Callback function registered by AuthzRegisterDynamicGroupsCallback, to be
  307. // used to compute groups to be added to the client context. If no such
  308. // function is registered by the RM then the default behavior is to return
  309. // no groups.
  310. //
  312. PFN_AUTHZ_COMPUTE_DYNAMIC_GROUPS pfnComputeDynamicGroups;
  314. //
  315. // Callback function registered by AuthzRegisterDynamicGroupsCallback, to be
  316. // used to free memory allocated by ComputeDynamicGroupsFn.
  317. //
  319. PFN_AUTHZ_FREE_DYNAMIC_GROUPS pfnFreeDynamicGroups;
  321. //
  322. // String name of resource manager. Appears in audits.
  323. //
  325. PWSTR szResourceManagerName;
  327. //
  328. // The user SID and Authentication ID of the RM process
  329. //
  331. PSID pUserSID;
  332. LUID AuthID;
  334. //
  335. // Default queue and audit events for the RM
  336. //
  338. #define AUTHZP_DEFAULT_RM_EVENTS 0x2
  340. AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAET;
  341. AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAETDS;
  343. AUTHZ_AUDIT_QUEUE_HANDLE hAuditQueue;
  345. } AUTHZI_RESOURCE_MANAGER, *PAUTHZI_RESOURCE_MANAGER;
  348. typedef struct _AUTHZI_CLIENT_CONTEXT AUTHZI_CLIENT_CONTEXT, *PAUTHZI_CLIENT_CONTEXT;
  349. typedef struct _AUTHZI_HANDLE AUTHZI_HANDLE, *PAUTHZI_HANDLE;
  351. //
  352. // the number of sids that we hash is equal to
  353. // the number of bits in AUTHZI_SID_HASH_ENTRY
  354. //
  356. #ifdef _WIN64_
  357. typedef ULONGLONG AUTHZI_SID_HASH_ENTRY, *PAUTHZI_SID_HASH_ENTRY;
  358. #else
  359. typedef DWORD AUTHZI_SID_HASH_ENTRY, *PAUTHZI_SID_HASH_ENTRY;
  360. #endif
  362. #define AUTHZI_SID_HASH_ENTRY_NUM_BITS (8*sizeof(AUTHZI_SID_HASH_ENTRY))
  364. //
  365. // the hash size is not related to the number of bits. it is the size
  366. // required to hold two 16 element arrays
  367. //
  369. #define AUTHZI_SID_HASH_SIZE 32
  371. struct _AUTHZI_CLIENT_CONTEXT
  372. {
  374. //
  375. // The client context structure is recursive to support delegated clients.
  376. // Not in the picture yet though.
  377. //
  379. PAUTHZI_CLIENT_CONTEXT Server;
  381. //
  382. // Context will always be created with Revision of AUTHZ_CURRENT_CONTEXT_REVISION.
  383. //
  385. #define AUTHZ_CURRENT_CONTEXT_REVISION 1
  387. DWORD Revision;
  389. //
  390. // Resource manager supplied identifier. We do not ever use this.
  391. //
  393. LUID Identifier;
  395. //
  396. // AuthenticationId captured from the token of the client. Needed for
  397. // auditing.
  398. //
  400. LUID AuthenticationId;
  402. //
  403. // Token expiration time. This one will be checked at the time of access check against
  404. // the current time.
  405. //
  407. LARGE_INTEGER ExpirationTime;
  409. //
  410. // Internal flags for the token.
  411. //
  413. #define AUTHZ_TAKE_OWNERSHIP_PRIVILEGE_ENABLED 0x00000001
  414. #define AUTHZ_SECURITY_PRIVILEGE_ENABLED 0x00000002
  417. DWORD Flags;
  419. //
  420. // Sids used for normal access checks.
  421. //
  423. DWORD SidCount;
  424. DWORD SidLength;
  425. PSID_AND_ATTRIBUTES Sids;
  427. AUTHZI_SID_HASH_ENTRY SidHash[AUTHZI_SID_HASH_SIZE];
  430. //
  431. // Sids used if the token is resticted. These will usually be 0 and NULL respectively.
  432. //
  434. DWORD RestrictedSidCount;
  435. DWORD RestrictedSidLength;
  436. PSID_AND_ATTRIBUTES RestrictedSids;
  438. AUTHZI_SID_HASH_ENTRY RestrictedSidHash[AUTHZI_SID_HASH_SIZE];
  440. //
  441. // Privileges used in access checks. Relevant ones are:
  442. // 1. SeSecurityPrivilege
  443. // 2. SeTakeOwnershipPrivilege
  444. // If there are no privileges associated with the client context then the PrivilegeCount = 0
  445. // and Privileges = NULL
  446. //
  448. DWORD PrivilegeCount;
  449. DWORD PrivilegeLength;
  450. PLUID_AND_ATTRIBUTES Privileges;
  452. //
  453. // Handles open for this client. When the client context is destroyed all the handles are
  454. // cleaned up.
  455. //
  457. PAUTHZI_HANDLE AuthzHandleHead;
  459. //
  460. // Pointer to the resource manager, needed to retrieve static auditing information.
  461. //
  463. PAUTHZI_RESOURCE_MANAGER pResourceManager;
  465. };
  467. struct _AUTHZI_HANDLE
  468. {
  469. //
  470. // Pointers to the next handle maintained by the AuthzClientContext object.
  471. //
  473. PAUTHZI_HANDLE next;
  475. //
  476. // Pointer to the security descriptors provided by the RM at the time of first access
  477. // check call. We do not make a copy of the security descriptors. The assumption
  478. // is that the SDs will be valid at least as long as the the handle is open.
  479. //
  481. PSECURITY_DESCRIPTOR pSecurityDescriptor;
  482. PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray;
  483. DWORD OptionalSecurityDescriptorCount;
  485. //
  486. // Flags for internal usage only.
  487. //
  489. DWORD Flags;
  491. //
  492. // Back pointer to the client context that created this handle, required if the static
  493. // access granted is insufficient and access check needs to be performed again.
  494. //
  496. PAUTHZI_CLIENT_CONTEXT pAuthzClientContext;
  498. //
  499. // Results of the maximum allowed static access.
  500. //
  502. DWORD ResultListLength;
  503. ACCESS_MASK GrantedAccessMask[ANYSIZE_ARRAY];
  504. };
  507. //
  508. // This structure stores per access audit information. The structure
  509. // is opaque and initialized with AuthzInitAuditInfo
  510. //
  512. typedef struct _AUTHZI_AUDIT_EVENT
  513. {
  515. //
  516. // size of allocated blob for this structure
  517. //
  519. DWORD dwSize;
  521. //
  522. // Flags are specified in authz.h, and this single private flag for DS callers.
  523. //
  525. DWORD Flags;
  527. //
  528. // AuditParams used for audit if available. If no AuditParams is available
  529. // and the audit id is SE_AUDITID_OBJECT_OPERATION then Authz will construct a
  530. // suitable structure.
  531. //
  533. PAUDIT_PARAMS pAuditParams;
  535. //
  536. // Structure defining the Audit Event category and id
  537. //
  539. AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAET;
  541. //
  542. // millisecond timeout value
  543. //
  545. DWORD dwTimeOut;
  547. //
  548. // RM specified strings describing this event.
  549. //
  551. PWSTR szOperationType;
  552. PWSTR szObjectType;
  553. PWSTR szObjectName;
  554. PWSTR szAdditionalInfo;
  556. AUTHZ_AUDIT_QUEUE_HANDLE hAuditQueue;
  558. } AUTHZI_AUDIT_EVENT, *PAUTHZI_AUDIT_EVENT;
  560. //
  561. // structure to maintain queue of audits to be sent to LSA
  562. //
  564. typedef struct _AUTHZ_AUDIT_QUEUE_ENTRY
  565. {
  566. LIST_ENTRY list;
  567. PAUTHZ_AUDIT_EVENT_TYPE_OLD pAAETO;
  568. DWORD Flags;
  569. AUDIT_PARAMS * pAuditParams;
  570. PVOID pReserved;
  571. } AUTHZ_AUDIT_QUEUE_ENTRY, *PAUTHZ_AUDIT_QUEUE_ENTRY;
  573. //
  574. // Enumeration type to be used to specify what type of coloring should be
  575. // passed on to the rest of the tree starting at a given node.
  576. // Deny gets propagted down the entire subtree as well as to all the
  577. // ancestors (but NOT to siblings and below)
  578. // Grants get propagated down the subtree. When a grant exists on all the
  579. // siblings the parent automatically gets it.
  580. // Remaining is propagated downwards. The remaining on the parent is a
  581. // logical OR of the remaining bits on all the children.
  582. //
  584. typedef enum {
  585. AuthzUpdateRemaining = 1,
  586. AuthzUpdateCurrentGranted,
  587. AuthzUpdateCurrentDenied
  588. } ACCESS_MASK_FIELD_TO_UPDATE;
  590. //
  591. // Enumeration type to be used to specify the kind of well known sid for context
  592. // changes. We are not going to support these unless we get a requirement.
  593. //
  595. typedef enum _AUTHZ_WELL_KNOWN_SID_TYPE
  596. {
  597. AuthzWorldSid = 1,
  598. AuthzUserSid,
  599. AuthzAdminSid,
  600. AuthzDomainAdminSid,
  601. AuthzAuthenticatedUsersSid,
  602. AuthzSystemSid
  603. } AUTHZ_WELL_KNOWN_SID_TYPE;
  605. BOOL
  606. AuthzpVerifyAccessCheckArguments(
  607. IN PAUTHZI_CLIENT_CONTEXT pCC,
  608. IN PAUTHZ_ACCESS_REQUEST pRequest,
  609. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  610. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  611. IN DWORD OptionalSecurityDescriptorCount,
  612. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  613. IN OUT PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults OPTIONAL
  614. );
  616. BOOL
  617. AuthzpVerifyOpenObjectArguments(
  618. IN PAUTHZI_CLIENT_CONTEXT pCC,
  619. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  620. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  621. IN DWORD OptionalSecurityDescriptorCount,
  622. IN PAUTHZI_AUDIT_EVENT pAuditEvent
  623. );
  625. BOOL
  626. AuthzpCaptureObjectTypeList(
  627. IN POBJECT_TYPE_LIST ObjectTypeList,
  628. IN DWORD ObjectTypeLocalTypeListLength,
  629. OUT PIOBJECT_TYPE_LIST *CapturedObjectTypeList,
  630. OUT PIOBJECT_TYPE_LIST *CapturedCachingObjectTypeList OPTIONAL
  631. );
  633. VOID
  634. AuthzpFillReplyStructure(
  635. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  636. IN DWORD Error,
  637. IN ACCESS_MASK GrantedAccess
  638. );
  640. BOOL
  641. AuthzpMaximumAllowedAccessCheck(
  642. IN PAUTHZI_CLIENT_CONTEXT pCC,
  643. IN PAUTHZ_ACCESS_REQUEST pRequest,
  644. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  645. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  646. IN DWORD OptionalSecurityDescriptorCount,
  647. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  648. IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL,
  649. IN DWORD LocalTypeListLength,
  650. IN BOOL ObjectTypeListPresent,
  651. OUT PDWORD pCachingFlags
  652. );
  654. BOOL
  655. AuthzpMaximumAllowedMultipleSDAccessCheck(
  656. IN PAUTHZI_CLIENT_CONTEXT pCC,
  657. IN PAUTHZ_ACCESS_REQUEST pRequest,
  658. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  659. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  660. IN DWORD OptionalSecurityDescriptorCount,
  661. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  662. IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL,
  663. IN DWORD LocalTypeListLength,
  664. IN BOOL ObjectTypeListPresent,
  665. IN BOOL Restricted,
  666. OUT PDWORD pCachingFlags
  667. );
  669. BOOL
  670. AuthzpMaximumAllowedSingleAclAccessCheck(
  671. IN PAUTHZI_CLIENT_CONTEXT pCC,
  672. IN PSID_AND_ATTRIBUTES pSidAttr,
  673. IN DWORD SidCount,
  674. IN PAUTHZI_SID_HASH_ENTRY pHash,
  675. IN PAUTHZ_ACCESS_REQUEST pRequest,
  676. IN PACL pAcl,
  677. IN PSID pOwnerSid,
  678. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  679. IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL,
  680. IN DWORD LocalTypeListLength,
  681. IN BOOL ObjectTypeListPresent,
  682. OUT PDWORD pCachingFlags
  683. );
  686. BOOL
  687. AuthzpSidApplicable(
  688. IN DWORD SidCount,
  689. IN PSID_AND_ATTRIBUTES pSidAttr,
  690. IN PAUTHZI_SID_HASH_ENTRY pHash,
  691. IN PSID pSid,
  692. IN PSID PrincipalSelfSid,
  693. IN PSID CreatorOwnerSid,
  694. IN BOOL DenyAce,
  695. OUT PDWORD pCachingFlags
  696. );
  698. BOOL
  699. AuthzpAccessCheckWithCaching(
  700. IN DWORD Flags,
  701. IN PAUTHZI_CLIENT_CONTEXT pCC,
  702. IN PAUTHZ_ACCESS_REQUEST pRequest,
  703. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  704. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  705. IN DWORD OptionalSecurityDescriptorCount,
  706. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  707. OUT PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults OPTIONAL,
  708. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  709. IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL,
  710. IN DWORD LocalTypeListLength
  711. );
  713. BOOL
  714. AuthzpNormalAccessCheckWithoutCaching(
  715. IN PAUTHZI_CLIENT_CONTEXT pCC,
  716. IN PAUTHZ_ACCESS_REQUEST pRequest,
  717. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  718. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  719. IN DWORD OptionalSecurityDescriptorCount,
  720. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  721. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  722. IN DWORD LocalTypeListLength
  723. );
  725. BOOL
  726. AuthzpNormalMultipleSDAccessCheck(
  727. IN PAUTHZI_CLIENT_CONTEXT pCC,
  728. IN PSID_AND_ATTRIBUTES pSidAttr,
  729. IN DWORD SidCount,
  730. IN PAUTHZI_SID_HASH_ENTRY pSidHash,
  731. IN ACCESS_MASK Remaining,
  732. IN PAUTHZ_ACCESS_REQUEST pRequest,
  733. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  734. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  735. IN DWORD OptionalSecurityDescriptorCount,
  736. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  737. IN DWORD LocalTypeListLength
  738. );
  740. BOOL
  741. AuthzpOwnerSidInClientContext(
  742. IN PAUTHZI_CLIENT_CONTEXT pCC,
  743. IN PISECURITY_DESCRIPTOR pSecurityDescriptor
  744. );
  746. BOOL
  747. AuthzpNormalAccessCheck(
  748. IN PAUTHZI_CLIENT_CONTEXT pCC,
  749. IN PSID_AND_ATTRIBUTES pSidAttr,
  750. IN DWORD SidCount,
  751. IN PAUTHZI_SID_HASH_ENTRY pSidHash,
  752. IN ACCESS_MASK Remaining,
  753. IN PAUTHZ_ACCESS_REQUEST pRequest,
  754. IN PACL pAcl,
  755. IN PSID pOwnerSid,
  756. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  757. IN DWORD LocalTypeListLength
  758. );
  760. BOOL
  761. AuthzpQuickMaximumAllowedAccessCheck(
  762. IN PAUTHZI_CLIENT_CONTEXT pCC,
  763. IN PAUTHZI_HANDLE pAH,
  764. IN PAUTHZ_ACCESS_REQUEST pRequest,
  765. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  766. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  767. IN DWORD LocalTypeListLength
  768. );
  770. BOOL
  771. AuthzpQuickNormalAccessCheck(
  772. IN PAUTHZI_CLIENT_CONTEXT pCC,
  773. IN PAUTHZI_HANDLE pAH,
  774. IN PAUTHZ_ACCESS_REQUEST pRequest,
  775. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  776. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  777. IN DWORD LocalTypeListLength
  778. );
  780. BOOL
  781. AuthzpAllowOnlyNormalMultipleSDAccessCheck(
  782. IN PAUTHZI_CLIENT_CONTEXT pCC,
  783. IN PSID_AND_ATTRIBUTES pSidAttr,
  784. IN DWORD SidCount,
  785. IN PAUTHZI_SID_HASH_ENTRY pSidHash,
  786. IN ACCESS_MASK Remaining,
  787. IN PAUTHZ_ACCESS_REQUEST pRequest,
  788. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  789. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  790. IN DWORD OptionalSecurityDescriptorCount,
  791. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  792. IN DWORD LocalTypeListLength
  793. );
  795. BOOL
  796. AuthzpAllowOnlyNormalSingleAclAccessCheck(
  797. IN PAUTHZI_CLIENT_CONTEXT pCC,
  798. IN PSID_AND_ATTRIBUTES pSidAttr,
  799. IN DWORD SidCount,
  800. IN PAUTHZI_SID_HASH_ENTRY pSidHash,
  801. IN ACCESS_MASK Remaining,
  802. IN PAUTHZ_ACCESS_REQUEST pRequest,
  803. IN PACL pAcl,
  804. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  805. IN DWORD LocalTypeListLength
  806. );
  808. BOOL
  809. AuthzpAllowOnlySidApplicable(
  810. IN DWORD SidCount,
  811. IN PSID_AND_ATTRIBUTES pSidAttr,
  812. IN PAUTHZI_SID_HASH_ENTRY pSidHash,
  813. IN PSID pSid
  814. );
  817. VOID
  818. AuthzpAddAccessTypeList (
  819. IN PIOBJECT_TYPE_LIST ObjectTypeList,
  820. IN DWORD ObjectTypeListLength,
  821. IN DWORD StartIndex,
  822. IN ACCESS_MASK AccessMask,
  823. IN ACCESS_MASK_FIELD_TO_UPDATE FieldToUpdate
  824. );
  826. BOOL
  827. AuthzpObjectInTypeList (
  828. IN GUID *ObjectType,
  829. IN PIOBJECT_TYPE_LIST ObjectTypeList,
  830. IN DWORD ObjectTypeListLength,
  831. OUT PDWORD ReturnedIndex
  832. );
  834. BOOL
  835. AuthzpCacheResults(
  836. IN DWORD Flags,
  837. IN PAUTHZI_CLIENT_CONTEXT pCC,
  838. IN PIOBJECT_TYPE_LIST LocalCachingTypeList,
  839. IN DWORD LocalTypeListLength,
  840. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  841. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  842. IN DWORD OptionalSecurityDescriptorCount,
  843. IN DWORD CachingFlags,
  844. IN PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults
  845. );
  848. BOOL
  849. AuthzpVerifyCachedAccessCheckArguments(
  850. IN PAUTHZI_HANDLE pAH,
  851. IN PAUTHZ_ACCESS_REQUEST pRequest,
  852. IN OUT PAUTHZ_ACCESS_REPLY pReply
  853. );
  855. BOOL
  856. AuthzpAllowOnlyMaximumAllowedMultipleSDAccessCheck(
  857. IN PAUTHZI_CLIENT_CONTEXT pCC,
  858. IN PAUTHZ_ACCESS_REQUEST pRequest,
  859. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  860. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  861. IN DWORD OptionalSecurityDescriptorCount,
  862. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  863. IN DWORD LocalTypeListLength,
  864. IN BOOL ObjectTypeListPresent,
  865. IN BOOL Restricted
  866. );
  868. BOOL
  869. AuthzpAllowOnlyMaximumAllowedSingleAclAccessCheck(
  870. IN PAUTHZI_CLIENT_CONTEXT pCC,
  871. IN PSID_AND_ATTRIBUTES pSidAttr,
  872. IN DWORD SidCount,
  873. IN PAUTHZI_SID_HASH_ENTRY pSidHash,
  874. IN PAUTHZ_ACCESS_REQUEST pRequest,
  875. IN PACL pAcl,
  876. IN PSID pOwnerSid,
  877. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  878. IN DWORD LocalTypeListLength,
  879. IN BOOL ObjectTypeListPresent
  880. );
  882. VOID
  883. AuthzpAddAccessTypeList (
  884. IN OUT PIOBJECT_TYPE_LIST ObjectTypeList,
  885. IN DWORD ObjectTypeListLength,
  886. IN DWORD StartIndex,
  887. IN ACCESS_MASK AccessMask,
  888. IN ACCESS_MASK_FIELD_TO_UPDATE FieldToUpdate
  889. );
  891. VOID
  892. AuthzpUpdateParentTypeList(
  893. IN OUT PIOBJECT_TYPE_LIST ObjectTypeList,
  894. IN DWORD ObjectTypeListLength,
  895. IN DWORD StartIndex
  896. );
  898. BOOL
  899. AuthzpObjectInTypeList (
  900. IN GUID *ObjectType,
  901. IN PIOBJECT_TYPE_LIST ObjectTypeList,
  902. IN DWORD ObjectTypeListLength,
  903. OUT PDWORD ReturnedIndex
  904. );
  907. BOOL
  908. AuthzpGenerateAudit(
  909. IN PAUTHZI_CLIENT_CONTEXT pCC,
  910. IN PAUTHZ_ACCESS_REQUEST pRequest,
  911. IN PAUTHZI_AUDIT_EVENT pAuditEvent,
  912. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  913. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  914. IN DWORD OptionalSecurityDescriptorCount,
  915. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  916. IN OUT PIOBJECT_TYPE_LIST LocalTypeList
  917. );
  919. BOOL
  920. AuthzpCopySidsAndAttributes(
  921. IN OUT PSID_AND_ATTRIBUTES DestSidAttr,
  922. IN PSID_AND_ATTRIBUTES SidAttr1,
  923. IN DWORD Count1,
  924. IN PSID_AND_ATTRIBUTES SidAttr2,
  925. IN DWORD Count2
  926. );
  928. VOID
  929. AuthzpCopyLuidAndAttributes(
  930. IN PAUTHZI_CLIENT_CONTEXT pCC,
  931. IN PLUID_AND_ATTRIBUTES Source,
  932. IN DWORD Count,
  933. IN OUT PLUID_AND_ATTRIBUTES Destination
  934. );
  936. BOOL
  937. AuthzpDefaultAccessCheck(
  938. IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
  939. IN PACE_HEADER pAce,
  940. IN PVOID pArgs OPTIONAL,
  941. IN OUT PBOOL pbAceApplicable
  942. );
  944. VOID
  945. AuthzPrintContext(
  946. IN PAUTHZI_CLIENT_CONTEXT pCC
  947. );
  949. VOID
  950. AuthzpFillReplyFromParameters(
  951. IN PAUTHZ_ACCESS_REQUEST pRequest,
  952. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  953. IN PIOBJECT_TYPE_LIST LocalTypeList
  954. );
  956. BOOL
  957. AuthzpGetAllGroupsBySid(
  958. IN PSID pUserSid,
  959. IN DWORD Flags,
  960. OUT PSID_AND_ATTRIBUTES *ppSidAttr,
  961. OUT PDWORD pSidCount,
  962. OUT PDWORD pSidLength
  963. );
  965. BOOL
  966. AuthzpGetAllGroupsByName(
  967. IN PUNICODE_STRING pusUserName,
  968. IN PUNICODE_STRING pusDomainName,
  969. IN DWORD Flags,
  970. OUT PSID_AND_ATTRIBUTES *ppSidAttr,
  971. OUT PDWORD pSidCount,
  972. OUT PDWORD pSidLength
  973. );
  975. BOOL
  976. AuthzpAllocateAndInitializeClientContext(
  977. OUT PAUTHZI_CLIENT_CONTEXT *ppCC,
  978. IN PAUTHZI_CLIENT_CONTEXT Server,
  979. IN DWORD Revision,
  980. IN LUID Identifier,
  981. IN LARGE_INTEGER ExpirationTime,
  982. IN DWORD Flags,
  983. IN DWORD SidCount,
  984. IN DWORD SidLength,
  985. IN PSID_AND_ATTRIBUTES Sids,
  986. IN DWORD RestrictedSidCount,
  987. IN DWORD RestrictedSidLength,
  988. IN PSID_AND_ATTRIBUTES RestrictedSids,
  989. IN DWORD PrivilegeCount,
  990. IN DWORD PrivilegeLength,
  991. IN PLUID_AND_ATTRIBUTES Privileges,
  992. IN LUID AuthenticationId,
  993. IN PAUTHZI_HANDLE AuthzHandleHead,
  994. IN PAUTHZI_RESOURCE_MANAGER pRM
  995. );
  997. BOOL
  998. AuthzpAddDynamicSidsToToken(
  999. IN PAUTHZI_CLIENT_CONTEXT pCC,
  1000. IN PAUTHZI_RESOURCE_MANAGER pRM,
  1001. IN PVOID DynamicGroupsArgs,
  1002. IN PSID_AND_ATTRIBUTES Sids,
  1003. IN DWORD SidLength,
  1004. IN DWORD SidCount,
  1005. IN PSID_AND_ATTRIBUTES RestrictedSids,
  1006. IN DWORD RestrictedSidLength,
  1007. IN DWORD RestrictedSidCount,
  1008. IN PLUID_AND_ATTRIBUTES Privileges,
  1009. IN DWORD PrivilegeLength,
  1010. IN DWORD PrivilegeCount,
  1011. IN BOOL bAllocated
  1012. );
  1014. BOOL
  1015. AuthzpExamineSingleSacl(
  1016. IN PAUTHZI_CLIENT_CONTEXT pCC,
  1017. IN PAUTHZ_ACCESS_REQUEST pRequest,
  1018. IN ACCESS_MASK AccessMask,
  1019. IN PACL pAcl,
  1020. IN PSID pOwnerSid,
  1021. IN UCHAR AuditMaskType,
  1022. IN BOOL bMaximumFailed,
  1023. OUT PAUTHZ_ACCESS_REPLY pReply,
  1024. OUT PBOOL pbGenerateAudit
  1025. );
  1027. BOOL
  1028. AuthzpExamineSacl(
  1029. IN PAUTHZI_CLIENT_CONTEXT pCC,
  1030. IN PAUTHZ_ACCESS_REQUEST pRequest,
  1031. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  1032. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  1033. IN DWORD OptionalSecurityDescriptorCount,
  1034. IN PAUTHZ_ACCESS_REPLY pReply,
  1035. OUT PBOOL pbGenerateAudit
  1036. );
  1039. BOOL
  1040. AuthzpExamineSaclForObjectTypeList(
  1041. IN PAUTHZI_CLIENT_CONTEXT pCC,
  1042. IN PAUTHZ_ACCESS_REQUEST pRequest,
  1043. IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
  1044. IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
  1045. IN DWORD OptionalSecurityDescriptorCount,
  1046. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  1047. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  1048. OUT PBOOL pbGenerateSuccessAudit,
  1049. OUT PBOOL pbGenerateFailureAudit
  1050. );
  1052. BOOL
  1053. AuthzpExamineSingleSaclForObjectTypeList(
  1054. IN PAUTHZI_CLIENT_CONTEXT pCC,
  1055. IN PAUTHZ_ACCESS_REQUEST pRequest,
  1056. IN PACL pAcl,
  1057. IN PSID pOwnerSid,
  1058. IN PAUTHZ_ACCESS_REPLY pReply,
  1059. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  1060. OUT PBOOL pbGenerateSuccessAudit,
  1061. OUT PBOOL pbGenerateFailureAudit
  1062. );
  1064. VOID
  1065. AuthzpSetAuditInfoForObjectType(
  1066. IN PAUTHZ_ACCESS_REPLY pReply,
  1067. IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
  1068. IN DWORD StartIndex,
  1069. IN ACCESS_MASK AceAccessMask,
  1070. IN ACCESS_MASK DesiredAccessMask,
  1071. IN UCHAR AceFlags,
  1072. OUT PBOOL pbGenerateSuccessAudit,
  1073. OUT PBOOL pbGenerateFailureAudit
  1074. );
  1076. BOOL
  1077. AuthzpCreateAndLogAudit(
  1078. IN DWORD AuditTypeFlag,
  1079. IN PAUTHZI_CLIENT_CONTEXT pAuthzClientContext,
  1080. IN PAUTHZI_AUDIT_EVENT pAuditEvent,
  1081. IN PAUTHZI_RESOURCE_MANAGER pRM,
  1082. IN PIOBJECT_TYPE_LIST LocalTypeList,
  1083. IN PAUTHZ_ACCESS_REQUEST pRequest,
  1084. IN PAUTHZ_ACCESS_REPLY pReply
  1085. );
  1087. VOID
  1088. AuthzpFillReplyStructureFromCachedGrantedAccessMask(
  1089. IN OUT PAUTHZ_ACCESS_REPLY pReply,
  1090. IN ACCESS_MASK DesiredAccess,
  1091. IN PACCESS_MASK GrantedAccessMask
  1092. );
  1094. BOOL
  1095. AuthzpSendAuditToLsa(
  1096. IN AUDIT_HANDLE hAuditContext,
  1097. IN DWORD Flags,
  1098. IN PAUDIT_PARAMS pAuditParams,
  1099. IN PVOID Reserved
  1100. );
  1102. BOOL
  1103. AuthzpEnQueueAuditEvent(
  1104. PAUTHZI_AUDIT_QUEUE pQueue,
  1105. PAUTHZ_AUDIT_QUEUE_ENTRY pAudit
  1106. );
  1108. BOOL
  1109. AuthzpEnQueueAuditEventMonitor(
  1110. PAUTHZI_AUDIT_QUEUE pQueue,
  1111. PAUTHZ_AUDIT_QUEUE_ENTRY pAudit
  1112. );
  1114. BOOL
  1115. AuthzpMarshallAuditParams(
  1116. OUT PAUDIT_PARAMS * ppMarshalledAuditParams,
  1117. IN PAUDIT_PARAMS pAuditParams
  1118. );
  1120. ULONG
  1121. AuthzpDeQueueThreadWorker(
  1122. LPVOID lpParameter
  1123. );
  1125. #define AUTHZ_SID_HASH_LOW_MASK 0xf
  1126. #define AUTHZ_SID_HASH_HIGH_MASK 0xf0
  1127. #define AUTHZ_SID_HASH_HIGH 16
  1128. #define AUTHZ_SID_HASH_LOOKUP(table, byte) (((table)[(byte) & 0xf]) & ((table)[AUTHZ_SID_HASH_HIGH + (((byte) & 0xf0) >> 4)]))
  1130. VOID
  1131. AuthzpInitSidHash(
  1132. IN PSID_AND_ATTRIBUTES pSidAttr,
  1133. IN ULONG SidCount,
  1134. OUT PAUTHZI_SID_HASH_ENTRY pHash
  1135. );
  1137. BOOL
  1138. AuthzpGetThreadTokenInfo(
  1139. OUT PSID* pUserSid,
  1140. OUT PLUID pAuthenticationId
  1141. );
  1143. BOOL
  1144. AuthzpGetProcessTokenInfo(
  1145. OUT PSID* ppUserSid,
  1146. OUT PLUID pAuthenticationId
  1147. );
  1149. VOID
  1150. AuthzpReferenceAuditEventType(
  1151. IN AUTHZ_AUDIT_EVENT_TYPE_HANDLE
  1152. );
  1153. BOOL
  1154. AuthzpDereferenceAuditEventType(
  1155. IN OUT AUTHZ_AUDIT_EVENT_TYPE_HANDLE
  1156. );
  1158. BOOL
  1159. AuthzpEveryoneIncludesAnonymous(
  1160. );
  1162. #endif