archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/base/ntos/se/privileg.c

584 lines
14 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1989 Microsoft Corporation
  5. Module Name:
  7. Privileg.c
  9. Abstract:
  11. This Module implements the privilege check procedures.
  13. Author:
  15. Robert Reichel (robertre) 26-Nov-90
  17. Environment:
  19. Kernel Mode
  21. Revision History:
  23. --*/
  25. #include "pch.h"
  27. #pragma hdrstop
  30. #ifdef ALLOC_PRAGMA
  31. #pragma alloc_text(PAGE,NtPrivilegeCheck)
  32. #pragma alloc_text(PAGE,SeCheckPrivilegedObject)
  33. #pragma alloc_text(PAGE,SepPrivilegeCheck)
  34. #pragma alloc_text(PAGE,SePrivilegeCheck)
  35. #pragma alloc_text(PAGE,SeSinglePrivilegeCheck)
  36. #endif
  39. BOOLEAN
  40. SepPrivilegeCheck(
  41. IN PTOKEN Token,
  42. IN OUT PLUID_AND_ATTRIBUTES RequiredPrivileges,
  43. IN ULONG RequiredPrivilegeCount,
  44. IN ULONG PrivilegeSetControl,
  45. IN KPROCESSOR_MODE PreviousMode
  46. )
  47. /*++
  49. Routine Description:
  51. Worker routine for SePrivilegeCheck
  53. Arguments:
  55. Token - The user's effective token.
  57. RequiredPrivileges - A privilege set describing the required
  58. privileges. The UsedForAccess bits will be set in any privilege
  59. that is actually used (usually all of them).
  61. RequiredPrivilegeCount - How many privileges are in the
  62. RequiredPrivileges set.
  64. PrivilegeSetControl - Describes how many privileges are required.
  66. PreviousMode - The previous processor mode.
  68. Return Value:
  70. Returns TRUE if requested privileges are granted, FALSE otherwise.
  72. --*/
  74. {
  75. PLUID_AND_ATTRIBUTES CurrentRequiredPrivilege;
  76. PLUID_AND_ATTRIBUTES CurrentTokenPrivilege;
  78. BOOLEAN RequiredAll;
  80. ULONG TokenPrivilegeCount;
  81. ULONG MatchCount = 0;
  83. ULONG i;
  84. ULONG j;
  86. PAGED_CODE();
  88. //
  89. // Take care of kernel callers first
  90. //
  92. if (PreviousMode == KernelMode) {
  94. return(TRUE);
  96. }
  98. TokenPrivilegeCount = Token->PrivilegeCount;
  100. //
  101. // Save whether we require ALL of them or ANY
  102. //
  104. RequiredAll = (BOOLEAN)(PrivilegeSetControl & PRIVILEGE_SET_ALL_NECESSARY);
  106. SepAcquireTokenReadLock( Token );
  109. for ( i = 0 , CurrentRequiredPrivilege = RequiredPrivileges ;
  110. i < RequiredPrivilegeCount ;
  111. i++, CurrentRequiredPrivilege++ ) {
  113. for ( j = 0, CurrentTokenPrivilege = Token->Privileges;
  114. j < TokenPrivilegeCount ;
  115. j++, CurrentTokenPrivilege++ ) {
  117. if ((CurrentTokenPrivilege->Attributes & SE_PRIVILEGE_ENABLED) &&
  118. (RtlEqualLuid(&CurrentTokenPrivilege->Luid,
  119. &CurrentRequiredPrivilege->Luid))
  120. ) {
  122. CurrentRequiredPrivilege->Attributes |=
  123. SE_PRIVILEGE_USED_FOR_ACCESS;
  124. MatchCount++;
  125. break; // start looking for next one
  126. }
  128. }
  130. }
  132. SepReleaseTokenReadLock( Token );
  134. //
  135. // If we wanted ANY and didn't get any, return failure.
  136. //
  138. if (!RequiredAll && (MatchCount == 0)) {
  140. return (FALSE);
  142. }
  144. //
  145. // If we wanted ALL and didn't get all, return failure.
  146. //
  148. if (RequiredAll && (MatchCount != RequiredPrivilegeCount)) {
  150. return(FALSE);
  151. }
  153. return(TRUE);
  155. }
  160. BOOLEAN
  161. SePrivilegeCheck(
  162. IN OUT PPRIVILEGE_SET RequiredPrivileges,
  163. IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext,
  164. IN KPROCESSOR_MODE AccessMode
  165. )
  166. /*++
  168. Routine Description:
  170. This routine checks to see if the token contains the specified
  171. privileges.
  173. Arguments:
  175. RequiredPrivileges - Points to a set of privileges. The subject's
  176. security context is to be checked to see which of the specified
  177. privileges are present. The results will be indicated in the
  178. attributes associated with each privilege. Note that
  179. flags in this parameter indicate whether all the privileges listed
  180. are needed, or any of the privileges.
  182. SubjectSecurityContext - A pointer to the subject's captured security
  183. context.
  185. AccessMode - Indicates the access mode to use for access check. One of
  186. UserMode or KernelMode. If the mode is kernel, then all privileges
  187. will be marked as being possessed by the subject, and successful
  188. completion status is returned.
  191. Return Value:
  193. BOOLEAN - TRUE if all specified privileges are held by the subject,
  194. otherwise FALSE.
  197. --*/
  199. {
  200. BOOLEAN Status;
  202. PAGED_CODE();
  204. //
  205. // If we're impersonating a client, we have to be at impersonation level
  206. // of SecurityImpersonation or above.
  207. //
  209. if ( (SubjectSecurityContext->ClientToken != NULL) &&
  210. (SubjectSecurityContext->ImpersonationLevel < SecurityImpersonation)
  211. ) {
  213. return(FALSE);
  214. }
  216. //
  217. // SepPrivilegeCheck locks the passed token for read access
  218. //
  220. Status = SepPrivilegeCheck(
  221. EffectiveToken( SubjectSecurityContext ),
  222. RequiredPrivileges->Privilege,
  223. RequiredPrivileges->PrivilegeCount,
  224. RequiredPrivileges->Control,
  225. AccessMode
  226. );
  228. return(Status);
  229. }
  233. NTSTATUS
  234. NtPrivilegeCheck(
  235. IN HANDLE ClientToken,
  236. IN OUT PPRIVILEGE_SET RequiredPrivileges,
  237. OUT PBOOLEAN Result
  238. )
  240. /*++
  242. Routine Description:
  244. This routine tests the caller's client's security context to see if it
  245. contains the specified privileges.
  247. This API requires the caller have SeTcbPrivilege privilege. The test
  248. for this privilege is always against the primary token of the calling
  249. process, not the impersonation token of the thread.
  252. Arguments:
  254. ClientToken - A handle to a token object representing a client
  255. attempting access. This handle must be obtained from a
  256. communication session layer, such as from an LPC Port or Local
  257. Named Pipe, to prevent possible security policy violations.
  259. RequiredPrivileges - Points to a set of privileges. The client's
  260. security context is to be checked to see which of the specified
  261. privileges are present. The results will be indicated in the
  262. attributes associated with each privilege. Note that
  263. flags in this parameter indicate whether all the privileges listed
  264. are needed, or any of the privileges.
  266. Result - Receives a boolean flag indicating whether the client has all
  267. the specified privileges or not. A value of TRUE indicates the
  268. client has all the specified privileges. Otherwise a value of
  269. FALSE is returned.
  273. Return Value:
  275. STATUS_SUCCESS - Indicates the call completed successfully.
  277. STATUS_PRIVILEGE_NOT_HELD - Indicates the caller does not have
  278. sufficient privilege to use this privileged system service.
  280. --*/
  284. {
  285. BOOLEAN BStatus;
  286. KPROCESSOR_MODE PreviousMode;
  287. NTSTATUS Status;
  288. PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL;
  289. PTOKEN Token = NULL;
  290. ULONG CapturedPrivilegeCount = 0;
  291. ULONG CapturedPrivilegesLength = 0;
  292. ULONG ParameterLength = 0;
  293. ULONG PrivilegeSetControl = 0;
  295. PAGED_CODE();
  297. PreviousMode = KeGetPreviousMode();
  299. Status = ObReferenceObjectByHandle(
  300. ClientToken, // Handle
  301. TOKEN_QUERY, // DesiredAccess
  302. SeTokenObjectType, // ObjectType
  303. PreviousMode, // AccessMode
  304. (PVOID *)&Token, // Object
  305. NULL // GrantedAccess
  306. );
  308. if ( !NT_SUCCESS(Status) ) {
  309. return Status;
  311. }
  313. //
  314. // If the passed token is an impersonation token, make sure
  315. // it is at SecurityIdentification or above.
  316. //
  318. if (Token->TokenType == TokenImpersonation) {
  320. if (Token->ImpersonationLevel < SecurityIdentification) {
  322. ObDereferenceObject( (PVOID)Token );
  324. return( STATUS_BAD_IMPERSONATION_LEVEL );
  326. }
  327. }
  329. try {
  331. //
  332. // Capture passed Privilege Set
  333. //
  335. ProbeForWriteSmallStructure(
  336. RequiredPrivileges,
  337. sizeof(PRIVILEGE_SET),
  338. sizeof(ULONG)
  339. );
  341. CapturedPrivilegeCount = RequiredPrivileges->PrivilegeCount;
  343. if (!IsValidElementCount(CapturedPrivilegeCount, LUID_AND_ATTRIBUTES)) {
  344. Status = STATUS_INVALID_PARAMETER;
  345. leave;
  346. }
  347. ParameterLength = (ULONG)sizeof(PRIVILEGE_SET) +
  348. ((CapturedPrivilegeCount - ANYSIZE_ARRAY) *
  349. (ULONG)sizeof(LUID_AND_ATTRIBUTES) );
  351. ProbeForWrite(
  352. RequiredPrivileges,
  353. ParameterLength,
  354. sizeof(ULONG)
  355. );
  358. ProbeForWriteBoolean(Result);
  360. PrivilegeSetControl = RequiredPrivileges->Control;
  363. } except(EXCEPTION_EXECUTE_HANDLER) {
  364. Status = GetExceptionCode();
  365. }
  367. if (!NT_SUCCESS(Status)) {
  368. ObDereferenceObject( (PVOID)Token );
  369. return Status;
  371. }
  373. Status = SeCaptureLuidAndAttributesArray(
  374. (RequiredPrivileges->Privilege),
  375. CapturedPrivilegeCount,
  376. UserMode,
  377. NULL, 0,
  378. PagedPool,
  379. TRUE,
  380. &CapturedPrivileges,
  381. &CapturedPrivilegesLength
  382. );
  384. if (!NT_SUCCESS(Status)) {
  386. ObDereferenceObject( (PVOID)Token );
  387. return Status;
  388. }
  390. BStatus = SepPrivilegeCheck(
  391. Token, // Token,
  392. CapturedPrivileges, // RequiredPrivileges,
  393. CapturedPrivilegeCount, // RequiredPrivilegeCount,
  394. PrivilegeSetControl, // PrivilegeSetControl
  395. PreviousMode // PreviousMode
  396. );
  398. ObDereferenceObject( Token );
  401. try {
  403. //
  404. // copy the modified privileges buffer back to user
  405. //
  407. RtlCopyMemory(
  408. RequiredPrivileges->Privilege,
  409. CapturedPrivileges,
  410. CapturedPrivilegesLength
  411. );
  413. *Result = BStatus;
  415. } except (EXCEPTION_EXECUTE_HANDLER) {
  417. SeReleaseLuidAndAttributesArray(
  418. CapturedPrivileges,
  419. PreviousMode,
  420. TRUE
  421. );
  423. return(GetExceptionCode());
  425. }
  427. SeReleaseLuidAndAttributesArray(
  428. CapturedPrivileges,
  429. PreviousMode,
  430. TRUE
  431. );
  433. return( STATUS_SUCCESS );
  434. }
  438. BOOLEAN
  439. SeSinglePrivilegeCheck(
  440. LUID PrivilegeValue,
  441. KPROCESSOR_MODE PreviousMode
  442. )
  444. /*++
  446. Routine Description:
  448. This function will check for the passed privilege value in the
  449. current context.
  451. Arguments:
  453. PrivilegeValue - The value of the privilege being checked.
  456. Return Value:
  458. TRUE - The current subject has the desired privilege.
  460. FALSE - The current subject does not have the desired privilege.
  461. --*/
  463. {
  464. BOOLEAN AccessGranted;
  465. PRIVILEGE_SET RequiredPrivileges;
  466. SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
  468. PAGED_CODE();
  470. //
  471. // Make sure the caller has the privilege to make this
  472. // call.
  473. //
  475. RequiredPrivileges.PrivilegeCount = 1;
  476. RequiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY;
  477. RequiredPrivileges.Privilege[0].Luid = PrivilegeValue;
  478. RequiredPrivileges.Privilege[0].Attributes = 0;
  480. SeCaptureSubjectContext( &SubjectSecurityContext );
  482. AccessGranted = SePrivilegeCheck(
  483. &RequiredPrivileges,
  484. &SubjectSecurityContext,
  485. PreviousMode
  486. );
  488. if ( PreviousMode != KernelMode ) {
  490. SePrivilegedServiceAuditAlarm (
  491. NULL,
  492. &SubjectSecurityContext,
  493. &RequiredPrivileges,
  494. AccessGranted
  495. );
  496. }
  499. SeReleaseSubjectContext( &SubjectSecurityContext );
  501. return( AccessGranted );
  503. }
  506. BOOLEAN
  507. SeCheckPrivilegedObject(
  508. LUID PrivilegeValue,
  509. HANDLE ObjectHandle,
  510. ACCESS_MASK DesiredAccess,
  511. KPROCESSOR_MODE PreviousMode
  512. )
  514. /*++
  516. Routine Description:
  518. This function will check for the passed privilege value in the
  519. current context, and generate audits as appropriate.
  521. Arguments:
  523. PrivilegeValue - The value of the privilege being checked.
  525. Object - Specifies a pointer to the object being accessed.
  527. ObjectHandle - Specifies the object handle being used.
  529. DesiredAccess - The desired access mask, if any
  531. PreviousMode - The previous processor mode
  534. Return Value:
  536. TRUE - The current subject has the desired privilege.
  538. FALSE - The current subject does not have the desired privilege.
  539. --*/
  541. {
  542. BOOLEAN AccessGranted;
  543. PRIVILEGE_SET RequiredPrivileges;
  544. SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
  546. PAGED_CODE();
  548. //
  549. // Make sure the caller has the privilege to make this
  550. // call.
  551. //
  553. RequiredPrivileges.PrivilegeCount = 1;
  554. RequiredPrivileges.Control = PRIVILEGE_SET_ALL_NECESSARY;
  555. RequiredPrivileges.Privilege[0].Luid = PrivilegeValue;
  556. RequiredPrivileges.Privilege[0].Attributes = 0;
  558. SeCaptureSubjectContext( &SubjectSecurityContext );
  560. AccessGranted = SePrivilegeCheck(
  561. &RequiredPrivileges,
  562. &SubjectSecurityContext,
  563. PreviousMode
  564. );
  566. if ( PreviousMode != KernelMode ) {
  568. SePrivilegeObjectAuditAlarm(
  569. ObjectHandle,
  570. &SubjectSecurityContext,
  571. DesiredAccess,
  572. &RequiredPrivileges,
  573. AccessGranted,
  574. PreviousMode
  575. );
  577. }
  580. SeReleaseSubjectContext( &SubjectSecurityContext );
  582. return( AccessGranted );
  584. }