Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

339 lines
10 KiB

  1. /*++
  2. Copyright (c) Microsoft Corporation. All rights reserved.
  3. Module Name:
  4. sertlp.h
  5. Abstract:
  6. Include file for NT runtime routines that are callable by both
  7. kernel mode code in the executive and user mode code in various
  8. NT subsystems, but which are private interfaces.
  9. The routines in this file should not be used outside of the security
  10. related rtl files.
  11. Author:
  12. Robert P. Reichel (robertre) 6-12-91
  13. Environment:
  14. These routines are statically linked in the caller's executable and
  15. are callable in either kernel mode or user mode.
  16. Revision History:
  17. --*/
  18. #ifndef _SERTLP_
  19. #define _SERTLP_
  20. #include "nt.h"
  21. #include "zwapi.h"
  22. #include "ntrtl.h"
  23. ///////////////////////////////////////////////////////////////////////////////
  24. // //
  25. // Local Macros //
  26. // //
  27. ///////////////////////////////////////////////////////////////////////////////
  28. #ifndef LongAlign
  29. #define LongAlign LongAlignPtr
  30. #endif
  31. #define LongAlignPtr(Ptr) ((PVOID)(((ULONG_PTR)(Ptr) + 3) & -4))
  32. #define LongAlignSize(Size) (((ULONG)(Size) + 3) & -4)
  33. //
  34. // Macros for calculating the address of the components of a security
  35. // descriptor. This will calculate the address of the field regardless
  36. // of whether the security descriptor is absolute or self-relative form.
  37. // A null value indicates the specified field is not present in the
  38. // security descriptor.
  39. //
  40. //
  41. // NOTE: Similar copies of these macros appear in sep.h.
  42. // Be sure to propagate bug fixes and changes.
  43. //
  44. #define RtlpOwnerAddrSecurityDescriptor( SD ) \
  45. ( ((SD)->Control & SE_SELF_RELATIVE) ? \
  46. ( (((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Owner == 0) ? ((PSID) NULL) : \
  47. (PSID)RtlOffsetToPointer((SD), ((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Owner) \
  48. ) : \
  49. (PSID)((SD)->Owner) \
  50. )
  51. #define RtlpGroupAddrSecurityDescriptor( SD ) \
  52. ( ((SD)->Control & SE_SELF_RELATIVE) ? \
  53. ( (((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Group == 0) ? ((PSID) NULL) : \
  54. (PSID)RtlOffsetToPointer((SD), ((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Group) \
  55. ) : \
  56. (PSID)((SD)->Group) \
  57. )
  58. #define RtlpSaclAddrSecurityDescriptor( SD ) \
  59. ( (!((SD)->Control & SE_SACL_PRESENT) ) ? \
  60. (PACL)NULL : \
  61. ( ((SD)->Control & SE_SELF_RELATIVE) ? \
  62. ( (((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Sacl == 0) ? ((PACL) NULL) : \
  63. (PACL)RtlOffsetToPointer((SD), ((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Sacl) \
  64. ) : \
  65. (PACL)((SD)->Sacl) \
  66. ) \
  67. )
  68. #define RtlpDaclAddrSecurityDescriptor( SD ) \
  69. ( (!((SD)->Control & SE_DACL_PRESENT) ) ? \
  70. (PACL)NULL : \
  71. ( ((SD)->Control & SE_SELF_RELATIVE) ? \
  72. ( (((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Dacl == 0) ? ((PACL) NULL) : \
  73. (PACL)RtlOffsetToPointer((SD), ((SECURITY_DESCRIPTOR_RELATIVE *) (SD))->Dacl) \
  74. ) : \
  75. (PACL)((SD)->Dacl) \
  76. ) \
  77. )
  78. //
  79. // Macro to determine if the given ID has the owner attribute set,
  80. // which means that it may be assignable as an owner
  81. // The GroupSid should not be marked for UseForDenyOnly.
  82. //
  83. #define RtlpIdAssignableAsOwner( G ) \
  84. ( (((G).Attributes & SE_GROUP_OWNER) != 0) && \
  85. (((G).Attributes & SE_GROUP_USE_FOR_DENY_ONLY) == 0) )
  86. //
  87. // Macro to copy the state of the passed bits from the old security
  88. // descriptor (OldSD) into the Control field of the new one (NewSD)
  89. //
  90. #define RtlpPropagateControlBits( NewSD, OldSD, Bits ) \
  91. ( NewSD )->Control |= \
  92. ( \
  93. ( OldSD )->Control & ( Bits ) \
  94. )
  95. //
  96. // Macro to query whether or not the passed set of bits are ALL on
  97. // or not (ie, returns FALSE if some are on and not others)
  98. //
  99. #define RtlpAreControlBitsSet( SD, Bits ) \
  100. (BOOLEAN) \
  101. ( \
  102. (( SD )->Control & ( Bits )) == ( Bits ) \
  103. )
  104. //
  105. // Macro to set the passed control bits in the given Security Descriptor
  106. //
  107. #define RtlpSetControlBits( SD, Bits ) \
  108. ( \
  109. ( SD )->Control |= ( Bits ) \
  110. )
  111. //
  112. // Macro to clear the passed control bits in the given Security Descriptor
  113. //
  114. #define RtlpClearControlBits( SD, Bits ) \
  115. ( \
  116. ( SD )->Control &= ~( Bits ) \
  117. )
  118. ////////////////////////////////////////////////////////////////////////////////
  119. // //
  120. // Prototypes for local procedures //
  121. // //
  122. ////////////////////////////////////////////////////////////////////////////////
  123. BOOLEAN
  124. RtlpContainsCreatorOwnerSid(
  125. PKNOWN_ACE Ace
  126. );
  127. BOOLEAN
  128. RtlpContainsCreatorGroupSid(
  129. PKNOWN_ACE Ace
  130. );
  131. VOID
  132. RtlpApplyAclToObject (
  133. IN PACL Acl,
  134. IN PGENERIC_MAPPING GenericMapping
  135. );
  136. NTSTATUS
  137. RtlpInheritAcl (
  138. IN PACL DirectoryAcl,
  139. IN PACL ChildAcl,
  140. IN ULONG ChildGenericControl,
  141. IN BOOLEAN IsDirectoryObject,
  142. IN BOOLEAN AutoInherit,
  143. IN BOOLEAN DefaultDescriptorForObject,
  144. IN PSID OwnerSid,
  145. IN PSID GroupSid,
  146. IN PSID ServerOwnerSid OPTIONAL,
  147. IN PSID ServerGroupSid OPTIONAL,
  148. IN PGENERIC_MAPPING GenericMapping,
  149. IN BOOLEAN IsSacl,
  150. IN GUID **pNewObjectType OPTIONAL,
  151. IN ULONG GuidCount,
  152. OUT PACL *NewAcl,
  153. OUT PBOOLEAN NewAclExplicitlyAssigned,
  154. OUT PULONG NewGenericControl
  155. );
  156. NTSTATUS
  157. RtlpInitializeAllowedAce(
  158. IN PACCESS_ALLOWED_ACE AllowedAce,
  159. IN USHORT AceSize,
  160. IN UCHAR InheritFlags,
  161. IN UCHAR AceFlags,
  162. IN ACCESS_MASK Mask,
  163. IN PSID AllowedSid
  164. );
  165. NTSTATUS
  166. RtlpInitializeDeniedAce(
  167. IN PACCESS_DENIED_ACE DeniedAce,
  168. IN USHORT AceSize,
  169. IN UCHAR InheritFlags,
  170. IN UCHAR AceFlags,
  171. IN ACCESS_MASK Mask,
  172. IN PSID DeniedSid
  173. );
  174. NTSTATUS
  175. RtlpInitializeAuditAce(
  176. IN PACCESS_ALLOWED_ACE AuditAce,
  177. IN USHORT AceSize,
  178. IN UCHAR InheritFlags,
  179. IN UCHAR AceFlags,
  180. IN ACCESS_MASK Mask,
  181. IN PSID AuditSid
  182. );
  183. BOOLEAN
  184. RtlpValidOwnerSubjectContext(
  185. IN HANDLE Token,
  186. IN PSID Owner,
  187. IN BOOLEAN ServerObject,
  188. OUT PNTSTATUS ReturnStatus
  189. );
  190. VOID
  191. RtlpQuerySecurityDescriptor(
  192. IN PISECURITY_DESCRIPTOR SecurityDescriptor,
  193. OUT PSID *Owner,
  194. OUT PULONG OwnerSize,
  195. OUT PSID *PrimaryGroup,
  196. OUT PULONG PrimaryGroupSize,
  197. OUT PACL *Dacl,
  198. OUT PULONG DaclSize,
  199. OUT PACL *Sacl,
  200. OUT PULONG SaclSize
  201. );
  202. NTSTATUS
  203. RtlpFreeVM(
  204. IN PVOID *Base
  205. );
  206. NTSTATUS
  207. RtlpConvertToAutoInheritSecurityObject(
  208. IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
  209. IN PSECURITY_DESCRIPTOR CurrentSecurityDescriptor,
  210. OUT PSECURITY_DESCRIPTOR *NewSecurityDescriptor,
  211. IN GUID *ObjectType OPTIONAL,
  212. IN BOOLEAN IsDirectoryObject,
  213. IN PGENERIC_MAPPING GenericMapping
  214. );
  215. NTSTATUS
  216. RtlpNewSecurityObject (
  217. IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
  218. IN PSECURITY_DESCRIPTOR CreatorDescriptor OPTIONAL,
  219. OUT PSECURITY_DESCRIPTOR * NewDescriptor,
  220. IN GUID **pObjectType OPTIONAL,
  221. IN ULONG GuidCOunt,
  222. IN BOOLEAN IsDirectoryObject,
  223. IN ULONG AutoInheritFlags,
  224. IN HANDLE Token OPTIONAL,
  225. IN PGENERIC_MAPPING GenericMapping
  226. );
  227. NTSTATUS
  228. RtlpSetSecurityObject (
  229. IN PVOID Object OPTIONAL,
  230. IN SECURITY_INFORMATION SecurityInformation,
  231. IN PSECURITY_DESCRIPTOR ModificationDescriptor,
  232. IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
  233. IN ULONG AutoInheritFlags,
  234. IN ULONG PoolType,
  235. IN PGENERIC_MAPPING GenericMapping,
  236. IN HANDLE Token OPTIONAL
  237. );
  238. FORCEINLINE
  239. PULONG
  240. RtlpSubAuthoritySid(
  241. IN PSID Sid,
  242. IN ULONG SubAuthority
  243. )
  244. /*++
  245. Routine Description:
  246. This function returns the address of a sub-authority array element of
  247. an SID.
  248. Arguments:
  249. Sid - Pointer to the SID data structure.
  250. SubAuthority - An index indicating which sub-authority is being specified.
  251. This value is not compared against the number of sub-authorities in the
  252. SID for validity.
  253. Return Value:
  254. --*/
  255. {
  256. PISID ISid;
  257. //
  258. // Typecast to the opaque SID
  259. //
  260. ISid = (PISID)Sid;
  261. return &(ISid->SubAuthority[SubAuthority]);
  262. }
  263. #endif // _SERTLP_