archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ndis/sys/ndissd.c

671 lines
18 KiB
Raw Normal View History

Add source files
4 years ago
  1. #include "precomp.h"
  3. typedef ULONG SECURITY_INFORMATION;
  5. NTSTATUS
  6. AddNetConfigOpsAce(IN PACL Dacl,
  7. OUT PACL * DeviceAcl
  8. )
  9. /*++
  11. Routine Description:
  13. This routine builds an ACL which gives adds the Network Configuration Operators group
  14. to the principals allowed to control the driver.
  16. Arguments:
  18. Dacl - Existing DACL.
  19. DeviceAcl - Output pointer to the new ACL.
  21. Return Value:
  23. STATUS_SUCCESS or an appropriate error code.
  25. --*/
  27. {
  28. PGENERIC_MAPPING GenericMapping;
  29. PSID AdminsSid = NULL;
  30. PSID SystemSid = NULL;
  31. PSID NetConfigOpsSid = NULL;
  32. PSID NetworkServiceSid = NULL;
  33. ULONG AclLength;
  34. NTSTATUS Status;
  35. ACCESS_MASK AccessMask = GENERIC_ALL;
  36. PACL NewAcl = NULL;
  37. ULONG SidSize;
  38. SID_IDENTIFIER_AUTHORITY sidAuth = SECURITY_NT_AUTHORITY;
  39. PISID ISid;
  40. PACCESS_ALLOWED_ACE AceTemp;
  41. int i;
  42. //
  43. // Enable access to all the globally defined SIDs
  44. //
  46. GenericMapping = IoGetFileObjectGenericMapping();
  48. RtlMapGenericMask(&AccessMask, GenericMapping);
  50. AdminsSid = SeExports->SeAliasAdminsSid;
  51. SystemSid = SeExports->SeLocalSystemSid;
  52. NetworkServiceSid = SeExports->SeNetworkServiceSid;
  54. SidSize = RtlLengthRequiredSid(2);
  55. NetConfigOpsSid = (PSID)(ExAllocatePool(PagedPool,SidSize));
  57. if (NULL == NetConfigOpsSid) {
  58. return STATUS_INSUFFICIENT_RESOURCES;
  59. }
  61. Status = RtlInitializeSid(NetConfigOpsSid, &sidAuth, 2);
  62. if (Status != STATUS_SUCCESS) {
  63. goto clean_up;
  64. }
  66. ISid = (PISID)(NetConfigOpsSid);
  67. ISid->SubAuthority[0] = SECURITY_BUILTIN_DOMAIN_RID;
  68. ISid->SubAuthority[1] = DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS;
  70. AclLength = Dacl->AclSize;
  72. AclLength += sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) - 2 * sizeof(ULONG);
  74. AclLength += RtlLengthSid(NetConfigOpsSid);
  76. NewAcl = ExAllocatePool(
  77. PagedPool,
  78. AclLength
  79. );
  81. if (NewAcl == NULL) {
  82. Status = STATUS_INSUFFICIENT_RESOURCES;
  83. goto clean_up;
  84. }
  86. Status = RtlCreateAcl(NewAcl, AclLength, ACL_REVISION2);
  88. if (!NT_SUCCESS(Status)) {
  89. goto clean_up;
  90. }
  92. for (i = 0; i < Dacl->AceCount; i++) {
  93. Status = RtlGetAce(Dacl, i, &AceTemp);
  95. if (NT_SUCCESS(Status)) {
  97. Status = RtlAddAccessAllowedAce(NewAcl,
  98. ACL_REVISION2,
  99. AceTemp->Mask,
  100. &AceTemp->SidStart);
  101. }
  103. if (!NT_SUCCESS(Status)) {
  104. goto clean_up;
  105. }
  106. }
  108. // Add Net Config Operators Ace
  109. Status = RtlAddAccessAllowedAce(NewAcl,
  110. ACL_REVISION2,
  111. AccessMask,
  112. NetConfigOpsSid);
  114. if (!NT_SUCCESS(Status)) {
  115. goto clean_up;
  116. }
  118. if (!NT_SUCCESS(Status)) {
  119. goto clean_up;
  120. }
  122. *DeviceAcl = NewAcl;
  124. clean_up:
  125. if (NetConfigOpsSid) {
  126. ExFreePool(NetConfigOpsSid);
  127. }
  128. if (!NT_SUCCESS(Status) && NewAcl) {
  129. ExFreePool(NewAcl);
  130. }
  132. return (Status);
  133. }
  137. NTSTATUS
  138. CreateDeviceDriverSecurityDescriptor(PVOID DeviceOrDriverObject)
  140. /*++
  142. Routine Description:
  144. Creates the SD responsible for giving access to different users.
  146. Arguments:
  148. None.
  150. Return Value:
  152. STATUS_SUCCESS or an appropriate error code.
  154. --*/
  156. {
  157. NTSTATUS status;
  158. BOOLEAN memoryAllocated = FALSE;
  159. PSECURITY_DESCRIPTOR sdSecurityDescriptor = NULL;
  160. ULONG sdSecurityDescriptorLength;
  161. CHAR buffer[SECURITY_DESCRIPTOR_MIN_LENGTH];
  162. PSECURITY_DESCRIPTOR localSecurityDescriptor =
  163. (PSECURITY_DESCRIPTOR) & buffer;
  164. SECURITY_INFORMATION securityInformation = DACL_SECURITY_INFORMATION;
  165. PACL paclDacl = NULL;
  166. BOOLEAN bHasDacl;
  167. BOOLEAN bDaclDefaulted;
  168. PACCESS_ALLOWED_ACE pAce = NULL;
  169. PACL NewAcl = NULL;
  170. INT i;
  172. //
  173. // Get a pointer to the security descriptor from the driver/device object.
  174. //
  176. status = ObGetObjectSecurity(
  177. DeviceOrDriverObject,
  178. &sdSecurityDescriptor,
  179. &memoryAllocated
  180. );
  182. if (!NT_SUCCESS(status))
  183. {
  184. KdPrintEx((DPFLTR_TCPIP_ID, DPFLTR_INFO_LEVEL,
  185. "TCP: Unable to get security descriptor, error: %x\n",
  186. status
  187. ));
  188. ASSERT(memoryAllocated == FALSE);
  189. return (status);
  190. }
  192. status = RtlGetDaclSecurityDescriptor(sdSecurityDescriptor, &bHasDacl, &paclDacl, &bDaclDefaulted);
  194. if (bHasDacl)
  195. {
  196. status = AddNetConfigOpsAce(paclDacl, &NewAcl);
  198. if (NT_SUCCESS(status))
  199. {
  200. PSECURITY_DESCRIPTOR sdSecDesc = NULL;
  201. ULONG ulSecDescSize = 0;
  202. PACL daclAbs = NULL;
  203. ULONG ulDacl = 0;
  204. PACL saclAbs = NULL;
  205. ULONG ulSacl = 0;
  206. PSID Owner = NULL;
  207. ULONG ulOwnerSize = 0;
  208. PSID PrimaryGroup = NULL;
  209. ULONG ulPrimaryGroupSize = 0;
  210. BOOLEAN bOwnerDefault;
  211. BOOLEAN bGroupDefault;
  212. BOOLEAN HasSacl = FALSE;
  213. BOOLEAN SaclDefaulted = FALSE;
  214. SECURITY_INFORMATION secInfo = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION;
  215. HANDLE hIp;
  216. HANDLE hTcp;
  218. ulSecDescSize = sizeof(sdSecDesc) + NewAcl->AclSize;
  219. sdSecDesc = ExAllocatePool(PagedPool, ulSecDescSize);
  221. if (sdSecDesc)
  222. {
  223. ulDacl = NewAcl->AclSize;
  224. daclAbs = ExAllocatePool(PagedPool, ulDacl);
  226. if (daclAbs)
  227. {
  228. status = RtlGetOwnerSecurityDescriptor(sdSecurityDescriptor, &Owner, &bOwnerDefault);
  230. if (NT_SUCCESS(status))
  231. {
  232. ulOwnerSize = RtlLengthSid(Owner);
  234. status = RtlGetGroupSecurityDescriptor(sdSecurityDescriptor, &PrimaryGroup, &bGroupDefault);
  236. if (NT_SUCCESS(status))
  237. {
  238. status = RtlGetSaclSecurityDescriptor(sdSecurityDescriptor, &HasSacl, &saclAbs, &SaclDefaulted);
  240. if (NT_SUCCESS(status))
  241. {
  242. if (HasSacl)
  243. {
  244. ulSacl = saclAbs->AclSize;
  245. secInfo |= SACL_SECURITY_INFORMATION;
  246. }
  248. ulPrimaryGroupSize= RtlLengthSid(PrimaryGroup);
  250. status = RtlSelfRelativeToAbsoluteSD(sdSecurityDescriptor, sdSecDesc, &ulSecDescSize, daclAbs,
  251. &ulDacl, saclAbs, &ulSacl, Owner, &ulOwnerSize, PrimaryGroup, &ulPrimaryGroupSize);
  253. if (NT_SUCCESS(status))
  254. {
  255. status = RtlSetDaclSecurityDescriptor(sdSecDesc, TRUE, NewAcl, FALSE);
  257. if (NT_SUCCESS(status))
  258. {
  259. status = ObSetSecurityObjectByPointer(DeviceOrDriverObject, secInfo, sdSecDesc);
  260. }
  261. }
  262. }
  263. }
  264. }
  265. }
  267. if (sdSecDesc)
  268. {
  269. // Since this is a Self-Relative security descriptor, freeing it also frees
  270. // Owner and PrimaryGroup.
  271. ExFreePool(sdSecDesc);
  272. }
  274. if (daclAbs)
  275. {
  276. ExFreePool(daclAbs);
  277. }
  278. }
  280. if (NewAcl)
  281. {
  282. ExFreePool(NewAcl);
  283. }
  285. }
  286. }
  287. else
  288. {
  289. KdPrintEx((DPFLTR_TCPIP_ID, DPFLTR_INFO_LEVEL,"TCP: No Dacl: %x\n", status));
  290. }
  292. ObReleaseObjectSecurity(
  293. sdSecurityDescriptor,
  294. memoryAllocated
  295. );
  297. return (status);
  298. }
  300. NTSTATUS
  301. ndisBuildDeviceAcl(
  302. OUT PACL *DeviceAcl,
  303. IN BOOLEAN AddNetConfigOps
  304. )
  306. /*++
  308. Routine Description:
  310. This routine builds an ACL which gives Administrators, LocalSystem,
  311. and NetworkService principals full access. All other principals have no access.
  313. Arguments:
  315. DeviceAcl - Output pointer to the new ACL.
  317. Return Value:
  319. STATUS_SUCCESS or an appropriate error code.
  321. --*/
  323. {
  324. NTSTATUS Status;
  325. PGENERIC_MAPPING GenericMapping;
  326. ULONG AclLength;
  327. ACCESS_MASK AccessMask = GENERIC_ALL;
  328. PACL NewAcl;
  329. PSID NetConfigOpsSid = NULL;
  330. ULONG NetConfigOpsSidSize;
  331. SID_IDENTIFIER_AUTHORITY NetConfigOpsSidAuth = SECURITY_NT_AUTHORITY;
  332. PISID ISid;
  335. do
  336. {
  337. //
  338. // Enable access to all the globally defined SIDs
  339. //
  341. GenericMapping = IoGetFileObjectGenericMapping();
  343. RtlMapGenericMask(&AccessMask, GenericMapping );
  346. AclLength = sizeof(ACL) +
  347. FIELD_OFFSET (ACCESS_ALLOWED_ACE, SidStart) +
  348. RtlLengthSid(SeExports->SeAliasAdminsSid);
  351. if (AddNetConfigOps)
  352. {
  353. NetConfigOpsSidSize = RtlLengthRequiredSid(2);
  354. NetConfigOpsSid = (PSID)ALLOC_FROM_POOL(NetConfigOpsSidSize, NDIS_TAG_NET_CFG_OPS_ID);
  356. if (NULL == NetConfigOpsSid)
  357. {
  358. Status = STATUS_INSUFFICIENT_RESOURCES;
  359. break;
  360. }
  362. Status = RtlInitializeSid(NetConfigOpsSid, &NetConfigOpsSidAuth, 2);
  363. if (Status != STATUS_SUCCESS)
  364. {
  365. Status = STATUS_INSUFFICIENT_RESOURCES;
  366. break;
  367. }
  369. ISid = (PISID)(NetConfigOpsSid);
  370. ISid->SubAuthority[0] = SECURITY_BUILTIN_DOMAIN_RID;
  371. ISid->SubAuthority[1] = DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS;
  373. AclLength += RtlLengthSid(NetConfigOpsSid) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart);
  374. }
  376. NewAcl = ALLOC_FROM_POOL(AclLength, NDIS_TAG_SECURITY);
  378. if (NewAcl == NULL)
  379. {
  380. Status = STATUS_INSUFFICIENT_RESOURCES;
  381. break;
  382. }
  384. ZeroMemory(NewAcl, AclLength);
  386. Status = RtlCreateAcl(NewAcl, AclLength, ACL_REVISION );
  388. if (!NT_SUCCESS(Status))
  389. {
  390. FREE_POOL(NewAcl);
  391. break;
  392. }
  394. Status = RtlAddAccessAllowedAce (
  395. NewAcl,
  396. ACL_REVISION2,
  397. AccessMask,
  398. SeExports->SeAliasAdminsSid
  399. );
  401. ASSERT(NT_SUCCESS(Status));
  403. if (AddNetConfigOps)
  404. {
  405. // Add Net Config Operators Ace
  406. Status = RtlAddAccessAllowedAce(NewAcl,
  407. ACL_REVISION2,
  408. AccessMask,
  409. NetConfigOpsSid);
  410. ASSERT(NT_SUCCESS(Status));
  411. }
  414. *DeviceAcl = NewAcl;
  416. Status = STATUS_SUCCESS;
  418. }while (FALSE);
  420. if (NetConfigOpsSid)
  421. {
  422. ExFreePool(NetConfigOpsSid);
  423. }
  425. return(Status);
  427. }
  430. NTSTATUS
  431. ndisCreateSecurityDescriptor(
  432. IN PDEVICE_OBJECT DeviceObject,
  433. OUT PSECURITY_DESCRIPTOR * pSecurityDescriptor,
  434. BOOLEAN AddNetConfigOps
  435. )
  437. /*++
  439. Routine Description:
  441. This routine creates a security descriptor which gives access
  442. only to certain priviliged accounts. This descriptor is used
  443. to access check processes that open a handle to miniport device
  444. objects.
  446. Arguments:
  448. None.
  450. Return Value:
  452. STATUS_SUCCESS or an appropriate error code.
  454. --*/
  456. {
  457. PACL devAcl = NULL;
  458. NTSTATUS Status;
  459. BOOLEAN memoryAllocated = FALSE;
  460. PSECURITY_DESCRIPTOR CurSecurityDescriptor;
  461. PSECURITY_DESCRIPTOR NewSecurityDescriptor;
  462. ULONG CurSecurityDescriptorLength;
  463. CHAR buffer[SECURITY_DESCRIPTOR_MIN_LENGTH];
  464. PSECURITY_DESCRIPTOR localSecurityDescriptor =
  465. (PSECURITY_DESCRIPTOR)buffer;
  466. SECURITY_INFORMATION securityInformation = DACL_SECURITY_INFORMATION;
  467. BOOLEAN bReleaseObjectSecurity = FALSE;
  470. do
  471. {
  473. *pSecurityDescriptor = NULL;
  475. //
  476. // Get a pointer to the security descriptor from the device object.
  477. //
  478. Status = ObGetObjectSecurity(
  479. DeviceObject,
  480. &CurSecurityDescriptor,
  481. &memoryAllocated
  482. );
  484. if (!NT_SUCCESS(Status))
  485. {
  486. ASSERT(memoryAllocated == FALSE);
  487. break;
  488. }
  489. bReleaseObjectSecurity = TRUE;
  491. //
  492. // Build a local security descriptor with an ACL giving only
  493. // certain priviliged accounts.
  494. //
  495. Status = ndisBuildDeviceAcl(&devAcl, AddNetConfigOps);
  497. if (!NT_SUCCESS(Status))
  498. {
  499. break;
  500. }
  502. (VOID)RtlCreateSecurityDescriptor(
  503. localSecurityDescriptor,
  504. SECURITY_DESCRIPTOR_REVISION
  505. );
  507. (VOID)RtlSetDaclSecurityDescriptor(
  508. localSecurityDescriptor,
  509. TRUE,
  510. devAcl,
  511. FALSE
  512. );
  514. //
  515. // Make a copy of the security descriptor. This copy will be the raw descriptor.
  516. //
  517. CurSecurityDescriptorLength = RtlLengthSecurityDescriptor(
  518. CurSecurityDescriptor
  519. );
  521. NewSecurityDescriptor = ALLOC_FROM_POOL(CurSecurityDescriptorLength, NDIS_TAG_SECURITY);
  523. if (NewSecurityDescriptor == NULL)
  524. {
  525. Status = STATUS_INSUFFICIENT_RESOURCES;
  526. break;
  527. }
  529. RtlMoveMemory(
  530. NewSecurityDescriptor,
  531. CurSecurityDescriptor,
  532. CurSecurityDescriptorLength
  533. );
  535. *pSecurityDescriptor = NewSecurityDescriptor;
  537. //
  538. // Now apply the local descriptor to the raw descriptor.
  539. //
  540. Status = SeSetSecurityDescriptorInfo(
  541. NULL,
  542. &securityInformation,
  543. localSecurityDescriptor,
  544. pSecurityDescriptor,
  545. NonPagedPool,
  546. IoGetFileObjectGenericMapping()
  547. );
  549. if (!NT_SUCCESS(Status))
  550. {
  551. ASSERT(*pSecurityDescriptor == NewSecurityDescriptor);
  552. FREE_POOL(*pSecurityDescriptor);
  553. *pSecurityDescriptor = NULL;
  554. break;
  555. }
  557. if (*pSecurityDescriptor != NewSecurityDescriptor)
  558. {
  559. ExFreePool(NewSecurityDescriptor);
  560. }
  562. Status = STATUS_SUCCESS;
  563. }while (FALSE);
  566. if (bReleaseObjectSecurity)
  567. {
  568. ObReleaseObjectSecurity(
  569. CurSecurityDescriptor,
  570. memoryAllocated
  571. );
  572. }
  574. if (devAcl!=NULL)
  575. {
  576. FREE_POOL(devAcl);
  577. }
  579. return(Status);
  580. }
  582. BOOLEAN
  583. ndisCheckAccess (
  584. PIRP Irp,
  585. PIO_STACK_LOCATION IrpSp,
  586. PNTSTATUS Status,
  587. PSECURITY_DESCRIPTOR SecurityDescriptor
  588. )
  589. /*++
  591. Routine Description:
  593. Compares security context of the endpoint creator to that
  594. of the administrator and local system.
  596. Arguments:
  598. Irp - Pointer to I/O request packet.
  600. IrpSp - pointer to the IO stack location to use for this request.
  602. Status - returns status generated by access check on failure.
  604. Return Value:
  606. TRUE - the creator has admin or local system privilige
  607. FALSE - the creator is just a plain user
  609. --*/
  611. {
  612. BOOLEAN accessGranted;
  613. PACCESS_STATE accessState;
  614. PIO_SECURITY_CONTEXT securityContext;
  615. PPRIVILEGE_SET privileges = NULL;
  616. ACCESS_MASK grantedAccess;
  617. PGENERIC_MAPPING GenericMapping;
  618. ACCESS_MASK AccessMask = GENERIC_ALL;
  620. //
  621. // Enable access to all the globally defined SIDs
  622. //
  624. GenericMapping = IoGetFileObjectGenericMapping();
  626. RtlMapGenericMask( &AccessMask, GenericMapping );
  629. securityContext = IrpSp->Parameters.Create.SecurityContext;
  630. accessState = securityContext->AccessState;
  632. SeLockSubjectContext(&accessState->SubjectSecurityContext);
  634. accessGranted = SeAccessCheck(
  635. SecurityDescriptor,
  636. &accessState->SubjectSecurityContext,
  637. TRUE,
  638. AccessMask,
  639. 0,
  640. &privileges,
  641. IoGetFileObjectGenericMapping(),
  642. (KPROCESSOR_MODE)((IrpSp->Flags & SL_FORCE_ACCESS_CHECK)
  643. ? UserMode
  644. : Irp->RequestorMode),
  645. &grantedAccess,
  646. Status
  647. );
  649. if (privileges) {
  650. (VOID) SeAppendPrivileges(
  651. accessState,
  652. privileges
  653. );
  654. SeFreePrivileges(privileges);
  655. }
  657. if (accessGranted) {
  658. accessState->PreviouslyGrantedAccess |= grantedAccess;
  659. accessState->RemainingDesiredAccess &= ~( grantedAccess | MAXIMUM_ALLOWED );
  660. ASSERT (NT_SUCCESS (*Status));
  661. }
  662. else {
  663. ASSERT (!NT_SUCCESS (*Status));
  664. }
  665. SeUnlockSubjectContext(&accessState->SubjectSecurityContext);
  667. return accessGranted;
  668. }