Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

440 lines
16 KiB

  1. /*++
  2. Copyright (c) Microsoft Corporation. All rights reserved.
  3. Module Name:
  4. wdmsec.h
  5. Abstract:
  6. This header exposes secuity routines to drivers that need them.
  7. Author:
  8. Adrian J. Oney - April 21, 2002
  9. Revision History:
  10. --*/
  11. #ifndef _WDMSEC_H_
  12. #define _WDMSEC_H_
  13. #pragma once
  14. #ifdef __cplusplus
  15. extern "C" {
  16. #endif
  17. //
  18. // SDDL_DEVOBJ_KERNEL_ONLY is an "empty" ACL. User mode code (including
  19. // processes running as system) cannot open the device.
  20. //
  21. // This could be used by a driver creating a raw WDM PDO. The INF would specify
  22. // lighter security settings. Until the INF was processed, the device would
  23. // be nonopenable by user mode code.
  24. //
  25. // Similarly, a legacy driver might use this ACL, and let its install app open
  26. // the device up at runtime to individual users. The install app would update
  27. // the class key with a very target ACL and reload the driver. The empty ACL
  28. // would only kick in only if the driver was loaded without the appropriate
  29. // security applied by the install app.
  30. //
  31. // In all of these cases, the default is strong security, lightened as
  32. // necessary (just like chemistry, where the rule is "add acid to water,
  33. // never water to acid").
  34. //
  35. // Example usage:
  36. // IoCreateDeviceSecure(..., &SDDL_DEVOBJ_KERNEL_ONLY, &Guid, ...);
  37. //
  38. /*
  39. DECLARE_CONST_UNICODE_STRING(SDDL_DEVOBJ_KERNEL_ONLY, L"D:P");
  40. */
  41. extern const UNICODE_STRING SDDL_DEVOBJ_KERNEL_ONLY;
  42. //
  43. // IoCreateDeviceSecure can be used to create a WDM PDO that initially can be
  44. // opened only by kernel mode, at least until an INF is supplied. Note that
  45. // IoCreateDeviceSecure should *never* be used for an FDO!!!
  46. //
  47. #define SDDL_DEVOBJ_INF_SUPPLIED SDDL_DEVOBJ_KERNEL_ONLY
  48. //
  49. // SDDL_DEVOBJ_SYS_ALL is similar to SDDL_DEVOBJ_KERNEL_ONLY, except that in
  50. // addition to kernel code, user mode code running as *SYSTEM* is also allowed
  51. // to open the device for any access.
  52. //
  53. // A legacy driver might use this ACL to start with tight security settings,
  54. // and let its service open the device up at runtime to individual users via
  55. // SetFileSecurity API. In this case, the service would have to be running as
  56. // system.
  57. //
  58. // (Note that the DEVOBJ SDDL strings in this file don't specify any
  59. // inheritance. This is because inheritance isn't a valid concept for things
  60. // behind a device object, like a file. As such, these SDDL strings would have
  61. // to be modified with inheritance tokens like "OICI" to be used for things
  62. // like registry keys or file. See the SDK's documentation on SDDL strings for
  63. // more information.)
  64. //
  65. /*
  66. DECLARE_CONST_UNICODE_STRING(SDDL_DEVOBJ_SYS_ALL, L"D:P(A;;GA;;;SY)");
  67. */
  68. extern const UNICODE_STRING SDDL_DEVOBJ_SYS_ALL;
  69. //
  70. // SDDL_DEVOBJ_SYS_ALL_ADM_ALL allows the kernel, system, and admin complete
  71. // control over the device. No other users may access the device
  72. //
  73. /*
  74. DECLARE_CONST_UNICODE_STRING(
  75. SDDL_DEVOBJ_SYS_ALL_ADM_ALL,
  76. L"D:P(A;;GA;;;SY)(A;;GA;;;BA)"
  77. );
  78. */
  79. extern const UNICODE_STRING SDDL_DEVOBJ_SYS_ALL_ADM_ALL;
  80. //
  81. // SDDL_DEVOBJ_SYS_ALL_ADM_RX allows the kernel and system complete control
  82. // over the device. By default the admin can only read from the device (the
  83. // admin can of course override this manually).
  84. //
  85. // The X refers to traversal, meaning the access to the namespace *beneath* a
  86. // device object. This only has an effect on storage stacks today. To lock down
  87. // the namespace behind a device (for example, if the device doesn't _have_ a
  88. // namespace), see the documentation on FILE_DEVICE_SECURE_OPEN flag to
  89. // IoCreateDevice{Secure}.
  90. //
  91. /*
  92. DECLARE_CONST_UNICODE_STRING(
  93. SDDL_DEVOBJ_SYS_ALL_ADM_RX,
  94. L"D:P(A;;GA;;;SY)(A;;GRGX;;;BA)"
  95. );
  96. */
  97. extern const UNICODE_STRING SDDL_DEVOBJ_SYS_ALL_ADM_RX;
  98. //
  99. // SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_R allows the kernel and system complete
  100. // control over the device. By default the admin can access the entire device,
  101. // but cannot change the ACL (the admin must take control of the device first)
  102. //
  103. // Everyone (the WORLD SID) is given read access. "Untrusted" code *cannot*
  104. // access the device (untrusted code might be code launched via the Run-As
  105. // option in Explorer. By default, World does not cover Restricted code.)
  106. //
  107. // Also note that traversal access is not granted to normal users. As such,
  108. // this might not be an appropriate descriptor for a storage device with a
  109. // namespace.
  110. //
  111. /*
  112. DECLARE_CONST_UNICODE_STRING(
  113. SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_R,
  114. L"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)"
  115. );
  116. */
  117. extern const UNICODE_STRING SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_R;
  118. //
  119. // SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_R_RES_R allows the kernel and system
  120. // complete control over the device. By default the admin can access the entire
  121. // device, but cannot change the ACL (the admin must take control of the device
  122. // first)
  123. //
  124. // Everyone (the WORLD SID) is given read access. In addition, "restricted" or
  125. // "untrusted" code (the RES SID) is also allowed to access code. Untrusted
  126. // code might be code launched via the Run-As option in Explorer. By default,
  127. // World does not cover Restricted code.
  128. //
  129. // (Odd implementation detail: Due to the mechanics of restricting SIDs, the
  130. // RES SID in an ACL should never exist outside the World SID).
  131. //
  132. // Also note that traversal access is not granted to normal users. As such,
  133. // this might not be an appropriate descriptor for a storage device with a
  134. // namespace.
  135. //
  136. /*
  137. DECLARE_CONST_UNICODE_STRING(
  138. SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_R_RES_R,
  139. L"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)"
  140. );
  141. */
  142. extern const UNICODE_STRING SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_R_RES_R;
  143. //
  144. // SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RW_RES_R allows the kernel and system
  145. // complete control over the device. By default the admin can access the entire
  146. // device, but cannot change the ACL (the admin must take control of the device
  147. // first)
  148. //
  149. // Everyone (the WORLD SID) can read or write to the device. However,
  150. // "restricted" or "untrusted" code (the RES SID) can only read from the device.
  151. //
  152. // Also note that normal users are not given traversal accesss. It is probably
  153. // unnecessary anyway, as most devices don't manage a seperate namespace
  154. // (ie, they set FILE_DEVICE_SECURE_OPEN).
  155. //
  156. /*
  157. DECLARE_CONST_UNICODE_STRING(
  158. SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RW_RES_R,
  159. L"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGW;;;WD)(A;;GR;;;RC)"
  160. );
  161. */
  162. extern const UNICODE_STRING SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RW_RES_R;
  163. //
  164. // SDDL_DEVOBJ_SYS_ALL_WORLD_RWX_RES_RWX allows the kernel and system complete
  165. // control over the device. By default the admin can access the entire device,
  166. // but cannot change the ACL (the admin must take control of the device first)
  167. //
  168. // Everyone else, including "restricted" or "untrusted" code can read or write
  169. // to the device. Traversal beneath the device is also granted (removing it
  170. // would only effect storage devices, except if the "bypass-traversal"
  171. // privilege was revoked).
  172. //
  173. /*
  174. DECLARE_CONST_UNICODE_STRING(
  175. SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX,
  176. L"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)"
  177. );
  178. */
  179. extern const UNICODE_STRING SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX;
  180. //
  181. // SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_A is listed for completeness. This allows the
  182. // kernel and system complete control over the device. By default the admin
  183. // can access the entire device, but cannot change the ACL (the admin must take
  184. // control of the device first)
  185. //
  186. // Everyone (the WORLD SID) can *append* data to the device. "Restricted" or
  187. // "untrusted" code (the RES SID) cannot access the device. See ntioapi.h for
  188. // the individual bit definitions of device rights.
  189. //
  190. // Note also that normal users can send neither read nor write IOCTLs (The read
  191. // device data right is bit 0, the write device data right is bit 1 - neither
  192. // bits are set below).
  193. //
  194. /*
  195. DECLARE_CONST_UNICODE_STRING(
  196. SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_A,
  197. L"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;0x0004;;;WD)"
  198. );
  199. extern const UNICODE_STRING SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_A;
  200. */
  201. //
  202. // SDDL_DEVOBJ_SYS_ALL_ADM_ALL_WORLD_ALL_RES_ALL is listed for completeness.
  203. // This ACL would give *any* user *total* access to the device, including the
  204. // ability to change the ACL, locking out other users!!!!!
  205. //
  206. // As this ACL is really a *very* bad idea, it isn't exported by this library.
  207. // Don't make an ACL like this!
  208. //
  209. /*
  210. DECLARE_CONST_UNICODE_STING(
  211. SDDL_DEVOBJ_SYS_ALL_ADM_ALL_WORLD_ALL_RES_ALL,
  212. "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;WD)(A;;GA;;;RC)"
  213. );
  214. extern const UNICODE_STRING SDDL_DEVOBJ_SYS_ALL_ADM_ALL_WORLD_ALL_RES_ALL;
  215. */
  216. /*
  217. The following SIDs represent *accounts* on the local machine:
  218. -------------------------------------------------------------
  219. System ("SY", S-1-5-18, SECURITY_NT_AUTHORITY:SECURITY_LOCAL_SYSTEM_RID)
  220. The OS itself (including its user mode components.)
  221. Local Service ("LS", S-1-5-19, SECURITY_NT_AUTHORITY:SECURITY_LOCAL_SERVICE_RID)
  222. A predefined account for services that presents user credentials for local
  223. resources and annonymous credentials for network access.
  224. Available on XP and later.
  225. Network Service ("NS", S-1-5-20, SECURITY_NT_AUTHORITY:SECURITY_NETWORK_SERVICE_RID)
  226. A predefined account for services that presents user credentials for local
  227. resources and the machine ID for network access.
  228. Available on XP and later.
  229. (A local *account* for a guest and a default administrator also exist, but
  230. the corresponding SDDL abbreviations are not supported by this library.
  231. Use the corresponding group SIDs instead.)
  232. The following SIDs represent *groups* on the local machine:
  233. -----------------------------------------------------------
  234. Administrators ("BA", S-1-5-32-544, SECURITY_NT_AUTHORITY:SECURITY_BUILTIN_DOMAIN_RID:DOMAIN_ALIAS_RID_ADMINS)
  235. The builtin administrators group on the machine. This is not the same
  236. as the builtin Administrator *account*.
  237. Builtin users group ("BU", S-1-5-32-545, SECURITY_NT_AUTHORITY:SECURITY_BUILTIN_DOMAIN_RID:DOMAIN_ALIAS_RID_USERS)
  238. Group covering all local user accounts, and users on the domain.
  239. Builtin guests group ("BG", S-1-5-32-546, SECURITY_NT_AUTHORITY:SECURITY_BUILTIN_DOMAIN_RID:DOMAIN_ALIAS_RID_GUESTS)
  240. Group covering users logging in using the local or domain guest account.
  241. This is not the same as the builtin Guest *account*.
  242. The below SIDs describe the authenticity of the user's identity:
  243. ----------------------------------------------------------------
  244. Authenticated Users ("AU", S-1-5-11, SECURITY_NT_AUTHORITY:SECURITY_AUTHENTICATED_USER_RID)
  245. Any user recognized by the local machine or by a domain. Note that
  246. users logged in using the Builtin Guest account are not authenticated.
  247. However, members of the Guests group with individual accounts on the
  248. machine or domain are authenticated.
  249. Anonymous Logged-on User ("AN", S-1-5-7, SECURITY_NT_AUTHORITY:SECURITY_ANONYMOUS_LOGON_RID)
  250. Any user logged on without an identity, for instance via an anonymous
  251. network session. Note that users logged in using the Builtin Guest
  252. account are neither authenticated nor anonymous. Available on XP and
  253. later.
  254. World ("WD", S-1-1-0, SECURITY_WORLD_SID_AUTHORITY:SECURITY_WORLD_RID)
  255. Prior to Windows XP, this SID covers every session: authenticated,
  256. anonymous, and the Builtin Guest account.
  257. For Windows XP and later, this SID does not cover anonymous logon
  258. sessions - only authenticated and the Builtin Guest account.
  259. Note that untrusted or "restricted" code is also not covered by the
  260. World SID. See the Restricted Code SID description for more
  261. information.
  262. The below SIDs describe how the user logged into the machine:
  263. -------------------------------------------------------------
  264. Interactive Users ("IU", S-1-5-4, SECURITY_NT_AUTHORITY:SECURITY_INTERACTIVE_RID)
  265. Users who initally logged onto the machine "interactively", such as
  266. local logons and Remote Desktops logons.
  267. Network Logon User ("NU", S-1-5-2, SECURITY_NT_AUTHORITY:SECURITY_NETWORK_RID)
  268. Users accessing the machine remotely, without interactive desktop
  269. access (ie, file sharing or RPC calls).
  270. Terminal Server Users (---, S-1-5-14, SECURITY_NT_AUTHORITY:SECURITY_TERMINAL_SERVER_RID)
  271. Interactive Users who *initially* logged onto the machine specifically
  272. via Terminal Services or Remote Desktop.
  273. (NOTE: There is currently no SDDL token for this SID. Furthermore, the
  274. presence of the SID doesn't take into account fast user switching
  275. either.)
  276. The below SID deserves special mention:
  277. ---------------------------------------
  278. Restricted Code ("RC", S-1-5-12, SECURITY_NT_AUTHORITY:SECURITY_RESTRICTED_CODE_RID)
  279. This SID is used to control access by untrusted code.
  280. ACL validation against tokens with RC go through *two* checks, one
  281. against the token's normal list of SIDs (containing WD for instance),
  282. and one against a second list (typically containing RC and a subset of
  283. the original token SIDs). Only if both tests pass is access granted.
  284. As such, RC actually works in *combination* with other SIDs.
  285. When RC is paired with WD in an ACL, a *superset* of Everyone
  286. _including_ untrusted code is described. RC is thus rarely seen in
  287. ACL's without the WD token.
  288. */
  289. //
  290. // Supply overrideable library implementation of IoCreateDeviceSecure.
  291. // This function is similar to IoCreateDevice, except that it only creates
  292. // named device objects. This function would be used to create raw PnP PDOs and
  293. // legacy device objects. The DefaultSDDLString specifies security while the
  294. // ClassGuid allows the administrator to override the defaults. Every driver
  295. // should pass in a ClassGuid (if no relevant Guid exists, just invent a new
  296. // one with guidgen.exe). The classguid parameter is crucial as it allows the
  297. // admin to tighten security (for instance, the admin might deny access to a
  298. // specific user).
  299. //
  300. // Note: This function should *not* be used to create a WDM FDO or Filter. The
  301. // only type of device object in a WDM stack that can be created using
  302. // IoCreateDeviceSecure is a PDO!
  303. //
  304. // See DDK documentation for more details.
  305. //
  306. #undef IoCreateDeviceSecure
  307. #define IoCreateDeviceSecure WdmlibIoCreateDeviceSecure
  308. NTSTATUS
  309. WdmlibIoCreateDeviceSecure(
  310. IN PDRIVER_OBJECT DriverObject,
  311. IN ULONG DeviceExtensionSize,
  312. IN PUNICODE_STRING DeviceName OPTIONAL,
  313. IN DEVICE_TYPE DeviceType,
  314. IN ULONG DeviceCharacteristics,
  315. IN BOOLEAN Exclusive,
  316. IN PCUNICODE_STRING DefaultSDDLString,
  317. IN LPCGUID DeviceClassGuid OPTIONAL,
  318. OUT PDEVICE_OBJECT *DeviceObject
  319. );
  320. //
  321. // Supply library internal implementation of RtlInitUnicodeStringEx
  322. // This function is similar to RtlInitUnicodeString, except that it handles the
  323. // case where a string exceeds UNICODE_STRING_MAX_CHARS (it does not probe or
  324. // check alignments though).
  325. //
  326. // See DDK documentation for more details.
  327. //
  328. #undef RtlInitUnicodeStringEx
  329. #define RtlInitUnicodeStringEx WdmlibRtlInitUnicodeStringEx
  330. NTSTATUS
  331. WdmlibRtlInitUnicodeStringEx(
  332. OUT PUNICODE_STRING DestinationString,
  333. IN PCWSTR SourceString OPTIONAL
  334. );
  335. //
  336. // Supply overrideable library implementation of IoValidateDeviceIoControlAccess
  337. // This function allows a driver running on .NET server to process
  338. // FILE_ANY_ACCESS IOCTLs as if they were FILE_READ_ACCESS, FILE_WRITE_ACCESS,
  339. // or both.
  340. //
  341. // See DDK documentation for more details.
  342. //
  343. #undef IoValidateDeviceIoControlAccess
  344. #define IoValidateDeviceIoControlAccess WdmlibIoValidateDeviceIoControlAccess
  345. NTSTATUS
  346. WdmlibIoValidateDeviceIoControlAccess(
  347. IN PIRP Irp,
  348. IN ULONG RequiredAccess
  349. );
  350. #ifdef __cplusplus
  351. } // extern "C"
  352. #endif
  353. #endif // _WDMSEC_H_