Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1810 lines
44 KiB

/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
security.c
Abstract:
This module implements the security related portions of the process
structure.
Author:
Mark Lucovsky (markl) 25-Apr-1989
Jim Kelly (JimK) 2-August-1990
Neill Clift (NeillC) 14-Aug-2000
Revamped for fast referencing the primary token and holding the security lock
only over critical portions.
Revision History:
--*/
#include "psp.h"
#ifdef ALLOC_PRAGMA
NTSTATUS
PsOpenTokenOfJobObject(
IN HANDLE JobObject,
OUT PACCESS_TOKEN * Token
);
#pragma alloc_text(PAGE, PsReferencePrimaryToken)
#pragma alloc_text(PAGE, PsReferenceImpersonationToken)
#pragma alloc_text(PAGE, PsReferenceEffectiveToken)
#pragma alloc_text(PAGE, PsOpenTokenOfThread)
#pragma alloc_text(PAGE, PsOpenTokenOfProcess)
#pragma alloc_text(PAGE, PsOpenTokenOfJobObject)
#pragma alloc_text(PAGE, PsImpersonateClient)
#pragma alloc_text(PAGE, PsDisableImpersonation)
#pragma alloc_text(PAGE, PsRestoreImpersonation)
#pragma alloc_text(PAGE, PsRevertToSelf)
#pragma alloc_text(PAGE, PsRevertThreadToSelf)
#pragma alloc_text(PAGE, PspInitializeProcessSecurity)
#pragma alloc_text(PAGE, PspDeleteProcessSecurity)
#pragma alloc_text(PAGE, PspAssignPrimaryToken)
#pragma alloc_text(PAGE, PspInitializeThreadSecurity)
#pragma alloc_text(PAGE, PspDeleteThreadSecurity)
#pragma alloc_text(PAGE, PsAssignImpersonationToken)
#endif //ALLOC_PRAGMA
PACCESS_TOKEN
PsReferencePrimaryToken(
IN PEPROCESS Process
)
/*++
Routine Description:
This function returns a pointer to the primary token of a process.
The reference count of that primary token is incremented to protect
the pointer returned.
When the pointer is no longer needed, it should be freed using
PsDereferencePrimaryToken().
Arguments:
Process - Supplies the address of the process whose primary token
is to be referenced.
Return Value:
A pointer to the specified process's primary token.
--*/
{
PACCESS_TOKEN Token;
PETHREAD CurrentThread;
PAGED_CODE();
ASSERT( Process->Pcb.Header.Type == ProcessObject );
Token = ObFastReferenceObject (&Process->Token);
if (Token == NULL) {
CurrentThread = PsGetCurrentThread ();
PspLockProcessSecurityShared (Process, CurrentThread);
Token = ObFastReferenceObjectLocked (&Process->Token);
PspUnlockProcessSecurityShared (Process, CurrentThread);
}
return Token;
}
PACCESS_TOKEN
PsReferenceImpersonationToken(
IN PETHREAD Thread,
OUT PBOOLEAN CopyOnOpen,
OUT PBOOLEAN EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
)
/*++
Routine Description:
This function returns a pointer to the impersonation token of a thread.
The reference count of that impersonation token is incremented to protect
the pointer returned.
If the thread is not currently impersonating a client, then a null pointer
is returned.
If the thread is impersonating a client, then information about the
means of impersonation are also returned (ImpersonationLevel).
If a non-null value is returned, then PsDereferenceImpersonationToken()
must be called to decrement the token's reference count when the pointer
is no longer needed.
Arguments:
Thread - Supplies the address of the thread whose impersonation token
is to be referenced.
CopyOnOpen - The current value of the Thread->ImpersonationInfo->CopyOnOpen field.
EffectiveOnly - The current value of the Thread->ImpersonationInfo->EffectiveOnly field.
ImpersonationLevel - The current value of the Thread->ImpersonationInfo->ImpersonationLevel
field.
Return Value:
A pointer to the specified thread's impersonation token.
If the thread is not currently impersonating a client, then NULL is
returned.
--*/
{
PACCESS_TOKEN Token;
PETHREAD CurrentThread;
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
PAGED_CODE();
ASSERT (Thread->Tcb.Header.Type == ThreadObject);
//
// before going through the lock overhead just look to see if it is
// null. There is no race. Grabbing the lock is not needed until
// we decide to use the token at which point we re check to see it
// it is null.
// This check saves about 300 instructions.
//
if (!PS_IS_THREAD_IMPERSONATING (Thread)) {
return NULL;
}
//
// Lock the process security fields.
//
CurrentThread = PsGetCurrentThread ();
PspLockThreadSecurityShared (Thread, CurrentThread);
//
// Grab impersonation info block.
//
ImpersonationInfo = Thread->ImpersonationInfo;
if (PS_IS_THREAD_IMPERSONATING (Thread)) {
//
// Return the thread's impersonation level, etc.
//
Token = ImpersonationInfo->Token;
//
// Increment the reference count of the token to protect our
// pointer.
//
ObReferenceObject (Token);
(*ImpersonationLevel) = ImpersonationInfo->ImpersonationLevel;
(*CopyOnOpen) = ImpersonationInfo->CopyOnOpen;
(*EffectiveOnly) = ImpersonationInfo->EffectiveOnly;
} else {
Token = NULL;
}
//
// Release the security fields.
//
PspUnlockThreadSecurityShared (Thread, CurrentThread);
return Token;
}
PACCESS_TOKEN
PsReferenceEffectiveToken(
IN PETHREAD Thread,
OUT PTOKEN_TYPE TokenType,
OUT PBOOLEAN EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
)
/*++
Routine Description:
This function returns a pointer to the effective token of a thread. The
effective token of a thread is the thread's impersonation token if it has
one. Otherwise, it is the primary token of the thread's process.
The reference count of the effective token is incremented to protect
the pointer returned.
If the thread is impersonating a client, then the impersonation level
is also returned.
Either PsDereferenceImpersonationToken() (for an impersonation token) or
PsDereferencePrimaryToken() (for a primary token) must be called to
decrement the token's reference count when the pointer is no longer
needed.
Arguments:
Thread - Supplies the address of the thread whose effective token
is to be referenced.
TokenType - Receives the type of the effective token. If the thread
is currently impersonating a client, then this will be
TokenImpersonation. Othwerwise, it will be TokenPrimary.
EffectiveOnly - If the token type is TokenImpersonation, then this
receives the value of the client thread's Thread->Client->EffectiveOnly field.
Otherwise, it is set to FALSE.
ImpersonationLevel - The current value of the Thread->Client->ImpersonationLevel
field for an impersonation token and is not set for a primary token.
Return Value:
A pointer to the specified thread's effective token.
--*/
{
PACCESS_TOKEN Token;
PEPROCESS Process;
PETHREAD CurrentThread;
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
PAGED_CODE();
ASSERT (Thread->Tcb.Header.Type == ThreadObject);
Process = THREAD_TO_PROCESS(Thread);
//
// Grab the current impersonation token pointer value
//
Token = NULL;
if (PS_IS_THREAD_IMPERSONATING (Thread)) {
//
// Lock the process security fields.
//
CurrentThread = PsGetCurrentThread ();
PspLockThreadSecurityShared (Thread, CurrentThread);
if (PS_IS_THREAD_IMPERSONATING (Thread)) {
//
// Grab impersonation info block.
//
ImpersonationInfo = Thread->ImpersonationInfo;
Token = ImpersonationInfo->Token;
//
// Return the thread's impersonation level, etc.
//
(*TokenType) = TokenImpersonation;
(*EffectiveOnly) = ImpersonationInfo->EffectiveOnly;
(*ImpersonationLevel) = ImpersonationInfo->ImpersonationLevel;
//
// Increment the reference count of the token to protect our
// pointer.
//
ObReferenceObject (Token);
//
// Release the security fields.
//
PspUnlockThreadSecurityShared (Thread, CurrentThread);
return Token;
}
//
// Release the security fields.
//
PspUnlockThreadSecurityShared (Thread, CurrentThread);
}
//
// Get the thread's primary token if it wasn't impersonating a client.
//
Token = ObFastReferenceObject (&Process->Token);
if (Token == NULL) {
//
// Fast ref failed. We go the slow way with a lock
//
CurrentThread = PsGetCurrentThread ();
PspLockProcessSecurityShared (Process,CurrentThread);
Token = ObFastReferenceObjectLocked (&Process->Token);
PspUnlockProcessSecurityShared (Process,CurrentThread);
}
//
// Only the TokenType and CopyOnOpen OUT parameters are
// returned for a primary token.
//
(*TokenType) = TokenPrimary;
(*EffectiveOnly) = FALSE;
return Token;
}
NTSTATUS
PsOpenTokenOfThread(
IN HANDLE ThreadHandle,
IN BOOLEAN OpenAsSelf,
OUT PACCESS_TOKEN *Token,
OUT PBOOLEAN CopyOnOpen,
OUT PBOOLEAN EffectiveOnly,
OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
)
/*++
Routine Description:
This function does the thread specific processing of
an NtOpenThreadToken() service.
The service validates that the handle has appropriate access
to reference the thread. If so, it goes on to increment
the reference count of the token object to prevent it from
going away while the rest of the NtOpenThreadToken() request
is processed.
NOTE: If this call completes successfully, the caller is responsible
for decrementing the reference count of the target token.
This must be done using PsDereferenceImpersonationToken().
Arguments:
ThreadHandle - Supplies a handle to a thread object.
OpenAsSelf - Is a boolean value indicating whether the access should
be made using the calling thread's current security context, which
may be that of a client (if impersonating), or using the caller's
process-level security context. A value of FALSE indicates the
caller's current context should be used un-modified. A value of
TRUE indicates the request should be fulfilled using the process
level security context.
Token - If successful, receives a pointer to the thread's token
object.
CopyOnOpen - The current value of the Thread->Client->CopyOnOpen field.
EffectiveOnly - The current value of the Thread->Client->EffectiveOnly field.
ImpersonationLevel - The current value of the Thread->Client->ImpersonationLevel
field.
Return Value:
STATUS_SUCCESS - Indicates the call completed successfully.
STATUS_NO_TOKEN - Indicates the referenced thread is not currently
impersonating a client.
STATUS_CANT_OPEN_ANONYMOUS - Indicates the client requested anonymous
impersonation level. An anonymous token can not be openned.
status may also be any value returned by an attemp the reference
the thread object for THREAD_QUERY_INFORMATION access.
--*/
{
NTSTATUS
Status;
PETHREAD
Thread;
KPROCESSOR_MODE
PreviousMode;
PAGED_CODE();
PreviousMode = KeGetPreviousMode();
UNREFERENCED_PARAMETER (OpenAsSelf);
//
// Make sure the handle grants the appropriate access to the specified
// thread.
//
Status = ObReferenceObjectByHandle (ThreadHandle,
THREAD_QUERY_INFORMATION,
PsThreadType,
PreviousMode,
&Thread,
NULL);
if (!NT_SUCCESS (Status)) {
return Status;
}
//
// Reference the impersonation token, if there is one
//
(*Token) = PsReferenceImpersonationToken (Thread,
CopyOnOpen,
EffectiveOnly,
ImpersonationLevel);
//
// dereference the target thread.
//
ObDereferenceObject (Thread);
//
// Make sure there is a token
//
if (*Token == NULL) {
return STATUS_NO_TOKEN;
}
//
// Make sure the ImpersonationLevel is high enough to allow
// the token to be openned.
//
if ((*ImpersonationLevel) <= SecurityAnonymous) {
PsDereferenceImpersonationToken (*Token);
(*Token) = NULL;
return STATUS_CANT_OPEN_ANONYMOUS;
}
return STATUS_SUCCESS;
}
NTSTATUS
PsOpenTokenOfProcess(
IN HANDLE ProcessHandle,
OUT PACCESS_TOKEN *Token
)
/*++
Routine Description:
This function does the process specific processing of
an NtOpenProcessToken() service.
The service validates that the handle has appropriate access
to referenced process. If so, it goes on to reference the
primary token object to prevent it from going away while the
rest of the NtOpenProcessToken() request is processed.
NOTE: If this call completes successfully, the caller is responsible
for decrementing the reference count of the target token.
This must be done using the PsDereferencePrimaryToken() API.
Arguments:
ProcessHandle - Supplies a handle to a process object whose primary
token is to be opened.
Token - If successful, receives a pointer to the process's token
object.
Return Value:
STATUS_SUCCESS - Indicates the call completed successfully.
status may also be any value returned by an attemp the reference
the process object for PROCESS_QUERY_INFORMATION access.
--*/
{
NTSTATUS
Status;
PEPROCESS
Process;
KPROCESSOR_MODE
PreviousMode;
PAGED_CODE();
PreviousMode = KeGetPreviousMode();
//
// Make sure the handle grants the appropriate access to the specified
// process.
//
Status = ObReferenceObjectByHandle (ProcessHandle,
PROCESS_QUERY_INFORMATION,
PsProcessType,
PreviousMode,
&Process,
NULL);
if (!NT_SUCCESS (Status)) {
return Status;
}
//
// Reference the primary token
// (This takes care of gaining exlusive access to the process
// security fields for us)
//
(*Token) = PsReferencePrimaryToken (Process);
//
// Done with the process object
//
ObDereferenceObject (Process);
return STATUS_SUCCESS;
}
NTSTATUS
PsOpenTokenOfJobObject(
IN HANDLE JobObject,
OUT PACCESS_TOKEN * Token
)
/*++
Routine Description:
This function does the ps/job specific work for NtOpenJobObjectToken.
Arguments:
JobObject - Supplies a handle to a job object whose limit token
token is to be opened.
Token - If successful, receives a pointer to the process's token
object.
Return Value:
STATUS_SUCCESS - Indicates the call completed successfully.
STATUS_NO_TOKEN - indicates the job object does not have a token
--*/
{
NTSTATUS Status;
PEJOB Job;
KPROCESSOR_MODE PreviousMode;
PAGED_CODE();
PreviousMode = KeGetPreviousMode();
Status = ObReferenceObjectByHandle (JobObject,
JOB_OBJECT_QUERY,
PsJobType,
PreviousMode,
&Job,
NULL);
if (NT_SUCCESS (Status)) {
if (Job->Token != NULL) {
ObReferenceObject (Job->Token);
*Token = Job->Token;
} else {
Status = STATUS_NO_TOKEN;
}
}
return Status;
}
NTSTATUS
PsImpersonateClient(
IN PETHREAD Thread,
IN PACCESS_TOKEN Token,
IN BOOLEAN CopyOnOpen,
IN BOOLEAN EffectiveOnly,
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
)
/*++
Routine Description:
This routine sets up the specified thread so that it is impersonating
the specified client. This will result in the reference count of the
token representing the client being incremented to reflect the new
reference.
If the thread is currently impersonating a client, that token will be
dereferenced.
Arguments:
Thread - points to the thread which is going to impersonate a client.
Token - Points to the token to be assigned as the impersonation token.
This does NOT have to be a TokenImpersonation type token. This
allows direct reference of client process's primary tokens.
CopyOnOpen - If TRUE, indicates the token is considered to be private
by the assigner and should be copied if opened. For example, a
session layer may be using a token to represent a client's context.
If the session is trying to synchronize the context of the client,
then user mode code should not be given direct access to the session
layer's token.
Basically, session layers should always specify TRUE for this, while
tokens assigned by the server itself (handle based) should specify
FALSE.
EffectiveOnly - Is a boolean value to be assigned as the
Thread->ImpersonationInfo->EffectiveOnly field value for the
impersonation. A value of FALSE indicates the server is allowed
to enable currently disabled groups and privileges.
ImpersonationLevel - Is the impersonation level that the server is allowed
to access the token with.
Return Value:
STATUS_SUCCESS - Indicates the call completed successfully.
--*/
{
PPS_IMPERSONATION_INFORMATION NewClient, FreeClient;
PACCESS_TOKEN OldToken;
PACCESS_TOKEN NewerToken=NULL;
NTSTATUS Status;
PPS_JOB_TOKEN_FILTER Filter;
PEPROCESS Process;
PETHREAD CurrentThread;
PEJOB Job;
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
PAGED_CODE();
ASSERT (Thread->Tcb.Header.Type == ThreadObject);
Process = THREAD_TO_PROCESS (Thread);
if (!ARGUMENT_PRESENT(Token)) {
OldToken = NULL;
if (PS_IS_THREAD_IMPERSONATING (Thread)) {
//
// Lock the process security fields
//
CurrentThread = PsGetCurrentThread ();
PspLockThreadSecurityExclusive (Thread, CurrentThread);
if (PS_IS_THREAD_IMPERSONATING (Thread)) {
//
// Grab impersonation info block.
//
ImpersonationInfo = Thread->ImpersonationInfo;
//
// This is a request to revert to self.
// Clean up any client information.
//
OldToken = ImpersonationInfo->Token;
PS_CLEAR_BITS (&Thread->CrossThreadFlags,
PS_CROSS_THREAD_FLAGS_IMPERSONATING);
}
//
// Release the security fields
//
PspUnlockThreadSecurityExclusive (Thread, CurrentThread);
}
} else {
//
// Allocate and set up the Client block. We do this without holding the Process
// security lock so we reduce contention. Only one thread will manage to assign this.
// The client block once created never goes away until the last dereference of
// the process. We can touch this without locks
//
NewClient = Thread->ImpersonationInfo;
if (NewClient == NULL) {
NewClient = ExAllocatePoolWithTag (PagedPool,
sizeof (PS_IMPERSONATION_INFORMATION),
'mIsP'|PROTECTED_POOL);
if (NewClient == NULL) {
return STATUS_NO_MEMORY;
}
FreeClient = InterlockedCompareExchangePointer (&Thread->ImpersonationInfo,
NewClient,
NULL);
//
// We got beaten by another thread. Free our context and use the new one
//
if (FreeClient != NULL) {
ExFreePoolWithTag (NewClient, 'mIsP'|PROTECTED_POOL);
NewClient = FreeClient;
}
}
//
// Check if we're allowed to impersonate based on the job
// restrictions:
//
Job = Process->Job;
if (Job != NULL) {
if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_NO_ADMIN) &&
(SeTokenIsAdmin (Token))) {
return STATUS_ACCESS_DENIED;
} else if ((Job->SecurityLimitFlags & JOB_OBJECT_SECURITY_RESTRICTED_TOKEN) &&
(!SeTokenIsRestricted (Token))) {
return STATUS_ACCESS_DENIED;
} else {
Filter = Job->Filter;
if (Filter != NULL) {
//
// Filter installed. Need to create a restricted token
// dynamically.
//
Status = SeFastFilterToken (Token,
KernelMode,
0,
Filter->CapturedGroupCount,
Filter->CapturedGroups,
Filter->CapturedPrivilegeCount,
Filter->CapturedPrivileges,
Filter->CapturedSidCount,
Filter->CapturedSids,
Filter->CapturedSidsLength,
&NewerToken);
if (NT_SUCCESS (Status)) {
//
// If we created a filtered token then we don't need to add an extra token reference
// as this is a new token with a single reference we just created.
//
Token = NewerToken;
} else {
return Status;
}
} else {
ObReferenceObject (Token);
}
}
} else {
ObReferenceObject (Token);
}
//
// Lock the process security fields
//
CurrentThread = PsGetCurrentThread ();
PspLockThreadSecurityExclusive (Thread, CurrentThread);
//
// If we are already impersonating someone,
// use the already allocated block. This avoids
// an alloc and a free.
//
if (PS_IS_THREAD_IMPERSONATING (Thread)) {
//
// capture the old token pointer.
// We'll dereference it after unlocking the security fields.
//
OldToken = NewClient->Token;
} else {
OldToken = NULL;
PS_SET_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_IMPERSONATING);
}
NewClient->ImpersonationLevel = ImpersonationLevel;
NewClient->EffectiveOnly = EffectiveOnly;
NewClient->CopyOnOpen = CopyOnOpen;
NewClient->Token = Token;
//
// Release the security fields
//
PspUnlockThreadSecurityExclusive (Thread, CurrentThread);
}
//
// Free the old client token, if necessary.
//
if (OldToken != NULL) {
PsDereferenceImpersonationToken (OldToken);
}
return STATUS_SUCCESS;
}
BOOLEAN
PsDisableImpersonation(
IN PETHREAD Thread,
IN PSE_IMPERSONATION_STATE ImpersonationState
)
/*++
Routine Description:
This routine temporarily disables the impersonation of a thread.
The impersonation state is saved for quick replacement later. The
impersonation token is left referenced and a pointer to it is held
in the IMPERSONATION_STATE data structure.
PsRestoreImpersonation() must be used after this routine is called.
Arguments:
Thread - points to the thread whose impersonation (if any) is to
be temporarily disabled.
ImpersonationState - receives the current impersonation information,
including a pointer to the impersonation token.
Return Value:
TRUE - Indicates the impersonation state has been saved and the
impersonation has been temporarily disabled.
FALSE - Indicates the specified thread was not impersonating a client.
No action has been taken.
--*/
{
PPS_IMPERSONATION_INFORMATION OldClient;
PETHREAD CurrentThread;
PAGED_CODE();
ASSERT (Thread->Tcb.Header.Type == ThreadObject);
//
// Capture the impersonation information (if there is any).
// The vast majority of cases this function is called we are not impersonating. Skip acquiring
// the lock in this case.
//
OldClient = NULL;
if (PS_IS_THREAD_IMPERSONATING (Thread)) {
//
// Lock the process security fields
//
CurrentThread = PsGetCurrentThread ();
PspLockThreadSecurityExclusive (Thread, CurrentThread);
//
// Test and clear the impersonation bit. If we are still impersonating then capture the info.
//
if (PS_TEST_CLEAR_BITS (&Thread->CrossThreadFlags,
PS_CROSS_THREAD_FLAGS_IMPERSONATING)&
PS_CROSS_THREAD_FLAGS_IMPERSONATING) {
OldClient = Thread->ImpersonationInfo;
ImpersonationState->Level = OldClient->ImpersonationLevel;
ImpersonationState->EffectiveOnly = OldClient->EffectiveOnly;
ImpersonationState->CopyOnOpen = OldClient->CopyOnOpen;
ImpersonationState->Token = OldClient->Token;
}
//
// Release the security fields
//
PspUnlockThreadSecurityExclusive (Thread, CurrentThread);
}
if (OldClient != NULL) {
return TRUE;
} else {
//
// Not impersonating. Just make up some values.
// The NULL for the token indicates we aren't impersonating.
//
ImpersonationState->Level = SecurityAnonymous;
ImpersonationState->EffectiveOnly = FALSE;
ImpersonationState->CopyOnOpen = FALSE;
ImpersonationState->Token = NULL;
return FALSE;
}
}
VOID
PsRestoreImpersonation(
IN PETHREAD Thread,
IN PSE_IMPERSONATION_STATE ImpersonationState
)
/*++
Routine Description:
This routine restores an impersonation that has been temporarily disabled
using PsDisableImpersonation().
Notice that if this routine finds the thread is already impersonating
(again), then restoring the temporarily disabled impersonation will cause
the current impersonation to be abandoned.
Arguments:
Thread - points to the thread whose impersonation is to be restored.
ImpersontionState - receives the current impersontion information,
including a pointer ot the impersonation token.
Return Value:
TRUE - Indicates the impersonation state has been saved and the
impersonation has been temporarily disabled.
FALSE - Indicates the specified thread was not impersonating a client.
No action has been taken.
--*/
{
PAGED_CODE();
ASSERT (Thread->Tcb.Header.Type == ThreadObject);
//
// The processing for restore is identical to that for Impersonation,
// except that the token's reference count will be incremented (and
// so we need to do one dereference).
PsImpersonateClient (Thread,
ImpersonationState->Token,
ImpersonationState->CopyOnOpen,
ImpersonationState->EffectiveOnly,
ImpersonationState->Level);
ObDereferenceObject (ImpersonationState->Token);
return;
}
VOID
PsRevertToSelf( )
/*++
Routine Description:
This routine causes the calling thread to discontinue
impersonating a client. If the thread is not currently
impersonating a client, no action is taken.
Arguments:
None.
Return Value:
None.
--*/
{
PETHREAD Thread;
PEPROCESS Process;
PACCESS_TOKEN OldToken;
PAGED_CODE();
Thread = PsGetCurrentThread ();
Process = THREAD_TO_PROCESS (Thread);
//
// Lock the process security fields
//
PspLockThreadSecurityExclusive (Thread, Thread);
//
// See if the thread is impersonating a client
// and dereference that token if so.
//
if (PS_IS_THREAD_IMPERSONATING (Thread)) {
PS_CLEAR_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_IMPERSONATING);
OldToken = Thread->ImpersonationInfo->Token;
} else {
OldToken = NULL;
}
//
// Release the security fields
//
PspUnlockThreadSecurityExclusive (Thread, Thread);
//
// Free the old client info...
//
if (OldToken != NULL) {
ObDereferenceObject (OldToken);
}
return;
}
VOID
PsRevertThreadToSelf (
IN PETHREAD Thread
)
/*++
Routine Description:
This routine causes the specified thread to discontinue
impersonating a client. If the thread is not currently
impersonating a client, no action is taken.
Arguments:
Thread - Thread to remove impersonation from
Return Value:
None.
--*/
{
PETHREAD CurrentThread;
PACCESS_TOKEN OldToken;
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
PAGED_CODE();
ASSERT (Thread->Tcb.Header.Type == ThreadObject);
if (PS_IS_THREAD_IMPERSONATING (Thread)) {
CurrentThread = PsGetCurrentThread ();
//
// Lock the process security fields
//
PspLockThreadSecurityExclusive (Thread, CurrentThread);
//
// See if the thread is impersonating a client
// and dereference that token if so.
//
if (PS_IS_THREAD_IMPERSONATING (Thread)) {
//
// Grab impersonation info block.
//
ImpersonationInfo = Thread->ImpersonationInfo;
PS_CLEAR_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_IMPERSONATING);
OldToken = ImpersonationInfo->Token;
} else {
OldToken = NULL;
}
//
// Release the security fields
//
PspUnlockThreadSecurityExclusive (Thread, CurrentThread);
//
// Free the old client info...
//
if (OldToken != NULL) {
ObDereferenceObject (OldToken);
}
}
return;
}
NTSTATUS
PspInitializeProcessSecurity(
IN PEPROCESS Parent OPTIONAL,
IN PEPROCESS Child
)
/*++
Routine Description:
This function initializes a new process's security fields, including
the assignment of a new primary token.
The child process is assumed to not yet have been inserted into
an object table.
NOTE: IT IS EXPECTED THAT THIS SERVICE WILL BE CALLED WITH A NULL
PARENT PROCESS POINTER EXACTLY ONCE - FOR THE INITIAL SYSTEM
PROCESS.
Arguments:
Parent - An optional pointer to the process being used as the parent
of the new process. If this value is NULL, then the process is
assumed to be the initial system process, and the boot token is
assigned rather than a duplicate of the parent process's primary
token.
Child - Supplies the address of the process being initialized. This
process does not yet require security field contention protection.
In particular, the security fields may be accessed without first
acquiring the process security fields lock.
Return Value:
--*/
{
NTSTATUS Status;
PACCESS_TOKEN ParentToken, NewToken;
PAGED_CODE();
//
// Assign the primary token
//
if (ARGUMENT_PRESENT (Parent)) {
//
// create the primary token
// This is a duplicate of the parent's token.
//
ParentToken = PsReferencePrimaryToken (Parent);
Status = SeSubProcessToken (ParentToken,
&NewToken,
TRUE);
PsDereferencePrimaryTokenEx (Parent, ParentToken);
if (NT_SUCCESS(Status)) {
ObInitializeFastReference (&Child->Token,
NewToken);
}
} else {
//
// Reference and assign the boot token
//
// The use of a single boot access token assumes there is
// exactly one parentless process in the system - the initial
// process. If this ever changes, this code will need to change
// to match the new condition (so that a token doesn't end up
// being shared by multiple processes.
//
ObInitializeFastReference (&Child->Token, NULL);
SeAssignPrimaryToken (Child, PspBootAccessToken);
Status = STATUS_SUCCESS;
}
return Status;
}
VOID
PspDeleteProcessSecurity(
IN PEPROCESS Process
)
/*++
Routine Description:
This function cleans up a process's security fields as part of process
deletion. It is assumed no other references to the process can occur
during or after a call to this routine. This enables us to reference
the process security fields without acquiring the lock protecting those
fields.
NOTE: It may be desirable to add auditing capability to this routine
at some point.
Arguments:
Process - A pointer to the process being deleted.
Return Value:
None.
--*/
{
PAGED_CODE();
//
// If we are deleting a process that didn't successfully complete
// process initialization, then there may be no token associated
// with it yet.
//
if (!ExFastRefObjectNull (Process->Token)) {
SeDeassignPrimaryToken (Process);
}
return;
}
NTSTATUS
PspAssignPrimaryToken(
IN PEPROCESS Process,
IN HANDLE Token OPTIONAL,
IN PACCESS_TOKEN TokenPointer OPTIONAL
)
/*++
Routine Description:
This function performs the security portions of primary token assignment.
It is expected that the proper access to the process and thread objects,
as well as necessary privilege, has already been established.
A primary token can only be replaced if the process has no threads, or
has one thread. This is because the thread objects point to the primary
token and must have those pointers updated when the primary token is
changed. This is only expected to be necessary at logon time, when
the process is in its infancy and either has zero threads or maybe one
inactive thread.
If the assignment is successful, the old token is dereferenced and the
new one is referenced.
Arguments:
Process - A pointer to the process whose primary token is being
replaced.
Token - The handle value of the token to be assigned as the primary
token.
Return Value:
STATUS_SUCCESS - Indicates the primary token has been successfully
replaced.
STATUS_BAD_TOKEN_TYPE - Indicates the token is not of type TokenPrimary.
STATUS_TOKEN_IN_USE - Indicates the token is already in use by
another process.
Other status may be returned when attempting to reference the token
object.
--*/
{
NTSTATUS Status;
PACCESS_TOKEN NewToken, OldToken;
KPROCESSOR_MODE PreviousMode;
PETHREAD CurrentThread;
PAGED_CODE();
CurrentThread = PsGetCurrentThread ();
if (TokenPointer == NULL) {
PreviousMode = KeGetPreviousModeByThread(&CurrentThread->Tcb);
//
// Reference the specified token, and make sure it can be assigned
// as a primary token.
//
Status = ObReferenceObjectByHandle (Token,
TOKEN_ASSIGN_PRIMARY,
SeTokenObjectType,
PreviousMode,
&NewToken,
NULL);
if (!NT_SUCCESS (Status)) {
return Status;
}
} else {
NewToken = TokenPointer;
}
//
// Lock the process security fields.
//
PspLockProcessSecurityExclusive (Process, CurrentThread);
//
// This routine makes sure the NewToken is suitable for assignment
// as a primary token.
//
Status = SeExchangePrimaryToken (Process, NewToken, &OldToken);
//
// Release the process security fields
//
PspUnlockProcessSecurityExclusive (Process, CurrentThread);
//
// Free the old token (we don't need it).
// This can't be done while the security fields are locked.
//
if (NT_SUCCESS (Status)) {
ObDereferenceObject (OldToken);
}
//
// Undo the handle reference
//
if (TokenPointer == NULL) {
ObDereferenceObject (NewToken);
}
return Status;
}
VOID
PspInitializeThreadSecurity(
IN PEPROCESS Process,
IN PETHREAD Thread
)
/*++
Routine Description:
This function initializes a new thread's security fields.
Arguments:
Process - Points to the process the thread belongs to.
Thread - Points to the thread object being initialized.
Return Value:
None.
--*/
{
PAGED_CODE();
UNREFERENCED_PARAMETER (Process);
//
// Initially not impersonating anyone. This is not currently called as we zero out the entire thread at create time anyway
//
Thread->ImpersonationInfo = NULL;
PS_CLEAR_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_IMPERSONATING);
return;
}
VOID
PspDeleteThreadSecurity(
IN PETHREAD Thread
)
/*++
Routine Description:
This function cleans up a thread's security fields as part of thread
deletion. It is assumed no other references to the thread can occur
during or after a call to this routine, so no locking is necessary
to access the thread security fields.
Arguments:
Thread - A pointer to the thread being deleted.
Return Value:
None.
--*/
{
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
PAGED_CODE();
ImpersonationInfo = Thread->ImpersonationInfo;
//
// clean-up client information, if there is any.
//
if (PS_IS_THREAD_IMPERSONATING (Thread)) {
ObDereferenceObject (ImpersonationInfo->Token);
}
if (ImpersonationInfo != NULL) {
ExFreePoolWithTag (ImpersonationInfo, 'mIsP'|PROTECTED_POOL);
PS_CLEAR_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_IMPERSONATING);
Thread->ImpersonationInfo = NULL;
}
return;
}
NTSTATUS
PsAssignImpersonationToken(
IN PETHREAD Thread,
IN HANDLE Token
)
/*++
Routine Description:
This function performs the security portions of establishing an
impersonation token. This routine is expected to be used only in
the case where the subject has asked for impersonation explicitly
providing an impersonation token. Other services are provided for
use by communication session layers that need to establish an
impersonation on a server's behalf.
It is expected that the proper access to the thread object has already
been established.
The following rules apply:
1) The caller must have TOKEN_IMPERSONATE access to the token
for any action to be taken.
2) If the token may NOT be used for impersonation (e.g., not an
impersonation token) no action is taken.
3) Otherwise, any existing impersonation token is dereferenced and
the new token is established as the impersonation token.
Arguments:
Thread - A pointer to the thread whose impersonation token is being
set.
Token - The handle value of the token to be assigned as the impersonation
token. If this value is NULL, then current impersonation (if any)
is terminated and no new impersonation is established.
Return Value:
STATUS_SUCCESS - Indicates the primary token has been successfully
replaced.
STATUS_BAD_TOKEN_TYPE - Indicates the token is not of type
TokenImpersonation.
Other status may be returned when attempting to reference the token
object.
--*/
{
NTSTATUS Status;
PACCESS_TOKEN NewToken;
KPROCESSOR_MODE PreviousMode;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
PEPROCESS ThreadProcess;
BOOLEAN AttachedToProcess = FALSE;
PETHREAD CurrentThread;
KAPC_STATE ApcState;
PAGED_CODE();
CurrentThread = PsGetCurrentThread ();
if (!ARGUMENT_PRESENT (Token)) {
PsRevertThreadToSelf (Thread);
Status = STATUS_SUCCESS;
} else {
PreviousMode = KeGetPreviousModeByThread (&CurrentThread->Tcb);
//
// Reference the specified token for TOKEN_IMPERSONATE access
//
Status = ObReferenceObjectByHandle (Token,
TOKEN_IMPERSONATE,
SeTokenObjectType,
PreviousMode,
&NewToken,
NULL);
if (!NT_SUCCESS (Status)) {
return Status;
}
//
// Make sure the token is an impersonation token.
//
if (SeTokenType (NewToken) != TokenImpersonation) {
ObDereferenceObject (NewToken);
return STATUS_BAD_TOKEN_TYPE;
}
ImpersonationLevel = SeTokenImpersonationLevel (NewToken);
//
// The rest can be done by PsImpersonateClient.
//
// PsImpersonateClient will reference the passed token
// on success.
//
Status = PsImpersonateClient (Thread,
NewToken,
FALSE, // CopyOnOpen
FALSE, // EffectiveOnly
ImpersonationLevel);
//
// Dereference the passed token.
//
//
ObDereferenceObject (NewToken);
}
if (NT_SUCCESS (Status)) {
PTEB Teb;
//
// Indicate that 'Thread' has started to do impersonation.
// This info is useful for GetUserDefaultLCID()
//
ThreadProcess = THREAD_TO_PROCESS (Thread);
Teb = Thread->Tcb.Teb;
if (Teb != NULL) {
if (PsGetCurrentProcessByThread(CurrentThread) != ThreadProcess) {
KeStackAttachProcess (&ThreadProcess->Pcb, &ApcState);
AttachedToProcess = TRUE;
}
//
// We are doing a cross thread TEB reference here. Protect against the TEB being freed and used by
// somebody else.
//
if (ExAcquireRundownProtection (&Thread->RundownProtect)) {
//
// The TAB may still raise an exception in low memory conditions so we need try/except here
//
try {
if (ARGUMENT_PRESENT (Token)) {
Teb->ImpersonationLocale = (LCID)-1;
Teb->IsImpersonating = 1;
} else {
Teb->ImpersonationLocale = (LCID) 0;
Teb->IsImpersonating = 0;
}
} except (EXCEPTION_EXECUTE_HANDLER) {
}
ExReleaseRundownProtection (&Thread->RundownProtect);
}
if (AttachedToProcess) {
KeUnstackDetachProcess (&ApcState);
}
}
}
return Status;
}
#undef PsDereferencePrimaryToken
#pragma alloc_text(PAGE, PsDereferencePrimaryToken)
VOID
PsDereferencePrimaryToken(
IN PACCESS_TOKEN PrimaryToken
)
/*++
Routine Description:
Returns the reference obtained via PsReferencePrimaryToken
Arguments:
Returns the reference
Return Value:
None.
--*/
{
PAGED_CODE();
ObDereferenceObject (PrimaryToken);
}
#undef PsDereferenceImpersonationToken
#pragma alloc_text(PAGE, PsDereferenceImpersonationToken)
VOID
PsDereferenceImpersonationToken(
IN PACCESS_TOKEN ImpersonationToken
)
/*++
Routine Description:
Returns the reference obtained via PsReferenceImpersonationToken
Arguments:
Returns the reference
Return Value:
None.
--*/
{
PAGED_CODE();
if (ImpersonationToken != NULL) {
ObDereferenceObject (ImpersonationToken);
}
}