BOOLEAN
FatCheckManageVolumeAccess (
_In_ PIRP_CONTEXT IrpContext,
_In_ PACCESS_STATE AccessState,
_In_ KPROCESSOR_MODE ProcessorMode
)
/*++
Routine Description:
This function checks whether the SID described in the input access state has
manage volume privilege.
Arguments:
AccessState - the access state describing the security context to be checked
ProcessorMode - the mode this check should occur against
Return Value:
BOOLEAN - TRUE if privilege is held and FALSE otherwise
--*/
{
PRIVILEGE_SET PrivilegeSet;
PAGED_CODE();
PrivilegeSet.PrivilegeCount = 1;
PrivilegeSet.Control = PRIVILEGE_SET_ALL_NECESSARY;
PrivilegeSet.Privilege[0].Luid = RtlConvertLongToLuid( SE_MANAGE_VOLUME_PRIVILEGE );
PrivilegeSet.Privilege[0].Attributes = 0;
if (SePrivilegeCheck( &PrivilegeSet,
&AccessState->SubjectSecurityContext,
ProcessorMode )) {
return TRUE;
}
UNREFERENCED_PARAMETER( IrpContext );
return FALSE;
}
BOOLEAN
SepVariableInitialization()
/*++
Routine Description:
This function initializes the global variables used by and exposed
by security.
Arguments:
None.
Return Value:
TRUE if variables successfully initialized.
FALSE if not successfully initialized.
--*/
{
ULONG SidWithZeroSubAuthorities;
ULONG SidWithOneSubAuthority;
ULONG SidWithTwoSubAuthorities;
ULONG SidWithThreeSubAuthorities;
SID_IDENTIFIER_AUTHORITY NullSidAuthority;
SID_IDENTIFIER_AUTHORITY WorldSidAuthority;
SID_IDENTIFIER_AUTHORITY LocalSidAuthority;
SID_IDENTIFIER_AUTHORITY CreatorSidAuthority;
SID_IDENTIFIER_AUTHORITY SeNtAuthority;
PAGED_CODE();
NullSidAuthority = SepNullSidAuthority;
WorldSidAuthority = SepWorldSidAuthority;
LocalSidAuthority = SepLocalSidAuthority;
CreatorSidAuthority = SepCreatorSidAuthority;
SeNtAuthority = SepNtAuthority;
//
// The following SID sizes need to be allocated
//
SidWithZeroSubAuthorities = RtlLengthRequiredSid( 0 );
SidWithOneSubAuthority = RtlLengthRequiredSid( 1 );
SidWithTwoSubAuthorities = RtlLengthRequiredSid( 2 );
SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 );
//
// Allocate and initialize the universal SIDs
//
SeNullSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeWorldSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeLocalSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeCreatorOwnerSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeCreatorGroupSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeCreatorOwnerServerSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeCreatorGroupServerSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
//
// Fail initialization if we didn't get enough memory for the universal
// SIDs.
//
if ( (SeNullSid == NULL) ||
(SeWorldSid == NULL) ||
(SeLocalSid == NULL) ||
(SeCreatorOwnerSid == NULL) ||
(SeCreatorGroupSid == NULL) ||
(SeCreatorOwnerServerSid == NULL ) ||
(SeCreatorGroupServerSid == NULL )
) {
return( FALSE );
}
RtlInitializeSid( SeNullSid, &NullSidAuthority, 1 );
RtlInitializeSid( SeWorldSid, &WorldSidAuthority, 1 );
RtlInitializeSid( SeLocalSid, &LocalSidAuthority, 1 );
RtlInitializeSid( SeCreatorOwnerSid, &CreatorSidAuthority, 1 );
RtlInitializeSid( SeCreatorGroupSid, &CreatorSidAuthority, 1 );
RtlInitializeSid( SeCreatorOwnerServerSid, &CreatorSidAuthority, 1 );
RtlInitializeSid( SeCreatorGroupServerSid, &CreatorSidAuthority, 1 );
*(RtlSubAuthoritySid( SeNullSid, 0 )) = SECURITY_NULL_RID;
*(RtlSubAuthoritySid( SeWorldSid, 0 )) = SECURITY_WORLD_RID;
*(RtlSubAuthoritySid( SeLocalSid, 0 )) = SECURITY_LOCAL_RID;
*(RtlSubAuthoritySid( SeCreatorOwnerSid, 0 )) = SECURITY_CREATOR_OWNER_RID;
*(RtlSubAuthoritySid( SeCreatorGroupSid, 0 )) = SECURITY_CREATOR_GROUP_RID;
*(RtlSubAuthoritySid( SeCreatorOwnerServerSid, 0 )) = SECURITY_CREATOR_OWNER_SERVER_RID;
*(RtlSubAuthoritySid( SeCreatorGroupServerSid, 0 )) = SECURITY_CREATOR_GROUP_SERVER_RID;
//
// Allocate and initialize the NT defined SIDs
//
SeNtAuthoritySid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithZeroSubAuthorities,'iSeS');
SeDialupSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeNetworkSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeBatchSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeInteractiveSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeServiceSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SePrincipalSelfSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeLocalSystemSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeAuthenticatedUsersSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeRestrictedSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeAnonymousLogonSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeLocalServiceSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeNetworkServiceSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithOneSubAuthority,'iSeS');
SeAliasAdminsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
SeAliasUsersSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
SeAliasGuestsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
SeAliasPowerUsersSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
SeAliasAccountOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
SeAliasSystemOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
SeAliasPrintOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
SeAliasBackupOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool | POOL_RAISE_IF_ALLOCATION_FAILURE,SidWithTwoSubAuthorities,'iSeS');
//
// Fail initialization if we didn't get enough memory for the NT SIDs.
//
if ( (SeNtAuthoritySid == NULL) ||
(SeDialupSid == NULL) ||
(SeNetworkSid == NULL) ||
(SeBatchSid == NULL) ||
(SeInteractiveSid == NULL) ||
(SeServiceSid == NULL) ||
(SePrincipalSelfSid == NULL) ||
(SeLocalSystemSid == NULL) ||
(SeAuthenticatedUsersSid == NULL) ||
(SeRestrictedSid == NULL) ||
(SeAnonymousLogonSid == NULL) ||
(SeLocalServiceSid == NULL) ||
(SeNetworkServiceSid == NULL) ||
(SeAliasAdminsSid == NULL) ||
(SeAliasUsersSid == NULL) ||
(SeAliasGuestsSid == NULL) ||
(SeAliasPowerUsersSid == NULL) ||
(SeAliasAccountOpsSid == NULL) ||
(SeAliasSystemOpsSid == NULL) ||
(SeAliasPrintOpsSid == NULL) ||
(SeAliasBackupOpsSid == NULL)
) {
return( FALSE );
}
RtlInitializeSid( SeNtAuthoritySid, &SeNtAuthority, 0 );
RtlInitializeSid( SeDialupSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeNetworkSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeBatchSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeInteractiveSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeServiceSid, &SeNtAuthority, 1 );
RtlInitializeSid( SePrincipalSelfSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeLocalSystemSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeAuthenticatedUsersSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeRestrictedSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeAnonymousLogonSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeLocalServiceSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeNetworkServiceSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeAliasAdminsSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasUsersSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasGuestsSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasPowerUsersSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasAccountOpsSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasSystemOpsSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasPrintOpsSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasBackupOpsSid, &SeNtAuthority, 2);
*(RtlSubAuthoritySid( SeDialupSid, 0 )) = SECURITY_DIALUP_RID;
*(RtlSubAuthoritySid( SeNetworkSid, 0 )) = SECURITY_NETWORK_RID;
*(RtlSubAuthoritySid( SeBatchSid, 0 )) = SECURITY_BATCH_RID;
*(RtlSubAuthoritySid( SeInteractiveSid, 0 )) = SECURITY_INTERACTIVE_RID;
*(RtlSubAuthoritySid( SeServiceSid, 0 )) = SECURITY_SERVICE_RID;
*(RtlSubAuthoritySid( SePrincipalSelfSid, 0 )) = SECURITY_PRINCIPAL_SELF_RID;
*(RtlSubAuthoritySid( SeLocalSystemSid, 0 )) = SECURITY_LOCAL_SYSTEM_RID;
*(RtlSubAuthoritySid( SeAuthenticatedUsersSid, 0 )) = SECURITY_AUTHENTICATED_USER_RID;
*(RtlSubAuthoritySid( SeRestrictedSid, 0 )) = SECURITY_RESTRICTED_CODE_RID;
*(RtlSubAuthoritySid( SeAnonymousLogonSid, 0 )) = SECURITY_ANONYMOUS_LOGON_RID;
*(RtlSubAuthoritySid( SeLocalServiceSid, 0 )) = SECURITY_LOCAL_SERVICE_RID;
*(RtlSubAuthoritySid( SeNetworkServiceSid, 0 )) = SECURITY_NETWORK_SERVICE_RID;
*(RtlSubAuthoritySid( SeAliasAdminsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasGuestsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasPowerUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasAccountOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasSystemOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasPrintOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasBackupOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasAdminsSid, 1 )) = DOMAIN_ALIAS_RID_ADMINS;
*(RtlSubAuthoritySid( SeAliasUsersSid, 1 )) = DOMAIN_ALIAS_RID_USERS;
*(RtlSubAuthoritySid( SeAliasGuestsSid, 1 )) = DOMAIN_ALIAS_RID_GUESTS;
*(RtlSubAuthoritySid( SeAliasPowerUsersSid, 1 )) = DOMAIN_ALIAS_RID_POWER_USERS;
*(RtlSubAuthoritySid( SeAliasAccountOpsSid, 1 )) = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
*(RtlSubAuthoritySid( SeAliasSystemOpsSid, 1 )) = DOMAIN_ALIAS_RID_SYSTEM_OPS;
*(RtlSubAuthoritySid( SeAliasPrintOpsSid, 1 )) = DOMAIN_ALIAS_RID_PRINT_OPS;
*(RtlSubAuthoritySid( SeAliasBackupOpsSid, 1 )) = DOMAIN_ALIAS_RID_BACKUP_OPS;
//
// Initialize system default dacl
//
SepInitSystemDacls();
//
// Initialize the well known privilege values
//
SeCreateTokenPrivilege =
RtlConvertLongToLuid(SE_CREATE_TOKEN_PRIVILEGE);
SeAssignPrimaryTokenPrivilege =
RtlConvertLongToLuid(SE_ASSIGNPRIMARYTOKEN_PRIVILEGE);
SeLockMemoryPrivilege =
RtlConvertLongToLuid(SE_LOCK_MEMORY_PRIVILEGE);
SeIncreaseQuotaPrivilege =
RtlConvertLongToLuid(SE_INCREASE_QUOTA_PRIVILEGE);
SeUnsolicitedInputPrivilege =
RtlConvertLongToLuid(SE_UNSOLICITED_INPUT_PRIVILEGE);
SeTcbPrivilege =
RtlConvertLongToLuid(SE_TCB_PRIVILEGE);
SeSecurityPrivilege =
RtlConvertLongToLuid(SE_SECURITY_PRIVILEGE);
SeTakeOwnershipPrivilege =
RtlConvertLongToLuid(SE_TAKE_OWNERSHIP_PRIVILEGE);
SeLoadDriverPrivilege =
RtlConvertLongToLuid(SE_LOAD_DRIVER_PRIVILEGE);
SeCreatePagefilePrivilege =
RtlConvertLongToLuid(SE_CREATE_PAGEFILE_PRIVILEGE);
SeIncreaseBasePriorityPrivilege =
RtlConvertLongToLuid(SE_INC_BASE_PRIORITY_PRIVILEGE);
SeSystemProfilePrivilege =
RtlConvertLongToLuid(SE_SYSTEM_PROFILE_PRIVILEGE);
SeSystemtimePrivilege =
RtlConvertLongToLuid(SE_SYSTEMTIME_PRIVILEGE);
SeProfileSingleProcessPrivilege =
RtlConvertLongToLuid(SE_PROF_SINGLE_PROCESS_PRIVILEGE);
SeCreatePermanentPrivilege =
RtlConvertLongToLuid(SE_CREATE_PERMANENT_PRIVILEGE);
SeBackupPrivilege =
RtlConvertLongToLuid(SE_BACKUP_PRIVILEGE);
SeRestorePrivilege =
RtlConvertLongToLuid(SE_RESTORE_PRIVILEGE);
SeShutdownPrivilege =
RtlConvertLongToLuid(SE_SHUTDOWN_PRIVILEGE);
SeDebugPrivilege =
RtlConvertLongToLuid(SE_DEBUG_PRIVILEGE);
SeAuditPrivilege =
RtlConvertLongToLuid(SE_AUDIT_PRIVILEGE);
SeSystemEnvironmentPrivilege =
RtlConvertLongToLuid(SE_SYSTEM_ENVIRONMENT_PRIVILEGE);
SeChangeNotifyPrivilege =
RtlConvertLongToLuid(SE_CHANGE_NOTIFY_PRIVILEGE);
SeRemoteShutdownPrivilege =
RtlConvertLongToLuid(SE_REMOTE_SHUTDOWN_PRIVILEGE);
SeUndockPrivilege =
RtlConvertLongToLuid(SE_UNDOCK_PRIVILEGE);
SeSyncAgentPrivilege =
RtlConvertLongToLuid(SE_SYNC_AGENT_PRIVILEGE);
SeEnableDelegationPrivilege =
RtlConvertLongToLuid(SE_ENABLE_DELEGATION_PRIVILEGE);
SeManageVolumePrivilege =
RtlConvertLongToLuid(SE_MANAGE_VOLUME_PRIVILEGE);
SeImpersonatePrivilege =
RtlConvertLongToLuid(SE_IMPERSONATE_PRIVILEGE);
SeCreateGlobalPrivilege =
RtlConvertLongToLuid(SE_CREATE_GLOBAL_PRIVILEGE);
//
// Initialize the SeExports structure for exporting all
// of the information we've created out of the kernel.
//
//
// Package these together for export
//
SepExports.SeNullSid = SeNullSid;
SepExports.SeWorldSid = SeWorldSid;
SepExports.SeLocalSid = SeLocalSid;
SepExports.SeCreatorOwnerSid = SeCreatorOwnerSid;
SepExports.SeCreatorGroupSid = SeCreatorGroupSid;
SepExports.SeNtAuthoritySid = SeNtAuthoritySid;
SepExports.SeDialupSid = SeDialupSid;
SepExports.SeNetworkSid = SeNetworkSid;
SepExports.SeBatchSid = SeBatchSid;
SepExports.SeInteractiveSid = SeInteractiveSid;
SepExports.SeLocalSystemSid = SeLocalSystemSid;
SepExports.SeAuthenticatedUsersSid = SeAuthenticatedUsersSid;
SepExports.SeRestrictedSid = SeRestrictedSid;
SepExports.SeAnonymousLogonSid = SeAnonymousLogonSid;
SepExports.SeLocalServiceSid = SeLocalServiceSid;
SepExports.SeNetworkServiceSid = SeNetworkServiceSid;
SepExports.SeAliasAdminsSid = SeAliasAdminsSid;
SepExports.SeAliasUsersSid = SeAliasUsersSid;
SepExports.SeAliasGuestsSid = SeAliasGuestsSid;
SepExports.SeAliasPowerUsersSid = SeAliasPowerUsersSid;
SepExports.SeAliasAccountOpsSid = SeAliasAccountOpsSid;
SepExports.SeAliasSystemOpsSid = SeAliasSystemOpsSid;
SepExports.SeAliasPrintOpsSid = SeAliasPrintOpsSid;
SepExports.SeAliasBackupOpsSid = SeAliasBackupOpsSid;
SepExports.SeCreateTokenPrivilege = SeCreateTokenPrivilege;
SepExports.SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege;
SepExports.SeLockMemoryPrivilege = SeLockMemoryPrivilege;
SepExports.SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege;
SepExports.SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege;
SepExports.SeTcbPrivilege = SeTcbPrivilege;
SepExports.SeSecurityPrivilege = SeSecurityPrivilege;
SepExports.SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege;
SepExports.SeLoadDriverPrivilege = SeLoadDriverPrivilege;
SepExports.SeCreatePagefilePrivilege = SeCreatePagefilePrivilege;
SepExports.SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege;
SepExports.SeSystemProfilePrivilege = SeSystemProfilePrivilege;
SepExports.SeSystemtimePrivilege = SeSystemtimePrivilege;
SepExports.SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege;
SepExports.SeCreatePermanentPrivilege = SeCreatePermanentPrivilege;
SepExports.SeBackupPrivilege = SeBackupPrivilege;
SepExports.SeRestorePrivilege = SeRestorePrivilege;
SepExports.SeShutdownPrivilege = SeShutdownPrivilege;
SepExports.SeDebugPrivilege = SeDebugPrivilege;
SepExports.SeAuditPrivilege = SeAuditPrivilege;
SepExports.SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege;
SepExports.SeChangeNotifyPrivilege = SeChangeNotifyPrivilege;
SepExports.SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege;
SepExports.SeUndockPrivilege = SeUndockPrivilege;
SepExports.SeSyncAgentPrivilege = SeSyncAgentPrivilege;
SepExports.SeEnableDelegationPrivilege = SeEnableDelegationPrivilege;
SepExports.SeManageVolumePrivilege = SeManageVolumePrivilege;
SepExports.SeImpersonatePrivilege = SeImpersonatePrivilege ;
SepExports.SeCreateGlobalPrivilege = SeCreateGlobalPrivilege;
SeExports = &SepExports;
//
// Initialize frequently used privilege sets to speed up access
// validation.
//
SepInitializePrivilegeSets();
return TRUE;
}
NTSTATUS
LsapAdtInitialize(
IN ULONG Pass
)
/*++
Routine Description:
This function performs initialization of auditing within the LSA, and
it also issues commands to the Reference Monitor to enable it to
complete any initialization of auditing variables that is dependent
on the content of the LSA Database. At time of call, the main
System Init thread is in the Reference Monitor awaiting completion
of all LSA initialization, and the Reference Monitor Command
Server thread is waiting for commands.
The following steps are performed:
o Read the Audit Event and Audit Log information from the LSA
Database.
o Call the Event Logging function to open the Audit Log
o Issue a Reference Monitor command to write the Audit Event Info
to the Reference-Monitor's in-memory database.
Arguments:
Pass - Specifies the stage of initialization to be performed.
Pass 1 - Initialization required before Audit Records can
be written to the Audit Log. Any Audit Records received
during this time will be "cached" by the LSA and will
be written out at Pass 2.
Pass 2 - Write out Audit Records cached during Pass 1.
Return Value:
NTSTATUS - Standard Nt Result Code.
All Result Codes are generated by called routines.
--*/
{
NTSTATUS Status = STATUS_SUCCESS;
NTSTATUS SecondaryStatus = STATUS_SUCCESS;
ULONG AuditLogInfoLength = sizeof (POLICY_AUDIT_LOG_INFO);
ULONG AuditEventInfoLength = sizeof (LSARM_POLICY_AUDIT_EVENTS_INFO);
ULONG AuditFullQueryInfoLength = sizeof (POLICY_AUDIT_FULL_QUERY_INFO);
BOOLEAN AcquiredLock = FALSE;
UNICODE_STRING UnicodeString;
PUNICODE_STRING Strings;
PSID Sid = NULL;
LSARM_POLICY_AUDIT_EVENTS_INFO AuditEventsInfo;
Strings = &UnicodeString;
RtlInitUnicodeString( Strings, L"System Restart");
RtlInitUnicodeString( &LsapSubsystemName, L"Security" );
if (Pass == 1) {
Status = LsapAdtInitializeLogQueue();
if (!NT_SUCCESS(Status)) {
goto AuditInitError;
}
//
// Acquire the LSA Database Lock.
//
Status = LsapDbAcquireLock();
if (!NT_SUCCESS(Status)) {
goto AuditInitError;
}
AcquiredLock = TRUE;
//
// Read the Audit Log Information from the PolAdtLg attribute of the Lsa
// Database object.
//
Status = LsapDbReadAttributeObject(
LsapDbHandle,
&LsapDbNames[PolAdtLg],
&LsapAdtLogInformation,
&AuditLogInfoLength
);
if (!NT_SUCCESS(Status)) {
LsapLogError(
"LsapAdtInitialize: Read Audit Log Info returned 0x%lx\n",
Status
);
goto AuditInitError;
}
//
// Query the Audit Log Full Information in the LSA Database. Note
// that it is too early to update a log full condition, so don't
// try to write to the Audit Log.
//
Status = LsapAdtQueryAuditLogFullInfo(
LsapDbHandle,
(ULONG) 0,
&LsapAdtLogFullInformation
);
if (!NT_SUCCESS(Status)) {
LsapLogError(
"LsapAdtInitialize: Update Audit Log Full Info returned 0x%lx\n",
Status
);
goto AuditInitError;
}
//
// Read the Audit Event Information from the AdtEvent attribute of the Lsa
// Database object. The information consists of the Auditing Mode and
// the Auditing Options for each Audit Event Type.
//
Status = LsapDbReadAttributeObject(
LsapDbHandle,
&LsapDbNames[PolAdtEv],
&AuditEventsInfo,
&AuditEventInfoLength
);
if (!NT_SUCCESS(Status)) {
//
// This section of code is temporary and allows an old
// Policy Database to work with the new Audit Event Categories
// without the need to re-install. The Audit Event Information
// is overwritten with the new format and all auditing is turned
// off.
//
if (Status == STATUS_BUFFER_OVERFLOW) {
KdPrint(("LsapAdtInitialize: Old Audit Event Info detected\n"
"Replacing with new format, all auditing disabled\n"));
//
// Initialize Default Event Auditing Options. No auditing is specified
// for any event type.
//
Status = LsapAdtInitializeDefaultAuditing(
LSAP_DB_UPDATE_POLICY_DATABASE,
&AuditEventsInfo
);
if (!NT_SUCCESS(Status)) {
goto AuditInitError;
}
} else {
LsapLogError(
"LsapAdtInitialize: Read Audit Event Info returned 0x%lx\n",
Status
);
goto AuditInitError;
}
}
//
// Set global flags to tell us if we're supposed to be auditing
// successful logons, failed logons, or both
//
//
LsapAdtAuditingLogon( &AuditEventsInfo );
//
// During system initialization, we are effectively logged on as
// system.
//
LsapAdtSystemRestart( &AuditEventsInfo );
(VOID) LsapAdtInitializeCrashOnFail();
//
// Send a command to the Reference Monitor to write the Auditing
// State to its in-memory data.
//
Status = LsapCallRm(
RmAuditSetCommand,
&AuditEventsInfo,
sizeof (LSARM_POLICY_AUDIT_EVENTS_INFO),
NULL,
0
);
if (!NT_SUCCESS(Status)) {
LsapLogError("LsapAdtInitialize: LsapCallRm returned 0x%lx\n", Status);
goto AuditInitError;
}
RtlCopyMemory(
&LsapAdtEventsInformation,
&AuditEventsInfo,
sizeof(LSARM_POLICY_AUDIT_EVENTS_INFO)
);
LsapAdtInitializeDriveLetters();
//
// Initialize privilege values we need
//
ChangeNotifyPrivilege = RtlConvertLongToLuid( SE_CHANGE_NOTIFY_PRIVILEGE );
AuditPrivilege = RtlConvertLongToLuid( SE_AUDIT_PRIVILEGE );
CreateTokenPrivilege = RtlConvertLongToLuid( SE_CREATE_TOKEN_PRIVILEGE );
AssignPrimaryTokenPrivilege = RtlConvertLongToLuid( SE_ASSIGNPRIMARYTOKEN_PRIVILEGE );
BackupPrivilege = RtlConvertLongToLuid( SE_BACKUP_PRIVILEGE );
RestorePrivilege = RtlConvertLongToLuid( SE_RESTORE_PRIVILEGE );
DebugPrivilege = RtlConvertLongToLuid( SE_DEBUG_PRIVILEGE );
//
// Tell base/wincon how to shut us down.
// First, tell base to shut us down as late in the game as possible.
//
SetProcessShutdownParameters(LSAP_SHUTDOWN_LEVEL, SHUTDOWN_NORETRY);
// And, tell them what function to call when we are being shutdown:
SetConsoleCtrlHandler(LsapShutdownNotification, TRUE);
} else if (Pass == 2) {
//
// Write out any Audit Records that were cached during the
// first stage of initialization. The Audit Log will be opened
// on the first write if necessary.
//
//
// BUGBUG - ScottBi 8/6/92 - This action cannot be taken here
// unless we know that the EventLog service is running. For now,
// an attempt is made to open the log each time an Audit Record
// is generated, and the cache grows until a limit is reached,
// at which point auditing is turned off and subsequent records
// are discarded.
//
/*
Status = LsapAdtWriteLog( NULL, (ULONG) 0);
if (!NT_SUCCESS(Status)) {
goto AuditInitError;
}
*/
}
AuditInitFinish:
if (AcquiredLock) {
LsapDbReleaseLock();
}
return(Status);
AuditInitError:
//
// If the Audit Log is full, signal the Log Full condition
//
if (Status == STATUS_LOG_FILE_FULL) {
SecondaryStatus = LsapAdtSignalLogFull();
}
//
// If auditing failed to initialize, output warning and disable
// auditing.
//
if (Pass == 1) {
LsapLogError(
"LSA: Warning - Audit Initialization Pass 1 Returned 0x%lx\n"
" Auditing has been disabled\n",
Status
);
} else {
LsapLogError(
"LSA: Warning - Audit Initialization Pass 2 Returned 0x%lx\n"
" Auditing has been disabled\n",
Status
);
}
LsapAdtEventsInformation.AuditingMode = FALSE;
Status = LsarSetInformationPolicy(
LsapDbHandle,
PolicyAuditEventsInformation,
(PLSAPR_POLICY_INFORMATION) &LsapAdtEventsInformation
);
goto AuditInitFinish;
}
NTSTATUS
FatExplicitDeviceAccessGranted (
IN PIRP_CONTEXT IrpContext,
IN PDEVICE_OBJECT DeviceObject,
IN PACCESS_STATE AccessState,
IN KPROCESSOR_MODE ProcessorMode
)
/*++
Routine Description:
This function asks whether the SID described in the input access state has
been granted any explicit access to the given device object. It does this
by acquiring a token stripped of its ability to acquire access via the
Everyone SID and re-doing the access check.
Arguments:
DeviceObject - the device whose ACL will be checked
AccessState - the access state describing the security context to be checked
ProcessorMode - the mode this check should occur against
Return Value:
NTSTATUS - Indicating whether explicit access was granted.
--*/
{
NTSTATUS Status;
BOOLEAN Result;
PACCESS_TOKEN OriginalAccessToken;
PACCESS_TOKEN RestrictedAccessToken;
PACCESS_TOKEN *EffectiveToken;
PRIVILEGE_SET PrivilegeSet;
ACCESS_MASK GrantedAccess;
//
// If the access state indicates that specific access other
// than traverse was acquired, either Everyone does have such
// access or explicit access was granted. In both cases, we're
// happy to let this proceed.
//
if (AccessState->PreviouslyGrantedAccess & (SPECIFIC_RIGHTS_ALL ^
FILE_TRAVERSE)) {
return STATUS_SUCCESS;
}
//
// If the manage volume privilege is held, this also permits access.
//
PrivilegeSet.PrivilegeCount = 1;
PrivilegeSet.Control = PRIVILEGE_SET_ALL_NECESSARY;
PrivilegeSet.Privilege[0].Luid = RtlConvertLongToLuid( SE_MANAGE_VOLUME_PRIVILEGE );
PrivilegeSet.Privilege[0].Attributes = 0;
if (SePrivilegeCheck( &PrivilegeSet,
&AccessState->SubjectSecurityContext,
ProcessorMode )) {
return STATUS_SUCCESS;
}
//
// Capture the subject context as a prelude to everything below.
//
SeLockSubjectContext( &AccessState->SubjectSecurityContext );
//
// Convert the token in the subject context into one which does not
// acquire access through the Everyone SID.
//
// The logic for deciding which token is effective comes from
// SeQuerySubjectContextToken; since there is no natural way
// of getting a pointer to it, do it by hand.
//
if (ARGUMENT_PRESENT( AccessState->SubjectSecurityContext.ClientToken )) {
EffectiveToken = &AccessState->SubjectSecurityContext.ClientToken;
} else {
EffectiveToken = &AccessState->SubjectSecurityContext.PrimaryToken;
}
OriginalAccessToken = *EffectiveToken;
Status = FatCreateRestrictEveryoneToken( OriginalAccessToken, &RestrictedAccessToken );
if (!NT_SUCCESS(Status)) {
SeReleaseSubjectContext( &AccessState->SubjectSecurityContext );
return Status;
}
//
// Now see if the resulting context has access to the device through
// its explicitly granted access. We swap in our restricted token
// for this check as the effective client token.
//
*EffectiveToken = RestrictedAccessToken;
Result = SeAccessCheck( DeviceObject->SecurityDescriptor,
&AccessState->SubjectSecurityContext,
FALSE,
AccessState->OriginalDesiredAccess,
0,
NULL,
IoGetFileObjectGenericMapping(),
ProcessorMode,
&GrantedAccess,
&Status );
*EffectiveToken = OriginalAccessToken;
//
// Cleanup and return.
//
SeUnlockSubjectContext( &AccessState->SubjectSecurityContext );
ObDereferenceObject( RestrictedAccessToken );
return Status;
}
