| Robert Shearman | d2ea92d | 2005-04-22 21:17:15 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Security Management |
| 3 | * |
| 4 | * Copyright (C) 2005 Robert Shearman |
| 5 | * |
| 6 | * This library is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU Lesser General Public |
| 8 | * License as published by the Free Software Foundation; either |
| 9 | * version 2.1 of the License, or (at your option) any later version. |
| 10 | * |
| 11 | * This library is distributed in the hope that it will be useful, |
| 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 14 | * Lesser General Public License for more details. |
| 15 | * |
| 16 | * You should have received a copy of the GNU Lesser General Public |
| 17 | * License along with this library; if not, write to the Free Software |
| Jonathan Ernst | 360a3f9 | 2006-05-18 14:49:52 +0200 | [diff] [blame] | 18 | * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA |
| Robert Shearman | d2ea92d | 2005-04-22 21:17:15 +0000 | [diff] [blame] | 19 | */ |
| 20 | |
| 21 | extern const LUID SeIncreaseQuotaPrivilege; |
| 22 | extern const LUID SeSecurityPrivilege; |
| 23 | extern const LUID SeTakeOwnershipPrivilege; |
| 24 | extern const LUID SeLoadDriverPrivilege; |
| 25 | extern const LUID SeSystemProfilePrivilege; |
| 26 | extern const LUID SeSystemtimePrivilege; |
| 27 | extern const LUID SeProfileSingleProcessPrivilege; |
| 28 | extern const LUID SeIncreaseBasePriorityPrivilege; |
| 29 | extern const LUID SeCreatePagefilePrivilege; |
| 30 | extern const LUID SeBackupPrivilege; |
| 31 | extern const LUID SeRestorePrivilege; |
| 32 | extern const LUID SeShutdownPrivilege; |
| 33 | extern const LUID SeDebugPrivilege; |
| 34 | extern const LUID SeSystemEnvironmentPrivilege; |
| 35 | extern const LUID SeChangeNotifyPrivilege; |
| 36 | extern const LUID SeRemoteShutdownPrivilege; |
| 37 | extern const LUID SeUndockPrivilege; |
| 38 | extern const LUID SeManageVolumePrivilege; |
| 39 | extern const LUID SeImpersonatePrivilege; |
| 40 | extern const LUID SeCreateGlobalPrivilege; |
| 41 | |
| Rob Shearman | cb124c9 | 2007-10-03 20:19:05 +0100 | [diff] [blame] | 42 | extern const PSID security_world_sid; |
| Robert Shearman | 91eaea5 | 2005-07-18 13:22:55 +0000 | [diff] [blame] | 43 | extern const PSID security_interactive_sid; |
| Rob Shearman | cb124c9 | 2007-10-03 20:19:05 +0100 | [diff] [blame] | 44 | extern const PSID security_local_system_sid; |
| Robert Shearman | 91eaea5 | 2005-07-18 13:22:55 +0000 | [diff] [blame] | 45 | |
| Rob Shearman | 5af809a | 2007-10-02 15:54:51 +0100 | [diff] [blame] | 46 | |
| 47 | /* token functions */ |
| 48 | |
| Robert Shearman | d2ea92d | 2005-04-22 21:17:15 +0000 | [diff] [blame] | 49 | extern struct token *token_create_admin(void); |
| Rob Shearman | bdf964d | 2007-05-28 18:39:33 +0100 | [diff] [blame] | 50 | extern struct token *token_duplicate( struct token *src_token, unsigned primary, |
| 51 | SECURITY_IMPERSONATION_LEVEL impersonation_level ); |
| Robert Shearman | d2ea92d | 2005-04-22 21:17:15 +0000 | [diff] [blame] | 52 | extern int token_check_privileges( struct token *token, int all_required, |
| 53 | const LUID_AND_ATTRIBUTES *reqprivs, |
| 54 | unsigned int count, LUID_AND_ATTRIBUTES *usedprivs); |
| Robert Shearman | fbf0ea9 | 2005-07-13 19:31:27 +0000 | [diff] [blame] | 55 | extern const ACL *token_get_default_dacl( struct token *token ); |
| Rob Shearman | 5af809a | 2007-10-02 15:54:51 +0100 | [diff] [blame] | 56 | extern const SID *token_get_user( struct token *token ); |
| 57 | extern const SID *token_get_primary_group( struct token *token ); |
| 58 | |
| Rob Shearman | cb124c9 | 2007-10-03 20:19:05 +0100 | [diff] [blame] | 59 | static inline const ACE_HEADER *ace_next( const ACE_HEADER *ace ) |
| 60 | { |
| 61 | return (const ACE_HEADER *)((const char *)ace + ace->AceSize); |
| 62 | } |
| 63 | |
| 64 | static inline int security_equal_sid( const SID *sid1, const SID *sid2 ) |
| 65 | { |
| 66 | return ((sid1->SubAuthorityCount == sid2->SubAuthorityCount) && |
| 67 | !memcmp( sid1, sid2, FIELD_OFFSET(SID, SubAuthority[sid1->SubAuthorityCount]) )); |
| 68 | } |
| 69 | |
| Robert Shearman | 4bba216 | 2005-06-20 13:18:38 +0000 | [diff] [blame] | 70 | extern void security_set_thread_token( struct thread *thread, obj_handle_t handle ); |
| Rob Shearman | 8184bcc | 2007-10-03 13:09:33 +0100 | [diff] [blame] | 71 | extern const SID *security_unix_uid_to_sid( uid_t uid ); |
| Rob Shearman | 6a76a0a | 2007-02-21 13:59:59 +0000 | [diff] [blame] | 72 | extern int check_object_access( struct object *obj, unsigned int *access ); |
| Robert Shearman | d2ea92d | 2005-04-22 21:17:15 +0000 | [diff] [blame] | 73 | |
| 74 | static inline int thread_single_check_privilege( struct thread *thread, const LUID *priv) |
| 75 | { |
| 76 | struct token *token = thread_get_impersonation_token( thread ); |
| 77 | const LUID_AND_ATTRIBUTES privs = { *priv, 0 }; |
| 78 | |
| 79 | if (!token) return FALSE; |
| 80 | |
| 81 | return token_check_privileges( token, TRUE, &privs, 1, NULL ); |
| 82 | } |
| Rob Shearman | 5af809a | 2007-10-02 15:54:51 +0100 | [diff] [blame] | 83 | |
| 84 | |
| 85 | /* security descriptor helper functions */ |
| 86 | |
| 87 | extern int sd_is_valid( const struct security_descriptor *sd, data_size_t size ); |
| 88 | |
| 89 | /* gets the discretionary access control list from a security descriptor */ |
| 90 | static inline const ACL *sd_get_dacl( const struct security_descriptor *sd, int *present ) |
| 91 | { |
| 92 | *present = (sd->control & SE_DACL_PRESENT ? TRUE : FALSE); |
| 93 | |
| 94 | if (sd->dacl_len) |
| 95 | return (const ACL *)((const char *)(sd + 1) + |
| 96 | sd->owner_len + sd->group_len + sd->sacl_len); |
| 97 | else |
| 98 | return NULL; |
| 99 | } |
| 100 | |
| 101 | /* gets the system access control list from a security descriptor */ |
| 102 | static inline const ACL *sd_get_sacl( const struct security_descriptor *sd, int *present ) |
| 103 | { |
| 104 | *present = (sd->control & SE_SACL_PRESENT ? TRUE : FALSE); |
| 105 | |
| 106 | if (sd->sacl_len) |
| 107 | return (const ACL *)((const char *)(sd + 1) + |
| 108 | sd->owner_len + sd->group_len); |
| 109 | else |
| 110 | return NULL; |
| 111 | } |
| 112 | |
| 113 | /* gets the owner from a security descriptor */ |
| 114 | static inline const SID *sd_get_owner( const struct security_descriptor *sd ) |
| 115 | { |
| 116 | if (sd->owner_len) |
| 117 | return (const SID *)(sd + 1); |
| 118 | else |
| 119 | return NULL; |
| 120 | } |
| 121 | |
| 122 | /* gets the primary group from a security descriptor */ |
| 123 | static inline const SID *sd_get_group( const struct security_descriptor *sd ) |
| 124 | { |
| 125 | if (sd->group_len) |
| 126 | return (const SID *)((const char *)(sd + 1) + sd->owner_len); |
| 127 | else |
| 128 | return NULL; |
| 129 | } |
| Rob Shearman | dd9e392 | 2007-10-24 16:04:42 +0100 | [diff] [blame] | 130 | |
| 131 | /* determines whether an object_attributes struct is valid in a buffer |
| 132 | * and calls set_error appropriately */ |
| 133 | extern int objattr_is_valid( const struct object_attributes *objattr, data_size_t size ); |
| Rob Shearman | f98556c | 2007-10-26 17:01:33 +0100 | [diff] [blame] | 134 | static inline void objattr_get_name( const struct object_attributes *objattr, struct unicode_str *name ) |
| 135 | { |
| 136 | name->len = ((objattr->name_len) / sizeof(WCHAR)) * sizeof(WCHAR); |
| 137 | name->str = (const WCHAR *)objattr + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR); |
| 138 | } |
