server/security.h

   1 /*
   2  * Security Management
   3  *
   4  * Copyright (C) 2005 Robert Shearman
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License as published by the Free Software Foundation; either
   9  * version 2.1 of the License, or (at your option) any later version.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * Lesser General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Lesser General Public
  17  * License along with this library; if not, write to the Free Software
  18  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  19  */
  20
  21 extern const LUID SeIncreaseQuotaPrivilege;
  22 extern const LUID SeSecurityPrivilege;
  23 extern const LUID SeTakeOwnershipPrivilege;
  24 extern const LUID SeLoadDriverPrivilege;
  25 extern const LUID SeSystemProfilePrivilege;
  26 extern const LUID SeSystemtimePrivilege;
  27 extern const LUID SeProfileSingleProcessPrivilege;
  28 extern const LUID SeIncreaseBasePriorityPrivilege;
  29 extern const LUID SeCreatePagefilePrivilege;
  30 extern const LUID SeBackupPrivilege;
  31 extern const LUID SeRestorePrivilege;
  32 extern const LUID SeShutdownPrivilege;
  33 extern const LUID SeDebugPrivilege;
  34 extern const LUID SeSystemEnvironmentPrivilege;
  35 extern const LUID SeChangeNotifyPrivilege;
  36 extern const LUID SeRemoteShutdownPrivilege;
  37 extern const LUID SeUndockPrivilege;
  38 extern const LUID SeManageVolumePrivilege;
  39 extern const LUID SeImpersonatePrivilege;
  40 extern const LUID SeCreateGlobalPrivilege;
  41
  42 extern const PSID security_world_sid;
  43 extern const PSID security_local_user_sid;
  44 extern const PSID security_local_system_sid;
  45 extern const PSID security_builtin_admins_sid;
  46
  47
  48 /* token functions */
  49
  50 extern struct token *token_create_admin(void);
  51 extern struct token *token_duplicate( struct token *src_token, unsigned primary,
  52                                       int impersonation_level );
  53 extern int token_check_privileges( struct token *token, int all_required,
  54                                    const LUID_AND_ATTRIBUTES *reqprivs,
  55                                    unsigned int count, LUID_AND_ATTRIBUTES *usedprivs);
  56 extern const ACL *token_get_default_dacl( struct token *token );
  57 extern const SID *token_get_user( struct token *token );
  58 extern const SID *token_get_primary_group( struct token *token );
  59 extern int token_sid_present( struct token *token, const SID *sid, int deny);
  60
  61 static inline const ACE_HEADER *ace_next( const ACE_HEADER *ace )
  62 {
  63     return (const ACE_HEADER *)((const char *)ace + ace->AceSize);
  64 }
  65
  66 static inline size_t security_sid_len( const SID *sid )
  67 {
  68     return offsetof( SID, SubAuthority[sid->SubAuthorityCount] );
  69 }
  70
  71 static inline int security_equal_sid( const SID *sid1, const SID *sid2 )
  72 {
  73     return ((sid1->SubAuthorityCount == sid2->SubAuthorityCount) &&
  74             !memcmp( sid1, sid2, security_sid_len( sid1 )));
  75 }
  76
  77 extern void security_set_thread_token( struct thread *thread, obj_handle_t handle );
  78 extern const SID *security_unix_uid_to_sid( uid_t uid );
  79 extern int check_object_access( struct object *obj, unsigned int *access );
  80
  81 static inline int thread_single_check_privilege( struct thread *thread, const LUID *priv)
  82 {
  83     struct token *token = thread_get_impersonation_token( thread );
  84     const LUID_AND_ATTRIBUTES privs = { *priv, 0 };
  85
  86     if (!token) return FALSE;
  87
  88     return token_check_privileges( token, TRUE, &privs, 1, NULL );
  89 }
  90
  91
  92 /* security descriptor helper functions */
  93
  94 extern int sd_is_valid( const struct security_descriptor *sd, data_size_t size );
  95
  96 /* gets the discretionary access control list from a security descriptor */
  97 static inline const ACL *sd_get_dacl( const struct security_descriptor *sd, int *present )
  98 {
  99     *present = (sd->control & SE_DACL_PRESENT) != 0;
 100
 101     if (sd->dacl_len)
 102         return (const ACL *)((const char *)(sd + 1) +
 103             sd->owner_len + sd->group_len + sd->sacl_len);
 104     else
 105         return NULL;
 106 }
 107
 108 /* gets the system access control list from a security descriptor */
 109 static inline const ACL *sd_get_sacl( const struct security_descriptor *sd, int *present )
 110 {
 111     *present = (sd->control & SE_SACL_PRESENT) != 0;
 112
 113     if (sd->sacl_len)
 114         return (const ACL *)((const char *)(sd + 1) +
 115             sd->owner_len + sd->group_len);
 116     else
 117         return NULL;
 118 }
 119
 120 /* gets the owner from a security descriptor */
 121 static inline const SID *sd_get_owner( const struct security_descriptor *sd )
 122 {
 123     if (sd->owner_len)
 124         return (const SID *)(sd + 1);
 125     else
 126         return NULL;
 127 }
 128
 129 /* gets the primary group from a security descriptor */
 130 static inline const SID *sd_get_group( const struct security_descriptor *sd )
 131 {
 132     if (sd->group_len)
 133         return (const SID *)((const char *)(sd + 1) + sd->owner_len);
 134     else
 135         return NULL;
 136 }
 137
 138 /* determines whether an object_attributes struct is valid in a buffer
 139  * and calls set_error appropriately */
 140 extern int objattr_is_valid( const struct object_attributes *objattr, data_size_t size );
 141 static inline void objattr_get_name( const struct object_attributes *objattr, struct unicode_str *name )
 142 {
 143     name->len = ((objattr->name_len) / sizeof(WCHAR)) * sizeof(WCHAR);
 144     name->str = (const WCHAR *)objattr + (sizeof(*objattr) + objattr->sd_len) / sizeof(WCHAR);
 145 }