https://git.reactos.org/?p=reactos.git;a=commitdiff;h=95c104f29a45f4d959de9… commit 95c104f29a45f4d959de9342dcc63c0e8f3b5ae0 Author: George Bișoc &lt;george.bisoc(a)reactos.org&gt; AuthorDate: Mon Sep 25 20:18:11 2023 +0200 Commit: George Bișoc &lt;george.bisoc(a)reactos.org&gt; CommitDate: Wed Oct 4 18:04:17 2023 +0200 [TCPIP] Setup a security descriptor for the IP and TCP device objects Grant access to such objects to system, admins and network services. --- drivers/network/tcpip/include/tags.h | 1 + drivers/network/tcpip/tcpip/main.c | 218 +++++++++++++++++++++++++++++++++++ 2 files changed, 219 insertions(+) diff --git a/drivers/network/tcpip/include/tags.h b/drivers/network/tcpip/include/tags.h index 15c0b905dc2..8449afda7e0 100644 --- a/drivers/network/tcpip/include/tags.h +++ b/drivers/network/tcpip/include/tags.h @@ -44,3 +44,4 @@ #define KEY_VALUE_TAG 'vkCT' #define HEADER_TAG 'rhCT' #define REG_STR_TAG 'srCT' +#define DEVICE_OBJ_SECURITY_TAG 'eSeD' diff --git a/drivers/network/tcpip/tcpip/main.c b/drivers/network/tcpip/tcpip/main.c index b99a66f1092..543ffced94d 100644 --- a/drivers/network/tcpip/tcpip/main.c +++ b/drivers/network/tcpip/tcpip/main.c @@ -10,6 +10,10 @@ #include "precomp.h" +#include <ntifs.h> +#include <ndk/rtlfuncs.h> +#include <ndk/obfuncs.h> + #include <dispatch.h> #include <fileobjs.h> @@ -556,6 +560,212 @@ TiDispatch( return IRPFinish(Irp, Status); } +static +NTSTATUS TiCreateSecurityDescriptor( + _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor) +{ + NTSTATUS Status; + SECURITY_DESCRIPTOR AbsSD; + ULONG DaclSize, RelSDSize = 0; + PSECURITY_DESCRIPTOR RelSD = NULL; + PACL Dacl = NULL; + + /* Setup a SD */ + Status = RtlCreateSecurityDescriptor(&AbsSD, + SECURITY_DESCRIPTOR_REVISION); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to create the absolute SD (0x%X)\n", Status)); + goto Quit; + } + + /* Setup a DACL */ + DaclSize = sizeof(ACL) + + sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(SeExports->SeLocalSystemSid) + + sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(SeExports->SeAliasAdminsSid) + + sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(SeExports->SeNetworkServiceSid); + Dacl = ExAllocatePoolWithTag(PagedPool, + DaclSize, + DEVICE_OBJ_SECURITY_TAG); + if (Dacl == NULL) + { + TI_DbgPrint(MIN_TRACE, ("Failed to allocate buffer heap for a DACL\n")); + Status = STATUS_INSUFFICIENT_RESOURCES; + goto Quit; + } + + Status = RtlCreateAcl(Dacl, + DaclSize, + ACL_REVISION); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to create a DACL (0x%X)\n", Status)); + goto Quit; + } + + /* Setup access */ + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_ALL, + SeExports->SeLocalSystemSid); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to add access allowed ACE for System SID (0x%X)\n", Status)); + goto Quit; + } + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_ALL, + SeExports->SeAliasAdminsSid); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to add access allowed ACE for Admins SID (0x%X)\n", Status)); + goto Quit; + } + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_ALL, + SeExports->SeNetworkServiceSid); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to add access allowed ACE for Network Service SID (0x%X)\n", Status)); + goto Quit; + } + + /* Assign security data to SD */ + Status = RtlSetDaclSecurityDescriptor(&AbsSD, + TRUE, + Dacl, + FALSE); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to set DACL to security descriptor (0x%X)\n", Status)); + goto Quit; + } + + Status = RtlSetGroupSecurityDescriptor(&AbsSD, + SeExports->SeLocalSystemSid, + FALSE); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to set group to security descriptor (0x%X)\n", Status)); + goto Quit; + } + + Status = RtlSetOwnerSecurityDescriptor(&AbsSD, + SeExports->SeAliasAdminsSid, + FALSE); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to set owner to security descriptor (0x%X)\n", Status)); + goto Quit; + } + + /* Get the required buffer size for the self-relative SD */ + Status = RtlAbsoluteToSelfRelativeSD(&AbsSD, + NULL, + &RelSDSize); + if (Status != STATUS_BUFFER_TOO_SMALL) + { + TI_DbgPrint(MIN_TRACE, ("Expected STATUS_BUFFER_TOO_SMALL but got something else (0x%X)\n", Status)); + goto Quit; + } + + RelSD = ExAllocatePoolWithTag(PagedPool, + RelSDSize, + DEVICE_OBJ_SECURITY_TAG); + if (RelSD == NULL) + { + TI_DbgPrint(MIN_TRACE, ("Failed to allocate buffer heap for relative SD\n")); + Status = STATUS_INSUFFICIENT_RESOURCES; + goto Quit; + } + + /* Convert it now */ + Status = RtlAbsoluteToSelfRelativeSD(&AbsSD, + RelSD, + &RelSDSize); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to convert absolute SD into a relative SD (0x%X)\n", Status)); + goto Quit; + } + + /* Give the buffer to caller */ + *SecurityDescriptor = RelSD; + +Quit: + if (!NT_SUCCESS(Status)) + { + if (RelSD != NULL) + { + ExFreePoolWithTag(RelSD, DEVICE_OBJ_SECURITY_TAG); + } + } + + if (Dacl != NULL) + { + ExFreePoolWithTag(Dacl, DEVICE_OBJ_SECURITY_TAG); + } + + return Status; +} + +static +NTSTATUS TiSetupTcpDeviceSD( + _In_ PDEVICE_OBJECT DeviceObject) +{ + NTSTATUS Status; + PSECURITY_DESCRIPTOR Sd; + SECURITY_INFORMATION Info = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION; + + /* Obtain a security descriptor */ + Status = TiCreateSecurityDescriptor(&Sd); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to create a security descriptor for the device object\n")); + return Status; + } + + /* Whack the new descriptor into the TCP device object */ + Status = ObSetSecurityObjectByPointer(DeviceObject, + Info, + Sd); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to set new security information to the device object\n")); + } + + ExFreePoolWithTag(Sd, DEVICE_OBJ_SECURITY_TAG); + return Status; +} + +static +NTSTATUS TiSecurityStartup( + VOID) +{ + NTSTATUS Status; + + /* Set security data for the TCP and IP device objects */ + Status = TiSetupTcpDeviceSD(TCPDeviceObject); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to set security data for TCP device object\n")); + return Status; + } + + Status = TiSetupTcpDeviceSD(IPDeviceObject); + if (!NT_SUCCESS(Status)) + { + TI_DbgPrint(MIN_TRACE, ("Failed to set security data for IP device object\n")); + return Status; + } + + return STATUS_SUCCESS; +} + VOID NTAPI TiUnload( PDRIVER_OBJECT DriverObject) @@ -761,6 +971,14 @@ DriverEntry( return Status; } + /* Initialize security */ + Status = TiSecurityStartup(); + if (!NT_SUCCESS(Status)) + { + TiUnload(DriverObject); + return Status; + } + /* Use direct I/O */ IPDeviceObject->Flags |= DO_DIRECT_IO; RawIPDeviceObject->Flags |= DO_DIRECT_IO;