[tkreuzer] 62016: [NTOSKRNL] Implement SepAccessCheckAndAuditAlarm, which now does proper argument capturing and forwards those to SepAccessCheckAndAuditAlarmWorker, which for now only grants acces... - Ros-diffs

6 Feb 2014

Author: tkreuzer
Date: Thu Feb  6 19:26:05 2014
New Revision: 62016
URL: http://svn.reactos.org/svn/reactos?rev=62016&view=rev
Log:
[NTOSKRNL]
Implement SepAccessCheckAndAuditAlarm, which now does proper argument capturing and forwards those to SepAccessCheckAndAuditAlarmWorker, which for now only grants access without checking.
Modified:
    trunk/reactos/ntoskrnl/se/audit.c
Modified: trunk/reactos/ntoskrnl/se/audit.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/audit.c?rev=620...
==============================================================================

--- trunk/reactos/ntoskrnl/se/audit.c	[iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/audit.c	[iso-8859-1] Thu Feb  6 19:26:05 2014
@@ -207,13 +207,119 @@
     UNIMPLEMENTED;
 }
+static
+NTSTATUS
+SeCaptureObjectTypeList(
+    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
+    _In_ ULONG ObjectTypeListLength,
+    _In_ KPROCESSOR_MODE PreviousMode,
+    _Out_ POBJECT_TYPE_LIST *CapturedObjectTypeList)
+{
+    SIZE_T Size;
+
+    if (PreviousMode == KernelMode)
+    {
+        return STATUS_NOT_IMPLEMENTED;
+    }
+
+    if (ObjectTypeListLength == 0)
+    {
+        *CapturedObjectTypeList = NULL;
+        return STATUS_SUCCESS;
+    }
+
+    if (ObjectTypeList == NULL)
+    {
+        return STATUS_INVALID_PARAMETER;
+    }
+
+    /* Calculate the list size and check for integer overflow */
+    Size = ObjectTypeListLength * sizeof(OBJECT_TYPE_LIST);
+    if (Size == 0)
+    {
+        return STATUS_INVALID_PARAMETER;
+    }
+
+    /* Allocate a new list */
+    *CapturedObjectTypeList = ExAllocatePoolWithTag(PagedPool, Size, TAG_SEPA);
+    if (*CapturedObjectTypeList == NULL)
+    {
+        return STATUS_INSUFFICIENT_RESOURCES;
+    }
+
+    _SEH2_TRY
+    {
+        ProbeForRead(ObjectTypeList, Size, sizeof(ULONG));
+        RtlCopyMemory(*CapturedObjectTypeList, ObjectTypeList, Size);
+    }
+    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+    {
+        ExFreePoolWithTag(*CapturedObjectTypeList, TAG_SEPA);
+        *CapturedObjectTypeList = NULL;
+        return _SEH2_GetExceptionCode();
+    }
+    _SEH2_END;
+
+    return STATUS_SUCCESS;
+}
+
+static
+VOID
+SeReleaseObjectTypeList(
+    _In_  _Post_invalid_ POBJECT_TYPE_LIST CapturedObjectTypeList,
+    _In_ KPROCESSOR_MODE PreviousMode)
+{
+    if ((PreviousMode != KernelMode) && (CapturedObjectTypeList != NULL))
+        ExFreePoolWithTag(CapturedObjectTypeList, TAG_SEPA);
+}
+
+_Must_inspect_result_
+static
+NTSTATUS
+SepAccessCheckAndAuditAlarmWorker(
+    _In_ PUNICODE_STRING SubsystemName,
+    _In_opt_ PVOID HandleId,
+    _In_ PSECURITY_SUBJECT_CONTEXT SubjectContext,
+    _In_ PUNICODE_STRING ObjectTypeName,
+    _In_ PUNICODE_STRING ObjectName,
+    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+    _In_opt_ PSID PrincipalSelfSid,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ AUDIT_EVENT_TYPE AuditType,
+    _In_ BOOLEAN HaveAuditPrivilege,
+    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
+    _In_ ULONG ObjectTypeListLength,
+    _In_ PGENERIC_MAPPING GenericMapping,
+    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccessList,
+    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatusList,
+    _Out_ PBOOLEAN GenerateOnClose,
+    _In_ BOOLEAN UseResultList)
+{
+    ULONG ResultListLength, i;
+
+    /* Get the length of the result list */
+    ResultListLength = UseResultList ? ObjectTypeListLength : 1;
+
+    /// FIXME: we should do some real work here...
+    UNIMPLEMENTED;
+
+    /// HACK: we just pretend all access is granted!
+    for (i = 0; i < ResultListLength; i++)
+    {
+        GrantedAccessList[i] = DesiredAccess;
+        AccessStatusList[i] = STATUS_SUCCESS;
+    }
+
+    return STATUS_SUCCESS;
+}
+
 _Must_inspect_result_
 NTSTATUS
 NTAPI
 SepAccessCheckAndAuditAlarm(
     _In_ PUNICODE_STRING SubsystemName,
     _In_opt_ PVOID HandleId,
-    _In_ PHANDLE ClientToken,
+    _In_ PHANDLE ClientTokenHandle,
     _In_ PUNICODE_STRING ObjectTypeName,
     _In_ PUNICODE_STRING ObjectName,
     _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
@@ -232,13 +338,32 @@
     SECURITY_SUBJECT_CONTEXT SubjectContext;
     ULONG ResultListLength;
     GENERIC_MAPPING LocalGenericMapping;
+    PTOKEN SubjectContextToken, ClientToken;
+    BOOLEAN AllocatedResultLists;
+    BOOLEAN HaveAuditPrivilege;
+    PISECURITY_DESCRIPTOR CapturedSecurityDescriptor;
+    UNICODE_STRING CapturedSubsystemName, CapturedObjectTypeName, CapturedObjectName;
+    ACCESS_MASK GrantedAccess, *SafeGrantedAccessList;
+    NTSTATUS AccessStatus, *SafeAccessStatusList;
+    PSID CapturedPrincipalSelfSid;
+    POBJECT_TYPE_LIST CapturedObjectTypeList;
+    ULONG i;
+    BOOLEAN LocalGenerateOnClose;
     NTSTATUS Status;
     PAGED_CODE();
-    DBG_UNREFERENCED_LOCAL_VARIABLE(LocalGenericMapping);
-
     /* Only user mode is supported! */
     ASSERT(ExGetPreviousMode() != KernelMode);
+
+    /* Start clean */
+    AllocatedResultLists = FALSE;
+    ClientToken = NULL;
+    CapturedSecurityDescriptor = NULL;
+    CapturedSubsystemName.Buffer = NULL;
+    CapturedObjectTypeName.Buffer = NULL;
+    CapturedObjectName.Buffer = NULL;
+    CapturedPrincipalSelfSid = NULL;
+    CapturedObjectTypeList = NULL;
/* Validate AuditType */
     if ((AuditType != AuditEventObjectAccess) &&
@@ -252,12 +377,13 @@
     SeCaptureSubjectContext(&SubjectContext);
/* Did the caller pass a token handle? */
-    if (ClientToken == NULL)
+    if (ClientTokenHandle == NULL)
     {
         /* Check if we have a token in the subject context */
         if (SubjectContext.ClientToken == NULL)
         {
             Status = STATUS_NO_IMPERSONATION_TOKEN;
+            DPRINT1("No token\n");
             goto Cleanup;
         }
@@ -265,6 +391,8 @@
         if (SubjectContext.ImpersonationLevel < SecurityIdentification)
         {
             Status = STATUS_BAD_IMPERSONATION_LEVEL;
+            DPRINT1("Invalid impersonation level 0x%lx\n",
+                    SubjectContext.ImpersonationLevel);
             goto Cleanup;
         }
     }
@@ -277,13 +405,30 @@
         if ((ResultListLength == 0) || (ResultListLength > 0x1000))
         {
             Status = STATUS_INVALID_PARAMETER;
+            DPRINT1("Invalud ResultListLength: 0x%lx\n", ResultListLength);
             goto Cleanup;
         }
+
+        /* Allocate a safe buffer from paged pool */
+        SafeGrantedAccessList = ExAllocatePoolWithTag(PagedPool,
+                                                      2 * ResultListLength * sizeof(ULONG),
+                                                      TAG_SEPA);
+        if (SafeGrantedAccessList == NULL)
+        {
+            Status = STATUS_INSUFFICIENT_RESOURCES;
+            DPRINT1("Failed to allocate access lists\n");
+            goto Cleanup;
+        }
+
+        SafeAccessStatusList = (PNTSTATUS)&SafeGrantedAccessList[ResultListLength];
+        AllocatedResultLists = TRUE;
     }
     else
     {
         /* List length is 1 */
         ResultListLength = 1;
+        SafeGrantedAccessList = &GrantedAccess;
+        SafeAccessStatusList = &AccessStatus;
     }
_SEH2_TRY
@@ -303,17 +448,193 @@
     _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
     {
         Status = _SEH2_GetExceptionCode();
+        DPRINT1("Exception while probing parameters: 0x%lx\n", Status);
         goto Cleanup;
     }
     _SEH2_END;
-
-    UNIMPLEMENTED;
-
-    /* For now pretend everything else is ok */
-    Status = STATUS_SUCCESS;
+    /* Do we have a client token? */
+    if (ClientTokenHandle != NULL)
+    {
+        /* Reference the client token */
+        Status = ObReferenceObjectByHandle(*ClientTokenHandle,
+                                           TOKEN_QUERY,
+                                           SeTokenObjectType,
+                                           UserMode,
+                                           (PVOID*)&ClientToken,
+                                           NULL);
+        if (!NT_SUCCESS(Status))
+        {
+            DPRINT1("Failed to reference token handle %p: %lx\n",
+                    *ClientTokenHandle, Status);
+            goto Cleanup;
+        }
+
+        SubjectContextToken = SubjectContext.ClientToken;
+        SubjectContext.ClientToken = ClientToken;
+    }
+
+    /* Check for audit privilege */
+    HaveAuditPrivilege = SeSinglePrivilegeCheck(SeAuditPrivilege, UserMode);
+    if (!HaveAuditPrivilege && !(Flags & AUDIT_ALLOW_NO_PRIVILEGE))
+    {
+        DPRINT1("Caller does not have SeAuditPrivilege\n");
+        Status = STATUS_PRIVILEGE_NOT_HELD;
+        goto Cleanup;
+    }
+
+    /* Generic access must already be mapped to non-generic access types! */
+    if (DesiredAccess & (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL))
+    {
+        DPRINT1("Generic access rights requested: 0x%lx\n", DesiredAccess);
+        Status = STATUS_GENERIC_NOT_MAPPED;
+        goto Cleanup;
+    }
+
+    /* Capture the security descriptor */
+    Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
+                                         UserMode,
+                                         PagedPool,
+                                         FALSE,
+                                         &CapturedSecurityDescriptor);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("Failed to capture security descriptor!\n");
+        goto Cleanup;
+    }
+
+    /* Validate the Security descriptor */
+    if ((SepGetOwnerFromDescriptor(CapturedSecurityDescriptor) == NULL) ||
+        (SepGetGroupFromDescriptor(CapturedSecurityDescriptor) == NULL))
+    {
+        Status = STATUS_INVALID_SECURITY_DESCR;
+        DPRINT1("Invalid security descriptor\n");
+        goto Cleanup;
+    }
+
+    /* Probe and capture the subsystem name */
+    Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
+                                          UserMode,
+                                          SubsystemName);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("Failed to capture subsystem name!\n");
+        goto Cleanup;
+    }
+
+    /* Probe and capture the object type name */
+    Status = ProbeAndCaptureUnicodeString(&CapturedObjectTypeName,
+                                          UserMode,
+                                          ObjectTypeName);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("Failed to capture object type name!\n");
+        goto Cleanup;
+    }
+
+    /* Probe and capture the object name */
+    Status = ProbeAndCaptureUnicodeString(&CapturedObjectName,
+                                          UserMode,
+                                          ObjectName);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("Failed to capture object name!\n");
+        goto Cleanup;
+    }
+
+    /* Check if we have a PrincipalSelfSid */
+    if (PrincipalSelfSid != NULL)
+    {
+        /* Capture it */
+        Status = SepCaptureSid(PrincipalSelfSid,
+                               UserMode,
+                               PagedPool,
+                               FALSE,
+                               &CapturedPrincipalSelfSid);
+        if (!NT_SUCCESS(Status))
+        {
+            DPRINT1("Failed to capture PrincipalSelfSid!\n");
+            goto Cleanup;
+        }
+    }
+
+    /* Capture the object type list */
+    Status = SeCaptureObjectTypeList(ObjectTypeList,
+                                     ObjectTypeListLength,
+                                     UserMode,
+                                     &CapturedObjectTypeList);
+    if (!NT_SUCCESS(Status))
+    {
+        DPRINT1("Failed to capture object type list!\n");
+        goto Cleanup;
+    }
+
+    /* Call the worker routine with the captured buffers */
+    SepAccessCheckAndAuditAlarmWorker(&CapturedSubsystemName,
+                                      HandleId,
+                                      &SubjectContext,
+                                      &CapturedObjectTypeName,
+                                      &CapturedObjectName,
+                                      CapturedSecurityDescriptor,
+                                      CapturedPrincipalSelfSid,
+                                      DesiredAccess,
+                                      AuditType,
+                                      HaveAuditPrivilege,
+                                      CapturedObjectTypeList,
+                                      ObjectTypeListLength,
+                                      &LocalGenericMapping,
+                                      SafeGrantedAccessList,
+                                      SafeAccessStatusList,
+                                      &LocalGenerateOnClose,
+                                      UseResultList);
+
+    /* Enter SEH to copy the data back to user mode */
+    _SEH2_TRY
+    {
+        /* Loop all result entries (only 1 when no list was requested) */
+        NT_ASSERT(UseResultList || (ResultListLength == 1));
+        for (i = 0; i < ResultListLength; i++)
+        {
+            AccessStatusList[i] = SafeAccessStatusList[i];
+            GrantedAccessList[i] = SafeGrantedAccessList[i];
+        }
+
+        *GenerateOnClose = LocalGenerateOnClose;
+    }
+    _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
+    {
+        Status = _SEH2_GetExceptionCode();
+        DPRINT1("Exception while copying back data: 0x%lx\n", Status);
+    }
Cleanup:
+
+    if (CapturedObjectTypeList != NULL)
+        SeReleaseObjectTypeList(CapturedObjectTypeList, UserMode);
+
+    if (CapturedPrincipalSelfSid != NULL)
+        SepReleaseSid(CapturedPrincipalSelfSid, UserMode, FALSE);
+
+    if (CapturedObjectName.Buffer != NULL)
+        ReleaseCapturedUnicodeString(&CapturedObjectName, UserMode);
+
+    if (CapturedObjectTypeName.Buffer != NULL)
+        ReleaseCapturedUnicodeString(&CapturedObjectTypeName, UserMode);
+
+    if (CapturedSubsystemName.Buffer != NULL)
+        ReleaseCapturedUnicodeString(&CapturedSubsystemName, UserMode);
+
+    if (CapturedSecurityDescriptor != NULL)
+        SeReleaseSecurityDescriptor(CapturedSecurityDescriptor, UserMode, FALSE);
+
+    if (ClientToken != NULL)
+    {
+        ObDereferenceObject(ClientToken);
+        SubjectContext.ClientToken = SubjectContextToken;
+    }
+
+    if (AllocatedResultLists)
+        ExFreePoolWithTag(SafeGrantedAccessList, TAG_SEPA);
/* Release the security subject context */
     SeReleaseSubjectContext(&SubjectContext);
@@ -620,6 +941,9 @@
     PreviousMode = ExGetPreviousMode();
     ASSERT(PreviousMode != KernelMode);
+    CapturedSubsystemName.Buffer = NULL;
+    CapturedServiceName.Buffer = NULL;
+
     /* Reference the client token */
     Status = ObReferenceObjectByHandle(ClientToken,
                                        TOKEN_QUERY,
@@ -724,8 +1048,8 @@
/* Call the internal function */
     SepAdtPrivilegedServiceAuditAlarm(&SubjectContext,
-                                      &CapturedSubsystemName,
-                                      &CapturedServiceName,
+                                      SubsystemName ? &CapturedSubsystemName : NULL,
+                                      ServiceName ? &CapturedServiceName : NULL,
                                       Token,
                                       SubjectContext.PrimaryToken,
                                       CapturedPrivileges,
@@ -738,9 +1062,9 @@
Cleanup:
     /* Cleanup resources */
-    if (SubsystemName != NULL)
+    if (CapturedSubsystemName.Buffer != NULL)
         ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
-    if (ServiceName != NULL)
+    if (CapturedServiceName.Buffer != NULL)
         ReleaseCapturedUnicodeString(&CapturedServiceName, PreviousMode);
     if (CapturedPrivileges != NULL)
         ExFreePoolWithTag(CapturedPrivileges, 0);

    