Author: ekohl Date: Sun Mar 5 21:28:10 2017 New Revision: 74103
URL: http://svn.reactos.org/svn/reactos?rev=74103&view=rev Log: [NTOS:OB] - Define and use a pool tag for directory security descriptors. - Use a custom security descriptor to create the KernelObjects directory.
Modified: trunk/reactos/ntoskrnl/include/internal/tag.h trunk/reactos/ntoskrnl/ob/obinit.c trunk/reactos/ntoskrnl/ob/obname.c
Modified: trunk/reactos/ntoskrnl/include/internal/tag.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/include/internal/t...
==============================================================================
--- trunk/reactos/ntoskrnl/include/internal/tag.h [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/include/internal/tag.h [iso-8859-1] Sun Mar 5 21:28:10 2017
@@ -150,6 +150,8 @@
 /* Object Manager Tags */
 #define OB_NAME_TAG 'mNbO'
 #define OB_DIR_TAG 'iDbO'
+#define TAG_OB_DIR_SD 'sDbO'
+
 /* formerly located in ps/cid.c */
 #define TAG_CIDOBJECT 'ODIC'
Modified: trunk/reactos/ntoskrnl/ob/obinit.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ob/obinit.c?rev=74...
==============================================================================
--- trunk/reactos/ntoskrnl/ob/obinit.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ob/obinit.c [iso-8859-1] Sun Mar 5 21:28:10 2017
@@ -53,6 +53,82 @@
 ULONG ObpInitializationPhase;
 /* PRIVATE FUNCTIONS *********************************************************/
+
+static
+NTSTATUS
+NTAPI
+INIT_FUNCTION
+ObpCreateKernelObjectsSD(OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
+{
+ ULONG AclLength;
+ PACL Dacl;
+ NTSTATUS Status;
+
+ /* Initialize the SD */
+ Status = RtlCreateSecurityDescriptor(SecurityDescriptor,
+ SECURITY_DESCRIPTOR_REVISION);
+ if (!NT_SUCCESS(Status))
+ return Status;
+
+ /* Allocate the DACL */
+ AclLength = sizeof(ACL) +
+ sizeof(ACE) + RtlLengthSid(SeWorldSid) +
+ sizeof(ACE) + RtlLengthSid(SeAliasAdminsSid) +
+ sizeof(ACE) + RtlLengthSid(SeLocalSystemSid);
+
+ Dacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_OB_DIR_SD);
+ if (Dacl == NULL)
+ {
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+
+ /* Initialize the DACL */
+ RtlCreateAcl(Dacl, AclLength, ACL_REVISION);
+
+ /* Add the ACEs */
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_READ,
+ SeWorldSid);
+
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeAliasAdminsSid);
+
+ RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeLocalSystemSid);
+
+ /* Attach the DACL to the SD */
+ Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor,
+ TRUE,
+ Dacl,
+ FALSE);
+
+ return Status;
+}
+
+static
+VOID
+NTAPI
+INIT_FUNCTION
+ObpFreeKernelObjectsSD(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor)
+{
+ PACL Dacl = NULL;
+ BOOLEAN DaclPresent, Defaulted;
+ NTSTATUS Status;
+
+ Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
+ &DaclPresent,
+ &Dacl,
+ &Defaulted);
+ if (NT_SUCCESS(Status) && Dacl != NULL)
+ {
+ ExFreePool(Dacl);
+ }
+}
 BOOLEAN
 INIT_FUNCTION
@@ -136,6 +212,7 @@
 POBJECT_HEADER Header;
 POBJECT_HEADER_CREATOR_INFO CreatorInfo;
 POBJECT_HEADER_NAME_INFO NameInfo;
+ SECURITY_DESCRIPTOR KernelObjectsSD;
 NTSTATUS Status;
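Review bot: ObpCreateKernelObjectsSD discards the status of RtlCreateAcl and of all three RtlAddAccessAllowedAce calls, so a failure in any of them would still attach a DACL that is incomplete or uninitialized, and \KernelObjects would be created with it without any error surfacing. The function also returns without releasing Dacl when RtlSetDaclSecurityDescriptor fails, and the caller in the third obinit.c hunk returns FALSE on a failed status without calling ObpFreeKernelObjectsSD. I would check every status and free the pool block on any failure, as sketched below. Separately, ObpFreeKernelObjectsSD releases with plain ExFreePool; `ExFreePoolWithTag(Dacl, TAG_OB_DIR_SD);` would match the tagged allocation, and the same applies to whatever frees the obname.c allocation, which lies outside that hunk.

```c
    /* … unchanged: SD initialization, AclLength computation, DACL allocation … */

    /* Initialize the DACL */
    Status = RtlCreateAcl(Dacl, AclLength, ACL_REVISION);
    if (!NT_SUCCESS(Status))
        goto Failure;

    /* Add the ACEs */
    Status = RtlAddAccessAllowedAce(Dacl, ACL_REVISION, GENERIC_READ, SeWorldSid);
    if (!NT_SUCCESS(Status))
        goto Failure;

    Status = RtlAddAccessAllowedAce(Dacl, ACL_REVISION, GENERIC_ALL, SeAliasAdminsSid);
    if (!NT_SUCCESS(Status))
        goto Failure;

    Status = RtlAddAccessAllowedAce(Dacl, ACL_REVISION, GENERIC_ALL, SeLocalSystemSid);
    if (!NT_SUCCESS(Status))
        goto Failure;

    /* Attach the DACL to the SD */
    Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor, TRUE, Dacl, FALSE);
    if (NT_SUCCESS(Status))
        return Status;

Failure:
    /* The descriptor does not own the DACL on a failed build, so release it here */
    ExFreePoolWithTag(Dacl, TAG_OB_DIR_SD);
    return Status;
```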
 /* Check if this is actually Phase 1 initialization */
@@ -258,25 +335,31 @@
 Status = NtClose(Handle);
 if (!NT_SUCCESS(Status)) return FALSE;
- /* Initialize Object Types directory attributes */
+ /* Create a custom security descriptor for the KernelObjects directory */
+ Status = ObpCreateKernelObjectsSD(&KernelObjectsSD);
+ if (!NT_SUCCESS(Status))
+ return FALSE;
+
+ /* Initialize the KernelObjects directory attributes */
 RtlInitUnicodeString(&Name, L"\KernelObjects");
 InitializeObjectAttributes(&ObjectAttributes,
 &Name,
 OBJ_CASE_INSENSITIVE | OBJ_PERMANENT,
 NULL,
- NULL);
-
+ &KernelObjectsSD);
+
 /* Create the directory */
 Status = NtCreateDirectoryObject(&Handle,
 DIRECTORY_ALL_ACCESS,
 &ObjectAttributes);
- if (!NT_SUCCESS(Status)) return FALSE;
-
+ ObpFreeKernelObjectsSD(&KernelObjectsSD);
+ if (!NT_SUCCESS(Status)) return FALSE;
+
 /* Close the extra handle */
 Status = NtClose(Handle);
 if (!NT_SUCCESS(Status)) return FALSE;
- /* Initialize Object Types directory attributes */
+ /* Initialize ObjectTypes directory attributes */
 RtlInitUnicodeString(&Name, L"\ObjectTypes");
 InitializeObjectAttributes(&ObjectAttributes,
 &Name,
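Review bot: Nothing in this hunk records why the DACL may be released as soon as NtCreateDirectoryObject returns, even though the freed pool block is the one the stack descriptor KernelObjectsSD points at. Calling ObpFreeKernelObjectsSD before testing Status is the right order for avoiding a leak on the failure path. A comment above that call, such as `/* The new directory carries its own copy of the descriptor, so the temporary DACL can be released here */`, would document the lifetime assumption; I am inferring that copy from how the code is written, so it should be confirmed against the object creation path before the comment is added. The enclosing function starts and ends outside this hunk.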
Modified: trunk/reactos/ntoskrnl/ob/obname.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ob/obname.c?rev=74...
==============================================================================
--- trunk/reactos/ntoskrnl/ob/obname.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ob/obname.c [iso-8859-1] Sun Mar 5 21:28:10 2017
@@ -55,10 +55,10 @@
 sizeof(ACE) + RtlLengthSid(SeLocalSystemSid) +
 sizeof(ACE) + RtlLengthSid(SeCreatorOwnerSid);
- Dacl = ExAllocatePool(PagedPool, AclLength);
+ Dacl = ExAllocatePoolWithTag(PagedPool, AclLength, TAG_OB_DIR_SD);
 if (Dacl == NULL)
 {
- return STATUS_NO_MEMORY;
+ return STATUS_INSUFFICIENT_RESOURCES;
 }
/* Initialize the DACL */