Author: tkreuzer
Date: Sat Jan 11 15:31:16 2014
New Revision: 61584
URL:
http://svn.reactos.org/svn/reactos?rev=61584&view=rev
Log:
[NTOSKRNL]
Halfplement NtCloseObjectAuditAlarm (the internal function SepAdtCloseObjectAuditAlarm is
not implemented yet, but the function now returns a proper status code)
Modified:
trunk/reactos/include/ndk/psfuncs.h
trunk/reactos/ntoskrnl/se/audit.c
Modified: trunk/reactos/include/ndk/psfuncs.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/include/ndk/psfuncs.h?rev=…
==============================================================================
--- trunk/reactos/include/ndk/psfuncs.h [iso-8859-1] (original)
+++ trunk/reactos/include/ndk/psfuncs.h [iso-8859-1] Sat Jan 11 15:31:16 2014
@@ -149,6 +149,13 @@
//
// Process Impersonation Functions
//
+NTKERNELAPI
+BOOLEAN
+NTAPI
+PsIsThreadImpersonating(
+ _In_ PETHREAD Thread
+);
+
NTKERNELAPI
VOID
NTAPI
Modified: trunk/reactos/ntoskrnl/se/audit.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/audit.c?rev=61…
==============================================================================
--- trunk/reactos/ntoskrnl/se/audit.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/audit.c [iso-8859-1] Sat Jan 11 15:31:16 2014
@@ -336,6 +336,16 @@
UNIMPLEMENTED;
}
+VOID
+NTAPI
+SepAdtCloseObjectAuditAlarm(
+ PUNICODE_STRING SubsystemName,
+ PVOID HandleId,
+ PSID Sid)
+{
+ UNIMPLEMENTED;
+}
+
/* SYSTEM CALLS ***************************************************************/
NTSTATUS
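Review bot: The new SepAdtCloseObjectAuditAlarm stub has no comment saying that it emits no audit record, and its parameters lack the SAL annotations this commit uses for PsIsThreadImpersonating in psfuncs.h. The system call added further down in this commit returns STATUS_SUCCESS after calling the stub, so a reader of audit.c could assume close auditing works. A header comment such as `/* TODO: no audit record is generated yet; success from the caller does not mean the close was logged */` would make the gap explicit. Annotating the parameters as `_In_ PUNICODE_STRING SubsystemName`, `_In_ PVOID HandleId` and `_In_ PSID Sid` would keep the two additions consistent.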
@@ -357,13 +367,90 @@
}
-NTSTATUS NTAPI
-NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName,
- IN PVOID HandleId,
- IN BOOLEAN GenerateOnClose)
-{
- UNIMPLEMENTED;
- return STATUS_NOT_IMPLEMENTED;
+NTSTATUS
+NTAPI
+NtCloseObjectAuditAlarm(
+ PUNICODE_STRING SubsystemName,
+ PVOID HandleId,
+ BOOLEAN GenerateOnClose)
+{
+ UNICODE_STRING CapturedSubsystemName;
+ KPROCESSOR_MODE PreviousMode;
+ BOOLEAN UseImpersonationToken;
+ PETHREAD CurrentThread;
+ BOOLEAN CopyOnOpen, EffectiveOnly;
+ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
+ NTSTATUS Status;
+ PTOKEN Token;
+ PAGED_CODE();
+
+ /* Get the previous mode (only user mode is supported!) */
+ PreviousMode = ExGetPreviousMode();
+ ASSERT(PreviousMode != KernelMode);
+
+ /* Do we even need to do anything? */
+ if (!GenerateOnClose)
+ {
+ /* Nothing to do, return success */
+ return STATUS_SUCCESS;
+ }
+
+ /* Validate privilege */
+ if (!SeSinglePrivilegeCheck(SeAuditPrivilege, PreviousMode))
+ {
+ DPRINT1("Caller does not have SeAuditPrivilege\n");
+ return STATUS_PRIVILEGE_NOT_HELD;
+ }
+
+ /* Probe and capture the subsystem name */
+ Status = ProbeAndCaptureUnicodeString(&CapturedSubsystemName,
+ PreviousMode,
+ SubsystemName);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("Failed to capture subsystem name!\n");
+ return Status;
+ }
+
+ /* Get the current thread and check if it's impersonating */
+ CurrentThread = PsGetCurrentThread();
+ if (PsIsThreadImpersonating(CurrentThread))
+ {
+ /* Get the impersonation token */
+ Token = PsReferenceImpersonationToken(CurrentThread,
+ &CopyOnOpen,
+ &EffectiveOnly,
+ &ImpersonationLevel);
+ UseImpersonationToken = TRUE;
+ }
+ else
+ {
+ /* Get the primary token */
+ Token = PsReferencePrimaryToken(PsGetCurrentProcess());
+ UseImpersonationToken = FALSE;
+ }
+
+ /* Call the internal function */
+ SepAdtCloseObjectAuditAlarm(&CapturedSubsystemName,
+ HandleId,
+ Token->UserAndGroups->Sid);
+
+ /* Release the captured subsystem name */
+ ReleaseCapturedUnicodeString(&CapturedSubsystemName, PreviousMode);
+
+ /* Check what token we used */
+ if (UseImpersonationToken)
+ {
+ /* Release impersonation token */
+ PsDereferenceImpersonationToken(Token);
+ }
+ else
+ {
+ /* Release primary token */
+ PsDereferencePrimaryToken(Token);
+ }
+
+ return STATUS_SUCCESS;
}
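Review bot: `Token` is dereferenced at `Token->UserAndGroups->Sid` without a NULL check, although PsReferenceImpersonationToken returns NULL when the thread has no impersonation token at the moment of the call. The PsIsThreadImpersonating test and the reference are two separate steps, so if the thread's impersonation state can change in between (not visible in this hunk), this path, reachable from user mode by a caller holding SeAuditPrivilege, could fault in the kernel. Taking the reference unconditionally and deciding from its result closes the gap: `UseImpersonationToken = (Token != NULL);` followed by `if (Token == NULL) Token = PsReferencePrimaryToken(PsGetCurrentProcess());`. Separately, `ASSERT(PreviousMode != KernelMode)` is presumably compiled out of release builds, so if kernel-mode callers must be refused, an explicit check with an error return would enforce that where the assertion does not.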