377 lines
10 KiB
C
377 lines
10 KiB
C
|
/*++
|
|||
|
|
|||
|
Copyright (c) 1989-2000 Microsoft Corporation
|
|||
|
|
|||
|
Module Name:
|
|||
|
|
|||
|
AcChkSup.c
|
|||
|
|
|||
|
Abstract:
|
|||
|
|
|||
|
This module implements the FAT access checking routine
|
|||
|
|
|||
|
// @@BEGIN_DDKSPLIT
|
|||
|
|
|||
|
Author:
|
|||
|
|
|||
|
Gary Kimura [GaryKi] 12-Jun-1989
|
|||
|
|
|||
|
Revision History:
|
|||
|
|
|||
|
// @@END_DDKSPLIT
|
|||
|
|
|||
|
--*/
|
|||
|
|
|||
|
#include "FatProcs.h"
|
|||
|
|
|||
|
//
|
|||
|
// Our debug trace level
|
|||
|
//
|
|||
|
|
|||
|
#define Dbg (DEBUG_TRACE_ACCHKSUP)
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
FatCreateRestrictEveryoneToken(
|
|||
|
IN PACCESS_TOKEN Token,
|
|||
|
OUT PACCESS_TOKEN *RestrictedToken
|
|||
|
);
|
|||
|
|
|||
|
#ifdef ALLOC_PRAGMA
|
|||
|
#pragma alloc_text(PAGE, FatCheckFileAccess)
|
|||
|
#pragma alloc_text(PAGE, FatCreateRestrictEveryoneToken)
|
|||
|
#pragma alloc_text(PAGE, FatExplicitDeviceAccessGranted)
|
|||
|
#endif
|
|||
|
|
|||
|
|
|||
|
BOOLEAN
|
|||
|
FatCheckFileAccess (
|
|||
|
PIRP_CONTEXT IrpContext,
|
|||
|
IN UCHAR DirentAttributes,
|
|||
|
IN PACCESS_MASK DesiredAccess
|
|||
|
)
|
|||
|
|
|||
|
/*++
|
|||
|
|
|||
|
Routine Description:
|
|||
|
|
|||
|
This routine checks if a desired access is allowed to a file represented
|
|||
|
by the specified DirentAttriubutes.
|
|||
|
|
|||
|
Arguments:
|
|||
|
|
|||
|
DirentAttributes - Supplies the Dirent attributes to check access for
|
|||
|
|
|||
|
DesiredAccess - Supplies the desired access mask that we are checking for
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
BOOLEAN - TRUE if access is allowed and FALSE otherwise
|
|||
|
|
|||
|
--*/
|
|||
|
|
|||
|
{
|
|||
|
BOOLEAN Result;
|
|||
|
|
|||
|
DebugTrace(+1, Dbg, "FatCheckFileAccess\n", 0);
|
|||
|
DebugTrace( 0, Dbg, "DirentAttributes = %8lx\n", DirentAttributes);
|
|||
|
DebugTrace( 0, Dbg, "DesiredAccess = %8lx\n", *DesiredAccess);
|
|||
|
|
|||
|
//
|
|||
|
// This procedures is programmed like a string of filters each
|
|||
|
// filter checks to see if some access is allowed, if it is not allowed
|
|||
|
// the filter return FALSE to the user without further checks otherwise
|
|||
|
// it moves on to the next filter. The filter check is to check for
|
|||
|
// desired access flags that are not allowed for a particular dirent
|
|||
|
//
|
|||
|
|
|||
|
Result = TRUE;
|
|||
|
|
|||
|
try {
|
|||
|
|
|||
|
//
|
|||
|
// Check for Volume ID or Device Dirents, these are not allowed user
|
|||
|
// access at all
|
|||
|
//
|
|||
|
|
|||
|
if (FlagOn(DirentAttributes, FAT_DIRENT_ATTR_VOLUME_ID) ||
|
|||
|
FlagOn(DirentAttributes, FAT_DIRENT_ATTR_DEVICE)) {
|
|||
|
|
|||
|
DebugTrace(0, Dbg, "Cannot access volume id or device\n", 0);
|
|||
|
|
|||
|
try_return( Result = FALSE );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Check the desired access for the object - we only blackball that
|
|||
|
// we do not understand. The model of filesystems using ACLs is that
|
|||
|
// they do not type the ACL to the object the ACL is on. Permissions
|
|||
|
// are not checked for consistency vs. the object type - dir/file.
|
|||
|
//
|
|||
|
|
|||
|
if (FlagOn(*DesiredAccess, ~(DELETE |
|
|||
|
READ_CONTROL |
|
|||
|
WRITE_OWNER |
|
|||
|
WRITE_DAC |
|
|||
|
SYNCHRONIZE |
|
|||
|
ACCESS_SYSTEM_SECURITY |
|
|||
|
FILE_WRITE_DATA |
|
|||
|
FILE_READ_EA |
|
|||
|
FILE_WRITE_EA |
|
|||
|
FILE_READ_ATTRIBUTES |
|
|||
|
FILE_WRITE_ATTRIBUTES |
|
|||
|
FILE_LIST_DIRECTORY |
|
|||
|
FILE_TRAVERSE |
|
|||
|
FILE_DELETE_CHILD |
|
|||
|
FILE_APPEND_DATA))) {
|
|||
|
|
|||
|
DebugTrace(0, Dbg, "Cannot open object\n", 0);
|
|||
|
|
|||
|
try_return( Result = FALSE );
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Check for a read-only Dirent
|
|||
|
//
|
|||
|
|
|||
|
if (FlagOn(DirentAttributes, FAT_DIRENT_ATTR_READ_ONLY)) {
|
|||
|
|
|||
|
//
|
|||
|
// Check the desired access for a read-only dirent, we blackball
|
|||
|
// WRITE, FILE_APPEND_DATA, FILE_ADD_FILE,
|
|||
|
// FILE_ADD_SUBDIRECTORY, and FILE_DELETE_CHILD
|
|||
|
//
|
|||
|
|
|||
|
if (FlagOn(*DesiredAccess, ~(DELETE |
|
|||
|
READ_CONTROL |
|
|||
|
WRITE_OWNER |
|
|||
|
WRITE_DAC |
|
|||
|
SYNCHRONIZE |
|
|||
|
ACCESS_SYSTEM_SECURITY |
|
|||
|
FILE_READ_DATA |
|
|||
|
FILE_READ_EA |
|
|||
|
FILE_WRITE_EA |
|
|||
|
FILE_READ_ATTRIBUTES |
|
|||
|
FILE_WRITE_ATTRIBUTES |
|
|||
|
FILE_EXECUTE |
|
|||
|
FILE_LIST_DIRECTORY |
|
|||
|
FILE_TRAVERSE))) {
|
|||
|
|
|||
|
DebugTrace(0, Dbg, "Cannot open readonly\n", 0);
|
|||
|
|
|||
|
try_return( Result = FALSE );
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
try_exit: NOTHING;
|
|||
|
} finally {
|
|||
|
|
|||
|
DebugUnwind( FatCheckFileAccess );
|
|||
|
|
|||
|
DebugTrace(-1, Dbg, "FatCheckFileAccess -> %08lx\n", Result);
|
|||
|
}
|
|||
|
|
|||
|
UNREFERENCED_PARAMETER( IrpContext );
|
|||
|
|
|||
|
return Result;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
FatExplicitDeviceAccessGranted (
|
|||
|
IN PIRP_CONTEXT IrpContext,
|
|||
|
IN PDEVICE_OBJECT DeviceObject,
|
|||
|
IN PACCESS_STATE AccessState,
|
|||
|
IN KPROCESSOR_MODE ProcessorMode
|
|||
|
)
|
|||
|
|
|||
|
/*++
|
|||
|
|
|||
|
Routine Description:
|
|||
|
|
|||
|
This function asks whether the SID described in the input access state has
|
|||
|
been granted any explicit access to the given device object. It does this
|
|||
|
by acquiring a token stripped of its ability to acquire access via the
|
|||
|
Everyone SID and re-doing the access check.
|
|||
|
|
|||
|
Arguments:
|
|||
|
|
|||
|
DeviceObject - the device whose ACL will be checked
|
|||
|
|
|||
|
AccessState - the access state describing the security context to be checked
|
|||
|
|
|||
|
ProcessorMode - the mode this check should occur against
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
NTSTATUS - Indicating whether explicit access was granted.
|
|||
|
|
|||
|
--*/
|
|||
|
|
|||
|
{
|
|||
|
NTSTATUS Status;
|
|||
|
BOOLEAN Result;
|
|||
|
|
|||
|
PACCESS_TOKEN OriginalAccessToken;
|
|||
|
PACCESS_TOKEN RestrictedAccessToken;
|
|||
|
|
|||
|
PACCESS_TOKEN *EffectiveToken;
|
|||
|
|
|||
|
PRIVILEGE_SET PrivilegeSet;
|
|||
|
|
|||
|
ACCESS_MASK GrantedAccess;
|
|||
|
|
|||
|
//
|
|||
|
// If the access state indicates that specific access other
|
|||
|
// than traverse was acquired, either Everyone does have such
|
|||
|
// access or explicit access was granted. In both cases, we're
|
|||
|
// happy to let this proceed.
|
|||
|
//
|
|||
|
|
|||
|
if (AccessState->PreviouslyGrantedAccess & (SPECIFIC_RIGHTS_ALL ^
|
|||
|
FILE_TRAVERSE)) {
|
|||
|
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// If the manage volume privilege is held, this also permits access.
|
|||
|
//
|
|||
|
|
|||
|
PrivilegeSet.PrivilegeCount = 1;
|
|||
|
PrivilegeSet.Control = PRIVILEGE_SET_ALL_NECESSARY;
|
|||
|
PrivilegeSet.Privilege[0].Luid = RtlConvertLongToLuid( SE_MANAGE_VOLUME_PRIVILEGE );
|
|||
|
PrivilegeSet.Privilege[0].Attributes = 0;
|
|||
|
|
|||
|
if (SePrivilegeCheck( &PrivilegeSet,
|
|||
|
&AccessState->SubjectSecurityContext,
|
|||
|
ProcessorMode )) {
|
|||
|
|
|||
|
return STATUS_SUCCESS;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Capture the subject context as a prelude to everything below.
|
|||
|
//
|
|||
|
|
|||
|
SeLockSubjectContext( &AccessState->SubjectSecurityContext );
|
|||
|
|
|||
|
//
|
|||
|
// Convert the token in the subject context into one which does not
|
|||
|
// acquire access through the Everyone SID.
|
|||
|
//
|
|||
|
// The logic for deciding which token is effective comes from
|
|||
|
// SeQuerySubjectContextToken; since there is no natural way
|
|||
|
// of getting a pointer to it, do it by hand.
|
|||
|
//
|
|||
|
|
|||
|
if (ARGUMENT_PRESENT( AccessState->SubjectSecurityContext.ClientToken )) {
|
|||
|
EffectiveToken = &AccessState->SubjectSecurityContext.ClientToken;
|
|||
|
} else {
|
|||
|
EffectiveToken = &AccessState->SubjectSecurityContext.PrimaryToken;
|
|||
|
}
|
|||
|
|
|||
|
OriginalAccessToken = *EffectiveToken;
|
|||
|
Status = FatCreateRestrictEveryoneToken( OriginalAccessToken, &RestrictedAccessToken );
|
|||
|
|
|||
|
if (!NT_SUCCESS(Status)) {
|
|||
|
|
|||
|
SeReleaseSubjectContext( &AccessState->SubjectSecurityContext );
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
//
|
|||
|
// Now see if the resulting context has access to the device through
|
|||
|
// its explicitly granted access. We swap in our restricted token
|
|||
|
// for this check as the effective client token.
|
|||
|
//
|
|||
|
|
|||
|
*EffectiveToken = RestrictedAccessToken;
|
|||
|
|
|||
|
Result = SeAccessCheck( DeviceObject->SecurityDescriptor,
|
|||
|
&AccessState->SubjectSecurityContext,
|
|||
|
FALSE,
|
|||
|
AccessState->OriginalDesiredAccess,
|
|||
|
0,
|
|||
|
NULL,
|
|||
|
IoGetFileObjectGenericMapping(),
|
|||
|
ProcessorMode,
|
|||
|
&GrantedAccess,
|
|||
|
&Status );
|
|||
|
|
|||
|
*EffectiveToken = OriginalAccessToken;
|
|||
|
|
|||
|
//
|
|||
|
// Cleanup and return.
|
|||
|
//
|
|||
|
|
|||
|
SeUnlockSubjectContext( &AccessState->SubjectSecurityContext );
|
|||
|
ObDereferenceObject( RestrictedAccessToken );
|
|||
|
|
|||
|
return Status;
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
FatCreateRestrictEveryoneToken (
|
|||
|
IN PACCESS_TOKEN Token,
|
|||
|
OUT PACCESS_TOKEN *RestrictedToken
|
|||
|
)
|
|||
|
|
|||
|
/*++
|
|||
|
|
|||
|
Routine Description:
|
|||
|
|
|||
|
This function takes a token as the input and returns a new restricted token
|
|||
|
from which Everyone sid has been disabled. The resulting token may be used
|
|||
|
to find out if access is available to a user-sid by explicit means.
|
|||
|
|
|||
|
Arguments:
|
|||
|
|
|||
|
Token - Input token from which Everyone sid needs to be deactivated.
|
|||
|
|
|||
|
RestrictedToken - Receives the the new restricted token.
|
|||
|
This must be released using ObDereferenceObject(*RestrictedToken);
|
|||
|
|
|||
|
Return Value:
|
|||
|
|
|||
|
NTSTATUS - Returned by SeFilterToken.
|
|||
|
|
|||
|
--*/
|
|||
|
|
|||
|
{
|
|||
|
//
|
|||
|
// Array of sids to disable.
|
|||
|
//
|
|||
|
|
|||
|
TOKEN_GROUPS SidsToDisable;
|
|||
|
|
|||
|
NTSTATUS Status = STATUS_SUCCESS;
|
|||
|
|
|||
|
//
|
|||
|
// Restricted token will contain the original sids with one change:
|
|||
|
// If Everyone sid is present in the token, it will be marked for DenyOnly.
|
|||
|
//
|
|||
|
|
|||
|
*RestrictedToken = NULL;
|
|||
|
|
|||
|
//
|
|||
|
// Put Everyone sid in the array of sids to disable. This will mark it
|
|||
|
// for SE_GROUP_USE_FOR_DENY_ONLY and it'll only be applicable for Deny aces.
|
|||
|
//
|
|||
|
|
|||
|
SidsToDisable.GroupCount = 1;
|
|||
|
SidsToDisable.Groups[0].Attributes = 0;
|
|||
|
SidsToDisable.Groups[0].Sid = SeExports->SeWorldSid;
|
|||
|
|
|||
|
Status = SeFilterToken(
|
|||
|
Token, // Token that needs to be restricted.
|
|||
|
0, // No flags
|
|||
|
&SidsToDisable, // Disable everyone sid
|
|||
|
NULL, // Do not create any restricted sids
|
|||
|
NULL, // Do not delete any privileges
|
|||
|
RestrictedToken // Restricted token
|
|||
|
);
|
|||
|
|
|||
|
return Status;
|
|||
|
}
|