/*++

Copyright (c) 2000 Microsoft Corporation

Module Name:

    authzp.h

Abstract:

    Internal header file for the authorization APIs (authz.dll). Everything
    declared here is private to the implementation; resource managers use
    the public authz.h interface only.

Author:

    Kedar Dubhashi - March 2000

Environment:

    User mode only.

Revision History:

    Created - March 2000

--*/
|
||
|
|
||
|
#ifndef __AUTHZP_H__
|
||
|
#define __AUTHZP_H__
|
||
|
|
||
|
#define _AUTHZ_
|
||
|
|
||
|
#include <authz.h>
|
||
|
#include <authzi.h>
|
||
|
|
||
|
//
// Build configuration. The "#if 0" arm holds the debug-only switches
// (AUTHZ_DEBUG, AUTHZ_DEBUG_QUEUE, AUTHZ_DEBUG_MEMLEAK - the last one
// reroutes AuthzpAlloc/AuthzpFree through instrumented functions, see
// below); the live "#else" arm is what ships. AUTHZ_PARAM_CHECK presumably
// gates argument validation in the exported entry points and
// AUTHZ_AUDIT_COUNTER the audit bookkeeping - confirm in the .c files.
// Do not flip this to "#if 1" for a release build: besides enabling the
// debug paths it would silently drop both of those defines.
//
#if 0
#define AUTHZ_DEBUG
#define AUTHZ_DEBUG_QUEUE
#define AUTHZ_DEBUG_MEMLEAK
#else
#define AUTHZ_PARAM_CHECK
#define AUTHZ_AUDIT_COUNTER
#endif
|
||
|
|
||
|
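//
// Close a handle, tolerating NULL (saves the call when there is nothing to
// close). Wrapped in do { } while (0) so that the macro is a single
// statement: the previous bare "if { }" form would capture a following
// "else" belonging to the caller's if. Invocations must end with a
// semicolon. The return value of CloseHandle is ignored, as before.
//
#define AuthzpCloseHandleNonNull(h) do { if (NULL != (h)) { AuthzpCloseHandle((h)); } } while (0)
#define AuthzpCloseHandle(h) CloseHandle((h))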
|
||
|
|
||
|
//
// Size of the local stack buffer used to save a kernel call as well as a memory
// allocation. The constant only sizes the buffer; it bounds nothing by
// itself. Code that uses such a buffer must compare the size it needs
// against this value first and fall back to AuthzpAlloc when it does not
// fit.
//

#define AUTHZ_MAX_STACK_BUFFER_SIZE 1024
|
||
|
|
||
|
//
// Allocation wrappers. The production arm maps onto LocalAlloc with
// LMEM_ZEROINIT, so every block handed out by AuthzpAlloc starts zeroed;
// the AUTHZ_DEBUG_MEMLEAK arm routes through instrumented functions defined
// elsewhere. Keep the two arms interchangeable - callers may rely on the
// zero fill.
//
#ifndef AUTHZ_DEBUG_MEMLEAK

#define AuthzpAlloc(s) LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, (s))
#define AuthzpFree(p) LocalFree((p))

#else

//
// This is to be used for debugging memory leaks. Primitive method but works in
// a small project like this. Note that this AuthzpAlloc takes a DWORD, so
// sizes must fit in 32 bits in either configuration.
//

PVOID
AuthzpAlloc(IN DWORD Size);

VOID
AuthzpFree(PVOID l);

#endif
|
||
|
|
||
|
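//
// Given two sids and the length of the first sid, compare the two sids.
//
// The first DWORD (Revision, SubAuthorityCount and the top two bytes of
// IdentifierAuthority) is compared before the full memory compare so that
// SIDs of a different shape are rejected cheaply. Because that DWORD covers
// SubAuthorityCount, two well-formed SIDs that pass it have the same
// length, which is what makes reading l bytes from d safe: d must
// therefore be a validated SID, not an arbitrary buffer. Both pointers are
// dereferenced as DWORD and so must be DWORD-aligned. Every argument is
// evaluated more than once. Arguments are parenthesised before the cast so
// that an expression such as "p + n" is cast as a whole.
//

#define AUTHZ_EQUAL_SID(s, d, l) ((*((DWORD*)(s)) == *((DWORD*)(d))) && (RtlEqualMemory((s), (d), (l))))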
|
||
|
|
||
|
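//
// Compares a given sid with the well known constant PrincipalSelfSid
// (S-1-5-10: a single-subauthority SID, hence the 12-byte compare).
//
// The SubAuthorityCount byte (offset 1 in a SID) is tested first. A SID
// that does not have exactly one subauthority can never match, and short-
// circuiting on it keeps the 12-byte compare from reading past the end of
// an 8-byte, zero-subauthority SID. s must point at a well-formed SID and
// is evaluated twice.
//

#define AUTHZ_IS_PRINCIPAL_SELF_SID(s) \
    ((((PUCHAR)(s))[1] == 1) && (RtlEqualMemory(pAuthzPrincipalSelfSid, (s), 12)))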
|
||
|
|
||
|
//
// A client context counts as restricted when its restricted-SID array was
// populated at capture time; an unrestricted token leaves RestrictedSids
// NULL (and RestrictedSidCount 0).
//

#define AUTHZ_TOKEN_RESTRICTED(t) ((t)->RestrictedSids != NULL)
|
||
|
|
||
|
//
// Two privileges are important for access check:
//     SeSecurityPrivilege
//     SeTakeOwnershipPrivilege
// (conventionally these back ACCESS_SYSTEM_SECURITY and WRITE_OWNER
// respectively - confirm in the access check code).
// Both these are detected at the time of client context capture from token
// and stored in the flags (AUTHZ_SECURITY_PRIVILEGE_ENABLED /
// AUTHZ_TAKE_OWNERSHIP_PRIVILEGE_ENABLED in AUTHZI_CLIENT_CONTEXT.Flags).
// Because they are a snapshot, enabling or disabling the privilege in the
// token afterwards does not affect an existing context.
//

#define AUTHZ_PRIVILEGE_CHECK(t, f) (FLAG_ON((t)->Flags, (f)))
|
||
|
|
||
|
//
// Flags in the cached handle (AUTHZI_HANDLE.Flags), collected while the ACL
// is walked through the pCachingFlags out-parameter of the access check
// helpers. They presumably tell the quick / cached access check whether the
// static result stored in GrantedAccessMask can be reused as is:
//   AUTHZ_DENY_ACE_PRESENT            - a deny ACE was seen.
//   AUTHZ_PRINCIPAL_SELF_ACE_PRESENT  - an ACE names PRINCIPAL_SELF, whose
//                                       meaning depends on the request.
//   AUTHZ_DYNAMIC_ALLOW_ACE_PRESENT   - a callback ACE whose applicability
//   AUTHZ_DYNAMIC_DENY_ACE_PRESENT      is decided per request by the RM.
// Any bit of AUTHZ_DYNAMIC_EVALUATION_PRESENT means part of the check is
// request-dependent and cannot be answered from the cache alone.
//

#define AUTHZ_DENY_ACE_PRESENT 0x00000001
#define AUTHZ_PRINCIPAL_SELF_ACE_PRESENT 0x00000002
#define AUTHZ_DYNAMIC_ALLOW_ACE_PRESENT 0x00000004
#define AUTHZ_DYNAMIC_DENY_ACE_PRESENT 0x00000008
#define AUTHZ_DYNAMIC_EVALUATION_PRESENT (AUTHZ_PRINCIPAL_SELF_ACE_PRESENT | \
                                          AUTHZ_DYNAMIC_ALLOW_ACE_PRESENT | \
                                          AUTHZ_DYNAMIC_DENY_ACE_PRESENT)
|
||
|
|
||
|
//
// There are only two valid attributes from access check point of view
//     SE_GROUP_ENABLED
//     SE_GROUP_USE_FOR_DENY_ONLY
// A SID carrying neither is ignored. One marked USE_FOR_DENY_ONLY is
// expected to match deny ACEs but never allow ACEs (the DenyAce parameter
// of AuthzpSidApplicable presumably selects this). Other attribute bits
// (SE_GROUP_OWNER, SE_GROUP_LOGON_ID, ...) play no part in the decision.
//

#define AUTHZ_VALID_SID_ATTRIBUTES (SE_GROUP_ENABLED | SE_GROUP_USE_FOR_DENY_ONLY)
|
||
|
|
||
|
//
// True when any bit of b is set in f. Any earlier definition from the
// included headers is discarded first so this file's version is the one
// in effect.
//

#ifdef FLAG_ON
#undef FLAG_ON
#endif

#define FLAG_ON(f, b) (((f) & (b)) != 0)
|
||
|
|
||
|
//
// True when the pointer f is not NULL. Redefined unconditionally so that a
// stray definition from an included header cannot change its meaning.
//

#ifdef AUTHZ_NON_NULL_PTR
#undef AUTHZ_NON_NULL_PTR
#endif

#define AUTHZ_NON_NULL_PTR(f) ((f) != NULL)
|
||
|
|
||
|
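//
// If the pointer is not null then free it. This saves a function call in
// the cases where the pointer is null (LocalFree itself tolerates NULL).
//
// Wrapped in do { } while (0) so that the macro is a single statement: the
// previous bare "if { }" form would capture a following "else" belonging to
// the caller's if. Invocations must end with a semicolon. The pointer is
// evaluated twice, and it is not reset to NULL afterwards - callers that
// keep the variable alive should clear it themselves.
//

#define AuthzpFreeNonNull(p) do { if (NULL != (p)) { AuthzpFree((p)); } } while (0)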
|
||
|
|
||
|
//
// True when an allocation (AuthzpAlloc or similar) returned NULL.
//

#define AUTHZ_ALLOCATION_FAILED(p) ((p) == NULL)
|
||
|
|
||
|
//
// Macros to traverse the acl.
// The first one gets the first ace in a given acl.
// The second one gives the next ace given the current one.
//
// Both are plain pointer arithmetic on sizes taken from the buffer itself
// and check neither AclSize nor AceCount. On an ACL from an unvalidated
// security descriptor an AceSize of 0 makes NextAce return the same ACE
// forever and an oversized AceSize walks off the end of the buffer, so use
// them only on ACLs that have been validated (RtlValidAcl /
// RtlValidSecurityDescriptor) and only for AceCount iterations.
//

#define FirstAce(Acl) ((PVOID)((PUCHAR)(Acl) + sizeof(ACL)))
#define NextAce(Ace) ((PVOID)((PUCHAR)(Ace) + ((PACE_HEADER)(Ace))->AceSize))
|
||
|
|
||
|
//
// These do not need to be defined now since the decision was to put the burden
// on the resource managers. There are disadvantages of making it thread safe.
// Our choices are:
// 1. Have exactly one lock in authz.dll and suffer heavy contention.
// 2. Define one lock per client context which might be too expensive in
//    cases where the clients are too many.
// 3. Let the resource manager decide whether they need locking - unlikely
//    that locks are needed since it is wrong design on part of the RM to
//    have one thread that changes the client context while the other one
//    is doing an access check.
//
// Consequently every lock macro below expands to nothing: a client context
// and its cached handles are NOT protected against concurrent modification.
// An RM that shares a context across threads must itself serialise
// mutation (adding dynamic SIDs, freeing the context) against in-flight
// access checks.
//

#define AuthzpAcquireClientContextWriteLock(c)
#define AuthzpAcquireClientContextReadLock(c)
#define AuthzpReleaseClientContextLock(c)

#define AuthzpAcquireClientCacheWriteLock(c)
#define AuthzpReleaseClientCacheLock(c)

//
// Plain zero fill (RtlZeroMemory is typically just memset). Fine for
// initialising structures; if it is ever used to scrub sensitive data
// right before freeing it, use RtlSecureZeroMemory for that call, since a
// dead store to memory about to be released may be optimised away.
//
#define AuthzpZeroMemory(p, s) RtlZeroMemory((p), (s))
|
||
|
|
||
|
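//
// Locate the SID that trails an ACE.
//
// In an object ACE the SID follows the optional ObjectType and
// InheritedObjectType GUIDs, whose presence is signalled by the ACE's Flags
// (RtlObjectAceObjectTypePresent / RtlObjectAceInheritedObjectTypePresent),
// so the SID offset is computed at run time. In a plain ACE the SID starts
// at SidStart. Neither macro checks that AceSize actually covers the GUIDs
// and the SID; walk only ACLs that have been validated. Ace is evaluated
// more than once.
//
#define AuthzObjectAceSid(Ace) \
    ((PSID)(((PUCHAR)&(((PKNOWN_OBJECT_ACE)(Ace))->SidStart)) + \
            (RtlObjectAceObjectTypePresent(Ace) ? sizeof(GUID) : 0 ) + \
            (RtlObjectAceInheritedObjectTypePresent(Ace) ? sizeof(GUID) : 0 )))

//
// The Ace argument is parenthesised before the cast so that an expression
// such as "pBase + Offset" is converted as a whole; without the parentheses
// the cast bound to pBase alone and the "+ Offset" became PKNOWN_ACE
// arithmetic.
//
#define AuthzAceSid(Ace) ((PSID)&(((PKNOWN_ACE)(Ace))->SidStart))

//
// Callback ACEs share the layout of their non-callback counterparts.
//
#define AuthzCallbackAceSid(Ace) AuthzAceSid(Ace)

#define AuthzCallbackObjectAceSid(Ace) AuthzObjectAceSid(Ace)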
|
||
|
|
||
|
//
// Internal structure of the object type list.
//
// This is Authz's private, flattened copy of the caller's OBJECT_TYPE_LIST
// (built by AuthzpCaptureObjectTypeList) extended with the per-node
// bookkeeping the tree walk needs. The tree is stored in an array; parent /
// child relationships are recovered from Level and ParentIndex.
//
// Level - Level of the element in the tree. The level of the root is 0.
// Flags - To be used for auditing. The valid ones are
//     AUTHZ_OBJECT_SUCCESS_AUDIT
//     AUTHZ_OBJECT_FAILURE_AUDIT
// ObjectType - The guid for this element, stored by value (not a pointer
//     into the caller's list, so the copy is independent of it).
// ParentIndex - The index of the parent of this element in the array. The
//     parent index for the root is -1.
// Remaining - Remaining access bits for this element, used during normal access
//     check algorithm.
// CurrentGranted - Granted access bits so far for this element, used during
//     maximum allowed access check.
// CurrentDenied - Explicitly denied access bits for this element, used during
//     maximum allowed access check.
//

typedef struct _IOBJECT_TYPE_LIST {
    USHORT Level;
    USHORT Flags;
#define AUTHZ_OBJECT_SUCCESS_AUDIT 0x1
#define AUTHZ_OBJECT_FAILURE_AUDIT 0x2
    GUID ObjectType;
    LONG ParentIndex;
    ACCESS_MASK Remaining;
    ACCESS_MASK CurrentGranted;
    ACCESS_MASK CurrentDenied;
} IOBJECT_TYPE_LIST, *PIOBJECT_TYPE_LIST;
|
||
|
|
||
|
//
// Audit queue. Audit entries (AUTHZ_AUDIT_QUEUE_ENTRY) are appended to
// AuthzAuditQueue by the access check path and drained by a dedicated
// thread (hAuthzAuditThread, see AuthzpDeQueueThreadWorker) that forwards
// them to LSA. The high / low marks and the associated event and boolean
// presumably let the producer stall once the RM-specified limit is reached,
// so a burst of audits cannot grow the queue without bound.
//

typedef struct _AUTHZI_AUDIT_QUEUE
{

    //
    // Flags defined in authz.h
    //

    DWORD Flags;

    //
    // High and low marks for the auditing queue
    //

    DWORD dwAuditQueueHigh;
    DWORD dwAuditQueueLow;

    //
    // CS for locking the audit queue. Presumably guards AuthzAuditQueue,
    // AuthzAuditQueueLength and bAuthzAuditQueueHighEvent - confirm in the
    // queue code that every reader and writer takes it.
    //

    RTL_CRITICAL_SECTION AuthzAuditQueueLock;

    //
    // The audit queue and length.
    //

    LIST_ENTRY AuthzAuditQueue;
    ULONG AuthzAuditQueueLength;

    //
    // Handle to the thread that maintains the audit queue.
    //

    HANDLE hAuthzAuditThread;

    //
    // This event signals that an audit was placed on the queue.
    //

    HANDLE hAuthzAuditAddedEvent;

    //
    // This event signals that the queue is empty. Initially signalled.
    //

    HANDLE hAuthzAuditQueueEmptyEvent;

    //
    // This boolean indicates that the queue size has reached the RM-specified high water mark.
    //

    BOOL bAuthzAuditQueueHighEvent;

    //
    // This event signals that the queue size is at or below the RM-specified low water mark.
    //

    HANDLE hAuthzAuditQueueLowEvent;

    //
    // This boolean is set to TRUE during the life of the resource manager. When it turns to FALSE, the
    // dequeue thread knows that it should exit.
    //
    // NOTE(review): this is a plain BOOL shared between the RM's thread and
    // the dequeue thread. If it is read or written outside
    // AuthzAuditQueueLock it needs volatile / interlocked access - verify at
    // the use sites.
    //

    BOOL bWorker;

} AUTHZI_AUDIT_QUEUE, *PAUTHZI_AUDIT_QUEUE;
|
||
|
|
||
|
//
// Per-resource-manager state. Holds the RM's optional callbacks, the
// identity the RM runs as (recorded for audits) and the RM's default audit
// event types and audit queue.
//

typedef struct _AUTHZI_RESOURCE_MANAGER
{
    //
    // No valid flags have been defined yet.
    //

    DWORD Flags;

    //
    // Callback function registered by AuthzRegisterRMAccessCheckCallback, to be
    // used to interpret callback aces. If no such function is registered by the
    // RM then the default behavior is to return TRUE for a deny ACE, FALSE for
    // a grant ACE - i.e. an uninterpreted callback ACE can only take access
    // away, never grant it (fail closed).
    //

    PFN_AUTHZ_DYNAMIC_ACCESS_CHECK pfnDynamicAccessCheck;

    //
    // Callback function registered by AuthzRegisterDynamicGroupsCallback, to be
    // used to compute groups to be added to the client context. If no such
    // function is registered by the RM then the default behavior is to return
    // no groups. Groups returned here presumably go through
    // AuthzpAddDynamicSidsToToken and thereafter count like token groups,
    // so the RM is trusted to compute them correctly.
    //

    PFN_AUTHZ_COMPUTE_DYNAMIC_GROUPS pfnComputeDynamicGroups;

    //
    // Callback function registered by AuthzRegisterDynamicGroupsCallback, to be
    // used to free memory allocated by ComputeDynamicGroupsFn.
    //

    PFN_AUTHZ_FREE_DYNAMIC_GROUPS pfnFreeDynamicGroups;

    //
    // String name of resource manager. Appears in audits. Supplied by the RM;
    // whether it is copied or borrowed is decided in the initialisation code.
    //

    PWSTR szResourceManagerName;

    //
    // The user SID and Authentication ID of the RM process (see
    // AuthzpGetProcessTokenInfo / AuthzpGetThreadTokenInfo). pUserSID is
    // presumably heap-owned by this structure - confirm against the cleanup
    // path.
    //

    PSID pUserSID;
    LUID AuthID;

    //
    // Default queue and audit events for the RM
    //

#define AUTHZP_DEFAULT_RM_EVENTS 0x2

    AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAET;
    AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAETDS;

    AUTHZ_AUDIT_QUEUE_HANDLE hAuditQueue;

} AUTHZI_RESOURCE_MANAGER, *PAUTHZI_RESOURCE_MANAGER;
|
||
|
|
||
|
|
||
|
typedef struct _AUTHZI_CLIENT_CONTEXT AUTHZI_CLIENT_CONTEXT, *PAUTHZI_CLIENT_CONTEXT;
|
||
|
typedef struct _AUTHZI_HANDLE AUTHZI_HANDLE, *PAUTHZI_HANDLE;
|
||
|
|
||
|
//
// the number of sids that we hash is equal to
// the number of bits in AUTHZI_SID_HASH_ENTRY
//
// NOTE(review): the guard below tests _WIN64_ (trailing underscore), which
// is not the compiler-defined _WIN64. Unless the build environment defines
// _WIN64_ itself, 64-bit builds take the DWORD branch and the hash covers
// only 32 SIDs. Confirm which macro the build actually sets before relying
// on the wider entry.
//

#ifdef _WIN64_
typedef ULONGLONG AUTHZI_SID_HASH_ENTRY, *PAUTHZI_SID_HASH_ENTRY;
#else
typedef DWORD AUTHZI_SID_HASH_ENTRY, *PAUTHZI_SID_HASH_ENTRY;
#endif

#define AUTHZI_SID_HASH_ENTRY_NUM_BITS (8*sizeof(AUTHZI_SID_HASH_ENTRY))

//
// the hash size is not related to the number of bits. it is the size
// required to hold two 16 element arrays: entries 0..15 are indexed by the
// low nibble of the hashed byte and entries 16..31 by the high nibble
// (see AUTHZ_SID_HASH_LOOKUP).
//

#define AUTHZI_SID_HASH_SIZE 32
|
||
|
|
||
|
//
// Authz's private representation of a client: the SIDs, privileges and
// identity that every access check is evaluated against. Built from a
// token or from a SID / name (AuthzpAllocateAndInitializeClientContext)
// and optionally extended with RM-supplied dynamic groups
// (AuthzpAddDynamicSidsToToken).
//
// Concurrency: the AuthzpAcquireClientContext*Lock macros in this header
// are empty, so nothing in here is protected. The RM must not mutate or
// free a context while another thread is running an access check on it.
//

struct _AUTHZI_CLIENT_CONTEXT
{

    //
    // The client context structure is recursive to support delegated clients.
    // Not in the picture yet though.
    //

    PAUTHZI_CLIENT_CONTEXT Server;

    //
    // Context will always be created with Revision of AUTHZ_CURRENT_CONTEXT_REVISION.
    //

#define AUTHZ_CURRENT_CONTEXT_REVISION 1

    DWORD Revision;

    //
    // Resource manager supplied identifier. We do not ever use this.
    //

    LUID Identifier;

    //
    // AuthenticationId captured from the token of the client. Needed for
    // auditing.
    //

    LUID AuthenticationId;

    //
    // Token expiration time. This one will be checked at the time of access check against
    // the current time.
    //

    LARGE_INTEGER ExpirationTime;

    //
    // Internal flags for the token. The two privilege bits are a snapshot
    // taken when the context was captured (see AUTHZ_PRIVILEGE_CHECK);
    // enabling or disabling the privilege in the token afterwards does not
    // update an existing context.
    //

#define AUTHZ_TAKE_OWNERSHIP_PRIVILEGE_ENABLED 0x00000001
#define AUTHZ_SECURITY_PRIVILEGE_ENABLED 0x00000002


    DWORD Flags;

    //
    // Sids used for normal access checks. SidLength is a byte size for the
    // Sids allocation (presumably the array plus the SID bodies it points at
    // - confirm in the capture code). SidHash is the nibble-indexed filter
    // built by AuthzpInitSidHash over these SIDs and consulted through
    // AUTHZ_SID_HASH_LOOKUP before a full compare.
    //

    DWORD SidCount;
    DWORD SidLength;
    PSID_AND_ATTRIBUTES Sids;

    AUTHZI_SID_HASH_ENTRY SidHash[AUTHZI_SID_HASH_SIZE];


    //
    // Sids used if the token is restricted. These will usually be 0 and NULL respectively.
    // A non-NULL RestrictedSids is what AUTHZ_TOKEN_RESTRICTED tests; the
    // multiple-SD checks take a Restricted flag and presumably evaluate the
    // ACL against this list as well.
    //

    DWORD RestrictedSidCount;
    DWORD RestrictedSidLength;
    PSID_AND_ATTRIBUTES RestrictedSids;

    AUTHZI_SID_HASH_ENTRY RestrictedSidHash[AUTHZI_SID_HASH_SIZE];

    //
    // Privileges used in access checks. Relevant ones are:
    //     1. SeSecurityPrivilege
    //     2. SeTakeOwnershipPrivilege
    // If there are no privileges associated with the client context then the PrivilegeCount = 0
    // and Privileges = NULL
    //

    DWORD PrivilegeCount;
    DWORD PrivilegeLength;
    PLUID_AND_ATTRIBUTES Privileges;

    //
    // Handles open for this client. When the client context is destroyed all the handles are
    // cleaned up. Each handle also points back here
    // (AUTHZI_HANDLE.pAuthzClientContext), so a handle must never outlive
    // its context.
    //

    PAUTHZI_HANDLE AuthzHandleHead;

    //
    // Pointer to the resource manager, needed to retrieve static auditing information.
    // There is no reference count on this link; the RM must outlive every
    // context created from it.
    //

    PAUTHZI_RESOURCE_MANAGER pResourceManager;

};
|
||
|
|
||
|
//
// Cached access check result (the object behind
// AUTHZ_ACCESS_CHECK_RESULTS_HANDLE). Created by AuthzpCacheResults and
// chained off the owning client context so that the quick access check
// routines can answer later requests from GrantedAccessMask without
// walking the ACL again.
//

struct _AUTHZI_HANDLE
{
    //
    // Pointers to the next handle maintained by the AuthzClientContext object.
    //

    PAUTHZI_HANDLE next;

    //
    // Pointer to the security descriptors provided by the RM at the time of first access
    // check call. We do not make a copy of the security descriptors. The assumption
    // is that the SDs will be valid at least as long as the the handle is open.
    //
    // NOTE(review): because nothing is copied, an RM that frees or rewrites
    // an SD while a handle is open leaves these pointers dangling and / or
    // leaves GrantedAccessMask describing an ACL that no longer exists. An
    // RM that changes an object's SD must close the cached handles first.
    //

    PSECURITY_DESCRIPTOR pSecurityDescriptor;
    PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray;
    DWORD OptionalSecurityDescriptorCount;

    //
    // Flags for internal usage only (the AUTHZ_*_ACE_PRESENT caching flags
    // defined near the top of this header).
    //

    DWORD Flags;

    //
    // Back pointer to the client context that created this handle, required if the static
    // access granted is insufficient and access check needs to be performed again.
    //

    PAUTHZI_CLIENT_CONTEXT pAuthzClientContext;

    //
    // Results of the maximum allowed static access. Variable length: the
    // structure must be allocated with room for ResultListLength masks
    // (presumably one per object type list entry, or one when no list was
    // supplied), and ResultListLength is the bound for every index into it.
    //

    DWORD ResultListLength;
    ACCESS_MASK GrantedAccessMask[ANYSIZE_ARRAY];
};
|
||
|
|
||
|
|
||
|
//
// This structure stores per access audit information. The structure
// is opaque and initialized with AuthzInitAuditInfo
//
// The RM-supplied strings below presumably end up in the audit record
// (via AuthzpGenerateAudit / AuthzpCreateAndLogAudit), so the RM is the
// only thing that sanitises them; treat them as RM-trusted, not
// client-trusted, data.
//

typedef struct _AUTHZI_AUDIT_EVENT
{

    //
    // size of allocated blob for this structure. Presumably the strings are
    // packed into the same allocation, hence one size rather than
    // sizeof(AUTHZI_AUDIT_EVENT) - confirm in the initialisation code.
    //

    DWORD dwSize;

    //
    // Flags are specified in authz.h, and this single private flag for DS callers.
    // (The private flag's value is not defined in this header.)
    //

    DWORD Flags;

    //
    // AuditParams used for audit if available. If no AuditParams is available
    // and the audit id is SE_AUDITID_OBJECT_OPERATION then Authz will construct a
    // suitable structure.
    //

    PAUDIT_PARAMS pAuditParams;

    //
    // Structure defining the Audit Event category and id
    //

    AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAET;

    //
    // millisecond timeout value
    //

    DWORD dwTimeOut;

    //
    // RM specified strings describing this event.
    //

    PWSTR szOperationType;
    PWSTR szObjectType;
    PWSTR szObjectName;
    PWSTR szAdditionalInfo;

    //
    // Queue the audit is delivered through (overrides the RM default).
    //

    AUTHZ_AUDIT_QUEUE_HANDLE hAuditQueue;

} AUTHZI_AUDIT_EVENT, *PAUTHZI_AUDIT_EVENT;
|
||
|
|
||
|
//
// structure to maintain queue of audits to be sent to LSA
//
// One entry per pending audit, linked through `list` into
// AUTHZI_AUDIT_QUEUE.AuthzAuditQueue. Because the entry outlives the call
// that produced it, pAuditParams has to be a self-contained copy (see
// AuthzpMarshallAuditParams) rather than a pointer into the caller's
// buffers - presumably that is what the enqueue path stores here.
//

typedef struct _AUTHZ_AUDIT_QUEUE_ENTRY
{
    LIST_ENTRY list;
    PAUTHZ_AUDIT_EVENT_TYPE_OLD pAAETO;
    DWORD Flags;
    AUDIT_PARAMS * pAuditParams;
    PVOID pReserved;
} AUTHZ_AUDIT_QUEUE_ENTRY, *PAUTHZ_AUDIT_QUEUE_ENTRY;
|
||
|
|
||
|
//
// Enumeration type to be used to specify what type of coloring should be
// passed on to the rest of the tree starting at a given node.
// Deny gets propagated down the entire subtree as well as to all the
// ancestors (but NOT to siblings and below)
// Grants get propagated down the subtree. When a grant exists on all the
// siblings the parent automatically gets it.
// Remaining is propagated downwards. The remaining on the parent is a
// logical OR of the remaining bits on all the children.
//
// Each value names the IOBJECT_TYPE_LIST field that AuthzpAddAccessTypeList
// updates. The asymmetry is deliberate: a deny anywhere below a node must
// be visible at that node, whereas a grant reaches the parent only once
// every child has it.
//

typedef enum {
    AuthzUpdateRemaining = 1,
    AuthzUpdateCurrentGranted,
    AuthzUpdateCurrentDenied
} ACCESS_MASK_FIELD_TO_UPDATE;
|
||
|
|
||
|
//
// Enumeration type to be used to specify the kind of well known sid for context
// changes. We are not going to support these unless we get a requirement.
//
// No prototype in this header takes this type; it is a placeholder only.
//

typedef enum _AUTHZ_WELL_KNOWN_SID_TYPE
{
    AuthzWorldSid = 1,
    AuthzUserSid,
    AuthzAdminSid,
    AuthzDomainAdminSid,
    AuthzAuthenticatedUsersSid,
    AuthzSystemSid
} AUTHZ_WELL_KNOWN_SID_TYPE;
|
||
|
|
||
|
//
// Validates the arguments of an access check before any ACL is walked:
// the client context, the request, the security descriptor and optional SD
// array, the reply buffer and the optional results handle. Presumably
// returns FALSE with the last error set when something is malformed, in
// which case the caller must fail the check without evaluating anything.
// Since FirstAce/NextAce trust AceSize, this (or its caller) is where the
// SD(s) have to be validated - confirm against the definition.
//
BOOL
AuthzpVerifyAccessCheckArguments(
    IN PAUTHZI_CLIENT_CONTEXT pCC,
    IN PAUTHZ_ACCESS_REQUEST pRequest,
    IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
    IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
    IN DWORD OptionalSecurityDescriptorCount,
    IN OUT PAUTHZ_ACCESS_REPLY pReply,
    IN OUT PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults OPTIONAL
    );
|
||
|
|
||
|
BOOL
|
||
|
AuthzpVerifyOpenObjectArguments(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN PAUTHZI_AUDIT_EVENT pAuditEvent
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpCaptureObjectTypeList(
|
||
|
IN POBJECT_TYPE_LIST ObjectTypeList,
|
||
|
IN DWORD ObjectTypeLocalTypeListLength,
|
||
|
OUT PIOBJECT_TYPE_LIST *CapturedObjectTypeList,
|
||
|
OUT PIOBJECT_TYPE_LIST *CapturedCachingObjectTypeList OPTIONAL
|
||
|
);
|
||
|
|
||
|
VOID
|
||
|
AuthzpFillReplyStructure(
|
||
|
IN OUT PAUTHZ_ACCESS_REPLY pReply,
|
||
|
IN DWORD Error,
|
||
|
IN ACCESS_MASK GrantedAccess
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpMaximumAllowedAccessCheck(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL,
|
||
|
IN DWORD LocalTypeListLength,
|
||
|
IN BOOL ObjectTypeListPresent,
|
||
|
OUT PDWORD pCachingFlags
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpMaximumAllowedMultipleSDAccessCheck(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL,
|
||
|
IN DWORD LocalTypeListLength,
|
||
|
IN BOOL ObjectTypeListPresent,
|
||
|
IN BOOL Restricted,
|
||
|
OUT PDWORD pCachingFlags
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpMaximumAllowedSingleAclAccessCheck(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PSID_AND_ATTRIBUTES pSidAttr,
|
||
|
IN DWORD SidCount,
|
||
|
IN PAUTHZI_SID_HASH_ENTRY pHash,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PACL pAcl,
|
||
|
IN PSID pOwnerSid,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL,
|
||
|
IN DWORD LocalTypeListLength,
|
||
|
IN BOOL ObjectTypeListPresent,
|
||
|
OUT PDWORD pCachingFlags
|
||
|
);
|
||
|
|
||
|
|
||
|
//
// Decides whether the SID named by an ACE applies to the client. pSid is
// compared against the context's SID array (pSidAttr / SidCount, prefiltered
// through pHash), with the substitutions for the PRINCIPAL_SELF and
// CREATOR_OWNER well-known SIDs supplied by the caller. DenyAce tells the
// routine which kind of ACE is being evaluated, presumably so that
// SE_GROUP_USE_FOR_DENY_ONLY SIDs count against deny ACEs but not allow
// ACEs (see AUTHZ_VALID_SID_ATTRIBUTES). pCachingFlags receives the
// AUTHZ_*_PRESENT bits that make the outcome request-dependent.
//
BOOL
AuthzpSidApplicable(
    IN DWORD SidCount,
    IN PSID_AND_ATTRIBUTES pSidAttr,
    IN PAUTHZI_SID_HASH_ENTRY pHash,
    IN PSID pSid,
    IN PSID PrincipalSelfSid,
    IN PSID CreatorOwnerSid,
    IN BOOL DenyAce,
    OUT PDWORD pCachingFlags
    );
|
||
|
|
||
|
BOOL
|
||
|
AuthzpAccessCheckWithCaching(
|
||
|
IN DWORD Flags,
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN OUT PAUTHZ_ACCESS_REPLY pReply,
|
||
|
OUT PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults OPTIONAL,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalCachingTypeList OPTIONAL,
|
||
|
IN DWORD LocalTypeListLength
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpNormalAccessCheckWithoutCaching(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN OUT PAUTHZ_ACCESS_REPLY pReply,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN DWORD LocalTypeListLength
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpNormalMultipleSDAccessCheck(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PSID_AND_ATTRIBUTES pSidAttr,
|
||
|
IN DWORD SidCount,
|
||
|
IN PAUTHZI_SID_HASH_ENTRY pSidHash,
|
||
|
IN ACCESS_MASK Remaining,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN DWORD LocalTypeListLength
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpOwnerSidInClientContext(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PISECURITY_DESCRIPTOR pSecurityDescriptor
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpNormalAccessCheck(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PSID_AND_ATTRIBUTES pSidAttr,
|
||
|
IN DWORD SidCount,
|
||
|
IN PAUTHZI_SID_HASH_ENTRY pSidHash,
|
||
|
IN ACCESS_MASK Remaining,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PACL pAcl,
|
||
|
IN PSID pOwnerSid,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN DWORD LocalTypeListLength
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpQuickMaximumAllowedAccessCheck(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZI_HANDLE pAH,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN OUT PAUTHZ_ACCESS_REPLY pReply,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN DWORD LocalTypeListLength
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpQuickNormalAccessCheck(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZI_HANDLE pAH,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN OUT PAUTHZ_ACCESS_REPLY pReply,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN DWORD LocalTypeListLength
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpAllowOnlyNormalMultipleSDAccessCheck(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PSID_AND_ATTRIBUTES pSidAttr,
|
||
|
IN DWORD SidCount,
|
||
|
IN PAUTHZI_SID_HASH_ENTRY pSidHash,
|
||
|
IN ACCESS_MASK Remaining,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN DWORD LocalTypeListLength
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpAllowOnlyNormalSingleAclAccessCheck(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PSID_AND_ATTRIBUTES pSidAttr,
|
||
|
IN DWORD SidCount,
|
||
|
IN PAUTHZI_SID_HASH_ENTRY pSidHash,
|
||
|
IN ACCESS_MASK Remaining,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PACL pAcl,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN DWORD LocalTypeListLength
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpAllowOnlySidApplicable(
|
||
|
IN DWORD SidCount,
|
||
|
IN PSID_AND_ATTRIBUTES pSidAttr,
|
||
|
IN PAUTHZI_SID_HASH_ENTRY pSidHash,
|
||
|
IN PSID pSid
|
||
|
);
|
||
|
|
||
|
|
||
|
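//
// Propagate AccessMask into the object type list starting at StartIndex,
// updating the field selected by FieldToUpdate (see
// ACCESS_MASK_FIELD_TO_UPDATE for how each field spreads through the
// subtree and ancestors). The list is modified in place, so the parameter
// is IN OUT - this agrees with the second declaration of the same function
// further down in this header, which already said so.
//
VOID
AuthzpAddAccessTypeList (
    IN OUT PIOBJECT_TYPE_LIST ObjectTypeList,
    IN DWORD ObjectTypeListLength,
    IN DWORD StartIndex,
    IN ACCESS_MASK AccessMask,
    IN ACCESS_MASK_FIELD_TO_UPDATE FieldToUpdate
    );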
|
||
|
|
||
|
BOOL
|
||
|
AuthzpObjectInTypeList (
|
||
|
IN GUID *ObjectType,
|
||
|
IN PIOBJECT_TYPE_LIST ObjectTypeList,
|
||
|
IN DWORD ObjectTypeListLength,
|
||
|
OUT PDWORD ReturnedIndex
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpCacheResults(
|
||
|
IN DWORD Flags,
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PIOBJECT_TYPE_LIST LocalCachingTypeList,
|
||
|
IN DWORD LocalTypeListLength,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN DWORD CachingFlags,
|
||
|
IN PAUTHZ_ACCESS_CHECK_RESULTS_HANDLE phAccessCheckResults
|
||
|
);
|
||
|
|
||
|
|
||
|
BOOL
|
||
|
AuthzpVerifyCachedAccessCheckArguments(
|
||
|
IN PAUTHZI_HANDLE pAH,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN OUT PAUTHZ_ACCESS_REPLY pReply
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpAllowOnlyMaximumAllowedMultipleSDAccessCheck(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN DWORD LocalTypeListLength,
|
||
|
IN BOOL ObjectTypeListPresent,
|
||
|
IN BOOL Restricted
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpAllowOnlyMaximumAllowedSingleAclAccessCheck(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PSID_AND_ATTRIBUTES pSidAttr,
|
||
|
IN DWORD SidCount,
|
||
|
IN PAUTHZI_SID_HASH_ENTRY pSidHash,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PACL pAcl,
|
||
|
IN PSID pOwnerSid,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN DWORD LocalTypeListLength,
|
||
|
IN BOOL ObjectTypeListPresent
|
||
|
);
|
||
|
|
||
|
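//
// Recompute a parent's access state from its children after a change at
// StartIndex (presumably per ACCESS_MASK_FIELD_TO_UPDATE: the parent's
// Remaining is the OR of its children's, and a grant on every child grants
// the parent). Modifies the list in place.
//
// Redundant second declarations of AuthzpAddAccessTypeList and
// AuthzpObjectInTypeList used to surround this prototype; both functions
// are already declared earlier in this header.
//
VOID
AuthzpUpdateParentTypeList(
    IN OUT PIOBJECT_TYPE_LIST ObjectTypeList,
    IN DWORD ObjectTypeListLength,
    IN DWORD StartIndex
    );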
|
||
|
|
||
|
|
||
|
BOOL
|
||
|
AuthzpGenerateAudit(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PAUTHZI_AUDIT_EVENT pAuditEvent,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN OUT PAUTHZ_ACCESS_REPLY pReply,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpCopySidsAndAttributes(
|
||
|
IN OUT PSID_AND_ATTRIBUTES DestSidAttr,
|
||
|
IN PSID_AND_ATTRIBUTES SidAttr1,
|
||
|
IN DWORD Count1,
|
||
|
IN PSID_AND_ATTRIBUTES SidAttr2,
|
||
|
IN DWORD Count2
|
||
|
);
|
||
|
|
||
|
VOID
|
||
|
AuthzpCopyLuidAndAttributes(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PLUID_AND_ATTRIBUTES Source,
|
||
|
IN DWORD Count,
|
||
|
IN OUT PLUID_AND_ATTRIBUTES Destination
|
||
|
);
|
||
|
|
||
|
//
// Presumably the PFN_AUTHZ_DYNAMIC_ACCESS_CHECK used when the RM registers
// no callback of its own. Per the AUTHZI_RESOURCE_MANAGER notes the default
// reports a callback ACE as applicable when it is a deny ACE and not
// applicable when it is an allow ACE, so an uninterpreted callback ACE can
// only remove access. pArgs is the opaque per-request argument passed
// through from the caller of the access check.
//
BOOL
AuthzpDefaultAccessCheck(
    IN AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext,
    IN PACE_HEADER pAce,
    IN PVOID pArgs OPTIONAL,
    IN OUT PBOOL pbAceApplicable
    );
|
||
|
|
||
|
VOID
|
||
|
AuthzPrintContext(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC
|
||
|
);
|
||
|
|
||
|
VOID
|
||
|
AuthzpFillReplyFromParameters(
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN OUT PAUTHZ_ACCESS_REPLY pReply,
|
||
|
IN PIOBJECT_TYPE_LIST LocalTypeList
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpGetAllGroupsBySid(
|
||
|
IN PSID pUserSid,
|
||
|
IN DWORD Flags,
|
||
|
OUT PSID_AND_ATTRIBUTES *ppSidAttr,
|
||
|
OUT PDWORD pSidCount,
|
||
|
OUT PDWORD pSidLength
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpGetAllGroupsByName(
|
||
|
IN PUNICODE_STRING pusUserName,
|
||
|
IN PUNICODE_STRING pusDomainName,
|
||
|
IN DWORD Flags,
|
||
|
OUT PSID_AND_ATTRIBUTES *ppSidAttr,
|
||
|
OUT PDWORD pSidCount,
|
||
|
OUT PDWORD pSidLength
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpAllocateAndInitializeClientContext(
|
||
|
OUT PAUTHZI_CLIENT_CONTEXT *ppCC,
|
||
|
IN PAUTHZI_CLIENT_CONTEXT Server,
|
||
|
IN DWORD Revision,
|
||
|
IN LUID Identifier,
|
||
|
IN LARGE_INTEGER ExpirationTime,
|
||
|
IN DWORD Flags,
|
||
|
IN DWORD SidCount,
|
||
|
IN DWORD SidLength,
|
||
|
IN PSID_AND_ATTRIBUTES Sids,
|
||
|
IN DWORD RestrictedSidCount,
|
||
|
IN DWORD RestrictedSidLength,
|
||
|
IN PSID_AND_ATTRIBUTES RestrictedSids,
|
||
|
IN DWORD PrivilegeCount,
|
||
|
IN DWORD PrivilegeLength,
|
||
|
IN PLUID_AND_ATTRIBUTES Privileges,
|
||
|
IN LUID AuthenticationId,
|
||
|
IN PAUTHZI_HANDLE AuthzHandleHead,
|
||
|
IN PAUTHZI_RESOURCE_MANAGER pRM
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpAddDynamicSidsToToken(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZI_RESOURCE_MANAGER pRM,
|
||
|
IN PVOID DynamicGroupsArgs,
|
||
|
IN PSID_AND_ATTRIBUTES Sids,
|
||
|
IN DWORD SidLength,
|
||
|
IN DWORD SidCount,
|
||
|
IN PSID_AND_ATTRIBUTES RestrictedSids,
|
||
|
IN DWORD RestrictedSidLength,
|
||
|
IN DWORD RestrictedSidCount,
|
||
|
IN PLUID_AND_ATTRIBUTES Privileges,
|
||
|
IN DWORD PrivilegeLength,
|
||
|
IN DWORD PrivilegeCount,
|
||
|
IN BOOL bAllocated
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpExamineSingleSacl(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN ACCESS_MASK AccessMask,
|
||
|
IN PACL pAcl,
|
||
|
IN PSID pOwnerSid,
|
||
|
IN UCHAR AuditMaskType,
|
||
|
IN BOOL bMaximumFailed,
|
||
|
OUT PAUTHZ_ACCESS_REPLY pReply,
|
||
|
OUT PBOOL pbGenerateAudit
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpExamineSacl(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN PAUTHZ_ACCESS_REPLY pReply,
|
||
|
OUT PBOOL pbGenerateAudit
|
||
|
);
|
||
|
|
||
|
|
||
|
BOOL
|
||
|
AuthzpExamineSaclForObjectTypeList(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
IN PSECURITY_DESCRIPTOR *OptionalSecurityDescriptorArray OPTIONAL,
|
||
|
IN DWORD OptionalSecurityDescriptorCount,
|
||
|
IN OUT PAUTHZ_ACCESS_REPLY pReply,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
OUT PBOOL pbGenerateSuccessAudit,
|
||
|
OUT PBOOL pbGenerateFailureAudit
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpExamineSingleSaclForObjectTypeList(
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pCC,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PACL pAcl,
|
||
|
IN PSID pOwnerSid,
|
||
|
IN PAUTHZ_ACCESS_REPLY pReply,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
OUT PBOOL pbGenerateSuccessAudit,
|
||
|
OUT PBOOL pbGenerateFailureAudit
|
||
|
);
|
||
|
|
||
|
VOID
|
||
|
AuthzpSetAuditInfoForObjectType(
|
||
|
IN PAUTHZ_ACCESS_REPLY pReply,
|
||
|
IN OUT PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN DWORD StartIndex,
|
||
|
IN ACCESS_MASK AceAccessMask,
|
||
|
IN ACCESS_MASK DesiredAccessMask,
|
||
|
IN UCHAR AceFlags,
|
||
|
OUT PBOOL pbGenerateSuccessAudit,
|
||
|
OUT PBOOL pbGenerateFailureAudit
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpCreateAndLogAudit(
|
||
|
IN DWORD AuditTypeFlag,
|
||
|
IN PAUTHZI_CLIENT_CONTEXT pAuthzClientContext,
|
||
|
IN PAUTHZI_AUDIT_EVENT pAuditEvent,
|
||
|
IN PAUTHZI_RESOURCE_MANAGER pRM,
|
||
|
IN PIOBJECT_TYPE_LIST LocalTypeList,
|
||
|
IN PAUTHZ_ACCESS_REQUEST pRequest,
|
||
|
IN PAUTHZ_ACCESS_REPLY pReply
|
||
|
);
|
||
|
|
||
|
VOID
|
||
|
AuthzpFillReplyStructureFromCachedGrantedAccessMask(
|
||
|
IN OUT PAUTHZ_ACCESS_REPLY pReply,
|
||
|
IN ACCESS_MASK DesiredAccess,
|
||
|
IN PACCESS_MASK GrantedAccessMask
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpSendAuditToLsa(
|
||
|
IN AUDIT_HANDLE hAuditContext,
|
||
|
IN DWORD Flags,
|
||
|
IN PAUDIT_PARAMS pAuditParams,
|
||
|
IN PVOID Reserved
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpEnQueueAuditEvent(
|
||
|
PAUTHZI_AUDIT_QUEUE pQueue,
|
||
|
PAUTHZ_AUDIT_QUEUE_ENTRY pAudit
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpEnQueueAuditEventMonitor(
|
||
|
PAUTHZI_AUDIT_QUEUE pQueue,
|
||
|
PAUTHZ_AUDIT_QUEUE_ENTRY pAudit
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpMarshallAuditParams(
|
||
|
OUT PAUDIT_PARAMS * ppMarshalledAuditParams,
|
||
|
IN PAUDIT_PARAMS pAuditParams
|
||
|
);
|
||
|
|
||
|
//
// Body of the audit dequeue thread: presumably drains the AUTHZI_AUDIT_QUEUE
// passed in lpParameter and forwards entries to LSA until bWorker goes
// FALSE. NOTE(review): declared as a plain ULONG(LPVOID); check that the
// definition carries the calling convention CreateThread expects
// (LPTHREAD_START_ROUTINE is DWORD WINAPI) so that a cast at the creation
// site is not hiding a mismatch.
//
ULONG
AuthzpDeQueueThreadWorker(
    LPVOID lpParameter
    );
|
||
|
|
||
|
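//
// SID hash lookup. AuthzpInitSidHash fills a 32-entry table per context:
// entries 0..15 are indexed by the low nibble of a SID's hash byte and
// entries 16..31 by its high nibble, and bit i of an entry is presumably set
// for SID i of the context (so only the first AUTHZI_SID_HASH_ENTRY_NUM_BITS
// SIDs are covered - verify how later SIDs are handled in the lookup code).
// AUTHZ_SID_HASH_LOOKUP ANDs the two entries for a byte: a zero result means
// no context SID can match and the full compare can be skipped; a non-zero
// result is a candidate set, NOT a match.
//
// The masks are the named constants rather than repeated literals so the
// table layout is spelled out in one place. The byte argument is evaluated
// twice; do not pass an expression with side effects.
//
#define AUTHZ_SID_HASH_LOW_MASK 0xf
#define AUTHZ_SID_HASH_HIGH_MASK 0xf0
#define AUTHZ_SID_HASH_HIGH 16
#define AUTHZ_SID_HASH_LOOKUP(table, byte) \
    (((table)[(byte) & AUTHZ_SID_HASH_LOW_MASK]) & \
     ((table)[AUTHZ_SID_HASH_HIGH + (((byte) & AUTHZ_SID_HASH_HIGH_MASK) >> 4)]))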
|
||
|
|
||
|
VOID
|
||
|
AuthzpInitSidHash(
|
||
|
IN PSID_AND_ATTRIBUTES pSidAttr,
|
||
|
IN ULONG SidCount,
|
||
|
OUT PAUTHZI_SID_HASH_ENTRY pHash
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpGetThreadTokenInfo(
|
||
|
OUT PSID* pUserSid,
|
||
|
OUT PLUID pAuthenticationId
|
||
|
);
|
||
|
|
||
|
BOOL
|
||
|
AuthzpGetProcessTokenInfo(
|
||
|
OUT PSID* ppUserSid,
|
||
|
OUT PLUID pAuthenticationId
|
||
|
);
|
||
|
|
||
|
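//
// Reference counting for audit event type handles. The dereference returns
// FALSE on failure (presumably an invalid handle or a failed final
// release); either way the caller must not use the handle afterwards.
// Parameter names added so the prototypes document what is passed.
//
VOID
AuthzpReferenceAuditEventType(
    IN AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAuditEventType
    );

BOOL
AuthzpDereferenceAuditEventType(
    IN OUT AUTHZ_AUDIT_EVENT_TYPE_HANDLE hAuditEventType
    );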
|
||
|
|
||
|
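//
// Reports whether the system's "Everyone includes Anonymous" setting is in
// effect (presumably consulted when deciding whether the World SID applies
// to an anonymous client - verify against the definition). Declared with
// (VOID): the previous empty parameter list was a non-prototype declaration
// that silently accepted any arguments.
//
BOOL
AuthzpEveryoneIncludesAnonymous(
    VOID
    );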
|
||
|
|
||
|
#endif
|