driver: build security descriptor from sddl
This is a bit easier to read. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
parent
b3bf490434
commit
6154c73032
@ -96,7 +96,7 @@
|
|||||||
<PreprocessorDefinitions>NDIS_MINIPORT_DRIVER=1;NDIS620_MINIPORT=1;NDIS683_MINIPORT=1;NDIS_WDM=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>NDIS_MINIPORT_DRIVER=1;NDIS620_MINIPORT=1;NDIS683_MINIPORT=1;NDIS_WDM=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
</ResourceCompile>
|
</ResourceCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<AdditionalDependencies>ndis.lib;wdmsec.lib;ksecdd.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
<AdditionalDependencies>ndis.lib;wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
</Link>
|
</Link>
|
||||||
<DriverSign>
|
<DriverSign>
|
||||||
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
|
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
|
||||||
|
@ -45,22 +45,9 @@ NTSTATUS
|
|||||||
NTAPI
|
NTAPI
|
||||||
ZwYieldExecution(VOID);
|
ZwYieldExecution(VOID);
|
||||||
|
|
||||||
NTSYSAPI
|
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
NTAPI
|
NTAPI
|
||||||
RtlSetSaclSecurityDescriptor(
|
SeSddlSecurityDescriptorFromSDDL(
|
||||||
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
const PUNICODE_STRING SecurityDescriptorString,
|
||||||
_In_ BOOLEAN SaclPresent,
|
BOOLEAN SuppliedByDefaultMechanism,
|
||||||
_In_opt_ PACL Sacl,
|
PSECURITY_DESCRIPTOR *SecurityDescriptor);
|
||||||
_In_opt_ BOOLEAN SaclDefaulted);
|
|
||||||
|
|
||||||
NTSYSAPI
|
|
||||||
NTSTATUS
|
|
||||||
NTAPI
|
|
||||||
RtlAddMandatoryAce(
|
|
||||||
_Inout_ PACL Acl,
|
|
||||||
_In_ ULONG AceRevision,
|
|
||||||
_In_ ULONG AceFlags,
|
|
||||||
_In_ PSID Sid,
|
|
||||||
_In_ UCHAR AceType,
|
|
||||||
_In_ ULONG AccessMask);
|
|
||||||
|
@ -844,86 +844,9 @@ static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID);
|
|||||||
_Use_decl_annotations_
|
_Use_decl_annotations_
|
||||||
static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
|
static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
|
||||||
{
|
{
|
||||||
NTSTATUS Status;
|
UNICODE_STRING Sddl;
|
||||||
struct
|
RtlInitUnicodeString(&Sddl, L"O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)");
|
||||||
{
|
return SeSddlSecurityDescriptorFromSDDL(&Sddl, FALSE, &TunDispatchSecurityDescriptor);
|
||||||
SID Sid;
|
|
||||||
} LocalSystem;
|
|
||||||
struct
|
|
||||||
{
|
|
||||||
SID Sid;
|
|
||||||
ULONG ExtraAuthority;
|
|
||||||
} BuiltinAdministrators;
|
|
||||||
struct
|
|
||||||
{
|
|
||||||
SID Sid;
|
|
||||||
} HighLabel;
|
|
||||||
ULONG SidSize = sizeof(LocalSystem);
|
|
||||||
if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinLocalSystemSid, &LocalSystem.Sid, SidSize, &SidSize)))
|
|
||||||
return Status;
|
|
||||||
SidSize = sizeof(BuiltinAdministrators);
|
|
||||||
if (!NT_SUCCESS(
|
|
||||||
Status = SecLookupWellKnownSid(WinBuiltinAdministratorsSid, &BuiltinAdministrators.Sid, SidSize, &SidSize)))
|
|
||||||
return Status;
|
|
||||||
SidSize = sizeof(HighLabel);
|
|
||||||
if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinHighLabelSid, &HighLabel.Sid, SidSize, &SidSize)))
|
|
||||||
return Status;
|
|
||||||
struct
|
|
||||||
{
|
|
||||||
ACL Dacl;
|
|
||||||
ACCESS_ALLOWED_ACE Ace1;
|
|
||||||
SID Sid1;
|
|
||||||
ACCESS_ALLOWED_ACE Ace2;
|
|
||||||
SID Sid2;
|
|
||||||
} DaclStorage = { 0 };
|
|
||||||
struct
|
|
||||||
{
|
|
||||||
ACL Sacl;
|
|
||||||
SYSTEM_MANDATORY_LABEL_ACE Ace;
|
|
||||||
SID Sid;
|
|
||||||
} SaclStorage = { 0 };
|
|
||||||
if (!NT_SUCCESS(Status = RtlCreateAcl(&DaclStorage.Dacl, sizeof(DaclStorage), ACL_REVISION)))
|
|
||||||
return Status;
|
|
||||||
if (!NT_SUCCESS(Status = RtlCreateAcl(&SaclStorage.Sacl, sizeof(SaclStorage), ACL_REVISION)))
|
|
||||||
return Status;
|
|
||||||
ACCESS_MASK AccessMask = GENERIC_ALL;
|
|
||||||
RtlMapGenericMask(&AccessMask, IoGetFileObjectGenericMapping());
|
|
||||||
if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem.Sid)))
|
|
||||||
return Status;
|
|
||||||
if (!NT_SUCCESS(
|
|
||||||
Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &BuiltinAdministrators.Sid)))
|
|
||||||
return Status;
|
|
||||||
if (!NT_SUCCESS(RtlAddMandatoryAce(
|
|
||||||
&SaclStorage.Sacl,
|
|
||||||
ACL_REVISION,
|
|
||||||
0,
|
|
||||||
&HighLabel.Sid,
|
|
||||||
SYSTEM_MANDATORY_LABEL_ACE_TYPE,
|
|
||||||
SYSTEM_MANDATORY_LABEL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
|
|
||||||
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)))
|
|
||||||
return Status;
|
|
||||||
SECURITY_DESCRIPTOR SecurityDescriptor = { 0 };
|
|
||||||
if (!NT_SUCCESS(Status = RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION)))
|
|
||||||
return Status;
|
|
||||||
if (!NT_SUCCESS(Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, &DaclStorage.Dacl, FALSE)))
|
|
||||||
return Status;
|
|
||||||
if (!NT_SUCCESS(Status = RtlSetSaclSecurityDescriptor(&SecurityDescriptor, TRUE, &SaclStorage.Sacl, FALSE)))
|
|
||||||
return Status;
|
|
||||||
SecurityDescriptor.Control |= SE_DACL_PROTECTED;
|
|
||||||
ULONG RequiredBytes = 0;
|
|
||||||
Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, NULL, &RequiredBytes);
|
|
||||||
if (Status != STATUS_BUFFER_TOO_SMALL)
|
|
||||||
return NT_SUCCESS(Status) ? STATUS_INSUFFICIENT_RESOURCES : Status;
|
|
||||||
TunDispatchSecurityDescriptor = ExAllocatePoolWithTag(NonPagedPoolNx, RequiredBytes, TUN_MEMORY_TAG);
|
|
||||||
if (!TunDispatchSecurityDescriptor)
|
|
||||||
return STATUS_INSUFFICIENT_RESOURCES;
|
|
||||||
Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, TunDispatchSecurityDescriptor, &RequiredBytes);
|
|
||||||
if (!NT_SUCCESS(Status))
|
|
||||||
{
|
|
||||||
ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
|
|
||||||
return Status;
|
|
||||||
}
|
|
||||||
return STATUS_SUCCESS;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
@ -1493,7 +1416,7 @@ TunUnload(PDRIVER_OBJECT DriverObject)
|
|||||||
NdisMDeregisterMiniportDriver(NdisMiniportDriverHandle);
|
NdisMDeregisterMiniportDriver(NdisMiniportDriverHandle);
|
||||||
ExDeleteResourceLite(&TunDispatchCtxGuard);
|
ExDeleteResourceLite(&TunDispatchCtxGuard);
|
||||||
ExDeleteResourceLite(&TunDispatchDeviceListLock);
|
ExDeleteResourceLite(&TunDispatchDeviceListLock);
|
||||||
ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
|
ExFreePool(TunDispatchSecurityDescriptor);
|
||||||
}
|
}
|
||||||
|
|
||||||
DRIVER_INITIALIZE DriverEntry;
|
DRIVER_INITIALIZE DriverEntry;
|
||||||
@ -1569,6 +1492,6 @@ cleanupNotifier:
|
|||||||
cleanupResources:
|
cleanupResources:
|
||||||
ExDeleteResourceLite(&TunDispatchCtxGuard);
|
ExDeleteResourceLite(&TunDispatchCtxGuard);
|
||||||
ExDeleteResourceLite(&TunDispatchDeviceListLock);
|
ExDeleteResourceLite(&TunDispatchDeviceListLock);
|
||||||
ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
|
ExFreePool(TunDispatchSecurityDescriptor);
|
||||||
return Status;
|
return Status;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user