driver: build security descriptor from sddl
This is a bit easier to read. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
Jason A. Donenfeld
parent
b3bf490434
commit
6154c73032
@ -96,7 +96,7 @@
|
||||
<PreprocessorDefinitions>NDIS_MINIPORT_DRIVER=1;NDIS620_MINIPORT=1;NDIS683_MINIPORT=1;NDIS_WDM=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>ndis.lib;wdmsec.lib;ksecdd.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>ndis.lib;wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
</Link>
|
||||
<DriverSign>
|
||||
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
|
||||
|
||||
@ -45,22 +45,9 @@ NTSTATUS
|
||||
NTAPI
|
||||
ZwYieldExecution(VOID);
|
||||
|
||||
NTSYSAPI
|
||||
NTSTATUS
|
||||
NTAPI
|
||||
RtlSetSaclSecurityDescriptor(
|
||||
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||||
_In_ BOOLEAN SaclPresent,
|
||||
_In_opt_ PACL Sacl,
|
||||
_In_opt_ BOOLEAN SaclDefaulted);
|
||||
|
||||
NTSYSAPI
|
||||
NTSTATUS
|
||||
NTAPI
|
||||
RtlAddMandatoryAce(
|
||||
_Inout_ PACL Acl,
|
||||
_In_ ULONG AceRevision,
|
||||
_In_ ULONG AceFlags,
|
||||
_In_ PSID Sid,
|
||||
_In_ UCHAR AceType,
|
||||
_In_ ULONG AccessMask);
|
||||
SeSddlSecurityDescriptorFromSDDL(
|
||||
const PUNICODE_STRING SecurityDescriptorString,
|
||||
BOOLEAN SuppliedByDefaultMechanism,
|
||||
PSECURITY_DESCRIPTOR *SecurityDescriptor);
|
||||
|
||||
@ -844,86 +844,9 @@ static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID);
|
||||
_Use_decl_annotations_
|
||||
static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
|
||||
{
|
||||
NTSTATUS Status;
|
||||
struct
|
||||
{
|
||||
SID Sid;
|
||||
} LocalSystem;
|
||||
struct
|
||||
{
|
||||
SID Sid;
|
||||
ULONG ExtraAuthority;
|
||||
} BuiltinAdministrators;
|
||||
struct
|
||||
{
|
||||
SID Sid;
|
||||
} HighLabel;
|
||||
ULONG SidSize = sizeof(LocalSystem);
|
||||
if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinLocalSystemSid, &LocalSystem.Sid, SidSize, &SidSize)))
|
||||
return Status;
|
||||
SidSize = sizeof(BuiltinAdministrators);
|
||||
if (!NT_SUCCESS(
|
||||
Status = SecLookupWellKnownSid(WinBuiltinAdministratorsSid, &BuiltinAdministrators.Sid, SidSize, &SidSize)))
|
||||
return Status;
|
||||
SidSize = sizeof(HighLabel);
|
||||
if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinHighLabelSid, &HighLabel.Sid, SidSize, &SidSize)))
|
||||
return Status;
|
||||
struct
|
||||
{
|
||||
ACL Dacl;
|
||||
ACCESS_ALLOWED_ACE Ace1;
|
||||
SID Sid1;
|
||||
ACCESS_ALLOWED_ACE Ace2;
|
||||
SID Sid2;
|
||||
} DaclStorage = { 0 };
|
||||
struct
|
||||
{
|
||||
ACL Sacl;
|
||||
SYSTEM_MANDATORY_LABEL_ACE Ace;
|
||||
SID Sid;
|
||||
} SaclStorage = { 0 };
|
||||
if (!NT_SUCCESS(Status = RtlCreateAcl(&DaclStorage.Dacl, sizeof(DaclStorage), ACL_REVISION)))
|
||||
return Status;
|
||||
if (!NT_SUCCESS(Status = RtlCreateAcl(&SaclStorage.Sacl, sizeof(SaclStorage), ACL_REVISION)))
|
||||
return Status;
|
||||
ACCESS_MASK AccessMask = GENERIC_ALL;
|
||||
RtlMapGenericMask(&AccessMask, IoGetFileObjectGenericMapping());
|
||||
if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem.Sid)))
|
||||
return Status;
|
||||
if (!NT_SUCCESS(
|
||||
Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &BuiltinAdministrators.Sid)))
|
||||
return Status;
|
||||
if (!NT_SUCCESS(RtlAddMandatoryAce(
|
||||
&SaclStorage.Sacl,
|
||||
ACL_REVISION,
|
||||
0,
|
||||
&HighLabel.Sid,
|
||||
SYSTEM_MANDATORY_LABEL_ACE_TYPE,
|
||||
SYSTEM_MANDATORY_LABEL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
|
||||
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)))
|
||||
return Status;
|
||||
SECURITY_DESCRIPTOR SecurityDescriptor = { 0 };
|
||||
if (!NT_SUCCESS(Status = RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION)))
|
||||
return Status;
|
||||
if (!NT_SUCCESS(Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, &DaclStorage.Dacl, FALSE)))
|
||||
return Status;
|
||||
if (!NT_SUCCESS(Status = RtlSetSaclSecurityDescriptor(&SecurityDescriptor, TRUE, &SaclStorage.Sacl, FALSE)))
|
||||
return Status;
|
||||
SecurityDescriptor.Control |= SE_DACL_PROTECTED;
|
||||
ULONG RequiredBytes = 0;
|
||||
Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, NULL, &RequiredBytes);
|
||||
if (Status != STATUS_BUFFER_TOO_SMALL)
|
||||
return NT_SUCCESS(Status) ? STATUS_INSUFFICIENT_RESOURCES : Status;
|
||||
TunDispatchSecurityDescriptor = ExAllocatePoolWithTag(NonPagedPoolNx, RequiredBytes, TUN_MEMORY_TAG);
|
||||
if (!TunDispatchSecurityDescriptor)
|
||||
return STATUS_INSUFFICIENT_RESOURCES;
|
||||
Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, TunDispatchSecurityDescriptor, &RequiredBytes);
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
|
||||
return Status;
|
||||
}
|
||||
return STATUS_SUCCESS;
|
||||
UNICODE_STRING Sddl;
|
||||
RtlInitUnicodeString(&Sddl, L"O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)");
|
||||
return SeSddlSecurityDescriptorFromSDDL(&Sddl, FALSE, &TunDispatchSecurityDescriptor);
|
||||
}
|
||||
|
||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||
@ -1493,7 +1416,7 @@ TunUnload(PDRIVER_OBJECT DriverObject)
|
||||
NdisMDeregisterMiniportDriver(NdisMiniportDriverHandle);
|
||||
ExDeleteResourceLite(&TunDispatchCtxGuard);
|
||||
ExDeleteResourceLite(&TunDispatchDeviceListLock);
|
||||
ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
|
||||
ExFreePool(TunDispatchSecurityDescriptor);
|
||||
}
|
||||
|
||||
DRIVER_INITIALIZE DriverEntry;
|
||||
@ -1569,6 +1492,6 @@ cleanupNotifier:
|
||||
cleanupResources:
|
||||
ExDeleteResourceLite(&TunDispatchCtxGuard);
|
||||
ExDeleteResourceLite(&TunDispatchDeviceListLock);
|
||||
ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
|
||||
ExFreePool(TunDispatchSecurityDescriptor);
|
||||
return Status;
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user