huwcampbell.com
Reactos
1/*++ NDK Version: 0098
2
3Copyright (c) Alex Ionescu. All rights reserved.
4
5Header Name:
6
7 setypes.h
8
9Abstract:
10
11 Type definitions for the security manager.
12
13Author:
14
15 Alex Ionescu (alexi@tinykrnl.org) - Updated - 27-Feb-2006
16
17--*/
18
19#ifndef _SETYPES_H
20#define _SETYPES_H
21
22//
23// Dependencies
24//
25#include <umtypes.h>
26
27//
28// Well Known SIDs
29//
30#define SECURITY_INTERNETSITE_AUTHORITY {0,0,0,0,0,7}
31
32#ifdef NTOS_MODE_USER
33//
34// Privilege constants
35//
36#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
37#define SE_CREATE_TOKEN_PRIVILEGE (2L)
38#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
39#define SE_LOCK_MEMORY_PRIVILEGE (4L)
40#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
41#define SE_UNSOLICITED_INPUT_PRIVILEGE (6L)
42#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
43#define SE_TCB_PRIVILEGE (7L)
44#define SE_SECURITY_PRIVILEGE (8L)
45#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
46#define SE_LOAD_DRIVER_PRIVILEGE (10L)
47#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
48#define SE_SYSTEMTIME_PRIVILEGE (12L)
49#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
50#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
51#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
52#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
53#define SE_BACKUP_PRIVILEGE (17L)
54#define SE_RESTORE_PRIVILEGE (18L)
55#define SE_SHUTDOWN_PRIVILEGE (19L)
56#define SE_DEBUG_PRIVILEGE (20L)
57#define SE_AUDIT_PRIVILEGE (21L)
58#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
59#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
60#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
61#define SE_UNDOCK_PRIVILEGE (25L)
62#define SE_SYNC_AGENT_PRIVILEGE (26L)
63#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
64#define SE_MANAGE_VOLUME_PRIVILEGE (28L)
65#define SE_IMPERSONATE_PRIVILEGE (29L)
66#define SE_CREATE_GLOBAL_PRIVILEGE (30L)
67#define SE_MAX_WELL_KNOWN_PRIVILEGE (SE_CREATE_GLOBAL_PRIVILEGE)
68
69typedef struct _TOKEN_MANDATORY_POLICY {
70 ULONG Policy;
71} TOKEN_MANDATORY_POLICY, *PTOKEN_MANDATORY_POLICY;
72
73typedef struct _TOKEN_ACCESS_INFORMATION
74{
75 struct _SID_AND_ATTRIBUTES_HASH *SidHash;
76 struct _SID_AND_ATTRIBUTES_HASH *RestrictedSidHash;
77 struct _TOKEN_PRIVILEGES *Privileges;
78 LUID AuthenticationId;
79 TOKEN_TYPE TokenType;
80 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
81 TOKEN_MANDATORY_POLICY MandatoryPolicy;
82 ULONG Flags;
83} TOKEN_ACCESS_INFORMATION, *PTOKEN_ACCESS_INFORMATION;
84
85#else
86
87//
88// User and Group-related SID Attributes
89//
90#define SE_GROUP_MANDATORY 0x00000001
91#define SE_GROUP_ENABLED_BY_DEFAULT 0x00000002
92#define SE_GROUP_ENABLED 0x00000004
93#define SE_GROUP_OWNER 0x00000008
94#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010
95#define SE_GROUP_INTEGRITY 0x00000020
96#define SE_GROUP_INTEGRITY_ENABLED 0x00000040
97#define SE_GROUP_RESOURCE 0x20000000
98#define SE_GROUP_LOGON_ID 0xC0000000
99
100#define SE_GROUP_VALID_ATTRIBUTES \
101 (SE_GROUP_MANDATORY | \
102 SE_GROUP_ENABLED_BY_DEFAULT | \
103 SE_GROUP_ENABLED | \
104 SE_GROUP_OWNER | \
105 SE_GROUP_USE_FOR_DENY_ONLY | \
106 SE_GROUP_LOGON_ID | \
107 SE_GROUP_RESOURCE | \
108 SE_GROUP_INTEGRITY | \
109 SE_GROUP_INTEGRITY_ENABLED)
110
111//
112// Privilege token filtering flags
113//
114#define DISABLE_MAX_PRIVILEGE 0x1
115#define SANDBOX_INERT 0x2
116#if (NTDDI_VERSION >= NTDDI_LONGHORN)
117#define LUA_TOKEN 0x4
118#define WRITE_RESTRICTED 0x8
119#endif
120
121//
122// Proxy Class enumeration
123//
124typedef enum _PROXY_CLASS
125{
126 ProxyFull = 0,
127 ProxyService,
128 ProxyTree,
129 ProxyDirectory
130} PROXY_CLASS;
131
132//
133// Audit and Policy Structures
134//
135typedef struct _SEP_AUDIT_POLICY_CATEGORIES
136{
137 UCHAR System:4;
138 UCHAR Logon:4;
139 UCHAR ObjectAccess:4;
140 UCHAR PrivilegeUse:4;
141 UCHAR DetailedTracking:4;
142 UCHAR PolicyChange:4;
143 UCHAR AccountManagement:4;
144 UCHAR DirectoryServiceAccess:4;
145 UCHAR AccountLogon:4;
146} SEP_AUDIT_POLICY_CATEGORIES, *PSEP_AUDIT_POLICY_CATEGORIES;
147
148typedef struct _SEP_AUDIT_POLICY_OVERLAY
149{
150 ULONGLONG PolicyBits:36;
151 ULONGLONG SetBit:1;
152} SEP_AUDIT_POLICY_OVERLAY, *PSEP_AUDIT_POLICY_OVERLAY;
153
154typedef struct _SEP_AUDIT_POLICY
155{
156 union
157 {
158 SEP_AUDIT_POLICY_CATEGORIES PolicyElements;
159 SEP_AUDIT_POLICY_OVERLAY PolicyOverlay;
160 ULONGLONG Overlay;
161 };
162} SEP_AUDIT_POLICY, *PSEP_AUDIT_POLICY;
163
164//
165// Security Logon Session References
166//
167typedef struct _SEP_LOGON_SESSION_REFERENCES
168{
169 struct _SEP_LOGON_SESSION_REFERENCES *Next;
170 LUID LogonId;
171 ULONG ReferenceCount;
172 ULONG Flags;
173 PDEVICE_MAP pDeviceMap;
174 LIST_ENTRY TokenList;
175} SEP_LOGON_SESSION_REFERENCES, *PSEP_LOGON_SESSION_REFERENCES;
176
177typedef struct _SE_AUDIT_PROCESS_CREATION_INFO
178{
179 POBJECT_NAME_INFORMATION ImageFileName;
180} SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO;
181
182//
183// Token Audit Data
184//
185typedef struct _SECURITY_TOKEN_AUDIT_DATA
186{
187 ULONG Length;
188 ULONG GrantMask;
189 ULONG DenyMask;
190} SECURITY_TOKEN_AUDIT_DATA, *PSECURITY_TOKEN_AUDIT_DATA;
191
192//
193// Token Proxy Data
194//
195typedef struct _SECURITY_TOKEN_PROXY_DATA
196{
197 ULONG Length;
198 PROXY_CLASS ProxyClass;
199 UNICODE_STRING PathInfo;
200 ULONG ContainerMask;
201 ULONG ObjectMask;
202} SECURITY_TOKEN_PROXY_DATA, *PSECURITY_TOKEN_PROXY_DATA;
203
204//
205// Token and auxiliary data
206//
207// ===================!!!IMPORTANT NOTE!!!=====================
208// ImageFileName, ProcessCid, ThreadCid and CreateMethod field
209// names are taken from Windows Server 2003 SP2 checked build
210// WinDBG debug extensions command purposes (such as !logonsession
211// command respectively). As such names are hardcoded, we have
212// to be compatible with them. THESE FIELD NAMES MUST NOT BE
213// CHANGED!!!
214// ============================================================
215typedef struct _TOKEN
216{
217 TOKEN_SOURCE TokenSource; /* 0x00 */
218 LUID TokenId; /* 0x10 */
219 LUID AuthenticationId; /* 0x18 */
220 LUID ParentTokenId; /* 0x20 */
221 LARGE_INTEGER ExpirationTime; /* 0x28 */
222 PERESOURCE TokenLock; /* 0x30 */
223 SEP_AUDIT_POLICY AuditPolicy; /* 0x38 */
224 LUID ModifiedId; /* 0x40 */
225 ULONG SessionId; /* 0x48 */
226 ULONG UserAndGroupCount; /* 0x4C */
227 ULONG RestrictedSidCount; /* 0x50 */
228 ULONG PrivilegeCount; /* 0x54 */
229 ULONG VariableLength; /* 0x58 */
230 ULONG DynamicCharged; /* 0x5C */
231 ULONG DynamicAvailable; /* 0x60 */
232 ULONG DefaultOwnerIndex; /* 0x64 */
233 PSID_AND_ATTRIBUTES UserAndGroups; /* 0x68 */
234 PSID_AND_ATTRIBUTES RestrictedSids; /* 0x6C */
235 PSID PrimaryGroup; /* 0x70 */
236 PLUID_AND_ATTRIBUTES Privileges; /* 0x74 */
237 PULONG DynamicPart; /* 0x78 */
238 PACL DefaultDacl; /* 0x7C */
239 TOKEN_TYPE TokenType; /* 0x80 */
240 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; /* 0x84 */
241 ULONG TokenFlags; /* 0x88 */
242 BOOLEAN TokenInUse; /* 0x8C */
243 PSECURITY_TOKEN_PROXY_DATA ProxyData; /* 0x90 */
244 PSECURITY_TOKEN_AUDIT_DATA AuditData; /* 0x94 */
245 PSEP_LOGON_SESSION_REFERENCES LogonSession; /* 0x98 */
246 LUID OriginatingLogonSession; /* 0x9C */
247#if DBG
248 UCHAR ImageFileName[16]; /* 0xA4 */
249 HANDLE ProcessCid; /* 0xB4 */
250 HANDLE ThreadCid; /* 0xB8 */
251 ULONG CreateMethod; /* 0xBC */
252#endif
253 ULONG VariablePart; /* 0xC0 */
254} TOKEN, *PTOKEN;
255
256typedef struct _AUX_ACCESS_DATA
257{
258 PPRIVILEGE_SET PrivilegesUsed;
259 GENERIC_MAPPING GenericMapping;
260 ACCESS_MASK AccessesToAudit;
261 ACCESS_MASK MaximumAuditMask;
262#if (NTDDI_VERSION >= NTDDI_LONGHORN)
263 GUID TransactionId;
264#endif
265#if (NTDDI_VERSION >= NTDDI_WIN7)
266 PVOID NewSecurityDescriptor;
267 PVOID ExistingSecurityDescriptor;
268 PVOID ParentSecurityDescriptor;
269 VOID (NTAPI *DerefSecurityDescriptor)(PVOID, PVOID);
270 PVOID SDLock;
271 ACCESS_REASONS AccessReasons;
272#endif
273#if (NTDDI_VERSION >= NTDDI_WIN8)
274 BOOLEAN GenerateStagingEvents;
275#endif
276} AUX_ACCESS_DATA, *PAUX_ACCESS_DATA;
277
278//
279// External SRM Data
280//
281extern PACL NTSYSAPI SePublicDefaultDacl;
282extern PACL NTSYSAPI SeSystemDefaultDacl;
283
284#endif
285#endif