security.h (12898B)
1/** 2 * WinPR: Windows Portable Runtime 3 * Security Definitions 4 * 5 * Copyright 2012 Marc-Andre Moreau <marcandre.moreau@gmail.com> 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); 8 * you may not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, 15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20#ifndef WINPR_SECURITY_H 21#define WINPR_SECURITY_H 22 23#include <winpr/winpr.h> 24#include <winpr/wtypes.h> 25 26/** 27 * Windows Integrity Mechanism Design: 28 * http://msdn.microsoft.com/en-us/library/bb625963.aspx 29 */ 30 31#ifndef _WIN32 32 33#include <winpr/nt.h> 34 35#define ANYSIZE_ARRAY 1 36 37typedef enum _SECURITY_IMPERSONATION_LEVEL 38{ 39 SecurityAnonymous, 40 SecurityIdentification, 41 SecurityImpersonation, 42 SecurityDelegation 43} SECURITY_IMPERSONATION_LEVEL, 44 *PSECURITY_IMPERSONATION_LEVEL; 45 46#define SECURITY_MAX_IMPERSONATION_LEVEL SecurityDelegation 47#define SECURITY_MIN_IMPERSONATION_LEVEL SecurityAnonymous 48#define DEFAULT_IMPERSONATION_LEVEL SecurityImpersonation 49#define VALID_IMPERSONATION_LEVEL(L) \ 50 (((L) >= SECURITY_MIN_IMPERSONATION_LEVEL) && ((L) <= SECURITY_MAX_IMPERSONATION_LEVEL)) 51 52#define TOKEN_ASSIGN_PRIMARY (0x0001) 53#define TOKEN_DUPLICATE (0x0002) 54#define TOKEN_IMPERSONATE (0x0004) 55#define TOKEN_QUERY (0x0008) 56#define TOKEN_QUERY_SOURCE (0x0010) 57#define TOKEN_ADJUST_PRIVILEGES (0x0020) 58#define TOKEN_ADJUST_GROUPS (0x0040) 59#define TOKEN_ADJUST_DEFAULT (0x0080) 60#define TOKEN_ADJUST_SESSIONID (0x0100) 61 62#define TOKEN_ALL_ACCESS_P \ 63 (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | \ 64 TOKEN_QUERY | TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | \ 65 TOKEN_ADJUST_DEFAULT) 66 67#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P | TOKEN_ADJUST_SESSIONID) 68 69#define TOKEN_READ (STANDARD_RIGHTS_READ | TOKEN_QUERY) 70 71#define TOKEN_WRITE \ 72 (STANDARD_RIGHTS_WRITE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT) 73 74#define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE) 75 76#define TOKEN_MANDATORY_POLICY_OFF 0x0 77#define TOKEN_MANDATORY_POLICY_NO_WRITE_UP 0x1 78#define TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN 0x2 79 80#define TOKEN_MANDATORY_POLICY_VALID_MASK \ 81 (TOKEN_MANDATORY_POLICY_NO_WRITE_UP | TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN) 82 83#define POLICY_AUDIT_SUBCATEGORY_COUNT (56) 84 85#define TOKEN_SOURCE_LENGTH 8 86 87#define SID_REVISION (1) 88#define SID_MAX_SUB_AUTHORITIES (15) 89#define SID_RECOMMENDED_SUB_AUTHORITIES (1) 90 91#define SID_HASH_SIZE 32 92 93#define SECURITY_MANDATORY_UNTRUSTED_RID 0x0000 94#define SECURITY_MANDATORY_LOW_RID 0x1000 95#define SECURITY_MANDATORY_MEDIUM_RID 0x2000 96#define SECURITY_MANDATORY_HIGH_RID 0x3000 97#define SECURITY_MANDATORY_SYSTEM_RID 0x4000 98 99#define SECURITY_NULL_SID_AUTHORITY \ 100 { \ 101 0, 0, 0, 0, 0, 0 \ 102 } 103#define SECURITY_WORLD_SID_AUTHORITY \ 104 { \ 105 0, 0, 0, 0, 0, 1 \ 106 } 107#define SECURITY_LOCAL_SID_AUTHORITY \ 108 { \ 109 0, 0, 0, 0, 0, 2 \ 110 } 111#define SECURITY_CREATOR_SID_AUTHORITY \ 112 { \ 113 0, 0, 0, 0, 0, 3 \ 114 } 115#define SECURITY_NON_UNIQUE_AUTHORITY \ 116 { \ 117 0, 0, 0, 0, 0, 4 \ 118 } 119#define SECURITY_RESOURCE_MANAGER_AUTHORITY \ 120 { \ 121 0, 0, 0, 0, 0, 9 \ 122 } 123 124#define SECURITY_NULL_RID (0x00000000L) 125#define SECURITY_WORLD_RID (0x00000000L) 126#define SECURITY_LOCAL_RID (0x00000000L) 127#define SECURITY_LOCAL_LOGON_RID (0x00000001L) 128 129#define SECURITY_CREATOR_OWNER_RID (0x00000000L) 130#define SECURITY_CREATOR_GROUP_RID (0x00000001L) 131#define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L) 132#define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L) 133#define SECURITY_CREATOR_OWNER_RIGHTS_RID (0x00000004L) 134 135typedef PVOID PACCESS_TOKEN; 136typedef PVOID PCLAIMS_BLOB; 137 138typedef struct _LUID_AND_ATTRIBUTES 139{ 140 LUID Luid; 141 DWORD Attributes; 142} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES; 143typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY]; 144typedef LUID_AND_ATTRIBUTES_ARRAY* PLUID_AND_ATTRIBUTES_ARRAY; 145 146typedef struct _SID_IDENTIFIER_AUTHORITY 147{ 148 BYTE Value[6]; 149} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY; 150 151typedef struct _SID 152{ 153 BYTE Revision; 154 BYTE SubAuthorityCount; 155 SID_IDENTIFIER_AUTHORITY IdentifierAuthority; 156 DWORD SubAuthority[ANYSIZE_ARRAY]; 157} SID, *PISID; 158 159typedef enum _SID_NAME_USE 160{ 161 SidTypeUser = 1, 162 SidTypeGroup, 163 SidTypeDomain, 164 SidTypeAlias, 165 SidTypeWellKnownGroup, 166 SidTypeDeletedAccount, 167 SidTypeInvalid, 168 SidTypeUnknown, 169 SidTypeComputer, 170 SidTypeLabel 171} SID_NAME_USE, 172 *PSID_NAME_USE; 173 174typedef struct _SID_AND_ATTRIBUTES 175{ 176 PSID Sid; 177 DWORD Attributes; 178} SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES; 179 180typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY]; 181typedef SID_AND_ATTRIBUTES_ARRAY* PSID_AND_ATTRIBUTES_ARRAY; 182 183typedef ULONG_PTR SID_HASH_ENTRY, *PSID_HASH_ENTRY; 184 185typedef struct _SID_AND_ATTRIBUTES_HASH 186{ 187 DWORD SidCount; 188 PSID_AND_ATTRIBUTES SidAttr; 189 SID_HASH_ENTRY Hash[SID_HASH_SIZE]; 190} SID_AND_ATTRIBUTES_HASH, *PSID_AND_ATTRIBUTES_HASH; 191 192typedef enum _TOKEN_TYPE 193{ 194 TokenPrimary = 1, 195 TokenImpersonation 196} TOKEN_TYPE; 197typedef TOKEN_TYPE* PTOKEN_TYPE; 198 199typedef enum _TOKEN_ELEVATION_TYPE 200{ 201 TokenElevationTypeDefault = 1, 202 TokenElevationTypeFull, 203 TokenElevationTypeLimited 204} TOKEN_ELEVATION_TYPE, 205 *PTOKEN_ELEVATION_TYPE; 206 207typedef enum _TOKEN_INFORMATION_CLASS 208{ 209 TokenUser = 1, 210 TokenGroups, 211 TokenPrivileges, 212 TokenOwner, 213 TokenPrimaryGroup, 214 TokenDefaultDacl, 215 TokenSource, 216 TokenType, 217 TokenImpersonationLevel, 218 TokenStatistics, 219 TokenRestrictedSids, 220 TokenSessionId, 221 TokenGroupsAndPrivileges, 222 TokenSessionReference, 223 TokenSandBoxInert, 224 TokenAuditPolicy, 225 TokenOrigin, 226 TokenElevationType, 227 TokenLinkedToken, 228 TokenElevation, 229 TokenHasRestrictions, 230 TokenAccessInformation, 231 TokenVirtualizationAllowed, 232 TokenVirtualizationEnabled, 233 TokenIntegrityLevel, 234 TokenUIAccess, 235 TokenMandatoryPolicy, 236 TokenLogonSid, 237 TokenIsAppContainer, 238 TokenCapabilities, 239 TokenAppContainerSid, 240 TokenAppContainerNumber, 241 TokenUserClaimAttributes, 242 TokenDeviceClaimAttributes, 243 TokenRestrictedUserClaimAttributes, 244 TokenRestrictedDeviceClaimAttributes, 245 TokenDeviceGroups, 246 TokenRestrictedDeviceGroups, 247 TokenSecurityAttributes, 248 TokenIsRestricted, 249 MaxTokenInfoClass 250} TOKEN_INFORMATION_CLASS, 251 *PTOKEN_INFORMATION_CLASS; 252 253typedef struct _TOKEN_USER 254{ 255 SID_AND_ATTRIBUTES User; 256} TOKEN_USER, *PTOKEN_USER; 257 258typedef struct _TOKEN_GROUPS 259{ 260 DWORD GroupCount; 261 SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]; 262} TOKEN_GROUPS, *PTOKEN_GROUPS; 263 264typedef struct _TOKEN_PRIVILEGES 265{ 266 DWORD PrivilegeCount; 267 LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; 268} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES; 269 270typedef struct _TOKEN_OWNER 271{ 272 PSID Owner; 273} TOKEN_OWNER, *PTOKEN_OWNER; 274 275typedef struct _TOKEN_PRIMARY_GROUP 276{ 277 PSID PrimaryGroup; 278} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP; 279 280typedef struct _TOKEN_DEFAULT_DACL 281{ 282 PACL DefaultDacl; 283} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL; 284 285typedef struct _TOKEN_USER_CLAIMS 286{ 287 PCLAIMS_BLOB UserClaims; 288} TOKEN_USER_CLAIMS, *PTOKEN_USER_CLAIMS; 289 290typedef struct _TOKEN_DEVICE_CLAIMS 291{ 292 PCLAIMS_BLOB DeviceClaims; 293} TOKEN_DEVICE_CLAIMS, *PTOKEN_DEVICE_CLAIMS; 294 295typedef struct _TOKEN_GROUPS_AND_PRIVILEGES 296{ 297 DWORD SidCount; 298 DWORD SidLength; 299 PSID_AND_ATTRIBUTES Sids; 300 DWORD RestrictedSidCount; 301 DWORD RestrictedSidLength; 302 PSID_AND_ATTRIBUTES RestrictedSids; 303 DWORD PrivilegeCount; 304 DWORD PrivilegeLength; 305 PLUID_AND_ATTRIBUTES Privileges; 306 LUID AuthenticationId; 307} TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES; 308 309typedef struct _TOKEN_LINKED_TOKEN 310{ 311 HANDLE LinkedToken; 312} TOKEN_LINKED_TOKEN, *PTOKEN_LINKED_TOKEN; 313 314typedef struct _TOKEN_ELEVATION 315{ 316 DWORD TokenIsElevated; 317} TOKEN_ELEVATION, *PTOKEN_ELEVATION; 318 319typedef struct _TOKEN_MANDATORY_LABEL 320{ 321 SID_AND_ATTRIBUTES Label; 322} TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL; 323 324typedef struct _TOKEN_MANDATORY_POLICY 325{ 326 DWORD Policy; 327} TOKEN_MANDATORY_POLICY, *PTOKEN_MANDATORY_POLICY; 328 329typedef struct _TOKEN_ACCESS_INFORMATION 330{ 331 PSID_AND_ATTRIBUTES_HASH SidHash; 332 PSID_AND_ATTRIBUTES_HASH RestrictedSidHash; 333 PTOKEN_PRIVILEGES Privileges; 334 LUID AuthenticationId; 335 TOKEN_TYPE TokenType; 336 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; 337 TOKEN_MANDATORY_POLICY MandatoryPolicy; 338 DWORD Flags; 339 DWORD AppContainerNumber; 340 PSID PackageSid; 341 PSID_AND_ATTRIBUTES_HASH CapabilitiesHash; 342} TOKEN_ACCESS_INFORMATION, *PTOKEN_ACCESS_INFORMATION; 343 344typedef struct _TOKEN_AUDIT_POLICY 345{ 346 BYTE PerUserPolicy[((POLICY_AUDIT_SUBCATEGORY_COUNT) >> 1) + 1]; 347} TOKEN_AUDIT_POLICY, *PTOKEN_AUDIT_POLICY; 348 349typedef struct _TOKEN_SOURCE 350{ 351 CHAR SourceName[TOKEN_SOURCE_LENGTH]; 352 LUID SourceIdentifier; 353} TOKEN_SOURCE, *PTOKEN_SOURCE; 354 355typedef struct _TOKEN_STATISTICS 356{ 357 LUID TokenId; 358 LUID AuthenticationId; 359 LARGE_INTEGER ExpirationTime; 360 TOKEN_TYPE TokenType; 361 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; 362 DWORD DynamicCharged; 363 DWORD DynamicAvailable; 364 DWORD GroupCount; 365 DWORD PrivilegeCount; 366 LUID ModifiedId; 367} TOKEN_STATISTICS, *PTOKEN_STATISTICS; 368 369typedef struct _TOKEN_CONTROL 370{ 371 LUID TokenId; 372 LUID AuthenticationId; 373 LUID ModifiedId; 374 TOKEN_SOURCE TokenSource; 375} TOKEN_CONTROL, *PTOKEN_CONTROL; 376 377typedef struct _TOKEN_ORIGIN 378{ 379 LUID OriginatingLogonSession; 380} TOKEN_ORIGIN, *PTOKEN_ORIGIN; 381 382typedef enum _MANDATORY_LEVEL 383{ 384 MandatoryLevelUntrusted = 0, 385 MandatoryLevelLow, 386 MandatoryLevelMedium, 387 MandatoryLevelHigh, 388 MandatoryLevelSystem, 389 MandatoryLevelSecureProcess, 390 MandatoryLevelCount 391} MANDATORY_LEVEL, 392 *PMANDATORY_LEVEL; 393 394typedef struct _TOKEN_APPCONTAINER_INFORMATION 395{ 396 PSID TokenAppContainer; 397} TOKEN_APPCONTAINER_INFORMATION, *PTOKEN_APPCONTAINER_INFORMATION; 398 399#ifdef __cplusplus 400extern "C" 401{ 402#endif 403 404 WINPR_API BOOL InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, 405 DWORD dwRevision); 406 WINPR_API DWORD GetSecurityDescriptorLength(PSECURITY_DESCRIPTOR pSecurityDescriptor); 407 WINPR_API BOOL IsValidSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor); 408 409 WINPR_API BOOL GetSecurityDescriptorControl(PSECURITY_DESCRIPTOR pSecurityDescriptor, 410 PSECURITY_DESCRIPTOR_CONTROL pControl, 411 LPDWORD lpdwRevision); 412 WINPR_API BOOL SetSecurityDescriptorControl(PSECURITY_DESCRIPTOR pSecurityDescriptor, 413 SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest, 414 SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet); 415 416 WINPR_API BOOL GetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, 417 LPBOOL lpbDaclPresent, PACL* pDacl, 418 LPBOOL lpbDaclDefaulted); 419 WINPR_API BOOL SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, 420 BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted); 421 422 WINPR_API BOOL GetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor, 423 PSID* pGroup, LPBOOL lpbGroupDefaulted); 424 WINPR_API BOOL SetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pGroup, 425 BOOL bGroupDefaulted); 426 427 WINPR_API BOOL GetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor, 428 PSID* pOwner, LPBOOL lpbOwnerDefaulted); 429 WINPR_API BOOL SetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pOwner, 430 BOOL bOwnerDefaulted); 431 432 WINPR_API DWORD GetSecurityDescriptorRMControl(PSECURITY_DESCRIPTOR SecurityDescriptor, 433 PUCHAR RMControl); 434 WINPR_API DWORD SetSecurityDescriptorRMControl(PSECURITY_DESCRIPTOR SecurityDescriptor, 435 PUCHAR RMControl); 436 437 WINPR_API BOOL GetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, 438 LPBOOL lpbSaclPresent, PACL* pSacl, 439 LPBOOL lpbSaclDefaulted); 440 WINPR_API BOOL SetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, 441 BOOL bSaclPresent, PACL pSacl, BOOL bSaclDefaulted); 442 443#ifdef __cplusplus 444} 445#endif 446 447#endif 448 449#endif /* WINPR_SECURITY_H */