/** * WinPR: Windows Portable Runtime * Security Definitions * * Copyright 2012 Marc-Andre Moreau * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #ifndef WINPR_SECURITY_H #define WINPR_SECURITY_H #include #include /** * Windows Integrity Mechanism Design: * http://msdn.microsoft.com/en-us/library/bb625963.aspx */ #ifndef _WIN32 #include #define ANYSIZE_ARRAY 1 typedef enum _SECURITY_IMPERSONATION_LEVEL { SecurityAnonymous, SecurityIdentification, SecurityImpersonation, SecurityDelegation } SECURITY_IMPERSONATION_LEVEL, *PSECURITY_IMPERSONATION_LEVEL; #define SECURITY_MAX_IMPERSONATION_LEVEL SecurityDelegation #define SECURITY_MIN_IMPERSONATION_LEVEL SecurityAnonymous #define DEFAULT_IMPERSONATION_LEVEL SecurityImpersonation #define VALID_IMPERSONATION_LEVEL(L) \ (((L) >= SECURITY_MIN_IMPERSONATION_LEVEL) && ((L) <= SECURITY_MAX_IMPERSONATION_LEVEL)) #define TOKEN_ASSIGN_PRIMARY (0x0001) #define TOKEN_DUPLICATE (0x0002) #define TOKEN_IMPERSONATE (0x0004) #define TOKEN_QUERY (0x0008) #define TOKEN_QUERY_SOURCE (0x0010) #define TOKEN_ADJUST_PRIVILEGES (0x0020) #define TOKEN_ADJUST_GROUPS (0x0040) #define TOKEN_ADJUST_DEFAULT (0x0080) #define TOKEN_ADJUST_SESSIONID (0x0100) #define TOKEN_ALL_ACCESS_P \ (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | \ TOKEN_QUERY | TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | \ TOKEN_ADJUST_DEFAULT) #define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P | TOKEN_ADJUST_SESSIONID) #define TOKEN_READ (STANDARD_RIGHTS_READ | TOKEN_QUERY) #define TOKEN_WRITE \ (STANDARD_RIGHTS_WRITE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT) #define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE) #define TOKEN_MANDATORY_POLICY_OFF 0x0 #define TOKEN_MANDATORY_POLICY_NO_WRITE_UP 0x1 #define TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN 0x2 #define TOKEN_MANDATORY_POLICY_VALID_MASK \ (TOKEN_MANDATORY_POLICY_NO_WRITE_UP | TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN) #define POLICY_AUDIT_SUBCATEGORY_COUNT (56) #define TOKEN_SOURCE_LENGTH 8 #define SID_REVISION (1) #define SID_MAX_SUB_AUTHORITIES (15) #define SID_RECOMMENDED_SUB_AUTHORITIES (1) #define SID_HASH_SIZE 32 #define SECURITY_MANDATORY_UNTRUSTED_RID 0x0000 #define SECURITY_MANDATORY_LOW_RID 0x1000 #define SECURITY_MANDATORY_MEDIUM_RID 0x2000 #define SECURITY_MANDATORY_HIGH_RID 0x3000 #define SECURITY_MANDATORY_SYSTEM_RID 0x4000 #define SECURITY_NULL_SID_AUTHORITY \ { \ 0, 0, 0, 0, 0, 0 \ } #define SECURITY_WORLD_SID_AUTHORITY \ { \ 0, 0, 0, 0, 0, 1 \ } #define SECURITY_LOCAL_SID_AUTHORITY \ { \ 0, 0, 0, 0, 0, 2 \ } #define SECURITY_CREATOR_SID_AUTHORITY \ { \ 0, 0, 0, 0, 0, 3 \ } #define SECURITY_NON_UNIQUE_AUTHORITY \ { \ 0, 0, 0, 0, 0, 4 \ } #define SECURITY_RESOURCE_MANAGER_AUTHORITY \ { \ 0, 0, 0, 0, 0, 9 \ } #define SECURITY_NULL_RID (0x00000000L) #define SECURITY_WORLD_RID (0x00000000L) #define SECURITY_LOCAL_RID (0x00000000L) #define SECURITY_LOCAL_LOGON_RID (0x00000001L) #define SECURITY_CREATOR_OWNER_RID (0x00000000L) #define SECURITY_CREATOR_GROUP_RID (0x00000001L) #define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L) #define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L) #define SECURITY_CREATOR_OWNER_RIGHTS_RID (0x00000004L) typedef PVOID PACCESS_TOKEN; typedef PVOID PCLAIMS_BLOB; typedef struct _LUID_AND_ATTRIBUTES { LUID Luid; DWORD Attributes; } LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES; typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY]; typedef LUID_AND_ATTRIBUTES_ARRAY* PLUID_AND_ATTRIBUTES_ARRAY; typedef struct _SID_IDENTIFIER_AUTHORITY { BYTE Value[6]; } SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY; typedef struct _SID { BYTE Revision; BYTE SubAuthorityCount; SID_IDENTIFIER_AUTHORITY IdentifierAuthority; DWORD SubAuthority[ANYSIZE_ARRAY]; } SID, *PISID; typedef enum _SID_NAME_USE { SidTypeUser = 1, SidTypeGroup, SidTypeDomain, SidTypeAlias, SidTypeWellKnownGroup, SidTypeDeletedAccount, SidTypeInvalid, SidTypeUnknown, SidTypeComputer, SidTypeLabel } SID_NAME_USE, *PSID_NAME_USE; typedef struct _SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes; } SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES; typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY]; typedef SID_AND_ATTRIBUTES_ARRAY* PSID_AND_ATTRIBUTES_ARRAY; typedef ULONG_PTR SID_HASH_ENTRY, *PSID_HASH_ENTRY; typedef struct _SID_AND_ATTRIBUTES_HASH { DWORD SidCount; PSID_AND_ATTRIBUTES SidAttr; SID_HASH_ENTRY Hash[SID_HASH_SIZE]; } SID_AND_ATTRIBUTES_HASH, *PSID_AND_ATTRIBUTES_HASH; typedef enum _TOKEN_TYPE { TokenPrimary = 1, TokenImpersonation } TOKEN_TYPE; typedef TOKEN_TYPE* PTOKEN_TYPE; typedef enum _TOKEN_ELEVATION_TYPE { TokenElevationTypeDefault = 1, TokenElevationTypeFull, TokenElevationTypeLimited } TOKEN_ELEVATION_TYPE, *PTOKEN_ELEVATION_TYPE; typedef enum _TOKEN_INFORMATION_CLASS { TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation, TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled, TokenIntegrityLevel, TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid, TokenIsAppContainer, TokenCapabilities, TokenAppContainerSid, TokenAppContainerNumber, TokenUserClaimAttributes, TokenDeviceClaimAttributes, TokenRestrictedUserClaimAttributes, TokenRestrictedDeviceClaimAttributes, TokenDeviceGroups, TokenRestrictedDeviceGroups, TokenSecurityAttributes, TokenIsRestricted, MaxTokenInfoClass } TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS; typedef struct _TOKEN_USER { SID_AND_ATTRIBUTES User; } TOKEN_USER, *PTOKEN_USER; typedef struct _TOKEN_GROUPS { DWORD GroupCount; SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]; } TOKEN_GROUPS, *PTOKEN_GROUPS; typedef struct _TOKEN_PRIVILEGES { DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; } TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES; typedef struct _TOKEN_OWNER { PSID Owner; } TOKEN_OWNER, *PTOKEN_OWNER; typedef struct _TOKEN_PRIMARY_GROUP { PSID PrimaryGroup; } TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP; typedef struct _TOKEN_DEFAULT_DACL { PACL DefaultDacl; } TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL; typedef struct _TOKEN_USER_CLAIMS { PCLAIMS_BLOB UserClaims; } TOKEN_USER_CLAIMS, *PTOKEN_USER_CLAIMS; typedef struct _TOKEN_DEVICE_CLAIMS { PCLAIMS_BLOB DeviceClaims; } TOKEN_DEVICE_CLAIMS, *PTOKEN_DEVICE_CLAIMS; typedef struct _TOKEN_GROUPS_AND_PRIVILEGES { DWORD SidCount; DWORD SidLength; PSID_AND_ATTRIBUTES Sids; DWORD RestrictedSidCount; DWORD RestrictedSidLength; PSID_AND_ATTRIBUTES RestrictedSids; DWORD PrivilegeCount; DWORD PrivilegeLength; PLUID_AND_ATTRIBUTES Privileges; LUID AuthenticationId; } TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES; typedef struct _TOKEN_LINKED_TOKEN { HANDLE LinkedToken; } TOKEN_LINKED_TOKEN, *PTOKEN_LINKED_TOKEN; typedef struct _TOKEN_ELEVATION { DWORD TokenIsElevated; } TOKEN_ELEVATION, *PTOKEN_ELEVATION; typedef struct _TOKEN_MANDATORY_LABEL { SID_AND_ATTRIBUTES Label; } TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL; typedef struct _TOKEN_MANDATORY_POLICY { DWORD Policy; } TOKEN_MANDATORY_POLICY, *PTOKEN_MANDATORY_POLICY; typedef struct _TOKEN_ACCESS_INFORMATION { PSID_AND_ATTRIBUTES_HASH SidHash; PSID_AND_ATTRIBUTES_HASH RestrictedSidHash; PTOKEN_PRIVILEGES Privileges; LUID AuthenticationId; TOKEN_TYPE TokenType; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; TOKEN_MANDATORY_POLICY MandatoryPolicy; DWORD Flags; DWORD AppContainerNumber; PSID PackageSid; PSID_AND_ATTRIBUTES_HASH CapabilitiesHash; } TOKEN_ACCESS_INFORMATION, *PTOKEN_ACCESS_INFORMATION; typedef struct _TOKEN_AUDIT_POLICY { BYTE PerUserPolicy[((POLICY_AUDIT_SUBCATEGORY_COUNT) >> 1) + 1]; } TOKEN_AUDIT_POLICY, *PTOKEN_AUDIT_POLICY; typedef struct _TOKEN_SOURCE { CHAR SourceName[TOKEN_SOURCE_LENGTH]; LUID SourceIdentifier; } TOKEN_SOURCE, *PTOKEN_SOURCE; typedef struct _TOKEN_STATISTICS { LUID TokenId; LUID AuthenticationId; LARGE_INTEGER ExpirationTime; TOKEN_TYPE TokenType; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; DWORD DynamicCharged; DWORD DynamicAvailable; DWORD GroupCount; DWORD PrivilegeCount; LUID ModifiedId; } TOKEN_STATISTICS, *PTOKEN_STATISTICS; typedef struct _TOKEN_CONTROL { LUID TokenId; LUID AuthenticationId; LUID ModifiedId; TOKEN_SOURCE TokenSource; } TOKEN_CONTROL, *PTOKEN_CONTROL; typedef struct _TOKEN_ORIGIN { LUID OriginatingLogonSession; } TOKEN_ORIGIN, *PTOKEN_ORIGIN; typedef enum _MANDATORY_LEVEL { MandatoryLevelUntrusted = 0, MandatoryLevelLow, MandatoryLevelMedium, MandatoryLevelHigh, MandatoryLevelSystem, MandatoryLevelSecureProcess, MandatoryLevelCount } MANDATORY_LEVEL, *PMANDATORY_LEVEL; typedef struct _TOKEN_APPCONTAINER_INFORMATION { PSID TokenAppContainer; } TOKEN_APPCONTAINER_INFORMATION, *PTOKEN_APPCONTAINER_INFORMATION; #ifdef __cplusplus extern "C" { #endif WINPR_API BOOL InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision); WINPR_API DWORD GetSecurityDescriptorLength(PSECURITY_DESCRIPTOR pSecurityDescriptor); WINPR_API BOOL IsValidSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor); WINPR_API BOOL GetSecurityDescriptorControl(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSECURITY_DESCRIPTOR_CONTROL pControl, LPDWORD lpdwRevision); WINPR_API BOOL SetSecurityDescriptorControl(PSECURITY_DESCRIPTOR pSecurityDescriptor, SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest, SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet); WINPR_API BOOL GetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, LPBOOL lpbDaclPresent, PACL* pDacl, LPBOOL lpbDaclDefaulted); WINPR_API BOOL SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted); WINPR_API BOOL GetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID* pGroup, LPBOOL lpbGroupDefaulted); WINPR_API BOOL SetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pGroup, BOOL bGroupDefaulted); WINPR_API BOOL GetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID* pOwner, LPBOOL lpbOwnerDefaulted); WINPR_API BOOL SetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pOwner, BOOL bOwnerDefaulted); WINPR_API DWORD GetSecurityDescriptorRMControl(PSECURITY_DESCRIPTOR SecurityDescriptor, PUCHAR RMControl); WINPR_API DWORD SetSecurityDescriptorRMControl(PSECURITY_DESCRIPTOR SecurityDescriptor, PUCHAR RMControl); WINPR_API BOOL GetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, LPBOOL lpbSaclPresent, PACL* pSacl, LPBOOL lpbSaclDefaulted); WINPR_API BOOL SetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bSaclPresent, PACL pSacl, BOOL bSaclDefaulted); #ifdef __cplusplus } #endif #endif #endif /* WINPR_SECURITY_H */