X-Git-Url: https://wimlib.net/git/?p=wimlib;a=blobdiff_plain;f=src%2Fsecurity.h;h=d6d7d60a55c99743579cd937b9ad8a13ef67cc42;hp=490a7c337ebd21ac1e10d760eb4f512175f6edfb;hb=ebd6c0ec0ff47ac18af4ef918fd78fb8d9f19540;hpb=d0e7f039e4ab206b9fd973c983e3fb841fcd2bf2 diff --git a/src/security.h b/src/security.h index 490a7c33..d6d7d60a 100644 --- a/src/security.h +++ b/src/security.h @@ -6,225 +6,24 @@ */ #include "util.h" +#include "rbtree.h" +#include "sha1.h" #ifndef _WIMLIB_SECURITY_H #define _WIMLIB_SECURITY_H -#define SECURITY_DESCRIPTOR_REVISION 1 -#define SECURITY_DESCRIPTOR_REVISION1 1 - -/* inherit AceFlags */ -#define OBJECT_INHERIT_ACE 0x01 -#define CONTAINER_INHERIT_ACE 0x02 -#define NO_PROPAGATE_INHERIT_ACE 0x04 -#define INHERIT_ONLY_ACE 0x08 -#define INHERITED_ACE 0x10 -#define VALID_INHERIT_FLAGS 0x1F - -#define SE_OWNER_DEFAULTED 0x00000001 -#define SE_GROUP_DEFAULTED 0x00000002 -#define SE_DACL_PRESENT 0x00000004 -#define SE_DACL_DEFAULTED 0x00000008 -#define SE_SACL_PRESENT 0x00000010 -#define SE_SACL_DEFAULTED 0x00000020 -#define SE_DACL_AUTO_INHERIT_REQ 0x00000100 -#define SE_SACL_AUTO_INHERIT_REQ 0x00000200 -#define SE_DACL_AUTO_INHERITED 0x00000400 -#define SE_SACL_AUTO_INHERITED 0x00000800 -#define SE_DACL_PROTECTED 0x00001000 -#define SE_SACL_PROTECTED 0x00002000 -#define SE_RM_CONTROL_VALID 0x00004000 -#define SE_SELF_RELATIVE 0x00008000 - -/* Flags in access control entries */ -#define DELETE 0x00010000 -#define READ_CONTROL 0x00020000 -#define WRITE_DAC 0x00040000 -#define WRITE_OWNER 0x00080000 -#define SYNCHRONIZE 0x00100000 -#define STANDARD_RIGHTS_REQUIRED 0x000f0000 - -#define STANDARD_RIGHTS_READ READ_CONTROL -#define STANDARD_RIGHTS_WRITE READ_CONTROL -#define STANDARD_RIGHTS_EXECUTE READ_CONTROL - -#define STANDARD_RIGHTS_ALL 0x001f0000 - -#define SPECIFIC_RIGHTS_ALL 0x0000ffff - -#define GENERIC_READ 0x80000000 -#define GENERIC_WRITE 0x40000000 -#define GENERIC_EXECUTE 0x20000000 -#define GENERIC_ALL 0x10000000 - -#define MAXIMUM_ALLOWED 0x02000000 -#define ACCESS_SYSTEM_SECURITY 0x01000000 - -#define EVENT_QUERY_STATE 0x0001 -#define EVENT_MODIFY_STATE 0x0002 -#define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) - -#define SEMAPHORE_MODIFY_STATE 0x0002 -#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) - -#define MUTEX_MODIFY_STATE 0x0001 -#define MUTEX_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x1) - -#define JOB_OBJECT_ASSIGN_PROCESS 0x0001 -#define JOB_OBJECT_SET_ATTRIBUTES 0x0002 -#define JOB_OBJECT_QUERY 0x0004 -#define JOB_OBJECT_TERMINATE 0x0008 -#define JOB_OBJECT_SET_SECURITY_ATTRIBUTES 0x0010 -#define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x1f) - -#define TIMER_QUERY_STATE 0x0001 -#define TIMER_MODIFY_STATE 0x0002 -#define TIMER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) - -#define PROCESS_TERMINATE 0x0001 -#define PROCESS_CREATE_THREAD 0x0002 -#define PROCESS_VM_OPERATION 0x0008 -#define PROCESS_VM_READ 0x0010 -#define PROCESS_VM_WRITE 0x0020 -#define PROCESS_DUP_HANDLE 0x0040 -#define PROCESS_CREATE_PROCESS 0x0080 -#define PROCESS_SET_QUOTA 0x0100 -#define PROCESS_SET_INFORMATION 0x0200 -#define PROCESS_QUERY_INFORMATION 0x0400 -#define PROCESS_SUSPEND_RESUME 0x0800 -#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000 -#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0xfff) - -#define THREAD_TERMINATE 0x0001 -#define THREAD_SUSPEND_RESUME 0x0002 -#define THREAD_GET_CONTEXT 0x0008 -#define THREAD_SET_CONTEXT 0x0010 -#define THREAD_SET_INFORMATION 0x0020 -#define THREAD_QUERY_INFORMATION 0x0040 -#define THREAD_SET_THREAD_TOKEN 0x0080 -#define THREAD_IMPERSONATE 0x0100 -#define THREAD_DIRECT_IMPERSONATION 0x0200 -#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3ff) - -#define THREAD_BASE_PRIORITY_LOWRT 15 -#define THREAD_BASE_PRIORITY_MAX 2 -#define THREAD_BASE_PRIORITY_MIN -2 -#define THREAD_BASE_PRIORITY_IDLE -15 - -/* predefined authority values for SID's (security identifiers) */ -enum sid_authority_value { - SECURITY_NULL_SID_AUTHORITY = 0, - SECURITY_WORLD_SID_AUTHORITY = 1, - SECURITY_LOCAL_SID_AUTHORITY = 2, - SECURITY_CREATOR_SID_AUTHORITY = 3, - SECURITY_NON_UNIQUE_AUTHORITY = 4, - SECURITY_NT_AUTHORITY = 5, +#if defined(WITH_NTFS_3G) || defined(__CYGWIN__) || defined(__WIN32__) +/* Red-black tree that maps SHA1 message digests of security descriptors to + * security IDs, which are themselves indices into the table of security + * descriptors in the 'struct wim_security_data'. */ +struct sd_set { + struct wim_security_data *sd; + struct rb_root rb_root; }; - -/* local administrators group */ -#define SECURITY_BUILTIN_DOMAIN_RID 32 -#define DOMAIN_ALIAS_RID_ADMINS 544 - -/* See ACEHeader. */ -enum ace_type { - ACCESS_ALLOWED_ACE_TYPE = 0, - ACCESS_DENIED_ACE_TYPE = 1, - SYSTEM_AUDIT_ACE_TYPE = 2, -}; - -/* At the start of each type of access control entry. */ -typedef struct { - /* enum ace_type, specifies what type of ACE this is. */ - u8 type; - - /* bitwise OR of the inherit ACE flags #defined above */ - u8 flags; - - /* Size of the access control entry. */ - u8 size; -} ACEHeader; - -/* Grants rights to a user or group */ -typedef struct { - ACEHeader hdr; - u32 mask; - u32 sid_start; -} AccessAllowedACE; - -/* Denies rights to a user or group */ -typedef struct { - ACEHeader hdr; - u32 mask; - u32 sid_start; -} AccessDeniedACE; - -typedef struct { - ACEHeader hdr; - u32 mask; - u32 sid_start; -} SystemAuditACE; - - -/* Header of an access control list. */ -typedef struct { - /* ACL_REVISION or ACL_REVISION_DS */ - u8 revision; - - /* padding */ - u8 sbz1; - - /* Total size of the ACL, including all access control entries */ - u16 acl_size; - - /* Number of access control entry structures that follow the ACL - * structure. */ - u16 ace_count; - - /* padding */ - u16 sbz2; -} ACL; - -/* A structure used to identify users or groups. */ -typedef struct { - - /* example: 0x1 */ - u8 revision; - u8 sub_authority_count; - - /* Identifies the authority that issued the SID. Can be, but does not - * have to be, one of enum sid_authority_value */ - u8 identifier_authority[6]; - - u32 sub_authority[0]; -} SID; - - -typedef struct { - /* Example: 0x1 */ - u8 revision; - /* Example: 0x0 */ - u8 sbz1; - /* Example: 0x4149 */ - u16 security_descriptor_control; - - /* Offset of a SID structure in the security descriptor. */ - /* Example: 0x14 */ - u32 owner_offset; - - /* Offset of a SID structure in the security descriptor. */ - /* Example: 0x24 */ - u32 group_offset; - - /* Offset of an ACL structure in the security descriptor. */ - /* System ACL. */ - /* Example: 0x00 */ - u32 sacl_offset; - - /* Offset of an ACL structure in the security descriptor. */ - /* Discretionary ACL. */ - /* Example: 0x34 */ - u32 dacl_offset; -} SecurityDescriptor; - +void destroy_sd_set(struct sd_set *sd_set); +int lookup_sd(struct sd_set *set, const u8 hash[SHA1_HASH_SIZE]); +int sd_set_add_sd(struct sd_set *sd_set, const char descriptor[], + size_t size); +#endif #endif /* _WIMLIB_SECURITY_H */