/// <summary>
/// Convert an enumerable access rights to a string
/// </summary>
/// <param name="granted_access">The granted access mask.</param>
/// <param name="generic_mapping">Generic mapping for object type.</param>
/// <param name="enum_type">Enum type to convert to string.</param>
/// <param name="map_to_generic">True to try and convert to generic rights where possible.</param>
/// <returns>The string format of the access rights</returns>
public static string GrantedAccessAsString(AccessMask granted_access, GenericMapping generic_mapping, Type enum_type, bool map_to_generic)
{
if (granted_access == 0)
{
return("None");
}
AccessMask mapped_access = generic_mapping.MapMask(granted_access);
if (map_to_generic)
{
mapped_access = generic_mapping.UnmapMask(mapped_access);
}
else if (generic_mapping.HasAll(granted_access))
{
return("Full Access");
}
return(AccessRightsToString(enum_type, mapped_access));
}
/// <summary>
/// Checks if an access mask represents a execute permission on this type
/// </summary>
/// <param name="access_mask">The access mask to check</param>
/// <returns>True if it has execute permissions</returns>
public bool HasExecutePermission(AccessMask access_mask)
{
return(GenericMapping.HasExecute(access_mask));
}
/// <summary>
/// Checks if an access mask represents a read permission on this type
/// </summary>
/// <param name="access_mask">The access mask to check</param>
/// <returns>True if it has read permissions</returns>
public bool HasReadPermission(AccessMask access_mask)
{
return(GenericMapping.HasRead(access_mask));
}
/// <summary>
/// Do an access check between a security descriptor and a token to determine the maximum allowed access.
/// </summary>
/// <param name="sd">The security descriptor</param>
/// <param name="token">The access token.</param>
/// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
/// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
/// <returns>The maximum allowed access mask as a unsigned integer.</returns>
/// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
public static AccessMask GetMaximumAccess(SecurityDescriptor sd, NtToken token, Sid principal, GenericMapping generic_mapping)
{
return(GetAllowedAccess(sd, token, GenericAccessRights.MaximumAllowed, principal, generic_mapping));
}
/// <summary>
/// Do an access check between a security descriptor and a token to determine the allowed access.
/// </summary>
/// <param name="sd">The security descriptor</param>
/// <param name="token">The access token.</param>
/// <param name="access_rights">The set of access rights to check against</param>
/// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
/// <returns>The allowed access mask as a unsigned integer.</returns>
/// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
public static AccessMask GetAllowedAccess(SecurityDescriptor sd, NtToken token,
AccessMask access_rights, GenericMapping generic_mapping)
{
return(GetAllowedAccess
(sd, token, access_rights, null, generic_mapping));
}
/// <summary>
/// Checks if a access mask represents a full permission on this type
/// </summary>
/// <param name="access_mask">The access mask to check</param>
/// <returns>True if it has full permissions</returns>
public bool HasFullPermission(uint access_mask)
{
access_mask = GenericMapping.MapMask(access_mask);
return((access_mask & GenericMapping.GenericAll) == GenericMapping.GenericAll);
}
public static extern void RtlMapGenericMask(ref AccessMask AccessMask, ref GenericMapping mapping);
/// <summary>
/// Checks if an access mask is valid for access of this object type.
/// </summary>
/// <param name="access_mask">The access mask to check</param>
/// <returns>True if it valid access</returns>
public bool IsValidAccess(AccessMask access_mask)
{
return((GenericMapping.MapMask(access_mask) & ~ValidAccess).IsEmpty);
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="base_object">Base object for security descriptor</param>
/// <param name="token">Token for determining user rights</param>
/// <param name="is_directory">True if a directory security descriptor</param>
public SecurityDescriptor(NtObject base_object, NtToken token, bool is_directory) : this()
{
if ((base_object == null) && (token == null))
{
throw new ArgumentNullException();
}
SecurityDescriptor parent_sd = null;
if (base_object != null)
{
parent_sd = base_object.SecurityDescriptor;
}
SecurityDescriptor creator_sd = null;
if (token != null)
{
creator_sd = new SecurityDescriptor();
creator_sd.Owner = new SecurityDescriptorSid(token.Owner, false);
creator_sd.Group = new SecurityDescriptorSid(token.PrimaryGroup, false);
creator_sd.Dacl = token.DefaultDalc;
}
NtType type = NtType.GetTypeByName(base_object.NtTypeName);
SafeBuffer parent_sd_buffer = SafeHGlobalBuffer.Null;
SafeBuffer creator_sd_buffer = SafeHGlobalBuffer.Null;
SafeSecurityObjectHandle security_obj = null;
try
{
if (parent_sd != null)
{
parent_sd_buffer = parent_sd.ToSafeBuffer();
}
if (creator_sd != null)
{
creator_sd_buffer = creator_sd.ToSafeBuffer();
}
GenericMapping mapping = type.GenericMapping;
NtRtl.RtlNewSecurityObject(parent_sd_buffer, creator_sd_buffer, out security_obj, is_directory,
token != null ? token.Handle : SafeKernelObjectHandle.Null, ref mapping).ToNtException();
ParseSecurityDescriptor(security_obj);
}
finally
{
if (parent_sd_buffer != null)
{
parent_sd_buffer.Close();
}
if (creator_sd_buffer != null)
{
creator_sd_buffer.Close();
}
if (security_obj != null)
{
security_obj.Close();
}
}
}
/// <summary>
/// Do an access check between a security descriptor and a token to determine the maximum allowed access.
/// </summary>
/// <param name="sd">The security descriptor</param>
/// <param name="token">The access token.</param>
/// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
/// <returns>The maximum allowed access mask as a unsigned integer.</returns>
/// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
public static uint GetMaximumAccess(SecurityDescriptor sd, NtToken token, GenericMapping generic_mapping)
{
return(GetAllowedAccess(sd, token, GenericAccessRights.MaximumAllowed, generic_mapping));
}
/// <summary>
/// Do an access check between a security descriptor and a token to determine the allowed access.
/// </summary>
/// <param name="sd">The security descriptor</param>
/// <param name="token">The access token.</param>
/// <param name="access_rights">The set of access rights to check against</param>
/// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
/// <returns>The allowed access mask as a unsigned integer.</returns>
/// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
public static uint GetAllowedAccess(SecurityDescriptor sd, NtToken token, GenericAccessRights access_rights, GenericMapping generic_mapping)
{
if (sd == null)
{
throw new ArgumentNullException("sd");
}
if (token == null)
{
throw new ArgumentNullException("token");
}
using (var sd_buffer = sd.ToSafeBuffer())
{
using (NtToken imp_token = token.DuplicateToken(SecurityImpersonationLevel.Identification))
{
uint granted_access;
NtStatus result_status;
using (var privs = new SafePrivilegeSetBuffer())
{
int buffer_length = privs.Length;
NtSystemCalls.NtAccessCheck(sd_buffer, imp_token.Handle, (uint)access_rights,
ref generic_mapping, privs, ref buffer_length, out granted_access, out result_status).ToNtException();
if (result_status.IsSuccess())
{
return(granted_access);
}
return(0);
}
}
}
}
/// <summary>
/// Map generic access rights to specific access rights for this type
/// </summary>
/// <param name="access_mask">The access mask to map</param>
/// <returns>The mapped access mask</returns>
public AccessMask MapGenericRights(AccessMask access_mask)
{
return GenericMapping.MapMask(access_mask);
}
/// <summary>
/// Map generic access rights to specific access rights for this type
/// </summary>
/// <param name="access_mask">The access mask to map</param>
/// <returns>The mapped access mask</returns>
public uint MapGenericRights(uint access_mask)
{
return(GenericMapping.MapMask(access_mask));
}
/// <summary>
/// Checks if an access mask represents a full permission on this type
/// </summary>
/// <param name="access_mask">The access mask to check</param>
/// <returns>True if it has full permissions</returns>
public bool HasFullPermission(AccessMask access_mask)
{
return(GenericMapping.HasAll(access_mask));
}
/// <summary>
/// Get the maximum access mask for the type's default mandatory access policy.
/// </summary>
/// <returns>The allowed access mask for the type with the default policy.</returns>
public AccessMask GetDefaultMandatoryAccess()
{
return(GenericMapping.GetAllowedMandatoryAccess(_type_factory.DefaultMandatoryPolicy));
}
/// <summary>
/// Unmap specific access rights to generic access rights for this type
/// </summary>
/// <param name="access_mask">The access mask to unmap</param>
/// <returns>The unmapped access mask</returns>
public AccessMask UnmapGenericRights(AccessMask access_mask)
{
return(GenericMapping.UnmapMask(access_mask));
}
/// <summary>
/// Get a fake type object. This can be used in access checking for operations which need an NtType object
/// but there's no real NT object.
/// </summary>
/// <param name="name">The name of the fake type. Informational only.</param>
/// <param name="generic_mapping">The GENERIC_MAPPING for security checking.</param>
/// <param name="access_rights_type">The access rights enumeration type.</param>
/// <param name="container_access_rights_type">The access rights enumeration type of the object is a container.</param>
/// <returns>The fake NT type object.</returns>
public static NtType GetFakeType(string name, GenericMapping generic_mapping, Type access_rights_type, Type container_access_rights_type)
{
return(new NtType(name, generic_mapping, access_rights_type, container_access_rights_type, MandatoryLabelPolicy.NoWriteUp));
}
/// <summary>
/// Get a fake type object. This can be used in access checking for operations which need an NtType object
/// but there's no real NT object.
/// </summary>
/// <param name="name">The name of the fake type. Informational only.</param>
/// <param name="generic_mapping">The GENERIC_MAPPING for security checking.</param>
/// <param name="access_rights_type">The access rights enumeration type.</param>
/// <returns></returns>
public static NtType GetFakeType(string name, GenericMapping generic_mapping, Type access_rights_type)
{
return(new NtType(name, generic_mapping, access_rights_type));
}
/// <summary>
/// Do an access check between a security descriptor and a token to determine the allowed access.
/// </summary>
/// <param name="sd">The security descriptor</param>
/// <param name="token">The access token.</param>
/// <param name="access_rights">The set of access rights to check against</param>
/// <param name="principal">An optional principal SID used to replace the SELF SID in a security descriptor.</param>
/// <param name="generic_mapping">The type specific generic mapping (get from corresponding NtType entry).</param>
/// <returns>The allowed access mask as a unsigned integer.</returns>
/// <exception cref="NtException">Thrown if an error occurred in the access check.</exception>
public static AccessMask GetAllowedAccess(SecurityDescriptor sd, NtToken token,
AccessMask access_rights, Sid principal, GenericMapping generic_mapping)
{
if (sd == null)
{
throw new ArgumentNullException("sd");
}
if (token == null)
{
throw new ArgumentNullException("token");
}
if (access_rights.IsEmpty)
{
return(AccessMask.Empty);
}
using (SafeBuffer sd_buffer = sd.ToSafeBuffer())
{
using (NtToken imp_token = DuplicateForAccessCheck(token))
{
using (var privs = new SafePrivilegeSetBuffer())
{
int buffer_length = privs.Length;
using (var self_sid = principal != null ? principal.ToSafeBuffer() : SafeSidBufferHandle.Null)
{
NtSystemCalls.NtAccessCheckByType(sd_buffer, self_sid, imp_token.Handle, access_rights,
SafeHGlobalBuffer.Null, 0, ref generic_mapping, privs,
ref buffer_length, out AccessMask granted_access, out NtStatus result_status).ToNtException();
if (result_status.IsSuccess())
{
return(granted_access);
}
return(AccessMask.Empty);
}
}
}
}
}
public static extern NtStatus RtlNewSecurityObject(SafeBuffer ParentDescriptor,
SafeBuffer CreatorDescriptor,
out SafeSecurityObjectBuffer NewDescriptor,
bool IsDirectoryObject,
SafeKernelObjectHandle Token,
ref GenericMapping GenericMapping);
/// <summary>
/// Checks if a access mask represents a execute permission on this type
/// </summary>
/// <param name="access_mask">The access mask to check</param>
/// <returns>True if it has execute permissions</returns>
public bool HasExecutePermission(uint access_mask)
{
access_mask = GenericMapping.MapMask(access_mask);
return((access_mask & GenericMapping.GenericExecute & ~GenericMapping.GenericRead) != 0);
}
