20 #ifndef WINPR_SECURITY_H
21 #define WINPR_SECURITY_H
23 #include <winpr/winpr.h>
24 #include <winpr/wtypes.h>
35 #define ANYSIZE_ARRAY 1
40 SecurityIdentification,
41 SecurityImpersonation,
43 } SECURITY_IMPERSONATION_LEVEL,
44 *PSECURITY_IMPERSONATION_LEVEL;
46 #define SECURITY_MAX_IMPERSONATION_LEVEL SecurityDelegation
47 #define SECURITY_MIN_IMPERSONATION_LEVEL SecurityAnonymous
48 #define DEFAULT_IMPERSONATION_LEVEL SecurityImpersonation
49 #define VALID_IMPERSONATION_LEVEL(L) \
50 (((L) >= SECURITY_MIN_IMPERSONATION_LEVEL) && ((L) <= SECURITY_MAX_IMPERSONATION_LEVEL))
52 #define TOKEN_ASSIGN_PRIMARY (0x0001)
53 #define TOKEN_DUPLICATE (0x0002)
54 #define TOKEN_IMPERSONATE (0x0004)
55 #define TOKEN_QUERY (0x0008)
56 #define TOKEN_QUERY_SOURCE (0x0010)
57 #define TOKEN_ADJUST_PRIVILEGES (0x0020)
58 #define TOKEN_ADJUST_GROUPS (0x0040)
59 #define TOKEN_ADJUST_DEFAULT (0x0080)
60 #define TOKEN_ADJUST_SESSIONID (0x0100)
62 #define TOKEN_ALL_ACCESS_P \
63 (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | \
64 TOKEN_QUERY | TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | \
67 #define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P | TOKEN_ADJUST_SESSIONID)
69 #define TOKEN_READ (STANDARD_RIGHTS_READ | TOKEN_QUERY)
72 (STANDARD_RIGHTS_WRITE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT)
74 #define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE)
76 #define TOKEN_MANDATORY_POLICY_OFF 0x0
77 #define TOKEN_MANDATORY_POLICY_NO_WRITE_UP 0x1
78 #define TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN 0x2
80 #define TOKEN_MANDATORY_POLICY_VALID_MASK \
81 (TOKEN_MANDATORY_POLICY_NO_WRITE_UP | TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN)
83 #define POLICY_AUDIT_SUBCATEGORY_COUNT (56)
85 #define TOKEN_SOURCE_LENGTH 8
87 #define SID_REVISION (1)
88 #define SID_MAX_SUB_AUTHORITIES (15)
89 #define SID_RECOMMENDED_SUB_AUTHORITIES (1)
91 #define SID_HASH_SIZE 32
93 #define SECURITY_MANDATORY_UNTRUSTED_RID 0x0000
94 #define SECURITY_MANDATORY_LOW_RID 0x1000
95 #define SECURITY_MANDATORY_MEDIUM_RID 0x2000
96 #define SECURITY_MANDATORY_HIGH_RID 0x3000
97 #define SECURITY_MANDATORY_SYSTEM_RID 0x4000
99 #define SECURITY_NULL_SID_AUTHORITY \
103 #define SECURITY_WORLD_SID_AUTHORITY \
107 #define SECURITY_LOCAL_SID_AUTHORITY \
111 #define SECURITY_CREATOR_SID_AUTHORITY \
115 #define SECURITY_NON_UNIQUE_AUTHORITY \
119 #define SECURITY_RESOURCE_MANAGER_AUTHORITY \
124 #define SECURITY_NULL_RID (0x00000000L)
125 #define SECURITY_WORLD_RID (0x00000000L)
126 #define SECURITY_LOCAL_RID (0x00000000L)
127 #define SECURITY_LOCAL_LOGON_RID (0x00000001L)
129 #define SECURITY_CREATOR_OWNER_RID (0x00000000L)
130 #define SECURITY_CREATOR_GROUP_RID (0x00000001L)
131 #define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L)
132 #define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L)
133 #define SECURITY_CREATOR_OWNER_RIGHTS_RID (0x00000004L)
135 typedef PVOID PACCESS_TOKEN;
136 typedef PVOID PCLAIMS_BLOB;
144 typedef LUID_AND_ATTRIBUTES_ARRAY* PLUID_AND_ATTRIBUTES_ARRAY;
154 BYTE SubAuthorityCount;
156 DWORD SubAuthority[ANYSIZE_ARRAY];
165 SidTypeWellKnownGroup,
166 SidTypeDeletedAccount,
181 typedef SID_AND_ATTRIBUTES_ARRAY* PSID_AND_ATTRIBUTES_ARRAY;
183 typedef ULONG_PTR SID_HASH_ENTRY, *PSID_HASH_ENTRY;
189 SID_HASH_ENTRY Hash[SID_HASH_SIZE];
197 typedef TOKEN_TYPE* PTOKEN_TYPE;
201 TokenElevationTypeDefault = 1,
202 TokenElevationTypeFull,
203 TokenElevationTypeLimited
204 } TOKEN_ELEVATION_TYPE,
205 *PTOKEN_ELEVATION_TYPE;
217 TokenImpersonationLevel,
221 TokenGroupsAndPrivileges,
222 TokenSessionReference,
229 TokenHasRestrictions,
230 TokenAccessInformation,
231 TokenVirtualizationAllowed,
232 TokenVirtualizationEnabled,
235 TokenMandatoryPolicy,
239 TokenAppContainerSid,
240 TokenAppContainerNumber,
241 TokenUserClaimAttributes,
242 TokenDeviceClaimAttributes,
243 TokenRestrictedUserClaimAttributes,
244 TokenRestrictedDeviceClaimAttributes,
246 TokenRestrictedDeviceGroups,
247 TokenSecurityAttributes,
250 } TOKEN_INFORMATION_CLASS,
251 *PTOKEN_INFORMATION_CLASS;
266 DWORD PrivilegeCount;
287 PCLAIMS_BLOB UserClaims;
292 PCLAIMS_BLOB DeviceClaims;
300 DWORD RestrictedSidCount;
301 DWORD RestrictedSidLength;
303 DWORD PrivilegeCount;
304 DWORD PrivilegeLength;
306 LUID AuthenticationId;
316 DWORD TokenIsElevated;
334 LUID AuthenticationId;
335 TOKEN_TYPE TokenType;
336 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
339 DWORD AppContainerNumber;
346 BYTE PerUserPolicy[((POLICY_AUDIT_SUBCATEGORY_COUNT) >> 1) + 1];
351 CHAR SourceName[TOKEN_SOURCE_LENGTH];
352 LUID SourceIdentifier;
358 LUID AuthenticationId;
360 TOKEN_TYPE TokenType;
361 SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
362 DWORD DynamicCharged;
363 DWORD DynamicAvailable;
365 DWORD PrivilegeCount;
372 LUID AuthenticationId;
379 LUID OriginatingLogonSession;
384 MandatoryLevelUntrusted = 0,
386 MandatoryLevelMedium,
388 MandatoryLevelSystem,
389 MandatoryLevelSecureProcess,
396 PSID TokenAppContainer;
404 WINPR_API BOOL InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor,
406 WINPR_API DWORD GetSecurityDescriptorLength(PSECURITY_DESCRIPTOR pSecurityDescriptor);
407 WINPR_API BOOL IsValidSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor);
409 WINPR_API BOOL GetSecurityDescriptorControl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
410 PSECURITY_DESCRIPTOR_CONTROL pControl,
411 LPDWORD lpdwRevision);
412 WINPR_API BOOL SetSecurityDescriptorControl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
413 SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest,
414 SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet);
416 WINPR_API BOOL GetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
417 LPBOOL lpbDaclPresent, PACL* pDacl,
418 LPBOOL lpbDaclDefaulted);
419 WINPR_API BOOL SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
420 BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted);
422 WINPR_API BOOL GetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor,
423 PSID* pGroup, LPBOOL lpbGroupDefaulted);
424 WINPR_API BOOL SetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pGroup,
425 BOOL bGroupDefaulted);
427 WINPR_API BOOL GetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor,
428 PSID* pOwner, LPBOOL lpbOwnerDefaulted);
429 WINPR_API BOOL SetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pOwner,
430 BOOL bOwnerDefaulted);
432 WINPR_API DWORD GetSecurityDescriptorRMControl(PSECURITY_DESCRIPTOR SecurityDescriptor,
434 WINPR_API DWORD SetSecurityDescriptorRMControl(PSECURITY_DESCRIPTOR SecurityDescriptor,
437 WINPR_API BOOL GetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
438 LPBOOL lpbSaclPresent, PACL* pSacl,
439 LPBOOL lpbSaclDefaulted);
440 WINPR_API BOOL SetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
441 BOOL bSaclPresent, PACL pSacl, BOOL bSaclDefaulted);