FreeRDP
winpr/include/winpr/security.h
1 
20 #ifndef WINPR_SECURITY_H
21 #define WINPR_SECURITY_H
22 
23 #include <winpr/winpr.h>
24 #include <winpr/wtypes.h>
25 
31 #ifndef _WIN32
32 
33 #include <winpr/nt.h>
34 
35 #define ANYSIZE_ARRAY 1
36 
37 typedef enum
38 {
39  SecurityAnonymous,
40  SecurityIdentification,
41  SecurityImpersonation,
42  SecurityDelegation
43 } SECURITY_IMPERSONATION_LEVEL,
44  *PSECURITY_IMPERSONATION_LEVEL;
45 
46 #define SECURITY_MAX_IMPERSONATION_LEVEL SecurityDelegation
47 #define SECURITY_MIN_IMPERSONATION_LEVEL SecurityAnonymous
48 #define DEFAULT_IMPERSONATION_LEVEL SecurityImpersonation
49 #define VALID_IMPERSONATION_LEVEL(L) \
50  (((L) >= SECURITY_MIN_IMPERSONATION_LEVEL) && ((L) <= SECURITY_MAX_IMPERSONATION_LEVEL))
51 
52 #define TOKEN_ASSIGN_PRIMARY (0x0001)
53 #define TOKEN_DUPLICATE (0x0002)
54 #define TOKEN_IMPERSONATE (0x0004)
55 #define TOKEN_QUERY (0x0008)
56 #define TOKEN_QUERY_SOURCE (0x0010)
57 #define TOKEN_ADJUST_PRIVILEGES (0x0020)
58 #define TOKEN_ADJUST_GROUPS (0x0040)
59 #define TOKEN_ADJUST_DEFAULT (0x0080)
60 #define TOKEN_ADJUST_SESSIONID (0x0100)
61 
62 #define TOKEN_ALL_ACCESS_P \
63  (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | \
64  TOKEN_QUERY | TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | \
65  TOKEN_ADJUST_DEFAULT)
66 
67 #define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P | TOKEN_ADJUST_SESSIONID)
68 
69 #define TOKEN_READ (STANDARD_RIGHTS_READ | TOKEN_QUERY)
70 
71 #define TOKEN_WRITE \
72  (STANDARD_RIGHTS_WRITE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT)
73 
74 #define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE)
75 
76 #define TOKEN_MANDATORY_POLICY_OFF 0x0
77 #define TOKEN_MANDATORY_POLICY_NO_WRITE_UP 0x1
78 #define TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN 0x2
79 
80 #define TOKEN_MANDATORY_POLICY_VALID_MASK \
81  (TOKEN_MANDATORY_POLICY_NO_WRITE_UP | TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN)
82 
83 #define POLICY_AUDIT_SUBCATEGORY_COUNT (56)
84 
85 #define TOKEN_SOURCE_LENGTH 8
86 
87 #define SID_REVISION (1)
88 #define SID_MAX_SUB_AUTHORITIES (15)
89 #define SID_RECOMMENDED_SUB_AUTHORITIES (1)
90 
91 #define SID_HASH_SIZE 32
92 
93 #define SECURITY_MANDATORY_UNTRUSTED_RID 0x0000
94 #define SECURITY_MANDATORY_LOW_RID 0x1000
95 #define SECURITY_MANDATORY_MEDIUM_RID 0x2000
96 #define SECURITY_MANDATORY_HIGH_RID 0x3000
97 #define SECURITY_MANDATORY_SYSTEM_RID 0x4000
98 
99 #define SECURITY_NULL_SID_AUTHORITY \
100  { \
101  0, 0, 0, 0, 0, 0 \
102  }
103 #define SECURITY_WORLD_SID_AUTHORITY \
104  { \
105  0, 0, 0, 0, 0, 1 \
106  }
107 #define SECURITY_LOCAL_SID_AUTHORITY \
108  { \
109  0, 0, 0, 0, 0, 2 \
110  }
111 #define SECURITY_CREATOR_SID_AUTHORITY \
112  { \
113  0, 0, 0, 0, 0, 3 \
114  }
115 #define SECURITY_NON_UNIQUE_AUTHORITY \
116  { \
117  0, 0, 0, 0, 0, 4 \
118  }
119 #define SECURITY_RESOURCE_MANAGER_AUTHORITY \
120  { \
121  0, 0, 0, 0, 0, 9 \
122  }
123 
124 #define SECURITY_NULL_RID (0x00000000L)
125 #define SECURITY_WORLD_RID (0x00000000L)
126 #define SECURITY_LOCAL_RID (0x00000000L)
127 #define SECURITY_LOCAL_LOGON_RID (0x00000001L)
128 
129 #define SECURITY_CREATOR_OWNER_RID (0x00000000L)
130 #define SECURITY_CREATOR_GROUP_RID (0x00000001L)
131 #define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L)
132 #define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L)
133 #define SECURITY_CREATOR_OWNER_RIGHTS_RID (0x00000004L)
134 
135 typedef PVOID PACCESS_TOKEN;
136 typedef PVOID PCLAIMS_BLOB;
137 
138 typedef struct
139 {
140  LUID Luid;
141  DWORD Attributes;
142 } LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES;
143 typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
144 typedef LUID_AND_ATTRIBUTES_ARRAY* PLUID_AND_ATTRIBUTES_ARRAY;
145 
146 typedef struct
147 {
148  BYTE Value[6];
149 } SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
150 
151 typedef struct
152 {
153  BYTE Revision;
154  BYTE SubAuthorityCount;
155  SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
156  DWORD SubAuthority[ANYSIZE_ARRAY];
157 } SID, *PISID;
158 
159 typedef enum
160 {
161  SidTypeUser = 1,
162  SidTypeGroup,
163  SidTypeDomain,
164  SidTypeAlias,
165  SidTypeWellKnownGroup,
166  SidTypeDeletedAccount,
167  SidTypeInvalid,
168  SidTypeUnknown,
169  SidTypeComputer,
170  SidTypeLabel
171 } SID_NAME_USE,
172  *PSID_NAME_USE;
173 
174 typedef struct
175 {
176  PSID Sid;
177  DWORD Attributes;
178 } SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES;
179 
180 typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
181 typedef SID_AND_ATTRIBUTES_ARRAY* PSID_AND_ATTRIBUTES_ARRAY;
182 
183 typedef ULONG_PTR SID_HASH_ENTRY, *PSID_HASH_ENTRY;
184 
185 typedef struct
186 {
187  DWORD SidCount;
188  PSID_AND_ATTRIBUTES SidAttr;
189  SID_HASH_ENTRY Hash[SID_HASH_SIZE];
190 } SID_AND_ATTRIBUTES_HASH, *PSID_AND_ATTRIBUTES_HASH;
191 
192 typedef enum
193 {
194  TokenPrimary = 1,
195  TokenImpersonation
196 } TOKEN_TYPE;
197 typedef TOKEN_TYPE* PTOKEN_TYPE;
198 
199 typedef enum
200 {
201  TokenElevationTypeDefault = 1,
202  TokenElevationTypeFull,
203  TokenElevationTypeLimited
204 } TOKEN_ELEVATION_TYPE,
205  *PTOKEN_ELEVATION_TYPE;
206 
207 typedef enum
208 {
209  TokenUser = 1,
210  TokenGroups,
211  TokenPrivileges,
212  TokenOwner,
213  TokenPrimaryGroup,
214  TokenDefaultDacl,
215  TokenSource,
216  TokenType,
217  TokenImpersonationLevel,
218  TokenStatistics,
219  TokenRestrictedSids,
220  TokenSessionId,
221  TokenGroupsAndPrivileges,
222  TokenSessionReference,
223  TokenSandBoxInert,
224  TokenAuditPolicy,
225  TokenOrigin,
226  TokenElevationType,
227  TokenLinkedToken,
228  TokenElevation,
229  TokenHasRestrictions,
230  TokenAccessInformation,
231  TokenVirtualizationAllowed,
232  TokenVirtualizationEnabled,
233  TokenIntegrityLevel,
234  TokenUIAccess,
235  TokenMandatoryPolicy,
236  TokenLogonSid,
237  TokenIsAppContainer,
238  TokenCapabilities,
239  TokenAppContainerSid,
240  TokenAppContainerNumber,
241  TokenUserClaimAttributes,
242  TokenDeviceClaimAttributes,
243  TokenRestrictedUserClaimAttributes,
244  TokenRestrictedDeviceClaimAttributes,
245  TokenDeviceGroups,
246  TokenRestrictedDeviceGroups,
247  TokenSecurityAttributes,
248  TokenIsRestricted,
249  MaxTokenInfoClass
250 } TOKEN_INFORMATION_CLASS,
251  *PTOKEN_INFORMATION_CLASS;
252 
253 typedef struct
254 {
255  SID_AND_ATTRIBUTES User;
256 } TOKEN_USER, *PTOKEN_USER;
257 
258 typedef struct
259 {
260  DWORD GroupCount;
261  SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
262 } TOKEN_GROUPS, *PTOKEN_GROUPS;
263 
264 typedef struct
265 {
266  DWORD PrivilegeCount;
267  LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
268 } TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES;
269 
270 typedef struct
271 {
272  PSID Owner;
273 } TOKEN_OWNER, *PTOKEN_OWNER;
274 
275 typedef struct
276 {
277  PSID PrimaryGroup;
278 } TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP;
279 
280 typedef struct
281 {
282  PACL DefaultDacl;
283 } TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL;
284 
285 typedef struct
286 {
287  PCLAIMS_BLOB UserClaims;
288 } TOKEN_USER_CLAIMS, *PTOKEN_USER_CLAIMS;
289 
290 typedef struct
291 {
292  PCLAIMS_BLOB DeviceClaims;
293 } TOKEN_DEVICE_CLAIMS, *PTOKEN_DEVICE_CLAIMS;
294 
295 typedef struct
296 {
297  DWORD SidCount;
298  DWORD SidLength;
299  PSID_AND_ATTRIBUTES Sids;
300  DWORD RestrictedSidCount;
301  DWORD RestrictedSidLength;
302  PSID_AND_ATTRIBUTES RestrictedSids;
303  DWORD PrivilegeCount;
304  DWORD PrivilegeLength;
305  PLUID_AND_ATTRIBUTES Privileges;
306  LUID AuthenticationId;
307 } TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES;
308 
309 typedef struct
310 {
311  HANDLE LinkedToken;
312 } TOKEN_LINKED_TOKEN, *PTOKEN_LINKED_TOKEN;
313 
314 typedef struct
315 {
316  DWORD TokenIsElevated;
317 } TOKEN_ELEVATION, *PTOKEN_ELEVATION;
318 
319 typedef struct
320 {
321  SID_AND_ATTRIBUTES Label;
322 } TOKEN_MANDATORY_LABEL, *PTOKEN_MANDATORY_LABEL;
323 
324 typedef struct
325 {
326  DWORD Policy;
327 } TOKEN_MANDATORY_POLICY, *PTOKEN_MANDATORY_POLICY;
328 
329 typedef struct
330 {
331  PSID_AND_ATTRIBUTES_HASH SidHash;
332  PSID_AND_ATTRIBUTES_HASH RestrictedSidHash;
333  PTOKEN_PRIVILEGES Privileges;
334  LUID AuthenticationId;
335  TOKEN_TYPE TokenType;
336  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
337  TOKEN_MANDATORY_POLICY MandatoryPolicy;
338  DWORD Flags;
339  DWORD AppContainerNumber;
340  PSID PackageSid;
341  PSID_AND_ATTRIBUTES_HASH CapabilitiesHash;
342 } TOKEN_ACCESS_INFORMATION, *PTOKEN_ACCESS_INFORMATION;
343 
344 typedef struct
345 {
346  BYTE PerUserPolicy[((POLICY_AUDIT_SUBCATEGORY_COUNT) >> 1) + 1];
347 } TOKEN_AUDIT_POLICY, *PTOKEN_AUDIT_POLICY;
348 
349 typedef struct
350 {
351  CHAR SourceName[TOKEN_SOURCE_LENGTH];
352  LUID SourceIdentifier;
353 } TOKEN_SOURCE, *PTOKEN_SOURCE;
354 
355 typedef struct
356 {
357  LUID TokenId;
358  LUID AuthenticationId;
359  LARGE_INTEGER ExpirationTime;
360  TOKEN_TYPE TokenType;
361  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
362  DWORD DynamicCharged;
363  DWORD DynamicAvailable;
364  DWORD GroupCount;
365  DWORD PrivilegeCount;
366  LUID ModifiedId;
367 } TOKEN_STATISTICS, *PTOKEN_STATISTICS;
368 
369 typedef struct
370 {
371  LUID TokenId;
372  LUID AuthenticationId;
373  LUID ModifiedId;
374  TOKEN_SOURCE TokenSource;
375 } TOKEN_CONTROL, *PTOKEN_CONTROL;
376 
377 typedef struct
378 {
379  LUID OriginatingLogonSession;
380 } TOKEN_ORIGIN, *PTOKEN_ORIGIN;
381 
382 typedef enum
383 {
384  MandatoryLevelUntrusted = 0,
385  MandatoryLevelLow,
386  MandatoryLevelMedium,
387  MandatoryLevelHigh,
388  MandatoryLevelSystem,
389  MandatoryLevelSecureProcess,
390  MandatoryLevelCount
391 } MANDATORY_LEVEL,
392  *PMANDATORY_LEVEL;
393 
394 typedef struct
395 {
396  PSID TokenAppContainer;
397 } TOKEN_APPCONTAINER_INFORMATION, *PTOKEN_APPCONTAINER_INFORMATION;
398 
399 #ifdef __cplusplus
400 extern "C"
401 {
402 #endif
403 
404  WINPR_API BOOL InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor,
405  DWORD dwRevision);
406  WINPR_API DWORD GetSecurityDescriptorLength(PSECURITY_DESCRIPTOR pSecurityDescriptor);
407  WINPR_API BOOL IsValidSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor);
408 
409  WINPR_API BOOL GetSecurityDescriptorControl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
410  PSECURITY_DESCRIPTOR_CONTROL pControl,
411  LPDWORD lpdwRevision);
412  WINPR_API BOOL SetSecurityDescriptorControl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
413  SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest,
414  SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet);
415 
416  WINPR_API BOOL GetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
417  LPBOOL lpbDaclPresent, PACL* pDacl,
418  LPBOOL lpbDaclDefaulted);
419  WINPR_API BOOL SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
420  BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted);
421 
422  WINPR_API BOOL GetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor,
423  PSID* pGroup, LPBOOL lpbGroupDefaulted);
424  WINPR_API BOOL SetSecurityDescriptorGroup(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pGroup,
425  BOOL bGroupDefaulted);
426 
427  WINPR_API BOOL GetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor,
428  PSID* pOwner, LPBOOL lpbOwnerDefaulted);
429  WINPR_API BOOL SetSecurityDescriptorOwner(PSECURITY_DESCRIPTOR pSecurityDescriptor, PSID pOwner,
430  BOOL bOwnerDefaulted);
431 
432  WINPR_API DWORD GetSecurityDescriptorRMControl(PSECURITY_DESCRIPTOR SecurityDescriptor,
433  PUCHAR RMControl);
434  WINPR_API DWORD SetSecurityDescriptorRMControl(PSECURITY_DESCRIPTOR SecurityDescriptor,
435  PUCHAR RMControl);
436 
437  WINPR_API BOOL GetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
438  LPBOOL lpbSaclPresent, PACL* pSacl,
439  LPBOOL lpbSaclDefaulted);
440  WINPR_API BOOL SetSecurityDescriptorSacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,
441  BOOL bSaclPresent, PACL pSacl, BOOL bSaclDefaulted);
442 
443 #ifdef __cplusplus
444 }
445 #endif
446 
447 #endif
448 
449 #endif /* WINPR_SECURITY_H */
LUID_AND_ATTRIBUTES
Definition: winpr/include/winpr/security.h:139
SID_AND_ATTRIBUTES_HASH
Definition: winpr/include/winpr/security.h:186
SID_AND_ATTRIBUTES
Definition: winpr/include/winpr/security.h:175
SID_IDENTIFIER_AUTHORITY
Definition: winpr/include/winpr/security.h:147
TOKEN_ACCESS_INFORMATION
Definition: winpr/include/winpr/security.h:330
TOKEN_APPCONTAINER_INFORMATION
Definition: winpr/include/winpr/security.h:395
TOKEN_AUDIT_POLICY
Definition: winpr/include/winpr/security.h:345
TOKEN_CONTROL
Definition: winpr/include/winpr/security.h:370
TOKEN_DEFAULT_DACL
Definition: winpr/include/winpr/security.h:281
TOKEN_DEVICE_CLAIMS
Definition: winpr/include/winpr/security.h:291
TOKEN_ELEVATION
Definition: winpr/include/winpr/security.h:315
TOKEN_GROUPS_AND_PRIVILEGES
Definition: winpr/include/winpr/security.h:296
TOKEN_GROUPS
Definition: winpr/include/winpr/security.h:259
TOKEN_LINKED_TOKEN
Definition: winpr/include/winpr/security.h:310
TOKEN_MANDATORY_LABEL
Definition: winpr/include/winpr/security.h:320
TOKEN_MANDATORY_POLICY
Definition: winpr/include/winpr/security.h:325
TOKEN_ORIGIN
Definition: winpr/include/winpr/security.h:378
TOKEN_OWNER
Definition: winpr/include/winpr/security.h:271
TOKEN_PRIMARY_GROUP
Definition: winpr/include/winpr/security.h:276
TOKEN_PRIVILEGES
Definition: winpr/include/winpr/security.h:265
TOKEN_SOURCE
Definition: winpr/include/winpr/security.h:350
TOKEN_STATISTICS
Definition: winpr/include/winpr/security.h:356
TOKEN_USER_CLAIMS
Definition: winpr/include/winpr/security.h:286
TOKEN_USER
Definition: winpr/include/winpr/security.h:254