summaryrefslogtreecommitdiff
path: root/src/inc/securitywrapper.h
blob: a14d90a9224b6ef96a7d0ba7a5c516d826b3d139 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
// See the LICENSE file in the project root for more information.
//*****************************************************************************
// File: SecurityWrapper.h
//
// Wrapper around Win32 Security functions
//
//*****************************************************************************


#ifndef _SECURITY_WRAPPER_H
#define _SECURITY_WRAPPER_H

// This file should not even be included on Rotor.

//-----------------------------------------------------------------------------
// Wrapper around a PSID.
// This class does not own the memory.
//-----------------------------------------------------------------------------
class Sid
{
public:
    // Initial the Sid wrapper around an existing SID.
    Sid(PSID pSid);
    static bool Equals(const Sid & a, const Sid & b) { return Equals(a.m_pSid, b.m_pSid); }
    static bool Equals(const Sid & a, PSID b)        { return Equals(a.m_pSid, b); }
    static bool Equals(PSID a, const Sid & b)        { return Equals(a, b.m_pSid); }    
    static bool Equals(PSID a, PSID b);

    PSID RawSid() { return m_pSid; }
protected:
    // Pointer to Sid buffer. We don't owner the data.
    PSID m_pSid;  
};

//-----------------------------------------------------------------------------
// Wrapper around a PSID with buffer.
//-----------------------------------------------------------------------------
class SidBuffer
{
public:
    SidBuffer();
    ~SidBuffer();

    // Get the underlying sid
    Sid GetSid();

    // Do we not have a sid? This will be true if init fails.
    bool IsNull() { return m_pBuffer == NULL; }

    // Go to definitions to see detailed comments
    HRESULT InitFromProcessNoThrow(DWORD pid);
    void InitFromProcess(DWORD pid); // throws
    HRESULT InitFromProcessUserNoThrow(DWORD pid);
    void InitFromProcessUser(DWORD pid); // throws
    HRESULT InitFromProcessAppContainerSidNoThrow(DWORD pid);

protected:
    BYTE * m_pBuffer;
};

#ifndef FEATURE_PAL

//-----------------------------------------------------------------------------
// Access Control List.
//-----------------------------------------------------------------------------
class Dacl
{
public:
    Dacl(PACL pAcl);

    SIZE_T GetAceCount();    
    ACE_HEADER * GetAce(SIZE_T dwAceIndex);
protected:
    PACL m_acl;
};

//-----------------------------------------------------------------------------
// Represent a win32 SECURITY_DESCRIPTOR object.
// (Note there's a "SecurityDescriptor" class in the VM for managed goo, 
// so we prefix this with "Win32" to avoid a naming collision.)
//-----------------------------------------------------------------------------
class Win32SecurityDescriptor
{
public:
    Win32SecurityDescriptor();
    ~Win32SecurityDescriptor();

    HRESULT InitFromHandleNoThrow(HANDLE h);
    void InitFromHandle(HANDLE h); // throws

    // Gets the owner SID from this SecurityDescriptor.
    HRESULT GetOwnerNoThrow( PSID* ppSid );
    Sid GetOwner(); // throws
    Dacl GetDacl(); // throws

protected:
    PSECURITY_DESCRIPTOR m_pDesc;
};

#endif // FEATURE_PAL

//-----------------------------------------------------------------------------
// Check if the handle owner belongs to either the process specified by the pid 
// or the current process. This lets us know if the handle is spoofed.
//-----------------------------------------------------------------------------
bool IsHandleSpoofed(HANDLE handle, DWORD pid);


#endif // _SECURITY_WRAPPER_H