1 files changed, 344 insertions, 0 deletions
diff --git a/policy.h b/policy.h
new file mode 100644
index 0000000..a85c4fc
--- /dev/null
+++ b/policy.h
@@ -0,0 +1,344 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              policy.h
+ *
+ * Abstract:
+ *
+ *              This module defines various types used by security policy related routines.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 16-Feb-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#ifndef __POLICY_H__
+#define __POLICY_H__
+#define POLICY_MAX_SERVICE_NAME_LENGTH          64
+#define POLICY_MAX_OBJECT_NAME_LENGTH           192
+#define POLICY_MAX_RULE_LENGTH                          256
+// maximum number of '*' characters in a regex
+#define POLICY_TOTAL_NUMBER_OF_STARS            5
+#define isalpha(c)      ( ((c) >= 'a' && (c) <= 'z') || ((c) >= 'A' && (c) <= 'Z') )
+#if 0
+typedef enum _ActionType
+{
+        ACTION_NONE=0,
+        ACTION_PERMIT,
+        ACTION_PERMIT_DEFAULT,
+        ACTION_LOG,
+        ACTION_LOG_DEFAULT,
+        ACTION_PROCESS,                         /* further processing is required                                                                       */
+        ACTION_RESERVED1,
+        ACTION_RESERVED2,
+        ACTION_RESERVED3,
+        ACTION_TERMINATE,                       /* terminate process                                                                                            */
+        ACTION_ASK,                                     /* XXX user prompt (interactive session only?)                                          */
+        ACTION_ASK_PERMIT,                      /* User chose permit                                                                                            */
+        ACTION_ASK_LOG,                         /* User chose log                                                                                                       */
+        ACTION_ASK_TERMINATE,           /* User chose terminate                                                                                         */
+        ACTION_DENY,                            /* all actions listed after ACTION_DENY are treated as DENY actions     */
+        ACTION_ASK_DENY,                        /* User chose deny                                                                                                      */
+        ACTION_DENY_DEFAULT,            /* default deny policy action, used to distinguish between default and explicit deny actions */
+        ACTION_QUIETDENY,                       /* deny but do not log                                                                                          */
+        ACTION_QUIETDENY_DEFAULT,       /* deny but do not log (default action)                                                         */
+} ACTION_TYPE;
+#endif
+typedef unsigned char   ACTION_TYPE;
+#define ACTION_DEFAULT                          (1 << 7)
+#define ACTION_DENY                                     (1 << 6)
+#define ACTION_PERMIT                           (1 << 5)
+#define ACTION_LOG                                      (1 << 4)
+#define ACTION_TERMINATE                        (1 << 3)
+#define ACTION_NONE                                      0
+#define ACTION_ASK                                       1
+#define ACTION_ASK_PERMIT                       (ACTION_ASK | ACTION_PERMIT)
+#define ACTION_ASK_LOG                          (ACTION_ASK | ACTION_LOG)
+#define ACTION_ASK_TERMINATE            (ACTION_ASK | ACTION_TERMINATE)
+#define ACTION_ASK_DENY                         (ACTION_ASK | ACTION_DENY)
+#define ACTION_QUIETDENY                        (2 | ACTION_DENY)
+#define ACTION_PROCESS                           3
+#define ACTION_RESERVED1                         4
+#define ACTION_RESERVED2                         5
+#define ACTION_RESERVED3                         6
+#define ACTION_RESERVED4                         7
+#define ACTION_DENY_DEFAULT                     (ACTION_DENY | ACTION_DEFAULT)
+#define ACTION_PERMIT_DEFAULT           (ACTION_PERMIT | ACTION_DEFAULT)
+#define ACTION_LOG_DEFAULT                      (ACTION_LOG | ACTION_DEFAULT)
+#define ACTION_QUIETDENY_DEFAULT        (ACTION_QUIETDENY | ACTION_DEFAULT)
+#define ACTION_ASK_DEFAULT                      (ACTION_ASK | ACTION_DEFAULT)
+#define DEFAULT_POLICY_ACTION   ACTION_PERMIT_DEFAULT
+/*
+ * WARNING: ObjectParseOps (policy.c) && RuleTypeData (learn.c) structures depend on the order of the
+ * following enum values
+ *
+ * RuleType enumerates all possible object types.
+ * (in C++ we would have a separate class for each)
+ */
+typedef enum _RuleType
+{
+        RULE_FILE = 0,
+        RULE_DIRECTORY,
+        RULE_MAILSLOT,
+        RULE_NAMEDPIPE,
+        RULE_REGISTRY,
+        RULE_SECTION,
+        RULE_DLL,
+        RULE_EVENT,
+        RULE_SEMAPHORE,
+        RULE_JOB,
+        RULE_MUTANT,
+        RULE_PORT,
+        RULE_SYMLINK,
+        RULE_TIMER,
+        RULE_PROCESS,
+        RULE_DRIVER,
+        RULE_DIROBJ,
+        RULE_ATOM,
+        
+        RULE_NETWORK,
+        RULE_SERVICE,
+        RULE_TIME,
+        RULE_TOKEN,
+        RULE_SYSCALL,
+        RULE_LASTONE,           /* not a real rule, just a convinient way of iterating through all rules (i < RULE_LASTONE) */
+} RULE_TYPE;
+typedef enum _MatchType
+{
+        MATCH_SINGLE = 0,
+        MATCH_WILDCARD,
+        MATCH_ALL,
+        MATCH_NONE
+} MATCH_TYPE;
+typedef enum _AlertPriority
+{
+        ALERT_PRIORITY_HIGH = 1,
+        ALERT_PRIORITY_MEDIUM,
+        ALERT_PRIORITY_LOW,
+        ALERT_PRIORITY_INFO,
+} ALERT_PRIORITY;
+/*
+ * Operation Types
+ */
+#define OP_INVALID                      0x00
+#define OP_NONE                         0x00
+// file ops
+#define OP_READ                         0x01
+#define OP_WRITE                        0x02
+#define OP_READ_WRITE           (OP_READ | OP_WRITE)
+#define OP_EXECUTE                      0x04
+#define OP_DELETE                       0x08
+#define OP_APPEND                       0x10
+// dirobj & job ops
+#define OP_CREATE                       0x01
+#define OP_OPEN                         0x02
+// directory ops
+#define OP_DIR_TRAVERSE         0x01
+#define OP_DIR_CREATE           0x02
+// process ops
+#define OP_PROC_EXECUTE         0x01
+#define OP_PROC_OPEN            0x02
+// port ops
+#define OP_PORT_CONNECT         0x01
+#define OP_PORT_CREATE          0x02
+// network ops
+#define OP_TCPCONNECT           0x01
+#define OP_UDPCONNECT           0x02
+#define OP_CONNECT                      0x03
+#define OP_BIND                         0x04
+// atom ops
+#define OP_FIND                         0x01
+#define OP_ADD                          0x02
+// service ops
+#define OP_SERVICE_START        0x01
+#define OP_SERVICE_STOP         0x02
+#define OP_SERVICE_CREATE       0x03
+#define OP_SERVICE_DELETE       0x04
+// dll/driver ops
+#define OP_LOAD                         0x01
+#define OP_REGLOAD                      0x02
+#define OP_UNLOAD                       0x03    // XXX 0x04?
+// time change op
+#define OP_TIME_CHANGE          0x01
+// vdm ops
+#define OP_VDM_USE                      0x01
+// debug ops
+#define OP_DEBUG                        0x01
+// token ops
+#define OP_TOKEN_MODIFY         0x01
+// buffer overflow protection "virtual op"
+#define OP_INVALIDCALL          0x01
+#define OP_ALL                          0xFF
+// forward declaration
+typedef struct _SECURITY_POLICY SECURITY_POLICY, *PSECURITY_POLICY;
+/* Rule should really be a class */
+typedef struct _POLICY_RULE
+{
+        struct _POLICY_RULE             *Next;
+        PSECURITY_POLICY                pSecurityPolicy;
+        ACTION_TYPE                             ActionType;
+        MATCH_TYPE                              MatchType;
+        UCHAR                                   OperationType;
+        UCHAR                                   RuleNumber;                                     /* is used to associate text descriptions with certain rules */
+        USHORT                                  PolicyLineNumber;                       /* line number in the policy file */
+        /* 
+         * the majority of rules use the struct below to hold information about string objects they represent
+         * RULE_SYSCALL though does not have any names associated with it and uses ServiceBitArray to create
+         * a bit index for all system calls. Both Name & ServiceBitArray are allocated dynamically.
+         * (in C++ we would have 2 different classes for this)
+         */
+        union
+        {
+                struct
+                {
+                        USHORT                  NameLength;
+                        CHAR                    Name[ANYSIZE_ARRAY];
+                };
+                ULONG                           ServiceBitArray[ANYSIZE_ARRAY];
+        };
+} POLICY_RULE, *PPOLICY_RULE;
+typedef struct _SECURITY_POLICY
+{
+        PPOLICY_RULE            RuleList[RULE_LASTONE];
+        KSPIN_LOCK                      SpinLock;
+        BOOLEAN                         Initialized;                            /* Has this policy been initialized already? */
+#define PROTECTION_OVERFLOW                     (1 << 0)
+#define PROTECTION_USERLAND                     (1 << 1)
+#define PROTECTION_DEBUGGING            (1 << 2)
+#define PROTECTION_VDM                          (1 << 3)
+#define PROTECTION_KEYBOARD                     (1 << 4)
+#define PROTECTION_MODEM                        (1 << 5)
+#define PROTECTION_SNIFFER                      (1 << 6)
+#define PROTECTION_EXTENSION            (1 << 7)
+        USHORT                          ProtectionFlags;
+        ACTION_TYPE                     DefaultPolicyAction;
+        PWSTR                           Name;
+} SECURITY_POLICY, *PSECURITY_POLICY;
+#define IS_OVERFLOW_PROTECTION_ON(SecPolicy)    (((SecPolicy).ProtectionFlags & PROTECTION_OVERFLOW) == PROTECTION_OVERFLOW)
+#define IS_USERLAND_PROTECTION_ON(SecPolicy)    (((SecPolicy).ProtectionFlags & PROTECTION_USERLAND) == PROTECTION_USERLAND)
+#define IS_DEBUGGING_PROTECTION_ON(SecPolicy)   (((SecPolicy).ProtectionFlags & PROTECTION_DEBUGGING) == PROTECTION_DEBUGGING)
+#define IS_VDM_PROTECTION_ON(SecPolicy)                 (((SecPolicy).ProtectionFlags & PROTECTION_VDM) == PROTECTION_VDM)
+#define IS_EXTENSION_PROTECTION_ON(SecPolicy)   (((SecPolicy).ProtectionFlags & PROTECTION_EXTENSION) == PROTECTION_EXTENSION)
+#define TURN_DEBUGGING_PROTECTION_OFF(SecPolicy) ((SecPolicy).ProtectionFlags &= ~PROTECTION_DEBUGGING)
+#define TURN_VDM_PROTECTION_OFF(SecPolicy)              ((SecPolicy).ProtectionFlags &= ~PROTECTION_VDM)
+#define TURN_EXTENSION_PROTECTION_OFF(SecPolicy) ((SecPolicy).ProtectionFlags &= ~PROTECTION_EXTENSION)
+#define PROTECTION_ALL_ON       0xFFFF
+#define PROTECTION_ALL_OFF      0x0000
+#define INVALID_OBJECT_SIZE     (-1)
+extern SECURITY_POLICY  gSecPolicy;
+extern CHAR                             SystemDrive, SystemRoot[], SystemRootUnresolved[], *SystemRootDirectory, CDrive[];
+extern USHORT                   SystemRootLength, SystemRootUnresolvedLength, SystemRootDirectoryLength, CDriveLength;
+extern ULONG                    NumberOfBitsInUlong, UlongBitShift;
+#define WILDCARD_MATCH          1
+#define WILDCARD_NO_MATCH       0
+BOOLEAN InitPolicy();
+void    PolicyRemove();
+void    PolicyDelete(IN PSECURITY_POLICY pSecPolicy);
+BOOLEAN LoadSecurityPolicy(OUT PSECURITY_POLICY pSecPolicy, IN PWSTR PolicyFile, IN PWSTR FilePath);
+BOOLEAN FindAndLoadSecurityPolicy(OUT PSECURITY_POLICY pSecPolicy, IN PWSTR filename, IN PWSTR UserName);
+ACTION_TYPE     PolicyCheck(RULE_TYPE RuleType, PCHAR Object, UCHAR OperationType, UCHAR *RuleNumber, PWSTR *PolicyFilename, USHORT *PolicyLineNumber);
+BOOLEAN PolicyParseObjectRule(PSECURITY_POLICY pSecPolicy, RULE_TYPE RuleType, PCHAR Operation, PCHAR rule);
+VOID    InsertPolicyRule(PSECURITY_POLICY pSecPolicy, PPOLICY_RULE PolicyRule, RULE_TYPE RuleType);
+BOOLEAN PolicyPostBootup();
+int             WildcardMatch(PCHAR path, PCHAR regex);
+#endif  /* __POLICY_H__ */

diff --git a/policy.h b/policy.h new file mode 100644 index 0000000..a85c4fc --- /dev/null +++ b/policy.h
@@ -0,0 +1,344 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* policy.h
	7	*
	8	* Abstract:
	9	*
	10	* This module defines various types used by security policy related routines.
	11	*
	12	* Author:
	13	*
	14	* Eugene Tsyrklevich 16-Feb-2004
	15	*
	16	* Revision History:
	17	*
	18	* None.
	19	*/
	20
	21
	22	#ifndef __POLICY_H__
	23	#define __POLICY_H__
	24
	25
	26	#define POLICY_MAX_SERVICE_NAME_LENGTH 64
	27	#define POLICY_MAX_OBJECT_NAME_LENGTH 192
	28	#define POLICY_MAX_RULE_LENGTH 256
	29
	30	// maximum number of '*' characters in a regex
	31	#define POLICY_TOTAL_NUMBER_OF_STARS 5
	32
	33	#define isalpha(c) ( ((c) >= 'a' && (c) <= 'z') \|\| ((c) >= 'A' && (c) <= 'Z') )
	34
	35	#if 0
	36	typedef enum _ActionType
	37	{
	38	ACTION_NONE=0,
	39	ACTION_PERMIT,
	40	ACTION_PERMIT_DEFAULT,
	41	ACTION_LOG,
	42	ACTION_LOG_DEFAULT,
	43	ACTION_PROCESS, /* further processing is required */
	44	ACTION_RESERVED1,
	45	ACTION_RESERVED2,
	46	ACTION_RESERVED3,
	47	ACTION_TERMINATE, /* terminate process */
	48	ACTION_ASK, /* XXX user prompt (interactive session only?) */
	49	ACTION_ASK_PERMIT, /* User chose permit */
	50	ACTION_ASK_LOG, /* User chose log */
	51	ACTION_ASK_TERMINATE, /* User chose terminate */
	52	ACTION_DENY, /* all actions listed after ACTION_DENY are treated as DENY actions */
	53	ACTION_ASK_DENY, /* User chose deny */
	54	ACTION_DENY_DEFAULT, /* default deny policy action, used to distinguish between default and explicit deny actions */
	55	ACTION_QUIETDENY, /* deny but do not log */
	56	ACTION_QUIETDENY_DEFAULT, /* deny but do not log (default action) */
	57
	58	} ACTION_TYPE;
	59	#endif
	60
	61
	62	typedef unsigned char ACTION_TYPE;
	63
	64	#define ACTION_DEFAULT (1 << 7)
	65	#define ACTION_DENY (1 << 6)
	66	#define ACTION_PERMIT (1 << 5)
	67	#define ACTION_LOG (1 << 4)
	68	#define ACTION_TERMINATE (1 << 3)
	69
	70	#define ACTION_NONE 0
	71	#define ACTION_ASK 1
	72	#define ACTION_ASK_PERMIT (ACTION_ASK \| ACTION_PERMIT)
	73	#define ACTION_ASK_LOG (ACTION_ASK \| ACTION_LOG)
	74	#define ACTION_ASK_TERMINATE (ACTION_ASK \| ACTION_TERMINATE)
	75	#define ACTION_ASK_DENY (ACTION_ASK \| ACTION_DENY)
	76	#define ACTION_QUIETDENY (2 \| ACTION_DENY)
	77	#define ACTION_PROCESS 3
	78	#define ACTION_RESERVED1 4
	79	#define ACTION_RESERVED2 5
	80	#define ACTION_RESERVED3 6
	81	#define ACTION_RESERVED4 7
	82
	83	#define ACTION_DENY_DEFAULT (ACTION_DENY \| ACTION_DEFAULT)
	84	#define ACTION_PERMIT_DEFAULT (ACTION_PERMIT \| ACTION_DEFAULT)
	85	#define ACTION_LOG_DEFAULT (ACTION_LOG \| ACTION_DEFAULT)
	86	#define ACTION_QUIETDENY_DEFAULT (ACTION_QUIETDENY \| ACTION_DEFAULT)
	87	#define ACTION_ASK_DEFAULT (ACTION_ASK \| ACTION_DEFAULT)
	88
	89
	90	#define DEFAULT_POLICY_ACTION ACTION_PERMIT_DEFAULT
	91
	92
	93	/*
	94	* WARNING: ObjectParseOps (policy.c) && RuleTypeData (learn.c) structures depend on the order of the
	95	* following enum values
	96	*
	97	* RuleType enumerates all possible object types.
	98	* (in C++ we would have a separate class for each)
	99	*/
	100
	101	typedef enum _RuleType
	102	{
	103	RULE_FILE = 0,
	104	RULE_DIRECTORY,
	105	RULE_MAILSLOT,
	106	RULE_NAMEDPIPE,
	107	RULE_REGISTRY,
	108	RULE_SECTION,
	109	RULE_DLL,
	110	RULE_EVENT,
	111	RULE_SEMAPHORE,
	112	RULE_JOB,
	113	RULE_MUTANT,
	114	RULE_PORT,
	115	RULE_SYMLINK,
	116	RULE_TIMER,
	117	RULE_PROCESS,
	118	RULE_DRIVER,
	119	RULE_DIROBJ,
	120	RULE_ATOM,
	121
	122	RULE_NETWORK,
	123	RULE_SERVICE,
	124	RULE_TIME,
	125	RULE_TOKEN,
	126	RULE_SYSCALL,
	127	RULE_LASTONE, /* not a real rule, just a convinient way of iterating through all rules (i < RULE_LASTONE) */
	128
	129	} RULE_TYPE;
	130
	131
	132	typedef enum _MatchType
	133	{
	134	MATCH_SINGLE = 0,
	135	MATCH_WILDCARD,
	136	MATCH_ALL,
	137	MATCH_NONE
	138
	139	} MATCH_TYPE;
	140
	141
	142	typedef enum _AlertPriority
	143	{
	144	ALERT_PRIORITY_HIGH = 1,
	145	ALERT_PRIORITY_MEDIUM,
	146	ALERT_PRIORITY_LOW,
	147	ALERT_PRIORITY_INFO,
	148
	149	} ALERT_PRIORITY;
	150
	151
	152	/*
	153	* Operation Types
	154	*/
	155
	156
	157	#define OP_INVALID 0x00
	158	#define OP_NONE 0x00
	159
	160	// file ops
	161
	162	#define OP_READ 0x01
	163	#define OP_WRITE 0x02
	164	#define OP_READ_WRITE (OP_READ \| OP_WRITE)
	165	#define OP_EXECUTE 0x04
	166	#define OP_DELETE 0x08
	167	#define OP_APPEND 0x10
	168
	169	// dirobj & job ops
	170	#define OP_CREATE 0x01
	171	#define OP_OPEN 0x02
	172
	173	// directory ops
	174
	175	#define OP_DIR_TRAVERSE 0x01
	176	#define OP_DIR_CREATE 0x02
	177
	178	// process ops
	179
	180	#define OP_PROC_EXECUTE 0x01
	181	#define OP_PROC_OPEN 0x02
	182
	183	// port ops
	184
	185	#define OP_PORT_CONNECT 0x01
	186	#define OP_PORT_CREATE 0x02
	187
	188	// network ops
	189
	190	#define OP_TCPCONNECT 0x01
	191	#define OP_UDPCONNECT 0x02
	192	#define OP_CONNECT 0x03
	193	#define OP_BIND 0x04
	194
	195	// atom ops
	196
	197	#define OP_FIND 0x01
	198	#define OP_ADD 0x02
	199
	200	// service ops
	201
	202	#define OP_SERVICE_START 0x01
	203	#define OP_SERVICE_STOP 0x02
	204	#define OP_SERVICE_CREATE 0x03
	205	#define OP_SERVICE_DELETE 0x04
	206
	207	// dll/driver ops
	208
	209	#define OP_LOAD 0x01
	210	#define OP_REGLOAD 0x02
	211	#define OP_UNLOAD 0x03 // XXX 0x04?
	212
	213	// time change op
	214
	215	#define OP_TIME_CHANGE 0x01
	216
	217	// vdm ops
	218
	219	#define OP_VDM_USE 0x01
	220
	221	// debug ops
	222
	223	#define OP_DEBUG 0x01
	224
	225	// token ops
	226
	227	#define OP_TOKEN_MODIFY 0x01
	228
	229	// buffer overflow protection "virtual op"
	230
	231	#define OP_INVALIDCALL 0x01
	232
	233
	234	#define OP_ALL 0xFF
	235
	236
	237	// forward declaration
	238	typedef struct _SECURITY_POLICY SECURITY_POLICY, *PSECURITY_POLICY;
	239
	240
	241	/* Rule should really be a class */
	242
	243	typedef struct _POLICY_RULE
	244	{
	245	struct _POLICY_RULE *Next;
	246
	247	PSECURITY_POLICY pSecurityPolicy;
	248
	249	ACTION_TYPE ActionType;
	250	MATCH_TYPE MatchType;
	251	UCHAR OperationType;
	252
	253	UCHAR RuleNumber; /* is used to associate text descriptions with certain rules */
	254
	255	USHORT PolicyLineNumber; /* line number in the policy file */
	256
	257	/*
	258	* the majority of rules use the struct below to hold information about string objects they represent
	259	* RULE_SYSCALL though does not have any names associated with it and uses ServiceBitArray to create
	260	* a bit index for all system calls. Both Name & ServiceBitArray are allocated dynamically.
	261	* (in C++ we would have 2 different classes for this)
	262	*/
	263	union
	264	{
	265	struct
	266	{
	267	USHORT NameLength;
	268	CHAR Name[ANYSIZE_ARRAY];
	269	};
	270
	271	ULONG ServiceBitArray[ANYSIZE_ARRAY];
	272	};
	273
	274	} POLICY_RULE, *PPOLICY_RULE;
	275
	276
	277
	278	typedef struct _SECURITY_POLICY
	279	{
	280	PPOLICY_RULE RuleList[RULE_LASTONE];
	281
	282	KSPIN_LOCK SpinLock;
	283
	284	BOOLEAN Initialized; /* Has this policy been initialized already? */
	285
	286
	287	#define PROTECTION_OVERFLOW (1 << 0)
	288	#define PROTECTION_USERLAND (1 << 1)
	289	#define PROTECTION_DEBUGGING (1 << 2)
	290	#define PROTECTION_VDM (1 << 3)
	291	#define PROTECTION_KEYBOARD (1 << 4)
	292	#define PROTECTION_MODEM (1 << 5)
	293	#define PROTECTION_SNIFFER (1 << 6)
	294	#define PROTECTION_EXTENSION (1 << 7)
	295
	296	USHORT ProtectionFlags;
	297
	298	ACTION_TYPE DefaultPolicyAction;
	299
	300	PWSTR Name;
	301
	302	} SECURITY_POLICY, *PSECURITY_POLICY;
	303
	304
	305	#define IS_OVERFLOW_PROTECTION_ON(SecPolicy) (((SecPolicy).ProtectionFlags & PROTECTION_OVERFLOW) == PROTECTION_OVERFLOW)
	306	#define IS_USERLAND_PROTECTION_ON(SecPolicy) (((SecPolicy).ProtectionFlags & PROTECTION_USERLAND) == PROTECTION_USERLAND)
	307	#define IS_DEBUGGING_PROTECTION_ON(SecPolicy) (((SecPolicy).ProtectionFlags & PROTECTION_DEBUGGING) == PROTECTION_DEBUGGING)
	308	#define IS_VDM_PROTECTION_ON(SecPolicy) (((SecPolicy).ProtectionFlags & PROTECTION_VDM) == PROTECTION_VDM)
	309	#define IS_EXTENSION_PROTECTION_ON(SecPolicy) (((SecPolicy).ProtectionFlags & PROTECTION_EXTENSION) == PROTECTION_EXTENSION)
	310
	311	#define TURN_DEBUGGING_PROTECTION_OFF(SecPolicy) ((SecPolicy).ProtectionFlags &= ~PROTECTION_DEBUGGING)
	312	#define TURN_VDM_PROTECTION_OFF(SecPolicy) ((SecPolicy).ProtectionFlags &= ~PROTECTION_VDM)
	313	#define TURN_EXTENSION_PROTECTION_OFF(SecPolicy) ((SecPolicy).ProtectionFlags &= ~PROTECTION_EXTENSION)
	314
	315
	316	#define PROTECTION_ALL_ON 0xFFFF
	317	#define PROTECTION_ALL_OFF 0x0000
	318
	319	#define INVALID_OBJECT_SIZE (-1)
	320
	321
	322	extern SECURITY_POLICY gSecPolicy;
	323	extern CHAR SystemDrive, SystemRoot[], SystemRootUnresolved[], *SystemRootDirectory, CDrive[];
	324	extern USHORT SystemRootLength, SystemRootUnresolvedLength, SystemRootDirectoryLength, CDriveLength;
	325	extern ULONG NumberOfBitsInUlong, UlongBitShift;
	326
	327
	328	#define WILDCARD_MATCH 1
	329	#define WILDCARD_NO_MATCH 0
	330
	331
	332	BOOLEAN InitPolicy();
	333	void PolicyRemove();
	334	void PolicyDelete(IN PSECURITY_POLICY pSecPolicy);
	335	BOOLEAN LoadSecurityPolicy(OUT PSECURITY_POLICY pSecPolicy, IN PWSTR PolicyFile, IN PWSTR FilePath);
	336	BOOLEAN FindAndLoadSecurityPolicy(OUT PSECURITY_POLICY pSecPolicy, IN PWSTR filename, IN PWSTR UserName);
	337	ACTION_TYPE PolicyCheck(RULE_TYPE RuleType, PCHAR Object, UCHAR OperationType, UCHAR RuleNumber, PWSTR PolicyFilename, USHORT *PolicyLineNumber);
	338	BOOLEAN PolicyParseObjectRule(PSECURITY_POLICY pSecPolicy, RULE_TYPE RuleType, PCHAR Operation, PCHAR rule);
	339	VOID InsertPolicyRule(PSECURITY_POLICY pSecPolicy, PPOLICY_RULE PolicyRule, RULE_TYPE RuleType);
	340	BOOLEAN PolicyPostBootup();
	341	int WildcardMatch(PCHAR path, PCHAR regex);
	342
	343
	344	#endif /* __POLICY_H__ */