1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
|
/*
* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
*
* Module Name:
*
* policy.h
*
* Abstract:
*
* This module defines various types used by security policy related routines.
*
* Author:
*
* Eugene Tsyrklevich 16-Feb-2004
*
* Revision History:
*
* None.
*/
#ifndef __POLICY_H__
#define __POLICY_H__
#define POLICY_MAX_SERVICE_NAME_LENGTH 64
#define POLICY_MAX_OBJECT_NAME_LENGTH 192
#define POLICY_MAX_RULE_LENGTH 256
// maximum number of '*' characters in a regex
#define POLICY_TOTAL_NUMBER_OF_STARS 5
#define isalpha(c) ( ((c) >= 'a' && (c) <= 'z') || ((c) >= 'A' && (c) <= 'Z') )
#if 0
typedef enum _ActionType
{
ACTION_NONE=0,
ACTION_PERMIT,
ACTION_PERMIT_DEFAULT,
ACTION_LOG,
ACTION_LOG_DEFAULT,
ACTION_PROCESS, /* further processing is required */
ACTION_RESERVED1,
ACTION_RESERVED2,
ACTION_RESERVED3,
ACTION_TERMINATE, /* terminate process */
ACTION_ASK, /* XXX user prompt (interactive session only?) */
ACTION_ASK_PERMIT, /* User chose permit */
ACTION_ASK_LOG, /* User chose log */
ACTION_ASK_TERMINATE, /* User chose terminate */
ACTION_DENY, /* all actions listed after ACTION_DENY are treated as DENY actions */
ACTION_ASK_DENY, /* User chose deny */
ACTION_DENY_DEFAULT, /* default deny policy action, used to distinguish between default and explicit deny actions */
ACTION_QUIETDENY, /* deny but do not log */
ACTION_QUIETDENY_DEFAULT, /* deny but do not log (default action) */
} ACTION_TYPE;
#endif
typedef unsigned char ACTION_TYPE;
#define ACTION_DEFAULT (1 << 7)
#define ACTION_DENY (1 << 6)
#define ACTION_PERMIT (1 << 5)
#define ACTION_LOG (1 << 4)
#define ACTION_TERMINATE (1 << 3)
#define ACTION_NONE 0
#define ACTION_ASK 1
#define ACTION_ASK_PERMIT (ACTION_ASK | ACTION_PERMIT)
#define ACTION_ASK_LOG (ACTION_ASK | ACTION_LOG)
#define ACTION_ASK_TERMINATE (ACTION_ASK | ACTION_TERMINATE)
#define ACTION_ASK_DENY (ACTION_ASK | ACTION_DENY)
#define ACTION_QUIETDENY (2 | ACTION_DENY)
#define ACTION_PROCESS 3
#define ACTION_RESERVED1 4
#define ACTION_RESERVED2 5
#define ACTION_RESERVED3 6
#define ACTION_RESERVED4 7
#define ACTION_DENY_DEFAULT (ACTION_DENY | ACTION_DEFAULT)
#define ACTION_PERMIT_DEFAULT (ACTION_PERMIT | ACTION_DEFAULT)
#define ACTION_LOG_DEFAULT (ACTION_LOG | ACTION_DEFAULT)
#define ACTION_QUIETDENY_DEFAULT (ACTION_QUIETDENY | ACTION_DEFAULT)
#define ACTION_ASK_DEFAULT (ACTION_ASK | ACTION_DEFAULT)
#define DEFAULT_POLICY_ACTION ACTION_PERMIT_DEFAULT
/*
* WARNING: ObjectParseOps (policy.c) && RuleTypeData (learn.c) structures depend on the order of the
* following enum values
*
* RuleType enumerates all possible object types.
* (in C++ we would have a separate class for each)
*/
typedef enum _RuleType
{
RULE_FILE = 0,
RULE_DIRECTORY,
RULE_MAILSLOT,
RULE_NAMEDPIPE,
RULE_REGISTRY,
RULE_SECTION,
RULE_DLL,
RULE_EVENT,
RULE_SEMAPHORE,
RULE_JOB,
RULE_MUTANT,
RULE_PORT,
RULE_SYMLINK,
RULE_TIMER,
RULE_PROCESS,
RULE_DRIVER,
RULE_DIROBJ,
RULE_ATOM,
RULE_NETWORK,
RULE_SERVICE,
RULE_TIME,
RULE_TOKEN,
RULE_SYSCALL,
RULE_LASTONE, /* not a real rule, just a convinient way of iterating through all rules (i < RULE_LASTONE) */
} RULE_TYPE;
typedef enum _MatchType
{
MATCH_SINGLE = 0,
MATCH_WILDCARD,
MATCH_ALL,
MATCH_NONE
} MATCH_TYPE;
typedef enum _AlertPriority
{
ALERT_PRIORITY_HIGH = 1,
ALERT_PRIORITY_MEDIUM,
ALERT_PRIORITY_LOW,
ALERT_PRIORITY_INFO,
} ALERT_PRIORITY;
/*
* Operation Types
*/
#define OP_INVALID 0x00
#define OP_NONE 0x00
// file ops
#define OP_READ 0x01
#define OP_WRITE 0x02
#define OP_READ_WRITE (OP_READ | OP_WRITE)
#define OP_EXECUTE 0x04
#define OP_DELETE 0x08
#define OP_APPEND 0x10
// dirobj & job ops
#define OP_CREATE 0x01
#define OP_OPEN 0x02
// directory ops
#define OP_DIR_TRAVERSE 0x01
#define OP_DIR_CREATE 0x02
// process ops
#define OP_PROC_EXECUTE 0x01
#define OP_PROC_OPEN 0x02
// port ops
#define OP_PORT_CONNECT 0x01
#define OP_PORT_CREATE 0x02
// network ops
#define OP_TCPCONNECT 0x01
#define OP_UDPCONNECT 0x02
#define OP_CONNECT 0x03
#define OP_BIND 0x04
// atom ops
#define OP_FIND 0x01
#define OP_ADD 0x02
// service ops
#define OP_SERVICE_START 0x01
#define OP_SERVICE_STOP 0x02
#define OP_SERVICE_CREATE 0x03
#define OP_SERVICE_DELETE 0x04
// dll/driver ops
#define OP_LOAD 0x01
#define OP_REGLOAD 0x02
#define OP_UNLOAD 0x03 // XXX 0x04?
// time change op
#define OP_TIME_CHANGE 0x01
// vdm ops
#define OP_VDM_USE 0x01
// debug ops
#define OP_DEBUG 0x01
// token ops
#define OP_TOKEN_MODIFY 0x01
// buffer overflow protection "virtual op"
#define OP_INVALIDCALL 0x01
#define OP_ALL 0xFF
// forward declaration
typedef struct _SECURITY_POLICY SECURITY_POLICY, *PSECURITY_POLICY;
/* Rule should really be a class */
typedef struct _POLICY_RULE
{
struct _POLICY_RULE *Next;
PSECURITY_POLICY pSecurityPolicy;
ACTION_TYPE ActionType;
MATCH_TYPE MatchType;
UCHAR OperationType;
UCHAR RuleNumber; /* is used to associate text descriptions with certain rules */
USHORT PolicyLineNumber; /* line number in the policy file */
/*
* the majority of rules use the struct below to hold information about string objects they represent
* RULE_SYSCALL though does not have any names associated with it and uses ServiceBitArray to create
* a bit index for all system calls. Both Name & ServiceBitArray are allocated dynamically.
* (in C++ we would have 2 different classes for this)
*/
union
{
struct
{
USHORT NameLength;
CHAR Name[ANYSIZE_ARRAY];
};
ULONG ServiceBitArray[ANYSIZE_ARRAY];
};
} POLICY_RULE, *PPOLICY_RULE;
typedef struct _SECURITY_POLICY
{
PPOLICY_RULE RuleList[RULE_LASTONE];
KSPIN_LOCK SpinLock;
BOOLEAN Initialized; /* Has this policy been initialized already? */
#define PROTECTION_OVERFLOW (1 << 0)
#define PROTECTION_USERLAND (1 << 1)
#define PROTECTION_DEBUGGING (1 << 2)
#define PROTECTION_VDM (1 << 3)
#define PROTECTION_KEYBOARD (1 << 4)
#define PROTECTION_MODEM (1 << 5)
#define PROTECTION_SNIFFER (1 << 6)
#define PROTECTION_EXTENSION (1 << 7)
USHORT ProtectionFlags;
ACTION_TYPE DefaultPolicyAction;
PWSTR Name;
} SECURITY_POLICY, *PSECURITY_POLICY;
#define IS_OVERFLOW_PROTECTION_ON(SecPolicy) (((SecPolicy).ProtectionFlags & PROTECTION_OVERFLOW) == PROTECTION_OVERFLOW)
#define IS_USERLAND_PROTECTION_ON(SecPolicy) (((SecPolicy).ProtectionFlags & PROTECTION_USERLAND) == PROTECTION_USERLAND)
#define IS_DEBUGGING_PROTECTION_ON(SecPolicy) (((SecPolicy).ProtectionFlags & PROTECTION_DEBUGGING) == PROTECTION_DEBUGGING)
#define IS_VDM_PROTECTION_ON(SecPolicy) (((SecPolicy).ProtectionFlags & PROTECTION_VDM) == PROTECTION_VDM)
#define IS_EXTENSION_PROTECTION_ON(SecPolicy) (((SecPolicy).ProtectionFlags & PROTECTION_EXTENSION) == PROTECTION_EXTENSION)
#define TURN_DEBUGGING_PROTECTION_OFF(SecPolicy) ((SecPolicy).ProtectionFlags &= ~PROTECTION_DEBUGGING)
#define TURN_VDM_PROTECTION_OFF(SecPolicy) ((SecPolicy).ProtectionFlags &= ~PROTECTION_VDM)
#define TURN_EXTENSION_PROTECTION_OFF(SecPolicy) ((SecPolicy).ProtectionFlags &= ~PROTECTION_EXTENSION)
#define PROTECTION_ALL_ON 0xFFFF
#define PROTECTION_ALL_OFF 0x0000
#define INVALID_OBJECT_SIZE (-1)
extern SECURITY_POLICY gSecPolicy;
extern CHAR SystemDrive, SystemRoot[], SystemRootUnresolved[], *SystemRootDirectory, CDrive[];
extern USHORT SystemRootLength, SystemRootUnresolvedLength, SystemRootDirectoryLength, CDriveLength;
extern ULONG NumberOfBitsInUlong, UlongBitShift;
#define WILDCARD_MATCH 1
#define WILDCARD_NO_MATCH 0
BOOLEAN InitPolicy();
void PolicyRemove();
void PolicyDelete(IN PSECURITY_POLICY pSecPolicy);
BOOLEAN LoadSecurityPolicy(OUT PSECURITY_POLICY pSecPolicy, IN PWSTR PolicyFile, IN PWSTR FilePath);
BOOLEAN FindAndLoadSecurityPolicy(OUT PSECURITY_POLICY pSecPolicy, IN PWSTR filename, IN PWSTR UserName);
ACTION_TYPE PolicyCheck(RULE_TYPE RuleType, PCHAR Object, UCHAR OperationType, UCHAR *RuleNumber, PWSTR *PolicyFilename, USHORT *PolicyLineNumber);
BOOLEAN PolicyParseObjectRule(PSECURITY_POLICY pSecPolicy, RULE_TYPE RuleType, PCHAR Operation, PCHAR rule);
VOID InsertPolicyRule(PSECURITY_POLICY pSecPolicy, PPOLICY_RULE PolicyRule, RULE_TYPE RuleType);
BOOLEAN PolicyPostBootup();
int WildcardMatch(PCHAR path, PCHAR regex);
#endif /* __POLICY_H__ */
|
