Added calculation of default access for a mandatory policy.

tyranid · tyranid · commit 51038b9f8e12 · 2020-01-20T16:42:41.000-08:00
diff --git a/NtApiDotNet/GenericMapping.cs b/NtApiDotNet/GenericMapping.cs
@@ -123,6 +123,70 @@ public AccessMask UnmapMask(AccessMask mask)
             return result | remaining;
         }
 
+        /// <summary>
+        /// Get the allowed access mask for a specified mandatory access policy.
+        /// </summary>
+        /// <param name="policy">The mandatory access policy.</param>
+        /// <returns>The allowed access mask for the policy.</returns>
+        /// <remarks>In general NoWriteUp will always be set on the policy.</remarks>
+        public AccessMask GetAllowedMandatoryAccess(MandatoryLabelPolicy policy)
+        {
+            bool can_read = !policy.HasFlag(MandatoryLabelPolicy.NoReadUp);
+            bool can_write = !policy.HasFlag(MandatoryLabelPolicy.NoWriteUp);
+            bool can_execute = !policy.HasFlag(MandatoryLabelPolicy.NoExecuteUp);
+
+            AccessMask allowed_access;
+            if (can_write)
+            {
+                allowed_access = GenericAll | GenericRead | GenericExecute | GenericAccessRights.Synchronize | GenericAccessRights.ReadControl;
+            }
+            else
+            {
+                allowed_access = GenericRead | GenericExecute | GenericAccessRights.Synchronize | GenericAccessRights.ReadControl;
+            }
+            AccessMask allowed_write_access = GenericAccessRights.Delete | GenericAccessRights.WriteDac | GenericAccessRights.WriteOwner | GenericAccessRights.AccessSystemSecurity;
+            AccessMask allowed_read_access = GenericAccessRights.ReadControl;
+            AccessMask allowed_execute_access = GenericAccessRights.Synchronize;
+
+            if (policy == MandatoryLabelPolicy.None)
+                return GenericAll;
+
+            if (!can_read)
+            {
+                AccessMask temp_mask = 0;
+                if (can_write)
+                    temp_mask = GenericWrite | allowed_write_access;
+                if (can_execute)
+                    temp_mask |= (~GenericRead & GenericExecute) | GenericAccessRights.Synchronize;
+                temp_mask = ~temp_mask & (GenericRead | allowed_read_access);
+                allowed_access &= ~temp_mask;
+            }
+
+            if (!can_execute)
+            {
+                AccessMask temp_mask = 0;
+                if (can_write)
+                    temp_mask = GenericWrite | allowed_write_access;
+                if (can_read)
+                    temp_mask |= GenericRead | allowed_read_access;
+                temp_mask = ~temp_mask & ((~GenericRead & GenericExecute) | allowed_execute_access);
+                allowed_access &= ~temp_mask;
+            }
+
+            if (!can_write)
+            {
+                AccessMask temp_mask = 0;
+                if (can_execute)
+                    temp_mask = (~GenericRead & GenericExecute) | allowed_execute_access;
+                if (can_read)
+                    temp_mask |= GenericRead | allowed_read_access;
+                temp_mask =  ~temp_mask & (GenericWrite | allowed_write_access);
+                allowed_access &= ~temp_mask;
+            }
+
+            return allowed_access;
+        }
+
         /// <summary>
         /// Convert generic mapping to a string.
         /// </summary>
diff --git a/NtApiDotNet/NtObjectWithDuplicate.cs b/NtApiDotNet/NtObjectWithDuplicate.cs
@@ -26,13 +26,23 @@ public abstract class NtObjectWithDuplicate<O, A> : NtObject where O : NtObject
     {
         internal abstract class NtTypeFactoryImplBase : NtTypeFactory
         {
-            protected NtTypeFactoryImplBase(Type container_access_rights_type, bool can_open) 
-                : base(typeof(A), container_access_rights_type, typeof(O), can_open)
+            protected NtTypeFactoryImplBase(Type container_access_rights_type, bool can_open, MandatoryLabelPolicy default_policy) 
+                : base(typeof(A), container_access_rights_type, typeof(O), can_open, default_policy)
+            {
+            }
+
+            protected NtTypeFactoryImplBase(Type container_access_rights_type, bool can_open)
+                : this(container_access_rights_type, can_open, MandatoryLabelPolicy.NoWriteUp)
+            {
+            }
+
+            protected NtTypeFactoryImplBase(bool can_open, MandatoryLabelPolicy default_policy)
+                : this(typeof(A), can_open, default_policy)
             {
             }
 
             protected NtTypeFactoryImplBase(bool can_open)
-                : this(typeof(A), can_open)
+                : this(can_open, MandatoryLabelPolicy.NoWriteUp)
             {
             }
 
diff --git a/NtApiDotNet/NtProcess.cs b/NtApiDotNet/NtProcess.cs
@@ -218,7 +218,7 @@ internal NtProcess(SafeKernelObjectHandle handle) : base(handle)
 
         internal sealed class NtTypeFactoryImpl : NtTypeFactoryImplBase
         {
-            public NtTypeFactoryImpl() : base(false)
+            public NtTypeFactoryImpl() : base(false, MandatoryLabelPolicy.NoWriteUp | MandatoryLabelPolicy.NoReadUp)
             {
             }
         }
diff --git a/NtApiDotNet/NtSecurityNative.cs b/NtApiDotNet/NtSecurityNative.cs
@@ -865,6 +865,7 @@ public enum AceFlags : byte
     [Flags]
     public enum MandatoryLabelPolicy : uint
     {
+        None = 0x0,
         NoWriteUp = 0x1,
         NoReadUp = 0x2,
         NoExecuteUp = 0x4,
diff --git a/NtApiDotNet/NtThread.cs b/NtApiDotNet/NtThread.cs
@@ -97,7 +97,7 @@ internal NtThread(SafeKernelObjectHandle handle)
 
         internal sealed class NtTypeFactoryImpl : NtTypeFactoryImplBase
         {
-            public NtTypeFactoryImpl() : base(false)
+            public NtTypeFactoryImpl() : base(false, MandatoryLabelPolicy.NoWriteUp | MandatoryLabelPolicy.NoReadUp)
             {
             }
         }
diff --git a/NtApiDotNet/NtType.cs b/NtApiDotNet/NtType.cs
@@ -417,6 +417,15 @@ public bool IsValidAccess(AccessMask access_mask)
             return (GenericMapping.MapMask(access_mask) & ~ValidAccess).IsEmpty;
         }
 
+        /// <summary>
+        /// Get the maximum access mask for the types default mandatory access policy.
+        /// </summary>
+        /// <returns>The allowed access mask for the type with the default policy.</returns>
+        public AccessMask GetDefaultMandatoryAccess()
+        {
+            return GenericMapping.GetAllowedMandatoryAccess(_type_factory.DefaultMandatoryPolicy);
+        }
+
         /// <summary>
         /// Overridden ToString method.
         /// </summary>
@@ -441,13 +450,13 @@ public NtType(string name)
         {
         }
 
-        internal NtType(string name, GenericMapping generic_mapping, Type access_rights_type, Type container_access_rights_type)
+        internal NtType(string name, GenericMapping generic_mapping, Type access_rights_type, Type container_access_rights_type, MandatoryLabelPolicy default_policy)
         {
             if (!access_rights_type.IsEnum)
             {
                 throw new ArgumentException("Specify an enumerated type", "access_rights_type");
             }
-            _type_factory = new NtTypeFactory(access_rights_type, container_access_rights_type, typeof(object), false);
+            _type_factory = new NtTypeFactory(access_rights_type, container_access_rights_type, typeof(object), false, default_policy);
             Name = name;
             ValidAccess = CalculateValidAccess(access_rights_type) | CalculateValidAccess(container_access_rights_type);
             GenericMapping = generic_mapping;
@@ -659,7 +668,7 @@ public static NtType GetTypeByType<T>() where T : NtObject
         /// <returns>The fake NT type object.</returns>
         public static NtType GetFakeType(string name, GenericMapping generic_mapping, Type access_rights_type, Type container_access_rights_type)
         {
-            return new NtType(name, generic_mapping, access_rights_type, container_access_rights_type);
+            return new NtType(name, generic_mapping, access_rights_type, container_access_rights_type, MandatoryLabelPolicy.NoWriteUp);
         }
 
         /// <summary>
@@ -690,7 +699,9 @@ public static NtType GetFakeType(string name, GenericMapping generic_mapping, Ty
         public static NtType GetFakeType(string name, AccessMask generic_read, AccessMask generic_write,
             AccessMask generic_exec, AccessMask generic_all, Type access_rights_type, Type container_access_rights_type)
         {
-            return new NtType(name, new GenericMapping() { GenericRead = generic_read, GenericWrite = generic_write, GenericExecute = generic_exec, GenericAll = generic_all }, access_rights_type, container_access_rights_type);
+            return new NtType(name, new GenericMapping() { GenericRead = generic_read, GenericWrite = generic_write, 
+                GenericExecute = generic_exec, GenericAll = generic_all }, access_rights_type, container_access_rights_type,
+                MandatoryLabelPolicy.NoWriteUp);
         }
 
         /// <summary>
diff --git a/NtApiDotNet/NtTypeFactory.cs b/NtApiDotNet/NtTypeFactory.cs
@@ -37,6 +37,7 @@ internal class NtTypeFactory
         public Type AccessRightsType { get; }
         public Type ContainerAccessRightsType { get; }
         public bool CanOpen { get; }
+        public MandatoryLabelPolicy DefaultMandatoryPolicy { get; }
 
         public virtual NtObject FromHandle(SafeKernelObjectHandle handle)
         {
@@ -48,12 +49,13 @@ public virtual NtResult<NtObject> Open(ObjectAttributes obj_attributes, AccessMa
             return NtStatus.STATUS_NOT_IMPLEMENTED.CreateResultFromError<NtObject>(throw_on_error);
         }
 
-        internal NtTypeFactory(Type access_rights_type, Type container_access_rights_type, Type object_type, bool can_open)
+        internal NtTypeFactory(Type access_rights_type, Type container_access_rights_type, Type object_type, bool can_open, MandatoryLabelPolicy default_policy)
         {
             AccessRightsType = access_rights_type;
             ContainerAccessRightsType = container_access_rights_type;
             ObjectType = object_type;
             CanOpen = can_open;
+            DefaultMandatoryPolicy = default_policy;
         }
 
         public static Dictionary<string, NtTypeFactory> GetAssemblyNtTypeFactories(Assembly assembly)
diff --git a/NtApiDotNet/Win32/ServiceUtils.cs b/NtApiDotNet/Win32/ServiceUtils.cs
@@ -1110,10 +1110,12 @@ public static NtType GetServiceNtType(string type_name)
             {
                 case "service":
                     return new NtType("Service", GetServiceGenericMapping(), 
-                        typeof(ServiceAccessRights), typeof(ServiceAccessRights));
+                        typeof(ServiceAccessRights), typeof(ServiceAccessRights),
+                        MandatoryLabelPolicy.NoWriteUp);
                 case "scm":
                     return new NtType("SCM", GetScmGenericMapping(),
-                        typeof(ServiceControlManagerAccessRights), typeof(ServiceControlManagerAccessRights));
+                        typeof(ServiceControlManagerAccessRights), typeof(ServiceControlManagerAccessRights),
+                        MandatoryLabelPolicy.NoWriteUp);
             }
             return null;
         }
diff --git a/NtObjectManager/NtSecurityCmdlets.cs b/NtObjectManager/NtSecurityCmdlets.cs
@@ -829,6 +829,7 @@ public sealed class NewNtSecurityDescriptorCmdlet : PSCmdlet
         /// <summary>
         /// <para type="description">Specify a default NT type for the security descriptor.</para>
         /// </summary>
+        [Parameter(ParameterSetName = "FromToken"), Parameter(ParameterSetName = "FromSddl"), Parameter(ParameterSetName = "FromBytes"), Parameter(ParameterSetName = "FromKey")]
         public NtType Type { get; set; }
 
         /// <summary>
@@ -863,7 +864,7 @@ protected override void ProcessRecord()
         {
             if (MapType && Type == null)
             {
-                WriteWarning("Must specify NtType for MapType to work correctly.");
+                WriteWarning("Must specify Type for MapType to work correctly.");
             }
 
             SecurityDescriptor sd = null;

Original file line number	Diff line number	Diff line change
`@@ -26,13 +26,23 @@ public abstract class NtObjectWithDuplicate<O, A> : NtObject where O : NtObject`
`26`	`26`	`{`
`27`	`27`	`internal abstract class NtTypeFactoryImplBase : NtTypeFactory`
`28`	`28`	`{`
`29`		`- protected NtTypeFactoryImplBase(Type container_access_rights_type, bool can_open)`
`30`		`- : base(typeof(A), container_access_rights_type, typeof(O), can_open)`
	`29`	`+ protected NtTypeFactoryImplBase(Type container_access_rights_type, bool can_open, MandatoryLabelPolicy default_policy)`
	`30`	`+ : base(typeof(A), container_access_rights_type, typeof(O), can_open, default_policy)`
	`31`	`+ {`
	`32`	`+ }`
	`33`	`+`
	`34`	`+ protected NtTypeFactoryImplBase(Type container_access_rights_type, bool can_open)`
	`35`	`+ : this(container_access_rights_type, can_open, MandatoryLabelPolicy.NoWriteUp)`
	`36`	`+ {`
	`37`	`+ }`
	`38`	`+`
	`39`	`+ protected NtTypeFactoryImplBase(bool can_open, MandatoryLabelPolicy default_policy)`
	`40`	`+ : this(typeof(A), can_open, default_policy)`
`31`	`41`	`{`
`32`	`42`	`}`
`33`	`43`
`34`	`44`	`protected NtTypeFactoryImplBase(bool can_open)`
`35`		`- : this(typeof(A), can_open)`
	`45`	`+ : this(can_open, MandatoryLabelPolicy.NoWriteUp)`
`36`	`46`	`{`
`37`	`47`	`}`
`38`	`48`
Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,7 @@ internal NtProcess(SafeKernelObjectHandle handle) : base(handle)`
`218`	`218`
`219`	`219`	`internal sealed class NtTypeFactoryImpl : NtTypeFactoryImplBase`
`220`	`220`	`{`
`221`		`- public NtTypeFactoryImpl() : base(false)`
	`221`	`+ public NtTypeFactoryImpl() : base(false, MandatoryLabelPolicy.NoWriteUp \| MandatoryLabelPolicy.NoReadUp)`
`222`	`222`	`{`
`223`	`223`	`}`
`224`	`224`	`}`
Original file line number	Diff line number	Diff line change
`@@ -865,6 +865,7 @@ public enum AceFlags : byte`
`865`	`865`	`[Flags]`
`866`	`866`	`public enum MandatoryLabelPolicy : uint`
`867`	`867`	`{`
	`868`	`+ None = 0x0,`
`868`	`869`	`NoWriteUp = 0x1,`
`869`	`870`	`NoReadUp = 0x2,`
`870`	`871`	`NoExecuteUp = 0x4,`
Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ internal NtThread(SafeKernelObjectHandle handle)`
`97`	`97`
`98`	`98`	`internal sealed class NtTypeFactoryImpl : NtTypeFactoryImplBase`
`99`	`99`	`{`
`100`		`- public NtTypeFactoryImpl() : base(false)`
	`100`	`+ public NtTypeFactoryImpl() : base(false, MandatoryLabelPolicy.NoWriteUp \| MandatoryLabelPolicy.NoReadUp)`
`101`	`101`	`{`
`102`	`102`	`}`
`103`	`103`	`}`
Original file line number	Diff line number	Diff line change
`@@ -417,6 +417,15 @@ public bool IsValidAccess(AccessMask access_mask)`
`417`	`417`	`return (GenericMapping.MapMask(access_mask) & ~ValidAccess).IsEmpty;`
`418`	`418`	`}`
`419`	`419`
	`420`	`+ /// <summary>`
	`421`	`+ /// Get the maximum access mask for the types default mandatory access policy.`
	`422`	`+ /// </summary>`
	`423`	`+ /// <returns>The allowed access mask for the type with the default policy.</returns>`
	`424`	`+ public AccessMask GetDefaultMandatoryAccess()`
	`425`	`+ {`
	`426`	`+ return GenericMapping.GetAllowedMandatoryAccess(_type_factory.DefaultMandatoryPolicy);`
	`427`	`+ }`
	`428`	`+`
`420`	`429`	`/// <summary>`
`421`	`430`	`/// Overridden ToString method.`
`422`	`431`	`/// </summary>`
`@@ -441,13 +450,13 @@ public NtType(string name)`
`441`	`450`	`{`
`442`	`451`	`}`
`443`	`452`
`444`		`- internal NtType(string name, GenericMapping generic_mapping, Type access_rights_type, Type container_access_rights_type)`
	`453`	`+ internal NtType(string name, GenericMapping generic_mapping, Type access_rights_type, Type container_access_rights_type, MandatoryLabelPolicy default_policy)`
`445`	`454`	`{`
`446`	`455`	`if (!access_rights_type.IsEnum)`
`447`	`456`	`{`
`448`	`457`	`throw new ArgumentException("Specify an enumerated type", "access_rights_type");`
`449`	`458`	`}`
`450`		`- _type_factory = new NtTypeFactory(access_rights_type, container_access_rights_type, typeof(object), false);`
	`459`	`+ _type_factory = new NtTypeFactory(access_rights_type, container_access_rights_type, typeof(object), false, default_policy);`
`451`	`460`	`Name = name;`
`452`	`461`	`ValidAccess = CalculateValidAccess(access_rights_type) \| CalculateValidAccess(container_access_rights_type);`
`453`	`462`	`GenericMapping = generic_mapping;`
`@@ -659,7 +668,7 @@ public static NtType GetTypeByType<T>() where T : NtObject`
`659`	`668`	`/// <returns>The fake NT type object.</returns>`
`660`	`669`	`public static NtType GetFakeType(string name, GenericMapping generic_mapping, Type access_rights_type, Type container_access_rights_type)`
`661`	`670`	`{`
`662`		`- return new NtType(name, generic_mapping, access_rights_type, container_access_rights_type);`
	`671`	`+ return new NtType(name, generic_mapping, access_rights_type, container_access_rights_type, MandatoryLabelPolicy.NoWriteUp);`
`663`	`672`	`}`
`664`	`673`
`665`	`674`	`/// <summary>`
`@@ -690,7 +699,9 @@ public static NtType GetFakeType(string name, GenericMapping generic_mapping, Ty`
`690`	`699`	`public static NtType GetFakeType(string name, AccessMask generic_read, AccessMask generic_write,`
`691`	`700`	`AccessMask generic_exec, AccessMask generic_all, Type access_rights_type, Type container_access_rights_type)`
`692`	`701`	`{`
`693`		`- return new NtType(name, new GenericMapping() { GenericRead = generic_read, GenericWrite = generic_write, GenericExecute = generic_exec, GenericAll = generic_all }, access_rights_type, container_access_rights_type);`
	`702`	`+ return new NtType(name, new GenericMapping() { GenericRead = generic_read, GenericWrite = generic_write,`
	`703`	`+ GenericExecute = generic_exec, GenericAll = generic_all }, access_rights_type, container_access_rights_type,`
	`704`	`+ MandatoryLabelPolicy.NoWriteUp);`
`694`	`705`	`}`
`695`	`706`
`696`	`707`	`/// <summary>`
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ internal class NtTypeFactory`
`37`	`37`	`public Type AccessRightsType { get; }`
`38`	`38`	`public Type ContainerAccessRightsType { get; }`
`39`	`39`	`public bool CanOpen { get; }`
	`40`	`+ public MandatoryLabelPolicy DefaultMandatoryPolicy { get; }`
`40`	`41`
`41`	`42`	`public virtual NtObject FromHandle(SafeKernelObjectHandle handle)`
`42`	`43`	`{`
`@@ -48,12 +49,13 @@ public virtual NtResult<NtObject> Open(ObjectAttributes obj_attributes, AccessMa`
`48`	`49`	`return NtStatus.STATUS_NOT_IMPLEMENTED.CreateResultFromError<NtObject>(throw_on_error);`
`49`	`50`	`}`
`50`	`51`
`51`		`- internal NtTypeFactory(Type access_rights_type, Type container_access_rights_type, Type object_type, bool can_open)`
	`52`	`+ internal NtTypeFactory(Type access_rights_type, Type container_access_rights_type, Type object_type, bool can_open, MandatoryLabelPolicy default_policy)`
`52`	`53`	`{`
`53`	`54`	`AccessRightsType = access_rights_type;`
`54`	`55`	`ContainerAccessRightsType = container_access_rights_type;`
`55`	`56`	`ObjectType = object_type;`
`56`	`57`	`CanOpen = can_open;`
	`58`	`+ DefaultMandatoryPolicy = default_policy;`
`57`	`59`	`}`
`58`	`60`
`59`	`61`	`public static Dictionary<string, NtTypeFactory> GetAssemblyNtTypeFactories(Assembly assembly)`
Original file line number	Diff line number	Diff line change
`@@ -1110,10 +1110,12 @@ public static NtType GetServiceNtType(string type_name)`
`1110`	`1110`	`{`
`1111`	`1111`	`case "service":`
`1112`	`1112`	`return new NtType("Service", GetServiceGenericMapping(),`
`1113`		`- typeof(ServiceAccessRights), typeof(ServiceAccessRights));`
	`1113`	`+ typeof(ServiceAccessRights), typeof(ServiceAccessRights),`
	`1114`	`+ MandatoryLabelPolicy.NoWriteUp);`
`1114`	`1115`	`case "scm":`
`1115`	`1116`	`return new NtType("SCM", GetScmGenericMapping(),`
`1116`		`- typeof(ServiceControlManagerAccessRights), typeof(ServiceControlManagerAccessRights));`
	`1117`	`+ typeof(ServiceControlManagerAccessRights), typeof(ServiceControlManagerAccessRights),`
	`1118`	`+ MandatoryLabelPolicy.NoWriteUp);`
`1117`	`1119`	`}`
`1118`	`1120`	`return null;`
`1119`	`1121`	`}`
Original file line number	Diff line number	Diff line change
`@@ -829,6 +829,7 @@ public sealed class NewNtSecurityDescriptorCmdlet : PSCmdlet`
`829`	`829`	`/// <summary>`
`830`	`830`	`/// <para type="description">Specify a default NT type for the security descriptor.</para>`
`831`	`831`	`/// </summary>`
	`832`	`+ [Parameter(ParameterSetName = "FromToken"), Parameter(ParameterSetName = "FromSddl"), Parameter(ParameterSetName = "FromBytes"), Parameter(ParameterSetName = "FromKey")]`
`832`	`833`	`public NtType Type { get; set; }`
`833`	`834`
`834`	`835`	`/// <summary>`
`@@ -863,7 +864,7 @@ protected override void ProcessRecord()`
`863`	`864`	`{`
`864`	`865`	`if (MapType && Type == null)`
`865`	`866`	`{`
`866`		`- WriteWarning("Must specify NtType for MapType to work correctly.");`
	`867`	`+ WriteWarning("Must specify Type for MapType to work correctly.");`
`867`	`868`	`}`
`868`	`869`
`869`	`870`	`SecurityDescriptor sd = null;`