Initialize COM and configure security settings in the daemon.

remoting/host/win/host_service.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // This file implements the Windows service controlling Me2Me host processes
 // running within user sessions.
 
 #include "remoting/host/win/host_service.h"
 
+#include <sddl.h>
 #include <windows.h>
 #include <wtsapi32.h>
 
 #include "base/base_paths.h"
 #include "base/base_switches.h"
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/message_loop.h"
 #include "base/run_loop.h"
 #include "base/scoped_native_library.h"
 #include "base/single_thread_task_runner.h"
 #include "base/threading/thread.h"
 #include "base/utf_string_conversions.h"
+#include "base/win/scoped_com_initializer.h"
 #include "base/win/wrapped_window_proc.h"
 #include "remoting/base/auto_thread.h"
 #include "remoting/base/scoped_sc_handle_win.h"
 #include "remoting/base/stoppable.h"
 #include "remoting/host/branding.h"
 #include "remoting/host/host_exit_codes.h"
 #include "remoting/host/logging.h"
+#include "remoting/host/win/security_descriptor.h"
 
 #if defined(REMOTING_MULTI_PROCESS)
 #include "remoting/host/daemon_process.h"
 #endif  // defined(REMOTING_MULTI_PROCESS)
 
 #include "remoting/host/win/core_resource.h"
 #include "remoting/host/win/wts_terminal_observer.h"
 
 #if !defined(REMOTING_MULTI_PROCESS)
 #include "remoting/host/win/wts_console_session_process_driver.h"
 #endif  // !defined(REMOTING_MULTI_PROCESS)
 
+namespace remoting {
+
 namespace {
 
 // Used to query the endpoint of an attached RDP client.
 const WINSTATIONINFOCLASS kWinStationRemoteAddress =
     static_cast<WINSTATIONINFOCLASS>(29);
 
 // Session id that does not represent any session.
 const uint32 kInvalidSessionId = 0xffffffffu;
 
 const char kIoThreadName[] = "I/O thread";
 
 // A window class for the session change notifications window.
 const wchar_t kSessionNotificationWindowClass[] =
   L"Chromoting_SessionNotificationWindow";
 
 // Command line switches:
 
 // "--console" runs the service interactively for debugging purposes.
 const char kConsoleSwitchName[] = "console";
 
+// Concatenates ACE type, permissions and sid given as SDDL strings into an ACE
+// definition is SDDL form.

[Wez, 2013/03/05 02:25:28]

typo: is -> in

[alexeypa (please no reviews), 2013/03/05 18:00:28]

Done.

+#define SDDL_ACE(type, permissions, sid) \
+    L"(" type L";;" permissions L";;;" sid L")"
+
+// Text representation of COM_RIGHTS_EXECUTE and COM_RIGHTS_EXECUTE_LOCAL
+// permission bits that is used in the SDDL definition below.
+#define SDDL_COM_EXECUTE_LOCAL L"0x3"
+
+// A security descriptor that gives SYSTEM and LocalSystem accounts
+// COM_RIGHTS_EXECUTE and COM_RIGHTS_EXECUTE_LOCAL rights. The descriptor
+// specifies a mandatory label with "no execute up" policy for medium integrity
+// level.

[Wez, 2013/03/05 02:25:28]

nit: Clarify why, e.g. "The descriptor has the "no execute up" mandatory label,
preventing lower integrity level processes using it."?

[alexeypa (please no reviews), 2013/03/05 18:00:28]

Done.

+const wchar_t kComProcessSd[] =
+    SDDL_OWNER L":" SDDL_LOCAL_SYSTEM
+    SDDL_GROUP L":" SDDL_LOCAL_SYSTEM
+    SDDL_DACL L":"
+    SDDL_ACE(SDDL_ACCESS_ALLOWED, SDDL_COM_EXECUTE_LOCAL, SDDL_LOCAL_SYSTEM)
+    SDDL_ACE(SDDL_ACCESS_ALLOWED, SDDL_COM_EXECUTE_LOCAL, SDDL_LOCAL_SERVICE)
+    SDDL_SACL L":"
+    SDDL_ACE(SDDL_MANDATORY_LABEL, SDDL_NO_EXECUTE_UP, SDDL_ML_MEDIUM);
+
+#undef SDDL_ACE
+#undef SDDL_COM_EXECUTE_LOCAL
+
+// Allows incoming calls from clients running under SYSTEM or LocalSystem at
+// medium integrity level.
+bool InitializeComSecurity() {
+  // Convert the SDDL description into a security descriptor in absolute format.
+  ScopedSd relative_sd = ConvertSddlToSd(WideToUTF8(kComProcessSd));
+  if (!relative_sd) {
+    LOG_GETLASTERROR(ERROR) << "Failed to create a security descriptor";
+    return false;
+  }
+  ScopedSd absolute_sd;
+  ScopedAcl dacl;
+  ScopedSid group;
+  ScopedSid owner;
+  ScopedAcl sacl;
+  if (!MakeScopedAbsoluteSd(relative_sd, &absolute_sd, &dacl, &group, &owner,
+                            &sacl)) {
+    LOG_GETLASTERROR(ERROR) << "MakeScopedAbsoluteSd() failed";
+    return false;
+  }
+
+  // Apply the security descriptor and the following settings:
+  //   - The daemon authenticates that all data received is from the expected
+  //     client.
+  //   - The daemon can check identity of the client but cannot act on its
+  //     behalf.
+  //   - Dynamic cloaking is used. DCOM verifies the caller's identify on every

[Wez, 2013/03/05 02:25:28]

nit: Is the second sentence just a description of the first? In which case
suggest "DCOM ... every call (aka 'Dynamic cloaking')"

[Wez, 2013/03/05 02:25:28]

typo: identity

[alexeypa (please no reviews), 2013/03/05 18:00:28]

Done.

[alexeypa (please no reviews), 2013/03/05 18:00:28]

No.
Done.

+  //     call.
+  //   - Activations where the activated COM server would run under the daemon's
+  //     identify are prohibited.

[Wez, 2013/03/05 02:25:28]

typo: identify -> identity

[alexeypa (please no reviews), 2013/03/05 18:00:28]

Done.

+  HRESULT result = CoInitializeSecurity(
+      absolute_sd.get(),
+      -1,

[Wez, 2013/03/05 02:25:28]

nit: Comment the numeric/NULL parameters, e.g. -1, // i^2 or something.

[alexeypa (please no reviews), 2013/03/05 18:00:28]

Done.

+      NULL,
+      NULL,
+      RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
+      RPC_C_IMP_LEVEL_IDENTIFY,
+      NULL,
+      EOAC_DYNAMIC_CLOAKING | EOAC_DISABLE_AAA,
+      NULL);
+  if (FAILED(result)) {
+    LOG(ERROR) << "CoInitializeSecurity() failed, result=0x"
+               << std::hex << result << std::dec << ".";
+    return false;
+  }
+
+  return true;
+}
+
 }  // namespace
 
-namespace remoting {
-
 HostService* HostService::GetInstance() {
   return Singleton<HostService>::get();
 }
 
 bool HostService::InitWithCommandLine(const CommandLine* command_line) {
   CommandLine::StringVector args = command_line->GetArgs();
   if (!args.empty()) {
     LOG(ERROR) << "No positional parameters expected.";
     return false;
   }
@@ skipping 304 matching lines @@
 
   // Wait until the service thread completely exited to avoid concurrent
   // teardown of objects registered with base::AtExitManager and object
   // destoyed by the service thread.
   stopped_event_.Wait();
 
   return kSuccessExitCode;
 }
 
 void HostService::RunAsServiceImpl() {
-  MessageLoop message_loop(MessageLoop::TYPE_DEFAULT);
+  MessageLoop message_loop(MessageLoop::TYPE_UI);
   base::RunLoop run_loop;
   main_task_runner_ = message_loop.message_loop_proxy();
 
   // Register the service control handler.
   service_status_handle_ = RegisterServiceCtrlHandlerExW(
       kWindowsServiceName, &HostService::ServiceControlHandler, this);
   if (service_status_handle_ == 0) {
     LOG_GETLASTERROR(ERROR)
         << "Failed to register the service control handler";
     return;
   }
 
   // Report running status of the service.
   SERVICE_STATUS service_status;
   ZeroMemory(&service_status, sizeof(service_status));
   service_status.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
   service_status.dwCurrentState = SERVICE_RUNNING;
   service_status.dwControlsAccepted = SERVICE_ACCEPT_SHUTDOWN |
                                       SERVICE_ACCEPT_STOP |
                                       SERVICE_ACCEPT_SESSIONCHANGE;
   service_status.dwWin32ExitCode = kSuccessExitCode;
   if (!SetServiceStatus(service_status_handle_, &service_status)) {
     LOG_GETLASTERROR(ERROR)
         << "Failed to report service status to the service control manager";
     return;
   }
 
+  // Initialize COM.
+  base::win::ScopedCOMInitializer com_initializer;
+  if (!com_initializer.succeeded())
+    return;
+
+  if (!InitializeComSecurity())
+    return;
+
   CreateLauncher(scoped_refptr<AutoThreadTaskRunner>(
       new AutoThreadTaskRunner(main_task_runner_,
                                run_loop.QuitClosure())));
 
   // Run the service.
   run_loop.Run();
 
   // Tell SCM that the service is stopped.
   service_status.dwCurrentState = SERVICE_STOPPED;
   service_status.dwControlsAccepted = 0;
   if (!SetServiceStatus(service_status_handle_, &service_status)) {
     LOG_GETLASTERROR(ERROR)
         << "Failed to report service status to the service control manager";
     return;
   }
 }
 
 int HostService::RunInConsole() {
   MessageLoop message_loop(MessageLoop::TYPE_UI);
   base::RunLoop run_loop;
   main_task_runner_ = message_loop.message_loop_proxy();
 
   int result = kInitializationFailed;
 
+  // Initialize COM.
+  base::win::ScopedCOMInitializer com_initializer;
+  if (!com_initializer.succeeded())
+    return result;
+
+  if (!InitializeComSecurity())
+    return result;
+
   // Subscribe to Ctrl-C and other console events.
   if (!SetConsoleCtrlHandler(&HostService::ConsoleControlHandler, TRUE)) {
     LOG_GETLASTERROR(ERROR)
         << "Failed to set console control handler";
     return result;
   }
 
   // Create a window for receiving session change notifications.
   HWND window = NULL;
   WNDCLASSEX window_class;
@@ skipping 132 matching lines @@
 int DaemonProcessMain() {
   HostService* service = HostService::GetInstance();
   if (!service->InitWithCommandLine(CommandLine::ForCurrentProcess())) {
     return kUsageExitCode;
   }
 
   return service->Run();
 }
 
 } // namespace remoting