Initialize COM and configure security settings in the daemon.

remoting/host/win/host_service.cc

Index: remoting/host/win/host_service.cc
diff --git a/remoting/host/win/host_service.cc b/remoting/host/win/host_service.cc
index 71ef8b23b61478f874637cc86e8893a5b1b4f941..e30938c354a67c692e1dc9a7deab0d6c048d0068 100644
--- a/remoting/host/win/host_service.cc
+++ b/remoting/host/win/host_service.cc
@@ -21,6 +21,7 @@
 #include "base/single_thread_task_runner.h"
 #include "base/threading/thread.h"
 #include "base/utf_string_conversions.h"
+#include "base/win/scoped_com_initializer.h"
 #include "base/win/wrapped_window_proc.h"
 #include "remoting/base/auto_thread.h"
 #include "remoting/base/scoped_sc_handle_win.h"
@@ -28,6 +29,7 @@
 #include "remoting/host/branding.h"
 #include "remoting/host/host_exit_codes.h"
 #include "remoting/host/logging.h"
+#include "remoting/host/win/security_descriptor.h"
 
 #if defined(REMOTING_MULTI_PROCESS)
 #include "remoting/host/daemon_process.h"
@@ -40,6 +42,8 @@
 #include "remoting/host/win/wts_console_session_process_driver.h"
 #endif  // !defined(REMOTING_MULTI_PROCESS)
 
+namespace remoting {
+
 namespace {
 
 // Used to query the endpoint of an attached RDP client.
@@ -60,9 +64,62 @@ const wchar_t kSessionNotificationWindowClass[] =
 // "--console" runs the service interactively for debugging purposes.
 const char kConsoleSwitchName[] = "console";
 
-}  // namespace
+// A security descriptor that gives SYSTEM and LocalSystem accounts
+// COM_RIGHTS_EXECUTE and COM_RIGHTS_EXECUTE_LOCAL rights. The descriptor
+// specifies a mandatory label with "no execute up" policy for medium integrity
+// level.
+const char kComProcessSd[] =
+    "O:SYG:SYD:(A;;0x3;;;SY)(A;;0x3;;;LS)S:(ML;;NX;;;ME)";

[jschuh, 2013/03/04 21:12:33]

SDDL can be pretty impenetrable. Generally, I find it much clearer to break the
string into pieces with comments and build it using the macros from sddl.h, like
we do in restricted_token_utils.cc.

[alexeypa (please no reviews), 2013/03/04 21:46:30]

Done.

+
+// Allows incoming calls from clients running under SYSTEM or LocalSystem at
+// medium integrity level.
+bool InitializeComSecurity() {
+  // Convert the SDDL description into a security descriptor in absolute format.
+  ScopedSd relative_sd = ConvertSddlToSd(kComProcessSd);
+  if (!relative_sd) {
+    LOG_GETLASTERROR(ERROR) << "Failed to create a security descriptor";
+    return false;
+  }
+  ScopedSd absolute_sd;
+  ScopedAcl dacl;
+  ScopedSid group;
+  ScopedSid owner;
+  ScopedAcl sacl;
+  if (!MakeAbsoluteSd(relative_sd, &absolute_sd, &dacl, &group, &owner,
+                      &sacl)) {
+    LOG_GETLASTERROR(ERROR) << "MakeAbsoluteSd() failed";
+    return false;
+  }
 
-namespace remoting {
+  // Apply the security descriptor and the following settings:
+  //   - The daemon authenticates that all data received is from the expected
+  //     client.
+  //   - The daemon can check identity of the client but cannot act on its
+  //     behalf.
+  //   - Dynamic cloacking is used. DCOM verifies the caller's identify on every

[jschuh, 2013/03/04 21:12:33]

nit: cloaking

[alexeypa (please no reviews), 2013/03/04 21:46:30]

Done.

+  //     call.
+  //   - Activations where the activated COM server would run under the daemon's
+  //     identify are prohibited.
+  HRESULT result = CoInitializeSecurity(
+      absolute_sd.get(),
+      -1,
+      NULL,
+      NULL,
+      RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
+      RPC_C_IMP_LEVEL_IDENTIFY,
+      NULL,
+      EOAC_DYNAMIC_CLOAKING | EOAC_DISABLE_AAA,
+      NULL);
+  if (FAILED(result)) {
+    LOG(ERROR) << "CoInitializeSecurity() failed, result=0x"
+               << std::hex << result << std::dec << ".";
+    return false;
+  }
+
+  return true;
+}
+
+}  // namespace
 
 HostService* HostService::GetInstance() {
   return Singleton<HostService>::get();
@@ -388,7 +445,7 @@ int HostService::RunAsService() {
 }
 
 void HostService::RunAsServiceImpl() {
-  MessageLoop message_loop(MessageLoop::TYPE_DEFAULT);
+  MessageLoop message_loop(MessageLoop::TYPE_UI);
   base::RunLoop run_loop;
   main_task_runner_ = message_loop.message_loop_proxy();
 
@@ -416,6 +473,14 @@ void HostService::RunAsServiceImpl() {
     return;
   }
 
+  // Initialize COM.
+  base::win::ScopedCOMInitializer com_initializer;
+  if (!com_initializer.succeeded())
+    return;
+
+  if (!InitializeComSecurity())
+    return;
+
   CreateLauncher(scoped_refptr<AutoThreadTaskRunner>(
       new AutoThreadTaskRunner(main_task_runner_,
                                run_loop.QuitClosure())));
@@ -440,6 +505,14 @@ int HostService::RunInConsole() {
 
   int result = kInitializationFailed;
 
+  // Initialize COM.
+  base::win::ScopedCOMInitializer com_initializer;
+  if (!com_initializer.succeeded())
+    return result;
+
+  if (!InitializeComSecurity())
+    return result;
+
   // Subscribe to Ctrl-C and other console events.
   if (!SetConsoleCtrlHandler(&HostService::ConsoleControlHandler, TRUE)) {
     LOG_GETLASTERROR(ERROR)