win: Lower integrity level of connection pipe

util/win/exception_handler_server.cc

 // Copyright 2015 The Crashpad Authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
 #include "util/win/exception_handler_server.h"
 
+#include <aclapi.h>
+#include <sddl.h>
 #include <string.h>
 
 #include "base/logging.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/rand_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "minidump/minidump_file_writer.h"
 #include "snapshot/crashpad_info_client_options.h"
 #include "snapshot/win/process_snapshot_win.h"
 #include "util/file/file_writer.h"
 #include "util/misc/tri_state.h"
 #include "util/misc/uuid.h"
 #include "util/win/get_function.h"
 #include "util/win/handle.h"
 #include "util/win/registration_protocol_win.h"
+#include "util/win/scoped_local_free.h"
 #include "util/win/xp_compat.h"
 
 namespace crashpad {
 
 namespace {
 
 // We create two pipe instances, so that there's one listening while the
 // PipeServiceProc is processing a registration.
 const size_t kPipeInstances = 2;
 
 // Wraps CreateNamedPipe() to create a single named pipe instance.
 //
 // If first_instance is true, the named pipe instance will be created with
 // FILE_FLAG_FIRST_PIPE_INSTANCE. This ensures that the the pipe name is not
 // already in use when created.
+//
+// The integrity level of the pipe is lowered so that it can be connected to by
+// low integrity processes.

[jschuh, 2015/11/05 20:05:13]

Should be "connected to by processes at any integrity level".

[scottmg, 2015/11/05 20:15:30]

Done.

 HANDLE CreateNamedPipeInstance(const std::wstring& pipe_name,
                                bool first_instance) {
-  return CreateNamedPipe(pipe_name.c_str(),
-                         PIPE_ACCESS_DUPLEX |
-                             (first_instance ? FILE_FLAG_FIRST_PIPE_INSTANCE
-                                             : 0),
-                         PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
-                         kPipeInstances,
-                         512,
-                         512,
-                         0,
-                         nullptr);
+  ScopedFileHandle pipe(CreateNamedPipe(
+      pipe_name.c_str(),
+      PIPE_ACCESS_DUPLEX | (first_instance ? FILE_FLAG_FIRST_PIPE_INSTANCE : 0),
+      PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
+      kPipeInstances,
+      512,
+      512,
+      0,
+      nullptr));
+  if (!pipe.is_valid()) {
+    PLOG(ERROR) << "CreateNamedPipe";
+    return INVALID_HANDLE_VALUE;
+  }
+
+  // We only need to set the integrity level on the first instance of the pipe.

[Mark Mentovai, 2015/11/05 20:08:01]

Shouldn’t we still do this if we run crashpad_handler in persistent --pipe-name
mode without having its client start it?

[scottmg, 2015/11/05 20:15:30]

Yes, we should, but don't we still in ExceptionHandlerServer::Run, regardless of
whether we created the pipe name or someone else did? (I'm probably
misunderstanding what you're saying.)

[Mark Mentovai, 2015/11/05 21:01:13]

scottmg wrote:
first_instance only controls whether FILE_FLAG_FIRST_PIPE_INSTANCE is set. It’s
set when called by CreatePipe() to establish a pipe name before Run(), but it’s
not set if SetPipeName() establishes the name but no pipe. Run() doesn’t set it.

You can change this up appropriately, but as written now, none of this new stuff
will happen in persistent mode with a well-known --pipe-name.

+  if (!first_instance)
+    return pipe.release();
+
+  // Lower the integrity of the pipe so that it can be connected to from low
+  // integrity processes (on Vista and later).
+  const DWORD version = GetVersion();
+  const DWORD major_version = LOBYTE(LOWORD(version));
+  const bool is_pre_vista = major_version < 6;
+  if (is_pre_vista)
+    return pipe.release();
+
+  // Mandatory Label, no ACE flags, no ObjectType, integrity level untrusted.
+  const wchar_t kSddl[] = L"S:(ML;;;;;S-1-16-0)";
+
+  PSECURITY_DESCRIPTOR sec_desc = nullptr;

[Mark Mentovai, 2015/11/05 20:08:01]

SECURITY_DESCRIPTOR*, ACL*.

[scottmg, 2015/11/05 20:15:30]

Done.

+
+  PACL sacl = nullptr;
+  if (!ConvertStringSecurityDescriptorToSecurityDescriptor(
+          kSddl, SDDL_REVISION, &sec_desc, nullptr)) {
+    PLOG(ERROR) << "ConvertStringSecurityDescriptorToSecurityDescriptorW";

[Mark Mentovai, 2015/11/05 20:08:01]

No W on the end.

[scottmg, 2015/11/05 20:15:30]

Done.

+    return INVALID_HANDLE_VALUE;
+  }
+
+  // Take ownership of the allocated SECURITY_DESCRIPTOR.
+  ScopedLocalFree scoped_sec_desc(sec_desc);
+
+  BOOL sacl_present = FALSE;
+  BOOL sacl_defaulted = FALSE;
+  if (!GetSecurityDescriptorSacl(
+          sec_desc, &sacl_present, &sacl, &sacl_defaulted)) {
+    PLOG(ERROR) << "GetSecurityDescriptorSacl";
+    return INVALID_HANDLE_VALUE;
+  }
+
+  DWORD error = SetSecurityInfo(pipe.get(),
+                                SE_KERNEL_OBJECT,
+                                LABEL_SECURITY_INFORMATION,
+                                nullptr,
+                                nullptr,
+                                nullptr,
+                                sacl);
+  if (error != ERROR_SUCCESS) {
+    LOG(ERROR) << "SetSecurityInfo: "
+               << logging::SystemErrorCodeToString(error);
+    return INVALID_HANDLE_VALUE;
+  }
+
+  return pipe.release();
 }
 
 decltype(GetNamedPipeClientProcessId)* GetNamedPipeClientProcessIdFunction() {
   static const auto get_named_pipe_client_process_id =
       GET_FUNCTION(L"kernel32.dll", ::GetNamedPipeClientProcessId);
   return get_named_pipe_client_process_id;
 }
 
 HANDLE DuplicateEvent(HANDLE process, HANDLE event) {
   HANDLE handle;
@@ skipping 491 matching lines @@
 void __stdcall ExceptionHandlerServer::OnProcessEnd(void* ctx, BOOLEAN) {
   // This function is executed on the thread pool.
   internal::ClientData* client = reinterpret_cast<internal::ClientData*>(ctx);
   base::AutoLock lock(*client->lock());
 
   // Post back to the main thread to have it delete this client record.
   PostQueuedCompletionStatus(client->port(), 0, ULONG_PTR(client), nullptr);
 }
 
 }  // namespace crashpad