win: Lower integrity level of connection pipe

util/win/exception_handler_server.cc

 // Copyright 2015 The Crashpad Authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
 #include "util/win/exception_handler_server.h"
 
+#include <sddl.h>
 #include <string.h>
 
 #include "base/logging.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/rand_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "minidump/minidump_file_writer.h"
 #include "snapshot/crashpad_info_client_options.h"
 #include "snapshot/win/process_snapshot_win.h"
 #include "util/file/file_writer.h"
 #include "util/misc/tri_state.h"
 #include "util/misc/uuid.h"
 #include "util/win/get_function.h"
 #include "util/win/handle.h"
 #include "util/win/registration_protocol_win.h"
+#include "util/win/scoped_local_alloc.h"
 #include "util/win/xp_compat.h"
 
 namespace crashpad {
 
 namespace {
 
 // We create two pipe instances, so that there's one listening while the
 // PipeServiceProc is processing a registration.
 const size_t kPipeInstances = 2;
 
 // Wraps CreateNamedPipe() to create a single named pipe instance.
 //
 // If first_instance is true, the named pipe instance will be created with
 // FILE_FLAG_FIRST_PIPE_INSTANCE. This ensures that the the pipe name is not
-// already in use when created.
+// already in use when created. The first instance will be created with an
+// untrusted integrity SACL so instances of this pipe can be connected to by
+// processes of any integrity level.
 HANDLE CreateNamedPipeInstance(const std::wstring& pipe_name,
                                bool first_instance) {
-  return CreateNamedPipe(pipe_name.c_str(),
-                         PIPE_ACCESS_DUPLEX |
-                             (first_instance ? FILE_FLAG_FIRST_PIPE_INSTANCE
-                                             : 0),
-                         PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
-                         kPipeInstances,
-                         512,
-                         512,
-                         0,
-                         nullptr);
+  SECURITY_ATTRIBUTES security_attributes;
+  SECURITY_ATTRIBUTES* security_attributes_pointer = nullptr;
+  ScopedLocalAlloc scoped_sec_desc;
+
+  if (first_instance) {
+    // Pre-Vista does not have integrity levels.
+    const DWORD version = GetVersion();
+    const DWORD major_version = LOBYTE(LOWORD(version));
+    const bool is_vista_or_later = major_version >= 6;
+    if (is_vista_or_later) {
+      // Mandatory Label, no ACE flags, no ObjectType, integrity level
+      // untrusted.
+      const wchar_t kSddl[] = L"S:(ML;;;;;S-1-16-0)";
+
+      PSECURITY_DESCRIPTOR sec_desc;
+      PCHECK(ConvertStringSecurityDescriptorToSecurityDescriptor(
+          kSddl, SDDL_REVISION_1, &sec_desc, nullptr))
+          << "ConvertStringSecurityDescriptorToSecurityDescriptor";
+
+      // Take ownership of the allocated SECURITY_DESCRIPTOR.
+      scoped_sec_desc.reset(sec_desc);
+
+      memset(&security_attributes, 0, sizeof(security_attributes));
+      security_attributes.nLength = sizeof(SECURITY_ATTRIBUTES);
+      security_attributes.lpSecurityDescriptor = sec_desc;
+      security_attributes.bInheritHandle = FALSE;
+      security_attributes_pointer = &security_attributes;
+    }
+  }
+
+  return CreateNamedPipe(
+      pipe_name.c_str(),
+      PIPE_ACCESS_DUPLEX | (first_instance ? FILE_FLAG_FIRST_PIPE_INSTANCE : 0),
+      PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
+      kPipeInstances,
+      512,
+      512,
+      0,
+      security_attributes_pointer);
 }
 
 decltype(GetNamedPipeClientProcessId)* GetNamedPipeClientProcessIdFunction() {
   static const auto get_named_pipe_client_process_id =
       GET_FUNCTION(L"kernel32.dll", ::GetNamedPipeClientProcessId);
   return get_named_pipe_client_process_id;
 }
 
 HANDLE DuplicateEvent(HANDLE process, HANDLE event) {
   HANDLE handle;
@@ skipping 243 matching lines @@
 }
 
 void ExceptionHandlerServer::Run(Delegate* delegate) {
   uint64_t shutdown_token = base::RandUint64();
   ScopedKernelHANDLE thread_handles[kPipeInstances];
   for (int i = 0; i < arraysize(thread_handles); ++i) {
     HANDLE pipe;
     if (first_pipe_instance_.is_valid()) {
       pipe = first_pipe_instance_.release();
     } else {
-      pipe = CreateNamedPipeInstance(pipe_name_, false);
+      pipe = CreateNamedPipeInstance(pipe_name_, i == 0);
       PCHECK(pipe != INVALID_HANDLE_VALUE) << "CreateNamedPipe";
     }
 
     // Ownership of this object (and the pipe instance) is given to the new
     // thread. We close the thread handles at the end of the scope. They clean
     // up the context object and the pipe instance on termination.
     internal::PipeServiceContext* context =
         new internal::PipeServiceContext(port_.get(),
                                          pipe,
                                          delegate,
@@ skipping 227 matching lines @@
 void __stdcall ExceptionHandlerServer::OnProcessEnd(void* ctx, BOOLEAN) {
   // This function is executed on the thread pool.
   internal::ClientData* client = reinterpret_cast<internal::ClientData*>(ctx);
   base::AutoLock lock(*client->lock());
 
   // Post back to the main thread to have it delete this client record.
   PostQueuedCompletionStatus(client->port(), 0, ULONG_PTR(client), nullptr);
 }
 
 }  // namespace crashpad