base: Create file mappings with reduced access control permissions.

base/memory/shared_memory_win.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/memory/shared_memory.h"
 
 #include <aclapi.h>
 #include <stddef.h>
 #include <stdint.h>
 
@@ skipping 44 matching lines @@
   // The handle must have SECTION_QUERY access for this to succeed.
   SECTION_BASIC_INFORMATION basic_information = {};
   ULONG status =
       nt_query_section_func(handle, SectionBasicInformation, &basic_information,
                             sizeof(basic_information), nullptr);
   if (status)
     return false;
   return (basic_information.Attributes & SEC_IMAGE) != SEC_IMAGE;
 }
 
+// Returns a HANDLE on success and |nullptr| on failure.
+// This function is similar to CreateFileMapping, but removes the permissions
+// WRITE_DAC, WRITE_OWNER, READ_CONTROL, and DELETE.
+//
+// A newly created file mapping has two sets of permissions. It has access
+// control permissions (WRITE_DAC, WRITE_OWNER, READ_CONTROL, and DELETE) and
+// file permissions (FILE_MAP_READ, FILE_MAP_WRITE, etc.). ::DuplicateHandle()
+// with the parameter DUPLICATE_SAME_ACCESS copies both sets of permissions.
+//
+// The Chrome sandbox prevents HANDLEs with the WRITE_DAC permission from being
+// duplicated into unprivileged processes. But the only way to copy file
+// permissions is with the parameter DUPLICATE_SAME_ACCESS. This means that
+// there is no way for a privileged process to duplicate a file mapping into an
+// unprivileged process while maintaining the previous file permissions.
+//
+// By removing all access control permissions of a file mapping immediately
+// after creation, ::DuplicateHandle() effectively only copies the file
+// permissions.
+HANDLE CreateFileMappingWithReducedPermissions(SECURITY_ATTRIBUTES* sa,
+                                               size_t rounded_size,
+                                               LPCWSTR name) {
+  HANDLE h = CreateFileMapping(INVALID_HANDLE_VALUE, sa, PAGE_READWRITE, 0,
+                               static_cast<DWORD>(rounded_size), name);
+  if (!h)
+    return nullptr;
+
+  HANDLE h2;
+  BOOL success = ::DuplicateHandle(
+      GetCurrentProcess(), h, GetCurrentProcess(), &h2,
+      FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY, FALSE, 0);
+  BOOL rv = ::CloseHandle(h);
+  DCHECK(rv);
+  return success ? h2 : nullptr;
+}
+
 }  // namespace.
 
 namespace base {
 
 SharedMemoryCreateOptions::SharedMemoryCreateOptions()
     : name_deprecated(nullptr),
       open_existing_deprecated(false),
       size(0),
       executable(false),
       share_read_only(false) {}
@@ skipping 87 matching lines @@
       static_cast<size_t>(std::numeric_limits<int>::max()) - kSectionMask)
     return false;
 
   size_t rounded_size = (options.size + kSectionMask) & ~kSectionMask;
   name_ = options.name_deprecated ?
       ASCIIToUTF16(*options.name_deprecated) : L"";
   SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, FALSE };
   SECURITY_DESCRIPTOR sd;
   ACL dacl;
 
-  if (options.share_read_only && name_.empty()) {
+  if (name_.empty()) {
     // Add an empty DACL to enforce anonymous read-only sections.
     sa.lpSecurityDescriptor = &sd;
     if (!InitializeAcl(&dacl, sizeof(dacl), ACL_REVISION))
       return false;
     if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
       return false;
     if (!SetSecurityDescriptorDacl(&sd, TRUE, &dacl, FALSE))
       return false;
 
     // Windows ignores DACLs on certain unnamed objects (like shared sections).
     // So, we generate a random name when we need to enforce read-only.
     uint64_t rand_values[4];
     RandBytes(&rand_values, sizeof(rand_values));
     name_ = StringPrintf(L"CrSharedMem_%016llx%016llx%016llx%016llx",
                          rand_values[0], rand_values[1],
                          rand_values[2], rand_values[3]);
   }
-  mapped_file_ = CreateFileMapping(INVALID_HANDLE_VALUE, &sa,
-      PAGE_READWRITE, 0, static_cast<DWORD>(rounded_size),
-      name_.empty() ? nullptr : name_.c_str());
+  mapped_file_ = CreateFileMappingWithReducedPermissions(
+      &sa, rounded_size, name_.empty() ? nullptr : name_.c_str());
   if (!mapped_file_)
     return false;
 
   requested_size_ = options.size;
 
   // Check if the shared memory pre-exists.
   if (GetLastError() == ERROR_ALREADY_EXISTS) {
     // If the file already existed, set requested_size_ to 0 to show that
     // we don't know the size.
     requested_size_ = 0;
@@ skipping 102 matching lines @@
     ::CloseHandle(mapped_file_);
     mapped_file_ = NULL;
   }
 }
 
 SharedMemoryHandle SharedMemory::handle() const {
   return SharedMemoryHandle(mapped_file_, base::GetCurrentProcId());
 }
 
 }  // namespace base