mojo/edk/embedder/named_platform_channel_pair_win.cc - Issue 1893313003: [mojo] Use a pipe path to initialise Mojo in elevated utility processes.

Side by Side Diff: mojo/edk/embedder/named_platform_channel_pair_win.cc

Issue 1893313003: [mojo] Use a pipe path to initialise Mojo in elevated utility processes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Rebase Created 4 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright 2016 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "mojo/edk/embedder/named_platform_channel_pair.h"

	6

	7 #include <windows.h>

	8

	9 #include <string>

	10 #include <utility>

	11

	12 #include "base/command_line.h"

	13 #include "base/logging.h"

	14 #include "base/rand_util.h"

	15 #include "base/strings/string_number_conversions.h"

	16 #include "base/strings/stringprintf.h"

	17 #include "base/win/windows_version.h"

	18 #include "mojo/edk/embedder/platform_handle.h"

	19

	20 namespace mojo {

	21 namespace edk {

	22

	23 namespace {

	24

	25 const char kMojoNamedPlatformChannelPipeSwitch[] =

	26 "mojo-named-platform-channel-pipe";
	ncarter (slow) 2016/05/11 00:14:23 It seems unusual to have switches defined outside It seems unusual to have switches defined outside of a switches namespace. Anand Mistry (off Chromium) 2016/05/11 04:15:20 I'm following the pattern in PlatformChannelPair. Show quoted text On 2016/05/11 00:14:23, ncarter wrote: > It seems unusual to have switches defined outside of a switches namespace. I'm following the pattern in PlatformChannelPair. PlatformChannelPair needs a bit of a refactor (it has some dead code and obsolete comments) and I'd prefer to keep these two looking similar until I get around to it.
	27

	28 std::wstring GeneratePipeName() {

	29 return base::StringPrintf(L"\\\\.\\pipe\\mojo.%u.%u.%I64u",

	30 GetCurrentProcessId(), GetCurrentThreadId(),

	31 base::RandUint64());

	32

	33 }

	34

	35 } // namespace

	36

	37 NamedPlatformChannelPair::NamedPlatformChannelPair() {

	38 pipe_name_ = GeneratePipeName();

	39

	40 const DWORD kOpenMode =

	41 PIPE_ACCESS_DUPLEX \| FILE_FLAG_OVERLAPPED \| FILE_FLAG_FIRST_PIPE_INSTANCE;

	42 const DWORD kPipeMode = PIPE_TYPE_BYTE \| PIPE_READMODE_BYTE;
	forshaw 2016/05/11 00:01:40 I'd recommend specifying PIPE_REJECT_REMOTE_CLIENT I'd recommend specifying PIPE_REJECT_REMOTE_CLIENTS here just in case. Even though the name should be pretty hard to guess or exploit, no reason to expose it remotely. Anand Mistry (off Chromium) 2016/05/11 04:15:20 Done. Show quoted text On 2016/05/11 00:01:40, forshaw wrote: > I'd recommend specifying PIPE_REJECT_REMOTE_CLIENTS here just in case. Even > though the name should be pretty hard to guess or exploit, no reason to expose > it remotely. Done.
	43 PlatformHandle handle(

	44 CreateNamedPipeW(pipe_name_.c_str(), kOpenMode, kPipeMode,

	45 1, // Max instances.

	46 4096, // Out buffer size.

	47 4096, // In buffer size.

	48 5000, // Timeout in milliseconds.

	49 nullptr)); // Default security descriptor.
	forshaw 2016/05/11 00:01:40 Is there any advantage to another user on the syst Is there any advantage to another user on the system (say on a terminal server) being able to open the server pipe with only read access? The default DACL gives access to Everyone and the Anonymous user for Read. If there's some benefit to having this limited access then we might want to ensure the DACL is explicitly locked down. Perhaps as this is only expected to be opened by an elevated user could specify only Administrators group. Anand Mistry (off Chromium) 2016/05/11 04:15:20 I've tried to add an acl here to restrict access, Show quoted text On 2016/05/11 00:01:40, forshaw wrote: > Is there any advantage to another user on the system (say on a terminal server) > being able to open the server pipe with only read access? The default DACL gives > access to Everyone and the Anonymous user for Read. If there's some benefit to > having this limited access then we might want to ensure the DACL is explicitly > locked down. Perhaps as this is only expected to be opened by an elevated user > could specify only Administrators group. I've tried to add an acl here to restrict access, but can't get it to work. Frankly, this is far beyond my level of windows knowledge. forshaw 2016/05/11 12:03:15 Well it's probably not needed, but a simple exampl Show quoted text > I've tried to add an acl here to restrict access, but can't get it to work. > Frankly, this is far beyond my level of windows knowledge. Well it's probably not needed, but a simple example would be this: #include <sddl.h> PSECURITY_DESCRIPTOR security_desc = nullptr; ULONG security_desc_len = 0; if (!::ConvertStringSecurityDescriptorToSecurityDescriptor(L"D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;OW)", SDDL_REVISION_1, &security_desc, &security_desc_len)) { return false; } std::unique_ptr<void, decltype(::LocalFree)> p(security_desc, ::LocalFree); SECURITY_ATTRIBUTES sa = {}; sa.nLength = sizeof(sa); sa.lpSecurityDescriptor = security_desc; Just pass the sa variable as the last parameter to CreateNamedPipeW. That will setup the pipe so only Local System, Local Administrators and the Owner of the pipe can access it. This removes the implicit Everyone and Anonymous group access control entries. Anand Mistry (off Chromium)* 2016/05/12 01:17:07 Thanks. Added and it appears to work on my windows Show quoted text On 2016/05/11 12:03:15, forshaw wrote: > > I've tried to add an acl here to restrict access, but can't get it to work. > > Frankly, this is far beyond my level of windows knowledge. > > Well it's probably not needed, but a simple example would be this: > > #include <sddl.h> > > PSECURITY_DESCRIPTOR security_desc = nullptr; > ULONG security_desc_len = 0; > if > (!::ConvertStringSecurityDescriptorToSecurityDescriptor(L"D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;OW)", > > SDDL_REVISION_1, &security_desc, &security_desc_len)) { > return false; > } > std::unique_ptr<void, decltype(::LocalFree)*> p(security_desc, ::LocalFree); > SECURITY_ATTRIBUTES sa = {}; > sa.nLength = sizeof(sa); > sa.lpSecurityDescriptor = security_desc; > > Just pass the sa variable as the last parameter to CreateNamedPipeW. That will > setup the pipe so only Local System, Local Administrators and the Owner of the > pipe can access it. This removes the implicit Everyone and Anonymous group > access control entries. Thanks. Added and it appears to work on my windows box. Lets see if it passes the trybots.
	50 handle.needs_connection = true;

	51 server_handle_.reset(handle);

	52 PCHECK(server_handle_.is_valid());

	53 }

	54

	55 NamedPlatformChannelPair::~NamedPlatformChannelPair() {}

	56

	57 ScopedPlatformHandle NamedPlatformChannelPair::PassServerHandle() {

	58 return std::move(server_handle_);

	59 }

	60

	61 // static

	62 ScopedPlatformHandle

	63 NamedPlatformChannelPair::PassClientHandleFromParentProcess(

	64 const base::CommandLine& command_line) {

	65 std::wstring client_handle_string =

	66 command_line.GetSwitchValueNative(kMojoNamedPlatformChannelPipeSwitch);

	67

	68 if (client_handle_string.empty())

	69 return ScopedPlatformHandle();

	70

	71 // Note: This may block.

	72 BOOL ok = WaitNamedPipeW(client_handle_string.c_str(),

	73 NMPWAIT_USE_DEFAULT_WAIT);

	74 if (!ok)

	75 return ScopedPlatformHandle();

	76

	77 // In order to support passing the pipe name on the command line, the pipe

	78 // handle is lazily created from the pipe name when requested.

	79 const DWORD kDesiredAccess = GENERIC_READ \| GENERIC_WRITE;

	80 // The SECURITY_ANONYMOUS flag means that the server side cannot impersonate

	81 // the client.

	82 const DWORD kFlags =

	83 SECURITY_SQOS_PRESENT \| SECURITY_ANONYMOUS \| FILE_FLAG_OVERLAPPED;

	84 ScopedPlatformHandle handle(

	85 PlatformHandle(CreateFileW(client_handle_string.c_str(), kDesiredAccess,

	86 0, // No sharing.

	87 nullptr, OPEN_EXISTING, kFlags,

	88 nullptr))); // No template file.

	89 PCHECK(handle.is_valid());

	90 return handle;

	91 }

	92

	93 void NamedPlatformChannelPair::PrepareToPassClientHandleToChildProcess(

	94 base::CommandLine* command_line) const {

	95 DCHECK(command_line);

	96

	97 // Log a warning if the command line already has the switch, but "clobber" it

	98 // anyway, since it's reasonably likely that all the switches were just copied

	99 // from the parent.

	100 LOG_IF(WARNING,

	101 command_line->HasSwitch(kMojoNamedPlatformChannelPipeSwitch))

	102 << "Child command line already has switch --"

	103 << kMojoNamedPlatformChannelPipeSwitch << "="

	104 << command_line->GetSwitchValueNative(

	105 kMojoNamedPlatformChannelPipeSwitch);

	106 // (Any existing switch won't actually be removed from the command line, but

	107 // the last one appended takes precedence.)

	108 command_line->AppendSwitchNative(

	109 kMojoNamedPlatformChannelPipeSwitch, pipe_name_);

	110 }

	111

	112 } // namespace edk

	113 } // namespace mojo

OLD	NEW

« content/child/child_thread_impl.cc ('K') | « mojo/edk/embedder/named_platform_channel_pair.h ('k') | mojo/edk/embedder/platform_handle.h » ('j') | mojo/edk/system/channel_win.cc » ('J')