Removing WinXP and Vista specific code from Chromoting.

remoting/host/win/unprivileged_process_delegate.cc

 
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // This file implements the Windows service controlling Me2Me host processes
 // running within user sessions.
 
 #include "remoting/host/win/unprivileged_process_delegate.h"
 
 #include <sddl.h>
 
 #include <utility>
 
 #include "base/command_line.h"
 #include "base/files/file.h"
 #include "base/logging.h"
 #include "base/rand_util.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/string16.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/synchronization/lock.h"
 #include "base/win/scoped_handle.h"
-#include "base/win/windows_version.h"
 #include "ipc/attachment_broker.h"
 #include "ipc/ipc_channel.h"
 #include "ipc/ipc_channel_proxy.h"
 #include "ipc/ipc_message.h"
 #include "remoting/base/typed_buffer.h"
 #include "remoting/host/ipc_util.h"
 #include "remoting/host/switches.h"
 #include "remoting/host/win/launch_process_with_token.h"
 #include "remoting/host/win/security_descriptor.h"
 #include "remoting/host/win/window_station_and_desktop.h"
@@ skipping 49 matching lines @@
                  LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT,
                  &temp_handle)) {
     return false;
   }
   ScopedHandle token(temp_handle);
 
   sandbox::RestrictedToken restricted_token;
   if (restricted_token.Init(token.Get()) != ERROR_SUCCESS)
     return false;
 
-  if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
-    // "SeChangeNotifyPrivilege" is needed to access the machine certificate
-    // (including its private key) in the "Local Machine" cert store. This is
-    // needed for HTTPS client third-party authentication . But the presence of
-    // "SeChangeNotifyPrivilege" also allows it to open and manipulate objects
-    // owned by the same user. This risk is only mitigated by setting the
-    // process integrity level to Low, which is why it is unsafe to enable
-    // "SeChangeNotifyPrivilege" on Windows XP where we don't have process
-    // integrity to protect us.
-    std::vector<base::string16> exceptions;
-    exceptions.push_back(base::string16(L"SeChangeNotifyPrivilege"));
+  // "SeChangeNotifyPrivilege" is needed to access the machine certificate
+  // (including its private key) in the "Local Machine" cert store. This is
+  // needed for HTTPS client third-party authentication . But the presence of
+  // "SeChangeNotifyPrivilege" also allows it to open and manipulate objects
+  // owned by the same user. This risk is only mitigated by setting the
+  // process integrity level to Low.
+  std::vector<base::string16> exceptions;
+  exceptions.push_back(base::string16(L"SeChangeNotifyPrivilege"));
 
-    // Remove privileges in the token.
-    if (restricted_token.DeleteAllPrivileges(&exceptions) != ERROR_SUCCESS)
-      return false;
+  // Remove privileges in the token.
+  if (restricted_token.DeleteAllPrivileges(&exceptions) != ERROR_SUCCESS)
+    return false;
 
-    // Set low integrity level if supported by the OS.
-    if (restricted_token.SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW)
-        != ERROR_SUCCESS) {
-      return false;
-    }
-  } else {
-    // Remove all privileges in the token.
-    // Since "SeChangeNotifyPrivilege" is among the privileges being removed,
-    // the network process won't be able to acquire certificates from the local
-    // machine store. This means third-party authentication won't work.
-    if (restricted_token.DeleteAllPrivileges(nullptr) != ERROR_SUCCESS)
-      return false;
+  // Set low integrity level.
+  if (restricted_token.SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW) !=
+      ERROR_SUCCESS) {
+    return false;
   }
 
   // Return the resulting token.
   DWORD result = restricted_token.GetRestrictedToken(token_out);
   if (result != ERROR_SUCCESS) {
     LOG(ERROR) << "Failed to get the restricted token: " << result;
     return false;
   }
 
   return true;
 }
 
 // Creates a window station with a given name and the default desktop giving
 // the complete access to |logon_sid|.
 bool CreateWindowStationAndDesktop(ScopedSid logon_sid,
                                    WindowStationAndDesktop* handles_out) {
   // Convert the logon SID into a string.
   std::string logon_sid_string = ConvertSidToString(logon_sid.get());
   if (logon_sid_string.empty()) {
     PLOG(ERROR) << "Failed to convert a SID to string";
     return false;
   }
 
   // Format the security descriptors in SDDL form.
   std::string desktop_sddl =
-      base::StringPrintf(kDesktopSdFormat, logon_sid_string.c_str());
+      base::StringPrintf(kDesktopSdFormat, logon_sid_string.c_str()) +
+      kLowIntegrityMandatoryLabel;
   std::string window_station_sddl =
       base::StringPrintf(kWindowStationSdFormat, logon_sid_string.c_str(),
-                         logon_sid_string.c_str());
-
-  // The worker runs at low integrity level. Make sure it will be able to attach
-  // to the window station and desktop.
-  if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
-    desktop_sddl += kLowIntegrityMandatoryLabel;
-    window_station_sddl += kLowIntegrityMandatoryLabel;
-  }
+                         logon_sid_string.c_str()) +
+      kLowIntegrityMandatoryLabel;
 
   // Create the desktop and window station security descriptors.
   ScopedSd desktop_sd = ConvertSddlToSd(desktop_sddl);
   ScopedSd window_station_sd = ConvertSddlToSd(window_station_sddl);
   if (!desktop_sd || !window_station_sd) {
     PLOG(ERROR) << "Failed to create a security descriptor.";
     return false;
   }
 
   // GetProcessWindowStation() returns the current handle which does not need to
   // be freed.
   HWINSTA current_window_station = GetProcessWindowStation();
 
   // Generate a unique window station name.
   std::string window_station_name = base::StringPrintf(
       "chromoting-%d-%d",
       base::GetCurrentProcId(),
       base::RandInt(1, std::numeric_limits<int>::max()));
 
   // Make sure that a new window station will be created instead of opening
   // an existing one.
-  DWORD window_station_flags = 0;
-  if (base::win::GetVersion() >= base::win::VERSION_VISTA)
-    window_station_flags = CWF_CREATE_ONLY;
+  DWORD window_station_flags = CWF_CREATE_ONLY;
 
   // Request full access because this handle will be inherited by the worker
   // process which needs full access in order to attach to the window station.
   DWORD desired_access =
       WINSTA_ALL_ACCESS | DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER;
 
   SECURITY_ATTRIBUTES security_attributes = {0};
   security_attributes.nLength = sizeof(security_attributes);
   security_attributes.lpSecurityDescriptor = window_station_sd.get();
   security_attributes.bInheritHandle = TRUE;
@@ skipping 239 matching lines @@
     PLOG(ERROR) << "Failed to duplicate a handle";
     ReportFatalError();
     return;
   }
   ScopedHandle limited_handle(temp_handle);
 
   event_handler_->OnProcessLaunched(std::move(limited_handle));
 }
 
 }  // namespace remoting