Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(8)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: mojo/edk/embedder/named_platform_handle_utils_win.cc

Issue 2444793002: Allow custom security descriptors when creating named pipes on Windows. (Closed)
Patch Set: Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « mojo/edk/embedder/named_platform_handle_utils_posix.cc ('k') | mojo/edk/test/multiprocess_test_helper.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2016 The Chromium Authors. All rights reserved. 1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "mojo/edk/embedder/named_platform_handle_utils.h" 5 #include "mojo/edk/embedder/named_platform_handle_utils.h"
6 6
7 #include <sddl.h> 7 #include <sddl.h>
8 #include <windows.h> 8 #include <windows.h>
9 9
10 #include <memory> 10 #include <memory>
11 11
12 #include "base/logging.h" 12 #include "base/logging.h"
13 #include "base/win/windows_version.h" 13 #include "base/win/windows_version.h"
14 #include "mojo/edk/embedder/named_platform_handle.h" 14 #include "mojo/edk/embedder/named_platform_handle.h"
15 15
16 namespace mojo { 16 namespace mojo {
17 namespace edk { 17 namespace edk {
18 namespace {
19
20 // A DACL to grant:
21 // GA = Generic All
22 // access to:
23 // SY = LOCAL_SYSTEM
24 // BA = BUILTIN_ADMINISTRATORS
25 // OW = OWNER_RIGHTS
26 constexpr base::char16 kDefaultSecurityDescriptor[] =
27 L"D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;OW)";
28
29 } // namespace
18 30
19 ScopedPlatformHandle CreateClientHandle( 31 ScopedPlatformHandle CreateClientHandle(
20 const NamedPlatformHandle& named_handle) { 32 const NamedPlatformHandle& named_handle) {
21 if (!named_handle.is_valid()) 33 if (!named_handle.is_valid())
22 return ScopedPlatformHandle(); 34 return ScopedPlatformHandle();
23 35
24 base::string16 pipe_name = named_handle.pipe_name(); 36 base::string16 pipe_name = named_handle.pipe_name();
25 37
26 // Note: This may block. 38 // Note: This may block.
27 if (!WaitNamedPipeW(pipe_name.c_str(), NMPWAIT_USE_DEFAULT_WAIT)) 39 if (!WaitNamedPipeW(pipe_name.c_str(), NMPWAIT_USE_DEFAULT_WAIT))
28 return ScopedPlatformHandle(); 40 return ScopedPlatformHandle();
29 41
30 const DWORD kDesiredAccess = GENERIC_READ | GENERIC_WRITE; 42 const DWORD kDesiredAccess = GENERIC_READ | GENERIC_WRITE;
31 // The SECURITY_ANONYMOUS flag means that the server side cannot impersonate 43 // The SECURITY_ANONYMOUS flag means that the server side cannot impersonate
32 // the client. 44 // the client.
33 const DWORD kFlags = 45 const DWORD kFlags =
34 SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS | FILE_FLAG_OVERLAPPED; 46 SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS | FILE_FLAG_OVERLAPPED;
35 ScopedPlatformHandle handle( 47 ScopedPlatformHandle handle(
36 PlatformHandle(CreateFileW(pipe_name.c_str(), kDesiredAccess, 48 PlatformHandle(CreateFileW(pipe_name.c_str(), kDesiredAccess,
37 0, // No sharing. 49 0, // No sharing.
38 nullptr, OPEN_EXISTING, kFlags, 50 nullptr, OPEN_EXISTING, kFlags,
39 nullptr))); // No template file. 51 nullptr))); // No template file.
40 PCHECK(handle.is_valid()); 52 PCHECK(handle.is_valid());
41 return handle; 53 return handle;
42 } 54 }
43 55
44 ScopedPlatformHandle CreateServerHandle(const NamedPlatformHandle& named_handle, 56 ScopedPlatformHandle CreateServerHandle(
45 bool enforce_uniqueness) { 57 const NamedPlatformHandle& named_handle,
58 const CreateServerHandleOptions& options) {
46 if (!named_handle.is_valid()) 59 if (!named_handle.is_valid())
47 return ScopedPlatformHandle(); 60 return ScopedPlatformHandle();
48 61
49 PSECURITY_DESCRIPTOR security_desc = nullptr; 62 PSECURITY_DESCRIPTOR security_desc = nullptr;
50 ULONG security_desc_len = 0; 63 ULONG security_desc_len = 0;
51 // Create a DACL to grant:
52 // GA = Generic All
53 // access to:
54 // SY = LOCAL_SYSTEM
55 // BA = BUILTIN_ADMINISTRATORS
56 // OW = OWNER_RIGHTS
57 PCHECK(ConvertStringSecurityDescriptorToSecurityDescriptor( 64 PCHECK(ConvertStringSecurityDescriptorToSecurityDescriptor(
58 L"D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;OW)", SDDL_REVISION_1, 65 options.security_descriptor.empty() ? kDefaultSecurityDescriptor
59 &security_desc, &security_desc_len)); 66 : options.security_descriptor.c_str(),
67 SDDL_REVISION_1, &security_desc, &security_desc_len));
60 std::unique_ptr<void, decltype(::LocalFree)*> p(security_desc, ::LocalFree); 68 std::unique_ptr<void, decltype(::LocalFree)*> p(security_desc, ::LocalFree);
61 SECURITY_ATTRIBUTES security_attributes = {sizeof(SECURITY_ATTRIBUTES), 69 SECURITY_ATTRIBUTES security_attributes = {sizeof(SECURITY_ATTRIBUTES),
62 security_desc, FALSE}; 70 security_desc, FALSE};
63 71
64 const DWORD kOpenMode = enforce_uniqueness 72 const DWORD kOpenMode = options.enforce_uniqueness
65 ? PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED | 73 ? PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED |
66 FILE_FLAG_FIRST_PIPE_INSTANCE 74 FILE_FLAG_FIRST_PIPE_INSTANCE
67 : PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED; 75 : PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED;
68 const DWORD kPipeMode = 76 const DWORD kPipeMode =
69 PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_REJECT_REMOTE_CLIENTS; 77 PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_REJECT_REMOTE_CLIENTS;
70 PlatformHandle handle( 78 PlatformHandle handle(
71 CreateNamedPipeW(named_handle.pipe_name().c_str(), kOpenMode, kPipeMode, 79 CreateNamedPipeW(named_handle.pipe_name().c_str(), kOpenMode, kPipeMode,
72 enforce_uniqueness ? 1 : 255, // Max instances. 80 options.enforce_uniqueness ? 1 : 255, // Max instances.
73 4096, // Out buffer size. 81 4096, // Out buffer size.
74 4096, // In buffer size. 82 4096, // In buffer size.
75 5000, // Timeout in milliseconds. 83 5000, // Timeout in milliseconds.
76 &security_attributes)); 84 &security_attributes));
77 handle.needs_connection = true; 85 handle.needs_connection = true;
78 return ScopedPlatformHandle(handle); 86 return ScopedPlatformHandle(handle);
79 } 87 }
80 88
81 } // namespace edk 89 } // namespace edk
82 } // namespace mojo 90 } // namespace mojo
OLDNEW
« no previous file with comments | « mojo/edk/embedder/named_platform_handle_utils_posix.cc ('k') | mojo/edk/test/multiprocess_test_helper.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698