2023-01-28 04:54:20 +00:00
|
|
|
|
// Copyright 2015 The Crashpad Authors
|
2022-04-02 01:21:55 +00:00
|
|
|
|
//
|
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
//
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
//
|
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
|
|
#include "util/win/registration_protocol_win.h"
|
|
|
|
|
|
|
|
|
|
#include <windows.h>
|
|
|
|
|
#include <aclapi.h>
|
|
|
|
|
#include <sddl.h>
|
|
|
|
|
#include <stddef.h>
|
|
|
|
|
|
2022-08-16 00:48:53 +00:00
|
|
|
|
#include <iterator>
|
|
|
|
|
|
2024-04-30 00:11:06 +00:00
|
|
|
|
#include "base/check.h"
|
2022-04-02 01:21:55 +00:00
|
|
|
|
#include "base/logging.h"
|
|
|
|
|
#include "util/win/exception_handler_server.h"
|
|
|
|
|
#include "util/win/loader_lock.h"
|
|
|
|
|
#include "util/win/scoped_handle.h"
|
|
|
|
|
#include "util/win/scoped_local_alloc.h"
|
|
|
|
|
|
|
|
|
|
namespace crashpad {
|
|
|
|
|
|
|
|
|
|
namespace {
|
|
|
|
|
|
|
|
|
|
void* GetSecurityDescriptorWithUser(const wchar_t* sddl_string, size_t* size) {
|
|
|
|
|
if (size)
|
|
|
|
|
*size = 0;
|
|
|
|
|
|
|
|
|
|
PSECURITY_DESCRIPTOR base_sec_desc;
|
|
|
|
|
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(
|
|
|
|
|
sddl_string, SDDL_REVISION_1, &base_sec_desc, nullptr)) {
|
|
|
|
|
PLOG(ERROR) << "ConvertStringSecurityDescriptorToSecurityDescriptor";
|
|
|
|
|
return nullptr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ScopedLocalAlloc base_sec_desc_owner(base_sec_desc);
|
|
|
|
|
EXPLICIT_ACCESS access;
|
|
|
|
|
wchar_t username[] = L"CURRENT_USER";
|
|
|
|
|
BuildExplicitAccessWithName(
|
|
|
|
|
&access, username, GENERIC_ALL, GRANT_ACCESS, NO_INHERITANCE);
|
|
|
|
|
|
|
|
|
|
PSECURITY_DESCRIPTOR user_sec_desc;
|
|
|
|
|
ULONG user_sec_desc_size;
|
|
|
|
|
DWORD error = BuildSecurityDescriptor(nullptr,
|
|
|
|
|
nullptr,
|
|
|
|
|
1,
|
|
|
|
|
&access,
|
|
|
|
|
0,
|
|
|
|
|
nullptr,
|
|
|
|
|
base_sec_desc,
|
|
|
|
|
&user_sec_desc_size,
|
|
|
|
|
&user_sec_desc);
|
|
|
|
|
if (error != ERROR_SUCCESS) {
|
|
|
|
|
SetLastError(error);
|
|
|
|
|
PLOG(ERROR) << "BuildSecurityDescriptor";
|
|
|
|
|
return nullptr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*size = user_sec_desc_size;
|
|
|
|
|
return user_sec_desc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
} // namespace
|
|
|
|
|
|
|
|
|
|
bool SendToCrashHandlerServer(const std::wstring& pipe_name,
|
|
|
|
|
const ClientToServerMessage& message,
|
|
|
|
|
ServerToClientMessage* response) {
|
|
|
|
|
// Retry CreateFile() in a loop. If the handler isn’t actively waiting in
|
|
|
|
|
// ConnectNamedPipe() on a pipe instance because it’s busy doing something
|
|
|
|
|
// else, CreateFile() will fail with ERROR_PIPE_BUSY. WaitNamedPipe() waits
|
|
|
|
|
// until a pipe instance is ready, but there’s no way to wait for this
|
|
|
|
|
// condition and atomically open the client side of the pipe in a single
|
|
|
|
|
// operation. CallNamedPipe() implements similar retry logic to this, also in
|
|
|
|
|
// user-mode code.
|
|
|
|
|
//
|
|
|
|
|
// This loop is only intended to retry on ERROR_PIPE_BUSY. Notably, if the
|
|
|
|
|
// handler is so lazy that it hasn’t even called CreateNamedPipe() yet,
|
|
|
|
|
// CreateFile() will fail with ERROR_FILE_NOT_FOUND, and this function is
|
|
|
|
|
// expected to fail without retrying anything. If the handler is started at
|
|
|
|
|
// around the same time as its client, something external to this code must be
|
|
|
|
|
// done to guarantee correct ordering. When the client starts the handler
|
|
|
|
|
// itself, CrashpadClient::StartHandler() provides this synchronization.
|
|
|
|
|
for (;;) {
|
|
|
|
|
ScopedFileHANDLE pipe(
|
|
|
|
|
CreateFile(pipe_name.c_str(),
|
|
|
|
|
GENERIC_READ | GENERIC_WRITE,
|
|
|
|
|
0,
|
|
|
|
|
nullptr,
|
|
|
|
|
OPEN_EXISTING,
|
|
|
|
|
SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION,
|
|
|
|
|
nullptr));
|
|
|
|
|
if (!pipe.is_valid()) {
|
|
|
|
|
if (GetLastError() != ERROR_PIPE_BUSY) {
|
|
|
|
|
PLOG(ERROR) << "CreateFile";
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!WaitNamedPipe(pipe_name.c_str(), NMPWAIT_WAIT_FOREVER)) {
|
|
|
|
|
PLOG(ERROR) << "WaitNamedPipe";
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DWORD mode = PIPE_READMODE_MESSAGE;
|
|
|
|
|
if (!SetNamedPipeHandleState(pipe.get(), &mode, nullptr, nullptr)) {
|
|
|
|
|
PLOG(ERROR) << "SetNamedPipeHandleState";
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
DWORD bytes_read = 0;
|
|
|
|
|
BOOL result = TransactNamedPipe(
|
|
|
|
|
pipe.get(),
|
|
|
|
|
// This is [in], but is incorrectly declared non-const.
|
|
|
|
|
const_cast<ClientToServerMessage*>(&message),
|
|
|
|
|
sizeof(message),
|
|
|
|
|
response,
|
|
|
|
|
sizeof(*response),
|
|
|
|
|
&bytes_read,
|
|
|
|
|
nullptr);
|
|
|
|
|
if (!result) {
|
|
|
|
|
PLOG(ERROR) << "TransactNamedPipe";
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
if (bytes_read != sizeof(*response)) {
|
|
|
|
|
LOG(ERROR) << "TransactNamedPipe: expected " << sizeof(*response)
|
|
|
|
|
<< ", observed " << bytes_read;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
HANDLE CreateNamedPipeInstance(const std::wstring& pipe_name,
|
|
|
|
|
bool first_instance) {
|
|
|
|
|
SECURITY_ATTRIBUTES security_attributes;
|
|
|
|
|
SECURITY_ATTRIBUTES* security_attributes_pointer = nullptr;
|
|
|
|
|
|
|
|
|
|
if (first_instance) {
|
|
|
|
|
// Pre-Vista does not have integrity levels.
|
|
|
|
|
const DWORD version = GetVersion();
|
|
|
|
|
const DWORD major_version = LOBYTE(LOWORD(version));
|
|
|
|
|
const bool is_vista_or_later = major_version >= 6;
|
|
|
|
|
if (is_vista_or_later) {
|
|
|
|
|
memset(&security_attributes, 0, sizeof(security_attributes));
|
|
|
|
|
security_attributes.nLength = sizeof(SECURITY_ATTRIBUTES);
|
|
|
|
|
security_attributes.lpSecurityDescriptor =
|
|
|
|
|
const_cast<void*>(GetSecurityDescriptorForNamedPipeInstance(nullptr));
|
|
|
|
|
security_attributes.bInheritHandle = TRUE;
|
|
|
|
|
security_attributes_pointer = &security_attributes;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return CreateNamedPipe(
|
|
|
|
|
pipe_name.c_str(),
|
|
|
|
|
PIPE_ACCESS_DUPLEX | (first_instance ? FILE_FLAG_FIRST_PIPE_INSTANCE : 0),
|
|
|
|
|
PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
|
|
|
|
|
ExceptionHandlerServer::kPipeInstances,
|
|
|
|
|
512,
|
|
|
|
|
512,
|
|
|
|
|
0,
|
|
|
|
|
security_attributes_pointer);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const void* GetFallbackSecurityDescriptorForNamedPipeInstance(size_t* size) {
|
|
|
|
|
// Mandatory Label, no ACE flags, no ObjectType, integrity level untrusted is
|
|
|
|
|
// "S:(ML;;;;;S-1-16-0)". This static security descriptor is used as a
|
|
|
|
|
// fallback if GetSecurityDescriptorWithUser fails, to avoid losing crashes
|
|
|
|
|
// from non-AppContainer sandboxed applications.
|
|
|
|
|
|
|
|
|
|
#pragma pack(push, 1)
|
|
|
|
|
static constexpr struct SecurityDescriptorBlob {
|
|
|
|
|
// See https://msdn.microsoft.com/library/cc230366.aspx.
|
|
|
|
|
SECURITY_DESCRIPTOR_RELATIVE sd_rel;
|
|
|
|
|
struct {
|
|
|
|
|
ACL acl;
|
|
|
|
|
struct {
|
|
|
|
|
// This is equivalent to SYSTEM_MANDATORY_LABEL_ACE, but there's no
|
|
|
|
|
// DWORD offset to the SID, instead it's inline.
|
|
|
|
|
ACE_HEADER header;
|
|
|
|
|
ACCESS_MASK mask;
|
|
|
|
|
SID sid;
|
|
|
|
|
} ace[1];
|
|
|
|
|
} sacl;
|
|
|
|
|
} kSecDescBlob = {
|
|
|
|
|
// sd_rel.
|
|
|
|
|
{
|
|
|
|
|
SECURITY_DESCRIPTOR_REVISION1, // Revision.
|
|
|
|
|
0x00, // Sbz1.
|
|
|
|
|
SE_SELF_RELATIVE | SE_SACL_PRESENT, // Control.
|
|
|
|
|
0, // OffsetOwner.
|
|
|
|
|
0, // OffsetGroup.
|
|
|
|
|
offsetof(SecurityDescriptorBlob, sacl), // OffsetSacl.
|
|
|
|
|
0, // OffsetDacl.
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// sacl.
|
|
|
|
|
{
|
|
|
|
|
// acl.
|
|
|
|
|
{
|
|
|
|
|
ACL_REVISION, // AclRevision.
|
|
|
|
|
0, // Sbz1.
|
|
|
|
|
sizeof(kSecDescBlob.sacl), // AclSize.
|
2022-08-16 00:48:53 +00:00
|
|
|
|
static_cast<WORD>(std::size(kSecDescBlob.sacl.ace)), // AceCount.
|
2022-04-02 01:21:55 +00:00
|
|
|
|
0, // Sbz2.
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// ace[0].
|
|
|
|
|
{
|
|
|
|
|
{
|
|
|
|
|
// header.
|
|
|
|
|
{
|
|
|
|
|
SYSTEM_MANDATORY_LABEL_ACE_TYPE, // AceType.
|
|
|
|
|
0, // AceFlags.
|
|
|
|
|
sizeof(kSecDescBlob.sacl.ace[0]), // AceSize.
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// mask.
|
|
|
|
|
0,
|
|
|
|
|
|
|
|
|
|
// sid.
|
|
|
|
|
{
|
|
|
|
|
SID_REVISION, // Revision.
|
|
|
|
|
// SubAuthorityCount.
|
2022-08-16 00:48:53 +00:00
|
|
|
|
static_cast<BYTE>(
|
|
|
|
|
std::size(kSecDescBlob.sacl.ace[0].sid.SubAuthority)),
|
2022-04-02 01:21:55 +00:00
|
|
|
|
// IdentifierAuthority.
|
|
|
|
|
{SECURITY_MANDATORY_LABEL_AUTHORITY},
|
|
|
|
|
{SECURITY_MANDATORY_UNTRUSTED_RID}, // SubAuthority.
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
#pragma pack(pop)
|
|
|
|
|
|
|
|
|
|
if (size)
|
|
|
|
|
*size = sizeof(kSecDescBlob);
|
|
|
|
|
return reinterpret_cast<const void*>(&kSecDescBlob);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const void* GetSecurityDescriptorForNamedPipeInstance(size_t* size) {
|
|
|
|
|
CHECK(!IsThreadInLoaderLock());
|
|
|
|
|
|
|
|
|
|
// Get a security descriptor which grants the current user and SYSTEM full
|
|
|
|
|
// access to the named pipe. Also grant AppContainer RW access through the ALL
|
|
|
|
|
// APPLICATION PACKAGES SID (S-1-15-2-1). Finally add an Untrusted Mandatory
|
|
|
|
|
// Label for non-AppContainer sandboxed users.
|
|
|
|
|
static size_t sd_size;
|
|
|
|
|
static void* sec_desc = GetSecurityDescriptorWithUser(
|
|
|
|
|
L"D:(A;;GA;;;SY)(A;;GWGR;;;S-1-15-2-1)S:(ML;;;;;S-1-16-0)", &sd_size);
|
|
|
|
|
|
|
|
|
|
if (!sec_desc)
|
|
|
|
|
return GetFallbackSecurityDescriptorForNamedPipeInstance(size);
|
|
|
|
|
|
|
|
|
|
if (size)
|
|
|
|
|
*size = sd_size;
|
|
|
|
|
return sec_desc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
} // namespace crashpad
|