kicad/thirdparty/sentry-native/external/crashpad/util/win/registration_protocol_win.cc

272 lines
9.1 KiB
C++
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

// Copyright 2015 The Crashpad Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "util/win/registration_protocol_win.h"
#include <windows.h>
#include <aclapi.h>
#include <sddl.h>
#include <stddef.h>
#include <iterator>
#include "base/check.h"
#include "base/logging.h"
#include "util/win/exception_handler_server.h"
#include "util/win/loader_lock.h"
#include "util/win/scoped_handle.h"
#include "util/win/scoped_local_alloc.h"
namespace crashpad {
namespace {
void* GetSecurityDescriptorWithUser(const wchar_t* sddl_string, size_t* size) {
if (size)
*size = 0;
PSECURITY_DESCRIPTOR base_sec_desc;
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(
sddl_string, SDDL_REVISION_1, &base_sec_desc, nullptr)) {
PLOG(ERROR) << "ConvertStringSecurityDescriptorToSecurityDescriptor";
return nullptr;
}
ScopedLocalAlloc base_sec_desc_owner(base_sec_desc);
EXPLICIT_ACCESS access;
wchar_t username[] = L"CURRENT_USER";
BuildExplicitAccessWithName(
&access, username, GENERIC_ALL, GRANT_ACCESS, NO_INHERITANCE);
PSECURITY_DESCRIPTOR user_sec_desc;
ULONG user_sec_desc_size;
DWORD error = BuildSecurityDescriptor(nullptr,
nullptr,
1,
&access,
0,
nullptr,
base_sec_desc,
&user_sec_desc_size,
&user_sec_desc);
if (error != ERROR_SUCCESS) {
SetLastError(error);
PLOG(ERROR) << "BuildSecurityDescriptor";
return nullptr;
}
*size = user_sec_desc_size;
return user_sec_desc;
}
} // namespace
bool SendToCrashHandlerServer(const std::wstring& pipe_name,
const ClientToServerMessage& message,
ServerToClientMessage* response) {
// Retry CreateFile() in a loop. If the handler isnt actively waiting in
// ConnectNamedPipe() on a pipe instance because its busy doing something
// else, CreateFile() will fail with ERROR_PIPE_BUSY. WaitNamedPipe() waits
// until a pipe instance is ready, but theres no way to wait for this
// condition and atomically open the client side of the pipe in a single
// operation. CallNamedPipe() implements similar retry logic to this, also in
// user-mode code.
//
// This loop is only intended to retry on ERROR_PIPE_BUSY. Notably, if the
// handler is so lazy that it hasnt even called CreateNamedPipe() yet,
// CreateFile() will fail with ERROR_FILE_NOT_FOUND, and this function is
// expected to fail without retrying anything. If the handler is started at
// around the same time as its client, something external to this code must be
// done to guarantee correct ordering. When the client starts the handler
// itself, CrashpadClient::StartHandler() provides this synchronization.
for (;;) {
ScopedFileHANDLE pipe(
CreateFile(pipe_name.c_str(),
GENERIC_READ | GENERIC_WRITE,
0,
nullptr,
OPEN_EXISTING,
SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION,
nullptr));
if (!pipe.is_valid()) {
if (GetLastError() != ERROR_PIPE_BUSY) {
PLOG(ERROR) << "CreateFile";
return false;
}
if (!WaitNamedPipe(pipe_name.c_str(), NMPWAIT_WAIT_FOREVER)) {
PLOG(ERROR) << "WaitNamedPipe";
return false;
}
continue;
}
DWORD mode = PIPE_READMODE_MESSAGE;
if (!SetNamedPipeHandleState(pipe.get(), &mode, nullptr, nullptr)) {
PLOG(ERROR) << "SetNamedPipeHandleState";
return false;
}
DWORD bytes_read = 0;
BOOL result = TransactNamedPipe(
pipe.get(),
// This is [in], but is incorrectly declared non-const.
const_cast<ClientToServerMessage*>(&message),
sizeof(message),
response,
sizeof(*response),
&bytes_read,
nullptr);
if (!result) {
PLOG(ERROR) << "TransactNamedPipe";
return false;
}
if (bytes_read != sizeof(*response)) {
LOG(ERROR) << "TransactNamedPipe: expected " << sizeof(*response)
<< ", observed " << bytes_read;
return false;
}
return true;
}
}
HANDLE CreateNamedPipeInstance(const std::wstring& pipe_name,
bool first_instance) {
SECURITY_ATTRIBUTES security_attributes;
SECURITY_ATTRIBUTES* security_attributes_pointer = nullptr;
if (first_instance) {
// Pre-Vista does not have integrity levels.
const DWORD version = GetVersion();
const DWORD major_version = LOBYTE(LOWORD(version));
const bool is_vista_or_later = major_version >= 6;
if (is_vista_or_later) {
memset(&security_attributes, 0, sizeof(security_attributes));
security_attributes.nLength = sizeof(SECURITY_ATTRIBUTES);
security_attributes.lpSecurityDescriptor =
const_cast<void*>(GetSecurityDescriptorForNamedPipeInstance(nullptr));
security_attributes.bInheritHandle = TRUE;
security_attributes_pointer = &security_attributes;
}
}
return CreateNamedPipe(
pipe_name.c_str(),
PIPE_ACCESS_DUPLEX | (first_instance ? FILE_FLAG_FIRST_PIPE_INSTANCE : 0),
PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
ExceptionHandlerServer::kPipeInstances,
512,
512,
0,
security_attributes_pointer);
}
const void* GetFallbackSecurityDescriptorForNamedPipeInstance(size_t* size) {
// Mandatory Label, no ACE flags, no ObjectType, integrity level untrusted is
// "S:(ML;;;;;S-1-16-0)". This static security descriptor is used as a
// fallback if GetSecurityDescriptorWithUser fails, to avoid losing crashes
// from non-AppContainer sandboxed applications.
#pragma pack(push, 1)
static constexpr struct SecurityDescriptorBlob {
// See https://msdn.microsoft.com/library/cc230366.aspx.
SECURITY_DESCRIPTOR_RELATIVE sd_rel;
struct {
ACL acl;
struct {
// This is equivalent to SYSTEM_MANDATORY_LABEL_ACE, but there's no
// DWORD offset to the SID, instead it's inline.
ACE_HEADER header;
ACCESS_MASK mask;
SID sid;
} ace[1];
} sacl;
} kSecDescBlob = {
// sd_rel.
{
SECURITY_DESCRIPTOR_REVISION1, // Revision.
0x00, // Sbz1.
SE_SELF_RELATIVE | SE_SACL_PRESENT, // Control.
0, // OffsetOwner.
0, // OffsetGroup.
offsetof(SecurityDescriptorBlob, sacl), // OffsetSacl.
0, // OffsetDacl.
},
// sacl.
{
// acl.
{
ACL_REVISION, // AclRevision.
0, // Sbz1.
sizeof(kSecDescBlob.sacl), // AclSize.
static_cast<WORD>(std::size(kSecDescBlob.sacl.ace)), // AceCount.
0, // Sbz2.
},
// ace[0].
{
{
// header.
{
SYSTEM_MANDATORY_LABEL_ACE_TYPE, // AceType.
0, // AceFlags.
sizeof(kSecDescBlob.sacl.ace[0]), // AceSize.
},
// mask.
0,
// sid.
{
SID_REVISION, // Revision.
// SubAuthorityCount.
static_cast<BYTE>(
std::size(kSecDescBlob.sacl.ace[0].sid.SubAuthority)),
// IdentifierAuthority.
{SECURITY_MANDATORY_LABEL_AUTHORITY},
{SECURITY_MANDATORY_UNTRUSTED_RID}, // SubAuthority.
},
},
},
},
};
#pragma pack(pop)
if (size)
*size = sizeof(kSecDescBlob);
return reinterpret_cast<const void*>(&kSecDescBlob);
}
const void* GetSecurityDescriptorForNamedPipeInstance(size_t* size) {
CHECK(!IsThreadInLoaderLock());
// Get a security descriptor which grants the current user and SYSTEM full
// access to the named pipe. Also grant AppContainer RW access through the ALL
// APPLICATION PACKAGES SID (S-1-15-2-1). Finally add an Untrusted Mandatory
// Label for non-AppContainer sandboxed users.
static size_t sd_size;
static void* sec_desc = GetSecurityDescriptorWithUser(
L"D:(A;;GA;;;SY)(A;;GWGR;;;S-1-15-2-1)S:(ML;;;;;S-1-16-0)", &sd_size);
if (!sec_desc)
return GetFallbackSecurityDescriptorForNamedPipeInstance(size);
if (size)
*size = sd_size;
return sec_desc;
}
} // namespace crashpad