// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. // // A library to manage RLZ information for access-points shared // across different client applications. #include "rlz/lib/rlz_lib.h" #include #include #include #include "base/basictypes.h" #include "base/win/registry.h" #include "rlz/lib/assert.h" #include "rlz/lib/rlz_value_store.h" #include "rlz/win/lib/machine_deal.h" #include "rlz/win/lib/rlz_value_store_registry.h" namespace rlz_lib { // OEM Deal confirmation storage functions. template class typed_buffer_ptr { scoped_ptr buffer_; public: typed_buffer_ptr() { } explicit typed_buffer_ptr(size_t size) : buffer_(new char[size]) { } void reset(size_t size) { buffer_.reset(new char[size]); } operator T*() { return reinterpret_cast(buffer_.get()); } }; // Check if this SID has the desired access by scanning the ACEs in the DACL. // This function is part of the rlz_lib namespace so that it can be called from // unit tests. Non-unit test code should not call this function. bool HasAccess(PSID sid, ACCESS_MASK access_mask, ACL* dacl) { if (dacl == NULL) return false; ACL_SIZE_INFORMATION info; if (!GetAclInformation(dacl, &info, sizeof(info), AclSizeInformation)) return false; GENERIC_MAPPING generic_mapping = {KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS}; MapGenericMask(&access_mask, &generic_mapping); for (DWORD i = 0; i < info.AceCount; ++i) { ACCESS_ALLOWED_ACE* ace; if (GetAce(dacl, i, reinterpret_cast(&ace))) { if ((ace->Header.AceFlags & INHERIT_ONLY_ACE) == INHERIT_ONLY_ACE) continue; PSID existing_sid = reinterpret_cast(&ace->SidStart); DWORD mask = ace->Mask; MapGenericMask(&mask, &generic_mapping); if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && (mask & access_mask) == access_mask && EqualSid(existing_sid, sid)) return true; if (ace->Header.AceType == ACCESS_DENIED_ACE_TYPE && (mask & access_mask) != 0 && EqualSid(existing_sid, sid)) return false; } } return false; } bool CreateMachineState() { LibMutex lock; if (lock.failed()) return false; base::win::RegKey hklm_key; if (hklm_key.Create(HKEY_LOCAL_MACHINE, RlzValueStoreRegistry::GetWideLibKeyName().c_str(), KEY_ALL_ACCESS | KEY_WOW64_32KEY) != ERROR_SUCCESS) { ASSERT_STRING("rlz_lib::CreateMachineState: " "Unable to create / open machine key."); return false; } // Create a SID that represents ALL USERS. DWORD users_sid_size = SECURITY_MAX_SID_SIZE; typed_buffer_ptr users_sid(users_sid_size); CreateWellKnownSid(WinBuiltinUsersSid, NULL, users_sid, &users_sid_size); // Get the security descriptor for the registry key. DWORD original_sd_size = 0; ::RegGetKeySecurity(hklm_key.Handle(), DACL_SECURITY_INFORMATION, NULL, &original_sd_size); typed_buffer_ptr original_sd(original_sd_size); LONG result = ::RegGetKeySecurity(hklm_key.Handle(), DACL_SECURITY_INFORMATION, original_sd, &original_sd_size); if (result != ERROR_SUCCESS) { ASSERT_STRING("rlz_lib::CreateMachineState: " "Unable to create / open machine key."); return false; } // Make a copy of the security descriptor so we can modify it. The one // returned by RegGetKeySecurity() is self-relative, so we need to make it // absolute. DWORD new_sd_size = 0; DWORD dacl_size = 0; DWORD sacl_size = 0; DWORD owner_size = 0; DWORD group_size = 0; ::MakeAbsoluteSD(original_sd, NULL, &new_sd_size, NULL, &dacl_size, NULL, &sacl_size, NULL, &owner_size, NULL, &group_size); typed_buffer_ptr new_sd(new_sd_size); // Make sure the DACL is big enough to add one more ACE. typed_buffer_ptr dacl(dacl_size + SECURITY_MAX_SID_SIZE); typed_buffer_ptr sacl(sacl_size); typed_buffer_ptr owner(owner_size); typed_buffer_ptr group(group_size); if (!::MakeAbsoluteSD(original_sd, new_sd, &new_sd_size, dacl, &dacl_size, sacl, &sacl_size, owner, &owner_size, group, &group_size)) { ASSERT_STRING("rlz_lib::CreateMachineState: MakeAbsoluteSD failed"); return false; } // If all users already have read/write access to the registry key, then // nothing to do. Otherwise change the security descriptor of the key to // give everyone access. if (HasAccess(users_sid, KEY_ALL_ACCESS, dacl)) { return false; } // Add ALL-USERS ALL-ACCESS ACL. EXPLICIT_ACCESS ea; ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); ea.grfAccessPermissions = GENERIC_ALL | KEY_ALL_ACCESS; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance= SUB_CONTAINERS_AND_OBJECTS_INHERIT; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.ptstrName = L"Everyone"; ACL* new_dacl = NULL; result = SetEntriesInAcl(1, &ea, dacl, &new_dacl); if (result != ERROR_SUCCESS) { ASSERT_STRING("rlz_lib::CreateMachineState: SetEntriesInAcl failed"); return false; } BOOL ok = SetSecurityDescriptorDacl(new_sd, TRUE, new_dacl, FALSE); if (!ok) { ASSERT_STRING("rlz_lib::CreateMachineState: " "SetSecurityDescriptorOwner failed"); LocalFree(new_dacl); return false; } result = ::RegSetKeySecurity(hklm_key.Handle(), DACL_SECURITY_INFORMATION, new_sd); // Note that the new DACL cannot be freed until after the call to // RegSetKeySecurity(). LocalFree(new_dacl); bool success = true; if (result != ERROR_SUCCESS) { ASSERT_STRING("rlz_lib::CreateMachineState: " "Unable to create / open machine key."); success = false; } return success; } bool SetMachineDealCode(const char* dcc) { return MachineDealCode::Set(dcc); } bool GetMachineDealCodeAsCgi(char* cgi, size_t cgi_size) { return MachineDealCode::GetAsCgi(cgi, cgi_size); } bool GetMachineDealCode(char* dcc, size_t dcc_size) { return MachineDealCode::Get(dcc, dcc_size); } // Combined functions. bool SetMachineDealCodeFromPingResponse(const char* response) { return MachineDealCode::SetFromPingResponse(response); } } // namespace rlz_lib