1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
|
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "remoting/host/win/chromoting_module.h"
#include <sddl.h>
#include "base/lazy_instance.h"
#include "base/logging.h"
#include "base/message_loop/message_loop.h"
#include "base/run_loop.h"
#include "base/strings/utf_string_conversions.h"
#include "base/win/scoped_handle.h"
#include "base/win/windows_version.h"
#include "remoting/base/auto_thread_task_runner.h"
#include "remoting/base/typed_buffer.h"
#include "remoting/host/host_exit_codes.h"
#include "remoting/host/win/com_security.h"
#include "remoting/host/win/elevated_controller.h"
#include "remoting/host/win/rdp_desktop_session.h"
namespace remoting {
namespace {
// A security descriptor allowing local processes running under SYSTEM, built-in
// administrators and interactive users to call COM methods.
const wchar_t kElevatedControllerSd[] =
SDDL_OWNER L":" SDDL_BUILTIN_ADMINISTRATORS
SDDL_GROUP L":" SDDL_BUILTIN_ADMINISTRATORS
SDDL_DACL L":"
SDDL_ACE(SDDL_ACCESS_ALLOWED, SDDL_COM_EXECUTE_LOCAL, SDDL_LOCAL_SYSTEM)
SDDL_ACE(SDDL_ACCESS_ALLOWED, SDDL_COM_EXECUTE_LOCAL,
SDDL_BUILTIN_ADMINISTRATORS)
SDDL_ACE(SDDL_ACCESS_ALLOWED, SDDL_COM_EXECUTE_LOCAL, SDDL_INTERACTIVE);
// Holds a reference to the task runner used by the module.
base::LazyInstance<scoped_refptr<AutoThreadTaskRunner> > g_module_task_runner =
LAZY_INSTANCE_INITIALIZER;
// Lowers the process integrity level such that it does not exceed |max_level|.
// |max_level| is expected to be one of SECURITY_MANDATORY_XXX constants.
bool LowerProcessIntegrityLevel(DWORD max_level) {
HANDLE temp_handle;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_WRITE,
&temp_handle)) {
PLOG(ERROR) << "OpenProcessToken() failed";
return false;
}
base::win::ScopedHandle token(temp_handle);
TypedBuffer<TOKEN_MANDATORY_LABEL> mandatory_label;
DWORD length = 0;
// Get the size of the buffer needed to hold the mandatory label.
BOOL result = GetTokenInformation(token, TokenIntegrityLevel,
mandatory_label.get(), length, &length);
if (!result && GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
// Allocate a buffer that is large enough.
TypedBuffer<TOKEN_MANDATORY_LABEL> buffer(length);
mandatory_label.Swap(buffer);
// Get the the mandatory label.
result = GetTokenInformation(token, TokenIntegrityLevel,
mandatory_label.get(), length, &length);
}
if (!result) {
PLOG(ERROR) << "Failed to get the mandatory label";
return false;
}
// Read the current integrity level.
DWORD sub_authority_count =
*GetSidSubAuthorityCount(mandatory_label->Label.Sid);
DWORD* current_level = GetSidSubAuthority(mandatory_label->Label.Sid,
sub_authority_count - 1);
// Set the integrity level to |max_level| if needed.
if (*current_level > max_level) {
*current_level = max_level;
if (!SetTokenInformation(token, TokenIntegrityLevel, mandatory_label.get(),
length)) {
PLOG(ERROR) << "Failed to set the mandatory label";
return false;
}
}
return true;
}
} // namespace
ChromotingModule::ChromotingModule(
ATL::_ATL_OBJMAP_ENTRY* classes,
ATL::_ATL_OBJMAP_ENTRY* classes_end)
: classes_(classes),
classes_end_(classes_end) {
// Don't do anything if COM initialization failed.
if (!com_initializer_.succeeded())
return;
ATL::_AtlComModule.ExecuteObjectMain(true);
}
ChromotingModule::~ChromotingModule() {
// Don't do anything if COM initialization failed.
if (!com_initializer_.succeeded())
return;
Term();
ATL::_AtlComModule.ExecuteObjectMain(false);
}
// static
scoped_refptr<AutoThreadTaskRunner> ChromotingModule::task_runner() {
return g_module_task_runner.Get();
}
bool ChromotingModule::Run() {
// Don't do anything if COM initialization failed.
if (!com_initializer_.succeeded())
return false;
// Register class objects.
HRESULT result = RegisterClassObjects(CLSCTX_LOCAL_SERVER,
REGCLS_MULTIPLEUSE | REGCLS_SUSPENDED);
if (FAILED(result)) {
LOG(ERROR) << "Failed to register class objects, result=0x"
<< std::hex << result << std::dec << ".";
return false;
}
// Arrange to run |message_loop| until no components depend on it.
base::MessageLoopForUI message_loop;
base::RunLoop run_loop;
g_module_task_runner.Get() = new AutoThreadTaskRunner(
message_loop.message_loop_proxy(), run_loop.QuitClosure());
// Start accepting activations.
result = CoResumeClassObjects();
if (FAILED(result)) {
LOG(ERROR) << "CoResumeClassObjects() failed, result=0x"
<< std::hex << result << std::dec << ".";
return false;
}
// Run the loop until the module lock counter reaches zero.
run_loop.Run();
// Unregister class objects.
result = RevokeClassObjects();
if (FAILED(result)) {
LOG(ERROR) << "Failed to unregister class objects, result=0x"
<< std::hex << result << std::dec << ".";
return false;
}
return true;
}
LONG ChromotingModule::Unlock() {
LONG count = ATL::CAtlModuleT<ChromotingModule>::Unlock();
if (!count) {
// Stop accepting activations.
HRESULT hr = CoSuspendClassObjects();
CHECK(SUCCEEDED(hr));
// Release the message loop reference, causing the message loop to exit.
g_module_task_runner.Get() = NULL;
}
return count;
}
HRESULT ChromotingModule::RegisterClassObjects(DWORD class_context,
DWORD flags) {
for (ATL::_ATL_OBJMAP_ENTRY* i = classes_; i != classes_end_; ++i) {
HRESULT result = i->RegisterClassObject(class_context, flags);
if (FAILED(result))
return result;
}
return S_OK;
}
HRESULT ChromotingModule::RevokeClassObjects() {
for (ATL::_ATL_OBJMAP_ENTRY* i = classes_; i != classes_end_; ++i) {
HRESULT result = i->RevokeClassObject();
if (FAILED(result))
return result;
}
return S_OK;
}
// Elevated controller entry point.
int ElevatedControllerMain() {
ATL::_ATL_OBJMAP_ENTRY elevated_controller_entry[] = {
OBJECT_ENTRY(__uuidof(ElevatedController), ElevatedController)
};
ChromotingModule module(elevated_controller_entry,
elevated_controller_entry + 1);
if (!InitializeComSecurity(WideToUTF8(kElevatedControllerSd), "", true))
return kInitializationFailed;
if (!module.Run())
return kInitializationFailed;
return kSuccessExitCode;
}
// RdpClient entry point.
int RdpDesktopSessionMain() {
// Lower the integrity level to medium, which is the lowest level at which
// the RDP ActiveX control can run.
if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
if (!LowerProcessIntegrityLevel(SECURITY_MANDATORY_MEDIUM_RID))
return kInitializationFailed;
}
ATL::_ATL_OBJMAP_ENTRY rdp_client_entry[] = {
OBJECT_ENTRY(__uuidof(RdpDesktopSession), RdpDesktopSession)
};
ChromotingModule module(rdp_client_entry, rdp_client_entry + 1);
return module.Run() ? kSuccessExitCode : kInitializationFailed;
}
} // namespace remoting
|