Chromoting: Implemented security attention sequence (SAS) emulation on Windows.

remoting/host/wts_session_process_launcher_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // This file implements the Windows service controlling Me2Me host processes
 // running within user sessions.
 
 #include "remoting/host/wts_session_process_launcher_win.h"
 
 #include <windows.h>
 
 #include "base/logging.h"
+#include "base/threading/thread.h"
 #include "base/utf_string_conversions.h"
 #include "base/win/scoped_handle.h"
+#include "ipc/ipc_channel_proxy.h"
+#include "ipc/ipc_message.h"
+#include "ipc/ipc_message_macros.h"
 
+#include "remoting/host/chromoting_session_messages.h"
+#include "remoting/host/sas_injector_win.h"
 #include "remoting/host/wts_console_monitor_win.h"
 
 using base::win::ScopedHandle;
 using base::TimeDelta;
 
 namespace {
 
 // The minimum and maximum delays between attempts to inject host process into
 // a session.
 const int kMaxLaunchDelaySeconds = 60;
 const int kMinLaunchDelaySeconds = 1;
 
 // Name of the default session desktop.
 const char kDefaultDesktopName[] = "winsta0\\default";
 
+// Name of the chromoting service IPC channel.
+const char kChromotingSessionChannelName[] = "chromoting_session";
+
 // Takes the process token and makes a copy of it. The returned handle will have
 // |desired_access| rights.
 bool CopyProcessToken(DWORD desired_access,
                       ScopedHandle* token_out) {
 
   HANDLE handle;
   if (!OpenProcessToken(GetCurrentProcess(),
                         TOKEN_DUPLICATE | desired_access,
                         &handle)) {
     LOG_GETLASTERROR(ERROR) << "Failed to open process token";
@@ skipping 107 matching lines @@
   process_out->set_handle(process_info.hProcess);
   return true;
 }
 
 } // namespace
 
 namespace remoting {
 
 WtsSessionProcessLauncher::WtsSessionProcessLauncher(
     WtsConsoleMonitor* monitor,
-    const FilePath& host_binary)
+    const FilePath& host_binary,
+    base::Thread* io_thread)
     : host_binary_(host_binary),
+      io_thread_(io_thread),
       monitor_(monitor),
       state_(StateDetached) {
   monitor_->AddWtsConsoleObserver(this);
 }
 
 WtsSessionProcessLauncher::~WtsSessionProcessLauncher() {
   DCHECK(state_ == StateDetached);
   DCHECK(!timer_.IsRunning());
   DCHECK(process_.handle() == NULL);
   DCHECK(process_watcher_.GetWatchedObject() == NULL);
+  DCHECK(chromoting_session_.get() == NULL);
 
   monitor_->RemoveWtsConsoleObserver(this);
 }
 
 void WtsSessionProcessLauncher::LaunchProcess() {
   DCHECK(state_ == StateStarting);
   DCHECK(!timer_.IsRunning());
   DCHECK(process_.handle() == NULL);
   DCHECK(process_watcher_.GetWatchedObject() == NULL);
+  DCHECK(chromoting_session_.get() == NULL);
+
+  launch_time_ = base::Time::Now();
+
+  // Create the chromoting service IPC channel on the I/O thread.
+  // N.B. IPC::Channel passes NULL as the security attributes pointer to
+  //      CreateNamedPipe() so the pipe gets the default security descriptor.
+  //      The ACLs in the default security descriptor for a named pipe grant
+  //      full control to the LocalSystem account, administrators, and
+  //      the creator owner. They also grant read access to members of the
+  //      Everyone group and the anonymous account.
+  //
+  //      IPC::Channel also specifies the PIPE_ACCESS_DUPLEX mode for
+  //      the created pipe. A client has to specify the same duplex mode in
+  //      order to connect. Which means that clients with read-only access
+  //      (Everyone and anonymous) will not be able to connect.

[Wez, 2012/03/08 00:01:33]

nit: ... to connect, which means ...

The comment makes more sense, but as a security guarantee it seems a little
weak.

[alexeypa (please no reviews), 2012/03/08 01:52:54]

Actually, there is much more serious problem with the client end of the pipe. In
it's current implementation it can leak LocalSystem context to a low-privileged
process. I'll need to harden this a little bit.

+  chromoting_session_.reset(new IPC::ChannelProxy(
+                                    kChromotingSessionChannelName,
+                                    IPC::Channel::MODE_SERVER,
+                                    this,
+                                    io_thread_->message_loop_proxy().get()));
 
   // Try to launch the process and attach an object watcher to the returned
   // handle so that we get notified when the process terminates.
-  launch_time_ = base::Time::Now();
   if (LaunchProcessAsUser(host_binary_, session_token_, &process_)) {
     if (process_watcher_.StartWatching(process_.handle(), this)) {
       state_ = StateAttached;
       return;
     } else {
       LOG(ERROR) << "Failed to arm the process watcher.";
       process_.Terminate(0);
       process_.Close();
+      chromoting_session_.reset();
     }
   }
 
   // Something went wrong. Try to launch the host again later. The attempts rate
   // is limited by exponential backoff.
   launch_backoff_ = std::max(launch_backoff_ * 2,
                              TimeDelta::FromSeconds(kMinLaunchDelaySeconds));
   launch_backoff_ = std::min(launch_backoff_,
                              TimeDelta::FromSeconds(kMaxLaunchDelaySeconds));
   timer_.Start(FROM_HERE, launch_backoff_,
                this, &WtsSessionProcessLauncher::LaunchProcess);
 }
 
 void WtsSessionProcessLauncher::OnObjectSignaled(HANDLE object) {
   DCHECK(state_ == StateAttached);
   DCHECK(!timer_.IsRunning());
   DCHECK(process_.handle() != NULL);
   DCHECK(process_watcher_.GetWatchedObject() == NULL);
+  DCHECK(chromoting_session_.get() != NULL);
 
   // The host process has been terminated for some reason. The handle can now be
   // closed.
   process_.Close();
+  chromoting_session_.reset();
 
   // Expand the backoff interval if the process has died quickly or reset it if
   // it was up longer than the maximum backoff delay.
   base::TimeDelta delta = base::Time::Now() - launch_time_;
   if (delta < base::TimeDelta() ||
       delta >= base::TimeDelta::FromSeconds(kMaxLaunchDelaySeconds)) {
     launch_backoff_ = base::TimeDelta();
   } else {
     launch_backoff_ = std::max(launch_backoff_ * 2,
                                TimeDelta::FromSeconds(kMinLaunchDelaySeconds));
     launch_backoff_ = std::min(launch_backoff_,
                                TimeDelta::FromSeconds(kMaxLaunchDelaySeconds));
   }
 
   // Try to restart the host.
   state_ = StateStarting;
   timer_.Start(FROM_HERE, launch_backoff_,
                this, &WtsSessionProcessLauncher::LaunchProcess);
 }
 
+bool WtsSessionProcessLauncher::OnMessageReceived(const IPC::Message& message) {
+  bool handled = true;
+  IPC_BEGIN_MESSAGE_MAP(WtsSessionProcessLauncher, message)
+      IPC_MESSAGE_HANDLER(ChromotingSessionMsg_SendSasToConsole,
+                          OnSendSasToConsole)
+      IPC_MESSAGE_UNHANDLED(handled = false)
+  IPC_END_MESSAGE_MAP()
+  return handled;
+}
+
+void WtsSessionProcessLauncher::OnSendSasToConsole() {
+  if (state_ == StateAttached) {
+    if (sas_injector_.get() == NULL) {
+      sas_injector_ = SasInjector::Create();
+    }
+
+    if (sas_injector_.get() != NULL) {
+      sas_injector_->InjectSas();
+    }
+  }
+}
+
 void WtsSessionProcessLauncher::OnSessionAttached(uint32 session_id) {
   DCHECK(state_ == StateDetached);
   DCHECK(!timer_.IsRunning());
   DCHECK(process_.handle() == NULL);
   DCHECK(process_watcher_.GetWatchedObject() == NULL);
+  DCHECK(chromoting_session_.get() == NULL);
 
   // Temporarily enable the SE_TCB_NAME privilege. The privileged token is
   // created as needed and kept for later reuse.
   if (privileged_token_.Get() == NULL) {
     if (!CreatePrivilegedToken(&privileged_token_)) {
       return;
     }
   }
 
   if (!ImpersonateLoggedOnUser(privileged_token_)) {
     LOG_GETLASTERROR(ERROR) <<
         "Failed to impersonate the privileged token";
     return;
   }
 
-  // While the SE_TCB_NAME progolege is enabled, create a session token for
+  // While the SE_TCB_NAME privilege is enabled, create a session token for
   // the launched process.
   bool result = CreateSessionToken(session_id, &session_token_);
 
   // Revert to the default token. The default token is sufficient to call
   // CreateProcessAsUser() successfully.
   CHECK(RevertToSelf());
 
   if (!result)
     return;
 
   // Now try to launch the host.
   state_ = StateStarting;
   LaunchProcess();
 }
 
 void WtsSessionProcessLauncher::OnSessionDetached() {
   DCHECK(state_ == StateDetached ||
          state_ == StateStarting ||
          state_ == StateAttached);
 
   switch (state_) {
     case StateDetached:
       DCHECK(!timer_.IsRunning());
       DCHECK(process_.handle() == NULL);
       DCHECK(process_watcher_.GetWatchedObject() == NULL);
+      DCHECK(chromoting_session_.get() == NULL);
       break;
 
     case StateStarting:
       DCHECK(timer_.IsRunning());
       DCHECK(process_.handle() == NULL);
       DCHECK(process_watcher_.GetWatchedObject() == NULL);
+      DCHECK(chromoting_session_.get() == NULL);
 
       timer_.Stop();
       launch_backoff_ = base::TimeDelta();
       state_ = StateDetached;
       break;
 
     case StateAttached:
       DCHECK(!timer_.IsRunning());
       DCHECK(process_.handle() != NULL);
       DCHECK(process_watcher_.GetWatchedObject() != NULL);
+      DCHECK(chromoting_session_.get() != NULL);
 
       process_watcher_.StopWatching();
       process_.Terminate(0);
       process_.Close();
+      chromoting_session_.reset();
       state_ = StateDetached;
       break;
   }
 }
 
 } // namespace remoting