1 // Copyright 2021 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/win/security_util.h"
6
7 #include <windows.h>
8
9 #include <winternl.h>
10
11 #include <optional>
12
13 #include "base/check.h"
14 #include "base/containers/to_vector.h"
15 #include "base/files/file_path.h"
16 #include "base/logging.h"
17 #include "base/threading/scoped_blocking_call.h"
18 #include "base/win/access_control_list.h"
19 #include "base/win/scoped_handle.h"
20 #include "base/win/security_descriptor.h"
21
22 namespace base {
23 namespace win {
24
25 namespace {
26
AddACEToPath(const FilePath & path,const std::vector<Sid> & sids,DWORD access_mask,DWORD inheritance,bool recursive,SecurityAccessMode access_mode)27 bool AddACEToPath(const FilePath& path,
28 const std::vector<Sid>& sids,
29 DWORD access_mask,
30 DWORD inheritance,
31 bool recursive,
32 SecurityAccessMode access_mode) {
33 DCHECK(!path.empty());
34 if (sids.empty()) {
35 return true;
36 }
37 base::ScopedBlockingCall scoped_blocking_call(FROM_HERE,
38 base::BlockingType::MAY_BLOCK);
39
40 std::optional<SecurityDescriptor> sd =
41 SecurityDescriptor::FromFile(path, DACL_SECURITY_INFORMATION);
42 if (!sd) {
43 return false;
44 }
45
46 std::vector<ExplicitAccessEntry> entries;
47 for (const Sid& sid : sids) {
48 entries.emplace_back(sid, access_mode, access_mask, inheritance);
49 }
50
51 if (!sd->SetDaclEntries(entries)) {
52 return false;
53 }
54
55 if (recursive) {
56 return sd->WriteToFile(path, DACL_SECURITY_INFORMATION);
57 }
58
59 ScopedHandle handle(::CreateFile(path.value().c_str(), WRITE_DAC, 0, nullptr,
60 OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS,
61 nullptr));
62 if (!handle.is_valid()) {
63 DPLOG(ERROR) << "Failed opening path \"" << path.value()
64 << "\" to write DACL";
65 return false;
66 }
67 return sd->WriteToHandle(handle.get(), SecurityObjectType::kKernel,
68 DACL_SECURITY_INFORMATION);
69 }
70
71 } // namespace
72
GrantAccessToPath(const FilePath & path,const std::vector<Sid> & sids,DWORD access_mask,DWORD inheritance,bool recursive)73 bool GrantAccessToPath(const FilePath& path,
74 const std::vector<Sid>& sids,
75 DWORD access_mask,
76 DWORD inheritance,
77 bool recursive) {
78 return AddACEToPath(path, sids, access_mask, inheritance, recursive,
79 SecurityAccessMode::kGrant);
80 }
81
DenyAccessToPath(const FilePath & path,const std::vector<Sid> & sids,DWORD access_mask,DWORD inheritance,bool recursive)82 bool DenyAccessToPath(const FilePath& path,
83 const std::vector<Sid>& sids,
84 DWORD access_mask,
85 DWORD inheritance,
86 bool recursive) {
87 return AddACEToPath(path, sids, access_mask, inheritance, recursive,
88 SecurityAccessMode::kDeny);
89 }
90
CloneSidVector(const std::vector<Sid> & sids)91 std::vector<Sid> CloneSidVector(const std::vector<Sid>& sids) {
92 return base::ToVector(sids, &Sid::Clone);
93 }
94
AppendSidVector(std::vector<Sid> & base_sids,const std::vector<Sid> & append_sids)95 void AppendSidVector(std::vector<Sid>& base_sids,
96 const std::vector<Sid>& append_sids) {
97 for (const Sid& sid : append_sids) {
98 base_sids.push_back(sid.Clone());
99 }
100 }
101
GetGrantedAccess(HANDLE handle)102 std::optional<ACCESS_MASK> GetGrantedAccess(HANDLE handle) {
103 PUBLIC_OBJECT_BASIC_INFORMATION basic_info = {};
104 if (!NT_SUCCESS(::NtQueryObject(handle, ObjectBasicInformation, &basic_info,
105 sizeof(basic_info), nullptr))) {
106 return std::nullopt;
107 }
108 return basic_info.GrantedAccess;
109 }
110
111 } // namespace win
112 } // namespace base
113