xref: /aosp_15_r20/external/cronet/base/win/security_util.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b)
1*6777b538SAndroid Build Coastguard Worker // Copyright 2021 The Chromium Authors
2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be
3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file.
4*6777b538SAndroid Build Coastguard Worker 
5*6777b538SAndroid Build Coastguard Worker #include "base/win/security_util.h"
6*6777b538SAndroid Build Coastguard Worker 
7*6777b538SAndroid Build Coastguard Worker #include <windows.h>
8*6777b538SAndroid Build Coastguard Worker 
9*6777b538SAndroid Build Coastguard Worker #include <winternl.h>
10*6777b538SAndroid Build Coastguard Worker 
11*6777b538SAndroid Build Coastguard Worker #include <optional>
12*6777b538SAndroid Build Coastguard Worker 
13*6777b538SAndroid Build Coastguard Worker #include "base/check.h"
14*6777b538SAndroid Build Coastguard Worker #include "base/containers/to_vector.h"
15*6777b538SAndroid Build Coastguard Worker #include "base/files/file_path.h"
16*6777b538SAndroid Build Coastguard Worker #include "base/logging.h"
17*6777b538SAndroid Build Coastguard Worker #include "base/threading/scoped_blocking_call.h"
18*6777b538SAndroid Build Coastguard Worker #include "base/win/access_control_list.h"
19*6777b538SAndroid Build Coastguard Worker #include "base/win/scoped_handle.h"
20*6777b538SAndroid Build Coastguard Worker #include "base/win/security_descriptor.h"
21*6777b538SAndroid Build Coastguard Worker 
22*6777b538SAndroid Build Coastguard Worker namespace base {
23*6777b538SAndroid Build Coastguard Worker namespace win {
24*6777b538SAndroid Build Coastguard Worker 
25*6777b538SAndroid Build Coastguard Worker namespace {
26*6777b538SAndroid Build Coastguard Worker 
// Adds one explicit access entry per SID in |sids| to the DACL of |path|.
// Every entry uses the same |access_mode|, |access_mask| and |inheritance|.
//
// Returns true on success. Also returns true, without reading or writing
// anything, when |sids| is empty. Returns false if the security descriptor
// cannot be loaded, the entries cannot be applied to it, or the updated DACL
// cannot be written back.
//
// NOTE(review): |path| is resolved by name once to load the descriptor and a
// second time to write it, so the update is not atomic. Callers should only
// use this on locations where a less-privileged party cannot swap the object
// between the two steps.
bool AddACEToPath(const FilePath& path,
                  const std::vector<Sid>& sids,
                  DWORD access_mask,
                  DWORD inheritance,
                  bool recursive,
                  SecurityAccessMode access_mode) {
  // An empty path is a caller bug; this is only enforced where DCHECKs are on.
  DCHECK(!path.empty());
  if (sids.empty()) {
    return true;
  }
  base::ScopedBlockingCall scoped_blocking_call(FROM_HERE,
                                                base::BlockingType::MAY_BLOCK);

  // Only the DACL portion of the descriptor is requested and later written.
  std::optional<SecurityDescriptor> descriptor =
      SecurityDescriptor::FromFile(path, DACL_SECURITY_INFORMATION);
  if (!descriptor.has_value()) {
    return false;
  }

  std::vector<ExplicitAccessEntry> aces;
  for (const Sid& sid : sids) {
    aces.emplace_back(sid, access_mode, access_mask, inheritance);
  }

  if (!descriptor->SetDaclEntries(aces)) {
    return false;
  }

  if (!recursive) {
    // Open the object itself with WRITE_DAC only and no sharing.
    // FILE_FLAG_BACKUP_SEMANTICS is what allows a directory to be opened.
    // FILE_FLAG_OPEN_REPARSE_POINT is not passed, so a reparse point at |path|
    // is followed to its target.
    ScopedHandle target(::CreateFile(path.value().c_str(), WRITE_DAC, 0,
                                     nullptr, OPEN_EXISTING,
                                     FILE_FLAG_BACKUP_SEMANTICS, nullptr));
    if (target.is_valid()) {
      return descriptor->WriteToHandle(target.get(),
                                       SecurityObjectType::kKernel,
                                       DACL_SECURITY_INFORMATION);
    }
    DPLOG(ERROR) << "Failed opening path \"" << path.value()
                 << "\" to write DACL";
    return false;
  }

  // NOTE(review): presumably the path-based write lets inheritable entries
  // propagate to existing children, while the handle-based write above only
  // touches this object - confirm against SecurityDescriptor.
  return descriptor->WriteToFile(path, DACL_SECURITY_INFORMATION);
}
70*6777b538SAndroid Build Coastguard Worker 
71*6777b538SAndroid Build Coastguard Worker }  // namespace
72*6777b538SAndroid Build Coastguard Worker 
// Adds a grant entry for every SID in |sids| to the DACL of |path|, with the
// given |access_mask| and |inheritance| flags. Forwards to AddACEToPath() and
// returns its result.
//
// |access_mask| is applied exactly as supplied, so callers should pass the
// narrowest mask that the granted principals actually need.
bool GrantAccessToPath(const FilePath& path,
                       const std::vector<Sid>& sids,
                       DWORD access_mask,
                       DWORD inheritance,
                       bool recursive) {
  const SecurityAccessMode mode = SecurityAccessMode::kGrant;
  const bool granted =
      AddACEToPath(path, sids, access_mask, inheritance, recursive, mode);
  return granted;
}
81*6777b538SAndroid Build Coastguard Worker 
// Adds a deny entry for every SID in |sids| to the DACL of |path|, with the
// given |access_mask| and |inheritance| flags. Forwards to AddACEToPath() and
// returns its result.
//
// A false return means the deny entries were not confirmed as written, so
// callers relying on the restriction must check the result.
bool DenyAccessToPath(const FilePath& path,
                      const std::vector<Sid>& sids,
                      DWORD access_mask,
                      DWORD inheritance,
                      bool recursive) {
  const SecurityAccessMode mode = SecurityAccessMode::kDeny;
  const bool denied =
      AddACEToPath(path, sids, access_mask, inheritance, recursive, mode);
  return denied;
}
90*6777b538SAndroid Build Coastguard Worker 
// Returns a new vector holding Sid::Clone() of each element of |sids|, in the
// same order. |sids| itself is left unchanged.
std::vector<Sid> CloneSidVector(const std::vector<Sid>& sids) {
  std::vector<Sid> clones;
  clones.reserve(sids.size());
  for (const Sid& sid : sids) {
    clones.push_back(sid.Clone());
  }
  return clones;
}
94*6777b538SAndroid Build Coastguard Worker 
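// Appends a clone of every element of |append_sids| to the end of |base_sids|,
// preserving order. |append_sids| is not modified.
//
// It is safe for both arguments to refer to the same vector: the number of
// elements to copy is fixed before the first push_back, and the source is
// re-indexed on every iteration rather than walked with iterators that a
// reallocation of |base_sids| would invalidate.
void AppendSidVector(std::vector<Sid>& base_sids,
                     const std::vector<Sid>& append_sids) {
  const size_t count = append_sids.size();
  for (size_t i = 0; i < count; ++i) {
    // Clone() yields an independent temporary before push_back can reallocate.
    base_sids.push_back(append_sids[i].Clone());
  }
}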
101*6777b538SAndroid Build Coastguard Worker 
// Queries the basic object information for |handle| and returns the access
// mask that was granted to it. Returns std::nullopt if NtQueryObject() fails,
// so a failed query is never mistaken for "no access".
std::optional<ACCESS_MASK> GetGrantedAccess(HANDLE handle) {
  PUBLIC_OBJECT_BASIC_INFORMATION info = {};
  const NTSTATUS status = ::NtQueryObject(handle, ObjectBasicInformation,
                                          &info, sizeof(info), nullptr);
  if (NT_SUCCESS(status)) {
    return info.GrantedAccess;
  }
  return std::nullopt;
}
110*6777b538SAndroid Build Coastguard Worker 
111*6777b538SAndroid Build Coastguard Worker }  // namespace win
112*6777b538SAndroid Build Coastguard Worker }  // namespace base