| // Copyright 2022 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "base/win/access_control_list.h" |
| |
| #include <windows.h> |
| |
| #include <aclapi.h> |
| #include <stdint.h> |
| |
| #include <string> |
| #include <utility> |
| #include <vector> |
| |
| #include "base/check.h" |
| #include "base/compiler_specific.h" |
| #include "base/containers/heap_array.h" |
| #include "base/logging.h" |
| #include "base/notreached.h" |
| #include "base/numerics/checked_math.h" |
| #include "base/win/scoped_localalloc.h" |
| |
| namespace base::win { |
| |
| namespace { |
| |
| base::HeapArray<uint8_t> AclToBuffer(const ACL* acl) { |
| if (!acl) { |
| return {}; |
| } |
| const size_t size = acl->AclSize; |
| CHECK_GE(size, sizeof(*acl)); |
| // SAFETY: ACL structure is followed in memory by ACEs. The size of the ACL |
| // struct and all the data related to it is placed in `acl->AclSize`, thus it |
| // is safe to copy `acl->AclSize` bytes starting at address of `acl`. The fact |
| // that the data pertaining to ACL is placed after the ACL structure in memory |
| // is also the reason why we cannot use `base::span_from_ref()` here. |
| return base::HeapArray<uint8_t>::CopiedFrom( |
| UNSAFE_BUFFERS(base::span(reinterpret_cast<const uint8_t*>(acl), size))); |
| } |
| |
| base::HeapArray<uint8_t> EmptyAclToBuffer() { |
| ACL acl = {}; |
| acl.AclRevision = ACL_REVISION; |
| acl.AclSize = static_cast<WORD>(sizeof(acl)); |
| return AclToBuffer(&acl); |
| } |
| |
| ACCESS_MODE ConvertAccessMode(SecurityAccessMode access_mode) { |
| switch (access_mode) { |
| case SecurityAccessMode::kGrant: |
| return GRANT_ACCESS; |
| case SecurityAccessMode::kSet: |
| return SET_ACCESS; |
| case SecurityAccessMode::kDeny: |
| return DENY_ACCESS; |
| case SecurityAccessMode::kRevoke: |
| return REVOKE_ACCESS; |
| } |
| } |
| |
| // Note: on error, this function returns an empty heap array. If such an array |
| // were placed inside `AccessControlList::acl_`, it would cause the access |
| // control list to become a null ACL (allowing everyone access!). |
| base::HeapArray<uint8_t> AddACEToAcl( |
| ACL* old_acl, |
| const std::vector<ExplicitAccessEntry>& entries) { |
| std::vector<EXPLICIT_ACCESS> access_entries(entries.size()); |
| auto entries_interator = access_entries.begin(); |
| for (const ExplicitAccessEntry& entry : entries) { |
| EXPLICIT_ACCESS& new_access = *entries_interator++; |
| new_access.grfAccessMode = ConvertAccessMode(entry.mode()); |
| new_access.grfAccessPermissions = entry.access_mask(); |
| new_access.grfInheritance = entry.inheritance(); |
| ::BuildTrusteeWithSid(&new_access.Trustee, entry.sid().GetPSID()); |
| } |
| |
| PACL new_acl = nullptr; |
| DWORD error = ::SetEntriesInAcl(checked_cast<ULONG>(access_entries.size()), |
| access_entries.data(), old_acl, &new_acl); |
| if (error != ERROR_SUCCESS) { |
| ::SetLastError(error); |
| DPLOG(ERROR) << "Failed adding ACEs to ACL"; |
| return {}; |
| } |
| auto new_acl_ptr = TakeLocalAlloc(new_acl); |
| return AclToBuffer(new_acl_ptr.get()); |
| } |
| |
| } // namespace |
| |
| ExplicitAccessEntry ExplicitAccessEntry::Clone() const { |
| return ExplicitAccessEntry{sid_, mode_, access_mask_, inheritance_}; |
| } |
| |
| ExplicitAccessEntry::ExplicitAccessEntry(const Sid& sid, |
| SecurityAccessMode mode, |
| DWORD access_mask, |
| DWORD inheritance) |
| : sid_(sid.Clone()), |
| mode_(mode), |
| access_mask_(access_mask), |
| inheritance_(inheritance) {} |
| |
| ExplicitAccessEntry::ExplicitAccessEntry(WellKnownSid known_sid, |
| SecurityAccessMode mode, |
| DWORD access_mask, |
| DWORD inheritance) |
| : ExplicitAccessEntry(Sid(known_sid), mode, access_mask, inheritance) {} |
| |
| ExplicitAccessEntry::ExplicitAccessEntry(ExplicitAccessEntry&&) = default; |
| ExplicitAccessEntry& ExplicitAccessEntry::operator=(ExplicitAccessEntry&&) = |
| default; |
| ExplicitAccessEntry::~ExplicitAccessEntry() = default; |
| |
| std::optional<AccessControlList> AccessControlList::FromPACL(ACL* acl) { |
| if (acl && !::IsValidAcl(acl)) { |
| ::SetLastError(ERROR_INVALID_ACL); |
| return std::nullopt; |
| } |
| return AccessControlList{acl}; |
| } |
| |
| std::optional<AccessControlList> AccessControlList::FromMandatoryLabel( |
| DWORD integrity_level, |
| DWORD inheritance, |
| DWORD mandatory_policy) { |
| Sid sid = Sid::FromIntegrityLevel(integrity_level); |
| // Get total ACL length. SYSTEM_MANDATORY_LABEL_ACE contains the first DWORD |
| // of the SID so remove it from total. |
| DWORD length = sizeof(ACL) + sizeof(SYSTEM_MANDATORY_LABEL_ACE) + |
| ::GetLengthSid(sid.GetPSID()) - sizeof(DWORD); |
| auto sacl_ptr = base::HeapArray<uint8_t>::Uninit(length); |
| PACL sacl = reinterpret_cast<PACL>(sacl_ptr.data()); |
| |
| if (!::InitializeAcl(sacl, length, ACL_REVISION)) { |
| return std::nullopt; |
| } |
| |
| if (!::AddMandatoryAce(sacl, ACL_REVISION, inheritance, mandatory_policy, |
| sid.GetPSID())) { |
| return std::nullopt; |
| } |
| |
| DCHECK(::IsValidAcl(sacl)); |
| AccessControlList ret; |
| ret.acl_ = std::move(sacl_ptr); |
| return ret; |
| } |
| |
| AccessControlList::AccessControlList() : acl_(EmptyAclToBuffer()) {} |
| AccessControlList::AccessControlList(AccessControlList&&) = default; |
| AccessControlList& AccessControlList::operator=(AccessControlList&&) = default; |
| AccessControlList::~AccessControlList() = default; |
| |
| bool AccessControlList::SetEntries( |
| const std::vector<ExplicitAccessEntry>& entries) { |
| if (entries.empty()) { |
| return true; |
| } |
| |
| base::HeapArray<uint8_t> acl = AddACEToAcl(get(), entries); |
| if (acl.empty()) { |
| return false; |
| } |
| |
| acl_ = std::move(acl); |
| return true; |
| } |
| |
| bool AccessControlList::SetEntry(const Sid& sid, |
| SecurityAccessMode mode, |
| DWORD access_mask, |
| DWORD inheritance) { |
| std::vector<ExplicitAccessEntry> ace_list; |
| ace_list.emplace_back(sid, mode, access_mask, inheritance); |
| return SetEntries(ace_list); |
| } |
| |
| bool AccessControlList::AddAccessAllowedConditionalAce( |
| const Sid& sid, |
| DWORD ace_flags, |
| DWORD access_mask, |
| std::wstring_view condition) { |
| base::HeapArray<uint8_t> base_acl = |
| acl_.empty() ? EmptyAclToBuffer() |
| : base::HeapArray<uint8_t>::CopiedFrom(acl_); |
| std::wstring condition_str(condition); |
| DWORD length; |
| if (::AddConditionalAce(reinterpret_cast<ACL*>(base_acl.data()), ACL_REVISION, |
| ace_flags, ACCESS_ALLOWED_CALLBACK_ACE_TYPE, |
| access_mask, sid.GetPSID(), condition_str.data(), |
| &length)) { |
| ::SetLastError(ERROR_INVALID_PARAMETER); |
| return false; |
| } |
| |
| if (::GetLastError() != ERROR_INSUFFICIENT_BUFFER) { |
| return false; |
| } |
| |
| base::HeapArray<uint8_t> acl = base::HeapArray<uint8_t>::Uninit(length); |
| acl.copy_prefix_from(base_acl); |
| ACL* pacl = reinterpret_cast<ACL*>(acl.data()); |
| pacl->AclSize = checked_cast<WORD>(length); |
| if (!::AddConditionalAce(pacl, ACL_REVISION, ace_flags, |
| ACCESS_ALLOWED_CALLBACK_ACE_TYPE, access_mask, |
| sid.GetPSID(), condition_str.data(), &length)) { |
| return false; |
| } |
| |
| acl_ = std::move(acl); |
| return true; |
| } |
| |
| AccessControlList AccessControlList::Clone() const { |
| return AccessControlList{get()}; |
| } |
| |
| void AccessControlList::Clear() { |
| acl_ = EmptyAclToBuffer(); |
| } |
| |
| AccessControlList::AccessControlList(const ACL* acl) : acl_(AclToBuffer(acl)) {} |
| |
| } // namespace base::win |
