win: Lower integrity level of connection pipe

This is necessary to be able to connect to crashpad_handler from a
Chrome renderer.

R=jschuh@chromium.org, mark@chromium.org
BUG=chromium:546288

Review URL: https://codereview.chromium.org/1405093013 .

test/win/win_child_process.cc

@@ -26,6 +26,7 @@
 #include "util/stdlib/string_number_conversion.h"
 #include "util/string/split_string.h"
 #include "util/win/handle.h"
+#include "util/win/scoped_local_alloc.h"
 #include "test/paths.h"
 
 namespace crashpad {
@@ -34,20 +35,11 @@ namespace test {
 namespace {
 
 const char kIsMultiprocessChild[] = "--is-multiprocess-child";
-struct LocalFreeTraits {
-  static HLOCAL InvalidValue() { return nullptr; }
-  static void Free(HLOCAL mem) {
-    if (LocalFree(mem) != nullptr)
-      PLOG(ERROR) << "LocalFree";
-  }
-};
-
-using ScopedLocalFree = base::ScopedGeneric<HLOCAL, LocalFreeTraits>;
 
 bool GetSwitch(const char* switch_name, std::string* value) {
   int num_args;
   wchar_t** args = CommandLineToArgvW(GetCommandLine(), &num_args);
-  ScopedLocalFree scoped_args(args);  // Take ownership.
+  ScopedLocalAlloc scoped_args(args);  // Take ownership.
   if (!args) {
     PLOG(FATAL) << "CommandLineToArgvW";
     return false;

util/util.gyp

@@ -175,6 +175,8 @@
         'win/registration_protocol_win.h',
         'win/scoped_handle.cc',
         'win/scoped_handle.h',
+        'win/scoped_local_alloc.cc',
+        'win/scoped_local_alloc.h',
         'win/scoped_process_suspend.cc',
         'win/scoped_process_suspend.h',
         'win/time.cc',
@@ -246,6 +248,7 @@
         ['OS=="win"', {
           'link_settings': {
             'libraries': [
+              '-ladvapi32.lib',
               '-lrpcrt4.lib',
               '-lwinhttp.lib',
             ],

util/win/command_line_test.cc

@@ -22,22 +22,12 @@
 #include "base/scoped_generic.h"
 #include "gtest/gtest.h"
 #include "test/errors.h"
+#include "util/win/scoped_local_alloc.h"
 
 namespace crashpad {
 namespace test {
 namespace {
 
-struct LocalAllocTraits {
-  static HLOCAL InvalidValue() {
-    return nullptr;
-  }
-
-  static void Free(HLOCAL memory) {
-    PLOG_IF(ERROR, LocalFree(memory) != nullptr) << "LocalFree";
-  }
-};
-using ScopedLocalAlloc = base::ScopedGeneric<HLOCAL, LocalAllocTraits>;
-
 // Calls AppendCommandLineArgument() for every argument in argv, then calls
 // CommandLineToArgvW() to decode the string into a vector again, and compares
 // the input and output.

util/win/exception_handler_server.cc

@@ -14,6 +14,7 @@
 
 #include "util/win/exception_handler_server.h"
 
+#include <sddl.h>
 #include <string.h>
 
 #include "base/logging.h"
@@ -30,6 +31,7 @@
 #include "util/win/get_function.h"
 #include "util/win/handle.h"
 #include "util/win/registration_protocol_win.h"
+#include "util/win/scoped_local_alloc.h"
 #include "util/win/xp_compat.h"
 
 namespace crashpad {
@@ -44,19 +46,50 @@ const size_t kPipeInstances = 2;
 //
 // If first_instance is true, the named pipe instance will be created with
 // FILE_FLAG_FIRST_PIPE_INSTANCE. This ensures that the the pipe name is not
-// already in use when created.
+// already in use when created. The first instance will be created with an
+// untrusted integrity SACL so instances of this pipe can be connected to by
+// processes of any integrity level.
 HANDLE CreateNamedPipeInstance(const std::wstring& pipe_name,
                                bool first_instance) {
-  return CreateNamedPipe(pipe_name.c_str(),
-                         PIPE_ACCESS_DUPLEX |
-                             (first_instance ? FILE_FLAG_FIRST_PIPE_INSTANCE
-                                             : 0),
-                         PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
-                         kPipeInstances,
-                         512,
-                         512,
-                         0,
-                         nullptr);
+  SECURITY_ATTRIBUTES security_attributes;
+  SECURITY_ATTRIBUTES* security_attributes_pointer = nullptr;
+  ScopedLocalAlloc scoped_sec_desc;
+
+  if (first_instance) {
+    // Pre-Vista does not have integrity levels.
+    const DWORD version = GetVersion();
+    const DWORD major_version = LOBYTE(LOWORD(version));
+    const bool is_vista_or_later = major_version >= 6;
+    if (is_vista_or_later) {
+      // Mandatory Label, no ACE flags, no ObjectType, integrity level
+      // untrusted.
+      const wchar_t kSddl[] = L"S:(ML;;;;;S-1-16-0)";
+
+      PSECURITY_DESCRIPTOR sec_desc;
+      PCHECK(ConvertStringSecurityDescriptorToSecurityDescriptor(
+          kSddl, SDDL_REVISION_1, &sec_desc, nullptr))
+          << "ConvertStringSecurityDescriptorToSecurityDescriptor";
+
+      // Take ownership of the allocated SECURITY_DESCRIPTOR.
+      scoped_sec_desc.reset(sec_desc);
+
+      memset(&security_attributes, 0, sizeof(security_attributes));
+      security_attributes.nLength = sizeof(SECURITY_ATTRIBUTES);
+      security_attributes.lpSecurityDescriptor = sec_desc;
+      security_attributes.bInheritHandle = FALSE;
+      security_attributes_pointer = &security_attributes;
+    }
+  }
+
+  return CreateNamedPipe(
+      pipe_name.c_str(),
+      PIPE_ACCESS_DUPLEX | (first_instance ? FILE_FLAG_FIRST_PIPE_INSTANCE : 0),
+      PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
+      kPipeInstances,
+      512,
+      512,
+      0,
+      security_attributes_pointer);
 }
 
 decltype(GetNamedPipeClientProcessId)* GetNamedPipeClientProcessIdFunction() {
@@ -320,7 +353,7 @@ void ExceptionHandlerServer::Run(Delegate* delegate) {
     if (first_pipe_instance_.is_valid()) {
       pipe = first_pipe_instance_.release();
     } else {
-      pipe = CreateNamedPipeInstance(pipe_name_, false);
+      pipe = CreateNamedPipeInstance(pipe_name_, i == 0);
       PCHECK(pipe != INVALID_HANDLE_VALUE) << "CreateNamedPipe";
     }
 

util/win/scoped_local_alloc.cc

@@ -0,0 +1,26 @@
+// Copyright 2015 The Crashpad Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "util/win/scoped_local_alloc.h"
+
+#include "base/logging.h"
+
+namespace crashpad {
+
+// static
+void LocalAllocTraits::Free(HLOCAL memory) {
+  PLOG_IF(ERROR, LocalFree(memory) != nullptr) << "LocalFree";
+}
+
+}  // namespace crashpad

util/win/scoped_local_alloc.h

@@ -0,0 +1,33 @@
+// Copyright 2015 The Crashpad Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef CRASHPAD_UTIL_WIN_SCOPED_LOCAL_ALLOC_H_
+#define CRASHPAD_UTIL_WIN_SCOPED_LOCAL_ALLOC_H_
+
+#include <windows.h>
+
+#include "base/scoped_generic.h"
+
+namespace crashpad {
+
+struct LocalAllocTraits {
+  static HLOCAL InvalidValue() { return nullptr; }
+  static void Free(HLOCAL mem);
+};
+
+using ScopedLocalAlloc = base::ScopedGeneric<HLOCAL, LocalAllocTraits>;
+
+}  // namespace crashpad
+
+#endif  // CRASHPAD_UTIL_WIN_SCOPED_LOCAL_ALLOC_H_