1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
|
// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/elevation_service/caller_validation.h"
#include <windows.h> // Must be in front of other Windows header files.
#include <psapi.h>
#include <algorithm>
#include <string>
#include <vector>
#include "base/files/file_path.h"
#include "base/logging.h"
#include "base/process/process.h"
#include "base/strings/strcat.h"
#include "base/strings/string_split.h"
#include "base/strings/string_util.h"
#include "base/strings/sys_string_conversions.h"
#include "base/strings/utf_string_conversions.h"
#include "base/syslog_logging.h"
#include "base/types/expected.h"
#include "base/version.h"
#include "chrome/elevation_service/elevation_service_idl.h"
#include "chrome/elevation_service/elevator.h"
namespace elevation_service {
namespace {
// Paths look like this: "C:\Program Files\Blah\app.exe".
// This function will remove the final EXE, then it will remove paths that match
// 'Temp', 'Application' or a version pattern if they are the final directory.
//
// Examples:
// "C:\Program Files\Blah\app.exe" ->
// "C:\Program Files\Blah"
//
// "C:\Program Files\Blah\app2.exe" ->
// "C:\Program Files\Blah"
//
// "C:\Program Files\Blah\Temp\app.exe" ->
// "C:\Program Files\Blah"
//
// "C:\Program Files\Blah\Application\app.exe" ->
// "C:\Program Files\Blah"
//
// "C:\Program Files (x86)\Blah\Application\app.exe" ->
// "C:\Program Files\Blah"
//
// "C:\Program Files (x86)\Blah\Application\1.2.3.4\app.exe" ->
// "C:\Program Files\Blah"
//
base::FilePath MaybeTrimProcessPath(const base::FilePath& full_path) {
auto components = full_path.GetComponents();
std::vector<std::wstring> trimmed_components;
size_t token = 0;
for (auto it = components.crbegin(); it != components.crend(); ++it) {
token++;
if (token == 1 &&
base::EndsWith(*it, L".exe", base::CompareCase::INSENSITIVE_ASCII)) {
continue;
}
if (token == 2 && (base::EqualsCaseInsensitiveASCII(*it, "Temp") ||
base::EqualsCaseInsensitiveASCII(*it, "Application"))) {
continue;
}
if (token == 2 && it->starts_with(L"scoped_dir")) {
token--;
continue;
}
if (token == 2 && base::Version(base::WideToASCII(it->data())).IsValid()) {
token--;
continue;
}
// In Windows Vista and later, the paths to the 'Program Files' and 'Common
// Files' directories are not localized (translated) on disk. Instead, the
// localized names are NTFS junction points to the non-localized locations.
// Since this code is dealing with NT paths the junction has already been
// resolved to the non-localized version so it is safe to use hard-coded
// strings here.
if (base::EqualsCaseInsensitiveASCII(*it, L"Program Files (x86)")) {
trimmed_components.push_back(L"Program Files");
continue;
}
trimmed_components.push_back(*it);
}
base::FilePath trimmed_path;
for (auto it = trimmed_components.crbegin(); it != trimmed_components.crend();
++it) {
trimmed_path = trimmed_path.Append(*it);
}
return trimmed_path;
}
base::expected<base::FilePath, DWORD> GetProcessExecutablePath(
const base::Process& process) {
std::wstring image_path(MAX_PATH, L'\0');
DWORD path_length = image_path.size();
BOOL success = ::QueryFullProcessImageNameW(process.Handle(), 0,
image_path.data(), &path_length);
if (!success && ::GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
// Process name is potentially greater than MAX_PATH, try larger max size.
// https://docs.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation
image_path.resize(UNICODE_STRING_MAX_CHARS);
path_length = image_path.size();
success = ::QueryFullProcessImageNameW(process.Handle(), 0,
image_path.data(), &path_length);
}
if (!success) {
PLOG_IF(ERROR, ::GetLastError() != ERROR_GEN_FAILURE)
<< "Failed to get process image path";
return base::unexpected(::GetLastError());
}
return base::FilePath(image_path);
}
// Generate path based validation data, or return empty string if this was not
// possible.
base::expected<std::vector<uint8_t>, HRESULT> GeneratePathValidationData(
const base::FilePath& process_path) {
if (process_path.IsNetwork()) {
return base::unexpected(
elevation_service::Elevator::kErrorUnsupportedFilePath);
}
// Wide to narrow data loss is fine here, because the same system will always
// be dealing with the same data.
const auto narrow_path =
base::SysWideToUTF8(MaybeTrimProcessPath(process_path).value());
return std::vector<uint8_t>(narrow_path.begin(), narrow_path.end());
}
HRESULT ValidatePath(const base::Process& process,
base::span<const uint8_t> data) {
const auto process_path = GetProcessExecutablePath(process);
if (!process_path.has_value()) {
return elevation_service::Elevator::kErrorCouldNotObtainPath;
}
auto current_path_data = GeneratePathValidationData(*process_path);
if (!current_path_data.has_value()) {
return current_path_data.error();
}
if (data.size() == current_path_data->size() &&
std::equal(data.begin(), data.end(), current_path_data->cbegin())) {
return S_OK;
}
SYSLOG(WARNING) << "Failed to authenticate caller process: "
<< process_path->value();
return elevation_service::Elevator::kValidationDidNotPass;
}
} // namespace
base::expected<std::vector<uint8_t>, HRESULT> GenerateValidationData(
ProtectionLevel level,
const base::Process& process) {
switch (level) {
case ProtectionLevel::PROTECTION_NONE:
return std::vector<uint8_t>{ProtectionLevel::PROTECTION_NONE};
case ProtectionLevel::PROTECTION_PATH_VALIDATION_OLD:
return base::unexpected(
elevation_service::Elevator::kErrorUnsupportedProtectionLevel);
case ProtectionLevel::PROTECTION_PATH_VALIDATION: {
const auto process_path = GetProcessExecutablePath(process);
if (!process_path.has_value()) {
return base::unexpected(
elevation_service::Elevator::kErrorCouldNotObtainPath);
}
auto path_validation_data = GeneratePathValidationData(*process_path);
if (path_validation_data.has_value()) {
path_validation_data->insert(
path_validation_data->cbegin(),
ProtectionLevel::PROTECTION_PATH_VALIDATION);
return *path_validation_data;
}
return base::unexpected(path_validation_data.error());
}
case ProtectionLevel::PROTECTION_MAX:
return base::unexpected(
elevation_service::Elevator::kErrorUnsupportedProtectionLevel);
}
}
HRESULT ValidateData(const base::Process& process,
base::span<const uint8_t> validation_data) {
if (validation_data.empty()) {
return E_INVALIDARG;
}
ProtectionLevel level = static_cast<ProtectionLevel>(validation_data[0]);
if (level >= ProtectionLevel::PROTECTION_MAX) {
return E_INVALIDARG;
}
switch (level) {
case ProtectionLevel::PROTECTION_NONE:
// No validation always returns true.
return S_OK;
case ProtectionLevel::PROTECTION_PATH_VALIDATION_OLD:
case ProtectionLevel::PROTECTION_PATH_VALIDATION:
return ValidatePath(process, validation_data.subspan<1>());
case ProtectionLevel::PROTECTION_MAX:
return E_INVALIDARG;
}
}
base::FilePath MaybeTrimProcessPathForTesting(const base::FilePath& full_path) {
return MaybeTrimProcessPath(full_path);
}
} // namespace elevation_service
|
