// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef MOJO_CORE_PLATFORM_HANDLE_IN_TRANSIT_H_
#define MOJO_CORE_PLATFORM_HANDLE_IN_TRANSIT_H_

#include "base/check.h"  // DCHECK, used by the inline handle() accessor below.
#include "base/process/process.h"
#include "build/build_config.h"
#include "mojo/public/cpp/platform/platform_handle.h"

#if BUILDFLAG(IS_WIN)
#include <windows.h>
#endif

namespace mojo {
namespace core {

// Owns a PlatformHandle which may actually belong to another process. On
// Windows and (sometimes) Mac, handles in a message object may take on values
// which only have meaning in the context of a remote process.
//
// This class provides a safe way of scoping the lifetime of such handles so
// that they don't leak when transmission can't be completed.
class PlatformHandleInTransit {
 public:
  PlatformHandleInTransit();
  explicit PlatformHandleInTransit(PlatformHandle handle);
  PlatformHandleInTransit(PlatformHandleInTransit&&);
  PlatformHandleInTransit(const PlatformHandleInTransit&) = delete;
  PlatformHandleInTransit& operator=(const PlatformHandleInTransit&) = delete;
  ~PlatformHandleInTransit();

  PlatformHandleInTransit& operator=(PlatformHandleInTransit&&);

  // Accessor for the owned handle. Must be owned by the calling process.
  const PlatformHandle& handle() const {
    DCHECK(!owning_process_.IsValid());
    return handle_;
  }

  // Returns the process which owns this handle. If this is invalid, the handle
  // is owned by the current process.
  const base::Process& owning_process() const { return owning_process_; }

  // Takes ownership of the held handle as-is. The handle must belong to the
  // current process.
  PlatformHandle TakeHandle();

  // Discards the handle owned by this object. The implication is that its
  // value has been successfully communicated to the owning process and the
  // calling process is no longer responsible for managing the handle's
  // lifetime.
  void CompleteTransit();

  // Designates the relative trust level of the destination process compared to
  // the source process, in the context of a handle transfer operation. This
  // may be expanded to more granular degrees of trust in the future.
  enum TransferTargetTrustLevel {
    // No special constraints on what can be transferred or how.
    kTrustedTarget,

    // On some platforms, transfers with this destination type may be restricted
    // to block certain types of handles.
    kUntrustedTarget,
  };

  // Transfers ownership of this (local) handle to |target_process|.
  bool TransferToProcess(base::Process target_process,
                         TransferTargetTrustLevel trust = kTrustedTarget);

#if BUILDFLAG(IS_WIN)
  HANDLE remote_handle() const { return remote_handle_; }

  // Indicates whether |handle| is a known pseudo handle value. In a fuzzing
  // environment we merely simulate IPC, so we end up accepting "remote" handle
  // values from our own process. This means that unlike in production
  // scenarios, we may end up successfully calling DuplicateHandle on a fuzzed
  // pseudo handle value (in production if a remote process sent us a pseudo
  // handle value, DuplicateHandle would always fail).
  //
  // For some reason, a small number of special pseudo handle values always
  // duplicate to the same real handle value when DUPLICATE_CLOSE_SOURCE is
  // specified, presumably because the returned handle is closed before it's
  // even returned. For example, duplicating -10 with DUPLICATE_CLOSE_SOURCE
  // always yields the handle value 0x50. This ends up interacting poorly with
  // the rest of Mojo's handle deserialization code and eventually crashes
  // in ScopedHandleVerifier.
  //
  // We avoid the issue by explicitly discarding any known pseudo handle values,
  // since they are always invalid when received from a remote process anyway
  // and thus always signal a misbehaving client.
  static bool IsPseudoHandle(HANDLE handle);

  // Returns a new local handle, with ownership of |handle| being transferred
  // from |owning_process| to the caller.
  static PlatformHandle TakeIncomingRemoteHandle(
      HANDLE handle,
      base::ProcessHandle owning_process);
#endif

 private:
#if BUILDFLAG(IS_WIN)
  // We don't use a ScopedHandle (or, by extension, PlatformHandle) here because
  // the handle verifier expects all handle values to be owned by this process.
  // On Windows we use |handle_| for locally owned handles and |remote_handle_|
  // otherwise. On all other platforms we use |handle_| regardless of ownership.
  HANDLE remote_handle_ = INVALID_HANDLE_VALUE;
#endif
  PlatformHandle handle_;
  base::Process owning_process_;
};

}  // namespace core
}  // namespace mojo

#endif  // MOJO_CORE_PLATFORM_HANDLE_IN_TRANSIT_H_
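The two security-relevant rules this header states, that a handle still in transit is closed wherever it lives if the send never completes, and that a "remote" handle value naming a pseudo handle is discarded before DuplicateHandle is attempted, are modelled below in a portable, added example that is not Mojo's code. It assumes a constructed per-process handle table (`g_table`, `MoveTo`, `TransitHandle`, `RemoteHandleStillOpen` are all hypothetical names) standing in for the Windows handle table and for DuplicateHandle with DUPLICATE_CLOSE_SOURCE.

```cpp
#include <cstdint>
#include <optional>
#include <set>
#include <utility>
// Constructed stand-in for per-process handle tables: (process id, handle
// value) is "open" while it is in the set. Every name here is hypothetical.
using HandleValue = std::intptr_t;
using ProcessId = int;
constexpr HandleValue kInvalidHandle = -1;  // INVALID_HANDLE_VALUE is (HANDLE)-1
constexpr ProcessId kSelf = 1;
std::set<std::pair<ProcessId, HandleValue>> g_table;
void CloseIn(ProcessId p, HandleValue h) { g_table.erase(std::make_pair(p, h)); }
// Models DuplicateHandle with DUPLICATE_CLOSE_SOURCE: the value leaves |from|
// and a fresh value (constructed here as h + 0x100) appears in |to|.
HandleValue MoveTo(ProcessId from, HandleValue h, ProcessId to) {
  CloseIn(from, h);
  g_table.insert(std::make_pair(to, h + 0x100));
  return h + 0x100;
}
// Pseudo handle values name the caller itself, so a peer can never legitimately
// send one: (HANDLE)-1 is GetCurrentProcess(), (HANDLE)-2 is GetCurrentThread().
bool IsPseudoHandle(HandleValue h) { return h == -1 || h == -2; }
class TransitHandle {
 public:
  explicit TransitHandle(HandleValue h) : owner_(kSelf), handle_(h) {}
  TransitHandle(const TransitHandle&) = delete;
  TransitHandle& operator=(const TransitHandle&) = delete;
  // Still responsible for the handle, local or already duplicated into the
  // target: close it where it lives so a failed send does not leak it.
  ~TransitHandle() { if (handle_ != kInvalidHandle) CloseIn(owner_, handle_); }
  void TransferToProcess(ProcessId t) { handle_ = MoveTo(owner_, handle_, t); owner_ = t; }
  // The peer has been told the value and now owns it; we must not close it.
  void CompleteTransit() { handle_ = kInvalidHandle; }
 private:
  ProcessId owner_;
  HandleValue handle_;
};
// Receiver-side check applied before DuplicateHandle is ever attempted.
std::optional<HandleValue> TakeIncomingRemoteHandle(HandleValue h) {
  if (h == kInvalidHandle || IsPseudoHandle(h)) return std::nullopt;
  return h;
}
// Scenario: 0x40 is duplicated into process 2; |delivered| says whether the
// message carrying it was actually sent, i.e. whether CompleteTransit() ran.
bool RemoteHandleStillOpen(bool delivered) {
  g_table.insert(std::make_pair(kSelf, HandleValue(0x40)));
  { TransitHandle t(0x40); t.TransferToProcess(2); if (delivered) t.CompleteTransit(); }
  bool open = g_table.count(std::make_pair(2, HandleValue(0x140))) != 0;
  CloseIn(2, 0x140);  // reset the constructed table between calls
  return open;  // false when not delivered: the destructor closed it in process 2
}
```

`RemoteHandleStillOpen(false)` returns false because the destructor closed the duplicated handle in process 2, while `RemoteHandleStillOpen(true)` returns true because ownership was handed over; `TakeIncomingRemoteHandle(-1)` and `(-2)` yield no value.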