1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "remoting/host/mojo_caller_security_checker.h"
#include <memory>
#include "base/containers/fixed_flat_set.h"
#include "base/files/file_path.h"
#include "base/logging.h"
#include "base/no_destructor.h"
#include "base/notreached.h"
#include "base/process/process_handle.h"
#include "base/strings/string_util.h"
#include "build/build_config.h"
#include "components/named_mojo_ipc_server/connection_info.h"
#include "remoting/host/base/process_util.h"
#if BUILDFLAG(IS_MAC)
#include <array>
#include <string_view>
#include "remoting/host/mac/constants_mac.h"
#include "remoting/host/mac/trust_util.h"
#endif
#if BUILDFLAG(IS_WIN)
#include "remoting/host/win/trust_util.h"
#endif
namespace remoting {
namespace {
#if BUILDFLAG(IS_LINUX)
constexpr auto kAllowedCallerProgramNames =
base::MakeFixedFlatSet<base::FilePath::StringViewType>({
"remote-open-url",
"remote-webauthn",
});
#elif BUILDFLAG(IS_WIN)
constexpr auto kAllowedCallerProgramNames =
base::MakeFixedFlatSet<base::FilePath::StringViewType>({
L"remote_open_url.exe",
L"remote_webauthn.exe",
L"remote_security_key.exe",
});
#elif BUILDFLAG(IS_MAC)
// Can't use constexpr here since `kBundleId` is not a constexpr.
// remoting_me2me_host is the bundle executable, so its identifier is the bundle
// identifier. For other binaries, the identifier is just the name of the
// binary.
static const auto kAllowedIdentifiers =
std::to_array<const std::string_view>({kBundleId, "remote_webauthn"});
#endif
} // namespace
bool IsTrustedMojoEndpoint(
const named_mojo_ipc_server::ConnectionInfo& caller) {
#if BUILDFLAG(IS_MAC)
return IsProcessTrusted(caller.audit_token, kAllowedIdentifiers);
#elif BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_WIN)
// TODO: yuweih - see if it's possible to move away from PID-based security
// checks, which might be susceptible of PID reuse attacks.
static base::NoDestructor<base::FilePath> current_process_image_path(
GetProcessImagePath(base::GetCurrentProcId()));
base::FilePath caller_process_image_path = GetProcessImagePath(caller.pid);
if (caller_process_image_path.empty()) {
LOG(ERROR) << "Cannot resolve process image path for PID " << caller.pid;
return false;
}
if (caller_process_image_path == *current_process_image_path) {
// IPCs initiated from the same binary should be allowed.
return true;
}
if (caller_process_image_path.DirName() !=
current_process_image_path->DirName()) {
LOG(ERROR) << "Process image " << caller_process_image_path
<< " is not under " << current_process_image_path->DirName();
return false;
}
base::FilePath::StringType program_name =
caller_process_image_path.BaseName().value();
if (!kAllowedCallerProgramNames.contains(program_name)) {
#if BUILDFLAG(IS_LINUX) && !defined(NDEBUG)
// Linux binaries generated in out/Debug are underscore-separated. To make
// debugging easier, we just check the name again with underscores replaced
// with hyphens.
std::string program_name_hyphenated;
base::ReplaceChars(program_name, "_", "-", &program_name_hyphenated);
if (kAllowedCallerProgramNames.contains(program_name_hyphenated)) {
return true;
}
#endif // BUILDFLAG(IS_LINUX) && !defined(NDEBUG)
LOG(ERROR) << caller_process_image_path.BaseName()
<< " is not in the list of allowed caller programs.";
return false;
}
#if BUILDFLAG(IS_WIN)
return IsBinaryTrusted(caller_process_image_path);
#else
// Linux binaries are not code-signed, so we just return true.
return true;
#endif
#else // Unsupported platform
NOTREACHED();
#endif
}
} // namespace remoting
|
