// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// This macro is used in <wrl/module.h>. Since only the COM functionality is
// used here (while WinRT isn't being used), define this macro to optimize
// compilation of <wrl/module.h> for COM-only.
#ifndef __WRL_CLASSIC_COM_STRICT__
#define __WRL_CLASSIC_COM_STRICT__
#endif // __WRL_CLASSIC_COM_STRICT__
#include "chrome/elevation_service/service_main.h"
#include <atlsecurity.h>
#include <sddl.h>
#include <wrl/module.h>
#include <type_traits>
#include "base/command_line.h"
#include "base/logging.h"
#include "base/no_destructor.h"
#include "base/win/scoped_com_initializer.h"
#include "chrome/elevation_service/elevated_recovery_impl.h"
#include "chrome/elevation_service/elevator.h"
#include "chrome/install_static/install_util.h"
namespace elevation_service {
namespace {
// Command line switch "--console" runs the service interactively for
// debugging purposes.
constexpr char kConsoleSwitchName[] = "console";
// NOTE: this value is ignored because service type is SERVICE_WIN32_OWN_PROCESS
// please see
// https://learn.microsoft.com/en-us/windows/win32/api/winsvc/ns-winsvc-service_table_entrya#members
constexpr wchar_t kWindowsServiceName[] = L"ChromeElevationService";
} // namespace
ServiceMain* ServiceMain::GetInstance() {
static base::NoDestructor<ServiceMain> instance;
return instance.get();
}
bool ServiceMain::InitWithCommandLine(const base::CommandLine* command_line) {
const base::CommandLine::StringVector args = command_line->GetArgs();
if (!args.empty()) {
LOG(ERROR) << "No positional parameters expected.";
return false;
}
// Run interactively if needed.
if (command_line->HasSwitch(kConsoleSwitchName))
run_routine_ = &ServiceMain::RunInteractive;
return true;
}
// Start() is the entry point called by WinMain.
int ServiceMain::Start() {
return (this->*run_routine_)();
}
void ServiceMain::CreateWRLModule() {
Microsoft::WRL::Module<Microsoft::WRL::OutOfProc>::Create(
this, &ServiceMain::SignalExit);
}
// When _ServiceMain gets called, it initializes COM, and then calls Run().
// Run() initializes security, then calls RegisterClassObject().
HRESULT ServiceMain::RegisterClassObject() {
auto& module = Microsoft::WRL::Module<Microsoft::WRL::OutOfProc>::GetModule();
// We hand-register a unique CLSID for each Chrome channel.
Microsoft::WRL::ComPtr<IUnknown> factory;
unsigned int flags = Microsoft::WRL::ModuleType::OutOfProc;
HRESULT hr = Microsoft::WRL::Details::CreateClassFactory<
Microsoft::WRL::SimpleClassFactory<Elevator>>(
&flags, nullptr, __uuidof(IClassFactory), &factory);
if (FAILED(hr)) {
LOG(ERROR) << "Factory creation failed; hr: " << hr;
return hr;
}
Microsoft::WRL::ComPtr<IClassFactory> class_factory;
hr = factory.As(&class_factory);
if (FAILED(hr)) {
LOG(ERROR) << "IClassFactory object creation failed; hr: " << hr;
return hr;
}
// The pointer in this array is unowned. Do not release it.
IClassFactory* class_factories[] = {class_factory.Get()};
static_assert(std::extent<decltype(cookies_)>() == std::size(class_factories),
"Arrays cookies_ and class_factories must be the same size.");
IID class_ids[] = {install_static::GetElevatorClsid()};
if (base::CommandLine::ForCurrentProcess()->HasSwitch(
switches::kElevatorClsIdForTestingSwitch)) {
class_ids[0] = {kTestElevatorClsid};
}
DCHECK_EQ(std::size(cookies_), std::size(class_ids));
static_assert(std::extent<decltype(cookies_)>() == std::size(class_ids),
"Arrays cookies_ and class_ids must be the same size.");
hr = module.RegisterCOMObject(nullptr, class_ids, class_factories, cookies_,
std::size(cookies_));
if (FAILED(hr)) {
LOG(ERROR) << "RegisterCOMObject failed; hr: " << hr;
return hr;
}
return hr;
}
void ServiceMain::UnregisterClassObject() {
auto& module = Microsoft::WRL::Module<Microsoft::WRL::OutOfProc>::GetModule();
const HRESULT hr =
module.UnregisterCOMObject(nullptr, cookies_, std::size(cookies_));
if (FAILED(hr))
LOG(ERROR) << "UnregisterCOMObject failed; hr: " << hr;
}
bool ServiceMain::IsExitSignaled() {
return exit_signal_.IsSignaled();
}
void ServiceMain::ResetExitSignaled() {
exit_signal_.Reset();
}
ServiceMain::ServiceMain()
: run_routine_(&ServiceMain::RunAsService),
service_status_handle_(nullptr),
service_status_(),
cookies_(),
exit_signal_(base::WaitableEvent::ResetPolicy::MANUAL,
base::WaitableEvent::InitialState::NOT_SIGNALED) {
service_status_.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
service_status_.dwCurrentState = SERVICE_STOPPED;
service_status_.dwControlsAccepted = SERVICE_ACCEPT_STOP;
}
ServiceMain::~ServiceMain() = default;
int ServiceMain::RunAsService() {
static constexpr SERVICE_TABLE_ENTRY dispatch_table[] = {
{const_cast<LPTSTR>(kWindowsServiceName), &ServiceMain::ServiceMainEntry},
{nullptr, nullptr}};
if (!::StartServiceCtrlDispatcher(dispatch_table)) {
service_status_.dwWin32ExitCode = ::GetLastError();
PLOG(ERROR) << "Failed to connect to the service control manager";
}
return service_status_.dwWin32ExitCode;
}
void ServiceMain::ServiceMainImpl() {
service_status_handle_ = ::RegisterServiceCtrlHandler(
kWindowsServiceName, &ServiceMain::ServiceControlHandler);
if (service_status_handle_ == nullptr) {
PLOG(ERROR) << "RegisterServiceCtrlHandler failed";
return;
}
SetServiceStatus(SERVICE_RUNNING);
service_status_.dwWin32ExitCode = ERROR_SUCCESS;
service_status_.dwCheckPoint = 0;
service_status_.dwWaitHint = 0;
// Initialize COM for the current thread.
base::win::ScopedCOMInitializer com_initializer(
base::win::ScopedCOMInitializer::kMTA);
if (!com_initializer.Succeeded()) {
PLOG(ERROR) << "Failed to initialize COM";
SetServiceStatus(SERVICE_STOPPED);
return;
}
// When the Run function returns, the service has stopped.
const HRESULT hr = Run();
if (FAILED(hr)) {
service_status_.dwWin32ExitCode = ERROR_SERVICE_SPECIFIC_ERROR;
service_status_.dwServiceSpecificExitCode = hr;
}
SetServiceStatus(SERVICE_STOPPED);
}
int ServiceMain::RunInteractive() {
return Run();
}
// static
void ServiceMain::ServiceControlHandler(DWORD control) {
ServiceMain* self = ServiceMain::GetInstance();
switch (control) {
case SERVICE_CONTROL_STOP:
self->SetServiceStatus(SERVICE_STOP_PENDING);
self->SignalExit();
break;
default:
break;
}
}
// static
void WINAPI ServiceMain::ServiceMainEntry(DWORD argc, wchar_t* argv[]) {
ServiceMain::GetInstance()->ServiceMainImpl();
}
void ServiceMain::SetServiceStatus(DWORD state) {
::InterlockedExchange(&service_status_.dwCurrentState, state);
::SetServiceStatus(service_status_handle_, &service_status_);
}
HRESULT ServiceMain::Run() {
LOG_IF(WARNING, FAILED(CleanupChromeRecoveryDirectory()));
HRESULT hr = InitializeComSecurity();
if (FAILED(hr))
return hr;
CreateWRLModule();
hr = RegisterClassObject();
if (SUCCEEDED(hr)) {
WaitForExitSignal();
UnregisterClassObject();
}
return hr;
}
// static
HRESULT ServiceMain::InitializeComSecurity() {
CDacl dacl;
constexpr auto com_rights_execute_local =
COM_RIGHTS_EXECUTE | COM_RIGHTS_EXECUTE_LOCAL;
if (!dacl.AddAllowedAce(Sids::System(), com_rights_execute_local) ||
!dacl.AddAllowedAce(Sids::Admins(), com_rights_execute_local) ||
!dacl.AddAllowedAce(Sids::Interactive(), com_rights_execute_local)) {
return E_ACCESSDENIED;
}
CSecurityDesc sd;
sd.SetDacl(dacl);
sd.MakeAbsolute();
sd.SetOwner(Sids::Admins());
sd.SetGroup(Sids::Admins());
// These are the flags being set:
// EOAC_DYNAMIC_CLOAKING: DCOM uses the thread token (if present) when
// determining the client's identity. Useful when impersonating another
// user.
// EOAC_SECURE_REFS: Authenticates distributed reference count calls to
// prevent malicious users from releasing objects that are still being used.
// EOAC_DISABLE_AAA: Causes any activation where a server process would be
// launched under the caller's identity (activate-as-activator) to fail with
// E_ACCESSDENIED.
// EOAC_NO_CUSTOM_MARSHAL: reduces the chances of executing arbitrary DLLs
// because it allows the marshaling of only CLSIDs that are implemented in
// Ole32.dll, ComAdmin.dll, ComSvcs.dll, or Es.dll, or that implement the
// CATID_MARSHALER category ID.
// RPC_C_AUTHN_LEVEL_PKT_PRIVACY: prevents replay attacks, verifies that none
// of the data transferred between the client and server has been modified,
// ensures that the data transferred can only be seen unencrypted by the
// client and the server.
return ::CoInitializeSecurity(
const_cast<SECURITY_DESCRIPTOR*>(sd.GetPSECURITY_DESCRIPTOR()), -1,
nullptr, nullptr, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IDENTIFY,
nullptr,
EOAC_DYNAMIC_CLOAKING | EOAC_DISABLE_AAA | EOAC_SECURE_REFS |
EOAC_NO_CUSTOM_MARSHAL,
nullptr);
}
void ServiceMain::WaitForExitSignal() {
exit_signal_.Wait();
}
void ServiceMain::SignalExit() {
exit_signal_.Signal();
}
} // namespace elevation_service
Codebase Browser
chromium