mirror of
https://github.com/microsoft/PowerToys.git
synced 2024-12-01 01:49:06 +08:00
Settings: initialize COM security to allow communication between elevated Settings and WebView
This commit is contained in:
parent
cd6ac4f8c2
commit
482ad0e5ee
@ -106,4 +106,4 @@ struct on_scope_exit
|
||||
{
|
||||
_f();
|
||||
}
|
||||
};
|
||||
};
|
||||
|
@ -482,11 +482,82 @@ void parse_args()
|
||||
LocalFree(argument_list);
|
||||
}
|
||||
|
||||
bool initialize_com_security_policy_for_webview()
|
||||
{
|
||||
const wchar_t* security_descriptor =
|
||||
L"O:BA" // Owner: Builtin (local) administrator
|
||||
L"G:BA" // Group: Builtin (local) administrator
|
||||
L"D:"
|
||||
L"(A;;0x7;;;PS)" // Access allowed on COM_RIGHTS_EXECUTE, _LOCAL, & _REMOTE for Personal self
|
||||
L"(A;;0x3;;;SY)" // Access allowed on COM_RIGHTS_EXECUTE, & _LOCAL for Local system
|
||||
L"(A;;0x7;;;BA)" // Access allowed on COM_RIGHTS_EXECUTE, _LOCAL, & _REMOTE for Builtin (local) administrator
|
||||
L"(A;;0x3;;;S-1-15-3-1310292540-1029022339-4008023048-2190398717-53961996-4257829345-603366646)" // Access allowed on COM_RIGHTS_EXECUTE, & _LOCAL for Win32WebViewHost package capability
|
||||
L"S:"
|
||||
L"(ML;;NX;;;LW)"; // Integrity label on No execute up for Low mandatory level
|
||||
PSECURITY_DESCRIPTOR self_relative_sd{};
|
||||
if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(security_descriptor, SDDL_REVISION_1, &self_relative_sd, nullptr))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
on_scope_exit free_realtive_sd([&] {
|
||||
LocalFree(self_relative_sd);
|
||||
});
|
||||
|
||||
DWORD absolute_sd_size = 0;
|
||||
DWORD dacl_size = 0;
|
||||
DWORD group_size = 0;
|
||||
DWORD owner_size = 0;
|
||||
DWORD sacl_size = 0;
|
||||
|
||||
if (!MakeAbsoluteSD(self_relative_sd, nullptr, &absolute_sd_size, nullptr, &dacl_size, nullptr, &sacl_size, nullptr, &owner_size, nullptr, &group_size))
|
||||
{
|
||||
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
typed_storage<SECURITY_DESCRIPTOR> absolute_sd{ absolute_sd_size };
|
||||
typed_storage<ACL> dacl{ dacl_size };
|
||||
typed_storage<ACL> sacl{ sacl_size };
|
||||
typed_storage<SID> owner{ owner_size };
|
||||
typed_storage<SID> group{ group_size };
|
||||
|
||||
if (!MakeAbsoluteSD(self_relative_sd,
|
||||
absolute_sd,
|
||||
&absolute_sd_size,
|
||||
dacl,
|
||||
&dacl_size,
|
||||
sacl,
|
||||
&sacl_size,
|
||||
owner,
|
||||
&owner_size,
|
||||
group,
|
||||
&group_size))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return !FAILED(CoInitializeSecurity(
|
||||
absolute_sd,
|
||||
-1,
|
||||
nullptr,
|
||||
nullptr,
|
||||
RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
|
||||
RPC_C_IMP_LEVEL_IDENTIFY,
|
||||
nullptr,
|
||||
EOAC_DYNAMIC_CLOAKING | EOAC_DISABLE_AAA,
|
||||
nullptr));
|
||||
}
|
||||
|
||||
int WINAPI WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPSTR lpCmdLine, _In_ int nShowCmd)
|
||||
{
|
||||
CoInitialize(nullptr);
|
||||
|
||||
if (is_process_elevated())
|
||||
const bool should_try_drop_privileges = !initialize_com_security_policy_for_webview() && is_process_elevated();
|
||||
|
||||
if (should_try_drop_privileges)
|
||||
{
|
||||
if (!drop_elevated_privileges())
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user