Settings: initialize COM security to allow communication between elevated Settings and WebView

This commit is contained in:
yuyoyuppe 2020-01-24 18:26:44 +03:00 committed by yuyoyuppe
parent cd6ac4f8c2
commit 482ad0e5ee
2 changed files with 73 additions and 2 deletions

View File

@ -106,4 +106,4 @@ struct on_scope_exit
{
_f();
}
};
};

View File

@ -482,11 +482,82 @@ void parse_args()
LocalFree(argument_list);
}
bool initialize_com_security_policy_for_webview()
{
const wchar_t* security_descriptor =
L"O:BA" // Owner: Builtin (local) administrator
L"G:BA" // Group: Builtin (local) administrator
L"D:"
L"(A;;0x7;;;PS)" // Access allowed on COM_RIGHTS_EXECUTE, _LOCAL, & _REMOTE for Personal self
L"(A;;0x3;;;SY)" // Access allowed on COM_RIGHTS_EXECUTE, & _LOCAL for Local system
L"(A;;0x7;;;BA)" // Access allowed on COM_RIGHTS_EXECUTE, _LOCAL, & _REMOTE for Builtin (local) administrator
L"(A;;0x3;;;S-1-15-3-1310292540-1029022339-4008023048-2190398717-53961996-4257829345-603366646)" // Access allowed on COM_RIGHTS_EXECUTE, & _LOCAL for Win32WebViewHost package capability
L"S:"
L"(ML;;NX;;;LW)"; // Integrity label on No execute up for Low mandatory level
PSECURITY_DESCRIPTOR self_relative_sd{};
if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(security_descriptor, SDDL_REVISION_1, &self_relative_sd, nullptr))
{
return false;
}
on_scope_exit free_realtive_sd([&] {
LocalFree(self_relative_sd);
});
DWORD absolute_sd_size = 0;
DWORD dacl_size = 0;
DWORD group_size = 0;
DWORD owner_size = 0;
DWORD sacl_size = 0;
if (!MakeAbsoluteSD(self_relative_sd, nullptr, &absolute_sd_size, nullptr, &dacl_size, nullptr, &sacl_size, nullptr, &owner_size, nullptr, &group_size))
{
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
{
return false;
}
}
typed_storage<SECURITY_DESCRIPTOR> absolute_sd{ absolute_sd_size };
typed_storage<ACL> dacl{ dacl_size };
typed_storage<ACL> sacl{ sacl_size };
typed_storage<SID> owner{ owner_size };
typed_storage<SID> group{ group_size };
if (!MakeAbsoluteSD(self_relative_sd,
absolute_sd,
&absolute_sd_size,
dacl,
&dacl_size,
sacl,
&sacl_size,
owner,
&owner_size,
group,
&group_size))
{
return false;
}
return !FAILED(CoInitializeSecurity(
absolute_sd,
-1,
nullptr,
nullptr,
RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
RPC_C_IMP_LEVEL_IDENTIFY,
nullptr,
EOAC_DYNAMIC_CLOAKING | EOAC_DISABLE_AAA,
nullptr));
}
int WINAPI WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPSTR lpCmdLine, _In_ int nShowCmd)
{
CoInitialize(nullptr);
if (is_process_elevated())
const bool should_try_drop_privileges = !initialize_com_security_policy_for_webview() && is_process_elevated();
if (should_try_drop_privileges)
{
if (!drop_elevated_privileges())
{