[Spice-commits] 2 commits - gtk/controller
Marc-André Lureau
elmarco at kemper.freedesktop.org
Thu Oct 25 04:14:41 PDT 2012
gtk/controller/Makefile.am | 2
gtk/controller/spice-controller-listener.c | 3
gtk/controller/spice-foreign-menu-listener.c | 3
gtk/controller/win32-util.c | 162 +++++++++++++++++++++++++++
gtk/controller/win32-util.h | 30 +++++
5 files changed, 198 insertions(+), 2 deletions(-)
New commits:
commit 3506668c73b959baa3890389a779be72f68ede91
Author: Marc-André Lureau <marcandre.lureau at redhat.com>
Date: Wed Oct 24 19:42:39 2012 +0200
controller/win32: limit access to current user only
Based on RHEV spicec-win only code.
diff --git a/gtk/controller/win32-util.c b/gtk/controller/win32-util.c
index f540452..3562154 100644
--- a/gtk/controller/win32-util.c
+++ b/gtk/controller/win32-util.c
@@ -64,17 +64,63 @@ end:
return success;
}
+
+static gboolean
+get_user_security_attributes (SECURITY_ATTRIBUTES* psa, SECURITY_DESCRIPTOR* psd, PACL* ppdacl)
+{
+ EXPLICIT_ACCESS ea;
+ TRUSTEE trst;
+ DWORD ret = 0;
+
+ ZeroMemory (psa, sizeof (*psa));
+ ZeroMemory (psd, sizeof (*psd));
+ psa->nLength = sizeof (*psa);
+ psa->bInheritHandle = FALSE;
+ psa->lpSecurityDescriptor = psd;
+
+ ZeroMemory (&trst, sizeof (trst));
+ trst.pMultipleTrustee = NULL;
+ trst.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+ trst.TrusteeForm = TRUSTEE_IS_NAME;
+ trst.TrusteeType = TRUSTEE_IS_USER;
+ trst.ptstrName = "CURRENT_USER";
+
+ ZeroMemory (&ea, sizeof (ea));
+ ea.grfAccessPermissions = GENERIC_WRITE | GENERIC_READ;
+ ea.grfAccessMode = SET_ACCESS;
+ ea.grfInheritance = NO_INHERITANCE;
+ ea.Trustee = trst;
+
+ ret = SetEntriesInAcl (1, &ea, NULL, ppdacl);
+ if (ret != ERROR_SUCCESS)
+ return FALSE;
+
+ if (!InitializeSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION))
+ return FALSE;
+
+ if (!SetSecurityDescriptorDacl (psd, TRUE, *ppdacl, FALSE))
+ return FALSE;
+
+ return TRUE;
+}
+
#define DEFAULT_PIPE_BUF_SIZE 4096
SpiceNamedPipe*
spice_win32_user_pipe_new (gchar *name, GError **error)
{
+ SECURITY_ATTRIBUTES sa;
+ SECURITY_DESCRIPTOR sd;
+ PACL dacl = NULL;
HANDLE pipe;
SpiceNamedPipe *np = NULL;
g_return_val_if_fail (name != NULL, NULL);
g_return_val_if_fail (error != NULL, NULL);
+ if (!get_user_security_attributes (&sa, &sd, &dacl))
+ return NULL;
+
pipe = CreateNamedPipe (name,
PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED |
/* FIXME: why is FILE_FLAG_FIRST_PIPE_INSTANCE needed for WRITE_DAC
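Review bot: The early `return NULL` after get_user_security_attributes() fails leaves `*error` unset, unlike the CreateNamedPipe failure path, and it skips the `LocalFree (dacl)` that this commit adds at `end:`, so an ACL already allocated by SetEntriesInAcl leaks when InitializeSecurityDescriptor or SetSecurityDescriptorDacl fails. Replacing it with `g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Error building pipe security attributes");` followed by `goto end;` covers both. The helper would also benefit from a comment such as `/* Builds a DACL granting only the current user GENERIC_READ|GENERIC_WRITE; caller must LocalFree (*ppdacl) */`, since that single-entry DACL is what restricts who can open the pipe. The body of spice_win32_user_pipe_new continues past the end of this hunk.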
@@ -84,7 +130,7 @@ spice_win32_user_pipe_new (gchar *name, GError **error)
PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
PIPE_UNLIMITED_INSTANCES,
DEFAULT_PIPE_BUF_SIZE, DEFAULT_PIPE_BUF_SIZE,
- 0, NULL);
+ 0, &sa);
if (pipe == INVALID_HANDLE_VALUE) {
int errsv = GetLastError ();
@@ -110,5 +156,7 @@ spice_win32_user_pipe_new (gchar *name, GError **error)
NULL, error, "handle", pipe, NULL));
end:
+ LocalFree (dacl);
+
return np;
}
commit cd2c31ddd458dffe1295938255a3c590f5d87b8c
Author: Marc-André Lureau <marcandre.lureau at redhat.com>
Date: Wed Oct 24 19:04:05 2012 +0200
controller/win32: allow ActiveX connection on untrusted website
Set low integrity on named-pipes.
This bug was originally resolved as:
https://bugzilla.redhat.com/show_bug.cgi?id=668980
Fixes regression:
https://bugzilla.redhat.com/show_bug.cgi?id=844461
diff --git a/gtk/controller/Makefile.am b/gtk/controller/Makefile.am
index 7bfa51b..f2abf93 100644
--- a/gtk/controller/Makefile.am
+++ b/gtk/controller/Makefile.am
@@ -56,6 +56,8 @@ libspice_controller_la_SOURCES += \
namedpipeconnection.h \
namedpipelistener.c \
namedpipelistener.h \
+ win32-util.c \
+ win32-util.h \
$(NULL)
endif
libspice_controller_la_LDFLAGS = \
diff --git a/gtk/controller/spice-controller-listener.c b/gtk/controller/spice-controller-listener.c
index da1121e..0189848 100644
--- a/gtk/controller/spice-controller-listener.c
+++ b/gtk/controller/spice-controller-listener.c
@@ -25,6 +25,7 @@
#include <windows.h>
#include "namedpipe.h"
#include "namedpipelistener.h"
+#include "win32-util.h"
#endif
#ifdef G_OS_UNIX
@@ -89,7 +90,7 @@ spice_controller_listener_new (const gchar *address, GError **error)
listener = G_OBJECT (spice_named_pipe_listener_new ());
- np = spice_named_pipe_new (addr, error);
+ np = spice_win32_user_pipe_new (addr, error);
if (!np) {
g_object_unref (listener);
listener = NULL;
diff --git a/gtk/controller/spice-foreign-menu-listener.c b/gtk/controller/spice-foreign-menu-listener.c
index 8322a13..6693e21 100644
--- a/gtk/controller/spice-foreign-menu-listener.c
+++ b/gtk/controller/spice-foreign-menu-listener.c
@@ -25,6 +25,7 @@
#include <windows.h>
#include "namedpipe.h"
#include "namedpipelistener.h"
+#include "win32-util.h"
#endif
#ifdef G_OS_UNIX
@@ -91,7 +92,7 @@ spice_foreign_menu_listener_new (const gchar *address, GError **error)
listener = G_OBJECT (spice_named_pipe_listener_new ());
- np = spice_named_pipe_new (addr, error);
+ np = spice_win32_user_pipe_new (addr, error);
if (!np) {
g_object_unref (listener);
listener = NULL;
diff --git a/gtk/controller/win32-util.c b/gtk/controller/win32-util.c
new file mode 100644
index 0000000..f540452
--- /dev/null
+++ b/gtk/controller/win32-util.c
@@ -0,0 +1,114 @@
+/*
+ Copyright (C) 2012 Red Hat, Inc.
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "win32-util.h"
+#include <windows.h>
+#include <sddl.h>
+#include <aclapi.h>
+
+gboolean
+spice_win32_set_low_integrity (void* handle, GError **error)
+{
+ g_return_val_if_fail (handle != NULL, FALSE);
+ g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
+
+ /* see also http://msdn.microsoft.com/en-us/library/bb625960.aspx */
+ PSECURITY_DESCRIPTOR psd = NULL;
+ PACL psacl = NULL;
+ BOOL sacl_present = FALSE;
+ BOOL sacl_defaulted = FALSE;
+ char *emsg;
+ int errsv;
+ gboolean success = FALSE;
+
+ if (!ConvertStringSecurityDescriptorToSecurityDescriptor ("S:(ML;;NW;;;LW)",
+ SDDL_REVISION_1, &psd, NULL))
+ goto failed;
+
+ if (!GetSecurityDescriptorSacl (psd, &sacl_present, &psacl, &sacl_defaulted))
+ goto failed;
+
+ if (SetSecurityInfo (handle, SE_KERNEL_OBJECT, LABEL_SECURITY_INFORMATION,
+ NULL, NULL, NULL, psacl) != ERROR_SUCCESS)
+ goto failed;
+
+ success = TRUE;
+ goto end;
+
+failed:
+ errsv = GetLastError ();
+ emsg = g_win32_error_message (errsv);
+ g_set_error (error, G_IO_ERROR,
+ g_io_error_from_win32_error (errsv),
+ "Error setting integrity: %s",
+ emsg);
+ g_free (emsg);
+
+end:
+ if (psd != NULL)
+ LocalFree (psd);
+
+ return success;
+}
+#define DEFAULT_PIPE_BUF_SIZE 4096
+
+SpiceNamedPipe*
+spice_win32_user_pipe_new (gchar *name, GError **error)
+{
+ HANDLE pipe;
+ SpiceNamedPipe *np = NULL;
+
+ g_return_val_if_fail (name != NULL, NULL);
+ g_return_val_if_fail (error != NULL, NULL);
+
+ pipe = CreateNamedPipe (name,
+ PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED |
+ /* FIXME: why is FILE_FLAG_FIRST_PIPE_INSTANCE needed for WRITE_DAC
+ * (apparently needed by SetSecurityInfo). This will prevent
+ * multiple pipe listener....?! */
+ FILE_FLAG_FIRST_PIPE_INSTANCE | WRITE_DAC,
+ PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
+ PIPE_UNLIMITED_INSTANCES,
+ DEFAULT_PIPE_BUF_SIZE, DEFAULT_PIPE_BUF_SIZE,
+ 0, NULL);
+
+ if (pipe == INVALID_HANDLE_VALUE) {
+ int errsv = GetLastError ();
+ gchar *emsg = g_win32_error_message (errsv);
+
+ g_set_error (error,
+ G_IO_ERROR,
+ g_io_error_from_win32_error (errsv),
+ "Error CreateNamedPipe(): %s",
+ emsg);
+
+ g_free (emsg);
+ goto end;
+ }
+
+ /* lower integrity on Vista/Win7+ */
+ if ((LOBYTE (g_win32_get_windows_version()) > 0x05
+ || LOWORD (g_win32_get_windows_version()) > 0x0105) &&
+ !spice_win32_set_low_integrity (pipe, error))
+ goto end;
+
+ np = SPICE_NAMED_PIPE (g_initable_new (SPICE_TYPE_NAMED_PIPE,
+ NULL, error, "handle", pipe, NULL));
+
+end:
+ return np;
+}
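Review bot: In spice_win32_user_pipe_new the pipe handle is never closed when spice_win32_set_low_integrity() fails: the code jumps to `end:` with `np` still NULL, so the handle from CreateNamedPipe leaks, and with FILE_FLAG_FIRST_PIPE_INSTANCE set a later attempt to create the same pipe name in this process would presumably fail while it stays open. Bracing that branch as `{ CloseHandle (pipe); goto end; }` fixes it; whether g_initable_new() takes ownership of the handle when it fails is not visible here and should be checked as well. Separately, the `failed:` label in spice_win32_set_low_integrity reads GetLastError(), but SetSecurityInfo reports failure through its return value, so that branch may format an unrelated error code; store the return value and pass it to g_win32_error_message() instead. The version test also appears to accept 5.2 through `LOWORD (...) > 0x0105`, where integrity labels are presumably not available, and `LOBYTE (g_win32_get_windows_version ()) >= 0x06` would state "Vista or later" directly.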
diff --git a/gtk/controller/win32-util.h b/gtk/controller/win32-util.h
new file mode 100644
index 0000000..b24ac77
--- /dev/null
+++ b/gtk/controller/win32-util.h
@@ -0,0 +1,30 @@
+/*
+ Copyright (C) 2012 Red Hat, Inc.
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+#ifndef __WIN32_UTIL_H__
+#define __WIN32_UTIL_H__
+
+#include <gio/gio.h>
+#include "namedpipe.h"
+
+G_BEGIN_DECLS
+
+gboolean spice_win32_set_low_integrity (void* handle, GError **error);
+SpiceNamedPipe* spice_win32_user_pipe_new (gchar *name, GError **error);
+
+G_END_DECLS
+
+#endif /* __WIN32_UTIL_H__ */
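Review bot: Neither prototype documents its security effect, and spice_win32_set_low_integrity deliberately widens access to the handle, so the header should say so. A comment such as `/* Applies the "S:(ML;;NW;;;LW)" mandatory label to @handle so that low-integrity processes may write to it; returns FALSE and sets @error on failure */` above that declaration would make the trade-off visible to callers. As a style point, `name` is only passed through to CreateNamedPipe in the visible implementation, so `const gchar *name` would match the `const gchar *address` the listeners receive. The include guard `__WIN32_UTIL_H__` uses a double underscore, which C reserves for the implementation; `SPICE_WIN32_UTIL_H` avoids that.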