[Spice-devel] [PATCH spice-gtk 1/2] controller/win32: allow ActiveX connection on untrusted website

Marc-André Lureau marcandre.lureau at gmail.com
Wed Oct 24 10:45:15 PDT 2012


Set low integrity on named-pipes.

This bug was originally resolved as:
https://bugzilla.redhat.com/show_bug.cgi?id=668980

Fixes regression:
https://bugzilla.redhat.com/show_bug.cgi?id=844461
---
 gtk/controller/Makefile.am                   |   2 +
 gtk/controller/spice-controller-listener.c   |   3 +-
 gtk/controller/spice-foreign-menu-listener.c |   3 +-
 gtk/controller/win32-util.c                  | 111 +++++++++++++++++++++++++++
 gtk/controller/win32-util.h                  |  30 ++++++++
 5 files changed, 147 insertions(+), 2 deletions(-)
 create mode 100644 gtk/controller/win32-util.c
 create mode 100644 gtk/controller/win32-util.h

diff --git a/gtk/controller/Makefile.am b/gtk/controller/Makefile.am
index 7bfa51b..f2abf93 100644
--- a/gtk/controller/Makefile.am
+++ b/gtk/controller/Makefile.am
@@ -56,6 +56,8 @@ libspice_controller_la_SOURCES +=		\
 	namedpipeconnection.h			\
 	namedpipelistener.c			\
 	namedpipelistener.h			\
+	win32-util.c                            \
+	win32-util.h                            \
 	$(NULL)
 endif
 libspice_controller_la_LDFLAGS =		\
diff --git a/gtk/controller/spice-controller-listener.c b/gtk/controller/spice-controller-listener.c
index da1121e..0189848 100644
--- a/gtk/controller/spice-controller-listener.c
+++ b/gtk/controller/spice-controller-listener.c
@@ -25,6 +25,7 @@
 #include <windows.h>
 #include "namedpipe.h"
 #include "namedpipelistener.h"
+#include "win32-util.h"
 #endif
 
 #ifdef G_OS_UNIX
@@ -89,7 +90,7 @@ spice_controller_listener_new (const gchar *address, GError **error)
 
         listener = G_OBJECT (spice_named_pipe_listener_new ());
 
-        np = spice_named_pipe_new (addr, error);
+        np = spice_win32_user_pipe_new (addr, error);
         if (!np) {
             g_object_unref (listener);
             listener = NULL;
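Review bot: Nothing at this call site records that the controller pipe is now writable by low-integrity processes, which is what the `S:(ML;;NW;;;LW)` label applied in `spice_win32_user_pipe_new` permits; the identical change in `spice_foreign_menu_listener_new` has the same gap. A comment such as `/* pipe carries a low-integrity label: peers may be sandboxed browser processes, treat every message as untrusted */` would make the trust boundary explicit for whoever maintains the message parsers behind these listeners. The pipe is still created with `NULL` security attributes, so the DACL is whatever default applies, and this patch does not show whether that is restrictive enough. The enclosing function starts and ends outside the hunk.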
diff --git a/gtk/controller/spice-foreign-menu-listener.c b/gtk/controller/spice-foreign-menu-listener.c
index 8322a13..6693e21 100644
--- a/gtk/controller/spice-foreign-menu-listener.c
+++ b/gtk/controller/spice-foreign-menu-listener.c
@@ -25,6 +25,7 @@
 #include <windows.h>
 #include "namedpipe.h"
 #include "namedpipelistener.h"
+#include "win32-util.h"
 #endif
 
 #ifdef G_OS_UNIX
@@ -91,7 +92,7 @@ spice_foreign_menu_listener_new (const gchar *address, GError **error)
 
         listener = G_OBJECT (spice_named_pipe_listener_new ());
 
-        np = spice_named_pipe_new (addr, error);
+        np = spice_win32_user_pipe_new (addr, error);
         if (!np) {
             g_object_unref (listener);
             listener = NULL;
diff --git a/gtk/controller/win32-util.c b/gtk/controller/win32-util.c
new file mode 100644
index 0000000..4e3ec4c
--- /dev/null
+++ b/gtk/controller/win32-util.c
@@ -0,0 +1,111 @@
+/*
+   Copyright (C) 2012 Red Hat, Inc.
+
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "win32-util.h"
+#include <windows.h>
+#include <sddl.h>
+#include <aclapi.h>
+
+gboolean
+spice_win32_set_low_integrity (void* handle, GError **error)
+{
+    g_return_val_if_fail (handle != NULL, FALSE);
+    g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
+
+    /* see also http://msdn.microsoft.com/en-us/library/bb625960.aspx */
+    PSECURITY_DESCRIPTOR psd = NULL;
+    PACL psacl = NULL;
+    BOOL sacl_present = FALSE;
+    BOOL sacl_defaulted = FALSE;
+    char *emsg;
+    int errsv;
+    gboolean success = FALSE;
+
+    if (!ConvertStringSecurityDescriptorToSecurityDescriptor ("S:(ML;;NW;;;LW)",
+                                                              SDDL_REVISION_1, &psd, NULL))
+        goto failed;
+
+    if (!GetSecurityDescriptorSacl (psd, &sacl_present, &psacl, &sacl_defaulted))
+        goto failed;
+
+    if (SetSecurityInfo (handle, SE_KERNEL_OBJECT, LABEL_SECURITY_INFORMATION,
+                         NULL, NULL, NULL, psacl) != ERROR_SUCCESS)
+        goto failed;
+
+    success = TRUE;
+    goto end;
+
+failed:
+    errsv = GetLastError ();
+    emsg = g_win32_error_message (errsv);
+    g_set_error (error, G_IO_ERROR,
+                 g_io_error_from_win32_error (errsv),
+                 "Error setting integrity: %s",
+                 emsg);
+    g_free (emsg);
+
+end:
+    if (psd != NULL)
+        LocalFree (psd);
+
+    return success;
+}
+#define DEFAULT_PIPE_BUF_SIZE 4096
+
+SpiceNamedPipe*
+spice_win32_user_pipe_new (gchar *name, GError **error)
+{
+    HANDLE pipe;
+    SpiceNamedPipe *np = NULL;
+
+    g_return_val_if_fail (name != NULL, NULL);
+    g_return_val_if_fail (error != NULL, NULL);
+
+    pipe = CreateNamedPipe (name,
+        PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED |
+    /* FIXME: why is FILE_FLAG_FIRST_PIPE_INSTANCE needed for WRITE_DAC
+     * (apparently needed by SetSecurityInfo). This will prevent
+     * multiple pipe listener....?! */
+        FILE_FLAG_FIRST_PIPE_INSTANCE | WRITE_DAC,
+        PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
+        PIPE_UNLIMITED_INSTANCES,
+        DEFAULT_PIPE_BUF_SIZE, DEFAULT_PIPE_BUF_SIZE,
+        0, NULL);
+
+    if (pipe == INVALID_HANDLE_VALUE) {
+        int errsv = GetLastError ();
+        gchar *emsg = g_win32_error_message (errsv);
+
+        g_set_error (error,
+                     G_IO_ERROR,
+                     g_io_error_from_win32_error (errsv),
+                     "Error CreateNamedPipe(): %s",
+                     emsg);
+
+        g_free (emsg);
+        goto end;
+    }
+
+    if (!spice_win32_set_low_integrity (pipe, error))
+        goto end;
+
+    np = SPICE_NAMED_PIPE (g_initable_new (SPICE_TYPE_NAMED_PIPE,
+                                           NULL, error, "handle", pipe, NULL));
+
+end:
+    return np;
+}
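Review bot: In `spice_win32_user_pipe_new` the pipe handle is leaked when `spice_win32_set_low_integrity` fails, because `goto end` returns without closing it; add `CloseHandle (pipe);` before that `goto end`, and check who owns the handle when `g_initable_new` fails, which is not visible here. In `spice_win32_set_low_integrity`, `SetSecurityInfo` reports failure through its return value rather than the thread's last-error code, so the `failed:` path can format a stale `GetLastError ()`; keep the result instead, e.g. `DWORD ret = SetSecurityInfo (...); if (ret != ERROR_SUCCESS) { SetLastError (ret); goto failed; }`. On the FIXME, `FILE_FLAG_FIRST_PIPE_INSTANCE` is worth keeping on its own merits because it makes creation fail when another process already owns the pipe name, and that matters more once the pipe is labelled low integrity. The access right should be checked against Microsoft's SECURITY_INFORMATION table, which as far as I recall lists `WRITE_OWNER`, not `WRITE_DAC`, as the right needed to set a mandatory label.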
diff --git a/gtk/controller/win32-util.h b/gtk/controller/win32-util.h
new file mode 100644
index 0000000..b24ac77
--- /dev/null
+++ b/gtk/controller/win32-util.h
@@ -0,0 +1,30 @@
+/*
+   Copyright (C) 2012 Red Hat, Inc.
+
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+#ifndef __WIN32_UTIL_H__
+#define __WIN32_UTIL_H__
+
+#include <gio/gio.h>
+#include "namedpipe.h"
+
+G_BEGIN_DECLS
+
+gboolean        spice_win32_set_low_integrity (void* handle, GError **error);
+SpiceNamedPipe* spice_win32_user_pipe_new (gchar *name, GError **error);
+
+G_END_DECLS
+
+#endif /* __WIN32_UTIL_H__ */
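Review bot: Both prototypes are exported without documentation, although `spice_win32_set_low_integrity` changes a security property of the object it is given. A short comment above it would help, e.g. `/* Lowers the mandatory integrity label of @handle to Low so that low-integrity processes may write to it; @handle must carry the access right SetSecurityInfo requires. */`. As a matter of style, `gchar *name` could be `const gchar *name` here and in win32-util.c, since the implementation only passes it to `CreateNamedPipe`, and `void* handle` hides that a Win32 `HANDLE` is expected.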
-- 
1.7.11.7


