1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "remoting/host/win/com_security.h"
6
7 #include <objidl.h>
8
9 #include "base/compiler_specific.h"
10 #include "base/logging.h"
11 #include "remoting/host/win/security_descriptor.h"
12
13 namespace remoting {
14
// Sets the process-wide COM security defaults from an SDDL description.
//
// |security_descriptor| and |mandatory_label| are SDDL fragments that are
// concatenated, in that order, and parsed as a single descriptor. Neither
// string is validated here beyond what the SDDL parser rejects, so callers
// are presumably expected to pass trusted, constant SDDL -- TODO confirm
// against the call sites.
//
// When |activate_as_activator| is false, EOAC_DISABLE_AAA is added to the
// capability flags so that activations which would launch a server under this
// process's identity are refused.
//
// Returns true on success. Returns false (after logging) if the SDDL cannot
// be parsed, cannot be converted to absolute form, or CoInitializeSecurity()
// fails.
bool InitializeComSecurity(const std::string& security_descriptor,
                           const std::string& mandatory_label,
                           bool activate_as_activator) {
  // Parse the combined SDDL text. The result is converted to absolute form
  // below, which is the form handed to CoInitializeSecurity().
  std::string combined_sddl = security_descriptor + mandatory_label;
  ScopedSd parsed_sd = ConvertSddlToSd(combined_sddl);
  if (!parsed_sd) {
    PLOG(ERROR) << "Failed to create a security descriptor";
    return false;
  }

  // NOTE(review): the ACL/SID holders below presumably own the buffers the
  // absolute descriptor points at, so they have to stay in scope until
  // CoInitializeSecurity() has returned -- confirm in security_descriptor.h.
  ScopedSd absolute_sd;
  ScopedAcl dacl;
  ScopedSid group;
  ScopedSid owner;
  ScopedAcl sacl;
  const bool converted = MakeScopedAbsoluteSd(parsed_sd, &absolute_sd, &dacl,
                                              &group, &owner, &sacl);
  if (!converted) {
    PLOG(ERROR) << "MakeScopedAbsoluteSd() failed";
    return false;
  }

  // Dynamic cloaking is always requested. Activate-as-activator is turned off
  // unless the caller explicitly asks to keep it.
  const DWORD eoac_flags =
      activate_as_activator ? EOAC_DYNAMIC_CLOAKING
                            : (EOAC_DYNAMIC_CLOAKING | EOAC_DISABLE_AAA);

  // Apply the security descriptor and default security settings. See
  // InitializeComSecurity's declaration for details.
  const HRESULT hr = CoInitializeSecurity(
      absolute_sd.get(),
      -1,       // Let COM choose which authentication services to register.
      nullptr,  // No explicit service list, see above.
      nullptr,  // Reserved, must be nullptr.
      RPC_C_AUTHN_LEVEL_PKT_PRIVACY,  // Authenticate, sign and encrypt calls.
      RPC_C_IMP_LEVEL_IDENTIFY,  // Servers may identify, not act as, us.
      nullptr,  // Default authentication information is not provided.
      eoac_flags,
      nullptr);  // Reserved, must be nullptr.
  if (SUCCEEDED(hr))
    return true;

  // An HRESULT is logged rather than GetLastError(), hence LOG and not PLOG.
  LOG(ERROR) << "CoInitializeSecurity() failed, result=0x"
             << std::hex << hr << std::dec << ".";
  return false;
}
61
62 } // namespace remoting
63