host/win/com_security.cc

// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "remoting/host/win/com_security.h"

#include <objidl.h>

#include "base/compiler_specific.h"
#include "base/logging.h"
#include "remoting/host/win/security_descriptor.h"

namespace remoting {

bool InitializeComSecurity(const std::string& security_descriptor,
                           const std::string& mandatory_label,
                           bool activate_as_activator) {
  std::string sddl = security_descriptor + mandatory_label;

  // Convert the SDDL description into a security descriptor in absolute format.
  ScopedSd relative_sd = ConvertSddlToSd(sddl);
  if (!relative_sd) {
    PLOG(ERROR) << "Failed to create a security descriptor";
    return false;
  }
  ScopedSd absolute_sd;
  ScopedAcl dacl;
  ScopedSid group;
  ScopedSid owner;
  ScopedAcl sacl;
  if (!MakeScopedAbsoluteSd(relative_sd, &absolute_sd, &dacl, &group, &owner,
                            &sacl)) {
    PLOG(ERROR) << "MakeScopedAbsoluteSd() failed";
    return false;
  }

  DWORD capabilities = EOAC_DYNAMIC_CLOAKING;
  if (!activate_as_activator)
    capabilities |= EOAC_DISABLE_AAA;

  // Apply the security descriptor and default security settings. See
  // InitializeComSecurity's declaration for details.
  HRESULT result = CoInitializeSecurity(
      absolute_sd.get(),
      -1,       // Let COM choose which authentication services to register.
      nullptr,     // See above.
      nullptr,     // Reserved, must be nullptr.
      RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
      RPC_C_IMP_LEVEL_IDENTIFY,
      nullptr,     // Default authentication information is not provided.
      capabilities,
      nullptr);    /// Reserved, must be nullptr
  if (FAILED(result)) {
    LOG(ERROR) << "CoInitializeSecurity() failed, result=0x"
               << std::hex << result << std::dec << ".";
    return false;
  }

  return true;
}

} // namespace remoting