Milestone 5: deliver embedded RDP sessions and lifecycle hardening

third_party/FreeRDP/winpr/libwinpr/security/CMakeLists.txt

@@ -0,0 +1,22 @@
+# WinPR: Windows Portable Runtime
+# libwinpr-security cmake build script
+#
+# Copyright 2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+winpr_module_add(security.c)
+
+if(BUILD_TESTING_INTERNAL OR BUILD_TESTING)
+  add_subdirectory(test)
+endif()

third_party/FreeRDP/winpr/libwinpr/security/ModuleOptions.cmake

@@ -0,0 +1,9 @@
+set(MINWIN_LAYER "1")
+set(MINWIN_GROUP "security")
+set(MINWIN_MAJOR_VERSION "2")
+set(MINWIN_MINOR_VERSION "0")
+set(MINWIN_SHORT_NAME "base")
+set(MINWIN_LONG_NAME "Base Security Functions")
+set(MODULE_LIBRARY_NAME
+    "api-ms-win-${MINWIN_GROUP}-${MINWIN_SHORT_NAME}-l${MINWIN_LAYER}-${MINWIN_MAJOR_VERSION}-${MINWIN_MINOR_VERSION}"
+)

third_party/FreeRDP/winpr/libwinpr/security/security.c

@@ -0,0 +1,256 @@
+/**
+ * WinPR: Windows Portable Runtime
+ * Base Security Functions
+ *
+ * Copyright 2013 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <winpr/config.h>
+
+#include <winpr/crt.h>
+
+#ifdef WINPR_HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include <winpr/security.h>
+
+#include "../handle/handle.h"
+
+/**
+ * api-ms-win-security-base-l1-2-0.dll:
+ *
+ * AccessCheck
+ * AccessCheckAndAuditAlarmW
+ * AccessCheckByType
+ * AccessCheckByTypeAndAuditAlarmW
+ * AccessCheckByTypeResultList
+ * AccessCheckByTypeResultListAndAuditAlarmByHandleW
+ * AccessCheckByTypeResultListAndAuditAlarmW
+ * AddAccessAllowedAce
+ * AddAccessAllowedAceEx
+ * AddAccessAllowedObjectAce
+ * AddAccessDeniedAce
+ * AddAccessDeniedAceEx
+ * AddAccessDeniedObjectAce
+ * AddAce
+ * AddAuditAccessAce
+ * AddAuditAccessAceEx
+ * AddAuditAccessObjectAce
+ * AddMandatoryAce
+ * AddResourceAttributeAce
+ * AddScopedPolicyIDAce
+ * AdjustTokenGroups
+ * AdjustTokenPrivileges
+ * AllocateAndInitializeSid
+ * AllocateLocallyUniqueId
+ * AreAllAccessesGranted
+ * AreAnyAccessesGranted
+ * CheckTokenCapability
+ * CheckTokenMembership
+ * CheckTokenMembershipEx
+ * ConvertToAutoInheritPrivateObjectSecurity
+ * CopySid
+ * CreatePrivateObjectSecurity
+ * CreatePrivateObjectSecurityEx
+ * CreatePrivateObjectSecurityWithMultipleInheritance
+ * CreateRestrictedToken
+ * CreateWellKnownSid
+ * DeleteAce
+ * DestroyPrivateObjectSecurity
+ * DuplicateToken
+ * DuplicateTokenEx
+ * EqualDomainSid
+ * EqualPrefixSid
+ * EqualSid
+ * FindFirstFreeAce
+ * FreeSid
+ * GetAce
+ * GetAclInformation
+ * GetAppContainerAce
+ * GetCachedSigningLevel
+ * GetFileSecurityW
+ * GetKernelObjectSecurity
+ * GetLengthSid
+ * GetPrivateObjectSecurity
+ * GetSidIdentifierAuthority
+ * GetSidLengthRequired
+ * GetSidSubAuthority
+ * GetSidSubAuthorityCount
+ * GetTokenInformation
+ * GetWindowsAccountDomainSid
+ * ImpersonateAnonymousToken
+ * ImpersonateLoggedOnUser
+ * ImpersonateSelf
+ * InitializeAcl
+ * InitializeSid
+ * IsTokenRestricted
+ * IsValidAcl
+ * IsValidSid
+ * IsWellKnownSid
+ * MakeAbsoluteSD
+ * MakeSelfRelativeSD
+ * MapGenericMask
+ * ObjectCloseAuditAlarmW
+ * ObjectDeleteAuditAlarmW
+ * ObjectOpenAuditAlarmW
+ * ObjectPrivilegeAuditAlarmW
+ * PrivilegeCheck
+ * PrivilegedServiceAuditAlarmW
+ * QuerySecurityAccessMask
+ * RevertToSelf
+ * SetAclInformation
+ * SetCachedSigningLevel
+ * SetFileSecurityW
+ * SetKernelObjectSecurity
+ * SetPrivateObjectSecurity
+ * SetPrivateObjectSecurityEx
+ * SetSecurityAccessMask
+ * SetTokenInformation
+ */
+
+#ifndef _WIN32
+#include <winpr/wlog.h>
+#include "security.h"
+
+BOOL InitializeSecurityDescriptor(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                                  WINPR_ATTR_UNUSED DWORD dwRevision)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+DWORD GetSecurityDescriptorLength(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return 0;
+}
+
+BOOL IsValidSecurityDescriptor(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+BOOL GetSecurityDescriptorControl(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                                  WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR_CONTROL pControl,
+                                  WINPR_ATTR_UNUSED LPDWORD lpdwRevision)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+BOOL SetSecurityDescriptorControl(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                                  WINPR_ATTR_UNUSED SECURITY_DESCRIPTOR_CONTROL
+                                      ControlBitsOfInterest,
+                                  WINPR_ATTR_UNUSED SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+BOOL GetSecurityDescriptorDacl(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                               WINPR_ATTR_UNUSED LPBOOL lpbDaclPresent,
+                               WINPR_ATTR_UNUSED PACL* pDacl,
+                               WINPR_ATTR_UNUSED LPBOOL lpbDaclDefaulted)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+BOOL SetSecurityDescriptorDacl(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                               WINPR_ATTR_UNUSED BOOL bDaclPresent, WINPR_ATTR_UNUSED PACL pDacl,
+                               WINPR_ATTR_UNUSED BOOL bDaclDefaulted)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+BOOL GetSecurityDescriptorGroup(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                                WINPR_ATTR_UNUSED PSID* pGroup,
+                                WINPR_ATTR_UNUSED LPBOOL lpbGroupDefaulted)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+BOOL SetSecurityDescriptorGroup(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                                WINPR_ATTR_UNUSED PSID pGroup,
+                                WINPR_ATTR_UNUSED BOOL bGroupDefaulted)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+BOOL GetSecurityDescriptorOwner(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                                WINPR_ATTR_UNUSED PSID* pOwner,
+                                WINPR_ATTR_UNUSED LPBOOL lpbOwnerDefaulted)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+BOOL SetSecurityDescriptorOwner(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                                WINPR_ATTR_UNUSED PSID pOwner,
+                                WINPR_ATTR_UNUSED BOOL bOwnerDefaulted)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+DWORD GetSecurityDescriptorRMControl(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR SecurityDescriptor,
+                                     WINPR_ATTR_UNUSED PUCHAR RMControl)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return 0;
+}
+
+DWORD SetSecurityDescriptorRMControl(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR SecurityDescriptor,
+                                     WINPR_ATTR_UNUSED PUCHAR RMControl)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return 0;
+}
+
+BOOL GetSecurityDescriptorSacl(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                               WINPR_ATTR_UNUSED LPBOOL lpbSaclPresent,
+                               WINPR_ATTR_UNUSED PACL* pSacl,
+                               WINPR_ATTR_UNUSED LPBOOL lpbSaclDefaulted)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+BOOL SetSecurityDescriptorSacl(WINPR_ATTR_UNUSED PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                               WINPR_ATTR_UNUSED BOOL bSaclPresent, WINPR_ATTR_UNUSED PACL pSacl,
+                               WINPR_ATTR_UNUSED BOOL bSaclDefaulted)
+{
+	WLog_ERR("TODO", "TODO: Implement");
+	return TRUE;
+}
+
+#endif
+
+BOOL AccessTokenIsValid(HANDLE handle)
+{
+	WINPR_HANDLE* h = (WINPR_HANDLE*)handle;
+
+	if (!h || (h->Type != HANDLE_TYPE_ACCESS_TOKEN))
+	{
+		SetLastError(ERROR_INVALID_PARAMETER);
+		return FALSE;
+	}
+	return TRUE;
+}

third_party/FreeRDP/winpr/libwinpr/security/security.h

@@ -0,0 +1,45 @@
+/**
+ * WinPR: Windows Portable Runtime
+ * Base Security Functions
+ *
+ * Copyright 2013 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef WINPR_SECURITY_PRIVATE_H
+#define WINPR_SECURITY_PRIVATE_H
+
+#ifndef _WIN32
+
+#include <winpr/security.h>
+
+#include "../handle/handle.h"
+
+struct winpr_access_token
+{
+	WINPR_HANDLE common;
+
+	LPSTR Username;
+	LPSTR Domain;
+
+	DWORD UserId;
+	DWORD GroupId;
+};
+typedef struct winpr_access_token WINPR_ACCESS_TOKEN;
+
+BOOL AccessTokenIsValid(HANDLE handle);
+
+#endif
+
+#endif /* WINPR_SECURITY_PRIVATE_H */

third_party/FreeRDP/winpr/libwinpr/security/test/CMakeLists.txt

@@ -0,0 +1,21 @@
+set(MODULE_NAME "TestSecurity")
+set(MODULE_PREFIX "TEST_SECURITY")
+
+disable_warnings_for_directory(${CMAKE_CURRENT_BINARY_DIR})
+
+set(${MODULE_PREFIX}_DRIVER ${MODULE_NAME}.c)
+
+set(${MODULE_PREFIX}_TESTS TestSecurityToken.c)
+
+create_test_sourcelist(${MODULE_PREFIX}_SRCS ${${MODULE_PREFIX}_DRIVER} ${${MODULE_PREFIX}_TESTS})
+
+add_executable(${MODULE_NAME} ${${MODULE_PREFIX}_SRCS})
+
+set_target_properties(${MODULE_NAME} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${TESTING_OUTPUT_DIRECTORY}")
+
+foreach(test ${${MODULE_PREFIX}_TESTS})
+  get_filename_component(TestName ${test} NAME_WE)
+  add_test(${TestName} ${TESTING_OUTPUT_DIRECTORY}/${MODULE_NAME} ${TestName})
+endforeach()
+
+set_property(TARGET ${MODULE_NAME} PROPERTY FOLDER "WinPR/Test")

third_party/FreeRDP/winpr/libwinpr/security/test/TestSecurityToken.c

@@ -0,0 +1,9 @@
+
+#include <winpr/crt.h>
+#include <winpr/tchar.h>
+#include <winpr/security.h>
+
+int TestSecurityToken(int argc, char* argv[])
+{
+	return 0;
+}