Add chrome_cleaner sandboxed engine Mojo interfaces

R=wfh Bug: 830892 Change-Id: I0a4b25b2ba04b65a80e2c03e9151b5ef55912432 Reviewed-on: https://chromium-review.googlesource.com/1171737 Commit-Queue: Joe Mason <joenotcharles@chromium.org> Reviewed-by: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#585025}

Add chrome_cleaner sandboxed engine Mojo interfaces
R=wfh Bug: 830892 Change-Id: I0a4b25b2ba04b65a80e2c03e9151b5ef55912432 Reviewed-on: https://chromium-review.googlesource.com/1171737 Commit-Queue: Joe Mason <joenotcharles@chromium.org> Reviewed-by: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#585025}
0a12bc8f · Joe Mason · Commit Bot · 5d58a97a · 0a12bc8f · 0a12bc8f
Commit 0a12bc8f authored Aug 22, 2018 by Joe Mason Committed by Commit Bot Aug 22, 2018
9 changed files
--- a/chrome/chrome_cleaner/interfaces/BUILD.gn
+++ b/chrome/chrome_cleaner/interfaces/BUILD.gn
+# Copyright 2018 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+import("//mojo/public/tools/bindings/mojom.gni")
+mojom("engine_sandbox_interface") {
+  sources = [
+    "cleaner_engine_requests.mojom",
+    "engine_file_requests.mojom",
+    "engine_requests.mojom",
+    "engine_sandbox.mojom",
+    "pup.mojom",
+    "string16_embedded_nulls.mojom",
+    "windows_handle.mojom",
+  ]
+  deps = [
+    "//components/chrome_cleaner/public/interfaces:interfaces",
+    "//mojo/public/mojom/base",
+  ]
+}
--- a/chrome/chrome_cleaner/interfaces/OWNERS
+++ b/chrome/chrome_cleaner/interfaces/OWNERS
+per-file *.mojom=set noparent
+per-file *.mojom=file://ipc/SECURITY_OWNERS
--- a/chrome/chrome_cleaner/interfaces/cleaner_engine_requests.mojom
+++ b/chrome/chrome_cleaner/interfaces/cleaner_engine_requests.mojom
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+module chrome_cleaner.mojom;
+import "chrome/chrome_cleaner/interfaces/string16_embedded_nulls.mojom";
+import "components/chrome_cleaner/public/interfaces/chrome_prompt.mojom";
+import "mojo/public/mojom/base/string16.mojom";
+// Passes requests that can mutate the system from the low-privilege sandbox
+// target process to the high-privilege broker process. It is implemented in
+// CleanerEngineRequestsImpl in engines/broker.
+//
+// This interface is only used when in cleaning mode, in which case the broker
+// process runs with administrator privileges, so the parameters of each method
+// must be carefully validated to ensure that the requests are safe.
+interface CleanerEngineRequests {
+  // Attempts to deletes the given file, applying some basic checks to ensure
+  // the file is safe to delete.
+  SandboxDeleteFile(FilePath file_name) => (bool result);
+  // Schedules the given file for post-reboot removal, applying some basic
+  // checks to ensure the file is safe to delete.
+  SandboxDeleteFilePostReboot(FilePath file_name) => (bool result);
+  // Deletes the given registry key. |key| may contain null characters.
+  SandboxNtDeleteRegistryKey(String16EmbeddedNulls key) => (bool result);
+  // Deletes the given value for the given registry key. |key| and |key_name|
+  // may contain null characters.
+  SandboxNtDeleteRegistryValue(String16EmbeddedNulls key,
+                               String16EmbeddedNulls value_name)
+    => (bool result);
+  // Updates the value of the given key's value to |new_value|.
+  // |new_value| must be a subset of the existing value. This is intended to be
+  // used to delete parts of a value, not to set a new value.
+  SandboxNtChangeRegistryValue(String16EmbeddedNulls key,
+                               String16EmbeddedNulls value_name,
+                               String16EmbeddedNulls new_value)
+    => (bool result);
+  // Deletes the given service.
+  SandboxDeleteService(mojo_base.mojom.String16 name) => (bool result);
+  // Deletes the given task.
+  SandboxDeleteTask(mojo_base.mojom.String16 name) => (bool result);
+  // Terminates the given process.
+  // The broker process can't be terminated.
+  SandboxTerminateProcess(uint32 process_id) => (bool result);
+};
--- a/chrome/chrome_cleaner/interfaces/engine_file_requests.mojom
+++ b/chrome/chrome_cleaner/interfaces/engine_file_requests.mojom
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+module chrome_cleaner.mojom;
+import "components/chrome_cleaner/public/interfaces/chrome_prompt.mojom";
+// Handles returned by FindFirstFile aren't real handles, so we can't pass them
+// through mojo as handles, since they can't be duplicated.
+struct FindHandle {
+  int64 find_handle;
+};
+struct FindFileData {
+  array<uint8> data;
+};
+// Passes file handling requests from the low-privilege sandbox target process
+// to the high-privilege broker process. It is implemented in
+// EngineFileRequestsImpl in engines/broker.
+//
+// This interface is used in scanning and cleaning mode, and when initializing
+// the engine (which may need to load auxiliary file resources.)
+interface EngineFileRequests {
+  // Calls ::FindFirstFile for the given path, returning the results from
+  // ::FindFirstFile.
+  SandboxFindFirstFile(FilePath file_name) =>
+    (uint32 result, FindFileData win32_find_data, FindHandle find_handle);
+  // Calls ::FindNextFile for the given handle, returning the results from
+  // ::FindNextFile.
+  SandboxFindNextFile(FindHandle find_handle) =>
+    (uint32 result, FindFileData win32_find_data);
+  // Calls ::FindClose on the given handle, returning the results from
+  // ::FindClose.
+  SandboxFindClose(FindHandle find_handle) => (uint32 result);
+  // Returns a read-only file handle for the given file. The only acceptable
+  // values for |dwFlagsAndAttributes| are FILE_FLAG_NO_BUFFERING,
+  // FILE_FLAG_SEQUENTIAL_SCAN, FILE_FLAG_RANDOM_ACCESS, and
+  // FILE_FLAG_OPEN_REPARSE_POINT.
+  SandboxOpenReadOnlyFile(FilePath file_name, uint32 dwFlagsAndAttributes) =>
+    (handle result);
+};
--- a/chrome/chrome_cleaner/interfaces/engine_requests.mojom
+++ b/chrome/chrome_cleaner/interfaces/engine_requests.mojom
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+module chrome_cleaner.mojom;
+import "chrome/chrome_cleaner/interfaces/string16_embedded_nulls.mojom";
+import "chrome/chrome_cleaner/interfaces/windows_handle.mojom";
+import "components/chrome_cleaner/public/interfaces/chrome_prompt.mojom";
+import "mojo/public/mojom/base/process_id.mojom";
+import "mojo/public/mojom/base/string16.mojom";
+enum KnownFolder {
+  kWindows = 0,
+  kProgramFiles = 1,
+  kProgramFilesX86 = 2,
+  kAppData = 3,
+};
+struct StringSid {
+  mojo_base.mojom.String16 value;
+};
+struct ScheduledTaskAction {
+  FilePath path;
+  FilePath working_dir;
+  mojo_base.mojom.String16 arguments;
+};
+struct ScheduledTask {
+  mojo_base.mojom.String16 name;
+  mojo_base.mojom.String16 description;
+  array<ScheduledTaskAction> actions;
+};
+struct UserInformation {
+  mojo_base.mojom.String16 name;
+  mojo_base.mojom.String16 domain;
+  // User account type (SID_NAME_USE). See
+  // https://msdn.microsoft.com/en-us/library/windows/desktop/aa379601(v=vs.85).aspx
+  uint32 account_type;
+};
+// Passes requests that do not mutate the system from the low-privilege sandbox
+// target process to the high-privilege broker process. It is implemented in
+// EngineRequestsImpl in engines/broker.
+//
+// This interface is used in scanning and cleaning mode.
+interface EngineRequests {
+  // Converts the given KnownFolder Id to its folder path.
+  SandboxGetKnownFolderPath(KnownFolder folder_id) =>
+    (bool result, FilePath folder_path);
+  // Gets all of the processes currently running on the machine.
+  SandboxGetProcesses() =>
+      (bool result, array<mojo_base.mojom.ProcessId> processes);
+  // Gets all the tasks on the system.
+  SandboxGetTasks() => (bool result, array<ScheduledTask> tasks);
+  // Returns the path to the executable of the given process.
+  SandboxGetProcessImagePath(mojo_base.mojom.ProcessId pid) =>
+    (bool result, FilePath image_path);
+  // Gets all of the modules loaded into memory for the given process.
+  SandboxGetLoadedModules(mojo_base.mojom.ProcessId pid) =>
+    (bool result, array<mojo_base.mojom.String16> modules);
+  // Gets the command line for the given process.
+  SandboxGetProcessCommandLine(mojo_base.mojom.ProcessId pid) =>
+    (bool result, mojo_base.mojom.String16 command_line);
+  // Gets the given UserInformation values for |sid|.
+  SandboxGetUserInfoFromSID(StringSid sid) => (bool result,
+                                               UserInformation user_info);
+  // Gets a read-only registry key handle to the given key.
+  // |dw_access| may specify KEY_WOW64_32KEY or KEY_WOW64_64KEY. |root_key| must
+  // be non-null, and |sub_key| can't have any null characters.
+  SandboxOpenReadOnlyRegistry(WindowsHandle root_key,
+          mojo_base.mojom.String16 sub_key, uint32 dw_access) =>
+    (uint32 result, WindowsHandle reg_handle);
+  // Gets a read-only registry key handle to the given key.
+  // |dw_access| may not specify KEY_WOW64_32KEY or KEY_WOW64_64KEY.
+  // ||root_key| may be null, and |sub_key| may have null characters.
+  SandboxNtOpenReadOnlyRegistry(WindowsHandle root_key,
+                                String16EmbeddedNulls sub_key,
+                                uint32 dw_access) =>
+    (uint32 result, WindowsHandle reg_handle);
+};
--- a/chrome/chrome_cleaner/interfaces/engine_sandbox.mojom
+++ b/chrome/chrome_cleaner/interfaces/engine_sandbox.mojom
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+module chrome_cleaner.mojom;
+import "chrome/chrome_cleaner/interfaces/cleaner_engine_requests.mojom";
+import "chrome/chrome_cleaner/interfaces/engine_requests.mojom";
+import "chrome/chrome_cleaner/interfaces/engine_file_requests.mojom";
+import "chrome/chrome_cleaner/interfaces/pup.mojom";
+import "components/chrome_cleaner/public/interfaces/chrome_prompt.mojom";
+// All result_code parameters and return values in these interfaces correspond
+// to ESETResultCode values for the ESET engine, and to
+// EngineOperationStatus::ResultCode values the Urza engine.
+// This interface passes scan results back from the target process to the
+// broker process.
+interface EngineScanResults {
+  // Called zero or more times with details of UwS.
+  FoundUwS(uint32 pup_id, PUP pup);
+  // Called exactly once, after any calls to FoundUwS.
+  Done(uint32 result_code);
+};
+// This interface passes cleanup results back from the target process to the
+// broker process.
+interface EngineCleanupResults {
+  // Called once the cleaner has finished cleaning.
+  Done(uint32 result_code);
+};
+// This interface connects the sandbox broker process to the sandbox target
+// process, which implements the interface using functions declared in
+// third_party/eset_lib/src/api/eset_cleaner.h.
+interface EngineCommands {
+  // Runs the engine's initialization routine.
+  Initialize(associated EngineFileRequests file_requests,
+             FilePath log_directory) => (uint32 result_code);
+  // Starts scanning the user's system.
+  // |enabled_uws| contains a list of UwS IDs to scan for.
+  // |enabled_trace_locations| is a list of trace locations, to which scanning
+  // should be limited.
+  // |include_details| is true if the results should include full details of
+  // each UwS found, false if the results should include only the ID.
+  // |results| is an interface which will be used to return results:
+  // FoundUwS will be called 0 or more times with details of the UwS found,
+  // followed by exactly one call to Done.
+  //
+  // If the scan request returns an error immediately, that error is returned
+  // and |results| is not used. Otherwise a success result code is returned and
+  // any further errors will be reported by calling Done on the |results|
+  // interface.
+  StartScan(array<uint32> enabled_uws,
+            array<TraceLocation> enabled_trace_locations,
+            bool include_details,
+            associated EngineFileRequests file_requests,
+            associated EngineRequests sandboxed_engine_requests,
+            associated EngineScanResults results) => (uint32 result_code);
+  // Starts cleaning up the user's system. |enabled_uws| contains a list of UwS
+  // IDs to cleanup.
+  //
+  // If the cleanup request returns an error immediately, that error is returned
+  // and |results| is not used. Otherwise a success result code is returned and
+  // any further errors will be reported by calling Done on the |results|
+  // interface.
+  StartCleanup(array<uint32> enabled_uws,
+               associated EngineFileRequests file_requests,
+               associated EngineRequests sandboxed_engine_requests,
+               associated CleanerEngineRequests
+                 sandboxed_cleaner_engine_requests,
+               associated EngineCleanupResults results) => (uint32 result_code);
+  // Runs the engine's finalization routine.
+  Finalize() => (uint32 result_code);
+};
--- a/chrome/chrome_cleaner/interfaces/pup.mojom
+++ b/chrome/chrome_cleaner/interfaces/pup.mojom
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+module chrome_cleaner.mojom;
+import "chrome/chrome_cleaner/interfaces/string16_embedded_nulls.mojom";
+import "chrome/chrome_cleaner/interfaces/windows_handle.mojom";
+import "components/chrome_cleaner/public/interfaces/chrome_prompt.mojom";
+import "mojo/public/mojom/base/string16.mojom";
+// Source:
+//   https://msdn.microsoft.com/en-us/library/windows/desktop/aa384129.aspx
+enum Wow64Access {
+  kNone = 0,
+  // KEY_WOW64_64KEY
+  k64Key = 0x0100,
+  // KEY_WOW64_32KEY
+  k32Key = 0x0200,
+};
+// Typemapped to chrome_cleaner::RegKeyPath.
+struct RegKeyPath {
+  WindowsHandle rootkey;
+  // This is only sent by URZA, which currently doesn't support registry paths
+  // with embedded nulls.
+  mojo_base.mojom.String16 subkey;
+  Wow64Access wow64access;
+};
+// Used for reporting detected registry footprints.
+// Typemapped to chrome_cleaner::PUPData::RegistryFootprint.
+struct RegistryFootprint {
+  RegKeyPath key_path;
+  String16EmbeddedNulls value_name;
+  String16EmbeddedNulls value_substring;
+  // An enumerator of chrome_cleaner::RegistryMatchRule.
+  uint32 rule;
+};
+// Typemapped to chrome_cleaner::UwS::TraceLocation enumeration from
+// chrome_cleaner/logging/proto/shared_data.proto.
+// The struct is used here as a work-around to make Mojo check passed values
+// without having to duplicate the enum definition.
+struct TraceLocation {
+  int32 value;
+};
+// Typemapped to chrome_cleaner::PUPData::FileInfo.
+struct FileInfo {
+  array<TraceLocation> found_in;
+};
+// Partially typemapped to chrome_cleaner::PUPData::PUP.
+// UwS signatures are not included.
+struct PUP {
+  array<FilePath> expanded_disk_footprints;
+  array<RegistryFootprint> expanded_registry_footprints;
+  array<mojo_base.mojom.String16> expanded_scheduled_tasks;
+  map<FilePath, FileInfo> disk_footprints_info;
+};
--- a/chrome/chrome_cleaner/interfaces/string16_embedded_nulls.mojom
+++ b/chrome/chrome_cleaner/interfaces/string16_embedded_nulls.mojom
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+module chrome_cleaner.mojom;
+// Typemapped to chrome_cleaner::String16EmbeddedNulls.
+//
+// Note: Mojo doesn't allow sending null arrays over the wire, and the strings
+//       represented by this type can be empty (without a null at the end).
+//       Because of that, represented as a union of either something that is
+//       always empty (NullValue) or a non-empty array of uint16.
+union String16EmbeddedNulls {
+  // The underlying string is a null array (not the same as an empty string,
+  // which has at least one character '\0').
+  NullValue? null_value;
+  // The underlying string is either a null-terminated empty string (size is 1),
+  // or a non-empty string that can be either null-terminated or not.
+  array<uint16> value;
+};
+struct NullValue {
+};
--- a/chrome/chrome_cleaner/interfaces/windows_handle.mojom
+++ b/chrome/chrome_cleaner/interfaces/windows_handle.mojom
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+module chrome_cleaner.mojom;
+enum SpecialWindowsHandle {
+  NULL_HANDLE,
+  INVALID_HANDLE,
+  CLASSES_ROOT,
+  CURRENT_CONFIG,
+  CURRENT_USER,
+  LOCAL_MACHINE,
+  USERS,
+};
+// Mojo's |handle| type passes handles with DUPLICATE_CLOSE_SOURCE. The special
+// handles above can't be closed, so they can't be passed as |handle|. Use a
+// wrapper that puts these in |special_handle| and plain handles in
+// |raw_handle|. Typemapped to HANDLE.
+union WindowsHandle {
+  handle raw_handle;
+  SpecialWindowsHandle special_handle;
+};
+interface TestWindowsHandle {
+  EchoHandle(WindowsHandle in_WindowsHandle) =>
+    (WindowsHandle out_WindowsHandle);
+  EchoRawHandle(handle in_handle) => (handle out_handle);
+};