[MacOs Host] Provide user with a prompt to enable input injection on Mojave

This change is required due to new security restrictions in Mojave. We can no longer inject input w/o being added as an accessibility app in the security applet. While this sounds like a usefulk speedbump, it causes remote access applications quite a bit of trouble: 1.) We don't use the restricted API until a user connects so they cannot approve remotely 2.) The dialog appears to only show up once (regardless of approve/deny status) 3.) Users connecting to a locked machine will never see the dialog This is affecting quite a few CRD users, basically everyone who upgrades to Mojave will experience this one way or another. This is the simplest fix (and easiest to merge) that I could think of to unblock users. The prompt will only be shown on 10.14+ platforms and the request is only shown if the app has not been approved. I'd like to look at the user feedback after releasing this change to see if more work is needed. One problem I anticipate is that the dialog shown doesn't have a lot of context and it refers to the wrapper script (org.chromium.chromoting.me2me.sh) instead of Chrome Remote Desktop. If this is confusing, we can wrap the prompt request in a dialog where we control the text. My concern with checking in the feature first is that the new strings won't be available for merging. Another behavior to call about this impl is that the prompt will be displayed in two instances: 1.) When the host is first started (choosing enable via app/website) 2.) When the user signs in and the host service is started Scenario #2 will have less context but that is the only way to ask for permission for users who upgraded and had CRD installed previously. The dialog is not displayed at the login screen (i.e. when no one is signed in). One last note, there is no way that I can see to specify this permission in the manifest or set up via a script / at install time. It requires a user action to complete. Bug: 901021 Change-Id: I9dd1b24b6d4d083e7e019af32a0da816f6060a86 Reviewed-on: https://chromium-review.googlesource.com/c/1313170 Commit-Queue: Joe Downing <joedow@chromium.org> Reviewed-by: Jamie Walch <jamiewalch@chromium.org> Cr-Commit-Position: refs/heads/master@{#604723}

[MacOs Host] Provide user with a prompt to enable input injection on Mojave
This change is required due to new security restrictions in Mojave. We can no longer inject input w/o being added as an accessibility app in the security applet. While this sounds like a usefulk speedbump, it causes remote access applications quite a bit of trouble: 1.) We don't use the restricted API until a user connects so they cannot approve remotely 2.) The dialog appears to only show up once (regardless of approve/deny status) 3.) Users connecting to a locked machine will never see the dialog This is affecting quite a few CRD users, basically everyone who upgrades to Mojave will experience this one way or another. This is the simplest fix (and easiest to merge) that I could think of to unblock users. The prompt will only be shown on 10.14+ platforms and the request is only shown if the app has not been approved. I'd like to look at the user feedback after releasing this change to see if more work is needed. One problem I anticipate is that the dialog shown doesn't have a lot of context and it refers to the wrapper script (org.chromium.chromoting.me2me.sh) instead of Chrome Remote Desktop. If this is confusing, we can wrap the prompt request in a dialog where we control the text. My concern with checking in the feature first is that the new strings won't be available for merging. Another behavior to call about this impl is that the prompt will be displayed in two instances: 1.) When the host is first started (choosing enable via app/website) 2.) When the user signs in and the host service is started Scenario #2 will have less context but that is the only way to ask for permission for users who upgraded and had CRD installed previously. The dialog is not displayed at the login screen (i.e. when no one is signed in). One last note, there is no way that I can see to specify this permission in the manifest or set up via a script / at install time. It requires a user action to complete. Bug: 901021 Change-Id: I9dd1b24b6d4d083e7e019af32a0da816f6060a86 Reviewed-on: https://chromium-review.googlesource.com/c/1313170 Commit-Queue: Joe Downing <joedow@chromium.org> Reviewed-by: Jamie Walch <jamiewalch@chromium.org> Cr-Commit-Position: refs/heads/master@{#604723}
19b1b85c · Joe Downing · Commit Bot · 2da1ad3e · 19b1b85c · 19b1b85c
Commit 19b1b85c authored Nov 01, 2018 by Joe Downing Committed by Commit Bot Nov 01, 2018
4 changed files
--- a/remoting/host/mac/BUILD.gn
+++ b/remoting/host/mac/BUILD.gn
@@ -73,6 +73,11 @@ target("mac_app_bundle", "remoting_me2me_host") {
  #   defines = [ "REMOTING_ENABLE_BREAKPAD" ]
  # }

+  sources = [
+    "permission_utils.h",
+    "permission_utils.mm",
+  ]
+
  deps = [
    "//remoting/base:breakpad",
    "//remoting/host:main",

--- a/remoting/host/mac/permission_utils.h
+++ b/remoting/host/mac/permission_utils.h
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef REMOTING_HOST_MAC_PERMISSION_UTILS_H_
+#define REMOTING_HOST_MAC_PERMISSION_UTILS_H_
+
+namespace remoting {
+namespace mac {
+
+// Prompts the user to add the current application to the set of trusted
+// Accessibility applications.  This is only required for input injection on
+// 10.14 and later OSes.
+void PromptUserToChangeTrustStateIfNeeded();
+
+}  // namespace mac
+}  // namespace remoting
+
+#endif  // REMOTING_HOST_MAC_PERMISSION_UTILS_H_
--- a/remoting/host/mac/permission_utils.mm
+++ b/remoting/host/mac/permission_utils.mm
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#import "remoting/host/mac/permission_utils.h"
+
+#import <Cocoa/Cocoa.h>
+
+#include "base/logging.h"
+
+namespace remoting {
+namespace mac {
+
+void PromptUserToChangeTrustStateIfNeeded() {
+  // This method will only display a permission prompt if the application is
+  // not trusted.
+  NSDictionary* options = @{(NSString*)kAXTrustedCheckOptionPrompt : @YES };
+  if (!AXIsProcessTrustedWithOptions((CFDictionaryRef)options)) {
+    LOG(WARNING) << "AXIsProcessTrustedWithOptions: App is not trusted";
+  }
+}
+
+}  // namespace mac
+}  // namespace remoting
--- a/remoting/host/remoting_me2me_host.cc
+++ b/remoting/host/remoting_me2me_host.cc
@@ -112,7 +112,9 @@
 #endif  // defined(OS_POSIX)

 #if defined(OS_MACOSX)
+#include "base/mac/mac_util.h"
 #include "base/mac/scoped_cftyperef.h"
+#include "remoting/host/mac/permission_utils.h"
 #endif  // defined(OS_MACOSX)

 #if defined(OS_LINUX)
@@ -1569,6 +1571,19 @@ void HostProcess::StartHost() {
      HostEventLogger::Create(host_->status_monitor(), kApplicationName);
 #endif  // !defined(REMOTING_MULTI_PROCESS)

+#if defined(OS_MACOSX)
+  // Ensure we are not running as root (i.e. at the login screen).
+  DCHECK_NE(getuid(), 0);
+
+  // MacOs 10.14+ requires an addition, runtime permission for injecting input
+  // using CGEventPost (we use this in our input injector for Mac).  This method
+  // will request that the user enable this permission for us if they are on an
+  // affected platform and the permission has not already been approved.
+  if (base::mac::IsAtLeastOS10_14()) {
+    mac::PromptUserToChangeTrustStateIfNeeded();
+  }
+#endif
+
  host_->Start(host_owner_email_);

  CreateAuthenticatorFactory();