Explicitly set file permissions when installing SODA components

This CL updates the SODA component installers to explicitly set the read and execute bit for the BUILTIN\Users group, allowing the speech recognition sandbox to access the component files using a USER_LIMITED token.

Bug: 1111079
Change-Id: I5b92dbe8c68bd79be57010e8da7cbbc24a21e9c1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2573876
Commit-Queue: Evan Liu <evliu@google.com>
Reviewed-by: James Forshaw <forshaw@chromium.org>
Reviewed-by: Sorin Jianu <sorin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#834403}

chrome/browser/component_updater/soda_component_installer.cc

@@ -21,6 +21,12 @@
 #include "crypto/sha2.h"
 #include "media/base/media_switches.h"
 
+#if defined(OS_WIN)
+#include <aclapi.h>
+#include <windows.h>
+#include "sandbox/win/src/sid.h"
+#endif
+
 using content::BrowserThread;
 
 namespace component_updater {
@@ -66,10 +72,42 @@ void SODAComponentInstallerPolicy::UpdateSODAComponentOnDemand() {
       }));
 }
 
-bool SODAComponentInstallerPolicy::VerifyInstallation(
-    const base::DictionaryValue& manifest,
-    const base::FilePath& install_dir) const {
-  return base::PathExists(install_dir.Append(speech::kSodaBinaryRelativePath));
+update_client::CrxInstaller::Result
+SODAComponentInstallerPolicy::SetComponentDirectoryPermission(
+    const base::FilePath& install_dir) {
+#if defined(OS_WIN)
+  sandbox::Sid users_sid = sandbox::Sid(WinBuiltinUsersSid);
+
+  // Initialize an EXPLICIT_ACCESS structure for an ACE.
+  EXPLICIT_ACCESS explicit_access[1] = {};
+  explicit_access[0].grfAccessPermissions = GENERIC_READ | GENERIC_EXECUTE;
+  explicit_access[0].grfAccessMode = GRANT_ACCESS;
+  explicit_access[0].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
+  explicit_access[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+  explicit_access[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+  explicit_access[0].Trustee.ptstrName =
+      reinterpret_cast<LPTSTR>(users_sid.GetPSID());
+
+  PACL acl = nullptr;
+  if (::SetEntriesInAcl(base::size(explicit_access), explicit_access, nullptr,
+                        &acl) != ERROR_SUCCESS) {
+    return update_client::CrxInstaller::Result(
+        update_client::InstallError::SET_PERMISSIONS_FAILED);
+  }
+
+  // Change the security attributes.
+  LPWSTR file_name = const_cast<LPWSTR>(install_dir.value().c_str());
+  bool success = ::SetNamedSecurityInfo(file_name, SE_FILE_OBJECT,
+                                        DACL_SECURITY_INFORMATION, nullptr,
+                                        nullptr, acl, nullptr) == ERROR_SUCCESS;
+  ::LocalFree(acl);
+  if (!success) {
+    return update_client::CrxInstaller::Result(
+        update_client::InstallError::SET_PERMISSIONS_FAILED);
+  }
+#endif
+
+  return update_client::CrxInstaller::Result(update_client::InstallError::NONE);
 }
 
 bool SODAComponentInstallerPolicy::SupportsGroupPolicyEnabledComponentUpdates()
@@ -85,11 +123,18 @@ update_client::CrxInstaller::Result
 SODAComponentInstallerPolicy::OnCustomInstall(
     const base::DictionaryValue& manifest,
     const base::FilePath& install_dir) {
-  return update_client::CrxInstaller::Result(0);  // Nothing custom here.
+  return SODAComponentInstallerPolicy::SetComponentDirectoryPermission(
+      install_dir);
 }
 
 void SODAComponentInstallerPolicy::OnCustomUninstall() {}
 
+bool SODAComponentInstallerPolicy::VerifyInstallation(
+    const base::DictionaryValue& manifest,
+    const base::FilePath& install_dir) const {
+  return base::PathExists(install_dir.Append(speech::kSodaBinaryRelativePath));
+}
+
 void SODAComponentInstallerPolicy::ComponentReady(
     const base::Version& version,
     const base::FilePath& install_dir,

chrome/browser/component_updater/soda_component_installer.h

@@ -29,6 +29,9 @@ class SODAComponentInstallerPolicy : public ComponentInstallerPolicy {
   static const std::string GetExtensionId();
   static void UpdateSODAComponentOnDemand();
 
+  static update_client::CrxInstaller::Result SetComponentDirectoryPermission(
+      const base::FilePath& install_dir);
+
  private:
   FRIEND_TEST_ALL_PREFIXES(SODAComponentInstallerTest,
                            ComponentReady_CallsLambda);

chrome/browser/component_updater/soda_en_us_component_installer.cc

@@ -8,6 +8,7 @@
 #include "base/files/file_util.h"
 #include "build/build_config.h"
 #include "chrome/browser/browser_process.h"
+#include "chrome/browser/component_updater/soda_component_installer.h"
 #include "chrome/common/pref_names.h"
 #include "components/component_updater/component_updater_service.h"
 #include "components/crx_file/id_util.h"
@@ -83,7 +84,8 @@ update_client::CrxInstaller::Result
 SodaEnUsComponentInstallerPolicy::OnCustomInstall(
     const base::DictionaryValue& manifest,
     const base::FilePath& install_dir) {
-  return update_client::CrxInstaller::Result(0);  // Nothing custom here.
+  return SODAComponentInstallerPolicy::SetComponentDirectoryPermission(
+      install_dir);
 }
 
 void SodaEnUsComponentInstallerPolicy::OnCustomUninstall() {}

chrome/browser/component_updater/soda_ja_jp_component_installer.cc

@@ -8,6 +8,7 @@
 #include "base/files/file_util.h"
 #include "build/build_config.h"
 #include "chrome/browser/browser_process.h"
+#include "chrome/browser/component_updater/soda_component_installer.h"
 #include "chrome/common/pref_names.h"
 #include "components/component_updater/component_updater_service.h"
 #include "components/crx_file/id_util.h"
@@ -83,7 +84,8 @@ update_client::CrxInstaller::Result
 SodaJaJpComponentInstallerPolicy::OnCustomInstall(
     const base::DictionaryValue& manifest,
     const base::FilePath& install_dir) {
-  return update_client::CrxInstaller::Result(0);  // Nothing custom here.
+  return SODAComponentInstallerPolicy::SetComponentDirectoryPermission(
+      install_dir);
 }
 
 void SodaJaJpComponentInstallerPolicy::OnCustomUninstall() {}