Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make config1.db readable from AppContainer apps #1080

Merged
merged 1 commit into from
Oct 16, 2024
Merged

Make config1.db readable from AppContainer apps #1080

merged 1 commit into from
Oct 16, 2024

Conversation

yukawa
Copy link
Collaborator

@yukawa yukawa commented Oct 14, 2024
edited
Loading

Description

This attempts to avoid the deadlock issue discussed in #1076.

From what I can observe on Windows 11 23H2 (22631.4317), it looks to be dangerous for us to call File I/O Win32 APIs such as CreateFile from AppContainer processes unless we are confident that the target file/dir is accessible to the AppContainer process. When such an access is not allowed at the ACL level, the debugger shows that Windows.Storage.OneCore.dll tries to forward it to a broker process (e.g. via Windows.Storage.OneCore.dll!BrokeredCreateFile2). The issue is that Windows.Storage.OneCore.dll is a WinRT component, which means that just calling CreateFile() results in dynamically invoking RoInitialize() internally, which can confuse TSF runtime as we have already seen in #856.

To summarize, the safest option is to ensure that the target file/dir is always accessible to AppContainer so that Windows.Storage.OneCore.dll will not be involved if the file/dir is opened with CreateFile() from MozcTip{32,64}.dll.

If this commit is not sufficient to address #1076, we then need to take care of other File I/O APIs such as CreateDirectoryW() and GetFileAttributes().

Issue IDs

#1076.

Steps to test new behaviors

A clear and concise description about how to verify new behaviors.

  • OS: Windows 11 23H2
  • Steps:
    1. Install a previous version of Mozc.
    2. Open the config dialog then update the config. Then save it.
    3. cacls %LOCALAPPDATA%Low\Mozc\config1.db
    4. Create and install Mozc64.msi with this commit to update Mozc.
    5. cacls %LOCALAPPDATA%Low\Mozc\config1.db
  • At the step 3, there is no entry about ALL APPLICATION PACKAGES.
  • At the step 5, there should be an entry about ALL APPLICATION PACKAGES as follows.
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(special access:)
                                                       READ_CONTROL
                                                       SYNCHRONIZE
                                                       FILE_GENERIC_READ
                                                       FILE_READ_DATA
                                                       FILE_READ_EA
                                                       FILE_READ_ATTRIBUTES

Steps to test new behaviors

Not yet confirmed to be a valid fix.

hiroyuki-komatsu
hiroyuki-komatsu reviewed Oct 14, 2024
View reviewed changes
Copy link
Collaborator

@hiroyuki-komatsu hiroyuki-komatsu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi yukawa,
Thank you for your PR.

We appreciate your fix against #1076.

src/base/config_file_stream.cc Outdated Show resolved Hide resolved
src/base/config_file_stream.h Show resolved Hide resolved
src/base/win32/win_sandbox.cc Outdated Show resolved Hide resolved
src/win32/custom_action/custom_action.cc Show resolved Hide resolved
@yukawa yukawa force-pushed the issue_1076_3 branch 3 times, most recently from 6babeef to 353599a Compare October 14, 2024 16:47
@yukawa
Make config1.db readable from AppContainer apps
d1e0ab3 
This attempts to avoid the deadlock issue discussed in google#1076.

Our current hypothesis to explain google#1076 is that "broadFileSystemAccess"
capability given to SearchHost.exe is playing an interesting role.

When TIP DLL calls CreateFileW API to open "config1.db", the process
itself does not have sufficient  permission to open it. Then
"broadFileSystemAccess" capability will take place and

  Windows.Storage.OneCore.dll

will attempts brokered file access after initializing the thread with
RoInitialize() when not yet initialized. If this happens in a certain
situation, TSF runtime gets confused and may start re-initializing Mozc
TIP.

  1. TSF calls back into Mozc TIP
  2. Mozc TIP calls CreateFileW()
  3. The system invokes RoInitialize() before returning from
     CreateFileW()
  4. TSF calls back into Mozc TIP before returning from RoInitialize()
  5. Now Mozc TIP is handling a reentrant callback.

Given that whether the target app has "broadFileSystemAccess" capability
or not is completely out of Mozc TIP's control, the safest option would
be to ensure that the target file/dir is always accessible to
AppContainer processes.

As the first step, this commit makes 'config1.db' readable from
AppContainer processes. There are two cases when the file permission
of 'config1.db' is updated.

 A. When the installer is installing a new version of Mozc.
 B. When 'config1.db' is updated by mozc_server or mozc_tool.

If this commit is not sufficient to address google#1076, we then need to take
care of other cases such as calling GetFileAttributes() against the
user profile directory.
@hiroyuki-komatsu hiroyuki-komatsu merged commit 161849a into google:master Oct 16, 2024
1 check passed
@hiroyuki-komatsu
Copy link
Collaborator

We have merged your PR.
Thank you for your contribution!

@yukawa yukawa deleted the issue_1076_3 branch October 16, 2024 05:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hiroyuki-komatsu hiroyuki-komatsu hiroyuki-komatsu left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@yukawa @hiroyuki-komatsu