From b3bf490434c78b565c369064f371788eaecace35 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Thu, 24 Jun 2021 12:10:12 +0200
Subject: driver: allow admins but require high integrity label

Might be more reasonable.

Signed-off-by: Jason A. Donenfeld
---
 driver/driver.vcxproj | 2 +-
 driver/undocumented.h | 20 ++++++++++++++++++
 driver/wintun.c | 56 ++++++++++++++++++++++++++++++++++++++++++++-------
 3 files changed, 70 insertions(+), 8 deletions(-)

diff --git a/driver/driver.vcxproj b/driver/driver.vcxproj
index 4457db2..915326e 100644
--- a/driver/driver.vcxproj
+++ b/driver/driver.vcxproj
@@ -96,7 +96,7 @@
 NDIS_MINIPORT_DRIVER=1;NDIS620_MINIPORT=1;NDIS683_MINIPORT=1;NDIS_WDM=1;%(PreprocessorDefinitions)
- ndis.lib;wdmsec.lib;%(AdditionalDependencies)
+ ndis.lib;wdmsec.lib;ksecdd.lib;%(AdditionalDependencies)
 sha256
diff --git a/driver/undocumented.h b/driver/undocumented.h
index 199e3c7..7f538b7 100644
--- a/driver/undocumented.h
+++ b/driver/undocumented.h
@@ -44,3 +44,23 @@ NTSYSAPI
 NTSTATUS
 NTAPI
 ZwYieldExecution(VOID);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetSaclSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ BOOLEAN SaclPresent,
+ _In_opt_ PACL Sacl,
+ _In_opt_ BOOLEAN SaclDefaulted);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAddMandatoryAce(
+ _Inout_ PACL Acl,
+ _In_ ULONG AceRevision,
+ _In_ ULONG AceFlags,
+ _In_ PSID Sid,
+ _In_ UCHAR AceType,
+ _In_ ULONG AccessMask);
diff --git a/driver/wintun.c b/driver/wintun.c
index 9d87005..d7e3ef4 100644
--- a/driver/wintun.c
+++ b/driver/wintun.c
@@ -845,28 +845,70 @@ _Use_decl_annotations_ static NTSTATUS
 TunInitializeDispatchSecurityDescriptor(VOID)
 {
 NTSTATUS Status;
- SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
- SID LocalSystem = { 0 };
- if (!NT_SUCCESS(Status = RtlInitializeSid(&LocalSystem, &NtAuthority, 1)))
+ struct
+ {
+ SID Sid;
+ } LocalSystem;
+ struct
+ {
+ SID Sid;
+ ULONG ExtraAuthority;
+ } BuiltinAdministrators;
+ struct
+ {
+ SID Sid;
+ } HighLabel;
+ ULONG SidSize = sizeof(LocalSystem);
+ if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinLocalSystemSid, &LocalSystem.Sid, SidSize, &SidSize)))
+ return Status;
+ SidSize = sizeof(BuiltinAdministrators);
+ if (!NT_SUCCESS(
+ Status = SecLookupWellKnownSid(WinBuiltinAdministratorsSid, &BuiltinAdministrators.Sid, SidSize, &SidSize)))
+ return Status;
+ SidSize = sizeof(HighLabel);
+ if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinHighLabelSid, &HighLabel.Sid, SidSize, &SidSize)))
 return Status;
- *RtlSubAuthoritySid(&LocalSystem, 0) = SECURITY_LOCAL_SYSTEM_RID;
 struct
 {
 ACL Dacl;
- ACCESS_ALLOWED_ACE AceFiller;
- SID SidFiller;
+ ACCESS_ALLOWED_ACE Ace1;
+ SID Sid1;
+ ACCESS_ALLOWED_ACE Ace2;
+ SID Sid2;
 } DaclStorage = { 0 };
+ struct
+ {
+ ACL Sacl;
+ SYSTEM_MANDATORY_LABEL_ACE Ace;
+ SID Sid;
+ } SaclStorage = { 0 };
 if (!NT_SUCCESS(Status = RtlCreateAcl(&DaclStorage.Dacl, sizeof(DaclStorage), ACL_REVISION)))
 return Status;
+ if (!NT_SUCCESS(Status = RtlCreateAcl(&SaclStorage.Sacl, sizeof(SaclStorage), ACL_REVISION)))
+ return Status;
 ACCESS_MASK AccessMask = GENERIC_ALL;
 RtlMapGenericMask(&AccessMask, IoGetFileObjectGenericMapping());
- if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem)))
+ if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem.Sid)))
+ return Status;
+ if (!NT_SUCCESS(
+ Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &BuiltinAdministrators.Sid)))
+ return Status;
+ if (!NT_SUCCESS(RtlAddMandatoryAce(
+ &SaclStorage.Sacl,
+ ACL_REVISION,
+ 0,
+ &HighLabel.Sid,
+ SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ SYSTEM_MANDATORY_LABEL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
+ SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)))
 return Status;
 SECURITY_DESCRIPTOR SecurityDescriptor = { 0 };
 if (!NT_SUCCESS(Status = RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION)))
 return Status;
 if (!NT_SUCCESS(Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, &DaclStorage.Dacl, FALSE)))
 return Status;
+ if (!NT_SUCCESS(Status = RtlSetSaclSecurityDescriptor(&SecurityDescriptor, TRUE, &SaclStorage.Sacl, FALSE)))
+ return Status;
 SecurityDescriptor.Control |= SE_DACL_PROTECTED;
 ULONG RequiredBytes = 0;
 Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, NULL, &RequiredBytes);
--
cgit v1.2.3-59-g8ed1b
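Review bot: The `RtlAddMandatoryAce` check is the only status check in this sequence that does not assign `Status`, so if adding the High-label ACE fails the function returns whatever `Status` held from the preceding successful `RtlAddAccessAllowedAce` call — success — and the caller continues as if the dispatch security descriptor had been built. Change the line to `if (!NT_SUCCESS(Status = RtlAddMandatoryAce(` so the failure propagates like every other call here. Separately, the unchanged `SecurityDescriptor.Control |= SE_DACL_PROTECTED;` now sits next to a freshly added SACL; if the intent is that the label be as immune to inheritance as the DACL, `SE_SACL_PROTECTED` presumably belongs there as well — worth confirming. The function's body continues past the end of the hunk.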