aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOdd Stranne <odd@mullvad.net>2019-03-06 14:58:25 +0100
committerOdd Stranne <odd@mullvad.net>2019-03-07 16:09:13 +0100
commit1d594c4fca411ab8d96a88cb74c49de21e4dd91a (patch)
tree5c37bca905465f7adddb289bc7ac8a39e722eb5c
parentWindows: Fix pipe name (diff)
downloadwireguard-go-os/fix-pipe-name-acl.tar.xz
wireguard-go-os/fix-pipe-name-acl.zip
Windows: Apply strict security descriptor on pipe serveros/fix-pipe-name-acl
Signed-off-by: Odd Stranne <odd@mullvad.net>
-rw-r--r--ipc/uapi_windows.go13
1 files changed, 12 insertions, 1 deletions
diff --git a/ipc/uapi_windows.go b/ipc/uapi_windows.go
index 2249221..246f31c 100644
--- a/ipc/uapi_windows.go
+++ b/ipc/uapi_windows.go
@@ -46,9 +46,20 @@ func (l *UAPIListener) Addr() net.Addr {
return l.listener.Addr()
}
+func GetSystemSecurityDescriptor() string {
+ //
+ // SDDL encoded.
+ //
+ // (system = SECURITY_NT_AUTHORITY | SECURITY_LOCAL_SYSTEM_RID)
+ // owner: system
+ // grant: GENERIC_ALL to system
+ //
+ return "O:SYD:(A;;GA;;;SY)"
+}
+
func UAPIListen(name string) (net.Listener, error) {
config := winio.PipeConfig{
- SecurityDescriptor: "", //TODO: we want this to be a very locked down pipe.
+ SecurityDescriptor: GetSystemSecurityDescriptor(),
}
listener, err := winio.ListenPipe("\\\\.\\pipe\\wireguard_"+name, &config)
if err != nil {