authorJason A. Donenfeld <Jason@zx2c4.com>2019-03-08 01:40:54 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2019-03-08 01:40:54 +0100
commit5c7cc256e39a772dcaeb879bb4371ecb68b3e280 (patch)
treedd70540781d0532722a9689a4481c64d0ce2a1d7 /ipc
parentwintun: Cleanup (diff)
uapi: windows: work out pipe semantics
Pipes can be arranged like this, so that's fine. We also apply a strict SDDL that can't be inherited and only gives access to local system. Developed-with: Odd Stranne <odd@mullvad.net>
Diffstat (limited to 'ipc')
-rw-r--r--ipc/uapi_windows.go4
1 files changed, 2 insertions, 2 deletions
diff --git a/ipc/uapi_windows.go b/ipc/uapi_windows.go
index 209d0d2..158c5a8 100644
--- a/ipc/uapi_windows.go
+++ b/ipc/uapi_windows.go
@@ -48,9 +48,9 @@ func (l *UAPIListener) Addr() net.Addr {
func UAPIListen(name string) (net.Listener, error) {
config := winio.PipeConfig{
- SecurityDescriptor: "", //TODO: we want this to be a very locked down pipe.
+ SecurityDescriptor: "O:SYD:P(A;;GA;;;SY)", /* Local System only, not inheritable */
}
- listener, err := winio.ListenPipe("\\\\.\\pipe\\wireguard\\"+name, &config) //TODO: choose sane name.
+ listener, err := winio.ListenPipe("\\\\.\\pipe\\WireGuard\\"+name, &config)
if err != nil {
return nil, err
}
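Review bot: The SDDL literal on the new `SecurityDescriptor` line is the only access control on this pipe, yet its trailing comment does not say what each field means. I would spell the fields out so a later edit cannot widen it unnoticed, e.g. `// O:SY owner = Local System; D:P protected DACL, no inherited ACEs; (A;;GA;;;SY) allows GENERIC_ALL to Local System only`. With no other ACE present, Administrators and interactive users are denied, so any client presumably has to run as Local System; that is worth stating in a doc comment on UAPIListen. Separately, `name` is still concatenated into the pipe path unchecked, so if it can originate outside the service it should be validated before the `winio.ListenPipe` call. UAPIListen's body continues past the end of this hunk.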