authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-03 17:25:36 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-03 17:25:36 +0200
commitde808bae6a0f80addc05b590f0d4cc66639ff42d (patch)
treeaf1d24ef43a9e04923567a681f5c64702827e33a
parentfirewall: wrap errors because there are lots of syscalls (diff)
downloadwireguard-windows-de808bae6a0f80addc05b590f0d4cc66639ff42d.tar.xz
wireguard-windows-de808bae6a0f80addc05b590f0d4cc66639ff42d.zip
firewall: pass blob of security descriptor instead of raw, and give dacl
-rw-r--r--service/firewall/helpers.go10
-rw-r--r--service/firewall/rules.go19
-rw-r--r--service/firewall/syscall_windows.go3
-rw-r--r--service/firewall/types_windows.go2
-rw-r--r--service/firewall/zsyscall_windows.go29
5 files changed, 33 insertions, 30 deletions
diff --git a/service/firewall/helpers.go b/service/firewall/helpers.go
index 4aea0a19..5945d69a 100644
--- a/service/firewall/helpers.go
+++ b/service/firewall/helpers.go
@@ -7,19 +7,11 @@ package firewall
import (
"fmt"
+ "golang.org/x/sys/windows"
"runtime"
"syscall"
- "unsafe"
-
- "golang.org/x/sys/windows"
)
-func (bb *wtFwpByteBlob) free() {
- if bb != nil {
- fwpmFreeMemory0(unsafe.Pointer(&bb))
- }
-}
-
func (m wtFwpMatchType) String() string {
switch m {
case cFWP_MATCH_EQUAL:
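Review bot: The added import line places `golang.org/x/sys/windows` inside the standard-library group between `fmt` and `runtime`, whereas the removed lines had it in its own group the way goimports lays it out. Keeping the two groups separated (`"runtime"`, `"syscall"`, blank line, `"golang.org/x/sys/windows"`) keeps the file stable under gofmt/goimports and avoids churn on the next formatting pass. Dropping the `free()` method also drops its nil guard, so every remaining direct `fwpmFreeMemory0` call must sit after an error check; the call site visible in this commit does.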
diff --git a/service/firewall/rules.go b/service/firewall/rules.go
index bae78602..b36ed87f 100644
--- a/service/firewall/rules.go
+++ b/service/firewall/rules.go
@@ -109,19 +109,18 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64
return nil
}
-func getCurrentProcessSecurityDescriptor() (uintptr, error) {
+func getCurrentProcessSecurityDescriptor() (*wtFwpByteBlob, error) {
procHandle, err := windows.GetCurrentProcess()
if err != nil {
panic(err)
}
-
- sd := uintptr(0)
- err = getSecurityInfo(procHandle, cSE_KERNEL_OBJECT, 0, nil, nil, nil, nil, &sd)
+ blob := &wtFwpByteBlob{}
+ err = getSecurityInfo(procHandle, cSE_KERNEL_OBJECT, cDACL_SECURITY_INFORMATION, nil, nil, nil, nil, (*uintptr)(unsafe.Pointer(&blob.data)))
if err != nil {
- return 0, wrapErr(err)
+ return nil, wrapErr(err)
}
-
- return sd, nil
+ blob.size = getSecurityDescriptorLength(uintptr(unsafe.Pointer(blob.data)))
+ return blob, nil
}
func getCurrentProcessAppId() (*wtFwpByteBlob, error) {
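Review bot: getCurrentProcessSecurityDescriptor has no comment stating the ownership and format contract its caller now depends on: `blob.data` is memory returned by GetSecurityInfo that must be released with `windows.LocalFree` (not `fwpmFreeMemory0`, which is for FWPM allocations), and the descriptor carries only the DACL because `cDACL_SECURITY_INFORMATION` is the sole SECURITY_INFORMATION flag requested. I would add above the function: `// getCurrentProcessSecurityDescriptor returns the current process's security descriptor (DACL only) as a byte blob; data is allocated by GetSecurityInfo and must be freed by the caller with windows.LocalFree, and size comes from GetSecurityDescriptorLength, which is only defined for a valid self-relative descriptor.` Because this DACL is what the ALE_USER_ID condition elsewhere in the file is matched against, the comment should presumably also record which principals the process DACL is expected to grant access to, so a later change of service account or process ACL does not silently widen the match — the DACL contents cannot be confirmed from this diff. Separately, `getSecurityDescriptorLength` returns an undefined value for an invalid descriptor and the result is never checked; an `if blob.size == 0` guard that frees `blob.data` and returns an error would surface that failure instead of handing back a zero-length blob.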
@@ -153,7 +152,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error {
if err != nil {
return wrapErr(err)
}
- defer appId.free()
+ defer fwpmFreeMemory0(unsafe.Pointer(&appId))
conditions[0] = wtFwpmFilterCondition0{
fieldKey: cFWPM_CONDITION_ALE_APP_ID,
@@ -172,14 +171,14 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error {
if err != nil {
return wrapErr(err)
}
- defer windows.LocalFree(windows.Handle(sd))
+ defer windows.LocalFree(windows.Handle(unsafe.Pointer(sd.data)))
conditions[1] = wtFwpmFilterCondition0{
fieldKey: cFWPM_CONDITION_ALE_USER_ID,
matchType: cFWP_MATCH_EQUAL,
conditionValue: wtFwpConditionValue0{
_type: cFWP_SECURITY_DESCRIPTOR_TYPE,
- value: sd,
+ value: uintptr(unsafe.Pointer(sd)),
},
}
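Review bot: After `value: uintptr(unsafe.Pointer(sd))` the Go-allocated `wtFwpByteBlob` behind `sd` (constructed with `&wtFwpByteBlob{}` in getCurrentProcessSecurityDescriptor) is reachable only through a uintptr, which the garbage collector does not treat as a reference; the deferred `windows.LocalFree(windows.Handle(unsafe.Pointer(sd.data)))` evaluates `sd.data` at defer time and therefore keeps the descriptor bytes alive but not the blob struct itself. If a collection runs between this assignment and the call that submits `conditions` to the filter engine, the condition would point at reclaimed memory; the removed code did not have this exposure because the old `sd` was a LocalAlloc'd address rather than Go memory. Adding `runtime.KeepAlive(sd)` immediately after the `fwpmFilterAdd0` call pins the blob for the duration; `appId` needs no such treatment since `defer fwpmFreeMemory0(unsafe.Pointer(&appId))` holds the variable's address. permitWireGuardService starts and ends outside this hunk and rules.go's import block is not shown, so `runtime` may need to be added to it.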
diff --git a/service/firewall/syscall_windows.go b/service/firewall/syscall_windows.go
index 924c4b82..49c64951 100644
--- a/service/firewall/syscall_windows.go
+++ b/service/firewall/syscall_windows.go
@@ -37,3 +37,6 @@ package firewall
// https://docs.microsoft.com/sv-se/windows/desktop/api/aclapi/nf-aclapi-getsecurityinfo
//sys getSecurityInfo(handle windows.Handle, objectType wtObjectType, si uint32, sidOwner *windows.SID, sidGroup *windows.SID, dacl *uintptr, sacl *uintptr, securityDescriptor *uintptr) (err error) [failretval!=0] = advapi32.GetSecurityInfo
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-getsecuritydescriptorlength
+//sys getSecurityDescriptorLength(securityDescriptor uintptr) (len uint32) = advapi32.GetSecurityDescriptorLength
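Review bot: The new `//sys` line types the descriptor argument as `uintptr`, so callers must convert an `unsafe.Pointer` to `uintptr` outside the `syscall.Syscall` expression, a form the unsafe.Pointer rules only sanction inside the call itself; it is harmless for the LocalAlloc'd descriptor used in this commit but invites a silent bug if a Go-allocated descriptor is ever passed. Declaring it as `//sys getSecurityDescriptorLength(securityDescriptor *byte) (length uint32) = advapi32.GetSecurityDescriptorLength` and passing `blob.data` directly (assuming `wtFwpByteBlob.data` is `*byte`, which this diff does not show) keeps the conversion inside the generated stub, and `length` avoids naming a result after the `len` builtin. zsyscall_windows.go would then need regenerating.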
diff --git a/service/firewall/types_windows.go b/service/firewall/types_windows.go
index 1d28772d..ec933e10 100644
--- a/service/firewall/types_windows.go
+++ b/service/firewall/types_windows.go
@@ -400,6 +400,8 @@ type wtObjectType uint32
const (
cSE_KERNEL_OBJECT wtObjectType = 6
+
+ cDACL_SECURITY_INFORMATION = 4
)
type wtIfType uint32
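Review bot: `cDACL_SECURITY_INFORMATION = 4` is an untyped constant placed inside the block that otherwise defines `wtObjectType` values, with nothing indicating it is a SECURITY_INFORMATION bit rather than an object type. Giving it its own `const` block with the Win32 name and bit form, `cDACL_SECURITY_INFORMATION uint32 = 0x00000004 // DACL_SECURITY_INFORMATION`, makes its role clear and its `uint32` type matches the `si uint32` parameter of getSecurityInfo that consumes it.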
diff --git a/service/firewall/zsyscall_windows.go b/service/firewall/zsyscall_windows.go
index badbacb5..cb461314 100644
--- a/service/firewall/zsyscall_windows.go
+++ b/service/firewall/zsyscall_windows.go
@@ -40,17 +40,18 @@ var (
modfwpuclnt = windows.NewLazySystemDLL("fwpuclnt.dll")
modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
- procFwpmEngineOpen0 = modfwpuclnt.NewProc("FwpmEngineOpen0")
- procFwpmEngineClose0 = modfwpuclnt.NewProc("FwpmEngineClose0")
- procFwpmSubLayerAdd0 = modfwpuclnt.NewProc("FwpmSubLayerAdd0")
- procFwpmGetAppIdFromFileName0 = modfwpuclnt.NewProc("FwpmGetAppIdFromFileName0")
- procFwpmFreeMemory0 = modfwpuclnt.NewProc("FwpmFreeMemory0")
- procFwpmFilterAdd0 = modfwpuclnt.NewProc("FwpmFilterAdd0")
- procFwpmTransactionBegin0 = modfwpuclnt.NewProc("FwpmTransactionBegin0")
- procFwpmTransactionCommit0 = modfwpuclnt.NewProc("FwpmTransactionCommit0")
- procFwpmTransactionAbort0 = modfwpuclnt.NewProc("FwpmTransactionAbort0")
- procFwpmProviderAdd0 = modfwpuclnt.NewProc("FwpmProviderAdd0")
- procGetSecurityInfo = modadvapi32.NewProc("GetSecurityInfo")
+ procFwpmEngineOpen0 = modfwpuclnt.NewProc("FwpmEngineOpen0")
+ procFwpmEngineClose0 = modfwpuclnt.NewProc("FwpmEngineClose0")
+ procFwpmSubLayerAdd0 = modfwpuclnt.NewProc("FwpmSubLayerAdd0")
+ procFwpmGetAppIdFromFileName0 = modfwpuclnt.NewProc("FwpmGetAppIdFromFileName0")
+ procFwpmFreeMemory0 = modfwpuclnt.NewProc("FwpmFreeMemory0")
+ procFwpmFilterAdd0 = modfwpuclnt.NewProc("FwpmFilterAdd0")
+ procFwpmTransactionBegin0 = modfwpuclnt.NewProc("FwpmTransactionBegin0")
+ procFwpmTransactionCommit0 = modfwpuclnt.NewProc("FwpmTransactionCommit0")
+ procFwpmTransactionAbort0 = modfwpuclnt.NewProc("FwpmTransactionAbort0")
+ procFwpmProviderAdd0 = modfwpuclnt.NewProc("FwpmProviderAdd0")
+ procGetSecurityInfo = modadvapi32.NewProc("GetSecurityInfo")
+ procGetSecurityDescriptorLength = modadvapi32.NewProc("GetSecurityDescriptorLength")
)
func fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *wtSecWinntAuthIdentityW, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) {
@@ -177,3 +178,9 @@ func getSecurityInfo(handle windows.Handle, objectType wtObjectType, si uint32,
}
return
}
+
+func getSecurityDescriptorLength(securityDescriptor uintptr) (len uint32) {
+ r0, _, _ := syscall.Syscall(procGetSecurityDescriptorLength.Addr(), 1, uintptr(securityDescriptor), 0, 0)
+ len = uint32(r0)
+ return
+}