author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-04-28 08:27:19 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-04-28 08:43:49 +0200 |
commit | 45245bde0bc81509828990ad1dfb729f32fcd8e5 (patch) | |
tree | 12e1375372adb4b33a7a041b4a599b61e9397b60 | |
parent | ui: use normal line edit in confview (diff) | |
download | wireguard-windows-45245bde0bc81509828990ad1dfb729f32fcd8e5.tar.xz wireguard-windows-45245bde0bc81509828990ad1dfb729f32fcd8e5.zip |
build: backport security attributes helper from 1.13
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r-- | Makefile | 13 | ||||
-rw-r--r-- | build.bat | 16 | ||||
-rw-r--r-- | golang-security-attribute-process-creation.patch | 50 | ||||
-rw-r--r-- | installer/build.bat | 4 |
4 files changed, 71 insertions, 12 deletions
@@ -3,9 +3,11 @@ GOFLAGS := -ldflags="-H windowsgui -s -w" -v WINDRES := x86_64-w64-mingw32-windres export CGO_ENABLED := 1 export GOOS := windows +OLD_GOROOT := $(GOROOT) +export GOROOT := $(PWD)/.deps/goroot rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d)) -SOURCE_FILES := $(call rwildcard,,*.go *.c *.h) +SOURCE_FILES := $(call rwildcard,,*.go *.c *.h) .deps/prepared RESOURCE_FILES := resources.rc manifest.xml ui/icon/icon.ico DEPLOYMENT_HOST ?= winvm @@ -13,6 +15,13 @@ DEPLOYMENT_PATH ?= Desktop all: amd64/wireguard.exe x86/wireguard.exe +.deps/prepared: export GOROOT := $(OLD_GOROOT) +.deps/prepared: $(wildcard golang-*.patch) + rm -rf .deps && mkdir -p .deps + rsync --exclude=pkg/obj/go-build/trim.txt -aq $$(go env GOROOT)/ .deps/goroot + cat $^ | patch -f -N -r- -p1 -d .deps/goroot + touch $@ + resources_amd64.syso: $(RESOURCE_FILES) x86_64-w64-mingw32-windres -i $< -o $@ -O coff @@ -34,6 +43,6 @@ deploy: amd64/wireguard.exe scp $< $(DEPLOYMENT_HOST):$(DEPLOYMENT_PATH) clean: - rm -rf *.syso x86/ amd64/ + rm -rf *.syso x86/ amd64/ .deps .PHONY: deploy clean all 
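Review bot: `.deps/prepared` is re-made only when a `golang-*.patch` file changes, so the toolchain copy that rsync places in `.deps/goroot` goes stale as soon as the host Go installation is upgraded, and every later build keeps compiling with the old patched copy until `make clean`. Nothing in the recipe records which host Go the copy came from, so a comment on the rule, e.g. `# snapshot of the host GOROOT with golang-*.patch applied; re-run make clean after upgrading Go`, or a prerequisite on a file that changes with the host toolchain (such as the `VERSION` file binary Go distributions place at the GOROOT root, looked up before GOROOT is overridden) would make this explicit. Note also that `$(wildcard golang-*.patch)` applies every matching patch here, while build.bat in this same commit applies only the single named file, so a second patch dropped into the tree would take effect on one platform only.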
@@ -15,14 +15,10 @@ if exist .deps\prepared goto :build call :download mingw-x86.zip https://download.wireguard.com/windows-toolchain/distfiles/i686-w64-mingw32-native-20190425.zip 5810b4a9af34c12690ec355ad2a237d2a4c16f5e8cb68988dc0f2e48457534d0 || goto :error rem Mirror of https://musl.cc/x86_64-w64-mingw32-native.zip call :download mingw-amd64.zip https://download.wireguard.com/windows-toolchain/distfiles/x86_64-w64-mingw32-native-20190307.zip 5390762183e181804b28eb13815b6210f85a1280057b815f749b06768215f817 || goto :error - echo [+] Extracting go.zip - tar -xf go.zip || goto :error - echo [+] Extracting mingw-x86.zip - tar -xf mingw-x86.zip || goto :error - echo [+] Extracting mingw-amd64.zip - tar -xf mingw-amd64.zip || goto :error - echo [+] Cleaning up - del go.zip mingw-x86.zip mingw-amd64.zip || goto :error + rem Mirror of https://sourceforge.net/projects/gnuwin32/files/patch/2.5.9-7/patch-2.5.9-7-bin.zip with fixed manifest + call :download patch.zip https://download.wireguard.com/windows-toolchain/distfiles/patch-2.5.9-7-bin-fixed-manifest.zip 25977006ca9713f2662a5d0a2ed3a5a138225b8be3757035bd7da9dcf985d0a1 "--strip-components 1 bin" || goto :error + echo [+] Patching go + .\patch.exe -f -N -r- -d go -p1 --binary < ..\golang-security-attribute-process-creation.patch || goto :error copy /y NUL prepared > NUL || goto :error cd .. || goto :error @@ -60,6 +56,10 @@ if exist .deps\prepared goto :build curl -#fLo %1 %2 || exit /b 1 echo [+] Verifying %1 for /f %%a in ('CertUtil -hashfile %1 SHA256 ^| findstr /r "^[0-9a-f]*$"') do if not "%%a"=="%~3" exit /b 1 + echo [+] Extracting %1 + tar -xf %1 %~4 || exit /b 1 + echo [+] Cleaning up %1 + del %1 || exit /b 1 goto :eof :build_plat diff --git a/golang-security-attribute-process-creation.patch b/golang-security-attribute-process-creation.patch new file mode 100644 index 00000000..8c14e3a4 --- /dev/null +++ b/golang-security-attribute-process-creation.patch 
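Review bot: The `tar -xf` and `del` lines added to the `:download` helper run as soon as the `for /f` hash loop above them finishes, but that loop only fails on a mismatch: if CertUtil prints the hash in a form that `findstr /r "^[0-9a-f]*$"` does not match (some CertUtil versions separate the byte pairs with spaces), the loop has zero iterations and the unverified archive is extracted anyway. A positive check keeps the new lines from running on an unverified download: `set verified=` before the loop, `do if "%%a"=="%~3" set verified=1` as its body, and `if not defined verified exit /b 1` after it. The `:download` helper continues past the hunk, and the `patch.exe` invocation in the first hunk relies on the same verification having actually run.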
@@ -0,0 +1,50 @@
+From 049c8dbfdbdd414359699c215f15764a7aa733b5 Mon Sep 17 00:00:00 2001
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+Date: Sat, 27 Apr 2019 11:45:11 +0200
+Subject: [PATCH] syscall: allow setting security attributes on processes
+
+This allows creating processes that can only be debugged/accessed by
+certain tokens, according to a particular security descriptor. We
+already had everything ready for this but just neglected to pass through
+the value from the user-accessible SysProcAttr.
+
+Change-Id: I4a3fcc9f5078aa0058b26c103355c984093ae03f
+Reviewed-on: https://go-review.googlesource.com/c/go/+/174197
+Run-TryBot: Jason Donenfeld <Jason@zx2c4.com>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
+---
+
+diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go
+index c78bad8..8d6141c 100644
+--- a/src/syscall/exec_windows.go
++++ b/src/syscall/exec_windows.go
+@@ -219,10 +219,12 @@
+ }
+
+ type SysProcAttr struct {
+- HideWindow bool
+- CmdLine string // used if non-empty, else the windows command line is built by escaping the arguments passed to StartProcess
+- CreationFlags uint32
+- Token Token // if set, runs new process in the security context represented by the token
++ HideWindow bool
++ CmdLine string // used if non-empty, else the windows command line is built by escaping the arguments passed to StartProcess
++ CreationFlags uint32
++ Token Token // if set, runs new process in the security context represented by the token
++ ProcessAttributes *SecurityAttributes // if set, applies these security attributes as the descriptor for the new process
++ ThreadAttributes *SecurityAttributes // if set, applies these security attributes as the descriptor for the main thread of the new process
+ }
+
+ var zeroProcAttr ProcAttr
+@@ -323,9 +325,9 @@
+
+ flags := sys.CreationFlags | CREATE_UNICODE_ENVIRONMENT
+ if sys.Token != 0 {
+- err = CreateProcessAsUser(sys.Token, argv0p, argvp, 
nil, nil, true, flags, createEnvBlock(attr.Env), dirp, si, pi) ++ err = CreateProcessAsUser(sys.Token, argv0p, argvp, sys.ProcessAttributes, sys.ThreadAttributes, true, flags, createEnvBlock(attr.Env), dirp, si, pi) + } else { +- err = CreateProcess(argv0p, argvp, nil, nil, true, flags, createEnvBlock(attr.Env), dirp, si, pi) ++ err = CreateProcess(argv0p, argvp, sys.ProcessAttributes, sys.ThreadAttributes, true, flags, createEnvBlock(attr.Env), dirp, si, pi) + } + if err != nil { + return 0, 0, err diff --git a/installer/build.bat b/installer/build.bat index 6e53b66f..c7322857 100644 --- a/installer/build.bat +++ b/installer/build.bat @@ -18,13 +18,13 @@ if exist .deps\prepared goto :build rmdir /s /q .deps 2> NUL mkdir .deps || goto :error cd .deps || goto :error - call :download wix-binaries.zip http://wixtoolset.org/downloads/v3.14.0.2812/wix314-binaries.zip 923892298f37514622c58cbbd9c2cadf2822d9bb53df8ee83aaeb05280777611 || goto :error call :download wintun-x86.msm https://www.wintun.net/builds/wintun-x86-0.1.msm 49b4f142c699d9d04c7506b85dc2ab614c4761643fbb44a68c81de2f6b6ceeb9 || goto :error call :download wintun-amd64.msm https://www.wintun.net/builds/wintun-amd64-0.1.msm d8f2d162f2da067b2266a367e9bb0a5190e437ed596b69bfef92bf41d45cf305 || goto :error + call :download wix-binaries.zip http://wixtoolset.org/downloads/v3.14.0.2812/wix314-binaries.zip 923892298f37514622c58cbbd9c2cadf2822d9bb53df8ee83aaeb05280777611 || goto :error echo [+] Extracting wix-binaries.zip mkdir wix\bin || goto :error tar -xf wix-binaries.zip -C wix\bin || goto :error - echo [+] Cleaning up + echo [+] Cleaning up wix-binaries.zip del wix-binaries.zip || goto :error copy /y NUL prepared > NUL || goto :error cd .. || goto :error |
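Review bot: The doc comments on the new `ProcessAttributes` and `ThreadAttributes` fields describe only the descriptor, but the `SecurityAttributes` they point to also carries `InheritHandle`, which for these two parameters decides whether the process and thread handles returned from CreateProcess/CreateProcessAsUser can be inherited by further child processes; a caller setting a restrictive descriptor would not learn that from the comment. Suggested wording for the first field: `// if set, applies these security attributes (descriptor and InheritHandle) to the new process`, with the same form for ThreadAttributes, plus a remark that the call sites pass the pointer through unchanged and never fill in `Length`, so presumably the caller must set it. The struct and the two call sites are separate hunks of the embedded patch, and the function around the CreateProcess calls starts and ends outside it.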