authorJason A. Donenfeld <Jason@zx2c4.com>2019-04-28 08:27:19 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-04-28 08:43:49 +0200
commit45245bde0bc81509828990ad1dfb729f32fcd8e5 (patch)
tree12e1375372adb4b33a7a041b4a599b61e9397b60
parentui: use normal line edit in confview (diff)
downloadwireguard-windows-45245bde0bc81509828990ad1dfb729f32fcd8e5.tar.xz
wireguard-windows-45245bde0bc81509828990ad1dfb729f32fcd8e5.zip
build: backport security attributes helper from 1.13
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r--Makefile13
-rw-r--r--build.bat16
-rw-r--r--golang-security-attribute-process-creation.patch50
-rw-r--r--installer/build.bat4
4 files changed, 71 insertions, 12 deletions
diff --git a/Makefile b/Makefile
index 23bba17c..c287f30a 100644
--- a/Makefile
+++ b/Makefile
@@ -3,9 +3,11 @@ GOFLAGS := -ldflags="-H windowsgui -s -w" -v
WINDRES := x86_64-w64-mingw32-windres
export CGO_ENABLED := 1
export GOOS := windows
+OLD_GOROOT := $(GOROOT)
+export GOROOT := $(PWD)/.deps/goroot
rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d))
-SOURCE_FILES := $(call rwildcard,,*.go *.c *.h)
+SOURCE_FILES := $(call rwildcard,,*.go *.c *.h) .deps/prepared
RESOURCE_FILES := resources.rc manifest.xml ui/icon/icon.ico
DEPLOYMENT_HOST ?= winvm
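Review bot: `export GOROOT := $(PWD)/.deps/goroot` takes the directory from the inherited `PWD` environment variable rather than from make itself. An invocation such as `make -C <dir>`, or a caller with a stale or unset `PWD`, would point GOROOT away from the patched tree this commit prepares. Since the change exists so that every build uses the patched toolchain, `export GOROOT := $(CURDIR)/.deps/goroot` is the safer spelling. A one-line comment above `OLD_GOROOT` would also help, for example `# host GOROOT, used only to seed .deps/goroot`.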
@@ -13,6 +15,13 @@ DEPLOYMENT_PATH ?= Desktop
all: amd64/wireguard.exe x86/wireguard.exe
+.deps/prepared: export GOROOT := $(OLD_GOROOT)
+.deps/prepared: $(wildcard golang-*.patch)
+ rm -rf .deps && mkdir -p .deps
+ rsync --exclude=pkg/obj/go-build/trim.txt -aq $$(go env GOROOT)/ .deps/goroot
+ cat $^ | patch -f -N -r- -p1 -d .deps/goroot
+ touch $@
+
resources_amd64.syso: $(RESOURCE_FILES)
x86_64-w64-mingw32-windres -i $< -o $@ -O coff
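Review bot: In the `.deps/prepared` recipe, the `rsync` line has no guard for `go env GOROOT` printing nothing. If `go` is missing from PATH or fails, the source argument collapses to `/` and rsync starts copying the root filesystem into `.deps/goroot`. Capturing and checking the value first avoids that: `goroot="$$(go env GOROOT)" && test -n "$$goroot" && rsync --exclude=pkg/obj/go-build/trim.txt -aq "$$goroot/" .deps/goroot`. Separately, the prerequisite `$(wildcard golang-*.patch)` applies any file in the working tree that matches the glob to the toolchain, so an explicit list of patch names would keep the set of toolchain modifications reviewable.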
@@ -34,6 +43,6 @@ deploy: amd64/wireguard.exe
scp $< $(DEPLOYMENT_HOST):$(DEPLOYMENT_PATH)
clean:
- rm -rf *.syso x86/ amd64/
+ rm -rf *.syso x86/ amd64/ .deps
.PHONY: deploy clean all
diff --git a/build.bat b/build.bat
index 12a43a67..250b90eb 100644
--- a/build.bat
+++ b/build.bat
@@ -15,14 +15,10 @@ if exist .deps\prepared goto :build
call :download mingw-x86.zip https://download.wireguard.com/windows-toolchain/distfiles/i686-w64-mingw32-native-20190425.zip 5810b4a9af34c12690ec355ad2a237d2a4c16f5e8cb68988dc0f2e48457534d0 || goto :error
rem Mirror of https://musl.cc/x86_64-w64-mingw32-native.zip
call :download mingw-amd64.zip https://download.wireguard.com/windows-toolchain/distfiles/x86_64-w64-mingw32-native-20190307.zip 5390762183e181804b28eb13815b6210f85a1280057b815f749b06768215f817 || goto :error
- echo [+] Extracting go.zip
- tar -xf go.zip || goto :error
- echo [+] Extracting mingw-x86.zip
- tar -xf mingw-x86.zip || goto :error
- echo [+] Extracting mingw-amd64.zip
- tar -xf mingw-amd64.zip || goto :error
- echo [+] Cleaning up
- del go.zip mingw-x86.zip mingw-amd64.zip || goto :error
+ rem Mirror of https://sourceforge.net/projects/gnuwin32/files/patch/2.5.9-7/patch-2.5.9-7-bin.zip with fixed manifest
+ call :download patch.zip https://download.wireguard.com/windows-toolchain/distfiles/patch-2.5.9-7-bin-fixed-manifest.zip 25977006ca9713f2662a5d0a2ed3a5a138225b8be3757035bd7da9dcf985d0a1 "--strip-components 1 bin" || goto :error
+ echo [+] Patching go
+ .\patch.exe -f -N -r- -d go -p1 --binary < ..\golang-security-attribute-process-creation.patch || goto :error
copy /y NUL prepared > NUL || goto :error
cd .. || goto :error
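Review bot: The `.\patch.exe` line names `golang-security-attribute-process-creation.patch` explicitly, while the Makefile in this commit applies every `golang-*.patch`. A patch added later would reach the toolchain on one build path and not the other, so a Windows build could ship without a hardening backport and report no error. Either list the patches explicitly in both places or loop here as well, e.g. `for %%f in (..\golang-*.patch) do .\patch.exe -f -N -r- -d go -p1 --binary < "%%f" || goto :error`. The `rem` line for the patch.zip mirror could also say what "fixed manifest" changes relative to the upstream archive, since the pinned hash only identifies the rebuilt file. The setup section this hunk belongs to starts before the hunk.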
@@ -60,6 +56,10 @@ if exist .deps\prepared goto :build
curl -#fLo %1 %2 || exit /b 1
echo [+] Verifying %1
for /f %%a in ('CertUtil -hashfile %1 SHA256 ^| findstr /r "^[0-9a-f]*$"') do if not "%%a"=="%~3" exit /b 1
+ echo [+] Extracting %1
+ tar -xf %1 %~4 || exit /b 1
+ echo [+] Cleaning up %1
+ del %1 || exit /b 1
goto :eof
:build_plat
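Review bot: The new `tar -xf %1 %~4` now runs directly after a hash check that appears to fail open. The `for /f` body on the verify line only executes when `findstr` emits a line, so if `CertUtil` errors out or prints the digest in a format the `^[0-9a-f]*$` pattern rejects, nothing is compared and the archive is still extracted. Now that extraction lives inside `:download`, verification should be made fail-closed. Clear a flag before the loop, set it only on a match with `if "%%a"=="%~3" set hash_ok=1`, and add `if not defined hash_ok exit /b 1` ahead of the `tar` line. The `:download` label and the start of the helper are outside this hunk.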
diff --git a/golang-security-attribute-process-creation.patch b/golang-security-attribute-process-creation.patch
new file mode 100644
index 00000000..8c14e3a4
--- /dev/null
+++ b/golang-security-attribute-process-creation.patch
@@ -0,0 +1,50 @@
+From 049c8dbfdbdd414359699c215f15764a7aa733b5 Mon Sep 17 00:00:00 2001
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+Date: Sat, 27 Apr 2019 11:45:11 +0200
+Subject: [PATCH] syscall: allow setting security attributes on processes
+
+This allows creating processes that can only be debugged/accessed by
+certain tokens, according to a particular security descriptor. We
+already had everything ready for this but just neglected to pass through
+the value from the user-accessible SysProcAttr.
+
+Change-Id: I4a3fcc9f5078aa0058b26c103355c984093ae03f
+Reviewed-on: https://go-review.googlesource.com/c/go/+/174197
+Run-TryBot: Jason Donenfeld <Jason@zx2c4.com>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
+---
+
+diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go
+index c78bad8..8d6141c 100644
+--- a/src/syscall/exec_windows.go
++++ b/src/syscall/exec_windows.go
+@@ -219,10 +219,12 @@
+ }
+
+ type SysProcAttr struct {
+- HideWindow bool
+- CmdLine string // used if non-empty, else the windows command line is built by escaping the arguments passed to StartProcess
+- CreationFlags uint32
+- Token Token // if set, runs new process in the security context represented by the token
++ HideWindow bool
++ CmdLine string // used if non-empty, else the windows command line is built by escaping the arguments passed to StartProcess
++ CreationFlags uint32
++ Token Token // if set, runs new process in the security context represented by the token
++ ProcessAttributes *SecurityAttributes // if set, applies these security attributes as the descriptor for the new process
++ ThreadAttributes *SecurityAttributes // if set, applies these security attributes as the descriptor for the main thread of the new process
+ }
+
+ var zeroProcAttr ProcAttr
+@@ -323,9 +325,9 @@
+
+ flags := sys.CreationFlags | CREATE_UNICODE_ENVIRONMENT
+ if sys.Token != 0 {
+- err = CreateProcessAsUser(sys.Token, argv0p, argvp, nil, nil, true, flags, createEnvBlock(attr.Env), dirp, si, pi)
++ err = CreateProcessAsUser(sys.Token, argv0p, argvp, sys.ProcessAttributes, sys.ThreadAttributes, true, flags, createEnvBlock(attr.Env), dirp, si, pi)
+ } else {
+- err = CreateProcess(argv0p, argvp, nil, nil, true, flags, createEnvBlock(attr.Env), dirp, si, pi)
++ err = CreateProcess(argv0p, argvp, sys.ProcessAttributes, sys.ThreadAttributes, true, flags, createEnvBlock(attr.Env), dirp, si, pi)
+ }
+ if err != nil {
+ return 0, 0, err
diff --git a/installer/build.bat b/installer/build.bat
index 6e53b66f..c7322857 100644
--- a/installer/build.bat
+++ b/installer/build.bat
@@ -18,13 +18,13 @@ if exist .deps\prepared goto :build
rmdir /s /q .deps 2> NUL
mkdir .deps || goto :error
cd .deps || goto :error
- call :download wix-binaries.zip http://wixtoolset.org/downloads/v3.14.0.2812/wix314-binaries.zip 923892298f37514622c58cbbd9c2cadf2822d9bb53df8ee83aaeb05280777611 || goto :error
call :download wintun-x86.msm https://www.wintun.net/builds/wintun-x86-0.1.msm 49b4f142c699d9d04c7506b85dc2ab614c4761643fbb44a68c81de2f6b6ceeb9 || goto :error
call :download wintun-amd64.msm https://www.wintun.net/builds/wintun-amd64-0.1.msm d8f2d162f2da067b2266a367e9bb0a5190e437ed596b69bfef92bf41d45cf305 || goto :error
+ call :download wix-binaries.zip http://wixtoolset.org/downloads/v3.14.0.2812/wix314-binaries.zip 923892298f37514622c58cbbd9c2cadf2822d9bb53df8ee83aaeb05280777611 || goto :error
echo [+] Extracting wix-binaries.zip
mkdir wix\bin || goto :error
tar -xf wix-binaries.zip -C wix\bin || goto :error
- echo [+] Cleaning up
+ echo [+] Cleaning up wix-binaries.zip
del wix-binaries.zip || goto :error
copy /y NUL prepared > NUL || goto :error
cd .. || goto :error
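Review bot: The relocated `call :download wix-binaries.zip` line still fetches over plain `http://`, so the SHA-256 pin is the only protection against a tampered archive in transit. While the line is being touched, it would be worth switching the URL to `https://` if the host serves the same file over TLS. Otherwise add a `rem` above it noting that integrity rests on the pinned hash alone. The `:download` helper for this file is outside the hunk, so whether its check is fail-closed cannot be confirmed from here.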