diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 17:25:36 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 17:25:36 +0200 |
commit | de808bae6a0f80addc05b590f0d4cc66639ff42d (patch) | |
tree | af1d24ef43a9e04923567a681f5c64702827e33a /service/firewall/rules.go | |
parent | firewall: wrap errors because there are lots of syscalls (diff) | |
download | wireguard-windows-de808bae6a0f80addc05b590f0d4cc66639ff42d.tar.xz wireguard-windows-de808bae6a0f80addc05b590f0d4cc66639ff42d.zip |
firewall: pass blob of security descriptor instead of raw, and give dacl
Diffstat (limited to '')
-rw-r--r-- | service/firewall/rules.go | 19 |
1 files changed, 9 insertions, 10 deletions
diff --git a/service/firewall/rules.go b/service/firewall/rules.go index bae78602..b36ed87f 100644 --- a/service/firewall/rules.go +++ b/service/firewall/rules.go @@ -109,19 +109,18 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64 return nil } -func getCurrentProcessSecurityDescriptor() (uintptr, error) { +func getCurrentProcessSecurityDescriptor() (*wtFwpByteBlob, error) { procHandle, err := windows.GetCurrentProcess() if err != nil { panic(err) } - - sd := uintptr(0) - err = getSecurityInfo(procHandle, cSE_KERNEL_OBJECT, 0, nil, nil, nil, nil, &sd) + blob := &wtFwpByteBlob{} + err = getSecurityInfo(procHandle, cSE_KERNEL_OBJECT, cDACL_SECURITY_INFORMATION, nil, nil, nil, nil, (*uintptr)(unsafe.Pointer(&blob.data))) if err != nil { - return 0, wrapErr(err) + return nil, wrapErr(err) } - - return sd, nil + blob.size = getSecurityDescriptorLength(uintptr(unsafe.Pointer(blob.data))) + return blob, nil } func getCurrentProcessAppId() (*wtFwpByteBlob, error) { @@ -153,7 +152,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { if err != nil { return wrapErr(err) } - defer appId.free() + defer fwpmFreeMemory0(unsafe.Pointer(&appId)) conditions[0] = wtFwpmFilterCondition0{ fieldKey: cFWPM_CONDITION_ALE_APP_ID, @@ -172,14 +171,14 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error { if err != nil { return wrapErr(err) } - defer windows.LocalFree(windows.Handle(sd)) + defer windows.LocalFree(windows.Handle(unsafe.Pointer(sd.data))) conditions[1] = wtFwpmFilterCondition0{ fieldKey: cFWPM_CONDITION_ALE_USER_ID, matchType: cFWP_MATCH_EQUAL, conditionValue: wtFwpConditionValue0{ _type: cFWP_SECURITY_DESCRIPTOR_TYPE, - value: sd, + value: uintptr(unsafe.Pointer(sd)), }, } |