aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/service
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-11 22:13:31 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-11 22:15:02 +0200
commit8e5b2564c8c51ca4428a7244fb52483ffc7c4c25 (patch)
tree4a5bddef7103b4339778f4678b08795eb87c92b6 /service
parentui: allow editing existing tunnels without changing name (diff)
downloadwireguard-windows-8e5b2564c8c51ca4428a7244fb52483ffc7c4c25.tar.xz
wireguard-windows-8e5b2564c8c51ca4428a7244fb52483ffc7c4c25.zip
service: run UI at high integrity
Diffstat (limited to 'service')
-rw-r--r--service/securityapi.go16
-rw-r--r--service/service_manager.go5
-rw-r--r--service/zsyscall_windows.go13
3 files changed, 34 insertions, 0 deletions
diff --git a/service/securityapi.go b/service/securityapi.go
index bf90625f..cf2e597a 100644
--- a/service/securityapi.go
+++ b/service/securityapi.go
@@ -111,6 +111,7 @@ type ACE_HEADER struct {
//sys initializeAcl(acl *byte, len uint32, revision uint32) (err error) = advapi32.InitializeAcl
//sys makeAbsoluteSd(selfRelativeSecurityDescriptor uintptr, absoluteSecurityDescriptor *byte, absoluteSecurityDescriptorSize *uint32, dacl *byte, daclSize *uint32, sacl *byte, saclSize *uint32, owner *byte, ownerSize *uint32, primaryGroup *byte, primaryGroupSize *uint32) (err error) = advapi32.MakeAbsoluteSD
//sys makeSelfRelativeSd(absoluteSecurityDescriptor *byte, relativeSecurityDescriptor *byte, relativeSecurityDescriptorSize *uint32) (err error) = advapi32.MakeSelfRelativeSD
+//sys setTokenInformation(token windows.Token, infoClass uint32, info *byte, infoSize uint32) (err error) = advapi32.SetTokenInformation
//sys createEnvironmentBlock(block *uintptr, token windows.Token, inheritExisting bool) (err error) = userenv.CreateEnvironmentBlock
//sys destroyEnvironmentBlock(block uintptr) (err error) = userenv.DestroyEnvironmentBlock
@@ -296,3 +297,18 @@ func getSecurityAttributes(mainToken windows.Token, tokenThatHasLogonSession win
return relativeSecurityDescriptor, nil
}
+
+func addElevatedIntegrityToUserToken(elevatedToken, userToken windows.Token) error {
+ //TODO: We really don't want to be doing this. See the note above. We'd rather the UI process have very few permissions in its token, and do everything with its SACL. But we can't.
+ var integrityLevel [0x2000]byte
+ len := uint32(len(integrityLevel))
+ err := windows.GetTokenInformation(elevatedToken, windows.TokenIntegrityLevel, &integrityLevel[0], len, &len)
+ if err != nil {
+ return err
+ }
+ err = setTokenInformation(userToken, windows.TokenIntegrityLevel, &integrityLevel[0], len)
+ if err != nil {
+ return err
+ }
+ return nil
+}
diff --git a/service/service_manager.go b/service/service_manager.go
index 109eeb8c..c1416c49 100644
--- a/service/service_manager.go
+++ b/service/service_manager.go
@@ -132,6 +132,11 @@ func (service *managerService) Execute(args []string, r <-chan svc.ChangeRequest
log.Printf("Unable to extract security attributes from manager token and combine them with SID from user token: %v", err)
return
}
+ err = addElevatedIntegrityToUserToken(userTokenInfo.elevatedToken, userToken)
+ if err != nil {
+ log.Printf("Unable to copy integrity level from elevated token to user token")
+ return
+ }
first := true
for {
if stoppingManager {
diff --git a/service/zsyscall_windows.go b/service/zsyscall_windows.go
index 38983370..9819b1f2 100644
--- a/service/zsyscall_windows.go
+++ b/service/zsyscall_windows.go
@@ -55,6 +55,7 @@ var (
procInitializeAcl = modadvapi32.NewProc("InitializeAcl")
procMakeAbsoluteSD = modadvapi32.NewProc("MakeAbsoluteSD")
procMakeSelfRelativeSD = modadvapi32.NewProc("MakeSelfRelativeSD")
+ procSetTokenInformation = modadvapi32.NewProc("SetTokenInformation")
procCreateEnvironmentBlock = moduserenv.NewProc("CreateEnvironmentBlock")
procDestroyEnvironmentBlock = moduserenv.NewProc("DestroyEnvironmentBlock")
procNotifyServiceStatusChangeW = modadvapi32.NewProc("NotifyServiceStatusChangeW")
@@ -234,6 +235,18 @@ func makeSelfRelativeSd(absoluteSecurityDescriptor *byte, relativeSecurityDescri
return
}
+func setTokenInformation(token windows.Token, infoClass uint32, info *byte, infoSize uint32) (err error) {
+ r1, _, e1 := syscall.Syscall6(procSetTokenInformation.Addr(), 4, uintptr(token), uintptr(infoClass), uintptr(unsafe.Pointer(info)), uintptr(infoSize), 0, 0)
+ if r1 == 0 {
+ if e1 != 0 {
+ err = errnoErr(e1)
+ } else {
+ err = syscall.EINVAL
+ }
+ }
+ return
+}
+
func createEnvironmentBlock(block *uintptr, token windows.Token, inheritExisting bool) (err error) {
var _p0 uint32
if inheritExisting {