author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 17:25:36 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-03 17:25:36 +0200 |
commit | eb9782f0c0afa7c1b225e64ef13be4de746b6d27 (patch) | |
tree | af1d24ef43a9e04923567a681f5c64702827e33a /service | |
parent | firewall: wrap errors because there are lots of syscalls (diff) | |
firewall: pass blob of security descriptor instead of raw, and give dacl
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'service')
-rw-r--r-- | service/firewall/helpers.go | 10 | ||||
-rw-r--r-- | service/firewall/rules.go | 19 | ||||
-rw-r--r-- | service/firewall/syscall_windows.go | 3 | ||||
-rw-r--r-- | service/firewall/types_windows.go | 2 | ||||
-rw-r--r-- | service/firewall/zsyscall_windows.go | 29 |
5 files changed, 33 insertions, 30 deletions
diff --git a/service/firewall/helpers.go b/service/firewall/helpers.go
index 4aea0a19..5945d69a 100644
--- a/service/firewall/helpers.go
+++ b/service/firewall/helpers.go
@@ -7,19 +7,11 @@ package firewall
 
 import (
 "fmt"
+ "golang.org/x/sys/windows"
 "runtime"
 "syscall"
- "unsafe"
-
- "golang.org/x/sys/windows"
 )
 
-func (bb *wtFwpByteBlob) free() {
- if bb != nil {
- fwpmFreeMemory0(unsafe.Pointer(&bb))
- }
-}
-
 func (m wtFwpMatchType) String() string {
 switch m {
 case cFWP_MATCH_EQUAL:
diff --git a/service/firewall/rules.go b/service/firewall/rules.go
index bae78602..b36ed87f 100644
--- a/service/firewall/rules.go
+++ b/service/firewall/rules.go
@@ -109,19 +109,18 @@ func permitTunInterface(session uintptr, baseObjects *baseObjects, ifLuid uint64
 return nil
 }
 
-func getCurrentProcessSecurityDescriptor() (uintptr, error) {
+func getCurrentProcessSecurityDescriptor() (*wtFwpByteBlob, error) {
 procHandle, err := windows.GetCurrentProcess()
 if err != nil {
 panic(err)
 }
-
- sd := uintptr(0)
- err = getSecurityInfo(procHandle, cSE_KERNEL_OBJECT, 0, nil, nil, nil, nil, &sd)
+ blob := &wtFwpByteBlob{}
+ err = getSecurityInfo(procHandle, cSE_KERNEL_OBJECT, cDACL_SECURITY_INFORMATION, nil, nil, nil, nil, (*uintptr)(unsafe.Pointer(&blob.data)))
 if err != nil {
- return 0, wrapErr(err)
+ return nil, wrapErr(err)
 }
-
- return sd, nil
+ blob.size = getSecurityDescriptorLength(uintptr(unsafe.Pointer(blob.data)))
+ return blob, nil
 }
 
 func getCurrentProcessAppId() (*wtFwpByteBlob, error) {
@@ -153,7 +152,7 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error {
 if err != nil {
 return wrapErr(err)
 }
- defer appId.free()
+ defer fwpmFreeMemory0(unsafe.Pointer(&appId))
 
 conditions[0] = wtFwpmFilterCondition0{
 fieldKey: cFWPM_CONDITION_ALE_APP_ID,
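Review bot: The added import line places `"golang.org/x/sys/windows"` inside the standard-library group between `"fmt"` and `"runtime"`, whereas the removed lines kept it in its own blank-line-separated group after `"syscall"`, which is what goimports produces. Restoring that grouping, `"syscall"` then a blank line then `"golang.org/x/sys/windows"`, keeps the file stable under the formatter and avoids churn on the next goimports run. The rest of the hunk is a pure deletion of the `free` helper and raises nothing.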
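Review bot: `getCurrentProcessSecurityDescriptor` now returns the same `*wtFwpByteBlob` type as `getCurrentProcessAppId`, but the two blobs have different deallocators and nothing at the definition says so: this blob's `data` is filled in by `getSecurityInfo` and is released by the caller with `windows.LocalFree` (see the second rules.go hunk), while the app-ID blob is released with `fwpmFreeMemory0`. I would put a doc comment on the new signature: `// getCurrentProcessSecurityDescriptor returns the current process's security descriptor (DACL only, per cDACL_SECURITY_INFORMATION) as a blob; the caller must release blob.data with windows.LocalFree, never fwpmFreeMemory0.` A second line noting that `blob.size` is taken from `GetSecurityDescriptorLength` on the success path only would also help a reader who sees the blob used as a by-value condition later.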
@@ -172,14 +171,14 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects) error {
 if err != nil {
 return wrapErr(err)
 }
- defer windows.LocalFree(windows.Handle(sd))
+ defer windows.LocalFree(windows.Handle(unsafe.Pointer(sd.data)))
 
 conditions[1] = wtFwpmFilterCondition0{
 fieldKey: cFWPM_CONDITION_ALE_USER_ID,
 matchType: cFWP_MATCH_EQUAL,
 conditionValue: wtFwpConditionValue0{
 _type: cFWP_SECURITY_DESCRIPTOR_TYPE,
- value: sd,
+ value: uintptr(unsafe.Pointer(sd)),
 },
 }
 
diff --git a/service/firewall/syscall_windows.go b/service/firewall/syscall_windows.go
index 924c4b82..49c64951 100644
--- a/service/firewall/syscall_windows.go
+++ b/service/firewall/syscall_windows.go
@@ -37,3 +37,6 @@ package firewall
 
 // https://docs.microsoft.com/sv-se/windows/desktop/api/aclapi/nf-aclapi-getsecurityinfo
 //sys getSecurityInfo(handle windows.Handle, objectType wtObjectType, si uint32, sidOwner *windows.SID, sidGroup *windows.SID, dacl *uintptr, sacl *uintptr, securityDescriptor *uintptr) (err error) [failretval!=0] = advapi32.GetSecurityInfo
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-getsecuritydescriptorlength
+//sys getSecurityDescriptorLength(securityDescriptor uintptr) (len uint32) = advapi32.GetSecurityDescriptorLength
diff --git a/service/firewall/types_windows.go b/service/firewall/types_windows.go
index 1d28772d..ec933e10 100644
--- a/service/firewall/types_windows.go
+++ b/service/firewall/types_windows.go
@@ -400,6 +400,8 @@ type wtObjectType uint32
 
 const (
 cSE_KERNEL_OBJECT wtObjectType = 6
+
+ cDACL_SECURITY_INFORMATION = 4
 )
 
 type wtIfType uint32
diff --git a/service/firewall/zsyscall_windows.go b/service/firewall/zsyscall_windows.go
index badbacb5..cb461314 100644
--- a/service/firewall/zsyscall_windows.go
+++ b/service/firewall/zsyscall_windows.go
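Review bot: `value: uintptr(unsafe.Pointer(sd))` stores a Go heap pointer as a plain integer in `conditions[1]`, and that integer does not keep the `wtFwpByteBlob` behind `sd` alive; the deferred `windows.LocalFree` evaluates `sd.data` at `defer` time, so it holds the LocalAlloc'd buffer, not `sd` itself. If nothing else references `sd` after this assignment, the GC is free to collect the blob before the filter-add call that consumes `conditions` (which lies outside this hunk) reads it, and `go vet` would flag the conversion as possible misuse of `unsafe.Pointer`. Adding `runtime.KeepAlive(sd)` immediately after that call (importing `runtime` in rules.go if it is not already) pins the blob for the duration; the app-ID condition presumably has the same shape and would need the same treatment. The enclosing `permitWireGuardService` begins and ends outside the hunk.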
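Review bot: The new `//sys` line names its result `len`, which shadows the builtin `len` inside the generated wrapper (the zsyscall_windows.go hunk shows `len = uint32(r0)` assigning to it). It compiles, but a result named `length` or `n` avoids the shadowing and reads better: `//sys getSecurityDescriptorLength(securityDescriptor uintptr) (length uint32) = advapi32.GetSecurityDescriptorLength`, followed by regenerating zsyscall_windows.go.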
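Review bot: `cDACL_SECURITY_INFORMATION` is a SECURITY_INFORMATION flag, not an object type, yet it is added untyped inside the `const` block that defines `cSE_KERNEL_OBJECT wtObjectType`. Giving it its own block with a one-line comment, `// SECURITY_INFORMATION flags passed as the si argument of getSecurityInfo` and `cDACL_SECURITY_INFORMATION uint32 = 4`, keeps the object-type block single-purpose and matches the `si uint32` parameter declared in syscall_windows.go.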
@@ -40,17 +40,18 @@ var (
 modfwpuclnt = windows.NewLazySystemDLL("fwpuclnt.dll")
 modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
 
- procFwpmEngineOpen0 = modfwpuclnt.NewProc("FwpmEngineOpen0")
- procFwpmEngineClose0 = modfwpuclnt.NewProc("FwpmEngineClose0")
- procFwpmSubLayerAdd0 = modfwpuclnt.NewProc("FwpmSubLayerAdd0")
- procFwpmGetAppIdFromFileName0 = modfwpuclnt.NewProc("FwpmGetAppIdFromFileName0")
- procFwpmFreeMemory0 = modfwpuclnt.NewProc("FwpmFreeMemory0")
- procFwpmFilterAdd0 = modfwpuclnt.NewProc("FwpmFilterAdd0")
- procFwpmTransactionBegin0 = modfwpuclnt.NewProc("FwpmTransactionBegin0")
- procFwpmTransactionCommit0 = modfwpuclnt.NewProc("FwpmTransactionCommit0")
- procFwpmTransactionAbort0 = modfwpuclnt.NewProc("FwpmTransactionAbort0")
- procFwpmProviderAdd0 = modfwpuclnt.NewProc("FwpmProviderAdd0")
- procGetSecurityInfo = modadvapi32.NewProc("GetSecurityInfo")
+ procFwpmEngineOpen0 = modfwpuclnt.NewProc("FwpmEngineOpen0")
+ procFwpmEngineClose0 = modfwpuclnt.NewProc("FwpmEngineClose0")
+ procFwpmSubLayerAdd0 = modfwpuclnt.NewProc("FwpmSubLayerAdd0")
+ procFwpmGetAppIdFromFileName0 = modfwpuclnt.NewProc("FwpmGetAppIdFromFileName0")
+ procFwpmFreeMemory0 = modfwpuclnt.NewProc("FwpmFreeMemory0")
+ procFwpmFilterAdd0 = modfwpuclnt.NewProc("FwpmFilterAdd0")
+ procFwpmTransactionBegin0 = modfwpuclnt.NewProc("FwpmTransactionBegin0")
+ procFwpmTransactionCommit0 = modfwpuclnt.NewProc("FwpmTransactionCommit0")
+ procFwpmTransactionAbort0 = modfwpuclnt.NewProc("FwpmTransactionAbort0")
+ procFwpmProviderAdd0 = modfwpuclnt.NewProc("FwpmProviderAdd0")
+ procGetSecurityInfo = modadvapi32.NewProc("GetSecurityInfo")
+ procGetSecurityDescriptorLength = modadvapi32.NewProc("GetSecurityDescriptorLength")
 )
 
 func fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *wtSecWinntAuthIdentityW, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) {
@@ -177,3 +178,9 @@ func getSecurityInfo(handle windows.Handle, objectType wtObjectType, si uint32,
 }
 return
 }
+
+func getSecurityDescriptorLength(securityDescriptor uintptr) (len uint32) {
+ r0, _, _ := syscall.Syscall(procGetSecurityDescriptorLength.Addr(), 1, uintptr(securityDescriptor), 0, 0)
+ len = uint32(r0)
+ return
+}
|