author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-06-04 15:56:15 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-06-07 11:31:53 +0200 |
commit | 19561a1dfd111b7b2dd941ac2ca0d46ee5ce16f6 (patch) | |
tree | 3cd352125f2f0370a84f553f9646f6ed2663dbef /services/tokens.go | |
parent | tunnel: don't fail on v6 family lookup unless using v6 (diff) | |
tunnel: retain SeLoadDriverPrivilege
This is a big loss. We'll need to revisit this.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to '')
-rw-r--r-- | services/tokens.go | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/services/tokens.go b/services/tokens.go
index ae89a185..bca75475 100644
--- a/services/tokens.go
+++ b/services/tokens.go
@@ -29,11 +29,18 @@ func TokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
 return isAdmin
 }
 
-func DropAllPrivileges() error {
+func DropAllPrivileges(retainDriverLoading bool) error {
 processHandle, err := windows.GetCurrentProcess()
 if err != nil {
 return err
 }
+ var luid windows.LUID
+ if retainDriverLoading {
+ err = windows.LookupPrivilegeValue(nil, windows.StringToUTF16Ptr("SeLoadDriverPrivilege"), &luid)
+ if err != nil {
+ return err
+ }
+ }
 var processToken windows.Token
 err = windows.OpenProcessToken(processHandle, windows.TOKEN_READ|windows.TOKEN_WRITE, &processToken)
 if err != nil {
@@ -57,7 +64,11 @@ func DropAllPrivileges() error {
 }
 tokenPrivileges := (*windows.Tokenprivileges)(unsafe.Pointer(&buffer[0]))
 for i := uint32(0); i < tokenPrivileges.PrivilegeCount; i++ {
- (*windows.LUIDAndAttributes)(unsafe.Pointer(uintptr(unsafe.Pointer(&tokenPrivileges.Privileges[0])) + unsafe.Sizeof(tokenPrivileges.Privileges[0])*uintptr(i))).Attributes = windows.SE_PRIVILEGE_REMOVED
+ item := (*windows.LUIDAndAttributes)(unsafe.Pointer(uintptr(unsafe.Pointer(&tokenPrivileges.Privileges[0])) + unsafe.Sizeof(tokenPrivileges.Privileges[0])*uintptr(i)))
+ if retainDriverLoading && item.Luid == luid {
+ continue
+ }
+ item.Attributes = windows.SE_PRIVILEGE_REMOVED
 }
 err = windows.AdjustTokenPrivileges(processToken, false, tokenPrivileges, 0, nil, nil)
 runtime.KeepAlive(buffer) |
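Review bot: The exported `DropAllPrivileges` has no doc comment, and with the new `retainDriverLoading` parameter in the first hunk its name no longer describes what it does. When the flag is true the token keeps SeLoadDriverPrivilege, which allows kernel drivers to be loaded for the rest of the process lifetime. A comment above the signature would make that trade-off visible at every call site, for example `// DropAllPrivileges removes every privilege from the current process token; if retainDriverLoading is true, SeLoadDriverPrivilege is kept, so pass true only where a driver must still be loaded.` The function body continues outside this hunk, so which callers pass true is not visible here.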
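Review bot: In the second hunk the loop gives no signal when `retainDriverLoading` is true but no entry matches `luid`, so the function can return success for a token that never held the privilege, and the failure would presumably surface only later at driver load. If callers rely on the privilege being present, track the match with `found = true` just before `continue` and, after the loop, return an error under `if retainDriverLoading && !found`. The skipped entry also keeps whatever `Attributes` value the token query returned, so the privilege stays in its current enabled or disabled state; a short comment such as `// keep SeLoadDriverPrivilege with its current attributes` would record that this is intended. The enclosing function starts and ends outside this hunk.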