global: use SECURITY_DESCRIPTOR apis from x/sys/windows

author: Jason A. Donenfeld <Jason@zx2c4.com> 2019-09-16 23:36:49 -0600
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2019-09-23 15:29:18 +0200
commit: 5878d9a6b2251e5a0c464cb427a5eac7d1ada6e5 (patch)
tree: 1f123998f801c375674326ba7946da568be32df0 /tunnel/firewall
parent: updater: use correct length for security attributes (diff)
download: wireguard-windows-5878d9a6b2251e5a0c464cb427a5eac7d1ada6e5.tar.xz
wireguard-windows-5878d9a6b2251e5a0c464cb427a5eac7d1ada6e5.zip
5 files changed, 25 insertions, 71 deletions
diff --git a/tunnel/firewall/helpers.go b/tunnel/firewall/helpers.go
index abb2684c..04e5c664 100644
--- a/tunnel/firewall/helpers.go
+++ b/tunnel/firewall/helpers.go
@@ -71,8 +71,9 @@ func wrapErr(err error) error {
 	return fmt.Errorf("Firewall error at %s:%d: %v", file, line, err)
 }
 
-func getCurrentProcessSecurityDescriptor() (*wtFwpByteBlob, error) {
-	processToken, err := windows.OpenCurrentProcessToken()
+func getCurrentProcessSecurityDescriptor() (*windows.SECURITY_DESCRIPTOR, error) {
+	var processToken windows.Token
+	err := windows.OpenProcessToken(windows.GetCurrentProcess(), windows.TOKEN_QUERY, &processToken)
 	if err != nil {
 		return nil, wrapErr(err)
 	}
@@ -99,21 +100,32 @@ func getCurrentProcessSecurityDescriptor() (*wtFwpByteBlob, error) {
 		return nil, wrapErr(windows.ERROR_NO_SUCH_GROUP)
 	}
 
-	access := &wtExplicitAccess{
-		accessPermissions: cFWP_ACTRL_MATCH_FILTER,
-		accessMode:        cGRANT_ACCESS,
-		trustee: wtTrustee{
-			trusteeForm: cTRUSTEE_IS_SID,
-			trusteeType: cTRUSTEE_IS_GROUP,
-			sid:         sid,
+	access := []windows.EXPLICIT_ACCESS{{
+		AccessPermissions: cFWP_ACTRL_MATCH_FILTER,
+		AccessMode:        windows.GRANT_ACCESS,
+		Trustee: windows.TRUSTEE{
+			TrusteeForm:  windows.TRUSTEE_IS_SID,
+			TrusteeType:  windows.TRUSTEE_IS_GROUP,
+			TrusteeValue: windows.TrusteeValueFromSID(sid),
 		},
+	}}
+	dacl, err := windows.ACLFromEntries(access, nil)
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+	sd, err := windows.NewSecurityDescriptor()
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+	err = sd.SetDACL(dacl, true, false)
+	if err != nil {
+		return nil, wrapErr(err)
 	}
-	blob := &wtFwpByteBlob{}
-	err = buildSecurityDescriptor(nil, nil, 1, access, 0, nil, nil, &blob.size, &blob.data)
+	sd, err = sd.ToSelfRelative()
 	if err != nil {
 		return nil, wrapErr(err)
 	}
-	return blob, nil
+	return sd, nil
 }
 
 func getCurrentProcessAppID() (*wtFwpByteBlob, error) {
diff --git a/tunnel/firewall/rules.go b/tunnel/firewall/rules.go
index 0ef64692..7bca508b 100644
--- a/tunnel/firewall/rules.go
+++ b/tunnel/firewall/rules.go
@@ -154,14 +154,13 @@ func permitWireGuardService(session uintptr, baseObjects *baseObjects, weight ui
 	if err != nil {
 		return wrapErr(err)
 	}
-	defer windows.LocalFree(windows.Handle(unsafe.Pointer(sd.data)))
 
 	conditions[1] = wtFwpmFilterCondition0{
 		fieldKey:  cFWPM_CONDITION_ALE_USER_ID,
 		matchType: cFWP_MATCH_EQUAL,
 		conditionValue: wtFwpConditionValue0{
 			_type: cFWP_SECURITY_DESCRIPTOR_TYPE,
-			value: uintptr(unsafe.Pointer(sd)),
+			value: uintptr(unsafe.Pointer(&wtFwpByteBlob{sd.Length(), (*byte)(unsafe.Pointer(sd))})),
 		},
 	}
 
diff --git a/tunnel/firewall/syscall_windows.go b/tunnel/firewall/syscall_windows.go
index ac705b41..1d2696a1 100644
--- a/tunnel/firewall/syscall_windows.go
+++ b/tunnel/firewall/syscall_windows.go
@@ -34,6 +34,3 @@ package firewall
 
 // https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmprovideradd0
 //sys	fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmProviderAdd0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/aclapi/nf-aclapi-buildsecuritydescriptorw
-//sys	buildSecurityDescriptor(owner *wtTrustee, group *wtTrustee, countAccessEntries uint32, accessEntries *wtExplicitAccess, countAuditEntries uint32, auditEntries *wtExplicitAccess, oldSd **byte, sizeNewSd *uint32, newSd **byte) (ret error) = advapi32.BuildSecurityDescriptorW
diff --git a/tunnel/firewall/types_windows.go b/tunnel/firewall/types_windows.go
index fd313993..d61c6480 100644
--- a/tunnel/firewall/types_windows.go
+++ b/tunnel/firewall/types_windows.go
@@ -405,50 +405,6 @@ const (
 	cIPPROTO_UDP    wtIPProto = 17
 )
 
-type wtExplicitAccess struct {
-	accessPermissions uint32
-	accessMode        uint32
-	inheritance       uint32
-	trustee           wtTrustee
-}
-
-type wtTrustee struct {
-	multipleTrustee          *wtTrustee
-	multipleTrusteeOperation uint32
-	trusteeForm              uint32
-	trusteeType              uint32
-	sid                      *windows.SID
-}
-
-const (
-	cTRUSTEE_IS_UNKNOWN = iota
-	cTRUSTEE_IS_USER
-	cTRUSTEE_IS_GROUP
-	cTRUSTEE_IS_DOMAIN
-	cTRUSTEE_IS_ALIAS
-	cTRUSTEE_IS_WELL_KNOWN_GROUP
-	cTRUSTEE_IS_DELETED
-	cTRUSTEE_IS_INVALID
-	cTRUSTEE_IS_COMPUTER
-)
-const (
-	cTRUSTEE_IS_SID = iota
-	cTRUSTEE_IS_NAME
-	cTRUSTEE_BAD_FORM
-	cTRUSTEE_IS_OBJECTS_AND_SID
-	cTRUSTEE_IS_OBJECTS_AND_NAME
-)
-
-const (
-	cNOT_USED_ACCESS = iota
-	cGRANT_ACCESS
-	cSET_ACCESS
-	cDENY_ACCESS
-	cREVOKE_ACCESS
-	cSET_AUDIT_SUCCESS
-	cSET_AUDIT_FAILURE
-)
-
 const (
 	cFWP_ACTRL_MATCH_FILTER = 1
 )
diff --git a/tunnel/firewall/zsyscall_windows.go b/tunnel/firewall/zsyscall_windows.go
index 8e83d6e3..846d4ae8 100644
--- a/tunnel/firewall/zsyscall_windows.go
+++ b/tunnel/firewall/zsyscall_windows.go
@@ -38,7 +38,6 @@ func errnoErr(e syscall.Errno) error {
 
 var (
 	modfwpuclnt = windows.NewLazySystemDLL("fwpuclnt.dll")
-	modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
 
 	procFwpmEngineOpen0           = modfwpuclnt.NewProc("FwpmEngineOpen0")
 	procFwpmEngineClose0          = modfwpuclnt.NewProc("FwpmEngineClose0")
@@ -50,7 +49,6 @@ var (
 	procFwpmTransactionCommit0    = modfwpuclnt.NewProc("FwpmTransactionCommit0")
 	procFwpmTransactionAbort0     = modfwpuclnt.NewProc("FwpmTransactionAbort0")
 	procFwpmProviderAdd0          = modfwpuclnt.NewProc("FwpmProviderAdd0")
-	procBuildSecurityDescriptorW  = modadvapi32.NewProc("BuildSecurityDescriptorW")
 )
 
 func fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *uintptr, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) {
@@ -165,11 +163,3 @@ func fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintpt
 	}
 	return
 }
-
-func buildSecurityDescriptor(owner *wtTrustee, group *wtTrustee, countAccessEntries uint32, accessEntries *wtExplicitAccess, countAuditEntries uint32, auditEntries *wtExplicitAccess, oldSd **byte, sizeNewSd *uint32, newSd **byte) (ret error) {
-	r0, _, _ := syscall.Syscall9(procBuildSecurityDescriptorW.Addr(), 9, uintptr(unsafe.Pointer(owner)), uintptr(unsafe.Pointer(group)), uintptr(countAccessEntries), uintptr(unsafe.Pointer(accessEntries)), uintptr(countAuditEntries), uintptr(unsafe.Pointer(auditEntries)), uintptr(unsafe.Pointer(oldSd)), uintptr(unsafe.Pointer(sizeNewSd)), uintptr(unsafe.Pointer(newSd)))
-	if r0 != 0 {
-		ret = syscall.Errno(r0)
-	}
-	return
-}
author	Jason A. Donenfeld <Jason@zx2c4.com>	2019-09-16 23:36:49 -0600
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2019-09-23 15:29:18 +0200
commit	5878d9a6b2251e5a0c464cb427a5eac7d1ada6e5 (patch)
tree	1f123998f801c375674326ba7946da568be32df0 /tunnel/firewall
parent	updater: use correct length for security attributes (diff)
download	wireguard-windows-5878d9a6b2251e5a0c464cb427a5eac7d1ada6e5.tar.xz wireguard-windows-5878d9a6b2251e5a0c464cb427a5eac7d1ada6e5.zip