authorJason A. Donenfeld <Jason@zx2c4.com>2019-12-06 14:17:57 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2019-12-11 12:06:25 +0100
commit1a6777aaf882381aabcbf5851fa7d38621223bb6 (patch)
tree68bb9bde3f8b3c531022a9871a0149c7f145048b /tunnel
parentelevate: add service impersonation (diff)
firewall: add escape hatch for same-process admins
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'tunnel')
-rw-r--r--tunnel/firewall/helpers.go17
1 files changed, 17 insertions, 0 deletions
diff --git a/tunnel/firewall/helpers.go b/tunnel/firewall/helpers.go
index 0c9e8e3f..91c6617e 100644
--- a/tunnel/firewall/helpers.go
+++ b/tunnel/firewall/helpers.go
@@ -71,6 +71,8 @@ func wrapErr(err error) error {
return fmt.Errorf("Firewall error at %s:%d: %v", file, line, err)
}
+var ExemptBuiltinAdministrators = false
+
func getCurrentProcessSecurityDescriptor() (*windows.SECURITY_DESCRIPTOR, error) {
var processToken windows.Token
err := windows.OpenProcessToken(windows.CurrentProcess(), windows.TOKEN_QUERY, &processToken)
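Review bot: The new exported variable `ExemptBuiltinAdministrators` has no doc comment, and since it is read when getCurrentProcessSecurityDescriptor builds the DACL, nothing tells a caller it has to be set before the firewall is initialized; nothing in the hunk synchronizes reads of the flag either, so it should be set once at startup rather than toggled later. Suggested comment above the declaration: `// ExemptBuiltinAdministrators, when set before the firewall is initialized, additionally lets members of BUILTIN\Administrators match this process's WFP filters. Off by default; set once at startup.` getCurrentProcessSecurityDescriptor's body continues outside the hunk.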
@@ -109,6 +111,21 @@ func getCurrentProcessSecurityDescriptor() (*windows.SECURITY_DESCRIPTOR, error)
TrusteeValue: windows.TrusteeValueFromSID(sid),
},
}}
+ if ExemptBuiltinAdministrators {
+ builtinAdmins, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
+ if err != nil {
+ return nil, err
+ }
+ access = append(access, windows.EXPLICIT_ACCESS{
+ AccessPermissions: cFWP_ACTRL_MATCH_FILTER,
+ AccessMode: windows.GRANT_ACCESS,
+ Trustee: windows.TRUSTEE{
+ TrusteeForm: windows.TRUSTEE_IS_SID,
+ TrusteeType: windows.TRUSTEE_IS_GROUP,
+ TrusteeValue: windows.TrusteeValueFromSID(builtinAdmins),
+ },
+ })
+ }
dacl, err := windows.ACLFromEntries(access, nil)
if err != nil {
return nil, wrapErr(err)
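Review bot: The error from windows.CreateWellKnownSid in the new block is returned bare as `return nil, err`, while the rest of getCurrentProcessSecurityDescriptor wraps failures with `wrapErr(err)` (see the ACLFromEntries check right below it); changing it to `return nil, wrapErr(err)` keeps the file:line context consistent for every failure in this function. The added entry also widens the DACL from the single SID already in `access` (obtained outside this hunk) to every member of BUILTIN\Administrators, which is the intended escape hatch but deserves a why-comment at the `if ExemptBuiltinAdministrators` line, e.g. `// Optionally let any local administrator match our filters (off by default).` The function starts before this hunk and continues after it.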