-rw-r--r--service/securityapi.go43
-rw-r--r--service/zsyscall_windows.go77
2 files changed, 56 insertions, 64 deletions
diff --git a/service/securityapi.go b/service/securityapi.go
index b0de8604..1124c497 100644
--- a/service/securityapi.go
+++ b/service/securityapi.go
@@ -102,16 +102,15 @@ type ACE_HEADER struct {
}
//sys getSecurityInfo(handle windows.Handle, objectType uint32, si uint32, owner *uintptr, group *uintptr, dacl *uintptr, sacl *uintptr, securityDescriptor *uintptr) (err error) [failretval!=0] = advapi32.GetSecurityInfo
-//sys getSecurityDescriptorLength(securityDescriptor uintptr) (len uint32) = advapi32.GetSecurityDescriptorLength
-//sys addAccessAllowedAce(acl uintptr, aceRevision uint32, accessmask uint32, sid *windows.SID) (err error) = advapi32.AddAccessAllowedAce
-//sys setSecurityDescriptorDacl(securityDescriptor uintptr, daclPresent bool, dacl uintptr, defaulted bool) (err error) = advapi32.SetSecurityDescriptorDacl
-//sys setSecurityDescriptorSacl(securityDescriptor uintptr, saclPresent bool, sacl uintptr, defaulted bool) (err error) = advapi32.SetSecurityDescriptorSacl
-//sys getAclInformation(acl uintptr, info unsafe.Pointer, len uint32, infoclass uint32) (err error) = advapi32.GetAclInformation
-//sys getAce(acl uintptr, index uint32, ace *uintptr) (err error) = advapi32.GetAce
-//sys addAce(acl uintptr, revision uint32, index uint32, ace uintptr, lenAce uint32) (err error) = advapi32.AddAce
-//sys initializeAcl(acl uintptr, len uint32, revision uint32) (err error) = advapi32.InitializeAcl
-//sys makeAbsoluteSd(selfRelativeSecurityDescriptor uintptr, absoluteSecurityDescriptor uintptr, absoluteSecurityDescriptorSize *uint32, dacl uintptr, daclSize *uint32, sacl uintptr, saclSize *uint32, owner uintptr, ownerSize *uint32, primaryGroup uintptr, primaryGroupSize *uint32) (err error) = advapi32.MakeAbsoluteSD
-//sys makeSelfRelativeSd(absoluteSecurityDescriptor uintptr, relativeSecurityDescriptor uintptr, relativeSecurityDescriptorSize *uint32) (err error) = advapi32.MakeSelfRelativeSD
+//sys addAccessAllowedAce(acl *byte, aceRevision uint32, accessmask uint32, sid *windows.SID) (err error) = advapi32.AddAccessAllowedAce
+//sys setSecurityDescriptorDacl(securityDescriptor *byte, daclPresent bool, dacl *byte, defaulted bool) (err error) = advapi32.SetSecurityDescriptorDacl
+//sys setSecurityDescriptorSacl(securityDescriptor *byte, saclPresent bool, sacl *byte, defaulted bool) (err error) = advapi32.SetSecurityDescriptorSacl
+//sys getAclInformation(acl *byte, info *ACL_SIZE_INFORMATION, len uint32, infoclass uint32) (err error) = advapi32.GetAclInformation
+//sys getAce(acl *byte, index uint32, ace **ACE_HEADER) (err error) = advapi32.GetAce
+//sys addAce(acl *byte, revision uint32, index uint32, ace *ACE_HEADER, lenAce uint32) (err error) = advapi32.AddAce
+//sys initializeAcl(acl *byte, len uint32, revision uint32) (err error) = advapi32.InitializeAcl
+//sys makeAbsoluteSd(selfRelativeSecurityDescriptor uintptr, absoluteSecurityDescriptor *byte, absoluteSecurityDescriptorSize *uint32, dacl *byte, daclSize *uint32, sacl *byte, saclSize *uint32, owner *byte, ownerSize *uint32, primaryGroup *byte, primaryGroupSize *uint32) (err error) = advapi32.MakeAbsoluteSD
+//sys makeSelfRelativeSd(absoluteSecurityDescriptor *byte, relativeSecurityDescriptor *byte, relativeSecurityDescriptorSize *uint32) (err error) = advapi32.MakeSelfRelativeSD
//sys createEnvironmentBlock(block *uintptr, token windows.Token, inheritExisting bool) (err error) = userenv.CreateEnvironmentBlock
//sys destroyEnvironmentBlock(block uintptr) (err error) = userenv.DestroyEnvironmentBlock
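Review bot: The rewritten //sys lines leave makeAbsoluteSd's first parameter as `uintptr` while every other buffer parameter becomes `*byte`, and nothing says why, so the mixed convention invites a future "cleanup" of the remaining uintptr. From the later hunk the self-relative descriptor is released with windows.LocalFree, so it appears to be OS-allocated memory rather than a Go slice; a one-line comment above the makeAbsoluteSd declaration would pin that down, e.g. `// selfRelativeSecurityDescriptor stays uintptr: it is OS-allocated (released with LocalFree); the *byte parameters are Go-allocated buffers the GC must see.` The same note could mention that `nil` is now the way to pass an absent component, replacing the old `0`.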
@@ -226,7 +225,7 @@ func getSecurityAttributes(mainToken windows.Token, tokenThatHasLogonSession win
ownerSize uint32
primaryGroupSize uint32
)
- err = makeAbsoluteSd(originalSecurityDescriptor, 0, &absoluteSecurityDescriptorSize, 0, &daclSize, 0, &saclSize, 0, &ownerSize, 0, &primaryGroupSize)
+ err = makeAbsoluteSd(originalSecurityDescriptor, nil, &absoluteSecurityDescriptorSize, nil, &daclSize, nil, &saclSize, nil, &ownerSize, nil, &primaryGroupSize)
if err != windows.ERROR_INSUFFICIENT_BUFFER {
windows.LocalFree(windows.Handle(originalSecurityDescriptor))
return nil, fmt.Errorf("Expected insufficient buffer from MakeAbsoluteSd, but got: %v", err)
@@ -236,7 +235,7 @@ func getSecurityAttributes(mainToken windows.Token, tokenThatHasLogonSession win
sacl := make([]byte, saclSize)
owner := make([]byte, ownerSize)
primaryGroup := make([]byte, primaryGroupSize)
- err = makeAbsoluteSd(originalSecurityDescriptor, uintptr(unsafe.Pointer(&absoluteSecurityDescriptor[0])), &absoluteSecurityDescriptorSize, uintptr(unsafe.Pointer(&dacl[0])), &daclSize, uintptr(unsafe.Pointer(&sacl[0])), &saclSize, uintptr(unsafe.Pointer(&owner[0])), &ownerSize, uintptr(unsafe.Pointer(&primaryGroup[0])), &primaryGroupSize)
+ err = makeAbsoluteSd(originalSecurityDescriptor, &absoluteSecurityDescriptor[0], &absoluteSecurityDescriptorSize, &dacl[0], &daclSize, &sacl[0], &saclSize, &owner[0], &ownerSize, &primaryGroup[0], &primaryGroupSize)
if err != nil {
windows.LocalFree(windows.Handle(originalSecurityDescriptor))
return nil, err
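Review bot: The rewritten makeAbsoluteSd call takes `&dacl[0]`, `&sacl[0]`, `&owner[0]` and `&primaryGroup[0]`, and each of those is an index-out-of-range panic when the size the first call reported is zero, which is what MakeAbsoluteSD returns for a component that is absent (a NULL DACL, or a descriptor fetched without SACL, owner or group information). The old uintptr form had the same weakness, but now that the wrappers accept `*byte` a nil can be passed for an absent optional component, and an absent DACL — which the rest of the function rewrites — deserves an explicit error instead of a crash. The enclosing function getSecurityAttributes begins and ends outside this hunk; the guard and a small helper would sit just before the second makeAbsoluteSd call:

```go
	primaryGroup := make([]byte, primaryGroupSize)
	if daclSize == 0 {
		// A missing (NULL) DACL means the object has no protection at all;
		// fail rather than rebuild an ACL from nothing.
		windows.LocalFree(windows.Handle(originalSecurityDescriptor))
		return nil, fmt.Errorf("security descriptor has no DACL")
	}
	err = makeAbsoluteSd(originalSecurityDescriptor, &absoluteSecurityDescriptor[0], &absoluteSecurityDescriptorSize, &dacl[0], &daclSize, firstByte(sacl), &saclSize, firstByte(owner), &ownerSize, firstByte(primaryGroup), &primaryGroupSize)
	// … unchanged: error check and LocalFree …

// firstByte returns a pointer to b's first element, or nil when b is empty,
// so an optional zero-sized component can be passed to the Win32 wrappers.
func firstByte(b []byte) *byte {
	if len(b) == 0 {
		return nil
	}
	return &b[0]
}
```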
@@ -244,48 +243,48 @@ func getSecurityAttributes(mainToken windows.Token, tokenThatHasLogonSession win
windows.LocalFree(windows.Handle(originalSecurityDescriptor))
var daclInfo ACL_SIZE_INFORMATION
- err = getAclInformation(uintptr(unsafe.Pointer(&dacl[0])), unsafe.Pointer(&daclInfo), uint32(unsafe.Sizeof(daclInfo)), AclSizeInformation)
+ err = getAclInformation(&dacl[0], &daclInfo, uint32(unsafe.Sizeof(daclInfo)), AclSizeInformation)
if err != nil {
return nil, err
}
newDacl := make([]byte, daclInfo.aclBytesInUse*2)
- err = initializeAcl(uintptr(unsafe.Pointer(&newDacl[0])), uint32(len(newDacl)), ACL_REVISION)
+ err = initializeAcl(&newDacl[0], uint32(len(newDacl)), ACL_REVISION)
if err != nil {
return nil, err
}
- var ace uintptr
+ var ace *ACE_HEADER
for i := uint32(0); i < daclInfo.aceCount; i++ {
- err = getAce(uintptr(unsafe.Pointer(&dacl[0])), i, &ace)
+ err = getAce(&dacl[0], i, &ace)
if err != nil {
return nil, err
}
- err = addAce(uintptr(unsafe.Pointer(&newDacl[0])), ACL_REVISION, ^uint32(0), ace, uint32(((*ACE_HEADER)(unsafe.Pointer(ace))).aceSize))
+ err = addAce(&newDacl[0], ACL_REVISION, ^uint32(0), ace, uint32(ace.aceSize))
if err != nil {
return nil, err
}
}
runtime.KeepAlive(dacl)
- err = addAccessAllowedAce(uintptr(unsafe.Pointer(&newDacl[0])), ACL_REVISION, PROCESS_QUERY_LIMITED_INFORMATION, logonSid)
+ err = addAccessAllowedAce(&newDacl[0], ACL_REVISION, PROCESS_QUERY_LIMITED_INFORMATION, logonSid)
if err != nil {
return nil, err
}
runtime.KeepAlive(gs)
- err = setSecurityDescriptorDacl(uintptr(unsafe.Pointer(&absoluteSecurityDescriptor[0])), true, uintptr(unsafe.Pointer(&newDacl[0])), false)
+ err = setSecurityDescriptorDacl(&absoluteSecurityDescriptor[0], true, &newDacl[0], false)
if err != nil {
return nil, err
}
//TODO: This should not be required!! But right now we can't give the process the high integrity SACL, which is unfortunate. So we unset it.
- err = setSecurityDescriptorSacl(uintptr(unsafe.Pointer(&absoluteSecurityDescriptor[0])), false, 0, true)
+ err = setSecurityDescriptorSacl(&absoluteSecurityDescriptor[0], false, nil, true)
if err != nil {
return nil, err
}
var selfRelativeSecurityDescriptorSize uint32
- err = makeSelfRelativeSd(uintptr(unsafe.Pointer(&absoluteSecurityDescriptor[0])), 0, &selfRelativeSecurityDescriptorSize)
+ err = makeSelfRelativeSd(&absoluteSecurityDescriptor[0], nil, &selfRelativeSecurityDescriptorSize)
if err != windows.ERROR_INSUFFICIENT_BUFFER {
return nil, fmt.Errorf("Expected insufficient buffer from MakeSelfRelativeSd, but got: %v", err)
}
relativeSecurityDescriptor := make([]byte, selfRelativeSecurityDescriptorSize)
- err = makeSelfRelativeSd(uintptr(unsafe.Pointer(&absoluteSecurityDescriptor[0])), uintptr(unsafe.Pointer(&relativeSecurityDescriptor[0])), &selfRelativeSecurityDescriptorSize)
+ err = makeSelfRelativeSd(&absoluteSecurityDescriptor[0], &relativeSecurityDescriptor[0], &selfRelativeSecurityDescriptorSize)
if err != nil {
return nil, err
}
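Review bot: `ace` now holds a `*ACE_HEADER` that getAce sets to point into `dacl`'s backing array, and `ace.aceSize` dereferences it before the ACE is copied into `newDacl`, but nothing in the loop says that this is a Go pointer into Go memory whose lifetime is tied to `dacl`; a comment on the `var ace *ACE_HEADER` line such as `// ace points into dacl's backing array; valid only while dacl is alive (see KeepAlive below).` would make the later `runtime.KeepAlive(dacl)` self-explanatory. The `^uint32(0)` index passed to addAce would likewise read better with `// MAXDWORD: append after the existing ACEs` on that line. The enclosing function getSecurityAttributes continues outside the hunk.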
diff --git a/service/zsyscall_windows.go b/service/zsyscall_windows.go
index fca55092..e8e035b7 100644
--- a/service/zsyscall_windows.go
+++ b/service/zsyscall_windows.go
@@ -42,24 +42,23 @@ var (
moduserenv = windows.NewLazySystemDLL("userenv.dll")
modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
- procWTSQueryUserToken = modwtsapi32.NewProc("WTSQueryUserToken")
- procWTSEnumerateSessionsW = modwtsapi32.NewProc("WTSEnumerateSessionsW")
- procWTSFreeMemory = modwtsapi32.NewProc("WTSFreeMemory")
- procGetSecurityInfo = modadvapi32.NewProc("GetSecurityInfo")
- procGetSecurityDescriptorLength = modadvapi32.NewProc("GetSecurityDescriptorLength")
- procAddAccessAllowedAce = modadvapi32.NewProc("AddAccessAllowedAce")
- procSetSecurityDescriptorDacl = modadvapi32.NewProc("SetSecurityDescriptorDacl")
- procSetSecurityDescriptorSacl = modadvapi32.NewProc("SetSecurityDescriptorSacl")
- procGetAclInformation = modadvapi32.NewProc("GetAclInformation")
- procGetAce = modadvapi32.NewProc("GetAce")
- procAddAce = modadvapi32.NewProc("AddAce")
- procInitializeAcl = modadvapi32.NewProc("InitializeAcl")
- procMakeAbsoluteSD = modadvapi32.NewProc("MakeAbsoluteSD")
- procMakeSelfRelativeSD = modadvapi32.NewProc("MakeSelfRelativeSD")
- procCreateEnvironmentBlock = moduserenv.NewProc("CreateEnvironmentBlock")
- procDestroyEnvironmentBlock = moduserenv.NewProc("DestroyEnvironmentBlock")
- procNotifyServiceStatusChangeW = modadvapi32.NewProc("NotifyServiceStatusChangeW")
- procSleepEx = modkernel32.NewProc("SleepEx")
+ procWTSQueryUserToken = modwtsapi32.NewProc("WTSQueryUserToken")
+ procWTSEnumerateSessionsW = modwtsapi32.NewProc("WTSEnumerateSessionsW")
+ procWTSFreeMemory = modwtsapi32.NewProc("WTSFreeMemory")
+ procGetSecurityInfo = modadvapi32.NewProc("GetSecurityInfo")
+ procAddAccessAllowedAce = modadvapi32.NewProc("AddAccessAllowedAce")
+ procSetSecurityDescriptorDacl = modadvapi32.NewProc("SetSecurityDescriptorDacl")
+ procSetSecurityDescriptorSacl = modadvapi32.NewProc("SetSecurityDescriptorSacl")
+ procGetAclInformation = modadvapi32.NewProc("GetAclInformation")
+ procGetAce = modadvapi32.NewProc("GetAce")
+ procAddAce = modadvapi32.NewProc("AddAce")
+ procInitializeAcl = modadvapi32.NewProc("InitializeAcl")
+ procMakeAbsoluteSD = modadvapi32.NewProc("MakeAbsoluteSD")
+ procMakeSelfRelativeSD = modadvapi32.NewProc("MakeSelfRelativeSD")
+ procCreateEnvironmentBlock = moduserenv.NewProc("CreateEnvironmentBlock")
+ procDestroyEnvironmentBlock = moduserenv.NewProc("DestroyEnvironmentBlock")
+ procNotifyServiceStatusChangeW = modadvapi32.NewProc("NotifyServiceStatusChangeW")
+ procSleepEx = modkernel32.NewProc("SleepEx")
)
func wtsQueryUserToken(session uint32, token *windows.Token) (err error) {
@@ -103,14 +102,8 @@ func getSecurityInfo(handle windows.Handle, objectType uint32, si uint32, owner
return
}
-func getSecurityDescriptorLength(securityDescriptor uintptr) (len uint32) {
- r0, _, _ := syscall.Syscall(procGetSecurityDescriptorLength.Addr(), 1, uintptr(securityDescriptor), 0, 0)
- len = uint32(r0)
- return
-}
-
-func addAccessAllowedAce(acl uintptr, aceRevision uint32, accessmask uint32, sid *windows.SID) (err error) {
- r1, _, e1 := syscall.Syscall6(procAddAccessAllowedAce.Addr(), 4, uintptr(acl), uintptr(aceRevision), uintptr(accessmask), uintptr(unsafe.Pointer(sid)), 0, 0)
+func addAccessAllowedAce(acl *byte, aceRevision uint32, accessmask uint32, sid *windows.SID) (err error) {
+ r1, _, e1 := syscall.Syscall6(procAddAccessAllowedAce.Addr(), 4, uintptr(unsafe.Pointer(acl)), uintptr(aceRevision), uintptr(accessmask), uintptr(unsafe.Pointer(sid)), 0, 0)
if r1 == 0 {
if e1 != 0 {
err = errnoErr(e1)
@@ -121,7 +114,7 @@ func addAccessAllowedAce(acl uintptr, aceRevision uint32, accessmask uint32, sid
return
}
-func setSecurityDescriptorDacl(securityDescriptor uintptr, daclPresent bool, dacl uintptr, defaulted bool) (err error) {
+func setSecurityDescriptorDacl(securityDescriptor *byte, daclPresent bool, dacl *byte, defaulted bool) (err error) {
var _p0 uint32
if daclPresent {
_p0 = 1
@@ -134,7 +127,7 @@ func setSecurityDescriptorDacl(securityDescriptor uintptr, daclPresent bool, dac
} else {
_p1 = 0
}
- r1, _, e1 := syscall.Syscall6(procSetSecurityDescriptorDacl.Addr(), 4, uintptr(securityDescriptor), uintptr(_p0), uintptr(dacl), uintptr(_p1), 0, 0)
+ r1, _, e1 := syscall.Syscall6(procSetSecurityDescriptorDacl.Addr(), 4, uintptr(unsafe.Pointer(securityDescriptor)), uintptr(_p0), uintptr(unsafe.Pointer(dacl)), uintptr(_p1), 0, 0)
if r1 == 0 {
if e1 != 0 {
err = errnoErr(e1)
@@ -145,7 +138,7 @@ func setSecurityDescriptorDacl(securityDescriptor uintptr, daclPresent bool, dac
return
}
-func setSecurityDescriptorSacl(securityDescriptor uintptr, saclPresent bool, sacl uintptr, defaulted bool) (err error) {
+func setSecurityDescriptorSacl(securityDescriptor *byte, saclPresent bool, sacl *byte, defaulted bool) (err error) {
var _p0 uint32
if saclPresent {
_p0 = 1
@@ -158,7 +151,7 @@ func setSecurityDescriptorSacl(securityDescriptor uintptr, saclPresent bool, sac
} else {
_p1 = 0
}
- r1, _, e1 := syscall.Syscall6(procSetSecurityDescriptorSacl.Addr(), 4, uintptr(securityDescriptor), uintptr(_p0), uintptr(sacl), uintptr(_p1), 0, 0)
+ r1, _, e1 := syscall.Syscall6(procSetSecurityDescriptorSacl.Addr(), 4, uintptr(unsafe.Pointer(securityDescriptor)), uintptr(_p0), uintptr(unsafe.Pointer(sacl)), uintptr(_p1), 0, 0)
if r1 == 0 {
if e1 != 0 {
err = errnoErr(e1)
@@ -169,8 +162,8 @@ func setSecurityDescriptorSacl(securityDescriptor uintptr, saclPresent bool, sac
return
}
-func getAclInformation(acl uintptr, info unsafe.Pointer, len uint32, infoclass uint32) (err error) {
- r1, _, e1 := syscall.Syscall6(procGetAclInformation.Addr(), 4, uintptr(acl), uintptr(info), uintptr(len), uintptr(infoclass), 0, 0)
+func getAclInformation(acl *byte, info *ACL_SIZE_INFORMATION, len uint32, infoclass uint32) (err error) {
+ r1, _, e1 := syscall.Syscall6(procGetAclInformation.Addr(), 4, uintptr(unsafe.Pointer(acl)), uintptr(unsafe.Pointer(info)), uintptr(len), uintptr(infoclass), 0, 0)
if r1 == 0 {
if e1 != 0 {
err = errnoErr(e1)
@@ -181,8 +174,8 @@ func getAclInformation(acl uintptr, info unsafe.Pointer, len uint32, infoclass u
return
}
-func getAce(acl uintptr, index uint32, ace *uintptr) (err error) {
- r1, _, e1 := syscall.Syscall(procGetAce.Addr(), 3, uintptr(acl), uintptr(index), uintptr(unsafe.Pointer(ace)))
+func getAce(acl *byte, index uint32, ace **ACE_HEADER) (err error) {
+ r1, _, e1 := syscall.Syscall(procGetAce.Addr(), 3, uintptr(unsafe.Pointer(acl)), uintptr(index), uintptr(unsafe.Pointer(ace)))
if r1 == 0 {
if e1 != 0 {
err = errnoErr(e1)
@@ -193,8 +186,8 @@ func getAce(acl uintptr, index uint32, ace *uintptr) (err error) {
return
}
-func addAce(acl uintptr, revision uint32, index uint32, ace uintptr, lenAce uint32) (err error) {
- r1, _, e1 := syscall.Syscall6(procAddAce.Addr(), 5, uintptr(acl), uintptr(revision), uintptr(index), uintptr(ace), uintptr(lenAce), 0)
+func addAce(acl *byte, revision uint32, index uint32, ace *ACE_HEADER, lenAce uint32) (err error) {
+ r1, _, e1 := syscall.Syscall6(procAddAce.Addr(), 5, uintptr(unsafe.Pointer(acl)), uintptr(revision), uintptr(index), uintptr(unsafe.Pointer(ace)), uintptr(lenAce), 0)
if r1 == 0 {
if e1 != 0 {
err = errnoErr(e1)
@@ -205,8 +198,8 @@ func addAce(acl uintptr, revision uint32, index uint32, ace uintptr, lenAce uint
return
}
-func initializeAcl(acl uintptr, len uint32, revision uint32) (err error) {
- r1, _, e1 := syscall.Syscall(procInitializeAcl.Addr(), 3, uintptr(acl), uintptr(len), uintptr(revision))
+func initializeAcl(acl *byte, len uint32, revision uint32) (err error) {
+ r1, _, e1 := syscall.Syscall(procInitializeAcl.Addr(), 3, uintptr(unsafe.Pointer(acl)), uintptr(len), uintptr(revision))
if r1 == 0 {
if e1 != 0 {
err = errnoErr(e1)
@@ -217,8 +210,8 @@ func initializeAcl(acl uintptr, len uint32, revision uint32) (err error) {
return
}
-func makeAbsoluteSd(selfRelativeSecurityDescriptor uintptr, absoluteSecurityDescriptor uintptr, absoluteSecurityDescriptorSize *uint32, dacl uintptr, daclSize *uint32, sacl uintptr, saclSize *uint32, owner uintptr, ownerSize *uint32, primaryGroup uintptr, primaryGroupSize *uint32) (err error) {
- r1, _, e1 := syscall.Syscall12(procMakeAbsoluteSD.Addr(), 11, uintptr(selfRelativeSecurityDescriptor), uintptr(absoluteSecurityDescriptor), uintptr(unsafe.Pointer(absoluteSecurityDescriptorSize)), uintptr(dacl), uintptr(unsafe.Pointer(daclSize)), uintptr(sacl), uintptr(unsafe.Pointer(saclSize)), uintptr(owner), uintptr(unsafe.Pointer(ownerSize)), uintptr(primaryGroup), uintptr(unsafe.Pointer(primaryGroupSize)), 0)
+func makeAbsoluteSd(selfRelativeSecurityDescriptor uintptr, absoluteSecurityDescriptor *byte, absoluteSecurityDescriptorSize *uint32, dacl *byte, daclSize *uint32, sacl *byte, saclSize *uint32, owner *byte, ownerSize *uint32, primaryGroup *byte, primaryGroupSize *uint32) (err error) {
+ r1, _, e1 := syscall.Syscall12(procMakeAbsoluteSD.Addr(), 11, uintptr(selfRelativeSecurityDescriptor), uintptr(unsafe.Pointer(absoluteSecurityDescriptor)), uintptr(unsafe.Pointer(absoluteSecurityDescriptorSize)), uintptr(unsafe.Pointer(dacl)), uintptr(unsafe.Pointer(daclSize)), uintptr(unsafe.Pointer(sacl)), uintptr(unsafe.Pointer(saclSize)), uintptr(unsafe.Pointer(owner)), uintptr(unsafe.Pointer(ownerSize)), uintptr(unsafe.Pointer(primaryGroup)), uintptr(unsafe.Pointer(primaryGroupSize)), 0)
if r1 == 0 {
if e1 != 0 {
err = errnoErr(e1)
@@ -229,8 +222,8 @@ func makeAbsoluteSd(selfRelativeSecurityDescriptor uintptr, absoluteSecurityDesc
return
}
-func makeSelfRelativeSd(absoluteSecurityDescriptor uintptr, relativeSecurityDescriptor uintptr, relativeSecurityDescriptorSize *uint32) (err error) {
- r1, _, e1 := syscall.Syscall(procMakeSelfRelativeSD.Addr(), 3, uintptr(absoluteSecurityDescriptor), uintptr(relativeSecurityDescriptor), uintptr(unsafe.Pointer(relativeSecurityDescriptorSize)))
+func makeSelfRelativeSd(absoluteSecurityDescriptor *byte, relativeSecurityDescriptor *byte, relativeSecurityDescriptorSize *uint32) (err error) {
+ r1, _, e1 := syscall.Syscall(procMakeSelfRelativeSD.Addr(), 3, uintptr(unsafe.Pointer(absoluteSecurityDescriptor)), uintptr(unsafe.Pointer(relativeSecurityDescriptor)), uintptr(unsafe.Pointer(relativeSecurityDescriptorSize)))
if r1 == 0 {
if e1 != 0 {
err = errnoErr(e1)