diff options
Diffstat (limited to '')
-rw-r--r-- | tunnel/firewall/helpers.go | 50 |
1 files changed, 46 insertions, 4 deletions
diff --git a/tunnel/firewall/helpers.go b/tunnel/firewall/helpers.go index e340b802..6bc71806 100644 --- a/tunnel/firewall/helpers.go +++ b/tunnel/firewall/helpers.go @@ -72,16 +72,58 @@ func wrapErr(err error) error { } func getCurrentProcessSecurityDescriptor() (*wtFwpByteBlob, error) { - procHandle, err := windows.GetCurrentProcess() + processToken, err := windows.OpenCurrentProcessToken() if err != nil { - panic(err) + return nil, wrapErr(err) + } + defer processToken.Close() + gs, err := processToken.GetTokenGroups() + if err != nil { + return nil, wrapErr(err) + } + var sid *windows.SID + groups := (*[(1 << 28) - 1]windows.SIDAndAttributes)(unsafe.Pointer(&gs.Groups[0]))[:gs.GroupCount] + for _, g := range groups { + if g.Attributes != windows.SE_GROUP_ENABLED|windows.SE_GROUP_ENABLED_BY_DEFAULT|windows.SE_GROUP_OWNER { + continue + } + if *(*byte)(unsafe.Pointer(g.Sid)) != 1 { // The revision. + continue + } + if *getSidIdentifierAuthority(g.Sid) != windows.SECURITY_NT_AUTHORITY { + continue + } + // We could be checking != 6, but hopefully Microsoft will update + // RtlCreateServiceSid to use SHA2, which will then likely bump + // this up. So instead just roll with a minimum. + if *getSidSubAuthorityCount(g.Sid) < 6 { + continue + } + if *getSidSubAuthority(g.Sid, 0) != 80 { + continue + } + + sid = g.Sid + break + } + if sid == nil { + return nil, wrapErr(windows.ERROR_NO_SUCH_GROUP) + } + + access := &wtExplicitAccess{ + accessPermissions: cFWP_ACTRL_MATCH_FILTER, + accessMode: cGRANT_ACCESS, + trustee: wtTrustee{ + trusteeForm: cTRUSTEE_IS_SID, + trusteeType: cTRUSTEE_IS_GROUP, + sid: sid, + }, } blob := &wtFwpByteBlob{} - err = getSecurityInfo(procHandle, cSE_KERNEL_OBJECT, cDACL_SECURITY_INFORMATION, nil, nil, nil, nil, (*uintptr)(unsafe.Pointer(&blob.data))) + err = buildSecurityDescriptor(nil, nil, 1, access, 0, nil, nil, &blob.size, &blob.data) if err != nil { return nil, wrapErr(err) } - blob.size = getSecurityDescriptorLength(uintptr(unsafe.Pointer(blob.data))) return blob, nil } |