From ceb00aa41003ff6d7f3e57fb67e49cb8ae81d33f Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Fri, 6 Dec 2019 14:17:57 +0100
Subject: firewall: add escape hatch for same-process admins

---
 tunnel/firewall/helpers.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/tunnel/firewall/helpers.go b/tunnel/firewall/helpers.go
index 0c9e8e3f..91c6617e 100644
--- a/tunnel/firewall/helpers.go
+++ b/tunnel/firewall/helpers.go
@@ -71,6 +71,8 @@ func wrapErr(err error) error {
 	return fmt.Errorf("Firewall error at %s:%d: %v", file, line, err)
 }
 
+var ExemptBuiltinAdministrators = false
+
 func getCurrentProcessSecurityDescriptor() (*windows.SECURITY_DESCRIPTOR, error) {
 	var processToken windows.Token
 	err := windows.OpenProcessToken(windows.CurrentProcess(), windows.TOKEN_QUERY, &processToken)
@@ -109,6 +111,21 @@ func getCurrentProcessSecurityDescriptor() (*windows.SECURITY_DESCRIPTOR, error)
 			TrusteeValue: windows.TrusteeValueFromSID(sid),
 		},
 	}}
+	if ExemptBuiltinAdministrators {
+		builtinAdmins, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
+		if err != nil {
+			return nil, err
+		}
+		access = append(access, windows.EXPLICIT_ACCESS{
+			AccessPermissions: cFWP_ACTRL_MATCH_FILTER,
+			AccessMode:        windows.GRANT_ACCESS,
+			Trustee: windows.TRUSTEE{
+				TrusteeForm:  windows.TRUSTEE_IS_SID,
+				TrusteeType:  windows.TRUSTEE_IS_GROUP,
+				TrusteeValue: windows.TrusteeValueFromSID(builtinAdmins),
+			},
+		})
+	}
 	dacl, err := windows.ACLFromEntries(access, nil)
 	if err != nil {
 		return nil, wrapErr(err)
-- 
cgit v1.2.3-59-g8ed1b
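Review bot: `ExemptBuiltinAdministrators` is an exported, mutable package-level flag introduced with no doc comment, so nothing tells a caller what it widens or when it must be set. It is read inside getCurrentProcessSecurityDescriptor when the DACL is assembled (second hunk), so toggling it after that descriptor has been built presumably has no effect on filters already installed; the callers are outside this hunk, so confirm. Suggest a comment above the declaration along the lines of `// ExemptBuiltinAdministrators, when true, also grants BUILTIN\Administrators the filter-match right on the descriptor built by getCurrentProcessSecurityDescriptor; set it before the firewall is enabled.`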
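Review bot: The new `return nil, err` after `windows.CreateWellKnownSid` drops the file/line context that the other error path in this function attaches via `wrapErr` (visible on the hunk's last line), so it should read `return nil, wrapErr(err)`. The `builtinAdmins, err :=` inside the `if` also declares a fresh `err` that shadows the function-level one from the earlier `OpenProcessToken` call; it is checked immediately so this is harmless, but shadow-detecting linters will flag it, and `var builtinAdmins *windows.SID` plus `=` avoids it. Separately, the trustee is the well-known Administrators group SID with `TrusteeType: windows.TRUSTEE_IS_GROUP`, so the grant reaches any process whose token carries that group, not only this process, which is broader than "same-process admins" in the subject line suggests and is worth stating in the flag's documentation. getCurrentProcessSecurityDescriptor starts before this hunk and its body continues after it.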