From 5878d9a6b2251e5a0c464cb427a5eac7d1ada6e5 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Mon, 16 Sep 2019 23:36:49 -0600
Subject: global: use SECURITY_DESCRIPTOR apis from x/sys/windows
---
 conf/migration_windows.go | 27 +++++----------------------
 conf/zsyscall_windows.go | 27 ---------------------------
 2 files changed, 5 insertions(+), 49 deletions(-)
(limited to 'conf')
diff --git a/conf/migration_windows.go b/conf/migration_windows.go
index 4b7ffe30..d8d349f5 100644
--- a/conf/migration_windows.go
+++ b/conf/migration_windows.go
@@ -13,44 +13,27 @@ import (
 "golang.org/x/sys/windows"
 )
 
-//sys getFileSecurity(fileName *uint16, securityInformation uint32, securityDescriptor *byte, descriptorLen uint32, requestedLen *uint32) (err error) = advapi32.GetFileSecurityW
-//sys getSecurityDescriptorOwner(securityDescriptor *byte, sid **windows.SID, ownerDefaulted *bool) (err error) = advapi32.GetSecurityDescriptorOwner
-const ownerSecurityInformation = 0x00000001
-
 func maybeMigrate(c string) {
 vol := filepath.VolumeName(c)
 withoutVol := strings.TrimPrefix(c, vol)
 oldRoot := filepath.Join(vol, "\\windows.old")
 oldC := filepath.Join(oldRoot, withoutVol)
 
- var err error
- var sd []byte
- reqLen := uint32(128)
- for {
- sd = make([]byte, reqLen)
- //XXX: Since this takes a file path, it's technically a TOCTOU.
- err = getFileSecurity(windows.StringToUTF16Ptr(oldRoot), ownerSecurityInformation, &sd[0], uint32(len(sd)), &reqLen)
- if err != windows.ERROR_INSUFFICIENT_BUFFER {
- break
- }
- }
+ sd, err := windows.GetNamedSecurityInfo(oldRoot, windows.SE_FILE_OBJECT, windows.OWNER_SECURITY_INFORMATION)
 if err == windows.ERROR_PATH_NOT_FOUND || err == windows.ERROR_FILE_NOT_FOUND {
 return
 }
 if err != nil {
- log.Printf("Not migrating configuration from ‘%s’ due to GetFileSecurity error: %v", oldRoot, err)
+ log.Printf("Not migrating configuration from ‘%s’ due to GetNamedSecurityInfo error: %v", oldRoot, err)
 return
 }
- var defaulted bool
- var sid *windows.SID
- err = getSecurityDescriptorOwner(&sd[0], &sid, &defaulted)
+ owner, defaulted, err := sd.Owner()
 if err != nil {
 log.Printf("Not migrating configuration from ‘%s’ due to GetSecurityDescriptorOwner error: %v", oldRoot, err)
 return
 }
- if defaulted || !sid.IsWellKnown(windows.WinLocalSystemSid) {
- sidStr, _ := sid.String()
- log.Printf("Not migrating configuration from ‘%s’, as it is not explicitly owned by SYSTEM, but rather ‘%s’", oldRoot, sidStr)
+ if defaulted || !owner.IsWellKnown(windows.WinLocalSystemSid) {
+ log.Printf("Not migrating configuration from ‘%s’, as it is not explicitly owned by SYSTEM, but rather ‘%v’", oldRoot, owner)
 return
 }
 err = windows.MoveFileEx(windows.StringToUTF16Ptr(oldC), windows.StringToUTF16Ptr(c), windows.MOVEFILE_COPY_ALLOWED)
diff --git a/conf/zsyscall_windows.go b/conf/zsyscall_windows.go
index ec63bc3d..9dcf68fe 100644
--- a/conf/zsyscall_windows.go
+++ b/conf/zsyscall_windows.go
@@ -38,12 +38,9 @@ func errnoErr(e syscall.Errno) error {
 
 var (
 modwininet = windows.NewLazySystemDLL("wininet.dll")
- modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
 modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
 
 procInternetGetConnectedState = modwininet.NewProc("InternetGetConnectedState")
- procGetFileSecurityW = modadvapi32.NewProc("GetFileSecurityW")
- procGetSecurityDescriptorOwner = modadvapi32.NewProc("GetSecurityDescriptorOwner")
 procFindFirstChangeNotificationW = modkernel32.NewProc("FindFirstChangeNotificationW")
 procFindNextChangeNotification = modkernel32.NewProc("FindNextChangeNotification")
 )
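Review bot: The `//XXX: Since this takes a file path, it's technically a TOCTOU.` comment is dropped together with the old buffer loop, but the replacement `windows.GetNamedSecurityInfo(oldRoot, ...)` is still path-based, so the owner check on oldRoot and the later `MoveFileEx` on oldC still act on a path whose target can change between the two calls; keep the caveat next to the new call, e.g. `// NOTE: GetNamedSecurityInfo takes a path, so this owner check is still a TOCTOU against the MoveFileEx below.` The `%v` in the new "not explicitly owned by SYSTEM" message prints a readable SID only if `*windows.SID` satisfies fmt.Stringer in the pinned x/sys/windows; the removed `sidStr, _ := sid.String()` suggests String once returned `(string, error)`, in which case the log line would show a pointer instead, so this is worth confirming against the vendored version. maybeMigrate's body continues past the end of the hunk.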
@@ -54,30 +51,6 @@ func internetGetConnectedState(flags *uint32, reserved uint32) (connected bool)
 return
 }
 
-func getFileSecurity(fileName *uint16, securityInformation uint32, securityDescriptor *byte, descriptorLen uint32, requestedLen *uint32) (err error) {
- r1, _, e1 := syscall.Syscall6(procGetFileSecurityW.Addr(), 5, uintptr(unsafe.Pointer(fileName)), uintptr(securityInformation), uintptr(unsafe.Pointer(securityDescriptor)), uintptr(descriptorLen), uintptr(unsafe.Pointer(requestedLen)), 0)
- if r1 == 0 {
- if e1 != 0 {
- err = errnoErr(e1)
- } else {
- err = syscall.EINVAL
- }
- }
- return
- }
-
- func getSecurityDescriptorOwner(securityDescriptor *byte, sid **windows.SID, ownerDefaulted *bool) (err error) {
- r1, _, e1 := syscall.Syscall(procGetSecurityDescriptorOwner.Addr(), 3, uintptr(unsafe.Pointer(securityDescriptor)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(ownerDefaulted)))
- if r1 == 0 {
- if e1 != 0 {
- err = errnoErr(e1)
- } else {
- err = syscall.EINVAL
- }
- }
- return
- }
-
 func findFirstChangeNotification(path *uint16, watchSubtree bool, filter uint32) (handle windows.Handle, err error) {
 var _p0 uint32
 if watchSubtree {
-- cgit v1.2.3-59-g8ed1b