From 12152f40756a2853badd19dec220170024553386 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Sun, 28 Apr 2019 08:27:19 +0200 Subject: build: backport security attributes helper from 1.13 --- golang-security-attribute-process-creation.patch | 50 ++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 golang-security-attribute-process-creation.patch (limited to 'golang-security-attribute-process-creation.patch') diff --git a/golang-security-attribute-process-creation.patch b/golang-security-attribute-process-creation.patch new file mode 100644 index 00000000..8c14e3a4 --- /dev/null +++ b/golang-security-attribute-process-creation.patch 
@@ -0,0 +1,50 @@ +From 049c8dbfdbdd414359699c215f15764a7aa733b5 Mon Sep 17 00:00:00 2001 +From: Jason A. Donenfeld +Date: Sat, 27 Apr 2019 11:45:11 +0200 +Subject: [PATCH] syscall: allow setting security attributes on processes + +This allows creating processes that can only be debugged/accessed by +certain tokens, according to a particular security descriptor. We +already had everything ready for this but just neglected to pass through +the value from the user-accessible SysProcAttr. + +Change-Id: I4a3fcc9f5078aa0058b26c103355c984093ae03f +Reviewed-on: https://go-review.googlesource.com/c/go/+/174197 +Run-TryBot: Jason Donenfeld +TryBot-Result: Gobot Gobot +Reviewed-by: Alex Brainman +--- + +diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go +index c78bad8..8d6141c 100644 +--- a/src/syscall/exec_windows.go ++++ b/src/syscall/exec_windows.go +@@ -219,10 +219,12 @@ + } + + type SysProcAttr struct { +- HideWindow bool +- CmdLine string // used if non-empty, else the windows command line is built by escaping the arguments passed to StartProcess +- CreationFlags uint32 +- Token Token // if set, runs new process in the security context represented by the token ++ HideWindow bool ++ CmdLine string // used if non-empty, else the windows command line is built by escaping the arguments passed to StartProcess ++ CreationFlags uint32 ++ Token Token // if set, runs new process in the security context represented by the token ++ ProcessAttributes *SecurityAttributes // if set, applies these security attributes as the descriptor for the new process ++ ThreadAttributes *SecurityAttributes // if set, applies these security attributes as the descriptor for the main thread of the new process + } + + var zeroProcAttr ProcAttr +@@ -323,9 +325,9 @@ + + flags := sys.CreationFlags | CREATE_UNICODE_ENVIRONMENT + if sys.Token != 0 { +- err = CreateProcessAsUser(sys.Token, argv0p, argvp, nil, nil, true, flags, createEnvBlock(attr.Env), dirp, si, pi) ++ err = 
CreateProcessAsUser(sys.Token, argv0p, argvp, sys.ProcessAttributes, sys.ThreadAttributes, true, flags, createEnvBlock(attr.Env), dirp, si, pi) + } else { +- err = CreateProcess(argv0p, argvp, nil, nil, true, flags, createEnvBlock(attr.Env), dirp, si, pi) ++ err = CreateProcess(argv0p, argvp, sys.ProcessAttributes, sys.ThreadAttributes, true, flags, createEnvBlock(attr.Env), dirp, si, pi) + } + if err != nil { + return 0, 0, err -- cgit v1.2.3-59-g8ed1b
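Review bot: The field comments on the two new SysProcAttr members describe only the security descriptor, but a SecurityAttributes value also carries InheritHandle, which on CreateProcess/CreateProcessAsUser decides whether the returned process and thread handles are inheritable by child processes; a caller who sets ProcessAttributes purely to tighten access to the new process may not expect that side effect. Suggest widening the comment to `// if set, applies these security attributes as the descriptor for the new process; its InheritHandle also governs whether the returned process handle is inheritable` and the same wording for ThreadAttributes and its thread handle. Since the struct is now passed straight through with no validation (previously nil was passed at both call sites), it would also be worth saying that the caller is expected to populate Length as the Windows API documents, though whether the call fails without it is not something this hunk shows. StartProcess, which contains the second inner hunk, starts and ends outside the hunk.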