Windows: Apply strict security descriptor on pipe server
authorOdd Stranne <odd@mullvad.net>
Wed, 6 Mar 2019 13:58:25 +0000 (14:58 +0100)
committerSimon Rozman <simon@rozman.si>
Fri, 8 Mar 2019 09:03:56 +0000 (10:03 +0100)
Signed-off-by: Odd Stranne <odd@mullvad.net>
ipc/uapi_windows.go

index 158c5a826e55f2bec933182ea9e04429db7014e3..8f0268dc4fe9f08b0955d50c660a2b8d6d209a1b 100644 (file)
@@ -46,9 +46,20 @@ func (l *UAPIListener) Addr() net.Addr {
        return l.listener.Addr()
 }
 
+func GetSystemSecurityDescriptor() string {
+       //
+       // SDDL encoded.
+       //
+       // (system = SECURITY_NT_AUTHORITY | SECURITY_LOCAL_SYSTEM_RID)
+       // owner: system
+       // grant: GENERIC_ALL to system
+       //
+       return "O:SYD:(A;;GA;;;SY)"
+}
+
 func UAPIListen(name string) (net.Listener, error) {
        config := winio.PipeConfig{
-               SecurityDescriptor: "O:SYD:P(A;;GA;;;SY)", /* Local System only, not inheritable */
+               SecurityDescriptor: GetSystemSecurityDescriptor(),
        }
        listener, err := winio.ListenPipe("\\\\.\\pipe\\WireGuard\\"+name, &config)
        if err != nil {
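Review bot: The string returned by `GetSystemSecurityDescriptor` drops the `P` (protected DACL) flag that the replaced literal `"O:SYD:P(A;;GA;;;SY)"` carried, and neither the new comment block nor the commit message says why, which sits oddly under a change titled as applying a strict descriptor. If the omission is unintended, keep the flag with `return "O:SYD:P(A;;GA;;;SY)"`; if it is deliberate, record that in the comment, e.g. `// no "P" flag: DACL protection is not needed because …`. Whether inheritable ACEs can reach this pipe object at all is not visible from the hunk, so the practical effect may be nil, but this descriptor is the only access control shown on the UAPI pipe and should be explicit about it. The explanation would also read better as a doc comment above the exported function, beginning `// GetSystemSecurityDescriptor returns …`, rather than inside its body. `UAPIListen` continues past the end of the hunk.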