Windows: Apply strict security descriptor on pipe server

Signed-off-by: Odd Stranne <odd@mullvad.net>
This commit is contained in:
Odd Stranne 2019-03-06 14:58:25 +01:00 committed by Simon Rozman
parent 5c7cc256e3
commit a6d5ef82f4

View file

@ -46,9 +46,20 @@ func (l *UAPIListener) Addr() net.Addr {
return l.listener.Addr()
}
func GetSystemSecurityDescriptor() string {
//
// SDDL encoded.
//
// (system = SECURITY_NT_AUTHORITY | SECURITY_LOCAL_SYSTEM_RID)
// owner: system
// grant: GENERIC_ALL to system
//
return "O:SYD:(A;;GA;;;SY)"
}
func UAPIListen(name string) (net.Listener, error) {
config := winio.PipeConfig{
SecurityDescriptor: "O:SYD:P(A;;GA;;;SY)", /* Local System only, not inheritable */
SecurityDescriptor: GetSystemSecurityDescriptor(),
}
listener, err := winio.ListenPipe("\\\\.\\pipe\\WireGuard\\"+name, &config)
if err != nil {