From 6154c73032eff727ba239134b4ed5fc296918458 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Fri, 25 Jun 2021 14:10:29 +0200
Subject: [PATCH] driver: build security descriptor from sddl

This is a bit easier to read.

Signed-off-by: Jason A. Donenfeld
---
 driver/driver.vcxproj | 2 +-
 driver/undocumented.h | 21 ++---------
 driver/wintun.c | 87 +++----------------------------------------
 3 files changed, 10 insertions(+), 100 deletions(-)

diff --git a/driver/driver.vcxproj b/driver/driver.vcxproj
index 915326e..4457db2 100644
--- a/driver/driver.vcxproj
+++ b/driver/driver.vcxproj
@@ -96,7 +96,7 @@
 NDIS_MINIPORT_DRIVER=1;NDIS620_MINIPORT=1;NDIS683_MINIPORT=1;NDIS_WDM=1;%(PreprocessorDefinitions)
- ndis.lib;wdmsec.lib;ksecdd.lib;%(AdditionalDependencies)
+ ndis.lib;wdmsec.lib;%(AdditionalDependencies)
 sha256
diff --git a/driver/undocumented.h b/driver/undocumented.h
index 7f538b7..c642361 100644
--- a/driver/undocumented.h
+++ b/driver/undocumented.h
@@ -45,22 +45,9 @@ NTSTATUS NTAPI ZwYieldExecution(VOID);
-NTSYSAPI NTSTATUS NTAPI
-RtlSetSaclSecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
- _In_ BOOLEAN SaclPresent,
- _In_opt_ PACL Sacl,
- _In_opt_ BOOLEAN SaclDefaulted);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddMandatoryAce(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ULONG AceFlags,
- _In_ PSID Sid,
- _In_ UCHAR AceType,
- _In_ ULONG AccessMask);
+SeSddlSecurityDescriptorFromSDDL(
+ const PUNICODE_STRING SecurityDescriptorString,
+ BOOLEAN SuppliedByDefaultMechanism,
+ PSECURITY_DESCRIPTOR *SecurityDescriptor);
diff --git a/driver/wintun.c b/driver/wintun.c
index d7e3ef4..d3f2bd9 100644
--- a/driver/wintun.c
+++ b/driver/wintun.c
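Review bot: As rendered, the replacement declaration begins directly at `SeSddlSecurityDescriptorFromSDDL(` with no `NTSYSAPI NTSTATUS NTAPI` in front of it, unlike the two declarations it removes and ZwYieldExecution just above; if that is what the header now contains, the prototype falls back to a default-int return and the default calling convention, and it should read `NTSYSAPI NTSTATUS NTAPI SeSddlSecurityDescriptorFromSDDL(` (disregard this if those lines were only lost in rendering). The new declaration also drops the SAL annotations the removed ones carried, so analysis no longer knows the last parameter is an out pointer set on success; `_In_ const PUNICODE_STRING SecurityDescriptorString, _In_ BOOLEAN SuppliedByDefaultMechanism, _Outptr_ PSECURITY_DESCRIPTOR *SecurityDescriptor` with `_Must_inspect_result_` on the routine restores that. Because this is an undocumented entry point, a short comment stating the ownership contract the rest of the commit relies on — the returned descriptor is allocated by the kernel and is released with `ExFreePool`, not with the driver's tagged free — would keep the wintun.c free sites from drifting.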
@@ -844,86 +844,9 @@ static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID);
 _Use_decl_annotations_
 static NTSTATUS
 TunInitializeDispatchSecurityDescriptor(VOID)
 {
- NTSTATUS Status;
- struct
- {
- SID Sid;
- } LocalSystem;
- struct
- {
- SID Sid;
- ULONG ExtraAuthority;
- } BuiltinAdministrators;
- struct
- {
- SID Sid;
- } HighLabel;
- ULONG SidSize = sizeof(LocalSystem);
- if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinLocalSystemSid, &LocalSystem.Sid, SidSize, &SidSize)))
- return Status;
- SidSize = sizeof(BuiltinAdministrators);
- if (!NT_SUCCESS(
- Status = SecLookupWellKnownSid(WinBuiltinAdministratorsSid, &BuiltinAdministrators.Sid, SidSize, &SidSize)))
- return Status;
- SidSize = sizeof(HighLabel);
- if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinHighLabelSid, &HighLabel.Sid, SidSize, &SidSize)))
- return Status;
- struct
- {
- ACL Dacl;
- ACCESS_ALLOWED_ACE Ace1;
- SID Sid1;
- ACCESS_ALLOWED_ACE Ace2;
- SID Sid2;
- } DaclStorage = { 0 };
- struct
- {
- ACL Sacl;
- SYSTEM_MANDATORY_LABEL_ACE Ace;
- SID Sid;
- } SaclStorage = { 0 };
- if (!NT_SUCCESS(Status = RtlCreateAcl(&DaclStorage.Dacl, sizeof(DaclStorage), ACL_REVISION)))
- return Status;
- if (!NT_SUCCESS(Status = RtlCreateAcl(&SaclStorage.Sacl, sizeof(SaclStorage), ACL_REVISION)))
- return Status;
- ACCESS_MASK AccessMask = GENERIC_ALL;
- RtlMapGenericMask(&AccessMask, IoGetFileObjectGenericMapping());
- if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem.Sid)))
- return Status;
- if (!NT_SUCCESS(
- Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &BuiltinAdministrators.Sid)))
- return Status;
- if (!NT_SUCCESS(RtlAddMandatoryAce(
- &SaclStorage.Sacl,
- ACL_REVISION,
- 0,
- &HighLabel.Sid,
- SYSTEM_MANDATORY_LABEL_ACE_TYPE,
- SYSTEM_MANDATORY_LABEL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
- SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)))
- return Status;
- SECURITY_DESCRIPTOR SecurityDescriptor = { 0 };
- if (!NT_SUCCESS(Status = RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION)))
- return Status;
- if (!NT_SUCCESS(Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, &DaclStorage.Dacl, FALSE)))
- return Status;
- if (!NT_SUCCESS(Status = RtlSetSaclSecurityDescriptor(&SecurityDescriptor, TRUE, &SaclStorage.Sacl, FALSE)))
- return Status;
- SecurityDescriptor.Control |= SE_DACL_PROTECTED;
- ULONG RequiredBytes = 0;
- Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, NULL, &RequiredBytes);
- if (Status != STATUS_BUFFER_TOO_SMALL)
- return NT_SUCCESS(Status) ? STATUS_INSUFFICIENT_RESOURCES : Status;
- TunDispatchSecurityDescriptor = ExAllocatePoolWithTag(NonPagedPoolNx, RequiredBytes, TUN_MEMORY_TAG);
- if (!TunDispatchSecurityDescriptor)
- return STATUS_INSUFFICIENT_RESOURCES;
- Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, TunDispatchSecurityDescriptor, &RequiredBytes);
- if (!NT_SUCCESS(Status))
- {
- ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
- return Status;
- }
- return STATUS_SUCCESS;
+ UNICODE_STRING Sddl;
+ RtlInitUnicodeString(&Sddl, L"O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)");
+ return SeSddlSecurityDescriptorFromSDDL(&Sddl, FALSE, &TunDispatchSecurityDescriptor);
 }
 _IRQL_requires_max_(PASSIVE_LEVEL)
@@ -1493,7 +1416,7 @@ TunUnload(PDRIVER_OBJECT DriverObject)
 NdisMDeregisterMiniportDriver(NdisMiniportDriverHandle);
 ExDeleteResourceLite(&TunDispatchCtxGuard);
 ExDeleteResourceLite(&TunDispatchDeviceListLock);
- ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
+ ExFreePool(TunDispatchSecurityDescriptor);
 }
 DRIVER_INITIALIZE DriverEntry;
@@ -1569,6 +1492,6 @@ cleanupNotifier:
 cleanupResources:
 ExDeleteResourceLite(&TunDispatchCtxGuard);
 ExDeleteResourceLite(&TunDispatchDeviceListLock);
- ExFreePoolWithTag(TunDispatchSecurityDescriptor, TUN_MEMORY_TAG);
+ ExFreePool(TunDispatchSecurityDescriptor);
 return Status;
 }
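Review bot: The SDDL string in `RtlInitUnicodeString(&Sddl, L"O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)")` now carries the dispatch device's entire access policy in one opaque token, and a one-character edit (dropping the `P`, widening `FA`, lowering `HI`) silently changes who can open the device, so it deserves a comment spelling out what the removed code made explicit: owner SYSTEM, a protected DACL (`P`, the former SE_DACL_PROTECTED) granting FILE_ALL_ACCESS — what the removed code obtained by mapping GENERIC_ALL through IoGetFileObjectGenericMapping — to SYSTEM and Builtin Administrators only, and a High mandatory label with no-read/no-write/no-execute-up. `O:SY` is a small semantic addition, since the removed RtlCreateSecurityDescriptor path never set an owner; harmless, but worth stating rather than presenting the change as pure readability. The removed code pinned the self-relative descriptor in NonPagedPoolNx, and which pool SeSddlSecurityDescriptorFromSDDL allocates from is not visible here, so confirm every reader of TunDispatchSecurityDescriptor runs at PASSIVE_LEVEL or that the pool type is acceptable. Whether the routine leaves TunDispatchSecurityDescriptor NULL on failure also matters to the unconditional ExFreePool calls in the two later hunks.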
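Review bot: `ExFreePool(TunDispatchSecurityDescriptor)` here in TunUnload and again in the `cleanupResources:` hunk of DriverEntry is the matching release for memory the driver no longer allocates itself, but nothing at either site says so, and every other free in the driver uses the tagged variant, so a later tidy-up is likely to "fix" it back; a one-line comment such as `/* Allocated by SeSddlSecurityDescriptorFromSDDL, not with TUN_MEMORY_TAG. */` at both frees documents the exception. Both calls are unconditional and ExFreePool does not tolerate a NULL pointer the way free() does, so whether TunDispatchSecurityDescriptor can still be NULL on these paths depends on guards outside these hunks. TunUnload and DriverEntry both begin outside the hunks shown.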