driver: allow admins but require high integrity label

Might be more reasonable.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Jason A. Donenfeld 2021-06-24 12:10:12 +02:00
parent 59bf6be8b6
commit b3bf490434
3 changed files with 70 additions and 8 deletions


@ -96,7 +96,7 @@
<PreprocessorDefinitions>NDIS_MINIPORT_DRIVER=1;NDIS620_MINIPORT=1;NDIS683_MINIPORT=1;NDIS_WDM=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<Link>
<AdditionalDependencies>ndis.lib;wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>ndis.lib;wdmsec.lib;ksecdd.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>


@ -44,3 +44,23 @@ NTSYSAPI
NTSTATUS
NTAPI
ZwYieldExecution(VOID);
NTSYSAPI
NTSTATUS
NTAPI
RtlSetSaclSecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ BOOLEAN SaclPresent,
_In_opt_ PACL Sacl,
_In_opt_ BOOLEAN SaclDefaulted);
NTSYSAPI
NTSTATUS
NTAPI
RtlAddMandatoryAce(
_Inout_ PACL Acl,
_In_ ULONG AceRevision,
_In_ ULONG AceFlags,
_In_ PSID Sid,
_In_ UCHAR AceType,
_In_ ULONG AccessMask);
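Review bot: The SAL annotations on the new `RtlSetSaclSecurityDescriptor` prototype look inaccurate, which matters because static analysis of the driver relies on them. The descriptor is presumably modified by the call (the caller in this commit goes on to use it with the SACL attached), so the first parameter should be `_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,` rather than `_In_`. `_In_opt_` on the by-value `BOOLEAN SaclDefaulted` has no meaning, since optionality applies to pointers; `_In_ BOOLEAN SaclDefaulted);` is the correct form. A one-line comment noting that these two routines are declared here because the WDK headers do not expose them would also help the next reader.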


@ -845,28 +845,70 @@ _Use_decl_annotations_
static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
{
NTSTATUS Status;
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
SID LocalSystem = { 0 };
if (!NT_SUCCESS(Status = RtlInitializeSid(&LocalSystem, &NtAuthority, 1)))
struct
{
SID Sid;
} LocalSystem;
struct
{
SID Sid;
ULONG ExtraAuthority;
} BuiltinAdministrators;
struct
{
SID Sid;
} HighLabel;
ULONG SidSize = sizeof(LocalSystem);
if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinLocalSystemSid, &LocalSystem.Sid, SidSize, &SidSize)))
return Status;
SidSize = sizeof(BuiltinAdministrators);
if (!NT_SUCCESS(
Status = SecLookupWellKnownSid(WinBuiltinAdministratorsSid, &BuiltinAdministrators.Sid, SidSize, &SidSize)))
return Status;
SidSize = sizeof(HighLabel);
if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinHighLabelSid, &HighLabel.Sid, SidSize, &SidSize)))
return Status;
*RtlSubAuthoritySid(&LocalSystem, 0) = SECURITY_LOCAL_SYSTEM_RID;
struct
{
ACL Dacl;
ACCESS_ALLOWED_ACE AceFiller;
SID SidFiller;
ACCESS_ALLOWED_ACE Ace1;
SID Sid1;
ACCESS_ALLOWED_ACE Ace2;
SID Sid2;
} DaclStorage = { 0 };
struct
{
ACL Sacl;
SYSTEM_MANDATORY_LABEL_ACE Ace;
SID Sid;
} SaclStorage = { 0 };
if (!NT_SUCCESS(Status = RtlCreateAcl(&DaclStorage.Dacl, sizeof(DaclStorage), ACL_REVISION)))
return Status;
if (!NT_SUCCESS(Status = RtlCreateAcl(&SaclStorage.Sacl, sizeof(SaclStorage), ACL_REVISION)))
return Status;
ACCESS_MASK AccessMask = GENERIC_ALL;
RtlMapGenericMask(&AccessMask, IoGetFileObjectGenericMapping());
if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem)))
if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem.Sid)))
return Status;
if (!NT_SUCCESS(
Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &BuiltinAdministrators.Sid)))
return Status;
if (!NT_SUCCESS(RtlAddMandatoryAce(
&SaclStorage.Sacl,
ACL_REVISION,
0,
&HighLabel.Sid,
SYSTEM_MANDATORY_LABEL_ACE_TYPE,
SYSTEM_MANDATORY_LABEL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)))
return Status;
SECURITY_DESCRIPTOR SecurityDescriptor = { 0 };
if (!NT_SUCCESS(Status = RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION)))
return Status;
if (!NT_SUCCESS(Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, &DaclStorage.Dacl, FALSE)))
return Status;
if (!NT_SUCCESS(Status = RtlSetSaclSecurityDescriptor(&SecurityDescriptor, TRUE, &SaclStorage.Sacl, FALSE)))
return Status;
SecurityDescriptor.Control |= SE_DACL_PROTECTED;
ULONG RequiredBytes = 0;
Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, NULL, &RequiredBytes);
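Review bot: The `RtlAddMandatoryAce` check does not assign its result to `Status`, unlike every other call visible in this function. If it fails, the following `return Status;` returns the value left by the preceding `RtlAddAccessAllowedAce`, which is a success code at that point. The caller would then see success although the high-integrity label ACE was never added and no security descriptor was built; what happens next depends on code outside this hunk. Assign the result like the neighbouring calls: `if (!NT_SUCCESS(Status = RtlAddMandatoryAce(`. The function body continues past the end of the hunk.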