driver: allow admins but require high integrity label
Might be more reasonable. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
parent
59bf6be8b6
commit
b3bf490434
@ -96,7 +96,7 @@
|
|||||||
<PreprocessorDefinitions>NDIS_MINIPORT_DRIVER=1;NDIS620_MINIPORT=1;NDIS683_MINIPORT=1;NDIS_WDM=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>NDIS_MINIPORT_DRIVER=1;NDIS620_MINIPORT=1;NDIS683_MINIPORT=1;NDIS_WDM=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
</ResourceCompile>
|
</ResourceCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<AdditionalDependencies>ndis.lib;wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
<AdditionalDependencies>ndis.lib;wdmsec.lib;ksecdd.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
</Link>
|
</Link>
|
||||||
<DriverSign>
|
<DriverSign>
|
||||||
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
|
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
|
||||||
|
@ -44,3 +44,23 @@ NTSYSAPI
|
|||||||
NTSTATUS
|
NTSTATUS
|
||||||
NTAPI
|
NTAPI
|
||||||
ZwYieldExecution(VOID);
|
ZwYieldExecution(VOID);
|
||||||
|
|
||||||
|
NTSYSAPI
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
RtlSetSaclSecurityDescriptor(
|
||||||
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||||||
|
_In_ BOOLEAN SaclPresent,
|
||||||
|
_In_opt_ PACL Sacl,
|
||||||
|
_In_opt_ BOOLEAN SaclDefaulted);
|
||||||
|
|
||||||
|
NTSYSAPI
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
RtlAddMandatoryAce(
|
||||||
|
_Inout_ PACL Acl,
|
||||||
|
_In_ ULONG AceRevision,
|
||||||
|
_In_ ULONG AceFlags,
|
||||||
|
_In_ PSID Sid,
|
||||||
|
_In_ UCHAR AceType,
|
||||||
|
_In_ ULONG AccessMask);
|
||||||
|
@ -845,28 +845,70 @@ _Use_decl_annotations_
|
|||||||
static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
|
static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
|
||||||
{
|
{
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
|
struct
|
||||||
SID LocalSystem = { 0 };
|
{
|
||||||
if (!NT_SUCCESS(Status = RtlInitializeSid(&LocalSystem, &NtAuthority, 1)))
|
SID Sid;
|
||||||
|
} LocalSystem;
|
||||||
|
struct
|
||||||
|
{
|
||||||
|
SID Sid;
|
||||||
|
ULONG ExtraAuthority;
|
||||||
|
} BuiltinAdministrators;
|
||||||
|
struct
|
||||||
|
{
|
||||||
|
SID Sid;
|
||||||
|
} HighLabel;
|
||||||
|
ULONG SidSize = sizeof(LocalSystem);
|
||||||
|
if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinLocalSystemSid, &LocalSystem.Sid, SidSize, &SidSize)))
|
||||||
|
return Status;
|
||||||
|
SidSize = sizeof(BuiltinAdministrators);
|
||||||
|
if (!NT_SUCCESS(
|
||||||
|
Status = SecLookupWellKnownSid(WinBuiltinAdministratorsSid, &BuiltinAdministrators.Sid, SidSize, &SidSize)))
|
||||||
|
return Status;
|
||||||
|
SidSize = sizeof(HighLabel);
|
||||||
|
if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinHighLabelSid, &HighLabel.Sid, SidSize, &SidSize)))
|
||||||
return Status;
|
return Status;
|
||||||
*RtlSubAuthoritySid(&LocalSystem, 0) = SECURITY_LOCAL_SYSTEM_RID;
|
|
||||||
struct
|
struct
|
||||||
{
|
{
|
||||||
ACL Dacl;
|
ACL Dacl;
|
||||||
ACCESS_ALLOWED_ACE AceFiller;
|
ACCESS_ALLOWED_ACE Ace1;
|
||||||
SID SidFiller;
|
SID Sid1;
|
||||||
|
ACCESS_ALLOWED_ACE Ace2;
|
||||||
|
SID Sid2;
|
||||||
} DaclStorage = { 0 };
|
} DaclStorage = { 0 };
|
||||||
|
struct
|
||||||
|
{
|
||||||
|
ACL Sacl;
|
||||||
|
SYSTEM_MANDATORY_LABEL_ACE Ace;
|
||||||
|
SID Sid;
|
||||||
|
} SaclStorage = { 0 };
|
||||||
if (!NT_SUCCESS(Status = RtlCreateAcl(&DaclStorage.Dacl, sizeof(DaclStorage), ACL_REVISION)))
|
if (!NT_SUCCESS(Status = RtlCreateAcl(&DaclStorage.Dacl, sizeof(DaclStorage), ACL_REVISION)))
|
||||||
return Status;
|
return Status;
|
||||||
|
if (!NT_SUCCESS(Status = RtlCreateAcl(&SaclStorage.Sacl, sizeof(SaclStorage), ACL_REVISION)))
|
||||||
|
return Status;
|
||||||
ACCESS_MASK AccessMask = GENERIC_ALL;
|
ACCESS_MASK AccessMask = GENERIC_ALL;
|
||||||
RtlMapGenericMask(&AccessMask, IoGetFileObjectGenericMapping());
|
RtlMapGenericMask(&AccessMask, IoGetFileObjectGenericMapping());
|
||||||
if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem)))
|
if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem.Sid)))
|
||||||
|
return Status;
|
||||||
|
if (!NT_SUCCESS(
|
||||||
|
Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &BuiltinAdministrators.Sid)))
|
||||||
|
return Status;
|
||||||
|
if (!NT_SUCCESS(RtlAddMandatoryAce(
|
||||||
|
&SaclStorage.Sacl,
|
||||||
|
ACL_REVISION,
|
||||||
|
0,
|
||||||
|
&HighLabel.Sid,
|
||||||
|
SYSTEM_MANDATORY_LABEL_ACE_TYPE,
|
||||||
|
SYSTEM_MANDATORY_LABEL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
|
||||||
|
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)))
|
||||||
return Status;
|
return Status;
|
||||||
SECURITY_DESCRIPTOR SecurityDescriptor = { 0 };
|
SECURITY_DESCRIPTOR SecurityDescriptor = { 0 };
|
||||||
if (!NT_SUCCESS(Status = RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION)))
|
if (!NT_SUCCESS(Status = RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION)))
|
||||||
return Status;
|
return Status;
|
||||||
if (!NT_SUCCESS(Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, &DaclStorage.Dacl, FALSE)))
|
if (!NT_SUCCESS(Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, &DaclStorage.Dacl, FALSE)))
|
||||||
return Status;
|
return Status;
|
||||||
|
if (!NT_SUCCESS(Status = RtlSetSaclSecurityDescriptor(&SecurityDescriptor, TRUE, &SaclStorage.Sacl, FALSE)))
|
||||||
|
return Status;
|
||||||
SecurityDescriptor.Control |= SE_DACL_PROTECTED;
|
SecurityDescriptor.Control |= SE_DACL_PROTECTED;
|
||||||
ULONG RequiredBytes = 0;
|
ULONG RequiredBytes = 0;
|
||||||
Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, NULL, &RequiredBytes);
|
Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, NULL, &RequiredBytes);
|
||||||
|
Loading…
Reference in New Issue
Block a user