gandc/zapret2
Template
1
0
Fork 0
mirror of https://github.com/bol-van/zapret2.git synced 2026-03-14 06:13:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

winws2: set low mandatory label on logs and autohostlist

Browse Source
This commit is contained in:
bol-van
2025-11-23 23:25:16 +03:00
parent 3b92197bb3
commit 2b85262ee2
4 changed files with 55 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
nfq2/darkmagic.c
View File

@@ -22,6 +22,7 @@
#ifdef __CYGWIN__
#include <wlanapi.h>
#include <netlistmgr.h>
#include <aclapi.h>
#ifndef ERROR_INVALID_IMAGE_HASH
#define ERROR_INVALID_IMAGE_HASH __MSABI_LONG(577)
@@ -676,6 +677,36 @@ static BOOL WinSandbox(void)
// this is not much but better than nothing
return RemoveTokenPrivs();
}
BOOL SetMandatoryLabelFile(LPCSTR lpFileName, DWORD dwMandatoryLabelRID)
{
BOOL bRes=FALSE;
DWORD dwErr, dwFileAttributes;
char buf_label[16], buf_pacl[32];
PSID label = (PSID)buf_label;
PACL pacl = (PACL)buf_pacl;
dwFileAttributes = GetFileAttributesA(lpFileName);
if (dwFileAttributes == INVALID_FILE_ATTRIBUTES)
return FALSE;
InitializeSid(label, &label_authority, 1);
*GetSidSubAuthority(label, 0) = dwMandatoryLabelRID;
if (InitializeAcl(pacl, sizeof(buf_pacl), ACL_REVISION) && AddMandatoryAce(pacl, (dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) ? ACL_REVISION_DS : ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, label))
{
dwErr = SetNamedSecurityInfoA((LPSTR)lpFileName, SE_FILE_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pacl);
SetLastError(dwErr);
bRes = dwErr==ERROR_SUCCESS;
}
if (!bRes) w_win32_error = GetLastError();
return bRes;
}
bool ensure_file_access(const char *filename)
{
return SetMandatoryLabelFile(filename, SECURITY_MANDATORY_LOW_RID);
}
bool win_irreversible_sandbox(void)
{
// there's no way to return privs
@@ -693,6 +724,8 @@ bool win_irreversible_sandbox_if_possible(void)
return true;
}
static HANDLE w_filter = NULL;
static OVERLAPPED ovl = { .hEvent = NULL };
static const struct str_list_head *wlan_filter_ssid = NULL, *nlm_filter_net = NULL;
@@ -1229,6 +1262,11 @@ bool rawsend(const struct sockaddr* dst,uint32_t fwmark,const char *ifout,const
#else // *nix
bool ensure_file_access(const char *filename)
{
return !chown(filename, params.uid, -1);
}
static int rawsend_sock4=-1, rawsend_sock6=-1;
static bool b_bind_fix4=false, b_bind_fix6=false;
static void rawsend_clean_sock(int *sock)

3
nfq2/darkmagic.h
View File

@@ -89,6 +89,9 @@ bool tcp_has_fastopen(const struct tcphdr *tcp);
bool ip_has_df(const struct ip *ip);
bool ensure_file_access(const char *filename);
#ifdef __CYGWIN__
extern uint32_t w_win32_error;

19
nfq2/nfqws.c
View File

@@ -2401,11 +2401,14 @@ int main(int argc, char **argv)
DLOG_CONDUP("we have %d user defined desync profile(s) and default low priority profile 0\n", desync_profile_count);
#ifndef __CYGWIN__
if (params.debug_target == LOG_TARGET_FILE && params.droproot && chown(params.debug_logfile, params.uid, -1))
fprintf(stderr, "could not chown %s. log file may not be writable after privilege drop\n", params.debug_logfile);
if (params.droproot && *params.hostlist_auto_debuglog && chown(params.hostlist_auto_debuglog, params.uid, -1))
DLOG_ERR("could not chown %s. auto hostlist debug log may not be writable after privilege drop\n", params.hostlist_auto_debuglog);
if (params.droproot)
#endif
{
if (params.debug_target == LOG_TARGET_FILE && !ensure_file_access(params.debug_logfile))
DLOG_ERR("could not make '%s' accessible. log file may not be writable after privilege drop\n", params.debug_logfile);
if (*params.hostlist_auto_debuglog && !ensure_file_access(params.hostlist_auto_debuglog))
DLOG_ERR("could not make '%s' accessible. auto hostlist debug log may not be writable after privilege drop\n", params.hostlist_auto_debuglog);
}
LIST_FOREACH(dpl, &params.desync_profiles, next)
{
dp = &dpl->dp;
@@ -2417,9 +2420,13 @@ int main(int argc, char **argv)
}
#ifndef __CYGWIN__
if (params.droproot && dp->hostlist_auto && chown(dp->hostlist_auto->filename, params.uid, -1))
DLOG_ERR("could not chown %s. auto hostlist file may not be writable after privilege drop\n", dp->hostlist_auto->filename);
if (params.droproot)
#endif
{
if (dp->hostlist_auto && ensure_file_access(dp->hostlist_auto->filename))
DLOG_ERR("could not chown %s. auto hostlist file may not be writable after privilege drop\n", dp->hostlist_auto->filename);
}
LuaDesyncDebug(dp);
}

1
nfq2/protocol.c
View File

@@ -1398,4 +1398,5 @@ bool IsMTProto(const uint8_t *data, size_t len)
aes_ctr_crypt(data+8, 32, data+40, data, 64, decrypt);
return !memcmp(decrypt+56,"\xEF\xEF\xEF\xEF",4);
}
return false;
}