From 2b85262ee2fd234bee49a24efe21463003e435e0 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 23 Nov 2025 23:25:16 +0300 Subject: [PATCH] winws2: set low mandatory label on logs and autohostlist --- nfq2/darkmagic.c | 38 ++++++++++++++++++++++++++++++++++++++ nfq2/darkmagic.h | 3 +++ nfq2/nfqws.c | 19 +++++++++++++------ nfq2/protocol.c | 1 + 4 files changed, 55 insertions(+), 6 deletions(-) diff --git a/nfq2/darkmagic.c b/nfq2/darkmagic.c index 36aa88b..259a523 100644 --- a/nfq2/darkmagic.c +++ b/nfq2/darkmagic.c @@ -22,6 +22,7 @@ #ifdef __CYGWIN__ #include #include +#include #ifndef ERROR_INVALID_IMAGE_HASH #define ERROR_INVALID_IMAGE_HASH __MSABI_LONG(577) @@ -676,6 +677,36 @@ static BOOL WinSandbox(void) // this is not much but better than nothing return RemoveTokenPrivs(); } + +BOOL SetMandatoryLabelFile(LPCSTR lpFileName, DWORD dwMandatoryLabelRID) +{ + BOOL bRes=FALSE; + DWORD dwErr, dwFileAttributes; + char buf_label[16], buf_pacl[32]; + PSID label = (PSID)buf_label; + PACL pacl = (PACL)buf_pacl; + + dwFileAttributes = GetFileAttributesA(lpFileName); + if (dwFileAttributes == INVALID_FILE_ATTRIBUTES) + return FALSE; + + InitializeSid(label, &label_authority, 1); + *GetSidSubAuthority(label, 0) = dwMandatoryLabelRID; + if (InitializeAcl(pacl, sizeof(buf_pacl), ACL_REVISION) && AddMandatoryAce(pacl, (dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) ? ACL_REVISION_DS : ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, label)) + { + dwErr = SetNamedSecurityInfoA((LPSTR)lpFileName, SE_FILE_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pacl); + SetLastError(dwErr); + bRes = dwErr==ERROR_SUCCESS; + } + if (!bRes) w_win32_error = GetLastError(); + return bRes; +} + +bool ensure_file_access(const char *filename) +{ + return SetMandatoryLabelFile(filename, SECURITY_MANDATORY_LOW_RID); +} + bool win_irreversible_sandbox(void) { // there's no way to return privs 
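Review bot: The early `return FALSE` after `GetFileAttributesA` in `SetMandatoryLabelFile` skips the `w_win32_error = GetLastError();` assignment that the later failure path performs, so a caller that inspects `w_win32_error` after a missing-file failure would see a stale value; consider `if (dwFileAttributes == INVALID_FILE_ATTRIBUTES) { w_win32_error = GetLastError(); return FALSE; }`. The return value of `InitializeSid` is also unchecked. `buf_label` and `buf_pacl` are plain `char` arrays cast to `PSID`/`PACL`, which may not give the DWORD alignment those structures expect; `DWORD buf_label[4], buf_pacl[8];` keeps the same sizes with guaranteed alignment. A comment above the function should state that a Low label removes the no-write-up barrier, so any low-integrity process the DACL admits can modify the file. That matters if the auto hostlist is read back as input, which the hunk does not show.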
@@ -693,6 +724,8 @@ bool win_irreversible_sandbox_if_possible(void) return true; } + + static HANDLE w_filter = NULL; static OVERLAPPED ovl = { .hEvent = NULL }; static const struct str_list_head *wlan_filter_ssid = NULL, *nlm_filter_net = NULL; @@ -1229,6 +1262,11 @@ bool rawsend(const struct sockaddr* dst,uint32_t fwmark,const char *ifout,const #else // *nix +bool ensure_file_access(const char *filename) +{ + return !chown(filename, params.uid, -1); +} + static int rawsend_sock4=-1, rawsend_sock6=-1; static bool b_bind_fix4=false, b_bind_fix6=false; static void rawsend_clean_sock(int *sock) diff --git a/nfq2/darkmagic.h b/nfq2/darkmagic.h index 569c8cb..4063776 100644 --- a/nfq2/darkmagic.h +++ b/nfq2/darkmagic.h @@ -89,6 +89,9 @@ bool tcp_has_fastopen(const struct tcphdr *tcp); bool ip_has_df(const struct ip *ip); + +bool ensure_file_access(const char *filename); + #ifdef __CYGWIN__ extern uint32_t w_win32_error; diff --git a/nfq2/nfqws.c b/nfq2/nfqws.c index 4e8a5a6..a11414b 100644 --- a/nfq2/nfqws.c +++ b/nfq2/nfqws.c 
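Review bot: The *nix `ensure_file_access` calls `chown(filename, params.uid, -1)`, which follows symlinks, and it presumably runs before the privilege drop while the process is still root. If the log or auto hostlist path sits in a directory the unprivileged uid can write to, the ownership change could land on a file other than the intended one. Consider `lchown(filename, params.uid, -1)`, or opening the file with `O_NOFOLLOW` and using `fchown`, unless symlinked log paths must stay supported. The function does different things per platform, so the new prototype in darkmagic.h deserves a comment such as `// make file writable after privilege drop: chown to params.uid on *nix, low mandatory label on windows; returns true on success`.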
@@ -2401,11 +2401,14 @@ int main(int argc, char **argv) DLOG_CONDUP("we have %d user defined desync profile(s) and default low priority profile 0\n", desync_profile_count); #ifndef __CYGWIN__ - if (params.debug_target == LOG_TARGET_FILE && params.droproot && chown(params.debug_logfile, params.uid, -1)) - fprintf(stderr, "could not chown %s. log file may not be writable after privilege drop\n", params.debug_logfile); - if (params.droproot && *params.hostlist_auto_debuglog && chown(params.hostlist_auto_debuglog, params.uid, -1)) - DLOG_ERR("could not chown %s. auto hostlist debug log may not be writable after privilege drop\n", params.hostlist_auto_debuglog); + if (params.droproot) #endif + { + if (params.debug_target == LOG_TARGET_FILE && !ensure_file_access(params.debug_logfile)) + DLOG_ERR("could not make '%s' accessible. log file may not be writable after privilege drop\n", params.debug_logfile); + if (*params.hostlist_auto_debuglog && !ensure_file_access(params.hostlist_auto_debuglog)) + DLOG_ERR("could not make '%s' accessible. auto hostlist debug log may not be writable after privilege drop\n", params.hostlist_auto_debuglog); + } LIST_FOREACH(dpl, ¶ms.desync_profiles, next) { dp = &dpl->dp; @@ -2417,9 +2420,13 @@ int main(int argc, char **argv) } #ifndef __CYGWIN__ - if (params.droproot && dp->hostlist_auto && chown(dp->hostlist_auto->filename, params.uid, -1)) - DLOG_ERR("could not chown %s. auto hostlist file may not be writable after privilege drop\n", dp->hostlist_auto->filename); + if (params.droproot) #endif + { + if (dp->hostlist_auto && ensure_file_access(dp->hostlist_auto->filename)) + DLOG_ERR("could not chown %s. auto hostlist file may not be writable after privilege drop\n", dp->hostlist_auto->filename); + + } LuaDesyncDebug(dp); } diff --git a/nfq2/protocol.c b/nfq2/protocol.c index 07693fc..a80a119 100644 --- a/nfq2/protocol.c +++ b/nfq2/protocol.c 
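Review bot: The per-profile check `if (dp->hostlist_auto && ensure_file_access(dp->hostlist_auto->filename))` in the second nfqws.c hunk is missing the negation used by both calls in the first hunk. As written, the error is logged when the call succeeds and a real failure passes silently; it should read `if (dp->hostlist_auto && !ensure_file_access(dp->hostlist_auto->filename))`. The message on that branch still says `could not chown %s`, which no longer describes the Windows path; the first hunk's wording, `could not make '%s' accessible. ...`, would be consistent. Both hunks are inside `main`, which starts and ends outside them.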
@@ -1398,4 +1398,5 @@ bool IsMTProto(const uint8_t *data, size_t len)
 aes_ctr_crypt(data+8, 32, data+40, data, 64, decrypt);
 return !memcmp(decrypt+56,"\xEF\xEF\xEF\xEF",4);
 }
+ return false;
 }