gandc/zapret2
Template
1
0
Fork 0
mirror of https://github.com/bol-van/zapret2.git synced 2026-03-14 06:13:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

winws2: set low mandatory label on logs and autohostlist

Browse Source
This commit is contained in:
bol-van
2025-11-23 23:25:16 +03:00
parent 3b92197bb3
commit 2b85262ee2
4 changed files with 55 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
nfq2/darkmagic.c
View File

@@ -22,6 +22,7 @@
#ifdef __CYGWIN__
#include <wlanapi.h>
#include <netlistmgr.h>
#include <aclapi.h>
#ifndef ERROR_INVALID_IMAGE_HASH
#define ERROR_INVALID_IMAGE_HASH __MSABI_LONG(577)
@@ -676,6 +677,36 @@ static BOOL WinSandbox(void)
// this is not much but better than nothing
return RemoveTokenPrivs();
}
BOOL SetMandatoryLabelFile(LPCSTR lpFileName, DWORD dwMandatoryLabelRID)
{
BOOL bRes=FALSE;
DWORD dwErr, dwFileAttributes;
char buf_label[16], buf_pacl[32];
PSID label = (PSID)buf_label;
PACL pacl = (PACL)buf_pacl;
dwFileAttributes = GetFileAttributesA(lpFileName);
if (dwFileAttributes == INVALID_FILE_ATTRIBUTES)
return FALSE;
InitializeSid(label, &label_authority, 1);
*GetSidSubAuthority(label, 0) = dwMandatoryLabelRID;
if (InitializeAcl(pacl, sizeof(buf_pacl), ACL_REVISION) && AddMandatoryAce(pacl, (dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) ? ACL_REVISION_DS : ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, label))
{
dwErr = SetNamedSecurityInfoA((LPSTR)lpFileName, SE_FILE_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pacl);
SetLastError(dwErr);
bRes = dwErr==ERROR_SUCCESS;
}
if (!bRes) w_win32_error = GetLastError();
return bRes;
}
bool ensure_file_access(const char *filename)
{
return SetMandatoryLabelFile(filename, SECURITY_MANDATORY_LOW_RID);
}
bool win_irreversible_sandbox(void)
{
// there's no way to return privs
@@ -693,6 +724,8 @@ bool win_irreversible_sandbox_if_possible(void)
return true;
}
static HANDLE w_filter = NULL;
static OVERLAPPED ovl = { .hEvent = NULL };
static const struct str_list_head *wlan_filter_ssid = NULL, *nlm_filter_net = NULL;
@@ -1229,6 +1262,11 @@ bool rawsend(const struct sockaddr* dst,uint32_t fwmark,const char *ifout,const
#else // *nix
bool ensure_file_access(const char *filename)
{
return !chown(filename, params.uid, -1);
}
static int rawsend_sock4=-1, rawsend_sock6=-1;
static bool b_bind_fix4=false, b_bind_fix6=false;
static void rawsend_clean_sock(int *sock)