winws2: set low mandatory if possible

2026-03-13 22:03:09 +00:00 · 2025-11-23 20:52:33 +03:00
parent ed4eb043a2
commit 9d49f35324
7 changed files with 67 additions and 6 deletions
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -12,3 +12,8 @@ v0.1.2
 * nfqws2: 'known' protocol and payload filter
 * nfqws2: 'aes_ctr' luacall
 * zapret-antidpi: rst
+* github actions: remove FFI from luajit
+
+v0.1.3
+
+* winws2: set low mandatory level in process token if possible : no --wlan-filter or --nlm-filter (no windivert reinit required)
--- a/nfq2/crypto/aes-gcm.c
+++ b/nfq2/crypto/aes-gcm.c
@@ -5,6 +5,8 @@ int aes_gcm_crypt(int mode, uint8_t *output, const uint8_t *input, size_t input_
 	int ret = 0;
 	gcm_context ctx;

+	gcm_initialize();
+
 	if (!(ret = gcm_setkey(&ctx, key, (const uint)key_len)))
 	{
 		ret = gcm_crypt_and_tag(&ctx, mode, iv, iv_len, adata, adata_len, input, output, input_length, atag, atag_len);
--- a/nfq2/darkmagic.c
+++ b/nfq2/darkmagic.c
@@ -609,7 +609,7 @@ uint8_t ttl46(const struct ip *ip, const struct ip6_hdr *ip6)

 uint32_t w_win32_error=0;

-static BOOL RemoveTokenPrivs()
+static BOOL RemoveTokenPrivs(void)
 {
 	BOOL bRes = FALSE;
 	HANDLE hToken;
@@ -643,7 +643,32 @@ static BOOL RemoveTokenPrivs()
 	if (!bRes) w_win32_error = GetLastError();
 	return bRes;
 }
-static BOOL WinSandbox()
+
+static SID_IDENTIFIER_AUTHORITY label_authority = SECURITY_MANDATORY_LABEL_AUTHORITY;
+BOOL LowMandatoryLevel(void)
+{
+	BOOL bRes = FALSE;
+	HANDLE hToken;
+	char buf1[32];
+	TOKEN_MANDATORY_LABEL label_low;
+
+	label_low.Label.Sid = (PSID)buf1;
+	InitializeSid(label_low.Label.Sid, &label_authority, 1);
+	label_low.Label.Attributes = 0;
+	*GetSidSubAuthority(label_low.Label.Sid, 0) = SECURITY_MANDATORY_LOW_RID;
+
+	// S-1-16-12288 : Mandatory Label\High Mandatory Level
+	// S-1-16-8192  : Mandatory Label\Medium Mandatory Level
+	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT, &hToken))
+	{
+		bRes = SetTokenInformation(hToken, TokenIntegrityLevel, &label_low, sizeof(label_low));
+		CloseHandle(hToken);
+	}
+	if (!bRes) w_win32_error = GetLastError();
+	return bRes;
+}
+
+static BOOL WinSandbox(void)
 {
 	// unfortunately there's no way to remove or disable Administrators group in the current process's token
 	// only possible run child process with restricted token
@@ -651,7 +676,22 @@ static BOOL WinSandbox()
 	// this is not much but better than nothing
 	return RemoveTokenPrivs();
 }
-
+bool win_irreversible_sandbox(void)
+{
+	// there's no way to return privs
+	return LowMandatoryLevel();
+}
+static bool b_isandbox_set = false;
+bool win_irreversible_sandbox_if_possible(void)
+{
+	if (!b_isandbox_set)
+	{
+		if (!logical_net_filter_present() && !win_irreversible_sandbox())
+			return false;
+		b_isandbox_set = true;
+	}
+	return true;
+}

 static HANDLE w_filter = NULL;
 static OVERLAPPED ovl = { .hEvent = NULL };
@@ -1004,6 +1044,13 @@ bool logical_net_filter_match(void)
 	return wlan_filter_match(wlan_filter_ssid) && nlm_filter_match(nlm_filter_net);
 }

+bool logical_net_filter_present(void)
+{
+	return (wlan_filter_ssid && !LIST_EMPTY(wlan_filter_ssid)) || (nlm_filter_net && !LIST_EMPTY(nlm_filter_net));
+}
+
+
+
 static bool logical_net_filter_match_rate_limited(void)
 {
 	DWORD dwTick = GetTickCount() / 1000;
@@ -1093,14 +1140,17 @@ static bool windivert_recv_filter(HANDLE hFilter, uint8_t *packet, size_t *len,
 		return false;
 	}
 	usleep(0);
+
 	if (WinDivertRecvEx(hFilter, packet, *len, &recv_len, 0, wa, NULL, &ovl))
 	{
 		*len = recv_len;
 		return true;
 	}
+
 	for(;;)
 	{
 		w_win32_error = GetLastError();
+
 		switch(w_win32_error)
 		{
 			case ERROR_IO_PENDING:
--- a/nfq2/darkmagic.h
+++ b/nfq2/darkmagic.h
@@ -92,8 +92,11 @@ bool ip_has_df(const struct ip *ip);
 #ifdef __CYGWIN__
 extern uint32_t w_win32_error;

+bool win_irreversible_sandbox(void);
+bool win_irreversible_sandbox_if_possible(void);
 bool win_dark_init(const struct str_list_head *ssid_filter, const struct str_list_head *nlm_filter);
 bool win_dark_deinit(void);
+bool logical_net_filter_present(void);
 bool logical_net_filter_match(void);
 bool nlm_list(bool bAll);
 bool windivert_init(const char *filter);
--- a/nfq2/lua.c
+++ b/nfq2/lua.c
@@ -3,6 +3,7 @@
 #include "lua.h"
 #include "params.h"
 #include "helpers.h"
+#include "conntrack.h"
 #include "crypto/sha.h"
 #include "crypto/aes-gcm.h"
 #include "crypto/aes-ctr.h"
@@ -2244,6 +2245,8 @@ void lua_shutdown()
 	if (params.L)
 	{
 		DLOG("LUA SHUTDOWN\n");
+		// conntrack holds lua state. must clear it before lua shoudown
+		ConntrackPoolDestroy(&params.conntrack);
 		lua_close(params.L);
 		params.L=NULL;
 	}
--- a/nfq2/nfqws.c
+++ b/nfq2/nfqws.c
@@ -631,7 +631,7 @@ static int win_main()
 			DLOG_CONDUP("logical network now present\n");
 		}

-		if (!windivert_init(params.windivert_filter))
+		if (!windivert_init(params.windivert_filter) || !win_irreversible_sandbox_if_possible())
 		{
 			res=w_win32_error; goto ex;
 		}
--- a/nfq2/params.c
+++ b/nfq2/params.c
@@ -381,9 +381,7 @@ void cleanup_params(struct params_s *params)
 #endif

 	ConntrackPoolDestroy(&params->conntrack);
-
 	dp_list_destroy(&params->desync_profiles);
-
 	hostlist_files_destroy(&params->hostlists);
 	ipset_files_destroy(&params->ipsets);
 	ipcacheDestroy(&params->ipcache);