202 lines
6.3 KiB
Go
202 lines
6.3 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
package safesocket
|
|
|
|
//go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zsyscall_windows.go pipe_windows.go
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net"
|
|
"runtime"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/tailscale/go-winio"
|
|
"golang.org/x/sys/windows"
|
|
)
|
|
|
|
func connect(ctx context.Context, path string) (net.Conn, error) {
|
|
ctx, cancel := context.WithTimeout(ctx, 20*time.Second)
|
|
defer cancel()
|
|
// We use the identification impersonation level so that tailscaled may
|
|
// obtain information about our token for access control purposes.
|
|
return winio.DialPipeAccessImpLevel(ctx, path, windows.GENERIC_READ|windows.GENERIC_WRITE, winio.PipeImpLevelIdentification)
|
|
}
|
|
|
|
// windowsSDDL is the Security Descriptor set on the namedpipe.
|
|
// It provides read/write access to all users and the local system.
|
|
// It is a var for testing, do not change this value.
|
|
var windowsSDDL = "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"
|
|
|
|
func listen(path string) (net.Listener, error) {
|
|
lc, err := winio.ListenPipe(
|
|
path,
|
|
&winio.PipeConfig{
|
|
SecurityDescriptor: windowsSDDL,
|
|
InputBufferSize: 256 * 1024,
|
|
OutputBufferSize: 256 * 1024,
|
|
},
|
|
)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("namedpipe.Listen: %w", err)
|
|
}
|
|
return &winIOPipeListener{Listener: lc}, nil
|
|
}
|
|
|
|
// WindowsClientConn is an implementation of net.Conn that permits retrieval of
|
|
// the Windows access token associated with the connection's client. The
|
|
// embedded net.Conn must be a go-winio PipeConn.
|
|
type WindowsClientConn struct {
|
|
winioPipeConn
|
|
tokenOnce sync.Once
|
|
token windows.Token // or zero, if we couldn't obtain the client's token
|
|
tokenErr error
|
|
}
|
|
|
|
// winioPipeConn is a subset of the interface implemented by the go-winio's
|
|
// unexported *win32pipe type, as returned by go-winio's ListenPipe
|
|
// net.Listener's Accept method. This type is used in places where we really are
|
|
// assuming that specific unexported type and its Fd method.
|
|
type winioPipeConn interface {
|
|
net.Conn
|
|
// Fd returns the Windows handle associated with the connection.
|
|
Fd() uintptr
|
|
}
|
|
|
|
func resolvePipeHandle(pc winioPipeConn) windows.Handle {
|
|
return windows.Handle(pc.Fd())
|
|
}
|
|
|
|
func (conn *WindowsClientConn) handle() windows.Handle {
|
|
return resolvePipeHandle(conn.winioPipeConn)
|
|
}
|
|
|
|
// ClientPID returns the pid of conn's client, or else an error.
|
|
func (conn *WindowsClientConn) ClientPID() (int, error) {
|
|
var pid uint32
|
|
if err := getNamedPipeClientProcessId(conn.handle(), &pid); err != nil {
|
|
return -1, fmt.Errorf("GetNamedPipeClientProcessId: %w", err)
|
|
}
|
|
return int(pid), nil
|
|
}
|
|
|
|
// CheckToken returns an error if the client user's access token could not be retrieved,
|
|
// for example when the client opens the pipe with an anonymous impersonation level.
|
|
//
|
|
// Deprecated: use [WindowsClientConn.Token] instead.
|
|
func (conn *WindowsClientConn) CheckToken() error {
|
|
_, err := conn.getToken()
|
|
return err
|
|
}
|
|
|
|
// getToken returns the Windows access token of the client user,
|
|
// or an error if the token could not be retrieved, for example
|
|
// when the client opens the pipe with an anonymous impersonation level.
|
|
//
|
|
// The connection retains ownership of the returned token handle;
|
|
// the caller must not close it.
|
|
//
|
|
// TODO(nickkhyl): Remove this, along with [WindowsClientConn.CheckToken],
|
|
// once [ipnauth.ConnIdentity] is removed in favor of [ipnauth.Actor].
|
|
func (conn *WindowsClientConn) getToken() (windows.Token, error) {
|
|
conn.tokenOnce.Do(func() {
|
|
conn.token, conn.tokenErr = clientUserAccessToken(conn.winioPipeConn)
|
|
})
|
|
return conn.token, conn.tokenErr
|
|
}
|
|
|
|
// Token returns the Windows access token of the client user,
|
|
// or an error if the token could not be retrieved, for example
|
|
// when the client opens the pipe with an anonymous impersonation level.
|
|
//
|
|
// The caller is responsible for closing the returned token handle.
|
|
func (conn *WindowsClientConn) Token() (windows.Token, error) {
|
|
token, err := conn.getToken()
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
var dupToken windows.Handle
|
|
if err := windows.DuplicateHandle(
|
|
windows.CurrentProcess(),
|
|
windows.Handle(token),
|
|
windows.CurrentProcess(),
|
|
&dupToken,
|
|
0,
|
|
false,
|
|
windows.DUPLICATE_SAME_ACCESS,
|
|
); err != nil {
|
|
return 0, err
|
|
}
|
|
return windows.Token(dupToken), nil
|
|
}
|
|
|
|
func (conn *WindowsClientConn) Close() error {
|
|
// Either wait for any pending [WindowsClientConn.Token] calls to complete,
|
|
// or ensure that the token will never be opened.
|
|
conn.tokenOnce.Do(func() {
|
|
conn.tokenErr = net.ErrClosed
|
|
})
|
|
if conn.token != 0 {
|
|
conn.token.Close()
|
|
conn.token = 0
|
|
}
|
|
return conn.winioPipeConn.Close()
|
|
}
|
|
|
|
// winIOPipeListener is a net.Listener that wraps a go-winio PipeListener and
|
|
// returns net.Conn values of type *WindowsClientConn with the associated
|
|
// windows.Token.
|
|
type winIOPipeListener struct {
|
|
net.Listener // must be from winio.ListenPipe
|
|
}
|
|
|
|
func (lw *winIOPipeListener) Accept() (net.Conn, error) {
|
|
conn, err := lw.Listener.Accept()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pipeConn, ok := conn.(winioPipeConn)
|
|
if !ok {
|
|
conn.Close()
|
|
return nil, fmt.Errorf("unexpected type %T from winio.ListenPipe listener (itself a %T)", conn, lw.Listener)
|
|
}
|
|
return &WindowsClientConn{winioPipeConn: pipeConn}, nil
|
|
}
|
|
|
|
func clientUserAccessToken(pc winioPipeConn) (windows.Token, error) {
|
|
h := resolvePipeHandle(pc)
|
|
if h == 0 {
|
|
return 0, fmt.Errorf("clientUserAccessToken failed to get handle from pipeConn %T", pc)
|
|
}
|
|
|
|
// Impersonation touches thread-local state, so we need to lock until the
|
|
// client access token has been extracted.
|
|
runtime.LockOSThread()
|
|
defer runtime.UnlockOSThread()
|
|
|
|
if err := impersonateNamedPipeClient(h); err != nil {
|
|
return 0, err
|
|
}
|
|
defer func() {
|
|
// Revert the current thread's impersonation.
|
|
if err := windows.RevertToSelf(); err != nil {
|
|
panic(fmt.Errorf("could not revert impersonation: %w", err))
|
|
}
|
|
}()
|
|
|
|
// Extract the client's access token from the thread-local state.
|
|
var token windows.Token
|
|
if err := windows.OpenThreadToken(windows.CurrentThread(), windows.TOKEN_DUPLICATE|windows.TOKEN_QUERY, true, &token); err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
return token, nil
|
|
}
|
|
|
|
//sys getNamedPipeClientProcessId(h windows.Handle, clientPid *uint32) (err error) [int32(failretval)==0] = kernel32.GetNamedPipeClientProcessId
|
|
//sys impersonateNamedPipeClient(h windows.Handle) (err error) [int32(failretval)==0] = advapi32.ImpersonateNamedPipeClient
|