authorOdd Stranne <odd@mullvad.net>2020-06-11 12:52:29 +0200
committerOdd Stranne <odd@mullvad.net>2020-06-11 12:52:29 +0200
commit4e9cace12939e6a906a238554a5779604d10e3e7 (patch)
tree0d9f32e54cb51ea020e585adbadc7f3c2d79232e
parentf16be4bf36d414f99d5d2d6f7eb414f2dde985a0 (diff)
downloadmullvadvpn-4e9cace12939e6a906a238554a5779604d10e3e7.tar.xz
mullvadvpn-4e9cace12939e6a906a238554a5779604d10e3e7.zip
Restrict relay access to a single application
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp22
-rw-r--r--windows/winfw/src/winfw/fwcontext.h10
-rw-r--r--windows/winfw/src/winfw/rules/multi/permitvpnrelay.cpp14
-rw-r--r--windows/winfw/src/winfw/rules/multi/permitvpnrelay.h5
-rw-r--r--windows/winfw/src/winfw/winfw.cpp49
-rw-r--r--windows/winfw/src/winfw/winfw.h15
6 files changed, 43 insertions, 72 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index 7661fe95d4..65b5762500 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -91,7 +91,7 @@ void AppendRelayRules
(
FwContext::Ruleset &ruleset,
const WinFwRelay &relay,
- const std::vector<std::wstring> &approvedApplications
+ const std::wstring &relayClient
)
{
auto sublayer =
@@ -105,7 +105,7 @@ void AppendRelayRules
wfp::IpAddress(relay.ip),
relay.port,
TranslateProtocol(relay.protocol),
- approvedApplications,
+ relayClient,
sublayer
));
}
@@ -120,11 +120,9 @@ void AppendNetBlockedRules(FwContext::Ruleset &ruleset)
FwContext::FwContext
(
- uint32_t timeout,
- const std::vector<std::wstring> &approvedApplications
+ uint32_t timeout
)
- : m_approvedApplications(approvedApplications)
- , m_baseline(0)
+ : m_baseline(0)
, m_activePolicy(Policy::None)
{
auto engine = wfp::FilterEngine::StandardSession(timeout);
@@ -146,11 +144,9 @@ FwContext::FwContext
FwContext::FwContext
(
uint32_t timeout,
- const WinFwSettings &settings,
- const std::vector<std::wstring> &approvedApplications
+ const WinFwSettings &settings
)
- : m_approvedApplications(approvedApplications)
- , m_baseline(0)
+ : m_baseline(0)
, m_activePolicy(Policy::None)
{
auto engine = wfp::FilterEngine::StandardSession(timeout);
@@ -175,6 +171,7 @@ bool FwContext::applyPolicyConnecting
(
const WinFwSettings &settings,
const WinFwRelay &relay,
+ const std::wstring &relayClient,
const std::optional<PingableHosts> &pingableHosts
)
{
@@ -182,7 +179,7 @@ bool FwContext::applyPolicyConnecting
AppendNetBlockedRules(ruleset);
AppendSettingsRules(ruleset, settings);
- AppendRelayRules(ruleset, relay, m_approvedApplications);
+ AppendRelayRules(ruleset, relay, relayClient);
//
// Permit pinging the gateway inside the tunnel.
@@ -211,6 +208,7 @@ bool FwContext::applyPolicyConnected
(
const WinFwSettings &settings,
const WinFwRelay &relay,
+ const std::wstring &relayClient,
const std::wstring &tunnelInterfaceAlias,
const std::vector<wfp::IpAddress> &tunnelDnsServers
)
@@ -219,7 +217,7 @@ bool FwContext::applyPolicyConnected
AppendNetBlockedRules(ruleset);
AppendSettingsRules(ruleset, settings);
- AppendRelayRules(ruleset, relay, m_approvedApplications);
+ AppendRelayRules(ruleset, relay, relayClient);
ruleset.emplace_back(std::make_unique<dns::PermitTunnel>(
tunnelInterfaceAlias, tunnelDnsServers
diff --git a/windows/winfw/src/winfw/fwcontext.h b/windows/winfw/src/winfw/fwcontext.h
index fd8871e26b..e342f52fe5 100644
--- a/windows/winfw/src/winfw/fwcontext.h
+++ b/windows/winfw/src/winfw/fwcontext.h
@@ -7,20 +7,20 @@
#include <cstdint>
#include <memory>
#include <vector>
+#include <string>
#include <optional>
class FwContext
{
public:
- FwContext(uint32_t timeout, const std::vector<std::wstring> &approvedApplications);
+ FwContext(uint32_t timeout);
// This ctor applies the "blocked" policy.
FwContext
(
uint32_t timeout,
- const WinFwSettings &settings,
- const std::vector<std::wstring> &approvedApplications
+ const WinFwSettings &settings
);
struct PingableHosts
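Review bot: The new single-argument constructor `FwContext(uint32_t timeout);` is not marked `explicit`, so a bare integer now converts implicitly to an `FwContext`; the previous two-argument form could not be used that way, and nothing about a timeout value should silently become a firewall context. Prefer `explicit FwContext(uint32_t timeout);`, which keeps the same call sites working while blocking the accidental conversion. The class body continues past the end of this hunk.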
@@ -33,6 +33,7 @@ public:
(
const WinFwSettings &settings,
const WinFwRelay &relay,
+ const std::wstring &relayClient,
const std::optional<PingableHosts> &pingableHosts
);
@@ -40,6 +41,7 @@ public:
(
const WinFwSettings &settings,
const WinFwRelay &relay,
+ const std::wstring &relayClient,
const std::wstring &tunnelInterfaceAlias,
const std::vector<wfp::IpAddress> &tunnelDnsServers
);
@@ -74,8 +76,6 @@ private:
bool applyRuleset(const Ruleset &ruleset);
bool applyRulesetDirectly(const Ruleset &ruleset, SessionController &controller);
- const std::vector<std::wstring> m_approvedApplications;
-
std::unique_ptr<SessionController> m_sessionController;
uint32_t m_baseline;
diff --git a/windows/winfw/src/winfw/rules/multi/permitvpnrelay.cpp b/windows/winfw/src/winfw/rules/multi/permitvpnrelay.cpp
index db14ee4852..35e56ba167 100644
--- a/windows/winfw/src/winfw/rules/multi/permitvpnrelay.cpp
+++ b/windows/winfw/src/winfw/rules/multi/permitvpnrelay.cpp
@@ -63,19 +63,15 @@ PermitVpnRelay::PermitVpnRelay
const wfp::IpAddress &relay,
uint16_t relayPort,
Protocol protocol,
- const std::vector<std::wstring> &approvedApplications,
+ const std::wstring &relayClient,
Sublayer sublayer
)
: m_relay(relay)
, m_relayPort(relayPort)
, m_protocol(protocol)
- , m_approvedApplications(approvedApplications)
+ , m_relayClient(relayClient)
, m_sublayer(sublayer)
{
- if (m_approvedApplications.empty())
- {
- THROW_ERROR("Cannot configure relay access without list of approved applications");
- }
}
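Review bot: The invariant that relay access is never configured without an application identifier is dropped in this constructor: the removed `m_approvedApplications.empty()` check has no counterpart for `relayClient`, so an empty `std::wstring` is stored in `m_relayClient` and later handed to `ConditionApplication` in `apply()` unchecked. How `ConditionApplication` treats an empty value is not visible here; if it does not reject it, the permit-relay filter could be installed with a degenerate application condition, which is the opposite of what this commit sets out to do. Keep the check at the rule level, independent of whatever the C entry points validate: `if (m_relayClient.empty()) { THROW_ERROR("Cannot configure relay access without relay client"); }`. The constructor's parameter list begins before the start of the hunk.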
bool PermitVpnRelay::apply(IObjectInstaller &objectInstaller)
@@ -101,11 +97,7 @@ bool PermitVpnRelay::apply(IObjectInstaller &objectInstaller)
conditionBuilder.add_condition(ConditionIp::Remote(m_relay));
conditionBuilder.add_condition(ConditionPort::Remote(m_relayPort));
conditionBuilder.add_condition(CreateProtocolCondition(m_protocol));
-
- for (const auto &app : m_approvedApplications)
- {
- conditionBuilder.add_condition(std::make_unique<ConditionApplication>(app));
- }
+ conditionBuilder.add_condition(std::make_unique<ConditionApplication>(m_relayClient));
return objectInstaller.addFilter(filterBuilder, conditionBuilder);
}
diff --git a/windows/winfw/src/winfw/rules/multi/permitvpnrelay.h b/windows/winfw/src/winfw/rules/multi/permitvpnrelay.h
index e40fce159d..22b7956588 100644
--- a/windows/winfw/src/winfw/rules/multi/permitvpnrelay.h
+++ b/windows/winfw/src/winfw/rules/multi/permitvpnrelay.h
@@ -3,7 +3,6 @@
#include <winfw/rules/ifirewallrule.h>
#include <libwfp/ipaddress.h>
#include <string>
-#include <vector>
namespace rules::multi
{
@@ -29,7 +28,7 @@ public:
const wfp::IpAddress &relay,
uint16_t relayPort,
Protocol protocol,
- const std::vector<std::wstring> &approvedApplications,
+ const std::wstring &relayClient,
Sublayer sublayer
);
@@ -40,7 +39,7 @@ private:
const wfp::IpAddress m_relay;
const uint16_t m_relayPort;
const Protocol m_protocol;
- const std::vector<std::wstring> m_approvedApplications;
+ const std::wstring m_relayClient;
const Sublayer m_sublayer;
};
diff --git a/windows/winfw/src/winfw/winfw.cpp b/windows/winfw/src/winfw/winfw.cpp
index 55587e03f9..3ce26376f7 100644
--- a/windows/winfw/src/winfw/winfw.cpp
+++ b/windows/winfw/src/winfw/winfw.cpp
@@ -42,27 +42,6 @@ std::optional<FwContext::PingableHosts> ConvertPingableHosts(const PingableHosts
return converted;
}
-std::vector<std::wstring> ConvertApprovedApplications
-(
- WinFwApprovedApplications *approvedApplications
-)
-{
- if (nullptr == approvedApplications
- || 0 == approvedApplications->numApps)
- {
- THROW_ERROR("Invalid list of approved applications (empty list)");
- }
-
- std::vector<std::wstring> converted;
-
- for (size_t i = 0; i < approvedApplications->numApps; ++i)
- {
- converted.emplace_back(std::wstring(approvedApplications->apps[i]));
- }
-
- return converted;
-}
-
} // anonymous namespace
WINFW_LINKAGE
@@ -70,7 +49,6 @@ bool
WINFW_API
WinFw_Initialize(
uint32_t timeout,
- WinFwApprovedApplications *approvedApplications,
MullvadLogSink logSink,
void *logSinkContext
)
@@ -92,8 +70,7 @@ WinFw_Initialize(
g_logSink = logSink;
g_logSinkContext = logSinkContext;
- g_fwContext = new FwContext(timeout_ms,
- ConvertApprovedApplications(approvedApplications));
+ g_fwContext = new FwContext(timeout_ms);
}
catch (std::exception &err)
{
@@ -119,7 +96,6 @@ WINFW_API
WinFw_InitializeBlocked(
uint32_t timeout,
const WinFwSettings *settings,
- WinFwApprovedApplications *approvedApplications,
MullvadLogSink logSink,
void *logSinkContext
)
@@ -146,8 +122,7 @@ WinFw_InitializeBlocked(
g_logSink = logSink;
g_logSinkContext = logSinkContext;
- g_fwContext = new FwContext(timeout_ms, *settings,
- ConvertApprovedApplications(approvedApplications));
+ g_fwContext = new FwContext(timeout_ms, *settings);
}
catch (std::exception &err)
{
@@ -206,6 +181,7 @@ WINFW_API
WinFw_ApplyPolicyConnecting(
const WinFwSettings *settings,
const WinFwRelay *relay,
+ const wchar_t *relayClient,
const PingableHosts *pingableHosts
)
{
@@ -226,7 +202,17 @@ WinFw_ApplyPolicyConnecting(
THROW_ERROR("Invalid argument: relay");
}
- return g_fwContext->applyPolicyConnecting(*settings, *relay, ConvertPingableHosts(pingableHosts));
+ if (nullptr == relayClient)
+ {
+ THROW_ERROR("Invalid argument: relayClient");
+ }
+
+ return g_fwContext->applyPolicyConnecting(
+ *settings,
+ *relay,
+ relayClient,
+ ConvertPingableHosts(pingableHosts)
+ );
}
catch (std::exception &err)
{
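Review bot: The new argument check `if (nullptr == relayClient)` rejects only a null pointer, so an empty string passes straight through to `applyPolicyConnecting` and on into the application condition. For a string that presumably names an executable path, the empty case is the realistic bad input, and rejecting it at the API boundary gives the caller a clear error rather than a filter with a degenerate condition. Consider `if (nullptr == relayClient || L'\0' == *relayClient)` with the existing `THROW_ERROR("Invalid argument: relayClient")`; the identical check added in the `WinFw_ApplyPolicyConnected` hunk (the one ending at the `tunnelInterfaceAlias` check) has the same gap. `WinFw_ApplyPolicyConnecting` begins before this hunk and its `catch` block continues after it.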
@@ -249,6 +235,7 @@ WINFW_API
WinFw_ApplyPolicyConnected(
const WinFwSettings *settings,
const WinFwRelay *relay,
+ const wchar_t *relayClient,
const wchar_t *tunnelInterfaceAlias,
const wchar_t *v4DnsHost,
const wchar_t *v6DnsHost
@@ -271,6 +258,11 @@ WinFw_ApplyPolicyConnected(
THROW_ERROR("Invalid argument: relay");
}
+ if (nullptr == relayClient)
+ {
+ THROW_ERROR("Invalid argument: relayClient");
+ }
+
if (nullptr == tunnelInterfaceAlias)
{
THROW_ERROR("Invalid argument: tunnelInterfaceAlias");
@@ -291,6 +283,7 @@ WinFw_ApplyPolicyConnected(
return g_fwContext->applyPolicyConnected(
*settings,
*relay,
+ relayClient,
tunnelInterfaceAlias,
tunnelDnsServers
);
diff --git a/windows/winfw/src/winfw/winfw.h b/windows/winfw/src/winfw/winfw.h
index 100c166d32..ca4e4b8317 100644
--- a/windows/winfw/src/winfw/winfw.h
+++ b/windows/winfw/src/winfw/winfw.h
@@ -45,17 +45,6 @@ typedef struct tag_WinFwRelay
}
WinFwRelay;
-//
-// This structure is used to define the set of applications
-// that are allowed to communicate with the relay.
-//
-typedef struct tag_WinFwApprovedApplications
-{
- const wchar_t **apps;
- size_t numApps;
-}
-WinFwApprovedApplications;
-
#pragma pack(pop)
///////////////////////////////////////////////////////////////////////////////
@@ -78,7 +67,6 @@ bool
WINFW_API
WinFw_Initialize(
uint32_t timeout,
- WinFwApprovedApplications *approvedApplications,
MullvadLogSink logSink,
void *logSinkContext
);
@@ -100,7 +88,6 @@ WINFW_API
WinFw_InitializeBlocked(
uint32_t timeout,
const WinFwSettings *settings,
- WinFwApprovedApplications *approvedApplications,
MullvadLogSink logSink,
void *logSinkContext
);
@@ -160,6 +147,7 @@ WINFW_API
WinFw_ApplyPolicyConnecting(
const WinFwSettings *settings,
const WinFwRelay *relay,
+ const wchar_t *relayClient,
const PingableHosts *pingableHosts
);
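Review bot: The new public parameter `relayClient` on `WinFw_ApplyPolicyConnecting` carries no documentation, and the only description of this concept, the comment on the deleted `WinFwApprovedApplications` struct, disappears in the same commit, so a caller of the C API is left to guess what string is expected. From the diff the value is forwarded to `ConditionApplication`, which suggests the path of the executable permitted to reach the relay, but the exact form and whether it may be empty should be confirmed against that class before documenting it. Suggest a comment above the parameter, e.g. `// relayClient: path of the executable that is permitted to communicate with the relay (must be non-null).`, and the same on `WinFw_ApplyPolicyConnected` in the hunk that follows. The function's doc comment, if there is one, lies above this hunk and is not visible here.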
@@ -186,6 +174,7 @@ WINFW_API
WinFw_ApplyPolicyConnected(
const WinFwSettings *settings,
const WinFwRelay *relay,
+ const wchar_t *relayClient,
const wchar_t *tunnelInterfaceAlias,
const wchar_t *v4DnsHost,
const wchar_t *v6DnsHost