| author | David Lönnhager <david.l@mullvad.net> | 2021-11-30 18:50:56 +0100 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2021-12-08 10:56:00 +0100 |
| commit | c774e86e6ef95d4efd4d08eb294d4957909651d0 (patch) | |
| tree | e62ae70422d7f0ff4974257333418fbb7e47e1cc | |
| parent | c9b676bef8c420523a74d1f530243a5e30e00613 (diff) | |
| download | mullvadvpn-c774e86e6ef95d4efd4d08eb294d4957909651d0.tar.xz mullvadvpn-c774e86e6ef95d4efd4d08eb294d4957909651d0.zip | |
Update WinFw to allow restricting API communication to a set of programs
| -rw-r--r-- | windows/winfw/src/winfw/fwcontext.cpp | 25 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/fwcontext.h | 10 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/baseline/permitendpoint.cpp | 6 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/baseline/permitendpoint.h | 3 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/winfw.cpp | 6 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/winfw.h | 18 |
6 files changed, 48 insertions, 20 deletions
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp index 6f2667c429..fe6c227e7f 100644 --- a/windows/winfw/src/winfw/fwcontext.cpp +++ b/windows/winfw/src/winfw/fwcontext.cpp @@ -104,13 +104,20 @@ void AppendRelayRules void AppendAllowedEndpointRules ( FwContext::Ruleset &ruleset, - const WinFwEndpoint &endpoint + const WinFwAllowedEndpoint &endpoint ) { + std::vector<std::wstring> clients; + clients.reserve(endpoint.numClients); + for (uint32_t i = 0; i < endpoint.numClients; i++) { + clients.push_back(endpoint.clients[i]); + } + ruleset.emplace_back(std::make_unique<baseline::PermitEndpoint>( - wfp::IpAddress(endpoint.ip), - endpoint.port, - endpoint.protocol + wfp::IpAddress(endpoint.endpoint.ip), + clients, + endpoint.endpoint.port, + endpoint.endpoint.protocol )); } @@ -149,7 +156,7 @@ FwContext::FwContext ( uint32_t timeout, const WinFwSettings &settings, - const std::optional<WinFwEndpoint> &allowedEndpoint + const std::optional<WinFwAllowedEndpoint> &allowedEndpoint ) : m_baseline(0) , m_activePolicy(Policy::None) @@ -178,7 +185,7 @@ bool FwContext::applyPolicyConnecting const WinFwEndpoint &relay, const std::wstring &relayClient, const std::optional<std::wstring> &tunnelInterfaceAlias, - const std::optional<WinFwEndpoint> &allowedEndpoint + const std::optional<WinFwAllowedEndpoint> &allowedEndpoint ) { Ruleset ruleset; @@ -260,7 +267,7 @@ bool FwContext::applyPolicyConnected return status; } -bool FwContext::applyPolicyBlocked(const WinFwSettings &settings, const std::optional<WinFwEndpoint> &allowedEndpoint) +bool FwContext::applyPolicyBlocked(const WinFwSettings &settings, const std::optional<WinFwAllowedEndpoint> &allowedEndpoint) { const auto status = applyRuleset(composePolicyBlocked(settings, allowedEndpoint)); 
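Review bot: AppendAllowedEndpointRules reads `endpoint.clients[i]` for every `i < endpoint.numClients` without checking that `endpoint.clients` is non-null, and a null entry would reach std::wstring's `const wchar_t*` constructor, which is undefined for null; because WinFwAllowedEndpoint arrives through the C ABI in winfw.cpp, a caller whose `numClients` and `clients` disagree turns into a crash inside the firewall DLL instead of a reported failure. Guard the pair before the loop using whatever failure convention this translation unit already uses (not visible in the hunk), e.g. `if (endpoint.numClients != 0 && endpoint.clients == nullptr) { /* reject per file convention */ }`, and reject a null `endpoint.clients[i]` the same way. The copy loop can be the range constructor, `std::vector<std::wstring> clients(endpoint.clients, endpoint.clients + endpoint.numClients);`, which reads exactly the same entries. Since PermitEndpoint::apply (permitendpoint.cpp) adds one application condition per entry, an empty list leaves the endpoint reachable from every process; a one-line comment on this function stating that permissive default would keep callers from assuming the opposite.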
@@ -292,7 +299,7 @@ FwContext::Policy FwContext::activePolicy() const return m_activePolicy; } -FwContext::Ruleset FwContext::composePolicyBlocked(const WinFwSettings &settings, const std::optional<WinFwEndpoint> &allowedEndpoint) +FwContext::Ruleset FwContext::composePolicyBlocked(const WinFwSettings &settings, const std::optional<WinFwAllowedEndpoint> &allowedEndpoint) { Ruleset ruleset; @@ -315,7 +322,7 @@ bool FwContext::applyBaseConfiguration() }); } -bool FwContext::applyBlockedBaseConfiguration(const WinFwSettings &settings, const std::optional<WinFwEndpoint> &allowedEndpoint, uint32_t &checkpoint) +bool FwContext::applyBlockedBaseConfiguration(const WinFwSettings &settings, const std::optional<WinFwAllowedEndpoint> &allowedEndpoint, uint32_t &checkpoint) { return m_sessionController->executeTransaction([&](SessionController &controller, wfp::FilterEngine &engine) { diff --git a/windows/winfw/src/winfw/fwcontext.h b/windows/winfw/src/winfw/fwcontext.h index a3b23f2c8b..bf67565993 100644 --- a/windows/winfw/src/winfw/fwcontext.h +++ b/windows/winfw/src/winfw/fwcontext.h @@ -21,7 +21,7 @@ public: ( uint32_t timeout, const WinFwSettings &settings, - const std::optional<WinFwEndpoint> &allowedEndpoint + const std::optional<WinFwAllowedEndpoint> &allowedEndpoint ); bool applyPolicyConnecting @@ -30,7 +30,7 @@ public: const WinFwEndpoint &relay, const std::wstring &relayClient, const std::optional<std::wstring> &tunnelInterfaceAlias, - const std::optional<WinFwEndpoint> &allowedEndpoint + const std::optional<WinFwAllowedEndpoint> &allowedEndpoint ); bool applyPolicyConnected @@ -45,7 +45,7 @@ public: bool applyPolicyBlocked( const WinFwSettings &settings, - const std::optional<WinFwEndpoint> &allowedEndpoint + const std::optional<WinFwAllowedEndpoint> &allowedEndpoint ); bool reset(); 
@@ -67,10 +67,10 @@ private: FwContext(const FwContext &) = delete; FwContext &operator=(const FwContext &) = delete; - Ruleset composePolicyBlocked(const WinFwSettings &settings, const std::optional<WinFwEndpoint> &allowedEndpoint); + Ruleset composePolicyBlocked(const WinFwSettings &settings, const std::optional<WinFwAllowedEndpoint> &allowedEndpoint); bool applyBaseConfiguration(); - bool applyBlockedBaseConfiguration(const WinFwSettings &settings, const std::optional<WinFwEndpoint> &allowedEndpoint, uint32_t &checkpoint); + bool applyBlockedBaseConfiguration(const WinFwSettings &settings, const std::optional<WinFwAllowedEndpoint> &allowedEndpoint, uint32_t &checkpoint); bool applyCommonBaseConfiguration(SessionController &controller, wfp::FilterEngine &engine); bool applyRuleset(const Ruleset &ruleset); diff --git a/windows/winfw/src/winfw/rules/baseline/permitendpoint.cpp b/windows/winfw/src/winfw/rules/baseline/permitendpoint.cpp index 5b79d64ceb..09d8937535 100644 --- a/windows/winfw/src/winfw/rules/baseline/permitendpoint.cpp +++ b/windows/winfw/src/winfw/rules/baseline/permitendpoint.cpp @@ -48,10 +48,12 @@ std::unique_ptr<ConditionProtocol> CreateProtocolCondition(WinFwProtocol protoco PermitEndpoint::PermitEndpoint ( const wfp::IpAddress &address, + const std::vector<std::wstring> &clients, uint16_t port, WinFwProtocol protocol ) : m_address(address) + , m_clients(clients) , m_port(port) , m_protocol(protocol) { @@ -81,6 +83,10 @@ bool PermitEndpoint::apply(IObjectInstaller &objectInstaller) conditionBuilder.add_condition(ConditionPort::Remote(m_port)); conditionBuilder.add_condition(CreateProtocolCondition(m_protocol)); + for (const auto client : m_clients) { + conditionBuilder.add_condition(std::make_unique<ConditionApplication>(client)); + } + return objectInstaller.addFilter(filterBuilder, conditionBuilder); } 
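Review bot: The new loop in PermitEndpoint::apply copies every path, because `for (const auto client : m_clients)` deduces `std::wstring` by value; bind by reference instead, `for (const auto &client : m_clients) {`. With no entries in `m_clients` the filter carries only the remote address, port and protocol conditions and therefore permits the endpoint for any process — presumably the intended fallback for callers that pass no clients, but it should be stated above the loop, e.g. `// No clients: the endpoint is reachable from every process.` As far as I recall, WFP combines several conditions on the same field with OR, so listing multiple clients yields the intended "any of these programs" rule; worth confirming against the ConditionApplication/WFP documentation before relying on it. PermitEndpoint::apply begins outside the hunk.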
diff --git a/windows/winfw/src/winfw/rules/baseline/permitendpoint.h b/windows/winfw/src/winfw/rules/baseline/permitendpoint.h index 93564dbd1e..9e5e2fc923 100644 --- a/windows/winfw/src/winfw/rules/baseline/permitendpoint.h +++ b/windows/winfw/src/winfw/rules/baseline/permitendpoint.h @@ -3,6 +3,7 @@ #include <winfw/rules/ifirewallrule.h> #include <winfw/winfw.h> #include <libwfp/ipaddress.h> +#include <vector> #include <string> namespace rules::baseline @@ -15,6 +16,7 @@ public: PermitEndpoint ( const wfp::IpAddress &address, + const std::vector<std::wstring> &clients, uint16_t port, WinFwProtocol protocol ); @@ -24,6 +26,7 @@ public: private: const wfp::IpAddress m_address; + const std::vector<std::wstring> m_clients; const uint16_t m_port; const WinFwProtocol m_protocol; }; diff --git a/windows/winfw/src/winfw/winfw.cpp b/windows/winfw/src/winfw/winfw.cpp index 57610409c4..ae0f0791de 100644 --- a/windows/winfw/src/winfw/winfw.cpp +++ b/windows/winfw/src/winfw/winfw.cpp @@ -118,7 +118,7 @@ WINFW_API WinFw_InitializeBlocked( uint32_t timeout, const WinFwSettings *settings, - const WinFwEndpoint *allowedEndpoint, + const WinFwAllowedEndpoint *allowedEndpoint, MullvadLogSink logSink, void *logSinkContext ) @@ -233,7 +233,7 @@ WinFw_ApplyPolicyConnecting( const WinFwEndpoint *relay, const wchar_t *relayClient, const wchar_t *tunnelInterfaceAlias, - const WinFwEndpoint *allowedEndpoint + const WinFwAllowedEndpoint *allowedEndpoint ) { if (nullptr == g_fwContext) @@ -433,7 +433,7 @@ WINFW_POLICY_STATUS WINFW_API WinFw_ApplyPolicyBlocked( const WinFwSettings *settings, - const WinFwEndpoint *allowedEndpoint + const WinFwAllowedEndpoint *allowedEndpoint ) { if (nullptr == g_fwContext) diff --git a/windows/winfw/src/winfw/winfw.h b/windows/winfw/src/winfw/winfw.h index 5a34b7784b..0a4680bc1d 100644 --- a/windows/winfw/src/winfw/winfw.h +++ b/windows/winfw/src/winfw/winfw.h 
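Review bot: `m_clients` is added to PermitEndpoint without a comment saying what an empty vector means; since apply() in permitendpoint.cpp adds one application condition per entry, an empty list places no process restriction on the endpoint, and a reader of the header should not have to discover that permissive default in the .cpp. Suggest `// Executable paths allowed to reach the endpoint; empty means any process.` above the member, with the same wording on the constructor's `clients` parameter. As a style point, the constructor takes `const std::vector<std::wstring> &clients` and copies it into the const member; taking it by value, `std::vector<std::wstring> clients,` and initializing with `, m_clients(std::move(clients))` lets AppendAllowedEndpointRules in fwcontext.cpp hand over its local vector without a second copy (the .cpp constructor definition would change to match). The winfw.cpp hunks on this line are parameter-type changes only.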
@@ -45,6 +45,18 @@ typedef struct tag_WinFwEndpoint } WinFwEndpoint; +typedef struct tag_WinFwAllowedEndpoint +{ + uint32_t numClients; + + // A list of paths that are allowed to reach the given endpoint, + // even when traffic would otherwise be blocked. + const wchar_t **clients; + + WinFwEndpoint endpoint; +} +WinFwAllowedEndpoint; + #pragma pack(pop) /////////////////////////////////////////////////////////////////////////////// @@ -88,7 +100,7 @@ WINFW_API WinFw_InitializeBlocked( uint32_t timeout, const WinFwSettings *settings, - const WinFwEndpoint *allowedEndpoint, + const WinFwAllowedEndpoint *allowedEndpoint, MullvadLogSink logSink, void *logSinkContext ); @@ -142,7 +154,7 @@ WinFw_ApplyPolicyConnecting( const WinFwEndpoint *relay, const wchar_t *relayClient, const wchar_t *tunnelInterfaceAlias, - const WinFwEndpoint *allowedEndpoint + const WinFwAllowedEndpoint *allowedEndpoint ); // @@ -189,7 +201,7 @@ WINFW_POLICY_STATUS WINFW_API WinFw_ApplyPolicyBlocked( const WinFwSettings *settings, - const WinFwEndpoint *allowedEndpoint + const WinFwAllowedEndpoint *allowedEndpoint ); // |
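Review bot: The comment on `clients` in the new WinFwAllowedEndpoint struct gives the intent but not the contract the C caller must honour: `clients` must point to exactly `numClients` non-null, NUL-terminated wide strings, it may be null only when `numClients` is 0, and, per AppendAllowedEndpointRules in fwcontext.cpp, the strings are copied during the call, so the caller keeps ownership and need not keep them alive afterwards. Suggest extending it to `// numClients NUL-terminated executable paths allowed to reach the endpoint even when traffic is otherwise blocked. Null only if numClients is 0 (empty list restricts nothing). Strings are copied; they need only outlive the call.` The struct sits in the packed region closed by the following `#pragma pack(pop)` (presumably opened by a pack(push) above the hunk), so any FFI mirror of it must use the same packing as the existing WinFwEndpoint binding.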
