Explicitly set SDDL on the device
Some users are getting an Access Denied error when the device is
accessed by the app running as an unprivileged process. The problem
can be worked around by running the openvpn process as privileged.

While I cannot reproduce it, this change should likely
solve it by explicitly enable read and write access to
the device by everyone.

To set SDDL, we need to assign unique device name. Using
WdfDeviceInitSetCharacteristics() with FILE_AUTOGENERATED_DEVICE_NAME
didn't work for me.

Fixes OpenVPN#38

Signed-off-by: Lev Stipakov <[email protected]>
lstipakov committed Jan 22, 2024
1 parent 1b8b417 commit 444a675
Showing 2 changed files with 28 additions and 16 deletions.
12 changes: 12 additions & 0 deletions Driver.cpp
Expand Up @@ -24,6 +24,7 @@
#include <wsk.h>
#include <wdf.h>
#include <wdfrequest.h>
#include <Ntstrsafe.h>

#include "bufferpool.h"
#include "driver.h"
Expand All @@ -36,6 +37,8 @@ TRACELOGGING_DEFINE_PROVIDER(g_hOvpnEtwProvider,
"OpenVPN.OvpnDCO",
(0x4970f9cf, 0x2c0c, 0x4f11, 0xb1, 0xcc, 0xe3, 0xa1, 0xe9, 0x95, 0x88, 0x33));

#define DEVICE_OBJECT_NAME_LENGTH 128

// WSK Client Dispatch table that denotes the WSK version
// that the WSK application wants to use and optionally a pointer
// to the WskClientEvent callback function
Expand Down Expand Up @@ -414,6 +417,12 @@ OvpnEvtDeviceAdd(WDFDRIVER wdfDriver, PWDFDEVICE_INIT deviceInit) {
DECLARE_CONST_UNICODE_STRING(symLink, L"\\DosDevices\\ovpn-dco");

NTSTATUS status;

// we need to assign unique name to be able to assign SDDL string
static ULONG deviceNum = 0;
DECLARE_UNICODE_STRING_SIZE(deviceName, DEVICE_OBJECT_NAME_LENGTH);
GOTO_IF_NOT_NT_SUCCESS(done, status, RtlUnicodeStringPrintf(&deviceName, L"%ws%u", L"\\Device\\ovpn-dco-", deviceNum++));

GOTO_IF_NOT_NT_SUCCESS(done, status, NetDeviceInitConfig(deviceInit));

WDF_PNPPOWER_EVENT_CALLBACKS pnpPowerCallbacks;
Expand All @@ -430,6 +439,9 @@ OvpnEvtDeviceAdd(WDFDRIVER wdfDriver, PWDFDEVICE_INIT deviceInit) {
objAttributes.SynchronizationScope = WdfSynchronizationScopeNone;
objAttributes.EvtCleanupCallback = OvpnEvtDeviceCleanup;

GOTO_IF_NOT_NT_SUCCESS(done, status, WdfDeviceInitAssignName(deviceInit, &deviceName));
GOTO_IF_NOT_NT_SUCCESS(done, status, WdfDeviceInitAssignSDDLString(deviceInit, &SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX));

WDFDEVICE wdfDevice;
GOTO_IF_NOT_NT_SUCCESS(done, status, WdfDeviceCreate(&deviceInit, &objAttributes, &wdfDevice));

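Review bot: `SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX` in the added `WdfDeviceInitAssignSDDLString` call grants read, write and execute access to Everyone and to restricted-token code, so after this change any local process can open the device and every request the driver handles has to be treated as untrusted input. The description only asks for read and write access for an unprivileged openvpn process; if that client needs neither execute access nor a restricted token, a narrower predefined descriptor such as `SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RW_RES_R` would probably be enough. Whichever descriptor is kept, a comment above the call would record the intent, e.g. `// world-accessible on purpose: openvpn runs unprivileged; all IOCTL input must be validated`. The body of OvpnEvtDeviceAdd continues outside the visible hunks.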
32 changes: 16 additions & 16 deletions ovpn-dco-win.vcxproj
Expand Up @@ -440,7 +440,7 @@
<PreprocessorDefinitions>OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<Inf />
<DriverSign>
Expand All @@ -456,7 +456,7 @@
<PreprocessorDefinitions>OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<Inf />
<DriverSign>
Expand All @@ -478,7 +478,7 @@
<Outputs>$(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML</Outputs>
</CustomBuildStep>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/Brepro %(AdditionalOptions)</AdditionalOptions>
<GenerateDebugInformation>DebugFull</GenerateDebugInformation>
<Profile>false</Profile>
Expand All @@ -505,7 +505,7 @@
<Outputs>$(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML</Outputs>
</CustomBuildStep>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/Brepro %(AdditionalOptions)</AdditionalOptions>
<GenerateDebugInformation>DebugFull</GenerateDebugInformation>
<Profile>false</Profile>
Expand All @@ -526,7 +526,7 @@
<PreprocessorDefinitions>OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PreBuildEvent>
<Command>
Expand All @@ -550,7 +550,7 @@
<PreprocessorDefinitions>OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PreBuildEvent>
<Command>
Expand Down Expand Up @@ -580,7 +580,7 @@
<Outputs>$(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML</Outputs>
</CustomBuildStep>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/Brepro %(AdditionalOptions)</AdditionalOptions>
<GenerateDebugInformation>DebugFull</GenerateDebugInformation>
<Profile>false</Profile>
Expand All @@ -607,7 +607,7 @@
<Outputs>$(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML</Outputs>
</CustomBuildStep>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/Brepro %(AdditionalOptions)</AdditionalOptions>
<GenerateDebugInformation>DebugFull</GenerateDebugInformation>
<Profile>false</Profile>
Expand All @@ -628,7 +628,7 @@
<PreprocessorDefinitions>OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<Inf />
<DriverSign>
Expand All @@ -644,7 +644,7 @@
<PreprocessorDefinitions>OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<Inf />
<DriverSign>
Expand All @@ -661,7 +661,7 @@
<UseFullPaths>false</UseFullPaths>
</ClCompile>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/Brepro %(AdditionalOptions)</AdditionalOptions>
<GenerateDebugInformation>DebugFull</GenerateDebugInformation>
<Profile>false</Profile>
Expand All @@ -683,7 +683,7 @@
<UseFullPaths>false</UseFullPaths>
</ClCompile>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/Brepro %(AdditionalOptions)</AdditionalOptions>
<GenerateDebugInformation>DebugFull</GenerateDebugInformation>
<Profile>false</Profile>
Expand All @@ -710,7 +710,7 @@
<Outputs>$(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML</Outputs>
</CustomBuildStep>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/Brepro %(AdditionalOptions)</AdditionalOptions>
<GenerateDebugInformation>DebugFull</GenerateDebugInformation>
<Profile>false</Profile>
Expand All @@ -737,7 +737,7 @@
<Outputs>$(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML</Outputs>
</CustomBuildStep>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/Brepro %(AdditionalOptions)</AdditionalOptions>
<GenerateDebugInformation>DebugFull</GenerateDebugInformation>
<Profile>false</Profile>
Expand All @@ -758,7 +758,7 @@
<PreprocessorDefinitions>OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<Inf />
<DriverSign>
Expand All @@ -774,7 +774,7 @@
<PreprocessorDefinitions>OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<Inf />
<DriverSign>
