From 444a6759b95239ba45371fd61fe53fd94b0952d4 Mon Sep 17 00:00:00 2001
From: Lev Stipakov
Date: Wed, 17 Jan 2024 16:39:04 +0200
Subject: [PATCH] Explicitly set SDDL on the device
Some users are getting Access Denied error when device is accessed by the app running as unprivileged process. The problem can be workarounded by running openvpn process as privileged. While I cannot reproduce it, this change should likely solve it by explicitly enable read and write access to the device by everyone. To set SDDL, we need to assign unique device name. Using WdfDeviceInitSetCharacteristics() with FILE_AUTOGENERATED_DEVICE_NAME didn't work for me. Fixes https://github.com/OpenVPN/ovpn-dco-win/issues/38
Signed-off-by: Lev Stipakov
---
 Driver.cpp | 12 ++++++++++++
 ovpn-dco-win.vcxproj | 32 ++++++++++++++++----------------
 2 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/Driver.cpp b/Driver.cpp
index 6462f1e..add19d4 100644
--- a/Driver.cpp
+++ b/Driver.cpp
@@ -24,6 +24,7 @@
 #include
 #include
 #include
+#include
 #include "bufferpool.h"
 #include "driver.h"
@@ -36,6 +37,8 @@
 TRACELOGGING_DEFINE_PROVIDER(g_hOvpnEtwProvider, "OpenVPN.OvpnDCO", (0x4970f9cf, 0x2c0c, 0x4f11, 0xb1, 0xcc, 0xe3, 0xa1, 0xe9, 0x95, 0x88, 0x33));
+#define DEVICE_OBJECT_NAME_LENGTH 128
+
 // WSK Client Dispatch table that denotes the WSK version
 // that the WSK application wants to use and optionally a pointer
 // to the WskClientEvent callback function
@@ -414,6 +417,12 @@ OvpnEvtDeviceAdd(WDFDRIVER wdfDriver, PWDFDEVICE_INIT deviceInit) {
 DECLARE_CONST_UNICODE_STRING(symLink, L"\\DosDevices\\ovpn-dco");
 NTSTATUS status;
+
+ // we need to assign unique name to be able to assign SDDL string
+ static ULONG deviceNum = 0;
+ DECLARE_UNICODE_STRING_SIZE(deviceName, DEVICE_OBJECT_NAME_LENGTH);
+ GOTO_IF_NOT_NT_SUCCESS(done, status, RtlUnicodeStringPrintf(&deviceName, L"%ws%u", L"\\Device\\ovpn-dco-", deviceNum++));
+
 GOTO_IF_NOT_NT_SUCCESS(done, status, NetDeviceInitConfig(deviceInit));
 WDF_PNPPOWER_EVENT_CALLBACKS pnpPowerCallbacks;
@@ -430,6 +439,9 @@ OvpnEvtDeviceAdd(WDFDRIVER wdfDriver, PWDFDEVICE_INIT deviceInit) {
 objAttributes.SynchronizationScope = WdfSynchronizationScopeNone;
 objAttributes.EvtCleanupCallback = OvpnEvtDeviceCleanup;
+ GOTO_IF_NOT_NT_SUCCESS(done, status, WdfDeviceInitAssignName(deviceInit, &deviceName));
+ GOTO_IF_NOT_NT_SUCCESS(done, status, WdfDeviceInitAssignSDDLString(deviceInit, &SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX));
+
 WDFDEVICE wdfDevice;
 GOTO_IF_NOT_NT_SUCCESS(done, status, WdfDeviceCreate(&deviceInit, &objAttributes, &wdfDevice));
diff --git a/ovpn-dco-win.vcxproj b/ovpn-dco-win.vcxproj
index 3fc5a88..03a5513 100644
--- a/ovpn-dco-win.vcxproj
+++ b/ovpn-dco-win.vcxproj
@@ -440,7 +440,7 @@
 OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
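Review bot: `deviceNum++` on the function-static counter inside the added RtlUnicodeStringPrintf call is an unsynchronized read-modify-write; if the framework ever invokes OvpnEvtDeviceAdd for two devices concurrently (not visible from this hunk), both could format the same `\Device\ovpn-dco-N` and the later WdfDeviceCreate would fail with a name collision. An interlocked counter costs nothing here: `static LONG deviceNum = 0;` and `RtlUnicodeStringPrintf(&deviceName, L"%ws%u", L"\\Device\\ovpn-dco-", (ULONG)InterlockedIncrement(&deviceNum))` (numbering then starts at 1 instead of 0). The added comment would also help more if it named the constraint the commit message gives, e.g. `// WdfDeviceInitAssignSDDLString needs a named device object, so give each instance a unique \Device\ovpn-dco-N name.` OvpnEvtDeviceAdd starts before this hunk and continues past it.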
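Review bot: `SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX` in the added WdfDeviceInitAssignSDDLString call grants Everyone and restricted tokens read, write and execute on the device object, so from this commit on the driver's read/write/IOCTL handlers are the only check between any local process and the driver; that is the stated intent, but the line should say so for future readers, e.g. `// Intentionally world-accessible (issue #38): every handler must treat the caller as untrusted.` If the user-mode client only opens the device for read/write, wdmsec.h also provides `SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RW`, which meets the goal in the commit message with a narrower grant. As documented for FILE_DEVICE_SECURE_OPEN, a device object's security descriptor is only applied to opens of the bare device name unless that characteristic is set; the hunk does not show whether the driver sets it, so confirm it (`WdfDeviceInitSetCharacteristics(deviceInit, FILE_DEVICE_SECURE_OPEN, FALSE);` before WdfDeviceCreate) now that the device is named and the descriptor is explicit. The enclosing function extends beyond this hunk on both sides.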
@@ -456,7 +456,7 @@
 OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
@@ -478,7 +478,7 @@
 $(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
 /Brepro %(AdditionalOptions)
 DebugFull
 false
@@ -505,7 +505,7 @@
 $(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
 /Brepro %(AdditionalOptions)
 DebugFull
 false
@@ -526,7 +526,7 @@
 OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
@@ -550,7 +550,7 @@
 OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
@@ -580,7 +580,7 @@
 $(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
 /Brepro %(AdditionalOptions)
 DebugFull
 false
@@ -607,7 +607,7 @@
 $(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
 /Brepro %(AdditionalOptions)
 DebugFull
 false
@@ -628,7 +628,7 @@
 OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
@@ -644,7 +644,7 @@
 OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
@@ -661,7 +661,7 @@
 false
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
 /Brepro %(AdditionalOptions)
 DebugFull
 false
@@ -683,7 +683,7 @@
 false
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
 /Brepro %(AdditionalOptions)
 DebugFull
 false
@@ -710,7 +710,7 @@
 $(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
 /Brepro %(AdditionalOptions)
 DebugFull
 false
@@ -737,7 +737,7 @@
 $(ProjectDir)$(Platform)\$(ConfigurationName)\ovpn-dco.DVL.XML
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
 /Brepro %(AdditionalOptions)
 DebugFull
 false
@@ -758,7 +758,7 @@
 OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)
@@ -774,7 +774,7 @@
 OVPN_DCO_VERSION_MAJOR=$(OVPN_DCO_VERSION_MAJOR);OVPN_DCO_VERSION_MINOR=$(OVPN_DCO_VERSION_MINOR);OVPN_DCO_VERSION_PATCH=$(OVPN_DCO_VERSION_PATCH);OVPN_DCO_VERSION_STR=$(OVPN_DCO_VERSION_MAJOR).$(OVPN_DCO_VERSION_MINOR).$(OVPN_DCO_VERSION_PATCH);NETADAPTER_VERSION_MAJOR=$(NETADAPTER_VERSION_MAJOR);NETADAPTER_VERSION_MINOR=$(NETADAPTER_VERSION_MINOR);%(PreprocessorDefinitions)
- uuid.lib;Netio.lib;cng.lib;%(AdditionalDependencies)
+ uuid.lib;Netio.lib;cng.lib;Wdmsec.lib;%(AdditionalDependencies)