Improve and test ACL code (#20)

* Move ALC to WindowsUtils * Small fix * Refactor ACL to remove duplicate code between named pipes and files * More stuff * Cleanup * Add some basic tests
FabricMC · Dec 10, 2024 · 03dead0 · 03dead0
1 parent 7506ed3
commit 03dead0
Show file tree

Hide file tree

Showing 9 changed files with 353 additions and 269 deletions.
diff --git a/windows/Sources/FabricSandbox/FabricSandbox.swift b/windows/Sources/FabricSandbox/FabricSandbox.swift
@@ -106,51 +106,51 @@ class FabricSandbox {
 
       // Grant full access to the mounted disk
       try grantAccess(
-        sandboxRoot, appContainer: container,
+        sandboxRoot, trustee: container,
         accessPermissions: [.genericAll])
 
       if let assetsDir = commandLine.getAssetsDir(), isDevEnv {
         // Grant read access to the assets dir in dev
         try grantAccess(
-          assetsDir, appContainer: container,
+          assetsDir, trustee: container,
           accessPermissions: [.genericRead])
       }
 
       if let log4jConfig = commandLine.getJvmProp("log4j.configurationFile") {
         // Grant read access to the log4j configuration file
         try grantAccess(
-          File(log4jConfig), appContainer: container,
+          File(log4jConfig), trustee: container,
           accessPermissions: [.genericRead])
       }
     } else {
       logger.debug("Working directory is not root, granting access")
       // Grant read and execute to .minecraft
       try grantAccess(
-        sandboxRoot, appContainer: container,
+        sandboxRoot, trustee: container,
         accessPermissions: [.genericRead, .genericExecute])
 
       // Grant full access to the working directory
       try grantAccess(
-        sandboxWorkingDirectory, appContainer: container,
+        sandboxWorkingDirectory, trustee: container,
         accessPermissions: [.genericAll])
 
       try grantAccess(
-        tempDir, appContainer: container,
+        tempDir, trustee: container,
         accessPermissions: [.genericAll])
     }
 
     // Grant read and execute to Java home
     try grantAccess(
-      javaDirectory, appContainer: container,
+      javaDirectory, trustee: container,
       accessPermissions: [.genericRead, .genericExecute])
 
     // Create a named pipe server for IPC with the sandboxed process
     let namedPipeServer = try SandboxNamedPipeServer(
       pipeName: "\\\\.\\pipe\\FabricSandbox" + randomString(length: 10))
 
     // Grant access to the named pipe
-    try grantNamedPipeAccess(
-      pipe: namedPipeServer, appContainer: container,
+    try grantAccess(
+      namedPipeServer, trustee: container,
       accessPermissions: [.genericRead, .genericWrite])
 
     let args = try commandLine.getSandboxArgs(

diff --git a/windows/Sources/Sandbox/Acl.swift b/windows/Sources/Sandbox/Acl.swift
diff --git a/windows/Sources/Sandbox/AppContainer.swift b/windows/Sources/Sandbox/AppContainer.swift
@@ -2,9 +2,10 @@ import WinSDK
 import WinSDKExtras
 import WindowsUtils
 
-public class AppContainer {
+public class AppContainer: Trustee {
   public let name: String
   public let sid: Sid
+  public let trustee: TRUSTEE_W
   let attributes: [SidAndAttributes]
   // Less Privileged App Container
   let lpac: Bool
@@ -18,6 +19,13 @@ public class AppContainer {
     self.attributes = attributes
     self.lpac = lpac
     self.mutex = mutex
+    self.trustee = TRUSTEE_W(
+      pMultipleTrustee: nil,
+      MultipleTrusteeOperation: NO_MULTIPLE_TRUSTEE,
+      TrusteeForm: TRUSTEE_IS_SID,
+      TrusteeType: TRUSTEE_IS_WELL_KNOWN_GROUP,
+      ptstrName: _CASTSID(sid.value)
+    )
   }
 
   deinit {