syscall: allow setting security attributes on processes

This allows creating processes that can only be debugged/accessed by certain tokens, according to a particular security descriptor. We already had everything ready for this but just neglected to pass through the value from the user-accessible SysProcAttr. Change-Id: I4a3fcc9f5078aa0058b26c103355c984093ae03f Reviewed-on: https://go-review.googlesource.com/c/go/+/174197 Run-TryBot: Jason Donenfeld <Jason@zx2c4.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
author: Jason A. Donenfeld <Jason@zx2c4.com> 2019-04-27 11:45:11 +0200
committer: Alex Brainman <alex.brainman@gmail.com> 2019-04-28 05:44:03 +0000
commit: 049c8dbfdbdd414359699c215f15764a7aa733b5 (patch)
tree: 5ae0301bbc4981866f80d859a0ceded4b51b8bbf /src/syscall/exec_windows.go
parent: e85d61953040b5e44abbb974d8bfa8802c2e891a (diff)
download: go-049c8dbfdbdd414359699c215f15764a7aa733b5.tar.xz
1 files changed, 8 insertions, 6 deletions
diff --git a/src/syscall/exec_windows.go b/src/syscall/exec_windows.go
index c78bad8e00..8d6141c0ca 100644
--- a/src/syscall/exec_windows.go
+++ b/src/syscall/exec_windows.go
@@ -219,10 +219,12 @@ type ProcAttr struct {
 }
 
 type SysProcAttr struct {
-	HideWindow    bool
-	CmdLine       string // used if non-empty, else the windows command line is built by escaping the arguments passed to StartProcess
-	CreationFlags uint32
-	Token         Token // if set, runs new process in the security context represented by the token
+	HideWindow        bool
+	CmdLine           string // used if non-empty, else the windows command line is built by escaping the arguments passed to StartProcess
+	CreationFlags     uint32
+	Token             Token               // if set, runs new process in the security context represented by the token
+	ProcessAttributes *SecurityAttributes // if set, applies these security attributes as the descriptor for the new process
+	ThreadAttributes  *SecurityAttributes // if set, applies these security attributes as the descriptor for the main thread of the new process
 }
 
 var zeroProcAttr ProcAttr
@@ -323,9 +325,9 @@ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle
 
 	flags := sys.CreationFlags | CREATE_UNICODE_ENVIRONMENT
 	if sys.Token != 0 {
-		err = CreateProcessAsUser(sys.Token, argv0p, argvp, nil, nil, true, flags, createEnvBlock(attr.Env), dirp, si, pi)
+		err = CreateProcessAsUser(sys.Token, argv0p, argvp, sys.ProcessAttributes, sys.ThreadAttributes, true, flags, createEnvBlock(attr.Env), dirp, si, pi)
 	} else {
-		err = CreateProcess(argv0p, argvp, nil, nil, true, flags, createEnvBlock(attr.Env), dirp, si, pi)
+		err = CreateProcess(argv0p, argvp, sys.ProcessAttributes, sys.ThreadAttributes, true, flags, createEnvBlock(attr.Env), dirp, si, pi)
 	}
 	if err != nil {
 		return 0, 0, err
author	Jason A. Donenfeld <Jason@zx2c4.com>	2019-04-27 11:45:11 +0200
committer	Alex Brainman <alex.brainman@gmail.com>	2019-04-28 05:44:03 +0000
commit	049c8dbfdbdd414359699c215f15764a7aa733b5 (patch)
tree	5ae0301bbc4981866f80d859a0ceded4b51b8bbf /src/syscall/exec_windows.go
parent	e85d61953040b5e44abbb974d8bfa8802c2e891a (diff)
download	go-049c8dbfdbdd414359699c215f15764a7aa733b5.tar.xz