Merge pull request #94 from amnezia-vpn/AVP-01-011

AVP-01-011 (Privileged process access list)

client/defines.h

@@ -4,7 +4,7 @@
 #define APPLICATION_NAME    "AmneziaVPN"
 #define SERVICE_NAME        "AmneziaVPN-service"
 #define ORGANIZATION_NAME   "AmneziaVPN.ORG"
-#define APP_MAJOR_VERSION   "2.0.10"
+#define APP_MAJOR_VERSION   "2.1.0"
-#define APP_VERSION         "2.0.10.0"
+#define APP_VERSION         "2.1.0.0"
 
 #endif // DEFINES_H

client/protocols/ikev2_vpn_protocol_windows.cpp

@@ -199,7 +199,7 @@ ErrorCode Ikev2Protocol::start()
             setLastError(ErrorCode::AmneziaServiceConnectionFailed);
             return ErrorCode::AmneziaServiceConnectionFailed;
         }
-        certInstallProcess->setProgram("certutil");
+        certInstallProcess->setProgram(PermittedProcess::CertUtil);
         QStringList arguments({"-f" , "-importpfx",
                                "-p", m_config[config_key::password].toString(),
                                certFile.fileName(), "NoExport"

client/protocols/openvpnprotocol.cpp

@@ -132,24 +132,13 @@ void OpenVpnProtocol::updateRouteGateway(QString line)
     qDebug() << "Set VPN route gateway" << m_routeGateway;
 }
 
-QString OpenVpnProtocol::openVpnExecPath() const
-{
-#ifdef Q_OS_WIN
-    return Utils::executable("openvpn/openvpn", true);
-#elif defined Q_OS_LINUX
-    return Utils::usrExecutable("openvpn");
-#else
-    return Utils::executable("/openvpn", true);
-#endif
-}
-
 ErrorCode OpenVpnProtocol::start()
 {
 #ifndef Q_OS_IOS
     //qDebug() << "Start OpenVPN connection";
     OpenVpnProtocol::stop();
 
-    if (!QFileInfo::exists(openVpnExecPath())) {
+    if (!QFileInfo::exists(Utils::openVpnExecPath())) {
         setLastError(ErrorCode::OpenVpnExecutableMissing);
         return lastError();
     }
@@ -183,7 +172,7 @@ ErrorCode OpenVpnProtocol::start()
         setLastError(ErrorCode::AmneziaServiceConnectionFailed);
         return ErrorCode::AmneziaServiceConnectionFailed;
     }
-    m_openVpnProcess->setProgram(openVpnExecPath());
+    m_openVpnProcess->setProgram(PermittedProcess::OpenVPN);
     QStringList arguments({"--config" , configPath(),
                       "--management", m_managementHost, QString::number(m_managementPort),
                       "--management-client"/*, "--log", vpnLogFileNamePath */

client/protocols/openvpnprotocol.h

@@ -30,7 +30,6 @@ protected slots:
 
 private:
     QString configPath() const;
-    QString openVpnExecPath() const;
     bool openVpnProcessIsRunning() const;
     bool sendTermSignal();
     void readOpenVpnConfiguration(const QJsonObject &configuration);

client/protocols/wireguardprotocol.cpp

@@ -12,25 +12,20 @@
 WireguardProtocol::WireguardProtocol(const QJsonObject &configuration, QObject* parent) :
     VpnProtocol(configuration, parent)
 {
-    //m_configFile.setFileTemplate(QDir::tempPath() + QDir::separator() + serviceName() + ".conf");
     m_configFile.setFileName(QDir::tempPath() + QDir::separator() + serviceName() + ".conf");
     readWireguardConfiguration(configuration);
 }
 
 WireguardProtocol::~WireguardProtocol()
 {
-    //qDebug() << "WireguardProtocol::~WireguardProtocol() 1";
     WireguardProtocol::stop();
     QThread::msleep(200);
-    //qDebug() << "WireguardProtocol::~WireguardProtocol() 2";
 }
 
 void WireguardProtocol::stop()
 {
-    //qDebug() << "WireguardProtocol::stop() 1";
-
 #ifndef Q_OS_IOS
-    if (!QFileInfo::exists(wireguardExecPath())) {
+    if (!QFileInfo::exists(Utils::wireguardExecPath())) {
         qCritical() << "Wireguard executable missing!";
         setLastError(ErrorCode::ExecutableMissing);
         return;
@@ -51,7 +46,7 @@ void WireguardProtocol::stop()
         return;
     }
 
-    m_wireguardStopProcess->setProgram(wireguardExecPath());
+    m_wireguardStopProcess->setProgram(PermittedProcess::Wireguard);
 
 
     QStringList arguments({"--remove", configPath()});
@@ -74,7 +69,6 @@ void WireguardProtocol::stop()
     setConnectionState(VpnProtocol::Disconnected);
 #endif
 
-    //qDebug() << "WireguardProtocol::stop() 2";
 }
 
 void WireguardProtocol::readWireguardConfiguration(const QJsonObject &configuration)
@@ -97,11 +91,6 @@ void WireguardProtocol::readWireguardConfiguration(const QJsonObject &configurat
 
 }
 
-//bool WireguardProtocol::openVpnProcessIsRunning() const
-//{
-//    return Utils::processIsRunning("openvpn");
-//}
-
 QString WireguardProtocol::configPath() const
 {
     return m_configFileName;
@@ -117,31 +106,17 @@ void WireguardProtocol::updateRouteGateway(QString line)
     qDebug() << "Set VPN route gateway" << m_routeGateway;
 }
 
-QString WireguardProtocol::wireguardExecPath() const
-{
-#ifdef Q_OS_WIN
-    return Utils::executable("wireguard/wireguard-service", true);
-#elif defined Q_OS_LINUX
-    return Utils::usrExecutable("wg");
-#else
-    return Utils::executable("/wireguard", true);
-#endif
-}
-
 ErrorCode WireguardProtocol::start()
 {
-    //qDebug() << "WireguardProtocol::start() 1";
-
 #ifndef Q_OS_IOS
     if (!m_isConfigLoaded) {
         setLastError(ErrorCode::ConfigMissing);
         return lastError();
     }
 
-    //qDebug() << "Start Wireguard connection";
     WireguardProtocol::stop();
 
-    if (!QFileInfo::exists(wireguardExecPath())) {
+    if (!QFileInfo::exists(Utils::wireguardExecPath())) {
         setLastError(ErrorCode::ExecutableMissing);
         return lastError();
     }
@@ -156,7 +131,6 @@ ErrorCode WireguardProtocol::start()
     m_wireguardStartProcess = IpcClient::CreatePrivilegedProcess();
 
     if (!m_wireguardStartProcess) {
-        //qWarning() << "IpcProcess replica is not created!";
         setLastError(ErrorCode::AmneziaServiceConnectionFailed);
         return ErrorCode::AmneziaServiceConnectionFailed;
     }
@@ -168,7 +142,7 @@ ErrorCode WireguardProtocol::start()
         return ErrorCode::AmneziaServiceConnectionFailed;
     }
 
-    m_wireguardStartProcess->setProgram(wireguardExecPath());
+    m_wireguardStartProcess->setProgram(PermittedProcess::Wireguard);
 
 
     QStringList arguments({"--add", configPath()});
@@ -210,8 +184,6 @@ ErrorCode WireguardProtocol::start()
     m_wireguardStartProcess->start();
     m_wireguardStartProcess->waitForFinished(10000);
 
-    //qDebug() << "WireguardProtocol::start() 2";
-
     return ErrorCode::NoError;
 #else
     return ErrorCode::NotImplementedError;

client/protocols/wireguardprotocol.h

@@ -23,8 +23,6 @@ public:
 
 private:
     QString configPath() const;
-    QString wireguardExecPath() const;
-    //bool openVpnProcessIsRunning() const;
     void readWireguardConfiguration(const QJsonObject &configuration);
 
     void updateRouteGateway(QString line);

client/utils.cpp

@@ -213,6 +213,38 @@ QStringList Utils::summarizeRoutes(const QStringList &ips, const QString cidr)
     return QStringList();
 }
 
+QString Utils::openVpnExecPath()
+{
+#ifdef Q_OS_WIN
+    return Utils::executable("openvpn/openvpn", true);
+#elif defined Q_OS_LINUX
+    return Utils::usrExecutable("openvpn");
+#else
+    return Utils::executable("/openvpn", true);
+#endif
+}
+
+QString Utils::wireguardExecPath()
+{
+#ifdef Q_OS_WIN
+    return Utils::executable("wireguard/wireguard-service", true);
+#elif defined Q_OS_LINUX
+    return Utils::usrExecutable("wg");
+#else
+    return Utils::executable("/wireguard", true);
+#endif
+}
+
+QString Utils::certUtilPath()
+{
+#ifdef Q_OS_WIN
+    QString winPath = QString::fromUtf8(qgetenv("windir"));
+    return winPath + "system32\\certutil.exe";
+#else
+    return "";
+#endif
+}
+
 #ifdef Q_OS_WIN
 // Inspired from http://stackoverflow.com/a/15281070/1529139
 // and http://stackoverflow.com/q/40059902/1529139

client/utils.h

@@ -44,6 +44,11 @@ public:
 
     static QStringList summarizeRoutes(const QStringList &ips, const QString cidr);
 
+    static QString openVpnExecPath();
+    static QString wireguardExecPath();
+    static QString certUtilPath();
+
+
 #ifdef Q_OS_WIN
     static bool signalCtrl(DWORD dwProcessId, DWORD dwCtrlEvent);
 #endif

ipc/ipc.h

@@ -4,10 +4,32 @@
 #include <QObject>
 #include <QString>
 
+#include "../client/utils.h"
+
 #define IPC_SERVICE_URL "local:AmneziaVpnIpcInterface"
 
 namespace amnezia {
 
+enum PermittedProcess {
+    OpenVPN,
+    Wireguard,
+    CertUtil
+};
+
+inline QString permittedProcessPath(PermittedProcess pid)
+{
+    if (pid == PermittedProcess::OpenVPN) {
+        return Utils::openVpnExecPath();
+    }
+    if (pid == PermittedProcess::Wireguard) {
+        return Utils::wireguardExecPath();
+    }
+    else if (pid == PermittedProcess::CertUtil) {
+        return Utils::certUtilPath();
+    }
+}
+
+
 inline QString getIpcServiceUrl() {
 #ifdef Q_OS_WIN
     return IPC_SERVICE_URL;

ipc/ipc_process_interface.rep

@@ -3,7 +3,7 @@
 
 class IpcProcessInterface
 {
-    SLOT( start(const QString &program, const QStringList &args) );
+    //SLOT( start(const QString &program, const QStringList &args) );
     SLOT( start() );
     SLOT( close() );
 
@@ -11,7 +11,7 @@ class IpcProcessInterface
     SLOT( setInputChannelMode(QProcess::InputChannelMode mode) );
     SLOT( setNativeArguments(const QString &arguments) );
     SLOT( setProcessChannelMode(QProcess::ProcessChannelMode mode) );
-    SLOT( setProgram(const QString &program) );
+    SLOT( setProgram(int programId) );
     SLOT( setWorkingDirectory(const QString &dir) );
 
     SLOT( QByteArray readAll() );

ipc/ipcserverprocess.cpp

@@ -1,4 +1,5 @@
 #include "ipcserverprocess.h"
+#include "ipc.h"
 #include <QProcess>
 
 #ifndef Q_OS_IOS
@@ -19,18 +20,6 @@ IpcServerProcess::IpcServerProcess(QObject *parent) :
         qDebug() << "IpcServerProcess errorOccurred " << error;
     });
 
-//    connect(m_process.data(), &QProcess::readyReadStandardError, this, [this](){
-//        qDebug() << "IpcServerProcess StandardError " << m_process->readAllStandardError();
-
-//    });
-//    connect(m_process.data(), &QProcess::readyReadStandardOutput, this, [this](){
-//        qDebug() << "IpcServerProcess StandardOutput " << m_process->readAllStandardOutput();
-//    });
-
-//    connect(m_process.data(), &QProcess::readyRead, this, [this](){
-//        qDebug() << "IpcServerProcess StandardOutput " << m_process->readAll();
-//    });
-
 }
 
 IpcServerProcess::~IpcServerProcess()
@@ -38,16 +27,11 @@ IpcServerProcess::~IpcServerProcess()
     qDebug() << "IpcServerProcess::~IpcServerProcess";
 }
 
-void IpcServerProcess::start(const QString &program, const QStringList &arguments)
-{
-    m_process->start(program, arguments);
-    qDebug() << "IpcServerProcess started, " << arguments;
-
-    m_process->waitForStarted();
-}
-
 void IpcServerProcess::start()
 {
+    if (m_process->program().isEmpty()) {
+        qDebug() << "IpcServerProcess failed to start, program is empty";
+    }
     m_process->start();
     qDebug() << "IpcServerProcess started, " << m_process->program() << m_process->arguments();
 
@@ -81,9 +65,9 @@ void IpcServerProcess::setProcessChannelMode(QProcess::ProcessChannelMode mode)
     m_process->setProcessChannelMode(mode);
 }
 
-void IpcServerProcess::setProgram(const QString &program)
+void IpcServerProcess::setProgram(int programId)
 {
-    m_process->setProgram(program);
+    m_process->setProgram(amnezia::permittedProcessPath(static_cast<amnezia::PermittedProcess>(programId)));
 }
 
 void IpcServerProcess::setWorkingDirectory(const QString &dir)

ipc/ipcserverprocess.h

@@ -13,7 +13,6 @@ public:
     explicit IpcServerProcess(QObject *parent = nullptr);
     virtual ~IpcServerProcess();
 
-    void start(const QString &program, const QStringList &arguments) override;
     void start() override;
     void close() override;
 
@@ -21,7 +20,7 @@ public:
     void setInputChannelMode(QProcess::InputChannelMode mode) override;
     void setNativeArguments(const QString &arguments) override;
     void setProcessChannelMode(QProcess::ProcessChannelMode mode) override;
-    void setProgram(const QString &program) override;
+    void setProgram(int programId) override;
     void setWorkingDirectory(const QString &dir) override;
 
     QByteArray readAll() override;