Merge branch 'develop'

.github/workflows/windows-dll.yml

@@ -0,0 +1,41 @@
+name: Windows Portmaster Core DLL
+
+on:
+  push:
+    paths:
+      - 'windows_core_dll/**'
+    branches:
+      - master
+      - develop
+
+  pull_request:
+    paths:
+      - 'windows_core_dll/**'
+    branches:
+      - master
+      - develop
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build
+    runs-on: windows-latest
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v4
+    - name: Add msbuild to PATH
+      uses: microsoft/setup-msbuild@v2
+    - name: Build DLL
+      run: msbuild windows_core_dll\windows_core_dll.sln -t:rebuild -property:Configuration=Release
+    - name: Verify DLL
+      shell: powershell
+      run: |
+        if (!(Test-Path "windows_core_dll/x64/Release/portmaster-core.dll")) {
+          Write-Error "DLL build failed: portmaster-core.dll not found"
+          exit 1
+        }
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: portmaster-core-dll
+        path: windows_core_dll/x64/Release/portmaster-core.dll

.gitignore

@@ -52,3 +52,4 @@ go.work.sum
 
 # Kext releases
 windows_kext/release/kext_release_*.zip
+windows_core_dll/.vs/windows_core_dll

Earthfile

@@ -420,7 +420,7 @@ rust-base:
     DO rust+INIT --keep_fingerprints=true
 
     # For now we need tauri-cli 2.0.0 for bulding
-    DO rust+CARGO --args="install tauri-cli --version ^2.0.0-beta"
+    DO rust+CARGO --args="install tauri-cli --version 2.1.0"
 
     # Explicitly cache here.
     SAVE IMAGE --cache-hint

base/database/storage/fstree/fstree.go

@@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hectane/go-acl"
 	"github.com/safing/portmaster/base/database/iterator"
 	"github.com/safing/portmaster/base/database/query"
 	"github.com/safing/portmaster/base/database/record"
@@ -288,10 +289,13 @@ func writeFile(filename string, data []byte, perm os.FileMode) error {
 	defer t.Cleanup() //nolint:errcheck
 
 	// Set permissions before writing data, in case the data is sensitive.
-	if !onWindows {
-		if err := t.Chmod(perm); err != nil {
-			return err
-		}
+	if onWindows {
+		err = acl.Chmod(filename, perm)
+	} else {
+		err = t.Chmod(perm)
+	}
+	if err != nil {
+		return err
 	}
 
 	if _, err := t.Write(data); err != nil {

base/updater/fetch.go

@@ -14,6 +14,7 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/hectane/go-acl"
 	"github.com/safing/jess/filesig"
 	"github.com/safing/jess/lhash"
 	"github.com/safing/portmaster/base/log"
@@ -136,7 +137,12 @@ func (reg *ResourceRegistry) fetchFile(ctx context.Context, client *http.Client,
 		return fmt.Errorf("%s: failed to finalize file %s: %w", reg.Name, rv.storagePath(), err)
 	}
 	// set permissions
-	if !onWindows {
+	if onWindows {
+		err = acl.Chmod(rv.storagePath(), 0o0755)
+		if err != nil {
+			log.Warningf("%s: failed to set permissions on downloaded file %s: %s", reg.Name, rv.storagePath(), err)
+		}
+	} else {
 		// TODO: only set executable files to 0755, set other to 0644
 		err = os.Chmod(rv.storagePath(), 0o0755) //nolint:gosec // See TODO above.
 		if err != nil {

base/utils/fs.go

@@ -6,6 +6,8 @@ import (
 	"io/fs"
 	"os"
 	"runtime"
+
+	"github.com/hectane/go-acl"
 )
 
 const isWindows = runtime.GOOS == "windows"
@@ -20,8 +22,9 @@ func EnsureDirectory(path string, perm os.FileMode) error {
 		if f.IsDir() {
 			// directory exists, check permissions
 			if isWindows {
-				// TODO: set correct permission on windows
-				// acl.Chmod(path, perm)
+				// Ignore windows permission error. For none admin users it will always fail.
+				acl.Chmod(path, perm)
+				return nil
 			} else if f.Mode().Perm() != perm {
 				return os.Chmod(path, perm)
 			}
@@ -38,7 +41,13 @@ func EnsureDirectory(path string, perm os.FileMode) error {
 		if err != nil {
 			return fmt.Errorf("could not create dir %s: %w", path, err)
 		}
-		return os.Chmod(path, perm)
+		if isWindows {
+			// Ignore windows permission error. For none admin users it will always fail.
+			acl.Chmod(path, perm)
+			return nil
+		} else {
+			return os.Chmod(path, perm)
+		}
 	}
 	// other error opening path
 	return fmt.Errorf("failed to access %s: %w", path, err)

base/utils/renameio/writefile.go

@@ -1,6 +1,11 @@
 package renameio
 
-import "os"
+import (
+	"os"
+	"runtime"
+
+	"github.com/hectane/go-acl"
+)
 
 // WriteFile mirrors os.WriteFile, replacing an existing file with the same
 // name atomically.
@@ -14,7 +19,12 @@ func WriteFile(filename string, data []byte, perm os.FileMode) error {
 	}()
 
 	// Set permissions before writing data, in case the data is sensitive.
-	if err := t.Chmod(perm); err != nil {
+	if runtime.GOOS == "windows" {
+		err = acl.Chmod(t.path, perm)
+	} else {
+		err = t.Chmod(perm)
+	}
+	if err != nil {
 		return err
 	}
 

cmds/portmaster-start/run.go

@@ -272,7 +272,7 @@ func fixExecPerm(path string) error {
 		return nil
 	}
 
-	if err := os.Chmod(path, 0o0755); err != nil { //nolint:gosec // Set execution rights.
+	if err := os.Chmod(path, 0o0755); err != nil { //nolint:gosec
 		return fmt.Errorf("failed to chmod %s: %w", path, err)
 	}