
proposal: x/sys/windows: allow specifying Security Capabilities in SysProcAttr #65611

Open
@tgross

Description


Proposal Details

Allow adding Security Capabilities to SysProcAttr on Windows. Note this is separate from the existing SecurityAttributes struct which can be set as the ProcessAttributes or ThreadAttributes field.

Motivation

Recently as part of work to sandbox a subprocess, the Nomad team at HashiCorp needed to add a SECURITY_CAPABILITIES struct to the StartupInfoEx for a process. Because this is not exposed in SysProcAttr this involved writing an unfortunate amount of code, much of which had to be simply lifted from the os/exec stdlib. See helper/winexec/create.go

Implementation Notes

Previously a proposal was implemented to add a ParentProcess field to SysProcAttr for Windows #44011. This was discussed around the same time as a rejected proposal to add the full StartupInfoEx struct #44005.

One of the reasons why the StartupInfoEx proposal was rejected was because it resulted in ambiguity around how one would merge any default attributes with ones provided by the user. There are two options to work around this:

Option 1: Extensible

Our implementation referenced above adds a ProcThreadAttributes field to the forked os/exec.Cmd which is a slice of ProcThreadAttribute. This instead could be added to SysProcAttr as an extensible way of adding more attributes:

type SysProcAttr struct {
	// ...
	ProcThreadAttributes []ProcThreadAttribute
}

type ProcThreadAttribute struct {
	Attribute uintptr
	Value     unsafe.Pointer
	Size      uintptr
}

When the StartupInfoEx struct is built, we call newProcThreadAttributeList with a count of len(ProcThreadAttributes) + 2 (taking the default attributes from syscall/exec_windows.go). Any ProcThreadAttributes that come from the user override those defaults if using the same Attribute field, which makes for unambiguous behavior.

Option 2: SecurityAttributes only

An alternative would be to add a SecurityCapabilities field to SysProcAttr and

type SysProcAttr struct {
	// ...
	SecurityCapabilities SecurityCapabilities
}

type SecurityCapabilities struct {
	AppContainerSid uintptr // PSID *windows.SID
	Capabilities    uintptr // SID_AND_ATTRIBUTES *windows.SIDAndAttributes
	CapabilityCount uint32
	Reserved        uint32
}

It would then be up to syscall/exec_windows.go to create the appropriate attributes for StartupInfoEx, as we do already for the parent handle, etc.
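The following is an added example, not code from the proposal, from Nomad's helper/winexec, or from x/sys/windows. It shows the Option 1 merge rule in isolation (defaults first, a user attribute with the same key replaces the default in place, the resulting length is the count for the attribute list) together with how an Option 2 SecurityCapabilities value would be packaged as one such attribute. The PROC_THREAD_ATTRIBUTE_* values are copied from the Windows SDK so that the example builds and runs on any platform; it stops short of calling InitializeProcThreadAttributeList/UpdateProcThreadAttribute, and the handle values, SID pointer and duplicate-key policy are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"unsafe"
)

// Attribute keys as defined by the Windows SDK (PROC_THREAD_ATTRIBUTE_* with the
// "input" bit set). The numeric values are copied here so the example builds on
// any platform; on Windows use the constants from x/sys/windows instead.
const (
	procThreadAttributeParentProcess        uintptr = 0x00020000
	procThreadAttributeHandleList           uintptr = 0x00020002
	procThreadAttributeSecurityCapabilities uintptr = 0x00020009
)

// ProcThreadAttribute mirrors the element type sketched in Option 1.
type ProcThreadAttribute struct {
	Attribute uintptr
	Value     unsafe.Pointer
	Size      uintptr
}

// SecurityCapabilities mirrors the SECURITY_CAPABILITIES layout from Option 2.
type SecurityCapabilities struct {
	AppContainerSid uintptr // PSID
	Capabilities    uintptr // *SID_AND_ATTRIBUTES
	CapabilityCount uint32
	Reserved        uint32
}

// securityCapabilitiesAttribute wraps a SecurityCapabilities value as the
// attribute UpdateProcThreadAttribute expects: a pointer to the struct and its
// byte size. The struct must stay alive until process creation has returned.
func securityCapabilitiesAttribute(sc *SecurityCapabilities) ProcThreadAttribute {
	return ProcThreadAttribute{
		Attribute: procThreadAttributeSecurityCapabilities,
		Value:     unsafe.Pointer(sc),
		Size:      unsafe.Sizeof(*sc),
	}
}

// mergeProcThreadAttributes implements the override rule proposed for Option 1:
// defaults (parent process, inheritable handle list) keep their order, a user
// attribute with the same key replaces the default in place, and a key repeated
// within the user list is rejected (assumed policy) rather than silently winning.
// len(result) is the count to pass to InitializeProcThreadAttributeList.
func mergeProcThreadAttributes(defaults, user []ProcThreadAttribute) ([]ProcThreadAttribute, error) {
	merged := make([]ProcThreadAttribute, 0, len(defaults)+len(user))
	index := make(map[uintptr]int, len(defaults)+len(user))
	for _, a := range defaults {
		index[a.Attribute] = len(merged)
		merged = append(merged, a)
	}
	seen := make(map[uintptr]bool, len(user))
	for _, a := range user {
		if a.Value == nil || a.Size == 0 {
			return nil, fmt.Errorf("attribute %#x: nil value or zero size", a.Attribute)
		}
		if seen[a.Attribute] {
			return nil, fmt.Errorf("attribute %#x: specified more than once", a.Attribute)
		}
		seen[a.Attribute] = true
		if i, ok := index[a.Attribute]; ok {
			merged[i] = a // user-supplied value overrides the default with the same key
			continue
		}
		index[a.Attribute] = len(merged)
		merged = append(merged, a)
	}
	return merged, nil
}

func main() {
	// Constructed stand-ins for the two defaults syscall/exec_windows.go sets.
	var parent uintptr = 0x1234
	handles := []uintptr{0x0100, 0x0104, 0x0108}
	defaults := []ProcThreadAttribute{
		{procThreadAttributeParentProcess, unsafe.Pointer(&parent), unsafe.Sizeof(parent)},
		{procThreadAttributeHandleList, unsafe.Pointer(&handles[0]), uintptr(len(handles)) * unsafe.Sizeof(handles[0])},
	}
	// Constructed user attributes: a sandbox SID block and a replacement parent handle.
	var userParent uintptr = 0x5678
	sc := &SecurityCapabilities{AppContainerSid: 0xabcd} // fake PSID value, never dereferenced
	user := []ProcThreadAttribute{
		{procThreadAttributeParentProcess, unsafe.Pointer(&userParent), unsafe.Sizeof(userParent)},
		securityCapabilitiesAttribute(sc),
	}
	merged, err := mergeProcThreadAttributes(defaults, user)
	if err != nil {
		panic(err)
	}
	fmt.Printf("attribute list count = %d\n", len(merged))
	for _, a := range merged {
		fmt.Printf("  %#08x size=%d\n", a.Attribute, a.Size)
	}
}
```

With the rule applied this way the count passed to the attribute list is always exact, so a user-supplied parent process can never collide with the default one, which is the ambiguity that sank the earlier StartupInfoEx proposal.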
