From c42e2a59586a1e756b65126eff5b3b173aca47e3 Mon Sep 17 00:00:00 2001
From: Bill Zissimopoulos
Date: Thu, 12 May 2016 15:31:35 -0700
Subject: [PATCH] launcher: security model improvements

---
 src/launcher/launcher.c | 5 +----
 src/launcher/launcher.h | 12 +++++++++---
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/launcher/launcher.c b/src/launcher/launcher.c
index 20dd4ff7..a2cfb58a 100644
--- a/src/launcher/launcher.c
+++ b/src/launcher/launcher.c
@@ -221,11 +221,8 @@ NTSTATUS SvcInstanceCreate(HANDLE ClientToken,
     RegKey = 0;
 
     if (L'\0' == Security)
-    {
-        Security = SecurityBuf;
         lstrcpyW(Security, L"" SVC_INSTANCE_DEFAULT_SDDL);
-    }
-    else if (L'D' == Security[0] && L':' == Security[1])
+    if (L'D' == Security[0] && L':' == Security[1])
         Security = SecurityBuf;
 
     if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(Security, SDDL_REVISION_1,
diff --git a/src/launcher/launcher.h b/src/launcher/launcher.h
index b41744cf..919da6ad 100644
--- a/src/launcher/launcher.h
+++ b/src/launcher/launcher.h
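Review bot: The condition `if (L'\0' == Security)` that now guards the default-SDDL copy compares the pointer `Security` itself with a null-pointer constant (it is a pointer: the hunk assigns it and indexes it), while the `if` two lines below tests `Security[0]`; if Security is never null here the default-SDDL branch is dead code, and if it can be null the `lstrcpyW` on the next line writes through a null pointer. Unless the rendering dropped a dereference, this should read `if (L'\0' == Security[0])` to match the following test. Note also that the copy now lands wherever `Security` points instead of in `SecurityBuf` as before, so that destination must have room for SVC_INSTANCE_DEFAULT_SDDL; the hunk does not show where Security is set up, so this cannot be confirmed from here. SvcInstanceCreate begins and continues outside the hunk.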
@@ -22,19 +22,25 @@ #include #define PIPE_NAME "\\\\.\\pipe\\WinFsp.{14E7137D-22B4-437A-B0C1-D21D1BDF3767}" -#define PIPE_SDDL "O:SYG:SYD:P(A;;GA;;;WD)" #define PIPE_BUFFER_SIZE 2048 #define PIPE_DEFAULT_TIMEOUT 3000 -/* RP:SERVICE_START, WP:SERVICE_STOP, SC:SERVICE_QUERY_STATUS */ /* + * The launcher named pipe SDDL gives full access to LocalSystem and Administrators. + * It also gives generic read access and FILE_WRITE_DATA (SC) to Everyone. Note that + * we cannot give generic write access or equivalently FILE_GENERIC_WRITE (FW) because + * we would also grant the FILE_CREATE_PIPE_INSTANCE right. + */ +#define PIPE_SDDL "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRSC;;;WD)" + + /* * The default service instance SDDL gives full access to LocalSystem and Administrators. * The only possible service instance rights are as follows: * RP SERVICE_START * WP SERVICE_STOP * SC SERVICE_QUERY_STATUS * - * To create a service that can be started, stopped or queried by everyone, you can set + * To create a service that can be started, stopped or queried by Everyone, you can set * the following SDDL: * D:P(A;;RPWPSC;;;WD) */
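Review bot: The new comment documents `SC` as FILE_WRITE_DATA in the pipe ACE and, a few lines down, as SERVICE_QUERY_STATUS for service instances; those are different access-mask bits (FILE_WRITE_DATA is 0x0002, SERVICE_QUERY_STATUS is 0x0004), so at most one mapping can hold, and `SC` is not a rights token I can find in sddl.h. The two-letter tokens that carry those raw bits are `DC` (0x0002) and `LC` (0x0004); if ConvertStringSecurityDescriptorToSecurityDescriptorW rejects `SC`, PIPE_SDDL never parses and the pipe's intended ACL is never applied, which is worth a startup check rather than an assumption. Suggested: `#define PIPE_SDDL "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRDC;;;WD)"` with the comment reading `FILE_WRITE_DATA (DC)`, and `LC SERVICE_QUERY_STATUS` plus `D:P(A;;RPWPLC;;;WD)` in the service-instance comment if that is the intended bit. Also confirm that dropping the `O:SYG:SY` owner/group carried by the removed PIPE_SDDL is intended, since the new string is a DACL only.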