Downgrade system IL impersonation token to high #40447
Brian-Perkins wants to merge 1 commit into master from
Conversation
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR adjusts duplicated user tokens so that when a duplicated token has System integrity level, it is downgraded to High integrity level to match the VM worker process and avoid access issues on created objects.
Changes:
- Adds TOKEN_ADJUST_DEFAULT to the duplicated token's access rights.
- Detects System IL on the duplicated token and sets its integrity level to High via SetTokenInformation(TokenIntegrityLevel).
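As an added example, not code from this PR or from the WSL repository: the C++ below models the two pieces the change relies on. The portable part encodes a mandatory-label SID byte for byte the way RtlInitializeSidEx(&sid, SECURITY_MANDATORY_LABEL_AUTHORITY, 1, rid) does (which makes the SECURITY_SID_SIZE(1) / GetLengthSid arithmetic concrete) and makes the "System goes to High, everything else stays" decision; the part behind #ifdef _WIN32 runs the duplicate / query / set sequence against the real token APIs. The `il` namespace, the helper names and DuplicateAndClampToHigh are this example's own, and clamping anything above High rather than testing for System exactly is the example's generalisation, not what the PR does.

```cpp
// Added example (not from the WSL PR). Portable SID model + decision, and a
// Windows-only token sequence that applies it.
#include <array>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>

namespace il {

// Well-known mandatory-label RIDs (values as defined in winnt.h).
constexpr uint32_t kUntrustedRid = 0x0000;
constexpr uint32_t kLowRid       = 0x1000;
constexpr uint32_t kMediumRid    = 0x2000;
constexpr uint32_t kHighRid      = 0x3000;
constexpr uint32_t kSystemRid    = 0x4000;

// A mandatory-label SID has exactly one sub-authority, so SECURITY_SID_SIZE(1)
// is 8 header bytes + 4 bytes of RID = 12; GetLengthSid() returns the same.
constexpr size_t kSidBytes = 8 + 4 * 1;
using LabelSid = std::array<uint8_t, kSidBytes>;

// Same layout RtlInitializeSidEx produces: revision 1, one sub-authority,
// 6-byte big-endian authority value 16 (SECURITY_MANDATORY_LABEL_AUTHORITY),
// then the RID as a little-endian DWORD.
LabelSid BuildMandatoryLabelSid(uint32_t rid) {
    LabelSid sid{};
    sid[0] = 1;   // Revision
    sid[1] = 1;   // SubAuthorityCount
    sid[7] = 16;  // IdentifierAuthority = {0,0,0,0,0,16}
    sid[8]  = static_cast<uint8_t>(rid & 0xFF);
    sid[9]  = static_cast<uint8_t>((rid >> 8) & 0xFF);
    sid[10] = static_cast<uint8_t>((rid >> 16) & 0xFF);
    sid[11] = static_cast<uint8_t>((rid >> 24) & 0xFF);
    return sid;
}

// Recover the label RID, rejecting anything that is not a mandatory-label SID.
uint32_t MandatoryRidFromSid(const uint8_t* sid, size_t len) {
    if (len < kSidBytes || sid[0] != 1 || sid[1] != 1)
        throw std::invalid_argument("not a one-sub-authority SID");
    static const uint8_t kAuthority[6] = {0, 0, 0, 0, 0, 16};
    if (std::memcmp(&sid[2], kAuthority, sizeof kAuthority) != 0)
        throw std::invalid_argument("not a mandatory label SID");
    return uint32_t(sid[8]) | (uint32_t(sid[9]) << 8) |
           (uint32_t(sid[10]) << 16) | (uint32_t(sid[11]) << 24);
}

// SDDL form: "S-1-16-12288" is High, "S-1-16-16384" is System.
std::string SidToString(const LabelSid& sid) {
    return "S-1-16-" + std::to_string(MandatoryRidFromSid(sid.data(), sid.size()));
}

// Policy: a token above High is clamped to High so it matches the High-IL VM
// worker. Tokens at or below High are left alone, because
// SetTokenInformation(TokenIntegrityLevel) can lower a label but not raise it,
// so "set High" on a Medium token fails instead of being a no-op.
// (Example's generalisation: the PR checks for System specifically.)
bool NeedsDowngrade(uint32_t currentRid) { return currentRid > kHighRid; }
uint32_t TargetRid(uint32_t currentRid) { return NeedsDowngrade(currentRid) ? kHighRid : currentRid; }

}  // namespace il

#ifdef _WIN32
#include <windows.h>
// Windows-only: duplicate the caller's token as an impersonation token that
// carries TOKEN_ADJUST_DEFAULT, read its label, and downgrade if needed.
// Returns the RID the token ends up with; throws on API failure.
uint32_t DuplicateAndClampToHigh(HANDLE& newToken) {
    HANDLE self = nullptr;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &self))
        throw std::runtime_error("OpenProcessToken");
    // TOKEN_ADJUST_DEFAULT is the right SetTokenInformation(TokenIntegrityLevel) checks.
    BOOL ok = DuplicateTokenEx(self, TOKEN_QUERY | TOKEN_IMPERSONATE | TOKEN_ADJUST_DEFAULT,
                               nullptr, SecurityImpersonation, TokenImpersonation, &newToken);
    CloseHandle(self);
    if (!ok) throw std::runtime_error("DuplicateTokenEx");

    BYTE buf[sizeof(TOKEN_MANDATORY_LABEL) + SECURITY_MAX_SID_SIZE];
    DWORD len = 0;
    if (!GetTokenInformation(newToken, TokenIntegrityLevel, buf, sizeof buf, &len))
        throw std::runtime_error("GetTokenInformation");
    auto* label = reinterpret_cast<TOKEN_MANDATORY_LABEL*>(buf);
    DWORD count = *GetSidSubAuthorityCount(label->Label.Sid);
    DWORD current = *GetSidSubAuthority(label->Label.Sid, count - 1);
    if (!il::NeedsDowngrade(current)) return current;

    alignas(4) il::LabelSid high = il::BuildMandatoryLabelSid(il::kHighRid);  // valid 12-byte SID
    TOKEN_MANDATORY_LABEL tml{};
    tml.Label.Attributes = SE_GROUP_INTEGRITY;
    tml.Label.Sid = high.data();
    // Same length idiom as the PR and the Microsoft samples: struct size + SID length.
    if (!SetTokenInformation(newToken, TokenIntegrityLevel, &tml, DWORD(sizeof tml + high.size())))
        throw std::runtime_error("SetTokenInformation");
    return il::kHighRid;
}
#endif
```

The portable half is what to reach for when reasoning about the review thread below: the SID lives in its own 12-byte buffer and the TOKEN_MANDATORY_LABEL only points at it, so the struct-plus-SID length is a convention of the API, not a description of contiguous memory.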
| union | ||
| { | ||
| SID sid; | ||
| BYTE buffer[SECURITY_SID_SIZE(1)]; | ||
| } sidBuffer; | ||
| SID_IDENTIFIER_AUTHORITY micSidAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY; | ||
| THROW_IF_NTSTATUS_FAILED(::RtlInitializeSidEx(&sidBuffer.sid, &micSidAuthority, 1, SECURITY_MANDATORY_HIGH_RID)); | ||
|
|
||
| TOKEN_MANDATORY_LABEL tokenLabel{}; | ||
| tokenLabel.Label.Attributes = SE_GROUP_INTEGRITY; | ||
| tokenLabel.Label.Sid = &sidBuffer.sid; | ||
| THROW_IF_WIN32_BOOL_FALSE(::SetTokenInformation( | ||
| newToken.get(), TokenIntegrityLevel, &tokenLabel, (sizeof(tokenLabel) + ::GetLengthSid(&sidBuffer.sid)))); |
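Review bot: the System-IL check that is supposed to gate this SetTokenInformation call is not in the context shown, and it is load-bearing: TokenIntegrityLevel can lower a token's label but cannot raise it, so if this code were ever reached with a Medium (or lower) duplicate, "set High" would fail rather than be a no-op. Please make sure the call sits inside the branch that tests for SECURITY_MANDATORY_SYSTEM_RID, or compare the current RID against SECURITY_MANDATORY_HIGH_RID right before it. On the length argument, `sizeof(tokenLabel) + ::GetLengthSid(&sidBuffer.sid)` overstates the buffer: tokenLabel and sidBuffer are separate locals, so the SID does not follow the struct in memory; the kernel reads the SID through Label.Sid, so this is harmless and matches the usual Microsoft sample idiom, but a short comment saying so would pre-empt the question raised below. The call also needs TOKEN_ADJUST_DEFAULT on newToken, which the PR description says was added at the duplicate site; a comment there tying the access right to this call would help.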
I'm not sure if this is true or not...
I don't think this is true. I don't see any mention of that requirement in https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-sid_and_attributes or https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_mandatory_label
| BYTE buffer[SECURITY_SID_SIZE(1)]; | ||
| } sidBuffer; | ||
| SID_IDENTIFIER_AUTHORITY micSidAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY; | ||
| THROW_IF_NTSTATUS_FAILED(::RtlInitializeSidEx(&sidBuffer.sid, &micSidAuthority, 1, SECURITY_MANDATORY_HIGH_RID)); |
nit: We could simplify this a bit by using wsl::windows::common::security::CreateSid(SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_HIGH_RID)
Summary of the Pull Request
Creating objects while impersonating service accounts with an integrity level of 'system' can cause problems because the VM worker process only runs at 'high' IL. Downgrade 'system' to 'high'.
Validation Steps Performed
Manually ran scenarios under NetworkService account.