Commit b10b1d4
authored
chore(profiling): Use SECURITY_ANONYMOUS when connecting to named pipe server (#2134)
# What does this PR do?
Disables named-pipe client impersonation in libdatadog's Windows named-pipe transport by opening the pipe with `SECURITY_ANONYMOUS` (the Rust/tokio equivalent of .NET's `TokenImpersonationLevel.Anonymous`).
Concretely, `libdd-common`'s hyper-based connector now sets `ClientOptions::security_qos_flags(SECURITY_ANONYMOUS)` when opening a named pipe in `ConnStream::from_named_pipe_uri`, instead of relying on tokio's default of `SECURITY_IDENTIFICATION`.
# Motivation
This mirrors the dd-trace-dotnet change [Set `TokenImpersonationLevel.Anonymous` in `NamedPipeClient` (#8676)] DataDog/dd-trace-dotnet#8676).
A Windows named pipe exposes the connecting client's security token to the server end, which can use it to identify or even impersonate the client. In our usage the pipe is just a dumb byte transport to the Datadog Agent, so the server end never needs any information about, or the ability to act as, the connecting (potentially privileged) process. Opening with `Anonymous` enforces least privilege and removes that capability, hardening against a malicious or pipe-squatting server reading the client's identity/privileges.
# Additional Notes
- libdatadog opens named-pipe clients through two transport stacks:
- **hyper connector** (`libdd-common`) — fixed in this PR. Used by the `libdd-http-client` hyper backend.
- **reqwest** — the path used by the profiling exporter, `libdd-agent-client`, and the default `libdd-http-client` backend. reqwest currently hardcodes `ClientOptions::new().open(pipe)` and exposes no API to set the QoS flags, so that path is **not** addressed here. A follow-up will upstream a security-flags option to reqwest and then consume it at those call sites.
- Severity note: tokio's default is already `Identification` (not `Impersonation`), so the server cannot *act* as the client today; it can only read the client's identity/privileges. This change is therefore a defense-in-depth / least-privilege hardening that aligns the Rust posture with the .NET fix, not a fix for an exploitable privilege escalation on the Rust side.
- A shared `ANONYMOUS_IMPERSONATION_QOS` constant was added in `libdd-common/src/connector/named_pipe.rs` so the same value can be reused by the future reqwest call sites.
# How to test the change?
The change is Windows-only (`#[cfg(windows)]`).
- Automated: a round-trip test `from_named_pipe_uri_connects_with_anonymous_qos` was added in `libdd-common/src/connector/conn_stream.rs`. It stands up a tokio `ServerOptions` named-pipe server and asserts the client connects successfully with the Anonymous QoS flags. On a Windows host:
Co-authored-by: gregory.leocadie <gregory.leocadie@datadoghq.com>1 parent 54bd386 commit b10b1d4
2 files changed
Lines changed: 57 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
63 | 63 | | |
64 | 64 | | |
65 | 65 | | |
66 | | - | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
67 | 69 | | |
68 | 70 | | |
69 | 71 | | |
| |||
190 | 192 | | |
191 | 193 | | |
192 | 194 | | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
| 201 | + | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
| 206 | + | |
| 207 | + | |
| 208 | + | |
| 209 | + | |
| 210 | + | |
| 211 | + | |
| 212 | + | |
| 213 | + | |
| 214 | + | |
| 215 | + | |
| 216 | + | |
| 217 | + | |
| 218 | + | |
| 219 | + | |
| 220 | + | |
| 221 | + | |
| 222 | + | |
| 223 | + | |
| 224 | + | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
| 234 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
6 | 20 | | |
7 | 21 | | |
8 | 22 | | |
| |||
0 commit comments