Downgrade system IL impersonation token to high (microsoft#40447)

Downgrade system IL in impersonated token to high IL

Author: Brian-Perkins

src/windows/common/WslSecurity.cpp

@@ -172,7 +172,23 @@ wil::unique_handle wsl::windows::common::security::GetUserToken(_In_ TOKEN_TYPE
 
     wil::unique_handle newToken;
     THROW_IF_WIN32_BOOL_FALSE(::DuplicateTokenEx(
-        contextToken.get(), TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, nullptr, SecurityImpersonation, tokenType, &newToken));
+        contextToken.get(),
+        TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_DEFAULT,
+        nullptr,
+        SecurityImpersonation,
+        tokenType,
+        &newToken));
+
+    // If the token integrity level is system, reduce it to high integrity level. The VM worker process runs at
+    // high integrity level and objects created with a higher integrity level token may be inaccessible.
+    if (GetUserBasicIntegrityLevel(newToken.get()) == SECURITY_MANDATORY_SYSTEM_RID)
+    {
+        auto [sid, sidBuffer] = wsl::windows::common::security::CreateSid(SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_HIGH_RID);
+        TOKEN_MANDATORY_LABEL tokenLabel{};
+        tokenLabel.Label.Attributes = SE_GROUP_INTEGRITY;
+        tokenLabel.Label.Sid = sid;
+        THROW_IF_WIN32_BOOL_FALSE(::SetTokenInformation(newToken.get(), TokenIntegrityLevel, &tokenLabel, sizeof(tokenLabel)));
+    }
 
     return newToken;
 }