From 29e34ce1c516e20f336faa7422c00b419e356679 Mon Sep 17 00:00:00 2001 From: Alin Balutoiu Date: Wed, 23 Aug 2017 14:50:49 +0000 Subject: [PATCH] windows,python: Add restrictions to named pipes Bump the security around named pipes to be more restrictive: disable network access and allow only administrators and above to access the named pipes. Acked-by: Anand Kumar Acked-by: Alin Gabriel Serdean Signed-off-by: Alin Balutoiu Signed-off-by: Alin Gabriel Serdean --- python/ovs/winutils.py | 59 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+)
diff --git a/python/ovs/winutils.py b/python/ovs/winutils.py
index 89e28e10783..8f3151a361c 100644
--- a/python/ovs/winutils.py
+++ b/python/ovs/winutils.py
@@ -17,6 +17,7 @@
 if sys.platform != 'win32':
 raise Exception("Intended to use only on Windows")
 else:
+ import ntsecuritycon
 import pywintypes
 import win32con
 import win32event
@@ -139,7 +140,65 @@ def create_named_pipe(pipename, openMode=None, pipeMode=None,
 if saAttr == -1:
 # saAttr can be None
 saAttr = win32security.SECURITY_ATTRIBUTES()
+
+ # The identifier authority.
+ sia = ntsecuritycon.SECURITY_NT_AUTHORITY
+
+ # Initialize the SID.
+ remoteAccessSid = win32security.SID()
+ remoteAccessSid.Initialize(
+ sia, # The identifier authority.
+ 1) # The number of sub authorities to allocate.
+ # Disable access over network.
+ remoteAccessSid.SetSubAuthority(
+ 0, # The index of the sub authority to set
+ ntsecuritycon.SECURITY_NETWORK_RID)
+
+ allowedPsids = []
+ # Allow Windows Services to access the Named Pipe.
+ allowedPsid_0 = win32security.SID()
+ allowedPsid_0.Initialize(
+ sia, # The identifier authority.
+ 1) # The number of sub authorities to allocate.
+ allowedPsid_0.SetSubAuthority(
+ 0, # The index of the sub authority to set
+ ntsecuritycon.SECURITY_LOCAL_SYSTEM_RID)
+ # Allow Administrators to access the Named Pipe.
+ allowedPsid_1 = win32security.SID()
+ allowedPsid_1.Initialize(
+ sia, # The identifier authority.
+ 2) # The number of sub authorities to allocate.
+ allowedPsid_1.SetSubAuthority(
+ 0, # The index of the sub authority to set
+ ntsecuritycon.SECURITY_BUILTIN_DOMAIN_RID)
+ allowedPsid_1.SetSubAuthority(
+ 1, # The index of the sub authority to set
+ ntsecuritycon.DOMAIN_ALIAS_RID_ADMINS)
+
+ allowedPsids.append(allowedPsid_0)
+ allowedPsids.append(allowedPsid_1)
+
+ # Initialize an ACL.
+ acl = win32security.ACL()
+ acl.Initialize()
+ # Add denied ACL.
+ acl.AddAccessDeniedAce(win32security.ACL_REVISION,
+ ntsecuritycon.GENERIC_ALL,
+ remoteAccessSid)
+ # Add allowed ACLs.
+ for allowedPsid in allowedPsids:
+ acl.AddAccessAllowedAce(win32security.ACL_REVISION,
+ ntsecuritycon.GENERIC_ALL,
+ allowedPsid)
+
+ # Initialize an SD.
+ sd = win32security.SECURITY_DESCRIPTOR()
+ sd.Initialize()
+ # Set DACL.
+ sd.SetSecurityDescriptorDacl(True, acl, False)
+
 saAttr.bInheritHandle = 1
+ saAttr.SECURITY_DESCRIPTOR = sd
 try:
 npipe = win32pipe.CreateNamedPipe(pipename,
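Review bot: The restrictive DACL is built only inside `if saAttr == -1:`, so a caller that passes its own `saAttr` (or `None`, which the existing comment says is allowed) gets a pipe without the network deny ACE and without the SYSTEM/Administrators allow list. That limit should be stated at the top of the branch, for example `# Restrictive DACL is applied only when the caller does not supply saAttr.` The comment `# Allow Windows Services to access the Named Pipe.` is also broader than the code: `SECURITY_LOCAL_SYSTEM_RID` names the LocalSystem account only, so services running under other accounts are not covered by this ACE, and I would reword it to `# Allow LocalSystem (S-1-5-18) to access the Named Pipe.` Because the second allow ACE names the Administrators alias, a client presumably needs an elevated token to connect, which is worth a short comment next to `DOMAIN_ALIAS_RID_ADMINS`. The body of create_named_pipe starts and ends outside this hunk.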