Windows: Support named pipe hardening

olljanat · olljanat · commit e1209e5a6915 · 2025-08-14T16:42:58.000Z
In production plugins only NT AUTHORITY\SYSTEM which run Docker engine
should have access plugin named pipes.

Signed-off-by: Olli Janatuinen &lt;olli.janatuinen@gmail.com&gt;
diff --git a/sdk/windows_listener.go b/sdk/windows_listener.go
@@ -19,6 +19,9 @@ const (
 
 	// AllowServiceSystemAdmin grants full access permissions for Service, System, Administrator group and account.
 	AllowServiceSystemAdmin = "D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)(A;ID;FA;;;LS)"
+
+	// AllowSystemOnly limits access to named pipe for NT AUTHORITY\SYSTEM only
+	AllowSystemOnly = "D:(A;;GA;;;SY)"
 )
 
 func newWindowsListener(address, pluginName, daemonRoot string, pipeConfig *WindowsPipeConfig) (net.Listener, string, error) {

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,9 @@ const (`
`19`	`19`
`20`	`20`	`// AllowServiceSystemAdmin grants full access permissions for Service, System, Administrator group and account.`
`21`	`21`	`AllowServiceSystemAdmin = "D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)(A;ID;FA;;;LS)"`
	`22`	`+`
	`23`	`+ // AllowSystemOnly limits access to named pipe for NT AUTHORITY\SYSTEM only`
	`24`	`+ AllowSystemOnly = "D:(A;;GA;;;SY)"`
`22`	`25`	`)`
`23`	`26`
`24`	`27`	`func newWindowsListener(address, pluginName, daemonRoot string, pipeConfig *WindowsPipeConfig) (net.Listener, string, error) {`