Grant access to Discord RPC named pipes.

windows/Sources/FabricSandbox/DiscordPipeSupport.swift

@@ -0,0 +1,29 @@
+import WindowsUtils
+import WinSDK
+
+// https://github.com/discord/discord-rpc/blob/master/documentation/hard-mode.md
+// https://github.com/discord/discord-rpc/blob/963aa9f3e5ce81a4682c6ca3d136cddda614db33/src/connection_win.cpp#L35C26-L35C52
+fileprivate var PIPE_BASE_NAME = "\\\\?\\pipe\\discord-ipc-" // 0-9 suffix
+
+// Grant access to any of the running Discord pipes
+public func grantAccessToDiscordPipes(trustee: Trustee) throws {
+    for i in 0..<10 {
+        let pipe = try? NamedPipeClient(
+            pipeName: "\(PIPE_BASE_NAME)\(i)",
+            desiredAccess: DWORD(READ_CONTROL | WRITE_DAC), // We only need to open the pipe to set the DACL
+            mode: nil
+        )
+        guard let pipe = pipe else {
+            continue
+        }
+
+        logger.info("Granting access to Discord named pipe: \(pipe.path)")
+
+        // Remove any existing ACEs for the trustee and then grant full access
+        // Ensure we only modify the DACL if the trustee doesn't already have access, to avoid breaking an existing connection
+        var hasEntry = try hasAceEntry(pipe, trustee: trustee)
+        if !hasEntry {
+            try grantAccess(pipe, trustee: trustee, accessPermissions: [.genericAll])
+        }
+    }
+}

windows/Sources/FabricSandbox/FabricSandbox.swift

@@ -148,10 +148,11 @@ class FabricSandbox {
     let namedPipeServer = try SandboxNamedPipeServer(
       pipeName: "\\\\.\\pipe\\FabricSandbox" + randomString(length: 10))
 
-    // Grant access to the named pipe
-    try grantAccess(
-      namedPipeServer, trustee: container,
-      accessPermissions: [.genericRead, .genericWrite])
+    logger.debug("Named pipe: \(namedPipeServer.path)")
+
+    // Grant access to any of the active discord named pipes
+    // TODO we might want to run this every so often to handle new pipes
+    try grantAccessToDiscordPipes(trustee: container)
 
     let args = try commandLine.getSandboxArgs(
       dotMinecraftDir: dotMinecraft, sandboxRoot: sandboxRoot, namedPipePath: namedPipeServer.path)

windows/Sources/WindowsUtils/Acl.swift

@@ -75,6 +75,49 @@ public func clearAccess(_ object: SecurityObject, trustee: Trustee) throws {
   try object.setACL(acl: acl, accessMode: .grant)
 }
 
+// Do not use this as a security check
+public func hasAceEntry(_ object: SecurityObject, trustee: Trustee) throws -> Bool {
+  let acl = try object.getACL()
+  let sid = trustee.sid.value
+
+  var aclSize = ACL_SIZE_INFORMATION()
+  let success = GetAclInformation(acl, &aclSize, DWORD(MemoryLayout<ACL_SIZE_INFORMATION>.size), AclSizeInformation)
+  guard success else {
+    throw Win32Error("GetAclInformation")
+  }
+
+  for i: DWORD in 0..<aclSize.AceCount {
+    var ace: LPVOID? = nil
+    let success = GetAce(acl, DWORD(i), &ace)
+    guard success, let ace = ace else {
+      throw Win32Error("GetAce")
+    }
+
+    let aceHeader = ace.assumingMemoryBound(to: ACE_HEADER.self).pointee
+
+    switch Int32(aceHeader.AceType) {
+    case ACCESS_ALLOWED_ACE_TYPE:
+      let accessAllowedAce = ace.assumingMemoryBound(to: ACCESS_ALLOWED_ACE.self).pointee
+      let aceSid = SidFromAccessAllowedAce(ace, accessAllowedAce.SidStart)
+
+      if let aceSid = aceSid, EqualSid(aceSid, sid) {
+        return true
+      }
+    case ACCESS_DENIED_ACE_TYPE:
+      let accessDeniedAce = ace.assumingMemoryBound(to: ACCESS_DENIED_ACE.self).pointee
+      let aceSid = SidFromAccessDeniedAce(ace, accessDeniedAce.SidStart)
+
+      if let aceSid = aceSid, EqualSid(aceSid, sid) {
+        return true
+      }
+    default:
+      break
+    }
+  }
+
+  return false
+}
+
 public func getStringSecurityDescriptor(_ object: SecurityObject) throws -> String {
   let acl = try object.getACL()
 
@@ -228,7 +271,7 @@ extension File: SecurityObject {
       path.wide, SE_FILE_OBJECT, SECURITY_INFORMATION(DACL_SECURITY_INFORMATION), nil, nil, &acl, nil, nil)
 
     guard result == ERROR_SUCCESS, let acl = acl else {
-      throw Win32Error("GetNamedSecurityInfoW", errorCode: result)
+      throw Win32Error("GetNamedSecurityInfoW(\(path))", errorCode: result)
     }
     return acl
   }
@@ -240,29 +283,29 @@ extension File: SecurityObject {
     }
 
     guard result == ERROR_SUCCESS else {
-      throw Win32Error("SetNamedSecurityInfoW", errorCode: result)
+      throw Win32Error("SetNamedSecurityInfoW(\(self.path()))", errorCode: result)
     }
   }
 }
 
-extension NamedPipeServer: SecurityObject {
+extension NamedPipeClient: SecurityObject {
   public func getACL() throws -> PACL {
     var acl: PACL? = nil
     let result = GetSecurityInfo(
-      self.handle, SE_KERNEL_OBJECT, SECURITY_INFORMATION(DACL_SECURITY_INFORMATION), nil, nil, &acl, nil, nil)
+      self.pipe, SE_KERNEL_OBJECT, SECURITY_INFORMATION(DACL_SECURITY_INFORMATION), nil, nil, &acl, nil, nil)
 
     guard result == ERROR_SUCCESS, let acl = acl else {
-      throw Win32Error("GetSecurityInfo", errorCode: result)
+      throw Win32Error("GetSecurityInfo(\(self.path))", errorCode: result)
     }
     return acl
   }
 
   public func setACL(acl: PACL, accessMode: AccessMode) throws {
     let result = SetSecurityInfo(
-      self.handle, SE_KERNEL_OBJECT, SECURITY_INFORMATION(DACL_SECURITY_INFORMATION), nil, nil, acl, nil)
+      self.pipe, SE_KERNEL_OBJECT, SECURITY_INFORMATION(DACL_SECURITY_INFORMATION), nil, nil, acl, nil)
 
     guard result == ERROR_SUCCESS else {
-      throw Win32Error("SetSecurityInfo", errorCode: result)
+      throw Win32Error("SetSecurityInfo(\(self.path))", errorCode: result)
     }
   }
 }

windows/Sources/WindowsUtils/NamedPipe.swift

@@ -10,16 +10,22 @@ import WinSDK
 /// A write only named pipe client
 let bufferSize = DWORD(4096)
 let securityDescriptor = "S:(ML;;NW;;;LW)D:(A;;FA;;;SY)(A;;FA;;;WD)(A;;FA;;;AC)"
-open class NamedPipeServer: Thread {
-  let pipe: HANDLE
+
+protocol NamedPipe {
+  var pipe: HANDLE { get }
+  var path: String { get }
+}
+
+open class NamedPipeServer: Thread, NamedPipe {
+  public let pipe: HANDLE
   public let path: String
 
   public init(pipeName: String) throws {
     // Create a security descriptor
     var security: PSECURITY_DESCRIPTOR?
     let result = ConvertStringSecurityDescriptorToSecurityDescriptorW(
       securityDescriptor.wide,
-      DWORD(1),
+      DWORD(SDDL_REVISION_1),
       &security,
       nil
     )
@@ -28,7 +34,8 @@ open class NamedPipeServer: Thread {
     }
 
     var securityAttributesValue = SECURITY_ATTRIBUTES(
-      nLength: DWORD(MemoryLayout<SECURITY_ATTRIBUTES>.size), lpSecurityDescriptor: security,
+      nLength: DWORD(MemoryLayout<SECURITY_ATTRIBUTES>.size),
+      lpSecurityDescriptor: security,
       bInheritHandle: false)
 
     let pipe = CreateNamedPipeW(
@@ -87,32 +94,35 @@ open class NamedPipeServer: Thread {
     return false
   }
 }
-public class NamedPipeClient {
-  let pipe: HANDLE
 
-  public init(pipeName: String) throws {
+public class NamedPipeClient: NamedPipe {
+  public let pipe: HANDLE
+  public let path: String
+
+  public init(pipeName: String, desiredAccess: DWORD = DWORD(GENERIC_WRITE), mode: DWORD? = DWORD(PIPE_READMODE_MESSAGE)) throws {
     let pipe = CreateFileW(
       pipeName.wide,
-      DWORD(GENERIC_WRITE),
-      DWORD(0),
+      desiredAccess,
+      0,
       nil,
       DWORD(OPEN_EXISTING),
-      DWORD(0),
+      0,
       nil
     )
     guard pipe != INVALID_HANDLE_VALUE, let pipe = pipe else {
       throw Win32Error("CreateFileW")
     }
 
-    // Change to message mode
-    var mode = DWORD(PIPE_READMODE_MESSAGE)
-    let result = SetNamedPipeHandleState(pipe, &mode, nil, nil)
-    guard result else {
-      CloseHandle(pipe)
-      throw Win32Error("SetNamedPipeHandleState")
+    if var mode = mode  {
+      let result = SetNamedPipeHandleState(pipe, &mode, nil, nil)
+      guard result else {
+        CloseHandle(pipe)
+        throw Win32Error("SetNamedPipeHandleState")
+      }
     }
 
     self.pipe = pipe
+    self.path = pipeName
   }
 
   deinit {

windows/Tests/AclTests.swift

@@ -14,25 +14,30 @@ struct AclTests {
 
     var sddl = try getStringSecurityDescriptor(tempDir)
     #expect(!sddl.contains(";\(sid)"))
+    #expect(!(try hasAceEntry(tempDir, trustee: trustee)))
 
     try grantAccess(tempDir, trustee: trustee, accessPermissions: [.genericAll])
     sddl = try getStringSecurityDescriptor(tempDir)
     // Allow full access
     #expect(sddl.contains("A;;FA;;;\(sid)"))
+    #expect(try hasAceEntry(tempDir, trustee: trustee))
 
     try clearAccess(tempDir, trustee: trustee)
     sddl = try getStringSecurityDescriptor(tempDir)
     #expect(!sddl.contains(";\(sid)"))
+    #expect(!(try hasAceEntry(tempDir, trustee: trustee)))
 
     try denyAccess(tempDir, trustee: trustee, accessPermissions: [.genericExecute])
     sddl = try getStringSecurityDescriptor(tempDir)
     // Deny execute
     #expect(sddl.contains("D;;FX;;;\(sid)"))
+    #expect(try hasAceEntry(tempDir, trustee: trustee))
 
     // Test that we can remove mutlipe ACEs
     try grantAccess(tempDir, trustee: trustee, accessPermissions: [.genericRead])
     try clearAccess(tempDir, trustee: trustee)
     sddl = try getStringSecurityDescriptor(tempDir)
     #expect(!sddl.contains(";\(sid)"))
+    #expect(!(try hasAceEntry(tempDir, trustee: trustee)))
   }
 }

windows/Tests/IntergrationTests.swift

@@ -201,8 +201,6 @@ func runIntergration(
   var commandLine = [testExecutable.path()] + args
 
   if let namedPipe = namedPipe {
-    try grantAccess(
-      namedPipe, trustee: container, accessPermissions: [.genericRead, .genericWrite])
     if namedPipe is SandboxNamedPipeServer {
       commandLine.append("-Dsandbox.namedPipe=\(namedPipe.path)")
     }