From e1209e5a69157b6ea859f8db3e144e17a7eae3b8 Mon Sep 17 00:00:00 2001
From: Olli Janatuinen
Date: Fri, 16 May 2025 06:04:46 +0000
Subject: [PATCH] Windows: Support named pipe hardening

In production plugins only NT AUTHORITY\SYSTEM which run Docker engine should have access plugin named pipes.

Signed-off-by: Olli Janatuinen
---
 sdk/windows_listener.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sdk/windows_listener.go b/sdk/windows_listener.go
index afb0f0b..6be6c70 100644
--- a/sdk/windows_listener.go
+++ b/sdk/windows_listener.go
@@ -19,6 +19,9 @@ const (
 	// AllowServiceSystemAdmin grants full access permissions for Service, System, Administrator group and account.
 	AllowServiceSystemAdmin = "D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LA)(A;ID;FA;;;LS)"
+
+	// AllowSystemOnly limits access to named pipe for NT AUTHORITY\SYSTEM only
+	AllowSystemOnly = "D:(A;;GA;;;SY)"
 )
 func newWindowsListener(address, pluginName, daemonRoot string, pipeConfig *WindowsPipeConfig) (net.Listener, string, error) {
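Review bot: The doc comment on the new `AllowSystemOnly` constant does not say why its ACE is shaped differently from the sibling `AllowServiceSystemAdmin` entries — it drops the `ID` flag and grants `GA` where the existing ACEs grant `FA` — so a later reader cannot tell whether the difference is intentional, and it also lacks the trailing period the neighbouring comment has. If the shape is deliberate, state it, e.g. `// AllowSystemOnly grants full (generic) access to the named pipe to NT AUTHORITY\SYSTEM only; every other account, including the plugin's own service account when that is not SYSTEM, is denied.` Nothing in this hunk selects the new descriptor, so the comment (or newWindowsListener, whose body lies outside the hunk) should also record that a plugin process running under any account other than SYSTEM would presumably be unable to open or re-instantiate its own pipe under this DACL, which is worth verifying on a non-SYSTEM service account before this becomes the production default.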