From 6f0714efcb9ef07d1e5881e9f8eb032b5e5088ea Mon Sep 17 00:00:00 2001
From: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
Date: Wed, 15 Mar 2023 05:30:46 -0700
Subject: [PATCH] Use RunWithPrivileges

RunWithPrivileges() will enable privileges will lock a thread, change
privileges, and run the function passed in, within that thread. This
allows us to limit the scope in which we enable privileges and avoids
accidentally enabling privileges in threads that should never have them.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
---
 archive/tar_opts_windows.go  | 13 ++++++-------
 snapshots/windows/windows.go | 10 ++++------
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/archive/tar_opts_windows.go b/archive/tar_opts_windows.go
index fc51999bd..567a3c352 100644
--- a/archive/tar_opts_windows.go
+++ b/archive/tar_opts_windows.go
@@ -18,7 +18,6 @@ package archive
 
 import (
 	"context"
-	"fmt"
 	"io"
 
 	"github.com/Microsoft/go-winio"
@@ -31,12 +30,12 @@ func applyWindowsLayer(ctx context.Context, root string, r io.Reader, options Ap
 	// It seems that in certain situations, like having the containerd root and state on a file system hosted on a
 	// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
 	// in the base layer writer in hcsshim when adding a new file.
-	if err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege}); err != nil {
-		return 0, fmt.Errorf("enabling privileges: %w", err)
-	}
-	defer winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege})
-
-	return ociwclayer.ImportLayerFromTar(ctx, r, root, options.Parents)
+	err = winio.RunWithPrivileges([]string{winio.SeSecurityPrivilege}, func() error {
+		var innerErr error
+		size, innerErr = ociwclayer.ImportLayerFromTar(ctx, r, root, options.Parents)
+		return innerErr
+	})
+	return
 }
 
 // AsWindowsContainerLayer indicates that the tar stream to apply is that of
diff --git a/snapshots/windows/windows.go b/snapshots/windows/windows.go
index 0d90128db..b96041b1e 100644
--- a/snapshots/windows/windows.go
+++ b/snapshots/windows/windows.go
@@ -481,12 +481,10 @@ func (s *snapshotter) convertScratchToReadOnlyLayer(ctx context.Context, snapsho
 	// It seems that in certain situations, like having the containerd root and state on a file system hosted on a
 	// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
 	// in the base layer writer in hcsshim when adding a new file.
-	if err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege}); err != nil {
-		return fmt.Errorf("enabling privileges: %w", err)
-	}
-	defer winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege})
-
-	if _, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths); err != nil {
+	if err := winio.RunWithPrivileges([]string{winio.SeSecurityPrivilege}, func() error {
+		_, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths)
+		return err
+	}); err != nil {
 		return fmt.Errorf("failed to reimport snapshot: %w", err)
 	}