From 7361b198751c11ddadc2bb76a08fd38ddce0f45f Mon Sep 17 00:00:00 2001
From: "Justin Terry (VM)"
Date: Thu, 21 Mar 2019 14:15:17 -0700
Subject: [PATCH] Update Windows lcow differ to set NT VIRTUAL MACHINE\Virtual Machines SID

For LCOW using the Virtual Machines SID for the shared read-only layers improves overall performance avoiding the need to set per VM access at runtime.

Signed-off-by: Justin Terry (VM)
---
 diff/lcow/lcow.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/diff/lcow/lcow.go b/diff/lcow/lcow.go
index 2c336e1f8..6ac42ed6b 100644
--- a/diff/lcow/lcow.go
+++ b/diff/lcow/lcow.go
@@ -25,6 +25,7 @@ import (
 "path"
 "time"

+ "github.com/Microsoft/go-winio/pkg/security"
 "github.com/Microsoft/hcsshim/ext4/tar2ext4"
 "github.com/containerd/containerd/archive/compression"
 "github.com/containerd/containerd/content"
@@ -142,7 +143,6 @@ func (s windowsLcowDiff) Apply(ctx context.Context, desc ocispec.Descriptor, mou
 if err != nil {
 return emptyDesc, err
 }
- defer outFile.Close()
 defer func() {
 if err != nil {
 outFile.Close()
@@ -154,6 +154,12 @@ func (s windowsLcowDiff) Apply(ctx context.Context, desc ocispec.Descriptor, mou
 if err != nil {
 return emptyDesc, errors.Wrapf(err, "failed to convert tar to ext4 vhd")
 }
+ outFile.Close()
+
+ err = security.GrantVmGroupAccess(layerPath)
+ if err != nil {
+ return emptyDesc, errors.Wrapf(err, "failed GrantVmGroupAccess on layer vhd: %v", layerPath)
+ }

 return ocispec.Descriptor{
 MediaType: ocispec.MediaTypeImageLayer,
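Review bot: The explicit `outFile.Close()` added ahead of the ACL change in the last hunk discards its error, so a failed close of the freshly written ext4 VHD would go unnoticed and the group ACE would then be applied to a layer that may be incomplete; I would write `if err = outFile.Close(); err != nil { return emptyDesc, errors.Wrap(err, "failed to close layer vhd") }`. The deferred cleanup visible in the previous hunk still calls `outFile.Close()` when `err != nil`, so a GrantVmGroupAccess failure now closes the handle a second time, which is presumably harmless but worth confirming since outFile's type and the rest of that closure are not visible here. I would also put a comment above the call, e.g. `// Grants the NT VIRTUAL MACHINE\Virtual Machines group access to the layer VHD, so it is readable by VMs on this host in general, not only the one using it; layers must hold no per-tenant secrets.`, because the commit trades per-VM scoping for performance and the code does not say so. Apply's body begins and ends outside the hunk.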