From b41ca11598b3e8402ccdf413679fa13021163497 Mon Sep 17 00:00:00 2001
From: Gabriel Adrian Samfira
Date: Mon, 13 Mar 2023 01:52:03 -0700
Subject: [PATCH] Fix access denied on mounted vhdx root

It seems that in certain situations, like having the containerd root and state on a file system hosted on a mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens in the base layer writer in hcsshim when adding a new file.

Enabling SeSecurityPrivilege allows the containerd root to be hosted on a vhdx.

Signed-off-by: Gabriel Adrian Samfira
---
 archive/tar_opts_windows.go | 10 ++++++++++
 snapshots/windows/windows.go | 8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/archive/tar_opts_windows.go b/archive/tar_opts_windows.go
index 0ba3cd082..fc51999bd 100644
--- a/archive/tar_opts_windows.go
+++ b/archive/tar_opts_windows.go
@@ -18,14 +18,24 @@ package archive
 import (
 	"context"
+	"fmt"
 	"io"
 
+	"github.com/Microsoft/go-winio"
 	"github.com/Microsoft/hcsshim/pkg/ociwclayer"
 )
 
 // applyWindowsLayer applies a tar stream of an OCI style diff tar of a Windows layer
 // See https://github.com/opencontainers/image-spec/blob/main/layer.md#applying-changesets
 func applyWindowsLayer(ctx context.Context, root string, r io.Reader, options ApplyOptions) (size int64, err error) {
+	// It seems that in certain situations, like having the containerd root and state on a file system hosted on a
+	// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
+	// in the base layer writer in hcsshim when adding a new file.
+	if err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege}); err != nil {
+		return 0, fmt.Errorf("enabling privileges: %w", err)
+	}
+	defer winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege})
+
 	return ociwclayer.ImportLayerFromTar(ctx, r, root, options.Parents)
 }
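Review bot: The deferred `winio.DisableProcessPrivileges` at the end of `applyWindowsLayer` removes SeSecurityPrivilege from the whole process token, not just from this call, so if two layer applies overlap in different goroutines the first one to finish strips the privilege while the second is still opening files with ACCESS_SYSTEM_SECURITY, reproducing the very access-denied this patch fixes. Per the commit message the privileged opens happen inside `ImportLayerFromTar` on the calling goroutine, so the narrower fix is `winio.RunWithPrivileges`, which enables the privilege on the calling OS thread's token for the duration of the callback and reverts it without affecting other callers; this needs confirming that hcsshim does not hand the file writes to another goroutine, which is not visible here. If process-wide enabling really is required, enable it once (e.g. behind a `sync.Once` at plugin init) rather than toggling it per call, and at least log the error `DisableProcessPrivileges` returns instead of discarding it in the `defer`. The "It seems ... in certain situations" comment also understates the why: ACCESS_SYSTEM_SECURITY is SACL access, which Windows grants on the strength of SeSecurityPrivilege, so the comment should state that and leave the VHDX observation as the trigger, e.g. `// ACCESS_SYSTEM_SECURITY (used by hcsshim's base layer writer) is SACL access and needs SeSecurityPrivilege; without it, imports onto a mounted VHDX fail with access denied.`
```go
func applyWindowsLayer(ctx context.Context, root string, r io.Reader, options ApplyOptions) (size int64, err error) {
	// ACCESS_SYSTEM_SECURITY (used by hcsshim's base layer writer when adding a
	// file) is SACL access and needs SeSecurityPrivilege; without it, imports onto
	// a mounted VHDX fail with access denied. Enable it on this OS thread only,
	// for the duration of the import, so concurrent imports cannot revoke it.
	err = winio.RunWithPrivileges([]string{winio.SeSecurityPrivilege}, func() error {
		var importErr error
		size, importErr = ociwclayer.ImportLayerFromTar(ctx, r, root, options.Parents)
		return importErr
	})
	if err != nil {
		return 0, fmt.Errorf("applying windows layer: %w", err)
	}
	return size, nil
}
```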
diff --git a/snapshots/windows/windows.go b/snapshots/windows/windows.go
index 8e79f10e7..0d90128db 100644
--- a/snapshots/windows/windows.go
+++ b/snapshots/windows/windows.go
@@ -478,6 +478,14 @@ func (s *snapshotter) convertScratchToReadOnlyLayer(ctx context.Context, snapsho
 		writer.CloseWithError(err)
 	}()
 
+	// It seems that in certain situations, like having the containerd root and state on a file system hosted on a
+	// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
+	// in the base layer writer in hcsshim when adding a new file.
+	if err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege}); err != nil {
+		return fmt.Errorf("enabling privileges: %w", err)
+	}
+	defer winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege})
+
 	if _, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths); err != nil {
 		return fmt.Errorf("failed to reimport snapshot: %w", err)
 	}
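Review bot: The enable/defer-disable pair added before the `ImportLayerFromTar` call toggles SeSecurityPrivilege on the process token, so with the same block now also in `archive.applyWindowsLayer`, any two of these paths running concurrently can have one drop the privilege while the other is still creating files, which is the same failure the patch targets. The goroutine feeding `writer` above only produces the tar; the file creation that needs the privilege happens on this goroutine inside `ImportLayerFromTar` (assuming hcsshim does not offload it to other threads — confirm), so `winio.RunWithPrivileges` scoped to this OS thread is sufficient and cannot interfere with other callers. The eight lines are a verbatim copy of the ones in tar_opts_windows.go, comment included; a single shared helper would keep the two from drifting, and the comment should give the reason (ACCESS_SYSTEM_SECURITY is SACL access, gated on SeSecurityPrivilege) rather than "It seems ... in certain situations". `convertScratchToReadOnlyLayer` starts and ends outside this hunk.
```go
	// … unchanged: goroutine writing the scratch layer tar into writer …

	// ACCESS_SYSTEM_SECURITY (used by hcsshim's base layer writer) is SACL
	// access and needs SeSecurityPrivilege; enable it on this OS thread only.
	if err := winio.RunWithPrivileges([]string{winio.SeSecurityPrivilege}, func() error {
		_, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths)
		return err
	}); err != nil {
		return fmt.Errorf("failed to reimport snapshot: %w", err)
	}
```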