[Windows] Use "LOCAL" pipe instead of globally available pipe #2354

Open
wants to merge 1 commit into
base: master

@partouf partouf commented Nov 18, 2023

At Compiler-Explorer we're working on CMake support for Windows compilers under heavy sandboxing (using Windows AppContainer), and we encountered the issue of not being able to create a named pipe.

There seems to be no capability that we can give the AppContainer environment to enable the creation of named pipes.

However, at https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea I read that if you name the pipe \\.\pipe\LOCAL\... things should work fine.

And it actually does appear to work with \LOCAL\.

The question is if this will remain compatible with the regular execution of ninja under Windows. I do not know, so if anyone has any ideas or ways to test this, please. Or perhaps if we need to limit this to certain versions of Windows, that seems plausible.

@partouf partouf changed the title Use "LOCAL" pipe instead of globally available pipe [Windows] Use "LOCAL" pipe instead of globally available pipe Nov 18, 2023
@SibiSiddharthan
Contributor

SibiSiddharthan commented Nov 19, 2023

Hi there,

For AppContainer builds, I think we should check whether ninja is running in a sandbox or not. This can be checked using the GetTokenInformation function. Refer here for the docs: https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-gettokeninformation.

This snippet might help (source https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-for-legacy-applications-#c-canonical)

#include <windows.h>
...
HANDLE tokenHandle{};
DWORD isAppContainer{};
DWORD tokenInformationLength{ sizeof(DWORD) };

if (!::OpenProcessToken(
    GetCurrentProcess(),
    TOKEN_QUERY,
    &tokenHandle))
{
    // Handle the error.
}

if (!::GetTokenInformation(
    tokenHandle,
    TOKEN_INFORMATION_CLASS::TokenIsAppContainer,
    &isAppContainer,
    tokenInformationLength,
    &tokenInformationLength
))
{
    // Handle the error.
}

For sandbox builds we can use the LOCAL namespace for pipes.

Hope this helps.
Thanks,
Sibi
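
An added example, not part of this thread or of ninja's code: one way to combine the token check suggested above with the choice of pipe namespace, so that the `LOCAL` prefix is used only inside an AppContainer. `IsRunningInAppContainer`, `MakePipeName` and the `example_pid...` naming scheme are hypothetical; the non-Windows branch exists only so the name logic builds on any platform.

```cpp
#include <cstdio>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Returns true only when the current process token is an AppContainer token.
// Any API failure is treated as "not sandboxed", so the caller keeps the
// global pipe name and behaviour outside a sandbox does not change.
bool IsRunningInAppContainer() {
#ifdef _WIN32
  HANDLE token = nullptr;
  if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token))
    return false;
  DWORD is_app_container = 0;
  DWORD length = sizeof(is_app_container);
  BOOL ok = ::GetTokenInformation(token, TokenIsAppContainer,
                                  &is_app_container, length, &length);
  ::CloseHandle(token);  // The snippet above leaves the handle open.
  return ok && is_app_container != 0;
#else
  return false;  // AppContainer is a Windows-only concept.
#endif
}

// Builds the pipe name. The "example_pid%lu_%u" suffix is a hypothetical
// naming scheme used for illustration only.
std::string MakePipeName(bool in_app_container, unsigned long pid,
                         unsigned id) {
  char suffix[64];
  std::snprintf(suffix, sizeof(suffix), "example_pid%lu_%u", pid, id);
  std::string name = "\\\\.\\pipe\\";
  if (in_app_container)
    name += "LOCAL\\";  // Namespace usable from inside an AppContainer.
  return name + suffix;
}

int main() {
  // pid and id are constructed sample values.
  std::string name = MakePipeName(IsRunningInAppContainer(), 1234, 1);
  std::printf("%s\n", name.c_str());
  return 0;
}
```

Computing the flag once at start-up and passing it in keeps the name builder free of Windows API calls, which makes both branches easy to unit test.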

@partouf
Author

partouf commented Nov 19, 2023

Thanks, sounds like a good solution. I'll take a look at implementing this in a few days.
