Skip to content

chore(profiling): Use SECURITY_ANONYMOUS when connecting to named pipe server#2134

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
mainfrom
gleocadie/fix-issue-named-pipe
Jun 18, 2026
Merged

chore(profiling): Use SECURITY_ANONYMOUS when connecting to named pipe server#2134
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
mainfrom
gleocadie/fix-issue-named-pipe

Conversation

@gleocadie

@gleocadie gleocadie commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

Disables named-pipe client impersonation in libdatadog's Windows named-pipe transport by opening the pipe with SECURITY_ANONYMOUS (the Rust/tokio equivalent of .NET's TokenImpersonationLevel.Anonymous).

Concretely, libdd-common's hyper-based connector now sets ClientOptions::security_qos_flags(SECURITY_ANONYMOUS) when opening a named pipe in ConnStream::from_named_pipe_uri, instead of relying on tokio's default of SECURITY_IDENTIFICATION.

Motivation

This mirrors the dd-trace-dotnet change [Set TokenImpersonationLevel.Anonymous in NamedPipeClient (#8676)] DataDog/dd-trace-dotnet#8676).

A Windows named pipe exposes the connecting client's security token to the server end, which can use it to identify or even impersonate the client. In our usage the pipe is just a dumb byte transport to the Datadog Agent, so the server end never needs any information about, or the ability to act as, the connecting (potentially privileged) process. Opening with Anonymous enforces least privilege and removes that capability, hardening against a malicious or pipe-squatting server reading the client's identity/privileges.

Additional Notes

  • libdatadog opens named-pipe clients through two transport stacks:
    • hyper connector (libdd-common) — fixed in this PR. Used by the libdd-http-client hyper backend.
    • reqwest — the path used by the profiling exporter, libdd-agent-client, and the default libdd-http-client backend. reqwest currently hardcodes ClientOptions::new().open(pipe) and exposes no API to set the QoS flags, so that path is not addressed here. A follow-up will upstream a security-flags option to reqwest and then consume it at those call sites.
  • Severity note: tokio's default is already Identification (not Impersonation), so the server cannot act as the client today; it can only read the client's identity/privileges. This change is therefore a defense-in-depth / least-privilege hardening that aligns the Rust posture with the .NET fix, not a fix for an exploitable privilege escalation on the Rust side.
  • A shared ANONYMOUS_IMPERSONATION_QOS constant was added in libdd-common/src/connector/named_pipe.rs so the same value can be reused by the future reqwest call sites.

How to test the change?

The change is Windows-only (#[cfg(windows)]).

  • Automated: a round-trip test from_named_pipe_uri_connects_with_anonymous_qos was added in libdd-common/src/connector/conn_stream.rs. It stands up a tokio ServerOptions named-pipe server and asserts the client connects successfully with the Anonymous QoS flags. On a Windows host:

@gleocadie gleocadie requested a review from a team as a code owner June 18, 2026 14:52
@github-actions

github-actions Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Clippy Allow Annotation Report

Comparing clippy allow annotations between branches:

  • Base Branch: origin/main
  • PR Branch: origin/gleocadie/fix-issue-named-pipe

Summary by Rule

Rule Base Branch PR Branch Change
unwrap_used 2 2 No change (0%)
Total 2 2 No change (0%)

Annotation Counts by File

File Base Branch PR Branch Change
libdd-common/src/connector/conn_stream.rs 1 1 No change (0%)
libdd-common/src/connector/named_pipe.rs 1 1 No change (0%)

Annotation Stats by Crate

Crate Base Branch PR Branch Change
clippy-annotation-reporter 5 5 No change (0%)
datadog-ffe-ffi 1 1 No change (0%)
datadog-ipc 22 22 No change (0%)
datadog-live-debugger 4 4 No change (0%)
datadog-live-debugger-ffi 10 10 No change (0%)
datadog-profiling-replayer 4 4 No change (0%)
datadog-sidecar 45 45 No change (0%)
libdd-common 13 13 No change (0%)
libdd-common-ffi 12 12 No change (0%)
libdd-data-pipeline 5 5 No change (0%)
libdd-ddsketch 2 2 No change (0%)
libdd-dogstatsd-client 1 1 No change (0%)
libdd-profiling 13 13 No change (0%)
libdd-remote-config 3 3 No change (0%)
libdd-telemetry 20 20 No change (0%)
libdd-tinybytes 4 4 No change (0%)
libdd-trace-normalization 2 2 No change (0%)
libdd-trace-obfuscation 3 3 No change (0%)
libdd-trace-stats 1 1 No change (0%)
libdd-trace-utils 11 11 No change (0%)
Total 181 181 No change (0%)

About This Report

This report tracks Clippy allow annotations for specific rules, showing how they've changed in this PR. Decreasing the number of these annotations generally improves code quality.

@datadog-prod-us1-3

datadog-prod-us1-3 Bot commented Jun 18, 2026
edited by datadog-datadog-prod-us1 Bot
Loading

Copy link
Copy Markdown

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 73.78% (-0.04%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: ff4adde | Docs | Datadog PR Page | Give us feedback!

@dd-octo-sts

dd-octo-sts Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Artifact Size Benchmark Report

aarch64-alpine-linux-musl
Artifact Baseline Commit Change
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.so 7.76 MB 7.76 MB 0% (0 B) 👌
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.a 83.99 MB 83.99 MB 0% (0 B) 👌
aarch64-unknown-linux-gnu
Artifact Baseline Commit Change
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.so 10.36 MB 10.36 MB 0% (0 B) 👌
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.a 95.08 MB 95.08 MB 0% (0 B) 👌
libdatadog-x64-windows
Artifact Baseline Commit Change
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.dll 24.82 MB 24.82 MB 0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.lib 87.33 KB 87.33 KB 0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.pdb 180.83 MB 180.83 MB 0% (0 B) 👌
/libdatadog-x64-windows/debug/static/datadog_profiling_ffi.lib 928.05 MB 928.05 MB +0% (+158 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.dll 8.10 MB 8.10 MB 0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.lib 87.33 KB 87.33 KB 0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.pdb 23.96 MB 23.96 MB 0% (0 B) 👌
/libdatadog-x64-windows/release/static/datadog_profiling_ffi.lib 47.83 MB 47.83 MB 0% (0 B) 👌
libdatadog-x86-windows
Artifact Baseline Commit Change
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.dll 21.51 MB 21.51 MB 0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.lib 88.71 KB 88.71 KB 0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.pdb 184.81 MB 184.82 MB +0% (+8.00 KB) 👌
/libdatadog-x86-windows/debug/static/datadog_profiling_ffi.lib 916.26 MB 916.26 MB +0% (+158 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.dll 6.25 MB 6.25 MB 0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.lib 88.71 KB 88.71 KB 0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.pdb 25.69 MB 25.69 MB 0% (0 B) 👌
/libdatadog-x86-windows/release/static/datadog_profiling_ffi.lib 45.47 MB 45.47 MB 0% (0 B) 👌
x86_64-alpine-linux-musl
Artifact Baseline Commit Change
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.a 74.87 MB 74.87 MB 0% (0 B) 👌
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.so 8.61 MB 8.61 MB 0% (0 B) 👌
x86_64-unknown-linux-gnu
Artifact Baseline Commit Change
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.a 90.29 MB 90.29 MB 0% (0 B) 👌
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.so 10.47 MB 10.47 MB 0% (0 B) 👌

@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit b10b1d4 into main Jun 18, 2026
92 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the gleocadie/fix-issue-named-pipe branch June 18, 2026 17:16
@dd-octo-sts dd-octo-sts Bot mentioned this pull request Jun 19, 2026
Merged
iunanua added a commit that referenced this pull request Jun 19, 2026
@dd-octo-sts @github-actions @iunanua
chore(release): proposal for libdd-remote-config (#2138)
d3ac415 
# Release proposal for libdd-remote-config and its dependencies

This PR contains version bumps based on public API changes and commits
since last release.

## libdd-common
**Next version:** `5.0.0`
**Semver bump:** `major`
**Tag:** `libdd-common-v5.0.0`

### Commits

- chore(profiling): Use SECURITY_ANONYMOUS when connecting to named pipe
server (#2134)
- fix: Fix http PathAndQuery Uri Parsing (#2122)
- chore(common)!: replace native-certs with platform-verifier (#2078)
- feat(data-pipeline)!: CSS Trace Filters (#1985)
- fix(libdd-common): Add fallback logic for resolving Azure Functions
instance name [SVLS-8931] (#2077)
- test: fix timeouts on heavily contended scenarios (#2093)

## libdd-remote-config
**Next version:** `1.0.0`
**Semver bump:** `major`
**Tag:** `libdd-remote-config-v1.0.0`

**Warning:** this is an initial release. Please verify that the version
and commits included are correct.

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: iunanua <18325288+iunanua@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gyuheon0h gyuheon0h gyuheon0h approved these changes

Assignees

No one assigned

Labels

common mergequeue-status: done

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gleocadie @gyuheon0h