harden WSL2 security: pipe ACL + stdin data passing + TTY session scoping

- Restrict named pipe to current user via SECURITY_ATTRIBUTES with DACL
  (prevents other users from connecting to the daemon)
- Pass ciphertext and TTY ID via stdin JSON instead of CLI args
  (prevents exposure in process listings via tasklist/procfs)
- Forward TTY ID to daemon for per-terminal biometric session scoping
  (extracted from /proc/self/fd/0 symlink in WSL2)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: theoephraim

packages/encryption-binary-rust/Cargo.toml

@@ -42,6 +42,9 @@ windows = { version = "0.58", features = [
     "Win32_Storage_FileSystem",
     "Win32_Foundation",
     "Win32_System_IO",
+    # Pipe ACL (restrict to current user)
+    "Win32_Security",
+    "Win32_Security_Authorization",
     # Windows Hello (UserConsentVerifier)
     "Security_Credentials_UI",
     "Foundation",

packages/encryption-binary-rust/src/daemon_client.rs

@@ -19,10 +19,11 @@ const MAX_SPAWN_WAIT: std::time::Duration = std::time::Duration::from_secs(10);
 
 /// Send a decrypt request through the daemon, auto-spawning if needed.
 /// Returns the decrypted plaintext.
+/// `tty_id` is forwarded to the daemon for per-terminal session scoping.
 #[cfg(target_os = "windows")]
-pub fn decrypt_via_daemon(ciphertext: &str, key_id: &str) -> Result<String, String> {
+pub fn decrypt_via_daemon(ciphertext: &str, key_id: &str, tty_id: Option<&str>) -> Result<String, String> {
     // Try connecting to existing daemon first
-    match try_daemon_decrypt(ciphertext, key_id) {
+    match try_daemon_decrypt(ciphertext, key_id, tty_id) {
         Ok(result) => return Ok(result),
         Err(_) => {
             // Daemon not running, spawn one
@@ -32,12 +33,12 @@ pub fn decrypt_via_daemon(ciphertext: &str, key_id: &str) -> Result<String, Stri
     spawn_daemon()?;
 
     // Retry after spawn
-    try_daemon_decrypt(ciphertext, key_id)
+    try_daemon_decrypt(ciphertext, key_id, tty_id)
 }
 
 /// Try to connect to the daemon and send a decrypt request.
 #[cfg(target_os = "windows")]
-fn try_daemon_decrypt(ciphertext: &str, key_id: &str) -> Result<String, String> {
+fn try_daemon_decrypt(ciphertext: &str, key_id: &str, tty_id: Option<&str>) -> Result<String, String> {
     use windows::Win32::Storage::FileSystem::{
         CreateFileW, ReadFile, WriteFile, FlushFileBuffers,
         FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_SHARE_NONE,
@@ -64,15 +65,18 @@ fn try_daemon_decrypt(ciphertext: &str, key_id: &str) -> Result<String, String>
         return Err("Failed to open daemon pipe".into());
     }
 
-    // Build request
-    let request = json!({
+    // Build request — include ttyId for per-terminal session scoping
+    let mut request = json!({
         "id": "via-daemon-1",
         "action": "decrypt",
         "payload": {
             "ciphertext": ciphertext,
             "keyId": key_id,
         },
     });
+    if let Some(tty) = tty_id {
+        request.as_object_mut().unwrap().insert("ttyId".to_string(), json!(tty));
+    }
 
     let request_bytes = serde_json::to_vec(&request)
         .map_err(|e| format!("Serialization failed: {e}"))?;
@@ -228,6 +232,6 @@ fn pipe_exists() -> bool {
 // ── Stub for non-Windows platforms ──────────────────────────────
 
 #[cfg(not(target_os = "windows"))]
-pub fn decrypt_via_daemon(_ciphertext: &str, _key_id: &str) -> Result<String, String> {
+pub fn decrypt_via_daemon(_ciphertext: &str, _key_id: &str, _tty_id: Option<&str>) -> Result<String, String> {
     Err("--via-daemon is only supported on Windows".into())
 }

packages/encryption-binary-rust/src/ipc.rs

@@ -139,6 +139,11 @@ impl IpcServer {
 
         let pipe_name = HSTRING::from(&self.socket_path);
 
+        // Build a security descriptor that restricts pipe access to the current user only.
+        // This prevents other users/processes from connecting to the daemon pipe.
+        let sa = create_current_user_security_attributes()
+            .map_err(|e| format!("Failed to create pipe security attributes: {e}"))?;
+
         while self.running.load(Ordering::SeqCst) {
             // Create a new named pipe instance for each client
             let pipe_handle = unsafe {
@@ -150,7 +155,7 @@ impl IpcServer {
                     65536,       // out buffer
                     65536,       // in buffer
                     0,           // default timeout
-                    None,        // default security
+                    Some(&sa),   // restrict to current user
                 )
             };
 
@@ -355,6 +360,99 @@ fn get_peer_tty_id(_stream: &UnixStream) -> Option<String> {
     None
 }
 
+// ── Windows pipe security ───────────────────────────────────────
+
+/// Create a SECURITY_ATTRIBUTES that restricts access to the current user only.
+/// This prevents other users from connecting to the daemon's named pipe.
+#[cfg(windows)]
+fn create_current_user_security_attributes() -> Result<windows::Win32::Security::SECURITY_ATTRIBUTES, String> {
+    use windows::Win32::Security::{
+        SECURITY_ATTRIBUTES, SECURITY_DESCRIPTOR,
+        InitializeSecurityDescriptor, SetSecurityDescriptorDacl,
+        SECURITY_DESCRIPTOR_REVISION,
+    };
+    use windows::Win32::Security::Authorization::{
+        SetEntriesInAclW, EXPLICIT_ACCESS_W, SET_ACCESS,
+        TRUSTEE_W, TRUSTEE_IS_SID, TRUSTEE_TYPE,
+        NO_INHERITANCE, TRUSTEE_FORM,
+    };
+    use windows::Win32::Security::{
+        GetTokenInformation, TokenUser, TOKEN_USER, TOKEN_QUERY,
+    };
+    use windows::Win32::System::Threading::{GetCurrentProcess, OpenProcessToken};
+    use windows::Win32::Foundation::GENERIC_ALL;
+
+    unsafe {
+        // Get current process token
+        let mut token = windows::Win32::Foundation::HANDLE::default();
+        OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &mut token)
+            .map_err(|e| format!("OpenProcessToken failed: {e}"))?;
+
+        // Get token user (contains the SID)
+        let mut token_info_len = 0u32;
+        let _ = GetTokenInformation(token, TokenUser, None, 0, &mut token_info_len);
+        let mut token_info = vec![0u8; token_info_len as usize];
+        GetTokenInformation(
+            token,
+            TokenUser,
+            Some(token_info.as_mut_ptr() as *mut _),
+            token_info_len,
+            &mut token_info_len,
+        ).map_err(|e| format!("GetTokenInformation failed: {e}"))?;
+
+        let token_user = &*(token_info.as_ptr() as *const TOKEN_USER);
+        let user_sid = token_user.User.Sid;
+
+        // Build an ACL with a single entry: GENERIC_ALL for the current user
+        let mut ea = EXPLICIT_ACCESS_W {
+            grfAccessPermissions: GENERIC_ALL.0,
+            grfAccessMode: SET_ACCESS,
+            grfInheritance: NO_INHERITANCE,
+            Trustee: TRUSTEE_W {
+                TrusteeForm: TRUSTEE_IS_SID,
+                TrusteeType: TRUSTEE_TYPE(0), // TRUSTEE_IS_UNKNOWN
+                ptstrName: windows::core::PWSTR(user_sid.0 as *mut u16),
+                pMultipleTrustee: std::ptr::null_mut(),
+                MultipleTrusteeOperation: TRUSTEE_FORM(0),
+            },
+        };
+
+        let mut acl = std::ptr::null_mut();
+        let err = SetEntriesInAclW(Some(&[ea]), None, &mut acl);
+        if err.0 != 0 {
+            return Err(format!("SetEntriesInAclW failed: error {}", err.0));
+        }
+
+        // Create a security descriptor with this DACL
+        let sd_layout = std::alloc::Layout::new::<SECURITY_DESCRIPTOR>();
+        let sd_ptr = std::alloc::alloc_zeroed(sd_layout) as *mut SECURITY_DESCRIPTOR;
+        if sd_ptr.is_null() {
+            return Err("Failed to allocate security descriptor".into());
+        }
+
+        InitializeSecurityDescriptor(
+            sd_ptr as *mut _,
+            SECURITY_DESCRIPTOR_REVISION,
+        ).map_err(|e| format!("InitializeSecurityDescriptor failed: {e}"))?;
+
+        SetSecurityDescriptorDacl(
+            sd_ptr as *mut _,
+            true,
+            Some(acl as *const _),
+            false,
+        ).map_err(|e| format!("SetSecurityDescriptorDacl failed: {e}"))?;
+
+        // Note: sd_ptr and acl are intentionally leaked — they must live for the
+        // lifetime of the pipe server. The OS frees them on process exit.
+
+        Ok(SECURITY_ATTRIBUTES {
+            nLength: std::mem::size_of::<SECURITY_ATTRIBUTES>() as u32,
+            lpSecurityDescriptor: sd_ptr as *mut _,
+            bInheritHandle: false.into(),
+        })
+    }
+}
+
 // ── Windows named pipe client handling ───────────────────────────
 
 #[cfg(windows)]
@@ -417,8 +515,13 @@ fn handle_windows_client(
 
         let id = message.get("id").and_then(|v| v.as_str()).map(|s| s.to_string());
 
+        // On Windows, use client-reported ttyId from the message (set by --via-daemon callers)
+        let effective_tty_id = tty_id.clone().or_else(|| {
+            message.get("ttyId").and_then(|v| v.as_str()).map(|s| s.to_string())
+        });
+
         let response = if let Some(ref handler) = handler {
-            handler(message, tty_id.clone())
+            handler(message, effective_tty_id)
         } else {
             serde_json::json!({"error": "No handler"})
         };

packages/encryption-binary-rust/src/main.rs

@@ -137,15 +137,36 @@ fn cmd_encrypt(args: &[String]) {
 fn cmd_decrypt(args: &[String]) {
     let key_id = get_key_id(args);
 
-    let data_b64 = match get_arg(args, "--data") {
-        Some(d) => d,
-        None => json_error("Missing --data argument (base64-encoded ciphertext)"),
+    // --data-stdin reads a JSON payload from stdin: {"data":"...","ttyId":"..."}
+    // This prevents ciphertext and session identity from being visible in process listings.
+    let (data_b64, stdin_tty_id) = if args.contains(&"--data-stdin".to_string()) {
+        let mut input = String::new();
+        std::io::stdin().read_line(&mut input)
+            .unwrap_or_else(|e| json_error(&format!("Failed to read stdin: {e}")));
+        let input = input.trim();
+        // Try parsing as JSON (new format), fall back to plain string (backwards compat)
+        if let Ok(parsed) = serde_json::from_str::<serde_json::Value>(input) {
+            let data = parsed.get("data").and_then(|v| v.as_str())
+                .unwrap_or_else(|| json_error("Missing 'data' field in stdin JSON"))
+                .to_string();
+            let tty_id = parsed.get("ttyId").and_then(|v| v.as_str()).map(|s| s.to_string());
+            (data, tty_id)
+        } else {
+            (input.to_string(), None)
+        }
+    } else {
+        let data = match get_arg(args, "--data") {
+            Some(d) => d,
+            None => json_error("Missing --data or --data-stdin argument"),
+        };
+        (data, None)
     };
 
     // --via-daemon: route through the daemon for biometric + session caching.
     // Used by WSL2 where the TS side can't connect to Windows named pipes directly.
     if args.contains(&"--via-daemon".to_string()) {
-        match daemon_client::decrypt_via_daemon(&data_b64, &key_id) {
+        let tty_id = stdin_tty_id.as_deref();
+        match daemon_client::decrypt_via_daemon(&data_b64, &key_id, tty_id) {
             Ok(plaintext) => json_success(json!({"plaintext": plaintext})),
             Err(e) => json_error(&e),
         }
@@ -235,13 +256,15 @@ COMMANDS:
   list-keys                       List all Varlock encryption keys
   key-exists [--key-id <id>]      Check if a key exists
   encrypt --data <base64> [--key-id <id>]   Encrypt data (one-shot)
-  decrypt --data <base64> [--key-id <id>] [--via-daemon]   Decrypt data
+  decrypt --data <base64> [--key-id <id>] [--via-daemon]         Decrypt data
+  decrypt --data-stdin [--key-id <id>] [--via-daemon]           Decrypt (data from stdin)
   status                          Check platform capabilities
   daemon --socket-path <path> [--pid-path <path>]   Start IPC daemon
 
 OPTIONS:
   --key-id <id>       Key identifier (default: varlock-default)
   --data <base64>     Base64-encoded data
+  --data-stdin        Read data from stdin as JSON: {"data":"...","ttyId":"..."}
   --socket-path <path>  Unix socket path for daemon mode
   --pid-path <path>   PID file path for daemon mode
   --via-daemon        Route decrypt through daemon for biometric + session caching

packages/varlock/src/lib/local-encrypt/index.ts

@@ -10,7 +10,8 @@
  *   4. File-based (pure JS) — universal fallback, no native binary needed
  */
 
-import { execFileSync } from 'node:child_process';
+import { execFileSync, spawnSync } from 'node:child_process';
+import fs from 'node:fs';
 import { resolveNativeBinary } from './binary-resolver';
 import { DaemonClient } from './daemon-client';
 import * as fileBackend from './file-backend';
@@ -28,6 +29,26 @@ function debug(msg: string) {
   }
 }
 
+/**
+ * Get a TTY identifier for session scoping.
+ * Reads the controlling terminal from /proc/self/fd/0 or falls back to PID.
+ */
+let _cachedTtyId: string | undefined;
+function getSelfTtyId(): string {
+  if (_cachedTtyId) return _cachedTtyId;
+  try {
+    const ttyPath = fs.readlinkSync('/proc/self/fd/0');
+    if (ttyPath && ttyPath.startsWith('/dev/')) {
+      _cachedTtyId = ttyPath;
+      return ttyPath;
+    }
+  } catch {
+    // Not available
+  }
+  _cachedTtyId = `pid:${process.pid}`;
+  return _cachedTtyId;
+}
+
 // ── Native binary one-shot commands ────────────────────────────────────
 
 function runNativeBinary(args: Array<string>, opts?: { timeout?: number }): string {
@@ -212,11 +233,32 @@ export async function decryptValue(ciphertext: string, keyId: string = DEFAULT_K
   if (backend.biometricAvailable) {
     if (isWSL()) {
       debug('decryptValue: WSL2 biometric decrypt via --via-daemon');
-      // Longer timeout: includes daemon spawn + Windows Hello biometric prompt
-      const result = runNativeBinaryJson<{ plaintext: string }>(
-        ['decrypt', '--key-id', keyId, '--data', ciphertext, '--via-daemon'],
-        { timeout: 60_000 },
-      );
+      const binaryPath = resolveNativeBinary();
+      if (!binaryPath) throw new Error('Native binary not found');
+      // Use spawnSync with stdin to avoid exposing ciphertext or session
+      // identity in process listings (visible via tasklist/procfs).
+      // Stdin JSON includes both the data and the TTY ID for session scoping.
+      const stdinPayload = JSON.stringify({
+        data: ciphertext,
+        ttyId: getSelfTtyId(),
+      });
+      const proc = spawnSync(binaryPath, ['decrypt', '--key-id', keyId, '--data-stdin', '--via-daemon'], {
+        input: stdinPayload,
+        encoding: 'utf-8',
+        timeout: 60_000,
+      });
+      if (proc.error) throw proc.error;
+      if (proc.status !== 0) {
+        const output = (proc.stdout || proc.stderr || '').trim();
+        try {
+          const parsed = JSON.parse(output);
+          if (parsed.error) throw new Error(parsed.error);
+        } catch { /* not JSON */ }
+        throw new Error(`Decrypt failed (exit ${proc.status}): ${output}`);
+      }
+      const result = JSON.parse(proc.stdout.trim());
+      if (result.error) throw new Error(result.error);
+      debug(`decryptValue: WSL2 result: ${proc.stdout.trim().slice(0, 100)}`);
       return result.plaintext;
     }
     debug('decryptValue: biometric decrypt via daemon client');