Morph MORPH
SIGN IN SIGN UP
dhruvhead / cua UNCLAIMED
0 0 0 HTML

fix(cua-driver-rs)(#1646): check_permissions reads IL via PowerShell-shellout helper (#1653)

Third (and conclusive) attempt at the #1646 "check_permissions misreports
IL" bug. Direct verification on the cuademo dogfood VM: a daemon at
demonstrably IL=High (RID 0x3000 by external PowerShell+C# Win32 read
against the daemon's pid) still reported IL=Medium (RID 0x2000) via the
in-process Rust code.

PR #1647's defenses (RevertToSelf + OpenProcess(GetCurrentProcessId)
instead of GetCurrentProcess pseudo-handle) DID NOT fix the bug. Both
code paths used identical underlying Win32 APIs (OpenProcess +
OpenProcessToken + GetTokenInformation(TokenIntegrityLevel=25)) yet
disagreed when called from inside cua-driver vs from a sibling C#
helper. Root cause is still unclear — could be a windows-rs binding
subtlety, could be a Vec-buffer alignment issue that doesn't reproduce
in standalone testing, could be a named-pipe-server thread security
context interaction we don't fully understand.

## Pragmatic fix

Drop the in-process windows-rs implementation. Replace with a PowerShell
shellout that runs the exact C# P/Invoke helper we've already verified
works correctly. Cost is ~100-200ms (one powershell.exe spawn) per
`cua-driver call check_permissions` call. Acceptable — check_permissions
is a user-initiated, read-only diagnostic, not a hot path.

The PowerShell+C# code is byte-identical to the diagnostic snippet that
returned the correct High IL on cuademo's daemon. So we know it works.

## Verification

cuademo dogfood, daemon at actual High IL via AtLogon trigger of
RunLevel=Highest task:

Before this PR (v0.2.16):
  External C# read: IL=High (RID=12288)
  cua-driver call check_permissions: "integrity_level": "Medium" ✗

After this PR (v0.2.18):
  External C# read: IL=High (RID=12288)
  cua-driver call check_permissions: "integrity_level": "High" ✓
                                     "integrity_level_rid": 12288
                                     "elevated": true

Closes #1646.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
F
Francesco Bonacci committed
35501530ce4aa27cdc2980cfec6865e6fc01116a
Parent: abebf1f
Committed by GitHub <noreply@github.com> on 5/21/2026, 9:10:19 PM