sidecar-GCS changes to forward modifyServiceSettings

Manish Ranjan Mahanta · Manish Ranjan Mahanta · commit 94ccf277abc7 · 2026-03-12T14:39:53.000+05:30
Signed-off-by: Manish Ranjan Mahanta &lt;mmahanta@microsoft.com&gt;
diff --git a/internal/gcs-sidecar/bridge.go b/internal/gcs-sidecar/bridge.go
@@ -172,6 +172,7 @@ func (b *Bridge) AssignHandlers() {
 	b.HandleFunc(prot.RPCDeleteContainerState, b.deleteContainerState)
 	b.HandleFunc(prot.RPCUpdateContainer, b.updateContainer)
 	b.HandleFunc(prot.RPCLifecycleNotification, b.lifecycleNotification)
+	b.HandleFunc(prot.RPCModifyServiceSettings, b.modifyServiceSettings)
 }
 
 // readMessage reads the message from io.Reader
diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go
@@ -23,6 +23,7 @@ import (
 	oci "github.com/Microsoft/hcsshim/internal/oci"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestrequest"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestresource"
+	"github.com/Microsoft/hcsshim/internal/vm/vmutils/etw"
 	"github.com/Microsoft/hcsshim/internal/windevice"
 	"github.com/Microsoft/hcsshim/pkg/annotations"
 	"github.com/Microsoft/hcsshim/pkg/cimfs"
@@ -491,6 +492,67 @@ func (b *Bridge) lifecycleNotification(req *request) (err error) {
 	return nil
 }
 
+func (b *Bridge) modifyServiceSettings(req *request) (err error) {
+	_, span := oc.StartSpan(req.ctx, "sidecar::modifyServiceSettings")
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+
+	// Todo: Add policy enforcement for modifying service settings
+	modifyRequest, err := unmarshalModifyServiceSettings(req)
+	if err != nil {
+		return err
+	}
+
+	switch modifyRequest.PropertyType {
+	case string(prot.LogForwardService):
+		if modifyRequest.Settings != nil {
+			log.G(req.ctx).Tracef("modifyServiceSettings for LogForwardService with RPCModifyServiceSettings, enforcing policy for log sources")
+			settings := modifyRequest.Settings.(*guestrequest.LogForwardServiceRPCRequest)
+
+			switch settings.RPCType {
+			case guestrequest.RPCModifyServiceSettings, guestrequest.RPCStartLogForwarding, guestrequest.RPCStopLogForwarding:
+				log.G(req.ctx).Tracef("%v request received for LogForwardService, proceeding with policy enforcement for log sources", settings.RPCType)
+				// Enforce the policy for log sources in the request and update the settings with allowed log sources.
+				// For cwcow, the sidecar-GCS will verify the allowed log sources against policy and append the necessary GUIDs to the ones allowed. Rest are dropped.
+				// The Enforcer will have to unmarshal the log sources, enforce the policy and then marshal it back to a Base64 encoded JSON string which is what inbox GCS expects.
+				// It can query etw.GetDefaultLogSources to get the default log sources if the policy allows, and allow providers matching the default list during policy enforcement.
+				// This is because the log sources can be a combination of default and user specified log sources for which GUIDs need to be appended based on the policy enforcement.
+				if settings.Settings != "" {
+					// <EXAMPLE CALL>
+					// allowedLogSources, err := b.hostState.securityOptions.PolicyEnforcer.EnforceLogForwardServiceSettingsPolicy(req.ctx, settings.LogSources)
+
+					// For now, we are skipping the policy enforcement and allowing all log sources as the policy enforcer implementation is in progress. We will add the enforcement back once it's implemented.
+					allowedLogSources := settings.Settings // This is Base64 encoded JSON string of log sources
+					log.G(req.ctx).Tracef("Allowed log sources after policy enforcement: %v", allowedLogSources)
+
+					// Update the allowed log sources in the settings. This will be forwarded to inbox GCS which expects the log sources in a JSON string format with GUIDs for providers included.
+					allowedLogSources = etw.UpdateEncodedLogSources(req.ctx, allowedLogSources, false, true)
+					settings.Settings = allowedLogSources
+				}
+			default:
+				log.G(req.ctx).Tracef("modifyServiceSettings for LogForwardService with RPCType: %v, skipping policy enforcement", settings.RPCType)
+			}
+			modifyRequest.Settings = settings
+			buf, err := json.Marshal(modifyRequest)
+			if err != nil {
+				return fmt.Errorf("failed to marshal modifyServiceSettings request: %w", err)
+			}
+			var newRequest request
+			newRequest.ctx = req.ctx
+			newRequest.header = req.header
+			newRequest.header.Size = uint32(len(buf)) + prot.HdrSize
+			newRequest.message = buf
+			req = &newRequest
+		} else {
+			log.G(req.ctx).Tracef("modifyServiceSettings for LogForwardService with empty settings, skipping policy enforcement")
+		}
+	default:
+		log.G(req.ctx).Tracef("modifyServiceSettings with PropertyType: %v, skipping policy enforcement", modifyRequest.PropertyType)
+	}
+	b.forwardRequestToGcs(req)
+	return nil
+}
+
 func volumeGUIDFromLayerPath(path string) (string, bool) {
 	if p, ok := strings.CutPrefix(path, `\\?\Volume{`); ok {
 		if q, ok := strings.CutSuffix(p, `}\Files`); ok {
diff --git a/internal/gcs-sidecar/uvm.go b/internal/gcs-sidecar/uvm.go
@@ -17,6 +17,37 @@ import (
 	"github.com/Microsoft/hcsshim/internal/protocol/guestresource"
 )
 
+func unmarshalModifyServiceSettings(req *request) (_ *prot.ServiceModificationRequest, err error) {
+	ctx, span := oc.StartSpan(req.ctx, "sidecar::unmarshalModifyServiceSettings")
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+
+	var serviceModifyRequest prot.ServiceModificationRequest
+	var requestRawSettings json.RawMessage
+	serviceModifyRequest.Settings = &requestRawSettings
+	if err := commonutils.UnmarshalJSONWithHresult(req.message, &serviceModifyRequest); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal rpcModifySettings: %w", err)
+	}
+
+	if serviceModifyRequest.PropertyType != "" {
+		switch serviceModifyRequest.PropertyType {
+		case string(prot.LogForwardService):
+			log.G(ctx).Info("Unmarshalling log forward service modify settings")
+			settings := &guestrequest.LogForwardServiceRPCRequest{}
+			if err := commonutils.UnmarshalJSONWithHresult(requestRawSettings, settings); err != nil {
+				return nil, fmt.Errorf("invalid LogForwardService modify settings request: %w", err)
+			}
+			serviceModifyRequest.Settings = settings
+		default:
+			// Invalid request
+			log.G(ctx).Errorf("Invalid ServiceModificationRequest: %v", serviceModifyRequest.PropertyType)
+			return nil, fmt.Errorf("invalid ServiceModificationRequest")
+		}
+	}
+
+	return &serviceModifyRequest, nil
+}
+
 func unmarshalContainerModifySettings(req *request) (_ *prot.ContainerModifySettings, err error) {
 	ctx, span := oc.StartSpan(req.ctx, "sidecar::unmarshalContainerModifySettings")
 	defer span.End()

Original file line number	Diff line number	Diff line change
`@@ -172,6 +172,7 @@ func (b *Bridge) AssignHandlers() {`
`172`	`172`	`b.HandleFunc(prot.RPCDeleteContainerState, b.deleteContainerState)`
`173`	`173`	`b.HandleFunc(prot.RPCUpdateContainer, b.updateContainer)`
`174`	`174`	`b.HandleFunc(prot.RPCLifecycleNotification, b.lifecycleNotification)`
	`175`	`+ b.HandleFunc(prot.RPCModifyServiceSettings, b.modifyServiceSettings)`
`175`	`176`	`}`
`176`	`177`
`177`	`178`	`// readMessage reads the message from io.Reader`