LCOW: Add SIDs to layer.vhd at creation

Signed-off-by: John Howard <jhoward@microsoft.com>

Some permissions corrections here. Also needs re-vendor of go-winio.

 - Create the layer folder directory as standard, not with SDDL. It will inherit permissions from the data-root correctly.
 - Apply the VM Group SID access to layer.vhd

Permissions after this changes

Data root:

```
PS C:\> icacls test
test BUILTIN\Administrators:(OI)(CI)(F)
     NT AUTHORITY\SYSTEM:(OI)(CI)(F)
```

lcow subdirectory under dataroot
```
PS C:\> icacls test\lcow
test\lcow BUILTIN\Administrators:(I)(OI)(CI)(F)
          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
```

layer.vhd in a layer folder for LCOW
```
.\test\lcow\c33923d21c9621fea2f990a8778f469ecdbdc57fd9ca682565d1fa86fadd5d95\layer.vhd NT VIRTUAL MACHINE\Virtual Machines:(R)
                                                                                       BUILTIN\Administrators:(I)(F)
                                                                                       NT AUTHORITY\SYSTEM:(I)(F)
```

And showing working

```
PS C:\> docker-ci-zap -folder=c:\test
INFO: Zapped successfully
PS C:\> docker run --rm alpine echo hello
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
8e402f1a9c57: Pull complete
Digest: sha256:644fcb1a676b5165371437feaa922943aaf7afcfa8bfee4472f6860aad1ef2a0
Status: Downloaded newer image for alpine:latest
hello
```

daemon/graphdriver/lcow/lcow.go

@@ -58,6 +58,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/Microsoft/go-winio/pkg/security"
 	"github.com/Microsoft/hcsshim"
 	"github.com/Microsoft/hcsshim/ext4/tar2ext4"
 	"github.com/Microsoft/opengcs/client"
@@ -67,7 +68,6 @@ import (
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/ioutils"
 	"github.com/docker/docker/pkg/reexec"
-	"github.com/docker/docker/pkg/system"
 	"github.com/sirupsen/logrus"
 )
 
@@ -608,10 +608,11 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
 	}
 	layerChain = append(layerChain, parentChain...)
 
-	// Make sure layers are created with the correct ACL so that VMs can access them.
 	layerPath := d.dir(id)
 	logrus.Debugf("lcowdriver: create: id %s: creating %s", id, layerPath)
-	if err := system.MkdirAllWithACL(layerPath, 755, system.SddlNtvmAdministratorsLocalSystem); err != nil {
+	// Standard mkdir here, not with SDDL as the dataroot was created with
+	// inheritance to just local system and administrators.
+	if err := os.MkdirAll(layerPath, 0700); err != nil {
 		return err
 	}
 
@@ -868,14 +869,30 @@ func (d *Driver) ApplyDiff(id, parent string, diff io.Reader) (int64, error) {
 			logrus.Warnf("lcowdriver: applydiff: id %s failed %s", id, err)
 			return 0, fmt.Errorf("re-exec error: %v: stderr: %s", err, stderr)
 		}
-		return strconv.ParseInt(stdout.String(), 10, 64)
+
+		size, err := strconv.ParseInt(stdout.String(), 10, 64)
+		if err != nil {
+			logrus.Warnf("lcowdriver: applydiff: id %s failed to parse output %s", id, err)
+			return 0, fmt.Errorf("re-exec error: %v: stdout: %s", err, stdout)
+		}
+		return applySID(id, size, dest)
+
 	}
 	// The inline case
 	size, err := tar2ext4Actual(dest, diff)
 	if err != nil {
 		logrus.Warnf("lcowdriver: applydiff: id %s failed %s", id, err)
 	}
-	return size, err
+	return applySID(id, size, dest)
+}
+
+// applySID adds the VM Group SID read-only access.
+func applySID(id string, size int64, dest string) (int64, error) {
+	if err := security.GrantVmGroupAccess(dest); err != nil {
+		logrus.Warnf("lcowdriver: applySIDs: id %s failed %s", id, err)
+		return 0, err
+	}
+	return size, nil
 }
 
 // tar2ext4Reexec is the re-exec entry point for writing a layer from a tar file

pkg/system/filesys_windows.go

@@ -18,8 +18,6 @@ import (
 const (
 	// SddlAdministratorsLocalSystem is local administrators plus NT AUTHORITY\System
 	SddlAdministratorsLocalSystem = "D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
-	// SddlNtvmAdministratorsLocalSystem is NT VIRTUAL MACHINE\Virtual Machines plus local administrators plus NT AUTHORITY\System
-	SddlNtvmAdministratorsLocalSystem = "D:P(A;OICI;GA;;;S-1-5-83-0)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
 )
 
 // MkdirAllWithACL is a wrapper for MkdirAll that creates a directory