wslc: prevent session name squatting for default WSLc sessions

[benhillis]

Summary

Prevents malicious users from squatting reserved WSLc session names (wslc-cli, wslc-cli-admin) by moving default session name and settings resolution to the server.

Changes

• Server-side default sessions: CreateSession(nullptr) and OpenSessionByName(nullptr) resolve the default session name from the caller's token and username (e.g. wslc-cli-alice, wslc-cli-admin-bob). The client no longer knows or sends session names for default sessions.
• Reserved name rejection: Explicit use of reserved names via CreateSession returns WSLC_E_SESSION_RESERVED. Invalid session names return WSLC_E_INVALID_SESSION_NAME.
• User impersonation: Settings.yaml is loaded under the caller's identity via wil::impersonate_token.
• Dedicated EnterSession API: Custom sessions (wslc session enter) use a separate API that reads settings.yaml server-side and sets NoCreate storage flags.
• wslcsettings shared library: Extracted UserSettings into a shared library used by both wslc.exe and wslservice.exe. SettingsCommand now calls UserSettings directly instead of duplicating file creation logic.
• Cleanup: Removed SessionOptions class, SessionModel.cpp, WslcSettingsTemplate.h. Moved EnumVariantMap.h to common. SessionSettings is NON_MOVABLE (uses unique_ptr to avoid c_str() pointer invalidation).

Testing

• E2E test verifies reserved names are rejected and default session creation still works.
• All E2E tests updated for username-qualified session names.

[Copilot]

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

[Copilot]

Pull request overview

Copilot reviewed 23 out of 24 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (2)

src/windows/wslc/services/SessionService.cpp:45

• When attaching to the default session (empty sessionName -> nullptr passed to OpenSessionByName), failure paths still format errors using sessionName.c_str(), which is an empty string. This produces user-facing messages like "Session '' not found". Consider special-casing the empty-name/default-session case and emitting a clearer localized message (e.g., "Default session not found" / "Failed to open default session") instead of printing an empty name.

    HRESULT hr = manager->OpenSessionByName(sessionName.empty() ? nullptr : sessionName.c_str(), &session);
    if (FAILED(hr))
    {
        if (hr == HRESULT_FROM_WIN32(ERROR_NOT_FOUND))
        {
            wslutil::PrintMessage(Localization::MessageWslcSessionNotFound(sessionName.c_str()), stderr);
            return 1;
        }

        auto errorString = wsl::windows::common::wslutil::ErrorCodeToString(hr);
        wslutil::PrintMessage(
            Localization::MessageErrorCode(Localization::MessageWslcOpenSessionFailed(sessionName.c_str()), errorString), stderr);
        return 1;

src/windows/wslc/services/SessionService.cpp:186

• TerminateSession now treats an empty displayName as "default session" (nullptr passed to OpenSessionByName), but the "not found" / "terminate failed" messages still use displayName.c_str() and can end up printing an empty name. Please special-case the default-session call path so the error message is meaningful when no session name was provided.

    wil::com_ptr<IWSLCSession> session;
    HRESULT hr = sessionManager->OpenSessionByName(displayName.empty() ? nullptr : displayName.c_str(), &session);
    if (FAILED(hr))
    {
        if (hr == HRESULT_FROM_WIN32(ERROR_NOT_FOUND))
        {
            wslutil::PrintMessage(Localization::MessageWslcSessionNotFound(displayName.c_str()), stderr);
            return 1;
        }

[Copilot]

Pull request overview

Copilot reviewed 24 out of 25 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 24 out of 25 changed files in this pull request and generated 5 comments.

[Copilot]

Pull request overview

Copilot reviewed 24 out of 25 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

src/windows/common/WSLCUserSettings.cpp:12

• File header comment still says Module Name: UserSettings.cpp, but the file is now WSLCUserSettings.cpp. Please update the module name to match the actual filename to avoid confusion when tracing build/log output and code ownership.

[Copilot]

Pull request overview

Copilot reviewed 24 out of 25 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

src/windows/service/exe/WSLCSessionManager.h:80

• CreateSession and OpenSessionByName now accept nullptr for default-session resolution (per the updated IDL), but the corresponding declarations here still use _In_ for the pointer parameters. Please update the SAL annotations to _In_opt_ (and similarly mark WslcSessionSettings as optional) so static analysis and code readers match the new contract.

    void GetVersion(_Out_ WSLCVersion* Version);
    void CreateSession(const WSLCSessionSettings* WslcSessionSettings, WSLCSessionFlags Flags, IWSLCSession** WslcSession);
    void EnterSession(_In_ LPCWSTR DisplayName, _In_ LPCWSTR StoragePath, IWSLCSession** WslcSession);
    void ListSessions(_Out_ WSLCSessionInformation** Sessions, _Out_ ULONG* SessionsCount);
    void OpenSession(_In_ ULONG Id, _Out_ IWSLCSession** Session);
    void OpenSessionByName(_In_ LPCWSTR DisplayName, _Out_ IWSLCSession** Session);

[dkbennett]

All the session changes as they relate to the CLI look good to me. Minor comments about having more specific error codes for better diagnosability. We can always add this later but would be easier to pay as we go.

[Copilot]

Pull request overview

Copilot reviewed 25 out of 26 changed files in this pull request and generated 4 comments.

[Copilot]

Pull request overview

Copilot reviewed 25 out of 26 changed files in this pull request and generated 4 comments.