I have a Virtual StorPort driver that handles custom IOCTLs on its adapter device via HwProcessServiceRequest. I register a device interface on the adapter control device object. I would like to change the SDDL for the adapter to modify the device access. I have a few questions:
- Can I change the SDDL from within the driver? I don’t create the device object, so I can’t specify the SDDL at device creation time. Is there a StorPort way to do this or is that just not intended with StorPort?
- Can I change the device object’s security descriptor on the existing adapter device object? If this is a viable route, I’m pretty weak on ACLs, ACEs and SIDs. I’d like some guidance on this. As a test, I put in a hack to clear the FILE_DEVICE_SECURE_OPEN flag from each device in the device stack and that didn’t help, but maybe StorPort’s create handler is blocking this still. I know this is not a viable solution anyway; it was just a test.
- I set the SDDL string in the INF file for my driver. It didn’t seem to change the device access until I disabled and re-enabled the device. Then it took effect. After initial install and after a reboot, I can’t access it again without disable/enable. I was not able to configure the INF so that it would add a Security key with a binary Security value under my service key or software key. I did get it to add a Security string value under my service and software keys. Am I doing something wrong with the INF?
- Would it just be easier to create a WDM control device object so I can specify my own SDDL using IoCreateDeviceSecure and handle ordinary IOCTLs?
Thanks