Check in IRP_MJ_CREATE if allowed access

Hello,
In my disk filesystem in IRP_MJ_CREATE i’am a (PACL or PSECURITY_DESCRIPTOR) extracted from my fat ,How do i check if a ‘windows user logged’ is authorized access of the file ?

Solution : I capture PACCESS_TOKEN in SECURITY_SUBJECT_CONTEXT::client token from _IO_STACK_LOCATION::Create::SecurityContext::AccessState::SubjectSecurityContext::ClientToken;
AND i call SeQueryInformationToken with TokenOwner for get SID , and browse the PACL extracted from my fat for compare SID of each PACL by SID extracted from ClientToken.
I have not yet test this option.
It is good ?

if no then how ???

Thank.

See the Windows API SeAccessCheck which I believe will do a lot of the work for you in this case.

How do i capture PSECURITY_DESCRIPTOR in IRP_MJ_CREATE ?

Is it possible to check access in user-mode mode ?
For information i developpe a kernel virtual disk filesystem for manage a virtual disk since user-mode

Solution purpose :
i capture from my fat data PACL and data SID of owner and group , in my kernel driver
i create SECURITY_DESCRIPTOR with SIDs and PACE added.
i call SeAccessCheck.

It’s good ?
Thank.

I believe the general outline is that you’ll get the SECURITY_DESCRIPTOR from your file system and you’ll get the SECURITY_SUBJECT_CONTEXT from the parameters to the IRP_MJ_CREATE (Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext). That’s not be all the pieces you need but I believe that’s the major part of it. It would be best to point you to a Microsoft example like the FastFat code, but unfortunately that does not support ACLs. In general the FastFat and the “File System Algoritms” document from Microsoft are some of the best sources for info on file systems (and the old NT 4.0-based Nagar book which in spite of it’s age still has a lot of good info and you might still be able to order one from OSR – although I just looked at it and I didn’t see code for dealing with ACLs in their “Create” function).