Blocking access from a file system mini-filter

Hi,

I’m writing a file system mini-filter to control access to certain volumes and I would appreciate any feedback on my approach. Access is to be controlled as follows:

Block All:

I currently block all creates - is this safe? Should I allow some to keep the OS happy? I’ve tested on Windows 8 and haven’t noticed any issues.

No Execute:

I check desiredAccess for FILE_EXECUTE if FILE_DIRECTORY_FILE is not set in the options (to avoid clashes with FILE_TRAVERSE).

Read Only:

I check desiredAccess for WRITE_DAC, WRITE_OWNER, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA and DELETE. If any are set the create is blocked. This works fine except that I can create directories from a command prompt. Any ideas on how to fix this one?

Thanks

It may cause some applications to misbehave, but if you aren’t doing this to the boot volume, you should be fine. Boot volume (the drive where the OS is installed) is trickier because if you block access from critical applications the system will die.

Note that FILE_DIRECTORY_FILE is an optional hint. I suspect at some point you’ll break something…

You would need to block requests to create a directory (IRP_MJ_CREATE). FILE_ADD_CHILD access is required to the containing directory, but that won’t be specified in the IRP_MJ_CREATE call - it’s an attribute of the directory. Actually, I’m surprised that you can only create directories.

Tony
OSR

You also need to check the create disposition. The desired access can be just read but if the create disposition specifies create and the ACLs allow it the file will be created. MAXIMUM_ALLOWED also gets involved here.

Bill Wandel

 

on Jan 29, 2014, Tony Mason wrote:

It may cause some applications to misbehave, but if you aren’t doing this to the boot volume, you should be fine. Boot volume (the drive where the OS is installed) is trickier because if you block access from critical applications the system will die.

Note that FILE_DIRECTORY_FILE is an optional hint. I suspect at some point you’ll break something…

You would need to block requests to create a directory (IRP_MJ_CREATE). FILE_ADD_CHILD access is required to the containing directory, but that won’t be specified in the IRP_MJ_CREATE call - it’s an attribute of the directory. Actually, I’m surprised that you can only create directories.

Tony
OSR



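Added example, not part of the original thread and not code from any poster: the read-only decision from the question, extended with the create-disposition and MAXIMUM_ALLOWED checks raised in the replies, written as plain C so the logic can be tested outside a driver. The function names, the sample request, and the choice to refuse MAXIMUM_ALLOWED and FILE_OPEN_IF outright are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Values as in the Windows headers, repeated so the logic builds anywhere. */
#define FILE_READ_DATA      0x00000001u
#define FILE_LIST_DIRECTORY 0x00000001u
#define FILE_WRITE_DATA     0x00000002u
#define FILE_APPEND_DATA    0x00000004u
#define FILE_WRITE_EA       0x00000010u
#define DELETE              0x00010000u
#define WRITE_DAC           0x00040000u
#define WRITE_OWNER         0x00080000u
#define SYNCHRONIZE         0x00100000u
#define MAXIMUM_ALLOWED     0x02000000u
#define FILE_DIRECTORY_FILE 0x00000001u /* create option */
#define FILE_OPEN           1u          /* disposition: open existing only */
#define FILE_CREATE         2u          /* disposition: create new */
#define FILE_OPEN_IF        3u          /* disposition: open, else create */

#define WRITE_MASK (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | \
                    DELETE | WRITE_DAC | WRITE_OWNER)

/* Parameters.Create.Options carries the disposition in its top 8 bits
   and the create options in the low 24 bits. */
uint32_t pack_options(uint32_t disposition, uint32_t options)
{
    return (disposition << 24) | (options & 0x00FFFFFFu);
}

/* The check described in the question: desired access only. */
bool access_only_blocks(uint32_t desired_access)
{
    return (desired_access & WRITE_MASK) != 0;
}

/* Hypothetical read-only policy; true means fail the create. In a filter
   the inputs are SecurityContext->DesiredAccess and Parameters.Create.Options
   as seen in the IRP_MJ_CREATE pre-operation callback. */
bool read_only_blocks(uint32_t desired_access, uint32_t packed_options)
{
    if (desired_access & WRITE_MASK)
        return true;
    /* Assumption: refuse MAXIMUM_ALLOWED, since the ACL may grant write. */
    if (desired_access & MAXIMUM_ALLOWED)
        return true;
    /* Only FILE_OPEN can never create, replace or truncate anything.
       Refusing FILE_OPEN_IF as well is the conservative choice here. */
    return ((packed_options >> 24) & 0xFFu) != FILE_OPEN;
}
```

The constructed request in the test (list-directory access, FILE_CREATE, FILE_DIRECTORY_FILE) passes the access-only check, which is how a directory can still be created on a "read-only" volume.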


 

Thanks for the responses, that has been a great help.