FSFD Blocking IRP_MJ_READ

My filter driver should block some IRP_MJ_READs and it does that
successfully. The problem is that applications like Notepad may use
file-mapping, so the data requested by these applications might be cached. If
so, how should I prevent them from reading the data from the cache? Any ideas?

Thank you,
Razvan

  1. Prevent Notepad from mapping the file (there is no documented way
    to do this on NT/2k, but I believe it can be done on XP by hooking and
    failing the PreAcquireForSectionSynchronization callback).
  2. Prevent Notepad from opening the file (preferred method).
  • Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Razvan Hobeanu
Sent: Wednesday, October 02, 2002 12:59 PM
To: File Systems Developers
Subject: [ntfsd] FSFD Blocking IRP_MJ_READ

My filter driver should block some IRP_MJ_READs and it does
that successfully. The problem is that applications like
Notepad may use file-mapping, so the data requested by these
applications might be cached. If so, how should I prevent
them from reading the data from the cache? Any ideas?

Thank you,
Razvan


You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to %%email.unsub%%

Even though file might be mapped, there will be initial IRP_MJ_READs (paged)
to get file’s content from
disk to the cache/image section. Is it not enough? What are you trying to
accomplish?


My filter should block reads even if it didn’t catch the initial IRP_MJ_READ. Something like: “now you see it, now you don’t!”
“Vladimir Chtchetkine” wrote in message news:xxxxx@ntfsd…
Even though file might be mapped, there will be initial IRP_MJ_READs (paged) to get file’s content from
disk to the cache/image section. Is it not enough? What are you trying to accomplish?


The problem is, the initial paged reads may have been emitted by a
different application, one that did have privileges for the file. Once
they’re in the cache, they’re in there for all applications until it’s
purged.

  • Nicholas Ryan


Then, in general, there is no solution to this problem. Once a file gets
memory mapped and its content has been read, you have no way to detect when
the corresponding pages are accessed. On a case-by-case basis there could be
different methods of achieving what you want. For example, you may force
purging of cache/MM pages in the IRP_MJ_CLEANUP handler (on the “last handle close”
event). Or you may modify the Create params in such a way that when the last handle
gets closed the FS itself will purge those pages (prior to XP,
FILE_NO_INTERMEDIATE_BUFFERING does the trick, but it’s a burden for
read/write handlers since there are restrictions associated with this flag).
But again, it depends on the real use case scenario…


This is why Claude invented ACLs.

Windows has a file security model. It’s fundamentally based on checks at
Open. It doesn’t matter if it’s in the cache due to activity of process
A: process B can’t open it unless the token for the process is granted
access.

Trying to kludge in all sorts of other access control checks that aren’t
enforced (a) at open and (b) based on the current token is unlikely to
yield a reliable, useful solution. There’s not much point to an
unreliable security feature.

Access checks on READ are born to lose. It’s not how the system is
designed to work.


> My filter driver should block some IRP_MJ_READs and it does that
> successfully.

You must not. Block file open in this mode instead, all
security-related blocking is done there.

Max

> You must not. Block file open in this mode instead, all
> security-related blocking is done there.
>
> Max

I don’t get it. There is obviously a security check done for each user mode
operation, otherwise one could open the file with, say, SYNCHRONIZE only and
then issue read/write to it, which to me looks like a gaping security hole.
The system clearly does not behave like that today.

Security checks are also performed when the file is mapped, so that a
read-only handle can’t be used to write the file by simply mapping the file
read/write. To my knowledge, the only IO path for which security checks are
skipped is the paging IO path.

If the idea is to avoid reads while still letting the application do its
open with READ access, why would filtering the IRP_MJ_CREATE and removing the
READ_CONTROL access right in the app’s create IRP not work?

That said, you may have problems with this approach since you will get
“access denied” errors in unexpected (but legitimate) places. So I agree with
you, failing the create is cleaner.

Regards,

Pascal Dameme.

Pascal,

Max is correct (as usual).

> There is obviously a security check done for each
> user mode operation […]

No. The create operation checks the security context of the caller
against the security descriptor on the file and records which accesses
were granted. Afterwards, the FILE_READ_DATA bit in those granted
permissions is checked before a read operation is dispatched.

> Security checks are also performed when the file is
> mapped, so that a readonly handle can’t be used to
> write the file by simply mapping the file read/write.

No. The common meaning of “security check” in the context of file
systems and FSFDs is what I described above; when you map a file, the
system doesn’t bother with security contexts or security descriptors, it
just verifies that the permissions your handle was granted are actually
sufficient for what the mapping requires.

> If the idea is to avoid reads while still letting the
> application do its open with READ access, why filtering
> the IRP_MJ_CREATE and removing the READ_CONTROL access
> right in the app’s create IRP would not work ?

Because, for one, READ_CONTROL actually controls permission to read an
object’s security descriptor. Also, as I understood the original poster,
the goal was to deny some reads; if you strip FILE_READ_DATA off the
requested permissions for an open, no read will ever be dispatched for
the handle that this open returns to userland.

That said, I would like to know which product proposes to permit reads
on the basis of the weather forecast or phase of the moon, the better to
avoid it.

Cheers,
Felix.

> Max is correct (as usual).

Should have known better :slight_smile:

> No. The create operation checks the security context of the caller
> against the security descriptor on the file and records which accesses
> were granted. Afterwards, the FILE_READ_DATA bit in those granted
> permissions is checked before a read operation is dispatched.

Well, this was what I (in my not so clear way) meant by “security
checks”. The granted permissions ARE checked before doing any “real”
thing. Should have written “Permission checks”.
Thanks for the correction.

> Because, for one, READ_CONTROL actually controls permission to read an
> object’s security descriptor.

[blush] Of course you are right. Account that on the fact that I posted
before my caffeine fix …

> Also, as I understood the original poster,
> the goal was to deny some reads; if you strip FILE_READ_DATA off the
> requested permissions for an open, no read will ever be dispatched for
> the handle that this open returns to userland.

Ok, I missed this part. I thought the goal was to deny all reads.

> That said, I would like to know which product proposes to permit reads
> on the basis of the weather forecast or phase of the moon, the better to
> avoid it.

I agree. I don’t get why anybody would want to deny the read access AFTER
the permissions are granted.
This would lead to weird semantics from the application point of view …


Pascal.

> I don’t get it. There is obviously a security check done for each user mode
> operation, otherwise one could open the file with, say, SYNCHRONIZE only and
> then issue read/write to it

…and read/write will be failed by IO manager.

> to me looks like a gaping security hole. The system clearly does not
> behave like that today.

Again - all security checks are done in CREATE, other operations just
get the handle’s DesiredAccess bits and check themselves against it.

> only IO path for which security checks
> are skipped is the paging IO path.

You cannot do security checks there, since the paging IO is used by
Cc. Other app can have good permissions to access the file, and Cc
does not differentiate processes - you do not know what process
requested this particular paging IO.

Max
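As an added example (not code from this thread or from any Windows component), here is a user-mode C model of the sequence Felix and Max describe: the caller's token meets the file's security descriptor only at create, the granted bits are recorded on the handle, and read, write and map then consult nothing but those bits. The access-mask constants carry their real NT values; the `Ace`, `SecurityDescriptor` and `Handle` structs and the `nt_*`/`map_view`/`filter_strip_read` functions are toy stand-ins, not the real kernel interfaces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Access-mask bits, with their real NT values. */
#define FILE_READ_DATA   0x0001u
#define FILE_WRITE_DATA  0x0002u
#define READ_CONTROL     0x00020000u   /* read the object's SD, not its data */
#define SYNCHRONIZE      0x00100000u
#define PAGE_READONLY    0x02u
#define PAGE_READWRITE   0x04u

/* Toy security descriptor (constructed): one allow entry per SID. */
typedef struct { uint32_t sid; uint32_t allowed; } Ace;
typedef struct { const Ace *aces; size_t count; } SecurityDescriptor;

/* A handle only remembers what was granted at create time. */
typedef struct { bool valid; uint32_t granted_access; } Handle;

/* Create: the one place the caller's token is checked against the SD. */
Handle nt_create(const SecurityDescriptor *sd, uint32_t token_sid, uint32_t desired) {
    Handle h = { false, 0 };
    uint32_t allowed = 0;
    for (size_t i = 0; i < sd->count; i++)
        if (sd->aces[i].sid == token_sid) allowed |= sd->aces[i].allowed;
    if ((desired & ~allowed) != 0) return h;   /* STATUS_ACCESS_DENIED */
    h.valid = true;
    h.granted_access = desired;                /* recorded on the handle */
    return h;
}

/* Read/write: no token, no SD, just the handle's granted bits. */
bool nt_read(const Handle *h)  { return h->valid && (h->granted_access & FILE_READ_DATA) != 0; }
bool nt_write(const Handle *h) { return h->valid && (h->granted_access & FILE_WRITE_DATA) != 0; }

/* Mapping likewise only verifies the handle covers the requested protection,
   so a read-only handle cannot be mapped PAGE_READWRITE. */
bool map_view(const Handle *h, uint32_t protect) {
    uint32_t need = (protect == PAGE_READWRITE) ? (FILE_READ_DATA | FILE_WRITE_DATA)
                                                : FILE_READ_DATA;
    return h->valid && (h->granted_access & need) == need;
}

/* Create-path filter: strip FILE_READ_DATA from DesiredAccess, so any handle
   that still opens can never dispatch a read (Felix's alternative to failing
   the create outright). */
uint32_t filter_strip_read(uint32_t desired) { return desired & ~FILE_READ_DATA; }
```

Paging I/O is deliberately absent from the model: as Max notes, it arrives with no process context to check, which is why the cache cannot be policed per reader after the fact.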