Reparse and ShareAccess

Igor_Csa · December 20, 2012, 8:59am

Hello!

I am writing a redirection minifilter. In short, what it does is to reparse all CreateFiles from, let’s say, notepad.
The drawback of this approach is I loose the share access semantics for the opened files. That is, if any program opens file1 with exclusive access, and then the user opens file1 with notepad my filter would allow it, so my filter would not be transparent.

To solve that I have thought of calling FltCreateFile(file1, …) with the original create parameters before reparsing, keeping track of the opened handles.
That way if that call fails I can cancel the original write IRP. Of course that implies having to close all opened handles at, AFAIK, PostClose.

Do you think this is correct? Do you reccomend other approach?

Thank you in advance!

Igor_Csa · December 20, 2012, 10:44am

Sorry, I meant … if that call fails I can cancel the original CREATE IRP. …

Alex_Carp · December 20, 2012, 5:56pm

Well, since the actual files are different there are many ways in which your filter might not be transparent (file IDs, actual file data and so on). So I’m not sure I would be worried about sharing. I mean, if you need it to be undetectable then using STATUS_REPARSE is probably not the way to go?

Still, to me the approach of opening the file with the same sharing mode looks good strictly for sharing, but there are cases where sharing is involved that are not going to be very easy to replicate.
Here is a weird example: during processing IRP_MJ_CREATE the file system might detect a sharing violation and it might try to see if there are any oplocks on the file and if so it would break them and retry the open (since the sharing violation might now be gone if whoever had the oplocks closed their handle). In your scenario the oplocks would be taken against your “target” file and so breaking the oplocks won’t fix the sharing violation. This would be different behavior compared to running the same scenario on a machine where your filter isn’t present. Maybe this isn’t a concern but I’m afraid I can’t definitively say that the approach would work without better understanding your requirements? How similar to a file system do you need to be ?

Thanks,
Alex.

On Dec 20, 2012, at 7:44 AM, xxxxx@gmail.com wrote:

Sorry, I meant … if that call fails I can cancel the original CREATE IRP. …

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer