
Apply access check when opening a previously pinned program #76

Closed
poornagmsft opened this issue Apr 25, 2021 · 4 comments

@poornagmsft (Contributor)

@shankarseal fyi

@poornagmsft poornagmsft added the ebpf-km PR/Issues for kernel mode components label Apr 25, 2021
@poornagmsft poornagmsft added this to the 2105 milestone Apr 25, 2021
@dthaler (Collaborator)

dthaler commented May 5, 2021

Program [will consume stubs/headers from PAL work]
Create - Alloc
Open - AccessCheck
ProgramInit
GetProperties

LoadMachineCode - allocating a read only executable page
CreateAndAttachToHook

Pin/Unpin
Uninit/Cleanup [ref count hits 0, the rundown logic]

@dthaler dthaler changed the title windows ebpf km support for program Apply access check when opening a previously pinned program May 5, 2021
@Alan-Jowett (Member)

Looks like the functions to convert SDDL -> SECURITY_DESCRIPTOR aren't in the DDK. Are we ok with passing a self-relative SECURITY_DESCRIPTOR instead of an SDDL?

@Alan-Jowett (Member)

The EbpfIoDevice device object is restricted to:

//
// SDDL_DEVOBJ_SYS_ALL_ADM_ALL allows the kernel, system, and admin complete
// control over the device. No other users may access the device
//

So adding an additional access check here is redundant.

@Alan-Jowett (Member)

Closing this as an additional access check is pointless given that this API can only be called by admin, kernel or local system.

If we ever loosen the restrictions on the device object, revisit this.
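The two comments above rest on what the device object's DACL actually grants, and on what would change if it were loosened later. The following is an added example, not code from ebpf-for-windows: a small evaluator for the subset of SDDL used by device-object security strings. It assumes that SDDL_DEVOBJ_SYS_ALL_ADM_ALL expands to `D:P(A;;GA;;;SY)(A;;GA;;;BA)` (the wdmsec.h definition as far as the author of this example knows), and it applies the usual DACL walk (a matching deny ACE on any still-requested right fails the check, allow ACEs strip rights until none remain) so you can see that only SYSTEM (SY) and Administrators (BA) can open such a device, and what a loosened string would hand out.

```python
"""Toy SDDL DACL evaluator (added example, not ebpf-for-windows code).

Models only what device-object strings such as
    D:P(A;;GA;;;SY)(A;;GA;;;BA)
need: a DACL with optional P/AI/AR flags and A (allow) / D (deny) ACEs
carrying generic rights and a well-known SID abbreviation.
"""
import re

# Generic access rights, in the bit positions Windows uses for them.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000
ALL_GENERIC = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL

RIGHTS = {"GR": GENERIC_READ, "GW": GENERIC_WRITE,
          "GX": GENERIC_EXECUTE, "GA": GENERIC_ALL}

# Assumed expansion of the wdmsec.h macro quoted in the issue.
SDDL_DEVOBJ_SYS_ALL_ADM_ALL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"

_ACE = re.compile(r"\(([^()]*)\)")


def rights_mask(rights):
    """Turn a rights string such as 'GRGW' into a bit mask; GA implies all."""
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unsupported right {code!r}")
        mask |= RIGHTS[code]
    if mask & GENERIC_ALL:
        mask |= ALL_GENERIC
    return mask


def parse_dacl(sddl):
    """Return (dacl_flags, [(ace_type, mask, sid), ...]) for a 'D:' string."""
    if not sddl.startswith("D:"):
        raise ValueError("only a DACL (D:...) is modelled")
    body = sddl[2:]
    head = body.split("(", 1)[0]          # flag letters before the first ACE
    flags = set()
    pos = 0
    while pos < len(head):
        for flag in ("AI", "AR", "P"):    # P = protected: no inherited ACEs
            if head.startswith(flag, pos):
                flags.add(flag)
                pos += len(flag)
                break
        else:
            raise ValueError(f"unsupported DACL flag at {head[pos:]!r}")
    aces = []
    for m in _ACE.finditer(body, len(head)):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE {m.group(0)!r}")
        ace_type, _ace_flags, rights, _obj_guid, _inh_guid, sid = fields
        if ace_type not in ("A", "D"):
            raise ValueError(f"unsupported ACE type {ace_type!r}")
        aces.append((ace_type, rights_mask(rights), sid))
    return flags, aces


def access_allowed(sddl, principal_sids, requested):
    """DACL walk: deny on any remaining bit fails, allows strip bits in order.

    principal_sids is the set of SID abbreviations in the caller's token
    (e.g. {"BU", "WD"} for a plain user). An empty DACL denies everyone.
    """
    _flags, aces = parse_dacl(sddl)
    remaining = requested
    for ace_type, mask, sid in aces:
        if sid not in principal_sids:
            continue
        if ace_type == "D" and (mask & remaining):
            return False
        if ace_type == "A":
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0


if __name__ == "__main__":
    # Constructed token memberships: SYSTEM, an admin, and a plain user.
    tokens = {"SYSTEM": {"SY"}, "admin": {"BA", "BU", "WD"}, "user": {"BU", "WD"}}
    for name, sids in tokens.items():
        print(name, "can open device:",
              access_allowed(SDDL_DEVOBJ_SYS_ALL_ADM_ALL, sids, GENERIC_READ))
```

Running it shows SYSTEM and the admin token succeeding and the plain user failing, which is the basis for the "redundant access check" conclusion above; evaluating a loosened string such as `D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;BU)` against the same tokens is the quickest way to see which callers a future change would admit, and therefore when a per-object check on pinned programs would stop being redundant.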
