[ofw] partial review of mlx4 branch
Fab Tillier
ftillier at microsoft.com
Mon Oct 24 07:16:10 PDT 2011
I believe the sequence to detect elevated privileges in an IOCTL handler would be something like:
SECURITY_SUBJECT_CONTEXT subjectContext;
PTOKEN_ELEVATION tokenElevation;  /* allocated by SeQueryInformationToken, caller frees */
BOOLEAN elevated = FALSE;
SeCaptureSubjectContext( &subjectContext );
SeLockSubjectContext( &subjectContext );
NTSTATUS status = SeQueryInformationToken( SeQuerySubjectContextToken( &subjectContext ),
                                           TokenElevation, (PVOID*)&tokenElevation );
SeUnlockSubjectContext( &subjectContext );
SeReleaseSubjectContext( &subjectContext );
if( NT_SUCCESS( status ) ) {
    elevated = (tokenElevation->TokenIsElevated != 0);
    ExFreePool( tokenElevation );
}
return elevated;
The user-mode equivalent to SeQueryInformationToken is GetTokenInformation, in case the WDK docs are lacking.
Disclaimer: I have not verified that the above works yet.
-Fab
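Added example, not part of Fab's message or the OFW code base: the user-mode counterpart of the kernel sequence above, calling the GetTokenInformation API Fab names with the TokenElevation class through P/Invoke from PowerShell. Run it in an elevated and in a non-elevated session to see the two answers a driver's TokenElevation check would be acting on. The TokenCheck class name and the IsElevated helper are this example's own; OpenProcessToken, GetTokenInformation, TOKEN_QUERY (0x0008) and TOKEN_INFORMATION_CLASS.TokenElevation (20) are the real Win32 definitions from winnt.h.

```powershell
# Added example (not from the original mailing-list post): user-mode check of
# TokenElevation via GetTokenInformation, the equivalent of the kernel-mode
# SeQueryInformationToken( token, TokenElevation, ... ) call discussed above.
$sig = @'
using System;
using System.Runtime.InteropServices;

public static class TokenCheck   // example type name, not a Win32 name
{
    const int  TokenElevation = 20;      // TOKEN_INFORMATION_CLASS.TokenElevation (winnt.h)
    const uint TOKEN_QUERY    = 0x0008;

    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_ELEVATION { public uint TokenIsElevated; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    // Returns true when the calling process runs with an elevated (full) token.
    public static bool IsElevated()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();

        // Unlike the kernel API, user mode supplies its own output buffer.
        int size = Marshal.SizeOf(typeof(TOKEN_ELEVATION));
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            uint returned;
            if (!GetTokenInformation(token, TokenElevation, buf, (uint)size, out returned))
                throw new System.ComponentModel.Win32Exception();
            var elev = (TOKEN_ELEVATION)Marshal.PtrToStructure(buf, typeof(TOKEN_ELEVATION));
            return elev.TokenIsElevated != 0;
        }
        finally
        {
            Marshal.FreeHGlobal(buf);
            CloseHandle(token);
        }
    }
}
'@
Add-Type -TypeDefinition $sig

if ([TokenCheck]::IsElevated()) {
    "Token is elevated: a driver gating on TokenElevation would admit this caller's IOCTL."
} else {
    "Token is not elevated: a driver gating on TokenElevation would reject this caller's IOCTL."
}
```

Note that TokenIsElevated reports whether the token is a full (unfiltered) administrator token, so with UAC disabled every member of Administrators reads as elevated; the kernel-side check has the same semantics, which is what makes it a reasonable gate for verbs such as registering a MAD service.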
Tzachi Dar wrote on Sun, 23 Oct 2011 at 02:27:26
> From the "technical" perspective, once one opens a device we can define
> which users will have access to that device and what access (read/write
> control).
>
> You can see WdfControlDeviceInitAllocate.
>
> But I believe that before actually doing changes we should all agree on what
> we are doing.
>
> Thanks
> Tzachi
>
>> -----Original Message-----
>> From: ofw-bounces at lists.openfabrics.org [mailto:ofw-
>> bounces at lists.openfabrics.org] On Behalf Of Hefty, Sean
>> Sent: Tuesday, October 18, 2011 7:00 PM
>> To: Fab Tillier; Smith, Stan; Leonid Keller; ofw_list
>> Subject: Re: [ofw] partial review of mlx4 branch
>>
>>> Might be worth coming up with a list of verbs that should require
>>> elevated privileges, vs. those that are open to anyone? Something
>>> like "you must run with elevated privileges to register a MAD service".
>>
>> Just restricting access to the MAD layer would be a good start, and may be
>> sufficient. How do you make that check in the kernel?
>> _______________________________________________
>> ofw mailing list
>> ofw at lists.openfabrics.org
>> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ofw