I believe the sequence to detect elevated privileges in an IOCTL handler would be something like:

    SECURITY_SUBJECT_CONTEXT subjectContext;
    PACCESS_TOKEN token;
    PTOKEN_ELEVATION tokenElevation = NULL;   /* allocated by SeQueryInformationToken, freed below */
    BOOLEAN elevated = FALSE;

    SeCaptureSubjectContext( &subjectContext );
    SeLockSubjectContext( &subjectContext );
    /* effective token: the impersonation token if the caller is impersonating, else its primary token */
    token = SeQuerySubjectContextToken( &subjectContext );
    if( NT_SUCCESS( SeQueryInformationToken( token, TokenElevation, (PVOID*)&tokenElevation ) ) )
    {
        elevated = (tokenElevation->TokenIsElevated != 0);
        ExFreePool( tokenElevation );
    }
    SeUnlockSubjectContext( &subjectContext );
    SeReleaseSubjectContext( &subjectContext );
    return elevated;

The user-mode equivalent to SeQueryInformationToken is GetTokenInformation, in case the WDK docs are lacking.

Disclaimer: I have not verified that the above works yet.

-Fab

Tzachi Dar wrote on Sun, 23 Oct 2011 at 02:27:26
> From the "technical" perspective, once one opens a device we can define
> which users will have access to that device and what access (read/write
> control).
>
> You can see WdfControlDeviceInitAllocate.
>
> But I believe that before actually doing changes we should all agree on what
> we are doing.
>
> Thanks
> Tzachi
>
>> -----Original Message-----
>> From: [email protected] [mailto:ofw-
>> [email protected]] On Behalf Of Hefty, Sean
>> Sent: Tuesday, October 18, 2011 7:00 PM
>> To: Fab Tillier; Smith, Stan; Leonid Keller; ofw_list
>> Subject: Re: [ofw] partial review of mlx4 branch
>>
>>> Might be worth coming up with a list of verbs that should require
>>> elevated privileges, vs. those that are open to anyone? Something
>>> like "you must run with elevated privileges to register a MAD service".
>>
>> Just restricting access to the MAD layer would be a good start, and may be
>> sufficient. How do you make that check in the kernel?
>> _______________________________________________
>> ofw mailing list
>> [email protected]
>> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ofw
