sys: IoCreateDeviceSecure: tighten down who can open the device

build/VStudio/winfsp.vcxproj

@@ -98,21 +98,33 @@
     <ClCompile>
       <AdditionalIncludeDirectories>..\..\inc;..\..\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
+    <Link>
+      <AdditionalDependencies>wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <ClCompile>
       <AdditionalIncludeDirectories>..\..\inc;..\..\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
+    <Link>
+      <AdditionalDependencies>wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <ClCompile>
       <AdditionalIncludeDirectories>..\..\inc;..\..\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
+    <Link>
+      <AdditionalDependencies>wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <ClCompile>
       <AdditionalIncludeDirectories>..\..\inc;..\..\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
+    <Link>
+      <AdditionalDependencies>wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
     <FilesToPackage Include="$(TargetPath)" />
@@ -139,7 +151,7 @@
     <ClCompile Include="..\..\src\sys\write.c" />
   </ItemGroup>
   <ItemGroup>
-    <ClInclude Include="..\..\inc\fsctl.h" />
+    <ClInclude Include="..\..\inc\winfsp\fsctl.h" />
     <ClInclude Include="..\..\src\sys\driver.h" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />

build/VStudio/winfsp.vcxproj.filters

@@ -9,6 +9,9 @@
       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
     </Filter>
+    <Filter Include="Include\winfsp">
+      <UniqueIdentifier>{904f0df1-2fb8-4f84-aa46-fa929488c39a}</UniqueIdentifier>
+    </Filter>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\..\src\sys\cleanup.c">
@@ -73,8 +76,8 @@
     <ClInclude Include="..\..\src\sys\driver.h">
       <Filter>Source</Filter>
     </ClInclude>
-    <ClInclude Include="..\..\inc\fsctl.h">
-      <Filter>Include</Filter>
+    <ClInclude Include="..\..\inc\winfsp\fsctl.h">
+      <Filter>Include\winfsp</Filter>
     </ClInclude>
   </ItemGroup>
 </Project>

inc/winfsp/fsctl.h

@@ -1,5 +1,5 @@
 /**
- * @file sys/fsctl.h
+ * @file winfsp/fsctl.h
  *
  * @copyright 2015 Bill Zissimopoulos
  */
@@ -9,6 +9,10 @@
 
 #include <devioctl.h>
 
+// {6F9D25FA-6DEE-4A9D-80F5-E98E14F35E54}
+extern const __declspec(selectany) GUID FspDeviceClassGuid =
+    { 0x6f9d25fa, 0x6dee, 0x4a9d, { 0x80, 0xf5, 0xe9, 0x8e, 0x14, 0xf3, 0x5e, 0x54 } };
+
 #define FSP_FSCTL_DISK_DEVICE_NAME      "WinFsp.Disk"
 #define FSP_FSCTL_NET_DEVICE_NAME       "WinFsp.Net"
 

src/sys/driver.c

@@ -22,16 +22,20 @@ DriverEntry(
     FSP_ENTER();
 
     /* create the file system control device objects */
+    UNICODE_STRING DeviceSddl;
     UNICODE_STRING DeviceName;
+    RtlInitUnicodeString(&DeviceSddl, L"" DRIVER_SDDL);
     RtlInitUnicodeString(&DeviceName, L"\\Device\\" FSP_FSCTL_DISK_DEVICE_NAME);
-    Result = IoCreateDevice(DriverObject,
+    Result = IoCreateDeviceSecure(DriverObject,
         sizeof(FSP_FSCTL_DEVICE_EXTENSION), &DeviceName, FILE_DEVICE_DISK_FILE_SYSTEM, 0, FALSE,
+        &DeviceSddl, &FspDeviceClassGuid,
         &FspFsctlDiskDeviceObject);
     if (!NT_SUCCESS(Result))
         FSP_RETURN();
     RtlInitUnicodeString(&DeviceName, L"\\Device\\" FSP_FSCTL_NET_DEVICE_NAME);
-    Result = IoCreateDevice(DriverObject,
+    Result = IoCreateDeviceSecure(DriverObject,
         sizeof(FSP_FSCTL_DEVICE_EXTENSION), &DeviceName, FILE_DEVICE_NETWORK_FILE_SYSTEM, 0, FALSE,
+        &DeviceSddl, &FspDeviceClassGuid,
         &FspFsctlNetDeviceObject);
     if (!NT_SUCCESS(Result))
         FSP_RETURN(IoDeleteDevice(FspFsctlDiskDeviceObject));

src/sys/driver.h

@@ -8,9 +8,12 @@
 #define WINFSP_SYS_DRIVER_H_INCLUDED
 
 #include <ntifs.h>
-#include <fsctl.h>
+#include <wdmsec.h>
+#include <winfsp/fsctl.h>
 
 #define DRIVER_NAME                     "WinFsp"
+#define DRIVER_SDDL                     "D:P(A;;GA;;;SY)(A;;GA;;;BA)"
+    /* system and builtin administrators have full access */
 
 /* DEBUGLOG */
 #if DBG