Controlling Device Namespace Access

In the Windows Driver Model (WDM), every device object has an associated namespace. Names in the device's namespace are paths that begin with the device's name. For a device named "\Device\DeviceName", its namespace consists of any name of the form "\Device\DeviceName\FileName". (For a file system, FileName is an actual name of a file on the file system.)

A WDM driver receives open requests for all names in the device's namespace. The driver treats an open request for "\Device\DeviceName" as an open of the device object itself. If the driver implements support for open requests into the device's namespace, then it treats an open request for "\Device\DeviceName\FileName" as an open of a "file" within the device object's namespace (where the notion of "file" for the device is driver-determined).

Most drivers do not implement support for open operations into the device's namespace, but all drivers must provide security checks to prevent unauthorized access to the device's namespace. By default, security checks for file open requests within the device's namespace, (for example, "\Device\DeviceName\FileName") are left entirely up to the driver – the device object ACL is not checked by the operating system.

If a device object's FILE_DEVICE_SECURE_OPEN characteristic is set, the system applies the device object's security descriptor to all file open requests in the device's namespace. Drivers can set FILE_DEVICE_SECURE_OPEN when they create the device object with IoCreateDevice or IoCreateDeviceSecure. For WDM drivers, FILE_DEVICE_SECURE_OPEN can also be set in the registry. It can also be set in the registry for device objects of non-WDM drivers that are created by IoCreateDeviceSecure. For more information about setting device object properties, such as the device characteristics, in the registry, see Setting Device Object Properties in the Registry. For more information about device characteristics, see Specifying Device Characteristics.

Drivers for devices that do not support namespaces must use one of two methods to ensure that file open requests within the device's namespace are handled correctly:

• The driver's device objects have the FILE_DEVICE_SECURE_OPEN device characteristic set. The driver can then treat any open request into the device's namespace as an open request for the device object.
• The driver can fail any IRP_MJ_CREATE requests that specify an IrpSp->FileObject->FileName parameter whose length is nonzero. In this case, open requests for the device are subject to the system's ACL check, while all file open requests within the device's namespace are failed by the driver. (Drivers that support exclusive opens must use this option.)

Drivers for devices that do support namespaces can also use two methods to secure file open requests into the device's namespace:

• The driver's device objects have the FILE_DEVICE_SECURE_OPEN device characteristic set. This ensures that the security settings for the device apply uniformly to the device's namespace. (The driver is responsible for implementing support for the namespace in its DispatchCreate routine.)
• The driver checks any ACLs for the file name in its DispatchCreate routine. (Even in this case the driver should set the FILE_DEVICE_SECURE_OPEN characteristic unless opens into the device's namespace can have weaker security settings than the device object.)

The FILE_DEVICE_SECURE_OPEN characteristic is checked at the top of the stack, so filter device objects must copy the Characteristics member of the next-lower device object after attaching.