ECP_WCIFS_REDIRECTION context not getting acknowledged

I am working on a Windows Docker container where I need to figure out, from my filter driver (scanner sample application), whether the request is served from the package layer or from the scratch root (meaning a new or modified file inside the container). In order to figure this out, I added an ECP (ECP_WCIFS_REDIRECTION) context in my pre-create hook, and in post-create I check whether the ECP is acknowledged or not. This works fine for files which are already present in the package layer. But when I create a new file inside the container, this ECP is not getting acknowledged :(

    //
    // Code for adding ECP inside pre-create hook
    //
    do {
        status = FltGetEcpListFromCallbackData(ScannerData.Filter,
                                               Data,
                                               &pECPList);

        if (!NT_SUCCESS(status)) {
            DbgPrint("ScannerAddContainerRedirectionECP: FltGetEcpListFromCallbackData returned (0x%08x)\n", status);
            break;
        }

        if (NULL == pECPList) {
            // There is no valid ECP list. Create one.
            status = FltAllocateExtraCreateParameterList(ScannerData.Filter,
                                                         FSRTL_ALLOCATE_ECPLIST_FLAG_CHARGE_QUOTA,
                                                         &pECPList);

            if (!NT_SUCCESS(status)) {
                DbgPrint("ScannerAddContainerRedirectionECP: FltAllocateExtraCreateParameterList returned (0x%08x)\n", status);
                break;
            }

            //
            // Set it into CBD.
            //
            status = FltSetEcpListIntoCallbackData(ScannerData.Filter,
                                                   Data,
                                                   pECPList);

            if (!NT_SUCCESS(status)) {
                DbgPrint("ScannerAddContainerRedirectionECP: FltSetEcpListIntoCallbackData returned (0x%08x)\n", status);
                // The list was never attached to the callback data, so free it here.
                FltFreeExtraCreateParameterList(ScannerData.Filter, pECPList);
                break;
            }
        }
        else {
            //
            // See if the ECP has already been added to the ECP list.
            //
            status = FltFindExtraCreateParameter(ScannerData.Filter,
                                                 pECPList,
                                                 &GUID_ECP_WCIFS_REDIRECTION,
                                                 NULL,
                                                 NULL);

            if (status != STATUS_NOT_FOUND) {
                DbgPrint("ScannerAddContainerRedirectionECP: redirection ECP is already present\n");
                break;
            }
        }

        // The ECP itself takes the FSRTL_ALLOCATE_ECP_* flags, not the ECPLIST ones.
        status = FltAllocateExtraCreateParameter(ScannerData.Filter,
                                                 &GUID_ECP_WCIFS_REDIRECTION,
                                                 sizeof(WCIFS_REDIRECTION_ECP_CONTEXT),
                                                 FSRTL_ALLOCATE_ECP_FLAG_CHARGE_QUOTA,
                                                 NULL,
                                                 SCANNER_STRING_TAG,
                                                 &pECPContext);

        if (!NT_SUCCESS(status)) {
            DbgPrint("FltAllocateExtraCreateParameter returned (0x%08x)\n", status);
            break;
        }

        RtlZeroMemory(pECPContext, sizeof(WCIFS_REDIRECTION_ECP_CONTEXT));
        status = FltInsertExtraCreateParameter(ScannerData.Filter,
                                               pECPList, pECPContext);

        if (!NT_SUCCESS(status)) {
            DbgPrint("FltInsertExtraCreateParameter returned (0x%08x)\n", status);
            // Insertion failed, so the ECP is still owned by us and must be freed.
            FltFreeExtraCreateParameter(ScannerData.Filter, pECPContext);
            break;
        }
    } while (0);

    //
    // Code for checking ECP is acknowledged
    //
    do
    {
        status = FltGetEcpListFromCallbackData(ScannerData.Filter, Data, &pECPList);

        if (NT_SUCCESS(status)) {
            if (pECPList != NULL) {
                // Ask for the context size as well; it is returned to the caller below.
                status = FltFindExtraCreateParameter(ScannerData.Filter,
                                                     pECPList,
                                                     pEcpGuid,
                                                     &ecpContext,
                                                     &ecpContextSize);

                if (NT_SUCCESS(status)) {
                    if (FltIsEcpAcknowledged(ScannerData.Filter, ecpContext)) {
                        *Ecp = ecpContext;
                        *EcpSize = ecpContextSize;
                    } else {
                        // ECP is present but no filter below acknowledged it.
                        status = STATUS_UNSUCCESSFUL;
                    }
                }
            } else {
                // No ECP list is attached to this create.
                status = STATUS_UNSUCCESSFUL;
            }
        }
    } while (0);

Can someone please help me understand why the ECP context is not getting acknowledged for files which are newly created?

Hello,

This is the expected behavior. The container filter will only acknowledge the ECP for successful opens of streams on its placeholder files. If the ECP is not acknowledged the stream is not redirected or the create failed.

When acknowledged, the flags in the ECP indicate if the stream’s data will be redirected from a layer file or if the data will come directly from the stream being opened.

Scott [MSFT]
This posting is provided “AS IS” with no warranties, and confers no rights.

Hi Scott,

Thanks for your answer. Could you please help me to understand the following.

  1. Inside the container, a file (c:\windows\win.ini) which is part of the image layer is accessed, and I looked at the redirection flags set. To my surprise, the redirection flags set were WCIFS_REDIRECTION_FLAGS_CREATE_SERVICED_FROM_LAYER and WCIFS_REDIRECTION_FLAGS_CREATE_SERVICED_FROM_SCRATCH. If I understand it correctly, the WCIFS_REDIRECTION_FLAGS_CREATE_SERVICED_FROM_SCRATCH flag will be set only for new or modified files inside the container. So why is this flag getting set while accessing a file which was part of the image layer?

  2. In my filter driver I am using the following logic to differentiate whether the file is coming from package layer or from the container layer.
    a. In pre-create add an ECP context (WCIFS_REDIRECTION_ECP_CONTEXT) to the callbackdata
    b. In post-create, if create succeeded, I verify whether the request is coming from container (using IoGetSiloParameters API) or not.
    c. If the request is coming from container then verify whether the redirection flag is acknowledged. If the flag is acknowledged the file is coming from image layer otherwise this is new/modified file.

Is this the right approach to identify a file coming from the container layer?