PR feedback
Signed-off-by: Alan Jowett (from Dev Box) <[email protected]>
Alan-Jowett committed Mar 1, 2024
1 parent a9c8de6 commit c209373
Showing 3 changed files with 18 additions and 13 deletions.
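--- a/include/ebpf_nethooks.h
+++ b/include/ebpf_nethooks.h
@@ -279,10 +279,22 @@ typedef struct _process_md
 uint64_t parent_process_id; ///< Parent process ID.
 uint64_t creating_process_id; ///< Creating process ID.
 uint64_t creating_thread_id; ///< Creating thread ID.
-int32_t creation_status; ///< The NTSTATUS value to return for the process-creation operation.
 process_operation_t operation; ///< Operation to do.
 } process_md_t;
 
+/*
+ * @brief Handle process creation and deletion.
+ *
+ * Program type: \ref EBPF_PROGRAM_TYPE_PROCESS
+ *
+ * Attach type(s):
+ * \ref EBPF_ATTACH_TYPE_PROCESS
+ *
+ * @param[in] context \ref process_md_t
+ * @return STATUS_SUCCESS to permit the operation, or a failure NTSTATUS value to deny the operation.
+ * Value of STATUS_SUCCESS is 0x0.
+ * For PROCESS_OPERATION_DELETE operation, the return value is ignored.
+ */
 typedef int
 process_hook_t(process_md_t* context);
 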
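Review bot: The new comment on `process_hook_t` describes the single-program case only; the dispatcher in netebpfext/net_ebpf_ext_process.c in this same commit tests the returned value with `NT_SUCCESS`, stores the first failing status in `CreationStatus` and breaks out of the client loop, so a second attached program is never consulted once one has denied, and nothing in this header tells a program author that. I would extend the `@return` text with ` * When several programs are attached, the first failure NTSTATUS returned denies the operation and the remaining programs are not invoked.` and ` * Informational and warning NTSTATUS values (for which NT_SUCCESS is true) permit the operation.` The block is opened with a plain `/*`; if the other hook typedefs in this header use `/**` (the struct members above already use Doxygen `///<`), this `@brief`/`@param` block will be dropped from the generated docs unless it is opened the same way.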
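--- a/netebpfext/net_ebpf_ext_process.c
+++ b/netebpfext/net_ebpf_ext_process.c
@@ -326,8 +326,6 @@ _ebpf_process_create_process_notify_routine_ex(
 process_notify_context.process_md.process_id = (uint64_t)process_id;
 process_notify_context.process_md.parent_process_id =
 (create_info != NULL) ? (uint64_t)create_info->ParentProcessId : 0;
-process_notify_context.process_md.creation_status =
-(create_info != NULL) ? (uint64_t)create_info->CreationStatus : 0;
 process_notify_context.process_md.creating_process_id =
 (create_info != NULL) ? (uint64_t)create_info->CreatingThreadId.UniqueProcess : 0;
 process_notify_context.process_md.creating_thread_id =
@@ -338,19 +336,15 @@ _ebpf_process_create_process_notify_routine_ex(
 net_ebpf_extension_hook_client_t* client_context =
 net_ebpf_extension_hook_get_next_attached_client(_ebpf_process_hook_provider_context, NULL);
 while (client_context != NULL) {
-uint32_t return_value = 0;
+NTSTATUS status = 0;
 if (net_ebpf_extension_hook_client_enter_rundown(client_context)) {
 result = net_ebpf_extension_hook_invoke_program(
-client_context, &process_notify_context.process_md, &return_value);
+client_context, &process_notify_context.process_md, (uint32_t*)&status);
 if (result != EBPF_SUCCESS) {
 NET_EBPF_EXT_LOG_MESSAGE(
 NET_EBPF_EXT_TRACELOG_LEVEL_ERROR,
 NET_EBPF_EXT_TRACELOG_KEYWORD_PROCESS,
 "net_ebpf_extension_hook_invoke_program failed");
-} else {
-if (create_info != NULL) {
-create_info->CreationStatus = process_notify_context.process_md.creation_status;
-}
 }
 net_ebpf_extension_hook_client_leave_rundown(client_context);
 } else {
@@ -360,7 +354,8 @@ _ebpf_process_create_process_notify_routine_ex(
 "net_ebpf_extension_hook_client_enter_rundown failed");
 }
 // If the client returns a non-zero value, stop calling the other clients.
-if (create_info && create_info->CreationStatus != STATUS_SUCCESS) {
+if (!NT_SUCCESS(status) && create_info) {
+create_info->CreationStatus = status;
 break;
 }
 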
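Review bot: The comment `// If the client returns a non-zero value, stop calling the other clients.` kept directly above the new check no longer matches it: the test is now `!NT_SUCCESS(status)`, so a positive, informational or warning status permits the operation and does not stop the loop. Also, `status` starts at 0 and is never written when `net_ebpf_extension_hook_invoke_program` or `net_ebpf_extension_hook_client_enter_rundown` fails, so a program that could not run counts as permitting the process creation — fail-open for a policy hook, which should be stated explicitly next to the error log if it is intended. I would replace the stale comment with `// A failure NTSTATUS from the program denies the operation: record it and stop calling the other clients. A program that could not be invoked leaves status at STATUS_SUCCESS (fail-open).` The `(uint32_t*)&status` cast relies on NTSTATUS being a 32-bit LONG; receiving the value in a `uint32_t` local and assigning it to `status` afterwards avoids the pointer pun. The enclosing function begins before the first hunk and continues past the last.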
4 changes: 1 addition & 3 deletions tests/netebpfext_unit/netebpfext_unit.cpp
Expand Up @@ -902,9 +902,7 @@ netebpfext_unit_invoke_process_program(
test_process_client_context_t* client_context = (test_process_client_context_t*)client_process_context;

client_context->process_context = *process_context;
process_context->creation_status = STATUS_ACCESS_DENIED;

*result = 0;
*result = STATUS_ACCESS_DENIED;
return EBPF_SUCCESS;
}
