From c209373cba2142df5f22bcbe44e745befb40ada0 Mon Sep 17 00:00:00 2001
From: "Alan Jowett (from Dev Box)"
Date: Fri, 1 Mar 2024 14:16:54 -0800
Subject: [PATCH] PR feedback

Signed-off-by: Alan Jowett (from Dev Box)
---
 include/ebpf_nethooks.h | 14 +++++++++++++-
 netebpfext/net_ebpf_ext_process.c | 13 ++++--------
 tests/netebpfext_unit/netebpfext_unit.cpp | 4 +---
 3 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/include/ebpf_nethooks.h b/include/ebpf_nethooks.h
index e7196b8858..3f1ba7e83c 100644
--- a/include/ebpf_nethooks.h
+++ b/include/ebpf_nethooks.h
@@ -279,10 +279,22 @@ typedef struct _process_md
 uint64_t parent_process_id; ///< Parent process ID.
 uint64_t creating_process_id; ///< Creating process ID.
 uint64_t creating_thread_id; ///< Creating thread ID.
- int32_t creation_status; ///< The NTSTATUS value to return for the process-creation operation.
 process_operation_t operation; ///< Operation to do.
 } process_md_t;

+/*
+ * @brief Handle process creation and deletion.
+ *
+ * Program type: \ref EBPF_PROGRAM_TYPE_PROCESS
+ *
+ * Attach type(s):
+ * \ref EBPF_ATTACH_TYPE_PROCESS
+ *
+ * @param[in] context \ref process_md_t
+ * @return STATUS_SUCCESS to permit the operation, or a failure NTSTATUS value to deny the operation.
+ * Value of STATUS_SUCCESS is 0x0.
+ * For PROCESS_OPERATION_DELETE operation, the return value is ignored.
+ */
 typedef int process_hook_t(process_md_t* context);

diff --git a/netebpfext/net_ebpf_ext_process.c b/netebpfext/net_ebpf_ext_process.c
index 1a3f5cfbab..57f0553978 100644
--- a/netebpfext/net_ebpf_ext_process.c
+++ b/netebpfext/net_ebpf_ext_process.c
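Review bot: The new comment block above `process_hook_t` appears to open with `/*` rather than `/**`, so Doxygen will not attach it to the typedef; if the other hook typedefs in this header use `/**`, this one should too. The `@return` wording also understates the contract the extension actually enforces: in net_ebpf_ext_process.c the value is checked with `NT_SUCCESS()`, so only a status with the severity bit set denies the operation, while non-zero warning/informational values are treated as permit. Suggest `* @return STATUS_SUCCESS (0) to permit the operation, or an NTSTATUS for which NT_SUCCESS() is false to deny it.` so program authors do not rely on "any non-zero value denies".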
@@ -326,8 +326,6 @@ _ebpf_process_create_process_notify_routine_ex(
 process_notify_context.process_md.process_id = (uint64_t)process_id;
 process_notify_context.process_md.parent_process_id =
 (create_info != NULL) ? (uint64_t)create_info->ParentProcessId : 0;
- process_notify_context.process_md.creation_status =
- (create_info != NULL) ? (uint64_t)create_info->CreationStatus : 0;
 process_notify_context.process_md.creating_process_id =
 (create_info != NULL) ? (uint64_t)create_info->CreatingThreadId.UniqueProcess : 0;
 process_notify_context.process_md.creating_thread_id =
@@ -338,19 +336,15 @@ _ebpf_process_create_process_notify_routine_ex(
 net_ebpf_extension_hook_client_t* client_context =
 net_ebpf_extension_hook_get_next_attached_client(_ebpf_process_hook_provider_context, NULL);
 while (client_context != NULL) {
- uint32_t return_value = 0;
+ NTSTATUS status = 0;
 if (net_ebpf_extension_hook_client_enter_rundown(client_context)) {
 result = net_ebpf_extension_hook_invoke_program(
- client_context, &process_notify_context.process_md, &return_value);
+ client_context, &process_notify_context.process_md, (uint32_t*)&status);
 if (result != EBPF_SUCCESS) {
 NET_EBPF_EXT_LOG_MESSAGE(
 NET_EBPF_EXT_TRACELOG_LEVEL_ERROR,
 NET_EBPF_EXT_TRACELOG_KEYWORD_PROCESS,
 "net_ebpf_extension_hook_invoke_program failed");
- } else {
- if (create_info != NULL) {
- create_info->CreationStatus = process_notify_context.process_md.creation_status;
- }
 }
 net_ebpf_extension_hook_client_leave_rundown(client_context);
 } else {
@@ -360,7 +354,8 @@ _ebpf_process_create_process_notify_routine_ex(
 "net_ebpf_extension_hook_client_enter_rundown failed");
 }
 // If the client returns a non-zero value, stop calling the other clients.
- if (create_info && create_info->CreationStatus != STATUS_SUCCESS) {
+ if (!NT_SUCCESS(status) && create_info) {
+ create_info->CreationStatus = status;
 break;
 }
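Review bot: `(uint32_t*)&status` makes `net_ebpf_extension_hook_invoke_program` write through a pointer to a type other than the variable's declared `NTSTATUS`; the sizes match on Windows, but the clearer form keeps the `uint32_t` the callee expects and converts once: `uint32_t return_value = 0;` … `&return_value` … `NTSTATUS status = (NTSTATUS)return_value;`. Separately, the new `NTSTATUS status = 0;` initializer fixes the semantics of the two error paths in this hunk: when `net_ebpf_extension_hook_invoke_program` fails or `enter_rundown` is refused, `status` stays `STATUS_SUCCESS` and the creation is permitted, i.e. a program that could not run never denies. That matches the pre-change behavior, but it is a security-relevant default and should be stated at the declaration, e.g. `// Left at STATUS_SUCCESS when the program cannot be invoked: the creation is permitted (fail-open).` The enclosing `_ebpf_process_create_process_notify_routine_ex` starts and ends outside the hunk.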
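Review bot: The comment `// If the client returns a non-zero value, stop calling the other clients.` is now stale: the new condition `!NT_SUCCESS(status)` tests only the severity bit, so a non-zero warning or informational status neither stops the loop nor reaches `create_info->CreationStatus`. Either update the comment to `// If the client returns a failure NTSTATUS, record it and stop calling the other clients.` or, if the header's "STATUS_SUCCESS permits" contract is meant literally, compare `status != STATUS_SUCCESS` instead; whichever is chosen should agree with the `@return` text in ebpf_nethooks.h. Note also that because `create_info` is NULL for the delete notification, a deny returned for PROCESS_OPERATION_DELETE is silently dropped, which is consistent with the header but worth a one-line comment here.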
diff --git a/tests/netebpfext_unit/netebpfext_unit.cpp b/tests/netebpfext_unit/netebpfext_unit.cpp
index 19a8326971..61f54c5d1d 100644
--- a/tests/netebpfext_unit/netebpfext_unit.cpp
+++ b/tests/netebpfext_unit/netebpfext_unit.cpp
@@ -902,9 +902,7 @@ netebpfext_unit_invoke_process_program(
 test_process_client_context_t* client_context = (test_process_client_context_t*)client_process_context;
 client_context->process_context = *process_context;
- process_context->creation_status = STATUS_ACCESS_DENIED;
-
- *result = 0;
+ *result = STATUS_ACCESS_DENIED;
 return EBPF_SUCCESS;
 }
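Review bot: With `*result = STATUS_ACCESS_DENIED;` the stub program denies unconditionally, so the unit test only exercises the new deny path (`create_info->CreationStatus = status` followed by `break`) and not the permit path where `status` stays 0 and `CreationStatus` must be left untouched. If the test context allows it, a second variant that returns `*result = 0;` (or a flag on `test_process_client_context_t` selecting the value) would pin both sides of the `NT_SUCCESS` check; I cannot see the calling test from this hunk, so this is a suggestion rather than a defect. The enclosing `netebpfext_unit_invoke_process_program` starts outside the hunk.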