Universal Apps (aka Metro, aka ModernUI) problem on CBFS devices

#35874
Posted: 02/11/2016 07:46:57
by David Ruzicka (Standard support level)
Joined: 02/05/2014
Posts: 4

Hi, some Universal Apps (aka ModernUI, aka Metro) running in AppContainer with Low Integrity Level (i.e. Microsoft.Reader or the video player Microsoft.ZuneVideo) require the DO_SUPPORTS_PERSISTENT_ACLS flag enabled on CBFS device objects.
If the DO_SUPPORTS_PERSISTENT_ACLS flag is not enabled, the I/O Manager refuses IRP creation on these device objects for these applications (AppContainer + Low Integrity Level).

Please add optional support for the persistent ACLs information flag on CBFS device objects.
#35875
Posted: 02/11/2016 08:24:25
by Volodymyr Zinin (EldoS Corp.)

Hello,

Thank you for the information. We will check it and modify CBFS. Could you please specify how to reproduce the problem?

Thanks.
#36376
Posted: 04/01/2016 06:55:38
by David Ruzicka (Standard support level)
Joined: 02/05/2014
Posts: 4

Hello, sorry for the long delay (and for my bad English), I was working on something else.

Well, things are a little more complicated. :) The DO_SUPPORTS_PERSISTENT_ACLS flag is required in FileSystem_DeviceObject->Flags and the FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL characteristic is required in Volume_DeviceObject->Characteristics (see below).

First I must say that these problems with the CBFS device objects happen during virtualization of user profiles, which is an important thing for our government customers (whole user profile encryption).

The simplest way:

  • use Mapper for the whole C:\ (mount it as e.g. Z:)
  • use e.g. CbFilter (I am using my own FsFilter for redirecting) and reparse e.g. the C:\Users\%USERNAME%\AppData\Local\Packages directory to Z:\Users\%USERNAME%\AppData\Local\Packages (with an exception for Mapper, of course); use the real USERNAME, not the environment variable
  • try to run e.g. the Microsoft.Reader package or the Microsoft.ZuneVideo package (open a PDF or video file)


Applications crash with messages like "The app didn't start in the required time" (or "RPC something something" sometimes), but the real cause of this error after deep digging (you don't want it, trust me :) ) is STATUS_ACCESS_DENIED for the virtualized package registry file "settings.dat" in the I/O Manager after some AppContainer checks on FileSystemDO->Flags without DO_SUPPORTS_PERSISTENT_ACLS.
In WinDbg I enabled it manually with:
Code
1: kd> !object \Global??\Z:
Object: ffffc00003076570  Type: (ffffe00000088800) SymbolicLink
    ObjectHeader: ffffc00003076540 (new version)
    HandleCount: 0  PointerCount: 1
    Directory Object: ffffc0000000c680  Name: Z:
    Target String is '\Device\{CC78D9CA-F1A5-11E5-8257-000C293FDE75}#0#0'
    Drive Letter Index is 26 (Z:)

1: kd> !object \Device\{CC78D9CA-F1A5-11E5-8257-000C293FDE75}#0#0
Object: ffffc00006722bd0  Type: (ffffe00000088800) SymbolicLink
    ObjectHeader: ffffc00006722ba0 (new version)
    HandleCount: 0  PointerCount: 1
    Directory Object: ffffc000000163b0  Name: {CC78D9CA-F1A5-11E5-8257-000C293FDE75}#0#0
    Target String is '\Device\0000007e'

1: kd> !devobj \Device\0000007e
Device object (ffffe00002976080) is for:
0000007e \Driver\cbfs5 DriverObject ffffe00000db8970
Current Irp 00000000 RefCount 35 Type 00000007 Flags 00002050
Vpb ffffe000028c2e80 Dacl ffffc101028c1330 DevExt ffffe000029761d0 DevObjExt ffffe00002976610 Dope ffffe000028f5180
ExtensionFlags (0000000000)  
Characteristics (0x00000081)  FILE_REMOVABLE_MEDIA, FILE_AUTOGENERATED_DEVICE_NAME
Device queue is not busy.

1: kd> !vpb ffffe000028c2e80
Vpb at 0xffffe000028c2e80
Flags: 0x1 mounted
DeviceObject: 0xffffe0000297b150     <--- FileSystem DO
RealDevice:   0xffffe00002976080
RefCount: 34
Volume Label:          CbFs Test

1: kd> !devobj 0xffffe0000297b150
Device object (ffffe0000297b150) is for:
  \Driver\cbfs5 DriverObject ffffe00000db8970
Current Irp 00000000 RefCount 0 Type 00000008 Flags 00000000     <--- missing DO flag
Dacl ffffc10106a87220 DevExt ffffe0000297b2a0 DevObjExt ffffe0000297baa0
ExtensionFlags (0x00000800)  DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)  
AttachedDevice (Upper) ffffe00002945a20 \FileSystem\FltMgr
Device queue is not busy.

0: kd> ed (ffffe0000297b150+0x30) 0x20000     <--- enable DO_SUPPORTS_PERSISTENT_ACLS flag

0: kd> !devobj 0xffffe0000297b150
Device object (ffffe0000297b150) is for:
  \Driver\cbfs5 DriverObject ffffe00000db8970
Current Irp 00000000 RefCount 0 Type 00000008 Flags 00020000     <--- flag enabled
Dacl ffffc10106a87220 DevExt ffffe0000297b2a0 DevObjExt ffffe0000297baa0
ExtensionFlags (0x00000800)  DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)  
AttachedDevice (Upper) ffffe00002945a20 \FileSystem\FltMgr
Device queue is not busy.


When you enable this flag in FileSystemDO->Flags, the I/O Manager returns STATUS_ACCESS_DENIED on VolumeDO->Characteristics without the FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL flag.
In WinDbg (object \Device\0000007e at ffffe00002976080, see above):
Code
0: kd> ed (0xffffe00002976080+0x34) 0x20000     <--- enable characteristic

0: kd> !devobj 0xffffe00002976080
Device object (ffffe00002976080) is for:
0000007e \Driver\cbfs5 DriverObject ffffe00000db8970
Current Irp 00000000 RefCount 37 Type 00000007 Flags 00002050
Vpb ffffe000028c2e80 Dacl ffffc101028c1330 DevExt ffffe000029761d0 DevObjExt ffffe00002976610 Dope ffffe000028f5180
ExtensionFlags (0000000000)  
Characteristics (0x00020000)  FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL     <--- flag enabled
Device queue is not busy.


I enabled it and the app doesn't crash.

The best solution is IMHO a permanently enabled FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL characteristic in VolumeDO->Characteristics and an optional DO_SUPPORTS_PERSISTENT_ACLS flag in FsDO->Flags (consider more universal apps in the future and more security requirements for them like isolation etc.).
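The two conditions described in the post above, modelled as an added example (this is not CBFS or EldoS code): a user-mode stand-in for the two DEVICE_OBJECT fields, the check in the order David observed, the fix a driver would apply after creating its objects, and a small reader for the "Flags"/"Characteristics" fields of pasted !devobj output so a transcript like the one above can be triaged offline. The struct, the check order and the field reader are assumptions built from the thread; the two flag values are the WDK definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Flag values as defined in the WDK headers (wdm.h / ntddk.h). */
#define DO_SUPPORTS_PERSISTENT_ACLS              0x00020000u
#define FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL 0x00020000u

/* Hypothetical user-mode stand-in for the two DEVICE_OBJECT fields at issue
 * (Flags sits at +0x30 and Characteristics at +0x34 on x64, which is why the
 * WinDbg "ed" commands in the thread poke exactly those two offsets). */
typedef struct { uint32_t Flags; uint32_t Characteristics; } dev_obj_t;

/* The two checks in the order David observed: FS DO Flags first, then the
 * volume DO Characteristics. Returns 0 if a low-IL AppContainer create would
 * pass, 1 if DO_SUPPORTS_PERSISTENT_ACLS is missing, 2 if traversal is. */
int appcontainer_create_check(uint32_t fs_flags, uint32_t vol_characteristics) {
    if (!(fs_flags & DO_SUPPORTS_PERSISTENT_ACLS)) return 1;
    if (!(vol_characteristics & FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL)) return 2;
    return 0;
}

/* What a driver would do to both objects right after IoCreateDevice(): the
 * characteristic always, the ACL flag only when the FS really persists ACLs. */
void cbfs_mark_appcontainer_ready(dev_obj_t *fs_do, dev_obj_t *vol_do, int persistent_acls) {
    vol_do->Characteristics |= FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL;
    if (persistent_acls) fs_do->Flags |= DO_SUPPORTS_PERSISTENT_ACLS;
}

/* Start from the values seen in the transcript, apply the fix, re-run the check. */
int simulate_driver_init(uint32_t fs_flags, uint32_t vol_characteristics, int persistent_acls) {
    dev_obj_t fs = { fs_flags, 0 }, vol = { 0, vol_characteristics };
    cbfs_mark_appcontainer_ready(&fs, &vol, persistent_acls);
    return appcontainer_create_check(fs.Flags, vol.Characteristics);
}

/* Reads a hex field ("Flags 00000000", "Characteristics (0x00000081)") from one
 * line of !devobj output; field includes its trailing space. A match glued to
 * a preceding word (e.g. "ExtensionFlags") is skipped. Returns 0 if absent. */
uint32_t devobj_field(const char *line, const char *field) {
    const char *p = strstr(line, field);
    while (p && p != line && p[-1] != ' ') p = strstr(p + 1, field);
    if (p == NULL) return 0;
    p += strlen(field);
    while (*p == '(') p++;
    return (uint32_t)strtoul(p, NULL, 16);
}
```

Feeding the "Flags" line of the file-system DO and the "Characteristics" line of the volume DO from a !devobj dump into devobj_field() and then appcontainer_create_check() tells you which of the two checks will reject the AppContainer without attaching a debugger.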
#36377
Posted: 04/01/2016 09:15:33
by Volodymyr Zinin (EldoS Corp.)

Thank you so much for the detailed description. I will check it and correct the code. As soon as it is done I will write the result here. Hope it will be in a week or so.
