Beispiel #1
        /// <summary>
        /// Checks every <see cref="ReportedFileAccess"/> aggregated under one unexpected <see cref="ObservedFileAccess"/>
        /// (the accesses made to a single path), reports each of them, and folds the per-access results into one
        /// allowlist verdict for the path.
        /// </summary>
        /// <param name="unexpectedObservedFileAccess">The aggregated unexpected access whose constituent accesses are evaluated.</param>
        /// <returns>
        /// The least permissive match type seen among the constituent accesses. The result starts at
        /// <see cref="FileAccessAllowlist.MatchType.MatchesAndCacheable"/>, so that is also what is returned when
        /// <c>Accesses</c> yields nothing.
        /// </returns>
        /// <remarks>
        /// The loop deliberately has no early exit: every constituent access is passed to
        /// <c>MatchAndReportUnexpectedFileAccess</c> even after a <c>NoMatch</c> has been seen, so one allowlisted
        /// access can never hide a non-allowlisted one and no access goes unreported.
        /// NOTE(review): an empty access list yields the most permissive verdict; confirm callers never pass one.
        /// </remarks>
        public FileAccessAllowlist.MatchType MatchAndReportUnexpectedObservedFileAccess(ObservedFileAccess unexpectedObservedFileAccess)
        {
            // Most permissive value first; each access can only tighten it.
            FileAccessAllowlist.MatchType leastPermissive = FileAccessAllowlist.MatchType.MatchesAndCacheable;

            foreach (ReportedFileAccess access in unexpectedObservedFileAccess.Accesses)
            {
                FileAccessAllowlist.MatchType current = MatchAndReportUnexpectedFileAccess(access);

                if (current == FileAccessAllowlist.MatchType.NoMatch)
                {
                    // A single non-allowlisted access makes the whole path non-allowlisted.
                    leastPermissive = FileAccessAllowlist.MatchType.NoMatch;
                }
                else if (current == FileAccessAllowlist.MatchType.MatchesButNotCacheable)
                {
                    // Only downgrade from the fully permissive state; an earlier NoMatch must stay in place.
                    if (leastPermissive == FileAccessAllowlist.MatchType.MatchesAndCacheable)
                    {
                        leastPermissive = FileAccessAllowlist.MatchType.MatchesButNotCacheable;
                    }
                }
                else
                {
                    // The only remaining legal value leaves the aggregate untouched.
                    Contract.Assert(current == FileAccessAllowlist.MatchType.MatchesAndCacheable);
                }
            }

            return leastPermissive;
        }
Beispiel #2
        /// <summary>
        /// Reports a single access that, before any allowlisting is considered, was unexpected (the denial may come
        /// from the manifest side or from the BuildXL side), and classifies it against the file-access allowlist.
        /// </summary>
        /// <param name="unexpectedFileAccess">The unexpected access to classify, record and report.</param>
        /// <returns>
        /// The match type returned by the allowlist for this access, or
        /// <see cref="FileAccessAllowlist.MatchType.NoMatch"/> when no allowlist is set or it has no entries.
        /// </returns>
        /// <remarks>
        /// Without a usable allowlist the access is always treated as not allowlisted, so the absence of
        /// configuration never permits an access. The two allowlisted outcomes each bump their own violation
        /// counter. The <c>Add*</c> and <c>Report*</c> helpers are defined outside this excerpt.
        /// </remarks>
        private FileAccessAllowlist.MatchType MatchAndReportUnexpectedFileAccess(ReportedFileAccess unexpectedFileAccess)
        {
            // No allowlist, or an empty one: nothing can excuse the access.
            if (m_fileAccessAllowlist == null || !m_fileAccessAllowlist.HasEntries)
            {
                AddUnexpectedFileAccessNotAllowlisted(unexpectedFileAccess);
                ReportUnexpectedFileAccessNotAllowlisted(unexpectedFileAccess);
                return FileAccessAllowlist.MatchType.NoMatch;
            }

            // An allowlist and failure injection are mutually exclusive configurations (see the assert message).
            Contract.Assert(
                m_config.FailUnexpectedFileAccesses == false,
                "Having a file-access allowlist requires that Detours failure injection is off.");

            FileAccessAllowlist.MatchType verdict = m_fileAccessAllowlist.Matches(m_loggingContext, unexpectedFileAccess, m_pip);

            switch (verdict)
            {
                case FileAccessAllowlist.MatchType.MatchesAndCacheable:
                    AddUnexpectedFileAccessAllowlisted(unexpectedFileAccess);
                    m_numAllowlistedAndCacheableFileAccessViolations++;
                    ReportAllowlistedFileAccessCacheable(unexpectedFileAccess);
                    return verdict;

                case FileAccessAllowlist.MatchType.MatchesButNotCacheable:
                    AddUnexpectedFileAccessAllowlisted(unexpectedFileAccess);
                    m_numAllowlistedButNotCacheableFileAccessViolations++;
                    ReportAllowlistedFileAccessNonCacheable(unexpectedFileAccess);
                    return verdict;

                case FileAccessAllowlist.MatchType.NoMatch:
                    AddUnexpectedFileAccessNotAllowlisted(unexpectedFileAccess);
                    ReportUnexpectedFileAccessNotAllowlisted(unexpectedFileAccess);
                    return verdict;

                default:
                    // An unrecognised match type is never silently treated as allowlisted.
                    throw Contract.AssertFailure("Unknown allowlist-match type.");
            }
        }