/// <summary>
/// Reports every <see cref="ReportedFileAccess"/> that makes up an unexpected <see cref="ObservedFileAccess"/>
/// (an aggregation of reported accesses to a single path) and folds the per-access allowlist results into one
/// aggregate match type: the least permissive result seen across the constituent accesses.
/// </summary>
/// <param name="unexpectedObservedFileAccess">The aggregated access whose constituent accesses are matched and reported.</param>
/// <returns>
/// <see cref="FileAccessAllowlist.MatchType.NoMatch"/> if any constituent access did not match;
/// otherwise <see cref="FileAccessAllowlist.MatchType.MatchesButNotCacheable"/> if any constituent access matched
/// without being cacheable; otherwise <see cref="FileAccessAllowlist.MatchType.MatchesAndCacheable"/>.
/// </returns>
/// <remarks>
/// When <c>Accesses</c> yields no elements the loop body never runs and the initial value
/// <see cref="FileAccessAllowlist.MatchType.MatchesAndCacheable"/> is returned.
/// NOTE(review): that is the most permissive outcome; confirm that callers never pass an empty aggregation.
/// </remarks>
public FileAccessAllowlist.MatchType MatchAndReportUnexpectedObservedFileAccess(ObservedFileAccess unexpectedObservedFileAccess)
{
    // Start from the most permissive result; each constituent access can only lower it.
    FileAccessAllowlist.MatchType leastPermissive = FileAccessAllowlist.MatchType.MatchesAndCacheable;

    foreach (ReportedFileAccess access in unexpectedObservedFileAccess.Accesses)
    {
        // Every access is matched and reported, even after the aggregate has already dropped to NoMatch.
        FileAccessAllowlist.MatchType accessMatch = MatchAndReportUnexpectedFileAccess(access);

        if (accessMatch == FileAccessAllowlist.MatchType.NoMatch)
        {
            // A single non-allowlisted access makes the whole aggregate non-allowlisted.
            leastPermissive = FileAccessAllowlist.MatchType.NoMatch;
        }
        else if (accessMatch == FileAccessAllowlist.MatchType.MatchesButNotCacheable)
        {
            // Only downgrade from the fully permissive state; never raise an aggregate that is already NoMatch.
            if (leastPermissive == FileAccessAllowlist.MatchType.MatchesAndCacheable)
            {
                leastPermissive = FileAccessAllowlist.MatchType.MatchesButNotCacheable;
            }
        }
        else
        {
            // The only remaining legal result leaves the aggregate untouched.
            Contract.Assert(accessMatch == FileAccessAllowlist.MatchType.MatchesAndCacheable);
        }
    }

    return leastPermissive;
}
/// <summary>
/// Matches a single access that, allowlisting aside, was unexpected (the denial may have been decided on the
/// manifest side or on the BuildXL side) against the file-access allowlist, records it, and reports it.
/// </summary>
/// <param name="unexpectedFileAccess">The unexpected access to match, record and report.</param>
/// <returns>
/// The match type returned by the allowlist, or <see cref="FileAccessAllowlist.MatchType.NoMatch"/> when no
/// allowlist is set or the allowlist has no entries.
/// </returns>
/// <remarks>
/// With no usable allowlist the access is always recorded and reported as not allowlisted.
/// NOTE(review): the precondition below relies on <c>Contract.Assert</c>; whether that check is enforced in every
/// build flavor is not visible in this method.
/// </remarks>
private FileAccessAllowlist.MatchType MatchAndReportUnexpectedFileAccess(ReportedFileAccess unexpectedFileAccess)
{
    // No allowlist, or an empty one: nothing can excuse the access.
    if (m_fileAccessAllowlist == null || !m_fileAccessAllowlist.HasEntries)
    {
        AddUnexpectedFileAccessNotAllowlisted(unexpectedFileAccess);
        ReportUnexpectedFileAccessNotAllowlisted(unexpectedFileAccess);
        return FileAccessAllowlist.MatchType.NoMatch;
    }

    Contract.Assert(
        m_config.FailUnexpectedFileAccesses == false,
        "Having a file-access allowlist requires that Detours failure injection is off.");

    FileAccessAllowlist.MatchType allowlistResult =
        m_fileAccessAllowlist.Matches(m_loggingContext, unexpectedFileAccess, m_pip);

    switch (allowlistResult)
    {
        case FileAccessAllowlist.MatchType.NoMatch:
        {
            // Not covered by any allowlist entry: record and report as a violation.
            AddUnexpectedFileAccessNotAllowlisted(unexpectedFileAccess);
            ReportUnexpectedFileAccessNotAllowlisted(unexpectedFileAccess);
            break;
        }

        case FileAccessAllowlist.MatchType.MatchesButNotCacheable:
        {
            // Allowlisted with a non-cacheable match; counted separately from cacheable matches.
            AddUnexpectedFileAccessAllowlisted(unexpectedFileAccess);
            m_numAllowlistedButNotCacheableFileAccessViolations++;
            ReportAllowlistedFileAccessNonCacheable(unexpectedFileAccess);
            break;
        }

        case FileAccessAllowlist.MatchType.MatchesAndCacheable:
        {
            // Allowlisted with a cacheable match.
            AddUnexpectedFileAccessAllowlisted(unexpectedFileAccess);
            m_numAllowlistedAndCacheableFileAccessViolations++;
            ReportAllowlistedFileAccessCacheable(unexpectedFileAccess);
            break;
        }

        default:
            // Any other value is rejected outright instead of being treated as a match.
            throw Contract.AssertFailure("Unknown allowlist-match type.");
    }

    return allowlistResult;
}