The FE_POLICY_CONFIG structure specifies the selected configuration options and callbacks for the Policy DLL.
typedef struct _FE_POLICY_CONFIG {
    DWORD VersionMajor;
    DWORD VersionMinor;
    DWORD Length;
    struct {
        bool ApproveRename;
        bool ApproveCreateLink;
        bool ApproveCorruptFileAccess;
        bool RawDirSize;
        bool AttachDisk;
        bool mbf1;
        bool mbf2;
        bool mbf3;
    } OfflineBehavior;
    struct {
        bool Enable;
        bool mbf1;
        bool mbf2;
        bool mbf3;
    } AccessCache;
    struct {
        bool Attach;
        bool mbf1;
        bool mbf2;
        bool mbf3;
    } NetworkBehavior;
    POL_GET_POLICY_NEW_FILE *PolGetPolicyNewFile;
    POL_GET_KEY_NEW_FILE_EX *PolGetKeyNewFile;
    POL_GET_POLICY_EXISTING_FILE *PolGetPolicyExistingFile;
    POL_GET_POLICY_DIRECTORY_LISTING *PolGetPolicyDirectoryListing;
    POL_GET_KEY_FROM_HEADER *PolGetKeyFromHeader;
    //
    // Optional. If not specified, OfflineBehavior.ApproveRename is
    // returned
    //
    POL_APPROVE_RENAME *PolApproveRename;
    //
    // Optional. If not specified, OfflineBehavior.ApproveCreateLink
    // is returned
    //
    POL_APPROVE_CREATE_LINK *PolApproveCreateLink;
    //
    // Optional. If not specified the default behavior is to allow
    // the open.
    //
    POL_APPROVE_TRANSACTED_OPEN *PolApproveTransactedOpen;
    //
    // Optional. If not specified, no action is taken
    //
    POL_REPORT_FILE_INCONSISTENT *PolReportFileInconsistent;
    //
    // Optional. If not specified, no action is taken
    //
    POL_REPORT_LAST_HANDLE_CLOSED *PolReportLastHandleClosed;
    //
    // Optional. If not specified, the volume is attached to according
    // to OfflineBehavior.AttachDisk
    //
    POL_ATTACH_VOLUME *PolAttachVolume;
    //
    // Optional. Network Locking
    //
    POL_GET_ROUNDING *PolGetLockRounding;
    //
    // Required
    //
    POL_FREE_HEADER *PolFreeHeader;
    POL_FREE_KEY *PolFreeKey;
    //
    // Optional. If not specified, no action is taken
    //
    POL_UNINIT *PolUnInit;
    //
    // Virtualization Filters we need to ignore and their Virtualized Directories
    //
    DWORD VirtualizationFilterCount;
    LPCWSTR *VirtualizationFilters;
    LPCWSTR *VirtualizationDirs;
    //
    // The algorithm(s) we are going to use.
    //
    DWORD AlgorithmsCount;
    FE_POLICY_ALGORITHM *Algorithms[1];
} FE_POLICY_CONFIG;
VersionMajor
The major version of the FESF Policy API supported by the Policy DLL. This must be FE_POLICY_VERSION_MAJOR.
VersionMinor
The minor version of the FESF Policy API supported by the Policy DLL. This must be FE_POLICY_VERSION_MINOR.
Length
The length in bytes of the FE_POLICY_CONFIG structure.
OfflineBehavior
The fields in this structure set the default values that the FESF kernel mode components use when the FESF Policy Service is not running (that is, when FESF is in the Offline State). This state occurs
- after the kernel mode components have started and before FesfPolicy has started,
- when FesfPolicy fails or is being restarted, or
- during system shutdown, after FesfPolicy has terminated but before the system has completed shutdown processing.
The behaviors specified in this section are saved in the Registry and used by FESF during subsequent reboots. Because they govern what FESF permits whenever the service is absent, including the window after it has crashed or been stopped, each option set to TRUE here widens what can be done to protected files without the Policy DLL being consulted; set each one to the most restrictive value the solution can tolerate.
ApproveRename
If set to TRUE, rename operations will be allowed while the FESF Policy Service is not running.
ApproveCreateLink
If set to TRUE, create hard link operations will be allowed while the FESF Policy Service is not running.
ApproveCorruptFileAccess
If set to TRUE, access to files that are in FESF format but that are "inconsistent" will be allowed when the FESF Policy Service is not running. Files that are "inconsistent" are those which FESF identifies as having an internal structure issue. See the description of PolReportFileInconsistent for more details.
RawDirSize
If set to TRUE, the file sizes shown by directory enumeration will reflect what is consumed on disk (allowing for the Solution Header). The default is to show size of the data in the file. See PolGetPolicyDirectoryListing for how to control this behavior while the service is operating.
AttachDisk
If set to FALSE, FESF will not attach to (and therefore will not call into the Policy DLL for files on) any local disk while FesfPolicy is inactive (for example, during boot). This value is also used as the default if the PolAttachVolume callback is not supplied.
AccessCache
Enable
Set to TRUE to enable FESF Policy Caching, or FALSE to disable it.
NetworkBehavior
Attach
Set to TRUE to attach to (and therefore call into the Policy DLL for files on) the network. A change to this value does not take effect until the machine is rebooted.
PolGetPolicyNewFile
A pointer to the Client Solution Policy DLL's PolGetPolicyNewFile callback function.
PolGetKeyNewFile
A pointer to the Client Solution Policy DLL's PolGetKeyNewFile callback function.
PolGetPolicyExistingFile
A pointer to the Client Solution Policy DLL's PolGetPolicyExistingFile callback function.
PolGetPolicyDirectoryListing
A pointer to the Client Solution Policy DLL's PolGetPolicyDirectoryListing callback function.
PolGetKeyFromHeader
A pointer to the Client Solution Policy DLL's PolGetKeyFromHeader callback function.
PolApproveRename
A pointer to the Client Solution Policy DLL's PolApproveRename callback function.
PolApproveCreateLink
A pointer to the Client Solution Policy DLL's PolApproveCreateLink callback function.
PolApproveTransactedOpen
A pointer to the Client Solution Policy DLL's PolApproveTransactedOpen callback function.
PolReportFileInconsistent
A pointer to the Client Solution Policy DLL's PolReportFileInconsistent callback function.
PolReportLastHandleClosed
A pointer to the Client Solution Policy DLL's PolReportLastHandleClosed callback function.
PolAttachVolume
An optional pointer to the Client Solution Policy DLL's PolAttachVolume callback function.
PolGetLockRounding
An optional pointer to the Client Solution Policy DLL's PolGetLockRounding callback function.
PolFreeHeader
A pointer to the Client Solution Policy DLL's PolFreeHeader callback function.
PolFreeKey
A pointer to the Client Solution Policy DLL's PolFreeKey callback function.
PolUnInit
A pointer to the Client Solution Policy DLL's PolUnInit callback function.
VirtualizationFilterCount
A count of entries in the VirtualizationFilters and VirtualizationDirs array members of this structure. The two arrays are parallel: entry i of VirtualizationDirs is the path presented by the filter named in entry i of VirtualizationFilters.
VirtualizationFilters
A single dimensional array of VirtualizationFilterCount strings describing the Virtualization Filters that FESF should ignore. See the Remarks section for more information.
VirtualizationDirs
A single dimensional array of VirtualizationFilterCount strings describing the starting directory paths surfaced by Virtualization Filters that FESF should ignore. See the Remarks section for more information.
AlgorithmsCount
A count of entries in the Algorithms array member of this structure.
Algorithms
An array of AlgorithmsCount pointers to FE_POLICY_ALGORITHM structures, each of which describes an encryption algorithm that the Policy DLL will use. The declaration reserves a single slot; a Policy DLL that registers more than one algorithm must allocate the structure with room for the additional pointers.
The VirtualizationFilter members allow FESF to interoperate with a subset of minifilters that present a virtualized, but reduced-function, file interface on specific volumes. In OSR's testing we discovered that certain filters present files that may only be used by specific applications and/or with a small subset of ordinary file operations. FESF expects a fully functioning file system and so will not interoperate with these filters.
To allow such systems to function, you can configure a list of filter names and the paths they present. FESF will then ignore all file accesses under the specified path, so long as the named filter is present on the volume.
For example, one filter we are aware of with this behavior is the RsFx0410 filter, which implements SQL Server's FILESTREAM feature. This feature presents a (virtualized) path on certain existing file system volumes starting with the directory name \RSFxName. A Solution Policy DLL that expects to encounter configurations in which FILESTREAM is in use would configure FESF to ignore this path on volumes supporting the feature, using code similar to the following:
// config is the FE_POLICY_CONFIG being prepared for FESF. The configuration
// holds pointers to these arrays rather than copies, so keep them alive for as
// long as FESF may read the configuration (not as automatics of a function
// that returns before FESF is done with it).
LPCWSTR filters[] = { L"RsFx0410" };
LPCWSTR dirs[]    = { L"\\RSFxName" };
config.VirtualizationFilterCount = 1;   // one entry in each parallel array
config.VirtualizationFilters = filters;
config.VirtualizationDirs = dirs;
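As an added example that is not part of OSR's documentation or the FESF SDK, the block below draws together the field descriptions above and the virtualization-filter Remarks: it fills an FE_POLICY_CONFIG with fail-closed offline defaults, leaves every optional callback NULL so FESF applies the documented default for each, registers the FILESTREAM exclusion, and then checks the result the way a Policy DLL might before returning it to FESF. Because it must compile without PolDllApi.h, it re-declares the structure from this page and assumes the rest: the FE_POLICY_VERSION_MAJOR/MINOR values, a single POL_CALLBACK placeholder in place of the real POL_* prototypes, a one-field FE_POLICY_ALGORITHM, a StubCallback standing in for every callback, and the reading that callbacks the header does not mark Optional are required.

```c
/* Added example (not OSR's code): build an FE_POLICY_CONFIG with fail-closed
 * offline defaults and the FILESTREAM exclusion from the Remarks, then check it
 * before handing it to FESF. Everything before the struct is a stand-in for
 * PolDllApi.h so this compiles without the FESF SDK; the version numbers and the
 * single POL_CALLBACK placeholder for all POL_* prototypes are assumptions. */
#include <stdbool.h>
#include <string.h>
#include <wchar.h>
typedef unsigned long DWORD;
typedef const wchar_t *LPCWSTR;
#define FE_POLICY_VERSION_MAJOR 1      /* assumed; real values are in PolDllApi.h */
#define FE_POLICY_VERSION_MINOR 0
typedef int POL_CALLBACK(void);        /* placeholder for the real POL_* types */
typedef struct _FE_POLICY_ALGORITHM { DWORD AlgorithmId; } FE_POLICY_ALGORITHM;
typedef struct _FE_POLICY_CONFIG {
    DWORD VersionMajor, VersionMinor, Length;
    struct { bool ApproveRename, ApproveCreateLink, ApproveCorruptFileAccess,
                  RawDirSize, AttachDisk, mbf1, mbf2, mbf3; } OfflineBehavior;
    struct { bool Enable, mbf1, mbf2, mbf3; } AccessCache;
    struct { bool Attach, mbf1, mbf2, mbf3; } NetworkBehavior;
    POL_CALLBACK *PolGetPolicyNewFile, *PolGetKeyNewFile, *PolGetPolicyExistingFile,
                 *PolGetPolicyDirectoryListing, *PolGetKeyFromHeader;    /* required */
    POL_CALLBACK *PolApproveRename, *PolApproveCreateLink, *PolApproveTransactedOpen,
                 *PolReportFileInconsistent, *PolReportLastHandleClosed,
                 *PolAttachVolume, *PolGetLockRounding;                   /* optional */
    POL_CALLBACK *PolFreeHeader, *PolFreeKey;                             /* required */
    POL_CALLBACK *PolUnInit;                                              /* optional */
    DWORD VirtualizationFilterCount;
    LPCWSTR *VirtualizationFilters, *VirtualizationDirs;
    DWORD AlgorithmsCount;
    FE_POLICY_ALGORITHM *Algorithms[1];   /* over-allocate when AlgorithmsCount > 1 */
} FE_POLICY_CONFIG;

static int StubCallback(void) { return 0; }    /* stands in for every real callback */
static LPCWSTR g_filters[] = { L"RsFx0410" };  /* SQL Server FILESTREAM, per Remarks */
static LPCWSTR g_dirs[]    = { L"\\RSFxName" };

/* While FesfPolicy is not running (boot, restart, shutdown): refuse renames, hard
 * links and access to inconsistent files, keep local disks attached so FESF files
 * are never served raw, and stay off the network. memset leaves every optional
 * callback NULL, so FESF applies the documented default for each of them. */
void InitFailClosedConfig(FE_POLICY_CONFIG *cfg, FE_POLICY_ALGORITHM *alg)
{
    memset(cfg, 0, sizeof *cfg);
    cfg->VersionMajor = FE_POLICY_VERSION_MAJOR;
    cfg->VersionMinor = FE_POLICY_VERSION_MINOR;
    cfg->Length = sizeof *cfg;
    cfg->OfflineBehavior.ApproveRename = false;
    cfg->OfflineBehavior.ApproveCreateLink = false;
    cfg->OfflineBehavior.ApproveCorruptFileAccess = false;
    cfg->OfflineBehavior.RawDirSize = false;   /* list data size, not on-disk size */
    cfg->OfflineBehavior.AttachDisk = true;    /* also the PolAttachVolume default */
    cfg->AccessCache.Enable = true;
    cfg->NetworkBehavior.Attach = false;       /* changing this needs a reboot */
    cfg->PolGetPolicyNewFile = cfg->PolGetKeyNewFile = cfg->PolGetPolicyExistingFile =
        cfg->PolGetPolicyDirectoryListing = cfg->PolGetKeyFromHeader = StubCallback;
    cfg->PolFreeHeader = cfg->PolFreeKey = StubCallback;
    cfg->VirtualizationFilterCount = 1;
    cfg->VirtualizationFilters = g_filters;
    cfg->VirtualizationDirs = g_dirs;
    cfg->AlgorithmsCount = 1;
    cfg->Algorithms[0] = alg;
}

/* Returns 0 when cfg is consistent, else the first failed check: 1 version,
 * 2 Length too small for the trailing Algorithms vector, 3/4 a required
 * callback is NULL, 5 virtualization arrays, 6 algorithm vector. */
int ValidateConfig(const FE_POLICY_CONFIG *cfg)
{
    if (cfg->VersionMajor != FE_POLICY_VERSION_MAJOR ||
        cfg->VersionMinor != FE_POLICY_VERSION_MINOR) return 1;
    if (cfg->AlgorithmsCount == 0) return 6;
    if (cfg->Length < sizeof *cfg +
            (cfg->AlgorithmsCount - 1) * sizeof(FE_POLICY_ALGORITHM *)) return 2;
    if (!cfg->PolGetPolicyNewFile || !cfg->PolGetKeyNewFile ||
        !cfg->PolGetPolicyExistingFile || !cfg->PolGetPolicyDirectoryListing ||
        !cfg->PolGetKeyFromHeader) return 3;
    if (!cfg->PolFreeHeader || !cfg->PolFreeKey) return 4;
    for (DWORD i = 0; i < cfg->VirtualizationFilterCount; i++)
        /* each slot pairs a filter name with a volume-relative path, as in the example */
        if (!cfg->VirtualizationFilters || !cfg->VirtualizationDirs ||
            !cfg->VirtualizationFilters[i] || !cfg->VirtualizationDirs[i] ||
            cfg->VirtualizationDirs[i][0] != L'\\') return 5;
    for (DWORD i = 0; i < cfg->AlgorithmsCount; i++)
        if (!cfg->Algorithms[i]) return 6;
    return 0;
}

/* Builds the config and returns ValidateConfig's verdict; with drop_free_key
 * set, PolFreeKey is cleared first so the required-callback check fires. */
int DemoValidate(int drop_free_key)
{
    static FE_POLICY_ALGORITHM alg = { 1 };
    FE_POLICY_CONFIG cfg;
    InitFailClosedConfig(&cfg, &alg);
    if (drop_free_key) cfg.PolFreeKey = NULL;
    return ValidateConfig(&cfg);
}
```

DemoValidate(0) returns 0 for the fail-closed configuration and DemoValidate(1) returns 4 once PolFreeKey is missing. Set the OfflineBehavior approvals to TRUE only where the solution must keep working with FesfPolicy stopped; each TRUE widens what is possible while the service is down, and the values are persisted to the Registry and applied on every boot. For more than one algorithm, allocate the structure with room for the extra pointers and set Length to the allocated size, which is why ValidateConfig ties Length to AlgorithmsCount (an assumption about how FESF interprets Length, not something the page states).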
Software version: FESF V1 (or later)
Header: PolDllApi.h