Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com>
This commit is contained in:
Dave Thaler 2021-04-26 11:43:13 -07:00 коммит произвёл GitHub
Родитель 762e25939f
Коммит 08c116b8d6
4 изменённых файлов: 23 добавлений и 28 удалений


@ -53,7 +53,7 @@ Set up 2 VMs, which we will refer to as the "attacker" machine and the "defender
On the defender machine, do the following:
1. Install and set up a DNS server
2. Make sure that either the kernel debugger (KD) is attached and running, or one of the [alternatives to running with kernel debugger attached](#alternative-to-running-with-kernel-debugger-attached) is in place
2. Make sure that either the kernel debugger (KD) is attached and running, or one of the [alternatives to running with kernel debugger attached](#alternatives-to-running-with-kernel-debugger-attached) is in place
3. Install Debug VS 2019 VC redist from TBD (or switch everything to Multi-threaded Debug (/MTd) and rebuild)
4. Copy ebpfcore.sys to %windir%\system32\drivers
5. Copy ebpfapi.dll and ebpfnetsh.dll to %windir%\system32


@ -289,7 +289,7 @@ Verification succeeded
The verification command succeeded because there was only one
non-empty TEXT section in bpf.o, so the verifier found it and used that
as the eBPF program to verify. If we try the same on an object file with
multiple such sections, we instead get this:
multiple such sections, we get this:
```
> netsh ebpf show verification bpf2.o
@ -529,7 +529,7 @@ are safe to access start at offset 16.
With the above, our sample program will pass verification:
```
> >netsh ebpf show verification myxdp.o
> netsh ebpf show verification myxdp.o
Verification succeeded
```
@ -880,7 +880,7 @@ RELOCATION RECORDS FOR [.relmyprog]:
0000000000000040 R_BPF_64_64 map
```
This record means that the actual address of map should be inserted at
This record means that the actual address of `map` should be inserted at
offset 0x40, but where is that? llvm-objdump and check both gave us
instruction numbers not offsets, but we can see the raw bytes as follows:


@ -8,7 +8,7 @@
Abstract:
WDF based driver that does the following:
1. Registers as a WFP L2 Callout
2. Opens a IOCTL surface
2. Opens an IOCTL surface
Environment:
@ -71,9 +71,9 @@ static VOID
EbpfCoreEvtIoDeviceControl(
_In_ WDFQUEUE queue,
_In_ WDFREQUEST request,
_In_ size_t output_buffer_length,
_In_ size_t input_buffer_length,
_In_ ULONG io_control_code);
size_t output_buffer_length,
size_t input_buffer_length,
ULONG io_control_code);
inline NTSTATUS
ebpf_error_code_to_ntstatus(ebpf_error_code_t error)
@ -88,8 +88,7 @@ ebpf_error_code_to_ntstatus(ebpf_error_code_t error)
case EBPF_ERROR_INVALID_PARAMETER:
return STATUS_INVALID_PARAMETER;
case EBPF_ERROR_BLOCKED_BY_POLICY:
// TODO: Find a better error code for this.
return STATUS_NOT_SUPPORTED;
return STATUS_CONTENT_BLOCKED;
case EBPF_ERROR_NO_MORE_KEYS:
return STATUS_NO_MORE_MATCHES;
case EBPF_ERROR_INVALID_HANDLE:
@ -173,7 +172,7 @@ EbpfCoreInitDriverObjects(
device_create_flag = TRUE;
// create symbolic link for control object for um
// Create symbolic link for control object for user mode.
RtlInitUnicodeString(&ebpf_symbolic_device_name, EBPF_SYMBOLIC_DEVICE_NAME);
status = WdfDeviceCreateSymbolicLink(*device, &ebpf_symbolic_device_name);
@ -220,9 +219,9 @@ static VOID
EbpfCoreEvtIoDeviceControl(
_In_ WDFQUEUE queue,
_In_ WDFREQUEST request,
_In_ size_t output_buffer_length,
_In_ size_t input_buffer_length,
_In_ ULONG io_control_code)
size_t output_buffer_length,
size_t input_buffer_length,
ULONG io_control_code)
{
NTSTATUS status = STATUS_SUCCESS;
WDFDEVICE device;
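Review bot: The new `return STATUS_CONTENT_BLOCKED;` in ebpf_error_code_to_ntstatus replaces the TODO without recording why that status was chosen, so the next reader of the mapping has no more context than before. A one-line comment above it would preserve the intent: `// Policy denials are reported as STATUS_CONTENT_BLOCKED, not STATUS_NOT_SUPPORTED, so callers can distinguish a denied request from an unsupported one.` The switch and the function body continue outside the hunk, so whether a default case covers unmapped ebpf_error_code_t values cannot be confirmed here. Dropping `_In_` from the by-value size_t/ULONG parameters of EbpfCoreEvtIoDeviceControl changes nothing for analysis, and the prototype and the definition (whose body also runs past the hunk) remain in agreement.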


@ -120,7 +120,7 @@ ebpf_hook_layer_2_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output);
static void
@ -130,7 +130,7 @@ ebpf_hook_resource_allocation_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output);
static void
@ -140,17 +140,15 @@ ebpf_hook_resource_release_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output);
static void
ebpf_hook_no_op_flow_delete(_In_ uint16_t layer_id, _In_ uint32_t fwpm_callout_id, _In_ uint64_t flow_context);
ebpf_hook_no_op_flow_delete(uint16_t layer_id, uint32_t fwpm_callout_id, uint64_t flow_context);
static NTSTATUS
ebpf_hook_no_op_notify(
_In_ FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type,
_In_ const GUID* filter_key,
_Inout_ const FWPS_FILTER* filter);
FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type, _In_ const GUID* filter_key, _Inout_ const FWPS_FILTER* filter);
typedef struct _ebpf_wfp_callout_state
{
@ -411,7 +409,7 @@ ebpf_hook_layer_2_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output)
/* ++
@ -483,7 +481,7 @@ ebpf_hook_resource_allocation_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output)
/* ++
@ -538,7 +536,7 @@ ebpf_hook_resource_release_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output)
/* ++
@ -580,9 +578,7 @@ ebpf_hook_resource_release_classify(
static NTSTATUS
ebpf_hook_no_op_notify(
_In_ FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type,
_In_ const GUID* filter_key,
_Inout_ const FWPS_FILTER* filter)
FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type, _In_ const GUID* filter_key, _Inout_ const FWPS_FILTER* filter)
{
UNREFERENCED_PARAMETER(callout_notification_type);
UNREFERENCED_PARAMETER(filter_key);
@ -592,7 +588,7 @@ ebpf_hook_no_op_notify(
}
static void
ebpf_hook_no_op_flow_delete(_In_ uint16_t layer_id, _In_ uint32_t fwpm_callout_id, _In_ uint64_t flow_context)
ebpf_hook_no_op_flow_delete(uint16_t layer_id, uint32_t fwpm_callout_id, uint64_t flow_context)
/* ++
This is the flowDeleteFn function of the L2 callout.
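Review bot: The reformatted prototype of ebpf_hook_no_op_notify still annotates its last parameter as `_Inout_ const FWPS_FILTER* filter`, and the definition later in the section repeats it; that pairing is self-contradictory, since `_Inout_` tells the analyzer the callee writes through the pointer while `const` forbids that write. The visible body only does `UNREFERENCED_PARAMETER` on its arguments (the hunk shows callout_notification_type and filter_key; the rest of the body is outside the hunk), so `_In_ const FWPS_FILTER* filter` appears to describe the actual contract; if the WFP notify callback type requires a non-const filter instead, drop the `const` and keep `_Inout_`. The remainder of this change only removes `_In_` from by-value scalar parameters, which is applied consistently across the classify, notify and flow-delete prototypes and their definitions.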