
Permissive Learning Mode 2/6 filesystem extraction#585

Open
lilybarkley-msft wants to merge 1 commit into user/lilybarkley/plm-pr1-audit-skeleton from user/lilybarkley/plm-pr2-fs-extraction

Conversation


@lilybarkley-msft lilybarkley-msft commented Jun 27, 2026


📖 Description

PR 2 of 6 — stacked on PR1. Adds filesystem extraction to PLM.

  • EventID=14 (access-failure) decoder:
    • File-path normalization (NT-object / verbatim / DOS-device → DOS form)
    • Post-XPath filters: current-directory, drive-letter, self-access, invalid filename chars
    • Per-event accumulator that pushes LearningModeAccessEvent rows (file path + access mask)
  • ETW walker (for_each_event_xml / EvtQuery / EvtRender) with bounded peak memory
  • Shared ParseAccumulator + per-event dispatcher in event_parser
  • config.rs foundations: load/parse, filesystem.{readwritePaths,readonlyPaths} merge, deny_file_set
  • stop/log wired to the FS-extraction pipeline

Capability extraction, config-generation summaries, and UI policy land in PR3–PR5. requested_capabilities is exposed as an always-empty placeholder so call-sites stay stable across the split.

🔗 References

  • Base: PR1 (user/lilybarkley/plm-pr1-audit-skeleton)
  • Next: PR3 — config generation (Adjusted_<name>.json write + detection summaries)

🔍 Validation

  • cargo build -p plm --target x86_64-pc-windows-msvc — clean
  • cargo fmt --all -- --check — clean
  • cargo clippy -p plm --target x86_64-pc-windows-msvc --all-targets -- -D warnings — clean
  • cargo test -p plm --target x86_64-pc-windows-msvc — 37 passed (12 new over PR1; cover path-normalization, post-XPath filters, accumulator dispatch, ETW XML parsing).

✅ Checklist

📋 Issue Type

  • Bug fix
  • Feature
  • Task

GitHub Actions runs the PR validation build automatically. The ADO pipeline
(MXC-PR-Build) is the official build pipeline that signs the binaries; it
runs on merge to main and nightly, and Microsoft reviewers can trigger it
on a PR with /azp run. See docs/pull-requests.md.


Walks EventID=14 records from the captured .etl, decodes file paths
through normalization + post-XPath filters, and merges them into
filesystem.readwritePaths / filesystem.readonlyPaths on an
in-memory copy of the input config. The Adjusted_*.json writer arrives
in the next PR.

New modules:
- event_parser: EvtQuery/EvtRender walk + ParseAccumulator dispatch
- access_failure: EventID=14 decoder + path normalization
- access_event: LearningModeAccessEvent plain struct
- config: WRITE/READ masks, filesystem init, update_from_access_events

Wired stop.rs and log.rs to invoke the FS merge pipeline.

Capability ACE-blob extraction, EventID=27 UI relaxation, the
adjusted-config writer, and merge_capabilities arrive in subsequent
PRs.

37 tests pass; cargo fmt + clippy clean.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lilybarkley-msft lilybarkley-msft requested a review from a team as a code owner June 27, 2026 01:38
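To make the pipeline both the description and the commit message name concrete (EventID=14 decoder, path normalization, post-XPath filters, accumulator merging into filesystem.readwritePaths / filesystem.readonlyPaths), here is an added Rust example. It is not the project's code and does not reproduce the PR's event_parser, access_failure or config modules: the struct and function names, the interpretation of the four filters (drive-letter root, current-directory/relative path, self-access, invalid filename characters), and the WRITE/READ mask subsets are assumptions made for the example. The individual access-mask bit values are the standard winnt.h constants, and the three prefix forms rewritten (`\??\`, `\\?\` including `\\?\UNC\`, `\\.\`) are the documented Windows path syntaxes. The sample records in `demo()` are constructed.

```rust
// Added example (not the project's code): a simplified stand-in for the
// EventID=14 decode -> filter -> accumulate pipeline the PR describes.
// Names, filter interpretations and the WRITE/READ mask subsets are
// assumptions; the individual access-mask bits are the winnt.h values.
use std::collections::BTreeSet;

/// One decoded access-failure row (assumed shape of LearningModeAccessEvent).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LearningModeAccessEvent {
    pub file_path: String,
    pub access_mask: u32,
}

pub const FILE_READ_DATA: u32 = 0x0000_0001;
pub const FILE_WRITE_DATA: u32 = 0x0000_0002;
pub const GENERIC_WRITE: u32 = 0x4000_0000;
pub const GENERIC_READ: u32 = 0x8000_0000;
/// Assumed subsets; the project's real masks live in its config.rs.
pub const WRITE_MASK: u32 = FILE_WRITE_DATA | GENERIC_WRITE;
pub const READ_MASK: u32 = FILE_READ_DATA | GENERIC_READ;

/// Rewrite NT-object (`\??\C:\x`), verbatim (`\\?\C:\x`, `\\?\UNC\s\x`) and
/// DOS-device (`\\.\C:\x`) forms to DOS form. Anything else passes through.
pub fn normalize_dos_path(raw: &str) -> String {
    let body = raw
        .strip_prefix(r"\??\")
        .or_else(|| raw.strip_prefix(r"\\?\"))
        .or_else(|| raw.strip_prefix(r"\\.\"))
        .unwrap_or(raw);
    match body.strip_prefix(r"UNC\") {
        Some(unc) => format!(r"\\{}", unc),
        None => body.to_string(),
    }
}

fn has_drive_spec(p: &[u8]) -> bool {
    p.len() >= 2 && p[0].is_ascii_alphabetic() && p[1] == b':'
}

/// Post-normalization filters: drive-letter root, current-directory
/// (relative) paths, self-access, and invalid filename characters.
pub fn keep_path(path: &str, self_image: &str) -> bool {
    let b = path.as_bytes();
    let is_unc = path.starts_with(r"\\");
    // drive-letter filter: "C:" or "C:\" names no file
    if has_drive_spec(b) && b.len() <= 3 {
        return false;
    }
    // current-directory filter: relative paths cannot be merged into a config
    if !is_unc && !(has_drive_spec(b) && b.get(2) == Some(&b'\\')) {
        return false;
    }
    // self-access filter: the process touching its own image is noise
    if path.eq_ignore_ascii_case(self_image) {
        return false;
    }
    // invalid filename chars anywhere after the drive / UNC prefix
    let rest = if is_unc { &path[2..] } else { &path[3..] };
    !rest
        .chars()
        .any(|c| c.is_control() || matches!(c, '<' | '>' | '"' | '|' | '?' | '*' | ':'))
}

/// Decode one raw (path, mask) pair into a row, or None when filtered out.
pub fn decode_access_failure(raw: &str, mask: u32, self_image: &str) -> Option<LearningModeAccessEvent> {
    let file_path = normalize_dos_path(raw);
    keep_path(&file_path, self_image).then(|| LearningModeAccessEvent { file_path, access_mask: mask })
}

/// In-memory filesystem section of the config (assumed shape).
#[derive(Debug, Default, PartialEq, Eq)]
pub struct FsConfig {
    pub readwrite_paths: BTreeSet<String>,
    pub readonly_paths: BTreeSet<String>,
}

impl FsConfig {
    /// Merge rows: any write bit promotes a path to readwrite; a read bit
    /// adds it to readonly unless it is already readwrite.
    pub fn update_from_access_events(&mut self, events: &[LearningModeAccessEvent]) {
        for ev in events {
            if ev.access_mask & WRITE_MASK != 0 {
                self.readonly_paths.remove(&ev.file_path);
                self.readwrite_paths.insert(ev.file_path.clone());
            } else if ev.access_mask & READ_MASK != 0 && !self.readwrite_paths.contains(&ev.file_path) {
                self.readonly_paths.insert(ev.file_path.clone());
            }
        }
    }
}

/// Run constructed sample records through the pipeline; returns the merged config.
pub fn demo() -> FsConfig {
    let self_image = r"C:\Program Files\App\app.exe";
    // Constructed inputs standing in for decoded EventID=14 rows.
    let samples = [
        (r"\??\C:\Users\demo\notes.txt", FILE_READ_DATA),
        (r"\??\C:\Users\demo\notes.txt", FILE_WRITE_DATA),
        (r"\\?\C:\Program Files\App\app.exe", FILE_READ_DATA),
        (r"\\.\C:\", FILE_READ_DATA),
        (r"\\?\C:\Temp\bad<name>.log", FILE_WRITE_DATA),
        (r"\\?\UNC\fileserver\share\readme.md", GENERIC_READ),
    ];
    let rows: Vec<_> = samples
        .iter()
        .filter_map(|(p, m)| decode_access_failure(p, *m, self_image))
        .collect();
    let mut cfg = FsConfig::default();
    cfg.update_from_access_events(&rows);
    cfg
}
```

Running `demo()` leaves `C:\Users\demo\notes.txt` in readwrite_paths (the later write row promotes it out of readonly) and `\\fileserver\share\readme.md` in readonly_paths; the self-image, the bare `C:\` root and the path containing `<`/`>` are dropped by the filters before they reach the accumulator. Promoting on any write bit is the conservative choice for a learning mode: a path that was ever written must not end up read-only in the generated config.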
