Context Navigation

source: trunk/src/sh_fInotify.c@ 372

Last change on this file since 372 was 372, checked in by katerina, 13 years ago
One more patch for ticket #265 (inotify). Handle dirs that are only specified as files.
File size: 15.2 KB

Line
1	/* SAMHAIN file system integrity testing */
2	/* Copyright (C) 2011 Rainer Wichmann */
3	/* */
4	/* This program is free software; you can redistribute it */
5	/* and/or modify */
6	/* it under the terms of the GNU General Public License as */
7	/* published by */
8	/* the Free Software Foundation; either version 2 of the License, or */
9	/* (at your option) any later version. */
10	/* */
11	/* This program is distributed in the hope that it will be useful, */
12	/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13	/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14	/* GNU General Public License for more details. */
15	/* */
16	/* You should have received a copy of the GNU General Public License */
17	/* along with this program; if not, write to the Free Software */
18	/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20	/***************************************************************************
21	*
22	* This file provides a module for samhain to use inotify for file checking.
23	*
24	*/
25
26	#include "config_xor.h"
27
28	#if (defined(SH_WITH_CLIENT) \|\| defined(SH_STANDALONE))
29
30	#include "samhain.h"
31	#include "sh_utils.h"
32	#include "sh_modules.h"
33	#include "sh_pthread.h"
34	#include "sh_inotify.h"
35	#include "sh_unix.h"
36	#include "sh_hash.h"
37	#include "sh_files.h"
38	#include "sh_ignore.h"
39
40	#define FIL__ _("sh_fInotify.c")
41
42	sh_watches sh_file_watches = SH_INOTIFY_INITIALIZER;
43
44	static sh_watches sh_file_missing = SH_INOTIFY_INITIALIZER;
45
46	#if defined(HAVE_SYS_INOTIFY_H)
47
48	#include <sys/inotify.h>
49
50	/* --- Configuration ------- */
51
52	static int ShfInotifyActive = S_FALSE;
53
54	static unsigned long ShfInotifyWatches = 0;
55
56	static int sh_fInotify_active(const char *s)
57	{
58	int value;
59
60	SL_ENTER(_("sh_fInotify_active"));
61	value = sh_util_flagval(s, &ShfInotifyActive);
62	if (value == 0 && ShfInotifyActive != S_FALSE)
63	{
64	sh.flag.inotify \|= SH_INOTIFY_USE;
65	sh.flag.inotify \|= SH_INOTIFY_DOSCAN;
66	sh.flag.inotify \|= SH_INOTIFY_NEEDINIT;
67	}
68	if (value == 0 && ShfInotifyActive == S_FALSE)
69	{
70	sh.flag.inotify = 0;
71	}
72	SL_RETURN((value), _("sh_fInotify_active"));
73	}
74
75	static int sh_fInotify_watches(const char *s)
76	{
77	int retval = -1;
78	char * foo;
79	unsigned long value;
80
81	SL_ENTER(_("sh_fInotify_watches"));
82
83	value = strtoul(s, &foo, 0);
84	if (*foo == '\0')
85	{
86	ShfInotifyWatches = (value > 2147483647) ? 2147483647 /* MAX_INT_32 */: value;
87	retval = 0;
88	}
89	SL_RETURN((retval), _("sh_fInotify_watches"));
90	}
91
92
93	sh_rconf sh_fInotify_table[] = {
94	{
95	N_("inotifyactive"),
96	sh_fInotify_active,
97	},
98	{
99	N_("inotifywatches"),
100	sh_fInotify_watches,
101	},
102	{
103	NULL,
104	NULL
105	}
106	};
107
108	/* --- End Configuration --- */
109
110	static int sh_fInotify_init_internal(void);
111	static int sh_fInotify_process(struct inotify_event * event);
112	static int sh_fInotify_report(struct inotify_event * event, char * filename,
113	int class, unsigned long check_mask, int ftype);
114
115	int sh_fInotify_init(struct mod_type * arg)
116	{
117	#ifndef HAVE_PTHREAD
118	(void) arg;
119	return SH_MOD_FAILED;
120	#else
121
122	if (ShfInotifyActive == S_FALSE)
123	return SH_MOD_FAILED;
124
125	if (sh.flag.checkSum == SH_CHECK_INIT)
126	return SH_MOD_FAILED;
127
128	if (arg != NULL && arg->initval < 0 &&
129	(sh.flag.isdaemon == S_TRUE \|\| sh.flag.loop == S_TRUE))
130	{
131	/* Init from main thread */
132	sh.flag.inotify \|= SH_INOTIFY_DOSCAN;
133	sh.flag.inotify \|= SH_INOTIFY_NEEDINIT;
134
135	if (0 == sh_pthread_create(sh_threaded_module_run, (void *)arg))
136	{
137	return SH_MOD_THREAD;
138	}
139	else
140	{
141	sh.flag.inotify = 0;
142	return SH_MOD_FAILED;
143	}
144	}
145	else if (arg != NULL && arg->initval < 0 &&
146	(sh.flag.isdaemon != S_TRUE && sh.flag.loop != S_TRUE))
147	{
148	sh.flag.inotify = 0;
149	return SH_MOD_FAILED;
150	}
151	else if (arg != NULL && arg->initval == SH_MOD_THREAD &&
152	(sh.flag.isdaemon == S_TRUE \|\| sh.flag.loop == S_TRUE))
153	{
154	/* Reconfigure from main thread */
155	/* sh_fInotify_init_internal(); */
156	sh.flag.inotify \|= SH_INOTIFY_DOSCAN;
157	sh.flag.inotify \|= SH_INOTIFY_NEEDINIT;
158	return SH_MOD_THREAD;
159	}
160
161	/* Within thread, init */
162	return sh_fInotify_init_internal();
163	#endif
164	}
165
166	int sh_fInotify_run()
167	{
168	ssize_t len = -1;
169	char * buffer = SH_ALLOC(16384);
170	static int count = 0;
171	static int count2 = 0;
172
173	if (ShfInotifyActive == S_FALSE)
174	return SH_MOD_FAILED;
175
176	if ( (sh.flag.inotify & SH_INOTIFY_DOSCAN) \|\|
177	(sh.flag.inotify & SH_INOTIFY_NEEDINIT))
178	{
179	if (0 != sh_fInotify_init_internal())
180	return SH_MOD_FAILED;
181	}
182
183	/* Blocking read from inotify file descriptor.
184	*/
185	len = sh_inotify_read_timeout(buffer, 16384, 1);
186
187	if (len > 0)
188	{
189	struct inotify_event *event;
190	int i = 0;
191
192	while (i < len)
193	{
194	event = (struct inotify_event *) &(buffer[i]);
195
196	sh_fInotify_process(event);
197
198	i += sizeof (struct inotify_event) + event->len;
199	}
200
201	if ( (sh.flag.inotify & SH_INOTIFY_DOSCAN) \|\|
202	(sh.flag.inotify & SH_INOTIFY_NEEDINIT))
203	{
204	if (0 != sh_fInotify_init_internal())
205	return SH_MOD_FAILED;
206	}
207
208	}
209
210	/* Re-scan 'dormant' list of sh_file_missing.
211	*/
212	sh_inotify_recheck_watches (&sh_file_watches, &sh_file_missing);
213
214	++count;
215	++count2;
216
217	if (count >= 10)
218	{
219	count = 0; /* Re-expand glob patterns to discover added files. */
220	sh_files_check_globFilePatterns();
221	}
222
223	if (count2 >= 300)
224	{
225	count2 = 0; /* Update baseline database. */
226	if (sh.flag.checkSum == SH_CHECK_CHECK &&
227	sh.flag.update == S_TRUE)
228	sh_hash_writeout ();
229	}
230
231	return 0;
232	}
233
234	/* We block in the read() call on the inotify descriptor,
235	* so we always run.
236	*/
237	int sh_fInotify_timer(time_t tcurrent)
238	{
239	(void) tcurrent;
240	return 1;
241	}
242
243	int sh_fInotify_cleanup()
244	{
245	sh_inotify_purge_dormant(&sh_file_watches);
246	sh_inotify_remove(&sh_file_watches);
247	sh_inotify_init(&sh_file_watches);
248	return 0;
249	}
250
251	int sh_fInotify_reconf()
252	{
253	sh.flag.inotify = 0;
254
255	ShfInotifyWatches = 0;
256	ShfInotifyActive = 0;
257
258	return sh_fInotify_cleanup();
259	}
260
261	#define PROC_WATCHES_MAX _("/proc/sys/fs/inotify/max_user_watches")
262
263	static void sh_fInotify_set_nwatches()
264	{
265	if (ShfInotifyWatches == 0)
266	return;
267
268	if (0 == access(PROC_WATCHES_MAX, R_OK\|W_OK)) /* flawfinder: ignore */
269	{
270	FILE * fd;
271
272	if (NULL != (fd = fopen(PROC_WATCHES_MAX, "r+")))
273	{
274	char str[128];
275	char * ret;
276	char * ptr;
277	unsigned long wn;
278
279	str[0] = '\0';
280	ret = fgets(str, 128, fd);
281	if (ret && *str != '\0')
282	{
283	wn = strtoul(str, &ptr, 0);
284	if (ptr == '\0' \|\| ptr == '\n')
285	{
286	if (wn < ShfInotifyWatches)
287	{
288	sl_snprintf(str, sizeof(str), "%lu\n", ShfInotifyWatches);
289	(void) fseek(fd, 0L, SEEK_SET);
290	fputs(str, fd);
291	}
292	sl_fclose(FIL__, __LINE__, fd);
293	return;
294	}
295	}
296	sl_fclose(FIL__, __LINE__, fd);
297	}
298	}
299	SH_MUTEX_LOCK(mutex_thread_nolog);
300	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
301	_("Cannot set max_user_watches"),
302	_("sh_fInotify_set_nwatches"));
303	SH_MUTEX_UNLOCK(mutex_thread_nolog);
304	return;
305	}
306
307	/* The watch fd is thread specific. To have it in the fInotify thread,
308	* the main thread writes a list of files/dirs to watch, and here we
309	* now pop files from the list to add watches for them.
310	*/
311	static int sh_fInotify_init_internal()
312	{
313	char * filename;
314	int class;
315	int type;
316	unsigned long check_mask;
317	int retval;
318	int errnum;
319
320	if (ShfInotifyActive == S_FALSE)
321	return SH_MOD_FAILED;
322
323	/* Wait until file scan is finished.
324	*/
325	while((sh.flag.inotify & SH_INOTIFY_DOSCAN) != 0)
326	{
327	retry_msleep(1,0);
328
329	if (ShfInotifyActive == S_FALSE)
330	return SH_MOD_FAILED;
331	}
332
333	sh_fInotify_set_nwatches();
334
335	while (NULL != (filename = sh_inotify_pop_dormant(&sh_file_watches,
336	&class, &check_mask, &type)))
337	{
338	retval = sh_inotify_add_watch(filename, &sh_file_watches, &errnum,
339	class, check_mask, type);
340
341	if (retval < 0)
342	{
343	char errbuf[SH_ERRBUF_SIZE];
344
345	sh_error_message(errnum, errbuf, sizeof(errbuf));
346
347	if ((errnum == ENOENT) \|\| (errnum == EEXIST))
348	{
349	char * epath = sh_util_safe_name (filename);
350	SH_MUTEX_LOCK(mutex_thread_nolog);
351	sh_error_handle( (class == SH_LEVEL_ALLIGNORE) ?
352	ShDFLevel[class] :
353	ShDFLevel[SH_ERR_T_FILE],
354	FIL__, __LINE__, errnum, MSG_E_SUBGPATH,
355	errbuf, _("sh_fInotify_init_internal"), epath);
356	SH_MUTEX_UNLOCK(mutex_thread_nolog);
357	SH_FREE(epath);
358	}
359	else
360	{
361	SH_MUTEX_LOCK(mutex_thread_nolog);
362	sh_error_handle((-1), FIL__, __LINE__, errnum, MSG_E_SUBGEN,
363	errbuf, _("sh_fInotify_init_internal"));
364	SH_MUTEX_UNLOCK(mutex_thread_nolog);
365	}
366	}
367	}
368
369	/* Need this because mod_check() may run after
370	* DOSCAN is finished, hence wouldn't call init().
371	*/
372	sh.flag.inotify &= ~SH_INOTIFY_NEEDINIT;
373
374	return 0;
375	}
376
377	static int sh_fInotify_process(struct inotify_event * event)
378	{
379	int class;
380	int ftype;
381	unsigned long check_mask;
382	char * filename;
383	extern int flag_err_debug;
384
385	if (flag_err_debug == SL_TRUE)
386	{
387	char dbgbuf[256];
388
389	sl_strlcpy (dbgbuf, "inotify mask: ", sizeof(dbgbuf));
390
391	if (event->mask & IN_ACCESS) sl_strlcat(dbgbuf, "IN_ACCESS ", sizeof(dbgbuf));
392	if (event->mask & IN_ATTRIB) sl_strlcat(dbgbuf, "IN_ATTRIB ", sizeof(dbgbuf));
393	if (event->mask & IN_CLOSE_WRITE) sl_strlcat(dbgbuf, "IN_CLOSE_WRITE ", sizeof(dbgbuf));
394	if (event->mask & IN_CLOSE_NOWRITE) sl_strlcat(dbgbuf, "IN_CLOSE_NOWRITE ", sizeof(dbgbuf));
395	if (event->mask & IN_CREATE) sl_strlcat(dbgbuf, "IN_CREATE ", sizeof(dbgbuf));
396	if (event->mask & IN_DELETE) sl_strlcat(dbgbuf, "IN_DELETE ", sizeof(dbgbuf));
397	if (event->mask & IN_DELETE_SELF) sl_strlcat(dbgbuf, "IN_DELETE_SELF ", sizeof(dbgbuf));
398	if (event->mask & IN_MODIFY) sl_strlcat(dbgbuf, "IN_MODIFY ", sizeof(dbgbuf));
399	if (event->mask & IN_MOVE_SELF) sl_strlcat(dbgbuf, "IN_MOVE_SELF ", sizeof(dbgbuf));
400	if (event->mask & IN_MOVED_FROM) sl_strlcat(dbgbuf, "IN_MOVED_FROM ", sizeof(dbgbuf));
401	if (event->mask & IN_MOVED_TO) sl_strlcat(dbgbuf, "IN_MOVED_TO ", sizeof(dbgbuf));
402	if (event->mask & IN_OPEN) sl_strlcat(dbgbuf, "IN_OPEN ", sizeof(dbgbuf));
403	if (event->mask & IN_IGNORED) sl_strlcat(dbgbuf, "IN_IGNORED ", sizeof(dbgbuf));
404	if (event->mask & IN_ISDIR) sl_strlcat(dbgbuf, "IN_ISDIR ", sizeof(dbgbuf));
405	if (event->mask & IN_Q_OVERFLOW) sl_strlcat(dbgbuf, "IN_Q_OVERFLOW ", sizeof(dbgbuf));
406	if (event->mask & IN_UNMOUNT) sl_strlcat(dbgbuf, "IN_UNMOUNT ", sizeof(dbgbuf));
407
408	SH_MUTEX_LOCK(mutex_thread_nolog);
409	sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
410	dbgbuf, _("sh_fInotify_process"));
411	SH_MUTEX_UNLOCK(mutex_thread_nolog);
412	}
413
414
415	if (event->wd >= 0)
416	{
417	filename = sh_inotify_search_item(&sh_file_watches, event->wd,
418	&class, &check_mask, &ftype);
419
420	if (filename)
421	{
422	sh_fInotify_report(event, filename, class, check_mask, ftype);
423
424	SH_FREE(filename);
425	}
426	else if (sh.flag.inotify & SH_INOTIFY_NEEDINIT)
427	{
428	return 1;
429	}
430	else if ((event->mask & IN_UNMOUNT) == 0 && (event->mask & IN_IGNORED) == 0)
431	{
432	/* Remove watch ? Seems reasonable. */
433	sh_inotify_rm_watch(NULL, NULL, event->wd);
434
435	SH_MUTEX_LOCK(mutex_thread_nolog);
436	sh_error_handle((-1), FIL__, __LINE__, event->wd, MSG_E_SUBGEN,
437	_("Watch removed: internal error - file path unknown"),
438	_("sh_fInotify_process"));
439	SH_MUTEX_UNLOCK(mutex_thread_nolog);
440	}
441	}
442	else if ((event->mask & IN_Q_OVERFLOW) != 0)
443	{
444	sh.flag.inotify \|= SH_INOTIFY_DOSCAN;
445	sh.flag.inotify \|= SH_INOTIFY_NEEDINIT;
446	return 1;
447	}
448
449	return 0;
450	}
451
452	void sh_fInotify_report_add(char * path, int class, unsigned long check_mask)
453	{
454	if (S_FALSE == sh_ignore_chk_new(path))
455	{
456	int reported = 0;
457
458	sh_files_clear_file_reported(path);
459
460	sh_files_search_file(path, &class, &check_mask, &reported);
461
462	sh_files_filecheck (class, check_mask, path, NULL,
463	&reported, 0);
464	if (SH_FFLAG_REPORTED_SET(reported))
465	sh_files_set_file_reported(path);
466	}
467	return;
468	}
469
470
471	static void sh_fInotify_report_miss(char * name, int level)
472	{
473	char * tmp = sh_util_safe_name (name);
474
475	SH_MUTEX_LOCK(mutex_thread_nolog);
476	sh_error_handle (level, FIL__, __LINE__, 0, MSG_FI_MISS, tmp);
477	SH_MUTEX_UNLOCK(mutex_thread_nolog);
478
479	SH_FREE(tmp);
480	return;
481	}
482
483	static int sh_fInotify_report(struct inotify_event * event, char * filename,
484	int class, unsigned long check_mask, int ftype)
485	{
486	char * fullpath = NULL;
487	char * path;
488	int reported;
489
490	if (event->len > 0)
491	{
492	fullpath = sh_util_strconcat(filename, "/", event->name, NULL);
493	path = fullpath;
494	}
495	else
496	{
497	path = filename;
498	}
499
500	if ( (event->mask & (IN_ATTRIB\|IN_MODIFY)) != 0)
501	{
502	int ret = sh_files_search_file(path, &class, &check_mask, &reported);
503
504	if ((ret == 0) && (event->len > 0) && (ftype == SH_INOTIFY_FILE))
505	{
506	; /* do nothing */
507	}
508	else
509	{
510	sh_files_filecheck (class, check_mask, filename,
511	(event->len > 0) ? event->name : NULL,
512	&reported, 0);
513	}
514	}
515	else if ((event->mask & (IN_DELETE\|IN_DELETE_SELF\|IN_MOVE_SELF\|IN_MOVED_FROM)) != 0)
516	{
517	int isdir = (event->mask & IN_ISDIR);
518	int level = (class == SH_LEVEL_ALLIGNORE) ?
519	ShDFLevel[class] :
520	ShDFLevel[(isdir == 0) ? SH_ERR_T_FILE : SH_ERR_T_DIR];
521
522	if (S_FALSE == sh_ignore_chk_del(path))
523	{
524	if (0 != hashreport_missing(path, level))
525	{
526	int ret = sh_files_search_file(path, &class, &check_mask, &reported);
527
528	if ((ret == 0) && (event->len > 0) && (ftype == SH_INOTIFY_FILE))
529	{
530	; /* do nothing */
531	}
532	else
533	{
534	sh_fInotify_report_miss(path, level);
535	}
536	}
537	}
538
539	#ifndef REPLACE_OLD
540	sh_hash_set_visited_true(path);
541	#else
542	sh_hash_set_missing(path);
543	#endif
544	if (sh.flag.reportonce == S_TRUE)
545	sh_files_set_file_reported(path);
546
547	/* Move to 'dormant' list, if not file within directory.
548	*/
549	if (event->len == 0)
550	sh_inotify_rm_watch(&sh_file_watches, &sh_file_missing, event->wd);
551	}
552	else if((event->mask & (IN_CREATE\|IN_MOVED_TO)) != 0)
553	{
554	if (S_FALSE == sh_ignore_chk_new(path))
555	{
556	int ret;
557
558	sh_files_clear_file_reported(path);
559
560	ret = sh_files_search_file(path, &class, &check_mask, &reported);
561
562	if ((ret == 0) && (event->len > 0) && (ftype == SH_INOTIFY_FILE))
563	{
564	; /* do nothing */
565	}
566	else
567	{
568	sh_files_filecheck (class, check_mask, filename,
569	(event->len > 0) ? event->name : NULL,
570	&reported, 0);
571	}
572
573	if (SH_FFLAG_REPORTED_SET(reported))
574	sh_files_set_file_reported(path);
575
576	if (ret != 0)
577	{
578	sh_inotify_add_watch(path, &sh_file_watches, &ret,
579	class, check_mask, SH_INOTIFY_FILE);
580	}
581	}
582	}
583
584	return 0;
585	}
586
587
588	#endif
589
590	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: