Changeset 114

Timestamp:

Jul 30, 2007, 10:59:10 PM (17 years ago)

Author:

rainer

Message:

Revision of file flag code.

Location:

trunk

Files:

• docs/Changelog (modified) (1 diff)
• include/samhain.h (modified) (1 diff)
• include/sh_unix.h (modified) (1 diff)
• src/sh_files.c (modified) (13 diffs)
• src/sh_hash.c (modified) (18 diffs)
• src/sh_kern.c (modified) (1 diff)
• src/sh_suidchk.c (modified) (1 diff)
• src/sh_unix.c (modified) (1 diff)

trunk/docs/Changelog

@@ -1 +1 @@
 2.3.6:
+        * sh_hash.c: replace check for prefix 'K' with check for not prefix'/'
+          to allow for arbitrary module-specific store/lookup in db
+        * replace 'visited', 'reported', 'allignore' with generic 'fflags' field
         * sh_cat.c: reduce priority of MSG_TCP_RESET to avoid spamming if
           port checking is used on same host as server (reported by kadafax)

trunk/include/samhain.h

@@ -124 +124 @@
   SH_CHECK_CHECK   = 2
 };
+
+/* Flags for file status
+ */
+#define SH_FFLAG_ALLIGNORE (1<<0)
+#define SH_FFLAG_VISITED   (1<<1)
+#define SH_FFLAG_CHECKED   (1<<3)
+#define SH_FFLAG_REPORTED  (1<<3)
+
+#define SH_FFLAG_ALLIGNORE_SET(a)   (((a) & SH_FFLAG_ALLIGNORE) != 0)
+#define SET_SH_FFLAG_ALLIGNORE(a)   ((a) |= SH_FFLAG_ALLIGNORE)
+#define CLEAR_SH_FFLAG_ALLIGNORE(a) ((a) &= ~SH_FFLAG_ALLIGNORE)
+
+#define SH_FFLAG_VISITED_SET(a)     (((a) & SH_FFLAG_VISITED) != 0)
+#define SET_SH_FFLAG_VISITED(a)     ((a) |= SH_FFLAG_VISITED)
+#define CLEAR_SH_FFLAG_VISITED(a)   ((a) &= ~SH_FFLAG_VISITED)
+
+#define SH_FFLAG_CHECKED_SET(a)     (((a) & SH_FFLAG_VISITED) != 0)
+#define SET_SH_FFLAG_CHECKED(a)     ((a) |= SH_FFLAG_VISITED)
+#define CLEAR_SH_FFLAG_CHECKED(a)   ((a) &= ~SH_FFLAG_VISITED)
+
+#define SH_FFLAG_REPORTED_SET(a)    (((a) & SH_FFLAG_REPORTED) != 0)
+#define SET_SH_FFLAG_REPORTED(a)    ((a) |= SH_FFLAG_REPORTED)
+#define CLEAR_SH_FFLAG_REPORTED(a)  ((a) &= ~SH_FFLAG_REPORTED)
+
 
 

trunk/include/sh_unix.h

@@ -111 +111 @@
 typedef struct file_struct {
   unsigned long    check_mask;
-  int              reported;
+  int              file_reported;
   char             fullpath[PATH_MAX];
   ShFileType       type;

trunk/src/sh_files.c

@@ -116 +116 @@
   short                   checked;
   short                   childs_checked;
-  short                   reported;
+  short                   is_reported;
   /* struct dirstack_entry * next; */
 } dirstack_t;
@@ -234 +234 @@
 
           BREAKEXIT(sh_files_filecheck);
-          tmp_reported = ptr->reported; /* fix aliasing warning */ 
+          tmp_reported = ptr->is_reported; /* fix aliasing warning */ 
           status = sh_files_filecheck (ptr->class, dir, file, 
                                        &tmp_reported, 0);
-          ptr->reported = tmp_reported;
+          ptr->is_reported = tmp_reported;
           
           TPT(( 0, FIL__, __LINE__, 
                 _("msg=<filecheck complete: %s> status=<%d> reported=<%d>\n"), 
-                tmp, status, ptr->reported));
-
-          if (status == SH_FILE_UNKNOWN && ptr->reported == S_FALSE) 
+                tmp, status, ptr->is_reported));
+
+          if (status == SH_FILE_UNKNOWN && (!SH_FFLAG_REPORTED_SET(ptr->is_reported)))
             {
               TPT(( 0, FIL__, __LINE__, _("msg=<file: %s> status=<%d>\n"), 
@@ -288 +288 @@
 #endif
               if (sh.flag.reportonce == S_TRUE)
-                ptr->reported = S_TRUE;
+                SET_SH_FFLAG_REPORTED(ptr->is_reported);
             }
           else 
@@ -294 +294 @@
               /* exists (status >= 0), but was missing (reported == TRUE)
                */
-              if (status != SH_FILE_UNKNOWN && ptr->reported == S_TRUE)
+              if (status != SH_FILE_UNKNOWN && SH_FFLAG_REPORTED_SET(ptr->is_reported))
                 {
-                  ptr->reported = S_FALSE;
+                  CLEAR_SH_FFLAG_REPORTED(ptr->is_reported);
                 }
               /* Catchall
@@ -759 +759 @@
   new_item_ptr->rdepth         = 0;
   new_item_ptr->checked        = S_FALSE;
-  new_item_ptr->reported       = S_FALSE;
+  new_item_ptr->is_reported    = 0;
   new_item_ptr->childs_checked = S_FALSE;
 
@@ -1005 +1005 @@
                                       ptr->name);
 
-          if (status < 0 && ptr->reported == S_FALSE) 
+          if (status < 0 && (!SH_FFLAG_REPORTED_SET(ptr->is_reported))) 
             {
               /* directory is missing
@@ -1024 +1024 @@
                 }
               if (sh.flag.reportonce == S_TRUE)
-                ptr->reported = S_TRUE;
+                SET_SH_FFLAG_REPORTED(ptr->is_reported);
             } 
           else 
@@ -1030 +1030 @@
               /* exists (status >= 0), but was missing (reported == TRUE)
                */
-              if (status >= 0 && ptr->reported == S_TRUE)
+              if (status >= 0 && SH_FFLAG_REPORTED_SET(ptr->is_reported))
                 {
-                  ptr->reported = S_FALSE;
+                  CLEAR_SH_FFLAG_REPORTED(ptr->is_reported);
 #if 0
                   /* obsoleted (really?) by the mandatory sh_files_filecheck()
@@ -1163 +1163 @@
   new_item_ptr->rdepth         = rdepth;
   new_item_ptr->checked        = S_FALSE;
-  new_item_ptr->reported       = S_FALSE;
+  new_item_ptr->is_reported    = 0;
   new_item_ptr->childs_checked = S_FALSE;
 
@@ -1765 +1765 @@
          */
         if (dst_ptr && sh.flag.reportonce == S_TRUE)
-          dummy = dst_ptr->reported;
+          dummy = dst_ptr->is_reported;
 
         checkit = sh_files_filecheck (file_class_next, 
@@ -1777 +1777 @@
          */
         if (dst_ptr && sh.flag.reportonce == S_TRUE)
-          dst_ptr->reported = dummy;
+          dst_ptr->is_reported = dummy;
       }
     
@@ -1996 +1996 @@
    */
   sl_strlcpy (theFile.fullpath, fullpath, PATH_MAX);
-  theFile.check_mask  = sh_files_maskof(class);
-  theFile.reported    = (*reported);
-  theFile.attr_string = NULL;
+  theFile.check_mask    = sh_files_maskof(class);
+  theFile.file_reported = (*reported);
+  theFile.attr_string   = NULL;
 
   TPT(( 0, FIL__, __LINE__, _("msg=<checking file: %s>\n"),  fullpath));
@@ -2045 +2045 @@
     }
   
-  (*reported) = theFile.reported;
+  (*reported) = theFile.file_reported;
 
   /* reset the access time 

trunk/src/sh_hash.c

@@ -290 +290 @@
   char           * linkpath;
   char           * attr_string;
-  int              visited;
-  int              reported;
-  int              allignore;
+  int              fflags;
   unsigned long    modi_mask;
   struct           file_info * next;
@@ -487 +485 @@
     }
 
-  /* Kernel info
+  /* Not a fully qualified path, i.e. some info stored by some module
    */
-  if (p->fullpath[0] == 'K')
+  if (p->fullpath[0] != '/')
     {
       SL_RET0(_("hash_unvisited"));
     }
 
-  /* visited   = FALSE: not seen; 
-   * visited   = 99:    not seen, and already checked 
-   * reported  = FALSE: not reported yet
-   * allignore = FALSE: not under IgnoreAll
+  /* visited   flag not set: not seen; 
+   * checked   flag     set: not seen (i.e. missing), and already checked 
+   * reported  flag not set: not reported yet
+   * allignore flag not set: not under IgnoreAll
    *
    * Files/directories under IgnoreAll are noticed as missing already
    * during the file check.
    */
-  if ((p->visited == S_FALSE || p->visited == 99) && p->reported == S_FALSE 
-      && p->allignore == S_FALSE)
+  if (((!SH_FFLAG_VISITED_SET(p->fflags)) || SH_FFLAG_CHECKED_SET(p->fflags)) 
+      && (!SH_FFLAG_REPORTED_SET(p->fflags))
+      && (!SH_FFLAG_ALLIGNORE_SET(p->fflags)))
     {
       i = retry_lstat(FIL__, __LINE__, p->fullpath, &buf);
@@ -520 +519 @@
               SH_FREE(ptr);
             }
-          if (p->visited != 99)
+
+          /* Only report if !SH_FFLAG_CHECKED_SET
+           */
+          if (!SH_FFLAG_CHECKED_SET(p->fflags))
             {
               if (S_FALSE == sh_ignore_chk_del(p->fullpath))
@@ -572 +574 @@
               SL_RET0(_("hash_unvisited"));
 #else
-              p->reported = S_TRUE; 
+              SET_SH_FFLAG_REPORTED(p->fflags); 
 #endif
             }
@@ -578 +580 @@
     }
 
-  else if (p->visited == S_TRUE && p->reported == S_TRUE 
-           && p->allignore == S_FALSE)
+  else if (SH_FFLAG_VISITED_SET(p->fflags) && SH_FFLAG_REPORTED_SET(p->fflags) 
+           && (!SH_FFLAG_ALLIGNORE_SET(p->fflags)))
     {
       if (S_FALSE == sh_ignore_chk_new(p->fullpath))
@@ -597 +599 @@
         }
 
-      p->reported = S_FALSE;
+      CLEAR_SH_FFLAG_REPORTED(p->fflags);
     }
 
   if (sh.flag.reportonce == S_FALSE)
-    p->reported = S_FALSE;
-
-  p->visited = S_FALSE;
+    CLEAR_SH_FFLAG_REPORTED(p->fflags);
+
+  CLEAR_SH_FFLAG_VISITED(p->fflags);
+  CLEAR_SH_FFLAG_CHECKED(p->fflags);
+
   SL_RET0(_("hash_unvisited"));
 }
@@ -1049 +1053 @@
 
   memcpy( &(*p).theFile, &ft, sizeof(sh_filestore_t) );
-  p->visited   = S_FALSE;
-  p->reported  = S_FALSE;
-  p->allignore = S_FALSE;
+
+  p->fflags = 0;
+
   p->modi_mask = 0L;
   p->fullpath  = fullpath;
@@ -1835 +1839 @@
 
   if (!p) return (-1);
-  if (p->allignore == S_FALSE && 
+  if ((!SH_FFLAG_ALLIGNORE_SET(p->fflags)) && 
       (p->modi_mask & MODI_CHK) != 0 &&
       (p->modi_mask & MODI_MOD) != 0)
@@ -1883 +1887 @@
   if (p == NULL) 
     SL_RETURN((-1), _("sh_hash_set_visited_int"));
-  if (flag == 99)
-    {
-      p->visited  = 99;
-      p->reported = S_FALSE;
-    }
-  else
-    {
-      p->visited  = S_TRUE;
-      p->reported = flag;
+
+  if (flag == SH_FFLAG_CHECKED)
+    {
+      CLEAR_SH_FFLAG_REPORTED(p->fflags);
+      CLEAR_SH_FFLAG_VISITED(p->fflags);
+      SET_SH_FFLAG_CHECKED(p->fflags);
+    }
+  else
+    {
+      SET_SH_FFLAG_VISITED(p->fflags);
+      CLEAR_SH_FFLAG_CHECKED(p->fflags);
+      if (flag == SH_FFLAG_REPORTED)
+        SET_SH_FFLAG_REPORTED(p->fflags);
+      else
+        CLEAR_SH_FFLAG_REPORTED(p->fflags);
     }
   SL_RETURN((0), _("sh_hash_set_visited_int"));
@@ -1903 +1913 @@
   int i;
   SL_ENTER(_("sh_hash_set_visited"));
-  i = sh_hash_set_visited_int(newname, 99);
+  i = sh_hash_set_visited_int(newname, SH_FFLAG_CHECKED);
   SL_RETURN(i, _("sh_hash_set_visited"));
 }
 
+/* mark the file as visited and reported
+ */
 int sh_hash_set_visited (char * newname)
 {
   int i;
   SL_ENTER(_("sh_hash_set_visited"));
-  i = sh_hash_set_visited_int(newname, S_TRUE);
+  i = sh_hash_set_visited_int(newname, SH_FFLAG_REPORTED);
   SL_RETURN(i, _("sh_hash_set_visited"));
 }
 
+/* mark the file as visited and NOT reported
+ * used to avoid deletion of file from internal database
+ */
 int sh_hash_set_visited_true (char * newname)
 {
   int i;
   SL_ENTER(_("sh_hash_set_visited_true"));
-  i = sh_hash_set_visited_int(newname, S_FALSE);
+  i = sh_hash_set_visited_int(newname, 0);
   SL_RETURN(i, _("sh_hash_set_visited_true"));
 }
@@ -2091 +2106 @@
 
   memcpy( &(*fp).theFile, &p, sizeof(sh_filestore_t) );
-  fp->visited   = S_FALSE;
-  fp->reported  = S_FALSE;
-  fp->allignore = S_FALSE;
+  fp->fflags    = 0;
   fp->modi_mask = 0L;
 
@@ -2599 +2612 @@
 
       if (p)
-        p->visited   = S_TRUE;
+        {
+          SET_SH_FFLAG_VISITED(p->fflags);
+          CLEAR_SH_FFLAG_CHECKED(p->fflags);
+        }
+
       if (sh.flag.reportonce == S_TRUE)
-        theFile->reported = S_TRUE;
+        SET_SH_FFLAG_REPORTED(theFile->file_reported);
 
       if (sh.flag.reportonce == S_TRUE && sh.flag.update == S_FALSE)
@@ -2828 +2845 @@
   /* --- Report on modified files. ---
    */
-  if (modi_mask != 0 && p->reported == S_FALSE)
+  if (modi_mask != 0 && (!SH_FFLAG_REPORTED_SET(p->fflags)))
     { 
       tmp = SH_ALLOC(SH_BUFSIZE);
@@ -3188 +3205 @@
 
 #ifndef REPLACE_OLD
-      p->reported = S_TRUE;
+      SET_SH_FFLAG_REPORTED(p->fflags);
 #endif
 
@@ -3247 +3264 @@
               theFile->hardlinks = p->theFile.hardlinks;
               
-              p->visited = S_TRUE;
+              SET_SH_FFLAG_VISITED(p->fflags);
+              CLEAR_SH_FFLAG_CHECKED(p->fflags);
               SL_RETURN(1, _("sh_hash_compdata"));
             }
@@ -3316 +3334 @@
     }
 
-  p->visited = S_TRUE;
+  SET_SH_FFLAG_VISITED(p->fflags);
+  CLEAR_SH_FFLAG_CHECKED(p->fflags);
 
   SL_RETURN(0, _("sh_hash_compdata"));
@@ -3334 +3353 @@
     {
       for (p = tab[i]; p; p = p->next)
-        p->allignore  = S_FALSE;
+        CLEAR_SH_FFLAG_ALLIGNORE(p->fflags);
     }
   SL_RETURN (0, _("sh_hash_compdata"));
@@ -3362 +3381 @@
           if (p->fullpath && 0 == strncmp(s, p->fullpath, len))
             { 
-              p->allignore  = S_TRUE;
+              SET_SH_FFLAG_ALLIGNORE(p->fflags);
             }
         }

trunk/src/sh_kern.c

@@ -901 +901 @@
   (void) sl_strlcpy (theFile.fullpath, pcipath, PATH_MAX);
   theFile.check_mask  = sh_files_maskof(SH_LEVEL_READONLY);
-  theFile.reported    = S_FALSE;
+  CLEAR_SH_FFLAG_REPORTED(theFile.file_reported);
   theFile.attr_string = NULL;
   

trunk/src/sh_suidchk.c

@@ -976 +976 @@
               (void) sl_strlcpy (theFile.fullpath, tmpcat, PATH_MAX);
               theFile.check_mask  = sh_files_maskof(SH_LEVEL_READONLY);
-              theFile.reported    = S_FALSE;
+              CLEAR_SH_FFLAG_REPORTED(theFile.file_reported);
               theFile.attr_string = NULL;
 

trunk/src/sh_unix.c

@@ -3178 +3178 @@
       if (sh.flag.checkSum == SH_CHECK_INIT || 
           (sh_hash_have_it (theFile->fullpath) >= 0 && 
-           theFile->reported == S_FALSE))
+           (!SH_FFLAG_REPORTED_SET(theFile->file_reported))))
         {
           if (S_FALSE == sh_ignore_chk_del(theFile->fullpath)) {