Gecko [ www.thearyasamaj.org ]

Name	Size	Permission
common	[ DIR ]	drwxr-xr-x
ftrace_hooks	[ DIR ]	drwxr-xr-x
lsm_hooks	[ DIR ]	drwxr-xr-x
syscall_hooks	[ DIR ]	drwxr-xr-x
transport	[ DIR ]	drwxr-xr-x
Kbuild	8.38 KB	-rw-r--r--
Makefile	2.23 KB	-rw-r--r--
compat.c	6.35 KB	-rw-r--r--
compat.h	11.17 KB	-rw-r--r--
debug.h	3.56 KB	-rw-r--r--
dkms.conf	146 B	-rw-r--r--
file_contexts.c	41.54 KB	-rw-r--r--
file_contexts.h	3.8 KB	-rw-r--r--
file_contexts_priv.h	4.92 KB	-rw-r--r--
file_handle_tools.h	2.15 KB	-rw-r--r--
file_key_tools.h	869 B	-rw-r--r--
file_path_tools.h	2.09 KB	-rw-r--r--
hashtable_compat.h	2.45 KB	-rw-r--r--
hook_trampoline_common.h	4.2 KB	-rw-r--r--
interval_set.h	1.05 KB	-rw-r--r--
memory.h	1.37 KB	-rw-r--r--
module.c	1.86 KB	-rw-r--r--
module_ref.h	421 B	-rw-r--r--
module_rundown_protection.c	3.64 KB	-rw-r--r--
module_rundown_protection.h	743 B	-rw-r--r--
path_tools.h	4.25 KB	-rw-r--r--
rundown_protection.c	4.2 KB	-rw-r--r--
rundown_protection.h	2.83 KB	-rw-r--r--
si_common.h	4.37 KB	-rw-r--r--
si_fp_properties.h	858 B	-rw-r--r--
si_fp_properties_x.h	15.41 KB	-rw-r--r--
si_fp_value_types.h	515 B	-rw-r--r--
si_fp_value_types_x.h	1.25 KB	-rw-r--r--
si_size.h	4.15 KB	-rw-r--r--
si_templates.h	2.29 KB	-rw-r--r--
si_writer.h	6.36 KB	-rw-r--r--
si_writer_common.h	6.45 KB	-rw-r--r--
stringify.h	261 B	-rw-r--r--
task_info_map.c	14.33 KB	-rw-r--r--
task_info_map.h	6.27 KB	-rw-r--r--
task_tools.h	1.34 KB	-rw-r--r--
tracepoints.c	3.58 KB	-rw-r--r--
tracepoints.h	299 B	-rw-r--r--
write_protection.h	1.04 KB	-rw-r--r--

Code Editor : task_info_map.h

/**
@file
@brief    Process (aka task) info storage
@details  Copyright (c) 2017-2021 Acronis International GmbH
@author   Ivan Matveev (ivan.matveev@acronis.com)
@since    $Id: $
*/

#pragma once

#include "compat.h"
#include "transport_id.h"
#include "transport_protocol.h"

#include <linux/path.h>
#include <linux/rbtree.h>
#include <linux/spinlock.h>
#include <linux/types.h>  // bool

// Per transport context of the task
typedef struct {
	// If pid version of task is changing, MT_EXEC is expected to be sent to the client
	// Under transport spinlock this field is checked against the pid_version of the task_info_t
	uint64_t sent_pid_version;
	uint64_t listening_mask;
} task_context_t;

typedef struct {
	spinlock_t spinlock;
	transport_id_t transport_id;
	task_context_t data;
} transport_task_context_t;

typedef struct task_info_s {
	struct rb_node rb_node;

atomic_t ref_cnt;
	spinlock_t spinlock; // protecting exe_file_key, pid_version and artificial_start_time_us

// Used as a primary key in the map currently
	pid_t pid;

// 'pid' might be reused in the system, 'unique_pid' should be unique in the current session
	// generally composed to process start time for boot in seconds in high 32bit + 'pid' in low 32 bits
	uint64_t unique_pid;
	// Saved exe file key to check if exec occured. If it is changed, 'pid_version' should be raised
	file_key_t exe_file_key;
	// 'pid_version' that is raised every time 'exe_file_key' is changed.
	// 'pid_version' reading not requiring spinlock might cause some fuzzyness but it exe_file being updated during syscall
	// will cause the same amount of fuzzyness so it is not a big deal.
	uint64_t pid_version;
	uint64_t artificial_start_time_us;

transport_task_context_t contexts[MAX_TRANSPORT_SIZE];
} task_info_t;

typedef struct task_info_map_s {
	spinlock_t spinlock;
	struct rb_root root;
	atomic64_t next_pid_version;
} task_info_map_t;

#ifdef __cplusplus
extern "C" {
#endif

// on success return 0
int task_info_map_del(pid_t pid);

// init and deinit for module
void task_info_maps_init(void);
void task_info_maps_clear(void);

// invoked from hooks to get information about the current task group
// Avoid calling this too often, it is recommended to call it once at the start
task_info_t* task_info_map_get(struct task_struct* tsk);
task_info_t* task_info_map_get_by_pid(pid_t pid, uint64_t unique_pid);
task_info_t* task_info_map_get_with_exe(struct task_struct* tsk, const struct path* exe_path);
// nowait variant cannot use 'get_task_exe_file' so 'exe_path' is assumed to be always provided
// exe_path==NULL can be used, in this case file key will be empty on new or not updated
task_info_t* task_info_map_get_with_alloc_flags(struct task_struct* tsk, const struct path* exe_path, bool nowait);

task_info_t *task_info_map_add(pid_t pid, uint64_t unique_pid, const struct path* exe_path);
task_info_t *task_info_map_add_with_alloc_flags(pid_t pid, uint64_t unique_pid, const struct path* exe_path, bool nowait, bool force_advance_pv);

task_info_t *task_info_lookup(pid_t pid, uint64_t unique_pid);
task_info_t *task_info_get(task_info_t *task_info);
void task_info_put(task_info_t *task_info);
// invoked from exit tracepoint to trigger cleanup
void task_info_map_on_exit_event(struct task_struct* tsk);

// If pid_version==0, it will not be checked
int task_info_set_listening_mask(task_info_t *task_info, transport_id_t id, uint64_t listening_mask, uint64_t pid_version);

// The usual order of checking whether particular event needs to be sent:
// 1. Find task_info using 'task_info_map_get*' variants, refresh in userspace if needed using 'refresh_task'
// 2. Find all the transports that are currently registered and save them in 'transport_ids_t' using 'transport_global_get_ids'.
// 3. Call 'task_info_can_skip', if it returns true, the event can be skipped.
// 4. Compose the event and check for 'task_info_need_to_make_exec_event'. If 'exec' has occured, the EXEC event needs to be composed.
// 5. Under the spinlock for global transport contexts (that is important to ensure ordering), verify that EXEC event indeed needs to be called using 'task_info_wants_exec_event'
// 6. Send exec event that will be guaranteed the first event for the task.

// Checks if current hook can skip the event because it is whitelisted/ignored
// If pid version mismatch occurs for any transport ('task_info_need_to_make_exec_event' path), the event will not be skipped
bool task_info_can_skip(task_info_t *task_info, const transport_ids_t *ids, uint64_t mask);

// Checks if the task_info needs to make an exec event. This happens when at least one transport pid version is mismatched
bool task_info_need_to_make_exec_event(task_info_t *task_info, const transport_ids_t *ids);

// Check if given transport id wants to receive exec event. Will update the pidversion and expected to be called under global transport spinlock
bool task_info_wants_exec_event(task_info_t *task_info, transport_id_t id, uint64_t pid_version_to_be_sent);

static inline uint64_t make_unique_pid(struct task_struct* tsk) {
	// Main goal of this unique pid is to ensure it can be acquired from the userspace in a similar manner
	// This is needed because it is nice to be able to match processes acquired from fanotify and from fileprotector
	// Ideally pidversion should match too but currently there is no good way to do it...
	// Notice that userspace gets the values based on
	uint64_t start_time_10ms;
	if (tsk->group_leader)
		tsk = tsk->group_leader;

// !!! Userspace sees this time in ticks so to have matching upids, it will need to convert ticks to seconds
#ifdef HAVE_TIMESPEC_REAL_START_TIME
	// From ancient times to 3.16
	start_time_10ms = tsk->real_start_time.tv_sec * 100 + tsk->real_start_time.tv_nsec / 10000000;
#else
#ifdef HAVE_REAL_START_TIME
	// From 3.17 to 5.5
	start_time_10ms = tsk->real_start_time / 10000000;
#else
	// From 5.6 to 5.10; from 5.11 to now is using time namespace (timens_add_boottime_ns)
	// but I do not care about it so I use the same code as in 5.6+.
	// Even if 'current' is in a namespace, client service should be
	// still outside of the time ns so it matches the requirement of
	// unique pid being generated the same way from fileprotector and userspace.
	start_time_10ms = tsk->start_boottime / 10000000;
#endif
#endif

return ((uint64_t)(start_time_10ms << 22)) | ((uint64_t) tsk->tgid);
}

#ifdef __cplusplus
}
#endif

${this.title}

Code Editor : task_info_map.h