Detect when rpath is present so that pattern is more accurate.

RH-steve-grubb · RH-steve-grubb · commit 9082d35cbb66 · 2016-09-28T15:51:54.000-04:00
diff --git a/src/event.c b/src/event.c
@@ -153,6 +153,7 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
 			const char *file = on->o;
 			if (pinfo->path1 == NULL) {
 				pinfo->path1 = strdup(file);
+				pinfo->elf_info = gather_elf(e->fd);
 			} else if (pinfo->path2 == NULL) {
 				pinfo->path2 = strdup(file);
 				pinfo->state = STATE_PARTIAL;
diff --git a/src/file.c b/src/file.c
@@ -38,8 +38,10 @@
 #include <rpm/rpmlog.h>
 #include <magic.h>
 #include <libudev.h>
+#include <elf.h>
 #include "file.h"
 #include "message.h"
+#include "process.h" // For elf info bit mask
 
 // Local variables
 static struct udev *udev;
@@ -351,3 +353,194 @@ char *get_hash_from_fd(int fd)
 	return digest;
 }
 
+static unsigned char e_ident[EI_NIDENT];
+
+static int read_preliminary_header(int fd)
+{
+	ssize_t rc = safe_read(fd, (char *)e_ident, EI_NIDENT);
+	if (rc == EI_NIDENT)
+		return 0;
+	return 1;
+}
+
+static Elf32_Ehdr *read_header32(int fd)
+{
+	Elf32_Ehdr *ptr = malloc(sizeof(Elf32_Ehdr));
+	strcpy(ptr->e_ident, e_ident);
+	ssize_t rc = safe_read(fd, (char *)&(ptr->e_type), sizeof(Elf32_Ehdr) - EI_NIDENT);
+	if (rc == (sizeof(Elf32_Ehdr) - EI_NIDENT))
+		return ptr;
+	free(ptr);
+	return NULL;
+}
+
+static Elf64_Ehdr *read_header64(int fd)
+{
+	Elf64_Ehdr *ptr = malloc(sizeof(Elf64_Ehdr));
+	strcpy(ptr->e_ident, e_ident);
+	ssize_t rc = safe_read(fd, (char *)&(ptr->e_type),
+				sizeof(Elf64_Ehdr) - EI_NIDENT);
+	if (rc == (sizeof(Elf64_Ehdr) - EI_NIDENT))
+		return ptr;
+	free(ptr);
+	return NULL;
+}
+
+uint32_t gather_elf(int fd)
+{
+	//struct elf_info *e;
+	uint32_t info = 0;
+	if (read_preliminary_header(fd))
+		return 0;
+
+	if (strncmp((char *)e_ident, ELFMAG, 4))
+		return 0;
+
+	/* e = malloc(sizeof(struct elf_info));
+	if (e == NULL)
+		return 0;
+	e->first_lib = NULL; */
+	info |= IS_ELF;
+	if (e_ident[4] == 1) {
+		unsigned i;
+		Elf32_Phdr *ph_tbl = NULL;
+		
+		Elf32_Ehdr *hdr = read_header32(fd);
+		if (hdr == NULL)
+			return 0;
+
+		// Look for program header information
+		// FIXME: Should there be a size check?
+		ph_tbl = malloc(hdr->e_phentsize * hdr->e_phnum);
+		if ((unsigned int)lseek(fd, (off_t)hdr->e_phoff, SEEK_SET) !=
+					hdr->e_phoff)
+			goto err_out32;
+
+		// Read in complete table
+		if ((unsigned int)safe_read(fd, (char *)ph_tbl,
+					hdr->e_phentsize * hdr->e_phnum) !=
+					hdr->e_phentsize * hdr->e_phnum)
+			goto err_out32;
+
+		// Check for rpath record
+		for (i = 0; i < hdr->e_phnum; i++) {
+			if (ph_tbl[i].p_type == PT_LOAD)
+				info |= HAS_LOAD;
+			else if (ph_tbl[i].p_type == PT_DYNAMIC) {
+				unsigned int j = 0;
+				unsigned int num;
+
+				info |= HAS_DYNAMIC;
+				Elf64_Dyn *dyn_tbl = malloc(ph_tbl[i].p_filesz);
+				if((unsigned int)lseek(fd, ph_tbl[i].p_offset,
+							SEEK_SET) !=
+						ph_tbl[i].p_offset)
+					goto err_out32;
+
+				num = ph_tbl[i].p_filesz / sizeof(Elf64_Dyn);
+				if (num > 1000)
+					goto err_out32;
+
+				if ((unsigned int)safe_read(fd, (char *)dyn_tbl,
+						ph_tbl[i].p_filesz) !=
+						ph_tbl[i].p_filesz)
+					goto err_out32;
+
+				while (j < num) {
+					if (dyn_tbl[j].d_tag == DT_NEEDED) {
+					} else if (dyn_tbl[j].d_tag == DT_RUNPATH)
+						info |= HAS_RPATH;
+					else if (dyn_tbl[j].d_tag == DT_RPATH) {
+						info |= HAS_RPATH;
+						break;
+					}
+					j++;
+				} 
+				free(dyn_tbl); 
+			}
+			if (info & HAS_RPATH)
+				break;
+		}
+		goto done32;
+err_out32:
+//		free(e->first_lib);
+//		free(e);
+//		e = NULL;
+		info |= HAS_ERROR;
+done32:
+		free(ph_tbl);
+		free(hdr);
+	} else if (e_ident[4] == 2) {
+		unsigned i;
+		Elf64_Phdr *ph_tbl;
+		
+		Elf64_Ehdr *hdr = read_header64(fd);
+		if (hdr == NULL)
+			return 0;
+
+		// Look for program header information
+		// FIXME: Should there be a size check?
+		ph_tbl = malloc(hdr->e_phentsize * hdr->e_phnum);
+		if ((unsigned int)lseek(fd, (off_t)hdr->e_phoff, SEEK_SET) !=
+					hdr->e_phoff)
+			goto err_out64;
+
+		// Read in complete table
+		if ((unsigned int)safe_read(fd, (char *)ph_tbl,
+					hdr->e_phentsize * hdr->e_phnum) !=
+					hdr->e_phentsize * hdr->e_phnum)
+			goto err_out64;
+
+		// Check for rpath record
+		for (i = 0; i < hdr->e_phnum; i++) {
+			if (ph_tbl[i].p_type == PT_LOAD)
+				info |= HAS_LOAD;
+			if (ph_tbl[i].p_type == PT_DYNAMIC) {
+				unsigned int j = 0;
+				unsigned int num;
+
+				info |= HAS_DYNAMIC;
+				Elf64_Dyn *dyn_tbl = malloc(ph_tbl[i].p_filesz);
+				if ((unsigned int)lseek(fd, ph_tbl[i].p_offset,
+							SEEK_SET) !=
+						ph_tbl[i].p_offset)
+					goto err_out64;
+
+				num = ph_tbl[i].p_filesz / sizeof(Elf64_Dyn);
+				if (num > 1000)
+					goto err_out64;
+
+				if ((unsigned int)safe_read(fd, (char *)dyn_tbl,
+						ph_tbl[i].p_filesz) !=
+						ph_tbl[i].p_filesz)
+					goto err_out64;
+
+				while (j < num) {
+					if (dyn_tbl[j].d_tag == DT_NEEDED) {
+					} else if (dyn_tbl[j].d_tag == DT_RUNPATH)
+						info |= HAS_RPATH;
+					else if (dyn_tbl[j].d_tag == DT_RPATH) {
+						info |= HAS_RPATH;
+						break;
+					}
+					j++;
+				}
+				free(dyn_tbl); 
+			}
+			if (info & HAS_RPATH)
+				break;
+		}
+		goto done64;
+err_out64:
+//		free(e->first_lib);
+//		free(e);
+//		e = NULL;
+		info |= HAS_ERROR;
+done64:
+		free(ph_tbl);
+		free(hdr);
+	}
+	lseek(fd, 0, SEEK_SET);
+	return info;
+}
+
diff --git a/src/file.h b/src/file.h
@@ -25,6 +25,7 @@
 #define FILE_HEADER
 
 #include <sys/types.h>
+#include <stdint.h>
 
 // Information we will cache to identify the same executable
 struct file_info
@@ -46,5 +47,6 @@ char *get_device_from_stat(unsigned int device, size_t blen, char *buf);
 char *get_file_type_from_fd(int fd, size_t blen, char *buf);
 int  check_packaged_from_file(const char *filename);
 char *get_hash_from_fd(int fd);
+uint32_t gather_elf(int fd);
 
 #endif
diff --git a/src/process.c b/src/process.c
@@ -57,6 +57,7 @@ struct proc_info *stat_proc_entry(pid_t pid)
 		info->path2 = NULL;
 		info->path3 = NULL;
 		info->state = STATE_COLLECTING;
+		info->elf_info = 0;
 
 		return info;
 	}
diff --git a/src/process.h b/src/process.h
@@ -25,9 +25,19 @@
 #define PROCESS_HEADER
 
 #include <sys/types.h>
+#include <stdint.h>
 
 typedef enum { STATE_COLLECTING=0, STATE_PARTIAL, STATE_FULL, STATE_NORMAL,
-	STATE_LD_PRELOAD, STATE_BAD_INTERPRETER, STATE_LD_SO } state_t;
+	STATE_NOT_ELF, STATE_LD_PRELOAD, STATE_BAD_INTERPRETER,
+	STATE_LD_SO } state_t;
+
+// This is used to determine what kind of elf file we are looking at.
+// HAS_LOAD but no HAS_DYNAMIC is staticly linked app. Normally you see both.
+#define IS_ELF		0x01
+#define HAS_ERROR	0x02
+#define HAS_RPATH	0x04
+#define HAS_DYNAMIC	0x08
+#define HAS_LOAD	0x10
 
 // Information we will cache to identify the same executable
 struct proc_info
@@ -36,11 +46,11 @@ struct proc_info
 	dev_t	device;
 	ino_t	inode;
 	struct timespec time;
-	// FIXME: We can jettison paths when state reaches > Full
 	state_t state;
 	char *path1;
 	char *path2;
 	char *path3;
+	uint32_t elf_info;
 };
 
 struct proc_info *stat_proc_entry(pid_t pid);
diff --git a/src/rules.c b/src/rules.c
@@ -441,9 +441,14 @@ static int subj_pattern_test(subject_attr_t *s, event_t *e)
 	int rc = 0;
 	struct proc_info *pinfo = e->s->info;
 
-	// If still collecting, we can't decide yet.
-	if (pinfo->state == STATE_COLLECTING)
+	// If still collecting, and its an elf file, we can't decide yet.
+	if (pinfo->state == STATE_COLLECTING) {
+		if (pinfo->elf_info == 0) {
+			pinfo->state = STATE_NOT_ELF;
+			clear_proc_info(pinfo);
+		}
 		return rc;
+	}
 
 	// Do the analysis
 #ifdef NEW_WAY
@@ -498,10 +503,11 @@ msg(LOG_DEBUG, "path2: %s", pinfo->path2);
 			// To get here, pgm matched path1
 			if (strcmp(pinfo->path2, SYSTEM_LD_SO) == 0) {
 				// To get here interp is ld.so
-				if (strcmp(pinfo->path3, SYSTEM_LD_CACHE) == 0)
+				if (strcmp(pinfo->path3, SYSTEM_LD_CACHE) == 0
+				   || (pinfo->elf_info & HAS_RPATH))
 					// ld.so normally checks cache first
 					pinfo->state = STATE_NORMAL;
-				else
+				else 
 					// but preload does the preload
 					pinfo->state = STATE_LD_PRELOAD;
 			} else
@@ -514,9 +520,6 @@ msg(LOG_DEBUG, "path2: %s", pinfo->path2);
 	if (pinfo->state == STATE_PARTIAL)
 		return rc;
 
-	// Done with the paths
-	clear_proc_info(pinfo);
-
 	// Make a decision
 	switch (s->val)
 	{
@@ -525,8 +528,12 @@ msg(LOG_DEBUG, "path2: %s", pinfo->path2);
 				rc = 1;
 			break;
 		case PATTERN_LD_PRELOAD_VAL:
-			if (pinfo->state == STATE_LD_PRELOAD)
+			if (pinfo->state == STATE_LD_PRELOAD) {
 				rc = 1;
+				//msg(LOG_DEBUG, "path1: %s", pinfo->path1);
+				//msg(LOG_DEBUG, "path2: %s", pinfo->path2);
+				//msg(LOG_DEBUG, "path3: %s", pinfo->path3);
+			}
 			break;
 		case PATTERN_BAD_INTERPRETER_VAL:
 			if (pinfo->state == STATE_BAD_INTERPRETER)
@@ -538,6 +545,9 @@ msg(LOG_DEBUG, "path2: %s", pinfo->path2);
 			break;
 	}
 
+	// Done with the paths
+	clear_proc_info(pinfo);
+
 	return rc;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,7 @@ struct proc_info *stat_proc_entry(pid_t pid)`
`57`	`57`	`info->path2 = NULL;`
`58`	`58`	`info->path3 = NULL;`
`59`	`59`	`info->state = STATE_COLLECTING;`
	`60`	`+ info->elf_info = 0;`
`60`	`61`
`61`	`62`	`return info;`
`62`	`63`	`}`