[Libguestfs] [PATCH v7 6/7] New API: yara_scan
Richard W.M. Jones
rjones at redhat.com
Mon Apr 24 09:03:15 UTC 2017
On Sun, Apr 23, 2017 at 07:50:01PM +0300, Matteo Cafasso wrote:
> The yara_scan API parses the file generated by the daemon counterpart
> function and returns the list of yara_detection structs to the user.
>
> It writes the daemon's command output on a temporary file and parses it,
> deserialising the XDR formatted yara_detection structs.
>
> It returns to the caller the list of yara_detection structs generated by
> the internal_yara_scan command.
>
> Signed-off-by: Matteo Cafasso <noxdafox at gmail.com>
> ---
> generator/actions.ml | 3 +-
> generator/actions_yara.ml | 28 ++++++++++
> generator/actions_yara.mli | 1 +
> lib/Makefile.am | 1 +
> lib/yara.c | 130 +++++++++++++++++++++++++++++++++++++++++++++
> 5 files changed, 162 insertions(+), 1 deletion(-)
> create mode 100644 lib/yara.c
>
> diff --git a/generator/actions.ml b/generator/actions.ml
> index 6e11d99c3..2722f3dcd 100644
> --- a/generator/actions.ml
> +++ b/generator/actions.ml
> @@ -38,7 +38,8 @@ let non_daemon_functions =
> Actions_inspection_deprecated.non_daemon_functions @
> Actions_properties.non_daemon_functions @
> Actions_properties_deprecated.non_daemon_functions @
> - Actions_tsk.non_daemon_functions
> + Actions_tsk.non_daemon_functions @
> + Actions_yara.non_daemon_functions
>
> (* daemon_functions are any functions which cause some action
> * to take place in the daemon.
> diff --git a/generator/actions_yara.ml b/generator/actions_yara.ml
> index 1f7decdd4..5afbd47e9 100644
> --- a/generator/actions_yara.ml
> +++ b/generator/actions_yara.ml
> @@ -22,6 +22,34 @@ open Types
>
> (* Yara APIs. *)
>
> +let non_daemon_functions = [
> + { defaults with
> + name = "yara_scan"; added = (1, 37, 12);
> + style = RStructList ("detections", "yara_detection"), [Pathname "path"], [];
> + optional = Some "libyara";
> + progress = true; cancellable = true;
> + shortdesc = "scan a file with the loaded yara rules";
> + longdesc = "\
> +Scan a file with the previously loaded Yara rules.
> +
> +For each matching rule, a C<yara_detection> structure is returned.
> +
> +The C<yara_detection> structure contains the following fields.
> +
> +=over 4
> +
> +=item C<yara_name>
> +
> +Path of the file matching a Yara rule.
> +
> +=item C<yara_rule>
> +
> +Identifier of the Yara rule which matched against the given file.
> +
> +=back" };
> +
> +]
> +
> let daemon_functions = [
> { defaults with
> name = "yara_load"; added = (1, 37, 12);
> diff --git a/generator/actions_yara.mli b/generator/actions_yara.mli
> index 23eefe068..06b8116c4 100644
> --- a/generator/actions_yara.mli
> +++ b/generator/actions_yara.mli
> @@ -18,4 +18,5 @@
>
> (* Please read generator/README first. *)
>
> +val non_daemon_functions : Types.action list
> val daemon_functions : Types.action list
> diff --git a/lib/Makefile.am b/lib/Makefile.am
> index 063706f8f..fc55c2dcf 100644
> --- a/lib/Makefile.am
> +++ b/lib/Makefile.am
> @@ -127,6 +127,7 @@ libguestfs_la_SOURCES = \
> wait.c \
> whole-file.c \
> version.c \
> + yara.c \
> libguestfs.syms
>
> libguestfs_la_CPPFLAGS = \
> diff --git a/lib/yara.c b/lib/yara.c
> new file mode 100644
> index 000000000..4e0dc3fe0
> --- /dev/null
> +++ b/lib/yara.c
> @@ -0,0 +1,130 @@
> +/* libguestfs
> + * Copyright (C) 2016 Red Hat Inc.
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, write to the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> + */
> +
> +#include <config.h>
> +
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <fcntl.h>
> +#include <unistd.h>
> +#include <sys/stat.h>
> +#include <sys/types.h>
> +#include <string.h>
> +#include <rpc/xdr.h>
> +#include <rpc/types.h>
> +
> +#include "guestfs.h"
> +#include "guestfs_protocol.h"
> +#include "guestfs-internal.h"
> +#include "guestfs-internal-all.h"
> +#include "guestfs-internal-actions.h"
> +
> +static struct guestfs_yara_detection_list *parse_yara_detection_file (guestfs_h *, const char *);
> +static int deserialise_yara_detection_list (guestfs_h *, FILE *, struct guestfs_yara_detection_list *);
> +
> +struct guestfs_yara_detection_list *
> +guestfs_impl_yara_scan (guestfs_h *g, const char *path)
> +{
> + int r = 0;
> + CLEANUP_UNLINK_FREE char *tmpfile = NULL;
> +
> + tmpfile = guestfs_int_make_temp_path (g, "yara_scan");
> + if (tmpfile == NULL)
> + return NULL;
> +
> + r = guestfs_internal_yara_scan (g, path, tmpfile);
> + if (r == -1)
> + return NULL;
> +
> + return parse_yara_detection_file (g, tmpfile); /* caller frees */
> +}
> +
> +/* Parse the file content and return detections list.
> + * Return a list of yara_detection on success, NULL on error.
> + */
> +static struct guestfs_yara_detection_list *
> +parse_yara_detection_file (guestfs_h *g, const char *tmpfile)
> +{
> + int r = 0;
> + CLEANUP_FCLOSE FILE *fp = NULL;
> + struct guestfs_yara_detection_list *detections = NULL;
> +
> + fp = fopen (tmpfile, "r");
> + if (fp == NULL) {
> + perrorf (g, "fopen: %s", tmpfile);
> + return NULL;
> + }
> +
> + /* Initialise results array. */
> + detections = safe_malloc (g, sizeof (*detections));
> + detections->len = 8;
> + detections->val = safe_malloc (g, detections->len *
> + sizeof (*detections->val));
> +
> + /* Deserialise buffer into detection list. */
> + r = deserialise_yara_detection_list (g, fp, detections);
> + if (r == -1) {
> + guestfs_free_yara_detection_list (detections);
> + perrorf (g, "guestfs_free_yara_detection_list");
> + return NULL;
> + }
> +
> + return detections;
> +}
> +
> +/* Deserialise the file content and populate the detection list.
> + * Return the number of deserialised detections, -1 on error.
> + */
> +static int
> +deserialise_yara_detection_list (guestfs_h *g, FILE *fp,
> + struct guestfs_yara_detection_list *detections)
> +{
> + XDR xdr;
> + int r = 0;
> + uint32_t index = 0;
> + struct stat statbuf;
> +
> + r = fstat (fileno(fp), &statbuf);
> + if (r == -1) {
> + perrorf (g, "fstat");
> + return -1;
> + }
> +
> + xdrstdio_create (&xdr, fp, XDR_DECODE);
> +
> + for (index = 0; xdr_getpos (&xdr) < statbuf.st_size; index++) {
> + if (index == detections->len) {
> + detections->len = 2 * detections->len;
> + detections->val = safe_realloc (g, detections->val,
> + detections->len *
> + sizeof (*detections->val));
> + }
> +
> + /* Clear the entry so xdr logic will allocate necessary memory. */
> + memset (&detections->val[index], 0, sizeof (*detections->val));
> + r = xdr_guestfs_int_yara_detection (&xdr, (guestfs_int_yara_detection *)
> + &detections->val[index]);
> + if (r == 0)
> + break;
> + }
> +
> + xdr_destroy (&xdr);
> + detections->len = index;
> +
> + return r ? 0 : -1;
Still missing a call to error/perrorf along the error path.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
More information about the Libguestfs
mailing list