-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathprocesses.h
116 lines (94 loc) · 3.54 KB
/
processes.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
// Copyright 2021 The ChromiumOS Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef SECANOMALYD_PROCESSES_H_
#define SECANOMALYD_PROCESSES_H_
#include <sys/types.h>
#include <bitset>
#include <optional>
#include <set>
#include <string>
#include <vector>
#include <base/files/file_path.h>
#include <base/strings/string_piece.h>
#include <brillo/process/process.h>
namespace secanomalyd {
using FilePaths = std::set<base::FilePath>;
const base::FilePath kProcPathBase("/proc");
namespace testing {
class ProcessesTestFixture;
}
class ProcEntry {
public:
// A given process can be sandboxed using zero or more mechanisms.
using SandboxStatus = std::bitset<6>;
static constexpr size_t kLandlockBit = 0; // Least Significant Bit
static constexpr size_t kSecCompBit = 1;
static constexpr size_t kSELinuxBit = 2;
static constexpr size_t kNoNewPrivsBit = 3;
static constexpr size_t kNonRootBit = 4;
static constexpr size_t kNoCapSysAdminBit = 5;
static std::optional<ProcEntry> CreateFromPath(
const base::FilePath& pid_path);
// Copying the private fields is fine.
ProcEntry(const ProcEntry& other) = default;
ProcEntry& operator=(const ProcEntry& other) = default;
pid_t pid() const { return pid_; }
pid_t ppid() const { return ppid_; }
ino_t pidns() const { return pidns_; }
ino_t mntns() const { return mntns_; }
ino_t userns() const { return userns_; }
std::string comm() const { return comm_; }
std::string args() const { return args_; }
SandboxStatus sandbox_status() const { return sandbox_status_; }
std::string FullDescription() const;
private:
friend class testing::ProcessesTestFixture;
FRIEND_TEST(SignatureTest, SignatureForOneProc);
FRIEND_TEST(SignatureTest, SignatureForMultipleProcs);
FRIEND_TEST(ReporterTest, SimpleForbiddenIntersectionReport);
FRIEND_TEST(ReporterTest, MountAndProcessAnomalyReport);
FRIEND_TEST(ReporterTest, FullReport);
ProcEntry(pid_t pid,
pid_t ppid,
ino_t pidns,
ino_t mntns,
ino_t userns,
std::string comm,
std::string args,
SandboxStatus sandbox_status)
: pid_(pid),
ppid_(ppid),
pidns_(pidns),
mntns_(mntns),
userns_(userns),
comm_(comm),
args_(args),
sandbox_status_(sandbox_status) {}
pid_t pid_;
pid_t ppid_;
ino_t pidns_;
ino_t mntns_;
ino_t userns_;
std::string comm_;
std::string args_;
SandboxStatus sandbox_status_;
};
using MaybeProcEntry = std::optional<ProcEntry>;
using ProcEntries = std::vector<ProcEntry>;
using MaybeProcEntries = std::optional<ProcEntries>;
enum class ProcessFilter { kAll = 0, kInitPidNamespaceOnly, kNoKernelTasks };
MaybeProcEntries ReadProcesses(ProcessFilter filter,
const base::FilePath& proc = kProcPathBase);
// These functions filter processes by copying the appropriate entries from
// |all_procs| into |filtered_procs|. |FilterNinInitPidNsProcesses()| returns
// false if the init process is not found.
void FilterKernelProcesses(const ProcEntries& all_procs,
ProcEntries& filtered_procs);
bool FilterNonInitPidNsProcesses(const ProcEntries& all_procs,
ProcEntries& filtered_procs);
bool IsProcInForbiddenIntersection(const ProcEntry& process,
const ProcEntry& init_proc);
MaybeProcEntry GetInitProcEntry(const ProcEntries& proc_entries);
} // namespace secanomalyd
#endif // SECANOMALYD_PROCESSES_H_