import logging
import tempfile

import syscalls
import execute
import fcntl

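# Register named groups of syscall names with the project's `syscalls`
# module.  Each key names a set; each value lists the syscalls that belong
# to it.  How the module exposes these groups (e.g. as SYS_<Name> globals)
# is decided inside declare_syscall_sets, which is not visible here.
#
# NOTE(review): only the exact names listed are grouped.  Variants such as
# "openat", "lstat" or "unlinkat" are not in these lists; confirm that this
# matches the syscalls the traced binaries actually emit on the target ABI.
syscalls.declare_syscall_sets({
        "Check"      : ["stat", "stat64", "access"],
        "FileCreate" : ["creat", "link", "mknod", "open", "rename"],
        "LinkCreate" : ["link", "symlink", "rename"],
        "DirCreate"  : ["mkdir", "rename"],
        # "rename" was listed twice here; the duplicate entry was dropped.
        "FileRemove" : ["unlink", "rename", "mknod"],
        "LinkRemove" : ["unlink", "rename"],
        "DirRemove"  : ["rmdir", "rename"],
        "FileWrite"  : ["chmod", "chown", "truncate", "open"],
        "FileRead"   : ["open", "execve"],
        "LinkWrite"  : ["link", "symlink"],
        "LinkRead"   : ["readlink"],
        "DirWrite"   : ["chmod", "chown", "open"],
        "DirRead"    : ["mount", "chdir", "chroot", "open", "execve"],
        "ProcCreat"  : ["fork", "vfork", "clone"],
        "DirChange"  : ["chdir", "chroot"],
        })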

##################################################################

# Module-level registries.  They start empty; whatever appends to them is
# not visible in this part of the file.
patterns = []
attackers = []
queriers = []
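class PredetectBookmarks:
    """Base class for bookmark hooks.

    The base implementation never asks for a bookmark, does nothing after
    a replay, and refuses to handle a bookmark it was never asked for.
    Subclasses override the hooks as needed.
    """

    def __init__(self):
        pass

    def need_bookmark(self, event, before=False, after=False):
        """Return whether *event* needs a bookmark before/after it.

        The base class never requests one.
        """
        return False

    def upon_bookmark(self, event, exe, before=False, after=False):
        """Handle a bookmark for *event*; must be overridden.

        Raises:
            NotImplementedError: always, in the base class.  The original
            ``assert False`` is stripped under ``python -O`` and would
            then silently return None instead of failing.
        """
        raise NotImplementedError(
            "%s.upon_bookmark must be overridden" % type(self).__name__)

    def after_replay(self, graph, event):
        """Hook run after a replay; the base class does nothing."""
        pass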

# Register one more named syscall group: the calls that change a process's
# path namespace (cwd or root).  Presumably exposed as SYS_ChangePath by
# declare_syscall_sets, which lives outside this file -- confirm.
syscalls.declare_syscall_sets({"ChangePath": ["chroot", "chdir", "fchdir"]})

class BookmarksForPaths(PredetectBookmarks):
    def need_bookmark(self, event, before=False, after=False):
        return (before and event == event.proc.syscalls[0]) or \
               (after and event.nr in SYS_ChangePath)

    def upon_bookmark(self, event, exe, before=False, after=False):
        pid = exe.pids[event.proc.pid]
        proc = exe.chroot + '/proc'
        cwd = os.readlink('%s/%d/cwd' % (proc, pid))
        root = os.readlink('%s/%d/root' % (proc, pid))
        event.proc.cwd = \
            os.path.normpath('/' + os.path.relpath(cwd, root))
        event.proc.root = \