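--- a/src/library/event.c
+++ b/src/library/event.c
@@ -132,7 +132,15 @@ int new_event(const struct fanotify_even
 if ((s->info->state == STATE_COLLECTING) &&
 (e->type & FAN_OPEN_PERM) && !rc) {
 skip_path = 1;
+
 s->info->state = STATE_REOPEN;
+
+ // special branch after ld_so exec
+ // next opens will go fall trough
+ if (s->info->path1 &&
+ (strcmp(s->info->path1, SYSTEM_LD_SO) == 0))
+ s->info->state = STATE_DEFAULT_REOPEN;
+
 }
 
 // If not same proc or we detect execution, evict
@@ -149,7 +157,6 @@ int new_event(const struct fanotify_even
 skip_path = 1;
 }
 evict = 0;
- skip_path = 1;
 subject_reset(s, EXE);
 subject_reset(s, COMM);
 subject_reset(s, EXE_TYPE);
@@ -165,6 +172,7 @@ int new_event(const struct fanotify_even
 skip_path = 1;
 }
 
+
 // If we've seen the reopen and its an execute and process
 // has an interpreter and we're the same process, don't evict
 // and don't collect the path since reopen interp will. The
@@ -173,14 +181,25 @@ int new_event(const struct fanotify_even
 if ((s->info->state == STATE_REOPEN) && !skip_path &&
 (e->type & FAN_OPEN_EXEC_PERM) &&
 (s->info->elf_info & HAS_INTERP) && !rc) {
+ s->info->state = STATE_DEFAULT_REOPEN;
 evict = 0;
 skip_path = 1;
 }
 
+
+ // this is what differs between STATE_REOPEN and
+ // STATE_DEFAULT_REOPEN
+ // in STATE_REOPEN path is always skipped
+ if ((s->info->state == STATE_REOPEN) && !skip_path &&
+ (e->type & FAN_OPEN_PERM) && !rc) {
+ skip_path = 1;
+ }
+
 if (evict) {
 lru_evict(subj_cache, key);
 q_node = check_lru_cache(subj_cache, key);
 s = (s_array *)q_node->item;
+
 } else if (s->cnt == 0)
 msg(LOG_DEBUG, "cached subject has cnt of 0");
 }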
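Review bot: The new ld.so branch in the first hunk picks the state with `strcmp(s->info->path1, SYSTEM_LD_SO) == 0`, an exact match against one constant defined outside this patch, and nothing here records what is expected when path1 names a loader under any other string. Such a subject stays in STATE_REOPEN, where the block added in the last hunk sets `skip_path = 1` on the next FAN_OPEN_PERM, so which paths get collected afterwards appears to hinge on that single comparison. I would document the assumption at the comparison, for example `// path1 is compared verbatim with SYSTEM_LD_SO; any other loader path stays in STATE_REOPEN`, and confirm that path1 is already canonical at this point. The assignment under the two-line `if` would also read more safely with braces. new_event starts and ends outside these hunks.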
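--- a/src/library/process.h
+++ b/src/library/process.h
@@ -31,7 +31,8 @@
 #include "gcc-attributes.h"
 
 typedef enum { STATE_COLLECTING=0, // initial state - execute
- STATE_REOPEN, // anticipating open perm next
+ STATE_REOPEN, // anticipating open perm next, always skips the path
+ STATE_DEFAULT_REOPEN, // reopen after dyn. linker exec, never skips the path
 STATE_STATIC_REOPEN, // static app aniticipating
 STATE_PARTIAL, // second path collected
 STATE_STATIC_PARTIAL, // second path collected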
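Review bot: The two enum comments overstate what the event.c half of this patch does: STATE_REOPEN skips the path only for a FAN_OPEN_PERM event with `!rc`, and the branch that moves from STATE_REOPEN to STATE_DEFAULT_REOPEN sets `skip_path = 1` for that same event. Wording such as `// anticipating open perm next; that open's path is not collected` and `// reopen after dyn. linker exec; later opens are not skipped by the REOPEN rule` would match the code more closely. Inserting STATE_DEFAULT_REOPEN before STATE_STATIC_REOPEN also shifts the numeric value of every later enumerator, which is harmless only if the states are never compared by order or written out as numbers; that cannot be checked from this hunk. The enum continues past the end of the hunk.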