
Method processFileActivity

pkg/monitor/ptrace/ptrace.go:264–382  ·  view source on GitHub ↗
(e *syscallEvent)


262}
263
264func (app *App) processFileActivity(e *syscallEvent) {
265 if e.pathParam != "" {
266 logger := app.logger.WithField("op", "processFileActivity")
267 p, found := syscallProcessors[int(e.callNum)]
268 if !found {
269 logger.Debugf("no syscall processor - %#v", e)
270 //shouldn't happen
271 return
272 }
273
274 if (p.SyscallType() == CheckFileType ||
275 p.SyscallType() == OpenFileType) &&
276 p.OKReturnStatus(e.retVal) {
277 //todo: filter "/proc/", "/sys/", "/dev/" externally
278 if e.pathParam != "." &&
279 e.pathParam != "/proc" &&
280 !strings.HasPrefix(e.pathParam, "/proc/") &&
281 !strings.HasPrefix(e.pathParam, "/sys/") &&
282 !strings.HasPrefix(e.pathParam, "/dev/") {
283 if fsa, ok := app.fsActivity[e.pathParam]; ok {
284 fsa.OpsAll++
285 fsa.Pids[e.pid] = struct{}{}
286 fsa.Syscalls[int(e.callNum)] = struct{}{}
287
288 if processor, found := syscallProcessors[int(e.callNum)]; found {
289 switch processor.SyscallType() {
290 case CheckFileType:
291 fsa.OpsCheckFile++
292 }
293 }
294 } else {
295 fsa := &report.FSActivityInfo{
296 OpsAll: 1,
297 OpsCheckFile: 1,
298 Pids: map[int]struct{}{},
299 Syscalls: map[int]struct{}{},
300 }
301
302 fsa.Pids[e.pid] = struct{}{}
303 fsa.Syscalls[int(e.callNum)] = struct{}{}
304
305 app.fsActivity[e.pathParam] = fsa
306 }
307
308 if app.del != nil {
309 //NOTE:
310 //not capturing the 'dirfd' syscall params necessary
311 //to reconstruct relative paths for some syscalls (todo: improve later)
312 delEvent := &report.MonitorDataEvent{
313 Source: report.MDESourcePT,
314 Type: report.MDETypeArtifact,
315 Pid: int32(e.pid),
316 Artifact: e.pathParam, //note: might not be full path
317 OpNum: e.callNum,
318 Op: p.SyscallName(),
319 }
320
321 switch p.SyscallType() {
