(e *syscallEvent)
| 262 | } |
| 263 | |
| 264 | func (app *App) processFileActivity(e *syscallEvent) { |
| 265 | if e.pathParam != "" { |
| 266 | logger := app.logger.WithField("op", "processFileActivity") |
| 267 | p, found := syscallProcessors[int(e.callNum)] |
| 268 | if !found { |
| 269 | logger.Debugf("no syscall processor - %#v", e) |
| 270 | //shouldn't happen |
| 271 | return |
| 272 | } |
| 273 | |
| 274 | if (p.SyscallType() == CheckFileType || |
| 275 | p.SyscallType() == OpenFileType) && |
| 276 | p.OKReturnStatus(e.retVal) { |
| 277 | //todo: filter "/proc/", "/sys/", "/dev/" externally |
| 278 | if e.pathParam != "." && |
| 279 | e.pathParam != "/proc" && |
| 280 | !strings.HasPrefix(e.pathParam, "/proc/") && |
| 281 | !strings.HasPrefix(e.pathParam, "/sys/") && |
| 282 | !strings.HasPrefix(e.pathParam, "/dev/") { |
| 283 | if fsa, ok := app.fsActivity[e.pathParam]; ok { |
| 284 | fsa.OpsAll++ |
| 285 | fsa.Pids[e.pid] = struct{}{} |
| 286 | fsa.Syscalls[int(e.callNum)] = struct{}{} |
| 287 | |
| 288 | if processor, found := syscallProcessors[int(e.callNum)]; found { |
| 289 | switch processor.SyscallType() { |
| 290 | case CheckFileType: |
| 291 | fsa.OpsCheckFile++ |
| 292 | } |
| 293 | } |
| 294 | } else { |
| 295 | fsa := &report.FSActivityInfo{ |
| 296 | OpsAll: 1, |
| 297 | OpsCheckFile: 1, |
| 298 | Pids: map[int]struct{}{}, |
| 299 | Syscalls: map[int]struct{}{}, |
| 300 | } |
| 301 | |
| 302 | fsa.Pids[e.pid] = struct{}{} |
| 303 | fsa.Syscalls[int(e.callNum)] = struct{}{} |
| 304 | |
| 305 | app.fsActivity[e.pathParam] = fsa |
| 306 | } |
| 307 | |
| 308 | if app.del != nil { |
| 309 | //NOTE: |
| 310 | //not capturing the 'dirfd' syscall params necessary |
| 311 | //to reconstruct relative paths for some syscalls (todo: improve later) |
| 312 | delEvent := &report.MonitorDataEvent{ |
| 313 | Source: report.MDESourcePT, |
| 314 | Type: report.MDETypeArtifact, |
| 315 | Pid: int32(e.pid), |
| 316 | Artifact: e.pathParam, //note: might not be full path |
| 317 | OpNum: e.callNum, |
| 318 | Op: p.SyscallName(), |
| 319 | } |
| 320 | |
| 321 | switch p.SyscallType() { |