static SEXP_t *oval_entity_to_sexp(struct oval_entity *ent) { SEXP_t *elm, *elm_name; SEXP_t *r0, *r1, *r2; oval_datatype_t datatype; oval_entity_varref_type_t vr_type; elm_name = SEXP_list_new(r0 = SEXP_string_newf("%s", oval_entity_get_name(ent)), /* operation */ r1 = SEXP_string_new(":operation", 10), r2 = SEXP_number_newu_32(oval_entity_get_operation(ent)), NULL); SEXP_vfree(r0, r1, r2, NULL); if (oval_entity_get_mask(ent)) { SEXP_list_add(elm_name, r0 = SEXP_string_new("mask", 4)); SEXP_free(r0); } elm = SEXP_list_new(NULL); datatype = oval_entity_get_datatype(ent); probe_ent_setdatatype(elm, datatype); vr_type = oval_entity_get_varref_type(ent); if (vr_type == OVAL_ENTITY_VARREF_ATTRIBUTE || vr_type == OVAL_ENTITY_VARREF_ELEMENT) { /* var_ref */ struct oval_variable *var; var = oval_entity_get_variable(ent); SEXP_list_add(elm_name, r0 = SEXP_string_new(":var_ref", 8)); SEXP_list_add(elm_name, r1 = SEXP_string_newf("%s", oval_variable_get_id(var))); SEXP_list_add(elm, elm_name); SEXP_vfree(r0, r1, elm_name, NULL); } else { /* value */ struct oval_value *val; SEXP_list_add(elm, elm_name); SEXP_free(elm_name); val = oval_entity_get_value(ent); if (datatype != OVAL_DATATYPE_RECORD && val != NULL) { SEXP_t *val_sexp; val_sexp = oval_value_to_sexp(val, datatype); if (val_sexp != NULL) { SEXP_list_add(elm, val_sexp); SEXP_free(val_sexp); } } } return (elm); }
/* temporary workaround to generate ids */ static void _gen_item_id(SEXP_t *item) { static uint32_t id = 0; SEXP_t sid, *name_ref, *tmp; SEXP_string_newf_r(&sid, "1%05u%u", getpid(), ++id); name_ref = SEXP_listref_first(item); tmp = SEXP_list_replace(name_ref, 3, &sid); SEXP_vfree(name_ref, tmp, NULL); SEXP_free_r(&sid); }
static SEXP_t *oval_filter_to_sexp(struct oval_filter *filter) { SEXP_t *elm, *attr, *r0, *r1; oval_filter_action_t act; struct oval_state *ste; char *ste_id; act = oval_filter_get_filter_action(filter); ste = oval_filter_get_state(filter); ste_id = oval_state_get_id(ste); attr = probe_attr_creat("action", r0 = SEXP_number_newu(act), NULL); elm = probe_ent_creat1("filter", attr, r1 = SEXP_string_newf("%s", ste_id)); SEXP_vfree(attr, r0, r1, NULL); return (elm); }
int probe_main(probe_ctx *ctx, void *arg) { SEXP_t *object; int err; llist ll; oval_schema_version_t over; object = probe_ctx_getobject(ctx); over = probe_obj_get_platform_schema_version(object); interface_name_ent = probe_obj_getent(object, "interface_name", 1); if (interface_name_ent == NULL) { err = PROBE_ENOVAL; goto cleanup; } // Now start collecting the info list_create(&ll); if (collect_process_info(&ll) || perm_warn) { SEXP_t *msg; msg = probe_msg_creat(OVAL_MESSAGE_LEVEL_ERROR, "Permission error."); probe_cobj_add_msg(probe_ctx_getresult(ctx), msg); SEXP_free(msg); probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_ERROR); err = 0; goto cleanup; } read_packet(&ll, ctx, over); list_clear(&ll); err = 0; cleanup: SEXP_vfree(interface_name_ent, NULL); return err; }
int probe_main(probe_ctx *ctx, void *arg) { SEXP_t *path_ent, *file_ent, *inst_ent, *bh_ent, *patt_ent, *filepath_ent, *probe_in; SEXP_t *r0; /* char *i_val, *m_val, *s_val; */ bool val; struct pfdata pfd; int ret = 0; #if defined USE_REGEX_PCRE int errorffset = -1; const char *error; #elif defined USE_REGEX_POSIX regex_t _re; pfd.compiled_regex = &_re; int err; #endif OVAL_FTS *ofts; OVAL_FTSENT *ofts_ent; (void)arg; memset(&pfd, 0, sizeof(pfd)); probe_in = probe_ctx_getobject(ctx); over = probe_obj_get_platform_schema_version(probe_in); path_ent = probe_obj_getent(probe_in, "path", 1); file_ent = probe_obj_getent(probe_in, "filename", 1); inst_ent = probe_obj_getent(probe_in, "instance", 1); patt_ent = probe_obj_getent(probe_in, "pattern", 1); filepath_ent = probe_obj_getent(probe_in, "filepath", 1); bh_ent = probe_obj_getent(probe_in, "behaviors", 1); /* we want (path+filename or filepath) + instance + pattern*/ if ( ((path_ent == NULL || file_ent == NULL) && filepath_ent==NULL) || inst_ent==NULL || patt_ent==NULL) { SEXP_free (patt_ent); ret = PROBE_ENOELM; goto cleanup; } /* get pattern from SEXP */ SEXP_t *ent_val; ent_val = probe_ent_getval(patt_ent); pfd.pattern = SEXP_string_cstr(ent_val); assume_d(pfd.pattern != NULL, -1); SEXP_free(patt_ent); SEXP_free(ent_val); /* wtf? i_val = s_val = "0"; m_val = "1"; */ /* reset filebehavior attributes if 'filepath' entity is used */ if (filepath_ent != NULL && bh_ent != NULL) { SEXP_t *r1, *r2, *r3; r1 = probe_ent_getattrval(bh_ent, "ignore_case"); r2 = probe_ent_getattrval(bh_ent, "multiline"); r3 = probe_ent_getattrval(bh_ent, "singleline"); r0 = probe_attr_creat("ignore_case", r1, "multiline", r2, "singleline", r3, NULL); SEXP_free(bh_ent); bh_ent = probe_ent_creat1("behaviors", r0, NULL); SEXP_vfree(r0, r1, r2, r3, NULL); } probe_tfc54behaviors_canonicalize(&bh_ent); pfd.instance_ent = inst_ent; pfd.ctx = ctx; #if defined USE_REGEX_PCRE pfd.re_opts = PCRE_UTF8; r0 = probe_ent_getattrval(bh_ent, "ignore_case"); if (r0) { val = SEXP_string_getb(r0); SEXP_free(r0); if (val) pfd.re_opts |= PCRE_CASELESS; } r0 = probe_ent_getattrval(bh_ent, "multiline"); if (r0) { val = SEXP_string_getb(r0); SEXP_free(r0); if (val) pfd.re_opts |= PCRE_MULTILINE; } r0 = probe_ent_getattrval(bh_ent, "singleline"); if (r0) { val = SEXP_string_getb(r0); SEXP_free(r0); if (val) pfd.re_opts |= PCRE_DOTALL; } pfd.compiled_regex = pcre_compile(pfd.pattern, pfd.re_opts, &error, &errorffset, NULL); if (pfd.compiled_regex == NULL) { SEXP_t *msg; msg = probe_msg_creatf(OVAL_MESSAGE_LEVEL_ERROR, "pcre_compile() '%s' %s.", pfd.pattern, error); probe_cobj_add_msg(probe_ctx_getresult(pfd.ctx), msg); SEXP_free(msg); probe_cobj_set_flag(probe_ctx_getresult(pfd.ctx), SYSCHAR_FLAG_ERROR); goto cleanup; } #elif defined USE_REGEX_POSIX pfd.re_opts = REG_EXTENDED | REG_NEWLINE; r0 = probe_ent_getattrval(bh_ent, "ignore_case"); if (r0) { val = SEXP_string_getb(r0); SEXP_free(r0); if (val) pfd.re_opts |= REG_ICASE; } if ((err = regcomp(pfd.compiled_regex, pfd.pattern, pfd.re_opts)) != 0) { SEXP_t *msg; msg = probe_msg_creatf(OVAL_MESSAGE_LEVEL_ERROR, "regcomp() '%s' returned %d.", pfd.pattern, err); probe_cobj_add_msg(probe_ctx_getresult(pfd.ctx), msg); SEXP_free(msg); probe_cobj_set_flag(probe_ctx_getresult(pfd.ctx), SYSCHAR_FLAG_ERROR); goto cleanup; } #endif if ((ofts = oval_fts_open(path_ent, file_ent, filepath_ent, bh_ent)) != NULL) { while ((ofts_ent = oval_fts_read(ofts)) != NULL) { if (ofts_ent->fts_info == FTS_F || ofts_ent->fts_info == FTS_SL) { // todo: handle return code process_file(ofts_ent->path, ofts_ent->file, &pfd); } oval_ftsent_free(ofts_ent); } oval_fts_close(ofts); } cleanup: SEXP_free(file_ent); SEXP_free(path_ent); SEXP_free(inst_ent); SEXP_free(bh_ent); SEXP_free(filepath_ent); if (pfd.pattern != NULL) oscap_free(pfd.pattern); #if defined USE_REGEX_PCRE if (pfd.compiled_regex != NULL) pcre_free(pfd.compiled_regex); #elif defined USE_REGEX_POSIX regfree(&_re); #endif return ret; }
void *probe_worker_runfn(void *arg) { probe_pwpair_t *pair = (probe_pwpair_t *)arg; SEXP_t *probe_res, *obj, *oid; int probe_ret; #if defined(HAVE_PTHREAD_SETNAME_NP) pthread_setname_np(pthread_self(), "probe_worker"); #endif dD("handling SEAP message ID %u", pair->pth->sid); // probe_ret = -1; probe_res = pair->pth->msg_handler(pair->probe, pair->pth->msg, &probe_ret); // dD("handler result = %p, return code = %d", probe_res, probe_ret); /* Assuming that the red-black tree API is doing locking for us... */ if (rbt_i32_del(pair->probe->workers, pair->pth->sid, NULL) != 0) { dW("thread not found in the probe thread tree, probably canceled by an external signal"); /* * XXX: this is a possible deadlock; we can't send anything from * here because the signal handler replied to the message */ arg = NULL; SEAP_msg_free(pair->pth->msg); SEXP_free(probe_res); oscap_free(pair); return (NULL); } else { SEXP_t *items; dD("probe thread deleted"); obj = SEAP_msg_get(pair->pth->msg); oid = probe_obj_getattrval(obj, "id"); items = probe_cobj_get_items(probe_res); if (items != NULL) { SEXP_list_sort(items, SEXP_refcmp); SEXP_free(items); } if (probe_rcache_sexp_add(pair->probe->rcache, oid, probe_res) != 0) { /* TODO */ abort(); } SEXP_vfree(obj, oid, NULL); } if (probe_ret != 0) { /* * Something bad happened. A hint of the cause is stored as a error code in * probe_ret (should be). We'll send it to the library using a SEAP error packet. */ if (SEAP_replyerr(pair->probe->SEAP_ctx, pair->probe->sd, pair->pth->msg, probe_ret) == -1) { int ret = errno; dE("An error ocured while sending error status. errno=%u, %s.", errno, strerror(errno)); SEXP_free(probe_res); /* FIXME */ exit(ret); } SEXP_free(probe_res); } else { SEAP_msg_t *seap_reply; /* * OK, the probe actually returned something, let's send it to the library. */ seap_reply = SEAP_msg_new(); SEAP_msg_set(seap_reply, probe_res); if (SEAP_reply(pair->probe->SEAP_ctx, pair->probe->sd, seap_reply, pair->pth->msg) == -1) { int ret = errno; SEAP_msg_free(seap_reply); SEXP_free(probe_res); exit(ret); } SEAP_msg_free(seap_reply); SEXP_free(probe_res); } SEAP_msg_free(pair->pth->msg); oscap_free(pair->pth); oscap_free(pair); pthread_detach(pthread_self()); return (NULL); }
static struct oval_sysent *oval_sexp_to_sysent(struct oval_syschar_model *model, struct oval_sysitem *item, SEXP_t * sexp, struct oval_string_map *mask_map) { char *key; oval_syschar_status_t status; oval_datatype_t dt; struct oval_sysent *ent; key = probe_ent_getname(sexp); if (!key) return NULL; if (strcmp("message", key) == 0 && item != NULL) { struct oval_message *msg; oval_message_level_t lvl; SEXP_t *lvl_sexp, *txt_sexp; char txt[1024]; lvl_sexp = probe_obj_getattrval(sexp, "level"); lvl = SEXP_number_getu_32(lvl_sexp); txt_sexp = probe_ent_getval(sexp); SEXP_string_cstr_r(txt_sexp, txt, sizeof txt); SEXP_vfree(lvl_sexp, txt_sexp); /* TODO: sanity checks */ msg = oval_message_new(); oval_message_set_level(msg, lvl); oval_message_set_text(msg, txt); oval_sysitem_add_message(item, msg); return (NULL); } status = probe_ent_getstatus(sexp); dt = probe_ent_getdatatype(sexp); ent = oval_sysent_new(model); oval_sysent_set_name(ent, key); oval_sysent_set_status(ent, status); oval_sysent_set_datatype(ent, dt); if (mask_map == NULL || oval_string_map_get_value(mask_map, key) == NULL) oval_sysent_set_mask(ent, 0); else oval_sysent_set_mask(ent, 1); if (status != SYSCHAR_STATUS_EXISTS) return ent; if (dt == OVAL_DATATYPE_RECORD) { SEXP_t *srf, *srfs; probe_ent_getvals(sexp, &srfs); SEXP_list_foreach(srf, srfs) { struct oval_record_field *rf; rf = oval_record_field_ITEM_from_sexp(srf); oval_sysent_add_record_field(ent, rf); } SEXP_free(srfs); } else {
int oval_state_to_sexp(void *sess, struct oval_state *state, SEXP_t **out_sexp) { SEXP_t *ste, *ste_name, *ste_ent; SEXP_t *r0, *r1, *r2, *r3, *r4; char buffer[128]; size_t buflen; const char *subtype_name; struct oval_state_content_iterator *contents; subtype_name = oval_subtype_to_str(oval_state_get_subtype(state)); if (subtype_name == NULL) { dI("FAIL: unknown subtype: %d", oval_state_get_subtype(state)); return (-1); } buflen = snprintf(buffer, sizeof buffer, "%s_state", subtype_name); _A(buflen < sizeof buffer); ste_name = SEXP_list_new(r0 = SEXP_string_new(buffer, buflen), r1 = SEXP_string_new(":id", 3), r2 = SEXP_string_newf("%s", oval_state_get_id(state)), r3 = SEXP_string_new(":operator", 9), r4 = SEXP_number_newu(oval_state_get_operator(state)), NULL); ste = SEXP_list_new(ste_name, NULL); SEXP_vfree(r0, r1, r2, r3, r4, ste_name, NULL); contents = oval_state_get_contents(state); while (oval_state_content_iterator_has_more(contents)) { oval_check_t ochk; oval_existence_t oext; oval_entity_varref_type_t vr_type; struct oval_entity *ent; struct oval_state_content *content = oval_state_content_iterator_next(contents); struct oval_record_field_iterator *rf_itr; ent = oval_state_content_get_entity(content); ste_ent = oval_entity_to_sexp(ent); if (ste_ent == NULL) { goto fail; } rf_itr = oval_state_content_get_record_fields(content); while (oval_record_field_iterator_has_more(rf_itr)) { struct oval_record_field *rf; SEXP_t *rf_sexp; rf = oval_record_field_iterator_next(rf_itr); rf_sexp = oval_record_field_STATE_to_sexp(rf); SEXP_list_add(ste_ent, rf_sexp); SEXP_free(rf_sexp); } oval_record_field_iterator_free(rf_itr); ochk = oval_state_content_get_var_check(content); if (ochk != OVAL_CHECK_UNKNOWN) { probe_ent_attr_add(ste_ent, "var_check", r0 = SEXP_number_newu_32(ochk)); SEXP_free(r0); } ochk = oval_state_content_get_ent_check(content); if (ochk != OVAL_CHECK_UNKNOWN) { probe_ent_attr_add(ste_ent, "entity_check", r0 = SEXP_number_newu_32(ochk)); SEXP_free(r0); } oext = oval_state_content_get_check_existence(content); if (oext != OVAL_EXISTENCE_UNKNOWN) { probe_ent_attr_add(ste_ent, "check_existence", r0 = SEXP_number_newu_32(oext)); SEXP_free(r0); } vr_type = oval_entity_get_varref_type(ent); if (vr_type == OVAL_ENTITY_VARREF_ATTRIBUTE || vr_type == OVAL_ENTITY_VARREF_ELEMENT) { SEXP_t *val_lst; struct oval_variable *var; oval_datatype_t dt; var = oval_entity_get_variable(ent); dt = oval_entity_get_datatype(ent); if (oval_varref_elm_to_sexp(sess, var, dt, &val_lst, NULL) != 0) goto fail; SEXP_list_add(ste_ent, val_lst); SEXP_free(val_lst); } SEXP_list_add(ste, ste_ent); SEXP_free(ste_ent); } oval_state_content_iterator_free(contents); *out_sexp = ste; return (0); fail: oval_state_content_iterator_free(contents); SEXP_vfree(ste, ste_ent, NULL); return (-1); }
int oval_object_to_sexp(void *sess, const char *typestr, struct oval_syschar *syschar, SEXP_t **out_sexp) { unsigned int ent_cnt, varref_cnt; int ret; SEXP_t *obj_sexp, *elm, *varrefs, *ent_lst, *lst, *stmp; SEXP_t *r0, *r1, *r2, *obj_attr, sm0, sm1; struct oval_object *object; struct oval_object_content_iterator *cit; struct oval_behavior_iterator *bit; struct oval_object_content *content; struct oval_entity *entity; char obj_name[128]; const char *obj_id; object = oval_syschar_get_object(syschar); /* * Object name & attributes (id) */ ret = snprintf(obj_name, sizeof obj_name, "%s_object", typestr); if (ret<0 || (unsigned int) ret > sizeof obj_name) { dE("obj_name length too short"); return -1; } // even though it returns const char* it has to be freed :-( char *obj_over = (char*)oval_schema_version_to_cstr(oval_object_get_platform_schema_version(object)); obj_id = oval_object_get_id(object); obj_attr = probe_attr_creat("id", SEXP_string_new_r(&sm0, obj_id, strlen(obj_id)), "oval_version", SEXP_string_new_r(&sm1, obj_over, strlen(obj_over)), NULL); free(obj_over); obj_sexp = probe_obj_new(obj_name, obj_attr); SEXP_free_r(&sm0); SEXP_free_r(&sm1); SEXP_free(obj_attr); /* * Object content */ ent_lst = SEXP_list_new(NULL); varrefs = NULL; ent_cnt = varref_cnt = 0; cit = oval_object_get_object_contents(object); while (oval_object_content_iterator_has_more(cit)) { oval_check_t ochk; oval_entity_varref_type_t vr_type; content = oval_object_content_iterator_next(cit); elm = NULL; lst = ent_lst; switch (oval_object_content_get_type(content)) { case OVAL_OBJECTCONTENT_ENTITY: entity = oval_object_content_get_entity(content); elm = oval_entity_to_sexp(entity); if (elm == NULL) break; ochk = oval_object_content_get_varCheck(content); if (ochk != OVAL_CHECK_UNKNOWN) { probe_ent_attr_add(elm, "var_check", r0 = SEXP_number_newu_32(ochk)); SEXP_free(r0); } ret = 0; vr_type = oval_entity_get_varref_type(entity); if (vr_type == OVAL_ENTITY_VARREF_ATTRIBUTE) { const char *var_id = oval_variable_get_id(oval_entity_get_variable(entity)); const char *field_name = oval_object_content_get_field_name(content); dI("Object '%s' references variable '%s' in '%s' field.", obj_id, var_id, field_name); ret = oval_varref_attr_to_sexp(sess, entity, syschar, &stmp); if (ret == 0) { if (varrefs == NULL) varrefs = SEXP_list_new(NULL); SEXP_list_add(varrefs, stmp); SEXP_free(stmp); // todo: don't add duplicates ++varref_cnt; lst = obj_sexp; ++ent_cnt; } } else if (vr_type == OVAL_ENTITY_VARREF_ELEMENT) { SEXP_t *val_lst; struct oval_variable *var; oval_datatype_t dt; var = oval_entity_get_variable(entity); dt = oval_entity_get_datatype(entity); ret = oval_varref_elm_to_sexp(sess, var, dt, &val_lst, syschar); if (ret == 0) { SEXP_list_add(elm, val_lst); SEXP_free(val_lst); } } if (ret != 0) { SEXP_t s_flag; SEXP_number_newi_32_r(&s_flag, SYSCHAR_FLAG_DOES_NOT_EXIST); probe_item_attr_add(obj_sexp, "skip_eval", &s_flag); SEXP_free_r(&s_flag); SEXP_free(elm); SEXP_free(ent_lst); if (varrefs != NULL) SEXP_free(varrefs); oval_object_content_iterator_free(cit); *out_sexp = obj_sexp; return (0); } break; case OVAL_OBJECTCONTENT_SET: elm = oval_set_to_sexp(oval_object_content_get_setobject(content)); break; case OVAL_OBJECTCONTENT_FILTER: { struct oval_filter *filter = oval_object_content_get_filter(content); struct oval_state *ste = oval_filter_get_state(filter); const char *ste_id = oval_state_get_id(ste); oval_filter_action_t action = oval_filter_get_filter_action(filter); const char *action_text = oval_filter_action_get_text(action); dI("Object '%s' has a filter that %ss items conforming to state '%s'.", obj_id, action_text, ste_id); elm = oval_filter_to_sexp(filter); } break; case OVAL_OBJECTCONTENT_UNKNOWN: break; } if (elm == NULL) { SEXP_free(obj_sexp); SEXP_free(ent_lst); if (varrefs != NULL) SEXP_free(varrefs); oval_object_content_iterator_free(cit); return -1; } SEXP_list_add(lst, elm); SEXP_free(elm); } if (varrefs != NULL) { // todo: SEXP_list_push() stmp = SEXP_list_new(r0 = SEXP_string_new("varrefs", 7), r1 = SEXP_number_newu(varref_cnt), r2 = SEXP_number_newu(ent_cnt), NULL); SEXP_vfree(r0, r1, r2, NULL); r0 = SEXP_list_join(stmp, varrefs); SEXP_list_add(obj_sexp, r0); SEXP_vfree(stmp, varrefs, r0, NULL); } stmp = SEXP_list_join(obj_sexp, ent_lst); SEXP_free(obj_sexp); SEXP_free(ent_lst); obj_sexp = stmp; oval_object_content_iterator_free(cit); /* * Object behaviors */ bit = oval_object_get_behaviors(object); if (oval_behavior_iterator_has_more(bit)) { elm = oval_behaviors_to_sexp(bit); SEXP_list_add(obj_sexp, elm); SEXP_free(elm); } oval_behavior_iterator_free(bit); *out_sexp = obj_sexp; return (0); }
static int oval_probe_variable_eval(oval_probe_session_t *sess, struct oval_syschar *syschar) { struct oval_value_iterator *vit; struct oval_variable *var; struct oval_object *obj; oval_syschar_collection_flag_t flag = SYSCHAR_FLAG_ERROR; int ret = 0; obj = oval_syschar_get_object(syschar); var = oval_probe_variable_objgetvar(obj); if (var == NULL) { oval_syschar_set_flag(syschar, SYSCHAR_FLAG_ERROR); return(-1); } if (oval_probe_query_variable(sess, var) != 0) { oval_syschar_set_flag(syschar, SYSCHAR_FLAG_ERROR); return(-1); } flag = oval_variable_get_collection_flag(var); switch (flag) { case SYSCHAR_FLAG_COMPLETE: case SYSCHAR_FLAG_INCOMPLETE: break; default: { char msg[100]; snprintf(msg, sizeof(msg), "There was a problem processing referenced variable (%s).", oval_variable_get_id(var)); dW("%s\n", msg); oval_syschar_add_new_message(syschar, msg, OVAL_MESSAGE_LEVEL_WARNING); oval_syschar_set_flag(syschar, SYSCHAR_FLAG_ERROR); return(1); } } vit = oval_variable_get_values(var); if (vit == NULL) { flag = SYSCHAR_FLAG_ERROR; oval_syschar_set_flag(syschar, SYSCHAR_FLAG_ERROR); return(1); } else { SEXP_t *r0, *item, *cobj, *vrent, *val_sexp, *valent; char *var_ref; cobj = probe_cobj_new(SYSCHAR_FLAG_UNKNOWN, NULL, NULL); /* Create shared entity */ var_ref = oval_variable_get_id(var); vrent = probe_ent_creat1("var_ref", NULL, r0 = SEXP_string_new(var_ref, strlen(var_ref))); SEXP_free(r0); while (oval_value_iterator_has_more(vit)) { oval_datatype_t dtype; struct oval_value *val; val = oval_value_iterator_next(vit); oval_value_cast(val, OVAL_DATATYPE_STRING); dtype = oval_value_get_datatype(val); val_sexp = oval_value_to_sexp(val, dtype); assume_d(val_sexp != NULL, -1); valent = probe_ent_creat1("value", NULL, val_sexp); item = probe_item_creat("variable_item", NULL, NULL); /* temporary workaround to generate ids */ _gen_item_id(item); /* Add shared var_ref entity */ SEXP_list_add(item, vrent); /* Add value entity */ SEXP_list_add(item, valent); /* Add item to the item list */ probe_cobj_add_item(cobj, item); SEXP_vfree(item, valent, val_sexp, NULL); } oval_value_iterator_free(vit); probe_cobj_compute_flag(cobj); ret = oval_sexp2sysch(cobj, syschar); SEXP_vfree(cobj, vrent, NULL); } return(ret); }
int probe_main(probe_ctx *ctx, void *arg) { SEXP_t *object; int err; llist ll; object = probe_ctx_getobject(ctx); req.protocol_ent = probe_obj_getent(object, "protocol", 1); if (req.protocol_ent == NULL) { err = PROBE_ENOVAL; goto cleanup; } req.local_address_ent = probe_obj_getent(object, "local_address", 1); if (req.local_address_ent == NULL) { err = PROBE_ENOVAL; goto cleanup; } req.local_port_ent = probe_obj_getent(object, "local_port", 1); if (req.local_port_ent == NULL) { err = PROBE_ENOVAL; goto cleanup; } // Now start collecting the info list_create(&ll); if (collect_process_info(&ll)) { SEXP_t *msg; msg = probe_msg_creat(OVAL_MESSAGE_LEVEL_ERROR, "Permission error."); probe_cobj_add_msg(probe_ctx_getresult(ctx), msg); SEXP_free(msg); probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_ERROR); err = 0; goto cleanup; } // Now we check the tcp socket list... read_tcp("/proc/net/tcp", "tcp", &ll, ctx); read_tcp("/proc/net/tcp6", "tcp", &ll, ctx); // Next udp sockets... read_udp("/proc/net/udp", "udp", &ll, ctx); read_udp("/proc/net/udp6", "udp", &ll, ctx); // Next, raw sockets...not exactly part of standard yet. They // can be used to send datagrams, so we will pretend they are udp read_raw("/proc/net/raw", "udp", &ll, ctx); read_raw("/proc/net/raw6", "udp", &ll, ctx); list_clear(&ll); err = 0; cleanup: SEXP_vfree(req.protocol_ent, req.local_address_ent, req.local_port_ent, NULL); return err; }
int probe_main(probe_ctx *ctx, void *arg) { SEXP_t *path_ent, *filename_ent, *line_ent, *behaviors_ent, *filepath_ent, *probe_in; char *pattern; OVAL_FTS *ofts; OVAL_FTSENT *ofts_ent; (void)arg; probe_in = probe_ctx_getobject(ctx); over = probe_obj_get_platform_schema_version(probe_in); path_ent = probe_obj_getent(probe_in, "path", 1); filename_ent = probe_obj_getent(probe_in, "filename", 1); line_ent = probe_obj_getent(probe_in, "line", 1); filepath_ent = probe_obj_getent(probe_in, "filepath", 1); behaviors_ent = probe_obj_getent(probe_in, "behaviors", 1); if ( ((path_ent == NULL || filename_ent == NULL) && filepath_ent==NULL) || line_ent==NULL ) { SEXP_free (path_ent); SEXP_free (filename_ent); SEXP_free (line_ent); SEXP_free (filepath_ent); SEXP_free (behaviors_ent); return PROBE_ENOELM; } /* get pattern from SEXP */ SEXP_t *ent_val; ent_val = probe_ent_getval(line_ent); pattern = SEXP_string_cstr(ent_val); assume_d(pattern != NULL, -1); SEXP_vfree(line_ent, ent_val, NULL); /* behaviours are not important if filepath is used */ if(filepath_ent != NULL && behaviors_ent != NULL) { SEXP_free (behaviors_ent); behaviors_ent = NULL; } probe_filebehaviors_canonicalize(&behaviors_ent); struct pfdata pfd; pfd.pattern = pattern; pfd.filename_ent = filename_ent; pfd.ctx = ctx; if ((ofts = oval_fts_open(path_ent, filename_ent, filepath_ent, behaviors_ent, probe_ctx_getresult(ctx))) != NULL) { while ((ofts_ent = oval_fts_read(ofts)) != NULL) { if (ofts_ent->fts_info == FTS_F || ofts_ent->fts_info == FTS_SL) { // todo: handle return code process_file(ofts_ent->path, ofts_ent->file, &pfd); } oval_ftsent_free(ofts_ent); } oval_fts_close(ofts); } SEXP_free(path_ent); SEXP_free(filename_ent); SEXP_free(behaviors_ent); SEXP_free(filepath_ent); oscap_free(pattern); return 0; }