std::vector<std::string>
ZDvidVersionDag::getParentList(const std::string &uuid) const
{
std::vector<std::string> uuidList;
if (getParentMap().count(uuid) > 0) {
std::list<std::string> parentList = getParentMap().at(uuid);
uuidList.insert(uuidList.begin(), parentList.begin(), parentList.end());
}
return uuidList;
}
bool ZDvidVersionDag::isParent(
const std::string &uuid, const std::string &parentUuid) const
{
if (!uuid.empty() && !parentUuid.empty()) {
if (getParentMap().count(uuid) > 0) {
const std::list<std::string> &parentList = getParentMap().at(uuid);
if (!parentList.empty()) {
return std::find(parentList.begin(), parentList.end(), parentUuid) !=
parentList.end();
}
}
}
return false;
}
/**
* Frees the memory associated with the parent map
*/
void fatfs_dir_buf_free(FATFS_INFO *fatfs) {
tsk_take_lock(&fatfs->dir_lock);
if (fatfs->inum2par != NULL) {
std::map<TSK_INUM_T, TSK_INUM_T> *tmpMap = getParentMap(fatfs);
delete tmpMap;
fatfs->inum2par = NULL;
}
tsk_release_lock(&fatfs->dir_lock);
}
/**
* Frees the memory associated with the parent map
*/
void xtaffs_dir_buf_free(XTAFFS_INFO *xtaffs) {
tsk_take_lock(&xtaffs->dir_lock);
if (xtaffs->inum2par != NULL) {
std::map<TSK_INUM_T, TSK_INUM_T> *tmpMap = getParentMap(xtaffs);
delete tmpMap;
xtaffs->inum2par = NULL;
}
tsk_release_lock(&xtaffs->dir_lock);
}
/**
* Adds an entry to the parent directory map. Used to make further processing
* faster.
* @param fatfs File system
* @param par_inum Parent folder meta data address.
* @param dir_inum Sub-folder meta data address.
* @returns 0
*/
uint8_t
fatfs_dir_buf_add(FATFS_INFO * fatfs, TSK_INUM_T par_inum,
TSK_INUM_T dir_inum)
{
tsk_take_lock(&fatfs->dir_lock);
std::map<TSK_INUM_T, TSK_INUM_T> *tmpMap = getParentMap(fatfs);
(*tmpMap)[dir_inum] = par_inum;
tsk_release_lock(&fatfs->dir_lock);
return 0;
}
/**
* Looks up the parent meta address for a child from the cached list.
* @param fatfs File system
* @param dir_inum Inode of sub-directory to look up
* @param par_inum [out] Result of lookup
* @returns 0 if found and 1 if not.
*/
static uint8_t
fatfs_dir_buf_get(FATFS_INFO * fatfs, TSK_INUM_T dir_inum,
TSK_INUM_T *par_inum)
{
uint8_t retval = 1;
tsk_take_lock(&fatfs->dir_lock);
std::map<TSK_INUM_T, TSK_INUM_T> *tmpMap = getParentMap(fatfs);
if (tmpMap->count( dir_inum) > 0) {
*par_inum = (*tmpMap)[dir_inum];
retval = 0;
}
tsk_release_lock(&fatfs->dir_lock);
return retval;
}
void ZDvidVersionDag::print() const
{
const std::map<std::string, std::list<std::string> > &parentMap =
getParentMap();
for (std::map<std::string, std::list<std::string> >::const_iterator
iter = parentMap.begin(); iter != parentMap.end(); ++iter) {
const std::string &uuid = iter->first;
const std::list<std::string> &parentList = iter->second;
std::cout << uuid << ":";
for (std::list<std::string>::const_iterator iter = parentList.begin();
iter != parentList.end(); ++iter) {
std::cout << *iter << " ";
}
std::cout << std::endl;
}
}
QueryData genProcesses(QueryContext &context) {
QueryData results;
auto pidlist = getProcList(context);
auto parent_pid = getParentMap(pidlist);
int argmax = genMaxArgs();
for (auto &pid : pidlist) {
if (!context.constraints["pid"].matches<int>(pid)) {
// Optimize by not searching when a pid is a constraint.
continue;
}
Row r;
r["pid"] = INTEGER(pid);
r["path"] = getProcPath(pid);
// OS X proc_name only returns 16 bytes, use the basename of the path.
r["name"] = boost::filesystem::path(r["path"]).filename().string();
// The command line invocation including arguments.
std::string cmdline = boost::algorithm::join(getProcArgs(pid, argmax), " ");
boost::algorithm::trim(cmdline);
r["cmdline"] = cmdline;
genProcRootAndCWD(pid, r);
proc_cred cred;
if (getProcCred(pid, cred)) {
r["uid"] = BIGINT(cred.real.uid);
r["gid"] = BIGINT(cred.real.gid);
r["euid"] = BIGINT(cred.effective.uid);
r["egid"] = BIGINT(cred.effective.gid);
} else {
r["uid"] = "-1";
r["gid"] = "-1";
r["euid"] = "-1";
r["egid"] = "-1";
}
// Find the parent process.
const auto parent_it = parent_pid.find(pid);
if (parent_it != parent_pid.end()) {
r["parent"] = INTEGER(parent_it->second);
} else {
r["parent"] = "-1";
}
// If the path of the executable that started the process is available and
// the path exists on disk, set on_disk to 1. If the path is not
// available, set on_disk to -1. If, and only if, the path of the
// executable is available and the file does NOT exist on disk, set on_disk
// to 0.
r["on_disk"] = osquery::pathExists(r["path"]).toString();
// systems usage and time information
struct rusage_info_v2 rusage_info_data;
int rusage_status = proc_pid_rusage(
pid, RUSAGE_INFO_V2, (rusage_info_t *)&rusage_info_data);
// proc_pid_rusage returns -1 if it was unable to gather information
if (rusage_status == 0) {
// size/memory information
r["wired_size"] = TEXT(rusage_info_data.ri_wired_size);
r["resident_size"] = TEXT(rusage_info_data.ri_resident_size);
r["phys_footprint"] = TEXT(rusage_info_data.ri_phys_footprint);
// time information
r["user_time"] = TEXT(rusage_info_data.ri_user_time / 1000000);
r["system_time"] = TEXT(rusage_info_data.ri_system_time / 1000000);
r["start_time"] = TEXT(rusage_info_data.ri_proc_start_abstime);
} else {
r["wired_size"] = "-1";
r["resident_size"] = "-1";
r["phys_footprint"] = "-1";
r["user_time"] = "-1";
r["system_time"] = "-1";
r["start_time"] = "-1";
}
results.push_back(r);
}
return results;
}
