// Drops the tracked context associated with the parent atom of the event.
// Judging by its name this is the handler for process termination
// notifications; the registration is not visible here.
//
// notifType: unused.
// event:     sequence from which the parent atom is read.
static
RVOID
    processTerminateProcesses
    (
        rpcm_tag notifType,
        rSequence event
    )
{
    RPU8 atomId = NULL;
    RU32 index = 0;
    ProcExtInfo* stale = NULL;
    UNREFERENCED_PARAMETER( notifType );

    // Nothing may touch g_procContexts without the lock.
    if( !rMutex_lock( g_mutex ) )
    {
        return;
    }

    if( HbsGetParentAtom( event, &atomId ) )
    {
        index = rpal_binsearch_array( g_procContexts->elements,
                                      g_procContexts->nElements,
                                      sizeof( ProcExtInfo* ),
                                      &atomId,
                                      (rpal_ordering_func)_cmpContext );

        // (RU32)-1 is the "not found" value tested for here.
        if( (RU32)-1 != index )
        {
            stale = (ProcExtInfo*)g_procContexts->elements[ index ];

            // Release the owned path first, then the context itself, and only
            // then take the slot out of the vector. All of it happens under
            // g_mutex, the same lock processFileIo holds while it uses a
            // context, so a context is not freed while that path reads it.
            rpal_memory_free( stale->processPath );
            rpal_memory_free( stale );
            rpal_vector_remove( g_procContexts, index );
        }
    }

    rMutex_unlock( g_mutex );
}
// Receives new process notifications and check if they're on our // deny list, if so, kill. RPRIVATE RVOID denyNewProcesses ( rpcm_tag notifType, rSequence event ) { RPU8 atomId = NULL; RU32 pid = 0; UNREFERENCED_PARAMETER( notifType ); // We use the lastActivity check here as a cheap way of seeing if there is // anything at all in the denied tree. if( 0 != g_lastDenyActivity && HbsGetParentAtom( event, &atomId ) && isAtomDenied( atomId ) ) { // This atom is part of a tree that needs to be denied, so we do two things: // 1- Add its atom to the list of denied atoms. if( HbsGetThisAtom( event, &atomId ) ) { addAtomToDeny( atomId ); } // 2- As this is a process, we deny by killing it. if( rSequence_getRU32( event, RP_TAGS_PROCESS_ID, &pid ) ) { if( processLib_killProcess( pid ) ) { rpal_debug_info( "denied process id " RF_U32, pid ); } else { rpal_debug_warning( "failed to deny process id " RF_U32, pid ); } } } else if( 0 != g_lastDenyActivity && g_lastDenyActivity + DENY_TREE_CLEANUP_TIMEOUT < rpal_time_getGlobal() ) { // There has not been any positive activity on any denied trees, for the sake // of performance we'll reset the denied trees. if( rMutex_lock( g_deniedMutex ) ) { g_lastDenyActivity = 0; rpal_blob_free( g_denied ); g_denied = rpal_blob_create( 0, HBS_ATOM_ID_SIZE * 10 ); rMutex_unlock( g_deniedMutex ); } } }
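// Matches the path of a file I/O event against the patterns loaded in
// g_extensions. The first time the owning process context is seen hitting a
// given pattern, the matching bit is set in its extBitMask and a
// RP_TAGS_NOTIFICATION_FILE_TYPE_ACCESSED event is published.
//
// notifType: unused.
// event:     sequence carrying RP_TAGS_FILE_PATH, the parent atom and
//            RP_TAGS_PROCESS_ID; if any of the three is missing the event is
//            ignored.
static
RVOID
    processFileIo
    (
        rpcm_tag notifType,
        rSequence event
    )
{
    ProcExtInfo* ctx = NULL;
    RPNCHAR path = NULL;
    RPVOID patternCtx = 0;
    RU8 patternId = 0;
    RPU8 atomId = NULL;
    RU32 pid = 0;
    rSequence newEvent = NULL;
    UNREFERENCED_PARAMETER( notifType );

    if( rSequence_getSTRINGN( event, RP_TAGS_FILE_PATH, &path ) &&
        HbsGetParentAtom( event, &atomId ) &&
        rSequence_getRU32( event, RP_TAGS_PROCESS_ID, &pid ) )
    {
        // g_mutex covers both the shared search state in g_extensions and the
        // process contexts, which the termination handler frees under the
        // same lock.
        if( rMutex_lock( g_mutex ) )
        {
            obsLib_resetSearchState( g_extensions );

            if( obsLib_setTargetBuffer( g_extensions, path, rpal_string_strsize( path ) ) )
            {
                while( obsLib_nextHit( g_extensions, &patternCtx, NULL ) )
                {
                    // The context is looked up once, on the first hit, and
                    // reused for every further hit on this path.
                    if( NULL == ctx && NULL == ( ctx = getProcContext( atomId ) ) )
                    {
                        rpal_debug_error( "error getting process context" );
                        break;
                    }

                    // The pattern context is used as a bit position in a
                    // 64-bit mask. Shifting by 64 or more is undefined
                    // behaviour, so reject such a value before it is truncated
                    // to RU8 and used as a shift count.
                    if( PTR_TO_NUMBER( patternCtx ) >= sizeof( RU64 ) * 8 )
                    {
                        rpal_debug_error( "file type pattern id out of range" );
                        continue;
                    }

                    patternId = (RU8)PTR_TO_NUMBER( patternCtx );

                    if( !IS_FLAG_ENABLED( ctx->extBitMask, (RU64)1 << patternId ) )
                    {
                        // RF_U64 presumably formats a 64-bit value, while
                        // patternId + 1 is promoted to int; widen it so the
                        // variadic argument matches the format.
                        rpal_debug_info( "process " RF_U32 " observed file io " RF_U64, pid, (RU64)patternId + 1 );
                        ENABLE_FLAG( ctx->extBitMask, (RU64)1 << patternId );

                        if( NULL != ( newEvent = rSequence_new() ) )
                        {
                            // The rule name is the 1-based pattern id, and the
                            // path reported is the process path kept in the
                            // context, not the path of the file touched.
                            HbsSetParentAtom( newEvent, atomId );
                            rSequence_addRU32( newEvent, RP_TAGS_PROCESS_ID, pid );
                            rSequence_addRU8( newEvent, RP_TAGS_RULE_NAME, patternId + 1 );
                            rSequence_addSTRINGN( newEvent, RP_TAGS_FILE_PATH, ctx->processPath );
                            hbs_publish( RP_TAGS_NOTIFICATION_FILE_TYPE_ACCESSED, newEvent );
                            rSequence_free( newEvent );
                        }
                    }
                }
            }

            rMutex_unlock( g_mutex );
        }
    }
}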