Merge branch 'develop' into linux_fix_mnt_namespace_issue_1187

Author: gcmoreira

.github/workflows/test.yaml

@@ -46,7 +46,7 @@ jobs:
 
     - name: Clean up post-test
       run: |
-        rm -rf *.lime
+        rm -rf *.bin
         rm -rf *.img
         cd volatility3/symbols
         rm -rf linux

volatility3/framework/constants/_version.py

@@ -1,7 +1,7 @@
 # We use the SemVer 2.0.0 versioning scheme
 VERSION_MAJOR = 2  # Number of releases of the library with a breaking change
 VERSION_MINOR = 8  # Number of changes that only add to the interface
-VERSION_PATCH = 0  # Number of changes that do not change the interface
+VERSION_PATCH = 1  # Number of changes that do not change the interface
 VERSION_SUFFIX = ""
 
 PACKAGE_VERSION = (

volatility3/framework/plugins/linux/ebpf.py

@@ -0,0 +1,73 @@
+# This file is Copyright 2024 Volatility Foundation and licensed under the Volatility Software License 1.0
+# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
+#
+import logging
+from typing import List
+
+from volatility3.framework import renderers, interfaces, exceptions
+from volatility3.framework.renderers import format_hints
+from volatility3.framework.interfaces import plugins
+from volatility3.framework.configuration import requirements
+
+vollog = logging.getLogger(__name__)
+
+
+class EBPF(plugins.PluginInterface):
+    """Enumerate eBPF programs"""
+
+    _required_framework_version = (2, 0, 0)
+
+    _version = (1, 0, 0)
+
+    @classmethod
+    def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
+        return [
+            requirements.ModuleRequirement(
+                name="kernel",
+                description="Linux kernel",
+                architectures=["Intel32", "Intel64"],
+            ),
+        ]
+
+    def get_ebpf_programs(
+        self,
+        context: interfaces.context.ContextInterface,
+        vmlinux_module_name: str,
+    ) -> interfaces.objects.ObjectInterface:
+        """Enumerate eBPF programs walking its IDR.
+
+        Args:
+            context: The context to retrieve required elements (layers, symbol tables) from
+            vmlinux_module_name: The name of the kernel module on which to operate
+        Yields:
+            eBPF program objects
+        """
+        vmlinux = context.modules[vmlinux_module_name]
+
+        if not vmlinux.has_symbol("prog_idr"):
+            raise exceptions.VolatilityException(
+                "Cannot find the eBPF prog idr. Unsupported kernel"
+            )
+
+        prog_idr = vmlinux.object_from_symbol("prog_idr")
+        for page_addr in prog_idr.get_entries():
+            bpf_prog = vmlinux.object("bpf_prog", offset=page_addr, absolute=True)
+            yield bpf_prog
+
+    def _generator(self):
+        for prog in self.get_ebpf_programs(self.context, self.config["kernel"]):
+            prog_addr = prog.vol.offset
+            prog_type = prog.get_type() or renderers.NotAvailableValue()
+            prog_tag = prog.get_tag() or renderers.NotAvailableValue()
+            prog_name = prog.get_name() or renderers.NotAvailableValue()
+            fields = (format_hints.Hex(prog_addr), prog_name, prog_tag, prog_type)
+            yield (0, fields)
+
+    def run(self):
+        headers = [
+            ("Address", format_hints.Hex),
+            ("Name", str),
+            ("Tag", str),
+            ("Type", str),
+        ]
+        return renderers.TreeGrid(headers, self._generator())

volatility3/framework/plugins/linux/lsof.py

@@ -1,27 +1,27 @@
-# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0
+# This file is Copyright 2024 Volatility Foundation and licensed under the Volatility Software License 1.0
 # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
 #
 """A module containing a collection of plugins that produce data typically
 found in Linux's /proc file system."""
-import logging
+import logging, datetime
 from typing import List, Callable
 
-from volatility3.framework import renderers, interfaces, constants
+from volatility3.framework import renderers, interfaces, constants, exceptions
 from volatility3.framework.configuration import requirements
 from volatility3.framework.interfaces import plugins
 from volatility3.framework.objects import utility
 from volatility3.framework.symbols import linux
 from volatility3.plugins.linux import pslist
+from volatility3.plugins import timeliner
 
 vollog = logging.getLogger(__name__)
 
 
-class Lsof(plugins.PluginInterface):
-    """Lists all memory maps for all processes."""
+class Lsof(plugins.PluginInterface, timeliner.TimeLinerInterface):
+    """Lists open files for each processes."""
 
     _required_framework_version = (2, 0, 0)
-
-    _version = (1, 1, 0)
+    _version = (1, 2, 0)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -45,14 +45,37 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
             ),
         ]
 
+    @classmethod
+    def get_inode_metadata(cls, filp: interfaces.objects.ObjectInterface):
+        try:
+            dentry = filp.get_dentry()
+            if dentry:
+                inode_object = dentry.d_inode
+                if inode_object and inode_object.is_valid():
+                    itype = (
+                        inode_object.get_inode_type() or renderers.NotAvailableValue()
+                    )
+                    return (
+                        inode_object.i_ino,
+                        itype,
+                        inode_object.i_size,
+                        inode_object.get_file_mode(),
+                        inode_object.get_change_time(),
+                        inode_object.get_modification_time(),
+                        inode_object.get_access_time(),
+                    )
+        except (exceptions.InvalidAddressException, AttributeError) as e:
+            vollog.warning(f"Can't get inode metadata: {e}")
+        return None
+
     @classmethod
     def list_fds(
         cls,
         context: interfaces.context.ContextInterface,
         symbol_table: str,
         filter_func: Callable[[int], bool] = lambda _: False,
     ):
-        linuxutils_symbol_table = None  # type: ignore
+        linuxutils_symbol_table = None
         for task in pslist.PsList.list_tasks(context, symbol_table, filter_func):
             if linuxutils_symbol_table is None:
                 if constants.BANG not in task.vol.type_name:
@@ -69,21 +92,79 @@ def list_fds(
             for fd_fields in fd_generator:
                 yield pid, task_comm, task, fd_fields
 
+    @classmethod
+    def list_fds_and_inodes(
+        cls,
+        context: interfaces.context.ContextInterface,
+        symbol_table: str,
+        filter_func: Callable[[int], bool] = lambda _: False,
+    ):
+        for pid, task_comm, task, (fd_num, filp, full_path) in cls.list_fds(
+            context, symbol_table, filter_func
+        ):
+            inode_metadata = cls.get_inode_metadata(filp)
+            if inode_metadata is None:
+                inode_metadata = tuple(
+                    interfaces.renderers.BaseAbsentValue() for _ in range(7)
+                )
+            yield pid, task_comm, task, fd_num, filp, full_path, inode_metadata
+
     def _generator(self, pids, symbol_table):
         filter_func = pslist.PsList.create_pid_filter(pids)
-        fds_generator = self.list_fds(
+        fds_generator = self.list_fds_and_inodes(
             self.context, symbol_table, filter_func=filter_func
         )
 
-        for pid, task_comm, _task, fd_fields in fds_generator:
-            fd_num, _filp, full_path = fd_fields
-
-            fields = (pid, task_comm, fd_num, full_path)
+        for (
+            pid,
+            task_comm,
+            task,
+            fd_num,
+            filp,
+            full_path,
+            inode_metadata,
+        ) in fds_generator:
+            inode_num, itype, file_size, imode, ctime, mtime, atime = inode_metadata
+            fields = (
+                pid,
+                task_comm,
+                fd_num,
+                full_path,
+                inode_num,
+                itype,
+                imode,
+                ctime,
+                mtime,
+                atime,
+                file_size,
+            )
             yield (0, fields)
 
     def run(self):
         pids = self.config.get("pid", None)
         symbol_table = self.config["kernel"]
 
-        tree_grid_args = [("PID", int), ("Process", str), ("FD", int), ("Path", str)]
+        tree_grid_args = [
+            ("PID", int),
+            ("Process", str),
+            ("FD", int),
+            ("Path", str),
+            ("Inode", int),
+            ("Type", str),
+            ("Mode", str),
+            ("Changed", datetime.datetime),
+            ("Modified", datetime.datetime),
+            ("Accessed", datetime.datetime),
+            ("Size", int),
+        ]
         return renderers.TreeGrid(tree_grid_args, self._generator(pids, symbol_table))
+
+    def generate_timeline(self):
+        pids = self.config.get("pid", None)
+        symbol_table = self.config["kernel"]
+        for row in self._generator(pids, symbol_table):
+            _depth, row_data = row
+            description = f'Process {row_data[1]} ({row_data[0]}) Open "{row_data[3]}"'
+            yield description, timeliner.TimeLinerType.CHANGED, row_data[7]
+            yield description, timeliner.TimeLinerType.MODIFIED, row_data[8]
+            yield description, timeliner.TimeLinerType.ACCESSED, row_data[9]

volatility3/framework/plugins/linux/mountinfo.py

@@ -37,7 +37,7 @@ class MountInfo(plugins.PluginInterface):
 
     _required_framework_version = (2, 2, 0)
 
-    _version = (1, 0, 0)
+    _version = (1, 2, 0)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -143,10 +143,10 @@ def get_mountinfo(
             sb_opts,
         )
 
+    @staticmethod
     def _get_tasks_mountpoints(
-        self,
         tasks: Iterable[interfaces.objects.ObjectInterface],
-        filtered_by_pids: bool,
+        filtered_by_pids: bool = False,
     ):
         seen_mountpoints = set()
         for task in tasks:
@@ -184,8 +184,8 @@ def _generator(
         self,
         tasks: Iterable[interfaces.objects.ObjectInterface],
         mnt_ns_ids: List[int],
-        mount_format: bool,
-        filtered_by_pids: bool,
+        mount_format: bool = False,
+        filtered_by_pids: bool = False,
     ) -> Iterable[Tuple[int, Tuple]]:
         show_filter_warning = False
         for task, mnt, mnt_ns_id in self._get_tasks_mountpoints(
@@ -247,6 +247,37 @@ def _generator(
                 "Could not filter by mount namespace id. This field is not available in this kernel."
             )
 
+    @classmethod
+    def get_superblocks(
+        cls,
+        context: interfaces.context.ContextInterface,
+        vmlinux_module_name: str,
+    ) -> Iterable[interfaces.objects.ObjectInterface]:
+        """Yield file system superblocks based on the task's mounted filesystems.
+
+        Args:
+            context: The context to retrieve required elements (layers, symbol tables) from
+            vmlinux_module_name: The name of the kernel module on which to operate
+
+        Yields:
+            super_block: Kernel's struct super_block object
+        """
+        # No filter so that we get all the mount namespaces from all tasks
+        tasks = pslist.PsList.list_tasks(context, vmlinux_module_name)
+
+        seen_sb_ptr = set()
+        for task, mnt, _mnt_ns_id in cls._get_tasks_mountpoints(tasks):
+            path_root = linux.LinuxUtilities.get_path_mnt(task, mnt)
+            if not path_root:
+                continue
+
+            sb_ptr = mnt.get_mnt_sb()
+            if not sb_ptr or sb_ptr in seen_sb_ptr:
+                continue
+            seen_sb_ptr.add(sb_ptr)
+
+            yield sb_ptr.dereference(), path_root
+
     def run(self):
         pids = self.config.get("pids")
         mount_ns_ids = self.config.get("mntns")