Merge pull request #942 from gcmoreira/mountinfo_fixes

Mountinfo fixes

Author: ikelos

volatility3/framework/plugins/linux/iomem.py

@@ -66,7 +66,7 @@ def parse_resource(
             name = utility.pointer_to_string(resource.name, 128)
         except exceptions.InvalidAddressException:
             vollog.warning(
-                "Unable to follow pointer to name for resource object at {resource_offset:#x}, "
+                f"Unable to follow pointer to name for resource object at {resource_offset:#x}, "
                 "replaced with UnreadableValue"
             )
             name = renderers.UnreadableValue()

volatility3/framework/plugins/linux/mountinfo.py

@@ -9,8 +9,10 @@
 from volatility3.framework import renderers, interfaces
 from volatility3.framework.configuration import requirements
 from volatility3.framework.interfaces import plugins
+from volatility3.framework.symbols import linux
 from volatility3.plugins.linux import pslist
 
+
 vollog = logging.getLogger(__name__)
 
 MountInfoData = namedtuple(
@@ -48,6 +50,9 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
             requirements.PluginRequirement(
                 name="pslist", plugin=pslist.PsList, version=(2, 0, 0)
             ),
+            requirements.VersionRequirement(
+                name="linuxutils", component=linux.LinuxUtilities, version=(2, 1, 0)
+            ),
             requirements.ListRequirement(
                 name="pids",
                 description="Filter on specific process IDs.",
@@ -71,37 +76,6 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
             ),
         ]
 
-    @classmethod
-    def _do_get_path(cls, mnt, fs_root) -> Union[None, str]:
-        """It mimics the Linux kernel prepend_path function."""
-        vfsmnt = mnt.mnt
-        dentry = vfsmnt.get_mnt_root()
-
-        path_reversed = []
-        while dentry != fs_root.dentry or vfsmnt.vol.offset != fs_root.mnt:
-            if dentry == vfsmnt.get_mnt_root() or dentry.is_root():
-                parent = mnt.get_mnt_parent().dereference()
-                # Escaped?
-                if dentry != vfsmnt.get_mnt_root():
-                    return None
-
-                # Global root?
-                if mnt.vol.offset != parent.vol.offset:
-                    dentry = mnt.get_mnt_mountpoint()
-                    mnt = parent
-                    vfsmnt = mnt.mnt
-                    continue
-
-                return None
-
-            parent = dentry.d_parent
-            dname = dentry.d_name.name_as_str()
-            path_reversed.append(dname.strip("/"))
-            dentry = parent
-
-        path = "/" + "/".join(reversed(path_reversed))
-        return path
-
     @classmethod
     def get_mountinfo(
         cls, mnt, task
@@ -115,8 +89,8 @@ def get_mountinfo(
         if not mnt_root:
             return None
 
-        path_root = cls._do_get_path(mnt, task.fs.root)
-        if path_root is None:
+        path_root = linux.LinuxUtilities.get_path_mnt(task, mnt)
+        if not path_root:
             return None
 
         mnt_root_path = mnt_root.path()
@@ -170,9 +144,11 @@ def get_mountinfo(
         )
 
     def _get_tasks_mountpoints(
-        self, tasks: Iterable[interfaces.objects.ObjectInterface], per_namespace: bool
+        self,
+        tasks: Iterable[interfaces.objects.ObjectInterface],
+        filtered_by_pids: bool,
     ):
-        seen_namespaces = set()
+        seen_mountpoints = set()
         for task in tasks:
             if not (
                 task
@@ -181,30 +157,48 @@ def _get_tasks_mountpoints(
                 and task.nsproxy
                 and task.nsproxy.mnt_ns
             ):
-                # This task doesn't have all the information required
+                # This task doesn't have all the information required.
+                # It should be a kernel < 2.6.30
                 continue
 
             mnt_namespace = task.nsproxy.mnt_ns
-            mnt_ns_id = mnt_namespace.get_inode()
-
-            if per_namespace:
-                if mnt_ns_id in seen_namespaces:
-                    continue
-                else:
-                    seen_namespaces.add(mnt_ns_id)
+            try:
+                mnt_ns_id = mnt_namespace.get_inode()
+            except AttributeError:
+                mnt_ns_id = renderers.NotAvailableValue()
 
             for mount in mnt_namespace.get_mount_points():
+                # When PIDs are filtered, it makes sense that the user want to
+                # see each of those processes mount points. So we don't filter
+                # by mount id in this case.
+                if not filtered_by_pids:
+                    mnt_id = int(mount.mnt_id)
+                    if mnt_id in seen_mountpoints:
+                        continue
+                    else:
+                        seen_mountpoints.add(mnt_id)
+
                 yield task, mount, mnt_ns_id
 
     def _generator(
         self,
         tasks: Iterable[interfaces.objects.ObjectInterface],
         mnt_ns_ids: List[int],
         mount_format: bool,
-        per_namespace: bool,
+        filtered_by_pids: bool,
     ) -> Iterable[Tuple[int, Tuple]]:
-        for task, mnt, mnt_ns_id in self._get_tasks_mountpoints(tasks, per_namespace):
-            if mnt_ns_ids and mnt_ns_id not in mnt_ns_ids:
+        show_filter_warning = False
+        for task, mnt, mnt_ns_id in self._get_tasks_mountpoints(
+            tasks, filtered_by_pids
+        ):
+            if mnt_ns_ids and isinstance(mnt_ns_id, renderers.NotAvailableValue):
+                show_filter_warning = True
+
+            if (
+                not isinstance(mnt_ns_id, renderers.NotAvailableValue)
+                and mnt_ns_ids
+                and mnt_ns_id not in mnt_ns_ids
+            ):
                 continue
 
             mnt_info = self.get_mountinfo(mnt, task)
@@ -242,12 +236,17 @@ def _generator(
                 ]
 
             fields_values = [mnt_ns_id]
-            if not per_namespace:
+            if filtered_by_pids:
                 fields_values.append(task.pid)
             fields_values.extend(extra_fields_values)
 
             yield (0, fields_values)
 
+        if show_filter_warning:
+            vollog.warning(
+                "Could not filter by mount namespace id. This field is not available in this kernel."
+            )
+
     def run(self):
         pids = self.config.get("pids")
         mount_ns_ids = self.config.get("mntns")
@@ -263,9 +262,9 @@ def run(self):
         # to displays the mountpoints per namespace.
         if pids:
             columns.append(("PID", int))
-            per_namespace = False
+            filtered_by_pids = True
         else:
-            per_namespace = True
+            filtered_by_pids = False
 
         if self.config.get("mount-format"):
             extra_columns = [
@@ -292,5 +291,6 @@ def run(self):
         columns.extend(extra_columns)
 
         return renderers.TreeGrid(
-            columns, self._generator(tasks, mount_ns_ids, mount_format, per_namespace)
+            columns,
+            self._generator(tasks, mount_ns_ids, mount_format, filtered_by_pids),
         )

volatility3/framework/plugins/linux/sockstat.py

@@ -28,7 +28,11 @@ def __init__(self, vmlinux, task):
         self._vmlinux = vmlinux
         self._task = task
 
-        netns_id = task.nsproxy.net_ns.get_inode()
+        try:
+            netns_id = task.nsproxy.net_ns.get_inode()
+        except AttributeError:
+            netns_id = NotAvailableValue()
+
         self._netdevices = self._build_network_devices_map(netns_id)
 
         self._sock_family_handlers = {
@@ -61,7 +65,10 @@ def _build_network_devices_map(self, netns_id: int) -> Dict:
                 self._vmlinux.symbol_table_name + constants.BANG + "net_device"
             )
             for net_dev in net.dev_base_head.to_list(net_device_symname, "dev_list"):
-                if net.get_inode() != netns_id:
+                if (
+                    isinstance(netns_id, NotAvailableValue)
+                    or net.get_inode() != netns_id
+                ):
                     continue
                 dev_name = utility.array_to_string(net_dev.name)
                 netdevices_map[net_dev.ifindex] = dev_name
@@ -143,19 +150,32 @@ def _extract_socket_filter_info(
             return
 
         bpfprog = sock_filter.prog
-        if bpfprog.type == 0:
-            # BPF_PROG_TYPE_UNSPEC = 0
+
+        BPF_PROG_TYPE_UNSPEC = 0  # cBPF filter
+        try:
+            bpfprog_type = bpfprog.get_type()
+            if bpfprog_type == BPF_PROG_TYPE_UNSPEC:
+                return  # cBPF filter
+        except AttributeError:
+            # kernel < 3.18.140, it's a cBPF filter
+            return
+
+        BPF_PROG_TYPE_SOCKET_FILTER = 1  # eBPF filter
+        if bpfprog_type != BPF_PROG_TYPE_SOCKET_FILTER:
+            socket_filter["bpf_filter_type"] = f"UNK({bpfprog_type})"
+            vollog.warning(f"Unexpected BPF type {bpfprog_type} for a socket")
             return
 
         socket_filter["bpf_filter_type"] = "eBPF"
         if not bpfprog.has_member("aux") or not bpfprog.aux:
-            return
+            return  # kernel < 3.18.140
         bpfprog_aux = bpfprog.aux
+
         if bpfprog_aux.has_member("id"):
-            # `id` member was added to `bpf_prog_aux` in kernels 4.13
+            # `id` member was added to `bpf_prog_aux` in kernels 4.13.16
             socket_filter["bpf_filter_id"] = str(bpfprog_aux.id)
         if bpfprog_aux.has_member("name"):
-            # `name` was added to `bpf_prog_aux` in kernels 4.15
+            # `name` was added to `bpf_prog_aux` in kernels 4.15.18
             bpfprog_name = utility.array_to_string(bpfprog_aux.name)
             if bpfprog_name:
                 socket_filter["bpf_filter_name"] = bpfprog_name
@@ -227,14 +247,22 @@ def _netlink_sock(
         if netlink_sock.groups:
             groups_bitmap = netlink_sock.groups.dereference()
             src_addr = f"groups:0x{groups_bitmap:08x}"
-        src_port = netlink_sock.portid
+
+        try:
+            # Kernel >= 3.7.10
+            src_port = netlink_sock.get_portid()
+        except AttributeError:
+            src_port = NotAvailableValue()
 
         dst_addr = f"group:0x{netlink_sock.dst_group:08x}"
         module = netlink_sock.module
         if module and module.name:
             module_name_str = utility.array_to_string(module.name)
             dst_addr = f"{dst_addr},lkm:{module_name_str}"
-        dst_port = netlink_sock.dst_portid
+        try:
+            dst_port = netlink_sock.get_dst_portid()
+        except AttributeError:
+            dst_port = NotAvailableValue()
 
         state = netlink_sock.get_state()
 
@@ -518,7 +546,11 @@ def list_sockets(
             protocol = child_sock.get_protocol()
 
             net = task.nsproxy.net_ns
-            netns_id = net.get_inode()
+            try:
+                netns_id = net.get_inode()
+            except AttributeError:
+                netns_id = NotAvailableValue()
+
             yield task, netns_id, fd_num, family, sock_type, protocol, sock_fields
 
     def _format_fields(self, sock_stat, protocol):