The yara_scan API parses the file generated by the daemon counterpart
function and returns the list of yara_detection structs to the user.
It writes the daemon's command output on a temporary file and parses it,
deserialising the XDR formatted yara_detection structs.
It returns to the caller the list of yara_detection structs generated by
the internal_yara_scan command.
Signed-off-by: Matteo Cafasso <noxdafox(a)gmail.com>
---
generator/actions.ml | 3 +-
generator/actions_yara.ml | 28 ++++++++++
generator/actions_yara.mli | 1 +
lib/Makefile.am | 1 +
lib/yara.c | 132 +++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 164 insertions(+), 1 deletion(-)
create mode 100644 lib/yara.c
diff --git a/generator/actions.ml b/generator/actions.ml
index 6e11d99c3..2722f3dcd 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -38,7 +38,8 @@ let non_daemon_functions =
Actions_inspection_deprecated.non_daemon_functions @
Actions_properties.non_daemon_functions @
Actions_properties_deprecated.non_daemon_functions @
- Actions_tsk.non_daemon_functions
+ Actions_tsk.non_daemon_functions @
+ Actions_yara.non_daemon_functions
(* daemon_functions are any functions which cause some action
* to take place in the daemon.
diff --git a/generator/actions_yara.ml b/generator/actions_yara.ml
index 1f7decdd4..5afbd47e9 100644
--- a/generator/actions_yara.ml
+++ b/generator/actions_yara.ml
@@ -22,6 +22,34 @@ open Types
(* Yara APIs. *)
+let non_daemon_functions = [
+ { defaults with
+ name = "yara_scan"; added = (1, 37, 12);
+ style = RStructList ("detections", "yara_detection"), [Pathname
"path"], [];
+ optional = Some "libyara";
+ progress = true; cancellable = true;
+ shortdesc = "scan a file with the loaded yara rules";
+ longdesc = "\
+Scan a file with the previously loaded Yara rules.
+
+For each matching rule, a C<yara_detection> structure is returned.
+
+The C<yara_detection> structure contains the following fields.
+
+=over 4
+
+=item C<yara_name>
+
+Path of the file matching a Yara rule.
+
+=item C<yara_rule>
+
+Identifier of the Yara rule which matched against the given file.
+
+=back" };
+
+]
+
let daemon_functions = [
{ defaults with
name = "yara_load"; added = (1, 37, 12);
diff --git a/generator/actions_yara.mli b/generator/actions_yara.mli
index 23eefe068..06b8116c4 100644
--- a/generator/actions_yara.mli
+++ b/generator/actions_yara.mli
@@ -18,4 +18,5 @@
(* Please read generator/README first. *)
+val non_daemon_functions : Types.action list
val daemon_functions : Types.action list
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 063706f8f..fc55c2dcf 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -127,6 +127,7 @@ libguestfs_la_SOURCES = \
wait.c \
whole-file.c \
version.c \
+ yara.c \
libguestfs.syms
libguestfs_la_CPPFLAGS = \
diff --git a/lib/yara.c b/lib/yara.c
new file mode 100644
index 000000000..7e4683101
--- /dev/null
+++ b/lib/yara.c
@@ -0,0 +1,132 @@
+/* libguestfs
+ * Copyright (C) 2016 Red Hat Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <string.h>
+#include <rpc/xdr.h>
+#include <rpc/types.h>
+
+#include "guestfs.h"
+#include "guestfs_protocol.h"
+#include "guestfs-internal.h"
+#include "guestfs-internal-all.h"
+#include "guestfs-internal-actions.h"
+
+static struct guestfs_yara_detection_list *parse_yara_detection_file (guestfs_h *, const
char *);
+static int deserialise_yara_detection_list (guestfs_h *, FILE *, struct
guestfs_yara_detection_list *);
+
+struct guestfs_yara_detection_list *
+guestfs_impl_yara_scan (guestfs_h *g, const char *path)
+{
+ int r;
+ CLEANUP_UNLINK_FREE char *tmpfile = NULL;
+
+ tmpfile = guestfs_int_make_temp_path (g, "yara_scan");
+ if (tmpfile == NULL)
+ return NULL;
+
+ r = guestfs_internal_yara_scan (g, path, tmpfile);
+ if (r == -1)
+ return NULL;
+
+ return parse_yara_detection_file (g, tmpfile); /* caller frees */
+}
+
+/* Parse the file content and return detections list.
+ * Return a list of yara_detection on success, NULL on error.
+ */
+static struct guestfs_yara_detection_list *
+parse_yara_detection_file (guestfs_h *g, const char *tmpfile)
+{
+ int r;
+ CLEANUP_FCLOSE FILE *fp = NULL;
+ struct guestfs_yara_detection_list *detections = NULL;
+
+ fp = fopen (tmpfile, "r");
+ if (fp == NULL) {
+ perrorf (g, "fopen: %s", tmpfile);
+ return NULL;
+ }
+
+ /* Initialise results array. */
+ detections = safe_malloc (g, sizeof (*detections));
+ detections->len = 8;
+ detections->val = safe_malloc (g, detections->len *
+ sizeof (*detections->val));
+
+ /* Deserialise buffer into detection list. */
+ r = deserialise_yara_detection_list (g, fp, detections);
+ if (r == -1) {
+ guestfs_free_yara_detection_list (detections);
+ perrorf (g, "deserialise_yara_detection_list");
+ return NULL;
+ }
+
+ return detections;
+}
+
+/* Deserialise the file content and populate the detection list.
+ * Return the number of deserialised detections, -1 on error.
+ */
+static int
+deserialise_yara_detection_list (guestfs_h *g, FILE *fp,
+ struct guestfs_yara_detection_list *detections)
+{
+ int r;
+ XDR xdr;
+ uint32_t index;
+ struct stat statbuf;
+
+ r = fstat (fileno(fp), &statbuf);
+ if (r == -1) {
+ perrorf (g, "fstat");
+ return -1;
+ }
+
+ xdrstdio_create (&xdr, fp, XDR_DECODE);
+
+ for (index = 0; xdr_getpos (&xdr) < statbuf.st_size; index++) {
+ if (index == detections->len) {
+ detections->len = 2 * detections->len;
+ detections->val = safe_realloc (g, detections->val,
+ detections->len *
+ sizeof (*detections->val));
+ }
+
+ /* Clear the entry so xdr logic will allocate necessary memory. */
+ memset (&detections->val[index], 0, sizeof (*detections->val));
+ r = xdr_guestfs_int_yara_detection (&xdr, (guestfs_int_yara_detection *)
+ &detections->val[index]);
+ if (r == 0) {
+ perrorf (g, "xdr_guestfs_int_yara_detection");
+ break;
+ }
+ }
+
+ xdr_destroy (&xdr);
+ detections->len = index;
+
+ return r ? 0 : -1;
+}
--
2.11.0