The internal_find_inode command searches for all entries referring to
the given inode and returns a tsk_dirent structure for each of them.
The command is able to retrieve information regarding deleted
or inaccessible files where other commands such as stat or find
would fail.
The gathered list of tsk_dirent structs is serialised into XDR format
and written to a file by the appliance.
Signed-off-by: Matteo Cafasso <noxdafox(a)gmail.com>
---
daemon/tsk.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++
generator/actions.ml | 9 +++++++
src/MAX_PROC_NR | 2 +-
3 files changed, 85 insertions(+), 1 deletion(-)
diff --git a/daemon/tsk.c b/daemon/tsk.c
index dd368d7..beb92a3 100644
--- a/daemon/tsk.c
+++ b/daemon/tsk.c
@@ -44,6 +44,7 @@ enum tsk_dirent_flags {
static int open_filesystem (const char *, TSK_IMG_INFO **, TSK_FS_INFO **);
static TSK_WALK_RET_ENUM fswalk_callback (TSK_FS_FILE *, const char *, void *);
+static TSK_WALK_RET_ENUM ifind_callback (TSK_FS_FILE *, const char *, void *);
static char file_type (TSK_FS_FILE *);
static int file_flags (TSK_FS_FILE *fsfile);
static void file_metadata (TSK_FS_META *, guestfs_int_tsk_dirent *);
@@ -78,6 +79,35 @@ do_internal_filesystem_walk (const mountable_t *mountable)
return ret;
}
+int
+do_internal_find_inode (const mountable_t *mountable, int64_t inode)
+{
+ int ret = -1;
+ TSK_FS_INFO *fs = NULL;
+ TSK_IMG_INFO *img = NULL; /* Used internally by tsk_fs_dir_walk */
+ const int flags =
+ TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC |
+ TSK_FS_DIR_WALK_FLAG_RECURSE | TSK_FS_DIR_WALK_FLAG_NOORPHAN;
+
+ ret = open_filesystem (mountable->device, &img, &fs);
+ if (ret < 0)
+ return ret;
+
+ reply (NULL, NULL); /* Reply message. */
+
+ ret = tsk_fs_dir_walk (fs, fs->root_inum, flags, ifind_callback,
+ (void *) &inode);
+ if (ret == 0)
+ ret = send_file_end (0); /* File transfer end. */
+ else
+ send_file_end (1); /* Cancel file transfer. */
+
+ fs->close (fs);
+ img->close (img);
+
+ return ret;
+}
+
/* Inspect the device and initialises the img and fs structures.
* Return 0 on success, -1 on error.
*/
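Review bot: `inode` reaches `do_internal_find_inode` as a signed `int64_t` and is handed to the walk with no range check, while `ifind_callback` reads it back through a `uint64_t *`. A negative value is therefore silently reinterpreted as a very large inode number, and the whole filesystem is walked only to produce an empty result. Reject it before `open_filesystem`, for example `if (inode < 0) { reply_with_error ("inode must be >= 0"); return -1; }`. Separately, when the walk fails the function returns whatever non-zero value `tsk_fs_dir_walk` produced rather than -1; if the caller expects -1 on error, set `ret = -1` in the `else` branch.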
@@ -141,6 +171,51 @@ fswalk_callback (TSK_FS_FILE *fsfile, const char *path, void *data)
return ret;
}
+/* Find inode callback, it gets called on every FS node.
+ * Parse the node, encode it into an XDR structure and send it to the appliance.
+ * Return TSK_WALK_CONT on success, TSK_WALK_ERROR on error.
+ */
+static TSK_WALK_RET_ENUM
+ifind_callback (TSK_FS_FILE *fsfile, const char *path, void *data)
+{
+ int ret = 0;
+ CLEANUP_FREE char *fname = NULL;
+ uint64_t *inode = (uint64_t *) data;
+ struct guestfs_int_tsk_dirent dirent;
+
+ if (*inode != fsfile->name->meta_addr)
+ return TSK_WALK_CONT;
+
+ /* Ignore ./ and ../ */
+ if (TSK_FS_ISDOT (fsfile->name->name)) {
+ /* Root is represented as . */
+ if (fsfile->fs_info->root_inum != fsfile->name->meta_addr ||
+ strcmp (fsfile->name->name, "."))
+ return TSK_WALK_CONT;
+ }
+
+ /* Build the full relative path of the entry */
+ ret = asprintf (&fname, "%s%s", path, fsfile->name->name);
+ if (ret < 0) {
+ perror ("asprintf");
+ return TSK_WALK_ERROR;
+ }
+
+ /* Set dirent fields */
+ memset (&dirent, 0, sizeof dirent);
+
+ dirent.tsk_inode = fsfile->name->meta_addr;
+ dirent.tsk_type = file_type (fsfile);
+ dirent.tsk_name = fname;
+ dirent.tsk_flags = file_flags (fsfile);
+
+ file_metadata (fsfile->meta, &dirent);
+
+ ret = send_dirent_info (&dirent);
+
+ return (ret == 0) ? TSK_WALK_CONT : TSK_WALK_ERROR;;
+}
+
/* Inspect fsfile to identify its type. */
static char
file_type (TSK_FS_FILE *fsfile)
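Review bot: `ifind_callback` passes `fsfile->meta` to `file_metadata` unconditionally, although the walk is started with `TSK_FS_DIR_WALK_FLAG_UNALLOC` and a deleted name on an untrusted image may have no metadata attached. `file_metadata` is defined outside this hunk, so either confirm that it tolerates a NULL `TSK_FS_META *` or guard the call with `if (fsfile->meta != NULL)`. It would also help to extend the header comment with `/* For unallocated names the inode may have been reallocated, so the metadata can describe a different file. */`, since consumers of the output will otherwise trust it. Minor points: the final `return` ends in a stray `;;`, and `data` could be read as `const uint64_t *` because the callback never writes through it.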
diff --git a/generator/actions.ml b/generator/actions.ml
index eccef00..449443f 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -13205,6 +13205,15 @@ only the unallocated blocks will be extracted.
This is useful to detect hidden data or to retrieve deleted files
which data units have not been overwritten yet." };
+ { defaults with
+ name = "internal_find_inode"; added = (1, 35, 2);
+ style = RErr, [Mountable "device"; Int64 "inode"; FileOut
"filename";], [];
+ proc_nr = Some 469;
+ visibility = VInternal;
+ optional = Some "libtsk";
+ shortdesc = "search the entries associated to the given inode";
+ longdesc = "Internal function for find_inode." };
+
]
(* Non-API meta-commands available only in guestfish.
diff --git a/src/MAX_PROC_NR b/src/MAX_PROC_NR
index 1023289..5ef9d24 100644
--- a/src/MAX_PROC_NR
+++ b/src/MAX_PROC_NR
@@ -1 +1 @@
-468
+469
--
2.9.3