Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 03:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

ScannedFile: Identify already scanned files by device and inode

Browse source 
Zeek scripts located on separate filesystems, but sharing the same inode
number leads to scripts not being loaded. The reason is that a `ScannedFile`
is only identified by `st_ino` which is not enough to uniquely identify a
file in a system.

This problem may be hit when `ZEEKPATH` points to separate filesystems and
two script files happen have the same `st_ino` value - definitely not very
likely, but possibly very confusing when it happens.

The following test case creates two zeek scripts on separate filesystems.
As the filesystems are freshly created and of the same type, the files will
(tested a few times with xfs/ext4) have the same `st_ino` values.

    #!/bin/bash
    ZEEKDIR=${ZEEKDIR:-/home/awelzel/projects/zeek}
    export ZEEKPATH=.:${ZEEKDIR}/build/scripts:${ZEEKDIR}/scripts

    cat << EOF > hello.zeek
    event zeek_init() {
        print("Hello, once or twice?");
    }
    EOF

    for i in 1 2 ; do
        dd if=/dev/urandom of=img${i} count=16 bs=1M 2>/dev/null
        sudo mkfs.xfs -q ./img${i}
        mkdir -p mount${i}
        sudo mount ./img${i} ./mount${i}
        sudo cp hello.zeek ./mount${i}/hello.zeek
    done

    ls ./mount*/*zeek
    stat -c "%n: device=%d inode=%i" ./mount*/hello.zeek

    ${ZEEKDIR}/build/src/zeek -b ./mount1/hello.zeek ./mount2/hello.zeek

    # Cleanup
    for i in 1 2 ; do
        sudo umount ./mount${i}
        rm -rfv ./img${i} ./mount${i}
        rm -rfv hello.zeek
    done

Before this patch, `Hello, once or twice?` is printed only once,
afterwards twice:

    $ sh testcase.sh
    [sudo] password for awelzel:
    ./mount1/hello.zeek  ./mount2/hello.zeek
    ./mount1/hello.zeek: device=1794 inode=6915
    ./mount2/hello.zeek: device=1795 inode=6915
    Hello, once or twice?
    Hello, once or twice?
This commit is contained in:
Arne Welzel 2020-02-23 17:06:52 +01:00
parent 48fba11c51
commit 4b4595f5db
2 changed files with 19 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/Net.h
View file

@ -88,18 +88,20 @@ extern iosource::IOSource* current_iosrc;
extern iosource::PktDumper* pkt_dumper; // where to save packets
// Script file we have already scanned (or are in the process of scanning).
// They are identified by inode number.
// They are identified by device and inode number.
struct ScannedFile {
dev_t dev;
ino_t inode;
int include_level;
string name;
bool skipped; // This ScannedFile was @unload'd.
bool prefixes_checked; // If loading prefixes for this file has been tried.
ScannedFile(ino_t arg_inode, int arg_include_level, const string& arg_name,
bool arg_skipped = false,
ScannedFile(dev_t arg_dev, ino_t arg_inode, int arg_include_level,
const string& arg_name, bool arg_skipped = false,
bool arg_prefixes_checked = false)
: inode(arg_inode), include_level(arg_include_level),
: dev(arg_dev), inode(arg_inode),
include_level(arg_include_level),
name(arg_name), skipped(arg_skipped),
prefixes_checked(arg_prefixes_checked)
{ }