File: cache.go

package info (click to toggle)
opensnitch 1.6.9-3
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 5,980 kB
  • sloc: python: 12,604; ansic: 1,965; sh: 435; makefile: 239; xml: 50; sql: 3
file content (339 lines) | stat: -rw-r--r-- 7,477 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
 
package procmon

import (
	"os"
	"sort"
	"strconv"
	"sync"
	"time"

	"github.com/evilsocket/opensnitch/daemon/core"
)

// InodeItem represents an item of the InodesCache.
type InodeItem struct {
	FdPath   string
	LastSeen int64
	Pid      int

	sync.RWMutex
}

// ProcItem represents an item of the pidsCache
type ProcItem struct {
	FdPath      string
	Descriptors []string
	LastSeen    int64
	Pid         int

	sync.RWMutex
}

// CacheProcs holds the cache of processes that have established connections.
type CacheProcs struct {
	items []*ProcItem
	sync.RWMutex
}

// CacheInodes holds the cache of Inodes.
// The key is formed as follow:
// inode+srcip+srcport+dstip+dstport
type CacheInodes struct {
	items map[string]*InodeItem
	sync.RWMutex
}

var (
	// cache of inodes, which help to not iterate over all the pidsCache and
	// descriptors of /proc/<pid>/fd/
	// 15-50us vs 50-80ms
	// we hit this cache when:
	// - we've blocked a connection and the process retries it several times until it gives up,
	// - or when a process timeouts connecting to an IP/domain and it retries it again,
	// - or when a process resolves a domain and then connects to the IP.
	inodesCache = NewCacheOfInodes()
	maxTTL      = 3 // maximum 3 minutes of inactivity in cache. Really rare, usually they lasts less than a minute.

	// 2nd cache of already known running pids, which also saves time by
	// iterating only over a few pids' descriptors, (30us-20ms vs. 50-80ms)
	// since it's more likely that most of the connections will be made by the
	// same (running) processes.
	// The cache is ordered by time, placing in the first places those PIDs with
	// active connections.
	pidsCache            CacheProcs
	pidsDescriptorsCache = make(map[int][]string)

	cacheTicker = time.NewTicker(2 * time.Minute)
)

// CacheCleanerTask checks periodically if the inodes in the cache must be removed.
func CacheCleanerTask() {
	for {
		select {
		case <-cacheTicker.C:
			inodesCache.cleanup()
		}
	}
}

// NewCacheOfInodes returns a new cache for inodes.
func NewCacheOfInodes() *CacheInodes {
	return &CacheInodes{
		items: make(map[string]*InodeItem),
	}
}

//******************************************************************************
// items of the caches.

func (i *InodeItem) updateTime() {
	i.Lock()
	i.LastSeen = time.Now().UnixNano()
	i.Unlock()
}

func (i *InodeItem) getTime() int64 {
	i.RLock()
	defer i.RUnlock()
	return i.LastSeen
}

func (p *ProcItem) updateTime() {
	p.Lock()
	p.LastSeen = time.Now().UnixNano()
	p.Unlock()
}

func (p *ProcItem) updateDescriptors(descriptors []string) {
	p.Lock()
	p.Descriptors = descriptors
	p.Unlock()
}

//******************************************************************************
// cache of processes

func (c *CacheProcs) add(fdPath string, fdList []string, pid int) {
	c.Lock()
	defer c.Unlock()
	for n := range c.items {
		item := c.items[n]
		if item == nil {
			continue
		}
		if item.Pid == pid {
			item.updateTime()
			return
		}
	}

	procItem := &ProcItem{
		Pid:         pid,
		FdPath:      fdPath,
		Descriptors: fdList,
		LastSeen:    time.Now().UnixNano(),
	}

	c.setItems([]*ProcItem{procItem}, c.items)
}

func (c *CacheProcs) sort(pid int) {
	item := c.getItem(0)
	if item != nil && item.Pid == pid {
		return
	}
	c.RLock()
	defer c.RUnlock()

	sort.Slice(c.items, func(i, j int) bool {
		t := c.items[i].LastSeen
		u := c.items[j].LastSeen
		return t > u || t == u
	})
}

func (c *CacheProcs) delete(pid int) {
	c.Lock()
	defer c.Unlock()

	for n, procItem := range c.items {
		if procItem.Pid == pid {
			c.deleteItem(n)
			inodesCache.delete(pid)
			break
		}
	}
}

func (c *CacheProcs) deleteItem(pos int) {
	nItems := len(c.items)
	if pos < nItems {
		c.setItems(c.items[:pos], c.items[pos+1:])
	}
}

func (c *CacheProcs) setItems(newItems []*ProcItem, oldItems []*ProcItem) {
	c.items = append(newItems, oldItems...)
}

func (c *CacheProcs) getItem(index int) *ProcItem {
	c.RLock()
	defer c.RUnlock()

	if index >= len(c.items) {
		return nil
	}

	return c.items[index]
}

func (c *CacheProcs) getItems() []*ProcItem {
	return c.items
}

func (c *CacheProcs) countItems() int {
	c.RLock()
	defer c.RUnlock()

	return len(c.items)
}

// loop over the processes that have generated connections
func (c *CacheProcs) getPid(inode int, inodeKey string, expect string) (int, int) {
	c.Lock()
	defer c.Unlock()

	for n, procItem := range c.items {
		if procItem == nil {
			continue
		}

		if idxDesc, _ := getPidDescriptorsFromCache(procItem.FdPath, inodeKey, expect, &procItem.Descriptors, procItem.Pid); idxDesc != -1 {
			procItem.updateTime()
			return procItem.Pid, n
		}

		descriptors := lookupPidDescriptors(procItem.FdPath, procItem.Pid)
		if descriptors == nil {
			c.deleteItem(n)
			continue
		}

		procItem.updateDescriptors(descriptors)
		if idxDesc, _ := getPidDescriptorsFromCache(procItem.FdPath, inodeKey, expect, &descriptors, procItem.Pid); idxDesc != -1 {
			procItem.updateTime()
			return procItem.Pid, n
		}
	}

	return -1, -1
}

//******************************************************************************
// cache of inodes

func (i *CacheInodes) add(key, descLink string, pid int) {
	i.Lock()
	defer i.Unlock()

	if descLink == "" {
		descLink = core.ConcatStrings("/proc/", strconv.Itoa(pid), "/exe")
	}
	i.items[key] = &InodeItem{
		FdPath:   descLink,
		Pid:      pid,
		LastSeen: time.Now().UnixNano(),
	}
}

func (i *CacheInodes) delete(pid int) {
	i.Lock()
	defer i.Unlock()

	for k, inodeItem := range i.items {
		if inodeItem.Pid == pid {
			delete(i.items, k)
		}
	}
}

func (i *CacheInodes) getPid(inodeKey string) int {
	if item, ok := i.isInCache(inodeKey); ok {
		// sometimes the process may have disappeared at this point
		if _, err := os.Lstat(item.FdPath); err == nil {
			item.updateTime()
			return item.Pid
		}
		pidsCache.delete(item.Pid)
		i.delItem(inodeKey)
	}

	return -1
}

func (i *CacheInodes) delItem(inodeKey string) {
	i.Lock()
	defer i.Unlock()
	delete(i.items, inodeKey)
}

func (i *CacheInodes) getItem(inodeKey string) *InodeItem {
	i.RLock()
	defer i.RUnlock()

	return i.items[inodeKey]
}

func (i *CacheInodes) getItems() map[string]*InodeItem {
	i.RLock()
	defer i.RUnlock()

	return i.items
}

func (i *CacheInodes) isInCache(inodeKey string) (*InodeItem, bool) {
	i.RLock()
	defer i.RUnlock()

	if item, found := i.items[inodeKey]; found {
		return item, true
	}
	return nil, false
}

func (i *CacheInodes) cleanup() {
	now := time.Now()
	i.Lock()
	defer i.Unlock()
	for k := range i.items {
		if i.items[k] == nil {
			continue
		}
		lastSeen := now.Sub(
			time.Unix(0, i.items[k].getTime()),
		)
		if core.Exists(i.items[k].FdPath) == false || int(lastSeen.Minutes()) > maxTTL {
			delete(i.items, k)
		}
	}
}

func getPidDescriptorsFromCache(fdPath, inodeKey, expect string, descriptors *[]string, pid int) (int, *[]string) {
	for fdIdx := 0; fdIdx < len(*descriptors); fdIdx++ {
		descLink := core.ConcatStrings(fdPath, (*descriptors)[fdIdx])
		if link, err := os.Readlink(descLink); err == nil && link == expect {
			if fdIdx > 0 {
				// reordering helps to reduce look up times by a factor of 10.
				fd := (*descriptors)[fdIdx]
				*descriptors = append((*descriptors)[:fdIdx], (*descriptors)[fdIdx+1:]...)
				*descriptors = append([]string{fd}, *descriptors...)
			}
			if _, ok := inodesCache.isInCache(inodeKey); ok {
				inodesCache.add(inodeKey, descLink, pid)
			}
			return fdIdx, descriptors
		}
	}

	return -1, descriptors
}