New API: yara_scan

The yara_scan API parses the file generated by the daemon counterpart
function and returns the list of yara_detection structs to the user.

It writes the daemon's command output on a temporary file and parses it,
deserialising the XDR formatted yara_detection structs.

It returns to the caller the list of yara_detection structs generated by
the internal_yara_scan command.

Signed-off-by: Matteo Cafasso <noxdafox@gmail.com>

docs/C_SOURCE_FILES

@@ -327,6 +327,7 @@ lib/unit-tests.c
 lib/version.c
 lib/wait.c
 lib/whole-file.c
+lib/yara.c
 lua/lua-guestfs.c
 make-fs/make-fs.c
 mllib/common_utils-c.c

generator/actions.ml

@@ -38,7 +38,8 @@ let non_daemon_functions =
   Actions_inspection_deprecated.non_daemon_functions @
   Actions_properties.non_daemon_functions @
   Actions_properties_deprecated.non_daemon_functions @
-  Actions_tsk.non_daemon_functions
+  Actions_tsk.non_daemon_functions @
+  Actions_yara.non_daemon_functions
 
 (* daemon_functions are any functions which cause some action
  * to take place in the daemon.

generator/actions_yara.ml

@@ -22,6 +22,34 @@ open Types
 
 (* Yara APIs. *)
 
+let non_daemon_functions = [
+  { defaults with
+    name = "yara_scan"; added = (1, 37, 13);
+    style = RStructList ("detections", "yara_detection"), [Pathname "path"], [];
+    optional = Some "libyara";
+    progress = true; cancellable = true;
+    shortdesc = "scan a file with the loaded yara rules";
+    longdesc = "\
+Scan a file with the previously loaded Yara rules.
+
+For each matching rule, a C<yara_detection> structure is returned.
+
+The C<yara_detection> structure contains the following fields.
+
+=over 4
+
+=item C<yara_name>
+
+Path of the file matching a Yara rule.
+
+=item C<yara_rule>
+
+Identifier of the Yara rule which matched against the given file.
+
+=back" };
+
+]
+
 let daemon_functions = [
   { defaults with
       name = "yara_load"; added = (1, 37, 13);

generator/actions_yara.mli

@@ -18,4 +18,5 @@
 
 (* Please read generator/README first. *)
 
+val non_daemon_functions : Types.action list
 val daemon_functions : Types.action list

lib/Makefile.am

@@ -127,6 +127,7 @@ libguestfs_la_SOURCES = \
 	wait.c \
 	whole-file.c \
 	version.c \
+	yara.c \
 	libguestfs.syms
 
 libguestfs_la_CPPFLAGS = \

lib/yara.c

@@ -0,0 +1,132 @@
+/* libguestfs
+ * Copyright (C) 2016 Red Hat Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <string.h>
+#include <rpc/xdr.h>
+#include <rpc/types.h>
+
+#include "guestfs.h"
+#include "guestfs_protocol.h"
+#include "guestfs-internal.h"
+#include "guestfs-internal-all.h"
+#include "guestfs-internal-actions.h"
+
+static struct guestfs_yara_detection_list *parse_yara_detection_file (guestfs_h *, const char *);
+static int deserialise_yara_detection_list (guestfs_h *, FILE *, struct guestfs_yara_detection_list *);
+
+struct guestfs_yara_detection_list *
+guestfs_impl_yara_scan (guestfs_h *g, const char *path)
+{
+  int r;
+  CLEANUP_UNLINK_FREE char *tmpfile = NULL;
+
+  tmpfile = guestfs_int_make_temp_path (g, "yara_scan");
+  if (tmpfile == NULL)
+    return NULL;
+
+  r = guestfs_internal_yara_scan (g, path, tmpfile);
+  if (r == -1)
+    return NULL;
+
+  return parse_yara_detection_file (g, tmpfile);  /* caller frees */
+}
+
+/* Parse the file content and return detections list.
+ * Return a list of yara_detection on success, NULL on error.
+ */
+static struct guestfs_yara_detection_list *
+parse_yara_detection_file (guestfs_h *g, const char *tmpfile)
+{
+  int r;
+  CLEANUP_FCLOSE FILE *fp = NULL;
+  struct guestfs_yara_detection_list *detections = NULL;
+
+  fp = fopen (tmpfile, "r");
+  if (fp == NULL) {
+    perrorf (g, "fopen: %s", tmpfile);
+    return NULL;
+  }
+
+  /* Initialise results array. */
+  detections = safe_malloc (g, sizeof (*detections));
+  detections->len = 8;
+  detections->val = safe_malloc (g, detections->len *
+                                 sizeof (*detections->val));
+
+  /* Deserialise buffer into detection list. */
+  r = deserialise_yara_detection_list (g, fp, detections);
+  if (r == -1) {
+    guestfs_free_yara_detection_list (detections);
+    perrorf (g, "deserialise_yara_detection_list");
+    return NULL;
+  }
+
+  return detections;
+}
+
+/* Deserialise the file content and populate the detection list.
+ * Return the number of deserialised detections, -1 on error.
+ */
+static int
+deserialise_yara_detection_list (guestfs_h *g, FILE *fp,
+                                 struct guestfs_yara_detection_list *detections)
+{
+  int r;
+  XDR xdr;
+  uint32_t index;
+  struct stat statbuf;
+
+  r = fstat (fileno(fp), &statbuf);
+  if (r == -1) {
+    perrorf (g, "fstat");
+    return -1;
+  }
+
+  xdrstdio_create (&xdr, fp, XDR_DECODE);
+
+  for (index = 0; xdr_getpos (&xdr) < statbuf.st_size; index++) {
+    if (index == detections->len) {
+      detections->len = 2 * detections->len;
+      detections->val = safe_realloc (g, detections->val,
+                                      detections->len *
+                                      sizeof (*detections->val));
+    }
+
+    /* Clear the entry so xdr logic will allocate necessary memory. */
+    memset (&detections->val[index], 0, sizeof (*detections->val));
+    r = xdr_guestfs_int_yara_detection (&xdr, (guestfs_int_yara_detection *)
+                                        &detections->val[index]);
+    if (r == 0) {
+      perrorf (g, "xdr_guestfs_int_yara_detection");
+      break;
+    }
+  }
+
+  xdr_destroy (&xdr);
+  detections->len = index;
+
+  return r ? 0 : -1;
+}

po/POTFILES

@@ -392,6 +392,7 @@ lib/unit-tests.c
 lib/version.c
 lib/wait.c
 lib/whole-file.c
+lib/yara.c
 lua/lua-guestfs.c
 make-fs/make-fs.c
 mllib/common_utils-c.c