Use gather_elf to identify ELF subjects

linux-application-whitelisting · Jun 15, 2022 · 2d1a12b · 2d1a12b
1 parent 4133dc7
commit 2d1a12b
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/src/library/process.c b/src/library/process.c
@@ -1,6 +1,6 @@
 /*
  * process.c - functions to access attributes of processes
- * Copyright (c) 2016,2020 Red Hat Inc.
+ * Copyright (c) 2016,2020-22 Red Hat Inc.
  * All Rights Reserved.
  *
  * This software may be freely redistributed and/or modified under the
@@ -36,6 +36,7 @@
 #include <sys/stat.h>
 #include <magic.h>
 #include "process.h"
+#include "file.h"
 
 #define BUFSZ 12  // Largest unsigned int is 10 characters long
 /*
@@ -208,6 +209,20 @@ char *get_type_from_pid(pid_t pid, size_t blen, char *buf)
 	if (fd >= 0) {
 		const char *ptr;
 		extern magic_t magic_cookie;
+		struct stat sb;
+
+		// Most of the time, the process will be ELF.
+		// We can identify it much faster than libmagic.
+		if (fstat(fd, &sb) == 0) {
+			uint32_t elf = gather_elf(fd, sb.st_size);
+			if (elf) {
+				ptr = classify_elf_info(elf, path);
+				close(fd);
+				if (ptr == NULL)
+					return (char *)ptr;
+				return strncpy(buf, ptr, blen-1);
+			}
+		}
 
 		ptr = magic_descriptor(magic_cookie, fd);
 		close(fd);