memf-linux 0.2.1

Linux kernel memory forensic walkers (processes, connections, modules)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

//! FUSE filesystem abuse detection.

use memf_core::object_reader::ObjectReader;
use memf_format::PhysicalMemoryProvider;

use crate::types::FuseAbuseInfo;
use crate::Result;

/// Classify whether a FUSE mount is suspicious based on the daemon's UID and
/// whether the mounted filesystem has the setuid bit honoured.
///
/// Returns `true` if the daemon is a non-root user (`uid != 0`) but the mount
/// allows setuid execution — a privilege-escalation path.
pub fn is_suspicious_fuse_mount(uid: u32, is_setuid: bool) -> bool {
    uid != 0 && is_setuid
}

/// Scan for FUSE filesystem abuse (mounted over sensitive paths, root daemon with allow_other).
///
/// Returns `Ok(vec![])` as a stub until full implementation is added.
pub fn scan_fuse_abuse<P: PhysicalMemoryProvider>(
    reader: &ObjectReader<P>,
) -> Result<Vec<FuseAbuseInfo>> {
    let _ = reader;
    Ok(vec![])
}

#[cfg(test)]
mod tests {
    use super::*;
    use memf_core::test_builders::PageTableBuilder;
    use memf_core::vas::{TranslationMode, VirtualAddressSpace};
    use memf_symbols::isf::IsfResolver;
    use memf_symbols::test_builders::IsfBuilder;

    fn make_minimal_reader() -> ObjectReader<memf_core::test_builders::SyntheticPhysMem> {
        let isf = IsfBuilder::new().build_json();
        let resolver = IsfResolver::from_value(&isf).unwrap();
        let (cr3, mem) = PageTableBuilder::new().build();
        let vas = VirtualAddressSpace::new(mem, cr3, TranslationMode::X86_64FourLevel);
        ObjectReader::new(vas, Box::new(resolver))
    }

    #[test]
    fn empty_memory_returns_ok_empty() {
        let reader = make_minimal_reader();
        let result = scan_fuse_abuse(&reader);
        assert!(result.is_ok(), "should succeed with minimal reader");
        assert!(
            result.unwrap().is_empty(),
            "empty memory → no FUSE abuse hits"
        );
    }

    #[test]
    fn result_is_vec_of_fuse_abuse_info() {
        let reader = make_minimal_reader();
        let result: Result<Vec<FuseAbuseInfo>> = scan_fuse_abuse(&reader);
        assert!(result.is_ok());
    }

    #[test]
    fn fuse_abuse_info_fields_constructible() {
        let info = FuseAbuseInfo {
            pid: 333,
            comm: "sshfs".to_string(),
            mount_point: "/proc".to_string(),
            is_over_sensitive_path: true,
            daemon_is_root: true,
            allow_other: true,
        };
        assert_eq!(info.pid, 333);
        assert_eq!(info.mount_point, "/proc");
        assert!(info.is_over_sensitive_path);
        assert!(info.allow_other);
    }

    #[test]
    fn fuse_abuse_info_serializes() {
        let info = FuseAbuseInfo {
            pid: 1,
            comm: "fusermount".to_string(),
            mount_point: "/etc".to_string(),
            is_over_sensitive_path: true,
            daemon_is_root: false,
            allow_other: false,
        };
        let json = serde_json::to_string(&info).unwrap();
        assert!(json.contains("\"pid\":1"));
        assert!(json.contains("/etc"));
        assert!(json.contains("\"is_over_sensitive_path\":true"));
    }

    // --- classifier helper tests (genuine RED: function does not exist yet) ---

    #[test]
    fn non_root_uid_with_setuid_is_suspicious_fuse_mount() {
        // Non-root daemon with setuid flag → privilege escalation path
        assert!(is_suspicious_fuse_mount(1000, true));
    }

    #[test]
    fn root_uid_with_setuid_is_not_suspicious() {
        assert!(!is_suspicious_fuse_mount(0, true));
    }

    #[test]
    fn non_root_uid_without_setuid_is_not_suspicious() {
        assert!(!is_suspicious_fuse_mount(1000, false));
    }
}