From f1cd3e1d86872e1d80d154c550aca511dbcbedc3 Mon Sep 17 00:00:00 2001
From: "@emptymonkey"
Date: Mon, 5 Aug 2019 19:23:34 -0700
Subject: [PATCH] Fix for mount table interacting with direct autofs. (#5635)
---
 osquery/tables/system/linux/mounts.cpp | 27 +++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/osquery/tables/system/linux/mounts.cpp b/osquery/tables/system/linux/mounts.cpp
index f810082c..5f471907 100644
--- a/osquery/tables/system/linux/mounts.cpp
+++ b/osquery/tables/system/linux/mounts.cpp
@@ -9,6 +9,8 @@
 #include
 #include
+#include
+
 #include
 #include
 #include
@@ -17,6 +19,10 @@
 namespace osquery {
 namespace tables {
+std::set kMountStatBlacklist = { "autofs",
+};
+
 QueryData genMounts(QueryContext& context) {
 QueryData results;
@@ -29,20 +35,23 @@ QueryData genMounts(QueryContext& context) {
 while ((ent = getmntent(mounts))) {
 Row r;
+ r["type"] = std::string(ent->mnt_type);
 r["device"] = std::string(ent->mnt_fsname);
 r["device_alias"] = canonicalize_file_name(ent->mnt_fsname);
 r["path"] = std::string(ent->mnt_dir);
- r["type"] = std::string(ent->mnt_type);
 r["flags"] = std::string(ent->mnt_opts);
- struct statfs st;
- if (!statfs(ent->mnt_dir, &st)) {
- r["blocks_size"] = BIGINT(st.f_bsize);
- r["blocks"] = BIGINT(st.f_blocks);
- r["blocks_free"] = BIGINT(st.f_bfree);
- r["blocks_available"] = BIGINT(st.f_bavail);
- r["inodes"] = BIGINT(st.f_files);
- r["inodes_free"] = BIGINT(st.f_ffree);
+ // Check type against blacklist before running statfs.
+ if (kMountStatBlacklist.find(r["type"]) == kMountStatBlacklist.end()) {
+ struct statfs st;
+ if (!statfs(ent->mnt_dir, &st)) {
+ r["blocks_size"] = BIGINT(st.f_bsize);
+ r["blocks"] = BIGINT(st.f_blocks);
+ r["blocks_free"] = BIGINT(st.f_bfree);
+ r["blocks_available"] = BIGINT(st.f_bavail);
+ r["inodes"] = BIGINT(st.f_files);
+ r["inodes_free"] = BIGINT(st.f_ffree);
+ }
 }
 results.push_back(std::move(r));
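Review bot: `kMountStatBlacklist` in the second hunk is added as a mutable global with external linkage in `osquery::tables`, although the `k` prefix reads as a constant and only `genMounts` uses it in this patch. Declaring it `const` and placing it in an anonymous namespace would keep other translation units from modifying it or colliding with the name (the set's element type is not visible on this page, so the full declaration is not spelled out here). A one-line comment such as `// Filesystem types for which genMounts() must not call statfs().` would also tell the next maintainer what belongs in the list.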
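Review bot: The comment added in the third hunk, `// Check type against blacklist before running statfs.`, says what the guard does but not why, and rows of a skipped type now carry no `blocks*`/`inodes*` values, which a consumer of the table cannot tell apart from a failed `statfs()`. Going by the commit subject, the reason is presumably that calling `statfs()` on a direct autofs mount point makes the kernel act on the automount; if so I would state it, e.g. `// statfs() on a direct autofs mount point can trigger the mount, so skip it; the size columns stay unset for these types.` The `while` loop and `genMounts` itself start and end outside this hunk, so whether anything downstream relies on those columns being present cannot be checked from here.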