Linux: Add lsblk plugin

[dalonjon]

This pull request adds a plugin that mimics the linux lsblk utility. It loops through the block devices on the machine and prints out the device name, major, minor, removability, if the device is read only, type and mountpoint.

Tested on linux versions 3.13-6.8 with Ubuntu, Rhel, Centos, Debian, sles, and Oracle Linux distros. Worked with the latest version for each distro.

Here is an example invocation of this plugin:
`% ./vol.py -f data6.5-RaidTest.lime lsblk
Volatility 3 Framework 2.6.1
Progress: 100.00 Stacking attempts finished
NAME MAJOR MINOR RM RO SIZE TYPE MOUNTPOINT

loop0 7 0 0 1 4.0K loop /snap/bare/5
loop1 7 1 0 1 74.2M loop /snap/core22/1122
loop2 7 2 0 1 266.6M loop /snap/firefox/3836
loop3 7 3 0 1 497.0M loop /snap/gnome-42-2204/141
loop4 7 4 0 1 74.2M loop /snap/core22/1439
loop5 7 5 0 1 268.4M loop /snap/firefox/4650
loop6 7 6 0 1 12.3M loop /snap/snap-store/959
loop7 7 7 0 1 40.4M loop /snap/snapd/20671
sdb 8 16 0 0 32.0G disk
sda 8 0 0 0 32.0G disk
sdc 8 32 0 0 25.0G disk
sdb1 8 17 0 0 32.0G part
sdc1 8 33 0 0 25.0G part
sda1 8 1 0 0 1.0M part
sda2 8 2 0 0 513.0M part /boot/efi
sda3 8 3 0 0 31.5G part /
md0 9 0 0 0 25.0G raid1
sr0 11 0 1 0 1024.0M rom
loop8 7 8 0 1 91.7M loop /snap/gtk-common-themes/1535
loop10 7 10 0 1 452.0K loop /snap/snapd-desktop-integration/83
loop9 7 9 0 1 38.8M loop /snap/snapd/21759`

[ikelos]

Thanks very much for your submission, there's quite a lot going on so I can't guarantee these are all the comments to be made, but it should be enough to be getting on with. There is at least one show stopper, where some results are converted to strings before being returned from the plugin, which is bad from the perspective of allowing other tools to use the data this plugin returns. That will need to change before this is accepted, but most everything else looks pretty good. There's a lot of backtracking from a subtype to a parent type, which ok, but could do with a lot of documentation so people can see/verify what's going on.

[ikelos]

Feels like this could be used for more than just the linux.lsblk function, consider adding it as a staticmethod somewhere more common across plugins. As mentioned above, this is really a UI function rather than a plugin function. The plugin should return the raw data, and let the UI decide what needs to happen to display it properly (using a type hint to say how you'd expect it to be displayed).

[ikelos]

Again, type information and ideally context first and simpler parameters where possible afterwards.

[ikelos]

This is kinda ok here, but if anything else ever would be able to make use of it, it should be lifted out into constants.linux somewhere (if it doesn't already exist as an enumeration in linux symbol tables).

[ikelos]

Looking much better and the code is much easier to read through now, thanks! Just a few more points but looking really close to the finish line. 5:)

[ikelos]

Generally we import modules, rather than specific values, so that if people find it in this code and are lazy, they can't import this plugin more easily than importing the module they need. So please import either constants or linux and then use either constants.linux.GOLDEN... or linux.GOLDEN... respectively (I think I'd prefer constants).

[ikelos]

Rather than limiting this function to being usable during a run of this plugin, could we add a parameter for kernel_module_name please? This would then allow a lot of these to become classmethods, and make then usable by other plugins in the future.

[ikelos]

Please could we parameterize this on kernel_module_name rather than going to the config? It'll make the function more usable outside of the bounds of just this plugin.

[ikelos]

Also, rather than passing in vmlinux, the convention for volatility plugins is to pass in the context as the first parameter and then the module name as the second, and then lookup the module in context.modules. Sticking to the convention should make it easier if/when we come to parallelize things rather than passing around lots of objects, it's just the context and then a reference for something inside the context.

[ikelos]

Would it be possible to provide basic docstring describing what these functions do and what their input arguments are and what output they produce please?

[Abyss-W4tcher]

Could this helper make it in the core API please ? This can definitely be useful for any kind of device parser plugin 👍

[gcmoreira]

Please use vmlinux.has_symbol() instead of all these

[gcmoreira]

It seems like you could refactor this into an internal helper function, such as _get_block_device(), which would return either the block_device or None. This would help make the large for statement more readable and maintainable.

[gcmoreira]

Oops, I just noticed you already have a _get_block_device() method, but it seems to only work for kernels 5.11 and up, which adds to the confusion. You'll need to rethink how to refactor this.
Ideally, there should be a single _get_block_device() method, and based on the kernel version (the type checks you are doing in the above lines), it can either call the method for kernels >= 5.11 or the one for < 5.11. This would make the logic much clearer.