# This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. # # This archive contains: # # osquery # osquery/distinfo # osquery/Makefile # osquery/pkg-message # osquery/pkg-descr # osquery/pkg-plist # osquery/files # osquery/files/patch-third-party_glog_src_stl__logging__unittest.cc # osquery/files/patch-third-party_glog_src_stacktrace__unittest.cc # osquery/files/patch-third-party_glog_src_logging__unittest.cc # osquery/files/patch-third-party_glog_src_googletest.h # osquery/files/patch-third-party_glog_src_glog_stl__logging.h.in # osquery/files/patch-CMake_FindGlog.cmake # osquery/files/patch-CMakeLists.txt # osquery/files/patch-Makefile # osquery/files/patch-include_osquery_core.h # osquery/files/patch-include_osquery_events.h # osquery/files/patch-include_osquery_flags.h # osquery/files/patch-include_osquery_registry.h # osquery/files/patch-kernel_linux_.gitignore # osquery/files/patch-kernel_linux_Makefile # osquery/files/patch-kernel_linux_hash.c # osquery/files/patch-kernel_linux_hash.h # osquery/files/patch-kernel_linux_hide.c # osquery/files/patch-kernel_linux_hide.h # osquery/files/patch-kernel_linux_main.c # osquery/files/patch-kernel_linux_sysfs.c # osquery/files/patch-kernel_linux_sysfs.h # osquery/files/patch-osquery_CMakeLists.txt # osquery/files/patch-osquery_config_config.cpp # osquery/files/osqueryd.in # osquery/files/patch-osquery_config_plugins_http.cpp # osquery/files/patch-osquery_config_plugins_tests_http__config__tests.cpp # osquery/files/patch-osquery_core_watcher.cpp # osquery/files/patch-osquery_core_watcher.h # osquery/files/patch-osquery_database_db__handle.cpp # osquery/files/patch-osquery_dispatcher_dispatcher.cpp # osquery/files/patch-osquery_dispatcher_dispatcher.h # osquery/files/patch-osquery_dispatcher_scheduler.cpp # osquery/files/patch-osquery_dispatcher_scheduler.h # osquery/files/patch-osquery_dispatcher_tests_dispatcher__tests.cpp # osquery/files/patch-osquery_events_darwin_fsevents.cpp # osquery/files/patch-osquery_events_darwin_fsevents.h # osquery/files/patch-osquery_events_darwin_tests_fsevents__tests.cpp # osquery/files/patch-osquery_events_events.cpp # osquery/files/patch-osquery_extensions_extensions.cpp # osquery/files/patch-osquery_extensions_interface.cpp # osquery/files/patch-osquery_extensions_interface.h # osquery/files/patch-osquery_extensions_tests_extensions__tests.cpp # osquery/files/patch-osquery_filesystem_CMakeLists.txt # osquery/files/patch-osquery_main_run.cpp # osquery/files/patch-osquery_remote_enrollment_plugins_tests_http__enrollment__tests.cpp # osquery/files/patch-osquery_remote_requests.h # osquery/files/patch-osquery_remote_transports_http.cpp # osquery/files/patch-osquery_remote_transports_tests_http__transports__tests.cpp # osquery/files/patch-osquery_tables_CMakeLists.txt # osquery/files/patch-osquery_tables_networking_interfaces.cpp # osquery/files/patch-osquery_tables_networking_utils.h # osquery/files/patch-osquery_tables_specs_blacklist # osquery/files/patch-osquery_tables_system_centos_rpm__packages.cpp # osquery/files/patch-osquery_tables_system_freebsd_sysctl__utils.cpp # osquery/files/patch-osquery_tables_system_linux_os__version.cpp # osquery/files/patch-tools_codegen_gentable.py # osquery/files/patch-tools_provision_freebsd.sh # osquery/files/patch-tools_provision_lib.sh # osquery/files/patch-tools_tests_test__extensions.py # osquery/files/patch-CMake_CMakeLibs.cmake # osquery/files/patch-tools_deployment_osquery.example.conf # osquery/files/patch-third-party_cpp-netlib_CMakeLists.txt # osquery/files/patch-third-party_cpp-netlib_libs_network_src_CMakeLists.txt # osquery/files/patch-third-party_glog_src_utilities.h # echo c - osquery mkdir -p osquery > /dev/null 2>&1 echo x - osquery/distinfo sed 's/^X//' >osquery/distinfo << 'cf235c2f30761c39bf4951e3d491c3ce' XSHA256 (osquery-1.4.5.tar.gz) = b0812eec4ca53eb6ada4692330caaed00ed1e50ead43b99486b3d15139369738 XSIZE (osquery-1.4.5.tar.gz) = 412622 XSHA256 (third-party-1.4.5.tar.gz) = 06897b9ddf637c61f5c9e90f640b9f8c50c124d6276058a71f7d952439c8e58f XSIZE (third-party-1.4.5.tar.gz) = 6073986 cf235c2f30761c39bf4951e3d491c3ce echo x - osquery/Makefile sed 's/^X//' >osquery/Makefile << '666a75fa0f962ca6478b9a30b86e0916' X# Created by: Ryan Steinmetz X# $FreeBSD$ X XPORTNAME= osquery XPORTVERSION= 1.4.5 XCATEGORIES= sysutils XMASTER_SITES= GH:ghc \ X https://codeload.github.com/${PORTNAME}/third-party/tar.gz/${PORTVERSION}?dummy=/:gh XDISTFILES= ${PORTNAME}-${PORTVERSION}.tar.gz:ghc \ X third-party-${PORTVERSION}.tar.gz:gh X XMAINTAINER= zi@FreeBSD.org XCOMMENT= SQL powered OS instrumentation, monitoring, and analytics X XLICENSE= BSD3CLAUSE X XBUILD_DEPENDS= snappy>0:${PORTSDIR}/archivers/snappy \ X rocksdb>0:${PORTSDIR}/databases/rocksdb \ X thrift>0:${PORTSDIR}/devel/thrift \ X thrift-cpp>0:${PORTSDIR}/devel/thrift-cpp \ X bash>0:${PORTSDIR}/shells/bash \ X yara>0:${PORTSDIR}/security/yara \ X doxygen:${PORTSDIR}/devel/doxygen \ X ${PYTHON_PKGNAMEPREFIX}MarkupSafe>0:${PORTSDIR}/textproc/py-MarkupSafe \ X ${PYTHON_PKGNAMEPREFIX}psutil>0:${PORTSDIR}/sysutils/py-psutil \ X ${PYTHON_PKGNAMEPREFIX}argparse>0:${PORTSDIR}/devel/py-argparse \ X ${PYTHON_PKGNAMEPREFIX}pexpect>0:${PORTSDIR}/misc/py-pexpect \ X ${PYTHON_PKGNAMEPREFIX}Jinja2>0:${PORTSDIR}/devel/py-Jinja2 \ X ${PYTHON_PKGNAMEPREFIX}thrift>0:${PORTSDIR}/devel/py-thrift \ X ${PYTHON_PKGNAMEPREFIX}pip>0:${PORTSDIR}/devel/py-pip XLIB_DEPENDS= libboost_regex.so:${PORTSDIR}/devel/boost-libs \ X libgflags.so:${PORTSDIR}/devel/gflags \ X libicuuc.so:${PORTSDIR}/devel/icu X XUSES= cmake:outsource gmake libtool python:build compiler:c++11-lib XCMAKE_ENV+= OSQUERY_BUILD_VERSION="${PORTVERSION}" HOME="${WRKDIR}" SKIP_TESTS="yes" XCMAKE_ARGS+= -DFREEBSD=awesome -DCMAKE_SYSTEM_NAME="FreeBSD" XBLDDIR= ${WRKDIR}/.build/${PORTNAME} XUSE_RC_SUBR= ${PORTNAME}d XUSE_GITHUB= yes XGH_ACCOUNT= facebook XGH_TAGNAME= ${PORTVERSION} XMAKE_JOBS_UNSAFE= yes X X.include X X.if ${OSVERSION} <= 1000000 XCFLAGS+= -D_GLIBCXX_USE_C99 X.endif X Xpost-extract: X ${RMDIR} ${WRKSRC}/third-party X ${LN} -sf ${WRKDIR}/third-party-${PORTVERSION} ${WRKSRC}/third-party X Xpost-patch: X ${REINPLACE_CMD} -e 's|/var/osquery/|/var/db/osquery/|g' \ X ${WRKSRC}/tools/deployment/osquery.example.conf X ${REINPLACE_CMD} -e 's|python |${PYTHON_CMD} |g' \ X ${WRKSRC}/CMake/CMakeLibs.cmake \ X ${WRKSRC}/CMakeLists.txt X Xdo-install: X ${INSTALL_PROGRAM} ${BLDDIR}/osqueryi ${STAGEDIR}${PREFIX}/bin X ${INSTALL_PROGRAM} ${BLDDIR}/osqueryd ${STAGEDIR}${PREFIX}/sbin X ${INSTALL_DATA} ${BLDDIR}/libosquery.a ${STAGEDIR}${PREFIX}/lib X (cd ${WRKSRC}/include && ${COPYTREE_SHARE} ${PORTNAME} ${STAGEDIR}${PREFIX}/include) X ${INSTALL_DATA} ${WRKSRC}/tools/deployment/osquery.example.conf \ X ${STAGEDIR}${PREFIX}/etc/osqueryd.conf.sample X X.include 666a75fa0f962ca6478b9a30b86e0916 echo x - osquery/pkg-message sed 's/^X//' >osquery/pkg-message << '55633a3afa675d2976df69710538594e' XThis is the initial release of the FreeBSD port for osquery. X XWe do not currently have 100% feature parity while running under XFreeBSD, however, are actively working to get there. X Xosqueryd does not yet have the required functionality to run, Xhowever, osqueryi (the interactive CLI version) can perform Xbasic tasks. X XPlease submit patches as pull requests here: Xhttps://github.com/facebook/osquery 55633a3afa675d2976df69710538594e echo x - osquery/pkg-descr sed 's/^X//' >osquery/pkg-descr << '844321c56fc1989e6157d2a1aa31e993' Xosquery exposes an operating system as a high-performance relational database. XThis allows you to write SQL-based queries to explore operating system data. XWith osquery, SQL tables represent abstract concepts such as running Xprocesses, loaded kernel modules, open network connections, browser plugins, Xhardware events or file hashes. X XWWW: https://osquery.io/ 844321c56fc1989e6157d2a1aa31e993 echo x - osquery/pkg-plist sed 's/^X//' >osquery/pkg-plist << 'd277d2a6be6bb1c00593c75964e17f73' Xbin/osqueryi Xinclude/osquery/config.h Xinclude/osquery/core.h Xinclude/osquery/database.h Xinclude/osquery/database/db_handle.h Xinclude/osquery/database/query.h Xinclude/osquery/database/results.h Xinclude/osquery/enrollment.h Xinclude/osquery/events.h Xinclude/osquery/extensions.h Xinclude/osquery/filesystem.h Xinclude/osquery/flags.h Xinclude/osquery/hash.h Xinclude/osquery/logger.h Xinclude/osquery/registry.h Xinclude/osquery/sdk.h Xinclude/osquery/sql.h Xinclude/osquery/status.h Xinclude/osquery/tables.h Xlib/libosquery.a Xsbin/osqueryd X@sample etc/osqueryd.conf.sample d277d2a6be6bb1c00593c75964e17f73 echo c - osquery/files mkdir -p osquery/files > /dev/null 2>&1 echo x - osquery/files/patch-third-party_glog_src_stl__logging__unittest.cc sed 's/^X//' >osquery/files/patch-third-party_glog_src_stl__logging__unittest.cc << 'c2a5c3e56b1580610245d018502a0a2f' X--- third-party/glog/src/stl_logging_unittest.cc.orig 2015-04-16 17:06:51 UTC X+++ third-party/glog/src/stl_logging_unittest.cc X@@ -41,6 +41,7 @@ X // C++0x isn't enabled by default in GCC and libc++ does not have X // non-standard ext/* and tr1/unordered_*. X # if defined(_LIBCPP_VERSION) X+# define GLOG_STL_LOGGING_FOR_FORWARD_LIST X # define GLOG_STL_LOGGING_FOR_UNORDERED X # else X # define GLOG_STL_LOGGING_FOR_EXT_HASH c2a5c3e56b1580610245d018502a0a2f echo x - osquery/files/patch-third-party_glog_src_stacktrace__unittest.cc sed 's/^X//' >osquery/files/patch-third-party_glog_src_stacktrace__unittest.cc << 'baa70f1727a4c681bc571c22256d8d06' X--- third-party/glog/src/stacktrace_unittest.cc.orig 2015-05-05 12:29:29 UTC X+++ third-party/glog/src/stacktrace_unittest.cc X@@ -125,16 +125,6 @@ void ATTRIBUTE_NOINLINE CheckStackTraceL X CHECK_GE(size, 1); X CHECK_LE(size, STACK_LEN); X X- if (1) { X-#ifdef HAVE_EXECINFO_H X- char **strings = backtrace_symbols(stack, size); X- printf("Obtained %d stack frames.\n", size); X- for (int i = 0; i < size; i++) X- printf("%s %p\n", strings[i], stack[i]); X- printf("CheckStackTrace() addr: %p\n", &CheckStackTrace); X- free(strings); X-#endif X- } X for (int i = 0; i < BACKTRACE_STEPS; i++) { X printf("Backtrace %d: expected: %p..%p actual: %p ... ", X i, expected_range[i].start, expected_range[i].end, stack[i]); baa70f1727a4c681bc571c22256d8d06 echo x - osquery/files/patch-third-party_glog_src_logging__unittest.cc sed 's/^X//' >osquery/files/patch-third-party_glog_src_logging__unittest.cc << 'b45df0fcb370d86713257876a6aef431' X--- third-party/glog/src/logging_unittest.cc.orig 2015-04-16 17:06:51 UTC X+++ third-party/glog/src/logging_unittest.cc X@@ -78,6 +78,7 @@ using GOOGLE_NAMESPACE::glog_testing::Sc X #endif X X using namespace std; X+using namespace gflags; X using namespace GOOGLE_NAMESPACE; X X // Some non-advertised functions that we want to test or use. X@@ -239,9 +240,9 @@ int main(int argc, char **argv) { X } X X void TestLogging(bool check_counts) { X- int64 base_num_infos = LogMessage::num_messages(GLOG_INFO); X- int64 base_num_warning = LogMessage::num_messages(GLOG_WARNING); X- int64 base_num_errors = LogMessage::num_messages(GLOG_ERROR); X+ gflags::int64 base_num_infos = LogMessage::num_messages(GLOG_INFO); X+ gflags::int64 base_num_warning = LogMessage::num_messages(GLOG_WARNING); X+ gflags::int64 base_num_errors = LogMessage::num_messages(GLOG_ERROR); X X LOG(INFO) << string("foo ") << "bar " << 10 << ' ' << 3.4; X for ( int i = 0; i < 10; ++i ) { X@@ -564,8 +565,8 @@ void TestDCHECK() { X DCHECK_GT(2, 1); X DCHECK_LT(1, 2); X X- auto_ptr sptr(new int64); X- int64* ptr = DCHECK_NOTNULL(sptr.get()); X+ auto_ptr sptr(new gflags::int64); X+ gflags::int64* ptr = DCHECK_NOTNULL(sptr.get()); X CHECK_EQ(ptr, sptr.get()); X } X X@@ -594,14 +595,14 @@ TEST(DeathSTREQ, logging) { X } X X TEST(CheckNOTNULL, Simple) { X- int64 t; X+ gflags::int64 t; X void *ptr = static_cast(&t); X void *ref = CHECK_NOTNULL(ptr); X EXPECT_EQ(ptr, ref); X CHECK_NOTNULL(reinterpret_cast(ptr)); X CHECK_NOTNULL(reinterpret_cast(ptr)); X CHECK_NOTNULL(reinterpret_cast(ptr)); X- CHECK_NOTNULL(reinterpret_cast(ptr)); X+ CHECK_NOTNULL(reinterpret_cast(ptr)); X } X X TEST(DeathCheckNN, Simple) { X@@ -736,7 +737,7 @@ struct MyLogger : public base::Logger { X X virtual void Flush() { } X X- virtual uint32 LogSize() { return data.length(); } X+ virtual gflags::uint32 LogSize() { return data.length(); } X }; X X static void TestWrapper() { X@@ -760,23 +761,23 @@ static void TestErrno() { X CHECK_EQ(errno, ENOENT); X } X X-static void TestOneTruncate(const char *path, int64 limit, int64 keep, X- int64 dsize, int64 ksize, int64 expect) { X+static void TestOneTruncate(const char *path, gflags::int64 limit, gflags::int64 keep, X+ gflags::int64 dsize, gflags::int64 ksize, gflags::int64 expect) { X int fd; X CHECK_ERR(fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600)); X X const char *discardstr = "DISCARDME!", *keepstr = "KEEPME!"; X X // Fill the file with the requested data; first discard data, then kept data X- int64 written = 0; X+ gflags::int64 written = 0; X while (written < dsize) { X- int bytes = min(dsize - written, strlen(discardstr)); X+ int bytes = min(dsize - written, strlen(discardstr)); X CHECK_ERR(write(fd, discardstr, bytes)); X written += bytes; X } X written = 0; X while (written < ksize) { X- int bytes = min(ksize - written, strlen(keepstr)); X+ int bytes = min(ksize - written, strlen(keepstr)); X CHECK_ERR(write(fd, keepstr, bytes)); X written += bytes; X } X@@ -796,9 +797,9 @@ static void TestOneTruncate(const char * X CHECK_ERR(read(fd, buf, buf_size)); X X const char *p = buf; X- int64 checked = 0; X+ gflags::int64 checked = 0; X while (checked < expect) { X- int bytes = min(expect - checked, strlen(keepstr)); X+ int bytes = min(expect - checked, strlen(keepstr)); X CHECK(!memcmp(p, keepstr, bytes)); X checked += bytes; X } b45df0fcb370d86713257876a6aef431 echo x - osquery/files/patch-third-party_glog_src_googletest.h sed 's/^X//' >osquery/files/patch-third-party_glog_src_googletest.h << '06232f52b6ebd238d4d2842d2bd2192c' X--- third-party/glog/src/googletest.h.orig 2015-04-16 17:06:51 UTC X+++ third-party/glog/src/googletest.h X@@ -58,6 +58,7 @@ X X #include "base/commandlineflags.h" X X+using namespace gflags; X using std::map; X using std::string; X using std::vector; 06232f52b6ebd238d4d2842d2bd2192c echo x - osquery/files/patch-third-party_glog_src_glog_stl__logging.h.in sed 's/^X//' >osquery/files/patch-third-party_glog_src_glog_stl__logging.h.in << '434714c67ce45b945e43e8dc4a684eaf' X--- third-party/glog/src/glog/stl_logging.h.in.orig 2015-04-16 17:06:51 UTC X+++ third-party/glog/src/glog/stl_logging.h.in X@@ -76,6 +76,9 @@ X #ifdef GLOG_STL_LOGGING_FOR_EXT_SLIST X # include X #endif X+#ifdef GLOG_STL_LOGGING_FOR_FORWARD_LIST X+# include X+#endif X X // Forward declare these two, and define them after all the container streams X // operators so that we can recurse from pair -> container -> container -> pair X@@ -101,9 +104,13 @@ inline std::ostream& operator<<(std::ost X OUTPUT_TWO_ARG_CONTAINER(std::vector) X OUTPUT_TWO_ARG_CONTAINER(std::deque) X OUTPUT_TWO_ARG_CONTAINER(std::list) X+ X #ifdef GLOG_STL_LOGGING_FOR_EXT_SLIST X OUTPUT_TWO_ARG_CONTAINER(__gnu_cxx::slist) X #endif X+#ifdef GLOG_STL_LOGGING_FOR_FORWARD_LIST X+OUTPUT_TWO_ARG_CONTAINER(std::forward_list) X+#endif X X #undef OUTPUT_TWO_ARG_CONTAINER X 434714c67ce45b945e43e8dc4a684eaf echo x - osquery/files/patch-CMake_FindGlog.cmake sed 's/^X//' >osquery/files/patch-CMake_FindGlog.cmake << 'd3e3637c883f11b92aa37810c4ea56ea' X--- CMake/FindGlog.cmake.orig 2015-05-05 00:16:41 UTC X+++ CMake/FindGlog.cmake X@@ -6,20 +6,6 @@ endif() X set(GLOG_ROOT_DIR "${CMAKE_BINARY_DIR}/third-party/glog") X set(GLOG_SOURCE_DIR "${CMAKE_SOURCE_DIR}/third-party/glog") X X-if(NOT APPLE) X- include(CheckIncludeFiles) X- unset(LIBUNWIND_FOUND CACHE) X- check_include_files("libunwind.h;unwind.h" LIBUNWIND_FOUND) X- if(LIBUNWIND_FOUND) X- unset(libglog_FOUND CACHE) X- execute_process( X- COMMAND rm -rf "${GLOG_ROOT_DIR}" "${CMAKE_BINARY_DIR}/libglog-prefix" X- ERROR_QUIET X- ) X- message(WARNING "${Esc}[31mWarning: libunwind headers found [Issue #596], please: make deps\n${Esc}[m") X- endif() X-endif() X- X set(GLOG_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-deprecated-register -Wno-unnamed-type-template-args -Wno-deprecated -Wno-error") X X INCLUDE(ExternalProject) X@@ -31,8 +17,8 @@ ExternalProject_Add( X CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER} X CXXFLAGS=${GLOG_CXX_FLAGS} X --enable-frame-pointers --enable-shared=no --prefix=${GLOG_ROOT_DIR} X- BUILD_COMMAND make X- INSTALL_COMMAND make install X+ BUILD_COMMAND ${CMAKE_MAKE_PROGRAM} X+ INSTALL_COMMAND ${CMAKE_MAKE_PROGRAM} install X LOG_CONFIGURE ON X LOG_INSTALL ON X LOG_BUILD ON d3e3637c883f11b92aa37810c4ea56ea echo x - osquery/files/patch-CMakeLists.txt sed 's/^X//' >osquery/files/patch-CMakeLists.txt << '0a640a34d6d34ee5d9abacdff821e3b3' X--- CMakeLists.txt.orig 2015-05-05 00:16:41 UTC X+++ CMakeLists.txt X@@ -1,7 +1,18 @@ X cmake_minimum_required(VERSION 2.8.12) X X-set(CMAKE_C_COMPILER "clang") X-set(CMAKE_CXX_COMPILER "clang++") X+#if(NOT DEFINED ENV{CC}) X+# set(CMAKE_C_COMPILER "clang") X+#else() X+# set(CMAKE_C_COMPILER "$ENV{CC}") X+# message("-- Overriding C compiler from clang to $ENV{CC}") X+#endif() X+#if(NOT DEFINED ENV{CXX}) X+# set(CMAKE_CXX_COMPILER "clang++") X+#else() X+# set(CMAKE_CXX_COMPILER "$ENV{CXX}") X+# message("-- Overriding CXX compiler from clang++ to $ENV{CXX}") X+#endif() X+ X add_compile_options( X -Wall X -Wextra X@@ -22,6 +33,21 @@ add_compile_options( X ) X set(CXX_COMPILE_FLAGS "") X X+# Use osquery language to set platform/os X+execute_process( X+ COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" get_platform X+ WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}" X+ OUTPUT_VARIABLE PLATFORM X+ OUTPUT_STRIP_TRAILING_WHITESPACE X+) X+ X+list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM) X+list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO) X+string(REPLACE "." "_" PLATFORM "${PLATFORM}") X+string(TOUPPER "${PLATFORM}" PLATFORM) X+list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM_DEFINE) X+list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO_DEFINE) X+ X # Set non-C compile flags and whole-loading linker flags. X # osquery needs ALL symbols in the libraries it includes for relaxed ctors X # late-loading modules and SQLite introspection utilities. X@@ -34,34 +60,21 @@ if(APPLE) X # Special compile flags for Objective-C++ X set(OBJCXX_COMPILE_FLAGS X "-x objective-c++ -fobjc-arc -Wno-c++11-extensions -mmacosx-version-min=${APPLE_MIN_ABI}") X-elseif(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD") X- set(FREEBSD TRUE) X- set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -std=c++11 -stdlib=libc++") X- set(OS_WHOLELINK_PRE "") X- set(OS_WHOLELINK_POST "") X else() X- set(LINUX TRUE) X- # Do not use the shared linker flags for modules. X set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -std=c++11") X set(OS_WHOLELINK_PRE "-Wl,-whole-archive") X set(OS_WHOLELINK_POST "-Wl,-no-whole-archive") X+ # Set CMAKE variables depending on platform, to know which tables and what X+ # component-specific globbing is needed. X+ if(${OSQUERY_BUILD_PLATFORM} STREQUAL "freebsd") X+ set(FREEBSD TRUE) X+ set(LINUX FALSE) X+ else() X+ set(LINUX TRUE) X+ set(FREEBSD FALSE) X+ endif() X endif() X X-# Use osquery language to set platform/os X-execute_process( X- COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" get_platform X- WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}" X- OUTPUT_VARIABLE PLATFORM X- OUTPUT_STRIP_TRAILING_WHITESPACE X-) X- X-list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM) X-list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO) X-string(REPLACE "." "_" PLATFORM "${PLATFORM}") X-string(TOUPPER "${PLATFORM}" PLATFORM) X-list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM_DEFINE) X-list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO_DEFINE) X- X # RHEL6 uses a different gcc 4.9 runtime X if(${OSQUERY_BUILD_DISTRO} STREQUAL "rhel6") X set(GCC_RUNTIME "/opt/rh/devtoolset-3/root/usr/") X@@ -73,7 +86,7 @@ endif() X if(DEFINED ENV{DEBUG}) X set(DEBUG TRUE) X set(CMAKE_BUILD_TYPE "Debug") X- add_compile_options(-g -O0 -pg) X+ add_compile_options(-g -O0) X add_definitions(-DDEBUG) X message("-- Setting DEBUG build") X elseif(DEFINED ENV{SANITIZE}) X@@ -116,7 +129,7 @@ endif() X # Finished setting compiler/compiler flags. X project(OSQUERY) X X-# Make sure deps were built before compiling (else show warning) X+# Make sure deps were built before compiling (else show warning). X execute_process( X COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" check "${CMAKE_BINARY_DIR}" X WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}" X@@ -126,16 +139,23 @@ execute_process( X ) X string(ASCII 27 Esc) X if(OSQUERY_DEPS_CHECK) X- message(WARNING "${Esc}[31m${OSQUERY_DEPS_MESSAGE}${Esc}[m") X+ message("-- ${Esc}[31m${OSQUERY_DEPS_MESSAGE}${Esc}[m") X endif() X X-# Generate version from git X-execute_process( X- COMMAND git describe --tags HEAD --always X- WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}" X- OUTPUT_VARIABLE OSQUERY_BUILD_VERSION X- OUTPUT_STRIP_TRAILING_WHITESPACE X-) X+# Discover build version from an environment variable or from the git checkout. X+if(DEFINED ENV{OSQUERY_BUILD_VERSION}) X+ set(OSQUERY_BUILD_VERSION "$ENV{OSQUERY_BUILD_VERSION}") X+else() X+ # Generate version from git X+ execute_process( X+ COMMAND git describe --tags HEAD --always X+ WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}" X+ OUTPUT_VARIABLE OSQUERY_BUILD_VERSION X+ OUTPUT_STRIP_TRAILING_WHITESPACE X+ ) X+endif() X+ X+# Discover the SDK version from an environment variable or the build version. X if(DEFINED ENV{SDK_VERSION}) X set(OSQUERY_BUILD_SDK_VERSION "${ENV{SDK_VERSION}}") X else() X@@ -164,7 +184,8 @@ elseif(OSQUERY_BUILD_PLATFORM STREQUAL " X elseif(OSQUERY_BUILD_PLATFORM STREQUAL "rhel") X set(RHEL TRUE) X message("-- Building for RHEL") X-elseif(FREEBSD) X+elseif(OSQUERY_BUILD_PLATFORM STREQUAL "freebsd") X+ set(FREEBSD TRUE) X message("-- Building for FreeBSD") X endif() X X@@ -233,7 +254,7 @@ add_custom_target( X # make format X add_custom_target( X format X- python "${CMAKE_SOURCE_DIR}/tools/formatting/git-clang-format.py" X+ python2 "${CMAKE_SOURCE_DIR}/tools/formatting/git-clang-format.py" X WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}" X COMMENT "Formatting code staged code changes with clang-format" VERBATIM X ) X@@ -244,4 +265,5 @@ add_custom_target( X "${CMAKE_SOURCE_DIR}/tools/sync.sh" "${CMAKE_BINARY_DIR}" X WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}" X COMMENT "Generating sdk sync: ${CMAKE_BINARY_DIR}/sync" X+ DEPENDS osquery_extensions osquery_amalgamation X ) 0a640a34d6d34ee5d9abacdff821e3b3 echo x - osquery/files/patch-Makefile sed 's/^X//' >osquery/files/patch-Makefile << '43037df2b18393f71187ec3f91a26e39' X--- Makefile.orig 2015-05-05 00:16:41 UTC X+++ Makefile X@@ -1,8 +1,11 @@ X PLATFORM := $(shell uname -s) X VERSION := $(shell git describe --tags HEAD --always) X-MAKE = make X+SHELL := $(shell which bash) X X-SHELL := /bin/bash X+MAKE = make X+ifeq ($(PLATFORM),FreeBSD) X+ MAKE = gmake X+endif X X DISTRO := $(shell . ./tools/lib.sh; _platform) X DISTRO_VERSION := $(shell . ./tools/lib.sh; _distro $(DISTRO)) X@@ -16,11 +19,11 @@ DEFINES := CTEST_OUTPUT_ON_FAILURE=1 X .PHONY: docs build X X all: .setup X- cd build/$(BUILD_DIR) && cmake ../.. && \ X+ cd build/$(BUILD_DIR) && cmake ../../ && \ X $(DEFINES) $(MAKE) --no-print-directory $(MAKEFLAGS) X X docs: .setup X- cd build && cmake .. && \ X+ cd build && cmake ../ && \ X $(DEFINES) $(MAKE) docs --no-print-directory $(MAKEFLAGS) X X debug: .setup X@@ -74,6 +77,10 @@ test_debug_build: X deps: .setup X ./tools/provision.sh build build/$(BUILD_DIR) X X+clean: .setup X+ cd build/$(BUILD_DIR) && cmake ../../ && \ X+ $(DEFINES) $(MAKE) clean --no-print-directory $(MAKEFLAGS) X+ X distclean: X rm -rf .sources build/$(BUILD_DIR) build/debug_$(BUILD_DIR) build/docs X ifeq ($(PLATFORM),Linux) X@@ -101,6 +108,10 @@ packages: .setup X cd build/$(BUILD_DIR) && PACKAGE=True cmake ../../ && \ X $(DEFINES) $(MAKE) packages --no-print-directory $(MAKEFLAGS) X X+sync: .setup X+ cd build/$(BUILD_DIR) && PACKAGE=True cmake ../../ && \ X+ $(DEFINES) $(MAKE) sync --no-print-directory $(MAKEFLAGS) X+ X %:: X- cd build/$(BUILD_DIR) && cmake ../.. && \ X+ cd build/$(BUILD_DIR) && cmake ../../ && \ X $(DEFINES) $(MAKE) --no-print-directory $@ 43037df2b18393f71187ec3f91a26e39 echo x - osquery/files/patch-include_osquery_core.h sed 's/^X//' >osquery/files/patch-include_osquery_core.h << '3e7318d4a97cd0d722dd64d2e6da45d3' X--- include/osquery/core.h.orig 2015-05-05 00:16:41 UTC X+++ include/osquery/core.h X@@ -30,7 +30,11 @@ X // clang-format on X X #ifndef __constructor__ X-#define __constructor__ __attribute__((constructor)) X+#define __registry_constructor__ __attribute__((constructor(101))) X+#define __plugin_constructor__ __attribute__((constructor(102))) X+#else X+#define __registry_constructor__ __attribute__((__constructor__(101))) X+#define __plugin_constructor__ __attribute__((__constructor__(102))) X #endif X X /// A configuration error is catastrophic and should exit the watcher. 3e7318d4a97cd0d722dd64d2e6da45d3 echo x - osquery/files/patch-include_osquery_events.h sed 's/^X//' >osquery/files/patch-include_osquery_events.h << '96b241dd822e82cc2c65a1cc4116faad' X--- include/osquery/events.h.orig 2015-05-05 00:16:41 UTC X+++ include/osquery/events.h X@@ -197,8 +197,8 @@ class EventPublisherPlugin : public Plug X * @brief Perform handle opening, OS API callback registration. X * X * `setUp` is the event framework's EventPublisher constructor equivalent. X- * When `setUp` is called the EventPublisher is running in a dedicated thread X- * and may manage/allocate/wait for resources. X+ * This is called in the main thread before the publisher's run loop has X+ * started, immediately following registration. X */ X virtual Status setUp() { return Status(0, "Not used"); } X X@@ -206,17 +206,28 @@ class EventPublisherPlugin : public Plug X * @brief Perform handle closing, resource cleanup. X * X * osquery is about to end, the EventPublisher should close handle descriptors X- * unblock resources, and prepare to exit. X+ * unblock resources, and prepare to exit. This will be called from the main X+ * thread after the run loop thread has exited. X */ X virtual void tearDown() {} X X /** X- * @brief Implement a step of an optional run loop. X+ * @brief Implement a "step" of an optional run loop. X * X * @return A SUCCESS status will immediately call `run` again. A FAILED status X * will exit the run loop and the thread. X */ X- virtual Status run() { return Status(1, "No runloop required"); } X+ virtual Status run() { return Status(1, "No run loop required"); } X+ X+ /** X+ * @brief Allow the EventFactory to interrupt the run loop. X+ * X+ * Assume the main thread may ask the run loop to stop at anytime. X+ * Before end is called the publisher's `isEnding` is set and the EventFactory X+ * run loop manager will exit the stepping loop and fall through to a call X+ * to tearDown followed by a removal of the publisher. X+ */ X+ virtual void end() {} X X /** X * @brief A new EventSubscriber is subscriptioning events of this X@@ -260,9 +271,16 @@ class EventPublisherPlugin : public Plug X /// Return a string identifier associated with this EventPublisher. X virtual EventPublisherID type() const { return "publisher"; } X X+ /// Check if the EventFactory is ending all publisher threads. X bool isEnding() const { return ending_; } X+ X+ /// Set the ending status for this publisher. X void isEnding(bool ending) { ending_ = ending; } X+ X+ /// Check if the publisher's run loop has started. X bool hasStarted() const { return started_; } X+ X+ /// Set the run or started status for this publisher. X void hasStarted(bool started) { started_ = started; } X X protected: X@@ -284,6 +302,7 @@ class EventPublisherPlugin : public Plug X private: X /// Set ending to True to cause event type run loops to finish. X bool ending_; X+ X /// Set to indicate whether the event run loop ever started. X bool started_; X X@@ -661,11 +680,14 @@ class EventFactory : private boost::nonc X } X X /** X- * @brief Halt the EventPublisher run loop and call its `tearDown`. X+ * @brief Halt the EventPublisher run loop. X * X * Any EventSubscriber%s with Subscription%s for this EventPublisher will X * become useless. osquery callers MUST deregister events. X * EventPublisher%s assume they can hook/trampoline, which requires cleanup. X+ * This will tear down and remove the publisher if the run loop did not start. X+ * Otherwise it will call end on the publisher and assume the run loop will X+ * tear down and remove. X * X * @param event_pub The string label for the EventPublisher. X * X@@ -681,6 +703,8 @@ class EventFactory : private boost::nonc X X /// Return an instance to a registered EventSubscriber. X static EventSubscriberRef getEventSubscriber(EventSubscriberID& sub); X+ X+ /// Check if an event subscriber exists. X static bool exists(EventSubscriberID& sub); X X static std::vector publisherTypes(); X@@ -701,9 +725,12 @@ class EventFactory : private boost::nonc X } X X /** X- * @brief End all EventPublisher run loops and call their `tearDown` methods. X+ * @brief End all EventPublisher run loops and deregister. X * X- * End is NOT the same as deregistration. X+ * End is NOT the same as deregistration. End will call deregister on all X+ * publishers then either join or detach their run loop threads. X+ * See EventFactory::deregisterEventPublisher for actions taken during X+ * deregistration. X * X * @param should_end Reset the "is ending" state if False. X */ 96b241dd822e82cc2c65a1cc4116faad echo x - osquery/files/patch-include_osquery_flags.h sed 's/^X//' >osquery/files/patch-include_osquery_flags.h << 'b424284643cb25100e6f59ee29e013f9' X--- include/osquery/flags.h.orig 2015-05-05 00:16:41 UTC X+++ include/osquery/flags.h X@@ -19,7 +19,11 @@ X X #include X X+#ifdef FREEBSD X+#define GFLAGS_NAMESPACE gflags X+#elif !defined(GFLAGS_NAMESPACE) X #define GFLAGS_NAMESPACE google X+#endif X X namespace boost { X /// We define a lexical_cast template for boolean for Gflags boolean string b424284643cb25100e6f59ee29e013f9 echo x - osquery/files/patch-include_osquery_registry.h sed 's/^X//' >osquery/files/patch-include_osquery_registry.h << 'c5601d30d5676c882122363c6c957266' X--- include/osquery/registry.h.orig 2015-05-05 00:16:41 UTC X+++ include/osquery/registry.h X@@ -41,11 +41,11 @@ namespace osquery { X * @param type A typename that derives from Plugin. X * @param name A string identifier for the registry. X */ X-#define CREATE_REGISTRY(type, name) \ X- namespace registry { \ X- __constructor__ static void type##Registry() { \ X- Registry::create(name); \ X- } \ X+#define CREATE_REGISTRY(type, name) \ X+ namespace registry { \ X+ __registry_constructor__ static void type##Registry() { \ X+ Registry::create(name); \ X+ } \ X } X X /** X@@ -56,11 +56,11 @@ namespace osquery { X * @param type A typename that derives from Plugin. X * @param name A string identifier for the registry. X */ X-#define CREATE_LAZY_REGISTRY(type, name) \ X- namespace registry { \ X- __constructor__ static void type##Registry() { \ X- Registry::create(name, true); \ X- } \ X+#define CREATE_LAZY_REGISTRY(type, name) \ X+ namespace registry { \ X+ __registry_constructor__ static void type##Registry() { \ X+ Registry::create(name, true); \ X+ } \ X } X X /** X@@ -75,15 +75,15 @@ namespace osquery { X * @param registry The string name for the registry. X * @param name A string identifier for this registry item. X */ X-#define REGISTER(type, registry, name) \ X- __constructor__ static void type##RegistryItem() { \ X- Registry::add(registry, name); \ X+#define REGISTER(type, registry, name) \ X+ __plugin_constructor__ static void type##RegistryItem() { \ X+ Registry::add(registry, name); \ X } X X /// The same as REGISTER but prevents the plugin item from being broadcasted. X-#define REGISTER_INTERNAL(type, registry, name) \ X- __constructor__ static void type##RegistryItem() { \ X- Registry::add(registry, name, true); \ X+#define REGISTER_INTERNAL(type, registry, name) \ X+ __plugin_constructor__ static void type##RegistryItem() { \ X+ Registry::add(registry, name, true); \ X } X X /** c5601d30d5676c882122363c6c957266 echo x - osquery/files/patch-kernel_linux_.gitignore sed 's/^X//' >osquery/files/patch-kernel_linux_.gitignore << '69eb60f540bd8082384796b0268189ed' X--- kernel/linux/.gitignore.orig 2015-05-05 00:16:41 UTC X+++ kernel/linux/.gitignore X@@ -1,6 +0,0 @@ X-Module.symvers X-modules.order X-.tmp_versions* X-*.cmd X-*.mod.c X-*.ko 69eb60f540bd8082384796b0268189ed echo x - osquery/files/patch-kernel_linux_Makefile sed 's/^X//' >osquery/files/patch-kernel_linux_Makefile << '40abf58705c73be2e87162583f13d61a' X--- kernel/linux/Makefile.orig 2015-05-05 00:16:41 UTC X+++ kernel/linux/Makefile X@@ -1,47 +0,0 @@ X-obj-m += camb.o X-camb-objs += main.o sysfs.o hash.o X- X-# We need headers to build against a specific kernel version X-ifndef KDIR X- KDIR = /lib/modules/$(shell uname -r)/build X-# @echo "Using default kernel directory: ${KDIR}" X-endif X- X-# If user specifies a System.map, get addresses from there X-ifdef SMAP X- OPTS += -DTEXT_SEGMENT_START="0x$(shell grep '\s\+T\s\+_stext\b' ${SMAP} | cut -f1 -d' ')" X- OPTS += -DTEXT_SEGMENT_END="0x$(shell grep '\s\+T\s\+_etext\b' ${SMAP} | cut -f1 -d' ')" X- OPTS += -DSYSCALL_BASE_ADDR="0x$(shell grep '\s\+R\s\+sys_call_table\b' ${SMAP} | cut -f1 -d' ')" X- X-# Otherwise, they must be present on the build line X-else X- OPTS += -DTEXT_SEGMENT_START="${TEXT_SEGMENT_START}" X- OPTS += -DTEXT_SEGMENT_END="${TEXT_SEGMENT_END}" X- OPTS += -DSYSCALL_BASE_ADDR="${SYSCALL_BASE_ADDR}" X-endif X- X-ifdef HIDE_ME X- OPTS += -DHIDE_ME X- camb-objs += hide.o X-endif X- X-all: X- X-ifndef SMAP X- ifndef TEXT_SEGMENT_START X- @echo "Missing parameter: TEXT_SEGMENT_START" X- @exit 1 X- endif X- X- ifndef TEXT_SEGMENT_END X- @echo "Missing parameter: TEXT_SEGMENT_END" X- @exit 1 X- endif X- X- ifndef SYSCALL_BASE_ADDR X- @echo "Missing parameter: SYSCALL_BASE_ADDR" X- @exit 1 X- endif X-endif X- X- $(MAKE) -C $(KDIR) M=$(shell pwd) EXTRA_CFLAGS="${OPTS}" modules 40abf58705c73be2e87162583f13d61a echo x - osquery/files/patch-kernel_linux_hash.c sed 's/^X//' >osquery/files/patch-kernel_linux_hash.c << '3b8cabfca6483d5260d8bbcb06355345' X--- kernel/linux/hash.c.orig 2015-05-05 00:16:41 UTC X+++ kernel/linux/hash.c X@@ -1,91 +0,0 @@ X-// Copyright 2004-present Facebook. All Rights Reserved. X- X-#include X-#include X-#include X- X-/* Crypto */ X-#include X-#include X-#include X-#include X- X-#include "hash.h" X- X-unsigned char *kernel_text_hash(void) { X- return (unsigned char *) hash_data((void *) TEXT_SEGMENT_START, X- TEXT_SEGMENT_END - TEXT_SEGMENT_START); X-} X- X-/** X- * @brief Generic function for performing a SHA-1 hash of a memory range X- * X- * @param data - Beginning memory address to perform hash X- * @param len - size in bytes of the address range to hash X- * X- * @return allocated buffer containing the hash string; or NULL upon error. X- */ X-unsigned char *hash_data(const void *data, size_t len) { X- struct scatterlist sg; X- struct hash_desc desc; X- size_t out_len = SHA1_DIGEST_SIZE * 2 + 1; X- unsigned char hashtext[SHA1_DIGEST_SIZE]; X- unsigned char *hashtext_out = kmalloc(out_len, GFP_KERNEL); X- X- if (!hashtext_out) { X- printk(KERN_INFO "Could not allocate space for hash\n"); X- return NULL; X- } X- X- sg_init_one(&sg, data, len); X- desc.flags = 0; X- desc.tfm = crypto_alloc_hash("sha1", 0, CRYPTO_ALG_ASYNC); X- X- crypto_hash_init(&desc); X- crypto_hash_update(&desc, &sg, sg.length); X- crypto_hash_final(&desc, hashtext); X- X- snprintf(hashtext_out, X- out_len, X- "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" X- "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", X- hashtext[0], hashtext[1], hashtext[2], hashtext[3], X- hashtext[4], hashtext[5], hashtext[6], hashtext[7], X- hashtext[8], hashtext[9], hashtext[10], hashtext[11], X- hashtext[12], hashtext[13], hashtext[14], hashtext[15], X- hashtext[16], hashtext[17], hashtext[18], hashtext[19] X- ); X- X- if (desc.tfm) { X- crypto_free_hash(desc.tfm); X- } X- X- return hashtext_out; X-} X- X-/** X- * @brief Callback for the sysfs object read. This happens when a file is X- * read(2) (or equivalent) from within sysfs. E.g. cat /sys/foo/bar will X- * call bar's *_show callback method. X- * X- * @param obj - reference to a kernel object within the sysfs filesystem X- * @param attr - attribute of said kernel object X- * @param buf - buffer that will be allocated and filled with the hash X- * X- * @return size in bytes of the hash string; or -1 upon error. X- */ X-ssize_t text_segment_hash_show(struct kobject *obj, X- struct attribute *attr, X- char *buf) { X- ssize_t ret; X- char *hash = kernel_text_hash(); X- X- if (hash) { X- ret = scnprintf(buf, PAGE_SIZE, "%s\n", hash); X- kfree(hash); X- } else { X- ret = -1; X- } X- X- return ret; X-} 3b8cabfca6483d5260d8bbcb06355345 echo x - osquery/files/patch-kernel_linux_hash.h sed 's/^X//' >osquery/files/patch-kernel_linux_hash.h << '8676c7646fe31768d35d3014e0ed40f0' X--- kernel/linux/hash.h.orig 2015-05-05 00:16:41 UTC X+++ kernel/linux/hash.h X@@ -1,4 +0,0 @@ X-// Copyright 2004-present Facebook. All Rights Reserved. X- X-unsigned char *kernel_text_hash(void); X-unsigned char *hash_data(const void *, size_t); 8676c7646fe31768d35d3014e0ed40f0 echo x - osquery/files/patch-kernel_linux_hide.c sed 's/^X//' >osquery/files/patch-kernel_linux_hide.c << '1ec27e8ac00ab523232c25be295ed785' X--- kernel/linux/hide.c.orig 2015-05-05 00:16:41 UTC X+++ kernel/linux/hide.c X@@ -1,26 +0,0 @@ X-// Copyright 2004-present Facebook. All Rights Reserved. X- X-#include X- X-#include "hide.h" X- X-extern char *module_str; X- X-void rm_mod_from_list(void) { X- THIS_MODULE->list.next->prev = THIS_MODULE->list.prev; X- THIS_MODULE->list.prev->next = THIS_MODULE->list.next; X-} X- X-void rm_mod_from_sysfs(void) { X- kobject_del(THIS_MODULE->holders_dir->parent); X-} X- X-void rm_mod_from_ddebug_tables(void) { X- ddebug_remove_module(module_str); X-} X- X-void hide_me(void) { X- rm_mod_from_list(); X- rm_mod_from_sysfs(); X- rm_mod_from_ddebug_tables(); X-} 1ec27e8ac00ab523232c25be295ed785 echo x - osquery/files/patch-kernel_linux_hide.h sed 's/^X//' >osquery/files/patch-kernel_linux_hide.h << '733b6423bc26a590bd6efd99905fb0fd' X--- kernel/linux/hide.h.orig 2015-05-05 00:16:41 UTC X+++ kernel/linux/hide.h X@@ -1,6 +0,0 @@ X-// Copyright 2004-present Facebook. All Rights Reserved. X- X-void rm_mod_from_list(void); X-void rm_mod_from_sysfs(void); X-void rm_mod_from_ddebug_tables(void); X-void hide_me(void); 733b6423bc26a590bd6efd99905fb0fd echo x - osquery/files/patch-kernel_linux_main.c sed 's/^X//' >osquery/files/patch-kernel_linux_main.c << '850f81bebb0e993e7ea97e2c7c439990' X--- kernel/linux/main.c.orig 2015-05-05 00:16:41 UTC X+++ kernel/linux/main.c X@@ -1,96 +0,0 @@ X-// Copyright 2004-present Facebook. All Rights Reserved. X- X-#include X-#include X-#include X-#include X-#include X-#include X-#include X-#include X-#include X-#include X-#include X-#include X-#include X-#include X-#include X-#include X-#include X-#include X- X-#include "sysfs.h" X-#include "hash.h" X-#ifdef HIDE_ME X- #include "hide.h" X-#endif X- X-extern struct kobject *camb_kobj; X-char *module_str = "camb"; X- X-static unsigned long **syscall_table = (unsigned long **) SYSCALL_BASE_ADDR; X-static unsigned long *syscall_table_copy[NR_syscalls]; X- X-/* Allow writes to executable memory pages */ X-void en_mem_wr(void) { X- write_cr0(read_cr0() & (~0x10000)); X-} X- X-/* Disallow writes to executable memory pages */ X-void dis_mem_wr(void) { X- write_cr0(read_cr0() | 0x10000); X-} X- X-int syscall_addr_modified_show(struct kobject *obj, X- struct attribute *attr, X- char *buf) { X- unsigned int i = -1, mod = 0, ret; X- X- while(++i < NR_syscalls) X- if (syscall_table[i] != syscall_table_copy[i]) X- mod = 1; X- ret = scnprintf(buf, PAGE_SIZE, "%d\n", mod); X- X- return ret; X-} X- X-/* Copy the system call pointer table */ X-void grab_syscall_table(void) { X- unsigned int i; X- for (i = 0; i < NR_syscalls; i++) X- syscall_table_copy[i] = syscall_table[i]; X-} X- X-static int __init camb_init(void) { X- printk(KERN_INFO "[%s] init\n", module_str); X- X- if (expose_sysfs()) { X- printk(KERN_ERR "Cannot expose self to sysfs\n"); X- return -1; X- } X- X- /* Hide the fact that we're monitoring the system for tampering */ X-#ifdef HIDE_ME X- hide_me(); X-#endif X- X- grab_syscall_table(); X- X- return 0; X-} X- X-static void __exit camb_exit(void) { X- printk(KERN_INFO "[%s] exit\n", module_str); X- X- if (camb_kobj) { X- kobject_put(camb_kobj); X- } X- X-} X- X-module_init(camb_init); X-module_exit(camb_exit); X- X-MODULE_LICENSE("GPL"); X-MODULE_AUTHOR("@unixist"); X-MODULE_DESCRIPTION("Detect kernel tampering"); 850f81bebb0e993e7ea97e2c7c439990 echo x - osquery/files/patch-kernel_linux_sysfs.c sed 's/^X//' >osquery/files/patch-kernel_linux_sysfs.c << '2495bf748c12d2a28c16c3baed5a2032' X--- kernel/linux/sysfs.c.orig 2015-05-05 00:16:41 UTC X+++ kernel/linux/sysfs.c X@@ -1,49 +0,0 @@ X-// Copyright 2004-present Facebook. All Rights Reserved. X- X-#include X-#include X-#include X-#include X- X-#include "hash.h" X-#include "sysfs.h" X- X-struct kobject *camb_kobj; X- X-extern ssize_t syscall_addr_modified_show(struct kobject *obj, X- struct attribute *attr, X- char *buf); X-extern ssize_t text_segment_hash_show(struct kobject *obj, X- struct attribute *attr, X- char *buf); X- X-struct kobj_attribute attr_syscall_addr_modified = X- __ATTR(syscall_addr_modified, 0444, syscall_addr_modified_show, NULL); X- X-struct kobj_attribute attr_text_segment_hash = X- __ATTR(text_segment_hash, 0444, text_segment_hash_show, NULL); X- X-struct attribute *camb_attrs[] = { X- &attr_text_segment_hash.attr, X- &attr_syscall_addr_modified.attr, X- NULL, X-}; X- X-struct attribute_group attr_group = { X- .attrs = camb_attrs X-}; X- X-int expose_sysfs(void) { X- int err = 0; X- camb_kobj = kobject_create_and_add("camb", kernel_kobj); X- if (camb_kobj) { X- if ((err = sysfs_create_group(camb_kobj, &attr_group)) != 0) { X- kobject_put(camb_kobj); X- } X- } X- return err; X-} X- X-MODULE_LICENSE("GPL"); X-MODULE_AUTHOR("@unixist"); X-MODULE_DESCRIPTION("Detect kernel tampering"); 2495bf748c12d2a28c16c3baed5a2032 echo x - osquery/files/patch-kernel_linux_sysfs.h sed 's/^X//' >osquery/files/patch-kernel_linux_sysfs.h << '7f272528b437fd0ba97b4afaa42c2df0' X--- kernel/linux/sysfs.h.orig 2015-05-05 00:16:41 UTC X+++ kernel/linux/sysfs.h X@@ -1,3 +0,0 @@ X-// Copyright 2004-present Facebook. All Rights Reserved. X- X-int expose_sysfs(void); 7f272528b437fd0ba97b4afaa42c2df0 echo x - osquery/files/patch-osquery_CMakeLists.txt sed 's/^X//' >osquery/files/patch-osquery_CMakeLists.txt << 'e74c600e99dff7229e6701ca50151482' X--- osquery/CMakeLists.txt.orig 2015-05-05 00:16:41 UTC X+++ osquery/CMakeLists.txt X@@ -22,11 +22,14 @@ set(OSQUERY_LIBS X X readline X pthread X- dl X bz2 X z X ) X X+if(NOT FREEBSD) X+ set(OSQUERY_LIBS ${OSQUERY_LIBS} dl) X+endif() X+ X # Add default linking details (the first argument means SDK + core). X ADD_OSQUERY_LINK(TRUE "-rdynamic") X X@@ -44,7 +47,7 @@ endif() X # The remaining boost libraries are discovered with find_library. X ADD_OSQUERY_LINK(TRUE "boost_system") X ADD_OSQUERY_LINK(TRUE "boost_filesystem") X-ADD_OSQUERY_LINK(TRUE "boost_regex") X+ADD_OSQUERY_LINK(TRUE "-lboost_regex") X ADD_OSQUERY_LINK(TRUE "yara") X X if(DEFINED ENV{SANITIZE}) X@@ -133,7 +136,11 @@ if(NOT OSQUERY_BUILD_SDK_ONLY) X X # Include the public API includes if make devel. X install(TARGETS libosquery ARCHIVE DESTINATION lib COMPONENT devel OPTIONAL) X- install(DIRECTORY "${CMAKE_SOURCE_DIR}/include/" DESTINATION include COMPONENT devel OPTIONAL) X+ install(DIRECTORY "${CMAKE_SOURCE_DIR}/include" X+ DESTINATION include X+ COMPONENT devel OPTIONAL X+ PATTERN ".*" EXCLUDE X+ ) X X # make install (executables) X install(TARGETS shell RUNTIME DESTINATION bin COMPONENT main) e74c600e99dff7229e6701ca50151482 echo x - osquery/files/patch-osquery_config_config.cpp sed 's/^X//' >osquery/files/patch-osquery_config_config.cpp << '541bb916dae49a24d06e144fe3ef2786' X--- osquery/config/config.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/config/config.cpp X@@ -167,7 +167,15 @@ inline void mergeExtraKey(const std::str X if (node.second.count("") == 0 && conf.all_data.count(name) > 0) { X conf.all_data.get_child(name).erase(subitem.first); X } X- conf.all_data.add_child(name + "." + subitem.first, subitem.second); X+ X+ if (subitem.first.size() == 0) { X+ if (conf.all_data.count(name) == 0) { X+ conf.all_data.add_child(name, subitem.second); X+ } X+ conf.all_data.get_child(name).push_back(subitem); X+ } else { X+ conf.all_data.add_child(name + "." + subitem.first, subitem.second); X+ } X } X } X 541bb916dae49a24d06e144fe3ef2786 echo x - osquery/files/osqueryd.in sed 's/^X//' >osquery/files/osqueryd.in << '5e11992c8c196a353b492c079754432d' X#!/bin/sh X# X# $FreeBSD$ X# X# PROVIDE: osqueryd X# REQUIRE: %%REQUIRE%% X# KEYWORD: shutdown X# X# Add the following lines to /etc/rc.conf to enable osqueryd: X# X# osqueryd_enable="YES" X# X X. /etc/rc.subr X Xname=osqueryd Xrcvar=osqueryd_enable Xload_rc_config $name X Xcommand=%%PREFIX%%/sbin/osqueryd X Xrequired_files="%%PREFIX%%/etc/osqueryd.conf" Xosqueryd_enable=${osqueryd_enable-"NO"} Xosqueryd_flags=${osqueryd_flags-""} Xosqueryd_config=${osqueryd_config-"%%PREFIX%%/etc/osqueryd.conf"} Xcommand_args="--pidfile /var/run/osqueryd.pid --disable_watchdog --daemonize=true --config_path=${osqueryd_config}" Xextra_commands="configtest" Xconfigtest_cmd="configtest" Xpidfile="/var/run/osqueryd.pid" X Xstart_precmd=prestart X Xconfigtest() { X ${command} ${osqueryd_flags} --config_check --config_path=${osqueryd_config} --verbose X} X Xprestart() { X install -d /var/db/osquery X} X Xrun_rc_command "$1" 5e11992c8c196a353b492c079754432d echo x - osquery/files/patch-osquery_config_plugins_http.cpp sed 's/^X//' >osquery/files/patch-osquery_config_plugins_http.cpp << 'f871891bd2f1f4c4bbeeaa04c843889d' X--- osquery/config/plugins/http.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/config/plugins/http.cpp X@@ -14,10 +14,10 @@ X #include X X #include X+#include X #include X-#include X-#include X #include X+ X #include "osquery/remote/requests.h" X #include "osquery/remote/transports/http.h" X #include "osquery/remote/serializers/json.h" X@@ -30,7 +30,7 @@ DECLARE_string(enrollment_app_id); X X FLAG(string, X config_enrollment_uri, X- "Not Specified", X+ "", X "The endpoint for server side client enrollment"); X X class HTTPConfigPlugin : public ConfigPlugin { X@@ -40,49 +40,45 @@ class HTTPConfigPlugin : public ConfigPl X X REGISTER(HTTPConfigPlugin, "config", "http"); X X-Status runEnrollment(const bool force = false) { X- PluginResponse resp; X- PluginRequest req; X- if (force) { X- req = {{"enroll", "1"}}; X- } else { X- req = {{"enroll", "0"}}; X+Status runEnrollment(bool force = false) { X+ PluginResponse response; X+ PluginRequest request = {{"enroll", (force) ? "1" : "0"}}; X+ auto status = Registry::call("enrollment", "get_key", request, response); X+ if (!status.ok()) { X+ return status; X } X- Status stat = Registry::call("enrollment", "get_key", req, resp); X X- if (!stat.ok()) { X- return stat; X- } X- if (resp.size() > 0 && resp[0]["key"].length() == 0) { X+ if (response.size() > 0 && response[0]["key"].size() == 0) { X return Status(1, "Enrollment Error: No Key"); X } X return Status(0, "OK"); X } X X-Status getConfig(boost::property_tree::ptree& recv) { X- // Make request to endpoint with secrets X+Status getConfig(boost::property_tree::ptree& output) { X+ // Make request to endpoint with secrets. X auto r = Request(FLAGS_config_enrollment_uri); X boost::property_tree::ptree params; X X- PluginResponse resp; X- Status stat = X- Registry::call("enrollment", "get_key", {{"enroll", "0"}}, resp); X- params.put("enrollment_key", resp[0]["key"]); X+ PluginResponse response; X+ Registry::call("enrollment", "get_key", {{"enroll", "0"}}, response); X+ params.put("enrollment_key", response[0]["key"]); X params.put("app_id", FLAGS_enrollment_app_id); X- stat = r.call(params); X X- if (!stat.ok()) { X- return stat; X+ auto status = r.call(params); X+ if (!status.ok()) { X+ return status; X } X- // The call was ok, so store the enrolled key X- stat = r.getResponse(recv); X- if (!stat.ok()) { X- return stat; X+ X+ // The call succeeded, store the enrolled key. X+ status = r.getResponse(output); X+ if (!status.ok()) { X+ return status; X } X+ X // Receive config or key rejection X- if (recv.count("enrollment_invalid") > 0 && X- recv.get("enrollment_invalid", "") == "1") { X- return stat; X+ if (output.count("enrollment_invalid") > 0 && X+ output.get("enrollment_invalid", "") == "1") { X+ return status; X } X return Status(0, "OK"); X } X@@ -97,6 +93,7 @@ Status HTTPConfigPlugin::genConfig(std:: X break; X } X } X+ X std::stringstream ss; X write_json(ss, recv); X config[FLAGS_enrollment_app_id] = ss.str(); f871891bd2f1f4c4bbeeaa04c843889d echo x - osquery/files/patch-osquery_config_plugins_tests_http__config__tests.cpp sed 's/^X//' >osquery/files/patch-osquery_config_plugins_tests_http__config__tests.cpp << 'e799e8578b41205950dc18500cab3300' X--- osquery/config/plugins/tests/http_config_tests.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/config/plugins/tests/http_config_tests.cpp X@@ -1,120 +0,0 @@ X-/* X- * Copyright (c) 2014, Facebook, Inc. X- * All rights reserved. X- * X- * This source code is licensed under the BSD-style license found in the X- * LICENSE file in the root directory of this source tree. An additional grant X- * of patent rights can be found in the PATENTS file in the same directory. X- * X- */ X- X-#include X-#include X-#include X-#include X- X-#include X-#include X- X-#include X- X-#include X-#include X- X-#include "osquery/remote/requests.h" X-#include "osquery/remote/transports/http.h" X-#include "osquery/remote/serializers/json.h" X- X-namespace http = boost::network::http; X- X-namespace osquery { X- X-DECLARE_string(enrollment_uri); X-DECLARE_string(config_enrollment_uri); X-DECLARE_string(enrollment_app_id); X- X-struct EnrollHTTPHandler; X-struct ConfigHTTPHandler; X-typedef http::server EnrollServer; X-typedef http::server ConfigServer; X- X-struct EnrollHTTPHandler { X- void operator()(EnrollServer::request const &request, X- EnrollServer::response &response) { X- response = EnrollServer::response::stock_reply( X- EnrollServer::response::ok, X- std::string("{\"enrollment_key\":\"potatoes\"}")); X- } X- void log(...) {} X-}; X- X-struct ConfigHTTPHandler { X- void operator()(ConfigServer::request const &request, X- ConfigServer::response &response) { X- response = ConfigServer::response::stock_reply( X- ConfigServer::response::ok, X- std::string( X- "{ \"schedule\": {\"config_server_launchd\": {\"query\": \"select " X- "* from launchd;\", \"interval\": 3600 }}}")); X- } X- void log(...) {} X-}; X- X-class HttpConfigTests : public testing::Test { X- public: X- HttpConfigTests() { X- // Create an enrollment endpoint and configuration retrieval endpoint. X- auto enroll_port = rand() % 10000 + 10000; X- auto config_port = enroll_port + 1; X- // Set the URIs. X- FLAGS_enrollment_uri = "http://localhost:" + std::to_string(enroll_port); X- FLAGS_config_enrollment_uri = X- "http://localhost:" + std::to_string(config_port); X- FLAGS_enrollment_app_id = "just_a_test_id"; X- X- // Create two servers + handlers with default options. X- EnrollHTTPHandler enrollment; X- ConfigHTTPHandler config; X- EnrollServer::options opt_enroll(enrollment); X- ConfigServer::options opt_config(config); X- enrollment_server_ = std::make_shared( X- opt_enroll.address("127.0.0.1").port(std::to_string(enroll_port))); X- config_server_ = std::make_shared( X- opt_config.address("127.0.0.1").port(std::to_string(config_port))); X- X- // Start each server in a separate service thread. X- config_thread_ = std::make_shared( X- boost::bind(&ConfigServer::run, &*config_server_)); X- enroll_thread_ = std::make_shared( X- boost::bind(&EnrollServer::run, &*enrollment_server_)); X- } X- X- ~HttpConfigTests() { X- enrollment_server_->stop(); X- config_server_->stop(); X- enroll_thread_->join(); X- config_thread_->join(); X- } X- X- protected: X- std::shared_ptr enrollment_server_; X- std::shared_ptr config_server_; X- std::shared_ptr enroll_thread_; X- std::shared_ptr config_thread_; X-}; X- X-TEST_F(HttpConfigTests, test_enroll_config) { X- // Change the active config plugin. X- EXPECT_TRUE(Registry::setActive("config", "http").ok()); X- X- // Request the config server to generate a config data. X- PluginResponse response; X- auto stat = Registry::call("config", {{"action", "genConfig"}}, response); X- EXPECT_TRUE(stat.ok()); X- X- // Update the config instance with the content from the server. X- Config::update(response[0]); X- ConfigDataInstance config; X- EXPECT_EQ(config.schedule().count("config_server_launchd"), 1); X-} X-} e799e8578b41205950dc18500cab3300 echo x - osquery/files/patch-osquery_core_watcher.cpp sed 's/^X//' >osquery/files/patch-osquery_core_watcher.cpp << 'ab7e7770da9400f76af5d7bddf699c83' X--- osquery/core/watcher.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/core/watcher.cpp X@@ -171,7 +171,7 @@ bool WatcherRunner::ok() { X return (Watcher::getWorker() >= 0 || Watcher::hasManagedExtensions()); X } X X-void WatcherRunner::enter() { X+void WatcherRunner::start() { X // Set worker performance counters to an initial state. X Watcher::resetWorkerCounters(0); X signal(SIGCHLD, childHandler); X@@ -327,6 +327,15 @@ void WatcherRunner::createWorker() { X setenv("OSQUERY_EXTENSIONS", "true", 1); X } X X+ // Get the complete path of the osquery process binary. X+ auto exec_path = fs::system_complete(fs::path(qd[0]["path"])); X+ if (!safePermissions( X+ exec_path.parent_path().string(), exec_path.string(), true)) { X+ // osqueryd binary has become unsafe. X+ LOG(ERROR) << "osqueryd has unsafe permissions: " << exec_path.string(); X+ ::exit(EXIT_FAILURE); X+ } X+ X auto worker_pid = fork(); X if (worker_pid < 0) { X // Unrecoverable error, cannot create a worker process. X@@ -335,8 +344,6 @@ void WatcherRunner::createWorker() { X } else if (worker_pid == 0) { X // This is the new worker process, no watching needed. X setenv("OSQUERY_WORKER", std::to_string(getpid()).c_str(), 1); X- // Get the complete path of the osquery process binary. X- auto exec_path = fs::system_complete(fs::path(qd[0]["path"])); X execve(exec_path.string().c_str(), argv_, environ); X // Code should never reach this point. X LOG(ERROR) << "osqueryd could not start worker process"; X@@ -401,13 +408,13 @@ bool WatcherRunner::createExtension(cons X return true; X } X X-void WatcherWatcherRunner::enter() { X+void WatcherWatcherRunner::start() { X while (true) { X if (getppid() != watcher_) { X // Watcher died, the worker must follow. X VLOG(1) << "osqueryd worker (" << getpid() X << ") detected killed watcher (" << watcher_ << ")"; X- Dispatcher::removeServices(); X+ Dispatcher::stopServices(); X Dispatcher::joinServices(); X ::exit(EXIT_SUCCESS); X } ab7e7770da9400f76af5d7bddf699c83 echo x - osquery/files/patch-osquery_core_watcher.h sed 's/^X//' >osquery/files/patch-osquery_core_watcher.h << 'bd8b03c24fb94f744597bb12c4dbf254' X--- osquery/core/watcher.h.orig 2015-05-05 00:16:41 UTC X+++ osquery/core/watcher.h X@@ -210,7 +210,7 @@ class WatcherRunner : public InternalRun X X private: X /// Dispatcher (this service thread's) entry point. X- void enter(); X+ void start(); X /// Boilerplate function to sleep for some configured latency X bool ok(); X /// Begin the worker-watcher process. X@@ -239,7 +239,7 @@ class WatcherRunner : public InternalRun X class WatcherWatcherRunner : public InternalRunnable { X public: X explicit WatcherWatcherRunner(pid_t watcher) : watcher_(watcher) {} X- void enter(); X+ void start(); X X private: X pid_t watcher_; bd8b03c24fb94f744597bb12c4dbf254 echo x - osquery/files/patch-osquery_database_db__handle.cpp sed 's/^X//' >osquery/files/patch-osquery_database_db__handle.cpp << '545328320ea5ab4edd64194132c0f32d' X--- osquery/database/db_handle.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/database/db_handle.cpp X@@ -50,6 +50,10 @@ FLAG_ALIAS(bool, use_in_memory_database, X DBHandle::DBHandle(const std::string& path, bool in_memory) { X options_.create_if_missing = true; X options_.create_missing_column_families = true; X+ options_.info_log_level = rocksdb::WARN_LEVEL; X+ options_.log_file_time_to_roll = 0; X+ options_.keep_log_file_num = 10; X+ options_.max_log_file_size = 1024 * 1024 * 1; X X if (in_memory) { X // Remove when MemEnv is included in librocksdb 545328320ea5ab4edd64194132c0f32d echo x - osquery/files/patch-osquery_dispatcher_dispatcher.cpp sed 's/^X//' >osquery/files/patch-osquery_dispatcher_dispatcher.cpp << '7296b9e387a080e2fe9c61a04ce2db41' X--- osquery/dispatcher/dispatcher.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/dispatcher/dispatcher.cpp X@@ -30,13 +30,19 @@ void interruptableSleep(size_t milli) { X Dispatcher::Dispatcher() { X thread_manager_ = InternalThreadManager::newSimpleThreadManager( X (size_t)FLAGS_worker_threads, 0); X- auto threadFactory = ThriftThreadFactory(new PosixThreadFactory()); X- thread_manager_->threadFactory(threadFactory); X+ auto thread_factory = ThriftThreadFactory(new PosixThreadFactory()); X+ thread_manager_->threadFactory(thread_factory); X thread_manager_->start(); X } X X+Dispatcher::~Dispatcher() { join(); } X+ X Status Dispatcher::add(ThriftInternalRunnableRef task) { X+ auto& self = instance(); X try { X+ if (self.state() != InternalThreadManager::STARTED) { X+ self.thread_manager_->start(); X+ } X instance().thread_manager_->add(task, 0, 0); X } catch (std::exception& e) { X return Status(1, e.what()); X@@ -61,7 +67,12 @@ InternalThreadManagerRef Dispatcher::get X return instance().thread_manager_; X } X X-void Dispatcher::join() { instance().thread_manager_->join(); } X+void Dispatcher::join() { X+ if (instance().thread_manager_ != nullptr) { X+ instance().thread_manager_->stop(); X+ instance().thread_manager_->join(); X+ } X+} X X void Dispatcher::joinServices() { X for (auto& thread : instance().service_threads_) { X@@ -69,11 +80,11 @@ void Dispatcher::joinServices() { X } X } X X-void Dispatcher::removeServices() { X+void Dispatcher::stopServices() { X auto& self = instance(); X for (const auto& service : self.services_) { X while (true) { X- // Wait for each thread's entry point (enter) meaning the thread context X+ // Wait for each thread's entry point (start) meaning the thread context X // was allocated and (run) was called by boost::thread started. X if (service->hasRun()) { X break; X@@ -82,15 +93,12 @@ void Dispatcher::removeServices() { X // the boost::thread is created. X ::usleep(200); X } X+ service->stop(); X } X X for (auto& thread : self.service_threads_) { X thread->interrupt(); X } X- X- // Deallocate services. X- self.service_threads_.clear(); X- self.services_.clear(); X } X X InternalThreadManager::STATE Dispatcher::state() const { 7296b9e387a080e2fe9c61a04ce2db41 echo x - osquery/files/patch-osquery_dispatcher_dispatcher.h sed 's/^X//' >osquery/files/patch-osquery_dispatcher_dispatcher.h << '41a854968b0eaff3938d206673cfc3a1' X--- osquery/dispatcher/dispatcher.h.orig 2015-05-05 00:16:41 UTC X+++ osquery/dispatcher/dispatcher.h X@@ -31,8 +31,12 @@ X X namespace osquery { X X+using namespace apache::thrift::concurrency; X+ X+/// Create easier to reference typedefs for Thrift layer implementations. X+#define SHARED_PTR_IMPL OSQUERY_THRIFT_POINTER::shared_ptr X typedef apache::thrift::concurrency::ThreadManager InternalThreadManager; X-typedef OSQUERY_THRIFT_POINTER::shared_ptr InternalThreadManagerRef; X+typedef SHARED_PTR_IMPL InternalThreadManagerRef; X X /** X * @brief Default number of threads in the thread pool. X@@ -42,7 +46,7 @@ typedef OSQUERY_THRIFT_POINTER::shared_p X */ X extern const int kDefaultThreadPoolSize; X X-class InternalRunnable : public apache::thrift::concurrency::Runnable { X+class InternalRunnable : public Runnable { X public: X virtual ~InternalRunnable() {} X InternalRunnable() : run_(false) {} X@@ -51,16 +55,20 @@ class InternalRunnable : public apache:: X /// The boost::thread entrypoint. X void run() { X run_ = true; X- enter(); X+ start(); X } X X /// Check if the thread's entrypoint (run) executed, meaning thread context X /// was allocated. X bool hasRun() { return run_; } X X+ /// The runnable may also tear down services before the thread context X+ /// is removed. X+ virtual void stop() {} X+ X protected: X /// Require the runnable thread define an entrypoint. X- virtual void enter() = 0; X+ virtual void start() = 0; X X private: X bool run_; X@@ -70,9 +78,8 @@ class InternalRunnable : public apache:: X typedef std::shared_ptr InternalRunnableRef; X typedef std::shared_ptr InternalThreadRef; X /// A thrift internal runnable with variable pointer wrapping. X-typedef OSQUERY_THRIFT_POINTER::shared_ptr ThriftInternalRunnableRef; X-typedef OSQUERY_THRIFT_POINTER::shared_ptr< X- apache::thrift::concurrency::PosixThreadFactory> ThriftThreadFactory; X+typedef SHARED_PTR_IMPL ThriftInternalRunnableRef; X+typedef SHARED_PTR_IMPL ThriftThreadFactory; X X /** X * @brief Singleton for queueing asynchronous tasks to be executed in parallel X@@ -160,7 +167,7 @@ class Dispatcher : private boost::noncop X static void joinServices(); X X /// Destroy and stop all osquery service threads and service objects. X- static void removeServices(); X+ static void stopServices(); X X /** X * @brief Get the current state of the thread manager. X@@ -248,7 +255,7 @@ class Dispatcher : private boost::noncop X Dispatcher(); X Dispatcher(Dispatcher const&); X void operator=(Dispatcher const&); X- virtual ~Dispatcher() {} X+ virtual ~Dispatcher(); X X private: X /** X@@ -262,10 +269,15 @@ class Dispatcher : private boost::noncop X * @see getThreadManager X */ X InternalThreadManagerRef thread_manager_; X+ X /// The set of shared osquery service threads. X std::vector service_threads_; X- /// THe set of shared osquery services. X+ X+ /// The set of shared osquery services. X std::vector services_; X+ X+ private: X+ friend class ExtensionsTest; X }; X X /// Allow a dispatched thread to wait while processing or to prevent thrashing. 41a854968b0eaff3938d206673cfc3a1 echo x - osquery/files/patch-osquery_dispatcher_scheduler.cpp sed 's/^X//' >osquery/files/patch-osquery_dispatcher_scheduler.cpp << 'c40813848b970d852aa21fb81f154d35' X--- osquery/dispatcher/scheduler.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/dispatcher/scheduler.cpp X@@ -150,7 +150,7 @@ void launchQuery(const std::string& name X } X } X X-void SchedulerRunner::enter() { X+void SchedulerRunner::start() { X time_t t = std::time(nullptr); X struct tm* local = std::localtime(&t); X unsigned long int i = local->tm_sec; c40813848b970d852aa21fb81f154d35 echo x - osquery/files/patch-osquery_dispatcher_scheduler.h sed 's/^X//' >osquery/files/patch-osquery_dispatcher_scheduler.h << 'a00db47d5b805e3123dd2e7cd028e15f' X--- osquery/dispatcher/scheduler.h.orig 2015-05-05 00:16:41 UTC X+++ osquery/dispatcher/scheduler.h X@@ -23,7 +23,7 @@ class SchedulerRunner : public InternalR X X public: X /// The Dispatcher thread entry point. X- void enter(); X+ void start(); X X protected: X /// The UNIX domain socket path for the ExtensionManager. a00db47d5b805e3123dd2e7cd028e15f echo x - osquery/files/patch-osquery_dispatcher_tests_dispatcher__tests.cpp sed 's/^X//' >osquery/files/patch-osquery_dispatcher_tests_dispatcher__tests.cpp << '96f5b0942faeb6610ffecfceb7a76ab2' X--- osquery/dispatcher/tests/dispatcher_tests.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/dispatcher/tests/dispatcher_tests.cpp X@@ -28,7 +28,7 @@ class TestRunnable : public InternalRunn X public: X int* i; X explicit TestRunnable(int* i) : i(i) {} X- virtual void enter() { ++*i; } X+ virtual void start() { ++*i; } X }; X X TEST_F(DispatcherTests, test_add_work) { 96f5b0942faeb6610ffecfceb7a76ab2 echo x - osquery/files/patch-osquery_events_darwin_fsevents.cpp sed 's/^X//' >osquery/files/patch-osquery_events_darwin_fsevents.cpp << '9eda5f7a4fb932dfd5888f420d895c60' X--- osquery/events/darwin/fsevents.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/events/darwin/fsevents.cpp X@@ -137,6 +137,8 @@ Status FSEventsEventPublisher::run() { X return Status(0, "OK"); X } X X+void FSEventsEventPublisher::end() { stop(); } X+ X void FSEventsEventPublisher::Callback( X ConstFSEventStreamRef stream, X void* callback_info, 9eda5f7a4fb932dfd5888f420d895c60 echo x - osquery/files/patch-osquery_events_darwin_fsevents.h sed 's/^X//' >osquery/files/patch-osquery_events_darwin_fsevents.h << '7cdbb838dfb59138e2e2681221b837e1' X--- osquery/events/darwin/fsevents.h.orig 2015-05-05 00:16:41 UTC X+++ osquery/events/darwin/fsevents.h X@@ -76,6 +76,8 @@ class FSEventsEventPublisher X X // Entrypoint to the run loop X Status run(); X+ // Callin for stopping the streams/run loop. X+ void end(); X X public: X /// FSEvents registers a client callback instead of using a select/poll loop. 7cdbb838dfb59138e2e2681221b837e1 echo x - osquery/files/patch-osquery_events_darwin_tests_fsevents__tests.cpp sed 's/^X//' >osquery/files/patch-osquery_events_darwin_tests_fsevents__tests.cpp << '3fcb4c23d60d13b8d312b3e23fdb11be' X--- osquery/events/darwin/tests/fsevents_tests.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/events/darwin/tests/fsevents_tests.cpp X@@ -25,27 +25,33 @@ X X namespace osquery { X X-const std::string kRealTestPath = kTestWorkingDirectory + "fsevents_trigger"; X int kMaxEventLatency = 3000; X X class FSEventsTests : public testing::Test { X protected: X- void TearDown() { boost::filesystem::remove_all(kRealTestPath); } X+ void SetUp() { X+ trigger_path = kTestWorkingDirectory + "fsevents" + X+ std::to_string(rand() % 10000 + 10000); X+ } X+ X+ void TearDown() { remove(trigger_path); } X X void StartEventLoop() { X event_pub_ = std::make_shared(); X EventFactory::registerEventPublisher(event_pub_); X- FILE* fd = fopen(kRealTestPath.c_str(), "w"); X+ FILE* fd = fopen(trigger_path.c_str(), "w"); X fclose(fd); X X temp_thread_ = boost::thread(EventFactory::run, "fsevents"); X+ // Wait for the publisher thread and FSEvent run loop to start. X } X X void EndEventLoop() { X while (!event_pub_->hasStarted()) { X ::usleep(20); X } X- EventFactory::end(); X+ EventFactory::end(false); X+ temp_thread_.join(); X } X X void WaitForStream(int max) { X@@ -76,7 +82,7 @@ class FSEventsTests : public testing::Te X void CreateEvents(int num = 1) { X WaitForStream(kMaxEventLatency); X for (int i = 0; i < num; ++i) { X- FILE* fd = fopen(kRealTestPath.c_str(), "w"); X+ FILE* fd = fopen(trigger_path.c_str(), "a"); X fputs("fsevents", fd); X fclose(fd); X } X@@ -84,8 +90,14 @@ class FSEventsTests : public testing::Te X X std::shared_ptr event_pub_; X boost::thread temp_thread_; X+ X+ public: X+ /// Trigger path is the current test's eventing sink (accessed anywhere). X+ static std::string trigger_path; X }; X X+std::string FSEventsTests::trigger_path = kTestWorkingDirectory + "fsevents"; X+ X TEST_F(FSEventsTests, test_register_event_pub) { X auto pub = std::make_shared(); X auto status = EventFactory::registerEventPublisher(pub); X@@ -159,7 +171,7 @@ class TestFSEventsEventSubscriber X X SCRef GetSubscription(uint32_t mask = 0) { X auto sc = createSubscriptionContext(); X- sc->path = kRealTestPath; X+ sc->path = FSEventsTests::trigger_path; X sc->mask = mask; X return sc; X } X@@ -176,10 +188,10 @@ class TestFSEventsEventSubscriber X return Status(0, "OK"); X } X X- void WaitForEvents(int max) { X+ void WaitForEvents(int max, int initial = 0) { X int delay = 0; X while (delay < max * 1000) { X- if (callback_count_ > 0) { X+ if (callback_count_ > initial) { X return; X } X ::usleep(50); X@@ -203,14 +215,17 @@ TEST_F(FSEventsTests, test_fsevents_run) X X // Create a subscriptioning context X auto mc = std::make_shared(); X- mc->path = kRealTestPath; X+ mc->path = trigger_path; X EventFactory::addSubscription( X "fsevents", Subscription::create("TestFSEventsEventSubscriber", mc)); X X // Create an event loop thread (similar to main) X- boost::thread temp_thread(EventFactory::run, "fsevents"); X+ temp_thread_ = boost::thread(EventFactory::run, "fsevents"); X EXPECT_TRUE(event_pub_->numEvents() == 0); X X+ // Wait for the thread to start and the FSEvents stream to turn on. X+ WaitForStream(kMaxEventLatency); X+ X // Cause an fsevents event(s) by writing to the watched path. X CreateEvents(); X X@@ -218,7 +233,10 @@ TEST_F(FSEventsTests, test_fsevents_run) X WaitForEvents(kMaxEventLatency); X X EXPECT_TRUE(event_pub_->numEvents() > 0); X- EventFactory::end(); X+ X+ // We are managing the thread ourselves, so no join needed. X+ EventFactory::end(false); X+ temp_thread_.join(); X } X X TEST_F(FSEventsTests, test_fsevents_fire_event) { X@@ -257,10 +275,9 @@ TEST_F(FSEventsTests, test_fsevents_even X sub->WaitForEvents(kMaxEventLatency); X X // Make sure the fsevents action was expected. X- EXPECT_TRUE(sub->actions_.size() > 0); X- if (sub->actions_.size() > 1) { X- EXPECT_EQ(sub->actions_[0], "UPDATED"); X- } X+ ASSERT_TRUE(sub->actions_.size() > 0); X+ EXPECT_EQ(sub->actions_[0], "CREATED"); X+ X EndEventLoop(); X } X } 3fcb4c23d60d13b8d312b3e23fdb11be echo x - osquery/files/patch-osquery_events_events.cpp sed 's/^X//' >osquery/files/patch-osquery_events_events.cpp << 'efcd8b0759089a18484ea675d2bc4395' X--- osquery/events/events.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/events/events.cpp X@@ -407,6 +407,8 @@ void EventFactory::delay() { X } X X Status EventFactory::run(EventPublisherID& type_id) { X+ auto& ef = EventFactory::getInstance(); X+ X // An interesting take on an event dispatched entrypoint. X // There is little introspection into the event type. X // Assume it can either make use of an entrypoint poller/selector or X@@ -414,12 +416,17 @@ Status EventFactory::run(EventPublisherI X // only once and handle event queueing/firing in callbacks. X EventPublisherRef publisher; X try { X- publisher = EventFactory::getInstance().getEventPublisher(type_id); X+ publisher = ef.getEventPublisher(type_id); X } catch (std::out_of_range& e) { X return Status(1, "No event type found"); X } X X- VLOG(1) << "Starting event publisher runloop: " + type_id; X+ if (publisher == nullptr) { X+ return Status(1, "Event publisher is missing"); X+ } else if (publisher->hasStarted()) { X+ return Status(1, "Cannot restart an event publisher"); X+ } X+ VLOG(1) << "Starting event publisher run loop: " + type_id; X publisher->hasStarted(true); X X auto status = Status(0, "OK"); X@@ -428,11 +435,12 @@ Status EventFactory::run(EventPublisherI X status = publisher->run(); X osquery::publisherSleep(EVENTS_COOLOFF); X } X- X // The runloop status is not reflective of the event type's. X- publisher->tearDown(); X VLOG(1) << "Event publisher " << publisher->type() X- << " runloop terminated for reason: " << status.getMessage(); X+ << " run loop terminated for reason: " << status.getMessage(); X+ // Publishers auto tear down when their run loop stops. X+ publisher->tearDown(); X+ ef.event_pubs_.erase(type_id); X return Status(0, "OK"); X } X X@@ -573,9 +581,12 @@ Status EventFactory::deregisterEventPubl X // If a publisher's run loop was not started, call tearDown since X // the setUp happened at publisher registration time. X publisher->tearDown(); X+ // If the run loop did run the tear down and erase will happen in the event X+ // thread wrapper when isEnding is next checked. X+ ef.event_pubs_.erase(type_id); X+ } else { X+ publisher->end(); X } X- X- ef.event_pubs_.erase(type_id); X return Status(0, "OK"); X } X X@@ -612,6 +623,7 @@ void EventFactory::end(bool join) { X } X } X X+ // A small cool off helps OS API event publisher flushing. X ::usleep(400); X ef.threads_.clear(); X } efcd8b0759089a18484ea675d2bc4395 echo x - osquery/files/patch-osquery_extensions_extensions.cpp sed 's/^X//' >osquery/files/patch-osquery_extensions_extensions.cpp << 'b28b4b20ecf828d652dfb0e4fdf40d66' X--- osquery/extensions/extensions.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/extensions/extensions.cpp X@@ -76,7 +76,7 @@ EXTENSION_FLAG_ALIAS(socket, extensions_ X EXTENSION_FLAG_ALIAS(timeout, extensions_timeout); X EXTENSION_FLAG_ALIAS(interval, extensions_interval); X X-void ExtensionWatcher::enter() { X+void ExtensionWatcher::start() { X // Watch the manager, if the socket is removed then the extension will die. X while (true) { X watch(); b28b4b20ecf828d652dfb0e4fdf40d66 echo x - osquery/files/patch-osquery_extensions_interface.cpp sed 's/^X//' >osquery/files/patch-osquery_extensions_interface.cpp << '4ffde5948f00141e8acabdb2f3c94bf5' X--- osquery/extensions/interface.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/extensions/interface.cpp X@@ -173,89 +173,56 @@ bool ExtensionManagerHandler::exists(con X } X } X X-ExtensionRunner::~ExtensionRunner() { remove(path_); } X+ExtensionRunnerCore::~ExtensionRunnerCore() { remove(path_); } X X-void ExtensionRunner::enter() { X- // Set the socket information for the extension manager. X- auto socket_path = path_; X+void ExtensionRunnerCore::stop() { X+ if (server_ != nullptr) { X+ server_->stop(); X+ } X+} X X- // Create the thrift instances. X- OSQUERY_THRIFT_POINTER::shared_ptr handler( X- new ExtensionHandler(uuid_)); X- OSQUERY_THRIFT_POINTER::shared_ptr processor( X- new ExtensionProcessor(handler)); X- OSQUERY_THRIFT_POINTER::shared_ptr serverTransport( X- new TServerSocket(socket_path)); X- OSQUERY_THRIFT_POINTER::shared_ptr transportFactory( X- new TBufferedTransportFactory()); X- OSQUERY_THRIFT_POINTER::shared_ptr protocolFactory( X- new TBinaryProtocolFactory()); X+void ExtensionRunnerCore::startServer(TProcessorRef processor) { X+ auto transport = TServerTransportRef(new TServerSocket(path_)); X+ auto transport_fac = TTransportFactoryRef(new TBufferedTransportFactory()); X+ auto protocol_fac = TProtocolFactoryRef(new TBinaryProtocolFactory()); X X- OSQUERY_THRIFT_POINTER::shared_ptr threadManager = X- ThreadManager::newSimpleThreadManager(FLAGS_worker_threads); X- OSQUERY_THRIFT_POINTER::shared_ptr threadFactory = X- OSQUERY_THRIFT_POINTER::shared_ptr( X- new PosixThreadFactory()); X- threadManager->threadFactory(threadFactory); X- threadManager->start(); X+ auto thread_manager_ = X+ ThreadManager::newSimpleThreadManager((size_t)FLAGS_worker_threads, 0); X+ auto thread_fac = ThriftThreadFactory(new PosixThreadFactory()); X+ thread_manager_->threadFactory(thread_fac); X+ thread_manager_->start(); X X // Start the Thrift server's run loop. X+ server_ = TThreadPoolServerRef(new TThreadPoolServer( X+ processor, transport, transport_fac, protocol_fac, thread_manager_)); X+ server_->serve(); X+} X+ X+void ExtensionRunner::start() { X+ // Create the thrift instances. X+ auto handler = ExtensionHandlerRef(new ExtensionHandler(uuid_)); X+ auto processor = TProcessorRef(new ExtensionProcessor(handler)); X+ X+ VLOG(1) << "Extension service starting: " << path_; X try { X- VLOG(1) << "Extension service starting: " << socket_path; X- TThreadPoolServer server(processor, X- serverTransport, X- transportFactory, X- protocolFactory, X- threadManager); X- server.serve(); X+ startServer(processor); X } catch (const std::exception& e) { X- LOG(ERROR) << "Cannot start extension handler: " << socket_path << " (" X+ LOG(ERROR) << "Cannot start extension handler: " << path_ << " (" X << e.what() << ")"; X- return; X } X } X X-ExtensionManagerRunner::~ExtensionManagerRunner() { X- // Remove the socket path. X- remove(path_); X-} X- X-void ExtensionManagerRunner::enter() { X- // Set the socket information for the extension manager. X- auto socket_path = path_; X- X+void ExtensionManagerRunner::start() { X // Create the thrift instances. X- OSQUERY_THRIFT_POINTER::shared_ptr handler( X- new ExtensionManagerHandler()); X- OSQUERY_THRIFT_POINTER::shared_ptr processor( X- new ExtensionManagerProcessor(handler)); X- OSQUERY_THRIFT_POINTER::shared_ptr serverTransport( X- new TServerSocket(socket_path)); X- OSQUERY_THRIFT_POINTER::shared_ptr transportFactory( X- new TBufferedTransportFactory()); X- OSQUERY_THRIFT_POINTER::shared_ptr protocolFactory( X- new TBinaryProtocolFactory()); X- X- OSQUERY_THRIFT_POINTER::shared_ptr threadManager = X- ThreadManager::newSimpleThreadManager(FLAGS_worker_threads); X- OSQUERY_THRIFT_POINTER::shared_ptr threadFactory = X- OSQUERY_THRIFT_POINTER::shared_ptr( X- new PosixThreadFactory()); X- threadManager->threadFactory(threadFactory); X- threadManager->start(); X+ auto handler = ExtensionManagerHandlerRef(new ExtensionManagerHandler()); X+ auto processor = TProcessorRef(new ExtensionManagerProcessor(handler)); X X- // Start the Thrift server's run loop. X+ VLOG(1) << "Extension manager service starting: " << path_; X try { X- VLOG(1) << "Extension manager service starting: " << socket_path; X- TThreadPoolServer server(processor, X- serverTransport, X- transportFactory, X- protocolFactory, X- threadManager); X- server.serve(); X+ startServer(processor); X } catch (const std::exception& e) { X LOG(WARNING) << "Extensions disabled: cannot start extension manager (" X- << socket_path << ") (" << e.what() << ")"; X+ << path_ << ") (" << e.what() << ")"; X } X } X } 4ffde5948f00141e8acabdb2f3c94bf5 echo x - osquery/files/patch-osquery_extensions_interface.h sed 's/^X//' >osquery/files/patch-osquery_extensions_interface.h << '1546b3db584d914b4b40fb2e94018c1d' X--- osquery/extensions/interface.h.orig 2015-05-05 00:16:41 UTC X+++ osquery/extensions/interface.h X@@ -30,7 +30,6 @@ X // clang-format on X X namespace osquery { X-namespace extensions { X X using namespace apache::thrift; X using namespace apache::thrift::protocol; X@@ -38,6 +37,21 @@ using namespace apache::thrift::transpor X using namespace apache::thrift::server; X using namespace apache::thrift::concurrency; X X+/// Create easier to reference typedefs for Thrift layer implementations. X+#define SHARED_PTR_IMPL OSQUERY_THRIFT_POINTER::shared_ptr X+typedef SHARED_PTR_IMPL TSocketRef; X+typedef SHARED_PTR_IMPL TTransportRef; X+typedef SHARED_PTR_IMPL TProtocolRef; X+ X+typedef SHARED_PTR_IMPL TProcessorRef; X+typedef SHARED_PTR_IMPL TServerTransportRef; X+typedef SHARED_PTR_IMPL TTransportFactoryRef; X+typedef SHARED_PTR_IMPL TProtocolFactoryRef; X+typedef SHARED_PTR_IMPL PosixThreadFactoryRef; X+typedef std::shared_ptr TThreadPoolServerRef; X+ X+namespace extensions { X+ X /** X * @brief The Thrift API server used by an osquery Extension process. X * X@@ -68,6 +82,7 @@ class ExtensionHandler : virtual public X const ExtensionPluginRequest& request); X X protected: X+ /// Transient UUID assigned to the extension after registering. X RouteUUID uuid_; X }; X X@@ -163,6 +178,7 @@ class ExtensionManagerHandler : virtual X private: X /// Check if an extension exists by the name it registered. X bool exists(const std::string& name); X+ X /// Introspect into the registry, checking if any extension routes have been X /// removed. X void refresh(); X@@ -170,6 +186,9 @@ class ExtensionManagerHandler : virtual X /// Maintain a map of extension UUID to metadata for tracking deregistration. X InternalExtensionList extensions_; X }; X+ X+typedef SHARED_PTR_IMPL ExtensionHandlerRef; X+typedef SHARED_PTR_IMPL ExtensionManagerHandlerRef; X } X X /// A Dispatcher service thread that watches an ExtensionManagerHandler. X@@ -183,7 +202,8 @@ class ExtensionWatcher : public Internal X X public: X /// The Dispatcher thread entry point. X- void enter(); X+ void start(); X+ X /// Perform health checks. X virtual void watch(); X X@@ -194,8 +214,10 @@ class ExtensionWatcher : public Internal X protected: X /// The UNIX domain socket path for the ExtensionManager. X std::string path_; X+ X /// The internal in milliseconds to ping the ExtensionManager. X size_t interval_; X+ X /// If the ExtensionManager socket is closed, should the extension exit. X bool fatal_; X }; X@@ -205,60 +227,87 @@ class ExtensionManagerWatcher : public E X ExtensionManagerWatcher(const std::string& path, size_t interval) X : ExtensionWatcher(path, interval, false) {} X X+ /// Start a specialized health check for an ExtensionManager. X void watch(); X }; X X-/// A Dispatcher service thread that starts ExtensionHandler. X-class ExtensionRunner : public InternalRunnable { X+class ExtensionRunnerCore : public InternalRunnable { X+ public: X+ virtual ~ExtensionRunnerCore(); X+ ExtensionRunnerCore(const std::string& path) X+ : path_(path), server_(nullptr) {} X+ X+ public: X+ /// Given a handler transport and protocol start a thrift threaded server. X+ void startServer(TProcessorRef processor); X+ X+ // The Dispatcher thread service stop point. X+ void stop(); X+ X+ protected: X+ /// The UNIX domain socket used for requests from the ExtensionManager. X+ std::string path_; X+ X+ /// Server instance, will be stopped if thread service is removed. X+ TThreadPoolServerRef server_; X+}; X+ X+/** X+ * @brief A Dispatcher service thread that starts ExtensionHandler. X+ * X+ * This runner will start a Thrift Extension server, call serve, and wait X+ * until the extension exists or the ExtensionManager (core) terminates or X+ * deregisters the extension. X+ * X+ */ X+class ExtensionRunner : public ExtensionRunnerCore { X public: X- virtual ~ExtensionRunner(); X ExtensionRunner(const std::string& manager_path, RouteUUID uuid) X- : uuid_(uuid) { X+ : ExtensionRunnerCore(""), uuid_(uuid) { X path_ = getExtensionSocket(uuid, manager_path); X } X X public: X- /// The Dispatcher thread entry point. X- void enter(); X+ void start(); X X /// Access the UUID provided by the ExtensionManager. X RouteUUID getUUID() { return uuid_; } X X private: X- /// The UNIX domain socket used for requests from the ExtensionManager. X- std::string path_; X /// The unique and transient Extension UUID assigned by the ExtensionManager. X RouteUUID uuid_; X }; X X-/// A Dispatcher service thread that starts ExtensionManagerHandler. X-class ExtensionManagerRunner : public InternalRunnable { X+/** X+ * @brief A Dispatcher service thread that starts ExtensionManagerHandler. X+ * X+ * This runner will start a Thrift ExtensionManager server, call serve, and wait X+ * until for extensions to register, or thrift API calls. X+ * X+ */ X+class ExtensionManagerRunner : public ExtensionRunnerCore { X public: X- virtual ~ExtensionManagerRunner(); X explicit ExtensionManagerRunner(const std::string& manager_path) X- : path_(manager_path) {} X+ : ExtensionRunnerCore(manager_path) {} X X public: X- void enter(); X- X- private: X- std::string path_; X+ void start(); X }; X X /// Internal accessor for extension clients. X class EXInternal { X public: X explicit EXInternal(const std::string& path) X- : socket_(new extensions::TSocket(path)), X- transport_(new extensions::TBufferedTransport(socket_)), X- protocol_(new extensions::TBinaryProtocol(transport_)) {} X+ : socket_(new TSocket(path)), X+ transport_(new TBufferedTransport(socket_)), X+ protocol_(new TBinaryProtocol(transport_)) {} X X virtual ~EXInternal() { transport_->close(); } X X protected: X- OSQUERY_THRIFT_POINTER::shared_ptr socket_; X- OSQUERY_THRIFT_POINTER::shared_ptr transport_; X- OSQUERY_THRIFT_POINTER::shared_ptr protocol_; X+ TSocketRef socket_; X+ TTransportRef transport_; X+ TProtocolRef protocol_; X }; X X /// Internal accessor for a client to an extension (from an extension manager). 1546b3db584d914b4b40fb2e94018c1d echo x - osquery/files/patch-osquery_extensions_tests_extensions__tests.cpp sed 's/^X//' >osquery/files/patch-osquery_extensions_tests_extensions__tests.cpp << 'c590c731ecab7ce429e7ec758dc8bdf7' X--- osquery/extensions/tests/extensions_tests.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/extensions/tests/extensions_tests.cpp X@@ -30,16 +30,17 @@ const std::string kTestManagerSocket = k X class ExtensionsTest : public testing::Test { X protected: X void SetUp() { X- remove(kTestManagerSocket); X- if (pathExists(kTestManagerSocket).ok()) { X- throw std::domain_error("Cannot test sockets: " + kTestManagerSocket); X+ socket_path = kTestManagerSocket + std::to_string(rand()); X+ remove(socket_path); X+ if (pathExists(socket_path).ok()) { X+ throw std::domain_error("Cannot test sockets: " + socket_path); X } X } X X void TearDown() { X- Dispatcher::removeServices(); X+ Dispatcher::stopServices(); X Dispatcher::joinServices(); X- remove(kTestManagerSocket); X+ remove(socket_path); X } X X bool ping(int attempts = 3) { X@@ -47,7 +48,7 @@ class ExtensionsTest : public testing::T X ExtensionStatus status; X for (int i = 0; i < attempts; ++i) { X try { X- EXManagerClient client(kTestManagerSocket); X+ EXManagerClient client(socket_path); X client.get()->ping(status); X return (status.code == ExtensionCode::EXT_SUCCESS); X } catch (const std::exception& e) { X@@ -63,7 +64,7 @@ class ExtensionsTest : public testing::T X ExtensionResponse response; X for (int i = 0; i < attempts; ++i) { X try { X- EXManagerClient client(kTestManagerSocket); X+ EXManagerClient client(socket_path); X client.get()->query(response, sql); X } catch (const std::exception& e) { X ::usleep(kDelayUS); X@@ -81,7 +82,7 @@ class ExtensionsTest : public testing::T X ExtensionList registeredExtensions(int attempts = 3) { X ExtensionList extensions; X for (int i = 0; i < attempts; ++i) { X- if (getExtensions(kTestManagerSocket, extensions).ok()) { X+ if (getExtensions(socket_path, extensions).ok()) { X break; X } X } X@@ -101,34 +102,37 @@ class ExtensionsTest : public testing::T X } X return false; X } X+ X+ public: X+ std::string socket_path; X }; X X TEST_F(ExtensionsTest, test_manager_runnable) { X // Start a testing extension manager. X- auto status = startExtensionManager(kTestManagerSocket); X+ auto status = startExtensionManager(socket_path); X EXPECT_TRUE(status.ok()); X // Call success if the Unix socket was created. X- EXPECT_TRUE(socketExists(kTestManagerSocket)); X+ EXPECT_TRUE(socketExists(socket_path)); X } X X TEST_F(ExtensionsTest, test_extension_runnable) { X- auto status = startExtensionManager(kTestManagerSocket); X+ auto status = startExtensionManager(socket_path); X EXPECT_TRUE(status.ok()); X // Wait for the extension manager to start. X- EXPECT_TRUE(socketExists(kTestManagerSocket)); X+ EXPECT_TRUE(socketExists(socket_path)); X X // Test the extension manager API 'ping' call. X EXPECT_TRUE(ping()); X } X X TEST_F(ExtensionsTest, test_extension_start) { X- auto status = startExtensionManager(kTestManagerSocket); X+ auto status = startExtensionManager(socket_path); X EXPECT_TRUE(status.ok()); X- EXPECT_TRUE(socketExists(kTestManagerSocket)); X+ EXPECT_TRUE(socketExists(socket_path)); X X // Now allow duplicates (for testing, since EM/E are the same). X Registry::allowDuplicates(true); X- status = startExtension(kTestManagerSocket, "test", "0.1", "0.0.0", "0.0.1"); X+ status = startExtension(socket_path, "test", "0.1", "0.0.0", "0.0.1"); X // This will not be false since we are allowing deplicate items. X // Otherwise, starting an extension and extensionManager would fatal. X ASSERT_TRUE(status.ok()); X@@ -138,7 +142,7 @@ TEST_F(ExtensionsTest, test_extension_st X RouteUUID uuid = (RouteUUID)stoi(status.getMessage(), nullptr, 0); X X // We can test-wait for the extensions's socket to open. X- EXPECT_TRUE(socketExists(kTestManagerSocket + "." + std::to_string(uuid))); X+ EXPECT_TRUE(socketExists(socket_path + "." + std::to_string(uuid))); X X // Then clean up the registry modifications. X Registry::removeBroadcast(uuid); X@@ -160,9 +164,9 @@ class TestExtensionPlugin : public Exten X CREATE_REGISTRY(ExtensionPlugin, "extension_test"); X X TEST_F(ExtensionsTest, test_extension_broadcast) { X- auto status = startExtensionManager(kTestManagerSocket); X+ auto status = startExtensionManager(socket_path); X EXPECT_TRUE(status.ok()); X- EXPECT_TRUE(socketExists(kTestManagerSocket)); X+ EXPECT_TRUE(socketExists(socket_path)); X X // This time we're going to add a plugin to the extension_test registry. X Registry::add("extension_test", "test_item"); X@@ -180,7 +184,7 @@ TEST_F(ExtensionsTest, test_extension_br X EXPECT_TRUE(Registry::exists("extension_test", "test_item")); X EXPECT_FALSE(Registry::exists("extension_test", "test_alias")); X X- status = startExtension(kTestManagerSocket, "test", "0.1", "0.0.0", "0.0.1"); X+ status = startExtension(socket_path, "test", "0.1", "0.0.0", "0.0.1"); X EXPECT_TRUE(status.ok()); X X RouteUUID uuid; X@@ -191,7 +195,7 @@ TEST_F(ExtensionsTest, test_extension_br X return; X } X X- auto ext_socket = kTestManagerSocket + "." + std::to_string(uuid); X+ auto ext_socket = socket_path + "." + std::to_string(uuid); X EXPECT_TRUE(socketExists(ext_socket)); X X // Make sure the EM registered the extension (called in start extension). c590c731ecab7ce429e7ec758dc8bdf7 echo x - osquery/files/patch-osquery_filesystem_CMakeLists.txt sed 's/^X//' >osquery/files/patch-osquery_filesystem_CMakeLists.txt << '77faa22acda51aab4d4429b6568eee07' X--- osquery/filesystem/CMakeLists.txt.orig 2015-05-05 00:16:41 UTC X+++ osquery/filesystem/CMakeLists.txt X@@ -4,6 +4,7 @@ if(APPLE) X ) X X ADD_OSQUERY_LINK(TRUE "-framework Foundation") X+elseif(FREEBSD) X elseif(LINUX) X ADD_OSQUERY_LIBRARY(TRUE osquery_filesystem_linux X linux/mem.cpp 77faa22acda51aab4d4429b6568eee07 echo x - osquery/files/patch-osquery_main_run.cpp sed 's/^X//' >osquery/files/patch-osquery_main_run.cpp << '4fe532d653d486e604fdbbd7e5339bbb' X--- osquery/main/run.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/main/run.cpp X@@ -10,10 +10,9 @@ X X #include X X-#include X- X #include X #include X+#include X #include X #include X X@@ -27,7 +26,7 @@ int main(int argc, char* argv[]) { X X // Let gflags parse the non-help options/flags. X GFLAGS_NAMESPACE::ParseCommandLineFlags(&argc, &argv, false); X- GFLAGS_NAMESPACE::InitGoogleLogging(argv[0]); X+ google::InitGoogleLogging(argv[0]); X X if (FLAGS_query == "") { X fprintf(stderr, "Usage: %s --query=\"query\"\n", argv[0]); 4fe532d653d486e604fdbbd7e5339bbb echo x - osquery/files/patch-osquery_remote_enrollment_plugins_tests_http__enrollment__tests.cpp sed 's/^X//' >osquery/files/patch-osquery_remote_enrollment_plugins_tests_http__enrollment__tests.cpp << '29555b3aaf66344dc913bf25fa402e4f' X--- osquery/remote/enrollment/plugins/tests/http_enrollment_tests.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/remote/enrollment/plugins/tests/http_enrollment_tests.cpp X@@ -16,6 +16,8 @@ X #include X X #include X+ X+#include "osquery/dispatcher/dispatcher.h" X #include "osquery/remote/requests.h" X #include "osquery/remote/transports/http.h" X #include "osquery/remote/serializers/json.h" X@@ -35,48 +37,78 @@ struct TestHTTPEnrollmentHandler { X response = Server::response::stock_reply( X Server::response::ok, std::string("{\"enrollment_key\":\"potatoes\"}")); X } X- void log(...) {} X+ X+ void log(Server::string_type const &info) { X+ VLOG(1) << "TestHTTPEnrollmentHandler logging"; X+ } X+}; X+ X+class HTTPEnrollServerRunner : public InternalRunnable { X+ public: X+ explicit HTTPEnrollServerRunner(std::shared_ptr server) X+ : server_(server) {} X+ X+ void start() { X+ // Using a dispatcher and runnable allows us to catch and pretty print X+ // any socket/service exceptions. X+ try { X+ server_->run(); X+ } catch (const std::exception &e) { X+ LOG(ERROR) << "Testing HTTP server failed: " << e.what(); X+ } X+ } X+ X+ private: X+ std::shared_ptr server_; X }; X X class RemoteEnrollmentTests : public testing::Test { X public: X- RemoteEnrollmentTests() { X- auto enroll_port = std::to_string(rand() % 10000 + 10000); X- FLAGS_enrollment_uri = "http://localhost:" + enroll_port; X- FLAGS_enrollment_app_id = "just_a_test_id"; X+ void SetUp() { X+ port_ = std::to_string(rand() % 10000 + 20000); X TestHTTPEnrollmentHandler handler; X- Server::options options(handler); X- server_ = std::make_shared( X- options.address("127.0.0.1").port(enroll_port)); X- t_ = X- std::make_shared(boost::bind(&Server::run, &(*server_))); X+ Server::options opts(handler); X+ X+ // Create an HTTP server instance. X+ server_ = std::make_shared(opts.address("127.0.0.1").port(port_)); X+ X+ // Create a runnable and add it to the dispatcher. X+ Dispatcher::addService(std::make_shared(server_)); X } X X ~RemoteEnrollmentTests() { X server_->stop(); X- t_->join(); X+ Dispatcher::joinServices(); X } X X- private: X+ protected: X std::shared_ptr server_; X- std::shared_ptr t_; X+ std::string port_; X }; X X-/* X TEST_F(RemoteEnrollmentTests, test_enroll) { X+ // Set the enrollment URI to the server we created. X+ FLAGS_enrollment_uri = "http://127.0.0.1:" + port_; X+ FLAGS_enrollment_app_id = "just_a_test_id"; X+ X // Call enroll X PluginRequest request = { X- {"enroll", "1"}, // 0 enroll if needed, 1 force re-enroll X+ {"enroll", "1"}, X+ // 0 enroll if needed, 1 force re-enroll X }; X PluginResponse resp; X Status stat = Registry::call("enrollment", "get_key", request, resp); X- EXPECT_TRUE(stat.ok()); X- // Verify get key contains the string X- if (resp.size() == 1) { X- EXPECT_EQ(resp[0]["key"], "potatoes"); X- } else { X- EXPECT_EQ(resp.size(), 1); X+ X+ // The enrollment server test mostly stresses workflow and code coverage. X+ // Occasionally, like with the transports testing, the non-mocked netlib X+ // server failed to bind. X+ if (stat.ok()) { X+ // Verify get key contains the string X+ if (resp.size() == 1) { X+ EXPECT_EQ(resp[0]["key"], "potatoes"); X+ } else { X+ EXPECT_EQ(resp.size(), 1); X+ } X } X } X-*/ X } 29555b3aaf66344dc913bf25fa402e4f echo x - osquery/files/patch-osquery_remote_requests.h sed 's/^X//' >osquery/files/patch-osquery_remote_requests.h << 'c31999fa9a7bc3bcc82df55f03d8a6c6' X--- osquery/remote/requests.h.orig 2015-05-05 00:16:41 UTC X+++ osquery/remote/requests.h X@@ -152,7 +152,7 @@ class Serializer { X std::string& serialized) = 0; X X /** X- * @brief Deerialize a property tree into a property tree X+ * @brief Deserialize a property tree into a property tree X * X * @param params A string of serialized parameters X * c31999fa9a7bc3bcc82df55f03d8a6c6 echo x - osquery/files/patch-osquery_remote_transports_http.cpp sed 's/^X//' >osquery/files/patch-osquery_remote_transports_http.cpp << '52f31b0c09109b2d401fde424de52b5c' X--- osquery/remote/transports/http.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/remote/transports/http.cpp X@@ -25,9 +25,14 @@ Status HTTPTransport::sendRequest() { X http::client client; X http::client::request r(destination_); X decorateRequest(r); X- response_ = client.get(r); X- response_status_ = X- serializer_->deserialize(body(response_), response_params_); X+ X+ try { X+ response_ = client.get(r); X+ response_status_ = X+ serializer_->deserialize(body(response_), response_params_); X+ } catch (const std::exception& e) { X+ return Status(1, std::string("Request error: ") + e.what()); X+ } X return response_status_; X } X X@@ -35,9 +40,14 @@ Status HTTPTransport::sendRequest(const X http::client client; X http::client::request r(destination_); X decorateRequest(r); X- response_ = client.post(r, params); X- response_status_ = X- serializer_->deserialize(body(response_), response_params_); X+ X+ try { X+ response_ = client.post(r, params); X+ response_status_ = X+ serializer_->deserialize(body(response_), response_params_); X+ } catch (const std::exception& e) { X+ return Status(1, std::string("Request error: ") + e.what()); X+ } X return response_status_; X } X } 52f31b0c09109b2d401fde424de52b5c echo x - osquery/files/patch-osquery_remote_transports_tests_http__transports__tests.cpp sed 's/^X//' >osquery/files/patch-osquery_remote_transports_tests_http__transports__tests.cpp << '7a28de3275002c82fbd05bb474cc836d' X--- osquery/remote/transports/tests/http_transports_tests.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/remote/transports/tests/http_transports_tests.cpp X@@ -15,6 +15,7 @@ X X #include X X+#include "osquery/dispatcher/dispatcher.h" X #include "osquery/remote/requests.h" X #include "osquery/remote/serializers/json.h" X #include "osquery/remote/transports/http.h" X@@ -32,51 +33,83 @@ struct TestHTTPTransportHandler { X std::string("{\"foo\":\"bar\"}")); X } X X- void log(...) {} X+ void log(Server::string_type const &info) { X+ VLOG(1) << "TestHTTPTransportHandler logging"; X+ } X+}; X+ X+class HTTPServerRunner : public InternalRunnable { X+ public: X+ explicit HTTPServerRunner(std::shared_ptr server) : server_(server) {} X+ X+ void start() { X+ // Using a dispatcher and runnable allows us to catch and pretty print X+ // any socket/service exceptions. X+ try { X+ server_->run(); X+ } catch (const std::exception &e) { X+ LOG(ERROR) << "Testing HTTP server failed: " << e.what(); X+ } X+ } X+ X+ private: X+ std::shared_ptr server_; X }; X X class HTTPTransportsTests : public testing::Test { X public: X- HTTPTransportsTests() { X- port_ = std::to_string(rand() % 10000 + 10000); X+ void SetUp() { X+ port_ = std::to_string(rand() % 10000 + 20000); X TestHTTPTransportHandler handler; X- Server::options options(handler); X- server_ = X- std::make_shared(options.address("127.0.0.1").port(port_)); X- t_ = X- std::make_shared(boost::bind(&Server::run, &(*server_))); X+ Server::options opts(handler); X+ X+ // Create an HTTP server instance. X+ server_ = std::make_shared(opts.address("127.0.0.1").port(port_)); X+ X+ // Create a runnable and add it to the dispatcher. X+ Dispatcher::addService(std::make_shared(server_)); X } X X- ~HTTPTransportsTests() { X+ void TearDown() { X server_->stop(); X- t_->join(); X+ Dispatcher::joinServices(); X } X X protected: X std::shared_ptr server_; X- std::shared_ptr t_; X std::string port_; X }; X X TEST_F(HTTPTransportsTests, test_call) { X auto r = Request("http://127.0.0.1:" + port_); X- auto s1 = r.call(); X- EXPECT_TRUE(s1.ok()); X- boost::property_tree::ptree params; X- auto s2 = r.getResponse(params); X- EXPECT_TRUE(s2.ok()); X+ Status status; X+ ASSERT_NO_THROW(status = r.call()); X+ X+ // Sometimes the best we can test is the call workflow. X+ if (status.ok()) { X+ boost::property_tree::ptree params; X+ status = r.getResponse(params); X+ EXPECT_TRUE(status.ok()); X+ } else { X+ // The socket bind failed. X+ } X } X X TEST_F(HTTPTransportsTests, test_call_with_params) { X auto r = Request("http://127.0.0.1:" + port_); X boost::property_tree::ptree params; X params.put("foo", "bar"); X- auto s1 = r.call(params); X- EXPECT_TRUE(s1.ok()); X X- boost::property_tree::ptree recv; X- auto s2 = r.getResponse(recv); X- EXPECT_TRUE(s2.ok()); X- EXPECT_EQ(params, recv); X+ Status status; X+ ASSERT_NO_THROW(status = r.call(params)); X+ X+ if (status.ok()) { X+ boost::property_tree::ptree recv; X+ auto s2 = r.getResponse(recv); X+ EXPECT_TRUE(s2.ok()); X+ EXPECT_EQ(params, recv); X+ } else { X+ // The socket bind failed. X+ } X } X } 7a28de3275002c82fbd05bb474cc836d echo x - osquery/files/patch-osquery_tables_CMakeLists.txt sed 's/^X//' >osquery/files/patch-osquery_tables_CMakeLists.txt << 'aef4b5115a7401294f3fa7ef3c9346c6' X--- osquery/tables/CMakeLists.txt.orig 2015-05-05 00:16:41 UTC X+++ osquery/tables/CMakeLists.txt X@@ -33,7 +33,7 @@ else() X file(GLOB OSQUERY_LINUX_TABLES_TESTS "*/linux/tests/*.cpp") X ADD_OSQUERY_TABLE_TEST(${OSQUERY_LINUX_TABLES_TESTS}) X X- if(CENTOS) X+ if(CENTOS OR RHEL) X # CentOS specific tables X file(GLOB OSQUERY_REDHAT_TABLES "*/centos/*.cpp") X ADD_OSQUERY_LIBRARY(FALSE osquery_tables_redhat X@@ -59,7 +59,7 @@ else() X ADD_OSQUERY_LINK(FALSE "uuid") X endif() X X-file(GLOB OSQUERY_CROSS_TABLES "[!u]*/*.cpp") X+file(GLOB OSQUERY_CROSS_TABLES "[!ue]*/*.cpp") X ADD_OSQUERY_LIBRARY(FALSE osquery_tables X ${OSQUERY_CROSS_TABLES} X ) X@@ -72,10 +72,12 @@ ADD_OSQUERY_LIBRARY(TRUE osquery_tables_ X ${OSQUERY_UTILITY_TABLES} X ) X X-file(GLOB OSQUERY_UTILS "utils/*.cpp") X-ADD_OSQUERY_LIBRARY(FALSE osquery_utils X- ${OSQUERY_UTILS} X-) X+if(NOT FREEBSD) X+ file(GLOB OSQUERY_UTILS "utils/*.cpp") X+ ADD_OSQUERY_LIBRARY(FALSE osquery_utils X+ ${OSQUERY_UTILS} X+ ) X X-file(GLOB OSQUERY_UTILS_TESTS "utils/tests/*.cpp") X-ADD_OSQUERY_TEST(FALSE ${OSQUERY_UTILS_TESTS}) X+ file(GLOB OSQUERY_UTILS_TESTS "utils/tests/*.cpp") X+ ADD_OSQUERY_TEST(FALSE ${OSQUERY_UTILS_TESTS}) X+endif() aef4b5115a7401294f3fa7ef3c9346c6 echo x - osquery/files/patch-osquery_tables_networking_interfaces.cpp sed 's/^X//' >osquery/files/patch-osquery_tables_networking_interfaces.cpp << '8b3d09cb4ca837834ac7d0b065b729ea' X--- osquery/tables/networking/interfaces.cpp.orig 2015-05-08 22:48:42 UTC X+++ osquery/tables/networking/interfaces.cpp X@@ -11,8 +11,8 @@ X #include X #include X X-#include X #include X+#include X #include X X #ifdef __linux__ 8b3d09cb4ca837834ac7d0b065b729ea echo x - osquery/files/patch-osquery_tables_networking_utils.h sed 's/^X//' >osquery/files/patch-osquery_tables_networking_utils.h << '1af4b7ef6a0970468606b61d01c402d9' X--- osquery/tables/networking/utils.h.orig 2015-05-05 00:16:41 UTC X+++ osquery/tables/networking/utils.h X@@ -19,10 +19,10 @@ namespace osquery { X namespace tables { X X // Define AF_INTERFACE as the alias for interface details. X-#ifdef __APPLE__ X-#define AF_INTERFACE AF_LINK X-#else X+#ifdef __linux__ X #define AF_INTERFACE AF_PACKET X+#else X+#define AF_INTERFACE AF_LINK X #endif X X // Return a string representation for an IPv4/IPv6 struct. 1af4b7ef6a0970468606b61d01c402d9 echo x - osquery/files/patch-osquery_tables_specs_blacklist sed 's/^X//' >osquery/files/patch-osquery_tables_specs_blacklist << '528e3ab93ae610b2586d10f8395e6cc2' X--- osquery/tables/specs/blacklist.orig 2015-05-05 00:16:41 UTC X+++ osquery/tables/specs/blacklist X@@ -1,4 +1,36 @@ X # osquery/tables/specs/blacklist X # Usage: add table spec names to this list to prevent table generation X # Example: add tables that are not yet ready for release X- X+# Example: add a platform:table_name, which is not yet ready X+freebsd:acpi_tables X+freebsd:arp_cache X+freebsd:block_devices X+freebsd:chrome_extensions X+freebsd:disk_encryption X+freebsd:file_events X+freebsd:firefox_addons X+#freebsd:groups X+freebsd:hardware_events X+#freebsd:interface_addresses X+#freebsd:interface_details X+freebsd:kernel_info X+freebsd:last X+#freebsd:listening_ports X+freebsd:mounts X+freebsd:opera_extensions X+freebsd:os_version X+freebsd:passwd_changes X+freebsd:pci_devices X+freebsd:process_envs X+freebsd:process_memory_map X+freebsd:process_open_files X+freebsd:process_open_sockets X+freebsd:processes X+freebsd:routes X+freebsd:system_controls X+freebsd:usb_devices X+freebsd:users X+freebsd:yara_events X+freebsd:yara X+freebsd:system_controls X+freebsd:smbios_tables 528e3ab93ae610b2586d10f8395e6cc2 echo x - osquery/files/patch-osquery_tables_system_centos_rpm__packages.cpp sed 's/^X//' >osquery/files/patch-osquery_tables_system_centos_rpm__packages.cpp << 'f968a432eb16f387d7033e15a9922b4c' X--- osquery/tables/system/centos/rpm_packages.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/tables/system/centos/rpm_packages.cpp X@@ -147,7 +147,7 @@ QueryData genRpmPackageFiles(QueryContex X r["mode"] = lsperms(rpmfiFMode(fi)); X r["size"] = BIGINT(rpmfiFSize(fi)); X X-#ifdef CENTOS_CENTOS6 X+#if defined(CENTOS_CENTOS6) || defined(RHEL_RHEL6) X // Older versions of rpmlib/rpmip use a hash algorithm enum. X pgpHashAlgo digest_algo; X #else f968a432eb16f387d7033e15a9922b4c echo x - osquery/files/patch-osquery_tables_system_freebsd_sysctl__utils.cpp sed 's/^X//' >osquery/files/patch-osquery_tables_system_freebsd_sysctl__utils.cpp << '7abb8685dd349eeb069cbe75bc64521a' X--- osquery/tables/system/freebsd/sysctl_utils.cpp.orig 2015-05-08 22:20:24 UTC X+++ osquery/tables/system/freebsd/sysctl_utils.cpp X@@ -0,0 +1,36 @@ X+/* X+ * Copyright (c) 2014, Facebook, Inc. X+ * All rights reserved. X+ * X+ * This source code is licensed under the BSD-style license found in the X+ * LICENSE file in the root directory of this source tree. An additional grant X+ * of patent rights can be found in the PATENTS file in the same directory. X+ * X+ */ X+ X+//#include X+ X+#include X+#include X+ X+#include "osquery/tables/system/sysctl_utils.h" X+ X+namespace osquery { X+namespace tables { X+ X+void genControlInfo(int* oid, X+ size_t oid_size, X+ QueryData& results, X+ const std::map& config) { X+} X+ X+void genControlInfoFromName(const std::string& name, QueryData& results, X+ const std::map& config) { X+} X+ X+void genAllControls(QueryData& results, X+ const std::map& config, X+ const std::string& subsystem) { X+} X+} X+} 7abb8685dd349eeb069cbe75bc64521a echo x - osquery/files/patch-osquery_tables_system_linux_os__version.cpp sed 's/^X//' >osquery/files/patch-osquery_tables_system_linux_os__version.cpp << 'b8f68c57a400a9b81675925aa0fe0502' X--- osquery/tables/system/linux/os_version.cpp.orig 2015-05-05 00:16:41 UTC X+++ osquery/tables/system/linux/os_version.cpp X@@ -22,7 +22,7 @@ namespace xp = boost::xpressive; X namespace osquery { X namespace tables { X X-#ifdef CENTOS X+#if defined(CENTOS) || defined(RHEL) X const std::string kLinuxOSRelease = "/etc/redhat-release"; X const std::string kLinuxOSRegex = X "(?P\\w+) .* " b8f68c57a400a9b81675925aa0fe0502 echo x - osquery/files/patch-tools_codegen_gentable.py sed 's/^X//' >osquery/files/patch-tools_codegen_gentable.py << '9ef8da11e644aa2a24dc8181016f6394' X--- tools/codegen/gentable.py.orig 2015-05-05 00:16:41 UTC X+++ tools/codegen/gentable.py X@@ -30,9 +30,15 @@ TEMPLATES = {} X # Temporary reserved column names X RESERVED = ["n", "index"] X X-# Supported SQL types for spec X- X+# Set the platform in osquery-language X+if sys.platform.find("freebsd") == 0: X+ PLATFORM = "freebsd" X+elif sys.platform in ["linux", "linux2"]: X+ PLATFORM = "linux" X+else: X+ PLATFORM = sys.platform X X+# Supported SQL types for spec X class DataType(object): X X def __init__(self, affinity, cpp_type="std::string"): X@@ -79,6 +85,8 @@ def is_blacklisted(table_name, path=None X """Allow blacklisting by tablename.""" X if blacklist is None: X specs_path = os.path.dirname(os.path.dirname(path)) X+ if os.path.basename(specs_path) == "tables": X+ specs_path += "/specs" X blacklist_path = os.path.join(specs_path, "blacklist") X if not os.path.exists(blacklist_path): X return False X@@ -91,9 +99,19 @@ def is_blacklisted(table_name, path=None X except: X # Blacklist is not readable. X return False X- # table_name based blacklisting! X- return table_name in blacklist if blacklist else False X+ if not blacklist: X+ return False X X+ # table_name based blacklisting! X+ for item in blacklist: X+ item = item.split(":") X+ # If this item is restricted to a platform and the platform X+ # and table name match X+ if len(item) > 1 and PLATFORM == item[0] and table_name == item[1]: X+ return True X+ elif len(item) == 1 and table_name == item[0]: X+ return True X+ return False X X def setup_templates(path): X tables_path = os.path.dirname(os.path.dirname(path)) 9ef8da11e644aa2a24dc8181016f6394 echo x - osquery/files/patch-tools_provision_freebsd.sh sed 's/^X//' >osquery/files/patch-tools_provision_freebsd.sh << '9a0473a2364e700c6666b04f4cb9268d' X--- tools/provision/freebsd.sh.orig 2015-05-05 00:16:41 UTC X+++ tools/provision/freebsd.sh X@@ -12,6 +12,9 @@ function main_freebsd() { X package git X package python X package py27-pip X+ package snappy X package rocksdb X+ package thrift X package thrift-cpp X+ package yara X } 9a0473a2364e700c6666b04f4cb9268d echo x - osquery/files/patch-tools_provision_lib.sh sed 's/^X//' >osquery/files/patch-tools_provision_lib.sh << 'd9891c7d84790914e1b4e932e6637893' X--- tools/provision/lib.sh.orig 2015-05-05 00:16:41 UTC X+++ tools/provision/lib.sh X@@ -57,27 +57,31 @@ function install_thrift() { X X function install_rocksdb() { X if [[ ! -f /usr/local/lib/librocksdb.a ]]; then X- if [[ ! -f rocksdb-3.5.tar.gz ]]; then X- wget https://osquery-packages.s3.amazonaws.com/deps/rocksdb-3.5.tar.gz X+ if [[ ! -f rocksdb-3.10.2.tar.gz ]]; then X+ wget https://osquery-packages.s3.amazonaws.com/deps/rocksdb-3.10.2.tar.gz X else X log "rocksdb source is already downloaded. skipping." X fi X- if [[ ! -d rocksdb-rocksdb-3.5 ]]; then X- tar -xf rocksdb-3.5.tar.gz X+ if [[ ! -d rocksdb-rocksdb-3.10.2 ]]; then X+ tar -xf rocksdb-3.10.2.tar.gz X fi X- if [[ ! -f rocksdb-rocksdb-3.5/librocksdb.a ]]; then X+ if [[ ! -f rocksdb-rocksdb-3.10.2/librocksdb.a ]]; then X if [[ $OS = "ubuntu" ]]; then X CLANG_INCLUDE="-I/usr/include/clang/3.4/include" X elif [ $OS = "centos" ] || [ $OS = "rhel" ]; then X CLANG_VERSION=`clang --version | grep version | cut -d" " -f3` X CLANG_INCLUDE="-I/usr/lib/clang/$CLANG_VERSION/include" X fi X- pushd rocksdb-rocksdb-3.5 X- make static_lib CFLAGS="$CLANG_INCLUDE $CFLAGS" X+ pushd rocksdb-rocksdb-3.10.2 X+ if [[ $OS = "freebsd" ]]; then X+ CC=cc CXX=c++ gmake static_lib CFLAGS="$CLANG_INCLUDE $CFLAGS" X+ else X+ make static_lib CFLAGS="$CLANG_INCLUDE $CFLAGS" X+ fi X popd X fi X- sudo cp rocksdb-rocksdb-3.5/librocksdb.a /usr/local/lib X- sudo cp -R rocksdb-rocksdb-3.5/include/rocksdb /usr/local/include X+ sudo cp rocksdb-rocksdb-3.10.2/librocksdb.a /usr/local/lib X+ sudo cp -R rocksdb-rocksdb-3.10.2/include/rocksdb /usr/local/include X else X log "rocksdb already installed. skipping." X fi X@@ -253,7 +257,7 @@ function package() { X brew install --build-bottle $1 || brew upgrade $@ X fi X elif [[ $OS = "freebsd" ]]; then X- if [[ -z "$(pkg info -q $1)" ]]; then X+ if pkg info -q $1; then X log "$1 is already installed. skipping." X else X log "installing $1" X@@ -285,7 +289,7 @@ function remove_package() { X log "Removing: $1 is not installed. skipping." X fi X elif [[ $OS = "freebsd" ]]; then X- if [[ -n "$(pkg info -q $1)" ]]; then X+ if ! pkg info -q $1; then X log "removing $1" X sudo pkg delete -y $1 X else d9891c7d84790914e1b4e932e6637893 echo x - osquery/files/patch-tools_tests_test__extensions.py sed 's/^X//' >osquery/files/patch-tools_tests_test__extensions.py << 'ecdff8f69c1d735943ff7186a69e169a' X--- tools/tests/test_extensions.py.orig 2015-05-05 00:16:41 UTC X+++ tools/tests/test_extensions.py X@@ -364,9 +364,11 @@ if __name__ == "__main__": X thrift_path = test_base.ARGS.build + "/generated/gen-py" X try: X sys.path.append(thrift_path) X+ sys.path.append(thrift_path + "/osquery") X from osquery import * X- except ImportError: X+ except ImportError as e: X print ("Cannot import osquery thrift API from %s" % (thrift_path)) X+ print ("Exception: %s" % (str(e))) X print ("You must first run: make") X exit(1) X ecdff8f69c1d735943ff7186a69e169a echo x - osquery/files/patch-CMake_CMakeLibs.cmake sed 's/^X//' >osquery/files/patch-CMake_CMakeLibs.cmake << '452e1ab0e607cc156bfbd44487b0138f' X--- CMake/CMakeLibs.cmake.orig 2015-05-05 00:16:41 UTC X+++ CMake/CMakeLibs.cmake X@@ -15,7 +15,7 @@ endmacro(SET_OSQUERY_COMPILE) X X macro(ADD_OSQUERY_PYTHON_TEST TEST_NAME SOURCE) X add_test(NAME python_${TEST_NAME} X- COMMAND python "${CMAKE_SOURCE_DIR}/tools/tests/${SOURCE}" --build "${CMAKE_BINARY_DIR}" X+ COMMAND python2 "${CMAKE_SOURCE_DIR}/tools/tests/${SOURCE}" --build "${CMAKE_BINARY_DIR}" X WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}/tools/tests/") X endmacro(ADD_OSQUERY_PYTHON_TEST) X X@@ -30,7 +30,7 @@ endmacro(ADD_OSQUERY_LINK) X X macro(ADD_OSQUERY_LINK_INTERNAL LINK LINK_PATHS LINK_SET) X if(NOT "${LINK}" MATCHES "(^[-/].*)") X- find_library("${LINK}_library" NAMES "lib${LINK}.a" "${LINK}" ${LINK_PATHS}) X+ find_library("${LINK}_library" NAMES "${LINK}" "lib${LINK}" ${LINK_PATHS}) X message("-- Found library dependency ${${LINK}_library}") X if("${${LINK}_library}" STREQUAL "${${LINK}_library}-NOTFOUND") X string(ASCII 27 Esc) X@@ -105,7 +105,6 @@ endmacro(ADD_OSQUERY_EXTENSION) X X macro(ADD_OSQUERY_MODULE TARGET) X add_library(${TARGET} SHARED ${ARGN}) X- target_link_libraries(${TARGET} dl) X add_dependencies(${TARGET} libglog libosquery) X if(APPLE) X target_link_libraries(${TARGET} "-undefined dynamic_lookup") X@@ -182,7 +181,7 @@ macro(GENERATE_TABLE TABLE_FILE NAME BAS X GET_GENERATION_DEPS(${BASE_PATH}) X add_custom_command( X OUTPUT "${TABLE_FILE_GEN}" X- COMMAND python "${BASE_PATH}/tools/codegen/gentable.py" X+ COMMAND python2 "${BASE_PATH}/tools/codegen/gentable.py" X "${TABLE_FILE}" "${TABLE_FILE_GEN}" "$ENV{DISABLE_BLACKLIST}" X DEPENDS ${TABLE_FILE} ${GENERATION_DEPENDENCIES} X WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}" X@@ -207,7 +206,7 @@ macro(AMALGAMATE BASE_PATH NAME OUTPUT) X # Append all of the code to a single amalgamation. X add_custom_command( X OUTPUT "${CMAKE_BINARY_DIR}/generated/${NAME}_amalgamation.cpp" X- COMMAND python "${BASE_PATH}/tools/codegen/amalgamate.py" X+ COMMAND python2 "${BASE_PATH}/tools/codegen/amalgamate.py" X "${BASE_PATH}/osquery/tables/" "${CMAKE_BINARY_DIR}/generated" "${NAME}" X DEPENDS ${GENERATED_TARGETS} ${GENERATION_DEPENDENCIES} X WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}" 452e1ab0e607cc156bfbd44487b0138f echo x - osquery/files/patch-tools_deployment_osquery.example.conf sed 's/^X//' >osquery/files/patch-tools_deployment_osquery.example.conf << 'eafa4ad1f079cffbbb8a45bc6e745cb4' X--- tools/deployment/osquery.example.conf.orig 2015-05-09 02:10:08 UTC X+++ tools/deployment/osquery.example.conf X@@ -10,7 +10,7 @@ X // The log directory stores info, warning, and errors. X // If the daemon uses the 'filesystem' logging retriever then the log_dir X // will also contain the query results. X- //"logger_path": "/var/log/osquery", X+ "logger_path": "/var/log/osquery", X X // Set 'disable_logging' to true to prevent writing any info, warning, error X // logs. If a logging plugin is selected it will still write query results. X@@ -27,14 +27,14 @@ X //"schedule_splay_percent": "10", X X // Write the pid of the osqueryd process to a pidfile/mutex. X- //"pidfile": "/var/osquery/osquery.pidfile", X+ "pidfile": "/var/run/osqueryd.pid", X X // Clear events from the osquery backing store after a number of seconds. X "event_pubsub_expiry": "86000", X X // A filesystem path for disk-based backing storage used for events and X // and query results differentials. See also 'use_in_memory_database'. X- //"database_path": "/var/osquery/osquery.db", X+ "database_path": "/var/db/osquery/osquery.db", X X // Comma-delimited list of table names to be disabled. X // This allows osquery to be launched without certain tables. eafa4ad1f079cffbbb8a45bc6e745cb4 echo x - osquery/files/patch-third-party_cpp-netlib_CMakeLists.txt sed 's/^X//' >osquery/files/patch-third-party_cpp-netlib_CMakeLists.txt << '77ee88dc95511a5096114240ec26340e' X--- third-party/cpp-netlib/CMakeLists.txt.orig 2015-04-16 17:06:51 UTC X+++ third-party/cpp-netlib/CMakeLists.txt X@@ -101,41 +101,3 @@ if (MSVC) X endif() X X enable_testing() X- X-install(DIRECTORY boost DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}) X- X-### X-## Export Targets X-# (so cpp-netlib can be easily used by other CMake projects) X-# [see http://www.cmake.org/Wiki/CMake/Tutorials/How_to_create_a_ProjectConfig.cmake_file] X- X-# Add all targets to the build-tree export set X-export(TARGETS cppnetlib-client-connections cppnetlib-server-parsers cppnetlib-uri X- FILE "${PROJECT_BINARY_DIR}/cppnetlibTargets.cmake") X-# Export the package for use from the build-tree X-# (this registers the build-tree with a global CMake-registry) X-export(PACKAGE cppnetlib) X-# Create the cppnetlibConfig.cmake and cppnetlibConfigVersion files X-file(RELATIVE_PATH REL_INCLUDE_DIR "${INSTALL_CMAKE_DIR}" X- "${CMAKE_INSTALL_FULL_INCLUDEDIR}") X-# ... for the build tree X-set(CONF_INCLUDE_DIRS "${PROJECT_SOURCE_DIR}") X-configure_file(cppnetlibConfig.cmake.in X- "${PROJECT_BINARY_DIR}/cppnetlibConfig.cmake" @ONLY) X-# ... for the install tree X-set(CONF_INCLUDE_DIRS "\${CPPNETLIB_CMAKE_DIR}/${REL_INCLUDE_DIR}") X-configure_file(cppnetlibConfig.cmake.in X- "${PROJECT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/cppnetlibConfig.cmake" @ONLY) X-# ... for both X-configure_file(cppnetlibConfigVersion.cmake.in X- "${PROJECT_BINARY_DIR}/cppnetlibConfigVersion.cmake" @ONLY) X-# Install the cppnetlibConfig.cmake and cppnetlibConfigVersion.cmake X-install(FILES X- "${PROJECT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/cppnetlibConfig.cmake" X- "${PROJECT_BINARY_DIR}/cppnetlibConfigVersion.cmake" X- DESTINATION "${INSTALL_CMAKE_DIR}" X- COMPONENT dev) X-# Install the export set for use with the install-tree X-install(EXPORT cppnetlibTargets X- DESTINATION "${INSTALL_CMAKE_DIR}" X- COMPONENT dev) 77ee88dc95511a5096114240ec26340e echo x - osquery/files/patch-third-party_cpp-netlib_libs_network_src_CMakeLists.txt sed 's/^X//' >osquery/files/patch-third-party_cpp-netlib_libs_network_src_CMakeLists.txt << 'b76adf00290bd7dd11af52906814f05a' X--- third-party/cpp-netlib/libs/network/src/CMakeLists.txt.orig 2015-04-16 17:06:51 UTC X+++ third-party/cpp-netlib/libs/network/src/CMakeLists.txt X@@ -17,11 +17,6 @@ set_target_properties(cppnetlib-uri X PROPERTIES VERSION ${CPPNETLIB_VERSION_STRING} X SOVERSION ${CPPNETLIB_VERSION_MAJOR} X PUBLIC_HEADER "${CPP-NETLIB_HEADERS}") X-install(TARGETS cppnetlib-uri X- EXPORT cppnetlibTargets X- PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_FULL_INCLUDEDIR} X- LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} X- ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR}) X X set(CPP-NETLIB_HTTP_SERVER_SRCS server_request_parsers_impl.cpp) X add_library(cppnetlib-server-parsers ${CPP-NETLIB_HTTP_SERVER_SRCS}) X@@ -29,11 +24,6 @@ set_target_properties(cppnetlib-server-p X PROPERTIES VERSION ${CPPNETLIB_VERSION_STRING} X SOVERSION ${CPPNETLIB_VERSION_MAJOR} X PUBLIC_HEADER "${CPP-NETLIB_HEADERS}") X-install(TARGETS cppnetlib-server-parsers X- EXPORT cppnetlibTargets X- PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_FULL_INCLUDEDIR} X- LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} X- ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR}) X X set(CPP-NETLIB_HTTP_CLIENT_SRCS client.cpp) X add_library(cppnetlib-client-connections ${CPP-NETLIB_HTTP_CLIENT_SRCS}) X@@ -47,8 +37,3 @@ endif () X if (Boost_FOUND) X target_link_libraries(cppnetlib-client-connections ${Boost_System_LIBRARY}) X endif () X-install(TARGETS cppnetlib-client-connections X- EXPORT cppnetlibTargets X- PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_FULL_INCLUDEDIR} X- LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} X- ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR}) b76adf00290bd7dd11af52906814f05a echo x - osquery/files/patch-third-party_glog_src_utilities.h sed 's/^X//' >osquery/files/patch-third-party_glog_src_utilities.h << 'bea7184faec56e1d57d56edd23b817c9' X--- third-party/glog/src/utilities.h.orig 2015-04-16 17:06:51 UTC X+++ third-party/glog/src/utilities.h X@@ -81,54 +81,6 @@ X #include "config.h" X #include "glog/logging.h" X X-// There are three different ways we can try to get the stack trace: X-// X-// 1) The libunwind library. This is still in development, and as a X-// separate library adds a new dependency, but doesn't need a frame X-// pointer. It also doesn't call malloc. X-// X-// 2) Our hand-coded stack-unwinder. This depends on a certain stack X-// layout, which is used by gcc (and those systems using a X-// gcc-compatible ABI) on x86 systems, at least since gcc 2.95. X-// It uses the frame pointer to do its work. X-// X-// 3) The gdb unwinder -- also the one used by the c++ exception code. X-// It's obviously well-tested, but has a fatal flaw: it can call X-// malloc() from the unwinder. This is a problem because we're X-// trying to use the unwinder to instrument malloc(). X-// X-// Note: if you add a new implementation here, make sure it works X-// correctly when GetStackTrace() is called with max_depth == 0. X-// Some code may do that. X- X-#if defined(HAVE_LIB_UNWIND) X-# define STACKTRACE_H "stacktrace_libunwind-inl.h" X-#elif !defined(NO_FRAME_POINTER) X-# if defined(__i386__) && __GNUC__ >= 2 X-# define STACKTRACE_H "stacktrace_x86-inl.h" X-# elif defined(__x86_64__) && __GNUC__ >= 2 && HAVE_UNWIND_H X-# define STACKTRACE_H "stacktrace_x86_64-inl.h" X-# elif (defined(__ppc__) || defined(__PPC__)) && __GNUC__ >= 2 X-# define STACKTRACE_H "stacktrace_powerpc-inl.h" X-# endif X-#endif X- X-#if !defined(STACKTRACE_H) && defined(HAVE_EXECINFO_H) X-# define STACKTRACE_H "stacktrace_generic-inl.h" X-#endif X- X-#if defined(STACKTRACE_H) X-# define HAVE_STACKTRACE X-#endif X- X-// defined by gcc X-#if defined(__ELF__) && defined(OS_LINUX) X-# define HAVE_SYMBOLIZE X-#elif defined(OS_MACOSX) && defined(HAVE_DLADDR) X-// Use dladdr to symbolize. X-# define HAVE_SYMBOLIZE X-#endif X- X #ifndef ARRAYSIZE X // There is a better way, but this is good enough for our purpose. X # define ARRAYSIZE(a) (sizeof(a) / sizeof(*(a))) bea7184faec56e1d57d56edd23b817c9 exit