osquery-1/osquery/events/darwin/iokit.h

/**
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
 *  This source code is licensed under both the Apache 2.0 license (found in the
 *  LICENSE file in the root directory of this source tree) and the GPLv2 (found
 *  in the COPYING file in the root directory of this source tree).
 *  You may select, at your option, one of the above-listed licenses.
 */

#pragma once

#include <atomic>
#include <iomanip>

#include <CoreServices/CoreServices.h>
#include <IOKit/IOKitLib.h>

#include <osquery/events.h>
#include <osquery/status.h>

#include "osquery/core/conversions.h"
#include "osquery/core/darwin/iokit.hpp"

namespace osquery {

struct IOKitSubscriptionContext : public SubscriptionContext {
  std::string model_id;
  std::string vendor_id;

  /// Bus type, e.g., USB.
  std::string type;
};

struct IOKitEventContext : public EventContext {
  enum Action {
    DEVICE_ATTACH = 0,
    DEVICE_DETACH,
  };

  Action action;
  std::string type;
  std::string vendor;
  std::string model;
  std::string vendor_id;
  std::string model_id;
  std::string path;
  std::string driver;
  std::string version;
  std::string serial;
};

using IOKitEventContextRef = std::shared_ptr<IOKitEventContext>;
using IOKitSubscriptionContextRef = std::shared_ptr<IOKitSubscriptionContext>;

struct DeviceTracker;

class IOKitEventPublisher
    : public EventPublisher<IOKitSubscriptionContext, IOKitEventContext> {
  DECLARE_PUBLISHER("iokit");

 public:
  IOKitEventPublisher(const std::string& name = "IOKitEventPublisher")
      : EventPublisher() {
    runnable_name_ = name;
  }

  void tearDown() override;

  Status run() override;

  bool shouldFire(const IOKitSubscriptionContextRef& sc,
                  const IOKitEventContextRef& ec) const override;

 public:
  // Callbacks
  static void deviceAttach(void* refcon, io_iterator_t iterator);
  static void deviceDetach(void* refcon,
                           io_service_t device,
                           natural_t type,
                           void*);

  void newEvent(const io_service_t& device, IOKitEventContext::Action action);

 private:
  void restart();
  void stop() override;

 private:
  /// The publisher state machine will start, restart, and stop the run loop.
  CFRunLoopRef run_loop_{nullptr};

  /// Notification port, should close.
  IONotificationPortRef port_{nullptr};

  /// Device attach iterator.
  io_iterator_t iterator_;

  /// Device detach notification.
  std::vector<std::shared_ptr<struct DeviceTracker>> devices_;

  /// Device notification and container access protection mutex.
  mutable Mutex mutex_;

  /**
   * @brief Should events be emitted by the callback.
   *
   * The callback registration initially returns all matches, these must be
   * consumed by an iterator walk. Do not emit events for this initial seed.
   * The publisher started boolean is set after a successful restart.
   */
  std::atomic<bool> publisher_started_{false};
};
}
license: Change license to Apache 2.0 and GPLv2 (#4007) 2017-12-19 00:04:06 +00:00			`/**`
[osquery] Update copyright headers to new format. 2016-02-11 19:48:58 +00:00			`* Copyright (c) 2014-present, Facebook, Inc.`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00			`* All rights reserved.`
			`*`
license: Change license to Apache 2.0 and GPLv2 (#4007) 2017-12-19 00:04:06 +00:00			`* This source code is licensed under both the Apache 2.0 license (found in the`
			`* LICENSE file in the root directory of this source tree) and the GPLv2 (found`
			`* in the COPYING file in the root directory of this source tree).`
			`* You may select, at your option, one of the above-listed licenses.`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00			`*/`

			`#pragma once`

Enhance publisher resource locking on OS X 2016-03-18 23:14:15 +00:00			`#include <atomic>`
OS X IOKit utilities refactor to allow SKIP_TABLES (#2335) 2016-08-10 03:49:56 +00:00			`#include <iomanip>`
Enhance publisher resource locking on OS X 2016-03-18 23:14:15 +00:00
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00			`#include <CoreServices/CoreServices.h>`
IOKitLib.h not IOKitlib.h As with all other appearances of IOKitLib.h in the osquery sources, use the capitalization "IOKitLib.h" not "IOKitlib.h" to avoid build failure on case-sensitive file systems. 2016-03-15 16:43:11 +00:00			`#include <IOKit/IOKitLib.h>`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00
darwin: Separate IOKit routines from IOKit event support (#4087) 2018-02-09 17:07:53 +00:00			`#include <osquery/events.h>`
			`#include <osquery/status.h>`

OS X IOKit utilities refactor to allow SKIP_TABLES (#2335) 2016-08-10 03:49:56 +00:00			`#include "osquery/core/conversions.h"`
darwin: Separate IOKit routines from IOKit event support (#4087) 2018-02-09 17:07:53 +00:00			`#include "osquery/core/darwin/iokit.hpp"`
OS X IOKit utilities refactor to allow SKIP_TABLES (#2335) 2016-08-10 03:49:56 +00:00
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00			`namespace osquery {`

			`struct IOKitSubscriptionContext : public SubscriptionContext {`
			`std::string model_id;`
			`std::string vendor_id;`

			`/// Bus type, e.g., USB.`
			`std::string type;`
			`};`

			`struct IOKitEventContext : public EventContext {`
			`enum Action {`
			`DEVICE_ATTACH = 0,`
			`DEVICE_DETACH,`
			`};`

			`Action action;`
			`std::string type;`
			`std::string vendor;`
			`std::string model;`
			`std::string vendor_id;`
			`std::string model_id;`
			`std::string path;`
			`std::string driver;`
			`std::string version;`
			`std::string serial;`
			`};`

Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`using IOKitEventContextRef = std::shared_ptr<IOKitEventContext>;`
			`using IOKitSubscriptionContextRef = std::shared_ptr<IOKitSubscriptionContext>;`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00
			`struct DeviceTracker;`

			`class IOKitEventPublisher`
			`: public EventPublisher<IOKitSubscriptionContext, IOKitEventContext> {`
			`DECLARE_PUBLISHER("iokit");`

			`public:`
Add labels for threads (#4295) 2018-07-23 18:13:43 +00:00			`IOKitEventPublisher(const std::string& name = "IOKitEventPublisher")`
			`: EventPublisher() {`
			`runnable_name_ = name;`
			`}`

Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`void tearDown() override;`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`Status run() override;`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00
			`bool shouldFire(const IOKitSubscriptionContextRef& sc,`
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`const IOKitEventContextRef& ec) const override;`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00
			`public:`
			`// Callbacks`
			`static void deviceAttach(void* refcon, io_iterator_t iterator);`
			`static void deviceDetach(void* refcon,`
			`io_service_t device,`
			`natural_t type,`
			`void*);`

			`void newEvent(const io_service_t& device, IOKitEventContext::Action action);`

			`private:`
			`void restart();`
[Fix #1920] Detach thread before joining/clearing (terminate) 2016-03-12 09:23:09 +00:00			`void stop() override;`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00
			`private:`
Enhance publisher resource locking on OS X 2016-03-18 23:14:15 +00:00			`/// The publisher state machine will start, restart, and stop the run loop.`
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`CFRunLoopRef run_loop_{nullptr};`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00
Enhance publisher resource locking on OS X 2016-03-18 23:14:15 +00:00			`/// Notification port, should close.`
Remove passwd_changes and user_data from event callbacks 2015-12-08 01:15:30 +00:00			`IONotificationPortRef port_{nullptr};`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00
Enhance publisher resource locking on OS X 2016-03-18 23:14:15 +00:00			`/// Device attach iterator.`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00			`io_iterator_t iterator_;`

Enhance publisher resource locking on OS X 2016-03-18 23:14:15 +00:00			`/// Device detach notification.`
			`std::vector<std::shared_ptr<struct DeviceTracker>> devices_;`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00
Enhance publisher resource locking on OS X 2016-03-18 23:14:15 +00:00			`/// Device notification and container access protection mutex.`
			`mutable Mutex mutex_;`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00
			`/**`
			`* @brief Should events be emitted by the callback.`
			`*`
			`* The callback registration initially returns all matches, these must be`
			`* consumed by an iterator walk. Do not emit events for this initial seed.`
			`* The publisher started boolean is set after a successful restart.`
			`*/`
Enhance publisher resource locking on OS X 2016-03-18 23:14:15 +00:00			`std::atomic<bool> publisher_started_{false};`
Rewrite OS X hardware events to use IOKit proper 2015-11-16 06:37:28 +00:00			`};`
			`}`