From 208d2324d5823d48d06263dd9de4fbb93c118d22 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Fri, 14 Oct 2016 10:23:37 -0700 Subject: [PATCH] Extending chrome browser extension table to Windows (#2619) --- osquery/core/posix/process_ops.cpp | 8 ++- osquery/core/process.h | 19 +++-- osquery/core/windows/process_ops.cpp | 57 ++++++++++++--- osquery/events/linux/tests/inotify_tests.cpp | 14 ++-- osquery/filesystem/tests/fileops_tests.cpp | 42 +++++++---- osquery/filesystem/tests/filesystem_tests.cpp | 72 +++++++++++-------- osquery/filesystem/windows/fileops.cpp | 10 ++- osquery/tables/CMakeLists.txt | 8 +-- .../tables/applications/browser_chrome.cpp | 36 ++++++++++ .../{posix => }/browser_utils.cpp | 4 +- .../applications/{posix => }/browser_utils.h | 7 ++ .../applications/darwin/browser_plugins.cpp | 2 +- .../applications/posix/browser_chrome.cpp | 31 -------- .../applications/posix/browser_firefox.cpp | 2 +- .../applications/posix/browser_opera.cpp | 2 +- .../system/{posix => }/system_utils.cpp | 14 ++-- osquery/tests/test_util.cpp | 7 +- specs/{posix => }/chrome_extensions.table | 0 18 files changed, 217 insertions(+), 118 deletions(-) create mode 100644 osquery/tables/applications/browser_chrome.cpp rename osquery/tables/applications/{posix => }/browser_utils.cpp (96%) rename osquery/tables/applications/{posix => }/browser_utils.h (88%) delete mode 100644 osquery/tables/applications/posix/browser_chrome.cpp rename osquery/tables/system/{posix => }/system_utils.cpp (80%) rename specs/{posix => }/chrome_extensions.table (100%) diff --git a/osquery/core/posix/process_ops.cpp b/osquery/core/posix/process_ops.cpp index e5a6ff03..fef681fc 100644 --- a/osquery/core/posix/process_ops.cpp +++ b/osquery/core/posix/process_ops.cpp @@ -24,8 +24,8 @@ namespace osquery { -std::string getUserId() { - return std::to_string(::getuid()); +int platformGetUid() { + return ::getuid(); } bool isLauncherProcessDead(PlatformProcess& launcher) { @@ -82,4 +82,8 @@ void setToBackgroundPriority() { bool isUserAdmin() { return getuid() == 0; } + +int platformGetPid() { + return (int)getpid(); +} } diff --git a/osquery/core/process.h b/osquery/core/process.h index a4c244e6..81f4fceb 100644 --- a/osquery/core/process.h +++ b/osquery/core/process.h @@ -208,8 +208,8 @@ class SecurityDescriptor { }; #endif -/// Returns the current user's ID (UID on POSIX systems and SID for Windows) -std::string getUserId(); +/// Returns the current user's ID (UID on POSIX systems and RID for Windows) +int platformGetUid(); /// Causes the current thread to sleep for a specified time in milliseconds. void sleepFor(size_t msec); @@ -255,8 +255,11 @@ std::string platformModuleGetError(); */ bool platformModuleClose(ModuleHandle module); -/// Checks to see if the launcher process is dead (only works for worker -/// processes). +/** + * @brief Checks to see if the launcher process is dead + * + * Note, this only works on worker processes. + */ bool isLauncherProcessDead(PlatformProcess& launcher); /// Waits for defunct processes to terminate. @@ -264,4 +267,12 @@ void cleanupDefunctProcesses(); /// Sets the current process to run with background scheduling priority. void setToBackgroundPriority(); + +/** +* @brief Returns the current processes pid +* +* On Windows, returns the value of GetCurrentProcessId +* and on posix platforms returns getpid() +*/ +int platformGetPid(); } diff --git a/osquery/core/windows/process_ops.cpp b/osquery/core/windows/process_ops.cpp index 24d9b965..f6a199cb 100644 --- a/osquery/core/windows/process_ops.cpp +++ b/osquery/core/windows/process_ops.cpp @@ -8,28 +8,36 @@ * */ +#define _WIN32_DCOM +#define WIN32_LEAN_AND_MEAN +#include +// clang-format off +#include +// clang-format on + #include #include #include #include "osquery/core/process.h" +#include "osquery/core/windows/wmi.h" #include "osquery/system.h" namespace osquery { -std::string getUserId() { +int platformGetUid() { DWORD nbytes = 0; HANDLE token = INVALID_HANDLE_VALUE; if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token)) { - return ""; + return -1; } ::GetTokenInformation(token, TokenUser, nullptr, 0, &nbytes); if (nbytes == 0) { ::CloseHandle(token); - return ""; + return -1; } std::vector tu_buffer; @@ -43,19 +51,46 @@ std::string getUserId() { &nbytes); ::CloseHandle(token); if (status == 0) { - return ""; + return -1; } LPSTR sid = nullptr; tu = (PTOKEN_USER)tu_buffer.data(); - if (!::ConvertSidToStringSidA(tu->User.Sid, &sid)) { - return ""; + SID_NAME_USE eUse = SidTypeUnknown; + DWORD unameSize = 0; + DWORD domNameSize = 1; + + // LookupAccountSid first gets the size of the username buff required. + LookupAccountSid( + nullptr, tu->User.Sid, nullptr, &unameSize, nullptr, &domNameSize, &eUse); + + std::vector uname(unameSize); + std::vector domName(domNameSize); + auto ret = LookupAccountSid(nullptr, + tu->User.Sid, + uname.data(), + &unameSize, + domName.data(), + &domNameSize, + &eUse); + + if (ret == 0) { + return -1; } - std::string uid(sid); - ::LocalFree(sid); + // USER_INFO_3 struct contains the RID (uid) of our user + DWORD userInfoLevel = 3; + LPUSER_INFO_3 userBuff = nullptr; + std::wstring wideUserName = stringToWstring(std::string(uname.data())); + ret = NetUserGetInfo( + nullptr, wideUserName.c_str(), userInfoLevel, (LPBYTE*)&userBuff); - return uid; + if (ret != NERR_Success) { + return -1; + } + + ::LocalFree(sid); + return userBuff->usri3_user_id; } bool isLauncherProcessDead(PlatformProcess& launcher) { @@ -147,4 +182,8 @@ bool isUserAdmin() { } return Elevation.TokenIsElevated ? true : false; } + +int platformGetPid() { + return (int)GetCurrentProcessId(); +} } diff --git a/osquery/events/linux/tests/inotify_tests.cpp b/osquery/events/linux/tests/inotify_tests.cpp index e1e7be8f..582cad69 100644 --- a/osquery/events/linux/tests/inotify_tests.cpp +++ b/osquery/events/linux/tests/inotify_tests.cpp @@ -19,8 +19,8 @@ #include #include -#include "osquery/tests/test_util.h" #include "osquery/events/linux/inotify.h" +#include "osquery/tests/test_util.h" namespace fs = boost::filesystem; @@ -233,7 +233,9 @@ TEST_F(INotifyTests, test_inotify_match_subscription) { class TestINotifyEventSubscriber : public EventSubscriber { public: - TestINotifyEventSubscriber() { setName("TestINotifyEventSubscriber"); } + TestINotifyEventSubscriber() { + setName("TestINotifyEventSubscriber"); + } Status init() override { callback_count_ = 0; @@ -283,7 +285,9 @@ class TestINotifyEventSubscriber return actions_; } - int count() { return callback_count_; } + int count() { + return callback_count_; + } public: std::atomic callback_count_{0}; @@ -450,7 +454,7 @@ TEST_F(INotifyTests, test_inotify_recursion) { pub->configure(); // Expect only the directories to be monitored. - EXPECT_EQ(pub->path_descriptors_.size(), 6U); + EXPECT_EQ(pub->path_descriptors_.size(), 11U); RemoveAll(pub); // Use a directory structure that includes a loop. @@ -463,7 +467,7 @@ TEST_F(INotifyTests, test_inotify_recursion) { pub->configure(); // Also expect canonicalized resolution (to prevent loops). - EXPECT_EQ(pub->path_descriptors_.size(), 6U); + EXPECT_EQ(pub->path_descriptors_.size(), 11U); RemoveAll(pub); // Remove mock directory structure. diff --git a/osquery/filesystem/tests/fileops_tests.cpp b/osquery/filesystem/tests/fileops_tests.cpp index fbbab3f6..eee10f0b 100644 --- a/osquery/filesystem/tests/fileops_tests.cpp +++ b/osquery/filesystem/tests/fileops_tests.cpp @@ -239,7 +239,8 @@ TEST_F(FileOpsTests, test_glob) { kFakeDirectory + "/door.txt", kFakeDirectory + "/root.txt", kFakeDirectory + "/root2.txt", - kFakeDirectory + "/roto.txt"}; + kFakeDirectory + "/roto.txt", + kFakeDirectory + "/toplevel/"}; auto result = platformGlob(kFakeDirectory + "/*"); EXPECT_TRUE(globResultsMatch(result, expected)); } @@ -249,15 +250,21 @@ TEST_F(FileOpsTests, test_glob) { kFakeDirectory + "/deep1/level1.txt", kFakeDirectory + "/deep11/deep2/", kFakeDirectory + "/deep11/level1.txt", - kFakeDirectory + "/deep11/not_bash"}; + kFakeDirectory + "/deep11/not_bash", + kFakeDirectory + "/toplevel/secondlevel1/", + kFakeDirectory + "/toplevel/secondlevel2/", + kFakeDirectory + "/toplevel/secondlevel3/"}; auto result = platformGlob(kFakeDirectory + "/*/*"); EXPECT_TRUE(globResultsMatch(result, expected)); } { - std::vector expected{kFakeDirectory + "/deep1/deep2/level2.txt", - kFakeDirectory + "/deep11/deep2/deep3/", - kFakeDirectory + "/deep11/deep2/level2.txt"}; + std::vector expected{ + kFakeDirectory + "/deep1/deep2/level2.txt", + kFakeDirectory + "/deep11/deep2/deep3/", + kFakeDirectory + "/deep11/deep2/level2.txt", + kFakeDirectory + "/toplevel/secondlevel3/thirdlevel1/", + }; auto result = platformGlob(kFakeDirectory + "/*/*/*"); EXPECT_TRUE(globResultsMatch(result, expected)); } @@ -285,16 +292,21 @@ TEST_F(FileOpsTests, test_glob) { } { - std::vector expected{kFakeDirectory + "/deep1/deep2/", -#ifdef WIN32 - kFakeDirectory + "/deep1/level1.txt", - kFakeDirectory + "/deep11/deep2/", -#else - kFakeDirectory + "/deep11/deep2/", - kFakeDirectory + "/deep1/level1.txt", -#endif - kFakeDirectory + "/deep11/level1.txt", - kFakeDirectory + "/deep11/not_bash"}; + std::vector expected; + if (isPlatform(PlatformType::TYPE_WINDOWS)) { + expected = {kFakeDirectory + "/deep1/deep2/", + kFakeDirectory + "/deep1/level1.txt", + kFakeDirectory + "/deep11/deep2/", + kFakeDirectory + "/deep11/level1.txt", + kFakeDirectory + "/deep11/not_bash"}; + } else { + expected = {kFakeDirectory + "/deep1/deep2/", + kFakeDirectory + "/deep11/deep2/", + kFakeDirectory + "/deep1/level1.txt", + kFakeDirectory + "/deep11/level1.txt", + kFakeDirectory + "/deep11/not_bash"}; + } + auto result = platformGlob(kFakeDirectory + "/*/{deep2,level1,not_bash}{,.txt}"); EXPECT_TRUE(globResultsMatch(result, expected)); diff --git a/osquery/filesystem/tests/filesystem_tests.cpp b/osquery/filesystem/tests/filesystem_tests.cpp index 2fc91d8c..813fccca 100644 --- a/osquery/filesystem/tests/filesystem_tests.cpp +++ b/osquery/filesystem/tests/filesystem_tests.cpp @@ -54,7 +54,6 @@ std::string kDoorTxtPath; std::string kDeep11Path; class FilesystemTests : public testing::Test { - protected: void SetUp() { createMockFileStructure(); @@ -65,10 +64,12 @@ class FilesystemTests : public testing::Test { fs::path(kFakeDirectory + "/deep11").make_preferred().string(); } - void TearDown() { tearDownMockFileStructure(); } + void TearDown() { + tearDownMockFileStructure(); + } /// Helper method to check if a path was included in results. - bool contains(const std::vector &all, const std::string &n) { + bool contains(const std::vector& all, const std::string& n) { return !(std::find(all.begin(), all.end(), n) == all.end()); } }; @@ -98,8 +99,7 @@ TEST_F(FilesystemTests, test_read_limit) { EXPECT_FALSE(status.ok()); FLAGS_read_max = max; -#ifndef WIN32 - if (getuid() != 0) { + if (platformGetUid() != 0) { content.erase(); FLAGS_read_user_max = 2; status = readFile(kFakeDirectory + "/root.txt", content); @@ -115,7 +115,6 @@ TEST_F(FilesystemTests, test_read_limit) { status = readFile(kFakeDirectory + "/root2.txt", content); EXPECT_TRUE(status.ok()); } -#endif } TEST_F(FilesystemTests, test_list_files_missing_directory) { @@ -142,6 +141,14 @@ TEST_F(FilesystemTests, test_list_files_valid_directory) { EXPECT_TRUE(contains(results, kEtcHostsPath)); } +TEST_F(FilesystemTests, test_intermediate_globbing_directories) { + fs::path thirdLevelDir = + fs::path(kFakeDirectory) / "toplevel" / "%" / "thirdlevel1"; + std::vector results; + resolveFilePattern(thirdLevelDir, results); + EXPECT_EQ(results.size(), 1U); +} + TEST_F(FilesystemTests, test_canonicalization) { std::string complex = (fs::path(kFakeDirectory) / "deep1" / ".." / "deep1" / "..") @@ -179,7 +186,7 @@ TEST_F(FilesystemTests, test_simple_globs) { // Test the shell '*', we will support SQL's '%' too. auto status = resolveFilePattern(kFakeDirectory + "/*", results); EXPECT_TRUE(status.ok()); - EXPECT_EQ(results.size(), 6U); + EXPECT_EQ(results.size(), 7U); // Test the csh-style bracket syntax: {}. results.clear(); @@ -199,7 +206,7 @@ TEST_F(FilesystemTests, test_wildcard_single_all) { std::vector results; auto status = resolveFilePattern(kFakeDirectory + "/%", results, GLOB_ALL); EXPECT_TRUE(status.ok()); - EXPECT_EQ(results.size(), 6U); + EXPECT_EQ(results.size(), 7U); EXPECT_TRUE(contains( results, fs::path(kFakeDirectory + "/roto.txt").make_preferred().string())); @@ -221,7 +228,7 @@ TEST_F(FilesystemTests, test_wildcard_single_files) { TEST_F(FilesystemTests, test_wildcard_single_folders) { std::vector results; resolveFilePattern(kFakeDirectory + "/%", results, GLOB_FOLDERS); - EXPECT_EQ(results.size(), 2U); + EXPECT_EQ(results.size(), 3U); EXPECT_TRUE(contains( results, fs::path(kFakeDirectory + "/deep11/").make_preferred().string())); @@ -232,9 +239,10 @@ TEST_F(FilesystemTests, test_wildcard_dual) { std::vector results; auto status = resolveFilePattern(kFakeDirectory + "/%/%", results); EXPECT_TRUE(status.ok()); - EXPECT_TRUE(contains(results, fs::path(kFakeDirectory + "/deep1/level1.txt") - .make_preferred() - .string())); + EXPECT_TRUE(contains(results, + fs::path(kFakeDirectory + "/deep1/level1.txt") + .make_preferred() + .string())); } TEST_F(FilesystemTests, test_wildcard_double) { @@ -242,21 +250,21 @@ TEST_F(FilesystemTests, test_wildcard_double) { std::vector results; auto status = resolveFilePattern(kFakeDirectory + "/%%", results); EXPECT_TRUE(status.ok()); - EXPECT_EQ(results.size(), 15U); - EXPECT_TRUE( - contains(results, fs::path(kFakeDirectory + "/deep1/deep2/level2.txt") - .make_preferred() - .string())); + EXPECT_EQ(results.size(), 20U); + EXPECT_TRUE(contains(results, + fs::path(kFakeDirectory + "/deep1/deep2/level2.txt") + .make_preferred() + .string())); } TEST_F(FilesystemTests, test_wildcard_double_folders) { std::vector results; resolveFilePattern(kFakeDirectory + "/%%", results, GLOB_FOLDERS); - EXPECT_EQ(results.size(), 5U); - EXPECT_TRUE( - contains(results, fs::path(kFakeDirectory + "/deep11/deep2/deep3/") - .make_preferred() - .string())); + EXPECT_EQ(results.size(), 10U); + EXPECT_TRUE(contains(results, + fs::path(kFakeDirectory + "/deep11/deep2/deep3/") + .make_preferred() + .string())); } TEST_F(FilesystemTests, test_wildcard_end_last_component) { @@ -275,12 +283,14 @@ TEST_F(FilesystemTests, test_wildcard_middle_component) { EXPECT_TRUE(status.ok()); EXPECT_EQ(results.size(), 5U); - EXPECT_TRUE(contains(results, fs::path(kFakeDirectory + "/deep1/level1.txt") - .make_preferred() - .string())); - EXPECT_TRUE(contains(results, fs::path(kFakeDirectory + "/deep11/level1.txt") - .make_preferred() - .string())); + EXPECT_TRUE(contains(results, + fs::path(kFakeDirectory + "/deep1/level1.txt") + .make_preferred() + .string())); + EXPECT_TRUE(contains(results, + fs::path(kFakeDirectory + "/deep11/level1.txt") + .make_preferred() + .string())); } TEST_F(FilesystemTests, test_wildcard_all_types) { @@ -288,8 +298,9 @@ TEST_F(FilesystemTests, test_wildcard_all_types) { auto status = resolveFilePattern(kFakeDirectory + "/%p11/%/%%", results); EXPECT_TRUE(status.ok()); - EXPECT_TRUE(contains( - results, fs::path(kFakeDirectory + "/deep11/deep2/deep3/level3.txt") + EXPECT_TRUE( + contains(results, + fs::path(kFakeDirectory + "/deep11/deep2/deep3/level3.txt") .make_preferred() .string())); } @@ -393,4 +404,3 @@ TEST_F(FilesystemTests, test_read_urandom) { } #endif } - diff --git a/osquery/filesystem/windows/fileops.cpp b/osquery/filesystem/windows/fileops.cpp index f4f52129..26903917 100644 --- a/osquery/filesystem/windows/fileops.cpp +++ b/osquery/filesystem/windows/fileops.cpp @@ -1024,7 +1024,9 @@ std::vector platformGlob(const std::string& find_path) { boost::system::error_code ec; if (fs::exists(valid_path / component, ec) && ec.value() == errc::success) { - tmp_valid_paths.push_back(valid_path / component); + fs::path tmp_vpath = + component.string() != "." ? valid_path / component : valid_path; + tmp_valid_paths.push_back(tmp_vpath); } } } @@ -1054,7 +1056,11 @@ std::vector platformGlob(const std::string& find_path) { } } } else { - WindowsFindFiles wf(valid_path / full_path.filename()); + fs::path glob_path = full_path.filename() == "." + ? valid_path + : valid_path / full_path.filename(); + + WindowsFindFiles wf(glob_path); for (auto& result : wf.get()) { auto result_path = result.make_preferred().string(); diff --git a/osquery/tables/CMakeLists.txt b/osquery/tables/CMakeLists.txt index c8fe70d2..8b79f841 100644 --- a/osquery/tables/CMakeLists.txt +++ b/osquery/tables/CMakeLists.txt @@ -106,10 +106,10 @@ if(NOT WINDOWS) endif() # No cross-platform application tables yet. -# file(GLOB OSQUERY_CROSS_APPLICATIONS_TABLES "applications/*.cpp") -# ADD_OSQUERY_LIBRARY_ADDITIONAL(osquery_tables_applications -# ${OSQUERY_CROSS_APPLICATIONS_TABLES} -#) +file(GLOB OSQUERY_CROSS_APPLICATIONS_TABLES "applications/*.cpp") +ADD_OSQUERY_LIBRARY_ADDITIONAL(osquery_tables_applications + ${OSQUERY_CROSS_APPLICATIONS_TABLES} +) file(GLOB OSQUERY_CROSS_NETWORKING_TABLES "networking/*.cpp") ADD_OSQUERY_LIBRARY_ADDITIONAL(osquery_tables_networking diff --git a/osquery/tables/applications/browser_chrome.cpp b/osquery/tables/applications/browser_chrome.cpp new file mode 100644 index 00000000..46a901e8 --- /dev/null +++ b/osquery/tables/applications/browser_chrome.cpp @@ -0,0 +1,36 @@ +/* + * Copyright (c) 2014-present, Facebook, Inc. + * All rights reserved. + * + * This source code is licensed under the BSD-style license found in the + * LICENSE file in the root directory of this source tree. An additional grant + * of patent rights can be found in the PATENTS file in the same directory. + * + */ + +#include "osquery/tables/applications/browser_utils.h" + +namespace fs = boost::filesystem; +namespace pt = boost::property_tree; + +namespace osquery { +namespace tables { + +#pragma warning(disable : 4503) + +QueryData genChromeExtensions(QueryContext& context) { + fs::path chromePath; + + /// Each home directory will include custom extensions. + if (isPlatform(PlatformType::TYPE_WINDOWS)) { + chromePath = "\\AppData\\Local\\Google\\Chrome\\User Data\\%\\Extensions\\"; + } else if (isPlatform(PlatformType::TYPE_OSX)) { + chromePath = "/Library/Application Support/Google/Chrome/%/Extensions/"; + } else { + chromePath = "/.config/google-chrome/%/Extensions/"; + } + + return genChromeBasedExtensions(context, chromePath); +} +} +} diff --git a/osquery/tables/applications/posix/browser_utils.cpp b/osquery/tables/applications/browser_utils.cpp similarity index 96% rename from osquery/tables/applications/posix/browser_utils.cpp rename to osquery/tables/applications/browser_utils.cpp index d9635b60..857f150c 100644 --- a/osquery/tables/applications/posix/browser_utils.cpp +++ b/osquery/tables/applications/browser_utils.cpp @@ -10,7 +10,7 @@ #include -#include "osquery/tables/applications/posix/browser_utils.h" +#include "osquery/tables/applications/browser_utils.h" #include "osquery/tables/system/system_utils.h" namespace osquery { @@ -42,7 +42,7 @@ void genExtension(const std::string& uid, std::stringstream json_stream; json_stream << json_data; pt::read_json(json_stream, tree); - } catch (const pt::json_parser::json_parser_error& e) { + } catch (const pt::json_parser::json_parser_error& /* e */) { VLOG(1) << "Could not parse JSON from: " << path + kManifestFile; return; } diff --git a/osquery/tables/applications/posix/browser_utils.h b/osquery/tables/applications/browser_utils.h similarity index 88% rename from osquery/tables/applications/posix/browser_utils.h rename to osquery/tables/applications/browser_utils.h index 8c64128f..76608e91 100644 --- a/osquery/tables/applications/posix/browser_utils.h +++ b/osquery/tables/applications/browser_utils.h @@ -10,7 +10,14 @@ #pragma once +#ifdef WIN32 +#pragma warning(push, 3) +#pragma warning(disable : 4715) +#endif #include +#ifdef WIN32 +#pragma warning(pop) +#endif #include #include diff --git a/osquery/tables/applications/darwin/browser_plugins.cpp b/osquery/tables/applications/darwin/browser_plugins.cpp index c564c786..d704aa81 100644 --- a/osquery/tables/applications/darwin/browser_plugins.cpp +++ b/osquery/tables/applications/darwin/browser_plugins.cpp @@ -16,7 +16,7 @@ #include #include -#include "osquery/tables/applications/posix/browser_utils.h" +#include "osquery/tables/applications/browser_utils.h" #include "osquery/tables/system/system_utils.h" namespace fs = boost::filesystem; diff --git a/osquery/tables/applications/posix/browser_chrome.cpp b/osquery/tables/applications/posix/browser_chrome.cpp deleted file mode 100644 index 42ff565f..00000000 --- a/osquery/tables/applications/posix/browser_chrome.cpp +++ /dev/null @@ -1,31 +0,0 @@ -/* - * Copyright (c) 2014-present, Facebook, Inc. - * All rights reserved. - * - * This source code is licensed under the BSD-style license found in the - * LICENSE file in the root directory of this source tree. An additional grant - * of patent rights can be found in the PATENTS file in the same directory. - * - */ - -#include "osquery/tables/applications/posix/browser_utils.h" - -namespace fs = boost::filesystem; -namespace pt = boost::property_tree; - -namespace osquery { -namespace tables { - -/// Each home directory will include custom extensions. -#ifdef __APPLE__ -#define kChromePath "/Library/Application Support/Google/Chrome/%/" -#else -#define kChromePath "/.config/google-chrome/%/" -#endif -#define kChromeExtensionsPath "Extensions/" - -QueryData genChromeExtensions(QueryContext& context) { - return genChromeBasedExtensions(context, (kChromePath kChromeExtensionsPath)); -} -} -} diff --git a/osquery/tables/applications/posix/browser_firefox.cpp b/osquery/tables/applications/posix/browser_firefox.cpp index 6dcb5fef..e44629c8 100644 --- a/osquery/tables/applications/posix/browser_firefox.cpp +++ b/osquery/tables/applications/posix/browser_firefox.cpp @@ -14,7 +14,7 @@ #include #include -#include "osquery/tables/applications/posix/browser_utils.h" +#include "osquery/tables/applications/browser_utils.h" #include "osquery/tables/system/system_utils.h" namespace fs = boost::filesystem; diff --git a/osquery/tables/applications/posix/browser_opera.cpp b/osquery/tables/applications/posix/browser_opera.cpp index d25b66df..9fd7a661 100644 --- a/osquery/tables/applications/posix/browser_opera.cpp +++ b/osquery/tables/applications/posix/browser_opera.cpp @@ -8,7 +8,7 @@ * */ -#include "osquery/tables/applications/posix/browser_utils.h" +#include "osquery/tables/applications/browser_utils.h" namespace fs = boost::filesystem; namespace pt = boost::property_tree; diff --git a/osquery/tables/system/posix/system_utils.cpp b/osquery/tables/system/system_utils.cpp similarity index 80% rename from osquery/tables/system/posix/system_utils.cpp rename to osquery/tables/system/system_utils.cpp index 24f3f01e..d16d6ab0 100644 --- a/osquery/tables/system/posix/system_utils.cpp +++ b/osquery/tables/system/system_utils.cpp @@ -17,15 +17,13 @@ QueryData usersFromContext(const QueryContext& context, bool all) { QueryData users; if (context.hasConstraint("uid", EQUALS)) { context.forEachConstraint( - "uid", - EQUALS, - ([&users](const std::string& expr) { + "uid", EQUALS, ([&users](const std::string& expr) { auto user = SQL::selectAllFrom("users", "uid", EQUALS, expr); users.insert(users.end(), user.begin(), user.end()); })); } else if (!all) { - users = - SQL::selectAllFrom("users", "uid", EQUALS, std::to_string(getuid())); + users = SQL::selectAllFrom( + "users", "uid", EQUALS, std::to_string(platformGetUid())); } else { users = SQL::selectAllFrom("users"); } @@ -36,15 +34,13 @@ QueryData pidsFromContext(const QueryContext& context, bool all) { QueryData procs; if (context.hasConstraint("pid", EQUALS)) { context.forEachConstraint( - "pid", - EQUALS, - ([&procs](const std::string& expr) { + "pid", EQUALS, ([&procs](const std::string& expr) { auto proc = SQL::selectAllFrom("processes", "pid", EQUALS, expr); procs.insert(procs.end(), procs.begin(), procs.end()); })); } else if (!all) { procs = SQL::selectAllFrom( - "processes", "pid", EQUALS, std::to_string(getpid())); + "processes", "pid", EQUALS, std::to_string(platformGetPid())); } else { procs = SQL::selectAllFrom("processes"); } diff --git a/osquery/tests/test_util.cpp b/osquery/tests/test_util.cpp index a59a260d..b51e58c6 100644 --- a/osquery/tests/test_util.cpp +++ b/osquery/tests/test_util.cpp @@ -82,7 +82,7 @@ void initTesting() { // Set safe default values for path-based flags. // Specific unittests may edit flags temporarily. - kTestWorkingDirectory += getUserId() + "/"; + kTestWorkingDirectory += std::to_string(platformGetUid()) + "/"; kFakeDirectory = kTestWorkingDirectory + kFakeDirectoryName; fs::remove_all(kTestWorkingDirectory); @@ -393,6 +393,11 @@ QueryData getEtcProtocolsExpectedResults() { } void createMockFileStructure() { + fs::create_directories(kFakeDirectory + "/toplevel/"); + fs::create_directories(kFakeDirectory + "/toplevel/secondlevel1"); + fs::create_directories(kFakeDirectory + "/toplevel/secondlevel2"); + fs::create_directories(kFakeDirectory + "/toplevel/secondlevel3"); + fs::create_directories(kFakeDirectory + "/toplevel/secondlevel3/thirdlevel1"); fs::create_directories(kFakeDirectory + "/deep11/deep2/deep3/"); fs::create_directories(kFakeDirectory + "/deep1/deep2/"); writeTextFile(kFakeDirectory + "/root.txt", "root"); diff --git a/specs/posix/chrome_extensions.table b/specs/chrome_extensions.table similarity index 100% rename from specs/posix/chrome_extensions.table rename to specs/chrome_extensions.table