Merge pull request #1311 from mofarrell/package-kernel

Build system changes for kernel extension testing and deployment.
2024-11-08 10:23:54 +00:00 · 2015-07-10 10:42:17 -07:00 · 2015-07-10 10:42:17 -07:00 · 4e7e18844e
commit 4e7e18844e
parent 066962267d dd1f0af0ff
6 changed files with 97 additions and 22 deletions
--- a/CMake/Packages.cmake
+++ b/CMake/Packages.cmake
@ -1,12 +1,22 @@
 # make package
 if(APPLE)
-  add_custom_target(
-    packages
-    "${CMAKE_SOURCE_DIR}/tools/deployment/make_osx_package.sh"
-    WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
-    COMMENT "Building default OS X package (no custom config)" VERBATIM
-    DEPENDS daemon shell
-  )
+  if(DEFINED ENV{PACKAGE_KERNEL})
+    add_custom_target(
+      packages
+      COMMAND "${CMAKE_SOURCE_DIR}/tools/deployment/make_osx_package.sh" -k
+      WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+      COMMENT "Building default OS X package (no custom config)" VERBATIM
+      DEPENDS daemon shell kernel-build
+    )
+  else()
+    add_custom_target(
+      packages
+      COMMAND "${CMAKE_SOURCE_DIR}/tools/deployment/make_osx_package.sh"
+      WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+      COMMENT "Building default OS X package (no custom config)" VERBATIM
+      DEPENDS daemon shell
+    )
+  endif()
 elseif(LINUX)
  if(DEBIAN_BASED)
    set(PACKAGE_TYPE "deb")
--- a/kernel/CMakeLists.txt
+++ b/kernel/CMakeLists.txt
@ -109,6 +109,7 @@ if(APPLE)
    # A virtual machine shared folder/filesystem may not allow root owned files.
    COMMAND sudo cp -R "${CMAKE_BINARY_DIR}/kernel/osquery.kext" "/tmp/"
    COMMAND sudo chown -R root:wheel "/tmp/osquery.kext"
+    COMMAND sudo chmod -R 0644 "/tmp/osquery.kext"
    COMMAND sudo kextload -v "/tmp/osquery.kext"
    COMMAND echo "Wrote unsigned extension bundle: /tmp/osquery.kext"
  )
@ -117,9 +118,10 @@ if(APPLE)
  add_custom_target(
    kernel-unload
    # Unload the kernel extension.
-    COMMAND sudo kextunload -v -b "com.facebook.security.osquery"
+    COMMAND sudo "./kernel/tools/unload_with_retry.sh"
    COMMAND echo "Attempted to unload kernel extension with identifier:"
    COMMAND echo "com.facebook.security.osquery"
+    WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
  )

  # Additional helpful commands for configuring a debug environment for OS X.
@ -169,6 +171,16 @@ elseif(LINUX)
    COMMAND echo "-- No kernel dependencies for Linux"
  )

+  add_custom_target(
+    kernel-load
+    COMMAND echo "-- No kernel load for Linux"
+  )
+
+  add_custom_target(
+    kernel-unload
+    COMMAND echo "-- No kernel unload for Linux"
+  )
+
  add_custom_target(
    kernel-test
    COMMAND echo "-- No kernel test is run for Linux"
@ -189,6 +201,16 @@ else()
    COMMAND echo "-- No kernel dependencies for unsupported platform"
  )

+  add_custom_target(
+    kernel-load
+    COMMAND echo "-- No kernel load for unsupported platform"
+  )
+
+  add_custom_target(
+    kernel-unload
+    COMMAND echo "-- No kernel unload for unsupported platform"
+  )
+
  add_custom_target(
    kernel-test
    COMMAND echo "-- No kernel test is run for unsupported platform"
--- a/kernel/tools/deployment/Info.plist
+++ b/kernel/tools/deployment/Info.plist
@ -25,13 +25,13 @@
 	<key>OSBundleLibraries</key>
 	<dict>
 		<key>com.apple.kpi.bsd</key>
-		<string>14.3</string>
+		<string>14.0</string>
 		<key>com.apple.kpi.libkern</key>
-		<string>14.3</string>
+		<string>14.0</string>
 		<key>com.apple.kpi.iokit</key>
-		<string>14.3</string>
+		<string>14.0</string>
 		<key>com.apple.kpi.mach</key>
-		<string>14.3</string>
+		<string>14.0</string>
 	</dict>
 </dict>
 </plist>
--- a/kernel/tools/unload_with_retry.sh
+++ b/kernel/tools/unload_with_retry.sh
@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -e
+
+KERNEL_EXTENSION_IDENTIFIER="com.facebook.security.osquery"
+
+if kextstat | grep -qcm1 $KERNEL_EXTENSION_IDENTIFIER; then
+  tries=5
+  n=0
+  until [ $n -ge $tries ]; do
+    kextunload -b $KERNEL_EXTENSION_IDENTIFIER && break
+    n=$[$n+1]
+    sleep 1  # We need to know the daemon has stopped for long enough for the
+    # kernel extension to allow unloading.
+  done
+  if [ $n -ge $tries ]; then
+    exit 1
+  fi
+fi
--- a/tools/build.sh
+++ b/tools/build.sh
@ -23,5 +23,15 @@ make clean
 # Build osquery
 make -j$THREADS

+# Build osquery kernel
+make kernel-build
+make kernel-load
+
 # Run code unit and integration tests
 make test
+
+make kernel-test
+
+# Cleanup kernel
+make kernel-unload || sudo reboot
+
--- a/tools/deployment/make_osx_package.sh
+++ b/tools/deployment/make_osx_package.sh
@ -38,9 +38,12 @@ OSQUERY_DB_LOCATION="/private/var/osquery/osquery.db/"
 OSQUERY_LOG_DIR="/private/var/log/osquery/"

 # Kernel extension identifiers and config files
+KERNEL_INLINE=false
+KERNEL_UNLOAD_SCRIPT="$SOURCE_DIR/kernel/tools/unload_with_retry.sh"
+KERNEL_EXTENSION_IDENTIFIER="com.facebook.security.osquery"
 KERNEL_EXTENSION_SRC="$BUILD_DIR/kernel/osquery.kext"
-KERNEL_EXTENSION_DST="/tmp/osquery.kext"
-# TODO: change to install to /Sys/Lib/Exts
+KERNEL_EXTENSION_DST="/private/var/osquery/osquery.kext"
+KERNEL_EXTENSION_INSTALL="/Library/Extensions/osquery.kext"

 WORKING_DIR=/tmp/osquery_kernel_packaging

@ -56,13 +59,22 @@ SCRIPT_PREFIX_TEXT="#!/usr/bin/env bash
 set -e
 "

-POSTINSTALL_AUTOSTART_TEXT="
+POSTINSTALL_UNLOAD_TEXT="
 if launchctl list | grep -qcm1 $LD_IDENTIFIER; then
  launchctl unload $LD_INSTALL
 fi
+"
+POSTINSTALL_AUTOSTART_TEXT="
 cp $LAUNCHD_DST $LD_INSTALL
 launchctl load $LD_INSTALL
 "
+POSTINSTALL_UNLOAD_KERNEL_TEXT="
+./unload_with_retry.sh
+"
+POSTINSTALL_AUTOSTART_KERNEL_TEXT="
+cp -R $KERNEL_EXTENSION_DST/ $KERNEL_EXTENSION_INSTALL
+kextload $KERNEL_EXTENSION_INSTALL
+"

 POSTINSTALL_CLEAN_TEXT="
 rm -rf $OSQUERY_DB_LOCATION
@ -75,8 +87,7 @@ function usage() {
    -o PATH override the output path.
    -a start the daemon when the package is installed
    -x force the daemon to start fresh, removing any results previously stored in the database
-    -k Build dedicated kernel extension package
-    -z Bundle kernel extension inline with osquery-VERSION.pkg
+    -k Bundle kernel extension inline with osquery-VERSION.pkg

  This will generate an OSX package with:
  (1) An example config /var/osquery/osquery.example.config
@ -105,9 +116,7 @@ function parse_args() {
                              ;;
      -x | --clean )          CLEAN=true
                              ;;
-      -k | --kernel )         KERNEL=true
-                              ;;
-      -z | --kernel-inline )  KERNEL_INLINE=true
+      -k | --kernel-inline )  KERNEL_INLINE=true
                              ;;
      -h | --help )           usage
                              ;;
@ -179,14 +188,20 @@ function main() {
        echo "$POSTINSTALL_CLEAN_TEXT" >> $POSTINSTALL
    fi
    if [ $AUTOSTART == true ]; then
+        echo "$POSTINSTALL_UNLOAD_TEXT" >> $POSTINSTALL
+        if [ $KERNEL_INLINE == true ]; then
+          cp $KERNEL_UNLOAD_SCRIPT $SCRIPT_ROOT
+          echo "$POSTINSTALL_UNLOAD_KERNEL_TEXT" >> $POSTINSTALL
+          echo "$POSTINSTALL_AUTOSTART_KERNEL_TEXT" >> $POSTINSTALL
+        fi
        echo "$POSTINSTALL_AUTOSTART_TEXT" >> $POSTINSTALL
    fi
  fi

  # Check if a kernel extension should be included inline.
-  if [ $KERNEL == true || $KERNEL_INLINE == true ]; then
+  if [ $KERNEL_INLINE == true ]; then
    mkdir -p $INSTALL_PREFIX$KERNEL_EXTENSION_DST
-    cp -R $KERNEL_EXTENSION_SRC $INSTALL_PREFIX$KERNEL_EXTENSION_DST
+    cp -R $KERNEL_EXTENSION_SRC/ $INSTALL_PREFIX$KERNEL_EXTENSION_DST
  fi

  log "creating package"