The instruction doesn't exist on other processors, and while there
might be ways to retrieve the equivalent information, none directly
matches the x86 "cpuid". This takes out the table completely on
non-x86_64 architectures.
Co-Authored-By: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Some syscalls are deprecated on newer architectures, for example
fork and vfork are all variants of clone now; symlink, unlink, rename
etc... at variants of the *at() versions, dup2 of dup3, etc...
Note about the test events: Because the events are synthetic, we
only really test the parser, as such it doesn't matter if aarch64
doesn't use a snapshot of a real event. To keep things simple we
only replace the arch and syscall fields.
Co-Authored-By: Benjamin Herrenschmidt <benh@kernel.crashing.org>
We currenty inclulde unistd_64.h which doesn't work on aarch64. Rather
add #ifdef's around it, let's just use unistd.h which should do the
right thing on all architectures.
Additionally remove the duplicate #include's from the .cpp files
CMake ignores the sysroot when testing the support of PIE,
so the link test fails when it tries to check for PIE support
and decides that it's not supported.
Therefore we tell CMake that PIE is supported when using the
osquery-toolchain and leave the automatic test for other toolchains.
Temporarily disable PIE on executables built with the
osquery-toolchain libFuzzer, since it has not been compiled with PIE/PIC
support.
The PR adds an on-demand version of the Windows events log table that can return the WEL entries from an arbitrary event provider. It supports selective filtering based on additional query parameters. An example query:
```
osquery> select * from windows_events_vtable where channel = 'Application' and eventid = 1000;
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
| channel | datetime | task | level | provider_name | provider_guid | eventid | recordid | keywords | data | pid | tid |
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
| Application | 2020-07-22T03:19:32.617052900Z | 0 | 4 | Microsoft-Windows-LoadPerf | {122EE297-BB47-41AE-B265-1CA8D1886D40} | 1000 | -1 | 0x8000000000000000 | {"UserData":{"EventXML":"","binaryData":"EC2C0000BC2D0000ED2C0000BD2D0000","binaryDataSize":"16","param1":"WmiApRpl","param2":"WmiApRpl"}} | 5824 | 5828 |
+-------------+--------------------------------+------+-------+----------------------------+----------------------------------------+---------+----------+--------------------+--------------------------------------------------------------------------------------------------------------------------------------------+------+------+
```
Change the counter behavior so only when a differential results is
calculated the counter increments. With this new behavior the counter
represents the order in which differentials results should be replayed
to recreate state at a point in time.
