Commit Graph

27 Commits

Author SHA1 Message Date
Stefano Bonicatti
974bdef901 Various fixes and CI steps for packaging (#5881)
* Fix packaging regression on Windows

Component variables should be set only for Linux and macOS,
otherwise on Windows the internal WiX IDs change and the
WiX fragment patch won't work.

Cleanup the version patch component, since WiX doesn't support
version components that are not digits.

* Add the rpm package to the CI Dockerfile, to test rpm packaging

* Fix TGZ generation on other platforms

* Add dpkg-dev and file packages to the CI Dockerfile

They are needed for creating DEB debug packages.

* Add packaging steps to the CI

Set TGZ as a default packaging system when one cannot be detected.

Fix generatePackageTarget indentation.
2019-10-13 12:53:16 +02:00
Stefano Bonicatti
56c69e3cfa Add ccache support also for compiling C (#5872) 2019-10-08 22:39:28 +02:00
Alessandro Gario
225bbaf992
Integrate cppcheck and clang-tidy within the CMake project (#5730) 2019-10-08 18:17:11 +02:00
Teddy Reed
846c392903
cpack: Update package logic to build DEB debuginfo (#5843)
This enables a component install for DEB (only). This is required in
CMake version 3.17.0 (planned) and lower to produce a debuginfo version.

One side-effect is we have to gate the stripping for DEB.
2019-10-07 22:36:18 -07:00
Teddy Reed
92e7b9033d
fuzzing: Restore simple libFuzzer-based config fuzzing (#5844)
This defines a new CMake option: OSQUERY_FUZZ, which appends compiler
and linker flags for libFuzzer to be effective.

There is one example harness that will fuzz config parsing.
2019-10-02 18:09:35 -04:00
Teddy Reed
bb25075599
linux: Add --build-id linker option (#5823) 2019-09-25 15:20:22 -04:00
Stefano Bonicatti
6f3063bef7 Specify PATH when calling format_check if using the custom toolchain (#5834)
The script would not find clang-format or it would use the system one,
which it shouldn't.
2019-09-24 19:17:55 -04:00
Teddy Reed
835ae84635
CPack: Linux package nitpicks and docs (#5822)
This fixes the license for RPMs, sets the homepage for DEBs, and sets
the package revision correctly.
2019-09-23 17:39:27 -04:00
seph
8e678847c2 Fix MSI Service Error handling
When ErrorControl is set to `critical`, a failure to start osquery results in a system reboot. Instead, this should be set to `normal` where it is logged and the startup proceeds.

Upstream docs are http://wixtoolset.org/documentation/manual/v3/xsd/wix/serviceinstall.html

This was fixed in https://github.com/osquery/osquery/pull/5467 and seems to have gotten lost.
2019-09-19 12:32:35 -04:00
Zachary Wasserman
010949cc4e Suppress Boost warnings about newer compiler (#5816) 2019-09-19 01:19:26 +02:00
Zachary Wasserman
5cec1f4331
Upgrade SQLite to 3.29.0 on macOS and Windows (#5810)
Mitigates recent CVEs in SQLite. It was already this version on Linux.

Establish a pattern for migrating source dependency builds to macOS and Windows.
2019-09-18 15:49:27 -07:00
Alessandro Gario
65aca42e5f
CMake: Add CentOS to the RPM-based distributions (#5809) 2019-09-16 21:19:39 +02:00
Stefano Bonicatti
57f9916473 Patch environment file path in initd and systemd scripts during DEB packaging (#5802)
Also add a check to systemd script to create an empty config file,
if this is missing.

Co-authored-by: seph <seph@directionless.org>
2019-09-12 18:02:23 -04:00
Stefano Bonicatti
c34ef2aaa3
Fix MSI installed service missing quotes on flagfile argument (#5778) 2019-09-09 18:33:48 +02:00
Teddy Reed
f4bd3e1630
deployment: Add Mozilla CA certificate store 2019-08-28 (#5773)
* deployment: Add Mozilla CA certificate store 2019-08-28

This is the cacerts file that was once provided by the OpenSSL Homebrew
formula. The osquery packages in 3.x and previous provided this store as
the default / fallback.

The hash can be corroborated via:
https://curl.haxx.se/ca/cacert.pem.sha256

38b6230aa4bee062cd34ee0ff6da173250899642b1937fc130896290b6bd91e3

* install certs.pem directly from source
2019-09-08 17:42:01 -04:00
Teddy Reed
e72ae6b48f
cpack: Only use CMAKE_SET_DESTDIR for TGZ generator (#5772) 2019-09-07 18:16:19 -04:00
Teddy Reed
1b0edf5ba4
cpack: Apply existing Linux package conventions (#5770) 2019-09-07 15:53:20 -04:00
Teddy Reed
91379cf73f cpack: Add TGZ optional generator for Linux 2019-09-06 23:50:29 -04:00
Stefano Bonicatti
0b2cd791d3 Linux custom toolchain integration (#5759)
- Always link to libc++abi.a, dl and rt.
- Add OSQUERY_TOOLCHAIN_SYSROOT option which should contain
  the path to the sysroot where the portable compiler and its libraries are in.
- Fix OpenSSL build with custom toolchain.
- Always include the custom toolchain cmake.
  Unfortunately system name detection is done when project() is called
  which is also when compiler detection is done, and we need the compiler
  to be set before that, so we always include the cmake file.
- Do not use getrandom syscall in Boost, for glibc < 2.25 support.
- Remove usage of secure_getenv and getauxval in librpm.
- Update CI to use the toolchain.
- Reflect changes in the docs.
2019-09-06 19:51:25 -04:00
Stefano Bonicatti
dfd6c06b67
Link binaries with Full RELRO on Linux (#5748)
Full RELRO is a useful exploit mitigation which disables lazy
binding of functions, makes the GOT read-only and also reorders the ELF sections so
that a buffer overflow cannot easily overwrite the next ones, where
normally the GOT is.
2019-09-07 00:20:32 +02:00
Alessandro Gario
6481b34e23
Refactor third-party libraries to build from source on Linux (#5706)
Add a way to compile third-party libraries from source instead of downloading prebuilt ones.
Each library source code is downloaded with git into a submodule at configure time,
in response to the find_package(library_name) CMake call,
except for OpenSSL where the official source archive is used.
Each submodule is attached to a release tag on its own upstream repository.
All the libraries are built using CMake directly, except for OpenSSL which uses a formula system,
which permits building libraries with a separate build system
when there's no easy way to integrate it directly with CMake.

This new dependency system determines which library is fetched from where using the concept of "layers".
Currently we have three of them: source, formula, facebook,
where the last layer represents the pre-built libraries.
The provided order will be used when looking for libraries.

A system to patch submodule source code has been added and it's currently used with googletest, libudev and util-linux.
Patches should be put under libraries/cmake/source/<library name>/patches/<submodule>,
where <submodule> is often one and is "src", but in other cases, like AWS,
there are multiple with a more specific name.
If for whatever reason the submodule cloning or the patching fails,
the submodule has to be unregistered and its folder should be cleared.
This should be achievable with "git submodule deinit -f <submodule path>"

Following some other changes on existing functionality:

- Changed the CMake variable BUILD_TESTING to OSQUERY_BUILD_TESTS
  to avoid enabling tests on third party libraries.
  Due to an issue with glog the BUILD_TESTING variable
  will be always forced to OFF.
- Moved compiler and linker flags to their own file cmake/flags.cmake
- Moved all the third-party CMakeLists.txt used for pre-built libraries under libraries/cmake/facebook
- Added the --exclude-folders option to tools/format-check.py and tools/git-clang-format.py,
  so that it's possible to ignore any third party library source code.
- The format and format_check target use the new --exclude-folders option
  to exclude libraries/cmake/source from formatting.
- The test and osquery binaries are properly compiled with PIE (osquery/osquery#5611)

Co-authored-by: Stefano Bonicatti <stefano.bonicatti@gmail.com>
Co-authored-by: Teddy Reed <teddy@casualhacking.io>
2019-08-30 16:25:19 +02:00
Stefano Bonicatti
a5dfb3da7e
Improve osquery version detection (#5630)
Add OSQUERY_VERSION cache variable to force the version to be set at
that value.
Add OSQUERY_VERSION_AUTODECTED cache variable to show the osquery
version that has been detected through git
Add OSQUERY_VERSION_SUFFIX cache variable to append its value to the
final version, if the version was autodetected.
Add OSQUERY_VERSION_INTERNAL variable to globally store the final
osquery version, to be used in other CMake scripts.
Add OSQUERY_VERSION_COMPONENTS variable to globally store the components
of the final osquery version. Currently used by the packaging system.

Modify overwrite_cache_variable so that it's possible to specify the type.

The version is always autodetected using "git describe --tags --always --dirty"
and OSQUERY_VERSION_SUFFIX is appended to it, unless OSQUERY_VERSION is manually set.

Incorporates suggestions by @directionless.

CMake part of osquery/osquery#5615
2019-07-23 13:01:20 +02:00
Stefano Bonicatti
72c72b775f Explicitly add BUILD_TESTING CMake option (#5627)
This way it is visible as a variable in the cache that can be set.
2019-07-10 03:57:10 +02:00
Stefano Bonicatti
08c36472cf Enable Debug builds on the CI (#5626)
* Add an option to avoid generating debug symbols

A new option, OSQUERY_NO_DEBUG_SYMBOLS, has been added
to avoid generating debug symbols when building in Debug or RelWithDebInfo.
This is especially needed on the CI where the disk size is limited
and symbols are not necessary, because we cannot directly access
processes to debug them.

* Enable Debug builds on the CI

Enabled Debug builds on macOS and Linux; a special job has been created
to represent the combined build status of Release and Debug builds.

Also format the other long cmakeArgs line so that there's one argument
per line.

* Run Docker as privileged also in Debug builds

* Simplify azure pipelines configuration

Use strategy and matrix to avoid repeating the script
for Release and Debug builds.
2019-07-10 00:32:26 +02:00
Stefano Bonicatti
d6a2f2f1df Fix detection of some headers on some IDEs (#5619)
Some IDEs require that the headers are assigned to a target, so they know
which TU uses them and also that they are part of the project.
The option ADD_HEADERS_AS_SOURCES has been added, if it's ON,
we assign those headers as INTERFACE sources of the target that publishes
them.
2019-06-30 23:24:56 +02:00
Stefano Bonicatti
942878854b Add CMake support
Taken from osql-experimental.

- Change CMake code license to the one present in osquery right now

- Package metadata doesn't mention Trail of Bits or osql anymore

- Set specific ACLs for the osqueryd on Windows when packaging

- Remove LLVM_INSTALL_PATH support on macOS, since we are using AppleClang

- Remove OSQUERY_SOURCE_DIR variable need and source in a submodule support

- Add targets format_check and format to check code formatting and
  format it with clang-format

- Do not warn about not using Clang on macOS when using AppleClang
2019-06-26 21:49:06 -04:00
Alessandro Gario
33fbbecb5f Initial commit
Taken from osql-experimental.

Initial support for Linux and macOS.
2019-06-26 21:49:06 -04:00