- Add the possibility of running table logic inside a container
namespace, so that's possible to query it instead of the host.
Needs minor modifications to each table logic and how they use logging.
In practice it works by having a pid_with_namespace column, which should
contain pids that are in the same mount namespace of the container one
wants to query.
The worker receives that column as a constraint, prepares two unnamed
pipes for read/write communications with the future child, then forks
into a new process.
While the parent sends a query job to the just created child and then waits
for results, the child receives the job, takes all the values given in the
pid_with_namespace constraint, retrieves the fd of the mount namespace
under "/proc/<constraint pid>/ns/mnt", then switches to it.
Finally it runs the table logic, sending the results back to the parent
through the pipe with a JSON message.
Important to note that the logging in the table logic is not GLOG
directly, because in the child this is in an unknown state; a custom
logging system that resembles glog and that takes advantage of the
existing communication channel is used to send the messages in JSON
format to the parent, which will take care to forward to GLOG.
- Add FLAGS_keep_container_worker_open so that the process used for
accessing a container is kept open, until the queries are for the same
table; when the table changes, the process will be closed
and a new one created.
This is off by default, which means that a new process will be always
created.
- Implemented a way to run tests that require root separated
from the others.
The OSQUERY_BUILD_ROOT_TESTS has been added to requests such tests to
be built.
To run only tests which require a normal user, one has to use
`ctest -LE "root-required"`, while `sudo ctest -L "root-required"`
to run those who need root.
PR: osquery/osquery#6209
The windows documentation mentions that ExitThread should not be
used in C++ code. When debugging these exit flows I saw exceptions
when running dtors.
When reviewing the shutdown code for Windows and POSIX there was a
lot of complexity. This change allows any part of code to request
a shutdown and simplifies the response.
We should expect the main thread to call ::waitForShutdown.
The exception is the shell, which waits in a repl.
Fix UsersTest.test_sanity on Windows.
uid and gid were returned as int (while they normally are unsigned int)
and converted to signed integers in the table row.
This is wrong because beyond uid and gid not being ints,
they are taken from the RID part of the SID which in some cases,
like for a Service SID, it can have a value higher than then maximum
value of an int, so in the end the number shown in table is negative.
Now they are returned as uint32_t and converted as BIGINTs for the table
that uses them.
Fix other functions return values and conversions depending on the meaning of
the value.
On Windows stick to its specific types where possible.
Convert CRLF to LF on some of the files modified.
Summary:
It cause implicit dependency to osquery/core:core, that cause circular dependency :(. The point is to get rid of it. Let's use just exit() instead.
As far as we don't have decent implementation of Initializer::shutdown it will not cause us any more problems.
We can live with it for a while.
Reviewed By: marekcirkos
Differential Revision: D14182915
fbshipit-source-id: 22c54cde910ea29b1fb19d96598db381b9d1c60d
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5452
As suggested in another diff, this diff updates the language we use to describe the osquery licensing terms. We are changing all instances of
//This source code is licensed as defined on the LICENSE file found in the root directory of this source tree.//
to
//This source code is licensed in accordance with the terms specified in the LICENSE file found in the root directory of this source tree.//
We accomplish this with a codemod:
$ codemod -md xplat/osquery/oss --extensions cpp,h,in,py,sh,mm,ps1 "(.\s+)This source code is licensed as defined on the LICENSE file found in the(.*)root directory of this source tree\." "\1This source code is licensed in accordance with the terms specified in\2the LICENSE file found in the root directory of this source tree."
Reviewed By: fmanco
Differential Revision: D14131290
fbshipit-source-id: 52c90da342263e2a80f5a678ecd760c19cf7513e
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5375
LICENSE is now defined in a single file on the root of the project, update the
header to contain that information.
**Project LICENSE did not change.**
Reviewed By: akindyakov
Differential Revision: D13750575
fbshipit-source-id: 1e608a81b260b8395f9d008fc67f463160c1fc2b
