Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5428
This is a final diff to be able to track syscalls by using eBPF + kernel events. Basically that one and previous are about to join high level initialisation routine in one place.
Part of a linux tracing system, blueprint: [#5218](https://github.com/facebook/osquery/issues/5218)
Reviewed By: SAlexandru
Differential Revision: D13801093
fbshipit-source-id: db8503b0d42127281a975ff517600872e9ed4302
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5419
to load new programs, enable native events and attach program to them.
Reviewed By: SAlexandru
Differential Revision: D13787783
fbshipit-source-id: cfc001da15b343e5c80fd0ab6a276f263aa0ef7a
Summary:
Fixed crash in virtual tables that occurs after following steps:
1. sqlite opens VT with xCreate
2. during query executions invokes xFilter with multiple tables
3. Few tables accumulated in affectedTables
4. xDestroy called before finishing query (last step of query execution)
5. query execution finished, SQL instance try to cleanup affected tables, but they were already destroyed by xDestory
This is only hotfix for this crash and this code base require full memory management review in future
Reviewed By: SAlexandru
Differential Revision: D13917015
fbshipit-source-id: 15396e47e4c4e592cf30608a783bc80d560c776f
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5417
Hash multimap based joiner with ability to perform clean up old unpaired events from time to time.
Part of a linux tracing system, blueprint: [#5218](https://github.com/facebook/osquery/issues/5218)
Reviewed By: SAlexandru
Differential Revision: D13761675
fbshipit-source-id: f4b17cbeed495b2a9e6616a005f001963849875e
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5375
LICENSE is now defined in a single file on the root of the project, update the
header to contain that information.
**Project LICENSE did not change.**
Reviewed By: akindyakov
Differential Revision: D13750575
fbshipit-source-id: 1e608a81b260b8395f9d008fc67f463160c1fc2b
Summary:
While running `misspell` on a different codebase. I happened to notice that some misspellings in the osquery code base. So, I fixed them
Pull Request resolved: https://github.com/facebook/osquery/pull/5256
Reviewed By: guliashvili
Differential Revision: D13670897
Pulled By: fmanco
fbshipit-source-id: 5d33d858284955c376e8c3980acdf366d4edf3d3
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5335
It was reported that osquery eventing mechanism uses too much disk space. As daebeike found it, event expiring was failing in some cases to be executed.
More specifically, expiration check was supposed to run every time EVENTS_CHECKPOINT number of events where added. However, in between the checks for expiration more than EVENTS_CHECKPOINT events could be added and no expiration would be executed. I suppose, this behaviour would be easily reproducible under the high load
Reviewed By: fmanco
Differential Revision: D13565250
fbshipit-source-id: 78bbad3f7aded4beb9e5f42bafd9184e9c2f8efb
Summary: Some tools does not support virtual headers namespaces and expect header path to match actual file path from project root. This diff will fix few namespaces in utils library
Reviewed By: guliashvili
Differential Revision: D13552878
fbshipit-source-id: 2a06f73550c69777bf73be73abdde297fe580583
Summary:
Continuing to march toward low-overhead, type-safe table rows, this commit
changes `TableRow` to be an interface rather than simply an alias for `Row`.
Accordingly, `DynamicTableRow` becomes an implementation of that interface
backed by a `Row`. The few remaining pieces of code that treated `TableRow`s as
`Row`s now call methods on the `TableRow` interface. Subsequent commits will
add code generation for strongly-typed table-specific implementations of
`TableRow`.
(Adapted from https://github.com/facebook/osquery/pull/5198)
Reviewed By: guliashvili
Differential Revision: D13438015
fbshipit-source-id: 61d5547e878e519c9706f94f844aab9d3e553410
Summary:
Continuing to march toward low-overhead, type-safe table rows, this commit changes
much of the code that uses `TableRow`s to stop assuming that they're just `vector`s
by another name. (`TableRow` is on the way to becoming an interface with multiple
implementations.) They're now held in `unique_ptr`s (`TableRowHolder`). For cases
where we really want a `vector`-backed `TableRow` (mostly test code and extension
support), we have a factory function (`make_table_row`) and a helper class
(`DynamicTableRowHolder`) to make that smoother.
(Adapted from https://github.com/facebook/osquery/pull/5198)
Reviewed By: mkareta
Differential Revision: D13438016
fbshipit-source-id: 2de9ce46a64c0a067b5d3299c59bbe3ccacd4abe
* InterruptableRunnable RunnerInterruptPoint redesign
There were several inefficiencies in the old version of RunnerInterruptPoint and InterruptableRunnable.
1) RunnerInterruptPoint was throwing the exception when interrupted, however, the exception was always ignored.
2) InterruptableRunnable used the read-write lock, however only write lock was used.
3) InterruptableRunnable InterruptableRunnable, stored almost similar variable stop_, interrupted_.
4) std::atomic<bool> interrupted_ was used with locks, even though it was accessed by default safest access mode memory_order_seq_cst. So no additional cache invalidation was needed.
5) InterruptableRunnable contained code(in method interrupted() and variables bypass_check_, checked) just for testing. Which was slowing down method interrupted().
6) Some more confusing things. notify_all was not needed, as only one thread could be waiting for the conditional variable. RunnerInterruptPoint:: pause(void) looks ambiguous and that's why was not used anywhere.
I resolved all these problems by merging InterruptableRunnable and RunnerInterruptPoint into the InterruptableRunnable.
1) No use of the exception.
2) 4) Simple mutex, which is only used for pauseMilli. InterruptableRunnable::interrupted and InterruptableRunnable::interrupt function lock-free.
3) Single variable interrupted_.
5) Made InterruptableRunnable::interrupt virtual. Tests override interrupt to make things testable.
6) change to notify_one and removed pause without the specific time.
