libdpkg is leaking memory on every initialization.
Initialization happens every time deb_packages gets queried.
The memory leaked is allocated for the "triggersdir"
global variable by "dpkg_db_get_path" called in "trigdef_update_start".
"trigdef_update_start" is called by "trig_incorporate" just after
the memory for "triggersdir" has been allocated.
On some occasions "trigdef_update_start" is also called two times in a
row. In all these cases the memory does not get deallocated in between calls,
so the old memory is lost.
Since the result of "dpkg_db_get_path" depends on the database dir that
has been set, and in the "trigdef_update_start" function it's not possible
to know if it has changed from the previous allocation or not,
it's necessary to always deallocate rather than just avoid calling "dpkg_db_get_path".
Fix also a couple of other leaks on error.
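The leak pattern the message describes, as an added example in C that is not dpkg's or osquery's code: the function names mirror the dpkg symbols quoted above, but the bodies are simplified stand-ins (a settable database directory, a path builder that always returns fresh heap memory, a global that caches it, and an allocation counter so the leak is measurable). The leaky variant overwrites the global on every call; the fixed variant releases the old block first, which is the only safe option because the database directory may have changed since the previous allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the dpkg state named in the commit message (constructed model). */
static const char *db_dir = "/var/lib/dpkg";   /* set by the caller, may change */
static char *triggersdir = NULL;               /* global cache of the trigger dir */
static int live_allocations = 0;               /* outstanding heap blocks, for the check */

/* Stand-in for dpkg_db_get_path(): the result depends on the current db_dir,
 * and every call returns a new heap block. */
static char *dpkg_db_get_path(const char *suffix) {
  size_t n = strlen(db_dir) + strlen(suffix) + 2;
  char *p = malloc(n);
  if (p == NULL) return NULL;
  snprintf(p, n, "%s/%s", db_dir, suffix);
  live_allocations++;
  return p;
}

static void release(char *p) {
  if (p != NULL) {
    free(p);
    live_allocations--;
  }
}

/* Leaky version: the old pointer is overwritten without being released. */
static void trigdef_update_start_leaky(void) {
  triggersdir = dpkg_db_get_path("triggers");
}

/* Fixed version: release whatever is cached, then recompute. Skipping the
 * call when triggersdir is already set would be wrong, because db_dir may
 * have changed since the previous allocation. */
static void trigdef_update_start_fixed(void) {
  release(triggersdir);
  triggersdir = dpkg_db_get_path("triggers");
}

/* Run `calls` initialisations (as repeated deb_packages queries would) with
 * the given implementation, alternating the database directory between
 * two constructed values, and report how many blocks are still live. */
static int leaked_after(void (*update_start)(void), int calls) {
  triggersdir = NULL;
  live_allocations = 0;
  for (int i = 0; i < calls; i++) {
    db_dir = (i % 2 == 0) ? "/var/lib/dpkg" : "/tmp/alt-dpkg-db"; /* constructed */
    update_start();
  }
  release(triggersdir); /* final teardown, as a correct shutdown would do */
  triggersdir = NULL;
  return live_allocations;
}

int main(void) {
  printf("leaky: %d blocks leaked after 5 calls\n",
         leaked_after(trigdef_update_start_leaky, 5));
  printf("fixed: %d blocks leaked after 5 calls\n",
         leaked_after(trigdef_update_start_fixed, 5));
  return 0;
}
```

The counter is a stand-in for what Valgrind or LeakSanitizer would report on the real binary: with the leaky variant every query past the first leaves one more block behind, so the loss grows with the number of times the table is queried.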
To completely remove sqlite3 as a dependency of sleuthkit,
case_db.cpp and auto_db.cpp should not be compiled,
because both depend on the header tsk_case_db.h,
which in turn includes tsk_db_sqlite.h,
which then depends on the sqlite3.h header.
Add OSQUERY_ENABLE_VALGRIND_SUPPORT so that it's possible
to run osquery under Valgrind.
This is specifically required by the boost library
that needs to be compiled with a special define
and it also requires the valgrind.h header.
Also move the defines for the ASAN usage to the boost
library CMakeLists.txt instead of being in flags.cmake.
This way we reduce the unnecessary recompilation of code that
doesn't depend on boost, when switching options.
* deb_packages: Fix include order issue
* bpf_socket_events, bpf_process_events: Initial implementation
* BPF: Add process tracking to process events, remove sockets_event
* CMake: Upgrade the C++ standard to C++17
* BPF: Improve initial system state snapshot and event collection
* BPF: Add tests for SystemStateTracker
* BPF: Add tests for BPFEventPublisher
* BPF: Refactor, add tests for ProcessContextFactory
* Refactor: Improve initial scan/event handling, fix openat
* BPF: Improve event ordering
* BPF: Fix test issue in BPFEventPublisher::processOpenAt
* BPF: Mark WIP functions as deprecated
* BPF: Improve tests
* BPF: Add back bpf_socket_events and connect() support
* BPF: Add Netlink addr support, add bind()
* BPF: Add accept/accept4 support
* BPF: Add tests for BPFEventPublisher::processOpenat2Event
* BPF: Add remaining tests for BPFEventPublisher
* BPF: Add configuration flags for memory management
* BPF: Add cmdline support to ProcessContextFactory
* BPF: Add additional tests
* BPF: Add unit test for SystemStateTracker::accept
* BPF: Update cwd handling
* BPF: Add tests for bpf_socket_events
* BPF: Add tests for bpf_process_events
* BPF: Add json_cmdline hidden column to bpf_process_events
* BPF: Update all copyright headers
* BPF: Add syscall duration in socket_events/process_events
* BPF: Code review changes
* BPF: Update ebpfpub to the latest version
* BPF: Removed unused functions
* BPF: Code review changes
Add whitespace around namespaces
* BPF: Revert header changes in rot13.cpp
* BPF: Code review changes
Rename the bpf_ntime column in bpf_socket_events/bpf_process_events
to ntime and make it the last visible column
* BPF: Code review changes
Update the dependencies for the BPF tests
* BPF: Code review changes
Update the dependencies for the BPF table tests
* BPF: Code review changes
Update how characters are appended to strings in the
system state tracker class
* BPF: Code review changes
Update the string -> integer conversion utilities in the
process context factory class.
* BPF: Hide failed exec syscalls from bpf_process_events results
* BPF: Do not log an error for invalid sockaddr structures
* BPF: Code review changes
Remove clang-format ignore block
* BPF: Code review changes
Update log messages in the BPFEventPublisher class
* BPF: Code review changes
Remove clang-format ignore block around the function tracer
descriptors
* BPF: Code review changes
Document the IFilesystem interface
* BPF: Code review changes
Document the IProcessContextFactory interface
* BPF: Code review changes
Document the ISystemStateTracker interface
Starting in glibc 2.25, the macros `major` and `minor` were moved
from `<sys/types.h>` to `<sys/sysmacros.h>`, to stop leaking these
common words into the global namespace of those including `<stdlib.h>`
https://sourceware.org/bugzilla/show_bug.cgi?format=multiple&id=19239
The macros MAJOR_IN_MKDEV and MAJOR_IN_SYSMACROS would be defined if
necessary by autoconf, and put in `config.h`. But osquery build
uses CMake instead of autotools, with a git-committed `config.h`.
This generally is all right across Ubuntu variations, as an automake
for one will likely make a config.h that works on others. However
the glibc change makes a "one-size-fits-all-Ubuntu" config impossible.
This mirrors detection done by autoconf/headers.m4 as CMake code.
It is a relatively simple patch, which unblocks building of librpm
on (K)ubuntu 20 while still working on Ubuntu 18.
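How code that consumes the detection result selects the header, as an added example in C (not osquery's or librpm's code). It assumes the build system defines either MAJOR_IN_SYSMACROS or MAJOR_IN_MKDEV, the two autoconf names from the message; the last preprocessor branch is an assumed fallback for a stand-alone compile on glibc 2.25 or newer, where the message says the macros live in `<sys/sysmacros.h>`. The functions then exercise `major`, `minor` and `makedev` on a `dev_t`, the values a tool would pull out of `st_dev`/`st_rdev` after a `stat(2)` call.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Header selection mirroring the autoconf AC_HEADER_MAJOR result.
 * MAJOR_IN_SYSMACROS / MAJOR_IN_MKDEV are expected from the build system;
 * the __GLIBC__ branch is an assumed fallback so the file compiles on its own. */
#if defined(MAJOR_IN_SYSMACROS)
#  include <sys/sysmacros.h>
#elif defined(MAJOR_IN_MKDEV)
#  include <sys/mkdev.h>
#elif defined(__GLIBC__) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25))
#  include <sys/sysmacros.h>
#endif

struct dev_parts {
  unsigned int maj;
  unsigned int min;
};

/* Split a dev_t (e.g. st_dev or st_rdev from stat(2)) into its two numbers. */
static struct dev_parts split_dev(dev_t dev) {
  struct dev_parts p = { major(dev), minor(dev) };
  return p;
}

/* Round trip through makedev() and back; if the wrong header (or none) was
 * selected this does not compile, which is exactly the build failure the
 * glibc change caused. */
static int dev_roundtrip_ok(unsigned int maj, unsigned int min) {
  dev_t d = makedev(maj, min);
  return major(d) == maj && minor(d) == min;
}

/* Render the "major:minor" form used by /proc mount and device listings.
 * Returns the number of characters snprintf would have written. */
static int format_dev_id(dev_t dev, char *buf, size_t len) {
  struct dev_parts p = split_dev(dev);
  return snprintf(buf, len, "%u:%u", p.maj, p.min);
}

int main(void) {
  struct stat st;
  char buf[32];
  if (stat("/", &st) == 0) {
    format_dev_id(st.st_dev, buf, sizeof buf);
    printf("root filesystem device: %s\n", buf);
  }
  printf("roundtrip 8:1 ok: %d\n", dev_roundtrip_ok(8, 1));
  return 0;
}
```

The practical check is that the file builds on both the older and the newer glibc without changes to the source: only the definitions passed by the build system differ, which is what the CMake detection described above provides.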
This is a follow-up of PR osquery/osquery#6472:
while the code was patched, we were still using the unpatched version.
This should finally fix ossfuzz build failure.
We have ported all platforms to use the source layer.
The facebook layer is not needed anymore since we build everything from source now,
the same goes for the transitional source_migration layer.
Minor cleanups about the recently removed python modules.
The set_binding function is incorrectly marked as const,
since it actually modifies one of the struct members.
This was somehow not caught by older compilers,
but is failing on LLVM/Clang 10, so we create a patch to fix this.