Also separated the C from the C++ source code in a different library,
so that the C code is not compiled as C with a C++ compiler.
This would make the macOS C++ compiler fail to compile sleuthkit
since it wasn't how the original build system of the library was building it.
- Add the possibility of running table logic inside a container
namespace, so that's possible to query it instead of the host.
Needs minor modifications to each table logic and how they use logging.
In practice it works by having a pid_with_namespace column, which should
contain pids that are in the same mount namespace of the container one
wants to query.
The worker receives that column as a constraint, prepares two unnamed
pipes for read/write communications with the future child, then forks
into a new process.
While the parent sends a query job to the just created child and then waits
for results, the child receives the job, takes all the values given in the
pid_with_namespace constraint, retrieves the fd of the mount namespace
under "/proc/<constraint pid>/ns/mnt", then switches to it.
Finally it runs the table logic, sending the results back to the parent
through the pipe with a JSON message.
Important to note that the logging in the table logic is not GLOG
directly, because in the child this is in an unknown state; a custom
logging system that resembles glog and that takes advantage of the
existing communication channel is used to send the messages in JSON
format to the parent, which will take care to forward to GLOG.
- Add FLAGS_keep_container_worker_open so that the process used for
accessing a container is kept open, until the queries are for the same
table; when the table changes, the process will be closed
and a new one created.
This is off by default, which means that a new process will be always
created.
- Implemented a way to run tests that require root separated
from the others.
The OSQUERY_BUILD_ROOT_TESTS has been added to requests such tests to
be built.
To run only tests which require a normal user, one has to use
`ctest -LE "root-required"`, while `sudo ctest -L "root-required"`
to run those who need root.
PR: osquery/osquery#6209
The specific key the test checks for its existence,
which is Microsoft.Windows.Explorer,
might not be always present.
Use UEME_CTLSESSION key which should be always present since
it generically represents the start of a session.
Do not set CPACK_WIX_SKIP_PROGRAM_FOLDER to true and a specific install path,
this will break the Program Files folder drive resolution
to the system drive, and instead will enable the ROOTDRIVE logic
which chooses the disk with the most space available.
Fixesosquery/osquery#6314Fixesosquery/osquery#6342
When a block size is passed to the readFile function
or a file has no size, the read is forced to be blocking,
even if the handle is opened as non-blocking.
The opposite can happen too, a blocking handle is opened
but since a block size of 0 is passed, and the file size is not 0,
the file is read with non-blocking I/O.
This change bases the decision of doing blocking
or non-blocking I/O mainly on the "blocking" parameter
of the readFile function and the file being a special file or not.
If a handle is opened in non-blocking mode but the file is special,
the handle is reopened as blocking.
Also give a different name to the overload that provides
a way to do a read file check via readFile.
- Add fallback url to download the openssl tar.gz from the "old" archives
- Add URL_HASH to the openssl external project,
to avoid to redownload the archive if it has been alredy downloaded
and the integrity is verified
- Update curl_certificate table to use the newer openssl API,
so that it builds.
Remove a level of indirection when configuring and building formulas.
This should simplify working with them and also remove some issues
encountered when trying to build on Windows.
- Update libarchive to build from source on Windows and macOS
- Update yara to build from source on macOS
- Update librdkafka to build from source on macOS
- Build librdkafka with SSL and SASL_SCRAM support on Linux
- Update librpm to 4.15.1 to support the newer openssl
- Update libxml2 to build from source on Windows and macOS
- Update lzma to build from source on Windows and macOS
- Use ICU library not only for boost but libxml2 too
- Implement a workaround to have Buck builds still compile
with the old openssl version
When a query triggers multiple xFilter calls
and there's an operation that has to work on the sum of rows
resulting from all those calls, we trigger a use-after-free
when such operation tries to access the rows data.
This happens because each xFilter call we clear the rows
resulting from the previous xFilter call, and because
when returning the values of a text column we don't copy it,
but return a pointer to it.
A contrived example of a query with the issue is:
SELECT path=count(*) FROM file WHERE path = '/' OR path = '1'
This changes the last sqlite3_result_text parameter
from SQLITE_STATIC to SQLITE_TRANSIENT.
Addresses https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20833
Parsing a configuration file as a JSON document
which contains deeply nested elements can lead to a stack overflow
when using the recursive parser of RapidJSON.
Since the configuration isn't changed or parsed frequently,
use the slower iterative parser instead.
Copying the configuration JSON document
that contains deeply nested elements, using the CopyFrom API,
can lead to a stack overflow, due to the recursive nature
of the RapidJSON GenericValue construction.
Detect the depth/nesting level of a config document
and limit it to 32 levels.
Using an iterative parser, while it avoids stack overflows,
can cause memory exhaustion if the config size is too big.
Limit the maximum config size, stripped from its comments, to 1MiB.
Addresses https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20779
Removed the columns "script" and "match" from the test
since they do not belong to the chrome_extensions table,
they belong to chrome_extension_content_scripts.
Added the missing integration test for the table
chrome_extension_content_scripts.
Do not close the http server after 10s if there are requests coming,
since some tests may take more than 10s to run.
Reset the timer each time a request is received by the server instead.
This new toolchain contains a newer LLVM version (9.0.1),
a fix for the scan-build scripts and it keeps the LLVM static libraries,
necessary to implement the new BPF framework and tables.
The "decorators" configuration value must be a JSON object,
otherwise we try to search through its inexistent members
and dereference a null pointer.
Added also a regression test.
Addresses https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19274
