We have ported all platforms to use the source layer.
The facebook layer is not needed anymore since we build everything from source now,
the same goes for the transitional source_migration layer.
Minor cleanups about the recently removed python modules.
The set_binding function is incorrectly marked as const,
since it actually modifies one of the struct members.
This was somehow not caught by older compilers,
but is failing on LLVM/Clang 10, so we create a patch to fix this.
By using RPM-DEFAULT and DEB-DEFAULT as package names,
CPack leaves the naming of the packages to the underlying
packaging tools which will use the standard naming format.
This is meant to reduce the noise in the installation output of openssl,
since docs would easily fill the scrollback of most terminals.
Since we don't care about the docs, only install binaries.
OpenSSL was depending on zlib for SSL/TLS compression,
though it was trying to load it as a dynamic library.
On Windows especially this is an issue because the dll
could possibly be loaded from an insecure place,
so this can be exploited.
Moreover it's proven that compression can lead
to leaks of information; so we completely disable it
to resolve both issues.
Also separated the C from the C++ source code in a different library,
so that the C code is not compiled as C with a C++ compiler.
This would make the macOS C++ compiler fail to compile sleuthkit
since it wasn't how the original build system of the library was building it.
- Add the possibility of running table logic inside a container
namespace, so that it's possible to query it instead of the host.
Needs minor modifications to each table logic and how they use logging.
In practice it works by having a pid_with_namespace column, which should
contain pids that are in the same mount namespace of the container one
wants to query.
The worker receives that column as a constraint, prepares two unnamed
pipes for read/write communications with the future child, then forks
into a new process.
While the parent sends a query job to the just created child and then waits
for results, the child receives the job, takes all the values given in the
pid_with_namespace constraint, retrieves the fd of the mount namespace
under "/proc/<constraint pid>/ns/mnt", then switches to it.
Finally it runs the table logic, sending the results back to the parent
through the pipe with a JSON message.
Important to note that the logging in the table logic is not GLOG
directly, because in the child this is in an unknown state; a custom
logging system that resembles glog and that takes advantage of the
existing communication channel is used to send the messages in JSON
format to the parent, which will take care to forward to GLOG.
- Add FLAGS_keep_container_worker_open so that the process used for
accessing a container is kept open, until the queries are for the same
table; when the table changes, the process will be closed
and a new one created.
This is off by default, which means that a new process will be always
created.
- Implemented a way to run tests that require root separated
from the others.
The OSQUERY_BUILD_ROOT_TESTS has been added to request such tests to
be built.
To run only tests which require a normal user, one has to use
`ctest -LE "root-required"`, while `sudo ctest -L "root-required"`
to run those that need root.
PR: osquery/osquery#6209
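
The fork / pipe / setns flow described in the commit message above, as an added sketch that is not osquery's own code. The function names, the stand-in table logic and the JSON message shape are assumptions made for illustration; entering another mount namespace normally needs root, so an unprivileged run takes the error path and returns a log record.

```cpp
// Added example, not osquery code: all names and the JSON shape are assumptions.
#include <fcntl.h>
#include <sched.h>
#include <sys/wait.h>
#include <unistd.h>
#include <string>

// Stand-in for table logic: runs in the child, after the namespace switch,
// so the path is resolved against the container's filesystem view.
static std::string tableLogic() {
  return access("/etc/os-release", F_OK) == 0 ? "present" : "absent";
}

// Child side: read the job (a pid), join its mount namespace, reply in JSON.
static void childWorker(int job_fd, int result_fd) {
  pid_t target = 0;
  std::string msg;
  if (read(job_fd, &target, sizeof(target)) != sizeof(target)) _exit(1);
  std::string path = "/proc/" + std::to_string(target) + "/ns/mnt";
  int ns_fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);
  if (ns_fd < 0 || setns(ns_fd, CLONE_NEWNS) != 0) {
    // No direct logging in the child: log records share the result pipe.
    msg = R"({"type":"log","message":"cannot enter )" + path + R"("})";
  } else {
    msg = R"({"type":"rows","data":[{"os_release":")" + tableLogic() + R"("}]})";
  }
  if (write(result_fd, msg.data(), msg.size()) < 0) _exit(1);
  _exit(0);
}

// Parent side: two unnamed pipes, fork, send the job, wait for the reply.
std::string queryInNamespace(pid_t pid_with_namespace) {
  int job[2], result[2];
  if (pipe(job) != 0 || pipe(result) != 0) return "";
  pid_t child = fork();
  if (child < 0) return "";
  if (child == 0) {
    close(job[1]); close(result[0]);
    childWorker(job[0], result[1]);  // never returns
  }
  close(job[0]); close(result[1]);
  std::string reply;
  char buf[256];
  ssize_t n = write(job[1], &pid_with_namespace, sizeof(pid_with_namespace));
  close(job[1]);
  while (n > 0 && (n = read(result[0], buf, sizeof(buf))) > 0) reply.append(buf, n);
  close(result[0]);
  waitpid(child, nullptr, 0);
  return reply;
}
```

The parent never calls setns itself, so its own view of the host filesystem is unaffected; the switch only applies to the forked child.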
The specific key the test checks for its existence,
which is Microsoft.Windows.Explorer,
might not be always present.
Use UEME_CTLSESSION key which should be always present since
it generically represents the start of a session.