Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5542
We replace deprecated calls to the Status class with newer ones. This will stop Lint from nagging me every time I open these files. There should be no change to functionality.
Specifically, we use a codemod on `.cpp` files to replace any instance of `return Status();` with `return Status::success();`.
Reviewed By: guliashvili
Differential Revision: D14652922
fbshipit-source-id: 243576195ed201d6b82fc942a785742c6b01cf83
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5483
Initial steps to separate plugins from the rest of osquery. On the long run separating plugins will provide more build flexibility such that we can have configurable builds that include only the bits and pieces we actually need per deployment. Reducing the attack surface, possibility of supply chain attacks, binary size, etc.
Move killswitch
Reviewed By: guliashvili
Differential Revision: D14259760
fbshipit-source-id: deaaa148fac25b3f534a8881a1ea9eda0ec6bdc9
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5487
I got tired of Lint telling me to update the calls to the Status class, so I wrote some codemods to update the vast majority of them:
$ cd ~/fbsource
$ codemod -d xplat/osquery/oss/osquery --extensions cpp,h "return Status\(0\, \".*\"\);" "return Status::success();"
**Blindly accepted all changes**.
FWIW, I tried to do something similar with the failure return values, but the unit tests were failing afterward.
Reviewed By: guliashvili
Differential Revision: D14278739
fbshipit-source-id: b023f6e969be697eeb67d66ea3ad10d16c69ff0c
Summary: to be able to preserve old python namespace for backward compatibility and satisfy fbcode naming rules
Reviewed By: jessek, fmanco
Differential Revision: D14242579
fbshipit-source-id: b50ba0df6ad75752f651f0bf642f3278de363874
Summary: To be able to build with different `thrift_impl` modules in extensions (like facebook does with fbthrift) I removed implementation from `extensions` lib and explicitly used for `osqueryd` and for all tests. This allows us to remove `thrift_impl` from sdk dependencies list. If you need it - please use explicitly as I did for `osqueryd`. If you want to use your own implementation of `thrift_impl` - build it and link against it and sdk simultaneously.
Reviewed By: marekcirkos
Differential Revision: D14224206
fbshipit-source-id: 218dc05d87e1ffaca37783185fc672a20684d757
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5466
To be able to use other implementation (like `fbthrift_impl.cpp`) instead of `thrift_impl.cpp`, if required.
Reviewed By: marekcirkos
Differential Revision: D14208053
fbshipit-source-id: ba379ea85fc66deef517763eaca896e88729d68e
Summary:
I didn't find a way to refer file in fbcode thrift_library from xplat. So, let's copy it.
There is something wrong with a namespaces in python - I'll fix it later. This is not a problem for now - file is not used.
Reviewed By: marekcirkos
Differential Revision: D14124542
fbshipit-source-id: 1060e23675a8086af494aa93037e1c613f250c71
Summary:
As far as this file is only for internal build, to be able to build osquery sdk against fbthrift I moved it to fbcode from oss.
Later if we want to osqeruy work with fbthrift we can copy/move it again
Reviewed By: marekcirkos
Differential Revision: D14124448
fbshipit-source-id: aaeadb40a6fac19621423b225cf6d522607d1313
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5452
As suggested in another diff, this diff updates the language we use to describe the osquery licensing terms. We are changing all instances of
//This source code is licensed as defined on the LICENSE file found in the root directory of this source tree.//
to
//This source code is licensed in accordance with the terms specified in the LICENSE file found in the root directory of this source tree.//
We accomplish this with a codemod:
$ codemod -md xplat/osquery/oss --extensions cpp,h,in,py,sh,mm,ps1 "(.\s+)This source code is licensed as defined on the LICENSE file found in the(.*)root directory of this source tree\." "\1This source code is licensed in accordance with the terms specified in\2the LICENSE file found in the root directory of this source tree."
Reviewed By: fmanco
Differential Revision: D14131290
fbshipit-source-id: 52c90da342263e2a80f5a678ecd760c19cf7513e
Summary:
Initial steps to separate plugins from the rest of osquery. On the long run separating plugins will provide more build flexibility such that we can have configurable builds that include only the bits and pieces we actually need per deployment. Reducing the attack surface, possibility of supply chain attacks, binary size, etc.
Move config and config_parser plugins
Reviewed By: marekcirkos
Differential Revision: D14119102
fbshipit-source-id: 0bc956398b3829c6f1013b38ebba2f0fc1071a93
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5445
This diff adds a Facebook copyright header to files in the osquery open source repository which:
* Facebook owns
* Do not currently have a Facebook copyright header
Reviewed By: marekcirkos
Differential Revision: D14122845
fbshipit-source-id: 5a0fea10189ec4ec893f7a036911fd51de0e01ae
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5390
to eliminate the effect of dropping privileges in other threads causing poll-ing EINTR errors in thrift.
According to ref to [bugzilla.redhat](https://bugzilla.redhat.com/show_bug.cgi?id=473907) in case of changing privileges `glibc` sends SIGRT_1 to other threads which lead to poll be interrupted. On posix we can not have different credentials for thread of one process. Therefore the solution is either to do not use dropping privileges for the whole osquery process or patch all usages of poll in thrift code. I like first option more because playing with permissions of the whole `osqueryd` can cause unpredicted interferences between threads. For instance the same table can provide different results because some other thread dropping and regaining privileges at the same time.
So, the solution for now I'd like to suggest is remove dropping privileges from safe places like reading files with known hostnames or shell history files. And because we can not interact with apt/rpm/yum databases as root and should drop to none user for it I'd suggest to increase the number of attempts to poll in case of EINTR. It can significantly eliminate the problem for now.
To address the problem in issue: [#5326](https://github.com/facebook/osquery/issues/5326)
Thanks fmanco for the help to investigate this problem.
Reviewed By: fmanco
Differential Revision: D13781886
fbshipit-source-id: 4b1f2b7d20c925cc19ba79cc0a2906b65e815c0b
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5375
LICENSE is now defined in a single file on the root of the project, update the
header to contain that information.
**Project LICENSE did not change.**
Reviewed By: akindyakov
Differential Revision: D13750575
fbshipit-source-id: 1e608a81b260b8395f9d008fc67f463160c1fc2b
Summary:
While running `misspell` on a different codebase. I happened to notice that some misspellings in the osquery code base. So, I fixed them
Pull Request resolved: https://github.com/facebook/osquery/pull/5256
Reviewed By: guliashvili
Differential Revision: D13670897
Pulled By: fmanco
fbshipit-source-id: 5d33d858284955c376e8c3980acdf366d4edf3d3
Summary: Windows named pipe requires a bit different name format in compare to posix platforms.
Reviewed By: guliashvili
Differential Revision: D13376805
fbshipit-source-id: 443c8f963863adbacd1edb76945919f00a1a2e4e
osquery itself does not care about unicode validity in table columns,
just takes it "as is". It definetely makes sense, because it could be broken.
But thrift extensions interface for python do it.
If, for instance, shell history contains broken unicode test `python_test_example_queries`
will fail.
```bash
% sed -n '5277p' < ~/.zsh_history | xxd -b [146]
00000000: 11000011 10000011 10111111 01101100 01110011 00001010 ...ls.
```
