mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-07 09:58:54 +00:00
57c6b2a521
The OS X kernel subscribers have not been starting because they expect the publisher thread to run before they begin configuration. Due to some recent refactors the publisher thread creation now occurs after configuration. The subscriber logic to check for a valid kernel connection is still valid. This commit has two additional side-effects: - The RocksDB plugin is modified to use 3 background merge threads. - The OS X kernel publisher syncing thread is now non-blocking.
218 lines
4.7 KiB
C
218 lines
4.7 KiB
C
/*
|
|
* Copyright (c) 2014-present, Facebook, Inc.
|
|
* All rights reserved.
|
|
*
|
|
* This source code is licensed under the BSD-style license found in the
|
|
* LICENSE file in the root directory of this source tree. An additional grant
|
|
* of patent rights can be found in the PATENTS file in the same directory.
|
|
*
|
|
*/
|
|
|
|
#pragma once
|
|
|
|
#include <stdint.h>
|
|
#include <sys/types.h>
|
|
|
|
#ifdef __linux__
|
|
#include <linux/ioctl.h>
|
|
#include <linux/limits.h>
|
|
|
|
#define MAXPATHLEN PATH_MAX
|
|
#else
|
|
#include <sys/ioccom.h>
|
|
#include <sys/param.h>
|
|
#endif
|
|
|
|
/** @brief Communication version between kernel and daemon.
|
|
*
|
|
* A daemon may only connect to a kernel with the same communication version.
|
|
* Bump this number when changing or adding any event structs.
|
|
*/
|
|
#define OSQUERY_KERNEL_COMMUNICATION_VERSION 4
|
|
#ifdef KERNEL_TEST
|
|
#define OSQUERY_KERNEL_COMM_VERSION \
|
|
(OSQUERY_KERNEL_COMMUNICATION_VERSION | (1UL << 63))
|
|
#else
|
|
#define OSQUERY_KERNEL_COMM_VERSION (OSQUERY_KERNEL_COMMUNICATION_VERSION | 0UL)
|
|
#endif
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
/**
|
|
* @def KERNEL_TEST
|
|
* @brief This gates the testing portions of kernel module.
|
|
*
|
|
* When kernel test is defined two testing events are exposed. Additionally
|
|
* the character device can be opened multiple times, which allows the use of
|
|
* a reentrant testing IOCTL call that adds test events to the cqueue structure.
|
|
*/
|
|
|
|
//
|
|
// Event feed types
|
|
//
|
|
|
|
typedef enum {
|
|
// Null event used to signal the end of the buffer.
|
|
END_OF_BUFFER_EVENT = 0,
|
|
OSQUERY_NULL_EVENT = 0,
|
|
OSQUERY_PROCESS_EVENT,
|
|
OSQUERY_FILE_EVENT,
|
|
|
|
#ifdef KERNEL_TEST
|
|
OSQUERY_TEST_EVENT_0,
|
|
OSQUERY_TEST_EVENT_1,
|
|
#endif // KERNEL_TEST
|
|
|
|
// Number of different event types.
|
|
OSQUERY_NUM_EVENTS,
|
|
} osquery_event_t;
|
|
|
|
typedef struct {
|
|
uint64_t pid;
|
|
uint64_t ppid;
|
|
uint64_t uid;
|
|
uint64_t euid;
|
|
uint64_t gid;
|
|
uint64_t egid;
|
|
uint64_t owner_uid;
|
|
uint64_t owner_gid;
|
|
uint64_t create_time;
|
|
uint64_t access_time;
|
|
uint64_t modify_time;
|
|
uint64_t change_time;
|
|
int mode;
|
|
char path[MAXPATHLEN];
|
|
size_t argv_offset;
|
|
int argc;
|
|
int actual_argc;
|
|
size_t arg_length;
|
|
size_t envv_offset;
|
|
int envc;
|
|
int actual_envc;
|
|
size_t env_length;
|
|
|
|
// Flexible array space.
|
|
char flexible_data[0];
|
|
} osquery_process_event_t;
|
|
|
|
typedef enum {
|
|
OSQUERY_FILE_ACTION_NONE = 0,
|
|
OSQUERY_FILE_ACTION_OPEN = 1,
|
|
OSQUERY_FILE_ACTION_CLOSE = 1 << 1,
|
|
OSQUERY_FILE_ACTION_CLOSE_MODIFIED = 1 << 2
|
|
} osquery_file_action_t;
|
|
|
|
typedef struct {
|
|
osquery_file_action_t action;
|
|
uint64_t pid;
|
|
uint64_t ppid;
|
|
uint64_t uid;
|
|
uint64_t euid;
|
|
uint64_t gid;
|
|
uint64_t egid;
|
|
uint64_t owner_uid;
|
|
uint64_t owner_gid;
|
|
uint64_t create_time;
|
|
uint64_t access_time;
|
|
uint64_t modify_time;
|
|
uint64_t change_time;
|
|
int mode;
|
|
char path[MAXPATHLEN];
|
|
} osquery_file_event_t;
|
|
|
|
typedef struct {
|
|
osquery_file_action_t actions;
|
|
char path[MAXPATHLEN];
|
|
} osquery_file_event_subscription_t;
|
|
|
|
#ifdef KERNEL_TEST
|
|
typedef struct {
|
|
uint32_t my_num;
|
|
char my_str[4096];
|
|
} test_event_0_data_t;
|
|
|
|
typedef struct {
|
|
uint32_t my_num;
|
|
char my_str[33];
|
|
} test_event_1_data_t;
|
|
#endif // KERNEL_TEST
|
|
|
|
//
|
|
// Header for event data.
|
|
//
|
|
|
|
typedef struct {
|
|
/// Calendar time in seconds since UNIX epoch.
|
|
uint32_t time;
|
|
/// System uptime in seconds.
|
|
uint32_t uptime;
|
|
} osquery_event_time_t;
|
|
|
|
typedef struct {
|
|
osquery_event_t event;
|
|
int finished;
|
|
|
|
// Should be second to last member of header.
|
|
size_t size;
|
|
|
|
// Should be last member of header.
|
|
osquery_event_time_t time;
|
|
} osquery_data_header_t;
|
|
|
|
//
|
|
// IOCTL messages
|
|
//
|
|
|
|
typedef struct {
|
|
osquery_event_t event;
|
|
int subscribe;
|
|
} osquery_subscription_args_t;
|
|
|
|
// Flags for buffer sync options.
|
|
enum osquery_options {
|
|
OSQUERY_OPTIONS_DEFAULT = 0,
|
|
OSQUERY_OPTIONS_NO_BLOCK = 1,
|
|
};
|
|
|
|
typedef struct {
|
|
// Option such as OSQUERY_NO_BLOCK.
|
|
int options;
|
|
|
|
// Offset of daemon read pointer.
|
|
size_t read_offset;
|
|
|
|
// (Output) Offset of max_read pointer.
|
|
size_t max_read_offset;
|
|
|
|
// (Output) Number of drops or negative on overflow.
|
|
int drops;
|
|
} osquery_buf_sync_args_t;
|
|
|
|
typedef struct {
|
|
// Size of shared user kernel buffer.
|
|
size_t size;
|
|
// (Output) Pointer to buffer location.
|
|
void *buffer;
|
|
// osquery kernel communication version.
|
|
uint64_t version;
|
|
} osquery_buf_allocate_args_t;
|
|
|
|
// TODO: Choose a proper IOCTL num.
|
|
#define OSQUERY_IOCTL_NUM 0xFA
|
|
#define OSQUERY_IOCTL_SUBSCRIPTION \
|
|
_IOW(OSQUERY_IOCTL_NUM, 0x1, osquery_subscription_args_t)
|
|
#define OSQUERY_IOCTL_BUF_SYNC \
|
|
_IOWR(OSQUERY_IOCTL_NUM, 0x2, osquery_buf_sync_args_t)
|
|
#define OSQUERY_IOCTL_BUF_ALLOCATE \
|
|
_IOWR(OSQUERY_IOCTL_NUM, 0x3, osquery_buf_allocate_args_t)
|
|
|
|
#ifdef KERNEL_TEST
|
|
#define OSQUERY_IOCTL_TEST _IOW(OSQUERY_IOCTL_NUM, 0x4, int)
|
|
#endif // KERNEL_TEST
|
|
|
|
#ifdef __cplusplus
|
|
} // end extern "c"
|
|
#endif
|