Date:      Sun, 10 May 2015 15:19:12 +0000 (UTC)
From:      Ryan Steinmetz <zi@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r385963 - in head/sysutils: . osquery osquery/files
Message-ID:  <201505101519.t4AFJCH4087366@svn.freebsd.org>

Author: zi
Date: Sun May 10 15:19:11 2015
New Revision: 385963
URL: https://svnweb.freebsd.org/changeset/ports/385963

Log:
  New port: sysutils/osquery:
  
  osquery exposes an operating system as a high-performance relational database.
  This allows you to write SQL-based queries to explore operating system data.
  With osquery, SQL tables represent abstract concepts such as running
  processes, loaded kernel modules, open network connections, browser plugins,
  hardware events or file hashes.
  
  WWW: https://osquery.io/
  
  Sponsored by:	Beer from wxs@

Added:
  head/sysutils/osquery/
  head/sysutils/osquery/Makefile   (contents, props changed)
  head/sysutils/osquery/distinfo   (contents, props changed)
  head/sysutils/osquery/files/
  head/sysutils/osquery/files/osqueryd.in   (contents, props changed)
  head/sysutils/osquery/files/patch-CMakeLists.txt   (contents, props changed)
  head/sysutils/osquery/files/patch-CMake_CMakeLibs.cmake   (contents, props changed)
  head/sysutils/osquery/files/patch-CMake_FindGlog.cmake   (contents, props changed)
  head/sysutils/osquery/files/patch-Makefile   (contents, props changed)
  head/sysutils/osquery/files/patch-include_osquery_core.h   (contents, props changed)
  head/sysutils/osquery/files/patch-include_osquery_events.h   (contents, props changed)
  head/sysutils/osquery/files/patch-include_osquery_flags.h   (contents, props changed)
  head/sysutils/osquery/files/patch-include_osquery_registry.h   (contents, props changed)
  head/sysutils/osquery/files/patch-kernel_linux_.gitignore   (contents, props changed)
  head/sysutils/osquery/files/patch-kernel_linux_Makefile   (contents, props changed)
  head/sysutils/osquery/files/patch-kernel_linux_hash.c   (contents, props changed)
  head/sysutils/osquery/files/patch-kernel_linux_hash.h   (contents, props changed)
  head/sysutils/osquery/files/patch-kernel_linux_hide.c   (contents, props changed)
  head/sysutils/osquery/files/patch-kernel_linux_hide.h   (contents, props changed)
  head/sysutils/osquery/files/patch-kernel_linux_main.c   (contents, props changed)
  head/sysutils/osquery/files/patch-kernel_linux_sysfs.c   (contents, props changed)
  head/sysutils/osquery/files/patch-kernel_linux_sysfs.h   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_CMakeLists.txt   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_config_config.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_config_plugins_http.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_config_plugins_tests_http__config__tests.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_core_watcher.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_core_watcher.h   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_database_db__handle.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_dispatcher_dispatcher.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_dispatcher_dispatcher.h   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_dispatcher_scheduler.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_dispatcher_scheduler.h   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_dispatcher_tests_dispatcher__tests.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_events_darwin_fsevents.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_events_darwin_fsevents.h   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_events_darwin_tests_fsevents__tests.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_events_events.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_extensions_extensions.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_extensions_interface.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_extensions_interface.h   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_extensions_tests_extensions__tests.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_filesystem_CMakeLists.txt   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_main_run.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_remote_enrollment_plugins_tests_http__enrollment__tests.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_remote_requests.h   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_remote_transports_http.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_remote_transports_tests_http__transports__tests.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_tables_CMakeLists.txt   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_tables_networking_interfaces.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_tables_networking_utils.h   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_tables_specs_blacklist   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_tables_system_centos_rpm__packages.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_tables_system_freebsd_sysctl__utils.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-osquery_tables_system_linux_os__version.cpp   (contents, props changed)
  head/sysutils/osquery/files/patch-third-party_cpp-netlib_CMakeLists.txt   (contents, props changed)
  head/sysutils/osquery/files/patch-third-party_cpp-netlib_libs_network_src_CMakeLists.txt   (contents, props changed)
  head/sysutils/osquery/files/patch-third-party_glog_src_glog_stl__logging.h.in   (contents, props changed)
  head/sysutils/osquery/files/patch-third-party_glog_src_googletest.h   (contents, props changed)
  head/sysutils/osquery/files/patch-third-party_glog_src_logging__unittest.cc   (contents, props changed)
  head/sysutils/osquery/files/patch-third-party_glog_src_stacktrace__unittest.cc   (contents, props changed)
  head/sysutils/osquery/files/patch-third-party_glog_src_stl__logging__unittest.cc   (contents, props changed)
  head/sysutils/osquery/files/patch-third-party_glog_src_utilities.h   (contents, props changed)
  head/sysutils/osquery/files/patch-tools_codegen_gentable.py   (contents, props changed)
  head/sysutils/osquery/files/patch-tools_deployment_osquery.example.conf   (contents, props changed)
  head/sysutils/osquery/files/patch-tools_provision_freebsd.sh   (contents, props changed)
  head/sysutils/osquery/files/patch-tools_provision_lib.sh   (contents, props changed)
  head/sysutils/osquery/files/patch-tools_tests_test__extensions.py   (contents, props changed)
  head/sysutils/osquery/pkg-descr   (contents, props changed)
  head/sysutils/osquery/pkg-message   (contents, props changed)
  head/sysutils/osquery/pkg-plist   (contents, props changed)
Modified:
  head/sysutils/Makefile

Modified: head/sysutils/Makefile
==============================================================================
--- head/sysutils/Makefile	Sun May 10 15:17:08 2015	(r385962)
+++ head/sysutils/Makefile	Sun May 10 15:19:11 2015	(r385963)
@@ -581,6 +581,7 @@
     SUBDIR += openipmi
     SUBDIR += openupsd
     SUBDIR += ori
+    SUBDIR += osquery
     SUBDIR += p5-BSD-Jail-Object
     SUBDIR += p5-BSD-Process
     SUBDIR += p5-BSD-Sysctl

Added: head/sysutils/osquery/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/Makefile	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,74 @@
+# Created by: Ryan Steinmetz <zi@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME=	osquery
+PORTVERSION=	1.4.5
+CATEGORIES=	sysutils
+MASTER_SITES=	GH:ghc \
+		https://codeload.github.com/${PORTNAME}/third-party/tar.gz/${PORTVERSION}?dummy=/:gh
+DISTFILES=	${PORTNAME}-${PORTVERSION}.tar.gz:ghc \
+		third-party-${PORTVERSION}.tar.gz:gh
+
+MAINTAINER=	zi@FreeBSD.org
+COMMENT=	SQL powered OS instrumentation, monitoring, and analytics
+
+LICENSE=	BSD3CLAUSE
+
+BUILD_DEPENDS=	snappy>0:${PORTSDIR}/archivers/snappy \
+		rocksdb>0:${PORTSDIR}/databases/rocksdb \
+		thrift>0:${PORTSDIR}/devel/thrift \
+		thrift-cpp>0:${PORTSDIR}/devel/thrift-cpp \
+		bash>0:${PORTSDIR}/shells/bash \
+		yara>0:${PORTSDIR}/security/yara \
+		doxygen:${PORTSDIR}/devel/doxygen \
+		${PYTHON_PKGNAMEPREFIX}MarkupSafe>0:${PORTSDIR}/textproc/py-MarkupSafe \
+		${PYTHON_PKGNAMEPREFIX}psutil>0:${PORTSDIR}/sysutils/py-psutil \
+		${PYTHON_PKGNAMEPREFIX}argparse>0:${PORTSDIR}/devel/py-argparse \
+		${PYTHON_PKGNAMEPREFIX}pexpect>0:${PORTSDIR}/misc/py-pexpect \
+		${PYTHON_PKGNAMEPREFIX}Jinja2>0:${PORTSDIR}/devel/py-Jinja2  \
+		${PYTHON_PKGNAMEPREFIX}thrift>0:${PORTSDIR}/devel/py-thrift \
+		${PYTHON_PKGNAMEPREFIX}pip>0:${PORTSDIR}/devel/py-pip
+LIB_DEPENDS=	libboost_regex.so:${PORTSDIR}/devel/boost-libs \
+		libgflags.so:${PORTSDIR}/devel/gflags \
+		libicuuc.so:${PORTSDIR}/devel/icu
+
+USES=		cmake:outsource gmake libtool python:build compiler:c++11-lib
+CMAKE_ENV+=	OSQUERY_BUILD_VERSION="${PORTVERSION}" HOME="${WRKDIR}" SKIP_TESTS="yes"
+CMAKE_ARGS+=	-DFREEBSD=awesome -DCMAKE_SYSTEM_NAME="FreeBSD"
+BLDDIR=		${WRKDIR}/.build/${PORTNAME}
+USE_RC_SUBR=	${PORTNAME}d
+USE_GITHUB=	yes
+GH_ACCOUNT=	facebook
+MAKE_JOBS_UNSAFE=	yes
+
+.include <bsd.port.pre.mk>
+
+.if ${OSVERSION} <= 1000000
+CFLAGS+=	-D_GLIBCXX_USE_C99
+.endif
+
+post-extract:
+	${RMDIR} ${WRKSRC}/third-party
+	${LN} -sf ${WRKDIR}/third-party-${PORTVERSION} ${WRKSRC}/third-party
+
+post-patch:
+	${REINPLACE_CMD} -e 's|/var/osquery/osquery.conf|${PREFIX}/etc/osquery.conf|g' \
+		${WRKSRC}/osquery/config/plugins/filesystem.cpp
+	${REINPLACE_CMD} -e 's|/var/osquery/|/var/db/osquery/|g' \
+		${WRKSRC}/tools/deployment/osquery.example.conf
+	${REINPLACE_CMD} -e 's|python |${PYTHON_CMD} |g' \
+		${WRKSRC}/CMake/CMakeLibs.cmake \
+		${WRKSRC}/CMakeLists.txt
+
+do-install:
+	${INSTALL_PROGRAM} ${BLDDIR}/osqueryi ${STAGEDIR}${PREFIX}/bin
+	${INSTALL_PROGRAM} ${BLDDIR}/osqueryd ${STAGEDIR}${PREFIX}/sbin
+	${INSTALL_DATA} ${BLDDIR}/libosquery.a ${STAGEDIR}${PREFIX}/lib
+	(cd ${WRKSRC}/include && ${COPYTREE_SHARE} ${PORTNAME} ${STAGEDIR}${PREFIX}/include)
+	${INSTALL_DATA} ${WRKSRC}/tools/deployment/osquery.example.conf \
+		${STAGEDIR}${PREFIX}/etc/osquery.conf.sample
+
+post-stage:
+	${MKDIR} ${STAGEDIR}/var/db/osquery
+
+.include <bsd.port.post.mk>
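Review bot: `${PYTHON_PKGNAMEPREFIX}pip` in BUILD_DEPENDS (L149) suggests the tree's provisioning still reaches for pip, which would pull packages from PyPI at build time outside distinfo's checksums and break in a network-isolated builder; if `tools/provision/freebsd.sh` as patched no longer calls pip, drop the dependency, and if it still does, the modules it installs need to become ports dependencies instead. The second distfile is a GitHub-generated archive (`codeload.github.com/.../tar.gz/${PORTVERSION}?dummy=/`) rather than a release asset, and such archives can be regenerated with different bytes, which would make the pinned SHA256 in distinfo fail; consider fetching it through the same `GH:` mechanism as the main tarball or mirroring it on a FreeBSD-controlled site. Finally, `post-stage` creates `${STAGEDIR}/var/db/osquery` with default permissions; since that directory holds the daemon's database (see the `/var/osquery/` to `/var/db/osquery/` rewrite in post-patch) and the daemon runs as root, `${MKDIR} -m 0700` (or a matching `@dir` entry in the pkg-plist this commit adds but does not show here) would keep other local users out of collected results.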

Added: head/sysutils/osquery/distinfo
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/distinfo	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,4 @@
+SHA256 (osquery-1.4.5.tar.gz) = b0812eec4ca53eb6ada4692330caaed00ed1e50ead43b99486b3d15139369738
+SIZE (osquery-1.4.5.tar.gz) = 412622
+SHA256 (third-party-1.4.5.tar.gz) = 06897b9ddf637c61f5c9e90f640b9f8c50c124d6276058a71f7d952439c8e58f
+SIZE (third-party-1.4.5.tar.gz) = 6073986

Added: head/sysutils/osquery/files/osqueryd.in
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/osqueryd.in	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: osqueryd
+# REQUIRE: %%REQUIRE%%
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf to enable osqueryd:
+#
+# osqueryd_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=osqueryd
+rcvar=osqueryd_enable
+load_rc_config $name
+
+command=%%PREFIX%%/sbin/osqueryd
+
+osqueryd_enable=${osqueryd_enable-"NO"}
+osqueryd_flags=${osqueryd_flags-""}
+osqueryd_config=${osqueryd_config-"%%PREFIX%%/etc/osquery.conf"}
+required_files=${osqueryd_config}
+command_args="--pidfile /var/run/osqueryd.pid --disable_watchdog --daemonize=true --config_path=${osqueryd_config}"
+extra_commands="configtest"
+configtest_cmd="configtest"
+pidfile="/var/run/osqueryd.pid"
+
+start_precmd=prestart
+
+configtest() {
+    ${command} ${osqueryd_flags} --config_check --config_path=${osqueryd_config} --verbose
+}
+
+prestart() {
+    install -d /var/db/osquery
+}
+
+run_rc_command "$1"
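Review bot: `prestart` creates `/var/db/osquery` with `install -d` and no mode (L247), so the daemon's database directory (RocksDB, judging by the dependency and the `/var/osquery/` to `/var/db/osquery/` rewrite in the port Makefile) is world-readable at 0755 while osqueryd itself runs as root and may buffer process, socket and file-hash results there; `install -d -m 0700 /var/db/osquery` limits that to root. The default `command_args` also pass `--disable_watchdog`, which turns off the worker's CPU/memory limits and automatic restart; presumably the watcher/worker model needs the `patch-osquery_core_watcher.cpp` work before it runs on FreeBSD, but the script should say so, e.g. `# --disable_watchdog: watcher/worker model not yet working on FreeBSD`, and expose it as an `osqueryd_watchdog` knob so operators can turn it back on once it works. Lastly, `osqueryd_enable=${osqueryd_enable-"NO"}` after `load_rc_config` works, but the conventional rc.d spelling is `: ${osqueryd_enable:="NO"}`, which also handles an empty setting.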

Added: head/sysutils/osquery/files/patch-CMakeLists.txt
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-CMakeLists.txt	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,164 @@
+--- CMakeLists.txt.orig	2015-05-05 00:16:41 UTC
++++ CMakeLists.txt
+@@ -1,7 +1,18 @@
+ cmake_minimum_required(VERSION 2.8.12)
+ 
+-set(CMAKE_C_COMPILER "clang")
+-set(CMAKE_CXX_COMPILER "clang++")
++#if(NOT DEFINED ENV{CC})
++#  set(CMAKE_C_COMPILER "clang")
++#else()
++#  set(CMAKE_C_COMPILER "$ENV{CC}")
++#  message("-- Overriding C compiler from clang to $ENV{CC}")
++#endif()
++#if(NOT DEFINED ENV{CXX})
++#  set(CMAKE_CXX_COMPILER "clang++")
++#else()
++#  set(CMAKE_CXX_COMPILER "$ENV{CXX}")
++#  message("-- Overriding CXX compiler from clang++ to $ENV{CXX}")
++#endif()
++
+ add_compile_options(
+   -Wall
+   -Wextra
+@@ -22,6 +33,21 @@ add_compile_options(
+ )
+ set(CXX_COMPILE_FLAGS "")
+ 
++# Use osquery language to set platform/os
++execute_process(
++  COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" get_platform
++  WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
++  OUTPUT_VARIABLE PLATFORM
++  OUTPUT_STRIP_TRAILING_WHITESPACE
++)
++
++list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM)
++list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO)
++string(REPLACE "." "_" PLATFORM "${PLATFORM}")
++string(TOUPPER "${PLATFORM}" PLATFORM)
++list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM_DEFINE)
++list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO_DEFINE)
++
+ # Set non-C compile flags and whole-loading linker flags.
+ # osquery needs ALL symbols in the libraries it includes for relaxed ctors
+ # late-loading modules and SQLite introspection utilities.
+@@ -34,34 +60,21 @@ if(APPLE)
+   # Special compile flags for Objective-C++
+   set(OBJCXX_COMPILE_FLAGS
+     "-x objective-c++ -fobjc-arc -Wno-c++11-extensions -mmacosx-version-min=${APPLE_MIN_ABI}")
+-elseif(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
+-  set(FREEBSD TRUE)
+-  set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -std=c++11 -stdlib=libc++")
+-  set(OS_WHOLELINK_PRE "")
+-  set(OS_WHOLELINK_POST "")
+ else()
+-  set(LINUX TRUE)
+-  # Do not use the shared linker flags for modules.
+   set(CXX_COMPILE_FLAGS "${CXX_COMPILE_FLAGS} -std=c++11")
+   set(OS_WHOLELINK_PRE "-Wl,-whole-archive")
+   set(OS_WHOLELINK_POST "-Wl,-no-whole-archive")
++  # Set CMAKE variables depending on platform, to know which tables and what
++  # component-specific globbing is needed.
++  if(${OSQUERY_BUILD_PLATFORM} STREQUAL "freebsd")
++    set(FREEBSD TRUE)
++    set(LINUX FALSE)
++  else()
++    set(LINUX TRUE)
++    set(FREEBSD FALSE)
++  endif()
+ endif()
+ 
+-# Use osquery language to set platform/os
+-execute_process(
+-  COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" get_platform
+-  WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+-  OUTPUT_VARIABLE PLATFORM
+-  OUTPUT_STRIP_TRAILING_WHITESPACE
+-)
+-
+-list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM)
+-list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO)
+-string(REPLACE "." "_" PLATFORM "${PLATFORM}")
+-string(TOUPPER "${PLATFORM}" PLATFORM)
+-list(GET PLATFORM 0 OSQUERY_BUILD_PLATFORM_DEFINE)
+-list(GET PLATFORM 1 OSQUERY_BUILD_DISTRO_DEFINE)
+-
+ # RHEL6 uses a different gcc 4.9 runtime
+ if(${OSQUERY_BUILD_DISTRO} STREQUAL "rhel6")
+   set(GCC_RUNTIME "/opt/rh/devtoolset-3/root/usr/")
+@@ -73,7 +86,7 @@ endif()
+ if(DEFINED ENV{DEBUG})
+   set(DEBUG TRUE)
+   set(CMAKE_BUILD_TYPE "Debug")
+-  add_compile_options(-g -O0 -pg)
++  add_compile_options(-g -O0)
+   add_definitions(-DDEBUG)
+   message("-- Setting DEBUG build")
+ elseif(DEFINED ENV{SANITIZE})
+@@ -116,7 +129,7 @@ endif()
+ # Finished setting compiler/compiler flags.
+ project(OSQUERY)
+ 
+-# Make sure deps were built before compiling (else show warning)
++# Make sure deps were built before compiling (else show warning).
+ execute_process(
+   COMMAND "${CMAKE_SOURCE_DIR}/tools/provision.sh" check "${CMAKE_BINARY_DIR}"
+   WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+@@ -126,16 +139,23 @@ execute_process(
+ )
+ string(ASCII 27 Esc)
+ if(OSQUERY_DEPS_CHECK)
+-  message(WARNING "${Esc}[31m${OSQUERY_DEPS_MESSAGE}${Esc}[m")
++  message("-- ${Esc}[31m${OSQUERY_DEPS_MESSAGE}${Esc}[m")
+ endif()
+ 
+-# Generate version from git
+-execute_process(
+-  COMMAND git describe --tags HEAD --always
+-  WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+-  OUTPUT_VARIABLE OSQUERY_BUILD_VERSION
+-  OUTPUT_STRIP_TRAILING_WHITESPACE
+-)
++# Discover build version from an environment variable or from the git checkout.
++if(DEFINED ENV{OSQUERY_BUILD_VERSION})
++  set(OSQUERY_BUILD_VERSION "$ENV{OSQUERY_BUILD_VERSION}")
++else()
++  # Generate version from git
++  execute_process(
++    COMMAND git describe --tags HEAD --always
++    WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
++    OUTPUT_VARIABLE OSQUERY_BUILD_VERSION
++    OUTPUT_STRIP_TRAILING_WHITESPACE
++  )
++endif()
++
++# Discover the SDK version from an environment variable or the build version.
+ if(DEFINED ENV{SDK_VERSION})
+   set(OSQUERY_BUILD_SDK_VERSION "${ENV{SDK_VERSION}}")
+ else()
+@@ -164,7 +184,8 @@ elseif(OSQUERY_BUILD_PLATFORM STREQUAL "
+ elseif(OSQUERY_BUILD_PLATFORM STREQUAL "rhel")
+   set(RHEL TRUE)
+   message("-- Building for RHEL")
+-elseif(FREEBSD)
++elseif(OSQUERY_BUILD_PLATFORM STREQUAL "freebsd")
++  set(FREEBSD TRUE)
+   message("-- Building for FreeBSD")
+ endif()
+ 
+@@ -233,7 +254,7 @@ add_custom_target(
+ # make format
+ add_custom_target(
+   format
+-  python "${CMAKE_SOURCE_DIR}/tools/formatting/git-clang-format.py"
++  python2 "${CMAKE_SOURCE_DIR}/tools/formatting/git-clang-format.py"
+   WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+   COMMENT "Formatting code staged code changes with clang-format" VERBATIM
+ )
+@@ -244,4 +265,5 @@ add_custom_target(
+   "${CMAKE_SOURCE_DIR}/tools/sync.sh" "${CMAKE_BINARY_DIR}"
+   WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+   COMMENT "Generating sdk sync: ${CMAKE_BINARY_DIR}/sync"
++  DEPENDS osquery_extensions osquery_amalgamation
+ )
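Review bot: The dependency check's `message(WARNING ...)` is demoted to a plain `message("-- ...")` (L368–L369) without saying why, so a failing `tools/provision.sh check` now scrolls past as an ordinary status line; if the check is moot under ports because every dependency comes from BUILD_DEPENDS/LIB_DEPENDS rather than provision.sh, a comment such as `# Deps come from the ports tree; provision.sh's check is informational only` would make that explicit, and otherwise the WARNING should stay. The same hunk drops `-pg` from the DEBUG build with no rationale, and rewrites `python` as `python2` in the `format` target; the latter collides with the port Makefile's `post-patch`, which replaces `python ` with `${PYTHON_CMD} ` after patching and therefore no longer matches this line, leaving the target tied to whatever `python2` is in PATH. Either leave `python` in the patch and let the REINPLACE handle it, or use `${PYTHON_EXECUTABLE}` here and drop the REINPLACE.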

Added: head/sysutils/osquery/files/patch-CMake_CMakeLibs.cmake
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-CMake_CMakeLibs.cmake	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,46 @@
+--- CMake/CMakeLibs.cmake.orig	2015-05-05 00:16:41 UTC
++++ CMake/CMakeLibs.cmake
+@@ -15,7 +15,7 @@ endmacro(SET_OSQUERY_COMPILE)
+ 
+ macro(ADD_OSQUERY_PYTHON_TEST TEST_NAME SOURCE)
+   add_test(NAME python_${TEST_NAME}
+-    COMMAND python "${CMAKE_SOURCE_DIR}/tools/tests/${SOURCE}" --build "${CMAKE_BINARY_DIR}"
++    COMMAND python2 "${CMAKE_SOURCE_DIR}/tools/tests/${SOURCE}" --build "${CMAKE_BINARY_DIR}"
+     WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}/tools/tests/")
+ endmacro(ADD_OSQUERY_PYTHON_TEST)
+ 
+@@ -30,7 +30,7 @@ endmacro(ADD_OSQUERY_LINK)
+ 
+ macro(ADD_OSQUERY_LINK_INTERNAL LINK LINK_PATHS LINK_SET)
+   if(NOT "${LINK}" MATCHES "(^[-/].*)")
+-    find_library("${LINK}_library" NAMES "lib${LINK}.a" "${LINK}" ${LINK_PATHS})
++      find_library("${LINK}_library" NAMES "${LINK}" "lib${LINK}" ${LINK_PATHS})
+     message("-- Found library dependency ${${LINK}_library}")
+     if("${${LINK}_library}" STREQUAL "${${LINK}_library}-NOTFOUND")
+       string(ASCII 27 Esc)
+@@ -105,7 +105,6 @@ endmacro(ADD_OSQUERY_EXTENSION)
+ 
+ macro(ADD_OSQUERY_MODULE TARGET)
+   add_library(${TARGET} SHARED ${ARGN})
+-  target_link_libraries(${TARGET} dl)
+   add_dependencies(${TARGET} libglog libosquery)
+   if(APPLE)
+     target_link_libraries(${TARGET} "-undefined dynamic_lookup")
+@@ -182,7 +181,7 @@ macro(GENERATE_TABLE TABLE_FILE NAME BAS
+   GET_GENERATION_DEPS(${BASE_PATH})
+   add_custom_command(
+     OUTPUT "${TABLE_FILE_GEN}"
+-    COMMAND python "${BASE_PATH}/tools/codegen/gentable.py"
++    COMMAND python2 "${BASE_PATH}/tools/codegen/gentable.py"
+       "${TABLE_FILE}" "${TABLE_FILE_GEN}" "$ENV{DISABLE_BLACKLIST}"
+     DEPENDS ${TABLE_FILE} ${GENERATION_DEPENDENCIES}
+     WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
+@@ -207,7 +206,7 @@ macro(AMALGAMATE BASE_PATH NAME OUTPUT)
+   # Append all of the code to a single amalgamation.
+   add_custom_command(
+     OUTPUT "${CMAKE_BINARY_DIR}/generated/${NAME}_amalgamation.cpp"
+-    COMMAND python "${BASE_PATH}/tools/codegen/amalgamate.py"
++    COMMAND python2 "${BASE_PATH}/tools/codegen/amalgamate.py"
+       "${BASE_PATH}/osquery/tables/" "${CMAKE_BINARY_DIR}/generated" "${NAME}"
+     DEPENDS ${GENERATED_TARGETS} ${GENERATION_DEPENDENCIES}
+     WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
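Review bot: `python2` is hard-coded in the `GENERATE_TABLE` and `AMALGAMATE` commands (L460, L469), which are on the critical build path, yet the port selects an interpreter with `USES=python:build` and tries to substitute it in `post-patch` with `s|python |${PYTHON_CMD} |g` on this very file; since patches apply before post-patch, `python2 "` no longer matches `python ` and the build silently depends on a `python2` in PATH. Leave `python` in the patch and let the REINPLACE do its job, or write `${PYTHON_EXECUTABLE}` here and delete the REINPLACE. The `find_library` change at L443 also reverses the search preference from static archives (`lib${LINK}.a` first) to whatever CMake finds first, which on a ports host is the shared library; since the top-level CMakeLists whole-archives libraries so that their static constructors survive, a comment explaining that ports-supplied libraries are expected to be linked normally (and the line re-indented to four spaces like its neighbours) would save the next reader a puzzle.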

Added: head/sysutils/osquery/files/patch-CMake_FindGlog.cmake
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-CMake_FindGlog.cmake	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,34 @@
+--- CMake/FindGlog.cmake.orig	2015-05-05 00:16:41 UTC
++++ CMake/FindGlog.cmake
+@@ -6,20 +6,6 @@ endif()
+ set(GLOG_ROOT_DIR "${CMAKE_BINARY_DIR}/third-party/glog")
+ set(GLOG_SOURCE_DIR "${CMAKE_SOURCE_DIR}/third-party/glog")
+ 
+-if(NOT APPLE)
+-  include(CheckIncludeFiles)
+-  unset(LIBUNWIND_FOUND CACHE)
+-  check_include_files("libunwind.h;unwind.h" LIBUNWIND_FOUND)
+-  if(LIBUNWIND_FOUND)
+-    unset(libglog_FOUND CACHE)
+-    execute_process(
+-      COMMAND rm -rf "${GLOG_ROOT_DIR}" "${CMAKE_BINARY_DIR}/libglog-prefix"
+-      ERROR_QUIET
+-    )
+-    message(WARNING "${Esc}[31mWarning: libunwind headers found [Issue #596], please: make deps\n${Esc}[m")
+-  endif()
+-endif()
+-
+ set(GLOG_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-deprecated-register -Wno-unnamed-type-template-args -Wno-deprecated -Wno-error")
+ 
+ INCLUDE(ExternalProject)
+@@ -31,8 +17,8 @@ ExternalProject_Add(
+     CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER}
+     CXXFLAGS=${GLOG_CXX_FLAGS}
+     --enable-frame-pointers --enable-shared=no --prefix=${GLOG_ROOT_DIR}
+-  BUILD_COMMAND make
+-  INSTALL_COMMAND make install
++  BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
++  INSTALL_COMMAND ${CMAKE_MAKE_PROGRAM} install
+   LOG_CONFIGURE ON
+   LOG_INSTALL ON
+   LOG_BUILD ON
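Review bot: The patch keeps building glog from the bundled copy (`GLOG_SOURCE_DIR` under `${CMAKE_SOURCE_DIR}/third-party/glog`, static, with its own CXXFLAGS) and needs six more third-party glog patches (L85–L90) to do so; a devel/glog port exists, and taking it via LIB_DEPENDS would let glog receive fixes through the ports tree instead of being frozen at whatever the third-party tarball pins. If the bundled copy is required (for example for `--enable-frame-pointers` or the `-Wno-error` flags), a comment in the patch saying so would stop the next maintainer from trying to unbundle it. Dropping the libunwind block is the right call for ports, not least because it ran `rm -rf` on build directories at configure time, but that rationale belongs in the patch header too.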

Added: head/sysutils/osquery/files/patch-Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-Makefile	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,53 @@
+--- Makefile.orig	2015-05-05 00:16:41 UTC
++++ Makefile
+@@ -1,8 +1,11 @@
+ PLATFORM := $(shell uname -s)
+ VERSION := $(shell git describe --tags HEAD --always)
+-MAKE = make
++SHELL := $(shell which bash)
+ 
+-SHELL := /bin/bash
++MAKE = make
++ifeq ($(PLATFORM),FreeBSD)
++	MAKE = gmake
++endif
+ 
+ DISTRO := $(shell . ./tools/lib.sh; _platform)
+ DISTRO_VERSION := $(shell . ./tools/lib.sh; _distro $(DISTRO))
+@@ -16,11 +19,11 @@ DEFINES := CTEST_OUTPUT_ON_FAILURE=1
+ .PHONY: docs build
+ 
+ all: .setup
+-	cd build/$(BUILD_DIR) && cmake ../.. && \
++	cd build/$(BUILD_DIR) && cmake ../../ && \
+ 		$(DEFINES) $(MAKE) --no-print-directory $(MAKEFLAGS)
+ 
+ docs: .setup
+-	cd build && cmake .. && \
++	cd build && cmake ../ && \
+ 		$(DEFINES) $(MAKE) docs --no-print-directory $(MAKEFLAGS)
+ 
+ debug: .setup
+@@ -74,6 +77,10 @@ test_debug_build:
+ deps: .setup
+ 	./tools/provision.sh build build/$(BUILD_DIR)
+ 
++clean: .setup
++	cd build/$(BUILD_DIR) && cmake ../../ && \
++		$(DEFINES) $(MAKE) clean --no-print-directory $(MAKEFLAGS)
++
+ distclean:
+ 	rm -rf .sources build/$(BUILD_DIR) build/debug_$(BUILD_DIR) build/docs
+ ifeq ($(PLATFORM),Linux)
+@@ -101,6 +108,10 @@ packages: .setup
+ 	cd build/$(BUILD_DIR) && PACKAGE=True cmake ../../ && \
+ 		$(DEFINES) $(MAKE) packages --no-print-directory $(MAKEFLAGS)
+ 
++sync: .setup
++	cd build/$(BUILD_DIR) && PACKAGE=True cmake ../../ && \
++		$(DEFINES) $(MAKE) sync --no-print-directory $(MAKEFLAGS)
++
+ %::
+-	cd build/$(BUILD_DIR) && cmake ../.. && \
++	cd build/$(BUILD_DIR) && cmake ../../ && \
+ 		$(DEFINES) $(MAKE) --no-print-directory $@
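Review bot: `SHELL := $(shell which bash)` (L525) silently evaluates to an empty string when bash is not in PATH, and GNU make then fails every recipe with an opaque error, whereas the original `/bin/bash` at least failed by name; `SHELL := $(shell command -v bash)` followed by `ifeq ($(SHELL),)` / `$(error bash is required)` / `endif` keeps the failure obvious. This top-level Makefile is not used by the port itself (`USES=cmake:outsource` drives CMake directly), so it matters mainly for developers building from source on FreeBSD. The new `sync` target copies `PACKAGE=True` from `packages`, which looks like a paste artefact rather than a requirement of `make sync`; if it is intentional a short comment would help.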

Added: head/sysutils/osquery/files/patch-include_osquery_core.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-include_osquery_core.h	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,15 @@
+--- include/osquery/core.h.orig	2015-05-05 00:16:41 UTC
++++ include/osquery/core.h
+@@ -30,7 +30,11 @@
+ // clang-format on
+ 
+ #ifndef __constructor__
+-#define __constructor__ __attribute__((constructor))
++#define __registry_constructor__ __attribute__((constructor(101)))
++#define __plugin_constructor__ __attribute__((constructor(102)))
++#else
++#define __registry_constructor__ __attribute__((__constructor__(101)))
++#define __plugin_constructor__ __attribute__((__constructor__(102)))
+ #endif
+ 
+ /// A configuration error is catastrophic and should exit the watcher.
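Review bot: The new `#else` branch (L587–L589) is reached only when `__constructor__` is already defined as a macro, and then the preprocessor expands `__constructor__(101)` inside the attribute before the compiler sees it, so the branch either never runs or produces a mangled attribute; the `#ifndef` guard made sense when it protected a single `#define __constructor__`, but it does not fit two new macros. Define them unconditionally, `#define __registry_constructor__ __attribute__((constructor(101)))` and `#define __plugin_constructor__ __attribute__((constructor(102)))`, each behind its own `#ifndef` if redefinition is a concern, and keep the original `#define __constructor__ __attribute__((constructor))` so any remaining users elsewhere in the tree still compile (this hunk cannot show whether any exist). A comment stating that 101 is the lowest user-available priority and runs before default-priority static initializers would also help, since that ordering is the whole reason for the change.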

Added: head/sysutils/osquery/files/patch-include_osquery_events.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-include_osquery_events.h	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,110 @@
+--- include/osquery/events.h.orig	2015-05-05 00:16:41 UTC
++++ include/osquery/events.h
+@@ -197,8 +197,8 @@ class EventPublisherPlugin : public Plug
+    * @brief Perform handle opening, OS API callback registration.
+    *
+    * `setUp` is the event framework's EventPublisher constructor equivalent.
+-   * When `setUp` is called the EventPublisher is running in a dedicated thread
+-   * and may manage/allocate/wait for resources.
++   * This is called in the main thread before the publisher's run loop has
++   * started, immediately following registration.
+    */
+   virtual Status setUp() { return Status(0, "Not used"); }
+ 
+@@ -206,17 +206,28 @@ class EventPublisherPlugin : public Plug
+    * @brief Perform handle closing, resource cleanup.
+    *
+    * osquery is about to end, the EventPublisher should close handle descriptors
+-   * unblock resources, and prepare to exit.
++   * unblock resources, and prepare to exit. This will be called from the main
++   * thread after the run loop thread has exited.
+    */
+   virtual void tearDown() {}
+ 
+   /**
+-   * @brief Implement a step of an optional run loop.
++   * @brief Implement a "step" of an optional run loop.
+    *
+    * @return A SUCCESS status will immediately call `run` again. A FAILED status
+    * will exit the run loop and the thread.
+    */
+-  virtual Status run() { return Status(1, "No runloop required"); }
++  virtual Status run() { return Status(1, "No run loop required"); }
++
++  /**
++   * @brief Allow the EventFactory to interrupt the run loop.
++   *
++   * Assume the main thread may ask the run loop to stop at anytime.
++   * Before end is called the publisher's `isEnding` is set and the EventFactory
++   * run loop manager will exit the stepping loop and fall through to a call
++   * to tearDown followed by a removal of the publisher.
++   */
++  virtual void end() {}
+ 
+   /**
+    * @brief A new EventSubscriber is subscriptioning events of this
+@@ -260,9 +271,16 @@ class EventPublisherPlugin : public Plug
+   /// Return a string identifier associated with this EventPublisher.
+   virtual EventPublisherID type() const { return "publisher"; }
+ 
++  /// Check if the EventFactory is ending all publisher threads.
+   bool isEnding() const { return ending_; }
++
++  /// Set the ending status for this publisher.
+   void isEnding(bool ending) { ending_ = ending; }
++
++  /// Check if the publisher's run loop has started.
+   bool hasStarted() const { return started_; }
++
++  /// Set the run or started status for this publisher.
+   void hasStarted(bool started) { started_ = started; }
+ 
+  protected:
+@@ -284,6 +302,7 @@ class EventPublisherPlugin : public Plug
+  private:
+   /// Set ending to True to cause event type run loops to finish.
+   bool ending_;
++
+   /// Set to indicate whether the event run loop ever started.
+   bool started_;
+ 
+@@ -661,11 +680,14 @@ class EventFactory : private boost::nonc
+   }
+ 
+   /**
+-   * @brief Halt the EventPublisher run loop and call its `tearDown`.
++   * @brief Halt the EventPublisher run loop.
+    *
+    * Any EventSubscriber%s with Subscription%s for this EventPublisher will
+    * become useless. osquery callers MUST deregister events.
+    * EventPublisher%s assume they can hook/trampoline, which requires cleanup.
++   * This will tear down and remove the publisher if the run loop did not start.
++   * Otherwise it will call end on the publisher and assume the run loop will
++   * tear down and remove.
+    *
+    * @param event_pub The string label for the EventPublisher.
+    *
+@@ -681,6 +703,8 @@ class EventFactory : private boost::nonc
+ 
+   /// Return an instance to a registered EventSubscriber.
+   static EventSubscriberRef getEventSubscriber(EventSubscriberID& sub);
++
++  /// Check if an event subscriber exists.
+   static bool exists(EventSubscriberID& sub);
+ 
+   static std::vector<std::string> publisherTypes();
+@@ -701,9 +725,12 @@ class EventFactory : private boost::nonc
+   }
+ 
+   /**
+-   * @brief End all EventPublisher run loops and call their `tearDown` methods.
++   * @brief End all EventPublisher run loops and deregister.
+    *
+-   * End is NOT the same as deregistration.
++   * End is NOT the same as deregistration. End will call deregister on all
++   * publishers then either join or detach their run loop threads.
++   * See EventFactory::deregisterEventPublisher for actions taken during
++   * deregistration.
+    *
+    * @param should_end Reset the "is ending" state if False.
+    */
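Review bot: The new documentation for `end()` (L635–L638) describes `isEnding` being set by the main thread while the publisher's run-loop thread polls it, but `ending_` (context line L664) and `started_` are plain `bool`s with no synchronization visible in this hunk; unless the factory serialises those accesses elsewhere, that is a data race and the compiler is free to hoist the `isEnding()` read out of the loop. Consider `std::atomic<bool>` for both flags, or state in the comment which lock guards them. This patch also reads like a backport of an upstream refactor rather than a FreeBSD-specific fix; ports convention is to name the upstream commit in the patch header so the next maintainer knows when it can be dropped.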

Added: head/sysutils/osquery/files/patch-include_osquery_flags.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-include_osquery_flags.h	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,14 @@
+--- include/osquery/flags.h.orig	2015-05-05 00:16:41 UTC
++++ include/osquery/flags.h
+@@ -19,7 +19,11 @@
+ 
+ #include <osquery/core.h>
+ 
++#ifdef FREEBSD
++#define GFLAGS_NAMESPACE gflags
++#elif !defined(GFLAGS_NAMESPACE)
+ #define GFLAGS_NAMESPACE google
++#endif
+ 
+ namespace boost {
+ /// We define a lexical_cast template for boolean for Gflags boolean string
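Review bot: `#ifdef FREEBSD` (L721) tests a C preprocessor macro, which is not the CMake variable that `-DFREEBSD=awesome` in the port Makefile or `set(FREEBSD TRUE)` in the CMakeLists patch define; nothing visible in this commit adds `-DFREEBSD` to the compiler flags, so as written this branch may never be taken and `GFLAGS_NAMESPACE` stays `google`. Rather than keying on the OS, test what the installed gflags provides: newer gflags releases define `GFLAGS_NAMESPACE` in their own headers, so `#ifndef GFLAGS_NAMESPACE` / `#define GFLAGS_NAMESPACE google` / `#endif` placed after the gflags include picks the right namespace on every platform. If the per-OS define is kept, please add a comment naming where `FREEBSD` is defined.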

Added: head/sysutils/osquery/files/patch-include_osquery_registry.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-include_osquery_registry.h	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,58 @@
+--- include/osquery/registry.h.orig	2015-05-05 00:16:41 UTC
++++ include/osquery/registry.h
+@@ -41,11 +41,11 @@ namespace osquery {
+  * @param type A typename that derives from Plugin.
+  * @param name A string identifier for the registry.
+  */
+-#define CREATE_REGISTRY(type, name)              \
+-  namespace registry {                           \
+-  __constructor__ static void type##Registry() { \
+-    Registry::create<type>(name);                \
+-  }                                              \
++#define CREATE_REGISTRY(type, name)                       \
++  namespace registry {                                    \
++  __registry_constructor__ static void type##Registry() { \
++    Registry::create<type>(name);                         \
++  }                                                       \
+   }
+ 
+ /**
+@@ -56,11 +56,11 @@ namespace osquery {
+  * @param type A typename that derives from Plugin.
+  * @param name A string identifier for the registry.
+  */
+-#define CREATE_LAZY_REGISTRY(type, name)         \
+-  namespace registry {                           \
+-  __constructor__ static void type##Registry() { \
+-    Registry::create<type>(name, true);          \
+-  }                                              \
++#define CREATE_LAZY_REGISTRY(type, name)                  \
++  namespace registry {                                    \
++  __registry_constructor__ static void type##Registry() { \
++    Registry::create<type>(name, true);                   \
++  }                                                       \
+   }
+ 
+ /**
+@@ -75,15 +75,15 @@ namespace osquery {
+  * @param registry The string name for the registry.
+  * @param name A string identifier for this registry item.
+  */
+-#define REGISTER(type, registry, name)               \
+-  __constructor__ static void type##RegistryItem() { \
+-    Registry::add<type>(registry, name);             \
++#define REGISTER(type, registry, name)                      \
++  __plugin_constructor__ static void type##RegistryItem() { \
++    Registry::add<type>(registry, name);                    \
+   }
+ 
+ /// The same as REGISTER but prevents the plugin item from being broadcasted.
+-#define REGISTER_INTERNAL(type, registry, name)      \
+-  __constructor__ static void type##RegistryItem() { \
+-    Registry::add<type>(registry, name, true);       \
++#define REGISTER_INTERNAL(type, registry, name)             \
++  __plugin_constructor__ static void type##RegistryItem() { \
++    Registry::add<type>(registry, name, true);              \
+   }
+ 
+ /**

Added: head/sysutils/osquery/files/patch-kernel_linux_.gitignore
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-kernel_linux_.gitignore	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,9 @@
+--- kernel/linux/.gitignore.orig	2015-05-05 00:16:41 UTC
++++ kernel/linux/.gitignore
+@@ -1,6 +0,0 @@
+-Module.symvers
+-modules.order
+-.tmp_versions*
+-*.cmd
+-*.mod.c
+-*.ko

Added: head/sysutils/osquery/files/patch-kernel_linux_Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-kernel_linux_Makefile	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,50 @@
+--- kernel/linux/Makefile.orig	2015-05-05 00:16:41 UTC
++++ kernel/linux/Makefile
+@@ -1,47 +0,0 @@
+-obj-m += camb.o
+-camb-objs += main.o sysfs.o hash.o
+-
+-# We need headers to build against a specific kernel version
+-ifndef KDIR
+-  KDIR = /lib/modules/$(shell uname -r)/build
+-#  @echo "Using default kernel directory: ${KDIR}"
+-endif
+-
+-# If user specifies a System.map, get addresses from there
+-ifdef SMAP
+-  OPTS += -DTEXT_SEGMENT_START="0x$(shell grep '\s\+T\s\+_stext\b' ${SMAP} | cut -f1 -d' ')"
+-  OPTS += -DTEXT_SEGMENT_END="0x$(shell grep '\s\+T\s\+_etext\b' ${SMAP} | cut -f1 -d' ')"
+-  OPTS += -DSYSCALL_BASE_ADDR="0x$(shell grep '\s\+R\s\+sys_call_table\b' ${SMAP} | cut -f1 -d' ')"
+-
+-# Otherwise, they must be present on the build line 
+-else
+-  OPTS += -DTEXT_SEGMENT_START="${TEXT_SEGMENT_START}"
+-  OPTS += -DTEXT_SEGMENT_END="${TEXT_SEGMENT_END}"
+-  OPTS += -DSYSCALL_BASE_ADDR="${SYSCALL_BASE_ADDR}"
+-endif
+-
+-ifdef HIDE_ME
+-  OPTS += -DHIDE_ME
+-  camb-objs += hide.o
+-endif
+-
+-all:
+-
+-ifndef SMAP
+-  ifndef TEXT_SEGMENT_START
+-		@echo "Missing parameter: TEXT_SEGMENT_START"
+-		@exit 1
+-  endif
+-
+-  ifndef TEXT_SEGMENT_END
+-		@echo "Missing parameter: TEXT_SEGMENT_END"
+-		@exit 1
+-  endif
+-
+-  ifndef SYSCALL_BASE_ADDR
+-		@echo "Missing parameter: SYSCALL_BASE_ADDR"
+-		@exit 1
+-  endif
+-endif
+-
+-	$(MAKE) -C $(KDIR) M=$(shell pwd) EXTRA_CFLAGS="${OPTS}" modules

Added: head/sysutils/osquery/files/patch-kernel_linux_hash.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-kernel_linux_hash.c	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,94 @@
+--- kernel/linux/hash.c.orig	2015-05-05 00:16:41 UTC
++++ kernel/linux/hash.c
+@@ -1,91 +0,0 @@
+-// Copyright 2004-present Facebook. All Rights Reserved.
+-
+-#include <linux/init.h>
+-#include <linux/kernel.h>
+-#include <linux/module.h>
+-
+-/* Crypto */
+-#include <linux/crypto.h>
+-#include <linux/err.h>
+-#include <linux/scatterlist.h>
+-#include <crypto/sha.h>
+-
+-#include "hash.h"
+-
+-unsigned char *kernel_text_hash(void) {
+-  return (unsigned char *) hash_data((void *) TEXT_SEGMENT_START,
+-                                     TEXT_SEGMENT_END - TEXT_SEGMENT_START);
+-}
+-
+-/**
+- * @brief Generic function for performing a SHA-1 hash of a memory range
+- *
+- * @param data - Beginning memory address to perform hash
+- * @param len - size in bytes of the address range to hash
+- *
+- * @return allocated buffer containing the hash string; or NULL upon error.
+- */
+-unsigned char *hash_data(const void *data, size_t len) {
+-  struct scatterlist sg;
+-  struct hash_desc desc;
+-  size_t out_len = SHA1_DIGEST_SIZE * 2 + 1;
+-  unsigned char hashtext[SHA1_DIGEST_SIZE];
+-  unsigned char *hashtext_out = kmalloc(out_len, GFP_KERNEL);
+-
+-  if (!hashtext_out) {
+-    printk(KERN_INFO "Could not allocate space for hash\n");
+-    return NULL;
+-  }
+-
+-  sg_init_one(&sg, data, len);
+-  desc.flags = 0;
+-  desc.tfm = crypto_alloc_hash("sha1", 0, CRYPTO_ALG_ASYNC);
+-
+-  crypto_hash_init(&desc);
+-  crypto_hash_update(&desc, &sg, sg.length);
+-  crypto_hash_final(&desc, hashtext);
+-
+-  snprintf(hashtext_out,
+-           out_len,
+-           "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
+-           "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
+-           hashtext[0], hashtext[1], hashtext[2], hashtext[3],
+-           hashtext[4], hashtext[5], hashtext[6], hashtext[7],
+-           hashtext[8], hashtext[9], hashtext[10], hashtext[11],
+-           hashtext[12], hashtext[13], hashtext[14], hashtext[15],
+-           hashtext[16], hashtext[17], hashtext[18], hashtext[19]
+-  );
+-
+-  if (desc.tfm) {
+-    crypto_free_hash(desc.tfm);
+-  }
+-
+-  return hashtext_out;
+-}
+-
+-/**
+- * @brief Callback for the sysfs object read. This happens when a file is
+- *        read(2) (or equivalent) from within sysfs. E.g. cat /sys/foo/bar will
+- *        call bar's *_show callback method.
+- *
+- * @param obj - reference to a kernel object within the sysfs filesystem
+- * @param attr - attribute of said kernel object
+- * @param buf - buffer that will be allocated and filled with the hash
+- *
+- * @return size in bytes of the hash string; or -1 upon error.
+- */
+-ssize_t text_segment_hash_show(struct kobject *obj,
+-                               struct attribute *attr,
+-                               char *buf) {
+-  ssize_t ret;
+-  char *hash = kernel_text_hash();
+-
+-  if (hash) {
+-    ret = scnprintf(buf, PAGE_SIZE, "%s\n", hash);
+-    kfree(hash);
+-  } else {
+-    ret = -1;
+-  }
+-
+-  return ret;
+-}

Added: head/sysutils/osquery/files/patch-kernel_linux_hash.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-kernel_linux_hash.h	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,7 @@
+--- kernel/linux/hash.h.orig	2015-05-05 00:16:41 UTC
++++ kernel/linux/hash.h
+@@ -1,4 +0,0 @@
+-// Copyright 2004-present Facebook. All Rights Reserved.
+-
+-unsigned char *kernel_text_hash(void);
+-unsigned char *hash_data(const void *, size_t);

Added: head/sysutils/osquery/files/patch-kernel_linux_hide.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-kernel_linux_hide.c	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,29 @@
+--- kernel/linux/hide.c.orig	2015-05-05 00:16:41 UTC
++++ kernel/linux/hide.c
+@@ -1,26 +0,0 @@
+-// Copyright 2004-present Facebook. All Rights Reserved.
+-
+-#include <linux/module.h>
+-
+-#include "hide.h"
+-
+-extern char *module_str;
+-
+-void rm_mod_from_list(void) {
+-  THIS_MODULE->list.next->prev = THIS_MODULE->list.prev;
+-  THIS_MODULE->list.prev->next = THIS_MODULE->list.next;
+-}
+-
+-void rm_mod_from_sysfs(void) {
+-  kobject_del(THIS_MODULE->holders_dir->parent);
+-}
+-
+-void rm_mod_from_ddebug_tables(void) {
+-  ddebug_remove_module(module_str);
+-}
+-
+-void hide_me(void) {
+-  rm_mod_from_list();
+-  rm_mod_from_sysfs();
+-  rm_mod_from_ddebug_tables();
+-}

Added: head/sysutils/osquery/files/patch-kernel_linux_hide.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-kernel_linux_hide.h	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,9 @@
+--- kernel/linux/hide.h.orig	2015-05-05 00:16:41 UTC
++++ kernel/linux/hide.h
+@@ -1,6 +0,0 @@
+-// Copyright 2004-present Facebook. All Rights Reserved.
+-
+-void rm_mod_from_list(void);
+-void rm_mod_from_sysfs(void);
+-void rm_mod_from_ddebug_tables(void);
+-void hide_me(void);

Added: head/sysutils/osquery/files/patch-kernel_linux_main.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-kernel_linux_main.c	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,99 @@
+--- kernel/linux/main.c.orig	2015-05-05 00:16:41 UTC
++++ kernel/linux/main.c
+@@ -1,96 +0,0 @@
+-// Copyright 2004-present Facebook. All Rights Reserved.
+-
+-#include <linux/init.h>
+-#include <linux/kernel.h>
+-#include <linux/module.h>
+-#include <linux/file.h>
+-#include <linux/fdtable.h>
+-#include <linux/dcache.h>
+-#include <linux/syscalls.h>
+-#include <linux/fs.h>
+-#include <linux/fcntl.h>
+-#include <linux/slab.h>
+-#include <linux/mutex.h>
+-#include <linux/kallsyms.h>
+-#include <linux/sched.h>
+-#include <linux/dirent.h>
+-#include <linux/reboot.h>
+-#include <linux/notifier.h>
+-#include <linux/kobject.h>
+-#include <asm/syscall.h>
+-
+-#include "sysfs.h"
+-#include "hash.h"
+-#ifdef HIDE_ME
+-  #include "hide.h"
+-#endif
+-
+-extern struct kobject *camb_kobj;
+-char *module_str = "camb";
+-
+-static unsigned long **syscall_table = (unsigned long **) SYSCALL_BASE_ADDR;
+-static unsigned long *syscall_table_copy[NR_syscalls];
+-
+-/* Allow writes to executable memory pages */
+-void en_mem_wr(void) {
+-  write_cr0(read_cr0() & (~0x10000));
+-}
+-
+-/* Disallow writes to executable memory pages */
+-void dis_mem_wr(void) {
+-  write_cr0(read_cr0() | 0x10000);
+-}
+-
+-int syscall_addr_modified_show(struct kobject *obj,
+-                               struct attribute *attr,
+-                               char *buf) {
+-  unsigned int i = -1, mod = 0, ret;
+-
+-  while(++i < NR_syscalls)
+-    if (syscall_table[i] != syscall_table_copy[i])
+-      mod = 1;
+-  ret = scnprintf(buf, PAGE_SIZE, "%d\n", mod);
+-
+-  return ret;
+-}
+-
+-/* Copy the system call pointer table  */
+-void grab_syscall_table(void) {
+-  unsigned int i;
+-  for (i = 0; i < NR_syscalls; i++)
+-    syscall_table_copy[i] = syscall_table[i];
+-}
+-
+-static int __init camb_init(void) {
+-  printk(KERN_INFO "[%s] init\n", module_str);
+-
+-  if (expose_sysfs()) {
+-    printk(KERN_ERR "Cannot expose self to sysfs\n");
+-    return -1;
+-  }
+-
+-  /* Hide the fact that we're monitoring the system for tampering */
+-#ifdef HIDE_ME
+-  hide_me();
+-#endif
+-
+-  grab_syscall_table();
+-
+-  return 0;
+-}
+-
+-static void __exit camb_exit(void) {
+-  printk(KERN_INFO "[%s] exit\n", module_str);
+-
+-  if (camb_kobj) {
+-    kobject_put(camb_kobj);
+-  }
+-
+-}
+-
+-module_init(camb_init);
+-module_exit(camb_exit);
+-
+-MODULE_LICENSE("GPL");
+-MODULE_AUTHOR("@unixist");
+-MODULE_DESCRIPTION("Detect kernel tampering");

Added: head/sysutils/osquery/files/patch-kernel_linux_sysfs.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/osquery/files/patch-kernel_linux_sysfs.c	Sun May 10 15:19:11 2015	(r385963)
@@ -0,0 +1,52 @@
+--- kernel/linux/sysfs.c.orig	2015-05-05 00:16:41 UTC
++++ kernel/linux/sysfs.c
+@@ -1,49 +0,0 @@
+-// Copyright 2004-present Facebook. All Rights Reserved.
+-
+-#include <linux/sysfs.h>
+-#include <linux/kobject.h>
+-#include <linux/module.h>
+-#include <linux/slab.h>
+-
+-#include "hash.h"
+-#include "sysfs.h"
+-
+-struct kobject *camb_kobj;
+-
+-extern ssize_t syscall_addr_modified_show(struct kobject *obj,
+-                                          struct attribute *attr,
+-                                          char *buf);
+-extern ssize_t text_segment_hash_show(struct kobject *obj,
+-                                      struct attribute *attr,
+-                                      char *buf);
+-
+-struct kobj_attribute attr_syscall_addr_modified =

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


