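/*
 * eventCallback
 *
 * Reads one batch of kernel event messages from the socket `so` and
 * dispatches each message by vendor code and event class.
 *
 * Returns FALSE when recv() fails (the error is logged).  Returns TRUE
 * otherwise, after the cache has been written and the network-changed
 * notification posted, even if the batch was cut short by a truncated
 * or malformed message.
 *
 * Each message's self-declared total_size drives the walk through the
 * receive buffer, so it is validated before anything else in the
 * message is read:
 *   - a full fixed header must lie inside the received bytes,
 *   - total_size must cover at least that header (a zero or tiny value
 *     would otherwise stall or misalign the walk),
 *   - total_size must not run past the received bytes.
 */
static Boolean
eventCallback(int so)
{
	union {
		char			bytes[1024];
		struct kern_event_msg	ev_msg1;	// first kernel event
	} buf;
	struct kern_event_msg	*ev_msg		= &buf.ev_msg1;
	size_t			offset		= 0;
	size_t			received;
	ssize_t			status;

	status = recv(so, &buf, sizeof(buf), 0);
	if (status == -1) {
		SCLog(TRUE, LOG_ERR, CFSTR("recv() failed: %s"), strerror(errno));
		return FALSE;
	}
	received = (size_t)status;	// non-negative here, at most sizeof(buf)

	cache_open();

	while (offset < received) {
		size_t	remaining	= received - offset;

		/* the header must be fully present before total_size is trusted */
		if (remaining < KEV_MSG_HEADER_SIZE) {
			SCLog(TRUE, LOG_NOTICE, CFSTR("missed SYSPROTO_EVENT event, buffer not big enough"));
			break;
		}

		/* a size smaller than the header can never advance the walk safely */
		if (ev_msg->total_size < KEV_MSG_HEADER_SIZE) {
			SCLog(TRUE, LOG_NOTICE, CFSTR("invalid SYSPROTO_EVENT event, bad total_size"));
			break;
		}

		/* compared in size_t, so a huge total_size cannot wrap the sum */
		if (ev_msg->total_size > remaining) {
			SCLog(TRUE, LOG_NOTICE, CFSTR("missed SYSPROTO_EVENT event, buffer not big enough"));
			break;
		}

		switch (ev_msg->vendor_code) {
			case KEV_VENDOR_APPLE :
				switch (ev_msg->kev_class) {
					case KEV_NETWORK_CLASS :
						processEvent_Apple_Network(ev_msg);
						break;
					case KEV_IOKIT_CLASS :
					case KEV_SYSTEM_CLASS :
					case KEV_APPLESHARE_CLASS :
					case KEV_FIREWALL_CLASS :
					case KEV_IEEE80211_CLASS :
						/* known classes that are deliberately ignored */
						break;
					default :
						/* unrecognized (Apple) event class */
						logEvent(CFSTR("New (Apple) class"), ev_msg);
						break;
				}
				break;
			default :
				/* unrecognized vendor code */
				logEvent(CFSTR("New vendor"), ev_msg);
				break;
		}

		/*
		 * NOTE(review): the next message is addressed at an arbitrary byte
		 * offset; this assumes total_size keeps messages suitably aligned
		 * for struct kern_event_msg -- confirm.
		 */
		offset += ev_msg->total_size;
		ev_msg = (struct kern_event_msg *)(void *)&buf.bytes[offset];
	}

	cache_write(store);
	cache_close();
	post_network_changed();

	return TRUE;
}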
/*
 * prime_KernelEventMonitor
 *
 * Takes an initial snapshot of the interfaces reported by getifaddrs():
 * link_add() is called for every AF_LINK entry, then the IPv4 and IPv6
 * address updates are run over the whole list.  Whether or not the
 * snapshot succeeds, the cache is written and closed, network_changed
 * is set, and the network-changed notification is posted.
 */
__private_extern__
void
prime_KernelEventMonitor()
{
	struct ifaddrs	*if_list	= NULL;
	int		fd;

	SCLog(_verbose, LOG_DEBUG, CFSTR("prime() called"));

	cache_open();

	/*
	 * The descriptor is not passed to any call in this function; a
	 * failure to create it still skips the interface walk below.
	 */
	fd = dgram_socket(AF_INET);
	if (fd == -1) {
		SCLog(TRUE, LOG_ERR, CFSTR("could not get interface list, socket() failed: %s"), strerror(errno));
	} else if (getifaddrs(&if_list) == -1) {
		SCLog(TRUE, LOG_ERR, CFSTR("could not get interface info, getifaddrs() failed: %s"), strerror(errno));
	} else {
		struct ifaddrs	*ifa;

		/* update list of interfaces & link status */
		for (ifa = if_list; ifa != NULL; ifa = ifa->ifa_next) {
			if ((ifa->ifa_addr != NULL) &&
			    (ifa->ifa_addr->sa_family == AF_LINK)) {
				/* get the per-interface link/media information */
				link_add(ifa->ifa_name);
			}
		}

		/* update IPv4 network addresses already assigned to the interfaces */
		interface_update_ipv4(if_list, NULL);

		/* update IPv6 network addresses already assigned to the interfaces */
		interface_update_ipv6(if_list, NULL);

		freeifaddrs(if_list);
	}

	if (fd != -1) {
		close(fd);
	}

	/* always flush and announce, even when the snapshot was skipped */
	cache_write(store);
	cache_close();

	network_changed = TRUE;
	post_network_changed();
}
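/*
 * eventCallback
 *
 * CFSocket callback: reads one batch of kernel event messages from the
 * native socket behind `s` and dispatches each message by vendor code
 * and event class.  The `type`, `address`, `data` and `info` arguments
 * are not used.
 *
 * If recv() fails, the error is logged, the monitor is reported as
 * disabled and the CFSocket is invalidated.
 *
 * Each message's self-declared total_size drives the walk through the
 * receive buffer, so it is validated before anything else in the
 * message is read:
 *   - a full fixed header must lie inside the received bytes,
 *   - total_size must cover at least that header (a zero or tiny value
 *     would otherwise stall or misalign the walk),
 *   - total_size must not run past the received bytes.  The comparison
 *     is made in size_t; adding an unsigned 32-bit total_size to an int
 *     offset could wrap and let an oversized message through.
 */
static void
eventCallback(CFSocketRef s, CFSocketCallBackType type, CFDataRef address, const void *data, void *info)
{
	int			so		= CFSocketGetNative(s);
	union {
		char			bytes[1024];
		struct kern_event_msg	ev_msg1;	// first kernel event
	} buf;
	struct kern_event_msg	*ev_msg		= &buf.ev_msg1;
	size_t			offset		= 0;
	size_t			received;
	ssize_t			status;

	status = recv(so, &buf, sizeof(buf), 0);
	if (status == -1) {
		SCLog(TRUE, LOG_ERR, CFSTR("recv() failed: %s"), strerror(errno));
		goto error;
	}
	received = (size_t)status;	// non-negative here, at most sizeof(buf)

	cache_open();

	while (offset < received) {
		size_t	remaining	= received - offset;

		/* the header must be fully present before total_size is trusted */
		if (remaining < KEV_MSG_HEADER_SIZE) {
			SCLog(TRUE, LOG_NOTICE, CFSTR("missed SYSPROTO_EVENT event, buffer not big enough"));
			break;
		}

		/* a size smaller than the header can never advance the walk safely */
		if (ev_msg->total_size < KEV_MSG_HEADER_SIZE) {
			SCLog(TRUE, LOG_NOTICE, CFSTR("invalid SYSPROTO_EVENT event, bad total_size"));
			break;
		}

		if (ev_msg->total_size > remaining) {
			SCLog(TRUE, LOG_NOTICE, CFSTR("missed SYSPROTO_EVENT event, buffer not big enough"));
			break;
		}

		switch (ev_msg->vendor_code) {
			case KEV_VENDOR_APPLE :
				switch (ev_msg->kev_class) {
					case KEV_NETWORK_CLASS :
						processEvent_Apple_Network(ev_msg);
						break;
					case KEV_IOKIT_CLASS :
					case KEV_SYSTEM_CLASS :
					case KEV_APPLESHARE_CLASS :
					case KEV_FIREWALL_CLASS :
					case KEV_IEEE80211_CLASS :
						/* known classes that are deliberately ignored */
						break;
					default :
						/* unrecognized (Apple) event class */
						logEvent(CFSTR("New (Apple) class"), ev_msg);
						break;
				}
				break;
			default :
				/* unrecognized vendor code */
				logEvent(CFSTR("New vendor"), ev_msg);
				break;
		}

		/*
		 * NOTE(review): the next message is addressed at an arbitrary byte
		 * offset; this assumes total_size keeps messages suitably aligned
		 * for struct kern_event_msg -- confirm.
		 */
		offset += ev_msg->total_size;
		ev_msg = (struct kern_event_msg *)(void *)&buf.bytes[offset];
	}

	cache_write(store);
	cache_close();
	post_network_changed();

	return;

    error :

	/* a failed read ends monitoring: the socket is invalidated */
	SCLog(TRUE, LOG_ERR, CFSTR("kernel event monitor disabled."));
	CFSocketInvalidate(s);
	return;
}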