kern_return_t OsqueryStop(kmod_info_t *ki, void *d) {
dbg_printf("Kernel module stopping!\n");
// Only stop if there are no connected daemons.
lck_mtx_lock(osquery.mtx);
if (osquery.open_count > 0) {
lck_mtx_unlock(osquery.mtx);
return KERN_FAILURE;
}
// Stop sharing the queue and remove queue locks.
// This will potentially block as heuristics are applied to make sure the
// queue is no longer is use.
if (osquery_cqueue_teardown(&osquery.cqueue)) {
lck_mtx_unlock(osquery.mtx);
return KERN_FAILURE;
}
// Remove the device node.
devfs_remove(osquery.devfs);
osquery.devfs = NULL;
// Tear down the device node data.
if (cdevsw_remove(osquery.major_number, &osquery_cdevsw) < 0) {
panic("osquery kext: Cannot remove osquery from cdevsw");
}
// Deallocate the IOCTL and kernel API locks.
lck_mtx_unlock(osquery.mtx);
teardown_locks();
return KERN_SUCCESS;
}
kern_return_t OsqueryStop(kmod_info_t *ki, void *d) {
dbg_printf("Kernel module stoping!\n");
lck_mtx_lock(osquery.mtx);
if (osquery.open_count > 0) {
lck_mtx_unlock(osquery.mtx);
return KERN_FAILURE;
}
if (osquery_cqueue_teardown(&osquery.cqueue)) {
lck_mtx_unlock(osquery.mtx);
return KERN_FAILURE;
}
devfs_remove(osquery.devfs);
osquery.devfs = NULL;
if (cdevsw_remove(osquery.major_number, &osquery_cdevsw) < 0) {
panic("osquery kext: Cannot remove osquery from cdevsw");
}
lck_mtx_unlock(osquery.mtx);
teardown_locks();
return KERN_SUCCESS;
}
kern_return_t OsqueryStart(kmod_info_t *ki, void *d) {
dbg_printf("Kernel module starting!\n");
// Restart the queue and setup queue locks.
// This does not allocate, share, or set the queue buffer or buffer values.
osquery_cqueue_setup(&osquery.cqueue);
// Initialize the IOCTL (and more) device node.
osquery.major_number = cdevsw_add(osquery.major_number, &osquery_cdevsw);
if (osquery.major_number < 0) {
dbg_printf("Could not get a major number!\n");
goto error_exit;
}
// Create the IOCTL (and more) device node.
osquery.devfs = devfs_make_node(makedev(osquery.major_number, 0),
DEVFS_CHAR,
UID_ROOT,
GID_WHEEL,
0600,
"osquery",
0);
if (osquery.devfs == NULL) {
dbg_printf("Could not get a devfs entry!\n");
goto error_exit;
}
// Set up the IOCTL and kernel API locks (not queue locks).
setup_locks();
return KERN_SUCCESS;
error_exit:
// Upon error, remove the device node if it was allocated.
if (osquery.devfs != NULL) {
devfs_remove(osquery.devfs);
osquery.devfs = NULL;
}
// Tear down device node data.
if (!(osquery.major_number < 0)) {
if (cdevsw_remove(osquery.major_number, &osquery_cdevsw) < 0) {
panic("osquery kext: Cannot remove osquery from cdevsw");
}
}
// Reset the queue and remove the queue locks.
osquery_cqueue_teardown(&osquery.cqueue);
return KERN_FAILURE;
}
kern_return_t OsqueryStart(kmod_info_t *ki, void *d) {
dbg_printf("Kernel module starting!\n");
osquery_cqueue_setup(&osquery.cqueue);
osquery.major_number = cdevsw_add(osquery.major_number, &osquery_cdevsw);
if (osquery.major_number < 0) {
dbg_printf("Could not get a major number!\n");
goto error_exit;
}
osquery.devfs = devfs_make_node(makedev(osquery.major_number, 0),
DEVFS_CHAR, UID_ROOT, GID_WHEEL,
0644, "osquery", 0);
if (osquery.devfs == NULL) {
dbg_printf("Could not get a devfs entry!\n");
goto error_exit;
}
setup_locks();
return KERN_SUCCESS;
error_exit:
if (osquery.devfs != NULL) {
devfs_remove(osquery.devfs);
osquery.devfs = NULL;
}
if (!(osquery.major_number < 0)) {
if (cdevsw_remove(osquery.major_number, &osquery_cdevsw) < 0) {
panic("osquery kext: Cannot remove osquery from cdevsw");
}
}
osquery_cqueue_teardown(&osquery.cqueue);
return KERN_FAILURE;
}