void genFDEStatusForBSDName(const std::string& bsd_name,
const std::string& uuid,
QueryData& results) {
auto matching_dict =
IOBSDNameMatching(kIOMasterPortDefault, kNilOptions, bsd_name.c_str());
if (matching_dict == nullptr) {
CFRelease(matching_dict);
return;
}
auto service =
IOServiceGetMatchingService(kIOMasterPortDefault, matching_dict);
if (!service) {
IOObjectRelease(service);
return;
}
CFMutableDictionaryRef properties;
IORegistryEntryCreateCFProperties(
service, &properties, kCFAllocatorDefault, kNilOptions);
Row r;
r["name"] = kDeviceNamePrefix + bsd_name;
r["uuid"] = uuid;
auto encrypted = getIOKitProperty(properties, kCoreStorageIsEncryptedKey_);
r["encrypted"] = (encrypted.empty()) ? "0" : encrypted;
r["type"] = (r.at("encrypted") == "1") ? kEncryptionType : std::string();
results.push_back(r);
CFRelease(properties);
IOObjectRelease(service);
}
void genPCIDevice(const io_service_t& device, QueryData& results) {
Row r;
// Get the device details
CFMutableDictionaryRef details;
IORegistryEntryCreateCFProperties(
device, &details, kCFAllocatorDefault, kNilOptions);
r["pci_slot"] = getIOKitProperty(details, "pcidebug");
std::vector<std::string> properties;
auto compatible = getIOKitProperty(details, "compatible");
boost::trim(compatible);
boost::split(properties, compatible, boost::is_any_of(" "));
if (properties.size() < 2) {
VLOG(1) << "Error parsing IOKit compatible properties";
return;
}
size_t prop_index = 0;
if (properties[1].find("pci") == 0 && properties[1].find("pciclass") != 0) {
// There are two sets of PCI definitions.
prop_index = 1;
} else if (properties[0].find("pci") != 0) {
VLOG(1) << "No vendor/model found";
return;
}
std::vector<std::string> vendor;
boost::split(vendor, properties[prop_index++], boost::is_any_of(","));
r["vendor_id"] = vendor[0].substr(3);
r["model_id"] = (vendor[1].size() == 3) ? "0" + vendor[1] : vendor[1];
if (properties[prop_index].find("pciclass") == 0) {
// There is a class definition.
r["pci_class"] = properties[prop_index++].substr(9);
}
if (properties.size() > prop_index) {
// There is a driver/ID.
r["driver"] = properties[prop_index];
}
results.push_back(r);
CFRelease(details);
}
void genPCIDevice(const io_service_t& device, QueryData& results) {
Row r;
// Get the device details
CFMutableDictionaryRef details;
IORegistryEntryCreateCFProperties(
device, &details, kCFAllocatorDefault, kNilOptions);
r["pci_slot"] = getIOKitProperty(details, "pcidebug");
auto compatible = getIOKitProperty(details, "compatible");
auto properties = IOKitPCIProperties(compatible);
r["vendor_id"] = properties.vendor_id;
r["model_id"] = properties.model_id;
r["pci_class"] = properties.pci_class;
r["driver"] = properties.driver;
results.push_back(r);
CFRelease(details);
}
QueryData genPlatformInfo(QueryContext& context) {
auto rom = IORegistryEntryFromPath(kIOMasterPortDefault, "IODeviceTree:/rom");
if (rom == 0) {
return {};
}
CFMutableDictionaryRef details = nullptr;
IORegistryEntryCreateCFProperties(
rom, &details, kCFAllocatorDefault, kNilOptions);
IOObjectRelease(rom);
// Success is determined by the details dictionary existence.
if (details == nullptr) {
return {};
}
Row r;
r["vendor"] = getIOKitProperty(details, "vendor");
r["volume_size"] = getIOKitProperty(details, "fv-main-size");
r["size"] = getIOKitProperty(details, "rom-size");
r["date"] = getIOKitProperty(details, "release-date");
r["version"] = getIOKitProperty(details, "version");
{
auto address = getIOKitProperty(details, "fv-main-address");
auto value = boost::lexical_cast<size_t>(address);
std::stringstream hex_id;
hex_id << std::hex << std::setw(8) << std::setfill('0') << value;
r["address"] = "0x" + hex_id.str();
}
{
std::vector<std::string> extra_items;
auto info = getIOKitProperty(details, "apple-rom-info");
std::vector<std::string> info_lines;
iter_split(info_lines, info, boost::algorithm::first_finder("%0a"));
for (const auto& line : info_lines) {
std::vector<std::string> details;
iter_split(details, line, boost::algorithm::first_finder(": "));
if (details.size() > 1) {
boost::trim(details[1]);
if (details[0].find("Revision") != std::string::npos) {
r["revision"] = details[1];
}
extra_items.push_back(details[1]);
}
}
r["extra"] = osquery::join(extra_items, "; ");
}
CFRelease(details);
return {r};
}
void genFDEStatusForBSDName(const std::string& bsd_name,
const std::string& uuid,
QueryData& results) {
auto matching_dict =
IOBSDNameMatching(kIOMasterPortDefault, kNilOptions, bsd_name.c_str());
if (matching_dict == nullptr) {
return;
}
auto service =
IOServiceGetMatchingService(kIOMasterPortDefault, matching_dict);
if (!service) {
return;
}
CFMutableDictionaryRef properties;
if (IORegistryEntryCreateCFProperties(
service, &properties, kCFAllocatorDefault, kNilOptions) !=
KERN_SUCCESS) {
IOObjectRelease(service);
return;
}
Row r;
r["name"] = kDeviceNamePrefix + bsd_name;
r["uuid"] = uuid;
auto encrypted = getIOKitProperty(properties, kCoreStorageIsEncryptedKey_);
if (encrypted.empty()) {
r["encrypted"] = "0";
} else {
r["encrypted"] = encrypted;
id_t uid;
uuid_string_t uuid_string = {0};
if (genUid(uid, uuid_string).ok()) {
r["uid"] = BIGINT(uid);
r["user_uuid"] = TEXT(uuid_string);
}
}
r["type"] = (r.at("encrypted") == "1") ? kEncryptionType : std::string();
results.push_back(r);
CFRelease(properties);
IOObjectRelease(service);
}
void IOKitEventPublisher::newEvent(const io_service_t& device,
IOKitEventContext::Action action) {
auto ec = createEventContext();
ec->action = action;
{
// The IORegistry name is not needed.
io_name_t class_name = {0};
if (IOObjectGetClass(device, class_name) != kIOReturnSuccess) {
return;
}
ec->type = std::string(class_name);
}
// Get the device details
CFMutableDictionaryRef details;
IORegistryEntryCreateCFProperties(
device, &details, kCFAllocatorDefault, kNilOptions);
if (ec->type == kIOUSBDeviceClassName_) {
ec->path = getIOKitProperty(details, "USB Address") + ":";
ec->path += getIOKitProperty(details, "PortNum");
ec->model = getIOKitProperty(details, "USB Product Name");
ec->model_id = getIOKitProperty(details, "idProduct");
ec->vendor = getIOKitProperty(details, "USB Vendor Name");
ec->vendor_id = getIOKitProperty(details, "idVendor");
idToHex(ec->vendor_id);
idToHex(ec->model_id);
ec->serial = getIOKitProperty(details, "USB Serial Number");
if (ec->serial.size() == 0) {
ec->serial = getIOKitProperty(details, "iSerialNumber");
}
ec->version = "";
ec->driver = getIOKitProperty(details, "IOUserClientClass");
} else if (ec->type == kIOPCIDeviceClassName_) {
auto compatible = getIOKitProperty(details, "compatible");
auto properties = IOKitPCIProperties(compatible);
ec->model_id = properties.model_id;
ec->vendor_id = properties.vendor_id;
ec->driver = properties.driver;
if (ec->driver.empty()) {
ec->driver = getIOKitProperty(details, "IOName");
}
ec->path = getIOKitProperty(details, "pcidebug");
ec->version = getIOKitProperty(details, "revision-id");
ec->model = getIOKitProperty(details, "model");
} else {
// Get the name as the model.
io_name_t name = {0};
IORegistryEntryGetName(device, name);
if (name[0] != 0) {
ec->model = std::string(name);
}
}
CFRelease(details);
fire(ec);
}
void genIOMediaDevice(const io_service_t& device,
std::vector<std::string>& whole_devices,
QueryData& results) {
Row r;
// Get the device properties
CFMutableDictionaryRef properties;
IORegistryEntryCreateCFProperties(
device, &properties, kCFAllocatorDefault, kNilOptions);
r["uuid"] = getIOKitProperty(properties, "UUID");
r["name"] = "/dev/" + getIOKitProperty(properties, "BSD Name");
r["size"] = getIOKitProperty(properties, "Size");
auto type = getIOKitProperty(properties, "Whole");
if (type == "1") {
// The "Whole" property applies to the entire disk entry, not partitions.
whole_devices.push_back(r["name"]);
} else {
// Otherwise search the list of whole disks to find the node parent.
for (const auto& parent : whole_devices) {
if (r.at("name").find(parent) == 0) {
r["parent"] = parent;
}
}
}
// This is the IOKit name, which is the device's label.
io_name_t name;
auto kr = IORegistryEntryGetName(device, name);
if (kr == KERN_SUCCESS && (char*)name != nullptr) {
r["label"] = std::string(name);
}
// Remaining details come from the Disk Arbitration service.
DASessionRef session = DASessionCreate(kCFAllocatorDefault);
CFDictionaryRef details;
if (session != nullptr) {
auto disk = DADiskCreateFromIOMedia(kCFAllocatorDefault, session, device);
if (disk != nullptr) {
details = DADiskCopyDescription(disk);
if (details != nullptr) {
r["vendor"] =
getIOKitProperty((CFMutableDictionaryRef)details, "DADeviceVendor");
r["model"] =
getIOKitProperty((CFMutableDictionaryRef)details, "DADeviceModel");
r["type"] = getIOKitProperty((CFMutableDictionaryRef)details,
"DADeviceProtocol");
CFRelease(details);
}
CFRelease(disk);
}
CFRelease(session);
}
results.push_back(r);
CFRelease(properties);
}
