#general

Altaf

09/19/2022, 3:49 AM
I'm writing a Mac app in Swift. When I try running osqueryi from within this app, by calling:
/bin/bash -c '/usr/local/bin/osqueryi --json "select * from uptime"'
I get this error:
/bin/bash /usr/local/bin/osqueryi: Operation not permitted exit code 126
But when I run the exact same thing on the same Mac from the terminal, it works as expected. Any pointers?

sharvil

09/19/2022, 5:34 AM
@Altaf That sounds like a bash exit code — does osqueryi have executable permissions?

seph

09/19/2022, 1:23 PM
Why are you using bash there?

Altaf

09/19/2022, 1:51 PM
@sharvil yes, osqueryi has permissions, that's why when I run the exact same thing on the same Mac from the terminal, it works as expected.

Mike Myers

09/19/2022, 4:01 PM
Why are you using bash there?
I'm guessing someone is subprocessing osqueryi to use it in their product

seph

09/19/2022, 4:04 PM
But why have bash in the exec? Ignoring whether it’s a good idea, just invoke osqueryi

Altaf

09/20/2022, 4:29 AM
@seph I tried without bash, i.e. I invoked a process with launchpath = '/usr/local/bin/osqueryi' with a command line query using --json, and this is the error:
exception caught Error Domain=NSCocoaErrorDomain Code=4 "The file “osqueryd” doesn’t exist." UserInfo={NSFilePath=/usr/local/bin/osqueryi}

seph

09/22/2022, 5:59 PM
Is /usr/local/bin/osqueryi a symlink?
5:59 PM
Instead of osqueryi can you invoke osqueryd -S?

Altaf

09/22/2022, 6:01 PM
@seph yes, it's a symlink like this: /usr/local/bin/osqueryi -> /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd

seph

09/22/2022, 6:02 PM
This seems like some oddness in how your environment execs stuff, I don’t know much about it
6:02 PM
Sorry

Altaf

09/22/2022, 6:04 PM
No worries @seph. Can you tell me if the osqueryd daemon can be invoked from within a Mac app?

seph

09/22/2022, 6:04 PM
I don’t know any reason it can’t be. But I’d have said the same about osqueryi. 🙂

sharvil

09/22/2022, 6:06 PM
just spitballing here: might be worth trying the full path instead of symlink
/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd -S --json "select * from uptime"
the other thing I can think of if you are using Xcode (again not too familiar with it myself), maybe try turning the hardened-runtime and sandbox thingies off in the build target..?
6:09 PM
the other thing to try would be using some of the swift apis, something like
let path = URL(fileURLWithPath: "/usr/local/bin/osqueryi")
and then calling
Process.run(path, args,…)

Altaf

09/22/2022, 6:10 PM
Just turned off sandbox and hardened runtime, and issued what you mentioned in your previous comment. This is what I get now:
/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd: /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd: cannot execute binary file termination status 126

sharvil

09/22/2022, 6:16 PM
hmm..sorry, I am not sure what else is going on..

Mike Myers

09/23/2022, 3:27 AM
I would test this out launching a simple hello world executable first. I think this is a Swift programming question or API call quirk

Altaf

09/23/2022, 6:24 PM
Thanks @Mike Myers, I figured out the issue and resolved it. I just had to use a Process object with launchPath = '/usr/local/bin/osqueryi' and pass it parameters.