I m writing a Mac app in Swift When I try running osqueryi f osquery #general

I'm writing a Mac app in Swift. When I try running...

Altaf

09/19/2022, 3:49 AM

I'm writing a Mac app in Swift. When I try running osqueryi from within this app, by calling:

/bin/bash -c '/usr/local/bin/osqueryi --json "select * from uptime"'

I get this error: /bin/bash /usr/local/bin/osqueryi: Operation not permitted exit code 126 But when I run the exact same thing on the same Mac from the terminal, it works as expected. Any pointers ?

sharvil

09/19/2022, 5:34 AM

@Altaf That sounds like a bash exit code — does osqueryi have executable permissions?

seph

09/19/2022, 1:23 PM

Why are you using bash there?

Altaf

09/19/2022, 1:51 PM

@sharvil yes, osqueryi has permissions, that's why when I run the exact same thing on the same MAc from the terminal, it works as expected

Mike Myers

09/19/2022, 4:01 PM

Why are you using bash there?

I'm guessing someone is subprocessing

osqueryi

to use it in their product

seph

09/19/2022, 4:04 PM

But why have bash in the exec? Ignoring whether it’s a good idea, just invoke osqueryi

🤷‍♂️ 1

Altaf

09/20/2022, 4:29 AM

@seph I tried without bash, ie. I invoked a process with launchpath = '/usr/local/bin/osqueryi' with a command line query using --json, and this is the error: exception caught Error Domain=NSCocoaErrorDomain Code=4 "The file “osqueryd” doesn’t exist." UserInfo={NSFilePath=/usr/local/bin/osqueryi}

seph

09/22/2022, 5:59 PM

/usr/local/bin/osqueryi

a symlink?

seph

09/22/2022, 5:59 PM

Instead of

osqueryi

can you invoked

osqueryd -S

Altaf

09/22/2022, 6:01 PM

@seph yes, it's a symlink like this: /usr/local/bin/osqueryi -> /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd

seph

09/22/2022, 6:02 PM

This seems like some oddness in how your environment execs stuff, I don’t know much about it

seph

09/22/2022, 6:02 PM

Sorry

Altaf

09/22/2022, 6:04 PM

no worries @seph. can you tell me if osqueryd daemon can be invoked from within a Mac app ?

seph

09/22/2022, 6:04 PM

I don’t know any reason it can’t be. But I’d have said the same about osqueryi. 🙂

sharvil

09/22/2022, 6:06 PM

just spitballing here: might be worth trying the full path instead of symlink

/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd -S --json "select * from uptime"

the other thing I can think of if you are using Xcode (again not too familiar with it myself), maybe try turning the hardened-runtime and sandbox thingies off in the build target..?

sharvil

09/22/2022, 6:09 PM

the other thing to try would be using some of the swift apis, something like

let path = URL(fileURLWithPath: "/usr/local/bin/osqueryi")

and then calling

Process.run(path, args,…)

Altaf

09/22/2022, 6:10 PM

Just turned off sandbox and hardened runtime, and issued what you mentioned in your previous commend. This is what I get now: /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd: /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd: cannot execute binary file termination status 126

sharvil

09/22/2022, 6:16 PM

hmm..sorry, I am not sure what else is going on..

Mike Myers

09/23/2022, 3:27 AM

I would test this out launching a simple

hello world

executable first. I think this is a Swift programming question or API call quirk

this 1

Altaf

09/23/2022, 6:24 PM

Thanks @Mike Myers I figured out the issue and resolved it. I just had to use Process object with launchPath = '/usr/local/bin/osqueryi' and pass it parameters

👌 1

6 Views

Open in Slack

Previous Next