Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
Altaf
09/19/2022, 3:49 AMI'm writing a Mac app in Swift. When I try running osqueryi from within this app, by calling:
/bin/bash -c '/usr/local/bin/osqueryi --json "select * from uptime"'s
sharvil
09/19/2022, 5:34 AM@Altaf That sounds like a bash exit code — does osqueryi have executable permissions?
s
seph
09/19/2022, 1:23 PMWhy are you using bash there?
a
Altaf
09/19/2022, 1:51 PM@sharvil yes, osqueryi has permissions, that's why when I run the exact same thing on the same MAc from the terminal, it works as expected
m
Mike Myers
09/19/2022, 4:01 PMWhy are you using bash there?I'm guessing someone is subprocessing
osqueryis
seph
09/19/2022, 4:04 PMBut why have bash in the exec? Ignoring whether it’s a good idea, just invoke osqueryi
a
Altaf
09/20/2022, 4:29 AM@seph
I tried without bash, ie. I invoked a process with launchpath = '/usr/local/bin/osqueryi' with a command line query using --json, and this is the error:
exception caught Error Domain=NSCocoaErrorDomain Code=4 "The file “osqueryd” doesn’t exist." UserInfo={NSFilePath=/usr/local/bin/osqueryi}
s
seph
09/22/2022, 5:59 PMIs
/usr/local/bin/osqueryiInstead of
osqueryiosqueryd -Sa
Altaf
09/22/2022, 6:01 PM@seph yes, it's a symlink like this:
/usr/local/bin/osqueryi -> /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd
s
seph
09/22/2022, 6:02 PMThis seems like some oddness in how your environment execs stuff, I don’t know much about it
Sorry
a
Altaf
09/22/2022, 6:04 PMno worries @seph. can you tell me if osqueryd daemon can be invoked from within a Mac app ?
s
seph
09/22/2022, 6:04 PMI don’t know any reason it can’t be. But I’d have said the same about osqueryi. 🙂
s
sharvil
09/22/2022, 6:06 PMjust spitballing here: might be worth trying the full path instead of symlink
/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd -S --json "select * from uptime"the other thing to try would be using some of the swift apis, something like
let path = URL(fileURLWithPath: "/usr/local/bin/osqueryi")Process.run(path, args,…)a
Altaf
09/22/2022, 6:10 PMJust turned off sandbox and hardened runtime, and issued what you mentioned in your previous commend. This is what I get now:
/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd: /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd: cannot execute binary file
termination status 126
s
sharvil
09/22/2022, 6:16 PMhmm..sorry, I am not sure what else is going on..
m
Mike Myers
09/23/2022, 3:27 AMI would test this out launching a simple
hello worlda
Altaf
09/23/2022, 6:24 PMThanks @Mike Myers I figured out the issue and resolved it. I just had to use Process object with launchPath = '/usr/local/bin/osqueryi' and pass it parameters