Robin Powell
09/23/2021, 10:15 PM
select * from augeas where path LIKE '/etc/hosts%';
returns a bunch of stuff but in >=5.0 it's going to return nothing.
ASSERT_EQ(
SQL("select * from augeas where path LIKE '/etc/hosts/%'").rows().size(),
0U);
match /files/etc/hosts/*
, which totally works and does not return zero results.
seph
Robin Powell
09/23/2021, 11:43 PM
seph
match /files/*
and let sqlite filter the output. This presented two issues. The bigger issue was that there was no way to access things outside the files tree. (eg, /augeas).
Second, and smaller, was that the "return everything" approach just feels wrong to me. I think practically speaking the performance was okay, but it feels like there are dragons about. I'd usually rather call underlying APIs narrowly.
`*` is a single level, and `//*` is recursive. But in sql, wildcards are simple strings
`/` is treated.
/etc/hosts/% is converted to `/files/etc/hosts/%`. So augeas returns data. But sql filters it. (because the augeas return is missing that trailing slash)
• /etc/host% is converted to /files/etc/hosts* which augeas has no matches for, because it's a weird postfix search.
• /etc/host%% is converted to /files/etc/hosts/* which is a full recursion return, and it will get passed back through the sql filter
path
I don't think it's very meaningful to wildcard a file. Wildcarding a directory is more meaningful.
Compare select * from augeas where path LIKE '/etc/%';
and select * from augeas where path LIKE '/etc/%%';
Robin Powell
09/24/2021, 3:49 PM
/etc/hosts/% is converted to `/files/etc/hosts/%`.
^^ Why doesn't that get converted to /filles/etc/hosts/*? Like, not "why did you make that decision?" but "where in the code does that happen?".
(because the augeas return is missing that trailing slash)
^^ I didn't follow that part at all.
This seems reasonable but we should mark it as an API change due to change with queries like select * from augeas where path LIKE '/etc/hosts%'; do I correctly understand that that query currently returns stuff (which I just checked) but it won't in 5.0 because it gets converted to match /files/etc/hosts*, where before this would full-scan and have SQL apply the LIKE filtering?
seph
> /etc/hosts/% is converted to `/files/etc/hosts/%`.
> ^^ Why doesn't that get converted to /filles/etc/hosts/*? Like, not "why did you make that decision?" but "where in the code does that happen?"
Typo, I mean to /files/etc/hosts/*
And all the conversion is in patternsFromOsquery
https://github.com/osquery/osquery/blob/master/osquery/tables/system/posix/augeas.cpp#L156
% and %% akin to the existing file pattern as single wild card, vs recursive. Thus breaking a couple of places
path like '/etc/hosts/%, it would map to /files/etc/hosts/*'
might work. (don't remember). But the data that the table implementation returns would be path: /etc/hosts which won't match the sql expression.