Channels
#core
Title
# core
s
seph
11/21/2019, 7:32 PM
I don’t think I’ve seen anything yet (not to say there isn’t). But I’d probably go the route of whomping the registry.
p
packetzero
11/21/2019, 7:49 PMNot a bad idea
s
seph
11/21/2019, 7:50 PM
I’ve been playing with trying to suppress table registration. But having some unclear issue. I should push that code and get help
p
packetzero
11/21/2019, 8:38 PMDefinitely. Send me a link and I’ll take a look tonight
s
seph
11/21/2019, 8:43 PM
I’m playing with https://github.com/osquery/osquery/compare/master...directionless:seph/table-suppression-for-testing (It’s got a lot of random notes for my tracing)
The trouble I’m having is in https://github.com/directionless/osquery/blob/dd5585f1fa9cfd17a090cf11483cb636d825a8a8/osquery/registry/registry_interface.cpp#L384-L416
That if block is being parsed. But the flag value appear incorrect. It’s always the default. I don’t really understand how flags are supposed to work
s
Stefano Bonicatti
11/21/2019, 9:56 PMthose functions are running during global initialization afaik
which means that main() didn't even started yet
tables registers during global init
s
seph
11/21/2019, 9:58 PM
s
Stefano Bonicatti
11/21/2019, 10:05 PMSorry, what is the question?
this is what I was talking about
which starts from using the REGISTER macro
in global space
s
seph
11/21/2019, 10:07 PM
Right — I found that via the REGISTER macro.
But I may not understand something in c here.
What causes this code to get run? And where does flag prsing happen
s
Stefano Bonicatti
11/21/2019, 10:10 PMglobal init is causing it to run, and the first lines of code I copied are declaring a constructor that gets called by the REGISTER macro, which is constructing an object in global scope in a variable named kclassname
so for the audit case is kAuditEventPublisher
s
seph
11/21/2019, 10:11 PM
I did not think that code ran in the proprocess stage? It creates those
kAuditEventPublisherWhat is “global init” ?
Maybe I’m being misled by the bit in init.cpp:
Copy code
// Initialize registries and plugins
registryAndPluginInit();s
Stefano Bonicatti
11/21/2019, 10:14 PMglobal initialization or static initialization is a phase of variable initialization that "runs as soon as the program starts"
but before main() is being called
compilers insert special code to do so
it's something given by the language
s
seph
11/21/2019, 10:15 PM
Ah. this is maybe a c++ thing I haven’t seen before?
s
Stefano Bonicatti
11/21/2019, 10:16 PMwell, it's not only in C++
s
seph
11/21/2019, 10:16 PM
Sure.
But if we do all the table registration in the global init phase, then there’s probably no clean way in.
I guess I could make this:
• a build time option
• an environmental variable switch
• change registration ordering
• add a de-register function
s
Stefano Bonicatti
11/21/2019, 10:18 PMwell yeah, to be fair it would've been nicer if the only thing that happens in global init is collecting functions that can initialize something, more than actually initializing anything.
That been said yes, they get initialized anyway but in theory you could make them unreachable by removing them later from the registry
s
seph
11/21/2019, 10:19 PM
Moving it out of global init seems nice, but also a deeper change than I think I can do quickly.
s
Stefano Bonicatti
11/21/2019, 10:20 PMah sure; just saying that global init is a bit finicky, especially in the init and deinit order (which is "unknown")
s
seph
11/21/2019, 10:20 PM
Yeah.
Okay, maybe I’ll look at making a de-register function.
Thank you for walking me through some of this.
Having actual code, but that’s running in an init phase is new to me
s
Stefano Bonicatti
11/21/2019, 10:22 PMYeah, it's a "trick" that uses class constructors as functions to do things.. since initializing a variable, if that variable is a C++ class, means constructing it.
And well, with C++ it's also easy enough to have code that runs at compile time with constexpr so..
2 Views