https://github.com/osquery/osquery logo
Join Slack
Powered by
I don’t think I’ve seen anything yet (not to say t...
# core
s
I don’t think I’ve seen anything yet (not to say there isn’t). But I’d probably go the route of whomping the registry.
p
Not a bad idea
s
I’ve been playing with trying to suppress table registration. But having some unclear issue. I should push that code and get help
p
Definitely. Send me a link and I’ll take a look tonight
s
I’m playing with https://github.com/osquery/osquery/compare/master...directionless:seph/table-suppression-for-testing (It’s got a lot of random notes for my tracing)
The trouble I’m having is in https://github.com/directionless/osquery/blob/dd5585f1fa9cfd17a090cf11483cb636d825a8a8/osquery/registry/registry_interface.cpp#L384-L416 That if block is being parsed. But the flag value appear incorrect. It’s always the default. I don’t really understand how flags are supposed to work
s
those functions are running during global initialization afaik
which means that main() didn't even started yet
tables registers during global init
s
s
Sorry, what is the question?
this is what I was talking about
which starts from using the REGISTER macro
in global space
s
Right — I found that via the REGISTER macro.
But I may not understand something in c here.
What causes this code to get run? And where does flag prsing happen
s
global init is causing it to run, and the first lines of code I copied are declaring a constructor that gets called by the REGISTER macro, which is constructing an object in global scope in a variable named kclassname
so for the audit case is kAuditEventPublisher
s
I did not think that code ran in the proprocess stage? It creates those 
kAuditEventPublisher
blobs, right?
What is “global init” ?
Maybe I’m being misled by the bit in init.cpp:
Copy code
// Initialize registries and plugins
  registryAndPluginInit();
Is that not where it happens?
s
global initialization or static initialization is a phase of variable initialization that "runs as soon as the program starts"
but before main() is being called
compilers insert special code to do so
it's something given by the language
s
Ah. this is maybe a c++ thing I haven’t seen before?
s
well, it's not only in C++
s
Sure.
But if we do all the table registration in the global init phase, then there’s probably no clean way in.
I guess I could make this: • a build time option • an environmental variable switch • change registration ordering • add a de-register function
s
well yeah, to be fair it would've been nicer if the only thing that happens in global init is collecting functions that can initialize something, more than actually initializing anything. That been said yes, they get initialized anyway but in theory you could make them unreachable by removing them later from the registry
s
Moving it out of global init seems nice, but also a deeper change than I think I can do quickly.
s
ah sure; just saying that global init is a bit finicky, especially in the init and deinit order (which is "unknown")
s
Yeah.
Okay, maybe I’ll look at making a de-register function.
Thank you for walking me through some of this.
Having actual code, but that’s running in an init phase is new to me
s
Yeah, it's a "trick" that uses class constructors as functions to do things.. since initializing a variable, if that variable is a C++ class, means constructing it.
And well, with C++ it's also easy enough to have code that runs at compile time with constexpr so..
2 Views
Open in Slack
PreviousNext
Powered by