Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ATC tables - Registry call after adding the plugins to the registry #8320

Closed
wants to merge 1 commit into from
Closed

ATC tables - Registry call after adding the plugins to the registry #8320

wants to merge 1 commit into from

Conversation

Micah-Kolide
Copy link
Contributor

@Micah-Kolide Micah-Kolide commented Apr 29, 2024
edited

It seems there was a slight bug introduced in #8233 where the atc table isn't created after being successfully registered:

I0429 13:56:57.628793 -251938112 init.cpp:413] osquery initialized [version=5.11.0-16-g47af2b035-dirty]
I0429 13:56:58.012014 -251938112 auto_constructed_tables.cpp:241] ATC table: atc_test Registered
osquery> SELECT * FROM atc_test LIMIT 1;
+-----------------------------------+-----------------------------------------------------------------------+
| service                           | path                                                                  |
+-----------------------------------+-----------------------------------------------------------------------+
| kTCCServiceAccessibility          | /System/Volumes/Data/Library/Application Support/com.apple.TCC/TCC.db |
+-----------------------------------+-----------------------------------------------------------------------+

I0429 13:54:13.307732 -251938112 init.cpp:413] osquery initialized [version=5.11.0-17-gc5145f0bf-dirty]
I0429 13:54:13.667146 -251938112 auto_constructed_tables.cpp:233] ATC table: atc_test Registered
osquery> SELECT * FROM atc_test LIMIT 1;
Error: no such table: atc_test

I'm still learning osquery's registry code, but this seems to be because of the Registry::call, when it reaches the point to get the plugin, it isn't there since the call was placed before the Registry::add and fails.

After moving the Registry::call back to after the Registry::add:

I0429 14:44:11.254305 -251938112 init.cpp:413] osquery initialized [version=5.12.1-2-gf298485c9-dirty]
I0429 14:44:11.635435 -251938112 auto_constructed_tables.cpp:230] ATC table: atc_test Registered
osquery> SELECT * FROM atc_test LIMIT 1;
+-----------------------------------+-----------------------------------------------------------------------+
| service                           | path                                                                  |
+-----------------------------------+-----------------------------------------------------------------------+
| kTCCServiceAccessibility          | /System/Volumes/Data/Library/Application Support/com.apple.TCC/TCC.db |
+-----------------------------------+-----------------------------------------------------------------------+

@Micah-Kolide Micah-Kolide requested review from a team as code owners April 29, 2024 21:53
@Micah-Kolide Micah-Kolide changed the title ATC tables - Only call the active plugin after it's added to the registry ATC tables - Registry call after adding the plugins to the registry Apr 29, 2024
@Micah-Kolide
Copy link
Contributor Author

Micah-Kolide commented Apr 29, 2024
edited

I believe I've misunderstood the root cause, so I'm closing this to research further. The problem seems to only occur when loading both an external extension and the atc tables.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@Micah-Kolide