/// <summary>
/// Starts listening for reports from the kernel extension on a dedicated thread.
/// </summary>
/// <param name="address">Address of the kernel-extension report queue; passed straight to the native listener.</param>
/// <param name="port">Port of the report queue; passed straight to the native listener.</param>
/// <exception cref="BuildXLException">
/// Thrown from inside the callback when the native queue reports an error code other than
/// Sandbox.ReportQueueSuccessCode (root cause MissingRuntimeDependency).
/// </exception>
private void StartReceivingAccessReports(ulong address, uint port)
{
    // NOTE(review): the delegate is rooted only by this local. If the native listener keeps the
    // function pointer after ListenForFileAccessReports returns, the delegate must be kept alive
    // elsewhere (e.g. a field) or it can be garbage-collected - confirm against the native side.
    Sandbox.AccessReportCallback onReport = (Sandbox.AccessReport report, int code) =>
    {
        if (code != Sandbox.ReportQueueSuccessCode)
        {
            throw new BuildXLException(
                "Kernel extension report queue failed with error: " + code,
                ExceptionRootCause.MissingRuntimeDependency);
        }

        // Liveness bookkeeping: wall-clock time of the last report and the native enqueue time it carried.
        Volatile.Write(ref m_lastReportReceivedTimestampTicks, DateTime.UtcNow.Ticks);
        Volatile.Write(ref m_reportQueueLastEnqueueTime, report.Statistics.EnqueueTime);

        // A PipId with no registered process means the pip was explicitly terminated
        // (timeout, Ctrl-C); such reports are dropped.
        if (!m_pipProcesses.TryGetValue(report.PipId, out var pipProcess))
        {
            return;
        }

        // The report must originate from the pip's root process. On a mismatch the failure
        // callback is notified and the report is dropped rather than attributed to the wrong pip.
        if (pipProcess.ProcessId != report.RootPid)
        {
            m_failureCallback?.Invoke(-1, $"Unexpected PID for Pip {report.PipId:X}: Expected {pipProcess.ProcessId}, Reported {report.RootPid}");
            return;
        }

        pipProcess.PostAccessReport(report);
    };

    Sandbox.ListenForFileAccessReports(onReport, Marshal.SizeOf<Sandbox.AccessReport>(), address, port);
}
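/// <summary>
/// Initializes the ES sandbox: connects this process to the EndpointSecurity sandbox, applies the
/// native debug/release configuration, and registers the access-report callback.
/// </summary>
/// <param name="isInTestMode">Stored in IsInTestMode; not otherwise read by the constructor.</param>
/// <param name="measureCpuTimes">Stored in MeasureCpuTimes; not otherwise read by the constructor.</param>
/// <exception cref="BuildXLException">
/// Thrown when the native connection reports an error. Also thrown from inside the registered callback
/// when event delivery fails (root cause MissingRuntimeDependency) or when a report's root PID does not
/// match the process registered for its pip (root cause FailFast).
/// </exception>
public SandboxConnectionES(bool isInTestMode = false, bool measureCpuTimes = false)
{
    m_reportQueueLastEnqueueTime = 0;
    m_esConnectionInfo = new Sandbox.ESConnectionInfo() { Error = Sandbox.SandboxSuccess };
    MeasureCpuTimes = measureCpuTimes;
    IsInTestMode = isInTestMode;

    // Only the PID is needed; dispose the Process wrapper instead of leaving it to the finalizer.
    int currentProcessId;
    using (var currentProcess = System.Diagnostics.Process.GetCurrentProcess())
    {
        currentProcessId = currentProcess.Id;
    }

    Sandbox.InitializeEndpointSecuritySandbox(ref m_esConnectionInfo, currentProcessId);
    if (m_esConnectionInfo.Error != Sandbox.SandboxSuccess)
    {
        throw new BuildXLException($@"Unable to connect to EndpointSecurity sandbox (Code: {m_esConnectionInfo.Error})");
    }

#if DEBUG
    ProcessUtilities.SetNativeConfiguration(true);
#else
    ProcessUtilities.SetNativeConfiguration(false);
#endif

    // Held in a field rather than a local so the delegate handed to native code stays rooted
    // for as long as the sandbox is connected (ReleaseResources clears it after deinitialization).
    m_AccessReportCallback = (Sandbox.AccessReport report, int code) =>
    {
        if (code != Sandbox.ReportQueueSuccessCode)
        {
            throw new BuildXLException(
                "EndpointSecurity event delivery failed with error: " + code,
                ExceptionRootCause.MissingRuntimeDependency);
        }

        // Stamp the dequeue time next to the native EnqueueTime; presumably used for queue-latency accounting.
        report.Statistics.DequeueTime = Sandbox.GetMachAbsoluteTime();

        // Liveness bookkeeping: wall-clock time of the last report and the enqueue time it carried.
        Volatile.Write(ref m_lastReportReceivedTimestampTicks, DateTime.UtcNow.Ticks);
        Volatile.Write(ref m_reportQueueLastEnqueueTime, report.Statistics.EnqueueTime);

        // A PipId with no registered process means the pip was explicitly terminated
        // (timeout, Ctrl-C); such reports are dropped.
        if (!m_pipProcesses.TryGetValue(report.PipId, out var pipProcess))
        {
            return;
        }

        // The report must originate from the pip's root process. A mismatch means file accesses
        // could not be attributed reliably, so the run is torn down (FailFast) instead of continuing.
        if (pipProcess.ProcessId != report.RootPid)
        {
            throw new BuildXLException(
                "The process id from the lookup did not match the file access report process id",
                ExceptionRootCause.FailFast);
        }

        pipProcess.PostAccessReport(report);
    };

    Sandbox.ObserverFileAccessReports(ref m_esConnectionInfo, m_AccessReportCallback, Marshal.SizeOf<Sandbox.AccessReport>());
}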
/// <summary>
/// Starts listening for reports from the kernel extension on a dedicated thread.
/// </summary>
/// <param name="address">Address of the kernel-extension report queue; passed straight to the native listener.</param>
/// <param name="port">Port of the report queue; passed straight to the native listener.</param>
/// <exception cref="BuildXLException">
/// Thrown from inside the callback when the native queue reports an error (root cause
/// MissingRuntimeDependency), or when a report's root PID does not match the process registered for its pip.
/// </exception>
private void StartReceivingAccessReports(ulong address, uint port)
{
    // Handles a single report delivered by the native listener.
    void HandleReport(Sandbox.AccessReport report, int code)
    {
        if (code != Sandbox.ReportQueueSuccessCode)
        {
            throw new BuildXLException(
                "Kernel extension report queue failed with error: " + code,
                ExceptionRootCause.MissingRuntimeDependency);
        }

        // A PipId with no registered process means the pip was explicitly terminated
        // (timeout, Ctrl-C); such reports are dropped.
        if (!m_pipProcesses.TryGetValue(report.PipId, out var pipProcess))
        {
            return;
        }

        // The report must originate from the pip's root process; a mismatched report is never
        // posted to the pip, it is treated as fatal.
        if (pipProcess.ProcessId != report.RootPid)
        {
            throw new BuildXLException($"Unexpected PID for Pip {report.PipId:X}: Expected {pipProcess.ProcessId}, Reported {report.RootPid}");
        }

        pipProcess.PostAccessReport(report);
    }

    // NOTE(review): the delegate is rooted only by this local; if the native listener keeps the
    // function pointer after ListenForFileAccessReports returns it can be garbage-collected - confirm.
    // Exceptions thrown from a callback invoked by native code are also not catchable by the native
    // caller; confirm how the listener thread handles them.
    Sandbox.AccessReportCallback onReport = HandleReport;
    Sandbox.ListenForFileAccessReports(onReport, address, port);
}
/// <summary>
/// Starts listening for reports from the EndpointSecurity sandbox.
/// </summary>
/// <exception cref="BuildXLException">
/// Thrown from inside the callback when event delivery fails (root cause MissingRuntimeDependency)
/// or when a report's root PID does not match the process registered for its pip (root cause FailFast).
/// </exception>
private void StartReceivingAccessReports()
{
    // NOTE(review): the delegate is rooted only by this local. If the native observer keeps the
    // function pointer after ObserverFileAccessReports returns, it must be kept alive elsewhere
    // (e.g. a field) or it can be garbage-collected - confirm against the native side.
    Sandbox.AccessReportCallback onReport = (Sandbox.AccessReport report, int code) =>
    {
        if (code != Sandbox.ReportQueueSuccessCode)
        {
            throw new BuildXLException(
                "EndpointSecurity event delivery failed with error: " + code,
                ExceptionRootCause.MissingRuntimeDependency);
        }

        // Stamp the dequeue time next to the native EnqueueTime; presumably used for queue-latency accounting.
        report.Statistics.DequeueTime = Sandbox.GetMachAbsoluteTime();

        // Liveness bookkeeping: wall-clock time of the last report and the enqueue time it carried.
        Volatile.Write(ref m_lastReportReceivedTimestampTicks, DateTime.UtcNow.Ticks);
        Volatile.Write(ref m_reportQueueLastEnqueueTime, report.Statistics.EnqueueTime);

        // A PipId with no registered process means the pip was explicitly terminated
        // (timeout, Ctrl-C); such reports are dropped.
        if (!m_pipProcesses.TryGetValue(report.PipId, out var pipProcess))
        {
            return;
        }

        // The report must originate from the pip's root process. A mismatch means file accesses
        // could not be attributed reliably, so the run is torn down (FailFast) instead of continuing.
        if (pipProcess.ProcessId != report.RootPid)
        {
            throw new BuildXLException(
                "The process id from the lookup did not match the file access report process id",
                ExceptionRootCause.FailFast);
        }

        pipProcess.PostAccessReport(report);
    };

    Sandbox.ObserverFileAccessReports(ref m_esConnectionInfo, onReport, Marshal.SizeOf<Sandbox.AccessReport>());
}
/// <summary>
/// Releases all resources and cleans up the interop instance too.
/// </summary>
/// <remarks>
/// The native sandbox is torn down first; only then is the managed callback reference dropped,
/// so the delegate stays rooted for as long as native code could still call into it.
/// Not guarded against repeated calls - the native side is deinitialized on every invocation.
/// </remarks>
public void ReleaseResources()
{
    // Native side first ...
    Sandbox.DeinitializeSandbox();

    // ... then release our reference to the delegate handed to it.
    m_AccessReportCallback = null;
}
/// <summary>
/// Releases all resources and cleans up the interop instance too.
/// </summary>
/// <remarks>
/// The EndpointSecurity connection is deinitialized first; only then is the managed callback
/// reference dropped, so the delegate stays rooted for as long as native code could still call into it.
/// Not guarded against repeated calls - the native side is deinitialized on every invocation.
/// </remarks>
public void ReleaseResources()
{
    // Native side first ...
    Sandbox.DeinitializeEndpointSecuritySandbox(m_esConnectionInfo);

    // ... then release our reference to the delegate handed to it.
    m_AccessReportCallback = null;
}