/// <summary>
        /// Starts listening for reports from the kernel extension on a dedicated thread.
        /// </summary>
        /// <param name="address">Opaque address handed through unchanged to the native listener.</param>
        /// <param name="port">Opaque port handed through unchanged to the native listener.</param>
        /// <exception cref="BuildXLException">
        /// Raised inside the report callback when the native report queue delivers a code other than
        /// <see cref="Sandbox.ReportQueueSuccessCode"/>; carries <c>ExceptionRootCause.MissingRuntimeDependency</c>.
        /// </exception>
        private void StartReceivingAccessReports(ulong address, uint port)
        {
            // NOTE(review): the delegate lives in a local; if the native side retains the function
            // pointer after this call returns, something else must keep it alive — confirm against interop.
            Sandbox.AccessReportCallback onReport = delegate (Sandbox.AccessReport report, int code)
            {
                if (code != Sandbox.ReportQueueSuccessCode)
                {
                    throw new BuildXLException(
                        "Kernel extension report queue failed with error: " + code,
                        ExceptionRootCause.MissingRuntimeDependency);
                }

                // Liveness bookkeeping: wall-clock time of the last report and the newest native enqueue time.
                Volatile.Write(ref m_lastReportReceivedTimestampTicks, DateTime.UtcNow.Ticks);
                Volatile.Write(ref m_reportQueueLastEnqueueTime, report.Statistics.EnqueueTime);

                // No tracked process for 'report.PipId' means that pip was explicitly terminated
                // (timeout, Ctrl-C); such reports are dropped on the floor.
                if (!m_pipProcesses.TryGetValue(report.PipId, out var tracked))
                {
                    return;
                }

                // Attribution check: the report is only forwarded when its root PID is the process we
                // track for this pip. A mismatch is surfaced through the failure callback (if any) and
                // the report is not forwarded.
                if (tracked.ProcessId == report.RootPid)
                {
                    tracked.PostAccessReport(report);
                }
                else
                {
                    m_failureCallback?.Invoke(-1, $"Unexpected PID for Pip {report.PipId:X}: Expected {tracked.ProcessId}, Reported {report.RootPid}");
                }
            };

            Sandbox.ListenForFileAccessReports(onReport, Marshal.SizeOf<Sandbox.AccessReport>(), address, port);
        }
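        /// <summary>
        /// Initializes the ES sandbox: connects to the EndpointSecurity sandbox for the current
        /// process, applies the native debug/release configuration and registers the access report
        /// callback.
        /// </summary>
        /// <param name="isInTestMode">Stored in <c>IsInTestMode</c>; not otherwise consulted here.</param>
        /// <param name="measureCpuTimes">Stored in <c>MeasureCpuTimes</c>; not otherwise consulted here.</param>
        /// <exception cref="BuildXLException">
        /// Thrown when the native initialization leaves <c>m_esConnectionInfo.Error</c> at anything
        /// other than <see cref="Sandbox.SandboxSuccess"/>. Also raised inside the report callback
        /// (with <c>ExceptionRootCause.MissingRuntimeDependency</c>) on a delivery error code, and
        /// (with <c>ExceptionRootCause.FailFast</c>) when a report's root PID does not match the
        /// process tracked for its pip.
        /// </exception>
        public SandboxConnectionES(bool isInTestMode = false, bool measureCpuTimes = false)
        {
            m_reportQueueLastEnqueueTime = 0;
            m_esConnectionInfo           = new Sandbox.ESConnectionInfo()
            {
                Error = Sandbox.SandboxSuccess
            };

            MeasureCpuTimes = measureCpuTimes;
            IsInTestMode    = isInTestMode;

            // Process is IDisposable (it wraps a process handle); only the Id is needed, so release it
            // as soon as the native side has been handed the PID.
            using (var process = System.Diagnostics.Process.GetCurrentProcess())
            {
                Sandbox.InitializeEndpointSecuritySandbox(ref m_esConnectionInfo, process.Id);
            }

            if (m_esConnectionInfo.Error != Sandbox.SandboxSuccess)
            {
                throw new BuildXLException($@"Unable to connect to EndpointSecurity sandbox (Code: {m_esConnectionInfo.Error})");
            }

#if DEBUG
            ProcessUtilities.SetNativeConfiguration(true);
#else
            ProcessUtilities.SetNativeConfiguration(false);
#endif

            // The callback is kept in a field rather than a local — presumably so the delegate stays
            // reachable for as long as the native side may invoke it; confirm against the interop layer.
            m_AccessReportCallback = (Sandbox.AccessReport report, int code) =>
            {
                if (code != Sandbox.ReportQueueSuccessCode)
                {
                    var message = "EndpointSecurity event delivery failed with error: " + code;
                    throw new BuildXLException(message, ExceptionRootCause.MissingRuntimeDependency);
                }

                // Stamp the access report with a dequeue timestamp
                report.Statistics.DequeueTime = Sandbox.GetMachAbsoluteTime();

                // Liveness bookkeeping: wall-clock time of the last report and the newest native enqueue time
                Volatile.Write(ref m_lastReportReceivedTimestampTicks, DateTime.UtcNow.Ticks);
                Volatile.Write(ref m_reportQueueLastEnqueueTime, report.Statistics.EnqueueTime);

                // The only way it can happen that no process is found for 'report.PipId' is when that pip is
                // explicitly terminated (e.g., because it timed out or Ctrl-c was pressed); the report is dropped.
                if (m_pipProcesses.TryGetValue(report.PipId, out var process))
                {
                    // Attribution check: a report is only forwarded to the pip's process when the report's
                    // RootPid is the ProcessId we track for that pip. A mismatch is treated as fatal here.
                    if (process.ProcessId != report.RootPid)
                    {
                        throw new BuildXLException("The process id from the lookup did not match the file access report process id", ExceptionRootCause.FailFast);
                    }
                    else
                    {
                        process.PostAccessReport(report);
                    }
                }
            };

            Sandbox.ObserverFileAccessReports(ref m_esConnectionInfo, m_AccessReportCallback, Marshal.SizeOf <Sandbox.AccessReport>());
        }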
        /// <summary>
        /// Starts listening for reports from the kernel extension on a dedicated thread.
        /// </summary>
        /// <param name="address">Opaque address handed through unchanged to the native listener.</param>
        /// <param name="port">Opaque port handed through unchanged to the native listener.</param>
        /// <exception cref="BuildXLException">
        /// Raised inside the report callback when the native report queue delivers a code other than
        /// <see cref="Sandbox.ReportQueueSuccessCode"/>, and when a report's root PID is not the
        /// process tracked for its pip.
        /// </exception>
        private void StartReceivingAccessReports(ulong address, uint port)
        {
            // NOTE(review): the delegate lives in a local; if the native side retains the function
            // pointer after this call returns, something else must keep it alive — confirm against interop.
            Sandbox.AccessReportCallback onReport = delegate (Sandbox.AccessReport report, int code)
            {
                if (code != Sandbox.ReportQueueSuccessCode)
                {
                    throw new BuildXLException(
                        "Kernel extension report queue failed with error: " + code,
                        ExceptionRootCause.MissingRuntimeDependency);
                }

                // No tracked process for 'report.PipId' means that pip was explicitly terminated
                // (timeout, Ctrl-C); such reports are dropped on the floor.
                if (!m_pipProcesses.TryGetValue(report.PipId, out var tracked))
                {
                    return;
                }

                // Attribution check: the report is only forwarded when its root PID is the process we
                // track for this pip; anything else is treated as an error.
                if (tracked.ProcessId == report.RootPid)
                {
                    tracked.PostAccessReport(report);
                    return;
                }

                throw new BuildXLException($"Unexpected PID for Pip {report.PipId:X}: Expected {tracked.ProcessId}, Reported {report.RootPid}");
            };

            Sandbox.ListenForFileAccessReports(onReport, address, port);
        }
        /// <summary>
        /// Starts listening for reports from the EndpointSecurity sandbox.
        /// </summary>
        /// <exception cref="BuildXLException">
        /// Raised inside the report callback with <c>ExceptionRootCause.MissingRuntimeDependency</c>
        /// when delivery reports a code other than <see cref="Sandbox.ReportQueueSuccessCode"/>, and
        /// with <c>ExceptionRootCause.FailFast</c> when a report's root PID is not the process tracked
        /// for its pip.
        /// </exception>
        private void StartReceivingAccessReports()
        {
            // NOTE(review): the delegate lives in a local; if the native side retains the function
            // pointer after this call returns, something else must keep it alive — confirm against interop.
            Sandbox.AccessReportCallback onReport = delegate (Sandbox.AccessReport report, int code)
            {
                if (code != Sandbox.ReportQueueSuccessCode)
                {
                    throw new BuildXLException(
                        "EndpointSecurity event delivery failed with error: " + code,
                        ExceptionRootCause.MissingRuntimeDependency);
                }

                // The report has left the native queue at this point; record when.
                report.Statistics.DequeueTime = Sandbox.GetMachAbsoluteTime();

                // Liveness bookkeeping: wall-clock time of the last report and the newest native enqueue time.
                Volatile.Write(ref m_lastReportReceivedTimestampTicks, DateTime.UtcNow.Ticks);
                Volatile.Write(ref m_reportQueueLastEnqueueTime, report.Statistics.EnqueueTime);

                // No tracked process for 'report.PipId' means that pip was explicitly terminated
                // (timeout, Ctrl-C); such reports are dropped on the floor.
                if (!m_pipProcesses.TryGetValue(report.PipId, out var tracked))
                {
                    return;
                }

                // Attribution check: the report is only forwarded when its root PID is the process we
                // track for this pip; a mismatch is treated as fatal.
                if (tracked.ProcessId == report.RootPid)
                {
                    tracked.PostAccessReport(report);
                    return;
                }

                throw new BuildXLException("The process id from the lookup did not match the file access report process id", ExceptionRootCause.FailFast);
            };

            Sandbox.ObserverFileAccessReports(ref m_esConnectionInfo, onReport, Marshal.SizeOf<Sandbox.AccessReport>());
        }
 /// <summary>
 /// Releases all resources and cleans up the interop instance too: deinitializes the native
 /// sandbox, then drops the reference to the access report callback.
 /// </summary>
 /// <remarks>
 /// NOTE(review): the callback field is cleared only after the native side is deinitialized —
 /// presumably so the delegate stays reachable while native code may still invoke it; confirm.
 /// There is no guard against this being called more than once.
 /// </remarks>
 public void ReleaseResources()
 {
     Sandbox.DeinitializeSandbox();
     m_AccessReportCallback = null;
 }
 /// <summary>
 /// Releases all resources and cleans up the interop instance too: deinitializes the
 /// EndpointSecurity sandbox described by <c>m_esConnectionInfo</c>, then drops the reference
 /// to the access report callback.
 /// </summary>
 /// <remarks>
 /// NOTE(review): the callback field is cleared only after the native side is deinitialized —
 /// presumably so the delegate stays reachable while native code may still invoke it; confirm.
 /// There is no guard against this being called more than once.
 /// </remarks>
 public void ReleaseResources()
 {
     Sandbox.DeinitializeEndpointSecuritySandbox(m_esConnectionInfo);
     m_AccessReportCallback = null;
 }