/// <summary> /// Initializes the ES sandbox /// </summary> public SandboxConnectionES(bool isInTestMode = false, bool measureCpuTimes = false) { m_reportQueueLastEnqueueTime = 0; m_esConnectionInfo = new Sandbox.ESConnectionInfo() { Error = Sandbox.SandboxSuccess }; MeasureCpuTimes = measureCpuTimes; IsInTestMode = isInTestMode; var process = System.Diagnostics.Process.GetCurrentProcess(); Sandbox.InitializeEndpointSecuritySandbox(ref m_esConnectionInfo, process.Id); if (m_esConnectionInfo.Error != Sandbox.SandboxSuccess) { throw new BuildXLException($@"Unable to connect to EndpointSecurity sandbox (Code: {m_esConnectionInfo.Error})"); } #if DEBUG ProcessUtilities.SetNativeConfiguration(true); #else ProcessUtilities.SetNativeConfiguration(false); #endif m_workerThread = new Thread(() => StartReceivingAccessReports()); m_workerThread.Name = "EndpointSecurityCallbackProcessor"; m_workerThread.Priority = ThreadPriority.Highest; m_workerThread.IsBackground = true; m_workerThread.Start(); }
/// <summary> /// Initializes the ES sandbox /// </summary> public SandboxConnectionES(bool isInTestMode = false, bool measureCpuTimes = false) { m_reportQueueLastEnqueueTime = 0; m_esConnectionInfo = new Sandbox.ESConnectionInfo() { Error = Sandbox.SandboxSuccess }; MeasureCpuTimes = measureCpuTimes; IsInTestMode = isInTestMode; var process = System.Diagnostics.Process.GetCurrentProcess(); Sandbox.InitializeEndpointSecuritySandbox(ref m_esConnectionInfo, process.Id); if (m_esConnectionInfo.Error != Sandbox.SandboxSuccess) { throw new BuildXLException($@"Unable to connect to EndpointSecurity sandbox (Code: {m_esConnectionInfo.Error})"); } #if DEBUG ProcessUtilities.SetNativeConfiguration(true); #else ProcessUtilities.SetNativeConfiguration(false); #endif m_AccessReportCallback = (Sandbox.AccessReport report, int code) => { if (code != Sandbox.ReportQueueSuccessCode) { var message = "EndpointSecurity event delivery failed with error: " + code; throw new BuildXLException(message, ExceptionRootCause.MissingRuntimeDependency); } // Stamp the access report with a dequeue timestamp report.Statistics.DequeueTime = Sandbox.GetMachAbsoluteTime(); // Update last received timestamp Volatile.Write(ref m_lastReportReceivedTimestampTicks, DateTime.UtcNow.Ticks); // Remember the latest enqueue time Volatile.Write(ref m_reportQueueLastEnqueueTime, report.Statistics.EnqueueTime); // The only way it can happen that no process is found for 'report.PipId' is when that pip is // explicitly terminated (e.g., because it timed out or Ctrl-c was pressed) if (m_pipProcesses.TryGetValue(report.PipId, out var process)) { // if the process is found, its ProcessId must match the RootPid of the report. if (process.ProcessId != report.RootPid) { throw new BuildXLException("The process id from the lookup did not match the file access report process id", ExceptionRootCause.FailFast); } else { process.PostAccessReport(report); } } }; Sandbox.ObserverFileAccessReports(ref m_esConnectionInfo, m_AccessReportCallback, Marshal.SizeOf <Sandbox.AccessReport>()); }
/// <summary> /// Initializes the sandbox kernel extension connection manager, setting up the kernel extension connection and workers that drain the /// kernel event queue and report file accesses /// </summary> public KextConnection(Config config = null, bool skipDisposingForTests = false) { m_reportQueueLastEnqueueTime = 0; m_kextConnectionInfo = new Sandbox.KextConnectionInfo() { Error = Sandbox.KextSuccess }; m_sharedMemoryInfo = new Sandbox.KextSharedMemoryInfo() { Error = Sandbox.KextSuccess }; MeasureCpuTimes = config.MeasureCpuTimes; IsInTestMode = skipDisposingForTests; // initialize kext connection Sandbox.InitializeKextConnection(ref m_kextConnectionInfo); if (m_kextConnectionInfo.Error != Sandbox.KextSuccess) { throw new BuildXLException($@"Unable to connect to sandbox kernel extension (Code: {m_kextConnectionInfo.Error}) - make sure it is loaded and retry! {KextInstallHelper}"); } // check and set if the sandbox is running in debug configuration bool isDebug = false; Sandbox.CheckForDebugMode(ref isDebug, m_kextConnectionInfo); ProcessUtilities.SetNativeConfiguration(isDebug); #if DEBUG if (!ProcessUtilities.IsNativeInDebugConfiguration()) #else if (ProcessUtilities.IsNativeInDebugConfiguration()) #endif { throw new BuildXLException($"Sandbox kernel extension build flavor missmatch - the extension must match the engine build flavor, Debug != Release. {KextInstallHelper}"); } // check if the sandbox version matches var stringBufferLength = MaxVersionNumberLength + 1; var version = new StringBuilder(stringBufferLength); Sandbox.KextVersionString(version, stringBufferLength); if (!RequiredKextVersionNumber.Equals(version.ToString().TrimEnd('\0'))) { throw new BuildXLException($"Sandbox kernel extension version mismatch, the loaded kernel extension version '{version}' does not match the required version '{RequiredKextVersionNumber}'. {KextInstallHelper}"); } if (config?.KextConfig != null) { if (!Sandbox.Configure(config.KextConfig.Value, m_kextConnectionInfo)) { throw new BuildXLException($"Unable to configure sandbox kernel extension"); } } m_failureCallback = config?.FailureCallback; // Initialize the shared memory region Sandbox.InitializeKextSharedMemory(m_kextConnectionInfo, ref m_sharedMemoryInfo); if (m_sharedMemoryInfo.Error != Sandbox.KextSuccess) { throw new BuildXLException($"Unable to allocate shared memory region for worker (Code:{m_sharedMemoryInfo.Error})"); } if (!SetFailureNotificationHandler()) { throw new BuildXLException($"Unable to set sandbox kernel extension failure notification callback handler"); } m_workerThread = new Thread(() => StartReceivingAccessReports(m_sharedMemoryInfo.Address, m_sharedMemoryInfo.Port)); m_workerThread.IsBackground = true; m_workerThread.Priority = ThreadPriority.Highest; m_workerThread.Start(); unsafe bool SetFailureNotificationHandler() { return(Sandbox.SetFailureNotificationHandler(KextFailureCallback, m_kextConnectionInfo)); void KextFailureCallback(void *refCon, int status) { m_failureCallback?.Invoke(status, $"Unrecoverable kernel extension failure happened - try reloading the kernel extension or restart your system. {KextInstallHelper}"); } } }