コード例 #1
0
        /// <summary>
        /// Initializes the ES sandbox
        /// </summary>
        public SandboxConnectionES(bool isInTestMode = false, bool measureCpuTimes = false)
        {
            m_reportQueueLastEnqueueTime = 0;
            m_esConnectionInfo           = new Sandbox.ESConnectionInfo()
            {
                Error = Sandbox.SandboxSuccess
            };

            MeasureCpuTimes = measureCpuTimes;
            IsInTestMode    = isInTestMode;

            var process = System.Diagnostics.Process.GetCurrentProcess();

            Sandbox.InitializeEndpointSecuritySandbox(ref m_esConnectionInfo, process.Id);
            if (m_esConnectionInfo.Error != Sandbox.SandboxSuccess)
            {
                throw new BuildXLException($@"Unable to connect to EndpointSecurity sandbox (Code: {m_esConnectionInfo.Error})");
            }

#if DEBUG
            ProcessUtilities.SetNativeConfiguration(true);
#else
            ProcessUtilities.SetNativeConfiguration(false);
#endif

            m_workerThread              = new Thread(() => StartReceivingAccessReports());
            m_workerThread.Name         = "EndpointSecurityCallbackProcessor";
            m_workerThread.Priority     = ThreadPriority.Highest;
            m_workerThread.IsBackground = true;
            m_workerThread.Start();
        }
コード例 #2
0
        /// <summary>
        /// Initializes the ES sandbox
        /// </summary>
        public SandboxConnectionES(bool isInTestMode = false, bool measureCpuTimes = false)
        {
            m_reportQueueLastEnqueueTime = 0;
            m_esConnectionInfo           = new Sandbox.ESConnectionInfo()
            {
                Error = Sandbox.SandboxSuccess
            };

            MeasureCpuTimes = measureCpuTimes;
            IsInTestMode    = isInTestMode;

            var process = System.Diagnostics.Process.GetCurrentProcess();

            Sandbox.InitializeEndpointSecuritySandbox(ref m_esConnectionInfo, process.Id);
            if (m_esConnectionInfo.Error != Sandbox.SandboxSuccess)
            {
                throw new BuildXLException($@"Unable to connect to EndpointSecurity sandbox (Code: {m_esConnectionInfo.Error})");
            }

#if DEBUG
            ProcessUtilities.SetNativeConfiguration(true);
#else
            ProcessUtilities.SetNativeConfiguration(false);
#endif

            m_AccessReportCallback = (Sandbox.AccessReport report, int code) =>
            {
                if (code != Sandbox.ReportQueueSuccessCode)
                {
                    var message = "EndpointSecurity event delivery failed with error: " + code;
                    throw new BuildXLException(message, ExceptionRootCause.MissingRuntimeDependency);
                }

                // Stamp the access report with a dequeue timestamp
                report.Statistics.DequeueTime = Sandbox.GetMachAbsoluteTime();

                // Update last received timestamp
                Volatile.Write(ref m_lastReportReceivedTimestampTicks, DateTime.UtcNow.Ticks);

                // Remember the latest enqueue time
                Volatile.Write(ref m_reportQueueLastEnqueueTime, report.Statistics.EnqueueTime);

                // The only way it can happen that no process is found for 'report.PipId' is when that pip is
                // explicitly terminated (e.g., because it timed out or Ctrl-c was pressed)
                if (m_pipProcesses.TryGetValue(report.PipId, out var process))
                {
                    // if the process is found, its ProcessId must match the RootPid of the report.
                    if (process.ProcessId != report.RootPid)
                    {
                        throw new BuildXLException("The process id from the lookup did not match the file access report process id", ExceptionRootCause.FailFast);
                    }
                    else
                    {
                        process.PostAccessReport(report);
                    }
                }
            };

            Sandbox.ObserverFileAccessReports(ref m_esConnectionInfo, m_AccessReportCallback, Marshal.SizeOf <Sandbox.AccessReport>());
        }
コード例 #3
0
        /// <summary>
        /// Initializes the sandbox kernel extension connection manager, setting up the kernel extension connection and workers that drain the
        /// kernel event queue and report file accesses
        /// </summary>
        public KextConnection(Config config = null, bool skipDisposingForTests = false)
        {
            m_reportQueueLastEnqueueTime = 0;
            m_kextConnectionInfo         = new Sandbox.KextConnectionInfo()
            {
                Error = Sandbox.KextSuccess
            };
            m_sharedMemoryInfo = new Sandbox.KextSharedMemoryInfo()
            {
                Error = Sandbox.KextSuccess
            };

            MeasureCpuTimes = config.MeasureCpuTimes;
            IsInTestMode    = skipDisposingForTests;

            // initialize kext connection
            Sandbox.InitializeKextConnection(ref m_kextConnectionInfo);
            if (m_kextConnectionInfo.Error != Sandbox.KextSuccess)
            {
                throw new BuildXLException($@"Unable to connect to sandbox kernel extension (Code: {m_kextConnectionInfo.Error}) - make sure it is loaded and retry! {KextInstallHelper}");
            }

            // check and set if the sandbox is running in debug configuration
            bool isDebug = false;

            Sandbox.CheckForDebugMode(ref isDebug, m_kextConnectionInfo);
            ProcessUtilities.SetNativeConfiguration(isDebug);

#if DEBUG
            if (!ProcessUtilities.IsNativeInDebugConfiguration())
#else
            if (ProcessUtilities.IsNativeInDebugConfiguration())
#endif
            {
                throw new BuildXLException($"Sandbox kernel extension build flavor missmatch - the extension must match the engine build flavor, Debug != Release. {KextInstallHelper}");
            }

            // check if the sandbox version matches
            var stringBufferLength = MaxVersionNumberLength + 1;
            var version            = new StringBuilder(stringBufferLength);
            Sandbox.KextVersionString(version, stringBufferLength);

            if (!RequiredKextVersionNumber.Equals(version.ToString().TrimEnd('\0')))
            {
                throw new BuildXLException($"Sandbox kernel extension version mismatch, the loaded kernel extension version '{version}' does not match the required version '{RequiredKextVersionNumber}'. {KextInstallHelper}");
            }

            if (config?.KextConfig != null)
            {
                if (!Sandbox.Configure(config.KextConfig.Value, m_kextConnectionInfo))
                {
                    throw new BuildXLException($"Unable to configure sandbox kernel extension");
                }
            }

            m_failureCallback = config?.FailureCallback;

            // Initialize the shared memory region
            Sandbox.InitializeKextSharedMemory(m_kextConnectionInfo, ref m_sharedMemoryInfo);
            if (m_sharedMemoryInfo.Error != Sandbox.KextSuccess)
            {
                throw new BuildXLException($"Unable to allocate shared memory region for worker (Code:{m_sharedMemoryInfo.Error})");
            }

            if (!SetFailureNotificationHandler())
            {
                throw new BuildXLException($"Unable to set sandbox kernel extension failure notification callback handler");
            }

            m_workerThread = new Thread(() => StartReceivingAccessReports(m_sharedMemoryInfo.Address, m_sharedMemoryInfo.Port));
            m_workerThread.IsBackground = true;
            m_workerThread.Priority     = ThreadPriority.Highest;
            m_workerThread.Start();

            unsafe bool SetFailureNotificationHandler()
            {
                return(Sandbox.SetFailureNotificationHandler(KextFailureCallback, m_kextConnectionInfo));

                void KextFailureCallback(void *refCon, int status)
                {
                    m_failureCallback?.Invoke(status, $"Unrecoverable kernel extension failure happened - try reloading the kernel extension or restart your system. {KextInstallHelper}");
                }
            }
        }