Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect reporting for unix domain sockets on macOS #8296

Open
zwass opened this issue Mar 14, 2024 · 0 comments · May be fixed by #8315
Open

Incorrect reporting for unix domain sockets on macOS #8296

zwass opened this issue Mar 14, 2024 · 0 comments · May be fixed by #8315
Labels
bug macOS

Comments

@zwass
Copy link
Member

zwass commented Mar 14, 2024
edited

Bug report

What operating system and version are you using?

osqueryi --line "SELECT version, build, platform FROM os_version;"
 version = 14.3
   build = 23D56
platform = darwin

What version of osquery are you using?

osqueryi --line "SELECT version from osquery_info;"
version = 5.11.0

What steps did you take to reproduce the issue?

  1. Open a unix domain socket: nc -lkU aSocket.sock (leave running)
  2. Query for it with listening_ports and process_open_sockets tables.

What did you expect to see?

process_open_sockets.family and listening_ports.family should be 1 instead of 0.

listening_ports.path should be nonempty.

What did you see instead?

osquery> select * from process_open_sockets where pid = 92233;
           pid = 92233
            fd =
        socket = 3
        family = 0
      protocol = 0
 local_address =
remote_address =
    local_port = 0
   remote_port = 0
          path = aSocket.sock
         state =

osquery> select * from listening_ports where pid = 92233;
     pid = 92233
    port = 0
protocol = 0
  family = 0
 address =
      fd = 0
  socket = 3
    path =

Looking at the code it seems the path issue may result from the family issue.

This line should be setting the value to 1?

osquery/osquery/tables/system/darwin/process_open_descriptors.cpp

Line 181 in b9720d9

r["family"] = "0";

This would then properly set the path?

osquery/osquery/tables/networking/listening_ports.cpp

Lines 42 to 44 in b9720d9

if (socket.at("family") == kAF_UNIX) {
r["port"] = "0";
r["path"] = socket.at("path");

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug macOS
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Set the fields family and protocol correctly for Unix domain sockets on macOS iko1/osquery
1 participant
@zwass