Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add additional file stat flags to darwin (bsd_flags) #6699

Merged
merged 2 commits into from
Oct 7, 2020
Merged

Add additional file stat flags to darwin (bsd_flags) #6699

merged 2 commits into from
Oct 7, 2020

Conversation

directionless
Copy link
Member

On macOS, there are several additional bsd_flags that may be set. These are not documented in the man page, but are documented in the header file.

(plus a tiny unrelated spelling fix)

osqueryd --verbose -S "select bsd_flags from file where path = '/private/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound'"
I1006 12:09:15.603936 82957760 init.cpp:343] osquery initialized [version=4.4.0]
I1006 12:09:15.627223 82957760 file.cpp:107] The following file had undocumented BSD file flags (chflags) set: "/private/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound"
+------------+
| bsd_flags  |
+------------+
| 0x00080000 |
+------------+

After patch:

dover:build seph$ ./osquery/osqueryd --verbose -S "select bsd_flags from file where path = '/private/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound'"
I1006 12:11:04.253655 275928512 init.cpp:340] osquery initialized [version=4.5.0-43-g335c01360-dirty]
+-----------------------------+
| bsd_flags                   |
+-----------------------------+
| SF_RESTRICTED, SF_SUPPORTED |
+-----------------------------+

@directionless
Add additional file stat flags to darwin
6a9b2a2 
Adds missing flags to macOS filesystem stat
@directionless
spelling
72ad017
sharvilshah
sharvilshah reviewed Oct 7, 2020
View reviewed changes
osquery/filesystem/darwin/bsd_file_flags.cpp
{UF_TRACKED, "TRACKED"}, // 0x00000040

{SF_APPEND, "SF_APPEND"}, // 0x00040000
{SF_ARCHIVED, "ARCHIVED"}, // 0x00010000
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SF_ARCHIVED perhaps for consistency? It seems most super-user flags are prefixed with SF

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That one is pre-existing, and I didn't want to change the format

@sharvilshah
Copy link
Member

Looks good!

@theopolis theopolis merged commit e8b9932 into osquery:master Oct 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sharvilshah sharvilshah sharvilshah left review comments

@theopolis theopolis theopolis approved these changes

Assignees
No one assigned
Labels
bug macOS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@directionless @sharvilshah @theopolis