forked from Lainports/freebsd-ports
6efaeef862
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes. WWW: https://osquery.io/ Sponsored by: Beer from wxs@
70 lines
2.4 KiB
C++
70 lines
2.4 KiB
C++
--- osquery/events/events.cpp.orig 2015-05-05 00:16:41 UTC
|
|
+++ osquery/events/events.cpp
|
|
@@ -407,6 +407,8 @@ void EventFactory::delay() {
|
|
}
|
|
|
|
Status EventFactory::run(EventPublisherID& type_id) {
|
|
+ auto& ef = EventFactory::getInstance();
|
|
+
|
|
// An interesting take on an event dispatched entrypoint.
|
|
// There is little introspection into the event type.
|
|
// Assume it can either make use of an entrypoint poller/selector or
|
|
@@ -414,12 +416,17 @@ Status EventFactory::run(EventPublisherI
|
|
// only once and handle event queueing/firing in callbacks.
|
|
EventPublisherRef publisher;
|
|
try {
|
|
- publisher = EventFactory::getInstance().getEventPublisher(type_id);
|
|
+ publisher = ef.getEventPublisher(type_id);
|
|
} catch (std::out_of_range& e) {
|
|
return Status(1, "No event type found");
|
|
}
|
|
|
|
- VLOG(1) << "Starting event publisher runloop: " + type_id;
|
|
+ if (publisher == nullptr) {
|
|
+ return Status(1, "Event publisher is missing");
|
|
+ } else if (publisher->hasStarted()) {
|
|
+ return Status(1, "Cannot restart an event publisher");
|
|
+ }
|
|
+ VLOG(1) << "Starting event publisher run loop: " + type_id;
|
|
publisher->hasStarted(true);
|
|
|
|
auto status = Status(0, "OK");
|
|
@@ -428,11 +435,12 @@ Status EventFactory::run(EventPublisherI
|
|
status = publisher->run();
|
|
osquery::publisherSleep(EVENTS_COOLOFF);
|
|
}
|
|
-
|
|
// The runloop status is not reflective of the event type's.
|
|
- publisher->tearDown();
|
|
VLOG(1) << "Event publisher " << publisher->type()
|
|
- << " runloop terminated for reason: " << status.getMessage();
|
|
+ << " run loop terminated for reason: " << status.getMessage();
|
|
+ // Publishers auto tear down when their run loop stops.
|
|
+ publisher->tearDown();
|
|
+ ef.event_pubs_.erase(type_id);
|
|
return Status(0, "OK");
|
|
}
|
|
|
|
@@ -573,9 +581,12 @@ Status EventFactory::deregisterEventPubl
|
|
// If a publisher's run loop was not started, call tearDown since
|
|
// the setUp happened at publisher registration time.
|
|
publisher->tearDown();
|
|
+ // If the run loop did run the tear down and erase will happen in the event
|
|
+ // thread wrapper when isEnding is next checked.
|
|
+ ef.event_pubs_.erase(type_id);
|
|
+ } else {
|
|
+ publisher->end();
|
|
}
|
|
-
|
|
- ef.event_pubs_.erase(type_id);
|
|
return Status(0, "OK");
|
|
}
|
|
|
|
@@ -612,6 +623,7 @@ void EventFactory::end(bool join) {
|
|
}
|
|
}
|
|
|
|
+ // A small cool off helps OS API event publisher flushing.
|
|
::usleep(400);
|
|
ef.threads_.clear();
|
|
}
|