The arm64 and x86 toolchain should use the same kernel headers version as found on the oldest distro version we want to support. Not newer, not older.
Currently the x86 toolchain targets CentOS 6.10, glibc 2.12.2, which has kernel version 2.6.32, but we use kernel headers for 4.7.
This causes problems when configuring the third party libraries for the target system, because they can detect features that aren't actually present.
At the same time the kernel data structures used might not be in sync with what the actual underlying kernel is using (think of audit, netlink, perf etc), which could result in errors, access to invalid memory, crashes.
What we should do instead is to have the toolchain use the correct headers and then have osquery create its own copy of defines or data structures where necessary, and switch between them depending on the version of the kernel it's running on.
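A sketch of the runtime switch proposed above, added here as an example and not osquery code: it reads the running kernel's version with `uname()` and picks between two private copies of a structure. The `demo_msg_*` structures, `DEMO_NEW_LAYOUT_SINCE` and its 3.0.0 cut-over are hypothetical, constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/utsname.h>

/* Same packing as the kernel's KERNEL_VERSION(a, b, c) macro. */
#define KVER(a, b, c) (((long)(a) << 16) + ((long)(b) << 8) + (long)(c))

/* Private copies of a hypothetical kernel message whose layout grew a field.
 * The names and the 3.0.0 cut-over are constructed for illustration. */
struct demo_msg_old { unsigned int type; unsigned int pid; };
struct demo_msg_new { unsigned int type; unsigned int pid; unsigned int flags; };
#define DEMO_NEW_LAYOUT_SINCE KVER(3, 0, 0)

/* Parse a uname release string such as "2.6.32-754.el6.x86_64".
 * Returns the packed version, or -1 if major.minor cannot be read. */
long parse_kernel_release(const char *release) {
  unsigned int major = 0, minor = 0, patch = 0;
  if (release == NULL ||
      sscanf(release, "%u.%u.%u", &major, &minor, &patch) < 2)
    return -1;
  if (major > 255 || minor > 255) return -1;
  if (patch > 255) patch = 255; /* sublevels above 255 overflow the packing */
  return KVER(major, minor, patch);
}

/* Version of the kernel we run on, not the one the headers came from. */
long running_kernel_version(void) {
  struct utsname u;
  if (uname(&u) != 0) return -1;
  return parse_kernel_release(u.release);
}

/* Size of the message the given kernel expects; unknown versions fall back
 * to the oldest layout so we never read past what the kernel provides. */
size_t demo_msg_size(long kver) {
  if (kver >= DEMO_NEW_LAYOUT_SINCE) return sizeof(struct demo_msg_new);
  return sizeof(struct demo_msg_old);
}

int main(void) {
  long v = running_kernel_version();
  if (v < 0) { puts("kernel version unknown, using oldest layout"); return 1; }
  printf("running kernel: %ld.%ld.%ld, message size %zu\n",
         v >> 16, (v >> 8) & 0xff, v & 0xff, demo_msg_size(v));
  return 0;
}
```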