Added support for:

MySQL 64-bit   8.0.30

MySQL 64-bit   5.7.39, 5.7.38
MySQL 32-bit   5.7.39, 5.7.38

MariaDB 64-bit  10.7.5, 10.7.4, 10.7.3, 10.5.16, 10.2.44
MariaDB 32-bit  10.2.44

.github/CODEOWNERS

@@ -0,0 +1 @@
+@awalicka @pwrpw @wpdbarrett

CODE_OF_CONDUCT.md

@@ -0,0 +1,77 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+
+reported by contacting the project team via **Github Issues**
+
+All complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

CONTRIBUTING.md

@@ -0,0 +1,63 @@
+# Contributing to mysql-audit
+
+Welcome, and thank you for your interest in contributing to mysql-audit!
+
+
+## Asking Questions
+
+Have a question? </br> 
+We accept questions as issues on GitHub.</br>
+https://github.com/mcafee/mysql-audit/issues
+
+
+## Providing Feedback
+
+Have some feedback? We would love to hear it!</br>
+Open an issue and let us know what you think.</br>
+https://github.com/mcafee/mysql-audit/issues
+
+
+## Reporting Issues
+Found a bug?
+
+Please feel free to report to: https://github.com/mcafee/mysql-audit/issues
+
+### Look For an Existing Issue
+
+Before you create a new issue, please do a search in [open issues](https://github.com/mcafee/mysql-audit/issues) to see if the issue or feature request has already been filed.
+
+If you find your issue already exists, make relevant comments and add your [reaction](https://github.com/blog/2119-add-reactions-to-pull-requests-issues-and-comments). Use a reaction in place of a "+1" comment:
+
+* 👍 - upvote
+* 👎 - downvote
+
+If you cannot find an existing issue that describes your bug or feature, create a new issue using the guidelines below.
+
+### Writing Good Bug Reports and Feature Requests
+
+Be sure to include a **title and clear description** with as much information as possible.
+
+If reporting a bug, please describe the problem verbosely. Try to see if it reproduces and 
+include a detailed description on how to reproduce.
+ 
+Make sure to include your MySQL Server version and Audit Plugin version.
+To print MySQL Server version: log into MySQL and execute the command: 
+
+    status
+
+Please include with the bug the MySQL error log. 
+Log file location can be queried by running the following command: 
+
+    show global variables like 'log_error'
+
+
+## Contributing 
+
+* Open a new GitHub pull request with a patch - name the patch something along the lines of `{contributor-name}-short-description`
+* Ensure the pull request description clearly describes the problem/fix and solution.  Include the relevant issue number if applicable.
+* Follow the coding and documentation conventions in the existing project.  Pull requests that simply reformat or restructure the content will not be accepted.
+
+
+# Thank You!
+
+Your contributions to open source, large or small, make great projects like this possible. Thank you for taking the time to contribute.

LICENSE.md

@@ -0,0 +1,13 @@
+# License
+Copyright (C) 2021 Musarubra US LLC.
+
+This program is free software; you can redistribute it and/or modify it under the terms of the GNU 
+General Public License as published by the Free Software Foundation; version 2 of the License.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; 
+without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
+See the GNU General Public License for more details.
+
+See COPYING file for a copy of the GPL Version 2 license.
+
+<sup>*</sup> Other trademarks and brands may be claimed as the property of others.

README.md

@@ -1,48 +1,37 @@
-AUDIT Plugin for MySQL<sup>*</sup>
-===================
+# AUDIT Plugin for MySQL<sup>*</sup>
 
-A MySQL plugin from McAfee providing audit capabilities for MySQL, 
+
+## Overview
+A MySQL plugin from Trellix providing audit capabilities for MySQL, 
 designed with an emphasis on security and audit requirements. The plugin may be used 
 as a standalone audit solution or configured to feed data to external monitoring tools.
 
 
-Installation and Configuration 
-------------------------------
-
-Please check out our wiki on github for detailed installation and configuration instructions:
-
+## Documentation
+Please check out our wiki on GitHub. <br/>
 https://github.com/mcafee/mysql-audit/wiki 
 
 
-Issues
-------------------------------
+## Installation / Configuration
+Official Trellix plugin binary releases can be downloaded from the Releases page on GitHub: <br/>
+https://github.com/mcafee/mysql-audit/releases
 
+Please check out our wiki on GitHub for detailed installation and configuration instructions: <br/>
+https://github.com/mcafee/mysql-audit/wiki 
+
+
+## Feedback / Bug Reporting
 Found a bug? Got a feature request or question?
 
-Please feel free to report to: https://github.com/mcafee/mysql-audit/issues
-
-If reporting a bug, please describe the problem verbosely. Try to see if it reproduces and 
-include a detailed description on how to reproduce.
- 
-Make sure to include your MySQL Server version and Audit Plugin version.
-To print MySQL Server version: log into MySQL and execute the command: 
-
-    status
-
-Please include with the bug the MySQL error log. 
-Log file location can be queried by running the following command: 
-
-     show global variables like 'log_error'
+Check out the [CONTRIBUTING.md](https://github.com/mcafee/mysql-audit/blob/master/CONTRIBUTING.md) to see how you can get involved.
 
 
-Source Code
--------------------------------
+## Source Code
 Source code is available at: https://github.com/mcafee/mysql-audit
 
-	
-License
--------------------------------
-Copyright (C) 2016 McAfee, Inc.
+
+## License
+Copyright (C) 2011-2022 Musarubra US LLC.
 
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU 
 General Public License as published by the Free Software Foundation; version 2 of the License.

compiling.txt

@@ -52,6 +52,8 @@ first (see www.boost.org). In such a case, use:
 
 Note: For MariaDB use:  cmake . -DBUILD_CONFIG=mysql_release
 
+Note: For Percona`s MySQL use: cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_CONFIG=mysql_release -DWITH_BOOST=boost_1_59_0 .
+
 Note: to speed things up it is possible to build just the following directories:  
 libservices 
 extra
@@ -63,6 +65,8 @@ chmod +x bootstrap.sh
 CXX='gcc -static-libgcc' CC='gcc -static-libgcc' ./configure --with-mysql=mysql-5.x.x --with-mysql-libservices=mysql-5.x.x/libservices/libmysqlservices.a
 make
 
+Note: For Percona`s MySQL define also PERCONA_BUILD=true variable, like "PERCONA_BUILD=true ./configure..."
+
 ==== Compiling with make =====
 
 Go to top source dir and run:
@@ -77,3 +81,20 @@ Some documentation about configure command for mysql:
 
 http://dev.mysql.com/doc/refman/5.1/en/source-configuration-options.html
 
+
+==== MariaDB 10.2.10 ======
+1. Firstly checkout the source code:-
+	- svn co https://beasource3.corp.nai.org/svn/projects/DBSec-MySQL audit_plugin_mysql
+2. cd audit_plugin_mysql
+3. unzip zip-sources/mariadb-10.2.10.zip
+4. cd mariadb-10.2.10
+5. CC=gcc CXX=g++ cmake .    -DBUILD_CONFIG=mysql_release -DGNUTLS_INCLUDE_DIR=./zip-sources/mariadb-10.2.10/gnutls-3.3.24/64b/include -DGNUTLS_LIBRARY=./zip-sources/mariadb-10.2.10/gnutls-3.3.24/64b/lib
+6. cd mariadb-10.2.10/libservices
+7. make
+8. cd ../extra
+9. make
+10. cd ../..
+11. chmod +x bootstrap.sh
+12. ./bootstrap.sh
+13. CXX='gcc -static-libgcc' CC='gcc -static-libgcc' MYSQL_AUDIT_PLUGIN_VERSION=1.1.13 MYSQL_AUDIT_PLUGIN_REVISION=`svn info|grep ^Revision|awk -F ": " '{print $2}'` ./configure --enable-debug=no --with-mysql=mariadb-10.2.10 --with-mysql-libservices=mariadb-10.2.10/libservices/libmysqlservices.a
+14. gmake <======== This will create the plugin "libaudit_plugin.so"

config/ac_mysql.m4

@@ -33,7 +33,7 @@ dnl
 dnl table_id.h included from table.h included by mysql_inc.h is
 dnl in libbinlogevents/include.
     AC_DEFINE([MYSQL_SRC], [1], [Source directory for MySQL])
-    MYSQL_INC="-I$withval/sql -I$withval/libbinlogevents/export -I$withval/libbinlogevents/include -I$withval/include -I$withval/regex -I$withval"
+    MYSQL_INC="-I$withval/sql -I$withval/libbinlogevents/export -I$withval/libbinlogevents/include -I$withval/include -I$withval/regex -I$withval -I$withval/extra/rapidjson/include -I$withval/wsrep-lib/include -I$withval/wsrep-lib/wsrep-API/v26"
     AC_MSG_RESULT(["$withval"])
   ],
   [

configure.ac

@@ -16,10 +16,19 @@ AC_DEFUN([CHECK_DEBUG], [
         AC_MSG_CHECKING(whether to enable debugging)
 
         if test "x$enable_debug" = "xyes"; then
-        CPPFLAGS="$CPPFLAGS -g -D_DEBUG"
+# Note that SAFE_MUTEX is needed in debug plugin compilation, in order that
+# it aligns with MySQL at debug level. Specifically, in the MySQL source file
+# "include/thr_mutex.h", we need both the my_mutex_init() function and the
+# my_mutex_lock() function to use the same paradigm (i.e. both using
+# "safe_mutex_*" calls ... or both using "native_mutex_*" calls ... but
+# definitely NOT a mix of 'safe' and 'native').
+        CPPFLAGS="$CPPFLAGS -g -D_DEBUG -DSAFE_MUTEX"
                 AC_MSG_RESULT(yes)
         else
-        		CPPFLAGS="$CPPFLAGS -g -O2 -DDBUG_OFF"
+# We need to specify -DDBUG_OFF and -DNDEBUG in order to compile the plugin
+# without MySQL debug components. Later versions of MySQL ignore the DBUG_OFF
+# flag, but continue to respect the NDEBUG flag.
+        CPPFLAGS="$CPPFLAGS -g -O2 -DDBUG_OFF -DNDEBUG"
                 AC_MSG_RESULT(no)
 		fi
 
@@ -96,8 +105,7 @@ AC_PATH_PROG(DIFF, diff, diff)
 #we can add the following flags for better error catching: -Werror -Wimplicit
 CPPFLAGS="$CPPFLAGS -Werror -Wall"
 CFLAGS="$CFLAGS -Wimplicit"
-# From MySQL: Disable exceptions as they seams to create problems with gcc and threads.
-CXXFLAGS="-fno-implicit-templates -fno-exceptions -fno-rtti -Wno-reorder -Wno-strict-aliasing"
+CXXFLAGS="-fno-implicit-templates -fno-strict-aliasing"
 
 #add pthread libs
 LIBS="$LIBS -lpthread"
@@ -128,12 +136,29 @@ CPPFLAGS="$CPPFLAGS -DMYSQL_AUDIT_PLUGIN_VERSION='\"$MYSQL_AUDIT_PLUGIN_VERSION\
 CPPFLAGS="$CPPFLAGS -DMYSQL_AUDIT_PLUGIN_REVISION='\"$MYSQL_AUDIT_PLUGIN_REVISION\"'"
 CPPFLAGS="$CPPFLAGS '-DMYSQL_AUDIT_PLUGIN_SYMBOL_VERSION()=extern const char audit_plugin_version_$MYSQL_AUDIT_PLUGIN_SYMBOL_VERSION'"
 
+# Percona`s MySQL macro
+if [[ "$PERCONA_BUILD" = "true" ]]; then
+	CPPFLAGS="$CPPFLAGS -DPERCONA_BUILD" # Percona`s build macro, used to distinguish between MySQL/MariaDB build VS Percona build
+fi
 
 #subst the relevant variables
 AC_SUBST(CPPFLAGS)
 AC_SUBST(CXXLAGS)
 AC_SUBST(CLAGS)
 
+#mariadb-visibility section start
+AC_ARG_ENABLE(mariadb-visibility,
+[ --enable-mariadb-visibility, Enable symbol visibility for Mariadb, default:no ],
+[case "${enableval}" in
+	 yes) mariadb_visibility=yes ;;
+	 no) mariadb_visibility=no ;;
+	 *) AC_MSG_ERROR([bad value ${enableval} for --enable-mariadb-visibility]) ;;
+esac],
+[ mariadb_visibility=no ]
+)
+AC_MSG_RESULT($mariadb_visibility)
+AM_CONDITIONAL([ENABLE_MARIADB_SYMBOLS], [test "x$mariadb_visibility" = "xyes"])
+#mariadb-visibility section end
 
 AC_CONFIG_FILES([Makefile
 		src/Makefile

include/audit_handler.h

@@ -17,7 +17,7 @@
 
 #include <pcre.h>
 
-#define AUDIT_LOG_PREFIX "Audit Plugin:"
+#define AUDIT_LOG_PREFIX "Trellix Audit Plugin:"
 #define AUDIT_PROTOCOL_VERSION "1.0"
 
 #if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 50709
@@ -69,7 +69,7 @@ typedef size_t OFFSET;
 
 // mysql max identifier is 64 so 2*64 + . and null
 #define MAX_OBJECT_CHAR_NUMBERS 131
-#define MAX_USER_CHAR_NUMBERS 20
+#define MAX_USER_CHAR_NUMBERS 32
 #define MAX_NUM_OBJECT_ELEM 256
 #define MAX_NUM_USER_ELEM 256
 
@@ -101,6 +101,10 @@ typedef struct ThdOffsets {
 	OFFSET found_rows;
 	OFFSET sent_row_count;
 	OFFSET row_count_func;
+	OFFSET stmt_da;
+	OFFSET da_status;
+	OFFSET da_sql_errno;
+	OFFSET view_tables;
 } ThdOffsets;
 
 /*
@@ -145,6 +149,9 @@ public:
 	const char *getOsUser() const;
 	const int getPort() const { return m_port; }
 	const StatementSource getStatementSource() const { return m_source; }
+	void storeErrorCode();
+	void setErrorCode(uint code) { m_errorCode = code; m_setErrorCode = true; }
+	bool getErrorCode(uint & code) const { code = m_errorCode; return m_setErrorCode; }
 	/**
 	 * Start fetching objects. Return true if there are objects available.
 	 */
@@ -178,6 +185,9 @@ private:
 
 	int m_port;	// TCP port of remote side
 
+	uint m_errorCode;
+	bool m_setErrorCode;
+
 protected:
 	ThdSesData(const ThdSesData&);
 	ThdSesData &operator =(const ThdSesData&);
@@ -215,9 +225,13 @@ public:
 	virtual ssize_t stop_msg_format(IWriter *writer) { return 0; }
 
 	static const char *retrieve_object_type(TABLE_LIST *pObj);
+#if defined(MARIADB_BASE_VERSION) || MYSQL_VERSION_ID < 80000
 	static QueryTableInf *getQueryCacheTableList1(THD *thd);
+#endif
 
 	// utility functions for fetching thd stuff
+	static int thd_client_port(THD *thd);
+
 	static inline my_thread_id thd_inst_thread_id(THD *thd)
 	{
 		return *(my_thread_id *) (((unsigned char *) thd)
@@ -238,8 +252,14 @@ public:
 	{
 		if (! Audit_formatter::thd_offsets.db) // no offsets use compiled in header
 		{
-#if defined(MARIADB_BASE_VERSION) || MYSQL_VERSION_ID < 50709
+#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID < 50709
 			return thd->db;
+#elif defined(MARIADB_BASE_VERSION)
+#if MYSQL_VERSION_ID >= 100307
+			return thd->db.str;
+#else
+			return thd->db;
+#endif
 #else
 			return thd->db().str;
 #endif
@@ -276,7 +296,9 @@ public:
 	static inline const char *thd_inst_main_security_ctx_host(THD *thd)
 	{
 		Security_context *sctx = thd_inst_main_security_ctx(thd);
-		if (! Audit_formatter::thd_offsets.sec_ctx_ip) // check ip to understand if set as host is first and may actually be set to 0
+		// check ip to understand if set, as host is first in the struct and may actually be set to 0
+		// we expect to have offsets for both ip and host or for neither of them
+		if (! Audit_formatter::thd_offsets.sec_ctx_ip)
 		{
 			// interface changed in 5.5.34 and 5.6.14 and up host changed to get_host()
 			// see: http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4407.1.1/sql/sql_class.h
@@ -335,15 +357,9 @@ public:
 			return sctx->priv_user().str;
 #endif
 		}
-#if MYSQL_VERSION_ID < 50505
-		// in 5.1.x priv_user is a pointer
-		return *(const char **) (((unsigned char *) sctx)
-				+ Audit_formatter::thd_offsets.sec_ctx_priv_user);
-#else
 		// in 5.5 and up priv_user is an array (char priv_user[USERNAME_LENGTH])
 		return (const char *) (((unsigned char *) sctx)
 				+ Audit_formatter::thd_offsets.sec_ctx_priv_user);
-#endif
 	}
 
 	static inline int thd_inst_command(THD *thd)
@@ -385,25 +401,21 @@ public:
 	}
 #endif
 
-	static inline const char * pfs_connect_attrs(void * pfs)
+	static inline const char * pfs_connect_attrs(const void * pfs)
 	{
-		if (! Audit_formatter::thd_offsets.pfs_connect_attrs)
+		if (! Audit_formatter::thd_offsets.pfs_connect_attrs || pfs == NULL)
 		{
 			//no offsets - return null
 			return NULL;
 		}
 		const char **pfs_pointer = (const char **) (((unsigned char *) pfs) + Audit_formatter::thd_offsets.pfs_connect_attrs);
-		if (pfs_pointer == NULL)
-		{
-			return NULL;
-		}
 
 		return *pfs_pointer;
 	}
 
-	static inline uint pfs_connect_attrs_length(void * pfs)
+	static inline uint pfs_connect_attrs_length(const void * pfs)
 	{
-		if (! Audit_formatter::thd_offsets.pfs_connect_attrs_length)
+		if (! Audit_formatter::thd_offsets.pfs_connect_attrs_length || pfs == NULL)
 		{
 			//no offsets - return 0
 			return 0;
@@ -411,9 +423,9 @@ public:
 		return *(uint *) (((unsigned char *) pfs) + Audit_formatter::thd_offsets.pfs_connect_attrs_length);
 	}
   
-static inline const CHARSET_INFO * pfs_connect_attrs_cs(void * pfs)
+static inline const CHARSET_INFO * pfs_connect_attrs_cs(const void * pfs)
 {
-	if (! Audit_formatter::thd_offsets.pfs_connect_attrs_cs)
+	if (! Audit_formatter::thd_offsets.pfs_connect_attrs_cs || pfs == NULL)
 	{
 		//no offsets - return null
 		return NULL;
@@ -435,7 +447,7 @@ static inline const CHARSET_INFO * pfs_connect_attrs_cs(void * pfs)
 		//			major, minor, patch);
 	}
 
-	if (   ( major == 5  && ( (minor == 6 && patch >= 15) || minor >= 7) )		// MySQL
+	if (   ( major == 5  && ( (minor == 6 && patch >= 15) || minor >= 7) ) || (major == 8)	// MySQL
 	    || ( major == 10 && ( (minor == 0 && patch >= 11) || minor >= 1) ) )	// MariaDB
 	{
 		uint cs_number = *(uint *) (((unsigned char *) pfs) + Audit_formatter::thd_offsets.pfs_connect_attrs_cs);
@@ -475,29 +487,6 @@ static inline const CHARSET_INFO * pfs_connect_attrs_cs(void * pfs)
 		return sock;
 	}
 
-	static inline int thd_client_port(THD *thd)
-	{
-		if (! Audit_formatter::thd_offsets.net)
-		{
-			return -1;
-		}
-		NET *net = ((NET *) (((unsigned char *) thd)
-				+ Audit_formatter::thd_offsets.net));
-
-		// get the port for the remote end
-		int port = -1;
-
-		if (net->vio != NULL)	// MySQL 5.7.17 - this can happen. :-(
-		{
-			struct sockaddr_in *in;
-			
-			in = (struct sockaddr_in *) & net->vio->remote;
-			port = in->sin_port;
-		}
-
-		return port;
-	}
-
 	static inline ulonglong thd_found_rows(THD *thd)
 	{
 		if (Audit_formatter::thd_offsets.found_rows == 0)
@@ -537,6 +526,47 @@ static inline const CHARSET_INFO * pfs_connect_attrs_cs(void * pfs)
 		return *rows;
 	}
 
+	static inline bool thd_error_code(THD *thd, uint & code)
+	{
+#if MYSQL_VERSION_ID >= 50534
+
+		if ( Audit_formatter::thd_offsets.stmt_da == 0      ||
+		     Audit_formatter::thd_offsets.da_status == 0    ||
+		     Audit_formatter::thd_offsets.da_sql_errno == 0 )
+		{
+			return false;
+		}
+
+		Diagnostics_area **stmt_da = ((Diagnostics_area **) (((unsigned char *) thd)
+						+ Audit_formatter::thd_offsets.stmt_da));
+
+		enum Diagnostics_area::enum_diagnostics_status *status =
+			((enum Diagnostics_area::enum_diagnostics_status *) (((unsigned char *) (*stmt_da))
+						+ Audit_formatter::thd_offsets.da_status));
+
+		uint *sql_errno = ((uint *) (((unsigned char *) (*stmt_da))
+						+ Audit_formatter::thd_offsets.da_sql_errno));
+
+		if (*status == Diagnostics_area::DA_OK  ||
+			*status == Diagnostics_area::DA_EOF	)
+		{
+			code = 0;
+			return true;
+		}
+		else if (*status == Diagnostics_area::DA_ERROR)
+		{
+			code = *sql_errno;
+			return true;
+		}
+		else // DA_EMPTY, DA_DISABLE
+		{
+			return false;
+		}
+#else
+		return false;
+#endif
+	}
+
 #if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 50709
 	static inline Sql_cmd_uninstall_plugin* lex_sql_cmd(LEX *lex)
 	{
@@ -548,17 +578,28 @@ static inline const CHARSET_INFO * pfs_connect_attrs_cs(void * pfs)
 	// and it may return an invalid value for view_db
 	static inline const char *table_get_db_name(TABLE_LIST *table)
 	{
+#if defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 100307
+		return table->db.str;
+#else
 		return table->db;
+#endif
 	}
 
 	static inline const char *table_get_name(TABLE_LIST *table)
 	{
+#if defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 100307
+		return table->table_name.str;
+#else
 		return table->table_name;
+#endif
 	}
 
 	static inline bool table_is_view(TABLE_LIST *table)
 	{
-		return table->view_tables != 0;
+		if (!Audit_formatter::thd_offsets.view_tables)
+			return table->view_tables != 0;
+		List<TABLE_LIST> **view_tables = (List<TABLE_LIST> **)((char*)table + Audit_formatter::thd_offsets.view_tables);
+		return *view_tables;
 	}
 };
 
@@ -571,14 +612,14 @@ public:
 	static const char *DEF_MSG_DELIMITER;
 
 	Audit_json_formatter()
-		: m_msg_delimiter(NULL),
-		m_write_start_msg(true),
+		: m_write_start_msg(true),
 		m_write_sess_connect_attrs(true),
 		m_write_client_capabilities(false),
 		m_write_socket_creds(true),
-		m_password_mask_regex_preg(NULL),
+		m_perform_password_masking(NULL),
+		m_msg_delimiter(NULL),
 		m_password_mask_regex_compiled(false),
-		m_perform_password_masking(NULL)
+		m_password_mask_regex_preg(NULL)
 	{
 
 	}
@@ -685,8 +726,12 @@ public:
 	static void stop_all();
 
 	Audit_handler() :
-		m_initialized(false), m_enabled(false), m_print_offset_err(true),
-		m_formatter(NULL), m_failed(false), m_log_io_errors(true)
+		m_formatter()
+		,m_initialized()
+		,m_enabled()
+		,m_failed()
+		,m_log_io_errors(true)
+		,m_print_offset_err(true)
 	{
 	}
 
@@ -852,7 +897,10 @@ class Audit_file_handler: public Audit_io_handler {
 public:
 
 	Audit_file_handler() :
-		m_sync_period(0), m_log_file(NULL), m_sync_counter(0), m_bufsize(0)
+		m_sync_period(0)
+		, m_bufsize(0)
+		, m_log_file(NULL)
+		, m_sync_counter(0)
 	{
 		m_io_type = "file";
 	}
@@ -899,7 +947,10 @@ class Audit_socket_handler: public Audit_io_handler {
 public:
 
 	Audit_socket_handler() :
-		m_vio(NULL), m_connect_timeout(1)
+		m_connect_timeout(1)
+		, m_write_timeout()
+		, m_vio()
+		, m_log_with_error_severity()
 	{
 		m_io_type = "socket";
 	}
@@ -922,6 +973,8 @@ public:
 	void close();
 
 	int open(const char *io_dest, bool log_errors);
+
+	unsigned long m_write_timeout; // write timeout in microseconds
 protected:
 	// override default assignment and copy to protect against creating additional instances
 	Audit_socket_handler & operator=(const Audit_socket_handler&);
@@ -930,6 +983,9 @@ protected:
 	// Vio we write to
 	// define as void* so we don't access members directly
 	void *m_vio;
+
+	// log using error severity only the second time same issue occurs
+	bool m_log_with_error_severity;
 };
 
 #endif /* AUDIT_HANDLER_H_ */

include/hot_patch.h

@@ -4,7 +4,6 @@
  *  Created on: Jan 10, 2011
  *      Author: Guyl
  */
-
 #ifndef HOT_PATCH_H_
 #define HOT_PATCH_H_
 
@@ -14,9 +13,14 @@
 
 #define GETPAGESIZE()         sysconf (_SC_PAGE_SIZE)
 
-int hot_patch_function(void* targetFunction, void* newFunction, void* trampolineFunction, unsigned int *trampolinesize, unsigned int *usedsize, bool log_info);
+struct SavedCode {
+    char code [1024];
+    size_t size;
+};
 
-void remove_hot_patch_function(void* targetFunction, void* trampolineFunction, unsigned int trampolinesize, bool log_info);
+int hot_patch_function(void* targetFunction, void* newFunction, void* trampolineFunction, unsigned int *trampolinesize, unsigned int *usedsize, bool log_info, SavedCode* saved_code);
+
+void remove_hot_patch_function(void* targetFunction, void* trampolineFunction, unsigned int trampolinesize, bool log_info, SavedCode* saved_code);
 
 //8KB NOP + 16
 //can be used to define a block of memory to use for trampolines

include/mysql_inc.h

@@ -17,12 +17,6 @@
 #include <my_config.h>
 #include <mysql_version.h>
 
-#if MYSQL_VERSION_ID < 50505
-#include <mysql_priv.h>
-#else
-
-// version 5.5.x doesn't contain mysql_priv.h . We need to add the includes provided by it.
-#if MYSQL_VERSION_ID >= 50505
 
 // These two are not present in 5.7.9
 #if MYSQL_VERSION_ID < 50709
@@ -37,13 +31,44 @@
 #include <mysql/plugin_audit.h>
 #endif
 
+#if defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 100307
+// From MariaDB 10.3 we include macro definitions for items like MY_GNUC_PREREQ
+#include <my_compiler.h>
+#include <my_global.h>
+#endif
+
 #include <sql_parse.h>
 #include <sql_class.h>
+
+#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80019
+#include <mysql/components/services/mysql_connection_attributes_iterator.h>
+#include <mysql/components/my_service.h>
+#include <mysql/service_plugin_registry.h>
+#endif
+
+#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000
+using my_bool = bool;
+#if MYSQL_VERSION_ID < 80012
+#define PLUGIN_VAR_NOSYSVAR 0x0400
+#endif
+#include <sql/item.h>
+#include <sql/log.h>
+#include <sql/log_event.h>
+#include <sql/mysqld.h>
+#include <sql/protocol.h>
+#include <sql/sql_lex.h>
+#else
+#if defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID < 100504
 #include <my_global.h>
+#endif
+typedef struct st_mysql_sys_var SYS_VAR;
+#endif
+
 #include <sql_connect.h>
 #include <sql/sql_base.h>
 #include <sql/sql_table.h>
 #include <sql/sql_view.h>
+#include <sql/sql_error.h>
 
 // TODO: use mysql mutex instead of pthread
 /*
@@ -53,8 +78,6 @@
 #define pthread_mutex_destroy mysql_mutex_destroy
 #define pthread_mutex_t mysql_mutex_t
 */
-#endif /* ! if MYSQL_VERSION_ID >= 50505 */
-#endif /* ! if MYSQL_VERSION_ID < 50505 */
 
 #if MYSQL_VERSION_ID >= 50709
 #include <sql/log.h>
@@ -80,10 +103,7 @@
 # endif
 #endif
 
-// MariaDB doesn't have my_getsystime (returns 100 nano seconds) function. They replaced with my_hrtime_t my_hrtime() which returns microseconds
-#if  defined(MARIADB_BASE_VERSION)
-
-#define my_getsystime() ((my_hrtime()).val * 10)
+#if defined(MARIADB_BASE_VERSION)
 // MariaDB has a kill service that overrides thd_killed as a macro. It also has thd_killed function defined for backwards compatibility, so we redefine it.
 #undef thd_killed
 extern "C" int thd_killed(const MYSQL_THD thd);
@@ -92,12 +112,161 @@ extern "C" int thd_killed(const MYSQL_THD thd);
 #if MYSQL_VERSION_ID >= 100010
 extern "C"  char *thd_security_context(MYSQL_THD thd, char *buffer, unsigned int length, unsigned int max_query_len);
 #endif
-
 #endif
 
-//Define HAVE_SESS_CONNECT_ATTRS. We define it for mysql 5.6 and above
-#if (!defined(MARIADB_BASE_VERSION)) && MYSQL_VERSION_ID >= 50600
+//Define HAVE_SESS_CONNECT_ATTRS. We define it for mysql 5.6 and above and MariaDB 10.0 and above
+#if MYSQL_VERSION_ID >= 50600
 #define HAVE_SESS_CONNECT_ATTRS 1
 #endif
+#include <storage/perfschema/pfs_instr.h>
+
+
+#if defined(MARIADB_BASE_VERSION) || MYSQL_VERSION_ID < 80000
+#include <dlfcn.h>
+#endif
+
+namespace compat {
+/*************************/
+/*     my_getsystime     */
+/*************************/
+#if  defined(MARIADB_BASE_VERSION)
+// MariaDB doesn't have my_getsystime (returns 100 nano seconds) function. They replaced with my_hrtime_t my_hrtime() which returns microseconds
+static inline unsigned long long int my_getsystime() { return (my_hrtime()).val * 10; }
+#elif MYSQL_VERSION_ID < 80000
+static inline unsigned long long int my_getsystime() { return ::my_getsystime(); }
+#else
+static inline unsigned long long int my_getsystime() {
+#ifdef HAVE_CLOCK_GETTIME
+  // Performance regression testing showed this to be preferable
+  struct timespec tp;
+  clock_gettime(CLOCK_REALTIME, &tp);
+  return (static_cast<unsigned long long int>(tp.tv_sec) * 10000000 +
+          static_cast<unsigned long long int>(tp.tv_nsec) / 100);
+#else
+  return std::chrono::duration_cast<
+             std::chrono::duration<std::int64_t, std::ratio<1, 10000000>>>(
+             UTC_clock::now().time_since_epoch())
+      .count();
+#endif /* HAVE_CLOCK_GETTIME */
+}
+#endif
+
+/*********************************************/
+/*   vio_socket_connect                      */
+/*********************************************/
+#if MYSQL_VERSION_ID >= 50600
+#ifndef MYSQL_VIO
+#define MYSQL_VIO Vio*
+#endif
+#if defined(MARIADB_BASE_VERSION) || MYSQL_VERSION_ID < 80000
+static inline bool vio_socket_connect(MYSQL_VIO vio, struct sockaddr *addr, socklen_t len, int timeout)
+{
+    return ::vio_socket_connect(vio, addr, len, timeout);
+}
+#else
+/*********************************************/
+/*                                           */
+/*  resolve the symbols manually to permit   */
+/*  loading of the plugin in their absence   */
+/*                                           */
+/*********************************************/
+extern bool (*_vio_socket_connect)(MYSQL_VIO vio, struct sockaddr *addr, socklen_t len, int timeout);
+extern bool (*_vio_socket_connect_80016)(MYSQL_VIO vio, struct sockaddr *addr, socklen_t len, bool nonblocking, int timeout);
+extern bool (*_vio_socket_connect_80020)(MYSQL_VIO vio, struct sockaddr *addr, socklen_t len, bool nonblocking, int timeout, bool *connect_done);
+
+static inline bool vio_socket_connect(MYSQL_VIO vio, struct sockaddr *addr, socklen_t len, int timeout)
+{
+    if (_vio_socket_connect) return _vio_socket_connect(vio, addr, len, timeout);
+    if (_vio_socket_connect_80016) return _vio_socket_connect_80016(vio, addr, len, false, timeout);
+    if (_vio_socket_connect_80020) return _vio_socket_connect_80020(vio, addr, len, false, timeout, nullptr);
+    return true;
+}
+
+static inline bool init_vio_socket_connect()
+{
+    void* handle = dlopen(NULL, RTLD_LAZY);
+    if (!handle)
+        return false;
+    _vio_socket_connect = (decltype(_vio_socket_connect))dlsym(handle, "_Z18vio_socket_connectP3VioP8sockaddrji");
+    _vio_socket_connect_80016 = (decltype(_vio_socket_connect_80016))dlsym(handle, "_Z18vio_socket_connectP3VioP8sockaddrjbi");
+    _vio_socket_connect_80020 = (decltype(_vio_socket_connect_80020))dlsym(handle, "_Z18vio_socket_connectP3VioP8sockaddrjbiPb");
+    dlclose(handle);
+    return _vio_socket_connect || _vio_socket_connect_80016 || _vio_socket_connect_80020;
+}
+
+extern const std::string & (*_str_session_80026)(int cmd);
+extern const LEX_STRING *_command_name;
+
+static inline const char* str_session(int cmd)
+{
+    if (_str_session_80026) return _str_session_80026(cmd).c_str();
+    if (_command_name) return _command_name[cmd].str;
+    return "";
+}
+
+static inline bool init_str_session()
+{
+    void* handle = dlopen(NULL, RTLD_LAZY);
+    if (!handle)
+        return false;
+    _command_name = (decltype(_command_name))dlsym(handle, "command_name");
+    _str_session_80026 = (decltype(_str_session_80026))dlsym(handle, "_ZN13Command_names11str_sessionE19enum_server_command");
+    dlclose(handle);
+    return _command_name || _str_session_80026;
+}
+#endif
+#endif
+
+/*********************************************/
+/*      PFS_thread::get_current_thread       */
+/*********************************************/
+#if defined(HAVE_SESS_CONNECT_ATTRS) && defined(MARIADB_BASE_VERSION)
+typedef const ::PFS_thread* (*pfs_thread_t)();
+extern pfs_thread_t _pfs_thread_get_current_thread;
+extern PSI_v1* _psi_interface;
+namespace PFS_thread  {
+static inline const ::PFS_thread* get_current_thread()
+{
+    // Try PFS_thread and PSI_hook when MariaDB
+    if (_pfs_thread_get_current_thread) return _pfs_thread_get_current_thread();
+    if (_psi_interface) return (::PFS_thread*)_psi_interface->get_thread();
+    return NULL;
+}
+}
+static inline bool init_PFS_thread_get_current_thread()
+{
+    // obtain the PFS_thread::get_current_thread() address if it is exported
+    void* handle = dlopen(NULL, RTLD_LAZY);
+    if (handle) {
+        _pfs_thread_get_current_thread = (pfs_thread_t)dlsym(handle, "_ZN10PFS_thread18get_current_threadEv");
+        dlclose(handle);
+    }
+    // obtain the PSI interface address
+    if (PSI_hook)
+        _psi_interface = (PSI_v1*)PSI_hook->get_interface(PSI_VERSION_1);
+    if (!_pfs_thread_get_current_thread && !_psi_interface)
+        sql_print_information("Failed to initialize Performance Schema. 'osuser' and 'appname' will not be avalilable.");
+    return true;
+}
+#elif defined(HAVE_SESS_CONNECT_ATTRS)
+namespace PFS_thread  {
+static inline const ::PFS_thread* get_current_thread()
+{
+    // Use PFS_thread when MySQL
+    return ::PFS_thread::get_current_thread();
+}
+}
+#endif
+static inline bool init()
+{
+#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000
+    return init_vio_socket_connect() && init_str_session();
+#elif defined(HAVE_SESS_CONNECT_ATTRS) && defined(MARIADB_BASE_VERSION)
+    return init_PFS_thread_get_current_thread();
+#else
+    return true;
+#endif
+}
+}
 
 #endif // MYSQL_INCL_H

offset-extract/offset-extract.sh

@@ -32,7 +32,7 @@ DB=db
 CLIENT_CAPS="print_offset THD client_capabilities"
 
 # In 5.6 command member is named m_command
-if echo $MYVER | grep -P '^(5\.6|5\.7|10\.)' > /dev/null
+if echo $MYVER | grep -P '^(5\.6|5\.7|8\.|10\.)' > /dev/null
 then
 	COMMAND_MEMBER=m_command
 	HAS_CONNECT_ATTRS=yes
@@ -40,7 +40,7 @@ fi
 
 CONNECT_ATTRS_CS=m_session_connect_attrs_cs
 # In 5.7 thread_id changed to m_thread_id. main_security_ctx changed to m_main_security_ctx
-if echo $MYVER | grep -P '^(5\.7)' > /dev/null
+if echo $MYVER | grep -P '^(5\.7|8\.)' > /dev/null
 then
 	THREAD_ID=m_thread_id
 	SEC_CONTEXT=m_main_security_ctx
@@ -59,7 +59,7 @@ fi
 
 # In 5.6.15 and up, 5.7 and mariabdb 10.0.11 and up, mariadb 10.1 
 # m_session_connect_attrs_cs changed to m_session_connect_attrs_cs_number
-if echo $MYVER | grep -P '^(5\.7|10\.1|5\.6\.(1[5-9]|[2-9][0-9])|10.0.(1[1-9]|[2-9][0-9]))' > /dev/null
+if echo $MYVER | grep -P '^(5\.7|8\.|10\.[1-5]|5\.6\.(1[5-9]|[2-9][0-9])|10.0.(1[1-9]|[2-9][0-9]))' > /dev/null
 then
 	CONNECT_ATTRS_CS=m_session_connect_attrs_cs_number
 fi
@@ -75,7 +75,7 @@ else
 	CONNECT_ATTRS='printf ", 0, 0, 0"'
 fi
 
-if echo $MYVER | grep -P '^5\.7' > /dev/null
+if echo $MYVER | grep -P '^(5\.7|8\.0)' > /dev/null
 then
 	if echo $MYVER | grep -P '^5\.7\.8' > /dev/null
 	then
@@ -110,6 +110,37 @@ else
 	LEX_SQL='printf ", 0, 0"'
 fi
 
+# Exit status info 5.5, 5.6, 5.7
+DA_STATUS="print_offset Diagnostics_area m_status"		# 5.5, 5.6, 5.7, mariadb 10.0 to 10.5
+DA_SQL_ERRNO="print_offset Diagnostics_area m_sql_errno"	# 5.5, 5.6, mariadb 10.0 to 10.5
+STMT_DA="print_offset THD m_stmt_da"				# 5.6, 5.7, mariadb 10.0 to 10.5
+
+if echo $MYVER | grep -P '^(5\.7|8\.0)' > /dev/null
+then
+	DA_SQL_ERRNO="print_offset Diagnostics_area m_mysql_errno"
+elif echo $MYVER | grep -P '^(5\.6|10\.)' > /dev/null
+then
+	: place holder
+elif echo $MYVER | grep -P '^(5\.5)' > /dev/null
+then
+	STMT_DA="print_offset THD stmt_da"
+else
+	STMT_DA='printf ", 0"'
+	DA_STATUS='printf ", 0"'
+	DA_SQL_ERRNO='printf ", 0"'
+fi
+
+LEX_COMMENT=""
+VIEW_TABLES=""
+if echo $MYVER | grep -P '^(8\.0)' > /dev/null
+then
+	LEX_COMMENT='printf ", 0"'
+	VIEW_TABLES="print_offset TABLE_LIST view_tables"
+else
+	LEX_COMMENT="print_offset LEX comment"
+	VIEW_TABLES='printf ", 0"'
+fi
+
 cat <<EOF > offsets.gdb
 set logging on
 set width 0
@@ -122,7 +153,7 @@ print_offset THD $THREAD_ID
 print_offset THD $SEC_CONTEXT
 print_offset THD $COMMAND_MEMBER
 print_offset THD lex
-print_offset LEX comment
+$LEX_COMMENT
 print_offset Security_context $USER
 print_offset Security_context $HOST
 print_offset Security_context $IP
@@ -136,6 +167,10 @@ $LEX_SQL
 $FOUND_ROWS
 $SENT_ROW_COUNT
 $ROW_COUNT_FUNC
+$STMT_DA
+$DA_STATUS
+$DA_SQL_ERRNO
+$VIEW_TABLES
 printf "}"
 EOF
 

plugin-name.txt

@@ -0,0 +1,54 @@
+Mon, Apr 11, 2022 10:48:38 AM
+=============================
+
+By default, the Trellix AUDIT plugin for MySQL* is named "AUDIT" and
+that is the name you should use when installing the plugin with the SQL
+"INSTALL PLUGIN" command.
+
+It is the "AUDIT" name that provides the "audit_" prefix to the plugin's
+various configuration variables.
+
+In order to avoid conflict with other vendors' auditing plugins whose
+names may start with "audit" (such as MySQL's "audit_log" plugin) it
+is possible to change the name of the Trellix plugin.  The steps are
+as follows:
+
+1. If you're currently using the Trellix plugin, unload it.
+
+2. Edit the /usr/bin/mysqld_safe shell script (using the correct location
+for your system). For MySQL 5.7.9, look for the eval_log_error() function.
+Before the line that says:
+
+	eval "$cmd"
+
+add a line like this:
+
+	export MCAFEE_AUDIT_PLUGIN_NAME=TRELLIX # use any name you want
+
+You can use any name you like, "TRELLIX" is just an example.
+
+For other MySQL versions, determine where the mysqld daemon is actually
+started, and set the environment variable right before that.
+
+3. After restarting MySQL, you will need to load the plugin using the
+new name. From the MySQL client:
+
+	install plugin TRELLIX soname 'libaudit_plugin.so';
+
+and/or from /etc/my.cnf:
+
+	[mysqld]
+	plugin-load=TRELLIX=libaudit_plugin.so
+
+Once you've done that, you must remember that the names of ALL the
+configuration variables will start with the lowercase version of the
+name you've chosen. For example, "trellix_json_log_file" instead of
+"audit_json_log_file".
+
+If you previously had various "audit_XXX" variables set in your
+/etc/my.cnf file, you will need to rename them! Otherwise MySQL will
+fail to start, with an error about unknown variables.
+
+That's it!  Good luck.
+
+* Other trademarks and brands may be claimed as the property of others.

src/Makefile.am

@@ -24,7 +24,11 @@ pkgplugin_LTLIBRARIES =	libaudit_plugin.la
 
 libaudit_plugin_la_DEPENDENCIESADD = pcre
 
-libaudit_plugin_la_LDFLAGS =	-module -Wl,--version-script=MySQLPlugin.map 
+if ENABLE_MARIADB_SYMBOLS
+libaudit_plugin_la_LDFLAGS =	-module -Wl,--version-script=MariadbPlugin.map
+else
+libaudit_plugin_la_LDFLAGS =	-module -Wl,--version-script=MySQLPlugin.map
+endif 
 
 libaudit_plugin_la_SOURCES =	hot_patch.cc audit_offsets.cc audit_plugin.cc audit_handler.cc md5.cc
 

src/MariadbPlugin.map

@@ -0,0 +1,13 @@
+{
+	global:
+		_mysql_plugin_declarations_;
+		_mysql_plugin_interface_version_;
+		_mysql_sizeof_struct_st_plugin_;
+		_maria_plugin_declarations_;
+		_maria_plugin_interface_version_;
+		_maria_sizeof_struct_st_plugin_;
+		audit_plugin_so_init;
+		thd_alloc_service;
+
+	local: *;
+};

src/audit_handler.cc

@@ -27,6 +27,11 @@
 #include <unistd.h>
 #include "static_assert.h"
 
+#if MYSQL_VERSION_ID < 50600
+// for 5.5 and 5.1
+extern "C" void vio_timeout(Vio *vio,uint which, uint timeout);
+#endif
+
 // utility macro to log also with a date as a prefix
 // FIXME: This is no longer used. Remove?
 #define log_with_date(f, ...) do {\
@@ -111,6 +116,49 @@ const char *Audit_formatter::retrieve_object_type(TABLE_LIST *pObj)
 	return "TABLE";
 }
 
+// This routine used to pull the client port out of the thd->net->vio->remote
+// object, but on MySQL 5.7 the port is zero.  So we resort to getting the
+// underlying fd and using getpeername(2) on it.
+
+int Audit_formatter::thd_client_port(THD *thd)
+{
+	int port = -1;
+	int sock = thd_client_fd(thd);
+
+	if (sock < 0)
+	{
+		return port;	// shouldn't happen
+	}
+
+	struct sockaddr_storage addr;
+	socklen_t len = sizeof(addr);
+
+	// get port of the guy on the other end of our connection
+	if (getpeername(sock, (struct sockaddr *) & addr, & len) < 0)
+	{
+		return port;
+	}
+
+
+	if (addr.ss_family == AF_INET)
+	{
+		struct sockaddr_in *sin = (struct sockaddr_in *) & addr;
+		port = ntohs(sin->sin_port);
+	}
+	else
+	{
+		struct sockaddr_in6 *sin = (struct sockaddr_in6 *) & addr;
+		port = ntohs(sin->sin6_port);
+	}
+
+	if (port == 0)	// shouldn't happen
+	{
+		port = -1;
+	}
+
+	return port;
+}
+
 void Audit_handler::stop_all()
 {
 	for (size_t i = 0; i < MAX_AUDIT_HANDLERS_NUM; ++i)
@@ -460,19 +508,51 @@ int Audit_socket_handler::open(const char *io_dest, bool log_errors)
 				m_connect_timeout))
 #else
 	// in 5.6 timeout is in ms
-	if (vio_socket_connect((Vio*)m_vio,(struct sockaddr *) &UNIXaddr, sizeof(UNIXaddr),
+	if (compat::vio_socket_connect((Vio*)m_vio,(struct sockaddr *) &UNIXaddr, sizeof(UNIXaddr),
 				m_connect_timeout * 1000))
 #endif
 	{
 		if (log_errors)
+		{
+			sql_print_warning(
+				"%s unable to connect to socket: %s. err: %s.",
+				AUDIT_LOG_PREFIX, m_io_dest, strerror(errno));
+
+			// The next time this occurs, log as an error
+			m_log_with_error_severity = true;
+		}
+		// Only if issue persist also in second retry, report it by using 'error' severity.
+		else if (m_log_with_error_severity)
 		{
 			sql_print_error(
 				"%s unable to connect to socket: %s. err: %s.",
 				AUDIT_LOG_PREFIX, m_io_dest, strerror(errno));
+
+			m_log_with_error_severity = false;
 		}
+
 		close();
 		return -2;
 	}
+
+	// At this point, connected successfully.
+	// Ensure same behavior in case first time failed but second retry was successful
+	m_log_with_error_severity = false;
+
+	if (m_write_timeout > 0)
+	{
+		int timeout = m_write_timeout / 1000;	// milliseconds to seconds, integer dvision
+		if (timeout == 0)
+		{
+			timeout = 1;	// round up to 1 second
+		}
+		// we don't check the result of this call since in earlier
+		// versions it returns void
+		//
+		// 1 as the 2nd argument means write timeout
+		vio_timeout((Vio*)m_vio, 1, timeout);
+	}
+
 	return 0;
 }
 
@@ -505,7 +585,7 @@ static void yajl_add_uint64(yajl_gen gen, const char *name, uint64 num)
 {
 	const size_t max_int64_str_len = 21;
 	char buf[max_int64_str_len];
-	snprintf(buf, max_int64_str_len, "%llu", num);
+	snprintf(buf, max_int64_str_len, "%llu", (unsigned long long)num);
 	yajl_add_string_val(gen, name, buf);
 }
 
@@ -542,8 +622,11 @@ static const char *retrieve_user(THD *thd)
 // starting with MySQL version 5.1.41 thd_query_string is added
 // And at 5.7 it changed
 #if ! defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 50709
-
+#if MYSQL_VERSION_ID >= 80000
+extern LEX_CSTRING thd_query_unsafe(MYSQL_THD thd);
+#else
 extern "C" LEX_CSTRING thd_query_unsafe(MYSQL_THD thd);
+#endif
 
 static const char *thd_query_str(THD *thd, size_t *len)
 {
@@ -614,9 +697,9 @@ ssize_t Audit_json_formatter::start_msg_format(IWriter *writer)
 	yajl_gen gen = yajl_gen_alloc(NULL);
 	yajl_gen_map_open(gen);
 	yajl_add_string_val(gen, "msg-type", "header");
-	uint64 ts = my_getsystime() / (10000);
+	uint64 ts = compat::my_getsystime() / (10000);
 	yajl_add_uint64(gen, "date", ts);
-	yajl_add_string_val(gen, "audit-version", MYSQL_AUDIT_PLUGIN_VERSION"-"MYSQL_AUDIT_PLUGIN_REVISION);
+	yajl_add_string_val(gen, "audit-version", MYSQL_AUDIT_PLUGIN_VERSION "-" MYSQL_AUDIT_PLUGIN_REVISION);
 	yajl_add_string_val(gen, "audit-protocol-version", AUDIT_PROTOCOL_VERSION);
 	yajl_add_string_val(gen, "hostname", glob_hostname);
 	yajl_add_string_val(gen, "mysql-version", server_version);
@@ -676,8 +759,7 @@ static const char *replace_in_string(THD *thd,
 }
 
 #ifdef HAVE_SESS_CONNECT_ATTRS
-#include <storage/perfschema/pfs_instr.h>
-
+#if MYSQL_VERSION_ID < 80000
 //declare the function: parse_length_encoded_string from: storage/perfschema/table_session_connect.cc
 bool parse_length_encoded_string(const char **ptr,
 	char *dest, uint dest_size,
@@ -687,13 +769,105 @@ bool parse_length_encoded_string(const char **ptr,
 	const CHARSET_INFO *from_cs,
 	uint nchars_max);
 
+#else
+// the function is not exported in MySQL 8 and neither in MariaDB
+/**
+  Take a length encoded string
+
+  @arg ptr  inout       the input string array
+  @arg dest             where to store the result
+  @arg dest_size        max size of @c dest
+  @arg copied_len       the actual length of the data copied
+  @arg start_ptr        pointer to the start of input
+  @arg input_length     the length of the incoming data
+  @arg from_cs          character set in which @c ptr is encoded
+  @arg nchars_max       maximum number of characters to read
+  @return status
+    @retval true    parsing failed
+    @retval false   parsing succeeded
+*/
+static bool parse_length_encoded_string(
+    const char **ptr
+    ,char *dest
+    ,uint dest_size
+    ,uint *copied_len
+    ,const char *start_ptr
+    ,uint input_length
+    ,bool /* unused */
+    ,const CHARSET_INFO *from_cs
+    ,uint nchars_max
+)
+{
+  ulong copy_length, data_length;
+
+  copy_length = data_length = net_field_length((uchar **)ptr);
+
+  /* we don't tolerate NULL as a length */
+  if (data_length == NULL_LENGTH) {
+    return true;
+  }
+
+  if (*ptr - start_ptr + data_length > input_length) {
+    return true;
+  }
+
+#if defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 100504
+  String_copier copier;
+  copy_length = copier.well_formed_copy(
+      &my_charset_utf8mb3_bin
+    , dest
+    , dest_size
+    , from_cs
+    , *ptr
+    , data_length
+    , nchars_max
+  );
+#elif defined(MARIADB_BASE_VERSION) && ( MYSQL_VERSION_ID >= 100104 && MYSQL_VERSION_ID < 100504 )
+  String_copier copier;
+  copy_length = copier.well_formed_copy(
+      &my_charset_utf8_bin
+    , dest
+    , dest_size
+    , from_cs
+    , *ptr
+    , data_length
+    , nchars_max
+  );
+#else
+  /*
+    TODO: Migrate the data itself to UTF8MB4,
+    this is still UTF8MB3 printed in a UTF8MB4 column.
+  */
+  const char *well_formed_error_pos = NULL, *cannot_convert_error_pos = NULL,
+             *from_end_pos = NULL;
+  copy_length = well_formed_copy_nchars(
+      &my_charset_utf8_bin
+    , dest
+    , dest_size
+    , from_cs
+    , *ptr
+    , data_length
+    , nchars_max
+    , &well_formed_error_pos
+    , &cannot_convert_error_pos
+    , &from_end_pos
+  );
+ #endif
+  *copied_len = copy_length;
+  (*ptr) += data_length;
+
+  return false;
+}
+#endif
 /**
  * Code based upon read_nth_attribute of storage/perfschema/table_session_connect.cc
  * Only difference we do once loop and write out the attributes
  */ 
 static void log_session_connect_attrs(yajl_gen gen, THD *thd)
 {
-	PFS_thread * pfs = PFS_thread::get_current_thread();
+	const PFS_thread * pfs = compat::PFS_thread::get_current_thread();
+	if (!pfs)
+		return;
 	const char * connect_attrs = Audit_formatter::pfs_connect_attrs(pfs);
 	const uint connect_attrs_length = Audit_formatter::pfs_connect_attrs_length(pfs);
 	const CHARSET_INFO *connect_attrs_cs = Audit_formatter::pfs_connect_attrs_cs(pfs);  
@@ -702,9 +876,10 @@ static void log_session_connect_attrs(yajl_gen gen, THD *thd)
 	const uint max_idx = 32;
 	uint idx;
 	const char *ptr;  
-	bool array_start = false;
+	// bool array_start = false;
 	if(!connect_attrs || !connect_attrs_length || !connect_attrs_cs)
 	{
+		sql_print_information("%s Failed to compute offsets connect_attrs. pfs [%p], connect_attrs [%p], connect_attrs_length [%d], connect_attrs_cs [%p]", AUDIT_LOG_PREFIX, pfs, connect_attrs, connect_attrs_length, connect_attrs_cs);
 		//either offsets are wrong or not set
 		return;
 	}
@@ -732,6 +907,7 @@ static void log_session_connect_attrs(yajl_gen gen, THD *thd)
 					connect_attrs_cs, MAX_COPY_CHARS_NAME) || !copy_length)
 		{
 			//something went wrong or we are done
+			// sql_print_information("%s something went wrong or we are done 1", AUDIT_LOG_PREFIX);
 			break;
 		}
 
@@ -745,23 +921,14 @@ static void log_session_connect_attrs(yajl_gen gen, THD *thd)
 					fill_in_attr_value,
 					connect_attrs_cs, MAX_COPY_CHARS_VAL) || !copy_length)
 		{
+			// sql_print_information("%s something went wrong or we are done 2", AUDIT_LOG_PREFIX);
 			break;
 		}          
 		attr_value_length= copy_length;
-		if(!array_start)
-		{
-			yajl_add_string(gen, "connect_attrs");
-			yajl_gen_map_open(gen);
-			array_start = true;
-		}
 		yajl_gen_string(gen, (const unsigned char*)attr_name, attr_name_length);
 		yajl_gen_string(gen, (const unsigned char*)attr_value, attr_value_length);
 
 	} //close for loop
-	if(array_start)
-	{
-		yajl_gen_map_close(gen);
-	}
 	return;
 }
 #endif
@@ -781,7 +948,7 @@ ssize_t Audit_json_formatter::event_format(ThdSesData *pThdData, IWriter *writer
 	// TODO: get the start date from THD (but it is not in millis. Need to think about how we handle this)
 	// for now simply use the current time.
 	// my_getsystime() time since epoc in 100 nanosec units. Need to devide by 1000*(1000/100) to reach millis
-	uint64 ts = my_getsystime() / (10000);
+	uint64 ts = compat::my_getsystime() / (10000);
 	yajl_add_uint64(gen, "date", ts);
 	yajl_add_uint64(gen, "thread-id", thdid);
 	yajl_add_uint64(gen, "query-id", qid);
@@ -848,7 +1015,12 @@ ssize_t Audit_json_formatter::event_format(ThdSesData *pThdData, IWriter *writer
 	         (strcasestr(cmd, "select") != NULL && thd_row_count_func(thd) > 0))
 	{
 		// m_row_count_func will be -1 for most selects but can be > 0, e.g. select into file
-		rows = thd_row_count_func(thd);
+		// thd_row_count_func() returns signed valiue. Don't assign it to rows directly.
+		longlong row_count = thd_row_count_func(thd);
+		if (row_count > 0)
+		{
+			rows = row_count;
+		}
 	}
 	else
 	{
@@ -860,6 +1032,12 @@ ssize_t Audit_json_formatter::event_format(ThdSesData *pThdData, IWriter *writer
 		yajl_add_uint64(gen, "rows", rows);
 	}
 
+	uint code;
+	if (pThdData->getErrorCode(code))
+	{
+		yajl_add_uint64(gen, "status", code); // 0 - success, otherwise reports specific errno
+	}
+
 	yajl_add_string_val(gen, "cmd", cmd);
 
 	// get objects
@@ -895,7 +1073,11 @@ ssize_t Audit_json_formatter::event_format(ThdSesData *pThdData, IWriter *writer
 		const char *query_text = query;
 		size_t query_len = qlen;
 
+#if defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 100603
+		if (strcmp(col_connection->cs_name.str, "utf8") != 0)
+#else
 		if (strcmp(col_connection->csname, "utf8") != 0)
+#endif
 		{
 			// max UTF-8 bytes per char is 4.
 			size_t to_amount = (qlen * 4) + 1;
@@ -904,7 +1086,11 @@ ssize_t Audit_json_formatter::event_format(ThdSesData *pThdData, IWriter *writer
 			uint errors = 0;
 
 			size_t len = copy_and_convert(to, to_amount,
+#if defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 100504
+					&my_charset_utf8mb3_general_ci,
+#else
 					&my_charset_utf8_general_ci,
+#endif
 					query, qlen,
 					col_connection, & errors);
 
@@ -986,10 +1172,19 @@ ssize_t Audit_json_formatter::event_format(ThdSesData *pThdData, IWriter *writer
 }
 
 ThdSesData::ThdSesData(THD *pTHD, StatementSource source)
-      : m_pThd (pTHD), m_CmdName(NULL), m_UserName(NULL),
-        m_objIterType(OBJ_NONE), m_tables(NULL), m_firstTable(true),
-        m_tableInf(NULL), m_index(0), m_isSqlCmd(false),
-	m_port(-1), m_source(source)
+      : m_pThd (pTHD)
+      , m_CmdName()
+      , m_UserName()
+      , m_isSqlCmd()
+      , m_objIterType(OBJ_NONE)
+      , m_tables()
+      , m_firstTable(true)
+      , m_tableInf()
+      , m_index()
+      , m_source(source)
+      , m_port(-1)
+      , m_errorCode()
+      , m_setErrorCode()
 {
 	m_CmdName = retrieve_command (m_pThd, m_isSqlCmd);
 	m_UserName = retrieve_user (m_pThd);
@@ -1002,6 +1197,15 @@ ThdSesData::ThdSesData(THD *pTHD, StatementSource source)
 	}
 }
 
+void ThdSesData::storeErrorCode()
+{
+	uint code = 0;
+	if (Audit_formatter::thd_error_code(m_pThd, code))
+	{
+		setErrorCode(code);
+	}
+}
+
 bool ThdSesData::startGetObjects()
 {
 	// reset vars as this may be called multiple times
@@ -1009,15 +1213,17 @@ bool ThdSesData::startGetObjects()
 	m_tables = NULL;
 	m_firstTable = true;
 	m_index = 0;
-	m_tableInf = Audit_formatter::getQueryCacheTableList1(getTHD());
 	int command = Audit_formatter::thd_inst_command(getTHD());
 	LEX *pLex = Audit_formatter::thd_lex(getTHD());
+#if defined(MARIADB_BASE_VERSION) || MYSQL_VERSION_ID < 80000
 	// query cache case
+	m_tableInf = Audit_formatter::getQueryCacheTableList1(getTHD());
 	if (pLex && command == COM_QUERY && m_tableInf && m_tableInf->num_of_elem > 0)
 	{
 		m_objIterType = OBJ_QUERY_CACHE;
 		return true;
 	}
+#endif
 	const char *cmd = getCmdName();
 	// commands which have single database object
 	if (strcmp(cmd,"Init DB") == 0

src/hot_patch.cc

@@ -228,7 +228,7 @@ static void WriteJump32(void *pAddress, ULONG_PTR JumpTo)
 // Hooks a function
 //
 static bool HookFunction(ULONG_PTR targetFunction, ULONG_PTR newFunction, ULONG_PTR trampolineFunction,
-	unsigned int *trampolinesize, unsigned int *usedsize)
+    unsigned int *trampolinesize, unsigned int *usedsize, SavedCode* saved_code)
 {
 #define MAX_INSTRUCTIONS 100
 	uint8_t raw[MAX_INSTRUCTIONS];
@@ -293,6 +293,9 @@ static bool HookFunction(ULONG_PTR targetFunction, ULONG_PTR newFunction, ULONG_
 				ud_obj.operand[0].type == UD_OP_JIMM)
 		{
 			bool cannot_disassemble = true;
+            sql_print_information("ud_obj.mnemonic == UD_Ijmp: %d", ud_obj.mnemonic == UD_Ijmp);
+            sql_print_information("ud_obj.mnemonic == UD_Icall: %d", ud_obj.mnemonic == UD_Icall);
+            sql_print_information("ud_obj.operand[0].type == UD_OP_JIMM: %d", ud_obj.operand[0].type == UD_OP_JIMM);
 
 #ifdef __i386__
 			const BYTE *pc = (const BYTE *)targetFunction + InstrSize;
@@ -324,7 +327,59 @@ static bool HookFunction(ULONG_PTR targetFunction, ULONG_PTR newFunction, ULONG_
 					cannot_disassemble = false;
 				}
 			}
+            sql_print_error("in __i386__");
 
+#else
+            // If there is a relative jump or call in the to be overwritten chunk,
+            // construct an absolute jump/call in the trampoline.
+#ifdef __x86_64__
+            sql_print_information("__x86_64__");
+#endif
+            if (ud_obj.operand[0].type == UD_OP_JIMM && (ud_obj.mnemonic == UD_Ijmp || ud_obj.mnemonic == UD_Icall)) {
+                // jump or call
+                size_t rewrite_size = 0;
+                switch (ud_obj.mnemonic) {
+                case UD_Ijmp:
+                    sql_print_information("rewriting relative jump as absolute");
+                    memcpy((void*)(trampolineFunction + uCurrentSize), "\xff\x25\x00\x00\x00\x00", 6);  // jmpq *0x0(%rip)
+                    rewrite_size = 6;
+                    break;
+                case UD_Icall:
+                    sql_print_information("rewriting relative call as absolute");
+                    memcpy((void*)(trampolineFunction + uCurrentSize),     "\xff\x15\x02\x00\x00\x00", 6);  // callq *0x2(%rip)  -- call the function via the address stored at RIP+2
+                    memcpy((void*)(trampolineFunction + uCurrentSize + 6), "\xeb\x08", 2);                  // jmp   0x08        -- jump over the function address (8 bytes forward)
+                    rewrite_size = 8;
+                    break;
+                default:
+                    break;
+                }
+
+                // calculate the jump target from the instruction pointer and the immediate operand
+                unsigned long jump_target = ud_obj.pc;
+                switch (ud_obj.operand[0].size) {
+                case 8:
+                    jump_target += ud_obj.operand[0].lval.sbyte;
+                    break;
+                case 16:
+                    jump_target += ud_obj.operand[0].lval.sword;
+                    break;
+                case 32:
+                    jump_target += ud_obj.operand[0].lval.sdword;
+                    break;
+                }
+                memcpy((void*)(trampolineFunction + uCurrentSize + rewrite_size), &jump_target, 8);
+                rewrite_size += 8;
+
+                // update the indexes
+                uCurrentSize += rewrite_size;
+                InstrSize += ud_insn_len (&ud_obj);
+
+                // clear the flag
+                cannot_disassemble = false;
+
+                sql_print_information("target address: [0x%016lx]", jump_target);
+                sql_print_information("original instruction: [%s]", ud_insn_asm(&ud_obj));
+            }
 #endif
 			if (cannot_disassemble)
 			{
@@ -381,8 +436,17 @@ static bool HookFunction(ULONG_PTR targetFunction, ULONG_PTR newFunction, ULONG_
 		return false;
 	}
 
-	WriteJump((BYTE*)trampolineFunction + uCurrentSize, targetFunction + InstrSize);
+    // Save the original code that is going to be overwitten by the jump.
+    // The code in the trampoline can be larger due to rewriting of RIP
+    // relative instructions and unsuitable for writting back on unhook.
+    memcpy(saved_code->code, (void*)targetFunction, InstrSize);
+    saved_code->size = InstrSize;
+
+    // jump from trampoline back to continue the original function
+    WriteJump((BYTE*)trampolineFunction + uCurrentSize, targetFunction + InstrSize);
 	*usedsize = uCurrentSize + JUMP_SIZE;
+
+    // jump from the begin of the original function to our function
 #ifndef __x86_64__
 	WriteJump((void *) targetFunction, newFunction);
 #else
@@ -411,7 +475,7 @@ static bool HookFunction(ULONG_PTR targetFunction, ULONG_PTR newFunction, ULONG_
 //
 
 
-static void UnhookFunction(ULONG_PTR Function, ULONG_PTR trampolineFunction, unsigned int trampolinesize)
+static void UnhookFunction(ULONG_PTR Function, ULONG_PTR trampolineFunction, unsigned int trampolinesize, SavedCode* saved_code)
 {
 	DATATYPE_ADDRESS FunctionPage = get_page_address((void*)Function);
 	if (unprotect((void*)FunctionPage, PAGE_SIZE) != 0)
@@ -421,7 +485,7 @@ static void UnhookFunction(ULONG_PTR Function, ULONG_PTR trampolineFunction, uns
 				log_prefix, (void *) FunctionPage);
 		return;
 	}
-	memcpy((void *) Function, (void*)trampolineFunction,trampolinesize);
+    memcpy((void *) Function, saved_code->code, saved_code->size);
 	protect((void*)FunctionPage, PAGE_SIZE);
 }
 
@@ -442,12 +506,12 @@ static void UnhookFunction(ULONG_PTR Function, ULONG_PTR trampolineFunction, uns
  * @Return 0 on success otherwise failure
  * @See MS Detours paper: http:// research.microsoft.com/pubs/68568/huntusenixnt99.pdf for some background info.
  */
-int hot_patch_function(void *targetFunction, void *newFunction, void *trampolineFunction, unsigned int *trampolinesize, unsigned int *usedsize, bool info_print)
+int hot_patch_function(void *targetFunction, void *newFunction, void *trampolineFunction, unsigned int *trampolinesize, unsigned int *usedsize, bool info_print, SavedCode* saved_code)
 {
 	DATATYPE_ADDRESS trampolinePage = get_page_address(trampolineFunction);
 	cond_info_print(info_print, "%s hot patching function: %p, trampolineFunction: %p trampolinePage: %p",log_prefix, (void *)targetFunction, (void *)trampolineFunction, (void *)trampolinePage);
 	if (HookFunction((ULONG_PTR) targetFunction, (ULONG_PTR) newFunction,
-				(ULONG_PTR) trampolineFunction, trampolinesize, usedsize))
+                (ULONG_PTR) trampolineFunction, trampolinesize, usedsize, saved_code))
 	{
 		return 0;
 	}
@@ -466,15 +530,18 @@ int hot_patch_function(void *targetFunction, void *newFunction, void *trampoline
  * @param trampolineFunction a function which contains a jump back to the targetFunction.
  * @param log_file if not null will log about progress of installing the plugin
  */
-void remove_hot_patch_function(void *targetFunction, void *trampolineFunction, unsigned int trampolinesize, bool info_print)
+void remove_hot_patch_function(void *targetFunction, void *trampolineFunction, unsigned int trampolinesize, bool info_print, SavedCode* saved_code)
 {
-	if (trampolinesize == 0)
+    sql_print_information("trampolinesize: %d", trampolinesize);
+    sql_print_information("saved_code->size: %zd", saved_code->size);
+    if (trampolinesize == 0 || !saved_code->size)
 	{
 		// nothing todo. As hot patch was not set.
-		return;
+        cond_info_print(info_print, "%s not removing as hot patch was not set: %p",log_prefix, (void *)targetFunction);
+        return;
 	}
 	DATATYPE_ADDRESS targetPage = get_page_address(targetFunction);
 	cond_info_print(info_print, "%s removing hot patching function: %p targetPage: %p trampolineFunction: %p",log_prefix, (void *)targetFunction, (void *)targetPage, (void *)trampolineFunction);
-	UnhookFunction ((ULONG_PTR) targetFunction, (ULONG_PTR)trampolineFunction,trampolinesize);
+    UnhookFunction ((ULONG_PTR) targetFunction, (ULONG_PTR)trampolineFunction,trampolinesize, saved_code);
 	return;
 }

udis86/libudis86/Makefile.am

@@ -22,3 +22,6 @@ libudis86_la_SOURCES =	itab.c \
 
 itab.c itab.h: ../docs/x86optable.xml opgen.py
 	python ./opgen.py
+
+# generate the generated sources prior to the compilation
+BUILT_SOURCES = itab.c itab.h