diff --git a/CMakeLists.txt b/CMakeLists.txt index de8d5967ace..5883441e78e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -114,6 +114,11 @@ set(DRIVER_NAME "falco") set(DRIVER_DEVICE_NAME "falco") set(DRIVERS_REPO "https://download.falco.org/driver") +# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o` +# This is the same fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`. +set(FALCO_PROBE_BPF_FILEPATH ".${DRIVER_NAME}/${DRIVER_NAME}-bpf.o") +add_definitions(-DFALCO_PROBE_BPF_FILEPATH="${FALCO_PROBE_BPF_FILEPATH}") + if(NOT DEFINED FALCO_COMPONENT_NAME) set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}") endif() diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake index 72899858b6d..9d56ce26316 100644 --- a/cmake/modules/driver.cmake +++ b/cmake/modules/driver.cmake @@ -26,8 +26,8 @@ else() # In case you want to test against another driver version (or branch, or commit) just pass the variable - # ie., `cmake -DDRIVER_VERSION=dev ..` if(NOT DRIVER_VERSION) - set(DRIVER_VERSION "6599e2efebce30a95f27739d655d53f0d5f686e4") - set(DRIVER_CHECKSUM "SHA256=7cd84fe8a41c25bba9cd7d5d86a87d2483658e367b885ddbd3037aa45404df04") + set(DRIVER_VERSION "fd46dd139a8e35692a7d40ab2f0ed2016df827cf") + set(DRIVER_CHECKSUM "SHA256=7c14a4b5f282c9e1e4496f5416d73c3132c72954d581e1a737f82ffa0e3a6bdd") endif() # cd /path/to/build && cmake /path/to/source @@ -45,4 +45,4 @@ set(DRIVER_NAME "falco") set(DRIVER_PACKAGE_NAME "falco") set(DRIVER_COMPONENT_NAME "falco-driver") -add_subdirectory(${DRIVER_SOURCE_DIR} ${PROJECT_BINARY_DIR}/driver) \ No newline at end of file +add_subdirectory(${DRIVER_SOURCE_DIR} ${PROJECT_BINARY_DIR}/driver) diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake index d4f754348e2..0e51c3ebb55 100644 --- a/cmake/modules/falcosecurity-libs.cmake +++ b/cmake/modules/falcosecurity-libs.cmake @@ -27,8 +27,8 @@ else() # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable - # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` if(NOT FALCOSECURITY_LIBS_VERSION) - set(FALCOSECURITY_LIBS_VERSION "6599e2efebce30a95f27739d655d53f0d5f686e4") - set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=7cd84fe8a41c25bba9cd7d5d86a87d2483658e367b885ddbd3037aa45404df04") + set(FALCOSECURITY_LIBS_VERSION "fd46dd139a8e35692a7d40ab2f0ed2016df827cf") + set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=7c14a4b5f282c9e1e4496f5416d73c3132c72954d581e1a737f82ffa0e3a6bdd") endif() # cd /path/to/build && cmake /path/to/source @@ -49,7 +49,6 @@ if(MUSL_OPTIMIZED_BUILD) add_definitions(-DMUSL_OPTIMIZED) endif() -set(SCAP_BPF_PROBE_ENV_VAR_NAME "FALCO_BPF_PROBE") set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT") if(NOT LIBSCAP_DIR) @@ -85,4 +84,4 @@ endif() include(driver) include(libscap) -include(libsinsp) \ No newline at end of file +include(libsinsp) diff --git a/cmake/modules/plugins.cmake b/cmake/modules/plugins.cmake index 8a4a1d28048..794fca579d6 100644 --- a/cmake/modules/plugins.cmake +++ b/cmake/modules/plugins.cmake @@ -19,11 +19,11 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME) set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins") endif() -set(PLUGIN_K8S_AUDIT_VERSION "0.3.0") +set(PLUGIN_K8S_AUDIT_VERSION "0.4.0-rc1") if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64") - set(PLUGIN_K8S_AUDIT_HASH "214915fc2a61d147d64aaf4cb29c3fc6a513eda621dad1dfe77f2fd7099b31e1") + set(PLUGIN_K8S_AUDIT_HASH "9b77560861ae2b1539a32a542e0b282b4ae83e0a8c26aad7ecefd3e721e9eb99") else() # aarch64 - set(PLUGIN_K8S_AUDIT_HASH "d9b4610714df581043db76ecb4caf3a41aae5494cf61ab8740a3749bfac8457e") + set(PLUGIN_K8S_AUDIT_HASH "9c7de9a1213dc2e125f1ad2302818e5d34a7c95bfc67532b9d37395c60785d02") endif() ExternalProject_Add( @@ -39,18 +39,18 @@ install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/ ExternalProject_Add( k8saudit-rules URL "https://download.falco.org/plugins/stable/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz" - URL_HASH "SHA256=3913a8c6095794c7de6a97a2a64953a0fa4f87caab014d11b2c8f9221eb77591" + URL_HASH "SHA256=f65982fd1c6bc12ae8db833c36127a70252464bd5983fd75c39b91d630eb7f40" CONFIGURE_COMMAND "" BUILD_COMMAND "" INSTALL_COMMAND "") install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}") -set(PLUGIN_CLOUDTRAIL_VERSION "0.5.0") +set(PLUGIN_CLOUDTRAIL_VERSION "0.6.0-rc1") if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64") - set(PLUGIN_CLOUDTRAIL_HASH "ca6c0d087b37090145ef0c92f10d1dd32bb2a08c7bae83cc6fb7a1ba712f3182") + set(PLUGIN_CLOUDTRAIL_HASH "a6c6acf16f7b4acd2b836e2be514346ee15a1e5adce936bd97ab6338d16ad6f9") else() # aarch64 - set(PLUGIN_CLOUDTRAIL_HASH "f6e12d3bd16ae0f504ed2bb56d13531d15b7d55beb1b63932cbe603cff941372") + set(PLUGIN_CLOUDTRAIL_HASH "a6105cb3864a613b3488c60c723163630484bc36b2aa219fb1c730c7735fb5fa") endif() ExternalProject_Add( @@ -66,18 +66,18 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu ExternalProject_Add( cloudtrail-rules URL "https://download.falco.org/plugins/stable/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz" - URL_HASH "SHA256=7f88fb6b530f8ee739b65d38a36c69cdc70398576299b90118bd7324dbdb5f46" + URL_HASH "SHA256=4df7a0d56300d6077807bc205a8ab7ab3b45c495adcc209c5cca1e8da6fc93c6" CONFIGURE_COMMAND "" BUILD_COMMAND "" INSTALL_COMMAND "") install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}") -set(PLUGIN_JSON_VERSION "0.5.0") +set(PLUGIN_JSON_VERSION "0.6.0-rc1") if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64") - set(PLUGIN_JSON_HASH "b422c4f08bb54ccd384a87c5922e120d5731028c87742ef657cacf936447c202") + set(PLUGIN_JSON_HASH "7969e4731e529c5a9d9895ee52ec1845d4d1889cfa3562170288bb7a593bf6b9") else() # aarch64 - set(PLUGIN_JSON_HASH "8358f04325d8a9e9675f38fae8d13a250fb132dcf6741fd0f9830e8c39f48aed") + set(PLUGIN_JSON_HASH "c19fd1b64228ff95b1dc88d441143017807aa59ba57ae868a5f7db85b93bff99") endif() ExternalProject_Add( diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml index 9108597058d..118ca5e944c 100644 --- a/test/falco_tests.yaml +++ b/test/falco_tests.yaml @@ -1098,7 +1098,7 @@ trace_files: !mux - rules/catchall_order.yaml detect_counts: - open_dev_null: 1 - dev_null: 0 + dev_null: 6 trace_file: trace_files/cat_write.scap validate_skip_unknown_noevt: diff --git a/test/falco_traces.yaml.in b/test/falco_traces.yaml.in index 4d22ff4435d..38758a4a245 100644 --- a/test/falco_traces.yaml.in +++ b/test/falco_traces.yaml.in @@ -123,8 +123,10 @@ traces: !mux # falco-event-generator.scap so the rule is still being tested. run-shell-untrusted: trace_file: traces-positive/run-shell-untrusted.scap - detect: False + detect: True detect_level: DEBUG + detect_counts: + - "Run shell untrusted": 1 system-binaries-network-activity: trace_file: traces-positive/system-binaries-network-activity.scap diff --git a/test/plugins/test_extract.cpp b/test/plugins/test_extract.cpp index 0e7a49470f7..7131966ff27 100644 --- a/test/plugins/test_extract.cpp +++ b/test/plugins/test_extract.cpp @@ -19,7 +19,7 @@ limitations under the License. #include #include -static const char *pl_required_api_version = "1.0.0"; +static const char *pl_required_api_version = PLUGIN_API_VERSION_STR; static const char *pl_name_base = "test_extract"; static char pl_name[1024]; static const char *pl_desc = "Test Plugin For Regression Tests"; diff --git a/test/plugins/test_source.cpp b/test/plugins/test_source.cpp index 1377b532792..ea026f4a13f 100644 --- a/test/plugins/test_source.cpp +++ b/test/plugins/test_source.cpp @@ -20,7 +20,7 @@ limitations under the License. #include -static const char *pl_required_api_version = "1.0.0"; +static const char *pl_required_api_version = PLUGIN_API_VERSION_STR; static uint32_t pl_id = 999; static const char *pl_name = "test_source"; static const char *pl_desc = "Test Plugin For Regression Tests"; diff --git a/userspace/engine/rule_loader.cpp b/userspace/engine/rule_loader.cpp index 89e625e1bb5..37b16c11986 100644 --- a/userspace/engine/rule_loader.cpp +++ b/userspace/engine/rule_loader.cpp @@ -81,7 +81,7 @@ rule_loader::context::context(const YAML::Node &item, init(parent.name(), position(item.Mark()), item_type, item_name, parent); } -rule_loader::context::context(const libsinsp::filter::parser::pos_info& pos, +rule_loader::context::context(const libsinsp::filter::ast::pos_info& pos, const std::string& condition, const context& parent) : alt_content(condition) diff --git a/userspace/engine/rule_loader.h b/userspace/engine/rule_loader.h index 5f070c544d6..a89df117721 100644 --- a/userspace/engine/rule_loader.h +++ b/userspace/engine/rule_loader.h @@ -112,7 +112,7 @@ class rule_loader // from the YAML node containing the condition expression. // - When compiling, the condition expression has expanded // macro and list references with their values. - context(const libsinsp::filter::parser::pos_info& pos, + context(const libsinsp::filter::ast::pos_info& pos, const std::string& condition, const context& parent); diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt index f2d9240324d..9338dfa532e 100644 --- a/userspace/falco/CMakeLists.txt +++ b/userspace/falco/CMakeLists.txt @@ -42,6 +42,7 @@ set( app_actions/start_webserver.cpp app_actions/validate_rules_files.cpp app_actions/create_requested_paths.cpp + app_actions/configure_interesting_sets.cpp configuration.cpp logger.cpp falco_outputs.cpp diff --git a/userspace/falco/app_actions/configure_interesting_sets.cpp b/userspace/falco/app_actions/configure_interesting_sets.cpp new file mode 100644 index 00000000000..82c2cd0bacc --- /dev/null +++ b/userspace/falco/app_actions/configure_interesting_sets.cpp @@ -0,0 +1,43 @@ +/* +Copyright (C) 2022 The Falco Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +#include "application.h" + +using namespace falco::app; + +void application::configure_interesting_sets() +{ + /// TODO: in the next future we need to change the interface of `enforce_simple_ppm_sc_set` + /// and `enforce_sinsp_state_tp` APIs, they shouldn't require an inspector to be called! + std::unique_ptr inspector(new sinsp()); + + /* Please note: here we fill these 2 sets because we are interested in only some features, if we leave + * them empty `libsinsp` will fill them with all the available syscalls and all the available tracepoints! + */ + + /* Here the `libsinsp` state set is not enough, we need other syscalls used in the rules, + * so we use the `simple_set`, this `simple_set` contains all the syscalls of the `libsinsp` state + * plus syscalls for Falco default rules. + */ + m_state->ppm_sc_of_interest = inspector->enforce_simple_ppm_sc_set(); + + /* In this case we get the tracepoints for the `libsinsp` state and we remove + * the `sched_switch` tracepoint since it is highly noisy and not so useful + * for our state/events enrichment. + */ + m_state->tp_of_interest = inspector->enforce_sinsp_state_tp(); + m_state->tp_of_interest.erase(SCHED_SWITCH); +} diff --git a/userspace/falco/app_actions/init_inspectors.cpp b/userspace/falco/app_actions/init_inspectors.cpp index d6f6770e193..14d21469e19 100644 --- a/userspace/falco/app_actions/init_inspectors.cpp +++ b/userspace/falco/app_actions/init_inspectors.cpp @@ -20,7 +20,7 @@ limitations under the License. using namespace falco::app; -static void init_syscall_inspector( +void application::init_syscall_inspector( std::shared_ptr inspector, const falco::app::cmdline_options& opts) { @@ -48,12 +48,7 @@ static void init_syscall_inspector( if(!opts.all_events) { - // Drop EF_DROP_SIMPLE_CONS kernel side - inspector->set_simple_consumer(); - // Eventually, drop any EF_DROP_SIMPLE_CONS event - // that reached userspace (there are some events that are not syscall-based - // like signaldeliver, that have the EF_DROP_SIMPLE_CONS flag) - inspector->set_drop_event_flags(EF_DROP_SIMPLE_CONS); + configure_interesting_sets(); } inspector->set_hostname_and_port_resolution_mode(false); diff --git a/userspace/falco/app_actions/load_rules_files.cpp b/userspace/falco/app_actions/load_rules_files.cpp index 341634fc00b..a4879c2b613 100644 --- a/userspace/falco/app_actions/load_rules_files.cpp +++ b/userspace/falco/app_actions/load_rules_files.cpp @@ -21,52 +21,58 @@ using namespace falco::app; void application::check_for_ignored_events() { - std::set evttypes; - std::unique_ptr inspector(new sinsp()); - sinsp_evttables* einfo = inspector->get_event_info_tables(); - const struct ppm_event_info* etable = einfo->m_event_info; - + /* Get the events from the rules. */ + std::set rule_events; std::string source = falco_common::syscall_source; - m_state->engine->evttypes_for_ruleset(source, evttypes); + m_state->engine->evttypes_for_ruleset(source, rule_events); - // Save event names so we don't warn for both the enter and exit event. - std::set warn_event_names; + /* Get the events we consider interesting from the application state `ppm_sc` codes. */ + std::unique_ptr inspector(new sinsp()); + auto interesting_events = inspector->get_event_set_from_ppm_sc_set(m_state->ppm_sc_of_interest); + std::unordered_set ignored_events; - for(auto evtnum : evttypes) + for(const auto& it : rule_events) { - if(evtnum == PPME_GENERIC_E || evtnum == PPME_GENERIC_X) + /* If we have the old version of the event we will have also the recent one + * so we can avoid analyzing the presence of old events. + */ + if(sinsp::is_old_version_event(it)) { continue; } - if(!sinsp::simple_consumer_consider_evtnum(evtnum)) + /* Here we are interested only in syscall events the internal events are not + * altered without the `-A` flag. + * + * TODO: We could consider also the tracepoint events here but right now we don't have + * the support from the libraries. + */ + if(!sinsp::is_syscall_event(it)) { - std::string name = etable[evtnum].name; - if(warn_event_names.find(name) == warn_event_names.end()) - { - warn_event_names.insert(name); - } + continue; } - } - // Print a single warning with the list of ignored events - if (!warn_event_names.empty()) - { - std::string skipped_events; - bool first = true; - for (const auto& evtname : warn_event_names) + /* If the event is not in this set it is not considered by Falco. */ + if(interesting_events.find(it) == interesting_events.end()) { - if (first) - { - skipped_events += evtname; - first = false; - } else - { - skipped_events += "," + evtname; - } + ignored_events.insert(it); } - fprintf(stderr,"Rules match ignored syscall: warning (ignored-evttype):\n loaded rules match the following events: %s;\n but these events are not returned unless running falco with -A\n", skipped_events.c_str()); } + + if(ignored_events.empty()) + { + return; + } + + /* Get the names of the ignored events and print them. */ + auto event_names = inspector->get_events_names(ignored_events); + std::cerr << std::endl << "Rules match ignored syscall: warning (ignored-evttype):" << std::endl; + std::cerr << "Loaded rules match the following events:" << std::endl; + for(const auto& it : event_names) + { + std::cerr << "\t- " << it.c_str() << std::endl; + } + std::cerr << "But these events are not returned unless running falco with -A" << std::endl << std::endl; } application::run_result application::load_rules_files() @@ -171,11 +177,13 @@ application::run_result application::load_rules_files() m_state->engine->enable_rule_by_tag(m_options.enabled_rule_tags, true); } - if(!m_options.all_events) + /* Reading a scap file we have no concepts of ignored events we read all we need. */ + if(!m_options.all_events && !is_capture_mode()) { - // For syscalls, see if any event types used by the - // loaded rules are ones with the EF_DROP_SIMPLE_CONS - // label. + /* Here we have already initialized the application state with the interesting syscalls, + * so we have to check if any event types used by the loaded rules are not considered by + * Falco interesting set. + */ check_for_ignored_events(); } diff --git a/userspace/falco/app_actions/open_inspector.cpp b/userspace/falco/app_actions/open_inspector.cpp index 6c79cc1fd08..43e4878ebf6 100644 --- a/userspace/falco/app_actions/open_inspector.cpp +++ b/userspace/falco/app_actions/open_inspector.cpp @@ -22,13 +22,16 @@ limitations under the License. #include "application.h" +/* DEPRECATED: we will remove it in Falco 0.34. */ +#define FALCO_BPF_ENV_VARIABLE "FALCO_BPF_PROBE" + using namespace falco::app; application::run_result application::open_offline_inspector() { try { - m_state->offline_inspector->open(m_options.trace_filename); + m_state->offline_inspector->open_savefile(m_options.trace_filename); falco_logger::log(LOG_INFO, "Reading system call events from file: " + m_options.trace_filename + "\n"); return run_result::ok(); } @@ -44,63 +47,74 @@ application::run_result application::open_live_inspector( { try { - if (source != falco_common::syscall_source) + if (source != falco_common::syscall_source) /* Plugin engine */ { - for (const auto p: inspector->get_plugin_manager()->plugins()) + for (const auto& p: inspector->get_plugin_manager()->plugins()) { if (p->caps() & CAP_SOURCING && p->event_source() == source) { auto cfg = m_state->plugin_configs.at(p->name()); - inspector->set_input_plugin(cfg->m_name, cfg->m_open_params); - inspector->open(); + falco_logger::log(LOG_INFO, "Falco uses the '" + cfg->m_name + "' plugin\n"); + inspector->open_plugin(cfg->m_name, cfg->m_open_params); return run_result::ok(); } } return run_result::fatal("Can't open inspector for plugin event source: " + source); } - - if (m_options.userspace) + else if (m_options.userspace) /* udig engine. */ { // open_udig() is the underlying method used in the capture code to parse userspace events from the kernel. // // Falco uses a ptrace(2) based userspace implementation. // Regardless of the implementation, the underlying method remains the same. + falco_logger::log(LOG_INFO, "Starting capture with udig\n"); inspector->open_udig(); } - else if(m_options.gvisor_config != "") + else if(!m_options.gvisor_config.empty()) /* gvisor engine. */ { falco_logger::log(LOG_INFO, "Enabled event collection from gVisor. Configuration path: " + m_options.gvisor_config); inspector->open_gvisor(m_options.gvisor_config, m_options.gvisor_root); } - else + else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL) /* BPF engine. */ { - inspector->open(); - } - } - catch (sinsp_exception &e) - { - // If syscall input source is enabled and not through userspace instrumentation - if (m_options.gvisor_config.empty() && !m_options.userspace) - { - // Try to insert the Falco kernel module - if(system("modprobe " DRIVER_NAME " > /dev/null 2> /dev/null")) + const char *bpf_probe_path = std::getenv(FALCO_BPF_ENV_VARIABLE); + char full_path[PATH_MAX]; + /* If the path is empty try to load the probe from the default path. */ + if(strncmp(bpf_probe_path, "", 1) == 0) { - falco_logger::log(LOG_ERR, "Unable to load the driver.\n"); + const char *home = std::getenv("HOME"); + if(!home) + { + return run_result::fatal("Cannot get the env variable 'HOME'"); + } + snprintf(full_path, PATH_MAX, "%s/%s", home, FALCO_PROBE_BPF_FILEPATH); + bpf_probe_path = full_path; } - inspector->open(); + falco_logger::log(LOG_INFO, "Starting capture with BPF probe. BPF probe path: " + std::string(bpf_probe_path)); + inspector->open_bpf(bpf_probe_path, DEFAULT_DRIVER_BUFFER_BYTES_DIM, m_state->ppm_sc_of_interest, m_state->tp_of_interest); } - else + else /* Kernel module (default). */ { - return run_result::fatal(e.what()); + try + { + falco_logger::log(LOG_INFO, "Starting capture with Kernel module."); + inspector->open_kmod(DEFAULT_DRIVER_BUFFER_BYTES_DIM, m_state->ppm_sc_of_interest, m_state->tp_of_interest); + } + catch(sinsp_exception &e) + { + // Try to insert the Falco kernel module + falco_logger::log(LOG_INFO, "Trying to inject the Kernel module and starting the capture again..."); + if(system("modprobe " DRIVER_NAME " > /dev/null 2> /dev/null")) + { + falco_logger::log(LOG_ERR, "Unable to load the driver.\n"); + } + inspector->open_kmod(DEFAULT_DRIVER_BUFFER_BYTES_DIM, m_state->ppm_sc_of_interest, m_state->tp_of_interest); + } } } - - /// TODO: we can add a method to the inspector that tells us what - /// is the underline engine used. Right now we print something only - /// in case of BPF engine - if (inspector->is_bpf_enabled()) + catch (sinsp_exception &e) { - falco_logger::log(LOG_INFO, "Falco is using the BPF probe\n"); + return run_result::fatal(e.what()); } // This must be done after the open diff --git a/userspace/falco/app_actions/print_ignored_events.cpp b/userspace/falco/app_actions/print_ignored_events.cpp index 3eb3f8b0333..68ff3100ba9 100644 --- a/userspace/falco/app_actions/print_ignored_events.cpp +++ b/userspace/falco/app_actions/print_ignored_events.cpp @@ -18,54 +18,50 @@ limitations under the License. using namespace falco::app; -void application::print_all_ignored_events() +/// TODO: probably in the next future would be more meaningful to print the ignored syscalls rather than +/// the ignored events, or maybe change the name of the events since right now they are almost the same of +/// the syscalls. +application::run_result application::print_ignored_events() { - std::unique_ptr inspector(new sinsp()); - sinsp_evttables* einfo = inspector->get_event_info_tables(); - const struct ppm_event_info* etable = einfo->m_event_info; - const struct ppm_syscall_desc* stable = einfo->m_syscall_info_table; - - std::set ignored_event_names; - for(uint32_t j = 0; j < PPM_EVENT_MAX; j++) + /* If the option is true we print the events ignored with Falco `-A`, otherwise + * we return immediately. + */ + if(!m_options.print_ignored_events) { - if(!sinsp::simple_consumer_consider_evtnum(j)) - { - std::string name = etable[j].name; - // Ignore event names NA* - if(name.find("NA") != 0) - { - ignored_event_names.insert(name); - } - } + return run_result::ok(); } - for(uint32_t j = 0; j < PPM_SC_MAX; j++) + /* Fill the application syscall and tracepoint sets. + * The execution will be interrupted after this call so + * we don't care if we populate these sets even if the `-A` flag + * is not set. + */ + configure_interesting_sets(); + + /* Search for all the ignored syscalls. */ + std::unique_ptr inspector(new sinsp()); + std::unordered_set all_ppm_sc = inspector->get_all_ppm_sc(); + std::unordered_set ignored_ppm_sc; + + for(const auto& it : all_ppm_sc) { - if(!sinsp::simple_consumer_consider_syscallid(j)) + /* If the syscall is not in this set we ignore it. */ + if(m_state->ppm_sc_of_interest.find(it) == m_state->ppm_sc_of_interest.end()) { - std::string name = stable[j].name; - // Ignore event names NA* - if(name.find("NA") != 0) - { - ignored_event_names.insert(name); - } + ignored_ppm_sc.insert(it); } } - printf("Ignored Event(s):"); - for(auto it : ignored_event_names) - { - printf(" %s", it.c_str()); - } - printf("\n"); -} + /* Obtain the ignored events names from the ignored syscalls. */ + auto ignored_events = inspector->get_event_set_from_ppm_sc_set(ignored_ppm_sc); + auto event_names = inspector->get_events_names(ignored_events); -application::run_result application::print_ignored_events() -{ - if(m_options.print_ignored_events) + std::cout << "Ignored Event(s):" << std::endl; + for(const auto& it : event_names) { - print_all_ignored_events(); - return run_result::exit(); + std::cout << "- " << it.c_str() << std::endl; } - return run_result::ok(); + std::cout << std::endl; + + return run_result::exit(); } diff --git a/userspace/falco/app_actions/process_events.cpp b/userspace/falco/app_actions/process_events.cpp index 645a9f92fc0..f5872bc5092 100644 --- a/userspace/falco/app_actions/process_events.cpp +++ b/userspace/falco/app_actions/process_events.cpp @@ -189,11 +189,6 @@ application::run_result application::do_inspect( return run_result::fatal("Drop manager internal error"); } - if(!ev->simple_consumer_consider() && !m_options.all_events) - { - continue; - } - // As the inspector has no filter at its level, all // events are returned here. Pass them to the falco // engine, which will match the event against the set diff --git a/userspace/falco/app_cmdline_options.cpp b/userspace/falco/app_cmdline_options.cpp index d85aada3a8c..663b85a90c8 100644 --- a/userspace/falco/app_cmdline_options.cpp +++ b/userspace/falco/app_cmdline_options.cpp @@ -155,7 +155,7 @@ void cmdline_options::define() #else ("c", "Configuration file. If not specified tries " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ".", cxxopts::value(conf_filename), "") #endif - ("A", "Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.", cxxopts::value(all_events)->default_value("false")) + ("A", "Monitor all events, including not interesting ones. Please use the `-i` command line option to see the ignored events. This option is implicit when the capture is not live.", cxxopts::value(all_events)->default_value("false")) ("b,print-base64", "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.") ("cri", "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses libs default. It can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "") ("d,daemon", "Run as a daemon.", cxxopts::value(daemon)->default_value("false")) diff --git a/userspace/falco/application.cpp b/userspace/falco/application.cpp index 7efe4409fe1..e8f957c59f4 100644 --- a/userspace/falco/application.cpp +++ b/userspace/falco/application.cpp @@ -44,7 +44,9 @@ application::state::state() loaded_sources(), enabled_sources(), source_infos(), - plugin_configs() + plugin_configs(), + ppm_sc_of_interest(), + tp_of_interest() { config = std::make_shared(); engine = std::make_shared(); diff --git a/userspace/falco/application.h b/userspace/falco/application.h index c178163cc9c..aee0565defd 100644 --- a/userspace/falco/application.h +++ b/userspace/falco/application.h @@ -110,6 +110,12 @@ class application { std::string cmdline; + // Set of syscalls we want the driver to capture + std::unordered_set ppm_sc_of_interest; + + // Set of tracepoints we want the driver to capture + std::unordered_set tp_of_interest; + #ifndef MINIMAL_BUILD falco::grpc::server grpc_server; std::thread grpc_server_thread; @@ -243,6 +249,7 @@ class application { run_result print_version(); run_result process_events(); run_result select_event_sources(); + void configure_interesting_sets(); #ifndef MINIMAL_BUILD run_result start_grpc_server(); run_result start_webserver(); @@ -263,11 +270,11 @@ class application { bool create_handler(int sig, void (*func)(int), run_result &ret); void configure_output_format(); void check_for_ignored_events(); - void print_all_ignored_events(); void format_plugin_info(std::shared_ptr p, std::ostream& os) const; run_result open_offline_inspector(); run_result open_live_inspector(std::shared_ptr inspector, const std::string& source); void add_source_to_engine(const std::string& src); + void init_syscall_inspector(std::shared_ptr inspector, const falco::app::cmdline_options& opts); run_result do_inspect( std::shared_ptr inspector, const std::string& source, // an empty source represents capture mode diff --git a/userspace/falco/event_drops.cpp b/userspace/falco/event_drops.cpp index ef4bf12163c..07d2a0b043f 100644 --- a/userspace/falco/event_drops.cpp +++ b/userspace/falco/event_drops.cpp @@ -117,7 +117,7 @@ bool syscall_evt_drop_mgr::process_event(std::shared_ptr inspector, sinsp { m_num_actions++; - return perform_actions(evt->get_ts(), delta, inspector->is_bpf_enabled()); + return perform_actions(evt->get_ts(), delta, inspector->check_current_engine(BPF_ENGINE)); } else {