From 0326210f49afc4b04f54a4360d7c27963c71a3f5 Mon Sep 17 00:00:00 2001
From: Federico Di Pierro <nierro92@gmail.com>
Date: Wed, 30 Apr 2025 11:02:18 +0200
Subject: [PATCH] cleanup(userspace/falco): deprecate `-p` option.

Also, `-pc` and `-pk` won't do anything now.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
---
 .../falco/app/actions/init_falco_engine.cpp   | 49 +++++++------------
 userspace/falco/app/options.cpp               |  2 +-
 2 files changed, 18 insertions(+), 33 deletions(-)

diff --git a/userspace/falco/app/actions/init_falco_engine.cpp b/userspace/falco/app/actions/init_falco_engine.cpp
index 710b1a69..dfda3151 100644
--- a/userspace/falco/app/actions/init_falco_engine.cpp
+++ b/userspace/falco/app/actions/init_falco_engine.cpp
@@ -94,40 +94,25 @@ void configure_output_format(falco::app::state& s) {
 	}
 
 	// See https://falco.org/docs/rules/style-guide/
-	const std::string container_info =
-	        "container_image=%container.image.repository "
-	        "container_image_tag=%container.image.tag";
-	const std::string k8s_info = "k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name";
 	const std::string gvisor_info = "vpid=%proc.vpid vtid=%thread.vtid";
 
-	if(s.options.print_additional == "c" || s.options.print_additional == "container") {
-		s.engine->add_extra_output_format(container_info,
-		                                  falco_common::syscall_source,
-		                                  {},
-		                                  "",
-		                                  true);
-	} else if(s.options.print_additional == "cg" ||
-	          s.options.print_additional == "container-gvisor") {
-		s.engine->add_extra_output_format(gvisor_info + " " + container_info,
-		                                  falco_common::syscall_source,
-		                                  {},
-		                                  "",
-		                                  true);
-	} else if(s.options.print_additional == "k" || s.options.print_additional == "kubernetes") {
-		s.engine->add_extra_output_format(container_info + " " + k8s_info,
-		                                  falco_common::syscall_source,
-		                                  {},
-		                                  "",
-		                                  true);
-	} else if(s.options.print_additional == "kg" ||
-	          s.options.print_additional == "kubernetes-gvisor") {
-		s.engine->add_extra_output_format(gvisor_info + " " + container_info + " " + k8s_info,
-		                                  falco_common::syscall_source,
-		                                  {},
-		                                  "",
-		                                  true);
-	} else if(!s.options.print_additional.empty()) {
-		s.engine->add_extra_output_format(s.options.print_additional, "", {}, "", false);
+	if(!s.options.print_additional.empty()) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "The -p/--print option is deprecated and will be removed. Use -o "
+		                  "append_output=... instead.\n");
+
+		if(s.options.print_additional == "c" || s.options.print_additional == "container" ||
+		   s.options.print_additional == "k" || s.options.print_additional == "kubernetes") {
+			// Don't do anything, we don't need these anymore
+			// since container plugin takes care of suggesting the output format fields itself.
+		} else if(s.options.print_additional == "cg" ||
+		          s.options.print_additional == "container-gvisor" ||
+		          s.options.print_additional == "kg" ||
+		          s.options.print_additional == "kubernetes-gvisor") {
+			s.engine->add_extra_output_format(gvisor_info, falco_common::syscall_source, {}, "", true);
+		} else {
+			s.engine->add_extra_output_format(s.options.print_additional, "", {}, "", false);
+		}
 	}
 }
 
diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp
index be45f8f2..be6b563b 100644
--- a/userspace/falco/app/options.cpp
+++ b/userspace/falco/app/options.cpp
@@ -117,7 +117,7 @@ void options::define(cxxopts::Options& opts)
 		("N",                        "Only print field names when used in conjunction with the --list option. It has no effect when used with other options.", cxxopts::value(names_only)->default_value("false"))
 		("o,option",                 "Set the value of option <opt> to <val>. Overrides values in the configuration file. <opt> can be identified using its location in the configuration file using dot notation. Elements of list entries can be accessed via square brackets [].\n    E.g. base.id = val\n         base.subvalue.subvalue2 = val\n         base.list[1]=val", cxxopts::value(cmdline_config_options), "<opt>=<val>")
 		("plugin-info",              "Print info for the plugin specified by <plugin_name> and exit.\nThis includes all descriptive information like name and author, along with the\nschema format for the init configuration and a list of suggested open parameters.\n<plugin_name> can be the plugin's name or its configured 'library_path'.", cxxopts::value(print_plugin_info), "<plugin_name>")
-		("p,print",                  "Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a syscall rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p <output_format> for a custom format. In this case, the given <output_format> will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "<output_format>")
+		("p,print",                  "DEPRECATED: use -o append_output... instead. Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a syscall rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p <output_format> for a custom format. In this case, the given <output_format> will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "<output_format>")
 		("P,pidfile",                "Write PID to specified <pid_file> path. By default, no PID file is created.", cxxopts::value(pidfilename)->default_value(""), "<pid_file>")
 		("r",                        "Rules file or directory to be loaded. This option can be passed multiple times. Falco defaults to the values in the configuration file when this option is not specified.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
 		("support",                  "Print support information, including version, rules files used, loaded configuration, etc., and exit. The output is in JSON format.", cxxopts::value(print_support)->default_value("false"))