update(userspace/falco): moved to a config option.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-09-16 23:08:16 +00:00 · 2022-05-06 11:20:16 +02:00
parent a9fe979071
commit 293a6c2b40
7 changed files with 15 additions and 9 deletions
--- a/falco.yaml
+++ b/falco.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -65,6 +65,11 @@ plugins:
 # load_plugins: [cloudtrail, json]
 load_plugins: []

+# Watch config file and rules files for modification.
+# When a file is modified, Falco will propagate new config,
+# by reloading itself.
+watch_config_files: true
+
 # If true, the times displayed in log messages and output messages
 # will be in ISO 8601. By default, times are displayed in the local
 # time zone, as governed by /etc/localtime.
--- a/userspace/falco/app_actions/create_signal_handlers.cpp
+++ b/userspace/falco/app_actions/create_signal_handlers.cpp
@@ -91,7 +91,7 @@ application::run_result application::create_signal_handlers()
 application::run_result application::attach_inotify_signals()
 {
 	run_result ret;
-        if (m_options.monitor_files)
+        if (m_state->config->m_watch_config_files)
 	{
 		ret.proceed = false;
 		ret.success = false;
--- a/userspace/falco/app_actions/load_rules_files.cpp
+++ b/userspace/falco/app_actions/load_rules_files.cpp
@@ -86,12 +86,12 @@ application::run_result application::load_rules_files()
 	}

 	falco_logger::log(LOG_DEBUG, "Configured rules filenames:\n");
-	for (auto filename : m_state->config->m_rules_filenames)
+	for (const auto& filename : m_state->config->m_rules_filenames)
 	{
 		falco_logger::log(LOG_DEBUG, string("   ") + filename + "\n");
 	}

-	for (auto filename : m_state->config->m_rules_filenames)
+	for (const auto& filename : m_state->config->m_rules_filenames)
 	{
 		falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
 		uint64_t required_engine_version;
@@ -125,13 +125,13 @@ application::run_result application::load_rules_files()
 	// Free-up memory for the rule loader, which is not used from now on
 	m_state->engine->clear_loader();

-	for (auto substring : m_options.disabled_rule_substrings)
+	for (const auto& substring : m_options.disabled_rule_substrings)
 	{
 		falco_logger::log(LOG_INFO, "Disabling rules matching substring: " + substring + "\n");
 		m_state->engine->enable_rule(substring, false);
 	}

-	if(m_options.disabled_rule_tags.size() > 0)
+	if(!m_options.disabled_rule_tags.empty())
 	{
 		for(auto &tag : m_options.disabled_rule_tags)
 		{
@@ -140,7 +140,7 @@ application::run_result application::load_rules_files()
 		m_state->engine->enable_rule_by_tag(m_options.disabled_rule_tags, false);
 	}

-	if(m_options.enabled_rule_tags.size() > 0)
+	if(!m_options.enabled_rule_tags.empty())
 	{
 		// Since we only want to enable specific
 		// rules, first disable all rules.
--- a/userspace/falco/app_cmdline_options.cpp
+++ b/userspace/falco/app_cmdline_options.cpp
@@ -181,7 +181,6 @@ void cmdline_options::define()
 #endif
 		("M",                             "Stop collecting after <num_seconds> reached.", cxxopts::value(duration_to_tot)->default_value("0"), "<num_seconds>")
 		("markdown",                      "When used with --list/--list-syscall-events, print the content in Markdown format", cxxopts::value<bool>(markdown))
-		("monitor_files",                 "Monitor rules and config files to reload Falco on change.", cxxopts::value<bool>(monitor_files))
 		("N",                             "When used with --list, only print field names.", cxxopts::value(names_only)->default_value("false"))
 		("o,option",                      "Set the value of option <opt> to <val>. Overrides values in configuration file. <opt> can be identified using its location in configuration file using dot notation. Elements which are entries of lists can be accessed via square brackets [].\n    E.g. base.id = val\n         base.subvalue.subvalue2 = val\n         base.list[1]=val", cxxopts::value(cmdline_config_options), "<opt>=<val>")
 		("p,print",                       "Add additional information to each falco notification's output.\nWith -pc or -pcontainer will use a container-friendly format.\nWith -pk or -pkubernetes will use a kubernetes-friendly format.\nWith -pm or -pmesos will use a mesos-friendly format.\nAdditionally, specifying -pc/-pk/-pm will change the interpretation of %container.info in rule output fields.", cxxopts::value(print_additional), "<output_format>")
--- a/userspace/falco/app_cmdline_options.h
+++ b/userspace/falco/app_cmdline_options.h
@@ -35,7 +35,6 @@ public:
 	// Each of these maps directly to a command line option.
 	bool help;
 	std::string conf_filename;
-	bool monitor_files;
 	bool all_events;
 	sinsp_evt::param_fmt event_buffer_format;
 	std::vector<std::string> cri_socket_paths;
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -301,6 +301,8 @@ void falco_configuration::init(string conf_filename, const vector<string> &cmdli
 			m_plugins.push_back(p);
 		}
 	}
+
+	m_watch_config_files = m_config->get_scalar<bool>("watch_config_files", true);
 }

 void falco_configuration::read_rules_file_directory(const string &path, list<string> &rules_filenames)
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -232,6 +232,7 @@ public:

 	falco_common::priority_type m_min_priority;

+	bool m_watch_config_files;
 	bool m_buffered_outputs;
 	bool m_time_format_iso_8601;
 	uint32_t m_output_timeout;