github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-11 05:33:33 +00:00
Code Issues Projects Releases Wiki Activity

update(userspace/falco): support new plugin API definitions

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2023-05-17 15:28:10 +00:00 committed by poiana
parent 5175a04c6b
commit 301c4efeb7
7 changed files with 26 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
test/falco_tests_plugins.yaml
View File

@ -56,7 +56,7 @@ trace_files: !mux
incompatible_extract_sources: incompatible_extract_sources:
exit_status: 1 exit_status: 1
stderr_contains: "Plugin '.*' has field extraction capability but is not compatible with any known event source" stderr_contains: "Plugin '.*' is loaded but unused as not compatible with any known event source"
conf_file: BUILD_DIR/test/confs/plugins/incompatible_extract_sources.yaml conf_file: BUILD_DIR/test/confs/plugins/incompatible_extract_sources.yaml
rules_file: rules_file:
- rules/plugins/cloudtrail_create_instances.yaml - rules/plugins/cloudtrail_create_instances.yaml

9
userspace/falco/app/actions/helpers_generic.cpp
View File

@ -58,8 +58,13 @@ void falco::app::actions::format_plugin_info(std::shared_ptr<sinsp_plugin> p, st
os << "Capabilities: " << std::endl; os << "Capabilities: " << std::endl;
if(p->caps() & CAP_SOURCING) if(p->caps() & CAP_SOURCING)
{ {
os << " - Event Sourcing (ID=" << p->id(); os << " - Event Sourcing";
os << ", source='" << p->event_source() << "')" << std::endl; if (p->id() != 0)
{
os << " (ID=" << p->id();
os << ", source='" << p->event_source() << "')";
}
os << std::endl;
} }
if(p->caps() & CAP_EXTRACTION) if(p->caps() & CAP_EXTRACTION)
{ {

2
userspace/falco/app/actions/helpers_inspector.cpp
View File

@ -53,7 +53,7 @@ falco::app::run_result falco::app::actions::open_live_inspector(
{ {
for (const auto& p: inspector->get_plugin_manager()->plugins()) for (const auto& p: inspector->get_plugin_manager()->plugins())
{ {
if (p->caps() & CAP_SOURCING && p->event_source() == source) if (p->caps() & CAP_SOURCING && p->id() != 0 && p->event_source() == source)
{ {
auto cfg = s.plugin_configs.at(p->name()); auto cfg = s.plugin_configs.at(p->name());
falco_logger::log(LOG_INFO, "Opening capture with plugin '" + cfg->m_name + "'\n"); falco_logger::log(LOG_INFO, "Opening capture with plugin '" + cfg->m_name + "'\n");

2
userspace/falco/app/actions/init_falco_engine.cpp
View File

@ -117,7 +117,7 @@ falco::app::run_result falco::app::actions::init_falco_engine(falco::app::state&
auto manager = s.offline_inspector->get_plugin_manager(); auto manager = s.offline_inspector->get_plugin_manager();
for (const auto &p : manager->plugins()) for (const auto &p : manager->plugins())
{ {
if (p->caps() & CAP_SOURCING) if (p->caps() & CAP_SOURCING && p->id() != 0)
{ {
bool added = false; bool added = false;
auto source_idx = manager->source_idx_by_plugin_id(p->id(), added); auto source_idx = manager->source_idx_by_plugin_id(p->id(), added);

22
userspace/falco/app/actions/init_inspectors.cpp
View File

@ -118,12 +118,10 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
? s.offline_inspector ? s.offline_inspector
: std::make_shared<sinsp>(); : std::make_shared<sinsp>();
// handle syscall and plugin sources differently // do extra preparation for the syscall source
// todo(jasondellaluce): change this once we support extracting plugin fields from syscalls too
if (src == falco_common::syscall_source) if (src == falco_common::syscall_source)
{ {
init_syscall_inspector(s, src_info->inspector); init_syscall_inspector(s, src_info->inspector);
continue;
} }
// load and init all plugins compatible with this event source // load and init all plugins compatible with this event source
@ -132,7 +130,9 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
{ {
std::shared_ptr<sinsp_plugin> plugin = nullptr; std::shared_ptr<sinsp_plugin> plugin = nullptr;
auto config = s.plugin_configs.at(p->name()); auto config = s.plugin_configs.at(p->name());
auto is_input = p->caps() & CAP_SOURCING && p->event_source() == src; auto is_input = (p->caps() & CAP_SOURCING)
&& ((p->id() != 0 && src == p->event_source())
|| (p->id() == 0 && src == falco_common::syscall_source));
if (s.is_capture_mode()) if (s.is_capture_mode())
{ {
@ -146,7 +146,10 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
// event source, we must register the plugin supporting // event source, we must register the plugin supporting
// that event source and also plugins with field extraction // that event source and also plugins with field extraction
// capability that are compatible with that event source // capability that are compatible with that event source
if (is_input || (p->caps() & CAP_EXTRACTION && sinsp_plugin::is_source_compatible(p->extract_event_sources(), src))) if (is_input
|| (p->caps() & CAP_EXTRACTION && sinsp_plugin::is_source_compatible(p->extract_event_sources(), src))
|| (p->caps() & CAP_PARSING && sinsp_plugin::is_source_compatible(p->parse_event_sources(), src))
|| (p->caps() & CAP_ASYNC && sinsp_plugin::is_source_compatible(p->async_event_sources(), src)))
{ {
plugin = src_info->inspector->register_plugin(config->m_library_path); plugin = src_info->inspector->register_plugin(config->m_library_path);
} }
@ -182,15 +185,12 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
} }
// check if some plugin with field extraction capability remains unused // check if some plugin remains unused
for (const auto& p : all_plugins) for (const auto& p : all_plugins)
{ {
if(used_plugins.find(p->name()) == used_plugins.end() if (used_plugins.find(p->name()) == used_plugins.end())
&& p->caps() & CAP_EXTRACTION
&& !(p->caps() & CAP_SOURCING && sinsp_plugin::is_source_compatible(p->extract_event_sources(), p->event_source())))
{ {
return run_result::fatal("Plugin '" + p->name() return run_result::fatal("Plugin '" + p->name() + "' is loaded but unused as not compatible with any known event source");
+ "' has field extraction capability but is not compatible with any known event source");
} }
} }

2
userspace/falco/app/actions/load_plugins.cpp
View File

@ -51,7 +51,7 @@ falco::app::run_result falco::app::actions::load_plugins(falco::app::state& s)
falco_logger::log(LOG_INFO, "Loading plugin '" + p.m_name + "' from file " + p.m_library_path + "\n"); falco_logger::log(LOG_INFO, "Loading plugin '" + p.m_name + "' from file " + p.m_library_path + "\n");
auto plugin = s.offline_inspector->register_plugin(p.m_library_path); auto plugin = s.offline_inspector->register_plugin(p.m_library_path);
s.plugin_configs.insert(p, plugin->name()); s.plugin_configs.insert(p, plugin->name());
if(plugin->caps() & CAP_SOURCING) if(plugin->caps() & CAP_SOURCING && plugin->id() != 0)
{ {
auto sname = plugin->event_source(); auto sname = plugin->event_source();
s.source_infos.insert(empty_src_info, sname); s.source_infos.insert(empty_src_info, sname);

9
userspace/falco/app/actions/process_events.cpp
View File

@ -283,11 +283,10 @@ static falco::app::run_result do_inspect(
// so we report an error if we fetch an event of a different source. // so we report an error if we fetch an event of a different source.
if (source_engine_idx != ev->get_source_idx()) if (source_engine_idx != ev->get_source_idx())
{ {
std::string msg = "Unexpected event source for inspector's event: expected='" + source + "'"; auto msg = "Unexpected event source for inspector's event: expected='" + source + "', actual=";
if (ev->get_source_name() != NULL) msg += (ev->get_source_name() != NULL)
{ ? ("'" + std::string(ev->get_source_name()) + "'")
msg += ", actual='" + std::string(ev->get_source_name()) + "'"; : ("<NA>");
}
return run_result::fatal(msg); return run_result::fatal(msg);
} }