update(userspace/falco): support new plugin API definitions
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
parent
5175a04c6b
commit
301c4efeb7
@ -56,7 +56,7 @@ trace_files: !mux
|
|||||||
|
|
||||||
incompatible_extract_sources:
|
incompatible_extract_sources:
|
||||||
exit_status: 1
|
exit_status: 1
|
||||||
stderr_contains: "Plugin '.*' has field extraction capability but is not compatible with any known event source"
|
stderr_contains: "Plugin '.*' is loaded but unused as not compatible with any known event source"
|
||||||
conf_file: BUILD_DIR/test/confs/plugins/incompatible_extract_sources.yaml
|
conf_file: BUILD_DIR/test/confs/plugins/incompatible_extract_sources.yaml
|
||||||
rules_file:
|
rules_file:
|
||||||
- rules/plugins/cloudtrail_create_instances.yaml
|
- rules/plugins/cloudtrail_create_instances.yaml
|
||||||
|
@ -58,8 +58,13 @@ void falco::app::actions::format_plugin_info(std::shared_ptr<sinsp_plugin> p, st
|
|||||||
os << "Capabilities: " << std::endl;
|
os << "Capabilities: " << std::endl;
|
||||||
if(p->caps() & CAP_SOURCING)
|
if(p->caps() & CAP_SOURCING)
|
||||||
{
|
{
|
||||||
os << " - Event Sourcing (ID=" << p->id();
|
os << " - Event Sourcing";
|
||||||
os << ", source='" << p->event_source() << "')" << std::endl;
|
if (p->id() != 0)
|
||||||
|
{
|
||||||
|
os << " (ID=" << p->id();
|
||||||
|
os << ", source='" << p->event_source() << "')";
|
||||||
|
}
|
||||||
|
os << std::endl;
|
||||||
}
|
}
|
||||||
if(p->caps() & CAP_EXTRACTION)
|
if(p->caps() & CAP_EXTRACTION)
|
||||||
{
|
{
|
||||||
|
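Review bot: In the new `p->id() != 0` branch of format_plugin_info a sourcing plugin with ID 0 is printed as a bare " - Event Sourcing" line, so `falco --list-plugins` no longer says what such a plugin sources. Elsewhere in this commit (init_inspectors) ID 0 is paired with `falco_common::syscall_source`, so the else branch could print that explicitly, e.g. `else { os << " (ID=0, source='" << falco_common::syscall_source << "')"; }`, assuming that header is already included here. A short comment above the `if` such as `// ID 0 is reserved for plugins that source syscall events; they have no dedicated source name` would also help the reader. The enclosing function continues past the end of this hunk.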
@ -53,7 +53,7 @@ falco::app::run_result falco::app::actions::open_live_inspector(
|
|||||||
{
|
{
|
||||||
for (const auto& p: inspector->get_plugin_manager()->plugins())
|
for (const auto& p: inspector->get_plugin_manager()->plugins())
|
||||||
{
|
{
|
||||||
if (p->caps() & CAP_SOURCING && p->event_source() == source)
|
if (p->caps() & CAP_SOURCING && p->id() != 0 && p->event_source() == source)
|
||||||
{
|
{
|
||||||
auto cfg = s.plugin_configs.at(p->name());
|
auto cfg = s.plugin_configs.at(p->name());
|
||||||
falco_logger::log(LOG_INFO, "Opening capture with plugin '" + cfg->m_name + "'\n");
|
falco_logger::log(LOG_INFO, "Opening capture with plugin '" + cfg->m_name + "'\n");
|
||||||
|
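Review bot: The new condition in open_live_inspector mixes bitwise `&` and logical `&&` without parentheses, `p->caps() & CAP_SOURCING && p->id() != 0 && ...`, while the same commit writes `(p->caps() & CAP_SOURCING)` with explicit parentheses in init_inspectors; the precedence is correct but the two spellings should agree, and the parenthesized form is the one that survives a later edit adding `==`. Suggest `if ((p->caps() & CAP_SOURCING) && p->id() != 0 && p->event_source() == source)`. The loop body and the enclosing function continue beyond this hunk.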
@ -117,7 +117,7 @@ falco::app::run_result falco::app::actions::init_falco_engine(falco::app::state&
|
|||||||
auto manager = s.offline_inspector->get_plugin_manager();
|
auto manager = s.offline_inspector->get_plugin_manager();
|
||||||
for (const auto &p : manager->plugins())
|
for (const auto &p : manager->plugins())
|
||||||
{
|
{
|
||||||
if (p->caps() & CAP_SOURCING)
|
if (p->caps() & CAP_SOURCING && p->id() != 0)
|
||||||
{
|
{
|
||||||
bool added = false;
|
bool added = false;
|
||||||
auto source_idx = manager->source_idx_by_plugin_id(p->id(), added);
|
auto source_idx = manager->source_idx_by_plugin_id(p->id(), added);
|
||||||
|
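Review bot: The added `p->id() != 0` in init_falco_engine silently drops sourcing plugins with ID 0 from the loop, and nothing in the hunk tells a reader why those are excluded or where their source gets registered. A comment on the `if` would carry the rationale, e.g. `// plugins with ID 0 source syscall events (new plugin API) and have no dedicated source index of their own; only plugins with a real ID define an extra event source`, hedged as appropriate if that is not exactly the contract. The rest of the function, including the `added` handling, lies outside the hunk.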
@ -118,12 +118,10 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
|
|||||||
? s.offline_inspector
|
? s.offline_inspector
|
||||||
: std::make_shared<sinsp>();
|
: std::make_shared<sinsp>();
|
||||||
|
|
||||||
// handle syscall and plugin sources differently
|
// do extra preparation for the syscall source
|
||||||
// todo(jasondellaluce): change this once we support extracting plugin fields from syscalls too
|
|
||||||
if (src == falco_common::syscall_source)
|
if (src == falco_common::syscall_source)
|
||||||
{
|
{
|
||||||
init_syscall_inspector(s, src_info->inspector);
|
init_syscall_inspector(s, src_info->inspector);
|
||||||
continue;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// load and init all plugins compatible with this event source
|
// load and init all plugins compatible with this event source
|
||||||
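Review bot: Removing the `continue` after init_syscall_inspector changes the syscall branch from an early exit to a fall-through into the plugin registration below, but the replacement comment "do extra preparation for the syscall source" does not mention that. Suggest extending it to `// do extra preparation for the syscall source; plugins compatible with it are still registered below, like for any other source` so the intent of the deleted todo is preserved. The loop this sits in starts and ends outside the hunk.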
@ -132,7 +130,9 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
|
|||||||
{
|
{
|
||||||
std::shared_ptr<sinsp_plugin> plugin = nullptr;
|
std::shared_ptr<sinsp_plugin> plugin = nullptr;
|
||||||
auto config = s.plugin_configs.at(p->name());
|
auto config = s.plugin_configs.at(p->name());
|
||||||
auto is_input = p->caps() & CAP_SOURCING && p->event_source() == src;
|
auto is_input = (p->caps() & CAP_SOURCING)
|
||||||
|
&& ((p->id() != 0 && src == p->event_source())
|
||||||
|
|| (p->id() == 0 && src == falco_common::syscall_source));
|
||||||
|
|
||||||
if (s.is_capture_mode())
|
if (s.is_capture_mode())
|
||||||
{
|
{
|
||||||
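Review bot: For a plugin with ID 0 the new `is_input` expression never consults `p->event_source()`; the plugin is treated as a syscall source purely by its ID. If that is the intended contract of the new plugin API it deserves a comment, e.g. `// ID 0 is reserved for plugins that source syscall events; their event_source() is not matched against src`, and if it is not, the second alternative should also compare `p->event_source()` against `falco_common::syscall_source`. The enclosing loop and function continue outside this hunk.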
@ -146,7 +146,10 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
|
|||||||
// event source, we must register the plugin supporting
|
// event source, we must register the plugin supporting
|
||||||
// that event source and also plugins with field extraction
|
// that event source and also plugins with field extraction
|
||||||
// capability that are compatible with that event source
|
// capability that are compatible with that event source
|
||||||
if (is_input || (p->caps() & CAP_EXTRACTION && sinsp_plugin::is_source_compatible(p->extract_event_sources(), src)))
|
if (is_input
|
||||||
|
|| (p->caps() & CAP_EXTRACTION && sinsp_plugin::is_source_compatible(p->extract_event_sources(), src))
|
||||||
|
|| (p->caps() & CAP_PARSING && sinsp_plugin::is_source_compatible(p->parse_event_sources(), src))
|
||||||
|
|| (p->caps() & CAP_ASYNC && sinsp_plugin::is_source_compatible(p->async_event_sources(), src)))
|
||||||
{
|
{
|
||||||
plugin = src_info->inspector->register_plugin(config->m_library_path);
|
plugin = src_info->inspector->register_plugin(config->m_library_path);
|
||||||
}
|
}
|
||||||
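Review bot: The three new capability tests are written as `p->caps() & CAP_X && sinsp_plugin::is_source_compatible(...)` without parentheses around the bitwise test, whereas the `is_input` line a few lines above in the same function writes `(p->caps() & CAP_SOURCING)`; the two styles should agree, and the parenthesized form is the safer one to copy when the next capability is added. Suggest `|| ((p->caps() & CAP_PARSING) && sinsp_plugin::is_source_compatible(p->parse_event_sources(), src))` and likewise for the extraction and async lines. The comment above the condition could also be updated to list parsing and async-event capabilities, since it still only mentions field extraction. The function continues past this hunk.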
@ -182,15 +185,12 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// check if some plugin with field extraction capability remains unused
|
// check if some plugin remains unused
|
||||||
for (const auto& p : all_plugins)
|
for (const auto& p : all_plugins)
|
||||||
{
|
{
|
||||||
if(used_plugins.find(p->name()) == used_plugins.end()
|
if (used_plugins.find(p->name()) == used_plugins.end())
|
||||||
&& p->caps() & CAP_EXTRACTION
|
|
||||||
&& !(p->caps() & CAP_SOURCING && sinsp_plugin::is_source_compatible(p->extract_event_sources(), p->event_source())))
|
|
||||||
{
|
{
|
||||||
return run_result::fatal("Plugin '" + p->name()
|
return run_result::fatal("Plugin '" + p->name() + "' is loaded but unused as not compatible with any known event source");
|
||||||
+ "' has field extraction capability but is not compatible with any known event source");
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
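Review bot: The simplified check `used_plugins.find(p->name()) == used_plugins.end()` is easier to read as a membership test, `if (used_plugins.count(p->name()) == 0)`, now that the extra capability conditions are gone. The updated comment "check if some plugin remains unused" could also state the assumption the old code made explicit, e.g. `// every sourcing plugin is registered for its own source above, so any plugin left out here has no compatible event source at all`, hedged if that no longer holds for every capability. The loop is complete in the hunk; the enclosing function ends outside it.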
@ -51,7 +51,7 @@ falco::app::run_result falco::app::actions::load_plugins(falco::app::state& s)
|
|||||||
falco_logger::log(LOG_INFO, "Loading plugin '" + p.m_name + "' from file " + p.m_library_path + "\n");
|
falco_logger::log(LOG_INFO, "Loading plugin '" + p.m_name + "' from file " + p.m_library_path + "\n");
|
||||||
auto plugin = s.offline_inspector->register_plugin(p.m_library_path);
|
auto plugin = s.offline_inspector->register_plugin(p.m_library_path);
|
||||||
s.plugin_configs.insert(p, plugin->name());
|
s.plugin_configs.insert(p, plugin->name());
|
||||||
if(plugin->caps() & CAP_SOURCING)
|
if(plugin->caps() & CAP_SOURCING && plugin->id() != 0)
|
||||||
{
|
{
|
||||||
auto sname = plugin->event_source();
|
auto sname = plugin->event_source();
|
||||||
s.source_infos.insert(empty_src_info, sname);
|
s.source_infos.insert(empty_src_info, sname);
|
||||||
|
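Review bot: With the new `plugin->id() != 0` guard in load_plugins, a sourcing plugin with ID 0 no longer registers an event source, but nothing here verifies that such a plugin actually declares the syscall source; the later `is_input` logic in init_inspectors keys on the ID alone, so a misdeclared plugin would be accepted silently. Unless libsinsp already enforces this at registration time, an explicit check would be cheap, e.g. `if ((plugin->caps() & CAP_SOURCING) && plugin->id() == 0 && plugin->event_source() != falco_common::syscall_source) return run_result::fatal("Plugin '" + plugin->name() + "' has ID 0 but does not source syscall events");`. The same `&`/`&&` expression would also read better with parentheses around the bitwise test. The surrounding loop and function continue outside this hunk.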
@ -283,11 +283,10 @@ static falco::app::run_result do_inspect(
|
|||||||
// so we report an error if we fetch an event of a different source.
|
// so we report an error if we fetch an event of a different source.
|
||||||
if (source_engine_idx != ev->get_source_idx())
|
if (source_engine_idx != ev->get_source_idx())
|
||||||
{
|
{
|
||||||
std::string msg = "Unexpected event source for inspector's event: expected='" + source + "'";
|
auto msg = "Unexpected event source for inspector's event: expected='" + source + "', actual=";
|
||||||
if (ev->get_source_name() != NULL)
|
msg += (ev->get_source_name() != NULL)
|
||||||
{
|
? ("'" + std::string(ev->get_source_name()) + "'")
|
||||||
msg += ", actual='" + std::string(ev->get_source_name()) + "'";
|
: ("<NA>");
|
||||||
}
|
|
||||||
return run_result::fatal(msg);
|
return run_result::fatal(msg);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
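Review bot: The rewritten message builder in do_inspect keeps `NULL` for the pointer check and hides the type of `msg` behind `auto`; `nullptr` is the idiomatic spelling and `std::string msg = ...` makes it obvious that the ternary below appends to a string. Suggest `std::string msg = "Unexpected event source for inspector's event: expected='" + source + "', actual=";` and `msg += (ev->get_source_name() != nullptr) ? ...`. The ternary relies on `"<NA>"` converting to std::string to match the other operand, which compiles but is worth a glance. The enclosing function starts and ends outside the hunk.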