update(userspace/falco): support new plugin API definitions

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>

test/falco_tests_plugins.yaml

@@ -56,7 +56,7 @@ trace_files: !mux
 
   incompatible_extract_sources:
     exit_status: 1
-    stderr_contains: "Plugin '.*' has field extraction capability but is not compatible with any known event source"
+    stderr_contains: "Plugin '.*' is loaded but unused as not compatible with any known event source"
     conf_file: BUILD_DIR/test/confs/plugins/incompatible_extract_sources.yaml
     rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml

userspace/falco/app/actions/helpers_generic.cpp

@@ -58,8 +58,13 @@ void falco::app::actions::format_plugin_info(std::shared_ptr<sinsp_plugin> p, st
 	os << "Capabilities: " << std::endl;
 	if(p->caps() & CAP_SOURCING)
 	{
-		os << "  - Event Sourcing (ID=" << p->id();
-		os << ", source='" << p->event_source() << "')" << std::endl;
+		os << "  - Event Sourcing";
+		if (p->id() != 0)
+		{
+			os << " (ID=" << p->id();
+			os << ", source='" << p->event_source() << "')";
+		}
+		os << std::endl;
 	}
 	if(p->caps() & CAP_EXTRACTION)
 	{

userspace/falco/app/actions/helpers_inspector.cpp

@@ -53,7 +53,7 @@ falco::app::run_result falco::app::actions::open_live_inspector(
 		{
 			for (const auto& p: inspector->get_plugin_manager()->plugins())
 			{
-				if (p->caps() & CAP_SOURCING && p->event_source() == source)
+				if (p->caps() & CAP_SOURCING && p->id() != 0 && p->event_source() == source)
 				{
 					auto cfg = s.plugin_configs.at(p->name());
 					falco_logger::log(LOG_INFO, "Opening capture with plugin '" + cfg->m_name + "'\n");

userspace/falco/app/actions/init_falco_engine.cpp

@@ -117,7 +117,7 @@ falco::app::run_result falco::app::actions::init_falco_engine(falco::app::state&
 		auto manager = s.offline_inspector->get_plugin_manager();
 		for (const auto &p : manager->plugins())
 		{
-			if (p->caps() & CAP_SOURCING)
+			if (p->caps() & CAP_SOURCING && p->id() != 0)
 			{
 				bool added = false;
 				auto source_idx = manager->source_idx_by_plugin_id(p->id(), added);

userspace/falco/app/actions/init_inspectors.cpp

@@ -118,12 +118,10 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 			? s.offline_inspector
 			: std::make_shared<sinsp>();
 
-		// handle syscall and plugin sources differently
-		// todo(jasondellaluce): change this once we support extracting plugin fields from syscalls too
+		// do extra preparation for the syscall source
 		if (src == falco_common::syscall_source)
 		{
 			init_syscall_inspector(s, src_info->inspector);
-			continue;
 		}
 
 		// load and init all plugins compatible with this event source
@@ -132,7 +130,9 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 		{
 			std::shared_ptr<sinsp_plugin> plugin = nullptr;
 			auto config = s.plugin_configs.at(p->name());
-			auto is_input = p->caps() & CAP_SOURCING && p->event_source() == src;
+			auto is_input = (p->caps() & CAP_SOURCING)
+				&& ((p->id() != 0 && src == p->event_source())
+					|| (p->id() == 0 && src == falco_common::syscall_source));
 
 			if (s.is_capture_mode())
 			{
@@ -146,7 +146,10 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 				// event source, we must register the plugin supporting
 				// that event source and also plugins with field extraction
 				// capability that are compatible with that event source
-				if (is_input || (p->caps() & CAP_EXTRACTION && sinsp_plugin::is_source_compatible(p->extract_event_sources(), src)))
+				if (is_input
+					|| (p->caps() & CAP_EXTRACTION && sinsp_plugin::is_source_compatible(p->extract_event_sources(), src))
+					|| (p->caps() & CAP_PARSING && sinsp_plugin::is_source_compatible(p->parse_event_sources(), src))
+					|| (p->caps() & CAP_ASYNC && sinsp_plugin::is_source_compatible(p->async_event_sources(), src)))
 				{
 					plugin = src_info->inspector->register_plugin(config->m_library_path);
 				}
@@ -182,15 +185,12 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 
 	}
 
-	// check if some plugin with field extraction capability remains unused
+	// check if some plugin remains unused
 	for (const auto& p : all_plugins)
 	{
-		if(used_plugins.find(p->name()) == used_plugins.end() 
-			&& p->caps() & CAP_EXTRACTION
-			&& !(p->caps() & CAP_SOURCING && sinsp_plugin::is_source_compatible(p->extract_event_sources(), p->event_source())))
+		if (used_plugins.find(p->name()) == used_plugins.end())
 		{
-			return run_result::fatal("Plugin '" + p->name()
-				+ "' has field extraction capability but is not compatible with any known event source");
+			return run_result::fatal("Plugin '" + p->name() + "' is loaded but unused as not compatible with any known event source");
 		}
 	}
 

userspace/falco/app/actions/load_plugins.cpp

@@ -51,7 +51,7 @@ falco::app::run_result falco::app::actions::load_plugins(falco::app::state& s)
 		falco_logger::log(LOG_INFO, "Loading plugin '" + p.m_name + "' from file " + p.m_library_path + "\n");
 		auto plugin = s.offline_inspector->register_plugin(p.m_library_path);
 		s.plugin_configs.insert(p, plugin->name());
-		if(plugin->caps() & CAP_SOURCING)
+		if(plugin->caps() & CAP_SOURCING && plugin->id() != 0)
 		{
 			auto sname = plugin->event_source();
 			s.source_infos.insert(empty_src_info, sname);

userspace/falco/app/actions/process_events.cpp

@@ -283,11 +283,10 @@ static falco::app::run_result do_inspect(
 			// so we report an error if we fetch an event of a different source.
 			if (source_engine_idx != ev->get_source_idx())
 			{
-				std::string msg = "Unexpected event source for inspector's event: expected='" + source + "'";
-				if (ev->get_source_name() != NULL)
-				{
-					msg += ", actual='" + std::string(ev->get_source_name()) + "'";
-				}
+				auto msg = "Unexpected event source for inspector's event: expected='" + source + "', actual=";
+				msg += (ev->get_source_name() != NULL)
+					? ("'" + std::string(ev->get_source_name()) + "'")
+					: ("<NA>");
 				return run_result::fatal(msg);
 			}