new(falco): add base_syscalls.all option to falco.yaml

Signed-off-by: Luca Guerra <luca@guerra.sh>
2025-09-16 23:08:16 +00:00 · 2024-09-30 11:02:50 +00:00
parent b242f90510
commit 3b28450171
6 changed files with 52 additions and 1 deletions
--- a/userspace/falco/app/actions/configure_interesting_sets.cpp
+++ b/userspace/falco/app/actions/configure_interesting_sets.cpp
@@ -205,7 +205,7 @@ static void select_event_set(falco::app::state& s,
 	       without high volume syscalls
 	 * (2) -A flag set: all syscalls in rules included, sinsp state enforcement
 	       and allowing high volume syscalls */
-	if(!s.options.all_events) {
+	if(!(s.options.all_events || s.config->m_base_syscalls_all)) {
 		auto ignored_sc_set = falco::app::ignored_sc_set();
 		auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);
 		s.selected_sc_set = s.selected_sc_set.diff(ignored_sc_set);
--- a/userspace/falco/config_json_schema.h
+++ b/userspace/falco/config_json_schema.h
@@ -277,6 +277,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
            "type": "object",
            "additionalProperties": false,
            "properties": {
+                "all": {
+                    "type": "boolean"
+                },
                "custom_set": {
                    "type": "array",
                    "items": {
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -85,6 +85,7 @@ falco_configuration::falco_configuration():
        m_syscall_evt_timeout_max_consecutives(1000),
        m_falco_libs_thread_table_size(DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE),
        m_falco_libs_snaplen(0),
+        m_base_syscalls_all(false),
        m_base_syscalls_repair(false),
        m_metrics_enabled(false),
        m_metrics_interval_str("5000"),
@@ -577,6 +578,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	m_config.get_sequence<std::unordered_set<std::string>>(m_base_syscalls_custom_set,
 	                                                       std::string("base_syscalls.custom_set"));
 	m_base_syscalls_repair = m_config.get_scalar<bool>("base_syscalls.repair", false);
+	m_base_syscalls_all = m_config.get_scalar<bool>("base_syscalls.all", false);

 	m_metrics_enabled = m_config.get_scalar<bool>("metrics.enabled", false);
 	m_metrics_interval_str = m_config.get_scalar<std::string>("metrics.interval", "5000");
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -179,6 +179,7 @@ public:

 	// User supplied base_syscalls, overrides any Falco state engine enforcement.
 	std::unordered_set<std::string> m_base_syscalls_custom_set;
+	bool m_base_syscalls_all;
 	bool m_base_syscalls_repair;

 	// metrics configs