new(falco): add base_syscalls.all option to falco.yaml

Signed-off-by: Luca Guerra <luca@guerra.sh>
2025-07-02 01:22:16 +00:00 · 2024-09-30 11:02:50 +00:00 · 2024-09-30 11:02:50 +00:00 · 3b28450171
commit 3b28450171
parent b242f90510
6 changed files with 52 additions and 1 deletions
--- a/falco.yaml
+++ b/falco.yaml
@ -1155,6 +1155,14 @@ metrics:
 # Falco, the `base_syscalls` option allows for finer end-user control of
 # syscalls traced by Falco.
 #
+# --- [base_syscalls.all]
+#
+# `base_syscalls.all` enables monitoring of all events supported by Falco and
+# defined in rules and configs.
+# By default some events, such as `write`, are ignored (run `falco -i` to get
+# the full list) unless base_syscalls.all is true.
+# This option may negatively impact performance.
+#
 # --- [base_syscalls.custom_set]
 #
 # CAUTION: Misconfiguration of this setting may result in incomplete Falco event
--- a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
+++ b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
@ -528,6 +528,43 @@ TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
 	ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
 }

+TEST_F(test_falco_engine, selection_base_syscalls_all) {
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
+	falco::app::state s7;
+	s7.engine = m_engine;
+
+	// simulate empty custom set but repair option set.
+	s7.config->m_base_syscalls_custom_set = {};
+	s7.config->m_base_syscalls_repair = true;
+	s7.config->m_base_syscalls_all = true;
+	auto result = falco::app::actions::configure_interesting_sets(s7);
+	auto s7_rules_set = s7.engine->sc_codes_for_ruleset(s_sample_source, s_sample_ruleset);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s7.selected_sc_set);
+	auto expected_sc_names = strset_t({// note: expecting syscalls from mock rules and
+	                                   // `sinsp_repair_state_sc_set` enforced syscalls
+	                                   "connect",
+	                                   "accept",
+	                                   "accept4",
+	                                   "umount2",
+	                                   "open",
+	                                   "ptrace",
+	                                   "mmap",
+	                                   "execve",
+	                                   "procexit",
+	                                   "bind",
+	                                   "socket",
+	                                   "clone3",
+	                                   "close",
+	                                   "setuid"});
+	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
+	auto s7_state_set = libsinsp::events::sinsp_repair_state_sc_set(s7_rules_set);
+	ASSERT_EQ(s7.selected_sc_set, s7_state_set);
+	ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
+}
+
 TEST(ConfigureInterestingSets, ignored_set_expected_size) {
 	// unit test fence to make sure we don't have unexpected regressions
 	// in the ignored set, to be updated in the future
--- a/userspace/falco/app/actions/configure_interesting_sets.cpp
+++ b/userspace/falco/app/actions/configure_interesting_sets.cpp
@ -205,7 +205,7 @@ static void select_event_set(falco::app::state& s,
 	       without high volume syscalls
 	 * (2) -A flag set: all syscalls in rules included, sinsp state enforcement
 	       and allowing high volume syscalls */
-	if(!s.options.all_events) {
+	if(!(s.options.all_events || s.config->m_base_syscalls_all)) {
 		auto ignored_sc_set = falco::app::ignored_sc_set();
 		auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);
 		s.selected_sc_set = s.selected_sc_set.diff(ignored_sc_set);
--- a/userspace/falco/config_json_schema.h
+++ b/userspace/falco/config_json_schema.h
@ -277,6 +277,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
            "type": "object",
            "additionalProperties": false,
            "properties": {
+                "all": {
+                    "type": "boolean"
+                },
                "custom_set": {
                    "type": "array",
                    "items": {
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@ -85,6 +85,7 @@ falco_configuration::falco_configuration():
        m_syscall_evt_timeout_max_consecutives(1000),
        m_falco_libs_thread_table_size(DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE),
        m_falco_libs_snaplen(0),
+        m_base_syscalls_all(false),
        m_base_syscalls_repair(false),
        m_metrics_enabled(false),
        m_metrics_interval_str("5000"),
@ -577,6 +578,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	m_config.get_sequence<std::unordered_set<std::string>>(m_base_syscalls_custom_set,
 	                                                       std::string("base_syscalls.custom_set"));
 	m_base_syscalls_repair = m_config.get_scalar<bool>("base_syscalls.repair", false);
+	m_base_syscalls_all = m_config.get_scalar<bool>("base_syscalls.all", false);

 	m_metrics_enabled = m_config.get_scalar<bool>("metrics.enabled", false);
 	m_metrics_interval_str = m_config.get_scalar<std::string>("metrics.interval", "5000");
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@ -179,6 +179,7 @@ public:

 	// User supplied base_syscalls, overrides any Falco state engine enforcement.
 	std::unordered_set<std::string> m_base_syscalls_custom_set;
+	bool m_base_syscalls_all;
 	bool m_base_syscalls_repair;

 	// metrics configs