new(falco): add buffer_format_base64

Signed-off-by: Luca Guerra <luca@guerra.sh>

falco.yaml

@@ -492,6 +492,13 @@ plugins:
 # the /etc/localtime configuration.
 time_format_iso_8601: false
 
+# [Incubating] `buffer_format_base64`
+#
+# When enabled, Falco will output data buffer with base64 encoding. This is useful
+# for encoding binary data that needs to be used over media designed to consume
+# this format.
+buffer_format_base64: false
+
 # [Stable] `priority`
 #
 # Any rule with a priority level more severe than or equal to the specified

userspace/falco/app/actions/init_inspectors.cpp

@@ -26,7 +26,12 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 static void init_syscall_inspector(falco::app::state& s, std::shared_ptr<sinsp> inspector) {
-	inspector->set_buffer_format(s.options.event_buffer_format);
+	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+	if(s.options.print_base64 || s.config->m_buffer_format_base64) {
+		event_buffer_format = sinsp_evt::PF_BASE64;
+	}
+
+	inspector->set_buffer_format(event_buffer_format);
 
 	//
 	// Container engines

userspace/falco/app/options.cpp

@@ -74,7 +74,7 @@ bool options::parse(int argc, char **argv, std::string &errstr) {
 	}
 
 	if(m_cmdline_parsed.count("b") > 0) {
-		event_buffer_format = sinsp_evt::PF_BASE64;
+		print_base64 = true;
 	}
 
 	if(m_cmdline_parsed.count("r") > 0) {

userspace/falco/app/options.h

@@ -47,6 +47,7 @@ public:
 	std::string conf_filename;
 	bool all_events = false;
 	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+	bool print_base64 = false;
 	std::vector<std::string> disable_sources;
 	std::vector<std::string> enable_sources;
 	std::string gvisor_generate_config_with_socket;

userspace/falco/config_json_schema.h

@@ -80,6 +80,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                 "time_format_iso_8601": {
                     "type": "boolean"
                 },
+                "buffer_format_base64": {
+                    "type": "boolean"
+                },
                 "priority": {
                     "type": "string"
                 },

userspace/falco/configuration.cpp

@@ -74,6 +74,7 @@ falco_configuration::falco_configuration():
         m_buffered_outputs(false),
         m_outputs_queue_capacity(DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE),
         m_time_format_iso_8601(false),
+        m_buffer_format_base64(false),
         m_output_timeout(2000),
         m_grpc_enabled(false),
         m_grpc_threadiness(0),
@@ -491,6 +492,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	}
 
 	m_time_format_iso_8601 = m_config.get_scalar<bool>("time_format_iso_8601", false);
+	m_buffer_format_base64 = m_config.get_scalar<bool>("buffer_format_base64", false);
 
 	m_webserver_enabled = m_config.get_scalar<bool>("webserver.enabled", false);
 	m_webserver_config.m_threadiness = m_config.get_scalar<uint32_t>("webserver.threadiness", 0);

userspace/falco/configuration.h

@@ -153,6 +153,7 @@ public:
 	bool m_buffered_outputs;
 	size_t m_outputs_queue_capacity;
 	bool m_time_format_iso_8601;
+	bool m_buffer_format_base64;
 	uint32_t m_output_timeout;
 
 	bool m_grpc_enabled;