update(build): bump libs version to caa0e4d0044fdaaebab086592a97f0c7f32aeaa9

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>

cmake/modules/falcosecurity-libs.cmake

@@ -24,8 +24,8 @@ else()
   # default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
   # -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "b7eb0dd65226a8dc254d228c8d950d07bf3521d2")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=0f6dcdc3b94243c91294698ee343806539af81c5b33c60c6acf83fc1aa455e85")
+    set(FALCOSECURITY_LIBS_VERSION "caa0e4d0044fdaaebab086592a97f0c7f32aeaa9")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=a0cea9996b708109ff9538f343500d30b6e7ec5a860f714c61425d4598a0534d")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

userspace/engine/json_evt.cpp

@@ -591,13 +591,15 @@ const json_event_filter_check::values_t &json_event_filter_check::extracted_valu
 
 bool json_event_filter_check::compare(gen_event *evt)
 {
-	auto jevt = (json_event *)evt;
+	auto jevt = (json_event *) evt;
+	std::vector<extract_value_t> values;
+	if (!extract(jevt, values))
+	{
+		return false;
+	}
+	auto evalues = (const extracted_values_t *) values[0].ptr;
 
-	uint32_t len;
-
-	auto evalues = (const extracted_values_t *) extract(jevt, &len);
 	values_set_t setvals;
-
 	switch(m_cmpop)
 	{
 	case CO_EQ:
@@ -712,7 +714,7 @@ void json_event_filter_check::add_extracted_value_num(int64_t val)
 	m_evalues.second.emplace(json_event_value(val));
 }
 
-uint8_t *json_event_filter_check::extract(gen_event *evt, uint32_t *len, bool sanitize_strings)
+bool json_event_filter_check::extract(gen_event *evt, std::vector<extract_value_t>& values, bool sanitize_strings)
 {
 	m_evalues.first.clear();
 	m_evalues.second.clear();
@@ -723,9 +725,8 @@ uint8_t *json_event_filter_check::extract(gen_event *evt, uint32_t *len, bool sa
 		m_evalues.second.clear();
 		add_extracted_value(no_value);
 	}
-
-	*len = sizeof(m_evalues);
-	return (uint8_t *)&m_evalues;
+	values.push_back({(uint8_t *)&m_evalues, sizeof(m_evalues)});
+	return true;
 }
 
 bool json_event_filter_check::extract_values(json_event *jevt)
@@ -1659,13 +1660,13 @@ void json_event_formatter::parse_format()
 
 void json_event_formatter::resolve_format(json_event *ev, std::list<std::pair<std::string, std::string>> &resolved)
 {
+	vector<extract_value_t> values;
 	for(auto tok : m_tokens)
 	{
 		if(tok.check)
 		{
-			uint32_t len;
-
-			(void) tok.check->extract(ev, &len);
+			values.clear();
+			tok.check->extract(ev, values);
 
 			const json_event_filter_check::values_t &evals =
 				tok.check->extracted_values();

userspace/engine/json_evt.h

@@ -179,8 +179,16 @@ public:
 	void add_filter_value(const char *str, uint32_t len, uint32_t i = 0);
 	bool compare(gen_event *evt);
 
-	// This always returns a const extracted_values_t *. The pointer points to m_evalues;
-	uint8_t* extract(gen_event *evt, uint32_t* len, bool sanitize_strings = true) final;
+	// This is adapted to support the new extract() method signature that
+	// supports extracting list of values, however json_evt was implemented
+	// to support this feature in the first place through the
+	// extracted_values_t structure. As such, for now this is only used for
+	// signature compliance, and always pushes a single value. The value pushed
+	// in the vector is a a const extracted_values_t* that points to the
+	// internal m_evalues. This is a temporary workaround to sync with the
+	// latest falcosecurity/libs development without re-designing the whole K8S
+	// support, which will eventually be refactored as a plugin in the future anyway.
+	bool extract(gen_event *evt, std::vector<extract_value_t>& values, bool sanitize_strings = true) final;
 
 	const std::string &field();
 	const std::string &idx();