From 481e32cab92ff0e8e26bb40e7b90a72865672c28 Mon Sep 17 00:00:00 2001 From: Jason Dellaluce Date: Fri, 18 Mar 2022 10:11:12 +0000 Subject: [PATCH] update(build): bump libs version to caa0e4d0044fdaaebab086592a97f0c7f32aeaa9 Signed-off-by: Jason Dellaluce --- cmake/modules/falcosecurity-libs.cmake | 4 ++-- userspace/engine/json_evt.cpp | 25 +++++++++++++------------ userspace/engine/json_evt.h | 12 ++++++++++-- 3 files changed, 25 insertions(+), 16 deletions(-) diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake index 21471578..777c66b0 100644 --- a/cmake/modules/falcosecurity-libs.cmake +++ b/cmake/modules/falcosecurity-libs.cmake @@ -24,8 +24,8 @@ else() # default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake # -DFALCOSECURITY_LIBS_VERSION=dev ..` if(NOT FALCOSECURITY_LIBS_VERSION) - set(FALCOSECURITY_LIBS_VERSION "b7eb0dd65226a8dc254d228c8d950d07bf3521d2") - set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=0f6dcdc3b94243c91294698ee343806539af81c5b33c60c6acf83fc1aa455e85") + set(FALCOSECURITY_LIBS_VERSION "caa0e4d0044fdaaebab086592a97f0c7f32aeaa9") + set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=a0cea9996b708109ff9538f343500d30b6e7ec5a860f714c61425d4598a0534d") endif() # cd /path/to/build && cmake /path/to/source diff --git a/userspace/engine/json_evt.cpp b/userspace/engine/json_evt.cpp index 3c14cb6b..e10ade59 100644 --- a/userspace/engine/json_evt.cpp +++ b/userspace/engine/json_evt.cpp 
@@ -591,13 +591,15 @@ const json_event_filter_check::values_t &json_event_filter_check::extracted_valu bool json_event_filter_check::compare(gen_event *evt) { - auto jevt = (json_event *)evt; + auto jevt = (json_event *) evt; + std::vector values; + if (!extract(jevt, values)) + { + return false; + } + auto evalues = (const extracted_values_t *) values[0].ptr; - uint32_t len; - - auto evalues = (const extracted_values_t *) extract(jevt, &len); values_set_t setvals; - switch(m_cmpop) { case CO_EQ: @@ -712,7 +714,7 @@ void json_event_filter_check::add_extracted_value_num(int64_t val) m_evalues.second.emplace(json_event_value(val)); } -uint8_t *json_event_filter_check::extract(gen_event *evt, uint32_t *len, bool sanitize_strings) +bool json_event_filter_check::extract(gen_event *evt, std::vector& values, bool sanitize_strings) { m_evalues.first.clear(); m_evalues.second.clear(); @@ -723,9 +725,8 @@ uint8_t *json_event_filter_check::extract(gen_event *evt, uint32_t *len, bool sa m_evalues.second.clear(); add_extracted_value(no_value); } - - *len = sizeof(m_evalues); - return (uint8_t *)&m_evalues; + values.push_back({(uint8_t *)&m_evalues, sizeof(m_evalues)}); + return true; } bool json_event_filter_check::extract_values(json_event *jevt) @@ -1659,13 +1660,13 @@ void json_event_formatter::parse_format() void json_event_formatter::resolve_format(json_event *ev, std::list> &resolved) { + vector values; for(auto tok : m_tokens) { if(tok.check) { - uint32_t len; - - (void) tok.check->extract(ev, &len); + values.clear(); + tok.check->extract(ev, values); const json_event_filter_check::values_t &evals = tok.check->extracted_values(); diff --git a/userspace/engine/json_evt.h b/userspace/engine/json_evt.h index 40fe85f1..75ed0dd6 100644 --- a/userspace/engine/json_evt.h +++ b/userspace/engine/json_evt.h 
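Review bot: In compare(), `values[0].ptr` is read on the strength of extract()'s boolean alone; nothing checks that the vector is non-empty or that the entry has the size of `extracted_values_t` before the byte pointer is cast back to the struct. With the extract() shown in this commit that holds, since it pushes exactly one entry, but a later change that returns true without pushing would turn this into an out-of-bounds read. I would write the guard as `if (!extract(jevt, values) || values.empty())` and optionally assert `values[0].len == sizeof(extracted_values_t)`. compare() continues past the end of the hunk.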
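Review bot: extract() appends to the caller's `values` without clearing it, so a caller that reuses one vector would find stale entries ahead of the new one. As far as the two hunks show, it also returns true on every path, which makes the `return false` branch added in compare() unreachable. resolve_format() compensates with `values.clear()` for each token, so the reset is evidently part of the contract and should be stated. A comment above the push such as `// appends exactly one entry; callers must clear values between calls` would do. The middle of the function lies outside the hunks, so an early return there is not ruled out.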
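Review bot: In resolve_format() the result of `tok.check->extract(ev, values)` is now dropped silently, where the old line marked the discard with `(void)`. Since extract() now reports success as a bool, either keep the explicit `(void) tok.check->extract(ev, values);` or skip the token when it returns false. The declaration also uses unqualified `vector` while compare() in the same file writes `std::vector`; this presumably compiles through a using-directive outside the hunk, and qualifying it would keep the file consistent. The loop body continues beyond the hunk.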
@@ -179,8 +179,16 @@ public: void add_filter_value(const char *str, uint32_t len, uint32_t i = 0); bool compare(gen_event *evt); - // This always returns a const extracted_values_t *. The pointer points to m_evalues; - uint8_t* extract(gen_event *evt, uint32_t* len, bool sanitize_strings = true) final; + // This is adapted to support the new extract() method signature that + // supports extracting list of values, however json_evt was implemented + // to support this feature in the first place through the + // extracted_values_t structure. As such, for now this is only used for + // signature compliance, and always pushes a single value. The value pushed + // in the vector is a a const extracted_values_t* that points to the + // internal m_evalues. This is a temporary workaround to sync with the + // latest falcosecurity/libs development without re-designing the whole K8S + // support, which will eventually be refactored as a plugin in the future anyway. + bool extract(gen_event *evt, std::vector& values, bool sanitize_strings = true) final; const std::string &field(); const std::string &idx();
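Review bot: The new comment on extract() says the pushed value points to the internal m_evalues, but not how long that pointer stays valid or what the entry's length means. From the .cpp hunks, m_evalues is cleared at the start of every extract() call and the entry's length is `sizeof(m_evalues)`, so the pointer is only meaningful until the next extract() on the same check and the length is a struct size, not a byte-buffer length. I would add a sentence such as `// The pointer is valid only until the next extract() on this object; len is sizeof(extracted_values_t), not a byte count of field data.` The comment also has a doubled article in "a a const extracted_values_t*".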