From 596e7ee303890df1c7f5a584671027755da8d913 Mon Sep 17 00:00:00 2001 From: Leonardo Di Donato Date: Tue, 14 Jul 2020 18:45:38 +0000 Subject: [PATCH] fix(userspace/falco): try to insert kernel module driver conditionally Do it only when not running with userspace instrumentation enabled and the syscall input source is enabled (!disable_syscall) Signed-off-by: Leonardo Di Donato --- userspace/falco/falco.cpp | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp index d24017f7..15b7f9a8 100644 --- a/userspace/falco/falco.cpp +++ b/userspace/falco/falco.cpp @@ -158,7 +158,7 @@ static void usage() " This causes every single line emitted by falco to be flushed,\n" " which generates higher CPU usage but is useful when piping those outputs\n" " into another process or into a script.\n" - " -u Parse events from userspace.\n" + " -u, --userspace Parse events from userspace.\n" " To be used in conjunction with the ptrace(2) based driver (pdig).\n" " -V, --validate Read the contents of the specified rules(s) file and exit.\n" " Can be specified multiple times to validate multiple files.\n" @@ -445,7 +445,7 @@ int falco_init(int argc, char **argv) set disable_sources; bool disable_syscall = false; bool disable_k8s_audit = false; - bool udig = false; + bool userspace = false; // Used for writing trace files int duration_seconds = 0; @@ -485,7 +485,7 @@ int falco_init(int argc, char **argv) {"stats-interval", required_argument, 0}, {"support", no_argument, 0}, {"unbuffered", no_argument, 0, 'U'}, - {"udig", no_argument, 0, 'u'}, + {"userspace", no_argument, 0, 'u'}, {"validate", required_argument, 0, 'V'}, {"version", no_argument, 0, 0}, {"writefile", required_argument, 0, 'w'}, @@ -612,7 +612,7 @@ int falco_init(int argc, char **argv) buffered_cmdline = true; break; case 'u': - udig = true; + userspace = true; break; case 'v': verbose = true; @@ -1098,17 +1098,14 @@ int falco_init(int argc, char **argv) } else { - open_t open_cb = [&udig](sinsp* inspector) + open_t open_cb = [&userspace](sinsp* inspector) { - if(udig) + if(userspace) { - // open_udig() is the underlying method used in the capture - // code to parse userspace events from the kernel. - // - // In the case of falco we use ptrace(2) for one - // of these userspace implementations. Regardless - // of the implementation, the underlying method - // remains the same. + // open_udig() is the underlying method used in the capture code to parse userspace events from the kernel. + // + // Falco uses a ptrace(2) based userspace implementation. + // Regardless of the implementation, the underlying method remains the same. inspector->open_udig(); } else @@ -1138,11 +1135,16 @@ int falco_init(int argc, char **argv) } catch(sinsp_exception &e) { - if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null")) + // If syscall input source is enabled and not through userspace instrumentation + if (!disable_syscall && !userspace) { - falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n"); + // Try to insert the Falco kernel module + if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null")) + { + falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n"); + } + open_f(inspector); } - open_f(inspector); } } @@ -1161,7 +1163,7 @@ int falco_init(int argc, char **argv) duration = ((double)clock()) / CLOCKS_PER_SEC; // - // run k8s, if required + // Run k8s, if required // if(k8s_api) { @@ -1200,7 +1202,7 @@ int falco_init(int argc, char **argv) } // - // run mesos, if required + // Run mesos, if required // if(mesos_api) {