diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt
index db62089b..087b180c 100644
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@@ -19,6 +19,9 @@ set(
 app/state.cpp
 app/signals.cpp
 app/options.cpp
+ app/actions/helpers_generic.cpp
+ app/actions/helpers_inspector.cpp
+ app/actions/helpers_interesting_sets.cpp
 app/actions/create_signal_handlers.cpp
 app/actions/daemonize.cpp
 app/actions/init_falco_engine.cpp
@@ -30,7 +33,6 @@ set(
 app/actions/load_config.cpp
 app/actions/load_plugins.cpp
 app/actions/load_rules_files.cpp
- app/actions/open_inspector.cpp
 app/actions/process_events.cpp
 app/actions/print_generated_gvisor_config.cpp
 app/actions/print_help.cpp
@@ -46,7 +48,6 @@ set(
 app/actions/start_webserver.cpp
 app/actions/validate_rules_files.cpp
 app/actions/create_requested_paths.cpp
- app/actions/configure_interesting_sets.cpp
 configuration.cpp
 logger.cpp
 falco_outputs.cpp
diff --git a/userspace/falco/app/actions/actions.h b/userspace/falco/app/actions/actions.h
index fd7e4329..740de6d3 100644
--- a/userspace/falco/app/actions/actions.h
+++ b/userspace/falco/app/actions/actions.h
@@ -23,88 +23,37 @@ namespace falco { namespace app { namespace actions { -falco::app::run_result create_signal_handlers(falco::app::state& s); falco::app::run_result attach_inotify_signals(falco::app::state& s); +falco::app::run_result configure_syscall_buffer_size(falco::app::state& s); +falco::app::run_result create_requested_paths(falco::app::state& s); +falco::app::run_result create_signal_handlers(falco::app::state& s); falco::app::run_result daemonize(falco::app::state& s); +falco::app::run_result init_clients(falco::app::state& s); falco::app::run_result init_falco_engine(falco::app::state& s); falco::app::run_result init_inspectors(falco::app::state& s); -falco::app::run_result init_clients(falco::app::state& s); falco::app::run_result init_outputs(falco::app::state& s); falco::app::run_result list_fields(falco::app::state& s); falco::app::run_result list_plugins(falco::app::state& s); falco::app::run_result load_config(falco::app::state& s); -falco::app::run_result require_config_file(falco::app::state& s); falco::app::run_result load_plugins(falco::app::state& s); falco::app::run_result load_rules_files(falco::app::state& s); -falco::app::run_result create_requested_paths(falco::app::state& s); falco::app::run_result print_generated_gvisor_config(falco::app::state& s); falco::app::run_result print_help(falco::app::state& s); falco::app::run_result print_ignored_events(falco::app::state& s); +falco::app::run_result print_page_size(falco::app::state& s); falco::app::run_result print_plugin_info(falco::app::state& s); falco::app::run_result print_support(falco::app::state& s); falco::app::run_result print_syscall_events(falco::app::state& s); falco::app::run_result print_version(falco::app::state& s); -falco::app::run_result print_page_size(falco::app::state& s); falco::app::run_result process_events(falco::app::state& s); +falco::app::run_result require_config_file(falco::app::state& s); falco::app::run_result select_event_sources(falco::app::state& s); 
-falco::app::run_result configure_syscall_buffer_size(falco::app::state& s); falco::app::run_result start_grpc_server(falco::app::state& s); falco::app::run_result start_webserver(falco::app::state& s); -falco::app::run_result validate_rules_files(falco::app::state& s); - -// teardown -falco::app::run_result unregister_signal_handlers(falco::app::state& s); falco::app::run_result stop_grpc_server(falco::app::state& s); falco::app::run_result stop_webserver(falco::app::state& s); - -// helpers -bool check_rules_plugin_requirements(falco::app::state& s, std::string& err); -falco::app::run_result open_offline_inspector(falco::app::state& s); -void print_enabled_event_sources(falco::app::state& s); -void configure_interesting_sets(falco::app::state& s); -void format_plugin_info(std::shared_ptr p, std::ostream& os); -falco::app::run_result open_live_inspector( - falco::app::state& s, - std::shared_ptr inspector, - const std::string& source); - -template -void read_files(InputIterator begin, InputIterator end, - std::vector& rules_contents, - falco::load_result::rules_contents_t& rc) -{ - // Read the contents in a first pass - for(auto it = begin; it != end; it++) - { - std::string &filename = *it; - std::ifstream is; - is.open(filename); - if (!is.is_open()) - { - throw falco_exception("Could not open file " + filename + " for reading"); - } - - std::string rules_content((std::istreambuf_iterator(is)), - std::istreambuf_iterator()); - rules_contents.emplace_back(std::move(rules_content)); - } - - // Populate the map in a second pass to avoid - // references becoming invalid. 
- auto it = begin; - auto rit = rules_contents.begin(); - for(; it != end && rit != rules_contents.end(); it++, rit++) - { - rc.emplace(*it, *rit); - } - - // Both it and rit must be at the end, otherwise - // there's a bug in the above - if(it != end || rit != rules_contents.end()) - { - throw falco_exception("Unexpected mismatch in rules content name/rules content sets?"); - } -} +falco::app::run_result unregister_signal_handlers(falco::app::state& s); +falco::app::run_result validate_rules_files(falco::app::state& s); }; // namespace actions }; // namespace app diff --git a/userspace/falco/app/actions/helpers.h b/userspace/falco/app/actions/helpers.h new file mode 100644 index 00000000..d8bdb934 --- /dev/null +++ b/userspace/falco/app/actions/helpers.h 
@@ -0,0 +1,77 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "../state.h"
+#include "../run_result.h"
+
+namespace falco {
+namespace app {
+namespace actions {
+
+bool check_rules_plugin_requirements(falco::app::state& s, std::string& err);
+void print_enabled_event_sources(falco::app::state& s);
+void configure_interesting_sets(falco::app::state& s);
+void format_plugin_info(std::shared_ptr p, std::ostream& os);
+falco::app::run_result open_offline_inspector(falco::app::state& s);
+falco::app::run_result open_live_inspector(
+ falco::app::state& s,
+ std::shared_ptr inspector,
+ const std::string& source);
+
+template
+void read_files(InputIterator begin, InputIterator end,
+ std::vector& rules_contents,
+ falco::load_result::rules_contents_t& rc)
+{
+ // Read the contents in a first pass
+ for(auto it = begin; it != end; it++)
+ {
+ std::string &filename = *it;
+ std::ifstream is;
+ is.open(filename);
+ if (!is.is_open())
+ {
+ throw falco_exception("Could not open file " + filename + " for reading");
+ }
+
+ std::string rules_content((std::istreambuf_iterator(is)),
+ std::istreambuf_iterator());
+ rules_contents.emplace_back(std::move(rules_content));
+ }
+
+ // Populate the map in a second pass to avoid
+ // references becoming invalid.
+ auto it = begin;
+ auto rit = rules_contents.begin();
+ for(; it != end && rit != rules_contents.end(); it++, rit++)
+ {
+ rc.emplace(*it, *rit);
+ }
+
+ // Both it and rit must be at the end, otherwise
+ // there's a bug in the above
+ if(it != end || rit != rules_contents.end())
+ {
+ throw falco_exception("Unexpected mismatch in rules content name/rules content sets?");
+ }
+}
+
+
+}; // namespace actions
+}; // namespace app
+}; // namespace falco
diff --git a/userspace/falco/app/actions/helpers_generic.cpp b/userspace/falco/app/actions/helpers_generic.cpp
new file mode 100644
index 00000000..469aeb88
--- /dev/null
+++ b/userspace/falco/app/actions/helpers_generic.cpp
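Review bot: `read_files` in the new helpers.h has an undocumented precondition that is easier to break now that it lives in a shared helpers header: the second pass pairs `begin..end` with `rules_contents.begin()`, so a caller passing a non-empty `rules_contents` gets file names inserted into `rc` against the wrong contents before the final mismatch check throws. The in-code comment also implies that `rc` keeps references into `rules_contents` (the type is declared outside this diff, so this is inferred), which would mean the vector must outlive `rc` and must not be modified afterwards. I would add a short doc comment above the template stating that `rules_contents` must be empty on entry and must outlive `rc`, and that `falco_exception` is thrown when a file cannot be opened. The header also uses `std::ifstream`, `std::vector` and `std::shared_ptr` while including only `../state.h` and `../run_result.h`, so it appears to rely on transitive includes; including `<fstream>`, `<vector>` and `<memory>` directly would keep it self-contained. The function is moved unchanged from actions.h, so this can equally be a follow-up.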
@@ -0,0 +1,69 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "helpers.h"
+#include
+
+#include
+
+using namespace falco::app;
+using namespace falco::app::actions;
+
+bool falco::app::actions::check_rules_plugin_requirements(falco::app::state& s, std::string& err)
+{
+ // Ensure that all plugins are compatible with the loaded set of rules
+ // note: offline inspector contains all the loaded plugins
+ std::vector plugin_reqs;
+ for (const auto &plugin : s.offline_inspector->get_plugin_manager()->plugins())
+ {
+ falco_engine::plugin_version_requirement req;
+ req.name = plugin->name();
+ req.version = plugin->plugin_version().as_string();
+ plugin_reqs.push_back(req);
+ }
+ return s.engine->check_plugin_requirements(plugin_reqs, err);
+}
+
+void falco::app::actions::print_enabled_event_sources(falco::app::state& s)
+{
+ /* Print all enabled sources. */
+ std::string str;
+ for (const auto &s : s.enabled_sources)
+ {
+ str += str.empty() ?
"" : ", "; + str += s; + } + falco_logger::log(LOG_INFO, "Enabled event sources: " + str + "\n"); +} + +void falco::app::actions::format_plugin_info(std::shared_ptr p, std::ostream& os) +{ + os << "Name: " << p->name() << std::endl; + os << "Description: " << p->description() << std::endl; + os << "Contact: " << p->contact() << std::endl; + os << "Version: " << p->plugin_version().as_string() << std::endl; + os << "Capabilities: " << std::endl; + if(p->caps() & CAP_SOURCING) + { + os << " - Event Sourcing (ID=" << p->id(); + os << ", source='" << p->event_source() << "')" << std::endl; + } + if(p->caps() & CAP_EXTRACTION) + { + os << " - Field Extraction" << std::endl; + } +} + diff --git a/userspace/falco/app/actions/open_inspector.cpp b/userspace/falco/app/actions/helpers_inspector.cpp similarity index 99% rename from userspace/falco/app/actions/open_inspector.cpp rename to userspace/falco/app/actions/helpers_inspector.cpp index 2080397e..85d36473 100644 --- a/userspace/falco/app/actions/open_inspector.cpp +++ b/userspace/falco/app/actions/helpers_inspector.cpp @@ -20,7 +20,7 @@ limitations under the License. #include -#include "actions.h" +#include "helpers.h" /* DEPRECATED: we will remove it in Falco 0.34. */ #define FALCO_BPF_ENV_VARIABLE "FALCO_BPF_PROBE" diff --git a/userspace/falco/app/actions/configure_interesting_sets.cpp b/userspace/falco/app/actions/helpers_interesting_sets.cpp similarity index 99% rename from userspace/falco/app/actions/configure_interesting_sets.cpp rename to userspace/falco/app/actions/helpers_interesting_sets.cpp index 219238d3..c3dc8762 100644 --- a/userspace/falco/app/actions/configure_interesting_sets.cpp +++ b/userspace/falco/app/actions/helpers_interesting_sets.cpp @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -#include "actions.h" +#include "helpers.h" using namespace falco::app; using namespace falco::app::actions; 
diff --git a/userspace/falco/app/actions/init_inspectors.cpp b/userspace/falco/app/actions/init_inspectors.cpp index 65cc55db..980bfb84 100644 --- a/userspace/falco/app/actions/init_inspectors.cpp +++ b/userspace/falco/app/actions/init_inspectors.cpp @@ -15,7 +15,10 @@ limitations under the License. */ #include "actions.h" +#include "helpers.h" + #include + #include using namespace falco::app; diff --git a/userspace/falco/app/actions/list_plugins.cpp b/userspace/falco/app/actions/list_plugins.cpp index ada8e201..c9b023d6 100644 --- a/userspace/falco/app/actions/list_plugins.cpp +++ b/userspace/falco/app/actions/list_plugins.cpp @@ -15,6 +15,8 @@ limitations under the License. */ #include "actions.h" +#include "helpers.h" + #include using namespace falco::app; diff --git a/userspace/falco/app/actions/load_rules_files.cpp b/userspace/falco/app/actions/load_rules_files.cpp index 1a680e97..278809ac 100644 --- a/userspace/falco/app/actions/load_rules_files.cpp +++ b/userspace/falco/app/actions/load_rules_files.cpp @@ -15,6 +15,8 @@ limitations under the License. */ #include "actions.h" +#include "helpers.h" + #include #include @@ -22,21 +24,6 @@ limitations under the License. using namespace falco::app; using namespace falco::app::actions; -bool falco::app::actions::check_rules_plugin_requirements(falco::app::state& s, std::string& err) -{ - // Ensure that all plugins are compatible with the loaded set of rules - // note: offline inspector contains all the loaded plugins - std::vector plugin_reqs; - for (const auto &plugin : s.offline_inspector->get_plugin_manager()->plugins()) - { - falco_engine::plugin_version_requirement req; - req.name = plugin->name(); - req.version = plugin->plugin_version().as_string(); - plugin_reqs.push_back(req); - } - return s.engine->check_plugin_requirements(plugin_reqs, err); -} - static void check_for_ignored_events(falco::app::state& s) { /* Get the events from the rules. */ 
diff --git a/userspace/falco/app/actions/print_ignored_events.cpp b/userspace/falco/app/actions/print_ignored_events.cpp index 446a18e9..cdff823c 100644 --- a/userspace/falco/app/actions/print_ignored_events.cpp +++ b/userspace/falco/app/actions/print_ignored_events.cpp @@ -15,6 +15,7 @@ limitations under the License. */ #include "actions.h" +#include "helpers.h" using namespace falco::app; using namespace falco::app::actions; diff --git a/userspace/falco/app/actions/print_plugin_info.cpp b/userspace/falco/app/actions/print_plugin_info.cpp index 68a8217a..95574df6 100644 --- a/userspace/falco/app/actions/print_plugin_info.cpp +++ b/userspace/falco/app/actions/print_plugin_info.cpp @@ -15,29 +15,13 @@ limitations under the License. */ #include "actions.h" +#include "helpers.h" + #include using namespace falco::app; using namespace falco::app::actions; -void falco::app::actions::format_plugin_info(std::shared_ptr p, std::ostream& os) -{ - os << "Name: " << p->name() << std::endl; - os << "Description: " << p->description() << std::endl; - os << "Contact: " << p->contact() << std::endl; - os << "Version: " << p->plugin_version().as_string() << std::endl; - os << "Capabilities: " << std::endl; - if(p->caps() & CAP_SOURCING) - { - os << " - Event Sourcing (ID=" << p->id(); - os << ", source='" << p->event_source() << "')" << std::endl; - } - if(p->caps() & CAP_EXTRACTION) - { - os << " - Field Extraction" << std::endl; - } -} - falco::app::run_result falco::app::actions::print_plugin_info(falco::app::state& s) { #ifdef MUSL_OPTIMIZED diff --git a/userspace/falco/app/actions/print_support.cpp b/userspace/falco/app/actions/print_support.cpp index e03c2389..69abdfd9 100644 --- a/userspace/falco/app/actions/print_support.cpp +++ b/userspace/falco/app/actions/print_support.cpp @@ -16,7 +16,6 @@ limitations under the License. #include -#include "versions_info.h" #include "actions.h" #include "../../versions_info.h" 
diff --git a/userspace/falco/app/actions/print_syscall_events.cpp b/userspace/falco/app/actions/print_syscall_events.cpp index 8be77737..17c91b7d 100644 --- a/userspace/falco/app/actions/print_syscall_events.cpp +++ b/userspace/falco/app/actions/print_syscall_events.cpp @@ -15,6 +15,7 @@ limitations under the License. */ #include "actions.h" +#include "helpers.h" using namespace falco::app; using namespace falco::app::actions; diff --git a/userspace/falco/app/actions/process_events.cpp b/userspace/falco/app/actions/process_events.cpp index 38c6dfc1..4a89e38d 100644 --- a/userspace/falco/app/actions/process_events.cpp +++ b/userspace/falco/app/actions/process_events.cpp @@ -24,14 +24,16 @@ limitations under the License. #include #include "falco_utils.h" -#include "event_drops.h" -#include "actions.h" -#include "falco_outputs.h" #include "token_bucket.h" + +#include "actions.h" +#include "helpers.h" #include "../options.h" #include "../signals.h" #include "../../semaphore.h" #include "../../stats_writer.h" +#include "../../falco_outputs.h" +#include "../../event_drops.h" #ifndef MINIMAL_BUILD #include "../../webserver.h" #endif @@ -460,8 +462,10 @@ falco::app::run_result falco::app::actions::process_events(falco::app::state& s) } else { - ctx.thread.reset(new std::thread([&s, &src_info, &statsw, &source, &ctx](){ - process_inspector_events(s, src_info->inspector, statsw, source, ctx.sync.get(), &ctx.res); + auto res_ptr = &ctx.res; + auto sync_ptr = ctx.sync.get(); + ctx.thread.reset(new std::thread([&s, src_info, &statsw, source, sync_ptr, res_ptr](){ + process_inspector_events(s, src_info->inspector, statsw, source, sync_ptr, res_ptr); })); } } diff --git a/userspace/falco/app/actions/select_event_sources.cpp b/userspace/falco/app/actions/select_event_sources.cpp index 1eb64092..318d72b4 100644 --- a/userspace/falco/app/actions/select_event_sources.cpp +++ b/userspace/falco/app/actions/select_event_sources.cpp 
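Review bot: In the `process_events.cpp` hunk at `@@ -460,8 +462,10 @@`, the worker lambda now copies `src_info` and `source`, but `res_ptr = &ctx.res` and `sync_ptr = ctx.sync.get()` are still raw pointers into `ctx`, and `s` and `statsw` are still captured by reference. If `ctx` is an element of a container that can reallocate or be destroyed while the thread is running (its declaration is outside the hunk, so this is an assumption to confirm), the thread would write its result through a dangling pointer. Once the lifetime is confirmed, a comment next to the capture would record the guarantee, e.g. `// ctx, s and statsw outlive this thread: it is joined before they are destroyed`. As a smaller style point, `ctx.thread.reset(new std::thread(...))` could be `ctx.thread = std::make_unique<std::thread>(...)` if `ctx.thread` is a `std::unique_ptr`. The body of `process_events` starts and ends outside the hunk.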
@@ -12,22 +12,11 @@ limitations under the License. */ #include "actions.h" +#include "helpers.h" using namespace falco::app; using namespace falco::app::actions; -void falco::app::actions::print_enabled_event_sources(falco::app::state& s) -{ - /* Print all enabled sources. */ - std::string str; - for (const auto &s : s.enabled_sources) - { - str += str.empty() ? "" : ", "; - str += s; - } - falco_logger::log(LOG_INFO, "Enabled event sources: " + str + "\n"); -} - falco::app::run_result falco::app::actions::select_event_sources(falco::app::state& s) { s.enabled_sources = s.loaded_sources; diff --git a/userspace/falco/app/actions/validate_rules_files.cpp b/userspace/falco/app/actions/validate_rules_files.cpp index 6c2afdc9..ce490f3e 100644 --- a/userspace/falco/app/actions/validate_rules_files.cpp +++ b/userspace/falco/app/actions/validate_rules_files.cpp @@ -15,6 +15,8 @@ limitations under the License. */ #include "actions.h" +#include "helpers.h" + #include using namespace falco::app;