new(userspace/falco): select driver from config
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
parent
ea2d62d56b
commit
626e609e4b
@ -20,6 +20,7 @@ limitations under the License.
|
|||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
|
|
||||||
#include <plugin_manager.h>
|
#include <plugin_manager.h>
|
||||||
|
#include <configuration.h>
|
||||||
|
|
||||||
#include "helpers.h"
|
#include "helpers.h"
|
||||||
|
|
||||||
@ -52,6 +53,13 @@ falco::app::run_result falco::app::actions::open_live_inspector(
|
|||||||
std::shared_ptr<sinsp> inspector,
|
std::shared_ptr<sinsp> inspector,
|
||||||
const std::string& source)
|
const std::string& source)
|
||||||
{
|
{
|
||||||
|
|
||||||
|
bool is_driver_mode_from_cmdline = (s.options.nodriver ||
|
||||||
|
s.is_gvisor_enabled() ||
|
||||||
|
s.options.modern_bpf ||
|
||||||
|
getenv(FALCO_BPF_ENV_VARIABLE) != NULL
|
||||||
|
);
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
if (source != falco_common::syscall_source) /* Plugin engine */
|
if (source != falco_common::syscall_source) /* Plugin engine */
|
||||||
@ -71,7 +79,7 @@ falco::app::run_result falco::app::actions::open_live_inspector(
|
|||||||
}
|
}
|
||||||
return run_result::fatal("Can't find plugin for event source: " + source);
|
return run_result::fatal("Can't find plugin for event source: " + source);
|
||||||
}
|
}
|
||||||
else if (s.options.nodriver) /* nodriver engine. */
|
else if (s.options.nodriver || (!is_driver_mode_from_cmdline && s.config->m_driver_mode == driver_mode_type::NODRIVER)) /* nodriver engine. */
|
||||||
{
|
{
|
||||||
// when opening a capture with no driver, Falco will first check
|
// when opening a capture with no driver, Falco will first check
|
||||||
// if a plugin is capable of generating raw events from the libscap
|
// if a plugin is capable of generating raw events from the libscap
|
||||||
@ -90,18 +98,18 @@ falco::app::run_result falco::app::actions::open_live_inspector(
|
|||||||
falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with no driver\n");
|
falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with no driver\n");
|
||||||
inspector->open_nodriver();
|
inspector->open_nodriver();
|
||||||
}
|
}
|
||||||
else if(s.is_gvisor_enabled()) /* gvisor engine. */
|
else if(s.is_gvisor_enabled() || (!is_driver_mode_from_cmdline && s.config->m_driver_mode == driver_mode_type::GVISOR)) /* gvisor engine. */
|
||||||
{
|
{
|
||||||
falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with gVisor. Configuration path: " + s.options.gvisor_config);
|
falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with gVisor. Configuration path: " + s.options.gvisor_config);
|
||||||
inspector->open_gvisor(s.options.gvisor_config, s.options.gvisor_root);
|
inspector->open_gvisor(s.options.gvisor_config, s.options.gvisor_root);
|
||||||
}
|
}
|
||||||
else if(s.options.modern_bpf) /* modern BPF engine. */
|
else if(s.options.modern_bpf || (!is_driver_mode_from_cmdline && s.config->m_driver_mode == driver_mode_type::MODERN_BPF)) /* modern BPF engine. */
|
||||||
{
|
{
|
||||||
falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with modern BPF probe.");
|
falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with modern BPF probe.");
|
||||||
falco_logger::log(falco_logger::level::INFO, "One ring buffer every '" + std::to_string(s.config->m_cpus_for_each_syscall_buffer) + "' CPUs.");
|
falco_logger::log(falco_logger::level::INFO, "One ring buffer every '" + std::to_string(s.config->m_cpus_for_each_syscall_buffer) + "' CPUs.");
|
||||||
inspector->open_modern_bpf(s.syscall_buffer_bytes_size, s.config->m_cpus_for_each_syscall_buffer, true, s.selected_sc_set);
|
inspector->open_modern_bpf(s.syscall_buffer_bytes_size, s.config->m_cpus_for_each_syscall_buffer, true, s.selected_sc_set);
|
||||||
}
|
}
|
||||||
else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL) /* BPF engine. */
|
else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL || (!is_driver_mode_from_cmdline && s.config->m_driver_mode == driver_mode_type::BPF)) /* BPF engine. */
|
||||||
{
|
{
|
||||||
const char *bpf_probe_path = std::getenv(FALCO_BPF_ENV_VARIABLE);
|
const char *bpf_probe_path = std::getenv(FALCO_BPF_ENV_VARIABLE);
|
||||||
char full_path[PATH_MAX];
|
char full_path[PATH_MAX];
|
||||||
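Review bot: The BPF and gVisor branches can now be entered from the config file, but they still read their parameters only from the environment and the command line. In the BPF branch `bpf_probe_path` is `std::getenv(FALCO_BPF_ENV_VARIABLE)`, which is null whenever the branch was selected through `s.config->m_driver_mode == driver_mode_type::BPF`. The rest of that branch lies outside the hunk, so if it reads the string unchecked, Falco would crash at startup and the host would go unmonitored. A guard before first use, such as `if(bpf_probe_path == nullptr) return run_result::fatal("BPF driver selected but no probe path is set");`, or a probe path supplied by the config, would close that gap. Likewise the gVisor branch passes `s.options.gvisor_config` and `s.options.gvisor_root` to `open_gvisor`, and these are presumably empty when gVisor was chosen in the config rather than on the command line.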
|
@ -22,6 +22,7 @@ limitations under the License.
|
|||||||
#include <cxxopts.hpp>
|
#include <cxxopts.hpp>
|
||||||
|
|
||||||
#include <fstream>
|
#include <fstream>
|
||||||
|
#include <sys/syslog.h>
|
||||||
|
|
||||||
namespace falco {
|
namespace falco {
|
||||||
namespace app {
|
namespace app {
|
||||||
@ -149,7 +150,11 @@ bool options::parse(int argc, char **argv, std::string &errstr)
|
|||||||
open_modes += !trace_filename.empty();
|
open_modes += !trace_filename.empty();
|
||||||
open_modes += !gvisor_config.empty();
|
open_modes += !gvisor_config.empty();
|
||||||
open_modes += modern_bpf;
|
open_modes += modern_bpf;
|
||||||
open_modes += getenv("FALCO_BPF_PROBE") != NULL;
|
if(getenv("FALCO_BPF_PROBE") != NULL)
|
||||||
|
{
|
||||||
|
falco_logger::log(LOG_WARNING, "DEPRECATION NOTICE: the FALCO_BPF_PROBE environment variable will be soon deprecated!\n");
|
||||||
|
open_modes += 1;
|
||||||
|
}
|
||||||
open_modes += nodriver;
|
open_modes += nodriver;
|
||||||
if (open_modes > 1)
|
if (open_modes > 1)
|
||||||
{
|
{
|
||||||
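Review bot: The new deprecation warning is written differently from the other logging in this commit: it passes the raw syslog constant `LOG_WARNING` and pulls in `<sys/syslog.h>`, while `open_live_inspector` uses the logger's own enum (`falco_logger::level::INFO`). Assuming that enum has a warning member, `falco_logger::log(falco_logger::level::WARNING, ...)` would make the extra include unnecessary. The variable name is also hard-coded as `"FALCO_BPF_PROBE"` both here and in the message, although the other file refers to it as `FALCO_BPF_ENV_VARIABLE`; using the macro in both places keeps the two checks from drifting apart. The enclosing `options::parse` body starts and ends outside the hunk.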
|
@ -112,6 +112,8 @@ static driver_mode_type get_driver_mode(const std::string& input){
|
|||||||
{"kmod",driver_mode_type::KMOD},
|
{"kmod",driver_mode_type::KMOD},
|
||||||
{"bpf",driver_mode_type::BPF},
|
{"bpf",driver_mode_type::BPF},
|
||||||
{"modern_bpf",driver_mode_type::MODERN_BPF},
|
{"modern_bpf",driver_mode_type::MODERN_BPF},
|
||||||
|
{"gvisor",driver_mode_type::GVISOR},
|
||||||
|
{"nodriver",driver_mode_type::NODRIVER},
|
||||||
{"custom",driver_mode_type::CUSTOM},
|
{"custom",driver_mode_type::CUSTOM},
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -43,6 +43,8 @@ enum class driver_mode_type : uint8_t
|
|||||||
KMOD,
|
KMOD,
|
||||||
BPF,
|
BPF,
|
||||||
MODERN_BPF,
|
MODERN_BPF,
|
||||||
|
GVISOR,
|
||||||
|
NODRIVER,
|
||||||
CUSTOM
|
CUSTOM
|
||||||
};
|
};
|
||||||
|
|
||||||
|