github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-26 22:57:24 +00:00
Code Issues Projects Releases Wiki Activity

cleanup(userspace/falco): remove legacy hacks on source selection action

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2022-08-30 12:40:43 +00:00 committed by poiana
parent 9dc3eb2fc6
commit 63bdc1119f
1 changed files with 45 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
userspace/falco/app_actions/select_event_sources.cpp
View File

@ -17,65 +17,54 @@ using namespace falco::app;
application::run_result application::select_event_sources()
{
m_state->enabled_sources = m_state->loaded_sources;
// event sources selection is meaningless when reading trace files
if (!is_capture_mode())
if (is_capture_mode())
{
if (!m_options.enable_sources.empty() && !m_options.disable_sources.empty())
{
return run_result::fatal("You can not mix --enable-source and --disable-source");
}
if (!m_options.enable_sources.empty())
{
m_state->enabled_sources.clear();
for(const auto &src : m_options.enable_sources)
{
if (m_state->loaded_sources.find(src) == m_state->loaded_sources.end())
{
return run_result::fatal("Attempted enabling an unknown event source: " + src);
}
m_state->enabled_sources.insert(src);
}
}
else if (!m_options.disable_sources.empty())
{
// this little hack ensure that the single-source samentic gets respected
// todo(jasondellaluce): remove this insert once we support multiple enabled event sources
m_state->enabled_sources = m_state->loaded_sources;
for(const auto &src : m_options.disable_sources)
{
if (m_state->loaded_sources.find(src) == m_state->loaded_sources.end())
{
return run_result::fatal("Attempted disabling an unknown event source: " + src);
}
m_state->enabled_sources.erase(src);
}
}
if(m_state->enabled_sources.empty())
{
return run_result::fatal("Must enable at least one event source");
}
// these two little hacks ensure that the single-source samentic gets respected
// todo(jasondellaluce): remove these two once we support multiple enabled event sources
if(m_state->enabled_sources.size() > 1)
{
return run_result::fatal("Can not enable more than one event source");
}
if(*m_state->enabled_sources.begin() == falco_common::syscall_source)
{
m_state->inspector->m_input_plugin = nullptr;
}
/* Print all enabled sources. */
std::ostringstream os;
std::copy(m_state->enabled_sources.begin(), m_state->enabled_sources.end(), std::ostream_iterator<std::string>(os, ","));
std::string result = os.str();
result.pop_back();
falco_logger::log(LOG_INFO, "Enabled event sources: " + result + "\n");
return run_result::ok();
}
if (!m_options.enable_sources.empty() && !m_options.disable_sources.empty())
{
return run_result::fatal("You can not mix --enable-source and --disable-source");
}
if (!m_options.enable_sources.empty())
{
m_state->enabled_sources.clear();
for(const auto &src : m_options.enable_sources)
{
if (m_state->loaded_sources.find(src) == m_state->loaded_sources.end())
{
return run_result::fatal("Attempted enabling an unknown event source: " + src);
}
m_state->enabled_sources.insert(src);
}
}
else if (!m_options.disable_sources.empty())
{
for(const auto &src : m_options.disable_sources)
{
if (m_state->loaded_sources.find(src) == m_state->loaded_sources.end())
{
return run_result::fatal("Attempted disabling an unknown event source: " + src);
}
m_state->enabled_sources.erase(src);
}
}
if(m_state->enabled_sources.empty())
{
return run_result::fatal("Must enable at least one event source");
}
/* Print all enabled sources. */
std::ostringstream os;
std::copy(m_state->enabled_sources.begin(), m_state->enabled_sources.end(), std::ostream_iterator<std::string>(os, ", "));
std::string result = os.str();
result.pop_back();
falco_logger::log(LOG_INFO, "Enabled event sources: " + result + "\n");
return run_result::ok();
}