github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-05 00:31:38 +00:00
Code Issues Projects Releases Wiki Activity

Falco engine support for plugins

Browse Source 
Mostly plugins are just handled as a new filter/formatter factory with
a new source based on the loaded input plugin, but there are a few
changes at the engine level:

- is_source_valid returns whether a filter/formatter factory exists
  for a given source. Will be used by rules loaded to skip rules for
  an unknown source.

- the falco engine now holds the required_plugin_version predicates
  found in rules files and a method is_plugin_compatible returns whether
  a plugin semver is compatible with the predicates in the rules

- Update the falco engine version and fields checksum for plugins

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Loris Degioanni <loris@sysdig.com>
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm
2021-10-15 16:36:30 -07:00
committed by poiana
parent 69e32f7ed1
commit 9075eea62f
3 changed files with 68 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
userspace/engine/falco_engine.h
View File

@@ -184,10 +184,14 @@ public:
// Configure the engine to support events with the provided
// source, with the provided filter factory and formatter factory.
//
void add_source(std::string &source,
void add_source(const std::string &source,
std::shared_ptr<gen_event_filter_factory> filter_factory,
std::shared_ptr<gen_event_formatter_factory> formatter_factory);
// Return whether or not there is a valid filter/formatter
// factory for this source.
bool is_source_valid(const std::string &source);
//
// Add a filter for the provided event source to the engine
//
@@ -216,6 +220,12 @@ public:
std::shared_ptr<gen_event_formatter> create_formatter(const std::string &source,
const std::string &output);
// Return whether the provided plugin name + version is
// compatible with the current set of loaded rules files.
// required_version will be filled in with the required
// version when the method returns false.
bool is_plugin_compatible(const std::string &name, const std::string &version, std::string &required_version);
private:
//
@@ -239,6 +249,10 @@ private:
std::map<string, uint16_t> m_known_rulesets;
falco_common::priority_type m_min_priority;
// Maps from plugin to a list of required plugin versions
// found in any loaded rules files.
std::map<std::string, std::list<std::string>> m_required_plugin_versions;
void populate_rule_result(unique_ptr<struct rule_result> &res, gen_event *ev);
//