new(falco): enable gVisor event collection

Signed-off-by: Luca Guerra <luca@guerra.sh>
2025-09-18 07:51:12 +00:00 · 2022-06-20 14:47:40 +00:00
parent 1966fa1f91
commit 927c1c4126
5 changed files with 26 additions and 4 deletions
--- a/userspace/falco/app_actions/init_falco_engine.cpp
+++ b/userspace/falco/app_actions/init_falco_engine.cpp
@@ -43,6 +43,11 @@ void application::configure_output_format()
 		output_format = m_options.print_additional;
 		replace_container_info = false;
 	}
+	else if(m_options.gvisor_config != "")
+	{
+		output_format = "container=%container.id pid=%proc.vpid tid=%thread.vtid ";
+		replace_container_info = true;
+	}

 	if(!output_format.empty())
 	{
--- a/userspace/falco/app_actions/open_inspector.cpp
+++ b/userspace/falco/app_actions/open_inspector.cpp
@@ -46,14 +46,20 @@ application::run_result application::open_inspector()
 	{
 		try
 		{
-			// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
-			//
-			// Falco uses a ptrace(2) based userspace implementation.
-			// Regardless of the implementation, the underlying method remains the same.
 			if(m_options.userspace)
 			{
+				// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
+				//
+				// Falco uses a ptrace(2) based userspace implementation.
+				// Regardless of the implementation, the underlying method remains the same.
 				m_state->inspector->open_udig();
 			}
+			else if(m_options.gvisor_config != "")
+			{
+				falco_logger::log(LOG_INFO, "Enabled event collection from gVisor. Configuration path: " + m_options.gvisor_config);
+				// XXX the first argument "/tmp/gvisor.sock" needs to be removed in favor of parsing everything from config."
+				m_state->inspector->open_gvisor("/tmp/gvisor.sock", m_options.gvisor_config, m_options.gvisor_root);
+			}
 			else
 			{
 				m_state->inspector->open();
--- a/userspace/falco/app_cmdline_options.cpp
+++ b/userspace/falco/app_cmdline_options.cpp
@@ -162,6 +162,9 @@ void cmdline_options::define()
 		("disable-source",                "Disable a specific event source. Available event sources are: syscall or any source from a configured plugin with event sourcing capability. It can be passed multiple times. Can not disable all event sources.", cxxopts::value(disable_sources), "<event_source>")
 		("D",                             "Disable any rules with names having the substring <substring>. Can be specified multiple times. Can not be specified with -t.", cxxopts::value(disabled_rule_substrings), "<substring>")
 		("e",                             "Read the events from <events_file> in .scap format instead of tapping into live.", cxxopts::value(trace_filename), "<events_file>")
+		("g,gvisor-config",				  "Parse events from gVisor using the specified configuration file. A falco-compatible configuration file can be generated with --gvisor-generate-config and can be used for both runsc and Falco.", cxxopts::value(gvisor_config), "<gvisor_config>")
+		("gvisor-generate-config",		  "Generate a configuration file that can be used for gVisor.", cxxopts::value<bool>(gvisor_generate_config))
+		("gvisor-root",					  "gVisor root directory for storage of container state. Equivalent to runsc --root flag.", cxxopts::value(gvisor_root), "<gvisor_root>")
 		("i",                             "Print all events that are ignored by default (i.e. without the -A flag) and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
 #ifndef MINIMAL_BUILD
 		("k,k8s-api",                     "Enable Kubernetes support by connecting to the API server specified as argument. E.g. \"http://admin:password@127.0.0.1:8080\". The API server can also be specified via the environment variable FALCO_K8S_API.", cxxopts::value(k8s_api), "<url>")
--- a/userspace/falco/app_cmdline_options.h
+++ b/userspace/falco/app_cmdline_options.h
@@ -43,6 +43,9 @@ public:
 	std::vector<std::string> disable_sources;
 	std::vector<std::string> disabled_rule_substrings;
 	std::string trace_filename;
+	std::string gvisor_config;
+	bool gvisor_generate_config;
+	std::string gvisor_root;
 	std::string k8s_api;
 	std::string k8s_api_cert;
 	std::string k8s_node_name;
--- a/userspace/falco/application.h
+++ b/userspace/falco/application.h
@@ -193,6 +193,11 @@ private:
 		return !m_options.trace_filename.empty();
 	}

+	inline bool is_gvisor_enabled() const
+	{
+		return m_state->inspector->is_gvisor();
+	}
+
 	std::unique_ptr<state> m_state;
 	cmdline_options m_options;
 	bool m_initialized;