refactor(userspace/falco): introduce standalone action for event source selection

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>

userspace/falco/CMakeLists.txt

@@ -37,6 +37,7 @@ set(
   app_actions/print_support.cpp
   app_actions/print_syscall_events.cpp
   app_actions/print_version.cpp
+  app_actions/select_event_sources.cpp
   app_actions/start_grpc_server.cpp
   app_actions/start_webserver.cpp
   app_actions/validate_rules_files.cpp

userspace/falco/app_actions/init_falco_engine.cpp

@@ -76,28 +76,6 @@ application::run_result application::init_falco_engine()
 		syscall_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
 	}
 
-	for(const auto &src : m_options.disable_sources)
-	{
-		if (m_state->enabled_sources.find(src) == m_state->enabled_sources.end())
-		{
-			return run_result::fatal("Attempted disabling unknown event source: " + src);
-		}
-		m_state->enabled_sources.erase(src);
-	}
-
-	// todo(jasondellaluce,leogr): change this once we attain multiple active source
-	if(m_state->enabled_sources.empty())
-	{
-		return run_result::fatal("At least one event source needs to be enabled");
-	}
-
-	/* Print all enabled sources. */
-	std::ostringstream os;
-	std::copy(m_state->enabled_sources.begin(), m_state->enabled_sources.end(), std::ostream_iterator<std::string>(os, ","));
-	std::string result = os.str();
-	result.pop_back();
-	falco_logger::log(LOG_INFO, "Enabled sources: " + result + "\n");
-
 	m_state->engine->set_min_priority(m_state->config->m_min_priority);
 
 	return run_result::ok();

userspace/falco/app_actions/select_event_sources.cpp

@@ -0,0 +1,46 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "application.h"
+
+using namespace falco::app;
+
+application::run_result application::select_event_sources()
+{
+	// event sources selection is meaningless when reading trace files
+	if (!is_capture_mode())
+	{
+		for(const auto &src : m_options.disable_sources)
+		{
+			if (m_state->enabled_sources.find(src) == m_state->enabled_sources.end())
+			{
+				return run_result::fatal("Attempted disabling an unknown event source: " + src);
+			}
+			m_state->enabled_sources.erase(src);
+		}
+
+		if(m_state->enabled_sources.empty())
+		{
+			return run_result::fatal("Must enable at least one event source");
+		}
+
+		/* Print all enabled sources. */
+		std::ostringstream os;
+		std::copy(m_state->enabled_sources.begin(), m_state->enabled_sources.end(), std::ostream_iterator<std::string>(os, ","));
+		std::string result = os.str();
+		result.pop_back();
+		falco_logger::log(LOG_INFO, "Enabled event sources: " + result + "\n");
+	}
+
+	return run_result::ok();
+}

userspace/falco/application.cpp

@@ -136,6 +136,7 @@ bool application::run(std::string &errstr, bool &restart)
 		std::bind(&application::init_inspector, this),
 		std::bind(&application::load_plugins, this),
 		std::bind(&application::init_falco_engine, this),
+		std::bind(&application::select_event_sources, this),
 		std::bind(&application::list_fields, this),
 		std::bind(&application::validate_rules_files, this),
 		std::bind(&application::load_rules_files, this),

userspace/falco/application.h

@@ -200,6 +200,7 @@ private:
 	run_result print_syscall_events();
 	run_result print_version();
 	run_result process_events();
+	run_result select_event_sources();
 #ifndef MINIMAL_BUILD
 	run_result start_grpc_server();
 	run_result start_webserver();