diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt
index cdd6fe03..667a79f1 100644
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@@ -37,6 +37,7 @@ set(
 app_actions/print_support.cpp
 app_actions/print_syscall_events.cpp
 app_actions/print_version.cpp
+ app_actions/select_event_sources.cpp
 app_actions/start_grpc_server.cpp
 app_actions/start_webserver.cpp
 app_actions/validate_rules_files.cpp
diff --git a/userspace/falco/app_actions/init_falco_engine.cpp b/userspace/falco/app_actions/init_falco_engine.cpp
index 6fe513ae..09e6ffaf 100644
--- a/userspace/falco/app_actions/init_falco_engine.cpp
+++ b/userspace/falco/app_actions/init_falco_engine.cpp
@@ -76,28 +76,6 @@ application::run_result application::init_falco_engine()
 syscall_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
 }
- for(const auto &src : m_options.disable_sources)
- {
- if (m_state->enabled_sources.find(src) == m_state->enabled_sources.end())
- {
- return run_result::fatal("Attempted disabling unknown event source: " + src);
- }
- m_state->enabled_sources.erase(src);
- }
-
- // todo(jasondellaluce,leogr): change this once we attain multiple active source
- if(m_state->enabled_sources.empty())
- {
- return run_result::fatal("At least one event source needs to be enabled");
- }
-
- /* Print all enabled sources. */
- std::ostringstream os;
- std::copy(m_state->enabled_sources.begin(), m_state->enabled_sources.end(), std::ostream_iterator(os, ","));
- std::string result = os.str();
- result.pop_back();
- falco_logger::log(LOG_INFO, "Enabled sources: " + result + "\n");
-
 m_state->engine->set_min_priority(m_state->config->m_min_priority);
 return run_result::ok();
diff --git a/userspace/falco/app_actions/select_event_sources.cpp b/userspace/falco/app_actions/select_event_sources.cpp
new file mode 100644
index 00000000..2270030f
--- /dev/null
+++ b/userspace/falco/app_actions/select_event_sources.cpp
@@ -0,0 +1,46 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "application.h"
+
+using namespace falco::app;
+
+application::run_result application::select_event_sources()
+{
+ // event sources selection is meaningless when reading trace files
+ if (!is_capture_mode())
+ {
+ for(const auto &src : m_options.disable_sources)
+ {
+ if (m_state->enabled_sources.find(src) == m_state->enabled_sources.end())
+ {
+ return run_result::fatal("Attempted disabling an unknown event source: " + src);
+ }
+ m_state->enabled_sources.erase(src);
+ }
+
+ if(m_state->enabled_sources.empty())
+ {
+ return run_result::fatal("Must enable at least one event source");
+ }
+
+ /* Print all enabled sources. */
+ std::ostringstream os;
+ std::copy(m_state->enabled_sources.begin(), m_state->enabled_sources.end(), std::ostream_iterator(os, ","));
+ std::string result = os.str();
+ result.pop_back();
+ falco_logger::log(LOG_INFO, "Enabled event sources: " + result + "\n");
+ }
+
+ return run_result::ok();
+}
\ No newline at end of file
diff --git a/userspace/falco/application.cpp b/userspace/falco/application.cpp
index 7a88472e..bc55d88f 100644
--- a/userspace/falco/application.cpp
+++ b/userspace/falco/application.cpp
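Review bot: In the new `select_event_sources()`, the whole body is skipped when `is_capture_mode()` is true, so any `disable_sources` entry given together with a trace file is dropped without a message. The code removed from `init_falco_engine()` ran unconditionally, so this is a behaviour change: an unknown source name is no longer rejected in that mode and no "Enabled event sources" line reaches the log. Because this option decides which sources are inspected, I would make the ignored setting visible with an `else` branch such as `if(!m_options.disable_sources.empty()) falco_logger::log(LOG_WARNING, "Disabled event sources are ignored when reading a trace file\n");`. Separately, the file uses `std::ostringstream`, `std::copy` and `std::ostream_iterator` but includes only `application.h`; adding `#include <sstream>`, `#include <algorithm>` and `#include <iterator>` would stop it relying on transitive includes.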
@@ -136,6 +136,7 @@ bool application::run(std::string &errstr, bool &restart)
 std::bind(&application::init_inspector, this),
 std::bind(&application::load_plugins, this),
 std::bind(&application::init_falco_engine, this),
+ std::bind(&application::select_event_sources, this),
 std::bind(&application::list_fields, this),
 std::bind(&application::validate_rules_files, this),
 std::bind(&application::load_rules_files, this),
diff --git a/userspace/falco/application.h b/userspace/falco/application.h
index c6ee5ff1..b721a468 100644
--- a/userspace/falco/application.h
+++ b/userspace/falco/application.h
@@ -200,6 +200,7 @@ private:
 run_result print_syscall_events();
 run_result print_version();
 run_result process_events();
+ run_result select_event_sources();
 #ifndef MINIMAL_BUILD
 run_result start_grpc_server();
 run_result start_webserver();