github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-27 07:07:23 +00:00
Code Issues Projects Releases Wiki Activity

update(userspace/falco/app): check illegal source setup in live inspectors

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2023-06-22 09:06:21 +00:00 committed by poiana
parent 893a3c90da
commit 9d29a3afb2
1 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
userspace/falco/app/actions/init_inspectors.cpp
View File

@ -187,6 +187,23 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
{
return run_result::fatal(err);
}
// in live mode, each inspector should have registered at most two event sources:
// the "syscall" on, loaded at default at index 0, and optionally another
// one defined by a plugin, at index 0
if (!s.is_capture_mode())
{
const auto& sources = src_info->inspector->event_sources();
if (sources.size() == 0 || sources.size() > 2 || sources[0] != falco_common::syscall_source)
{
std::string err;
for (const auto &s : sources)
{
err += (err.empty() ? "" : ", ") + s;
}
return run_result::fatal("Illegal sources setup in live inspector for source '" + src + "': " + err);
}
}
}
// check if some plugin remains unused