github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-24 08:58:52 +00:00
Code Issues Projects Releases Wiki Activity

refactor(falco/app): apply early return pattern in actions code

Browse Source 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
This commit is contained in:
Leonardo Di Giovanna 2025-02-05 11:27:58 +01:00 committed by poiana
parent 31c94df10e
commit 9e2c22804c
19 changed files with 456 additions and 437 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
userspace/falco/app/actions/init_falco_engine.cpp
View File

@ -170,7 +170,9 @@ falco::app::run_result falco::app::actions::init_falco_engine(falco::app::state&
if(s.is_capture_mode()) {
auto manager = s.offline_inspector->get_plugin_manager();
for(const auto& p : manager->plugins()) {
if(p->caps() & CAP_SOURCING && p->id() != 0) {
if((p->caps() & CAP_SOURCING) == 0 || p->id() == 0) {
continue;
}
bool added = false;
auto source_idx = manager->source_idx_by_plugin_id(p->id(), added);
auto engine_idx = s.source_infos.at(p->event_source())->engine_idx;
@ -180,7 +182,6 @@ falco::app::run_result falco::app::actions::init_falco_engine(falco::app::state&
}
}
}
}
configure_output_format(s);
s.engine->set_min_priority(s.config->m_min_priority);

43
userspace/falco/app/actions/init_inspectors.cpp
View File

@ -147,13 +147,14 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
std::string err;
std::unordered_set<std::string> used_plugins;
const auto& all_plugins = s.offline_inspector->get_plugin_manager()->plugins();
const bool is_capture_mode = s.is_capture_mode();
for(const auto& src : s.loaded_sources) {
auto src_info = s.source_infos.at(src);
// in capture mode, every event source uses the offline inspector.
// in live mode, we create a new inspector for each event source
if(s.is_capture_mode()) {
if(is_capture_mode) {
src_info->inspector = s.offline_inspector;
} else {
src_info->inspector =
@ -174,15 +175,16 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
((p->id() != 0 && src == p->event_source()) ||
(p->id() == 0 && src == falco_common::syscall_source));
if(s.is_capture_mode()) {
if(is_capture_mode) {
// in capture mode, every plugin is already registered
// in the offline inspector by the load_plugins action
plugin = p;
} else {
// in live mode, for the inspector assigned to the given
// event source, we must register the plugin supporting
// that event source and also plugins with field extraction
// capability that are compatible with that event source
// in live mode, for the inspector assigned to the given event source, we must
// register a plugin if one of the following condition applies to it:
// - it has event sourcing capability for the given event source
// - it has one among field extraction, event parsing and async events capabilities
// and is compatible (with respect to that capability) with the given event source
if(is_input ||
(p->caps() & CAP_EXTRACTION &&
sinsp_plugin::is_source_compatible(p->extract_event_sources(), src)) ||
@ -194,12 +196,14 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
}
}
// init the plugin, if we registered it into an inspector
// (in capture mode, this is true for every plugin)
if(plugin) {
// avoid initializing the same plugin twice in the same
if(!plugin) {
continue;
}
// init the plugin only if we registered it into an inspector (in capture mode, this is
// true for every plugin). Avoid initializing the same plugin twice in the same
// inspector if we're in capture mode
if(!s.is_capture_mode() || used_plugins.find(p->name()) == used_plugins.end()) {
if(!is_capture_mode || used_plugins.find(p->name()) == used_plugins.end()) {
if(!plugin->init(config->m_init_config, err)) {
return run_result::fatal(err);
}
@ -210,7 +214,6 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
}
used_plugins.insert(plugin->name());
}
}
// populate filtercheck list for this inspector
if(!populate_filterchecks(src_info->inspector,
@ -221,10 +224,13 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
return run_result::fatal(err);
}
// in live mode, each inspector should have registered at most two event sources:
// the "syscall" on, loaded at default at index 0, and optionally another
// one defined by a plugin, at index 1
if(!s.is_capture_mode()) {
if(is_capture_mode) {
continue;
}
// in live mode, each inspector should have registered at most two event sources: the
// "syscall" on, loaded at default at index 0, and optionally another one defined by a
// plugin, at index 1
const auto& sources = src_info->inspector->event_sources();
if(sources.size() == 0 || sources.size() > 2 ||
sources[0] != falco_common::syscall_source) {
@ -232,9 +238,8 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
for(const auto& source : sources) {
err += (err.empty() ? "" : ", ") + source;
}
return run_result::fatal("Illegal sources setup in live inspector for source '" +
src + "': " + err);
}
return run_result::fatal("Illegal sources setup in live inspector for source '" + src +
"': " + err);
}
}

9
userspace/falco/app/actions/list_fields.cpp
View File

@ -21,17 +21,18 @@ using namespace falco::app;
using namespace falco::app::actions;
falco::app::run_result falco::app::actions::list_fields(falco::app::state& s) {
if(s.options.list_fields) {
if(!s.options.list_fields) {
return run_result::ok();
}
if(s.options.list_source_fields != "" &&
!s.engine->is_source_valid(s.options.list_source_fields)) {
return run_result::fatal("Value for --list must be a valid source type");
}
s.engine->list_fields(s.options.list_source_fields,
s.options.verbose,
s.options.names_only,
s.options.markdown);
return run_result::exit();
}
return run_result::ok();
}

8
userspace/falco/app/actions/list_plugins.cpp
View File

@ -24,7 +24,10 @@ using namespace falco::app;
using namespace falco::app::actions;
falco::app::run_result falco::app::actions::list_plugins(const falco::app::state& s) {
if(s.options.list_plugins) {
if(!s.options.list_plugins) {
return run_result::ok();
}
std::ostringstream os;
sinsp inspector;
const auto& configs = s.config->m_plugins;
@ -38,6 +41,3 @@ falco::app::run_result falco::app::actions::list_plugins(const falco::app::state
printf("%lu Plugins Loaded:\n\n%s\n", configs.size(), os.str().c_str());
return run_result::exit();
}
return run_result::ok();
}

14
userspace/falco/app/actions/load_plugins.cpp
View File

@ -51,16 +51,18 @@ falco::app::run_result falco::app::actions::load_plugins(falco::app::state& s) {
"Loading plugin '" + p.m_name + "' from file " + p.m_library_path + "\n");
auto plugin = s.offline_inspector->register_plugin(p.m_library_path);
s.plugin_configs.insert(p, plugin->name());
if(plugin->caps() & CAP_SOURCING && plugin->id() != 0) {
if((plugin->caps() & CAP_SOURCING) == 0 || plugin->id() == 0) {
continue;
}
// Account the plugin event source
state::source_info src_info;
src_info.filterchecks = std::make_shared<filter_check_list>();
auto sname = plugin->event_source();
s.source_infos.insert(src_info, sname);
auto src_name = plugin->event_source();
s.source_infos.insert(src_info, src_name);
// note: this avoids duplicate values
if(std::find(s.loaded_sources.begin(), s.loaded_sources.end(), sname) ==
if(std::find(s.loaded_sources.begin(), s.loaded_sources.end(), src_name) ==
s.loaded_sources.end()) {
s.loaded_sources.push_back(sname);
}
s.loaded_sources.push_back(src_name);
}
}

6
userspace/falco/app/actions/pidfile.cpp
View File

@ -30,7 +30,10 @@ falco::app::run_result falco::app::actions::pidfile(const falco::app::state& sta
return run_result::ok();
}
if(!state.options.pidfilename.empty()) {
if(state.options.pidfilename.empty()) {
return run_result::ok();
}
int64_t self_pid = getpid();
std::ofstream stream;
@ -44,7 +47,6 @@ falco::app::run_result falco::app::actions::pidfile(const falco::app::state& sta
}
stream << self_pid;
stream.close();
}
return run_result::ok();
}

7
userspace/falco/app/actions/print_config_schema.cpp
View File

@ -21,9 +21,10 @@ using namespace falco::app;
using namespace falco::app::actions;
falco::app::run_result falco::app::actions::print_config_schema(falco::app::state &s) {
if(s.options.print_config_schema) {
if(!s.options.print_config_schema) {
return run_result::ok();
}
printf("%s", s.config->m_config_schema.dump(2).c_str());
return run_result::exit();
}
return run_result::ok();
}

7
userspace/falco/app/actions/print_generated_gvisor_config.cpp
View File

@ -22,12 +22,13 @@ using namespace falco::app;
using namespace falco::app::actions;
falco::app::run_result falco::app::actions::print_generated_gvisor_config(falco::app::state& s) {
if(!s.options.gvisor_generate_config_with_socket.empty()) {
if(s.options.gvisor_generate_config_with_socket.empty()) {
return run_result::ok();
}
sinsp i;
std::string gvisor_config =
i.generate_gvisor_config(s.options.gvisor_generate_config_with_socket);
printf("%s\n", gvisor_config.c_str());
return run_result::exit();
}
return run_result::ok();
}

7
userspace/falco/app/actions/print_help.cpp
View File

@ -21,9 +21,10 @@ using namespace falco::app;
using namespace falco::app::actions;
falco::app::run_result falco::app::actions::print_help(falco::app::state& s) {
if(s.options.help) {
if(!s.options.help) {
return run_result::ok();
}
printf("%s", s.options.usage().c_str());
return run_result::exit();
}
return run_result::ok();
}

15
userspace/falco/app/actions/print_kernel_version.cpp
View File

@ -28,14 +28,18 @@ using namespace falco::app::actions;
falco::app::run_result falco::app::actions::print_kernel_version(const falco::app::state& s) {
#ifdef __linux__
// We print this info only when a kernel driver is injected
if(s.is_modern_ebpf() || s.is_ebpf() || s.is_kmod()) {
bool const is_kernel_driver_injected = s.is_modern_ebpf() || s.is_ebpf() || s.is_kmod();
if(!is_kernel_driver_injected) {
return run_result::ok();
}
std::ifstream input_file("/proc/version");
if(!input_file.is_open()) {
// We don't want to fail, we just need to log something
falco_logger::log(falco_logger::level::INFO,
"Cannot read under '/proc/version' (err_message: '" +
std::string(strerror(errno)) + "', err_code: " +
std::to_string(errno) + "). No info provided, go on.");
falco_logger::log(
falco_logger::level::INFO,
"Cannot read under '/proc/version' (err_message: '" + std::string(strerror(errno)) +
"', err_code: " + std::to_string(errno) + "). No info provided, go on.");
return run_result::ok();
}
@ -43,7 +47,6 @@ falco::app::run_result falco::app::actions::print_kernel_version(const falco::ap
buffer << input_file.rdbuf();
std::string contents(buffer.str());
falco_logger::log(falco_logger::level::INFO, "System info: " + contents);
}
#endif
return run_result::ok();
}

17
userspace/falco/app/actions/print_page_size.cpp
View File

@ -24,7 +24,10 @@ using namespace falco::app;
using namespace falco::app::actions;
falco::app::run_result falco::app::actions::print_page_size(const falco::app::state& s) {
if(s.options.print_page_size) {
if(!s.options.print_page_size) {
return run_result::ok();
}
#ifndef _WIN32
long page_size = getpagesize();
#else
@ -35,14 +38,10 @@ falco::app::run_result falco::app::actions::print_page_size(const falco::app::st
long page_size = sysInfo.dwPageSize;
#endif
if(page_size <= 0) {
return run_result::fatal(
"\nUnable to get the system page size through 'getpagesize()'\n");
} else {
falco_logger::log(
falco_logger::level::INFO,
"Your system page size is: " + std::to_string(page_size) + " bytes\n");
return run_result::fatal("\nUnable to get the system page size through 'getpagesize()'\n");
}
falco_logger::log(falco_logger::level::INFO,
"Your system page size is: " + std::to_string(page_size) + " bytes\n");
return run_result::exit();
}
return run_result::ok();
}

19
userspace/falco/app/actions/print_plugin_info.cpp
View File

@ -24,12 +24,18 @@ using namespace falco::app;
using namespace falco::app::actions;
falco::app::run_result falco::app::actions::print_plugin_info(const falco::app::state &s) {
if(!s.options.print_plugin_info.empty()) {
if(s.options.print_plugin_info.empty()) {
return run_result::ok();
}
sinsp inspector;
for(auto &pc : s.config->m_plugins) {
if(pc.m_name == s.options.print_plugin_info ||
pc.m_library_path == s.options.print_plugin_info) {
// load the plugin
if(pc.m_name != s.options.print_plugin_info &&
pc.m_library_path != s.options.print_plugin_info) {
continue;
}
// found matching plugin; load it
auto p = inspector.register_plugin(pc.m_library_path);
// print plugin descriptive info
@ -92,10 +98,7 @@ falco::app::run_result falco::app::actions::print_plugin_info(const falco::app::
// exit
return run_result::exit();
}
}
return run_result::fatal("can't find plugin and print its info: " +
s.options.print_plugin_info);
}
return run_result::ok();
}

7
userspace/falco/app/actions/print_rule_schema.cpp
View File

@ -21,9 +21,10 @@ using namespace falco::app;
using namespace falco::app::actions;
falco::app::run_result falco::app::actions::print_rule_schema(falco::app::state &s) {
if(s.options.print_rule_schema) {
if(!s.options.print_rule_schema) {
return run_result::ok();
}
printf("%s", s.engine->m_rule_schema.dump(2).c_str());
return run_result::exit();
}
return run_result::ok();
}

9
userspace/falco/app/actions/print_support.cpp
View File

@ -88,7 +88,10 @@ static int get_sysinfo(nlohmann::json& support) {
#endif
falco::app::run_result falco::app::actions::print_support(falco::app::state& s) {
if(s.options.print_support) {
if(!s.options.print_support) {
return run_result::ok();
}
nlohmann::json support;
if(get_sysinfo(support) != 0) {
@ -110,9 +113,5 @@ falco::app::run_result falco::app::actions::print_support(falco::app::state& s)
support["rules_files"].push_back(finfo);
}
printf("%s\n", support.dump().c_str());
return run_result::exit();
}
return run_result::ok();
}

11
userspace/falco/app/actions/print_syscall_events.cpp
View File

@ -157,13 +157,15 @@ static void print_events(const std::vector<event_entry>& events, bool markdown)
}
falco::app::run_result falco::app::actions::print_syscall_events(falco::app::state& s) {
if(s.options.list_syscall_events) {
if(!s.options.list_syscall_events) {
return run_result::ok();
}
const falco::versions_info info(s.offline_inspector);
printf("The events below are valid for Falco *Schema Version*: %s\n",
info.driver_schema_version.c_str());
const libsinsp::events::set<ppm_event_code> available =
libsinsp::events::all_event_set().diff(
const libsinsp::events::set<ppm_event_code> available = libsinsp::events::all_event_set().diff(
sc_set_to_event_set(falco::app::ignored_sc_set()));
const struct events_by_category events_bc = get_event_entries_by_category(true, available);
@ -181,6 +183,3 @@ falco::app::run_result falco::app::actions::print_syscall_events(falco::app::sta
return run_result::exit();
}
return run_result::ok();
}

8
userspace/falco/app/actions/print_version.cpp
View File

@ -22,7 +22,10 @@ using namespace falco::app;
using namespace falco::app::actions;
falco::app::run_result falco::app::actions::print_version(falco::app::state& s) {
if(s.options.print_version_info) {
if(!s.options.print_version_info) {
return run_result::ok();
}
const falco::versions_info info(s.offline_inspector);
if(s.config->m_json_output) {
printf("%s\n", info.as_json().dump().c_str());
@ -38,6 +41,3 @@ falco::app::run_result falco::app::actions::print_version(falco::app::state& s)
}
return run_result::exit();
}
return run_result::ok();
}

18
userspace/falco/app/actions/start_grpc_server.cpp
View File

@ -27,10 +27,12 @@ using namespace falco::app::actions;
falco::app::run_result falco::app::actions::start_grpc_server(falco::app::state& s) {
#if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
// gRPC server
if(s.config->m_grpc_enabled) {
if(!s.config->m_grpc_enabled) {
return run_result::ok();
}
if(s.options.dry_run) {
falco_logger::log(falco_logger::level::DEBUG,
"Skipping starting gRPC server in dry-run\n");
falco_logger::log(falco_logger::level::DEBUG, "Skipping starting gRPC server in dry-run\n");
return run_result::ok();
}
@ -47,17 +49,18 @@ falco::app::run_result falco::app::actions::start_grpc_server(falco::app::state&
s.config->m_grpc_root_certs,
s.config->m_log_level);
s.grpc_server_thread = std::thread([&s] { s.grpc_server.run(); });
}
#endif
return run_result::ok();
}
falco::app::run_result falco::app::actions::stop_grpc_server(falco::app::state& s) {
#if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
if(s.config->m_grpc_enabled) {
if(!s.config->m_grpc_enabled) {
return run_result::ok();
}
if(s.options.dry_run) {
falco_logger::log(falco_logger::level::DEBUG,
"Skipping stopping gRPC server in dry-run\n");
falco_logger::log(falco_logger::level::DEBUG, "Skipping stopping gRPC server in dry-run\n");
return run_result::ok();
}
@ -65,7 +68,6 @@ falco::app::run_result falco::app::actions::stop_grpc_server(falco::app::state&
s.grpc_server.shutdown();
s.grpc_server_thread.join();
}
}
#endif
return run_result::ok();
}

25
userspace/falco/app/actions/start_webserver.cpp
View File

@ -26,10 +26,12 @@ using namespace falco::app::actions;
falco::app::run_result falco::app::actions::start_webserver(falco::app::state& state) {
#if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
if(!state.is_capture_mode() && state.config->m_webserver_enabled) {
if(state.is_capture_mode() || !state.config->m_webserver_enabled) {
return run_result::ok();
}
if(state.options.dry_run) {
falco_logger::log(falco_logger::level::DEBUG,
"Skipping starting webserver in dry-run\n");
falco_logger::log(falco_logger::level::DEBUG, "Skipping starting webserver in dry-run\n");
return run_result::ok();
}
@ -37,28 +39,27 @@ falco::app::run_result falco::app::actions::start_webserver(falco::app::state& s
std::string ssl_option = (webserver_config.m_ssl_enabled ? " (SSL)" : "");
falco_logger::log(falco_logger::level::INFO,
"Starting health webserver with threadiness " +
std::to_string(webserver_config.m_threadiness) +
", listening on " + webserver_config.m_listen_address + ":" +
std::to_string(webserver_config.m_listen_port) + ssl_option +
"\n");
std::to_string(webserver_config.m_threadiness) + ", listening on " +
webserver_config.m_listen_address + ":" +
std::to_string(webserver_config.m_listen_port) + ssl_option + "\n");
state.webserver.start(state, webserver_config);
}
#endif
return run_result::ok();
}
falco::app::run_result falco::app::actions::stop_webserver(falco::app::state& state) {
#if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
if(!state.is_capture_mode() && state.config->m_webserver_enabled) {
if(state.is_capture_mode() || !state.config->m_webserver_enabled) {
return run_result::ok();
}
if(state.options.dry_run) {
falco_logger::log(falco_logger::level::DEBUG,
"Skipping stopping webserver in dry-run\n");
falco_logger::log(falco_logger::level::DEBUG, "Skipping stopping webserver in dry-run\n");
return run_result::ok();
}
state.webserver.stop();
}
#endif
return run_result::ok();
}

16
userspace/falco/app/actions/validate_rules_files.cpp
View File

@ -26,7 +26,10 @@ using namespace falco::app;
using namespace falco::app::actions;
falco::app::run_result falco::app::actions::validate_rules_files(falco::app::state& s) {
if(s.options.validate_rules_filenames.size() > 0) {
if(s.options.validate_rules_filenames.size() == 0) {
return run_result::ok();
}
std::vector<std::string> rules_contents;
falco::load_result::rules_contents_t rc;
@ -108,8 +111,7 @@ falco::app::run_result falco::app::actions::validate_rules_files(falco::app::sta
// printout of `-L` option
nlohmann::json describe_res;
if(successful && (s.options.describe_all_rules || !s.options.describe_rule.empty())) {
std::string* rptr =
!s.options.describe_rule.empty() ? &(s.options.describe_rule) : nullptr;
std::string* rptr = !s.options.describe_rule.empty() ? &(s.options.describe_rule) : nullptr;
const auto& plugins = s.offline_inspector->get_plugin_manager()->plugins();
describe_res = s.engine->describe_rule(rptr, plugins);
}
@ -129,12 +131,8 @@ falco::app::run_result falco::app::actions::validate_rules_files(falco::app::sta
}
}
if(successful) {
return run_result::exit();
} else {
if(!successful) {
return run_result::fatal(summary);
}
}
return run_result::ok();
return run_result::exit();
}