diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake
index e9d34925..a1b2c4f6 100644
--- a/cmake/modules/driver.cmake
+++ b/cmake/modules/driver.cmake
@@ -26,8 +26,8 @@ else()
 # In case you want to test against another driver version (or branch, or commit) just pass the variable - # ie., `cmake -DDRIVER_VERSION=dev ..`
 if(NOT DRIVER_VERSION)
- set(DRIVER_VERSION "7cdd608db39287417a09c5c4743cd90efde7baec")
- set(DRIVER_CHECKSUM "SHA256=ab9b621aad060b0dfddba0d7ee16f5f53ae72a7c9fe5dd84aadfed27046343e6")
+ set(DRIVER_VERSION "ccb0e0a2ce564f32e0fdc00b60ed9a1f4d01a3df")
+ set(DRIVER_CHECKSUM "SHA256=d6ef99d45825dad298580e41b25b5683eb7f97cd886533325b17428c4c6c5148")
 endif()
 # cd /path/to/build && cmake /path/to/source
diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake
index 03efaa59..7288c358 100644
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -27,8 +27,8 @@ else()
 # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable - # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
 if(NOT FALCOSECURITY_LIBS_VERSION)
- set(FALCOSECURITY_LIBS_VERSION "7cdd608db39287417a09c5c4743cd90efde7baec")
- set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=ab9b621aad060b0dfddba0d7ee16f5f53ae72a7c9fe5dd84aadfed27046343e6")
+ set(FALCOSECURITY_LIBS_VERSION "ccb0e0a2ce564f32e0fdc00b60ed9a1f4d01a3df")
+ set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=d6ef99d45825dad298580e41b25b5683eb7f97cd886533325b17428c4c6c5148")
 endif()
 # cd /path/to/build && cmake /path/to/source
diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
index 91085970..118ca5e9 100644
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -1098,7 +1098,7 @@ trace_files: !mux - rules/catchall_order.yaml detect_counts: - open_dev_null: 1
- dev_null: 0
+ dev_null: 6
 trace_file: trace_files/cat_write.scap
 validate_skip_unknown_noevt: 
diff --git a/userspace/falco/app_actions/configure_interesting_sets.cpp b/userspace/falco/app_actions/configure_interesting_sets.cpp
index 61654338..82c2cd0b 100644
--- a/userspace/falco/app_actions/configure_interesting_sets.cpp
+++ b/userspace/falco/app_actions/configure_interesting_sets.cpp
@@ -21,7 +21,7 @@ using namespace falco::app;
 void application::configure_interesting_sets()
 {
 /// TODO: in the next future we need to change the interface of `enforce_simple_ppm_sc_set`
- /// and `enforce_sinsp_state_tracepoints` APIs, they shouldn't require an inspector to be called!
+ /// and `enforce_sinsp_state_tp` APIs, they shouldn't require an inspector to be called!
 std::unique_ptr inspector(new sinsp());
 /* Please note: here we fill these 2 sets because we are interested in only some features, if we leave
@@ -38,6 +38,6 @@ void application::configure_interesting_sets()
 * the `sched_switch` tracepoint since it is highly noisy and not so useful
 * for our state/events enrichment. */
- m_state->tp_of_interest = inspector->enforce_sinsp_state_tracepoints();
+ m_state->tp_of_interest = inspector->enforce_sinsp_state_tp();
 m_state->tp_of_interest.erase(SCHED_SWITCH);
 }
diff --git a/userspace/falco/app_actions/load_rules_files.cpp b/userspace/falco/app_actions/load_rules_files.cpp
index 57ea44fc..a4879c2b 100644
--- a/userspace/falco/app_actions/load_rules_files.cpp
+++ b/userspace/falco/app_actions/load_rules_files.cpp
@@ -177,7 +177,8 @@ application::run_result application::load_rules_files()
 m_state->engine->enable_rule_by_tag(m_options.enabled_rule_tags, true);
 }
- if(!m_options.all_events)
+ /* Reading a scap file we have no concepts of ignored events we read all we need. */
+ if(!m_options.all_events && !is_capture_mode())
 {
 /* Here we have already initialized the application state with the interesting syscalls,
 * so we have to check if any event types used by the loaded rules are not considered by 
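Review bot: The new comment above the `is_capture_mode()` check in load_rules_files is a run-on sentence and does not say what the check protects, so a reader cannot tell why replay is exempt from it; I would reword it to `/* When replaying a capture file there is no notion of ignored events: every event in the file is read, so the rule-vs-interesting-set consistency check below only matters for live captures. */`. The new condition itself looks consistent with the cmdline hunk, which states that -A has no effect unless the capture is live, and keeping the check for live mode is what stops a rule that references an event type outside the interesting set from being silently dead, as far as the visible comment describes it. load_rules_files starts and ends outside the hunk, so the body of the guarded block is not visible here.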
diff --git a/userspace/falco/app_actions/process_events.cpp b/userspace/falco/app_actions/process_events.cpp
index 09cfc856..f5872bc5 100644
--- a/userspace/falco/app_actions/process_events.cpp
+++ b/userspace/falco/app_actions/process_events.cpp
@@ -189,13 +189,6 @@ application::run_result application::do_inspect(
 return run_result::fatal("Drop manager internal error");
 }
- /* If we have not set the `-A` flag and the event is unused or old, interrupt the flow */
- uint16_t evt_type = ev->get_type();
- if(!m_options.all_events && (sinsp::is_unused_event(evt_type) || sinsp::is_old_version_event(evt_type)))
- {
- continue;
- }
- // As the inspector has no filter at its level, all
 // events are returned here. Pass them to the falco
 // engine, which will match the event against the set
diff --git a/userspace/falco/app_cmdline_options.cpp b/userspace/falco/app_cmdline_options.cpp
index d85aada3..ca5199d8 100644
--- a/userspace/falco/app_cmdline_options.cpp
+++ b/userspace/falco/app_cmdline_options.cpp
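Review bot: After deleting the per-event unused/old-version skip, nothing in do_inspect says where that filtering now happens, and the surviving comment (`As the inspector has no filter at its level, all events are returned here`) now reads as if -A were meaningless, which contradicts the new -A help text in app_cmdline_options.cpp. I would add, at the point where the block was removed, `// Event-type filtering (unused/old event types unless -A is given) is no longer done here: for live captures it is applied through the interesting sets configured at startup, and capture files are replayed in full.` — the capture-file part is inferred from the load_rules_files hunk and should be confirmed against is_capture_mode(). The changed dev_null detect count in test/falco_tests.yaml appears to be the observable effect of replay now delivering those events to the engine, and a one-line note in the test file saying so would save the next person a bisect. do_inspect starts and ends outside the hunk.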
@@ -155,7 +155,7 @@ void cmdline_options::define()
 #else
 ("c", "Configuration file. If not specified tries " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ".", cxxopts::value(conf_filename), "")
 #endif
- ("A", "Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.", cxxopts::value(all_events)->default_value("false"))
+ ("A", "Monitor all events, including not interesting ones. Please use the `--i` command line option to see the ignored events. This option has no effect if the capture is not live", cxxopts::value(all_events)->default_value("false"))
 ("b,print-base64", "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
 ("cri", "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses libs default. It can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "")
 ("d,daemon", "Run as a daemon.", cxxopts::value(daemon)->default_value("false"))
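Review bot: The new -A help text tells users to run `--i`, but every single-letter option in this table (`A`, `c`, `d`) is a short option spelled with one dash, and the removed process_events comment itself refers to `-A`, so the reference should most likely be `-i` unless a long option literally named `i` is defined elsewhere in define(). The sentence also lacks a final period and `including not interesting ones` is awkward. I would change the description string to `"Monitor all events, including those not marked as interesting. Use the -i option to list the ignored events. This option has no effect when the capture is not live."`. define()'s body continues outside the hunk, and the `cxxopts::value` template arguments appear to have been stripped by the page rendering rather than by the commit.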