github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-13 06:24:29 +00:00
Code Issues Projects Releases Wiki Activity

new(falco): print all events (not just syscall)

Browse Source 
Signed-off-by: Luca Guerra <luca@guerra.sh>
This commit is contained in:
Luca Guerra 2023-07-21 10:27:09 +00:00 committed by poiana
parent 79b39b54d0
commit b21bfd6e8d
1 changed files with 137 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

186
userspace/falco/app/actions/print_syscall_events.cpp
View File

@ -16,6 +16,8 @@ limitations under the License.
#include "actions.h" #include "actions.h"
#include "helpers.h" #include "helpers.h"
#include "../app.h"
#include "../../versions_info.h"
using namespace falco::app; using namespace falco::app;
using namespace falco::app::actions; using namespace falco::app::actions;
@ -28,10 +30,56 @@ struct event_entry
const ppm_event_info* info; const ppm_event_info* info;
}; };
static std::vector<event_entry> get_event_entries(bool include_generics, const libsinsp::events::set<ppm_event_code>& available) struct events_by_category
{ {
event_entry entry; std::vector<event_entry> syscalls;
std::vector<event_entry> events; std::vector<event_entry> tracepoints;
std::vector<event_entry> pluginevents;
std::vector<event_entry> metaevents;
void add_event(ppm_event_code e, bool available, std::string name = "") {
event_entry entry;
entry.is_enter = PPME_IS_ENTER(e);
entry.info = libsinsp::events::info(e);
entry.available = available;
if (name == "")
{
entry.name = entry.info->name;
} else {
entry.name = name;
}
if (libsinsp::events::is_syscall_event(e))
{
syscalls.push_back(entry);
return;
}
if (libsinsp::events::is_tracepoint_event(e))
{
tracepoints.push_back(entry);
return;
}
if (libsinsp::events::is_plugin_event(e))
{
pluginevents.push_back(entry);
return;
}
if (libsinsp::events::is_metaevent(e))
{
metaevents.push_back(entry);
return;
}
}
};
static struct events_by_category get_event_entries_by_category(bool include_generics, const libsinsp::events::set<ppm_event_code>& available)
{
events_by_category result;
// skip generic events // skip generic events
for (const auto& e: libsinsp::events::all_event_set()) for (const auto& e: libsinsp::events::all_event_set())
@ -41,11 +89,7 @@ static std::vector<event_entry> get_event_entries(bool include_generics, const l
&& !libsinsp::events::is_unused_event(e) && !libsinsp::events::is_unused_event(e)
&& !libsinsp::events::is_unknown_event(e)) && !libsinsp::events::is_unknown_event(e))
{ {
entry.is_enter = PPME_IS_ENTER(e); result.add_event(e, available.contains(e));
entry.available = available.contains(e);
entry.info = libsinsp::events::info(e);
entry.name = entry.info->name;
events.push_back(entry);
} }
} }
@ -55,60 +99,104 @@ static std::vector<event_entry> get_event_entries(bool include_generics, const l
const auto names = libsinsp::events::event_set_to_names({ppm_event_code::PPME_GENERIC_E}); const auto names = libsinsp::events::event_set_to_names({ppm_event_code::PPME_GENERIC_E});
for (const auto& name : names) for (const auto& name : names)
{ {
entry.is_enter = PPME_IS_ENTER(ppm_event_code::PPME_GENERIC_E); result.add_event(ppm_event_code::PPME_GENERIC_E, available.contains(ppm_event_code::PPME_GENERIC_E), name);
entry.available = available.contains(ppm_event_code::PPME_GENERIC_E); result.add_event(ppm_event_code::PPME_GENERIC_X, available.contains(ppm_event_code::PPME_GENERIC_X), name);
entry.info = libsinsp::events::info(ppm_event_code::PPME_GENERIC_E);
entry.name = name;
events.push_back(entry);
entry.is_enter = PPME_IS_ENTER(ppm_event_code::PPME_GENERIC_X);
entry.available = available.contains(ppm_event_code::PPME_GENERIC_X);
entry.info = libsinsp::events::info(ppm_event_code::PPME_GENERIC_X);
entry.name = name;
events.push_back(entry);
} }
} }
return events; return result;
}
static bool is_flag_type(ppm_param_type type)
{
return (type == PT_FLAGS8 || type == PT_FLAGS16 || type == PT_FLAGS32 ||
type == PT_ENUMFLAGS8 || type == PT_ENUMFLAGS16 || type == PT_ENUMFLAGS32);
}
static void print_param(const struct ppm_param_info *param, bool markdown) {
printf("%s **%s**", param_type_to_string(param->type), param->name);
if (is_flag_type(param->type) && param->info) {
auto flag_info = static_cast<const ppm_name_value*>(param->info);
printf(": ");
for (size_t i = 0; flag_info[i].name != NULL; i++) {
if (i != 0)
{
printf(", ");
}
if (markdown) {
printf("*%s*", flag_info[i].name);
} else {
printf("%s", flag_info[i].name);
}
}
}
}
static void print_events(const std::vector<event_entry> &events, bool markdown)
{
if(markdown)
{
printf("Default | Dir | Name | Params \n");
printf(":-------|:----|:-----|:-----\n");
}
for (const auto& e : events)
{
char dir = e.is_enter ? '>' : '<';
if (markdown)
{
printf(e.available ? "Yes" : "No");
printf(" | `%c` | `%s` | ", dir, e.name.c_str());
}
else
{
printf("%c %s(", dir, e.name.c_str());
}
for(uint32_t k = 0; k < e.info->nparams; k++)
{
if(k != 0)
{
printf(", ");
}
print_param(&e.info->params[k], markdown);
}
if (markdown)
{
printf("\n");
}
else
{
printf(")\n");
}
}
} }
falco::app::run_result falco::app::actions::print_syscall_events(falco::app::state& s) falco::app::run_result falco::app::actions::print_syscall_events(falco::app::state& s)
{ {
if(s.options.list_syscall_events) if(s.options.list_syscall_events)
{ {
const auto events = get_event_entries(true, libsinsp::events::all_event_set()); const falco::versions_info info(s.offline_inspector);
printf("The events below are valid for Falco *Schema Version*: %s\n", info.driver_schema_version.c_str());
if(s.options.markdown) const libsinsp::events::set<ppm_event_code> available = libsinsp::events::all_event_set().diff(sc_set_to_event_set(falco::app::ignored_sc_set()));
{ const struct events_by_category events_bc = get_event_entries_by_category(true, available);
printf("Falco | Dir | Event\n");
printf(":-----|:----|:-----\n");
}
for (const auto& e : events) printf("## Syscall events\n\n");
{ print_events(events_bc.syscalls, s.options.markdown);
char dir = e.is_enter ? '>' : '<';
if (s.options.markdown)
{
printf(e.available ? "Yes" : "No");
printf(" | %c | **%s**(", dir, e.name.c_str());
}
else
{
printf("%c %s(", dir, e.name.c_str());
}
for(uint32_t k = 0; k < e.info->nparams; k++) printf("\n\n## Tracepoint events\n\n");
{ print_events(events_bc.tracepoints, s.options.markdown);
if(k != 0)
{
printf(", ");
}
printf("%s %s", param_type_to_string(e.info->params[k].type), printf("\n\n## Plugin events\n\n");
e.info->params[k].name); print_events(events_bc.pluginevents, s.options.markdown);
}
printf(")\n"); printf("\n\n## Metaevents\n\n");
} print_events(events_bc.metaevents, s.options.markdown);
return run_result::exit(); return run_result::exit();
} }