diff --git a/falco.yaml b/falco.yaml
index 64c064b2..111ad4a8 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -170,6 +170,8 @@ syscall_event_drops:
 syscall_event_timeouts:
   max_consecutives: 1000
 
+syscall_drop_failed: false
+
 # --- [Description]
 #
 # This is an index that controls the dimension of the syscall buffers.
diff --git a/userspace/falco/app/actions/helpers_inspector.cpp b/userspace/falco/app/actions/helpers_inspector.cpp
index 763c67d7..ade62702 100644
--- a/userspace/falco/app/actions/helpers_inspector.cpp
+++ b/userspace/falco/app/actions/helpers_inspector.cpp
@@ -125,5 +125,10 @@ falco::app::run_result falco::app::actions::open_live_inspector(
 return run_result::fatal(e.what());
 }
 
+ if (s.config->m_syscall_drop_failed)
+ {
+ falco_logger::log(LOG_DEBUG, "Failed syscalls exit event will be dropped.\n");
+ inspector->set_dropfailed(true);
+ }
 return run_result::ok();
 }
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index a3d9f645..ef276f3c 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -57,7 +57,8 @@ falco_configuration::falco_configuration():
 m_metadata_download_chunk_wait_us(1000),
 m_metadata_download_watch_freq_sec(1),
 m_syscall_buf_size_preset(4),
- m_cpus_for_each_syscall_buffer(2)
+ m_cpus_for_each_syscall_buffer(2),
+ m_syscall_drop_failed(false)
 {
 }
 
@@ -313,6 +314,8 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 m_cpus_for_each_syscall_buffer = config.get_scalar("modern_bpf.cpus_for_each_syscall_buffer", 2);
 
+ m_syscall_drop_failed = config.get_scalar("syscall_drop_failed", false);
+
 m_base_syscalls.clear();
 config.get_sequence>(m_base_syscalls, std::string("base_syscalls"));
 
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index e4f864e1..8bd14f38 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
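Review bot: The new `syscall_drop_failed` key is added without the `# --- [Description]` comment block that every neighbouring option in falco.yaml carries, so a reader of the shipped config cannot tell what enabling it changes. The helpers_inspector.cpp hunk shows that a true value makes the inspector drop the exit events of failed syscalls, which is a visibility trade-off: any rule that is meant to fire on a syscall that failed will no longer see those events. Add a description block above the key stating the default (`false`), that it reduces event volume at the cost of not observing failed syscalls, and that it should stay disabled where detection of failed calls matters.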
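Review bot: The message in the new `if (s.config->m_syscall_drop_failed)` block is logged at LOG_DEBUG, yet the setting changes which events reach the rule engine at all; an operator wondering why a rule never fires on failed syscalls will not see it at the default verbosity. Consider raising it and naming the option, e.g. `falco_logger::log(LOG_INFO, "syscall_drop_failed is enabled: exit events of failed syscalls will be dropped.\n");`. A one-line why-comment above the block, such as `// Reduces event volume; rules that depend on failed syscalls will not see them`, would also help the next reader. open_live_inspector's body starts outside the hunk, so whether set_dropfailed must run after the inspector is opened cannot be confirmed from here.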
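Review bot: The default `false` for `m_syscall_drop_failed` is now written twice, once in the constructor initializer list in this hunk and again as the fallback argument of `config.get_scalar("syscall_drop_failed", false)` in the load_yaml hunk below; if one is changed the other silently drifts. A single source of truth would be an in-class initializer on the member in configuration.h, e.g. `bool m_syscall_drop_failed{false};`, with the load_yaml call passing the member as its own fallback, `m_syscall_drop_failed = config.get_scalar("syscall_drop_failed", m_syscall_drop_failed);`. As written, the initializer order here does match the declaration order shown in the configuration.h hunk, so no -Wreorder issue is introduced.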
@@ -106,6 +106,8 @@ public:
 // Number of CPUs associated with a single ring buffer.
 uint16_t m_cpus_for_each_syscall_buffer;
 
+ bool m_syscall_drop_failed;
+
 // User supplied base_syscalls, overrides any Falco state engine enforcement.
 std::unordered_set m_base_syscalls;