new(userspace/falco): added syscall_drop_failed option to drop failed syscalls exit events.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

falco.yaml

@@ -170,6 +170,8 @@ syscall_event_drops:
 syscall_event_timeouts:
   max_consecutives: 1000
 
+syscall_drop_failed: false
+
 # --- [Description]
 #
 # This is an index that controls the dimension of the syscall buffers.

userspace/falco/app/actions/helpers_inspector.cpp

@@ -125,5 +125,10 @@ falco::app::run_result falco::app::actions::open_live_inspector(
 		return run_result::fatal(e.what());
 	}
 
+	if (s.config->m_syscall_drop_failed)
+	{
+		falco_logger::log(LOG_DEBUG, "Failed syscalls exit event will be dropped.\n");
+		inspector->set_dropfailed(true);
+	}
 	return run_result::ok();
 }

userspace/falco/configuration.cpp

@@ -57,7 +57,8 @@ falco_configuration::falco_configuration():
 	m_metadata_download_chunk_wait_us(1000),
 	m_metadata_download_watch_freq_sec(1),
 	m_syscall_buf_size_preset(4),
-	m_cpus_for_each_syscall_buffer(2)
+	m_cpus_for_each_syscall_buffer(2),
+	m_syscall_drop_failed(false)
 {
 }
 
@@ -313,6 +314,8 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 
 	m_cpus_for_each_syscall_buffer = config.get_scalar<uint16_t>("modern_bpf.cpus_for_each_syscall_buffer", 2);
 
+	m_syscall_drop_failed = config.get_scalar<bool>("syscall_drop_failed", false);
+
 	m_base_syscalls.clear();
 	config.get_sequence<std::unordered_set<std::string>>(m_base_syscalls, std::string("base_syscalls"));
 

userspace/falco/configuration.h

@@ -106,6 +106,8 @@ public:
 	// Number of CPUs associated with a single ring buffer.
 	uint16_t m_cpus_for_each_syscall_buffer;
 
+	bool m_syscall_drop_failed;
+
 	// User supplied base_syscalls, overrides any Falco state engine enforcement.
 	std::unordered_set<std::string> m_base_syscalls;