refactor(userspace/falco): implement complete event source selection

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
2025-06-25 06:12:06 +00:00 · 2022-06-22 15:29:10 +00:00 · 2022-06-22 15:29:10 +00:00 · cc4ccc40d7
commit cc4ccc40d7
parent 0e2a053151
4 changed files with 47 additions and 6 deletions
--- a/userspace/falco/app_actions/load_plugins.cpp
+++ b/userspace/falco/app_actions/load_plugins.cpp
@ -28,7 +28,8 @@ application::run_result application::load_plugins()
 	}
 #endif

-	// The only enabled event source is syscall by default
+	// By default only the syscall event source is loaded and enabled
+	m_state->loaded_sources = {falco_common::syscall_source};
 	m_state->enabled_sources = {falco_common::syscall_source};

 	std::string err = "";
@ -54,8 +55,11 @@ application::run_result application::load_plugins()
 						+ "' already loaded");
 				}
 				loaded_plugin = plugin;
-				m_state->enabled_sources = {plugin->event_source()};
 				m_state->inspector->set_input_plugin(p.m_name, p.m_open_params);
+
+				m_state->loaded_sources.insert(plugin->event_source());
+				// todo(jasondellaluce): change this once we support multiple enabled event sources
+				m_state->enabled_sources = {plugin->event_source()};
 			}

 			// Init filtercheck list for the plugin's source and add the
--- a/userspace/falco/app_actions/select_event_sources.cpp
+++ b/userspace/falco/app_actions/select_event_sources.cpp
@ -20,13 +20,37 @@ application::run_result application::select_event_sources()
 	// event sources selection is meaningless when reading trace files
 	if (!is_capture_mode())
 	{
-		for(const auto &src : m_options.disable_sources)
+		if (!m_options.enable_sources.empty() && !m_options.disable_sources.empty())
 		{
-			if (m_state->enabled_sources.find(src) == m_state->enabled_sources.end())
+			return run_result::fatal("You can not mix --enable-source and --disable-source");
+		}
+
+		if (!m_options.enable_sources.empty())
+		{
+			m_state->enabled_sources.clear();
+			for(const auto &src : m_options.enable_sources)
 			{
-				return run_result::fatal("Attempted disabling an unknown event source: " + src);
+				if (m_state->loaded_sources.find(src) == m_state->loaded_sources.end())
+				{
+					return run_result::fatal("Attempted enabling an unknown event source: " + src);
+				}
+				m_state->enabled_sources.insert(src);
+			}
+		}
+		else if (!m_options.disable_sources.empty())
+		{
+			// this little hack ensure that the single-source samentic gets respected
+			// todo(jasondellaluce): remove this insert once we support multiple enabled event sources
+			m_state->enabled_sources = m_state->loaded_sources;
+
+			for(const auto &src : m_options.disable_sources)
+			{
+				if (m_state->loaded_sources.find(src) == m_state->loaded_sources.end())
+				{
+					return run_result::fatal("Attempted disabling an unknown event source: " + src);
+				}
+				m_state->enabled_sources.erase(src);
 			}
-			m_state->enabled_sources.erase(src);
 		}

 		if(m_state->enabled_sources.empty())
@ -34,6 +58,17 @@ application::run_result application::select_event_sources()
 			return run_result::fatal("Must enable at least one event source");
 		}

+		// these two little hacks ensure that the single-source samentic gets respected
+		// todo(jasondellaluce): remove these two once we support multiple enabled event sources
+		if(m_state->enabled_sources.size() > 1)
+		{
+			return run_result::fatal("Can not enable more than one event source");
+		}
+		if(*m_state->enabled_sources.begin() == falco_common::syscall_source)
+		{
+			m_state->inspector->m_input_plugin = nullptr;
+		}
+
 		/* Print all enabled sources. */
 		std::ostringstream os;
 		std::copy(m_state->enabled_sources.begin(), m_state->enabled_sources.end(), std::ostream_iterator<std::string>(os, ","));
--- a/userspace/falco/application.cpp
+++ b/userspace/falco/application.cpp
@ -41,6 +41,7 @@ application::run_result::~run_result()
 application::state::state()
 	: restart(false),
 	  terminate(false),
+	  loaded_sources({falco_common::syscall_source}),
 	  enabled_sources({falco_common::syscall_source})
 {
 	config = std::make_shared<falco_configuration>();
--- a/userspace/falco/application.h
+++ b/userspace/falco/application.h
@ -69,6 +69,7 @@ private:
 		std::shared_ptr<falco_outputs> outputs;
 		std::shared_ptr<falco_engine> engine;
 		std::shared_ptr<sinsp> inspector;
+		std::set<std::string> loaded_sources;
 		std::set<std::string> enabled_sources;

 		// The event source index that correspond to "syscall"