diff --git a/userspace/falco/app_actions/load_plugins.cpp b/userspace/falco/app_actions/load_plugins.cpp
index f767e7c5..e198dc32 100644
--- a/userspace/falco/app_actions/load_plugins.cpp
+++ b/userspace/falco/app_actions/load_plugins.cpp
@@ -28,7 +28,8 @@ application::run_result application::load_plugins()
 }
 #endif
- // The only enabled event source is syscall by default
+ // By default only the syscall event source is loaded and enabled
+ m_state->loaded_sources = {falco_common::syscall_source};
 m_state->enabled_sources = {falco_common::syscall_source};
 std::string err = "";
@@ -54,8 +55,11 @@ application::run_result application::load_plugins()
 + "' already loaded");
 }
 loaded_plugin = plugin;
- m_state->enabled_sources = {plugin->event_source()};
 m_state->inspector->set_input_plugin(p.m_name, p.m_open_params);
+
+ m_state->loaded_sources.insert(plugin->event_source());
+ // todo(jasondellaluce): change this once we support multiple enabled event sources
+ m_state->enabled_sources = {plugin->event_source()};
 }
 // Init filtercheck list for the plugin's source and add the
diff --git a/userspace/falco/app_actions/select_event_sources.cpp b/userspace/falco/app_actions/select_event_sources.cpp
index 2270030f..476b152b 100644
--- a/userspace/falco/app_actions/select_event_sources.cpp
+++ b/userspace/falco/app_actions/select_event_sources.cpp
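Review bot: In the second hunk of load_plugins.cpp, `m_state->loaded_sources.insert(plugin->event_source());` accepts whatever source name the plugin reports, and nothing visible here rejects a plugin that reports `falco_common::syscall_source`. Because the set deduplicates, that collision would go unnoticed, and the new comparison against `falco_common::syscall_source` in select_event_sources() would then reset the input plugin, so the plugin would never be read. If the plugin framework does not already forbid the name, a guard before the insert makes it explicit: `if (plugin->event_source() == falco_common::syscall_source) return run_result::fatal("Plugin '" + p.m_name + "' uses the reserved source name");`. The enclosing loop starts and ends outside the hunk.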
@@ -20,13 +20,37 @@ application::run_result application::select_event_sources()
 // event sources selection is meaningless when reading trace files
 if (!is_capture_mode())
 {
- for(const auto &src : m_options.disable_sources)
+ if (!m_options.enable_sources.empty() && !m_options.disable_sources.empty())
 {
- if (m_state->enabled_sources.find(src) == m_state->enabled_sources.end())
+ return run_result::fatal("You can not mix --enable-source and --disable-source");
+ }
+
+ if (!m_options.enable_sources.empty())
+ {
+ m_state->enabled_sources.clear();
+ for(const auto &src : m_options.enable_sources)
 {
- return run_result::fatal("Attempted disabling an unknown event source: " + src);
+ if (m_state->loaded_sources.find(src) == m_state->loaded_sources.end())
+ {
+ return run_result::fatal("Attempted enabling an unknown event source: " + src);
+ }
+ m_state->enabled_sources.insert(src);
+ }
+ }
+ else if (!m_options.disable_sources.empty())
+ {
+ // this little hack ensure that the single-source samentic gets respected
+ // todo(jasondellaluce): remove this insert once we support multiple enabled event sources
+ m_state->enabled_sources = m_state->loaded_sources;
+
+ for(const auto &src : m_options.disable_sources)
+ {
+ if (m_state->loaded_sources.find(src) == m_state->loaded_sources.end())
+ {
+ return run_result::fatal("Attempted disabling an unknown event source: " + src);
+ }
+ m_state->enabled_sources.erase(src);
 }
- m_state->enabled_sources.erase(src);
 }
 if(m_state->enabled_sources.empty())
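Review bot: The comment above `m_state->enabled_sources = m_state->loaded_sources;` does not describe the statement: it is an assignment, not an insert, and it widens the enabled set to every loaded source rather than keeping it to one. A comment such as `// --disable-source starts from all loaded sources; the later single-source check still applies` would match the code, and "samentic" should read "semantics". The enable and disable loops also differ only in the error verb and the insert/erase call, so a small private helper that validates a list against `loaded_sources` would remove the duplication. The enclosing function continues outside the hunk.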
@@ -34,6 +58,17 @@ application::run_result application::select_event_sources()
 return run_result::fatal("Must enable at least one event source");
 }
+ // these two little hacks ensure that the single-source samentic gets respected
+ // todo(jasondellaluce): remove these two once we support multiple enabled event sources
+ if(m_state->enabled_sources.size() > 1)
+ {
+ return run_result::fatal("Can not enable more than one event source");
+ }
+ if(*m_state->enabled_sources.begin() == falco_common::syscall_source)
+ {
+ m_state->inspector->m_input_plugin = nullptr;
+ }
+
 /* Print all enabled sources. */
 std::ostringstream os;
 std::copy(m_state->enabled_sources.begin(), m_state->enabled_sources.end(), std::ostream_iterator(os, ","));
diff --git a/userspace/falco/application.cpp b/userspace/falco/application.cpp
index bc55d88f..39ea3edf 100644
--- a/userspace/falco/application.cpp
+++ b/userspace/falco/application.cpp
@@ -41,6 +41,7 @@ application::run_result::~run_result()
 application::state::state() :
 restart(false),
 terminate(false),
+ loaded_sources({falco_common::syscall_source}),
 enabled_sources({falco_common::syscall_source})
 {
 config = std::make_shared();
diff --git a/userspace/falco/application.h b/userspace/falco/application.h
index b721a468..60586af0 100644
--- a/userspace/falco/application.h
+++ b/userspace/falco/application.h
@@ -69,6 +69,7 @@ private:
 std::shared_ptr outputs;
 std::shared_ptr engine;
 std::shared_ptr inspector;
+ std::set loaded_sources;
 std::set enabled_sources;
 // The event source index that correspond to "syscall"
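Review bot: In the second select_event_sources.cpp hunk, `m_state->inspector->m_input_plugin = nullptr;` writes an inspector member directly after load_plugins() has already registered the plugin through `set_input_plugin(p.m_name, p.m_open_params)`, so anything else that call configured is presumably left in place. The reset is also silent: an operator who loads a plugin and ends up on the syscall source only sees the enabled-sources line that follows, with no hint that a loaded source is inactive. I would log the loaded-but-not-enabled sources at info level in that branch and add a comment such as `// syscall source selected: undo the input plugin registered in load_plugins()`. Indentation is lost here, so it is not visible whether this block sits inside `if (!is_capture_mode())`; the `*m_state->enabled_sources.begin()` dereference relies on the set being non-empty on every path that reaches it.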
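Review bot: In application.h, `loaded_sources` is added without a comment, and its relationship to `enabled_sources` is only implied by the checks in select_event_sources(). A short comment on the member would state the invariant, e.g. `// Event sources available to this run (syscall plus loaded plugins); enabled_sources is expected to be a subset`. The `state` struct starts and ends outside the hunk.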