github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-18 18:58:41 +00:00
Code Issues Projects Releases Wiki Activity

Squash w Move falco_init() code to individual app actions

Browse Source
This commit is contained in:
Mark Stemm
2022-03-04 12:52:59 -08:00
parent 4e5f6c0517
commit cec0f8c6cc
19 changed files with 172 additions and 164 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
userspace/falco/app_actions/daemonize.cpp
View File

@@ -48,7 +48,7 @@ runnable_action::run_result act_daemonize::run()
// If daemonizing, do it here so any init errors will
// be returned in the foreground process.
if (app().options().daemon && !m_daemonized) {
if (options().daemon && !m_daemonized) {
pid_t pid, sid;
pid = fork();
@@ -61,12 +61,12 @@ runnable_action::run_result act_daemonize::run()
} else if (pid > 0) {
// parent. Write child pid to pidfile and exit
std::ofstream pidfile;
pidfile.open(app().options().pidfilename);
pidfile.open(options().pidfilename);
if (!pidfile.good())
{
ret.success = false;
ret.errstr = string("Could not write pid to pid file ") + app().options().pidfilename + ".";
ret.errstr = string("Could not write pid to pid file ") + options().pidfilename + ".";
ret.proceed = false;
return ret;
}

30
userspace/falco/app_actions/init_falco_engine.cpp
View File

@@ -49,34 +49,34 @@ runnable_action::run_result act_init_falco_engine::run()
// syscalls and k8s audit events.
// libs requires raw pointer, we should modify libs to use reference/shared_ptr
std::shared_ptr<gen_event_filter_factory> syscall_filter_factory(new sinsp_filter_factory(app().state().inspector.get()));
std::shared_ptr<gen_event_filter_factory> syscall_filter_factory(new sinsp_filter_factory(state().inspector.get()));
std::shared_ptr<gen_event_filter_factory> k8s_audit_filter_factory(new json_event_filter_factory());
// libs requires raw pointer, we should modify libs to use reference/shared_ptr
std::shared_ptr<gen_event_formatter_factory> syscall_formatter_factory(new sinsp_evt_formatter_factory(app().state().inspector.get()));
std::shared_ptr<gen_event_formatter_factory> syscall_formatter_factory(new sinsp_evt_formatter_factory(state().inspector.get()));
std::shared_ptr<gen_event_formatter_factory> k8s_audit_formatter_factory(new json_event_formatter_factory(k8s_audit_filter_factory));
app().state().engine->add_source(application::s_syscall_source, syscall_filter_factory, syscall_formatter_factory);
app().state().engine->add_source(application::s_k8s_audit_source, k8s_audit_filter_factory, k8s_audit_formatter_factory);
state().engine->add_source(application::s_syscall_source, syscall_filter_factory, syscall_formatter_factory);
state().engine->add_source(application::s_k8s_audit_source, k8s_audit_filter_factory, k8s_audit_formatter_factory);
if(app().state().config->m_json_output)
if(state().config->m_json_output)
{
syscall_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
k8s_audit_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
}
for(const auto &src : app().options().disable_sources)
for(const auto &src : options().disable_sources)
{
app().state().enabled_sources.erase(src);
state().enabled_sources.erase(src);
}
// XXX/mstemm technically this isn't right, you could disable syscall *and* k8s_audit and configure a plugin.
if(app().state().enabled_sources.empty())
if(state().enabled_sources.empty())
{
throw std::invalid_argument("The event source \"syscall\" and \"k8s_audit\" can not be disabled together");
}
app().state().engine->set_min_priority(app().state().config->m_min_priority);
state().engine->set_min_priority(state().config->m_min_priority);
return ret;
}
@@ -86,30 +86,30 @@ void act_init_falco_engine::configure_output_format()
std::string output_format;
bool replace_container_info = false;
if(app().options().print_container)
if(options().print_container)
{
output_format = "container=%container.name (id=%container.id)";
replace_container_info = true;
}
else if(app().options().print_kubernetes)
else if(options().print_kubernetes)
{
output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
replace_container_info = true;
}
else if(app().options().print_mesos)
else if(options().print_mesos)
{
output_format = "task=%mesos.task.name container=%container.id";
replace_container_info = true;
}
else if(!app().options().print_additional.empty())
else if(!options().print_additional.empty())
{
output_format = app().options().print_additional;
output_format = options().print_additional;
replace_container_info = false;
}
if(!output_format.empty())
{
app().state().engine->set_extra(output_format, replace_container_info);
state().engine->set_extra(output_format, replace_container_info);
}
}

44
userspace/falco/app_actions/init_inspector.cpp
View File

@@ -42,46 +42,46 @@ runnable_action::run_result act_init_inspector::run()
{
run_result ret = {true, "", true};
app().state().inspector->set_buffer_format(app().options().event_buffer_format);
state().inspector->set_buffer_format(options().event_buffer_format);
// If required, set the CRI paths
for (auto &p : app().options().cri_socket_paths)
for (auto &p : options().cri_socket_paths)
{
if (!p.empty())
{
app().state().inspector->add_cri_socket_path(p);
state().inspector->add_cri_socket_path(p);
}
}
// Decide wether to do sync or async for CRI metadata fetch
app().state().inspector->set_cri_async(!app().options().disable_cri_async);
state().inspector->set_cri_async(!options().disable_cri_async);
//
// If required, set the snaplen
//
if(app().options().snaplen != 0)
if(options().snaplen != 0)
{
app().state().inspector->set_snaplen(app().options().snaplen);
state().inspector->set_snaplen(options().snaplen);
}
if(!app().options().all_events)
if(!options().all_events)
{
// Drop EF_DROP_SIMPLE_CONS kernel side
app().state().inspector->set_simple_consumer();
state().inspector->set_simple_consumer();
// Eventually, drop any EF_DROP_SIMPLE_CONS event
// that reached userspace (there are some events that are not syscall-based
// like signaldeliver, that have the EF_DROP_SIMPLE_CONS flag)
app().state().inspector->set_drop_event_flags(EF_DROP_SIMPLE_CONS);
state().inspector->set_drop_event_flags(EF_DROP_SIMPLE_CONS);
}
app().state().inspector->set_hostname_and_port_resolution_mode(false);
state().inspector->set_hostname_and_port_resolution_mode(false);
#ifndef MINIMAL_BUILD
falco_logger::log(LOG_DEBUG, "Setting metadata download max size to " + to_string(app().state().config->m_metadata_download_max_mb) + " MB\n");
falco_logger::log(LOG_DEBUG, "Setting metadata download chunk wait time to " + to_string(app().state().config->m_metadata_download_chunk_wait_us) + " μs\n");
falco_logger::log(LOG_DEBUG, "Setting metadata download watch frequency to " + to_string(app().state().config->m_metadata_download_watch_freq_sec) + " seconds\n");
app().state().inspector->set_metadata_download_params(app().state().config->m_metadata_download_max_mb * 1024 * 1024, app().state().config->m_metadata_download_chunk_wait_us, app().state().config->m_metadata_download_watch_freq_sec);
falco_logger::log(LOG_DEBUG, "Setting metadata download max size to " + to_string(state().config->m_metadata_download_max_mb) + " MB\n");
falco_logger::log(LOG_DEBUG, "Setting metadata download chunk wait time to " + to_string(state().config->m_metadata_download_chunk_wait_us) + " μs\n");
falco_logger::log(LOG_DEBUG, "Setting metadata download watch frequency to " + to_string(state().config->m_metadata_download_watch_freq_sec) + " seconds\n");
state().inspector->set_metadata_download_params(state().config->m_metadata_download_max_mb * 1024 * 1024, state().config->m_metadata_download_chunk_wait_us, state().config->m_metadata_download_watch_freq_sec);
#endif
@@ -91,15 +91,15 @@ runnable_action::run_result act_init_inspector::run()
// Run k8s, if required
//
char *k8s_api_env = NULL;
if(!app().options().k8s_api.empty() ||
if(!options().k8s_api.empty() ||
(k8s_api_env = getenv("FALCO_K8S_API")))
{
// Create string pointers for some config vars
// and pass to inspector. The inspector then
// owns the pointers.
std::string *k8s_api_ptr = new string((!app().options().k8s_api.empty() ? app().options().k8s_api : k8s_api_env));
std::string *k8s_api_cert_ptr = new string(app().options().k8s_api_cert);
std::string *k8s_node_name_ptr = new string(app().options().k8s_node_name);
std::string *k8s_api_ptr = new string((!options().k8s_api.empty() ? options().k8s_api : k8s_api_env));
std::string *k8s_api_cert_ptr = new string(options().k8s_api_cert);
std::string *k8s_node_name_ptr = new string(options().k8s_node_name);
if(k8s_api_cert_ptr->empty())
{
@@ -108,24 +108,24 @@ runnable_action::run_result act_init_inspector::run()
*k8s_api_cert_ptr = k8s_cert_env;
}
}
app().state().inspector->init_k8s_client(k8s_api_ptr, k8s_api_cert_ptr, k8s_node_name_ptr, app().options().verbose);
state().inspector->init_k8s_client(k8s_api_ptr, k8s_api_cert_ptr, k8s_node_name_ptr, options().verbose);
}
//
// Run mesos, if required
//
if(!app().options().mesos_api.empty())
if(!options().mesos_api.empty())
{
// Differs from init_k8s_client in that it
// passes a pointer but the inspector does
// *not* own it and does not use it after
// init_mesos_client() returns.
app().state().inspector->init_mesos_client(&(app().options().mesos_api), app().options().verbose);
state().inspector->init_mesos_client(&(options().mesos_api), options().verbose);
}
else if(char* mesos_api_env = getenv("FALCO_MESOS_API"))
{
std::string mesos_api_copy = mesos_api_env;
app().state().inspector->init_mesos_client(&mesos_api_copy, app().options().verbose);
state().inspector->init_mesos_client(&mesos_api_copy, options().verbose);
}
#endif

20
userspace/falco/app_actions/init_outputs.cpp
View File

@@ -65,19 +65,19 @@ runnable_action::run_result act_init_outputs::run()
hostname = c_hostname;
}
app().state().outputs->init(app().state().engine,
app().state().config->m_json_output,
app().state().config->m_json_include_output_property,
app().state().config->m_json_include_tags_property,
app().state().config->m_output_timeout,
app().state().config->m_notifications_rate, app().state().config->m_notifications_max_burst,
app().state().config->m_buffered_outputs,
app().state().config->m_time_format_iso_8601,
state().outputs->init(state().engine,
state().config->m_json_output,
state().config->m_json_include_output_property,
state().config->m_json_include_tags_property,
state().config->m_output_timeout,
state().config->m_notifications_rate, state().config->m_notifications_max_burst,
state().config->m_buffered_outputs,
state().config->m_time_format_iso_8601,
hostname);
for(auto output : app().state().config->m_outputs)
for(auto output : state().config->m_outputs)
{
app().state().outputs->add_output(output);
state().outputs->add_output(output);
}
return ret;

8
userspace/falco/app_actions/list_fields.cpp
View File

@@ -43,17 +43,17 @@ runnable_action::run_result act_list_fields::run()
{
run_result ret = {true, "", true};
if(app().options().list_fields)
if(options().list_fields)
{
if(app().options().list_source_fields != "" &&
!app().state().engine->is_source_valid(app().options().list_source_fields))
if(options().list_source_fields != "" &&
!state().engine->is_source_valid(options().list_source_fields))
{
ret.success = false;
ret.errstr = "Value for --list must be a valid source type";
ret.proceed = false;
return ret;
}
app().state().engine->list_fields(app().options().list_source_fields, app().options().verbose, app().options().names_only);
state().engine->list_fields(options().list_source_fields, options().verbose, options().names_only);
ret.proceed = false;
}

6
userspace/falco/app_actions/list_plugins.cpp
View File

@@ -43,11 +43,11 @@ runnable_action::run_result act_list_plugins::run()
{
run_result ret = {true, "", true};
if(app().options().list_plugins)
if(options().list_plugins)
{
std::ostringstream os;
for(auto &info : app().state().plugin_infos)
for(auto &info : state().plugin_infos)
{
os << "Name: " << info.name << std::endl;
os << "Description: " << info.description << std::endl;
@@ -66,7 +66,7 @@ runnable_action::run_result act_list_plugins::run()
os << std::endl;
}
printf("%lu Plugins Loaded:\n\n%s\n", app().state().plugin_infos.size(), os.str().c_str());
printf("%lu Plugins Loaded:\n\n%s\n", state().plugin_infos.size(), os.str().c_str());
ret.proceed = false;
}

10
userspace/falco/app_actions/load_config.cpp
View File

@@ -42,14 +42,14 @@ runnable_action::run_result act_load_config::run()
{
run_result ret = {true, "", true};
if (app().options().conf_filename.size())
if (options().conf_filename.size())
{
app().state().config->init(app().options().conf_filename, app().options().cmdline_config_options);
falco_logger::set_time_format_iso_8601(app().state().config->m_time_format_iso_8601);
state().config->init(options().conf_filename, options().cmdline_config_options);
falco_logger::set_time_format_iso_8601(state().config->m_time_format_iso_8601);
// log after config init because config determines where logs go
falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
falco_logger::log(LOG_INFO, "Falco initialized with configuration file " + app().options().conf_filename + "\n");
falco_logger::log(LOG_INFO, "Falco initialized with configuration file " + options().conf_filename + "\n");
}
else
{
@@ -63,7 +63,7 @@ runnable_action::run_result act_load_config::run()
#endif
}
app().state().config->m_buffered_outputs = !app().options().unbuffered_outputs;
state().config->m_buffered_outputs = !options().unbuffered_outputs;
return ret;
}

24
userspace/falco/app_actions/load_plugins.cpp
View File

@@ -53,17 +53,17 @@ runnable_action::run_result act_load_plugins::run()
// Factories that can create filters/formatters for
// the (single) source supported by the (single) input plugin.
// libs requires raw pointer, we should modify libs to use reference/shared_ptr
std::shared_ptr<gen_event_filter_factory> plugin_filter_factory(new sinsp_filter_factory(app().state().inspector.get(), plugin_filter_checks));
std::shared_ptr<gen_event_formatter_factory> plugin_formatter_factory(new sinsp_evt_formatter_factory(app().state().inspector.get(), plugin_filter_checks));
std::shared_ptr<gen_event_filter_factory> plugin_filter_factory(new sinsp_filter_factory(state().inspector.get(), plugin_filter_checks));
std::shared_ptr<gen_event_formatter_factory> plugin_formatter_factory(new sinsp_evt_formatter_factory(state().inspector.get(), plugin_filter_checks));
if(app().state().config->m_json_output)
if(state().config->m_json_output)
{
plugin_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
}
std::shared_ptr<sinsp_plugin> input_plugin;
std::list<std::shared_ptr<sinsp_plugin>> extractor_plugins;
for(auto &p : app().state().config->m_plugins)
for(auto &p : state().config->m_plugins)
{
std::shared_ptr<sinsp_plugin> plugin;
#ifdef MUSL_OPTIMIZED
@@ -74,7 +74,7 @@ runnable_action::run_result act_load_plugins::run()
falco_logger::log(LOG_INFO, "Loading plugin (" + p.m_name + ") from file " + p.m_library_path + "\n");
// libs requires raw pointer, we should modify libs to use reference/shared_ptr
plugin = sinsp_plugin::register_plugin(app().state().inspector.get(),
plugin = sinsp_plugin::register_plugin(state().inspector.get(),
p.m_library_path,
(p.m_init_config.empty() ? NULL : (char *)p.m_init_config.c_str()),
plugin_filter_checks);
@@ -93,15 +93,15 @@ runnable_action::run_result act_load_plugins::run()
}
input_plugin = plugin;
app().state().event_source = splugin->event_source();
state().event_source = splugin->event_source();
app().state().inspector->set_input_plugin(p.m_name);
state().inspector->set_input_plugin(p.m_name);
if(!p.m_open_params.empty())
{
app().state().inspector->set_input_plugin_open_params(p.m_open_params.c_str());
state().inspector->set_input_plugin_open_params(p.m_open_params.c_str());
}
app().state().engine->add_source(app().state().event_source, plugin_filter_factory, plugin_formatter_factory);
state().engine->add_source(state().event_source, plugin_filter_factory, plugin_formatter_factory);
} else {
extractor_plugins.push_back(plugin);
@@ -121,10 +121,10 @@ runnable_action::run_result act_load_plugins::run()
if(input_plugin &&
!compat_sources.empty())
{
if (compat_sources.find(app().state().event_source) == compat_sources.end())
if (compat_sources.find(state().event_source) == compat_sources.end())
{
ret.success = ret.proceed = false;
ret.errstr = string("Extractor plugin not compatible with event source ") + app().state().event_source;
ret.errstr = string("Extractor plugin not compatible with event source ") + state().event_source;
return ret;
}
@@ -141,7 +141,7 @@ runnable_action::run_result act_load_plugins::run()
}
}
app().state().plugin_infos = sinsp_plugin::plugin_infos(app().state().inspector.get());
state().plugin_infos = sinsp_plugin::plugin_infos(state().inspector.get());
return ret;
}

50
userspace/falco/app_actions/load_rules_files.cpp
View File

@@ -45,12 +45,12 @@ runnable_action::run_result act_load_rules_files::run()
string all_rules;
if (app().options().rules_filenames.size())
if (options().rules_filenames.size())
{
app().state().config->m_rules_filenames = app().options().rules_filenames;
state().config->m_rules_filenames = options().rules_filenames;
}
if(app().state().config->m_rules_filenames.size() == 0)
if(state().config->m_rules_filenames.size() == 0)
{
ret.success = false;
ret.errstr = "You must specify at least one rules file/directory via -r or a rules_file entry in falco.yaml";
@@ -59,18 +59,18 @@ runnable_action::run_result act_load_rules_files::run()
}
falco_logger::log(LOG_DEBUG, "Configured rules filenames:\n");
for (auto filename : app().state().config->m_rules_filenames)
for (auto filename : state().config->m_rules_filenames)
{
falco_logger::log(LOG_DEBUG, string(" ") + filename + "\n");
}
for (auto filename : app().state().config->m_rules_filenames)
for (auto filename : state().config->m_rules_filenames)
{
falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
uint64_t required_engine_version;
try {
app().state().engine->load_rules_file(filename, app().options().verbose, app().options().all_events, required_engine_version);
state().engine->load_rules_file(filename, options().verbose, options().all_events, required_engine_version);
}
catch(falco_exception &e)
{
@@ -79,15 +79,15 @@ runnable_action::run_result act_load_rules_files::run()
ret.proceed = false;
return ret;
}
app().state().required_engine_versions[filename] = required_engine_version;
state().required_engine_versions[filename] = required_engine_version;
}
// Ensure that all plugins are compatible with the loaded set of rules
for(auto &info : app().state().plugin_infos)
for(auto &info : state().plugin_infos)
{
std::string required_version;
if(!app().state().engine->is_plugin_compatible(info.name, info.plugin_version.as_string(), required_version))
if(!state().engine->is_plugin_compatible(info.name, info.plugin_version.as_string(), required_version))
{
ret.success = false;
ret.errstr = std::string("Plugin ") + info.name + " version " + info.plugin_version.as_string() + " not compatible with required plugin version " + required_version;
@@ -95,34 +95,34 @@ runnable_action::run_result act_load_rules_files::run()
}
}
for (auto substring : app().options().disabled_rule_substrings)
for (auto substring : options().disabled_rule_substrings)
{
falco_logger::log(LOG_INFO, "Disabling rules matching substring: " + substring + "\n");
app().state().engine->enable_rule(substring, false);
state().engine->enable_rule(substring, false);
}
if(app().options().disabled_rule_tags.size() > 0)
if(options().disabled_rule_tags.size() > 0)
{
for(auto &tag : app().options().disabled_rule_tags)
for(auto &tag : options().disabled_rule_tags)
{
falco_logger::log(LOG_INFO, "Disabling rules with tag: " + tag + "\n");
}
app().state().engine->enable_rule_by_tag(app().options().disabled_rule_tags, false);
state().engine->enable_rule_by_tag(options().disabled_rule_tags, false);
}
if(app().options().enabled_rule_tags.size() > 0)
if(options().enabled_rule_tags.size() > 0)
{
// Since we only want to enable specific
// rules, first disable all rules.
app().state().engine->enable_rule(all_rules, false);
for(auto &tag : app().options().enabled_rule_tags)
state().engine->enable_rule(all_rules, false);
for(auto &tag : options().enabled_rule_tags)
{
falco_logger::log(LOG_INFO, "Enabling rules with tag: " + tag + "\n");
}
app().state().engine->enable_rule_by_tag(app().options().enabled_rule_tags, true);
state().engine->enable_rule_by_tag(options().enabled_rule_tags, true);
}
if(!app().options().all_events)
if(!options().all_events)
{
// For syscalls, see if any event types used by the
// loaded rules are ones with the EF_DROP_SIMPLE_CONS
@@ -130,16 +130,16 @@ runnable_action::run_result act_load_rules_files::run()
check_for_ignored_events();
}
if (app().options().describe_all_rules)
if (options().describe_all_rules)
{
app().state().engine->describe_rule(NULL);
state().engine->describe_rule(NULL);
ret.proceed = false;
return ret;
}
if (!app().options().describe_rule.empty())
if (!options().describe_rule.empty())
{
app().state().engine->describe_rule(&(app().options().describe_rule));
state().engine->describe_rule(&(options().describe_rule));
ret.proceed = false;
return ret;
}
@@ -150,10 +150,10 @@ runnable_action::run_result act_load_rules_files::run()
void act_load_rules_files::check_for_ignored_events()
{
std::set<uint16_t> evttypes;
sinsp_evttables* einfo = app().state().inspector->get_event_info_tables();
sinsp_evttables* einfo = state().inspector->get_event_info_tables();
const struct ppm_event_info* etable = einfo->m_event_info;
app().state().engine->evttypes_for_ruleset(application::s_syscall_source, evttypes);
state().engine->evttypes_for_ruleset(application::s_syscall_source, evttypes);
// Save event names so we don't warn for both the enter and exit event.
std::set<std::string> warn_event_names;

40
userspace/falco/app_actions/open_inspector.cpp
View File

@@ -47,21 +47,21 @@ runnable_action::run_result act_open_inspector::run()
{
run_result ret = {true, "", true};
if(app().options().trace_filename.size())
if(options().trace_filename.size())
{
// Try to open the trace file as a
// capture file first.
try {
app().state().inspector->open(app().options().trace_filename);
falco_logger::log(LOG_INFO, "Reading system call events from file: " + app().options().trace_filename + "\n");
state().inspector->open(options().trace_filename);
falco_logger::log(LOG_INFO, "Reading system call events from file: " + options().trace_filename + "\n");
}
catch(sinsp_exception &e)
{
falco_logger::log(LOG_DEBUG, "Could not read trace file \"" + app().options().trace_filename + "\": " + string(e.what()));
app().state().trace_is_scap=false;
falco_logger::log(LOG_DEBUG, "Could not read trace file \"" + options().trace_filename + "\": " + string(e.what()));
state().trace_is_scap=false;
}
if(!app().state().trace_is_scap)
if(!state().trace_is_scap)
{
#ifdef MINIMAL_BUILD
ret.success = false;
@@ -75,16 +75,16 @@ runnable_action::run_result act_open_inspector::run()
// Note we only temporarily open the file here.
// The read file read loop will be later.
ifstream ifs(app().options().trace_filename);
ifstream ifs(options().trace_filename);
getline(ifs, line);
j = nlohmann::json::parse(line);
falco_logger::log(LOG_INFO, "Reading k8s audit events from file: " + app().options().trace_filename + "\n");
falco_logger::log(LOG_INFO, "Reading k8s audit events from file: " + options().trace_filename + "\n");
}
catch (nlohmann::json::parse_error& e)
{
ret.success = false;
ret.errstr = std::string("Trace filename ") + app().options().trace_filename + " not recognized as system call events or k8s audit events";
ret.errstr = std::string("Trace filename ") + options().trace_filename + " not recognized as system call events or k8s audit events";
ret.proceed = false;
return ret;
@@ -92,7 +92,7 @@ runnable_action::run_result act_open_inspector::run()
catch (exception &e)
{
ret.success = false;
ret.errstr = std::string("Could not open trace filename ") + app().options().trace_filename + " for reading: " + e.what();
ret.errstr = std::string("Could not open trace filename ") + options().trace_filename + " for reading: " + e.what();
ret.proceed = false;
return ret;
}
@@ -103,7 +103,7 @@ runnable_action::run_result act_open_inspector::run()
{
open_t open_cb = [this](std::shared_ptr<sinsp> inspector)
{
if(app().options().userspace)
if(options().userspace)
{
// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
//
@@ -120,35 +120,35 @@ runnable_action::run_result act_open_inspector::run()
open_t open_f;
// Default mode: both event sources enabled
if (app().state().enabled_sources.find(application::s_syscall_source) != app().state().enabled_sources.end() &&
app().state().enabled_sources.find(application::s_k8s_audit_source) != app().state().enabled_sources.end())
if (state().enabled_sources.find(application::s_syscall_source) != state().enabled_sources.end() &&
state().enabled_sources.find(application::s_k8s_audit_source) != state().enabled_sources.end())
{
open_f = open_cb;
}
if (app().state().enabled_sources.find(application::s_syscall_source) == app().state().enabled_sources.end())
if (state().enabled_sources.find(application::s_syscall_source) == state().enabled_sources.end())
{
open_f = open_nodriver_cb;
}
if (app().state().enabled_sources.find(application::s_k8s_audit_source) == app().state().enabled_sources.end())
if (state().enabled_sources.find(application::s_k8s_audit_source) == state().enabled_sources.end())
{
open_f = open_cb;
}
try
{
open_f(app().state().inspector);
open_f(state().inspector);
}
catch(sinsp_exception &e)
{
// If syscall input source is enabled and not through userspace instrumentation
if (app().state().enabled_sources.find(application::s_syscall_source) != app().state().enabled_sources.end() && !app().options().userspace)
if (state().enabled_sources.find(application::s_syscall_source) != state().enabled_sources.end() && !options().userspace)
{
// Try to insert the Falco kernel module
if(system("modprobe " DRIVER_NAME " > /dev/null 2> /dev/null"))
{
falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
}
open_f(app().state().inspector);
open_f(state().inspector);
}
else
{
@@ -161,9 +161,9 @@ runnable_action::run_result act_open_inspector::run()
}
// This must be done after the open
if(!app().options().all_events)
if(!options().all_events)
{
app().state().inspector->start_dropping_mode(1);
state().inspector->start_dropping_mode(1);
}
return ret;

4
userspace/falco/app_actions/print_help.cpp
View File

@@ -42,9 +42,9 @@ runnable_action::run_result act_print_help::run()
{
run_result ret = {true, "", true};
if(app().options().help)
if(options().help)
{
printf("%s", app().options().usage().c_str());
printf("%s", options().usage().c_str());
ret.proceed = false;
}

4
userspace/falco/app_actions/print_ignored_events.cpp
View File

@@ -43,7 +43,7 @@ runnable_action::run_result act_print_ignored_events::run()
{
run_result ret = {true, "", true};
if(app().options().print_ignored_events)
if(options().print_ignored_events)
{
print_all_ignored_events();
ret.proceed = false;
@@ -54,7 +54,7 @@ runnable_action::run_result act_print_ignored_events::run()
void act_print_ignored_events::print_all_ignored_events()
{
sinsp_evttables* einfo = app().state().inspector->get_event_info_tables();
sinsp_evttables* einfo = state().inspector->get_event_info_tables();
const struct ppm_event_info* etable = einfo->m_event_info;
const struct ppm_syscall_desc* stable = einfo->m_syscall_info_table;

10
userspace/falco/app_actions/print_support.cpp
View File

@@ -46,7 +46,7 @@ runnable_action::run_result act_print_support::run()
{
run_result ret = {true, "", true};
if(app().options().print_support)
if(options().print_support)
{
nlohmann::json support;
struct utsname sysinfo;
@@ -66,16 +66,16 @@ runnable_action::run_result act_print_support::run()
support["system_info"]["release"] = sysinfo.release;
support["system_info"]["version"] = sysinfo.version;
support["system_info"]["machine"] = sysinfo.machine;
support["cmdline"] = app().state().cmdline;
support["cmdline"] = state().cmdline;
support["engine_info"]["engine_version"] = FALCO_ENGINE_VERSION;
support["config"] = read_file(app().options().conf_filename);
support["config"] = read_file(options().conf_filename);
support["rules_files"] = nlohmann::json::array();
for(auto filename : app().state().config->m_rules_filenames)
for(auto filename : state().config->m_rules_filenames)
{
nlohmann::json finfo;
finfo["name"] = filename;
nlohmann::json variant;
variant["required_engine_version"] = app().state().required_engine_versions[filename];
variant["required_engine_version"] = state().required_engine_versions[filename];
variant["content"] = read_file(filename);
finfo["variants"].push_back(variant);
support["rules_files"].push_back(finfo);

2
userspace/falco/app_actions/print_version.cpp
View File

@@ -43,7 +43,7 @@ runnable_action::run_result act_print_version::run()
{
run_result ret = {true, "", true};
if(app().options().print_version_info)
if(options().print_version_info)
{
printf("Falco version: %s\n", FALCO_VERSION);
printf("Driver version: %s\n", DRIVER_VERSION);

41
userspace/falco/app_actions/process_events.cpp
View File

@@ -14,12 +14,17 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
#define __STDC_FORMAT_MACROS
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include "falco_utils.h"
#ifndef MINIMAL_BUILD
#include "webserver.h"
#endif
#include "statsfilewriter.h"
#include "process_events.h"
@@ -57,33 +62,33 @@ runnable_action::run_result act_process_events::run()
duration = ((double)clock()) / CLOCKS_PER_SEC;
if(!app().options().trace_filename.empty() && !app().state().trace_is_scap)
if(!options().trace_filename.empty() && !state().trace_is_scap)
{
#ifndef MINIMAL_BUILD
read_k8s_audit_trace_file(app().options().trace_filename);
read_k8s_audit_trace_file(options().trace_filename);
#endif
}
else
{
uint64_t num_evts;
num_evts = do_inspect(app().state().engine,
app().state().outputs,
app().state().inspector,
app().state().event_source,
app().state().config,
num_evts = do_inspect(state().engine,
state().outputs,
state().inspector,
state().event_source,
state().config,
sdropmgr,
uint64_t(app().options().duration_to_tot*ONE_SECOND_IN_NS),
app().options().stats_filename,
app().options().stats_interval,
app().options().all_events,
uint64_t(options().duration_to_tot*ONE_SECOND_IN_NS),
options().stats_filename,
options().stats_interval,
options().all_events,
ret);
duration = ((double)clock()) / CLOCKS_PER_SEC - duration;
app().state().inspector->get_capture_stats(&cstats);
state().inspector->get_capture_stats(&cstats);
if(app().options().verbose)
if(options().verbose)
{
fprintf(stderr, "Driver Events:%" PRIu64 "\nDriver Drops:%" PRIu64 "\n",
cstats.n_evts,
@@ -100,13 +105,13 @@ runnable_action::run_result act_process_events::run()
// Honor -M also when using a trace file.
// Since inspection stops as soon as all events have been consumed
// just await the given duration is reached, if needed.
if(!app().options().trace_filename.empty() && app().options().duration_to_tot>0)
if(!options().trace_filename.empty() && options().duration_to_tot>0)
{
std::this_thread::sleep_for(std::chrono::seconds(app().options().duration_to_tot));
std::this_thread::sleep_for(std::chrono::seconds(options().duration_to_tot));
}
app().state().inspector->close();
app().state().engine->print_stats();
state().inspector->close();
state().engine->print_stats();
sdropmgr.print_stats();
return ret;
@@ -132,7 +137,7 @@ void act_process_events::read_k8s_audit_trace_file(string &trace_filename)
continue;
}
if(!k8s_audit_handler::accept_data(app().state().engine, app().state().outputs, line, errstr))
if(!k8s_audit_handler::accept_data(state().engine, state().outputs, line, errstr))
{
falco_logger::log(LOG_ERR, "Could not read k8s audit event line #" + to_string(line_num) + ", \"" + line + "\": " + errstr + ", stopping");
return;

16
userspace/falco/app_actions/start_grpc_server.cpp
View File

@@ -46,18 +46,18 @@ runnable_action::run_result act_start_grpc_server::run()
run_result ret = {true, "", true};
// gRPC server
if(app().state().config->m_grpc_enabled)
if(state().config->m_grpc_enabled)
{
falco_logger::log(LOG_INFO, "gRPC server threadiness equals to " + to_string(app().state().config->m_grpc_threadiness) + "\n");
falco_logger::log(LOG_INFO, "gRPC server threadiness equals to " + to_string(state().config->m_grpc_threadiness) + "\n");
// TODO(fntlnz,leodido): when we want to spawn multiple threads we need to have a queue per thread, or implement
// different queuing mechanisms, round robin, fanout? What we want to achieve?
m_grpc_server.init(
app().state().config->m_grpc_bind_address,
app().state().config->m_grpc_threadiness,
app().state().config->m_grpc_private_key,
app().state().config->m_grpc_cert_chain,
app().state().config->m_grpc_root_certs,
app().state().config->m_log_level
state().config->m_grpc_bind_address,
state().config->m_grpc_threadiness,
state().config->m_grpc_private_key,
state().config->m_grpc_cert_chain,
state().config->m_grpc_root_certs,
state().config->m_log_level
);
m_grpc_server_thread = std::thread([this] {
m_grpc_server.run();

8
userspace/falco/app_actions/start_webserver.cpp
View File

@@ -45,11 +45,11 @@ runnable_action::run_result act_start_webserver::run()
{
run_result ret = {true, "", true};
if(app().options().trace_filename.empty() && app().state().config->m_webserver_enabled && app().state().enabled_sources.find(application::s_k8s_audit_source) != app().state().enabled_sources.end())
if(options().trace_filename.empty() && state().config->m_webserver_enabled && state().enabled_sources.find(application::s_k8s_audit_source) != state().enabled_sources.end())
{
std::string ssl_option = (app().state().config->m_webserver_ssl_enabled ? " (SSL)" : "");
falco_logger::log(LOG_INFO, "Starting internal webserver, listening on port " + to_string(app().state().config->m_webserver_listen_port) + ssl_option + "\n");
m_webserver.init(app().state().config, app().state().engine, app().state().outputs);
std::string ssl_option = (state().config->m_webserver_ssl_enabled ? " (SSL)" : "");
falco_logger::log(LOG_INFO, "Starting internal webserver, listening on port " + to_string(state().config->m_webserver_listen_port) + ssl_option + "\n");
m_webserver.init(state().config, state().engine, state().outputs);
m_webserver.start();
}

3
userspace/falco/app_actions/start_webserver.h
View File

@@ -20,6 +20,8 @@ limitations under the License.
#include <string>
#include "init_action.h"
#ifndef MINIMAL_BUILD
#include "webserver.h"
namespace falco {
@@ -44,6 +46,7 @@ private:
std::list<std::string> m_prerequsites;
};
#endif
}; // namespace application
}; // namespace falco

10
userspace/falco/app_actions/validate_rules_files.cpp
View File

@@ -43,19 +43,19 @@ runnable_action::run_result act_validate_rules_files::run()
{
run_result ret = {true, "", true};
if(app().options().validate_rules_filenames.size() > 0)
if(options().validate_rules_filenames.size() > 0)
{
falco_logger::log(LOG_INFO, "Validating rules file(s):\n");
for(auto file : app().options().validate_rules_filenames)
for(auto file : options().validate_rules_filenames)
{
falco_logger::log(LOG_INFO, " " + file + "\n");
}
for(auto file : app().options().validate_rules_filenames)
for(auto file : options().validate_rules_filenames)
{
// Only include the prefix if there is more than one file
std::string prefix = (app().options().validate_rules_filenames.size() > 1 ? file + ": " : "");
std::string prefix = (options().validate_rules_filenames.size() > 1 ? file + ": " : "");
try {
app().state().engine->load_rules_file(file, app().options().verbose, app().options().all_events);
state().engine->load_rules_file(file, options().verbose, options().all_events);
}
catch(falco_exception &e)
{