github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-27 15:17:50 +00:00
Code Issues Projects Releases Wiki Activity

refactor(userspace/falco): turn open inspector action into convenience private methods

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2022-08-30 12:42:00 +00:00 committed by poiana
parent 9cf3d118f6
commit cf8b85ad86
1 changed files with 62 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

122
userspace/falco/app_actions/open_inspector.cpp
View File

@ -18,94 +18,96 @@ limitations under the License.
#include <sys/stat.h> #include <sys/stat.h>
#include <fcntl.h> #include <fcntl.h>
#include <plugin_manager.h>
#include "application.h" #include "application.h"
using namespace falco::app; using namespace falco::app;
typedef std::function<void(std::shared_ptr<sinsp> inspector)> open_t; application::run_result application::open_offline_inspector()
application::run_result application::open_inspector()
{ {
// Notify engine that we finished loading and enabling all rules try
m_state->engine->complete_rule_loading();
if(is_capture_mode())
{ {
// Try to open the trace file as a m_state->offline_inspector->open(m_options.trace_filename);
// capture file first. falco_logger::log(LOG_INFO, "Reading system call events from file: " + m_options.trace_filename + "\n");
try { return run_result::ok();
m_state->inspector->open(m_options.trace_filename); }
falco_logger::log(LOG_INFO, "Reading system call events from file: " + m_options.trace_filename + "\n"); catch (sinsp_exception &e)
} {
catch(sinsp_exception &e) return run_result::fatal("Could not open trace filename " + m_options.trace_filename + " for reading: " + e.what());
}
}
application::run_result application::open_live_inspector(
std::shared_ptr<sinsp> inspector,
const std::string& source)
{
try
{
if (source != falco_common::syscall_source)
{ {
return run_result::fatal("Could not open trace filename " + m_options.trace_filename + " for reading: " + e.what()); for (const auto p: inspector->get_plugin_manager()->plugins())
{
if (p->caps() & CAP_SOURCING && p->event_source() == source)
{
auto cfg = m_state->plugin_configs.at(p->name());
inspector->set_input_plugin(cfg->m_name, cfg->m_open_params);
inspector->open();
return run_result::ok();
}
}
return run_result::fatal("Can't open inspector for plugin event source: " + source);
}
if (m_options.userspace)
{
// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
//
// Falco uses a ptrace(2) based userspace implementation.
// Regardless of the implementation, the underlying method remains the same.
inspector->open_udig();
}
else if(m_options.gvisor_config != "")
{
falco_logger::log(LOG_INFO, "Enabled event collection from gVisor. Configuration path: " + m_options.gvisor_config);
inspector->open_gvisor(m_options.gvisor_config, m_options.gvisor_root);
}
else
{
inspector->open();
} }
} }
else catch (sinsp_exception &e)
{ {
try // If syscall input source is enabled and not through userspace instrumentation
if (m_options.gvisor_config.empty() && !m_options.userspace)
{ {
if(m_options.userspace) // Try to insert the Falco kernel module
if(system("modprobe " DRIVER_NAME " > /dev/null 2> /dev/null"))
{ {
// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel. falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
//
// Falco uses a ptrace(2) based userspace implementation.
// Regardless of the implementation, the underlying method remains the same.
m_state->inspector->open_udig();
}
else if(m_options.gvisor_config != "")
{
falco_logger::log(LOG_INFO, "Enabled event collection from gVisor. Configuration path: " + m_options.gvisor_config);
m_state->inspector->open_gvisor(m_options.gvisor_config, m_options.gvisor_root);
}
else
{
m_state->inspector->open();
} }
inspector->open();
} }
catch(sinsp_exception &e) else
{ {
// If syscall input source is enabled and not through userspace instrumentation return run_result::fatal(e.what());
if (is_syscall_source_enabled() && !m_options.userspace)
{
// Try to insert the Falco kernel module
if(system("modprobe " DRIVER_NAME " > /dev/null 2> /dev/null"))
{
falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
}
m_state->inspector->open();
}
else
{
return run_result::fatal(e.what());
}
} }
} }
/// TODO: we can add a method to the inspector that tells us what /// TODO: we can add a method to the inspector that tells us what
/// is the underline engine used. Right now we print something only /// is the underline engine used. Right now we print something only
/// in case of BPF engine /// in case of BPF engine
if(m_state->inspector->is_bpf_enabled()) if (inspector->is_bpf_enabled())
{ {
falco_logger::log(LOG_INFO, "Falco is using the BPF probe\n"); falco_logger::log(LOG_INFO, "Falco is using the BPF probe\n");
} }
// This must be done after the open // This must be done after the open
if(!m_options.all_events) if (!m_options.all_events)
{ {
m_state->inspector->start_dropping_mode(1); inspector->start_dropping_mode(1);
} }
return run_result::ok(); return run_result::ok();
} }
bool application::close_inspector(std::string &errstr)
{
if(m_state->inspector != nullptr)
{
m_state->inspector->close();
}
return true;
}