Andrea Terzolo
7e8bf42ff9
update: address some review comments
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2022-09-20 15:52:12 +00:00
Andrea Terzolo
a151418270
update(syscall_buffer_size): don't crash in case of getpagesize error
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
2022-09-20 15:16:29 +00:00
Andrea Terzolo
69623e9b93
new: configure syscall buffer dimension from Falco
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
2022-09-20 12:14:45 +00:00
Andrea Terzolo
f57c67cc96
docs(falco.yaml): fix a typo
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
2022-09-20 11:35:28 +02:00
Andrea Terzolo
7686c03a36
update(app_actions): add a deprecation comment for BPF
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
2022-09-20 11:35:28 +02:00
Andrea Terzolo
a325086363
test(falco): fix broken tests
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
2022-09-20 11:35:28 +02:00
Andrea Terzolo
7e37c72431
update: falco works with the latest libs commit
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
2022-09-20 11:35:28 +02:00
Federico Di Pierro
e068df514c
chore(userspace/engine,userspace/falco): upgraded to latest libs.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-09-20 11:35:28 +02:00
Federico Di Pierro
0274959981
update(userspace/falco, cmake): updated libs to latest master.
Adapted API to sinsp::open API break, and simple consumer API break.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
2022-09-20 11:35:28 +02:00
Mark Stemm
2d5fc0b647
Use the same falco_rule struct for every call to filter_ruleset
Instead of using a falco_rule struct on the stack, use a single value
inside the falco_source struct. It's mutable as find_source returns a
const struct.
At very high event volumes (> 1M syscalls/second), even the tiny time
it takes to create/destroy the struct starts to add up, and this
switch has some small cpu savings.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-09-16 12:50:39 +02:00
Mark Stemm
e5cd5eacf5
Save syscall source separately and check explicitly in process_event
When doing some testing of falco on very high event volumes (> 1.5M
events/second), I found that the time taken to look up a falco_source
struct had a non-negligible contribution to cpu usage.
So instead of looking up the source from the source_idx every time,
separately save the source for syscalls in the falco_engine object
directly. The separately saved copy is only used once someone calls
add_source with source="syscall".
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-09-16 12:50:39 +02:00
Leonardo Grasso
c0ea753262
update(userspace/falco): gVisor sock now defaults to /run/falco/gvisor.sock
Co-authored-by: Vicente J. Jiménez Miras <vjjmiras@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-09-14 10:27:24 +02:00
Vicente JJ. Miras
e4008217b9
Replacing /tmp/gvisor.sock with /run/gvisor.sock
According to the FHS 3.0 (https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html), transient UNIX-domain sockets should be placed under the directory /run, so this commit updates the implicit value generated by the application.
Signed-off-by: Vicente J. Jiménez Miras <vjjmiras@gmail.com>
2022-09-14 10:27:24 +02:00
Jason Dellaluce
9c184af2a1
fix(userspace/falco): adopt stricter memory order semantics
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
d11aec28d5
fix(userspace/falco): move stats collection in event success path
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
d17e173e35
chore(userspace/falco): rename sources app state list for more clarity
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
25e9bd1c91
chore(userspace/falco): fix codespell typo
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
4bc9fc74c8
update(userspace/falco)!: adapt stats writer for multiple parallel event sources
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
b65cc49221
update(userspace/falco): rename init_inspector action into init_inspectors
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
65993ad1ed
refactor(userspace/falco): support multiple parallel event processing loops
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
f4c6a81ed8
update(userspace/falco): fix plugin list access in rule file loading action
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
f9a152b24c
refactor(userspace/falco): generalize responsibilities of init_inspector action
Now, the action takes care of initializing all app inspectors
(just one in capture mode, one for each evt source in live mode), and of
registering and initializing all loaded plugins in the right inspector as needed.
The plugin initialization logic, which also involves the filtercheck list
population and checks, was moved and refactored from the previous
implementation of the load_plugins action.
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
ed025f1a86
refactor(userspace/falco): init all event sources in falco engine and in the right order
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
8ba779de8c
refactor(userspace/falco): restrict load_plugins action responsibilities
Now, the action is in charge of loading all plugins and initializing:
- the offline inspector
- the list of loaded event sources
- the list of loaded plugins and their config
After this action runs, plugins are loaded but not yet initialized.
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
cf8b85ad86
refactor(userspace/falco): turn open inspector action into convenience private methods
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
9cf3d118f6
update(userspace/falco): restrict clients init action to syscall inspector only
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
63bdc1119f
cleanup(userspace/falco): remove legacy hacks on source selection action
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
9dc3eb2fc6
update(userspace/falco): reorder actions for their new semantics
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
7bb319b21e
update(userspace/falco): add convenience method for merging app run results
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
3f7d61f150
refactor(userspace/falco): re-design application state and methods
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 16:14:15 +02:00
Jason Dellaluce
cf9baea624
fix(userspace/engine): avoid reading duplicate exception values
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-12 15:53:15 +02:00
Federico Di Pierro
ccd3c896de
fix(userspace/engine): properly include stdexcept header to fix build.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-09-12 12:28:15 +02:00
Federico Di Pierro
11644ecafc
chore(userspace/falco): be somewhat more portable, avoiding assuming that '/' is the path delim.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-09-09 09:59:06 +02:00
Federico Di Pierro
23df49a47f
new(userspace/falco): create grpc unix socket and gvisor endpoint path automatically.
It is also able to handle multipart paths, like /run/falco/falco/falco/falco.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-09-09 09:59:06 +02:00
Mark Stemm
0f45cf49db
Use enums for rules content item type
Use an enum instead of a string for the item_type aka "parts of a
rules file" field of contexts.
The set of values is mostly defined by the contexts that were already
created. There are a couple of forward-looking values for rule
outputs/macro conditions/etc. that may be useful for later.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-09-07 10:13:02 +02:00
Mark Stemm
7a5a4c32ee
Support condition parse errors in rule loading results
In #2098 and #2158, we reworked how rules loading errors/warnings were
returned to provide a richer set of information, including
locations/context for the errors/warnings.
That did *not* include locations within condition expressions,
though. When parsing a condition expression resulted in a
warning/error, the location simply pointed to the condition property
of the rule.
This commit improves this to handle parse errors:
- When libsinsp::filter::parser::parse() throws an exception, use
get_pos() to get the position within the condition string.
- Add a new context() constructor that takes a filter pos_info instead
of a YAML::Mark.
Now that positions aren't always related to the location of yaml
nodes, make up a generic "position" struct for locations and convert
YAML::Mark and parser positions to a position struct.
Also allow a context to contain an alternate content string which is
used to build the snippet. For contexts related to condition strings,
the content is the condition.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-09-07 10:13:02 +02:00
VadimZy
af95455bab
dropping fix for list parsing due to the absence of regex portability.
reverting to the inefficient code.
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
2022-09-05 17:42:31 +02:00
VadimZy
4b75f213c6
use <onigposix.h> instead of <regex.h>
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
2022-09-05 17:42:31 +02:00
VadimZy
0de617a7fb
remove sinsp.h public dependencies
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
2022-09-05 17:42:31 +02:00
VadimZy
5745faeccc
fix tests, remove dead code
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
2022-09-05 17:42:31 +02:00
VadimZy
f9ee45b38e
Improve Falco engine performance when loading rules and creating the rule sets
- replace std::set<uint16_t> with fixed size vector in event types propagation
- rework lists expansion by replacing repetitive string::find in constantly growing expansion string with regex tokenization
- improve json_event parsing by moving const initializations into static routines
Signed-off-by: VadimZy <vadim.zyarko@sysdig.com>
2022-09-05 17:42:31 +02:00
Jason Dellaluce
7d2f82fddc
update(userspace/engine): bump engine version to 15
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-05 14:40:31 +02:00
Jason Dellaluce
1b410ea2cc
update(userspace/engine): consider plugin version requirements in engine checks
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-05 14:40:31 +02:00
Jason Dellaluce
52402ac805
update(userspace/engine): support plugin version requirement alternatives in rule reader
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-05 14:40:31 +02:00
Jason Dellaluce
6e0971f1e1
update(userspace/engine): support plugin version requirement alternatives in rule loader
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-09-05 14:40:31 +02:00
Jason Dellaluce
6c1f908ca5
cleanup(cmake): rename legacy cmake variables
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-29 15:42:33 +02:00
Jason Dellaluce
574a4b9f0a
update(userspace/falco): fix copyright notice year
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-26 12:48:18 +02:00
Jason Dellaluce
c05ad6fde4
update(userspace/falco): fix copyright notice year
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-26 12:48:18 +02:00
Jason Dellaluce
e361069092
chore(userspace/falco): fix typos
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-26 12:48:18 +02:00
Jason Dellaluce
9c6ad6ce84
update(userspace/falco): use json lib in stats writer
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-08-26 12:48:18 +02:00