Federico Di Pierro
67d592e83a
fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash.
...
`describe` can no longer be used as tags are now made on release branches.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-12-05 15:55:17 +01:00
Mark Stemm
356a4a0749
Also copy ruleset when copying falco source
...
In the copy constructor and assignment operator for falco_source, also
copy the ruleset along with factories/name.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-12-01 17:07:52 +01:00
Mark Stemm
910b8ff858
Fix(engine) Save parse positions when finding unresolved macros
...
Now that ASTs contain parse positions, use them when reporting errors
about unknown macros.
When doing the first pass to find all macro references, save macros as
a map<macro name,parse position> instead of a set<macro name>. While
making that change, change the visitor struct to use references
instead of pointers.
In the second pass, when reporting any unresolved macro references,
also report the parse position.
The unit tests also check that the positions of macros are properly
returned in the resolved/unresolved maps.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-12-01 17:03:52 +01:00
Mark Stemm
83b12bab1d
Fix(engine): include parse positions in compile errors
...
Now that ASTs have parse positions and the compiler will return the
position of the last error, use that in falco rules to return errors
within condition strings instead of reporting the position as the
beginning of the condition.
This led to a change in the filter_ruleset interface--now, an ast is
compiled to a filter before being passed to the filter_ruleset
object. That avoids polluting the interface with a lot of details
about rule_loader contexts, errors, etc. The ast is still provided in
case the filter_ruleset wants to do indexing/analysis of the filter.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-12-01 17:03:52 +01:00
Jason Dellaluce
ba61706557
update(userspace/falco): enable using zlib with webserver
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-11-30 19:24:47 +01:00
Jason Dellaluce
15b57bd972
fix: remove minor string view dependencies
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-11-29 16:27:42 +01:00
Leonardo Grasso
68f4d5bb59
fix(userspace/engine): no need to use external deps
...
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-11-29 16:27:42 +01:00
Leonardo Grasso
47fd90bb7f
chore: remove not used dependency - string-view-lite
...
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2022-11-29 16:27:42 +01:00
Luca Guerra
f08a5b4067
update(cli): also add cg / kg container-gvisor / kubernetes-gvisor
...
Signed-off-by: Luca Guerra <luca@guerra.sh>
2022-11-23 13:03:57 +01:00
Luca Guerra
dea02f82e8
update(falco): add container-gvisor and kubernetes-gvisor print options
...
Signed-off-by: Luca Guerra <luca@guerra.sh>
2022-11-23 13:03:57 +01:00
Luca Guerra
e3dbae3259
fix(engine): fix warning about redundant std::move
...
Signed-off-by: Luca Guerra <luca@guerra.sh>
2022-11-11 16:19:11 +01:00
Aldo Lacuku
161246fe1a
fix(output): do not print syscall_buffer_size when gvisor is enabled
...
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
2022-11-10 10:32:05 +01:00
Jason Dellaluce
240c0b870d
fix(userspace/falco): verify engine fields only for syscalls
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-11-07 15:37:25 +01:00
Mark Stemm
acf5c4ce5f
fix(engine): save syscall source only when processing events
...
The optimization in https://github.com/falcosecurity/falco/pull/2210
had a bug when the engine uses multiple sources at the same
time--m_syscall_source is a pointer to an entry in the indexed vector
m_sources, but if add_source is called multiple times, the vector is
resized, which copies the structs but invalidates any pointer to the
vector entries.
So instead of caching m_syscall_source in add_source(), cache it in
process_events(). m_sources won't change once processing events starts.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2022-10-27 18:23:25 +02:00
Yarden Shoham
4a4fa2592b
fix(plugins): trim whitespace in open_params
...
`open_params` is read from the falco YAML configuration file and parsed using Go's URL.
For example:
c349be6e84/plugins/k8saudit/pkg/k8saudit/source.go (L41-L42)
Go's URL parser does not handle whitespace, so if a user defines the `open_params` in the falco configuration file as follows
```yaml
open_params: >
  /file/path
```
the parser returns an error. To avoid this, we now trim this parameter so no whitespace will be left for Go's URL parser to error out on.
For reference see #2262.
Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
2022-10-21 19:12:58 +02:00
Jason Dellaluce
10fe9fd84b
fix(userspace/falco): avoid using CPU when main thread waits for parallel event sources
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-14 13:12:22 +02:00
Jason Dellaluce
3d7677ce5b
update(userspace/falco): create struct for sync parallel event sources parallelization
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-14 13:12:22 +02:00
Jason Dellaluce
0fd765f7c3
new(userspace/falco): add simple semaphore implementation
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-14 13:12:22 +02:00
Jason Dellaluce
cca90b2f80
update(userspace/falco): move on from deprecated libs API for printing event list
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-13 17:00:18 +02:00
Jason Dellaluce
6c873418ce
chore(userspace/falco): improve the CLI options helper
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-13 15:39:18 +02:00
Jason Dellaluce
f12531a153
chore(userspace/falco): log cli options with debug level
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-13 15:39:18 +02:00
Jason Dellaluce
9d8f130f47
fix(userspace/falco): make sure validation summary is populated even when json output is requested
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 14:03:20 +02:00
Jason Dellaluce
9ee0298c4d
fix(userspace/engine): avoid macro/list used checks if we encounter an error
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 14:03:20 +02:00
Jason Dellaluce
7da30ca661
chore(userspace/falco): make logging optional when terminating, restarting, and reopening outputs
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 13:14:20 +02:00
Jason Dellaluce
57b26530b6
update(userspace) fix cppcheck warnings
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 12:07:20 +02:00
Jason Dellaluce
3629c4dc4a
update(userspace): solve cppcheck performance suggestions
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 12:07:20 +02:00
Jason Dellaluce
5e531870a9
fix(userspace/engine): fix unit test segfault
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 11:17:20 +02:00
Jason Dellaluce
f684e144be
chore(userspace/falco): polish ignored event warning message
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 11:17:20 +02:00
Jason Dellaluce
a4218a4b4f
fix(userspace/falco): print right list in ignored events warning
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 11:17:20 +02:00
Jason Dellaluce
48fbe0801d
fix(userspace/falco): print right list of ignored events when in simple cons mode
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 11:17:20 +02:00
Jason Dellaluce
c47492ab6d
update(userspace/falco): populate list of interesting event types in app state
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 11:17:20 +02:00
Jason Dellaluce
4cb556aed2
update(userspace/engine): use sinsp api to access event table information
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-12 11:17:20 +02:00
Jason Dellaluce
5f2bc6a2d3
fix(userspace/falco): properly handle termination at source opening failures
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-11 19:23:17 +02:00
Jason Dellaluce
88c7202fdc
fix(userspace/falco): check conditions in right order
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-11 19:23:17 +02:00
Jason Dellaluce
a98a1b2c4c
fix(userspace/falco/falco): allow output reopening to happen multiple times
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-11 19:23:17 +02:00
Jason Dellaluce
77857a7236
fix(userspace/falco): solve warning
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-11 19:23:17 +02:00
Jason Dellaluce
e011b3b5e5
chore(userspace/falco): fix typo
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-11 19:23:17 +02:00
Jason Dellaluce
fd4d521a5f
fix(userspace/falco): make multi-source termination condition more stable
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-11 19:23:17 +02:00
Jason Dellaluce
3f3386cfe0
fix(userspace/falco): make signal handlers safe with multi-threading
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-11 19:23:17 +02:00
Jason Dellaluce
11160f8463
fix(userspace): safely check string bounded access
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-11 11:23:15 +02:00
Jason Dellaluce
3c02b40a21
chore(userspace/falco): make log message termination consistent
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-06 21:27:06 +02:00
Jason Dellaluce
e85a8c914f
chore(userspace/falco): move enabled sources list printout when capture is opened
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-06 21:27:06 +02:00
Jason Dellaluce
21c2b1f472
update(userspace/falco): use unordered_set where possible for faster lookups
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-06 21:27:06 +02:00
Jason Dellaluce
909f6d0961
chore(userspace/falco): make log messages formatting more consistent
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-06 21:27:06 +02:00
Jason Dellaluce
83a83a5853
update(userspace): pass string as const refs when possible
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-06 21:27:06 +02:00
Jason Dellaluce
b4ea2f4da2
fix(userspace/falco): stabilize termination signal handler
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-06 18:21:05 +02:00
Jason Dellaluce
59ba2f9aab
fix(userspace/falco): properly terminate threads
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-06 18:21:05 +02:00
Federico Di Pierro
e68151eb07
chore(test,userspace/falco): fixed tests after libs bump.
...
Moreover, try to create grpc socket folder path only if grpc is actually enabled.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2022-10-05 19:38:21 +02:00
Andrea Terzolo
ec7ddbbaf8
chore: bump libs/driver to pre-release tag
...
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
2022-10-05 19:38:21 +02:00
Jason Dellaluce
663c1d073a
fix(userspace/falco): check plugin requirements when validating rule files
...
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2022-10-05 13:21:20 +02:00