github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-18 18:58:41 +00:00
Code Issues Projects Releases Wiki Activity
3,241 Commits 122 Branches 184 Tags
test_deb_rpm
Commit Graph

964 Commits

Author SHA1 Message Date
Jason Dellaluce
3c02b40a21 chore(userspace/falco): make log message termination consistent 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
e85a8c914f chore(userspace/falco): move enabled sources list printout when capture is opened 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
21c2b1f472 update(userspace/falco): use unordered_set where possible for faster lookups 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
909f6d0961 chore(userspace/falco): make log messages formatting more consistent 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
83a83a5853 update(userspace): pass string as const refs when possible 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
b4ea2f4da2 fix(userspace/falco): stabilize termination signal handler 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 18:21:05 +02:00
Jason Dellaluce
59ba2f9aab fix(userspace/falco): properly terminate threads 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 18:21:05 +02:00
Federico Di Pierro
e68151eb07 chore(test,userspace/falco): fixed tests after libs bump. 
Moreover, try to create grpc socket folder path only if grpc is actually enabled.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-10-05 19:38:21 +02:00
Andrea Terzolo
ec7ddbbaf8 chore: bump libs/driver to pre-release tag 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-10-05 19:38:21 +02:00
Jason Dellaluce
663c1d073a fix(userspace/falco): check plugin requirements when validating rule files 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-05 13:21:20 +02:00
Jason Dellaluce
bbb821fb8e refactor(userspace/falco): move rules plugin requirements check in an internal funcion 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-05 13:21:20 +02:00
Jason Dellaluce
5781c53ddc fix(userspace): add explicit constructors and initializations 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-03 13:04:15 +02:00
Andrea Terzolo
545b58ee14 update(open_inspector): use variable buffer dim in modern bpf 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-28 18:55:06 +02:00
Andrea Terzolo
8d8e7622e1 update(cmd_line): put modern bpf to false 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-28 18:55:06 +02:00
Andrea Terzolo
fd097e94d7 new(cmdline): add support for modern BPF probe 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-28 18:55:06 +02:00
Luca Guerra
6634c896b7 fix(falco): print container info and gvisor info in the same way 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-09-28 12:45:04 +02:00
Andrea Terzolo
3aa9267b48 fix(syscall_buffer): set dimension if page size not available 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-27 10:47:59 +02:00
Andrea Terzolo
725714726d update(configuration): define m_syscall_buf_size_preset as uint16_t 
improve also some logs for `m_syscall_buf_size_preset` configuration errors

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:47:59 +02:00
Andrea Terzolo
c9fa585801 update: address some review comments 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-09-27 10:47:59 +02:00
Andrea Terzolo
90e4634a79 update(syscall_buffer_size): don't crash in case of getpagesize error 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
 2022-09-27 10:47:59 +02:00
Andrea Terzolo
b0b2f05eb5 new: configure syscall buffer dimension from Falco 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-27 10:47:59 +02:00
Jason Dellaluce
8aea0935c9 chore(userspace/engine): remove unused var 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
9c240198a0 refactor(userspace/engine): refactor falco_engine with new loader defs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
f6f763fe84 refactor(userspace/engine): clean up rule collector 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
9b5f3ee99e refactor(userspace/engine): clean up rule compiler 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
89e8f70de0 refactor(userspace/engine): clean up and rename rule reader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b0f0105116 refactor(userspace/engine): clean up rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
5f2267f716 update(userspace/engine): add new loader files to CMakeLists 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b65157af5e refactor(userspace/engine): split rule loader git history (5) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b2b1feb1f2 refactor(userspace/engine): split rule loader git history (4) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b900e46dfe refactor(userspace/engine): split rule loader git history (3) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
a98c9cdd20 refactor(userspace/engine): split rule loader git history (2) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
2a427925a0 refactor(userspace/engine): split rule loader git history (1) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Andrea Terzolo
c0c37d87f5 fix(process_events): check the return value of open_live_inspector 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 18:07:30 +02:00
Andrea Terzolo
f57c67cc96 docs(falco.yaml): fix a typo 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
7686c03a36 update(app_actions): add a depraction comment for BPF 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
a325086363 test(falco): fix broken tests 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Andrea Terzolo
7e37c72431 update: falco works with the latest libs commit 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Federico Di Pierro
e068df514c chore(userspace/engine,userspace/falco): upgraded to latest libs. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-09-20 11:35:28 +02:00
Federico Di Pierro
0274959981 update(userspace/falco, cmake): updated libs to latest master. 
Adapted API to sinsp::open API break, and simple consumer API break.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-09-20 11:35:28 +02:00
Mark Stemm
2d5fc0b647 Use the same falco_rule struct for every call to filter_ruleset 
Instead of using a falco_rule struct on the stack, use a single value
inside the falco_source struct. It's mutable as find_source returns a
const struct.

At very high event volumes (> 1M syscalls/second), even the tiny time
it takes to create/destroy the struct starts to add up, and this
switch has some small cpu savings.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-16 12:50:39 +02:00
Mark Stemm
e5cd5eacf5 Save syscall source separately and check explicitly in process_event 
When doing some testing of falco on very high event volumes (> 1.5M
events/second), I found that the time taken to look up a falco_source
struct had a non-negligible contribution to cpu usage.

So instead of looking up the source from the source_idx every time,
separately save the source for syscalls in the falco_engine object
directly. The separately saved copy is only used once someone calls
add_source with source="syscall".

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-09-16 12:50:39 +02:00
Leonardo Grasso
c0ea753262 update(userspace/falco): gVisor sock now defaults to /run/falco/gvisor.sock 
Co-authored-by: Vicente J. Jiménez Miras <vjjmiras@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-09-14 10:27:24 +02:00
Vicente JJ. Miras
e4008217b9 Replacing /tmp/gvisor.sock with /run/gvisor.sock 
According to the FHS 3.0 (https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html), transient UNIX-domain sockets should be placed under the directory /run, so this commit updates the implicit value generated by the application.

Signed-off-by: Vicente J. Jiménez Miras <vjjmiras@gmail.com>
 2022-09-14 10:27:24 +02:00
Jason Dellaluce
9c184af2a1 fix(userspace/falco): adopt stricter memory order semantics 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
d11aec28d5 fix(userspace/falco): move stats collection in event success path 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
d17e173e35 chore(userspace/falco): rename sources app state list for more clarity 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
25e9bd1c91 chore(userspace/falco): fix codespell typo 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
4bc9fc74c8 update(userspace/falco)!: adapt stats writer for multiple parallel event sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00
Jason Dellaluce
b65cc49221 update(userspace/falco): rename init_inspector action into init_inspectors 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-12 16:14:15 +02:00