random() uses internal static state that is not thread-safe. Since
should_drop_evt() can be called concurrently from per-source event
processing threads, replace it with a thread_local std::mt19937
seeded by std::random_device. Remove the now-unused srandom() seed
and Windows compat defines.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
gmtime() and localtime() return pointers to a shared static buffer,
making them unsafe in multi-threaded contexts. Replace all call sites
with gmtime_r() and localtime_r() which use caller-provided buffers.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
- Move output_format.h from userspace/falco/ to userspace/engine/ to
fix reverse dependency (engine layer was including from app layer);
update all include paths accordingly
- Add SPDX-License-Identifier to output_format.h
- Remove leftover m_first_event_in_category field from MarkdownFormatter
(was set in begin_category() but never read)
- Emit deprecation warning to stderr when --markdown is used
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Paolo Polidori <paolo.polidori@sysdig.com>
- Added support of the JSON format
- Refactored field and events formatting using the strategy pattern
Signed-off-by: Paolo Polidori <paolo.polidori@sysdig.com>
- Bump default falcosecurity/libs to latest main (8f6b914) with
transformer_list_expr and field_transformer_expr (values) support
- Add visit(transformer_list_expr*) to filter_details_resolver and
filter_macro_resolver visitors
- Fix field_transformer_expr handling to use e->values instead of e->value
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
Falco 0.43.0 deprecated the gRPC output and server supports. Drop
their supports as well as any reference to them.
BREAKING CHANGE: drop gRPC output and server support
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Emit a warning when a rule with a condition using "evt.dir" field is
encountered.
The direction have been deprecated in the scope of enter event
suppression initiative.
Signed-off-by: Iacopo Rozzo <iacopo.rozzo@iacopo.rozzo>
Make Falco's libs internal auto thread purging interval and timeout
configurable and set their default values to 5 minutes. This helps
controlling the memory impact of process exit events dropping and
events re-ordering.
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Merge-strategy for included config files must now be
specified as yaml map of the form:
- path: foo
strategy: bar
If `strategy` is omitted, or the old `string-only` form is used,
`append` strategy is enforced.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
By default we now use the `append` merge-strategy:
* existing sequence keys will be appended
* existing scalar keys will be overridden
* non-existing keys will be added
We also have an `override` merge-strategy:
* existing keys will be overridden
* non-existing keys will be added
Finally, there is an `add-only` merge-strategy:
* existing keys will be ignored
* non-existing keys will be added
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
