adding changes for laptop

Signed-off-by: Kris Nova <kris@nivenly.com>

docker/build/install-falco.yaml

@@ -0,0 +1,45 @@
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: falco
+  namespace: falco
+  labels:
+    app: falco
+spec:
+  selector:
+    matchLabels:
+      app: falco
+  template:
+    metadata:
+      labels:
+        app: falco
+    spec:
+      tolerations:
+        - operator: Exists
+      hostPID: true
+      hostNetwork: true
+containers:
+  - name: falco-init
+    image: alpine
+    imagePullPolicy: Always
+    securityContext:
+      privileged: true
+lifecycle:
+  preStop:
+    exec:
+      command:
+        - "nsenter"
+        - "-t"
+        - "1"
+        - "-m"
+        - "--"
+        - "/bin/sh"
+        - "-c"
+        - |
+          #!/bin/bash
+          curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
+          echo "deb https://dl.bintray.com/falcosecurity/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
+          apt-get update -y
+          apt-get -y install linux-headers-$(uname -r)
+          apt-get install -y falco
+          exit 0

userspace/README.md

@@ -0,0 +1,22 @@
+# Userspace
+
+Here is where the main Falco engine lives.
+
+There are two libraries here that are roughly seperated in the following way.are
+
+### falco
+
+This is the beloved `main()` function of the Falco program, as well as the logic for various falco outputs.
+
+An output is just a way of delivering a Falco alert, the most simple output is the Falco stdout log.
+
+### engine
+
+This is the processing engine that connect the inbound stream of systemcalls to the rules engine.
+
+This is the main powerhouse behind Falco, and does the assertion at runtime that compares system call events to rules.are
+
+
+### CMake
+
+If you are adding new files to either library you must define the `.cpp` file in the associated CMakeLists.txt file such that the linker will know where to find your new file.

userspace/engine/CMakeLists.txt

@@ -16,6 +16,7 @@ set(FALCO_ENGINE_SOURCE_FILES
     falco_engine.cpp
     falco_utils.cpp
     json_evt.cpp
+    prettyprint.cpp
     ruleset.cpp
     token_bucket.cpp
     formats.cpp)

userspace/engine/falco_engine.cpp

@@ -22,6 +22,7 @@ limitations under the License.
 #include "falco_engine.h"
 #include "falco_utils.h"
 #include "falco_engine_version.h"
+#include "prettyprint.h"
 #include "config_falco_engine.h"
 
 #include "formats.h"
@@ -316,6 +317,9 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_sinsp_event(sinsp_ev
 			string err = "Error invoking function output: " + string(lerr);
 			throw falco_exception(err);
 		}
+
+		prettyprint::sinsp_event(ev, "Raw event just before popping to Lua");
+
 		res->evt = ev;
 		const char *p =  lua_tostring(m_ls, -3);
 		res->rule = p;

userspace/engine/prettyprint.cpp

@@ -0,0 +1,82 @@
+/*
+Copyright (C) 2019 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "prettyprint.h"
+
+/**
+ * sinsp_event will pretty print a pointer to a sinsp_evt.
+ *
+ * This can be used for debugging an event at various times during development.
+ * This should never be turned on in production. Feel free to add fields below
+ * as we need them, and we can just dump an event in here whenever we need while
+ * debugging.
+ *
+ * sinsp_events are blue because they are happy.
+ */
+void prettyprint::sinsp_event(sinsp_evt *ev, const char* note)
+{
+  ev->get_type()
+  prettyprint::warning();
+  printf("\033[0;34m"); // Start Blue
+  printf("\n*************************************************************\n");
+  printf("[Sinsp Event: %s]\n\n", note);
+  printf("name: %s\n", ev->get_name());
+  for(uint32_t i = 0; i <= ev->get_num_params(); i++){
+  }
+  for(int64_t j = 0; j <= ev->get_fd_num(); j++) {
+    printf("%s: %s\n", ev->get_param_name(j), ev->get_param_value_str(j, true).c_str());
+  };
+  // One off fields
+  //printf("fdinfo: %s\n", ev->get_fd_info()->tostring_clean().c_str());
+  //printf("type: %d\n", ev->get_type());
+/*
+  printf("k8s.ns.name: %s\n", ev->get_param_value_str("k8s.ns.name", true).c_str());
+  printf("k8s %s\n", ev->get_param_value_str("k8s", true).c_str());
+  printf("container: %s\n", ev->get_param_value_str("container", true).c_str());
+  printf("proc.pid: %s\n", ev->get_param_value_str("%proc.pid", true).c_str());
+  printf("proc: %s\n", ev->get_param_value_str("%proc", true).c_str());
+  printf("data: %s\n", ev->get_param_value_str("data", true).c_str());
+  printf("cpu: %s\n", ev->get_param_value_str("cpu", true).c_str());
+  printf("fd: %s\n", ev->get_param_value_str("fd", true).c_str());
+  printf("fd: %s\n", ev->get_param_value_str("evt.arg.fd", true).c_str());
+  printf("user: %s\n", ev->get_param_value_str("user", true).c_str());
+*/
+
+  printf("*************************************************************\n");
+  printf("\033[0m");
+}
+
+/**
+ * has_alerted controls our one time preliminary alert for using pretty print which is debug only
+ */
+bool prettyprint::has_alerted = false;
+
+/**
+ * Warnings are red
+ */
+void prettyprint::warning() {
+  if (!prettyprint::has_alerted) {
+    printf("\033[0;31m"); // Start Red
+    printf("\n\n");
+    printf("*************************************************************\n");
+    printf("          [Pretty Printing Debugging is Enabled]             \n");
+    printf("  This should never be used in production, by anyone, ever.  \n");
+    printf("*************************************************************\n");
+    printf("\033[0m");
+    prettyprint::has_alerted = true;
+  }
+}
+

userspace/engine/prettyprint.h

@@ -0,0 +1,42 @@
+/*
+Copyright (C) 2019 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <string>
+#include <set>
+#include <vector>
+#include <list>
+#include <map>
+
+#include "sinsp.h"
+#include "filter.h"
+#include "event.h"
+
+#include "gen_filter.h"
+
+
+#ifndef FALCO_FALCO_USERSPACE_PRETTYPRINT_H_
+#define FALCO_FALCO_USERSPACE_PRETTYPRINT_H_
+
+class prettyprint {
+ public:
+  static void sinsp_event(sinsp_evt *ev, const char* note = "");
+
+ private:
+  static bool has_alerted;
+  static void warning();
+};
+
+#endif //FALCO_FALCO_USERSPACE_PRETTYPRINT_H_

userspace/falco/falco_outputs.cpp

@@ -145,6 +145,8 @@ void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,
 		return;
 	}
 
+
+
 	std::lock_guard<std::mutex> guard(m_ls_semaphore);
 	lua_getglobal(m_ls, m_lua_output_event.c_str());