squash w Move falco_init() code to individual app actions

Convert use of raw pointers (originally passed from falco_init or
functions it called) with shared_ptr, as they are now held in actions
state.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

tests/CMakeLists.txt

@@ -17,17 +17,25 @@
 if(MINIMAL_BUILD)
   set(
     FALCO_TESTS_SOURCES
+    ${PROJECT_SOURCE_DIR}/userspace/falco/app_runnable_action.cpp
+    ${PROJECT_SOURCE_DIR}/userspace/falco/app_action_manager.cpp
+    ${PROJECT_SOURCE_DIR}/userspace/falco/logger.cpp
     test_base.cpp
     engine/test_rulesets.cpp
     engine/test_falco_utils.cpp
+    falco/test_actions.cpp
     falco/test_configuration.cpp
   )
 else()
   set(
     FALCO_TESTS_SOURCES
+    ${PROJECT_SOURCE_DIR}/userspace/falco/app_runnable_action.cpp
+    ${PROJECT_SOURCE_DIR}/userspace/falco/app_action_manager.cpp
+    ${PROJECT_SOURCE_DIR}/userspace/falco/logger.cpp
     test_base.cpp
     engine/test_rulesets.cpp
     engine/test_falco_utils.cpp
+    falco/test_actions.cpp
     falco/test_configuration.cpp
     falco/test_webserver.cpp
   )

tests/falco/test_actions.cpp

@@ -0,0 +1,387 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "app_action_manager.h"
+
+#include <string>
+#include <vector>
+
+#include <catch.hpp>
+
+// Test actions just record the order they were run (or skipped)
+class test_action : public falco::app::runnable_action {
+public:
+
+	static std::vector<std::string> s_actions_run;
+
+	test_action(const std::string &name,
+		    const std::string &group,
+		    const std::list<std::string> &prerequsites,
+		    run_result res)
+		: m_name(name),
+		  m_group(group),
+		  m_prerequsites(prerequsites),
+		  m_res(res)
+		{
+		}
+
+	~test_action()
+		{
+		}
+
+	const std::string &name()
+	{
+		return m_name;
+	}
+
+	const std::string &group()
+	{
+		return m_group;
+	}
+
+	const std::list<std::string> &prerequsites()
+	{
+		return m_prerequsites;
+	}
+
+	run_result run()
+	{
+		s_actions_run.push_back(m_name);
+		return m_res;
+	}
+
+private:
+	std::string m_name;
+	std::string m_group;
+	std::list<std::string> m_prerequsites;
+	run_result m_res;
+};
+
+std::vector<std::string> test_action::s_actions_run;
+
+static std::list<std::string> empty;
+static std::list<std::string> prereq_a = {"a"};
+static std::list<std::string> prereq_aa = {"aa"};
+static std::list<std::string> prereq_ab = {"ab"};
+static std::list<std::string> prereq_m = {"m"};
+static std::list<std::string> prereq_n = {"n"};
+
+// The action names denote the dependency order e.g. "a", "b", "c" are
+// all independent, "aa" and "ab" depend on a but are independent of
+// each other, "aaa" "aab" depend on "aa" but are independent, etc.
+
+static falco::app::runnable_action::run_result success_proceed{true, "", true};
+
+static falco::app::runnable_action::run_result success_noproceed{true, "", false};
+
+
+static std::shared_ptr<test_action> a = std::make_shared<test_action>(std::string("a"),
+								      std::string("init"),
+								      empty,
+								      success_proceed);
+
+static std::shared_ptr<test_action> a_noproceed = std::make_shared<test_action>(std::string("a"),
+										std::string("init"),
+										empty,
+										success_noproceed);
+
+static std::shared_ptr<test_action> b = std::make_shared<test_action>(std::string("b"),
+								      std::string("init"),
+								      empty,
+								      success_proceed);
+
+static std::shared_ptr<test_action> c = std::make_shared<test_action>(std::string("c"),
+								      std::string("init"),
+								      empty,
+								      success_proceed);
+
+static std::shared_ptr<test_action> d = std::make_shared<test_action>(std::string("d"),
+								      std::string("init"),
+								      empty,
+								      success_proceed);
+
+std::shared_ptr<test_action> aa = std::make_shared<test_action>(std::string("aa"),
+								std::string("init"),
+								prereq_a,
+								success_proceed);
+
+std::shared_ptr<test_action> ab = std::make_shared<test_action>(std::string("ab"),
+								std::string("init"),
+								prereq_a,
+								success_proceed);
+
+std::shared_ptr<test_action> aa_noproceed = std::make_shared<test_action>(std::string("aa"),
+									  std::string("init"),
+									  prereq_a,
+									  success_noproceed);
+
+std::shared_ptr<test_action> aaa = std::make_shared<test_action>(std::string("aaa"),
+								 std::string("init"),
+								 prereq_aa,
+								 success_proceed);
+
+std::shared_ptr<test_action> aab = std::make_shared<test_action>(std::string("aab"),
+								 std::string("init"),
+								 prereq_aa,
+								 success_proceed);
+
+std::shared_ptr<test_action> aba = std::make_shared<test_action>(std::string("aba"),
+								 std::string("init"),
+								 prereq_ab,
+								 success_proceed);
+
+static std::shared_ptr<test_action> m = std::make_shared<test_action>(std::string("m"),
+								      std::string("run"),
+								      empty,
+								      success_proceed);
+
+static std::shared_ptr<test_action> ma = std::make_shared<test_action>(std::string("ma"),
+								       std::string("run"),
+								       prereq_m,
+								       success_proceed);
+
+static std::shared_ptr<test_action> n = std::make_shared<test_action>(std::string("n"),
+								      std::string("run"),
+								      empty,
+								      success_proceed);
+
+static std::shared_ptr<test_action> na = std::make_shared<test_action>(std::string("na"),
+								       std::string("run"),
+								       prereq_n,
+								       success_proceed);
+
+static std::vector<std::string>::iterator find_action(const std::string &name,
+						    std::vector<std::string>::iterator begin = test_action::s_actions_run.begin())
+{
+	return std::find(begin,
+			 test_action::s_actions_run.end(),
+			 name);
+}
+
+static bool action_is_found(const std::string &name,
+			    std::vector<std::string>::iterator begin = test_action::s_actions_run.begin())
+{
+	auto it = find_action(name, begin);
+
+	return (it != test_action::s_actions_run.end());
+}
+
+TEST_CASE("action manager can add and run actions", "[actions]")
+{
+	std::list<std::string> groups = {"init", "run"};
+
+	SECTION("Two independent")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(b);
+
+		amgr.run();
+
+		// Can't compare to any direct vector as order is not guaranteed
+		REQUIRE(action_is_found(a->name()) == true);
+		REQUIRE(action_is_found(b->name()) == true);
+	}
+
+	SECTION("Two dependent")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(aa);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a", "aa"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("One independent, two dependent")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(aa);
+		amgr.add(b);
+
+		amgr.run();
+
+		// Can't compare to any direct vector as order is not guaranteed
+		REQUIRE(action_is_found(a->name()) == true);
+		REQUIRE(action_is_found(aa->name()) == true);
+		REQUIRE(action_is_found(b->name()) == true);
+
+		// Ensure that aa appears after a
+		auto it = find_action(a->name());
+		REQUIRE(action_is_found(aa->name(), it) == true);
+	}
+
+	SECTION("Two dependent, first does not proceed")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a_noproceed);
+		amgr.add(aa);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("Two dependent, second does not proceed")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(aa_noproceed);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a", "aa"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("Three dependent, first does not proceed")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a_noproceed);
+		amgr.add(aa);
+		amgr.add(aaa);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("Three dependent, second does not proceed")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(aa_noproceed);
+		amgr.add(aaa);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a", "aa"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("Groups")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(ma);
+		amgr.add(m);
+		amgr.add(aa);
+		amgr.add(a);
+
+		amgr.run();
+
+		std::vector<std::string> exp_actions_run = {"a", "aa", "m", "ma"};
+		REQUIRE(test_action::s_actions_run == exp_actions_run);
+	}
+
+	SECTION("Complex")
+	{
+		falco::app::action_manager amgr;
+		amgr.set_groups(groups);
+
+		test_action::s_actions_run.clear();
+
+		amgr.add(a);
+		amgr.add(b);
+		amgr.add(c);
+		amgr.add(d);
+		amgr.add(aa);
+		amgr.add(ab);
+		amgr.add(aaa);
+		amgr.add(aab);
+		amgr.add(aba);
+		amgr.add(m);
+		amgr.add(ma);
+		amgr.add(n);
+		amgr.add(na);
+
+		amgr.run();
+
+		// a, b, c, d must be found. Order not specified.
+		REQUIRE(action_is_found(a->name()) == true);
+		REQUIRE(action_is_found(b->name()) == true);
+		REQUIRE(action_is_found(c->name()) == true);
+		REQUIRE(action_is_found(d->name()) == true);
+
+		// aa, ab must be after a.
+		auto it = find_action(a->name());
+		REQUIRE(action_is_found(aa->name(), it) == true);
+		REQUIRE(action_is_found(ab->name(), it) == true);
+
+		// aaa, aab must be after aa
+		it = find_action(aa->name());
+		REQUIRE(action_is_found(aaa->name(), it) == true);
+		REQUIRE(action_is_found(aab->name(), it) == true);
+
+		// aba must be after ab
+		it = find_action(ab->name());
+		REQUIRE(action_is_found(aba->name(), it) == true);
+
+		// The run actions must be the last four
+		std::vector<std::string>::iterator last_four = test_action::s_actions_run.end() - 4;
+		REQUIRE(action_is_found(m->name(), last_four) == true);
+		REQUIRE(action_is_found(ma->name(), last_four) == true);
+		REQUIRE(action_is_found(n->name(), last_four) == true);
+		REQUIRE(action_is_found(na->name(), last_four) == true);
+
+		// ma must be after m
+		it = find_action(m->name());
+		REQUIRE(action_is_found(ma->name(), it) == true);
+
+		// na must be after n
+		it = find_action(n->name());
+		REQUIRE(action_is_found(na->name(), it) == true);
+	}
+}
+
+
+

userspace/engine/formats.cpp

@@ -20,7 +20,7 @@ limitations under the License.
 #include "falco_engine.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-falco_formats::falco_formats(falco_engine *engine,
+falco_formats::falco_formats(std::shared_ptr<falco_engine> engine,
 			     bool json_include_output_property,
 			     bool json_include_tags_property)
 	: m_falco_engine(engine),

userspace/engine/formats.h

@@ -33,7 +33,7 @@ extern "C"
 class falco_formats
 {
 public:
-	falco_formats(falco_engine *engine,
+	falco_formats(std::shared_ptr<falco_engine> engine,
 		      bool json_include_output_property,
 		      bool json_include_tags_property);
 	virtual ~falco_formats();
@@ -45,7 +45,7 @@ public:
 					     const std::string &format);
 
 protected:
-	falco_engine *m_falco_engine;
+	std::shared_ptr<falco_engine> m_falco_engine;
 	bool m_json_include_output_property;
 	bool m_json_include_tags_property;
 };

userspace/falco/CMakeLists.txt

@@ -17,6 +17,30 @@ set(
   FALCO_SOURCES
   application.cpp
   app_cmdline_options.cpp
+  app_action.cpp
+  app_runnable_action.cpp
+  app_actions/create_signal_handlers.cpp
+  app_actions/init_action.cpp
+  app_actions/run_action.cpp
+  app_actions/init_falco_engine.cpp
+  app_actions/init_inspector.cpp
+  app_actions/init_outputs.cpp
+  app_actions/list_fields.cpp
+  app_actions/list_plugins.cpp
+  app_actions/load_config.cpp
+  app_actions/load_plugins.cpp
+  app_actions/load_rules_files.cpp
+  app_actions/print_help.cpp
+  app_actions/print_ignored_events.cpp
+  app_actions/print_support.cpp
+  app_actions/print_version.cpp
+  app_actions/start_grpc_server.cpp
+  app_actions/start_webserver.cpp
+  app_actions/validate_rules_files.cpp
+  app_actions/daemonize.cpp
+  app_actions/open_inspector.cpp
+  app_actions/process_events.cpp
+  app_action_manager.cpp
   configuration.cpp
   logger.cpp
   falco_outputs.cpp
@@ -131,6 +155,7 @@ target_include_directories(
   falco
   PUBLIC
   ${FALCO_INCLUDE_DIRECTORIES}
+  ${CMAKE_CURRENT_SOURCE_DIR}
 )
 
 if(NOT MINIMAL_BUILD)

userspace/falco/app_action.cpp

@@ -0,0 +1,48 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "application.h"
+#include "app_action.h"
+
+namespace falco {
+namespace app {
+
+action::action(application &app)
+	: m_app(app)
+{
+}
+
+action::~action()
+{
+}
+
+application &action::app()
+{
+	return m_app;
+}
+
+cmdline_options &action::options()
+{
+	return m_app.options();
+}
+
+application::action_state &action::state()
+{
+	return m_app.state();
+}
+
+}; // namespace application
+}; // namespace falco

userspace/falco/app_action.h

@@ -0,0 +1,59 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "application.h"
+#include "app_runnable_action.h"
+
+namespace falco {
+namespace app {
+
+// This class represents an "action" e.g. a chunk of code to execute
+// as a part of running the falco application. Examples of actions are:
+//   - initializing/configuring the inspector
+//   - loading/configuring plugins
+//   - reading events from a trace file or live event source
+//
+// Actions also include "one off" actions for things like --help
+// output, --list fields, etc.
+//
+// There's no attempt to distribute state (e.g. inspectors, lists of
+// plugins, etc) across actions. The expectation is that all state
+// that needs to be used across actions is held in the provided
+// application object and actions know which state they should create
+// and destroy.
+
+// The reason for a sublcass is to allow for building/running unit
+// tests for the action manager without bringing in all of the falco
+// application code (engine, outputs, grpc, etc).
+class action : public runnable_action {
+public:
+	action(application &app);
+	virtual ~action();
+
+	application &app();
+
+	cmdline_options &options();
+	application::action_state &state();
+
+private:
+	application &m_app;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_action_manager.cpp

@@ -0,0 +1,148 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "app_action_manager.h"
+#include "logger.h"
+#include "falco_common.h"
+
+#include <algorithm>
+#include <list>
+#include <memory>
+#include <string>
+
+namespace falco {
+namespace app {
+
+action_manager::action_manager()
+{
+}
+
+action_manager::~action_manager()
+{
+}
+
+void action_manager::set_groups(std::list<std::string> &groups)
+{
+	m_groups = groups;
+}
+
+void action_manager::add(std::shared_ptr<runnable_action> act)
+{
+	m_actions[act->name()] = act;
+}
+
+bool action_manager::compare_actions(const std::shared_ptr<runnable_action> &a, const std::shared_ptr<runnable_action> &b)
+{
+	// Check b's prerequsites. If a is found return true.
+	for(auto &prereq_name : b->prerequsites())
+	{
+		if(prereq_name == a->name())
+		{
+			return true;
+		}
+	}
+
+	// Not a direct dependency. Check b's prerequsites recursively
+	for(auto &prereq_name : b->prerequsites())
+	{
+		auto it = m_actions.find(prereq_name);
+		if(it == m_actions.end())
+		{
+			throw falco_exception("No action with name " + prereq_name + " exists?");
+		}
+
+		if(compare_actions(a, it->second))
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+void action_manager::run()
+{
+	for(auto &group : m_groups)
+	{
+		falco_logger::log(LOG_DEBUG, string("Running group ") + group);
+		bool proceed = run_group(group);
+
+		if(!proceed)
+		{
+			break;
+		}
+	}
+}
+
+bool action_manager::run_group(std::string &group)
+{
+	bool proceed = true;
+
+	std::vector<std::shared_ptr<runnable_action>> actions_ordered;
+
+	for(auto &pair : m_actions)
+	{
+		if(pair.second->group() == group)
+		{
+			actions_ordered.push_back(pair.second);
+		}
+	}
+
+	auto compare = [this](const std::shared_ptr<runnable_action> &a,
+			      const std::shared_ptr<runnable_action> &b) {
+		return this->compare_actions(a, b);
+	};
+
+	// Order the actions according to precedence
+	std::sort(actions_ordered.begin(), actions_ordered.end(), compare);
+
+	for(auto &act : actions_ordered)
+	{
+		falco_logger::log(LOG_DEBUG, string("Initializing action ") + act->name());
+
+		act->init();
+	}
+
+	for(auto &act : actions_ordered)
+	{
+		falco_logger::log(LOG_DEBUG, string("Running action ") + act->name());
+
+		runnable_action::run_result res = act->run();
+
+		if(!res.success)
+		{
+			fprintf(stderr, "Could not complete %s: %s\n", act->name().c_str(), res.errstr.c_str());
+		}
+
+		if(!res.proceed)
+		{
+			proceed = false;
+			break;
+		}
+	}
+
+	for(auto &act : actions_ordered)
+	{
+		falco_logger::log(LOG_DEBUG, string("Deinitializing action ") + act->name());
+
+		act->deinit();
+	}
+
+	return proceed;
+}
+
+}; // namespace application
+}; // namespace falco

userspace/falco/app_action_manager.h

@@ -0,0 +1,63 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "app_runnable_action.h"
+
+#include <memory>
+#include <vector>
+#include <map>
+
+namespace falco {
+namespace app {
+
+// This class manages a set of actions, ensuring that they run in an
+// order that honors their dependencies and their run results.
+
+class action_manager {
+public:
+	action_manager();
+	virtual ~action_manager();
+
+	// Actions are organized into groups. All actions from a
+	// given group are run before actions from another group.
+	//
+	// Example groups are "init", "run", etc.
+	//
+	// This specifies the order of groups.
+	void set_groups(std::list<std::string> &groups);
+
+	void add(std::shared_ptr<runnable_action> act);
+
+	void run();
+
+private:
+
+	// Returns true if subsequent groups should run, false otherwise.
+        bool run_group(std::string &group);
+
+	std::list<std::string> m_groups;
+
+	// Return true if a is less (e.g. a should run before b)
+	bool compare_actions(const std::shared_ptr<runnable_action> &a, const std::shared_ptr<runnable_action> &b);
+
+	std::map<std::string, std::shared_ptr<runnable_action>> m_actions;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/create_signal_handlers.cpp

@@ -0,0 +1,94 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <string.h>
+#include <signal.h>
+
+#include "create_signal_handlers.h"
+
+static void signal_callback(int signal)
+{
+	falco::app::application::get().state().terminate = true;
+}
+
+static void reopen_outputs(int signal)
+{
+	falco::app::application::get().state().reopen_outputs = true;
+}
+
+static void restart_falco(int signal)
+{
+	falco::app::application::get().state().restart = true;
+}
+
+namespace falco {
+namespace app {
+
+act_create_signal_handlers::act_create_signal_handlers(application &app)
+	: init_action(app), m_name("create signal handlers")
+{
+}
+
+act_create_signal_handlers::~act_create_signal_handlers()
+{
+}
+
+const std::string &act_create_signal_handlers::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_create_signal_handlers::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_create_signal_handlers::run()
+{
+	run_result ret = {true, "", true};
+
+	if(! create_handler(SIGINT, signal_callback, ret) ||
+	   ! create_handler(SIGTERM, signal_callback, ret) ||
+	   ! create_handler(SIGUSR1, reopen_outputs, ret) ||
+	   ! create_handler(SIGHUP, restart_falco, ret))
+	{
+		return ret;
+	}
+
+	return ret;
+}
+
+bool act_create_signal_handlers::create_handler(int sig, void (*func)(int), run_result &ret)
+{
+	if(signal(sig, func) == SIG_ERR)
+	{
+		char errbuf[1024];
+
+		ret.success = false;
+		ret.errstr = std::string("Could not create signal handler for ") +
+			strsignal(sig) +
+			": " +
+			strerror_r(errno, errbuf, sizeof(errbuf));
+
+		ret.proceed = false;
+	}
+
+	return ret.success;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/create_signal_handlers.h

@@ -0,0 +1,47 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_create_signal_handlers : public init_action {
+public:
+	act_create_signal_handlers(application &app);
+	virtual ~act_create_signal_handlers();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+
+	bool create_handler(int sig, void (*func)(int), run_result &ret);
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/daemonize.cpp

@@ -0,0 +1,115 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "daemonize.h"
+
+namespace falco {
+namespace app {
+
+act_daemonize::act_daemonize(application &app)
+	: run_action(app), m_name("daemonize"), m_daemonized(false)
+{
+}
+
+act_daemonize::~act_daemonize()
+{
+}
+
+const std::string &act_daemonize::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_daemonize::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_daemonize::run()
+{
+	run_result ret = {true, "", true};
+
+	// If daemonizing, do it here so any init errors will
+	// be returned in the foreground process.
+	if (options().daemon && !m_daemonized) {
+		pid_t pid, sid;
+
+		pid = fork();
+		if (pid < 0) {
+			// error
+			ret.success = false;
+			ret.errstr = "Could not fork.";
+			ret.proceed = false;
+			return ret;
+		} else if (pid > 0) {
+			// parent. Write child pid to pidfile and exit
+			std::ofstream pidfile;
+			pidfile.open(options().pidfilename);
+
+			if (!pidfile.good())
+			{
+				ret.success = false;
+				ret.errstr = string("Could not write pid to pid file ") + options().pidfilename + ".";
+				ret.proceed = false;
+				return ret;
+			}
+			pidfile << pid;
+			pidfile.close();
+			return ret;
+		}
+		// if here, child.
+
+		// Become own process group.
+		sid = setsid();
+		if (sid < 0) {
+			ret.success = false;
+			ret.errstr = string("Could not set session id.");
+			ret.proceed = false;
+			return ret;
+		}
+
+		// Set umask so no files are world anything or group writable.
+		umask(027);
+
+		// Change working directory to '/'
+		if ((chdir("/")) < 0) {
+			ret.success = false;
+			ret.errstr = string("Could not change working directory to '/'.");
+			ret.proceed = false;
+			return ret;
+		}
+
+		// Close stdin, stdout, stderr and reopen to /dev/null
+		close(0);
+		close(1);
+		close(2);
+		open("/dev/null", O_RDONLY);
+		open("/dev/null", O_RDWR);
+		open("/dev/null", O_RDWR);
+
+		m_daemonized = true;
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/daemonize.h

@@ -0,0 +1,46 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "run_action.h"
+
+namespace falco {
+namespace app {
+
+class act_daemonize : public run_action {
+public:
+	act_daemonize(application &app);
+	virtual ~act_daemonize();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+	bool m_daemonized;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_action.cpp

@@ -0,0 +1,40 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "load_plugins.h"
+
+namespace falco {
+namespace app {
+
+static std::string init_group = "init";
+
+init_action::init_action(application &app)
+	: action(app)
+{
+}
+
+init_action::~init_action()
+{
+}
+
+const std::string &init_action::group()
+{
+	return init_group;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_action.h

@@ -0,0 +1,37 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include "app_action.h"
+
+namespace falco {
+namespace app {
+
+// All actions in the "init" group derive from this class
+
+class init_action : public action {
+public:
+	init_action(application &app);
+	virtual ~init_action();
+
+	const std::string &group() override;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_falco_engine.cpp

@@ -0,0 +1,118 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "init_falco_engine.h"
+
+namespace falco {
+namespace app {
+
+act_init_falco_engine::act_init_falco_engine(application &app)
+	: init_action(app), m_name("init falco engine"),
+	  m_prerequsites({"init inspector"})
+{
+}
+
+act_init_falco_engine::~act_init_falco_engine()
+{
+}
+
+const std::string &act_init_falco_engine::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_init_falco_engine::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_init_falco_engine::run()
+{
+	run_result ret = {true, "", true};
+
+	configure_output_format();
+
+	// Create "factories" that can create filters/formatters for
+	// syscalls and k8s audit events.
+
+	// libs requires raw pointer, we should modify libs to use reference/shared_ptr
+	std::shared_ptr<gen_event_filter_factory> syscall_filter_factory(new sinsp_filter_factory(state().inspector.get()));
+	std::shared_ptr<gen_event_filter_factory> k8s_audit_filter_factory(new json_event_filter_factory());
+
+	// libs requires raw pointer, we should modify libs to use reference/shared_ptr
+	std::shared_ptr<gen_event_formatter_factory> syscall_formatter_factory(new sinsp_evt_formatter_factory(state().inspector.get()));
+	std::shared_ptr<gen_event_formatter_factory> k8s_audit_formatter_factory(new json_event_formatter_factory(k8s_audit_filter_factory));
+
+	state().engine->add_source(application::s_syscall_source, syscall_filter_factory, syscall_formatter_factory);
+	state().engine->add_source(application::s_k8s_audit_source, k8s_audit_filter_factory, k8s_audit_formatter_factory);
+
+	if(state().config->m_json_output)
+	{
+		syscall_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
+		k8s_audit_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
+	}
+
+	for(const auto &src : options().disable_sources)
+	{
+		state().enabled_sources.erase(src);
+	}
+
+	// XXX/mstemm technically this isn't right, you could disable syscall *and* k8s_audit and configure a plugin.
+	if(state().enabled_sources.empty())
+	{
+		throw std::invalid_argument("The event source \"syscall\" and \"k8s_audit\" can not be disabled together");
+	}
+
+	state().engine->set_min_priority(state().config->m_min_priority);
+
+	return ret;
+}
+
+void act_init_falco_engine::configure_output_format()
+{
+	std::string output_format;
+	bool replace_container_info = false;
+
+	if(options().print_container)
+	{
+		output_format = "container=%container.name (id=%container.id)";
+		replace_container_info = true;
+	}
+	else if(options().print_kubernetes)
+	{
+		output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
+		replace_container_info = true;
+	}
+	else if(options().print_mesos)
+	{
+		output_format = "task=%mesos.task.name container=%container.id";
+		replace_container_info = true;
+	}
+	else if(!options().print_additional.empty())
+	{
+		output_format = options().print_additional;
+		replace_container_info = false;
+	}
+
+	if(!output_format.empty())
+	{
+		state().engine->set_extra(output_format, replace_container_info);
+	}
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_falco_engine.h

@@ -0,0 +1,47 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_init_falco_engine : public init_action {
+public:
+	act_init_falco_engine(application &app);
+	virtual ~act_init_falco_engine();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	void configure_output_format();
+
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_inspector.cpp

@@ -0,0 +1,137 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "init_inspector.h"
+
+namespace falco {
+namespace app {
+
+act_init_inspector::act_init_inspector(application &app)
+	: init_action(app), m_name("init inspector")
+{
+}
+
+act_init_inspector::~act_init_inspector()
+{
+}
+
+const std::string &act_init_inspector::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_init_inspector::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_init_inspector::run()
+{
+	run_result ret = {true, "", true};
+
+	state().inspector->set_buffer_format(options().event_buffer_format);
+
+	// If required, set the CRI paths
+	for (auto &p : options().cri_socket_paths)
+	{
+		if (!p.empty())
+		{
+			state().inspector->add_cri_socket_path(p);
+		}
+	}
+
+	// Decide wether to do sync or async for CRI metadata fetch
+	state().inspector->set_cri_async(!options().disable_cri_async);
+
+	//
+	// If required, set the snaplen
+	//
+	if(options().snaplen != 0)
+	{
+		state().inspector->set_snaplen(options().snaplen);
+	}
+
+	if(!options().all_events)
+	{
+		// Drop EF_DROP_SIMPLE_CONS kernel side
+		state().inspector->set_simple_consumer();
+		// Eventually, drop any EF_DROP_SIMPLE_CONS event
+		// that reached userspace (there are some events that are not syscall-based
+		// like signaldeliver, that have the EF_DROP_SIMPLE_CONS flag)
+		state().inspector->set_drop_event_flags(EF_DROP_SIMPLE_CONS);
+	}
+
+	state().inspector->set_hostname_and_port_resolution_mode(false);
+
+#ifndef MINIMAL_BUILD
+
+		falco_logger::log(LOG_DEBUG, "Setting metadata download max size to " + to_string(state().config->m_metadata_download_max_mb) + " MB\n");
+		falco_logger::log(LOG_DEBUG, "Setting metadata download chunk wait time to " + to_string(state().config->m_metadata_download_chunk_wait_us) + " μs\n");
+		falco_logger::log(LOG_DEBUG, "Setting metadata download watch frequency to " + to_string(state().config->m_metadata_download_watch_freq_sec) + " seconds\n");
+		state().inspector->set_metadata_download_params(state().config->m_metadata_download_max_mb * 1024 * 1024, state().config->m_metadata_download_chunk_wait_us, state().config->m_metadata_download_watch_freq_sec);
+
+#endif
+
+#ifndef MINIMAL_BUILD
+	// Initializing k8s/mesos might have to move to open inspector
+	//
+	// Run k8s, if required
+	//
+	char *k8s_api_env = NULL;
+	if(!options().k8s_api.empty() ||
+	   (k8s_api_env = getenv("FALCO_K8S_API")))
+	{
+		// Create string pointers for some config vars
+		// and pass to inspector. The inspector then
+		// owns the pointers.
+		std::string *k8s_api_ptr = new string((!options().k8s_api.empty() ? options().k8s_api : k8s_api_env));
+		std::string *k8s_api_cert_ptr = new string(options().k8s_api_cert);
+		std::string *k8s_node_name_ptr = new string(options().k8s_node_name);
+
+		if(k8s_api_cert_ptr->empty())
+		{
+			if(char* k8s_cert_env = getenv("FALCO_K8S_API_CERT"))
+			{
+				*k8s_api_cert_ptr = k8s_cert_env;
+			}
+		}
+		state().inspector->init_k8s_client(k8s_api_ptr, k8s_api_cert_ptr, k8s_node_name_ptr, options().verbose);
+	}
+
+	//
+	// Run mesos, if required
+	//
+	if(!options().mesos_api.empty())
+	{
+		// Differs from init_k8s_client in that it
+		// passes a pointer but the inspector does
+		// *not* own it and does not use it after
+		// init_mesos_client() returns.
+		state().inspector->init_mesos_client(&(options().mesos_api), options().verbose);
+	}
+	else if(char* mesos_api_env = getenv("FALCO_MESOS_API"))
+	{
+		std::string mesos_api_copy = mesos_api_env;
+		state().inspector->init_mesos_client(&mesos_api_copy, options().verbose);
+	}
+
+#endif
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_inspector.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_init_inspector : public init_action {
+public:
+	act_init_inspector(application &app);
+	virtual ~act_init_inspector();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_outputs.cpp

@@ -0,0 +1,88 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "init_outputs.h"
+
+namespace falco {
+namespace app {
+
+act_init_outputs::act_init_outputs(application &app)
+	: init_action(app), m_name("init outputs"),
+	  m_prerequsites({"load config", "init falco engine"})
+{
+}
+
+act_init_outputs::~act_init_outputs()
+{
+}
+
+const std::string &act_init_outputs::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_init_outputs::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_init_outputs::run()
+{
+	run_result ret = {true, "", true};
+
+	// read hostname
+	std::string hostname;
+	if(char* env_hostname = getenv("FALCO_GRPC_HOSTNAME"))
+	{
+		hostname = env_hostname;
+	}
+	else
+	{
+		char c_hostname[256];
+		int err = gethostname(c_hostname, 256);
+		if(err != 0)
+		{
+			ret.success = false;
+			ret.errstr = "Failed to get hostname";
+			ret.proceed = false;
+		}
+		hostname = c_hostname;
+	}
+
+	state().outputs->init(state().engine,
+				    state().config->m_json_output,
+				    state().config->m_json_include_output_property,
+				    state().config->m_json_include_tags_property,
+				    state().config->m_output_timeout,
+				    state().config->m_notifications_rate, state().config->m_notifications_max_burst,
+				    state().config->m_buffered_outputs,
+				    state().config->m_time_format_iso_8601,
+				    hostname);
+
+	for(auto output : state().config->m_outputs)
+	{
+		state().outputs->add_output(output);
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/init_outputs.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_init_outputs : public init_action {
+public:
+	act_init_outputs(application &app);
+	virtual ~act_init_outputs();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/list_fields.cpp

@@ -0,0 +1,66 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "list_fields.h"
+
+namespace falco {
+namespace app {
+
+act_list_fields::act_list_fields(application &app)
+	: init_action(app), m_name("list fields"),
+	  m_prerequsites({"load plugins"})
+{
+}
+
+act_list_fields::~act_list_fields()
+{
+}
+
+const std::string &act_list_fields::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_list_fields::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_list_fields::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().list_fields)
+	{
+		if(options().list_source_fields != "" &&
+		   !state().engine->is_source_valid(options().list_source_fields))
+		{
+			ret.success = false;
+			ret.errstr = "Value for --list must be a valid source type";
+			ret.proceed = false;
+			return ret;
+		}
+		state().engine->list_fields(options().list_source_fields, options().verbose, options().names_only);
+
+		ret.proceed = false;
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/list_fields.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_list_fields : public init_action {
+public:
+	act_list_fields(application &app);
+	virtual ~act_list_fields();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/list_plugins.cpp

@@ -0,0 +1,78 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "list_plugins.h"
+
+namespace falco {
+namespace app {
+
+act_list_plugins::act_list_plugins(application &app)
+	: init_action(app), m_name("list plugins"),
+	  m_prerequsites({"load plugins"})
+{
+}
+
+act_list_plugins::~act_list_plugins()
+{
+}
+
+const std::string &act_list_plugins::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_list_plugins::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_list_plugins::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().list_plugins)
+	{
+		std::ostringstream os;
+
+		for(auto &info : state().plugin_infos)
+		{
+			os << "Name: " << info.name << std::endl;
+			os << "Description: " << info.description << std::endl;
+			os << "Contact: " << info.contact << std::endl;
+			os << "Version: " << info.plugin_version.as_string() << std::endl;
+
+			if(info.type == TYPE_SOURCE_PLUGIN)
+			{
+				os << "Type: source plugin" << std::endl;
+				os << "ID: " << info.id << std::endl;
+			}
+			else
+			{
+				os << "Type: extractor plugin" << std::endl;
+			}
+			os << std::endl;
+		}
+
+		printf("%lu Plugins Loaded:\n\n%s\n", state().plugin_infos.size(), os.str().c_str());
+		ret.proceed = false;
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/list_plugins.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_list_plugins : public init_action {
+public:
+	act_list_plugins(application &app);
+	virtual ~act_list_plugins();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_config.cpp

@@ -0,0 +1,73 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "load_config.h"
+
+namespace falco {
+namespace app {
+
+act_load_config::act_load_config(application &app)
+	: init_action(app), m_name("load config")
+{
+}
+
+act_load_config::~act_load_config()
+{
+}
+
+const std::string &act_load_config::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_load_config::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_load_config::run()
+{
+	run_result ret = {true, "", true};
+
+	if (options().conf_filename.size())
+	{
+		state().config->init(options().conf_filename, options().cmdline_config_options);
+		falco_logger::set_time_format_iso_8601(state().config->m_time_format_iso_8601);
+
+		// log after config init because config determines where logs go
+		falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
+		falco_logger::log(LOG_INFO, "Falco initialized with configuration file " + options().conf_filename + "\n");
+	}
+	else
+	{
+		ret.success = false;
+		ret.proceed = false;
+
+#ifndef BUILD_TYPE_RELEASE
+		ret.errstr = std::string("You must create a config file at ")  + FALCO_SOURCE_CONF_FILE + ", " + FALCO_INSTALL_CONF_FILE + " or by passing -c";
+#else
+		ret.errstr = std::string("You must create a config file at ")  + FALCO_INSTALL_CONF_FILE + " or by passing -c";
+#endif
+	}
+
+	state().config->m_buffered_outputs = !options().unbuffered_outputs;
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_config.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_load_config : public init_action {
+public:
+	act_load_config(application &app);
+	virtual ~act_load_config();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_plugins.cpp

@@ -0,0 +1,151 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "load_plugins.h"
+
+namespace falco {
+namespace app {
+
+act_load_plugins::act_load_plugins(application &app)
+	: init_action(app), m_name("load plugins"),
+	  m_prerequsites({"init falco engine", "load config"})
+{
+}
+
+act_load_plugins::~act_load_plugins()
+{
+}
+
+const std::string &act_load_plugins::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_load_plugins::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_load_plugins::run()
+{
+	run_result ret = {true, "", true};
+
+	// All filterchecks created by plugins go in this
+	// list. If we ever support multiple event sources at
+	// the same time, this (and the below factories) will
+	// have to be a map from event source to filtercheck
+	// list.
+	filter_check_list plugin_filter_checks;
+
+	// Factories that can create filters/formatters for
+	// the (single) source supported by the (single) input plugin.
+	// libs requires raw pointer, we should modify libs to use reference/shared_ptr
+	std::shared_ptr<gen_event_filter_factory> plugin_filter_factory(new sinsp_filter_factory(state().inspector.get(), plugin_filter_checks));
+	std::shared_ptr<gen_event_formatter_factory> plugin_formatter_factory(new sinsp_evt_formatter_factory(state().inspector.get(), plugin_filter_checks));
+
+	if(state().config->m_json_output)
+	{
+		plugin_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
+	}
+
+	std::shared_ptr<sinsp_plugin> input_plugin;
+	std::list<std::shared_ptr<sinsp_plugin>> extractor_plugins;
+	for(auto &p : state().config->m_plugins)
+	{
+		std::shared_ptr<sinsp_plugin> plugin;
+#ifdef MUSL_OPTIMIZED
+		ret.success = ret.proceed = false;
+		ret.errstr = "Can not load/use plugins with musl optimized build";
+		return ret;
+#else
+		falco_logger::log(LOG_INFO, "Loading plugin (" + p.m_name + ") from file " + p.m_library_path + "\n");
+
+		// libs requires raw pointer, we should modify libs to use reference/shared_ptr
+		plugin = sinsp_plugin::register_plugin(state().inspector.get(),
+						       p.m_library_path,
+						       (p.m_init_config.empty() ? NULL : (char *)p.m_init_config.c_str()),
+						       plugin_filter_checks);
+#endif
+
+		if(plugin->type() == TYPE_SOURCE_PLUGIN)
+		{
+			sinsp_source_plugin *splugin = static_cast<sinsp_source_plugin *>(plugin.get());
+
+			if(input_plugin)
+			{
+				ret.success = false;
+				ret.errstr = string("Can not load multiple source plugins. ") + input_plugin->name() + " already loaded";
+				ret.proceed = false;
+				return ret;
+			}
+
+			input_plugin = plugin;
+			state().event_source = splugin->event_source();
+
+			state().inspector->set_input_plugin(p.m_name);
+			if(!p.m_open_params.empty())
+			{
+				state().inspector->set_input_plugin_open_params(p.m_open_params.c_str());
+			}
+
+			state().engine->add_source(state().event_source, plugin_filter_factory, plugin_formatter_factory);
+
+		} else {
+			extractor_plugins.push_back(plugin);
+		}
+	}
+
+	// Ensure that extractor plugins are compatible with the event source.
+	// Also, ensure that extractor plugins don't have overlapping compatible event sources.
+	std::set<std::string> compat_sources_seen;
+	for(auto plugin : extractor_plugins)
+	{
+		// If the extractor plugin names compatible sources,
+		// ensure that the input plugin's source is in the list
+		// of compatible sources.
+		sinsp_extractor_plugin *eplugin = static_cast<sinsp_extractor_plugin *>(plugin.get());
+		const std::set<std::string> &compat_sources = eplugin->extract_event_sources();
+		if(input_plugin &&
+		   !compat_sources.empty())
+		{
+			if (compat_sources.find(state().event_source) == compat_sources.end())
+			{
+				ret.success = ret.proceed = false;
+				ret.errstr = string("Extractor plugin not compatible with event source ") + state().event_source;
+				return ret;
+			}
+
+			for(const auto &compat_source : compat_sources)
+			{
+				if(compat_sources_seen.find(compat_source) != compat_sources_seen.end())
+				{
+					ret.success = ret.proceed = false;
+					ret.errstr = string("Extractor plugins have overlapping compatible event source ") + compat_source;
+					return ret;
+				}
+				compat_sources_seen.insert(compat_source);
+			}
+		}
+	}
+
+	state().plugin_infos = sinsp_plugin::plugin_infos(state().inspector.get());
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_plugins.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_load_plugins : public init_action {
+public:
+	act_load_plugins(application &app);
+	virtual ~act_load_plugins();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_rules_files.cpp

@@ -0,0 +1,200 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "load_rules_files.h"
+
+namespace falco {
+namespace app {
+
+act_load_rules_files::act_load_rules_files(application &app)
+	: init_action(app), m_name("load rules files"),
+	  m_prerequsites({"load plugins"})
+{
+}
+
+act_load_rules_files::~act_load_rules_files()
+{
+}
+
+const std::string &act_load_rules_files::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_load_rules_files::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_load_rules_files::run()
+{
+	run_result ret = {true, "", true};
+
+	string all_rules;
+
+	if (options().rules_filenames.size())
+	{
+		state().config->m_rules_filenames = options().rules_filenames;
+	}
+
+	if(state().config->m_rules_filenames.size() == 0)
+	{
+		ret.success = false;
+		ret.errstr = "You must specify at least one rules file/directory via -r or a rules_file entry in falco.yaml";
+		ret.proceed = false;
+		return ret;
+	}
+
+	falco_logger::log(LOG_DEBUG, "Configured rules filenames:\n");
+	for (auto filename : state().config->m_rules_filenames)
+	{
+		falco_logger::log(LOG_DEBUG, string("   ") + filename + "\n");
+	}
+
+	for (auto filename : state().config->m_rules_filenames)
+	{
+		falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
+		uint64_t required_engine_version;
+
+		try {
+			state().engine->load_rules_file(filename, options().verbose, options().all_events, required_engine_version);
+		}
+		catch(falco_exception &e)
+		{
+			ret.success = false;
+			ret.errstr = string("Could not load rules file ") + filename + ": " + e.what();
+			ret.proceed = false;
+			return ret;
+		}
+		state().required_engine_versions[filename] = required_engine_version;
+	}
+
+	// Ensure that all plugins are compatible with the loaded set of rules
+	for(auto &info : state().plugin_infos)
+	{
+		std::string required_version;
+
+		if(!state().engine->is_plugin_compatible(info.name, info.plugin_version.as_string(), required_version))
+		{
+			ret.success = false;
+			ret.errstr = std::string("Plugin ") + info.name + " version " + info.plugin_version.as_string() + " not compatible with required plugin version " + required_version;
+			ret.proceed = false;
+		}
+	}
+
+	for (auto substring : options().disabled_rule_substrings)
+	{
+		falco_logger::log(LOG_INFO, "Disabling rules matching substring: " + substring + "\n");
+		state().engine->enable_rule(substring, false);
+	}
+
+	if(options().disabled_rule_tags.size() > 0)
+	{
+		for(auto &tag : options().disabled_rule_tags)
+		{
+			falco_logger::log(LOG_INFO, "Disabling rules with tag: " + tag + "\n");
+		}
+		state().engine->enable_rule_by_tag(options().disabled_rule_tags, false);
+	}
+
+	if(options().enabled_rule_tags.size() > 0)
+	{
+		// Since we only want to enable specific
+		// rules, first disable all rules.
+		state().engine->enable_rule(all_rules, false);
+		for(auto &tag : options().enabled_rule_tags)
+		{
+			falco_logger::log(LOG_INFO, "Enabling rules with tag: " + tag + "\n");
+		}
+		state().engine->enable_rule_by_tag(options().enabled_rule_tags, true);
+	}
+
+	if(!options().all_events)
+	{
+		// For syscalls, see if any event types used by the
+		// loaded rules are ones with the EF_DROP_SIMPLE_CONS
+		// label.
+		check_for_ignored_events();
+	}
+
+	if (options().describe_all_rules)
+	{
+		state().engine->describe_rule(NULL);
+		ret.proceed = false;
+		return ret;
+	}
+
+	if (!options().describe_rule.empty())
+	{
+		state().engine->describe_rule(&(options().describe_rule));
+		ret.proceed = false;
+		return ret;
+	}
+
+	return ret;
+}
+
+void act_load_rules_files::check_for_ignored_events()
+{
+	std::set<uint16_t> evttypes;
+	sinsp_evttables* einfo = state().inspector->get_event_info_tables();
+	const struct ppm_event_info* etable = einfo->m_event_info;
+
+	state().engine->evttypes_for_ruleset(application::s_syscall_source, evttypes);
+
+	// Save event names so we don't warn for both the enter and exit event.
+	std::set<std::string> warn_event_names;
+
+	for(auto evtnum : evttypes)
+	{
+		if(evtnum == PPME_GENERIC_E || evtnum == PPME_GENERIC_X)
+		{
+			continue;
+		}
+
+		if(!sinsp::simple_consumer_consider_evtnum(evtnum))
+		{
+			std::string name = etable[evtnum].name;
+			if(warn_event_names.find(name) == warn_event_names.end())
+			{
+				warn_event_names.insert(name);
+			}
+		}
+	}
+
+	// Print a single warning with the list of ignored events
+	if (!warn_event_names.empty())
+	{
+		std::string skipped_events;
+		bool first = true;
+		for (const auto& evtname : warn_event_names)
+		{
+			if (first)
+			{
+				skipped_events += evtname;
+				first = false;
+			} else
+			{
+				skipped_events += "," + evtname;
+			}
+		}
+		fprintf(stderr,"Rules match ignored syscall: warning (ignored-evttype):\n         loaded rules match the following events: %s;\n         but these events are not returned unless running falco with -A\n", skipped_events.c_str());
+	}
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/load_rules_files.h

@@ -0,0 +1,47 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_load_rules_files : public init_action {
+public:
+	act_load_rules_files(application &app);
+	virtual ~act_load_rules_files();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	void check_for_ignored_events();
+
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/open_inspector.cpp

@@ -0,0 +1,174 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "open_inspector.h"
+
+namespace falco {
+namespace app {
+
+act_open_inspector::act_open_inspector(application &app)
+	: run_action(app), m_name("open_inspector"),
+	  m_prerequsites({"daemonize"})
+{
+}
+
+act_open_inspector::~act_open_inspector()
+{
+}
+
+const std::string &act_open_inspector::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_open_inspector::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_open_inspector::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().trace_filename.size())
+	{
+		// Try to open the trace file as a
+		// capture file first.
+		try {
+			state().inspector->open(options().trace_filename);
+			falco_logger::log(LOG_INFO, "Reading system call events from file: " + options().trace_filename + "\n");
+		}
+		catch(sinsp_exception &e)
+		{
+			falco_logger::log(LOG_DEBUG, "Could not read trace file \"" + options().trace_filename + "\": " + string(e.what()));
+			state().trace_is_scap=false;
+		}
+
+		if(!state().trace_is_scap)
+		{
+#ifdef MINIMAL_BUILD
+			ret.success = false;
+			ret.errstr = "Cannot use k8s audit events trace file with a minimal Falco build";
+			ret.proceed = false;
+			return ret;
+#else
+			try {
+				string line;
+				nlohmann::json j;
+
+				// Note we only temporarily open the file here.
+				// The read file read loop will be later.
+				ifstream ifs(options().trace_filename);
+				getline(ifs, line);
+				j = nlohmann::json::parse(line);
+
+				falco_logger::log(LOG_INFO, "Reading k8s audit events from file: " + options().trace_filename + "\n");
+			}
+			catch (nlohmann::json::parse_error& e)
+			{
+				ret.success = false;
+				ret.errstr = std::string("Trace filename ") + options().trace_filename + " not recognized as system call events or k8s audit events";
+				ret.proceed = false;
+				return ret;
+
+			}
+			catch (exception &e)
+			{
+				ret.success = false;
+				ret.errstr = std::string("Could not open trace filename ") + options().trace_filename + " for reading: " + e.what();
+				ret.proceed = false;
+				return ret;
+			}
+#endif
+		}
+	}
+	else
+	{
+		open_t open_cb = [this](std::shared_ptr<sinsp> inspector)
+			{
+				if(options().userspace)
+				{
+					// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
+					//
+					// Falco uses a ptrace(2) based userspace implementation.
+					// Regardless of the implementation, the underlying method remains the same.
+					inspector->open_udig();
+					return;
+				}
+				inspector->open();
+			};
+		open_t open_nodriver_cb = [](std::shared_ptr<sinsp> inspector) {
+			inspector->open_nodriver();
+		};
+		open_t open_f;
+
+		// Default mode: both event sources enabled
+		if (state().enabled_sources.find(application::s_syscall_source) != state().enabled_sources.end() &&
+		    state().enabled_sources.find(application::s_k8s_audit_source) != state().enabled_sources.end())
+		{
+			open_f = open_cb;
+		}
+		if (state().enabled_sources.find(application::s_syscall_source) == state().enabled_sources.end())
+		{
+			open_f = open_nodriver_cb;
+		}
+		if (state().enabled_sources.find(application::s_k8s_audit_source) == state().enabled_sources.end())
+		{
+			open_f = open_cb;
+		}
+
+		try
+		{
+			open_f(state().inspector);
+		}
+		catch(sinsp_exception &e)
+		{
+			// If syscall input source is enabled and not through userspace instrumentation
+			if (state().enabled_sources.find(application::s_syscall_source) != state().enabled_sources.end() && !options().userspace)
+			{
+				// Try to insert the Falco kernel module
+				if(system("modprobe " DRIVER_NAME " > /dev/null 2> /dev/null"))
+				{
+					falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
+				}
+				open_f(state().inspector);
+			}
+			else
+			{
+				ret.success = false;
+				ret.errstr = e.what();
+				ret.proceed = false;
+				return ret;
+			}
+		}
+	}
+
+	// This must be done after the open
+	if(!options().all_events)
+	{
+		state().inspector->start_dropping_mode(1);
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/open_inspector.h

@@ -0,0 +1,47 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "run_action.h"
+
+namespace falco {
+namespace app {
+
+class act_open_inspector : public run_action {
+public:
+	typedef function<void(std::shared_ptr<sinsp> inspector)> open_t;
+
+	act_open_inspector(application &app);
+	virtual ~act_open_inspector();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_help.cpp

@@ -0,0 +1,56 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "print_help.h"
+
+namespace falco {
+namespace app {
+
+act_print_help::act_print_help(application &app)
+	: init_action(app), m_name("print help")
+{
+}
+
+act_print_help::~act_print_help()
+{
+}
+
+const std::string &act_print_help::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_print_help::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_print_help::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().help)
+	{
+		printf("%s", options().usage().c_str());
+		ret.proceed = false;
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_help.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_print_help : public init_action {
+public:
+	act_print_help(application &app);
+	virtual ~act_print_help();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_ignored_events.cpp

@@ -0,0 +1,98 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "print_ignored_events.h"
+
+namespace falco {
+namespace app {
+
+act_print_ignored_events::act_print_ignored_events(application &app)
+	: init_action(app), m_name("print ignored events"),
+	  m_prerequsites({"init inspector"})
+{
+}
+
+act_print_ignored_events::~act_print_ignored_events()
+{
+}
+
+const std::string &act_print_ignored_events::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_print_ignored_events::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_print_ignored_events::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().print_ignored_events)
+	{
+		print_all_ignored_events();
+		ret.proceed = false;
+	}
+
+	return ret;
+}
+
+void act_print_ignored_events::print_all_ignored_events()
+{
+	sinsp_evttables* einfo = state().inspector->get_event_info_tables();
+	const struct ppm_event_info* etable = einfo->m_event_info;
+	const struct ppm_syscall_desc* stable = einfo->m_syscall_info_table;
+
+	std::set<string> ignored_event_names;
+	for(uint32_t j = 0; j < PPM_EVENT_MAX; j++)
+	{
+		if(!sinsp::simple_consumer_consider_evtnum(j))
+		{
+			std::string name = etable[j].name;
+			// Ignore event names NA*
+			if(name.find("NA") != 0)
+			{
+				ignored_event_names.insert(name);
+			}
+		}
+	}
+
+	for(uint32_t j = 0; j < PPM_SC_MAX; j++)
+	{
+		if(!sinsp::simple_consumer_consider_syscallid(j))
+		{
+			std::string name = stable[j].name;
+			// Ignore event names NA*
+			if(name.find("NA") != 0)
+			{
+				ignored_event_names.insert(name);
+			}
+		}
+	}
+
+	printf("Ignored Event(s):");
+	for(auto it : ignored_event_names)
+	{
+		printf(" %s", it.c_str());
+	}
+	printf("\n");
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_ignored_events.h

@@ -0,0 +1,46 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_print_ignored_events : public init_action {
+public:
+	act_print_ignored_events(application &app);
+	virtual ~act_print_ignored_events();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	void print_all_ignored_events();
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_support.cpp

@@ -0,0 +1,100 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <sys/utsname.h>
+
+#include "falco_engine_version.h"
+#include "print_support.h"
+
+namespace falco {
+namespace app {
+
+act_print_support::act_print_support(application &app)
+	: init_action(app), m_name("print support"),
+	  m_prerequsites({"load rules files"})
+{
+}
+
+act_print_support::~act_print_support()
+{
+}
+
+const std::string &act_print_support::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_print_support::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_print_support::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().print_support)
+	{
+		nlohmann::json support;
+		struct utsname sysinfo;
+		std::string cmdline;
+
+		if(uname(&sysinfo) != 0)
+		{
+			ret.success = false;
+			ret.errstr = string("Could not uname() to find system info: ") + strerror(errno);
+			ret.proceed = false;
+			return ret;
+		}
+
+		support["version"] = FALCO_VERSION;
+		support["system_info"]["sysname"] = sysinfo.sysname;
+		support["system_info"]["nodename"] = sysinfo.nodename;
+		support["system_info"]["release"] = sysinfo.release;
+		support["system_info"]["version"] = sysinfo.version;
+		support["system_info"]["machine"] = sysinfo.machine;
+		support["cmdline"] = state().cmdline;
+		support["engine_info"]["engine_version"] = FALCO_ENGINE_VERSION;
+		support["config"] = read_file(options().conf_filename);
+		support["rules_files"] = nlohmann::json::array();
+		for(auto filename : state().config->m_rules_filenames)
+		{
+			nlohmann::json finfo;
+			finfo["name"] = filename;
+			nlohmann::json variant;
+			variant["required_engine_version"] = state().required_engine_versions[filename];
+			variant["content"] = read_file(filename);
+			finfo["variants"].push_back(variant);
+			support["rules_files"].push_back(finfo);
+		}
+		printf("%s\n", support.dump().c_str());
+	}
+
+	return ret;
+}
+
+std::string act_print_support::read_file(std::string &filename)
+{
+	std::ifstream t(filename);
+	std::string str((std::istreambuf_iterator<char>(t)),
+			std::istreambuf_iterator<char>());
+
+	return str;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_support.h

@@ -0,0 +1,46 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_print_support : public init_action {
+public:
+	act_print_support(application &app);
+	virtual ~act_print_support();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string read_file(std::string &filename);
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_version.cpp

@@ -0,0 +1,58 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "config_falco.h"
+#include "print_version.h"
+
+namespace falco {
+namespace app {
+
+act_print_version::act_print_version(application &app)
+	: init_action(app), m_name("print version")
+{
+}
+
+act_print_version::~act_print_version()
+{
+}
+
+const std::string &act_print_version::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_print_version::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_print_version::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().print_version_info)
+	{
+		printf("Falco version: %s\n", FALCO_VERSION);
+		printf("Driver version: %s\n", DRIVER_VERSION);
+		ret.proceed = false;
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/print_version.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_print_version : public init_action {
+public:
+	act_print_version(application &app);
+	virtual ~act_print_version();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/process_events.cpp

@@ -0,0 +1,301 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#define __STDC_FORMAT_MACROS
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "falco_utils.h"
+#ifndef MINIMAL_BUILD
+#include "webserver.h"
+#endif
+#include "statsfilewriter.h"
+#include "process_events.h"
+
+namespace falco {
+namespace app {
+
+act_process_events::act_process_events(application &app)
+	: run_action(app), m_name("process_events"),
+	  m_prerequsites({"open inspector"})
+{
+}
+
+act_process_events::~act_process_events()
+{
+}
+
+const std::string &act_process_events::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_process_events::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_process_events::run()
+{
+	syscall_evt_drop_mgr sdropmgr;
+	// Used for stats
+	double duration;
+	scap_stats cstats;
+
+	run_result ret = {true, "", true};
+
+	duration = ((double)clock()) / CLOCKS_PER_SEC;
+
+	if(!options().trace_filename.empty() && !state().trace_is_scap)
+	{
+#ifndef MINIMAL_BUILD
+		read_k8s_audit_trace_file(options().trace_filename);
+#endif
+	}
+	else
+	{
+		uint64_t num_evts;
+
+		num_evts = do_inspect(state().engine,
+				      state().outputs,
+				      state().inspector,
+				      state().event_source,
+				      state().config,
+				      sdropmgr,
+				      uint64_t(options().duration_to_tot*ONE_SECOND_IN_NS),
+				      options().stats_filename,
+				      options().stats_interval,
+				      options().all_events,
+				      ret);
+
+		duration = ((double)clock()) / CLOCKS_PER_SEC - duration;
+
+		state().inspector->get_capture_stats(&cstats);
+
+		if(options().verbose)
+		{
+			fprintf(stderr, "Driver Events:%" PRIu64 "\nDriver Drops:%" PRIu64 "\n",
+				cstats.n_evts,
+				cstats.n_drops);
+
+			fprintf(stderr, "Elapsed time: %.3lf, Captured Events: %" PRIu64 ", %.2lf eps\n",
+				duration,
+				num_evts,
+				num_evts / duration);
+		}
+
+	}
+
+	// Honor -M also when using a trace file.
+	// Since inspection stops as soon as all events have been consumed
+	// just await the given duration is reached, if needed.
+	if(!options().trace_filename.empty() && options().duration_to_tot>0)
+	{
+		std::this_thread::sleep_for(std::chrono::seconds(options().duration_to_tot));
+	}
+
+	state().inspector->close();
+	state().engine->print_stats();
+	sdropmgr.print_stats();
+
+	return ret;
+}
+
+#ifndef MINIMAL_BUILD
+// Read a jsonl file containing k8s audit events and pass each to the engine.
+void act_process_events::read_k8s_audit_trace_file(string &trace_filename)
+{
+	ifstream ifs(trace_filename);
+
+	uint64_t line_num = 0;
+
+	while(ifs)
+	{
+		string line, errstr;
+
+		getline(ifs, line);
+		line_num++;
+
+		if(line == "")
+		{
+			continue;
+		}
+
+		if(!k8s_audit_handler::accept_data(state().engine, state().outputs, line, errstr))
+		{
+			falco_logger::log(LOG_ERR, "Could not read k8s audit event line #" + to_string(line_num) + ", \"" + line + "\": " + errstr + ", stopping");
+			return;
+		}
+	}
+}
+#endif
+
+//
+// Event processing loop
+//
+uint64_t act_process_events::do_inspect(std::shared_ptr<falco_engine> engine,
+					std::shared_ptr<falco_outputs> outputs,
+					std::shared_ptr<sinsp> inspector,
+					std::string &event_source,
+					std::shared_ptr<falco_configuration> config,
+					syscall_evt_drop_mgr &sdropmgr,
+					uint64_t duration_to_tot_ns,
+					string &stats_filename,
+					uint64_t stats_interval,
+					bool all_events,
+					run_result &result)
+{
+	uint64_t num_evts = 0;
+	int32_t rc;
+	sinsp_evt* ev;
+	StatsFileWriter writer;
+	uint64_t duration_start = 0;
+	uint32_t timeouts_since_last_success_or_msg = 0;
+
+	sdropmgr.init(inspector,
+		      outputs,
+		      config->m_syscall_evt_drop_actions,
+		      config->m_syscall_evt_drop_threshold,
+		      config->m_syscall_evt_drop_rate,
+		      config->m_syscall_evt_drop_max_burst,
+		      config->m_syscall_evt_simulate_drops);
+
+	if (stats_filename != "")
+	{
+		string errstr;
+
+		if (!writer.init(inspector, stats_filename, stats_interval, errstr))
+		{
+			throw falco_exception(errstr);
+		}
+	}
+
+	//
+	// Loop through the events
+	//
+	while(1)
+	{
+
+		rc = inspector->next(&ev);
+
+		writer.handle();
+
+		if(falco::app::application::get().state().reopen_outputs)
+		{
+			outputs->reopen_outputs();
+			falco::app::application::get().state().reopen_outputs = false;
+		}
+
+		if(falco::app::application::get().state().terminate)
+		{
+			falco_logger::log(LOG_INFO, "SIGINT received, exiting...\n");
+			break;
+		}
+		else if (falco::app::application::get().state().restart)
+		{
+			falco_logger::log(LOG_INFO, "SIGHUP received, restarting...\n");
+			break;
+		}
+		else if(rc == SCAP_TIMEOUT)
+		{
+			if(unlikely(ev == nullptr))
+			{
+				timeouts_since_last_success_or_msg++;
+				if(event_source == application::s_syscall_source &&
+				   (timeouts_since_last_success_or_msg > config->m_syscall_evt_timeout_max_consecutives))
+				{
+					std::string rule = "Falco internal: timeouts notification";
+					std::string msg = rule + ". " + std::to_string(config->m_syscall_evt_timeout_max_consecutives) + " consecutive timeouts without event.";
+					std::string last_event_time_str = "none";
+					if(duration_start > 0)
+					{
+						sinsp_utils::ts_to_string(duration_start, &last_event_time_str, false, true);
+					}
+					std::map<std::string, std::string> o = {
+						{"last_event_time", last_event_time_str},
+					};
+					auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();
+					outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, o);
+					// Reset the timeouts counter, Falco alerted
+					timeouts_since_last_success_or_msg = 0;
+				}
+			}
+
+			continue;
+		}
+		else if(rc == SCAP_EOF)
+		{
+			break;
+		}
+		else if(rc != SCAP_SUCCESS)
+		{
+			//
+			// Event read error.
+			//
+			cerr << "rc = " << rc << endl;
+			throw sinsp_exception(inspector->getlasterr().c_str());
+		}
+
+		// Reset the timeouts counter, Falco succesfully got an event to process
+		timeouts_since_last_success_or_msg = 0;
+		if(duration_start == 0)
+		{
+			duration_start = ev->get_ts();
+		}
+		else if(duration_to_tot_ns > 0)
+		{
+			if(ev->get_ts() - duration_start >= duration_to_tot_ns)
+			{
+				break;
+			}
+		}
+
+		if(!sdropmgr.process_event(inspector, ev))
+		{
+			result.success = false;
+			result.errstr = "";
+			result.proceed = false;
+			break;
+		}
+
+		if(!ev->simple_consumer_consider() && !all_events)
+		{
+			continue;
+		}
+
+		// As the inspector has no filter at its level, all
+		// events are returned here. Pass them to the falco
+		// engine, which will match the event against the set
+		// of rules. If a match is found, pass the event to
+		// the outputs.
+		unique_ptr<falco_engine::rule_result> res = engine->process_event(event_source, ev);
+		if(res)
+		{
+			outputs->handle_event(res->evt, res->rule, res->source, res->priority_num, res->format, res->tags);
+		}
+
+		num_evts++;
+	}
+
+	return num_evts;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/process_events.h

@@ -0,0 +1,62 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "run_action.h"
+
+namespace falco {
+namespace app {
+
+class act_process_events : public run_action {
+public:
+	act_process_events(application &app);
+	virtual ~act_process_events();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+
+#ifndef MINIMAL_BUILD
+	void read_k8s_audit_trace_file(std::string &trace_filename);
+#endif
+
+	uint64_t do_inspect(std::shared_ptr<falco_engine> engine,
+			    std::shared_ptr<falco_outputs> outputs,
+			    std::shared_ptr<sinsp> inspector,
+			    std::string &event_source,
+			    std::shared_ptr<falco_configuration> config,
+			    syscall_evt_drop_mgr &sdropmgr,
+			    uint64_t duration_to_tot_ns,
+			    string &stats_filename,
+			    uint64_t stats_interval,
+			    bool all_events,
+			    run_result &result);
+
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/run_action.cpp

@@ -0,0 +1,40 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "run_action.h"
+
+namespace falco {
+namespace app {
+
+static std::string run_group = "run";
+
+run_action::run_action(application &app)
+	: action(app)
+{
+}
+
+run_action::~run_action()
+{
+}
+
+const std::string &run_action::group()
+{
+	return run_group;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/run_action.h

@@ -0,0 +1,37 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include "app_action.h"
+
+namespace falco {
+namespace app {
+
+// All actions in the "run" group derive from this class
+
+class run_action : public action {
+public:
+	run_action(application &app);
+	virtual ~run_action();
+
+	const std::string &group() override;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/start_grpc_server.cpp

@@ -0,0 +1,82 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "start_grpc_server.h"
+
+#ifndef MINIMAL_BUILD
+
+namespace falco {
+namespace app {
+
+act_start_grpc_server::act_start_grpc_server(application &app)
+	: init_action(app), m_name("start grpc server"),
+	  m_prerequsites({"init outputs"})
+{
+}
+
+act_start_grpc_server::~act_start_grpc_server()
+{
+}
+
+const std::string &act_start_grpc_server::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_start_grpc_server::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_start_grpc_server::run()
+{
+	run_result ret = {true, "", true};
+
+	// gRPC server
+	if(state().config->m_grpc_enabled)
+	{
+		falco_logger::log(LOG_INFO, "gRPC server threadiness equals to " + to_string(state().config->m_grpc_threadiness) + "\n");
+		// TODO(fntlnz,leodido): when we want to spawn multiple threads we need to have a queue per thread, or implement
+		// different queuing mechanisms, round robin, fanout? What we want to achieve?
+		m_grpc_server.init(
+			state().config->m_grpc_bind_address,
+			state().config->m_grpc_threadiness,
+			state().config->m_grpc_private_key,
+			state().config->m_grpc_cert_chain,
+			state().config->m_grpc_root_certs,
+			state().config->m_log_level
+			);
+		m_grpc_server_thread = std::thread([this] {
+			m_grpc_server.run();
+		});
+	}
+	return ret;
+}
+
+void act_start_grpc_server::deinit()
+{
+	if(m_grpc_server_thread.joinable())
+	{
+		m_grpc_server.shutdown();
+		m_grpc_server_thread.join();
+	}
+}
+
+#endif
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/start_grpc_server.h

@@ -0,0 +1,56 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+#ifndef MINIMAL_BUILD
+
+#include "grpc_server.h"
+
+namespace falco {
+namespace app {
+
+class act_start_grpc_server : public init_action {
+public:
+	act_start_grpc_server(application &app);
+	virtual ~act_start_grpc_server();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+	void deinit() override;
+
+private:
+	falco::grpc::server m_grpc_server;
+	std::thread m_grpc_server_thread;
+
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+#endif
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/start_webserver.cpp

@@ -0,0 +1,68 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "start_webserver.h"
+
+#ifndef MINIMAL_BUILD
+
+namespace falco {
+namespace app {
+
+act_start_webserver::act_start_webserver(application &app)
+	: init_action(app), m_name("start webserver"),
+	  m_prerequsites({"init outputs"})
+{
+}
+
+act_start_webserver::~act_start_webserver()
+{
+}
+
+const std::string &act_start_webserver::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_start_webserver::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_start_webserver::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().trace_filename.empty() && state().config->m_webserver_enabled && state().enabled_sources.find(application::s_k8s_audit_source) != state().enabled_sources.end())
+	{
+		std::string ssl_option = (state().config->m_webserver_ssl_enabled ? " (SSL)" : "");
+		falco_logger::log(LOG_INFO, "Starting internal webserver, listening on port " + to_string(state().config->m_webserver_listen_port) + ssl_option + "\n");
+		m_webserver.init(state().config, state().engine, state().outputs);
+		m_webserver.start();
+	}
+
+	return ret;
+}
+
+void act_start_webserver::deinit()
+{
+	m_webserver.stop();
+}
+
+#endif
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/start_webserver.h

@@ -0,0 +1,52 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+#ifndef MINIMAL_BUILD
+#include "webserver.h"
+
+namespace falco {
+namespace app {
+
+class act_start_webserver : public init_action {
+public:
+	act_start_webserver(application &app);
+	virtual ~act_start_webserver();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+	void deinit() override;
+
+private:
+	falco_webserver m_webserver;
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+#endif
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/validate_rules_files.cpp

@@ -0,0 +1,77 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "validate_rules_files.h"
+
+namespace falco {
+namespace app {
+
+act_validate_rules_files::act_validate_rules_files(application &app)
+	: init_action(app), m_name("validate rules files"),
+	  m_prerequsites({"load plugins"})
+{
+}
+
+act_validate_rules_files::~act_validate_rules_files()
+{
+}
+
+const std::string &act_validate_rules_files::name()
+{
+	return m_name;
+}
+
+const std::list<std::string> &act_validate_rules_files::prerequsites()
+{
+	return m_prerequsites;
+}
+
+runnable_action::run_result act_validate_rules_files::run()
+{
+	run_result ret = {true, "", true};
+
+	if(options().validate_rules_filenames.size() > 0)
+	{
+		falco_logger::log(LOG_INFO, "Validating rules file(s):\n");
+		for(auto file : options().validate_rules_filenames)
+		{
+			falco_logger::log(LOG_INFO, "   " + file + "\n");
+		}
+		for(auto file : options().validate_rules_filenames)
+		{
+			// Only include the prefix if there is more than one file
+			std::string prefix = (options().validate_rules_filenames.size() > 1 ? file + ": " : "");
+			try {
+				state().engine->load_rules_file(file, options().verbose, options().all_events);
+			}
+			catch(falco_exception &e)
+			{
+				ret.success = false;
+				ret.errstr = prefix +  e.what();
+				ret.proceed = false;
+				return ret;
+			}
+			printf("%sOk\n", prefix.c_str());
+		}
+		falco_logger::log(LOG_INFO, "Ok\n");
+	}
+
+	return ret;
+}
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_actions/validate_rules_files.h

@@ -0,0 +1,45 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+#pragma once
+
+#include <string>
+
+#include "init_action.h"
+
+namespace falco {
+namespace app {
+
+class act_validate_rules_files : public init_action {
+public:
+	act_validate_rules_files(application &app);
+	virtual ~act_validate_rules_files();
+
+	const std::string &name() override;
+
+	const std::list<std::string> &prerequsites() override;
+
+	run_result run() override;
+
+private:
+	std::string m_name;
+	std::list<std::string> m_prerequsites;
+};
+
+}; // namespace application
+}; // namespace falco
+

userspace/falco/app_runnable_action.cpp

@@ -0,0 +1,39 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "app_runnable_action.h"
+
+namespace falco {
+namespace app {
+
+runnable_action::runnable_action()
+{
+}
+
+runnable_action::~runnable_action()
+{
+}
+
+void runnable_action::init()
+{
+}
+
+void runnable_action::deinit()
+{
+}
+
+}; // namespace application
+}; // namespace falco

userspace/falco/app_runnable_action.h

@@ -0,0 +1,82 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include <string>
+#include <list>
+
+namespace falco {
+namespace app {
+
+// Along with app_action.h, defines the interface for an application
+// action. The split implementation allows for building tests for the
+// action manager without bringing in all of the application related
+// code (falco engine, outputs, webserver, etc.).
+class runnable_action {
+public:
+
+	struct run_result {
+		// If true, the action completed successfully.
+		bool success;
+
+		// If success==false, details on the error.
+		std::string errstr;
+
+		// If true, subsequent actions should be performed. If
+		// false, subsequent actions should *not* be performed
+		// and falco should tear down/exit.
+		bool proceed;
+	};
+
+	runnable_action();
+	virtual ~runnable_action();
+
+	// Return the name of the action. Only used for logging
+	// purposes and to use in prerequsites().
+	virtual const std::string &name() = 0;
+
+	// Actions are organized into groups. All actions from a
+	// given group are run before actions from another group.
+	//
+	// The order of groups is passed to the action manager in its
+	// constructor.
+	virtual const std::string &group() = 0;
+
+	// Return a list of action names that *must* run before this
+	// action is run.
+	virtual const std::list<std::string> &prerequsites() = 0;
+
+	// Initialize any state in the application that might be
+	// shared with other components. This might include creating
+	// inspectors, falco engines, etc.
+	virtual void init();
+
+	// Destroy any state created in init()
+	virtual void deinit();
+
+	// Perform the action. The returned run_result holds the
+	// result of the action and whether later actions should
+	// procceed.
+	virtual run_result run() = 0;
+};
+
+}; // namespace application
+}; // namespace falco
+
+
+
+

userspace/falco/application.cpp

@@ -22,11 +22,32 @@ limitations under the License.
 // inspector, falco engine, etc.
 
 #include "application.h"
+#include "defined_app_actions.h"
 #include "falco_common.h"
 
 namespace falco {
 namespace app {
 
+std::string application::s_syscall_source = "syscall";
+std::string application::s_k8s_audit_source = "k8s_audit";
+
+application::action_state::action_state()
+	: restart(false),
+	  terminate(false),
+	  reopen_outputs(false),
+	  enabled_sources({application::s_syscall_source, application::s_k8s_audit_source}),
+	  event_source(application::s_syscall_source)
+{
+	config = std::make_shared<falco_configuration>();
+	outputs = std::make_shared<falco_outputs>();
+	inspector = std::make_shared<sinsp>();
+        engine = std::make_shared<falco_engine>();
+}
+
+application::action_state::~action_state()
+{
+}
+
 application::application()
 	: m_initialized(false)
 {
@@ -36,6 +57,12 @@ application::~application()
 {
 }
 
+application &application::get()
+{
+	static application instance;
+	return instance;
+}
+
 cmdline_options &application::options()
 {
 	if(!m_initialized)
@@ -46,6 +73,11 @@ cmdline_options &application::options()
 	return m_cmdline_options;
 }
 
+application::action_state &application::state()
+{
+	return m_state;
+}
+
 bool application::init(int argc, char **argv, std::string &errstr)
 {
 	if(!m_cmdline_options.parse(argc, argv, errstr))
@@ -53,9 +85,49 @@ bool application::init(int argc, char **argv, std::string &errstr)
 		return false;
 	}
 
+	for(char **arg = argv; *arg; arg++)
+	{
+		if(state().cmdline.size() > 0)
+		{
+			state().cmdline += " ";
+		}
+		state().cmdline += *arg;
+	}
+
+
+	std::list<std::string> groups = {"init", "run"};
+	m_action_manager.set_groups(groups);
+
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_create_signal_handlers(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_init_falco_engine(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_init_inspector(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_init_outputs(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_list_fields(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_list_plugins(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_load_config(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_load_plugins(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_load_rules_files(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_print_help(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_print_ignored_events(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_print_support(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_print_version(*this)));
+#ifndef MINIMAL_BUILD
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_start_grpc_server(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_start_webserver(*this)));
+#endif
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_validate_rules_files(*this)));
+
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_daemonize(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_open_inspector(*this)));
+	m_action_manager.add(std::shared_ptr<runnable_action>(new act_process_events(*this)));
 	m_initialized = true;
 	return true;
 }
 
+void application::run()
+{
+	m_action_manager.run();
+}
+
 }; // namespace app
 }; // namespace falco

userspace/falco/application.h

@@ -27,7 +27,10 @@ limitations under the License.
 // For now, it is only responsible for command line options.
 #pragma once
 
+#include "configuration.h"
+
 #include "app_cmdline_options.h"
+#include "app_action_manager.h"
 
 #include <string>
 
@@ -36,15 +39,54 @@ namespace app {
 
 class application {
 public:
+	class action_state {
+	public:
+		action_state();
+		virtual ~action_state();
+
+		bool restart;
+		bool terminate;
+		bool reopen_outputs;
+
+		std::shared_ptr<falco_configuration> config;
+		std::shared_ptr<falco_outputs> outputs;
+		std::shared_ptr<falco_engine> engine;
+		std::shared_ptr<sinsp> inspector;
+		std::set<std::string> enabled_sources;
+
+		// The event source is syscall by default. If an input
+		// plugin was found, the source is the source of that
+		// plugin.
+		std::string event_source;
+
+		std::list<sinsp_plugin::info> plugin_infos;
+
+		std::map<string,uint64_t> required_engine_versions;
+
+		std::string cmdline;
+
+		bool trace_is_scap;
+	};
+
+	static std::string s_syscall_source;
+	static std::string s_k8s_audit_source;
 
 	application();
 	virtual ~application();
 
+	// Singleton for application
+	static application &get();
+
 	cmdline_options &options();
+	action_state &state();
+
 	bool init(int argc, char **argv, std::string &errstr);
 
-private:
+	void run();
 
+private:
+	action_state m_state;
+	action_manager m_action_manager;
 	cmdline_options m_cmdline_options;
 	bool m_initialized;
 };

userspace/falco/defined_app_actions.h

@@ -0,0 +1,38 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "app_actions/create_signal_handlers.h"
+#include "app_actions/init_falco_engine.h"
+#include "app_actions/init_inspector.h"
+#include "app_actions/init_outputs.h"
+#include "app_actions/list_plugins.h"
+#include "app_actions/list_fields.h"
+#include "app_actions/load_config.h"
+#include "app_actions/load_plugins.h"
+#include "app_actions/load_rules_files.h"
+#include "app_actions/print_help.h"
+#include "app_actions/print_ignored_events.h"
+#include "app_actions/print_support.h"
+#include "app_actions/print_version.h"
+#include "app_actions/start_grpc_server.h"
+#include "app_actions/start_webserver.h"
+#include "app_actions/validate_rules_files.h"
+
+#include "app_actions/daemonize.h"
+#include "app_actions/open_inspector.h"
+#include "app_actions/process_events.h"
+
+

userspace/falco/event_drops.cpp

@@ -32,8 +32,8 @@ syscall_evt_drop_mgr::~syscall_evt_drop_mgr()
 {
 }
 
-void syscall_evt_drop_mgr::init(sinsp *inspector,
-				falco_outputs *outputs,
+void syscall_evt_drop_mgr::init(std::shared_ptr<sinsp> inspector,
+				std::shared_ptr<falco_outputs> outputs,
 				syscall_evt_drop_actions &actions,
 				double threshold,
 				double rate,
@@ -55,7 +55,7 @@ void syscall_evt_drop_mgr::init(sinsp *inspector,
 	}
 }
 
-bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
+bool syscall_evt_drop_mgr::process_event(std::shared_ptr<sinsp> inspector, sinsp_evt *evt)
 {
 	if(m_next_check_ts == 0)
 	{

userspace/falco/event_drops.h

@@ -15,6 +15,7 @@ limitations under the License.
 */
 #pragma once
 
+#include <memory>
 #include <set>
 
 #include <sinsp.h>
@@ -41,8 +42,8 @@ public:
 	syscall_evt_drop_mgr();
 	virtual ~syscall_evt_drop_mgr();
 
-	void init(sinsp *inspector,
-		  falco_outputs *outputs,
+	void init(std::shared_ptr<sinsp> inspector,
+		  std::shared_ptr<falco_outputs> outputs,
 		  syscall_evt_drop_actions &actions,
 		  double threshold,
 		  double rate,
@@ -54,7 +55,7 @@ public:
 	// event drops, and performing any actions.
 	//
 	// Returns whether event processing should continue or stop (with an error).
-	bool process_event(sinsp *inspector, sinsp_evt *evt);
+	bool process_event(std::shared_ptr<sinsp> inspector, sinsp_evt *evt);
 
 	void print_stats();
 
@@ -64,8 +65,8 @@ protected:
 
 	uint64_t m_num_syscall_evt_drops;
 	uint64_t m_num_actions;
-	sinsp *m_inspector;
-	falco_outputs *m_outputs;
+	std::shared_ptr<sinsp> m_inspector;
+	std::shared_ptr<falco_outputs> m_outputs;
 	syscall_evt_drop_actions m_actions;
 	token_bucket m_bucket;
 	uint64_t m_next_check_ts;

userspace/falco/falco_outputs.cpp

@@ -60,7 +60,7 @@ falco_outputs::~falco_outputs()
 	}
 }
 
-void falco_outputs::init(falco_engine *engine,
+void falco_outputs::init(std::shared_ptr<falco_engine> engine,
 			 bool json_output,
 			 bool json_include_output_property,
 			 bool json_include_tags_property,

userspace/falco/falco_outputs.h

@@ -39,7 +39,7 @@ public:
 	falco_outputs();
 	virtual ~falco_outputs();
 
-	void init(falco_engine *engine,
+	void init(std::shared_ptr<falco_engine> engine,
 		  bool json_output,
 		  bool json_include_output_property,
 		  bool json_include_tags_property,

userspace/falco/statsfilewriter.cpp

@@ -31,7 +31,7 @@ static void timer_handler (int signum)
 extern char **environ;
 
 StatsFileWriter::StatsFileWriter()
-	: m_num_stats(0), m_inspector(NULL)
+	: m_num_stats(0)
 {
 }
 
@@ -40,7 +40,7 @@ StatsFileWriter::~StatsFileWriter()
 	m_output.close();
 }
 
-bool StatsFileWriter::init(sinsp *inspector, string &filename, uint32_t interval_msec, string &errstr)
+bool StatsFileWriter::init(std::shared_ptr<sinsp> inspector, string &filename, uint32_t interval_msec, string &errstr)
 {
 	struct itimerval timer;
 	struct sigaction handler;

userspace/falco/statsfilewriter.h

@@ -31,7 +31,7 @@ public:
 	virtual ~StatsFileWriter();
 
 	// Returns success as bool. On false fills in errstr.
-	bool init(sinsp *inspector, std::string &filename,
+	bool init(std::shared_ptr<sinsp> inspector, std::string &filename,
 		  uint32_t interval_msec,
 		  string &errstr);
 
@@ -41,7 +41,7 @@ public:
 
 protected:
 	uint32_t m_num_stats;
-	sinsp *m_inspector;
+	std::shared_ptr<sinsp> m_inspector;
 	std::ofstream m_output;
 	std::string m_extra;
 	scap_stats m_last_stats;

userspace/falco/webserver.cpp

@@ -27,7 +27,7 @@ using namespace std;
 
 string k8s_audit_handler::m_k8s_audit_event_source = "k8s_audit";
 
-k8s_audit_handler::k8s_audit_handler(falco_engine *engine, falco_outputs *outputs):
+k8s_audit_handler::k8s_audit_handler(std::shared_ptr<falco_engine> engine, std::shared_ptr<falco_outputs> outputs):
 	m_engine(engine), m_outputs(outputs)
 {
 }
@@ -45,8 +45,8 @@ bool k8s_healthz_handler::handleGet(CivetServer *server, struct mg_connection *c
 	return true;
 }
 
-bool k8s_audit_handler::accept_data(falco_engine *engine,
-				    falco_outputs *outputs,
+bool k8s_audit_handler::accept_data(std::shared_ptr<falco_engine> engine,
+				    std::shared_ptr<falco_outputs> outputs,
 				    std::string &data,
 				    std::string &errstr)
 {
@@ -187,9 +187,9 @@ falco_webserver::~falco_webserver()
 	stop();
 }
 
-void falco_webserver::init(falco_configuration *config,
-			   falco_engine *engine,
-			   falco_outputs *outputs)
+void falco_webserver::init(std::shared_ptr<falco_configuration> config,
+			   std::shared_ptr<falco_engine> engine,
+			   std::shared_ptr<falco_outputs> outputs)
 {
 	m_config = config;
 	m_engine = engine;

userspace/falco/webserver.h

@@ -25,21 +25,21 @@ limitations under the License.
 class k8s_audit_handler : public CivetHandler
 {
 public:
-	k8s_audit_handler(falco_engine *engine, falco_outputs *outputs);
+	k8s_audit_handler(std::shared_ptr<falco_engine> engine, std::shared_ptr<falco_outputs> outputs);
 	virtual ~k8s_audit_handler();
 
 	bool handleGet(CivetServer *server, struct mg_connection *conn);
 	bool handlePost(CivetServer *server, struct mg_connection *conn);
 
-	static bool accept_data(falco_engine *engine,
-				falco_outputs *outputs,
+	static bool accept_data(std::shared_ptr<falco_engine> engine,
+				std::shared_ptr<falco_outputs> outputs,
 				std::string &post_data, std::string &errstr);
 
 	static std::string m_k8s_audit_event_source;
 
 private:
-	falco_engine *m_engine;
-	falco_outputs *m_outputs;
+	std::shared_ptr<falco_engine> m_engine;
+	std::shared_ptr<falco_outputs> m_outputs;
 	bool accept_uploaded_data(std::string &post_data, std::string &errstr);
 };
 
@@ -63,17 +63,17 @@ public:
 	falco_webserver();
 	virtual ~falco_webserver();
 
-	void init(falco_configuration *config,
-		  falco_engine *engine,
-		  falco_outputs *outputs);
+	void init(std::shared_ptr<falco_configuration> config,
+		  std::shared_ptr<falco_engine> engine,
+		  std::shared_ptr<falco_outputs> outputs);
 
 	void start();
 	void stop();
 
 private:
-	falco_engine *m_engine;
-	falco_configuration *m_config;
-	falco_outputs *m_outputs;
+	std::shared_ptr<falco_engine> m_engine;
+	std::shared_ptr<falco_configuration> m_config;
+	std::shared_ptr<falco_outputs> m_outputs;
 	unique_ptr<CivetServer> m_server;
 	unique_ptr<k8s_audit_handler> m_k8s_audit_handler;
 	unique_ptr<k8s_healthz_handler> m_k8s_healthz_handler;