mirror of
https://github.com/falcosecurity/falco.git
synced 2026-01-24 14:32:34 +00:00
Update the falco binary to add support for plugins.

- Keep track of an "event source", which is initially "syscall" but changes to the input plugin's source if a source plugin ends up being loaded.
- New argument --list-plugins will return info on any loaded plugins, using sinsp_plugin::plugin_infos.
- Create filter/formatter factories for plugins. This ensures that filterchecks for syscalls are not used for plugins and vice versa.
- Use sinsp_plugin::register_plugin() to load each plugin found in config. The first source plugin found (if any) calls engine->add_source with the source plugin's event source.
- If a second source plugin is found, exit with an error.
- Extractor plugins must be compatible with the event source (usually the plugin event source, but could be "syscall"). If not, exit with an error.
- Multiple Extractor plugins are allowed, but they can not have overlapping compatible event sources. This is mostly to avoid confusion, but we might change this later.
- After loading plugins, use engine is_plugin_compatible to ensure that the plugin is compatible with any required_plugin_version blocks in falco rules.
- Normally falco would log warnings if too many SCAP_TIMEOUT results were received. These are more expected when using plugins, so only log these warnings when using syscalls.

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Loris Degioanni <loris@sysdig.com>
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>