Skip to content

Commit

Permalink
wip: driver selection in falco.yaml
Browse files Browse the repository at this point in the history
Signed-off-by: Roberto Scolaro <[email protected]>
  • Loading branch information
therealbobo committed Feb 9, 2023
1 parent eaeec7c commit efc957c
Show file tree
Hide file tree
Showing 4 changed files with 40 additions and 3 deletions.
7 changes: 7 additions & 0 deletions falco.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,13 @@
# limitations under the License.
#

# Driver modes available:
# - kmod
# - bpf
# - modern_bpf
# - custom
driver_mode: bpf

# File(s) or Directories containing Falco rules, loaded at startup.
# The name "rules_file" is only for backwards compatibility.
# If the entry is a file, it will be read directly. If the entry is a directory,
Expand Down
6 changes: 3 additions & 3 deletions userspace/falco/app_actions/open_inspector.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -75,18 +75,18 @@ application::run_result application::open_live_inspector(
falco_logger::log(LOG_INFO, "Opening capture with gVisor. Configuration path: " + m_options.gvisor_config);
inspector->open_gvisor(m_options.gvisor_config, m_options.gvisor_root);
}
else if(m_options.modern_bpf) /* modern BPF engine. */
else if(m_options.modern_bpf || m_state->config->m_driver_mode == driver_mode_type::MODERN_BPF) /* modern BPF engine. */
{
falco_logger::log(LOG_INFO, "Opening capture with modern BPF probe.");
falco_logger::log(LOG_INFO, "One ring buffer every '" + std::to_string(m_state->config->m_cpus_for_each_syscall_buffer) + "' CPUs.");
inspector->open_modern_bpf(m_state->syscall_buffer_bytes_size, m_state->config->m_cpus_for_each_syscall_buffer, true, m_state->ppm_sc_of_interest, m_state->tp_of_interest);
}
else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL) /* BPF engine. */
else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL || m_state->config->m_driver_mode == driver_mode_type::BPF) /* BPF engine. */
{
const char *bpf_probe_path = std::getenv(FALCO_BPF_ENV_VARIABLE);
char full_path[PATH_MAX];
/* If the path is empty try to load the probe from the default path. */
if(strncmp(bpf_probe_path, "", 1) == 0)
if(bpf_probe_path == NULL || strncmp(bpf_probe_path, "", 1) == 0)
{
const char *home = std::getenv("HOME");
if(!home)
Expand Down
20 changes: 20 additions & 0 deletions userspace/falco/configuration.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ limitations under the License.
#include "banned.h" // This raises a compilation error when certain functions are used

falco_configuration::falco_configuration():
m_driver_mode(driver_mode_type::KMOD),
m_json_output(false),
m_json_include_output_property(true),
m_json_include_tags_property(true),
Expand Down Expand Up @@ -84,8 +85,27 @@ void falco_configuration::init(const std::string& conf_filename, const std::vect
load_yaml(conf_filename, config);
}

static driver_mode_type get_driver_mode(const std::string& input){
// Set driver mode if not already setted.
if( input == "bpf" )
{
return driver_mode_type::BPF;
}
else if( input == "modern_bpf" )
{
return driver_mode_type::MODERN_BPF;
}
else if( input == "custom" )
{
return driver_mode_type::CUSTOM;
}
return driver_mode_type::KMOD;
}

void falco_configuration::load_yaml(const std::string& config_name, const yaml_helper& config)
{
m_driver_mode = get_driver_mode(config.get_scalar<string>("driver_mode", ""));

std::list<std::string> rules_files;

config.get_sequence<std::list<std::string>>(rules_files, std::string("rules_file"));
Expand Down
10 changes: 10 additions & 0 deletions userspace/falco/configuration.h
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,15 @@ limitations under the License.
#include "event_drops.h"
#include "falco_outputs.h"

enum class driver_mode_type : uint8_t
{
INVALID = 0,
KMOD,
BPF,
MODERN_BPF,
CUSTOM
};

class falco_configuration
{
public:
Expand All @@ -58,6 +67,7 @@ class falco_configuration
std::list<std::string> m_loaded_rules_filenames;
// List of loaded rule folders
std::list<std::string> m_loaded_rules_folders;
driver_mode_type m_driver_mode;
bool m_json_output;
bool m_json_include_output_property;
bool m_json_include_tags_property;
Expand Down

0 comments on commit efc957c

Please sign in to comment.