fix(userspace/falco): properly account for plugin with CAP_PARSING when computing interesting sc set #3334

Merged (1 commit) on Sep 19, 2024
25 changes: 23 additions & 2 deletions userspace/falco/app/actions/configure_interesting_sets.cpp
@@ -18,6 +18,7 @@ limitations under the License.
#include "actions.h"
#include "helpers.h"
#include "../app.h"
#include <libsinsp/plugin_manager.h>

using namespace falco::app;
using namespace falco::app::actions;
@@ -73,6 +74,25 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
+ ") syscalls in rules: " + concat_set_in_order(rules_names) + "\n");
}

/* Load PPM event codes needed by plugins with parsing capability */
libsinsp::events::set<ppm_event_code> plugin_ev_codes;
for (const auto &p : s.offline_inspector->get_plugin_manager()->plugins())
{
if(!(p->caps() & CAP_PARSING))
{
continue;
}
plugin_ev_codes.merge(p->parse_event_codes());
}
const auto plugin_sc_set = libsinsp::events::event_set_to_sc_set(plugin_ev_codes);
const auto plugin_names = libsinsp::events::sc_set_to_event_names(plugin_sc_set);
if (!plugin_sc_set.empty())
{
falco_logger::log(falco_logger::level::DEBUG, "(" + std::to_string(plugin_names.size())
+ ") syscalls required by plugins: " + concat_set_in_order(plugin_names) + "\n");
}


/* DEFAULT OPTION:
* Current `sinsp_state_sc_set()` approach includes multiple steps:
* (1) Enforce all positive syscalls from each Falco rule
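Review bot: `plugin_names` is computed from `sc_set_to_event_names(plugin_sc_set)` before the `if (!plugin_sc_set.empty())` guard, so the conversion runs even when there is nothing to log; move that line inside the block next to the `falco_logger::log(...)` call. It would also help operators to log, at the same DEBUG level, which plugin contributed which event codes, since a parsing plugin with a broad `parse_event_codes()` set widens the interesting syscall set beyond what the loaded rules need and the current message only reports the merged total.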
@@ -111,9 +131,10 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
+ concat_set_in_order(invalid_positive_sc_set_names));
}

// selected events are the union of the rules events set and the
// selected events are the union of the rules events set plus
// the parsing capability plugins events set and the
// base events set (either the default or the user-defined one)
s.selected_sc_set = rules_sc_set.merge(base_sc_set);
s.selected_sc_set = rules_sc_set.merge(plugin_sc_set).merge(base_sc_set);

/* REPLACE DEFAULT STATE, nothing else. Need to override s.selected_sc_set and have a separate logic block. */
if (s.config->m_base_syscalls_repair && user_positive_sc_set.empty())
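Review bot: the merge at `s.selected_sc_set = rules_sc_set.merge(plugin_sc_set).merge(base_sc_set);` only covers the default path; the block that follows (`REPLACE DEFAULT STATE, nothing else. Need to override s.selected_sc_set`) overrides `s.selected_sc_set` when `m_base_syscalls_repair` is set and `user_positive_sc_set` is empty. Confirm that path also merges `plugin_sc_set`, otherwise a CAP_PARSING plugin loses its events exactly when the user opts into repair mode, which is the same class of bug this PR fixes reappearing under a different configuration.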
5 changes: 0 additions & 5 deletions userspace/falco/app/actions/init_inspectors.cpp
@@ -163,11 +163,6 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
std::unordered_set<std::string> used_plugins;
const auto& all_plugins = s.offline_inspector->get_plugin_manager()->plugins();

if((s.config->m_metrics_flags & METRICS_V2_STATE_COUNTERS))
Contributor Author: Just a cleanup :)

{

}

for (const auto &src : s.loaded_sources)
{
auto src_info = s.source_infos.at(src);
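Review bot: the deleted `if((s.config->m_metrics_flags & METRICS_V2_STATE_COUNTERS))` had an empty body, so removing it is behaviour-neutral; it is unrelated to the CAP_PARSING fix named in the title, though, so either mention it in the commit message or split it into its own commit so that `git blame` and bisect on the interesting-set change stay readable.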