diff --git a/cmake/modules/CompilerFlags.cmake b/cmake/modules/CompilerFlags.cmake index 5a5d956a42..7eccbc0d70 100644 --- a/cmake/modules/CompilerFlags.cmake +++ b/cmake/modules/CompilerFlags.cmake @@ -106,8 +106,12 @@ else() # MSVC set(CMAKE_C_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}") set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}") + # "_DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR" enables a + # workaround for windows GH runner issue, see + # https://github.com/actions/runner-images/issues/10004 add_compile_definitions( _HAS_STD_BYTE=0 WIN32_LEAN_AND_MEAN + _DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR ) endif() diff --git a/cmake/modules/cares.cmake b/cmake/modules/cares.cmake index 01765e8312..4093a44fe0 100644 --- a/cmake/modules/cares.cmake +++ b/cmake/modules/cares.cmake @@ -43,8 +43,8 @@ else() message(STATUS "Using bundled c-ares in '${CARES_SRC}'") ExternalProject_Add(c-ares PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix" - URL "https://c-ares.haxx.se/download/c-ares-1.19.1.tar.gz" - URL_HASH "SHA256=321700399b72ed0e037d0074c629e7741f6b2ec2dda92956abe3e9671d3e268e" + URL "https://github.com/c-ares/c-ares/releases/download/v1.30.0/c-ares-1.30.0.tar.gz" + URL_HASH "SHA256=4fea312112021bcef081203b1ea020109842feb58cd8a36a3d3f7e0d8bc1138c" CONFIGURE_COMMAND CPPFLAGS=${CARES_CPPFLAGS} ./configure ${CARES_STATIC_OPTION} --prefix=${CARES_INSTALL_DIR} BUILD_COMMAND make BUILD_IN_SOURCE 1 diff --git a/userspace/libsinsp/filter_compare.cpp b/userspace/libsinsp/filter_compare.cpp index 29cc670d02..d409db0617 100644 --- a/userspace/libsinsp/filter_compare.cpp +++ b/userspace/libsinsp/filter_compare.cpp @@ -415,7 +415,7 @@ static inline void _throw_if_not_comparable(cmpop op, Check c) } template -static inline bool flt_compare_numeric(cmpop op, uint64_t operand1, uint64_t operand2) +static inline bool flt_compare_numeric(cmpop op, T operand1, T operand2) { switch(op) { 
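Review bot: The new `_DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR` entry in `add_compile_definitions` sits in the MSVC branch unconditionally, so it applies to every Windows build, not only to the GitHub runner the comment names. The comment should record when the workaround can go, for example `# TODO: remove once actions/runner-images#10004 is resolved`. Whether projects that consume the libs inherit this definition is not visible in the hunk.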
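Review bot: With both operands of `flt_compare_numeric` now typed `T`, the signedness of the comparison depends entirely on the type each call site instantiates, and nothing in the signature records that contract. A comment above the template would help, e.g. `// T must be the field's native type: comparing signed values as uint64_t makes negatives sort above every positive`. This matters for rule evaluation, since a filter such as `fd.num < 0` presumably gave the wrong answer while the operands were forced to `uint64_t`. If any caller passes two different operand types without naming `T`, deduction will fail to compile; the call sites and the rest of the function body are outside this hunk.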
diff --git a/userspace/libsinsp/metrics_collector.cpp b/userspace/libsinsp/metrics_collector.cpp index 00d7d3dfd6..a3fdff1b4c 100644 --- a/userspace/libsinsp/metrics_collector.cpp +++ b/userspace/libsinsp/metrics_collector.cpp @@ -457,19 +457,6 @@ void libs_metrics_collector::snapshot() return; } - /* - * plugins metrics - */ - - if(m_metrics_flags & METRICS_V2_PLUGINS) - { - for (auto& p : m_inspector->get_plugin_manager()->plugins()) - { - std::vector plugin_metrics = p->get_metrics(); - m_metrics.insert(m_metrics.end(), plugin_metrics.begin(), plugin_metrics.end()); - } - } - /* * libscap metrics */ @@ -783,6 +770,19 @@ void libs_metrics_collector::snapshot() } } } + + /* + * plugins metrics + */ + + if(m_metrics_flags & METRICS_V2_PLUGINS) + { + for (auto& p : m_inspector->get_plugin_manager()->plugins()) + { + std::vector plugin_metrics = p->get_metrics(); + m_metrics.insert(m_metrics.end(), plugin_metrics.begin(), plugin_metrics.end()); + } + } } const std::vector& libs_metrics_collector::get_metrics() const diff --git a/userspace/libsinsp/test/CMakeLists.txt b/userspace/libsinsp/test/CMakeLists.txt index 06ccdf475e..8dd0138fdc 100644 --- a/userspace/libsinsp/test/CMakeLists.txt +++ b/userspace/libsinsp/test/CMakeLists.txt @@ -107,6 +107,7 @@ set(LIBSINSP_UNIT_TESTS_SOURCES filter_parser.ut.cpp filter_op_bcontains.ut.cpp filter_op_pmatch.ut.cpp + filter_op_numeric_compare.ut.cpp filter_compiler.ut.cpp filter_transformer.ut.cpp user.ut.cpp diff --git a/userspace/libsinsp/test/filter_op_numeric_compare.ut.cpp b/userspace/libsinsp/test/filter_op_numeric_compare.ut.cpp new file mode 100644 index 0000000000..d73fd9a213 --- /dev/null +++ b/userspace/libsinsp/test/filter_op_numeric_compare.ut.cpp 
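Review bot: The relocated `plugins metrics` block at the end of `libs_metrics_collector::snapshot()` carries no comment saying why it must run after the libscap and libsinsp sections, so a later reorder could silently undo the move; the reason should be stated in the block comment. Any early `return` between the old and the new position now skips plugin metrics altogether. Only the one just before the old position is visible here, so the intervening code should be checked. If `get_metrics()` returns a reference, `const auto& plugin_metrics = p->get_metrics();` would avoid copying the vector on every snapshot.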
@@ -0,0 +1,59 @@ +// SPDX-License-Identifier: Apache-2.0 +/* +Copyright (C) 2024 The Falco Authors. + +Licensed under the Apache License, Version 2.0 (the "License")); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +*/ + +#include +#include + +#include + +TEST_F(sinsp_with_test_input, signed_int_compare) +{ + add_default_init_thread(); + + open_inspector(); + + sinsp_evt * evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_EPOLL_CREATE_X, 1, (uint64_t)-22); + + EXPECT_EQ(get_field_as_string(evt, "evt.cpu"), "1"); + + EXPECT_TRUE(eval_filter(evt, "evt.cpu < 300")); + EXPECT_FALSE(eval_filter(evt, "evt.cpu > 300")); + EXPECT_TRUE(eval_filter(evt, "evt.cpu < 2")); + EXPECT_TRUE(eval_filter(evt, "evt.cpu > -500")); + EXPECT_TRUE(eval_filter(evt, "evt.cpu < 500")); + EXPECT_TRUE(eval_filter(evt, "evt.cpu <= 500")); + + EXPECT_TRUE(eval_filter(evt, "evt.cpu <= 1025")); + EXPECT_FALSE(eval_filter(evt, "evt.cpu >= 1025")); + + EXPECT_FALSE(eval_filter(evt, "evt.rawarg.res > 0")); + EXPECT_TRUE(eval_filter(evt, "evt.rawarg.res < 0")); + EXPECT_FALSE(eval_filter(evt, "evt.rawarg.res > 4294967295")); + EXPECT_TRUE(eval_filter(evt, "evt.rawarg.res < -1")); + EXPECT_TRUE(eval_filter(evt, "evt.rawarg.res > -65535")); + + evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_OPEN_E, 3, "/tmp/the_file", PPM_O_NONE, 0666); + evt = add_event_advance_ts(increasing_ts(), 1, PPME_SYSCALL_OPEN_X, 6, (int64_t)(-1), "/tmp/the_file", PPM_O_NONE, 0666, 123, (uint64_t)456); + + EXPECT_FALSE(eval_filter(evt, "fd.num >= 0")); + EXPECT_FALSE(eval_filter(evt, "fd.num 
> 0")); + EXPECT_TRUE(eval_filter(evt, "fd.num < 0")); + EXPECT_FALSE(eval_filter(evt, "fd.num > 4294967295")); + EXPECT_FALSE(eval_filter(evt, "fd.num < -1")); + EXPECT_TRUE(eval_filter(evt, "fd.num > -65535")); +} diff --git a/userspace/libsinsp/test/sinsp_with_test_input.cpp b/userspace/libsinsp/test/sinsp_with_test_input.cpp index 17afbd3d43..a0b53f70af 100644 --- a/userspace/libsinsp/test/sinsp_with_test_input.cpp +++ b/userspace/libsinsp/test/sinsp_with_test_input.cpp @@ -497,6 +497,20 @@ std::string sinsp_with_test_input::get_field_as_string(sinsp_evt* evt, std::stri return result; } +bool sinsp_with_test_input::eval_filter(sinsp_evt* evt, std::string filter_str) +{ + auto factory = std::make_shared(&m_inspector, m_default_filterlist); + sinsp_filter_compiler compiler(factory, filter_str); + + auto filter = compiler.compile(); + if (!filter) + { + throw sinsp_exception(std::string("could not compile filter ") + filter_str); + } + + return filter->run(evt); +} + sinsp_evt* sinsp_with_test_input::next_event() { sinsp_evt* evt; diff --git a/userspace/libsinsp/test/sinsp_with_test_input.h b/userspace/libsinsp/test/sinsp_with_test_input.h index 8389bdd9bf..cac743c436 100644 --- a/userspace/libsinsp/test/sinsp_with_test_input.h +++ b/userspace/libsinsp/test/sinsp_with_test_input.h 
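Review bot: The `evt.rawarg.res` assertions in `signed_int_compare` never compare against the stored value -22 itself, so a mix-up between `<` and `<=` on a negative operand would go unnoticed. Adding `EXPECT_TRUE(eval_filter(evt, "evt.rawarg.res <= -22"));` and `EXPECT_FALSE(eval_filter(evt, "evt.rawarg.res < -22"));` would pin that boundary. `fd.num` already has the strict case at -1, and a matching `fd.num <= -1` would complete it. The result is passed as `(uint64_t)-22` for the first event but as `(int64_t)(-1)` for the second; using the signed cast in both places would make the intent clearer.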
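Review bot: `eval_filter` takes `std::string filter_str` by value although the string is only read, while the neighbouring helpers in this fixture take `std::string_view`. `const std::string& filter_str` would avoid a copy per assertion, assuming `sinsp_filter_compiler` accepts a const string, and the declaration added to `sinsp_with_test_input.h` should change with it. The helper also lacks a comment on its contract, e.g. `// compiles filter_str against m_default_filterlist on every call and runs it on evt; throws sinsp_exception if no filter is produced`.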
@@ -192,12 +192,15 @@ class sinsp_with_test_input : public ::testing::Test void add_default_init_thread(); void add_simple_thread(int64_t tid, int64_t pid, int64_t ptid, const std::string& comm = "random"); uint64_t increasing_ts(); + bool field_exists(sinsp_evt*, std::string_view field_name); bool field_exists(sinsp_evt*, std::string_view field_name, filter_check_list&); bool field_has_value(sinsp_evt*, std::string_view field_name); bool field_has_value(sinsp_evt*, std::string_view field_name, filter_check_list&); std::string get_field_as_string(sinsp_evt*, std::string_view field_name); std::string get_field_as_string(sinsp_evt*, std::string_view field_name, filter_check_list&); + bool eval_filter(sinsp_evt* evt, std::string filter); + sinsp_evt* next_event(); scap_test_input_data m_test_data; diff --git a/userspace/libsinsp/test/user.ut.cpp b/userspace/libsinsp/test/user.ut.cpp index 34ef20c010..c5a06153a8 100644 --- a/userspace/libsinsp/test/user.ut.cpp +++ b/userspace/libsinsp/test/user.ut.cpp @@ -169,13 +169,13 @@ class usergroup_manager_host_root_test : public sinsp_with_test_input { std::ofstream ofs(etc + "/passwd"); - ofs << "toor:x:0:0:toor:/toor:/bin/ash" << std::endl; - ofs.close(); + ofs << "toor:x:0:0:toor:/toor:/bin/ash\n" + << "+testuser::::::\n"; } { std::ofstream ofs(etc + "/group"); - ofs << "toor:x:0:toor" << std::endl; - ofs.close(); + ofs << "toor:x:0:toor\n" + << "+testgroup::::::\n"; } } 
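Review bot: The line written to the `group` fixture, `+testgroup::::::`, uses the seven-field passwd layout, whereas a group entry has four colon-separated fields. If the intent is to exercise the `+` prefix, a parser may reject this line for its field count first; `"+testgroup:::\n"` would match the file format. Whether these fixture lines are read by any test in this file is not visible in the hunk.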
@@ -211,4 +211,19 @@ TEST_F(usergroup_manager_host_root_test, host_root_lookup) ASSERT_EQ(group->gid, 0); ASSERT_STREQ(group->name, "toor"); } + +TEST_F(usergroup_manager_host_root_test, nss_user_lookup) +{ + std::string container_id; // empty container_id means host + + sinsp_usergroup_manager mgr(&m_inspector); + mgr.add_user(container_id, -1, 0, 0, {}, {}, {}); + mgr.add_user(container_id, -1, 65534, 0, {}, {}, {}); + + auto* usr = mgr.add_user(container_id, -1, 0, 0, "+test_user", "", ""); + ASSERT_EQ(usr, nullptr); + + auto* grp = mgr.add_group(container_id, -1, 0, "+test_group"); + ASSERT_EQ(grp, nullptr); +} #endif diff --git a/userspace/libsinsp/user.cpp b/userspace/libsinsp/user.cpp index a2397e6002..7a83260707 100644 --- a/userspace/libsinsp/user.cpp +++ b/userspace/libsinsp/user.cpp @@ -266,6 +266,14 @@ scap_groupinfo *sinsp_usergroup_manager::groupinfo_map_insert( scap_userinfo *sinsp_usergroup_manager::add_user(const std::string &container_id, int64_t pid, uint32_t uid, uint32_t gid, std::string_view name, std::string_view home, std::string_view shell, bool notify) { + // ignore NSS entries + if(!name.empty() && (name[0] == '+' || name[0] == '-')) + { + libsinsp_logger()->format(sinsp_logger::SEV_DEBUG, + "NSS user ignored: %.*s", static_cast(name.length()), name.data()); + return nullptr; + } + if (!m_import_users) { m_fallback_user.uid = uid; @@ -401,6 +409,14 @@ bool sinsp_usergroup_manager::rm_user(const string &container_id, uint32_t uid, scap_groupinfo *sinsp_usergroup_manager::add_group(const string &container_id, int64_t pid, uint32_t gid, std::string_view name, bool notify) { + // ignore NSS entries + if(!name.empty() && (name[0] == '+' || name[0] == '-')) + { + libsinsp_logger()->format(sinsp_logger::SEV_DEBUG, + "NSS group ignored: %.*s", static_cast(name.length()), name.data()); + return nullptr; + } + if (!m_import_users) { m_fallback_grp.gid = gid; 
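Review bot: `nss_user_lookup` covers only the `+` prefix, although the guard this commit adds to `add_user` and `add_group` also rejects names that start with `-`. Adding `ASSERT_EQ(mgr.add_user(container_id, -1, 0, 0, "-test_user", "", ""), nullptr);` and `ASSERT_EQ(mgr.add_group(container_id, -1, 0, "-test_group"), nullptr);` would cover both branches. The two leading `add_user` calls with empty names discard their results, so a comment saying what they set up would help the reader. The names used here (`+test_user`, `+test_group`) also differ from the ones the fixture writes (`+testuser`, `+testgroup`), which suggests the fixture lines are not what this test checks.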
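Review bot: The NSS guard in `add_user` returns `nullptr` before the `if (!m_import_users)` branch, so a caller that presumably always received the fallback entry in that mode can now get null; the guard in `add_group` has the same placement. The callers are outside these hunks and each should be checked for an unguarded dereference. The comment `// ignore NSS entries` could say what is matched, e.g. `// skip NSS compat-mode lines ("+name" / "-name"): they are lookup directives, not accounts`. The check is duplicated in both functions and would read better as one small file-local helper. Both function bodies continue past the end of their hunks.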
diff --git a/userspace/plugin/plugin_api.h b/userspace/plugin/plugin_api.h index dea0c23ce7..d498fe57ad 100644 --- a/userspace/plugin/plugin_api.h +++ b/userspace/plugin/plugin_api.h @@ -30,7 +30,7 @@ extern "C" { // // todo(jasondellaluce): when/if major changes to v4, check and solve all todos #define PLUGIN_API_VERSION_MAJOR 3 -#define PLUGIN_API_VERSION_MINOR 5 +#define PLUGIN_API_VERSION_MINOR 6 #define PLUGIN_API_VERSION_PATCH 0 // diff --git a/userspace/plugin/plugin_loader.c b/userspace/plugin/plugin_loader.c index 48cee1fe21..3f86ae3aff 100644 --- a/userspace/plugin/plugin_loader.c +++ b/userspace/plugin/plugin_loader.c @@ -136,6 +136,7 @@ plugin_handle_t* plugin_load(const char* path, char* err) SYM_RESOLVE(ret, get_async_events); SYM_RESOLVE(ret, set_async_event_handler); SYM_RESOLVE(ret, set_config); + SYM_RESOLVE(ret, get_metrics); return ret; } diff --git a/userspace/plugin/plugin_types.h b/userspace/plugin/plugin_types.h index c7a63d6222..8cb2edcc9a 100644 --- a/userspace/plugin/plugin_types.h +++ b/userspace/plugin/plugin_types.h @@ -298,13 +298,13 @@ typedef enum ss_plugin_log_severity // Types supported by the by the metric values typedef enum ss_plugin_metric_value_type { - SS_PLUGIN_METRIC_VALUE_TYPE_U32 = 1, - SS_PLUGIN_METRIC_VALUE_TYPE_S32 = 2, - SS_PLUGIN_METRIC_VALUE_TYPE_U64 = 3, - SS_PLUGIN_METRIC_VALUE_TYPE_S64 = 4, - SS_PLUGIN_METRIC_VALUE_TYPE_D = 5, - SS_PLUGIN_METRIC_VALUE_TYPE_F = 6, - SS_PLUGIN_METRIC_VALUE_TYPE_I = 7, + SS_PLUGIN_METRIC_VALUE_TYPE_U32 = 0, + SS_PLUGIN_METRIC_VALUE_TYPE_S32 = 1, + SS_PLUGIN_METRIC_VALUE_TYPE_U64 = 2, + SS_PLUGIN_METRIC_VALUE_TYPE_S64 = 3, + SS_PLUGIN_METRIC_VALUE_TYPE_D = 4, + SS_PLUGIN_METRIC_VALUE_TYPE_F = 5, + SS_PLUGIN_METRIC_VALUE_TYPE_I = 6, } ss_plugin_metric_value_type; // Data representation of metric values 
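Review bot: Renumbering `ss_plugin_metric_value_type` from 1..7 to 0..6 changes the values of a public plugin header, yet `plugin_api.h` only bumps the minor version from 5 to 6. A plugin compiled against the old header would have every value type read one slot off, so the wrong member of `ss_plugin_metric_value` would be interpreted. `ss_plugin_metric_type` in the following hunk is shifted the same way. If no released loader resolved `get_metrics` before this commit (the `SYM_RESOLVE` line is added here), the change may be harmless, but a comment next to the enums should say so. With 0 now a valid value, a zero-initialised metric looks like a U32 monotonic one, so the consumer should range-check both fields before reading the union.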
@@ -322,8 +322,8 @@ typedef union ss_plugin_metric_value // Metric types typedef enum ss_plugin_metric_type { - SS_PLUGIN_METRIC_TYPE_MONOTONIC = 1, - SS_PLUGIN_METRIC_TYPE_NON_MONOTONIC = 2, + SS_PLUGIN_METRIC_TYPE_MONOTONIC = 0, + SS_PLUGIN_METRIC_TYPE_NON_MONOTONIC = 1, } ss_plugin_metric_type; //