From 6f153d7549157f83969645005732691180887df6 Mon Sep 17 00:00:00 2001
From: Loris Degioanni
Date: Sun, 15 Mar 2020 14:34:19 -0700
Subject: [PATCH 1/8] feat(cli): adding -u to flip inspector method calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
udig support through the -u command line flag
Signed-off-by: Kris Nóva
Co-authored-by: Kris Nóva
---
 userspace/falco/falco.cpp | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
index 9a44da1c665..31dac02a81a 100644
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -443,6 +443,7 @@ int falco_init(int argc, char **argv)
 set disable_sources;
 bool disable_syscall = false;
 bool disable_k8s_audit = false;
+ bool udig = false;
 // Used for writing trace files
 int duration_seconds = 0;
@@ -482,6 +483,7 @@ int falco_init(int argc, char **argv)
 {"stats-interval", required_argument, 0},
 {"support", no_argument, 0},
 {"unbuffered", no_argument, 0, 'U'},
+ {"udig", no_argument, 0, 'u'},
 {"validate", required_argument, 0, 'V'},
 {"version", no_argument, 0, 0},
 {"writefile", required_argument, 0, 'w'},
@@ -500,7 +502,7 @@ int falco_init(int argc, char **argv)
 // Parse the args
 //
 while((op = getopt_long(argc, argv,
- "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UvV:w:",
+ "hc:AbdD:e:F:ik:K:Ll:m:M:No:P:p:r:S:s:T:t:UuvV:w:",
 long_options, &long_index)) != -1)
 {
 switch(op)
@@ -607,6 +609,9 @@ int falco_init(int argc, char **argv)
 buffered_outputs = false;
 buffered_cmdline = true;
 break;
+ case 'u':
+ udig = true;
+ break;
 case 'v':
 verbose = true;
 break;
@@ -1091,8 +1096,16 @@ int falco_init(int argc, char **argv)
 }
 else
 {
- open_t open_cb = [](sinsp* inspector) {
- inspector->open();
+ open_t open_cb = [&udig](sinsp* inspector)
+ {
+ if(udig)
+ {
+ inspector->open_udig();
+ }
+ else
+ {
+ inspector->open();
+ }
 };
 open_t open_nodriver_cb = [](sinsp* inspector) {
 inspector->open_nodriver();
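Review bot: `open_cb` captures the local `udig` by reference (`[&udig]`), so the callback is only valid while `falco_init`'s frame is alive; for a `bool` that is fully decided before the lambda is built, capturing by value, `open_t open_cb = [udig](sinsp* inspector)`, removes that lifetime coupling at no cost. It would also help operators if the callback logged which capture backend it selected (userspace instrumentation via `open_udig()` versus the kernel driver via `open()`), since the two paths differ in what the inspector can observe and that choice is otherwise invisible in the logs. The new `-u`/`--udig` option has no entry in `usage()` in this commit. `falco_init` starts and ends outside the hunk.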
From 0e15e8d2234f0021c738a903e207b8a81a5aaab4 Mon Sep 17 00:00:00 2001
From: Kris Nova
Date: Wed, 6 May 2020 13:02:26 -0700
Subject: [PATCH 2/8] feat(build): fixing MD5 of tpp for udig/pdig build
Signed-off-by: Kris Nova
---
 CMakeLists.txt | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5ade32024cf..091e3407a2d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -193,8 +193,13 @@ set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
 set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
 ExternalProject_Add(
 tbb
- URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
- URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
+ # @kris-nova This was in head, saving as we work towards getting udig
+ # to compile for fargate.
+ # URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
+ # URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
+ #
+ URL "https://github.com/intel/tbb/archive/2018_U5.tar.gz"
+ URL_MD5 "d180f4b025ff8432a447dd2f917cb3f6"
 CONFIGURE_COMMAND ""
 BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
 BUILD_IN_SOURCE 1
From f75b5d45f5f9e4e9f814a1b8d29f501f9d37a83b Mon Sep 17 00:00:00 2001
From: Kris Nova
Date: Wed, 6 May 2020 13:51:46 -0700
Subject: [PATCH 3/8] feat(cli): adding -u to the usage text
Signed-off-by: Kris Nova
---
 userspace/falco/falco.cpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
index 31dac02a81a..876f46a9782 100644
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
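Review bot: The new `URL_MD5 "d180f4b025ff8432a447dd2f917cb3f6"` replaces a SHA-256 `URL_HASH` on a build dependency fetched over the network; MD5 has no collision resistance, so this hunk weakens integrity verification of the tbb archive that gets linked into falco. Prefer `URL_HASH "SHA256=<sha256 of the intel/tbb 2018_U5 archive>"` for the new URL — `URL_HASH` works for any download, not only the oneTBB one. The commented-out previous `URL`/`URL_HASH` lines and the `@kris-nova` note are dead configuration; the reason for the switch belongs in the commit message rather than the file.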
@@ -158,6 +158,8 @@ static void usage()
 " This causes every single line emitted by falco to be flushed,\n"
 " which generates higher CPU usage but is useful when piping those outputs\n"
 " into another process or into a script.\n"
+ " -u Flip the inspector code to parse from userspace. This can be used in conjunction with\n"
+ " the ptrace(2) based capture source pdig.\n"
 " -V, --validate Read the contents of the specified rules(s) file and exit.\n"
 " Can be specified multiple times to validate multiple files.\n"
 " -v Verbose output.\n"
@@ -1096,10 +1098,17 @@ int falco_init(int argc, char **argv)
 }
 else
 {
- open_t open_cb = [&udig](sinsp* inspector)
+ open_t open_cb = [&udig](sinsp* inspector)
 {
 if(udig)
 {
+ // open_udig() is the underlying method used in the capture
+ // code to parse userspace events from the kernel.
+ //
+ // In the case of falco we use ptrace(2) for one
+ // of these userspace implementations. Regardless
+ // of the implementation, the underlying method
+ // remains the same.
 inspector->open_udig();
 }
 else
From 7b38f78cce5b4f0910beeaf5e65338071e340b0e Mon Sep 17 00:00:00 2001
From: Kris Nova
Date: Mon, 13 Jul 2020 14:16:17 -0700
Subject: [PATCH 4/8] update(userspace/falco): edits to the falco CLI
Signed-off-by: Leonardo Di Donato
Co-authored-by: Leonardo Di Donato
---
 userspace/falco/falco.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
index 876f46a9782..09ed48baa5b 100644
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
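Review bot: The comment added before `inspector->open_udig()` says the method is used `to parse userspace events from the kernel`, which contradicts the code it annotates: on the `udig` branch the inspector is opened against the ptrace(2)-based userspace driver precisely so that the kernel module is not used. Suggest `// open_udig() attaches to the userspace (ptrace(2) based) driver, pdig, instead of the kernel module.` and dropping the remaining lines, which restate the same point. The rewritten comment in PATCH 7/8 (the `@@ -1098,17 +1098,14 @@` hunk) carries the same wording forward. `falco_init` starts and ends outside the hunk.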
@@ -159,7 +159,7 @@ static void usage()
 " which generates higher CPU usage but is useful when piping those outputs\n"
 " into another process or into a script.\n"
 " -u Flip the inspector code to parse from userspace. This can be used in conjunction with\n"
- " the ptrace(2) based capture source pdig.\n"
+ " To be used in conjunction with the ptrace(2) based driver (pdig).\n"
 " -V, --validate Read the contents of the specified rules(s) file and exit.\n"
 " Can be specified multiple times to validate multiple files.\n"
 " -v Verbose output.\n"
From 358ca11e31c9b0aeb66efc971f99e2efb00a3b10 Mon Sep 17 00:00:00 2001
From: Leo Di Donato
Date: Tue, 14 Jul 2020 20:06:02 +0200
Subject: [PATCH 5/8] update(userspace/falco): userspace instrumentation help line
Signed-off-by: Leonardo Di Donato
---
 userspace/falco/falco.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
index 09ed48baa5b..d24017f7071 100644
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -158,7 +158,7 @@ static void usage()
 " This causes every single line emitted by falco to be flushed,\n"
 " which generates higher CPU usage but is useful when piping those outputs\n"
 " into another process or into a script.\n"
- " -u Flip the inspector code to parse from userspace. This can be used in conjunction with\n"
+ " -u Parse events from userspace.\n"
 " To be used in conjunction with the ptrace(2) based driver (pdig).\n"
 " -V, --validate Read the contents of the specified rules(s) file and exit.\n"
 " Can be specified multiple times to validate multiple files.\n"
@@ -485,7 +485,7 @@ int falco_init(int argc, char **argv)
 {"stats-interval", required_argument, 0},
 {"support", no_argument, 0},
 {"unbuffered", no_argument, 0, 'U'},
- {"udig", no_argument, 0, 'u'},
+ {"udig", no_argument, 0, 'u'},
 {"validate", required_argument, 0, 'V'},
 {"version", no_argument, 0, 0},
 {"writefile", required_argument, 0, 'w'},
From 4f431b4e0be83cd6f271c761bea185d641e09273 Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Tue, 14 Jul 2020 18:15:25 +0000
Subject: [PATCH 6/8] chore: onetbb dependency is back
Signed-off-by: Leonardo Di Donato
---
 CMakeLists.txt | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 091e3407a2d..5ade32024cf 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -193,13 +193,8 @@ set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
 set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
 ExternalProject_Add(
 tbb
- # @kris-nova This was in head, saving as we work towards getting udig
- # to compile for fargate.
- # URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
- # URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
- #
- URL "https://github.com/intel/tbb/archive/2018_U5.tar.gz"
- URL_MD5 "d180f4b025ff8432a447dd2f917cb3f6"
+ URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
+ URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
 CONFIGURE_COMMAND ""
 BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
 BUILD_IN_SOURCE 1
From 9c44e4d6942cb2089427b0a6480deac58347157c Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Tue, 14 Jul 2020 18:45:38 +0000
Subject: [PATCH 7/8] fix(userspace/falco): try to insert kernel module driver conditionally
Do it only when not running with userspace instrumentation enabled and the syscall input source is enabled (!disable_syscall)
Signed-off-by: Leonardo Di Donato
---
 userspace/falco/falco.cpp | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
index d24017f7071..15b7f9a8357 100644
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -158,7 +158,7 @@ static void usage()
 " This causes every single line emitted by falco to be flushed,\n"
 " which generates higher CPU usage but is useful when piping those outputs\n"
 " into another process or into a script.\n"
- " -u Parse events from userspace.\n"
+ " -u, --userspace Parse events from userspace.\n"
 " To be used in conjunction with the ptrace(2) based driver (pdig).\n"
 " -V, --validate Read the contents of the specified rules(s) file and exit.\n"
 " Can be specified multiple times to validate multiple files.\n"
@@ -445,7 +445,7 @@ int falco_init(int argc, char **argv)
 set disable_sources;
 bool disable_syscall = false;
 bool disable_k8s_audit = false;
- bool udig = false;
+ bool userspace = false;
 // Used for writing trace files
 int duration_seconds = 0;
@@ -485,7 +485,7 @@ int falco_init(int argc, char **argv)
 {"stats-interval", required_argument, 0},
 {"support", no_argument, 0},
 {"unbuffered", no_argument, 0, 'U'},
- {"udig", no_argument, 0, 'u'},
+ {"userspace", no_argument, 0, 'u'},
 {"validate", required_argument, 0, 'V'},
 {"version", no_argument, 0, 0},
 {"writefile", required_argument, 0, 'w'},
@@ -612,7 +612,7 @@ int falco_init(int argc, char **argv)
 buffered_cmdline = true;
 break;
 case 'u':
- udig = true;
+ userspace = true;
 break;
 case 'v':
 verbose = true;
@@ -1098,17 +1098,14 @@ int falco_init(int argc, char **argv)
 }
 else
 {
- open_t open_cb = [&udig](sinsp* inspector)
+ open_t open_cb = [&userspace](sinsp* inspector)
 {
- if(udig)
+ if(userspace)
 {
- // open_udig() is the underlying method used in the capture
- // code to parse userspace events from the kernel.
- //
- // In the case of falco we use ptrace(2) for one
- // of these userspace implementations. Regardless
- // of the implementation, the underlying method
- // remains the same.
+ // open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
+ //
+ // Falco uses a ptrace(2) based userspace implementation.
+ // Regardless of the implementation, the underlying method remains the same.
 inspector->open_udig();
 }
 else
@@ -1138,11 +1135,16 @@ int falco_init(int argc, char **argv)
 }
 catch(sinsp_exception &e)
 {
- if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
+ // If syscall input source is enabled and not through userspace instrumentation
+ if (!disable_syscall && !userspace)
 {
- falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
+ // Try to insert the Falco kernel module
+ if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
+ {
+ falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
+ }
+ open_f(inspector);
 }
- open_f(inspector);
 }
 }
@@ -1161,7 +1163,7 @@ int falco_init(int argc, char **argv)
 duration = ((double)clock()) / CLOCKS_PER_SEC;
 //
- // run k8s, if required
+ // Run k8s, if required
 //
 if(k8s_api)
 {
@@ -1200,7 +1202,7 @@ int falco_init(int argc, char **argv)
 }
 //
- // run mesos, if required
+ // Run mesos, if required
 //
 if(mesos_api)
 {
From 20c7b71609f6594123c4c51c602df4c58c93a035 Mon Sep 17 00:00:00 2001
From: Lorenzo Fontana
Date: Wed, 15 Jul 2020 11:38:53 +0200
Subject: [PATCH 8/8] fix(userspace): rethrow inspector open exceptions
Co-Authored-By: Leonardo Di Donato
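Review bot: In the `@@ -1138,11 +1135,16 @@` hunk the message `Unable to load the driver. Exiting.` is logged when `modprobe` fails, yet control falls straight through to `open_f(inspector)` on the next line, so the text misstates what the code does; either leave the handler there or reword it, e.g. `falco_logger::log(LOG_ERR, "Unable to load the driver, retrying open anyway.\n");`. The re-added `system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null")` runs through the shell with whatever `PATH` falco inherited, and falco is normally started as root; invoking modprobe by a fixed absolute path (or via `fork`/`execv` without a shell) and logging its exit status would make the driver-load step more predictable and easier to audit. In the same hunk, when `disable_syscall` or `userspace` is set the caught `sinsp_exception` is dropped and `falco_init` continues with an inspector that was never opened. `falco_init` starts and ends outside the hunk.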
Signed-off-by: Lorenzo Fontana
---
 userspace/falco/falco.cpp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
index 15b7f9a8357..59a658f85d5 100644
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -1107,11 +1107,9 @@ int falco_init(int argc, char **argv)
 // Falco uses a ptrace(2) based userspace implementation.
 // Regardless of the implementation, the underlying method remains the same.
 inspector->open_udig();
+ return;
 }
- else
- {
- inspector->open();
- }
+ inspector->open();
 };
 open_t open_nodriver_cb = [](sinsp* inspector) {
 inspector->open_nodriver();
@@ -1145,6 +1143,7 @@ int falco_init(int argc, char **argv)
 }
 open_f(inspector);
 }
+ rethrow_exception(current_exception());
 }
 }
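Review bot: `rethrow_exception(current_exception());` in the `@@ -1145,6 +1143,7 @@` hunk sits after the closing brace of `if (!disable_syscall && !userspace)` (judging from the context lines shown), so it also runs when the `modprobe` retry and the second `open_f(inspector)` succeed — the original `sinsp_exception` is then rethrown and startup fails even though the inspector is now open. Attach the rethrow to the non-retry path instead, replacing the added line with an `else` branch on that `if`: `else` / `{` / `throw;` — inside a catch handler `throw;` is the idiomatic form and needs no `<exception>` helpers. `falco_init` starts and ends outside the hunk.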