new: add option to enable event sources selectively #2085
Conversation
|
/milestone 0.33.0 |
jasondellaluce
force-pushed
the
new/source-selection
branch
2 times, most recently
from
0c114d9
to
e4014a6
Compare
jasondellaluce
force-pushed
the
new/source-selection
branch
from
e4014a6
to
4eb508b
Compare
jasondellaluce
force-pushed
the
new/source-selection
branch
from
4eb508b
to
2ddb23d
Compare
|
LGTM label has been added. Git tree hash: 46c532c0c2d5f4c9710fba2984a4c598586c9a7a
|
…ce selection Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
…sources Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
jasondellaluce
force-pushed
the
new/source-selection
branch
from
2ddb23d
to
54d9184
Compare
| } | ||
|
|
||
| /* Print all enabled sources. */ | ||
| std::ostringstream os; |
There was a problem hiding this comment.
For a future PR: perhaps move this part to a different app_action?
There was a problem hiding this comment.
Yeah, I agree. Plus, one day we should also decide if we want to enable/disable event source for capture files too (A single capture file can potentially contain events from more than one source).
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP, jasondellaluce The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
LGTM label has been added. Git tree hash: f6095cacbb9ff469454f7ace18425b2b5087a781
|
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
/area tests
What this PR does / why we need it:
This PR introduces a new cmd line option
--enable-source=XXXthat is dual to the already-existing--disable-source=XXX. Both of them are opt-out: it is up to Falco to choose the default enable event sources depending on the provided configuration. So far, only one can be enabled per time (eithersyscall, or a plugin-based one).The semantic of
--disable-sourceis of disabling event sources selectively starting from the set of the ones enabled by Falco by default. On the opposite,--enable-sourceerases the Falco default enable set and allows enabling sources selectively.The feature of selecting a custom set of event sources has been introduced in the regression test suite too (
falco_tests.py). Tests relying on plugins have been updated accordingly.Which issue(s) this PR fixes:
Special notes for your reviewer:
For the current setup, this is sort of a huge no-op. However, this introduces preliminary work for #2074.
Does this PR introduce a user-facing change?: