Merged
Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Add a link to https://semver.org/ Co-authored-by: Angelo Puglisi <angelo.puglisi@sysdig.com>
Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Retrieve privileged from the correct locations of ContainerStatusResponse. - containerd: info/config/linux/security_context/privileged - crio: info/privileged Signed-off-by: Shang-Wen Wang (Sam Wang) <sam_s_wang@trendmicro.com>
Signed-off-by: lucklypse <lucklypse@gmail.com>
…parse_readv_writev_bufs() on recent kernel and llvm (linux 5.14.2 and llvm 12.0.1). Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Michele Zuccala <michele@zuccala.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: lucklypse <lucklypse@gmail.com>
Signed-off-by: lucklypse <lucklypse@gmail.com>
Co-authored-by: Mark Stemm <mark.stemm@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: lucklypse <lucklypse@gmail.com> Co-authored-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com> Signed-off-by: Michele Zuccala <michele@zuccala.com>
Add the ability to return the event types used by a filter. For
example, if a filter was "evt.type=open and fd.name=/tmp/foo", the
event types would be PPME_SYSCALL_OPEN*_{E,X}.
By default, an empty set is returned, meaning no specific events are
used.
Event types PPME_GENERIC_{E,X} are not included and it's assumed the
code using this will handle those event types directly.
This is used in programs like falco to provide a quick external test
against an event to see if it makes sense to evaluate the filter at
all. This can speed up event processing when falco has a large number
of loaded rules. Prior to this change, this was handled solely in
falco's lua code for loading rules. Moving responsibility to the
filter significantly simplifies the falco side of rule loading.
In the base classes, new methods
gen_event_filter_check::evttypes/possible_evttypes return a set of
event types. The base class implementation just returns a single event
type "1".
gen_event_filter_expression::evttypes() does all the work of iterating
over the filterchecks that make up an expression and combining sets of
event types. possible_evttypes is used for "not" operators, which
invert a set of event types to include everything outside the set.
The sinsp "base" class sinsp_filter_check just returns all event types
from 2 to PPM_EVENT_MAX.
The only actual implementation of evttypes() that does something is in
sinsp_filter_check_event for the field "evt.type". The method handles
=, in, and != as comparison operators.
Also add a unit test that compiles various filters and double-checks
the resulting set of event types.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
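The set arithmetic the commit above describes (leaf checks report event types, "and" intersects, "or" unions, "not" inverts against possible_evttypes()), as an added example in C++ that is not code from falcosecurity/libs or falco. The event numbers, the `filter_node`/`evttype_check`/`other_check`/`filter_expression` names and the `exact()` flag are assumptions made here; `exact()` in particular is an addition that goes beyond the commit, to handle "not" over a field other than evt.type without making the pre-check skip events the filter would match.

```cpp
// Added example, not code from falcosecurity/libs: a small filter AST whose
// nodes report the event types they can match, used as a cheap pre-check
// before the full filter is evaluated (the idea in the commit above).
#include <algorithm>
#include <iterator>
#include <memory>
#include <set>
#include <vector>

using evttype_set = std::set<int>;
// Hypothetical event numbers: 1 stands in for the generic event the commit
// excludes, 2..PPM_EVENT_MAX-1 are specific enter/exit events.
constexpr int PPM_EVENT_MAX = 8;
enum { OPEN_E = 2, OPEN_X, CLOSE_E, CLOSE_X, EXECVE_E, EXECVE_X };

// Universe used when inverting a set for "not", like possible_evttypes().
static evttype_set possible_evttypes() {
    evttype_set s;
    for (int t = 2; t < PPM_EVENT_MAX; ++t) s.insert(t);
    return s;
}

struct filter_node {
    virtual ~filter_node() = default;
    virtual evttype_set evttypes() const = 0;  // over-approximation of matchable types
    // Assumption added here, not in the commit: true when evttypes() is exact,
    // so that "not" may safely take the complement.
    virtual bool exact() const = 0;
};
using node_ptr = std::shared_ptr<filter_node>;
enum class cmp { eq, ne, in };

// evt.type = X / != X / in (X, Y): the only leaf that restricts event types.
struct evttype_check : filter_node {
    cmp op; evttype_set rhs;
    evttype_check(cmp o, evttype_set r) : op(o), rhs(std::move(r)) {}
    evttype_set evttypes() const override {
        if (op != cmp::ne) return rhs;           // "=" and "in" list the types
        evttype_set out = possible_evttypes();   // "!=" is everything else
        for (int t : rhs) out.erase(t);
        return out;
    }
    bool exact() const override { return true; }
};

// Any other field (fd.name, proc.name, ...): may match any event type.
struct other_check : filter_node {
    evttype_set evttypes() const override { return possible_evttypes(); }
    bool exact() const override { return false; }
};

struct filter_expression : filter_node {
    enum class kind { and_, or_, not_ };
    kind k; std::vector<node_ptr> kids;
    filter_expression(kind kk, std::vector<node_ptr> c) : k(kk), kids(std::move(c)) {}
    bool exact() const override {
        return std::all_of(kids.begin(), kids.end(), [](const node_ptr& n) { return n->exact(); });
    }
    evttype_set evttypes() const override {
        if (k == kind::not_) {
            // Complementing an over-approximation would drop events the filter
            // matches, so only exact sets (pure evt.type checks) are inverted.
            if (!kids[0]->exact()) return possible_evttypes();
            evttype_set out = possible_evttypes();
            for (int t : kids[0]->evttypes()) out.erase(t);
            return out;
        }
        evttype_set acc = kids[0]->evttypes();
        for (size_t i = 1; i < kids.size(); ++i) {
            evttype_set rhs = kids[i]->evttypes(), out;
            if (k == kind::and_)
                std::set_intersection(acc.begin(), acc.end(), rhs.begin(), rhs.end(), std::inserter(out, out.begin()));
            else
                std::set_union(acc.begin(), acc.end(), rhs.begin(), rhs.end(), std::inserter(out, out.begin()));
            acc = std::move(out);
        }
        return acc;
    }
};

// Per-event pre-check a consumer like falco would run; generic events (type 1)
// are in no set and are left to the caller, as the commit says.
static bool worth_evaluating(const filter_node& f, int evttype) {
    return f.evttypes().count(evttype) > 0;
}

static node_ptr type_is_open() {
    return std::make_shared<evttype_check>(cmp::eq, evttype_set{OPEN_E, OPEN_X});
}
static node_ptr negate(node_ptr n) {
    return std::make_shared<filter_expression>(filter_expression::kind::not_, std::vector<node_ptr>{std::move(n)});
}
// "evt.type=open and fd.name=/tmp/foo" -> {OPEN_E, OPEN_X}
static node_ptr open_and_fdname() {
    return std::make_shared<filter_expression>(filter_expression::kind::and_,
        std::vector<node_ptr>{type_is_open(), std::make_shared<other_check>()});
}
```

With these definitions, `negate(type_is_open())` yields every type except the two open events, while `negate(std::make_shared<other_check>())` stays unrestricted; a "not" that blindly complemented the all-types set of a non-evt.type check would return an empty set and the pre-check would silently discard every event for that rule.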
Clean up the interface for lua_parser/lua_parser_api so it doesn't rely on a single object. Context--the lua_parser object simply holds some intermediate state (e.g. nesting level) and builds up a gen_filter as the lua side traverses the ast of a filter expression. The lua_parser_api class just has static methods that are registered into lua. lua_parser used to be a single object that was reset for each filter. Now, it's an object that is created as a single filter is parsed and deleted afterward. The callbacks always pass the lua_parser object as a first argument and the state/filter in the object is updated. Also, registering the lua callbacks is now done via a static method instead of in the constructor. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add the ability to return all fields exported by a factory. This is important for programs like falco that need to validate rule filter expressions for various event sources, as well as print out sets of supported fields. Previously, falco did direct calls to sinsp::get_filtercheck_fields_info but we're trying to standardize everything to work through factories, to make it easier to support new event sources. This PR supports that work. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add the notion of "generic" event formatters and formatter factories
that can create a formatter for a given format string:
- gen_filter.h defines two new classes: gen_event_formatter provides
the interface to format events:
- set_format(): set the output format and format string
- tostring(): resolve the format with info from a gen_event,
populating a resolved string.
- tostring_withformat(): like tostring() but with a one-off output
format.
- get_field_values(): return all templated field names and values
from the configured format string.
- get_output_format(): get the current output format.
- gen_event_formatter_factory performs a similar role as the existing
sinsp_evt_formatter_cache, in that it maintains a cache of previously
used format strings/formatters, to avoid the overhead of creating
formatters. It simply returns a formatter, though, rather than
duplicating the format methods like sinsp_evt_formatter_cache does.
This can be used in programs like falco to format general purpose
events without having a direct connection to an
inspector/filterchecks/etc.
- The eventformatter changes simply add gen_event_formatter as a
parent class and implements the interfaces. To aid in backwards
compatibility with other parts of libsinsp, this only adds new
methods as needed to conform to the gen_event_formatter
interface. In some cases, the new methods just call existing methods
that did the same thing.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Instead of returning errors in lua callbacks via lua_error(), which stops the lua interpreter, return the error explicitly as a string error or nil. This allows for more graceful error handling on the lua side. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
The event table has a few "old" versions of some events, where the libs needed new params for an event, and did that by defining a new event. PPM_SYSCALL_EXECVE_* are good examples, where the parameters kept changing as we wanted to track additional info during execs. There's no reason to consider these old events with a simple consumer, so exclude events with this flag. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
These events are replaced by PPME_CONTAINER_JSON_{E,X}.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
When iterating over event numbers (e.g. PPME_EVENT_CONTAINER_{E,X}) to
see if they match a param that has the event number as a
string (e.g. "container"), skip all events that are
old (e.g. EF_UNUSED or EF_OLD_VERSION).
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Events with EF_OLD_VERSION/EF_UNUSED are skipped by libsinsp, so skip them here too. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This fixes eBPF build for RHEL 8.0 kernels Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
New classes that represent a plugin/filterchecks for plugins. High level summary of classes:

sinsp_plugin: base class, an object representing a loaded plugin, handles the dynamic library loading/function resolving/etc. Includes the functions that were dlsym()d from the shared library as well as demographic info (name, desc, contact) read from the plugin via plugin_get_name(), plugin_get_desc(), etc. Has static methods to create a plugin object and register it with sinsp. Note that sinsp_plugin does *not* have any ability to return events via a next() function. That's handled in libscap.

sinsp_source_plugin: child of sinsp_plugin, has additional methods to get read progress and display events as a string. Both call the underlying plugin functions.

sinsp_extractor_plugin: child of sinsp_plugin, has additional methods to check for a compatible source.

sinsp_async_extractor: handles the framework side of plugin_register_async_extractor. In extract, updates the shared struct and waits for a value from the plugin.

sinsp_filter_check_plugininfo: filtercheck class that handles the fields "evt.pluginname" and "evt.plugininfo". Each object is associated with a single plugin and the object is created in sinsp_plugin::register_plugin().

sinsp_filter_check_plugin: filtercheck class that handles all other fields exported by a plugin. The set of fields are those exported by the plugin in plugin_get_fields(), and extract calls the plugin's sinsp_plugin::extract_field() method, which in turn calls plugin_extract_fields().

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Loris Degioanni <loris@sysdig.com>
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
A plugin event has 2 fields:
- plugin id
- arbitrary event buffer, defined by the plugin
This allows events created by plugins to live in capture files/be represented by sinsp_evt objects like all other events.
Co-authored-by: Loris Degioanni <loris@sysdig.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This was required when libscap was included by other projects. Co-authored-by: Loris Degioanni <loris@sysdig.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add support for opening plugins and sourcing events from plugins in
libscap:
- The structs in plugin_info represent the interface to a plugin
dynamic library. Required enums/consts used for the plugin interface
are defined here. The source_plugin_info/extractor_plugin_info
structs contain the resolved functions.
- scap_open_plugin_int() handles the details of opening a plugin. It
takes a source_plugin_info struct and calls the plugin's open()
function.
- scap_next_plugin() calls the plugin's next() method to return
events.
Capture file handling also has some changes, with the introduction of
plugin sources:
- When writing capture files from plugin events, the resulting
capture file does not have any of the following:
- fd list
- process list
- machine info
- interface list
- user list
- When reading capture files, libscap does not mandate any of the
above blocks, as they could have been written by a libscap reading
plugin events.
- When reading capture files, if a section header block is found in
the middle of the file, instead of returning SCAP_UNEXPECTED_BLOCK,
read the section header, make no changes, and return
SCAP_TIMEOUT. This allows a capture file to contain a section
header block in the middle, which supports use cases involving
concatenating .scap files from plugins into a single file.
Co-authored-by: Loris Degioanni <loris@sysdig.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
libsinsp support for plugins involves:
- methods to load a set of plugins and associate them with an inspector (add_plugin, get_plugins, get_plugin_by_id, get_source_plugin_by_source, etc.)
- methods to open a stream of events from a plugin and check its progress (set_input_plugin/set_input_plugin_open_params, get_read_progress_plugin, etc.)
- plugin_evt_processor is forward-looking and will allow for parallel reading of events from plugins.
Co-authored-by: Loris Degioanni <loris@sysdig.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This is like evt.datetime but the time part skips nanoseconds. This can be used for events from plugins, which might not need nanosecond resolution. Co-authored-by: Loris Degioanni <loris@sysdig.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
When including inttypes.h, define __STDC_FORMAT_MACROS to ensure that the PRIu32 defines are included. With newer g++ versions this happens automatically, but with older g++ versions, it's still required. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Commit d3a3d5b renamed PACKAGE_NAME to DRIVER_PACKAGE_NAME. While doing so, it missed the template substitution in driver/dkms.conf.in Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…ing using system library. This fixes the linking of libraries at the end of Falco build. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
…make module is not found on system. Ubuntu focal is not shipping the module. Avoid breaking CI and builds on it. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
…path hint. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Loris Degioanni <loris@sysdig.com>
…shared_ptr to a sinsp_threadinfo* using the shared_ptr get() method. This avoids strange behaviors with some compilers. Signed-off-by: Loris Degioanni <loris@sysdig.com>
…excluded under Windows and Mac Signed-off-by: Loris Degioanni <loris@sysdig.com>
Signed-off-by: Loris Degioanni <loris@sysdig.com>
Signed-off-by: Loris Degioanni <loris@sysdig.com>
Signed-off-by: Loris Degioanni <loris@sysdig.com>
…d 2 passes to load users: a first scan to count number of users, and a second scan to actually fill our data structures. Previously, if any user was added in between these 2 steps, we would've segfaulted. Now we will "lose" the new user but we won't crash. While this may seem an unnecessary check, there may be cases (even if never reported) where eg: falco is run as a systemd service and starts very soon during boot up, and some other systemd unit running in parallel is creating some users. The same fix applies to groups loading code too. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…ers) Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
… to sinsp::get_user(), and use it where needed. Moreover, drop a useless assert() in sinsp_filter_check_user::extract(). Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…mmit, plus add another assert() still in sinsp_filter_check_user::extract() after get_user() call. On a second thought, it is better to leave them here as they alert that something is weird, and they only work for debug builds. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…nts. Avoid 2-pass scan of users and groups. Fixed up some small issues. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
This affects downstream packaging (the cmake component name ends up in package names) so make this configurable instead of forcing `scap-driver`. Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
Signed-off-by: Mujahid-Dandoti <Mujahid.Dandoti@ibm.com>
Molter73 pushed a commit that referenced this pull request on Oct 25, 2024:
Signed-off-by: Eddy Duer <eddy.duer@sysdig.com>
Stringy pushed a commit that referenced this pull request on Feb 26, 2026:
glibc-2.42 added __inet_ntop_chk fortification, which started to fail:

*** buffer overflow detected ***: terminated
Program received signal SIGABRT, Aborted.
0x00007ffff629b0dc in __pthread_kill_implementation () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff629b0dc in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007ffff6242572 in raise () from /lib64/libc.so.6
#2  0x00007ffff6229f3b in abort () from /lib64/libc.so.6
#3  0x00007ffff622b148 in __libc_message_impl.cold () from /lib64/libc.so.6
#4  0x00007ffff6327337 in __fortify_fail () from /lib64/libc.so.6
#5  0x00007ffff6326c92 in __chk_fail () from /lib64/libc.so.6
#6  0x00007ffff6327a62 in __inet_ntop_chk () from /lib64/libc.so.6
#7  0x000055555569da3d in inet_ntop (__af=10, __src=0x555555ee0800, __dst=0x7fffffff4f90 "\260P\377\377\377\177", __dst_size=100) at /usr/include/bits/inet-fortified.h:36
#8  ipv6tuple_to_string[abi:cxx11](ipv6tuple*, bool) (tuple=0x555555ee0800, resolve=false) at /tmp/portage/dev-debug/sysdig-0.40.1/work/libs-0.20.0/userspace/libsinsp/utils.c

Use INET6_ADDRSTRLEN as destination buffer size.

Fixes: falcosecurity/libs#2573
Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
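The pattern that fix calls for, as an added C++ example that is neither the libsinsp code nor the fix itself: the fortified inet_ntop() in the trace aborts because the size argument (100 in frame #7) is larger than the destination object the compiler can see, so the destination is declared as INET6_ADDRSTRLEN bytes and the size argument is derived from it with sizeof. The `ipv6_pair` struct, the function names and the "src:sport->dst:dport" output shape are assumptions made here, not libsinsp's ipv6tuple or its formatting.

```cpp
// Added example, not the libsinsp code or its fix: format an IPv6 endpoint
// pair into "src:sport->dst:dport" with a destination buffer that really is
// INET6_ADDRSTRLEN bytes and a size argument taken from that buffer.
#include <arpa/inet.h>
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical stand-in for libsinsp's ipv6tuple: raw 16-byte addresses and
// host-order ports. The real struct's layout is not reproduced here.
struct ipv6_pair {
    uint8_t sip[16];
    uint16_t sport;
    uint8_t dip[16];
    uint16_t dport;
};

// One raw address to text. glibc's fortified inet_ntop() aborts when the
// size argument is larger than the destination object it can see, so the
// size is sizeof(buf), never a larger literal such as 100.
static std::string ipv6_to_string(const uint8_t addr[16]) {
    char buf[INET6_ADDRSTRLEN];  // 46 bytes: longest textual IPv6 address plus NUL
    if (inet_ntop(AF_INET6, addr, buf, sizeof(buf)) == nullptr) {
        return std::string();    // ENOSPC/EAFNOSUPPORT: report failure, not garbage
    }
    return std::string(buf);
}

static std::string ipv6_pair_to_string(const ipv6_pair& t) {
    std::string s = ipv6_to_string(t.sip);
    std::string d = ipv6_to_string(t.dip);
    if (s.empty() || d.empty()) return std::string();
    return s + ":" + std::to_string(t.sport) + "->" + d + ":" + std::to_string(t.dport);
}

// Constructed sample input: 2001:db8::1 port 1234 -> ::1 port 443.
static ipv6_pair sample_pair() {
    ipv6_pair t{};
    inet_pton(AF_INET6, "2001:db8::1", t.sip);
    t.sport = 1234;
    inet_pton(AF_INET6, "::1", t.dip);
    t.dport = 443;
    return t;
}

int main() {
    std::printf("%s\n", ipv6_pair_to_string(sample_pair()).c_str());  // 2001:db8::1:1234->::1:443
    return 0;
}
```

Checking the return value matters as much as the buffer size: with a too-small buffer and _FORTIFY_SOURCE off, inet_ntop() returns NULL with errno set to ENOSPC and leaves the buffer contents unspecified, so a caller that ignores the result would format whatever stale bytes were on the stack.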
Bring our fork up to speed with the upstream falco repo.