Rebases our changes onto latest falco, fixing merge conflicts#5
Closed
Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
As discussed with other contributors and proposed by @mstemm, we remove the next exported symbol to present an easier interface to plugin authors.
Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
All plugin filterchecks will only work on the plugin event type PPME_PLUGINEVENT_E, so override the default evttypes() method to return that event type only. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
If plugin init fails, return some kind of error string rather than nothing. The init failure is likely before plugin_init completes, so we can't call get_last_error(). Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Previously the type was checked but not returned in the list of ::info structs. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
…es, that mark a block type with a 4B argument payload size header. Automatically resize scap handle->m_file_evt_buf to fit largest payload size (starting from 65536, i.e. normal syscalls limit). Use 4B size header for plugins payloads. Syscall driven events still use old block type.
new(userspace/libsinsp): Use 4B size header for container metadata. Switch various len function-local variables to uint32_t instead of uint16_t to deal with possible new size. Updated event::load_params() to account for new EF_LARGE_PAYLOAD flag.
new(driver): added EF_LARGE_PAYLOAD flag. Updated event_table adding EF_LARGE_PAYLOAD flag for PPME_CONTAINER_JSON_E and PPME_PLUGINEVENT_E.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Now that memory is always either owned by the plugin framework (init config/open params) or owned by the plugin (data payloads, extracted strings, demographic info), all char*/uint8_t* values involved in the api should be const. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
* bound check state->n_drops_X counters
* moved off_bounded declaration near its usage in bpf_parse_readv_writev_bufs()
* force-disable switch jump table
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…, not kmod: kmod allows jump table usage. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Now that strings are being returned as const char*, make sure the variable holding the returned value is const char*. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Falco has a build variant that uses musl libc, and musl libc already defines strlcpy, so we don't want strlcpy when compiling with musl libc. So check for it at cmake time and if found set HAVE_STRLCPY. And only include the one in strlcpy.h if HAVE_STRLCPY is not defined. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This caused spurious segmentation faults, because generally there is no guarantee that the plugin sets res_str to NULL if field_present is set to false. Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
In environments using CRI, imageID can be recovered in 2 ways: by reading it from the container info or by doing an extra query. Due to the extra query not working in GKE environments, it's safer to check whether imageID has already been found instead of unconditionally overwriting it.
Signed-off-by: Radu Andries <radu.andries@sysdig.com>
Signed-off-by: Kevin Kauffman <speedyguy17@gmail.com>
Move the check for strlcpy to before including the libs dirs so CFLAGS is properly set. Also add some messages. Signed-off-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
… with large payload; leave old ones untouched to avoid breaking backward compatibility. This way, new scap files with PPME_CONTAINER_JSON_2_ events cannot be opened by old falco; moreover, new falco can correctly open old PPME_CONTAINER_JSON_ events.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
Signed-off-by: Sachin Kumar Singh <sachinkumarsingh092@gmail.com>
This should explain the purpose of this class better.
Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Rootless podman containers have multiple sockets (one per user account), and we don't really want to spawn a separate thread for each user. This means that we can no longer use a single CURL handle but need to create a new one for each individual request. Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
All the platform-specific code from docker_async_source is moved to a new docker_connection class. The interface is almost identical, so keep a single header file with two separate implementation files (one for Linux, one for Windows). Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
This is a private implementation detail of the connection class. Also, this fixes a bug where (on Windows) we appended `?size=true` to the wrong place in the request (to the Host header, not the URL).
Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
We need full control over the request to make this method suitable for putting in a base class. Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
All the code after the initial docker container detection is platform-agnostic and can be moved to a base class. Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
The return value is limited to 32 bits, which chops off most high-order bits. Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Andrea Bonanno <andrea@bonanno.cloud>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
I noticed that some external projects were being reconfigured/built with every make, even though no files in the external project had been updated. With some debugging I noticed that git based external projects were re-running their "update" step every time, and that in turn caused the configure/build/install steps to re-run as well. (Generally the build step is a no-op as the Makefile/etc. in the external project is well formed and doesn't do anything, but the configure/install steps still run). It seems related to this cmake bug: https://gitlab.kitware.com/cmake/cmake/-/issues/19703. In short, the git update step for an external project does not create any "done" file that denotes that the files are still up-to-date. Without that "done" file, the update step is always run, and that in turn causes the other steps for the external project to re-run as well. The best way to fix this seems to be to skip the update step by defining an empty UPDATE_COMMAND. As long as the downloaded code for a given hash/tag/etc does not change, the update step is unnecessary. And if we *really* wanted to ensure unchanged dependencies, we would download our own copies anyway. Making this change significantly cleans up the falco build to avoid rebuilding git based external dependencies. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
…to be tried in fallback manner. This allows passing multiple "--cri" options in Falco and being sure that the first socket that works will be used. A PR in Falco is needed to manage multiple "--cri" options though.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
…bucket unit test. This fixes build in debian 10 for example. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com>
Signed-off-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
Prefer += over +. Tested with callgrind, ~2x improvement.
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
…roups(). Basically, cgroups v2 uses the "Unified hierarchy" for subsystems, thus the subsys list string is always empty in the /proc/pid/cgroup file. Work around this by forcing a default set of subsystems <cpu,cpuset,memory>. For cgroups v1 instead everything is kept the same.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…in evttype_filter unit tests to avoid a build failure with some gtest versions. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Michael Cho <cho-m@tuta.io>
Signed-off-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com>
Signed-off-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com>
72af61d to 27992b1
Author (Collaborator): superseded by #6
Stringy pushed a commit that referenced this pull request on Feb 26, 2026:
glibc-2.42 added __inet_ntop_chk fortification, which started to fail:

*** buffer overflow detected ***: terminated
Program received signal SIGABRT, Aborted.
0x00007ffff629b0dc in __pthread_kill_implementation () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff629b0dc in __pthread_kill_implementation () from /lib64/libc.so.6
#1 0x00007ffff6242572 in raise () from /lib64/libc.so.6
#2 0x00007ffff6229f3b in abort () from /lib64/libc.so.6
#3 0x00007ffff622b148 in __libc_message_impl.cold () from /lib64/libc.so.6
#4 0x00007ffff6327337 in __fortify_fail () from /lib64/libc.so.6
#5 0x00007ffff6326c92 in __chk_fail () from /lib64/libc.so.6
#6 0x00007ffff6327a62 in __inet_ntop_chk () from /lib64/libc.so.6
#7 0x000055555569da3d in inet_ntop (__af=10, __src=0x555555ee0800, __dst=0x7fffffff4f90 "\260P\377\377\377\177", __dst_size=100) at /usr/include/bits/inet-fortified.h:36
#8 ipv6tuple_to_string[abi:cxx11](ipv6tuple*, bool) (tuple=0x555555ee0800, resolve=false) at /tmp/portage/dev-debug/sysdig-0.40.1/work/libs-0.20.0/userspace/libsinsp/utils.c

Use INET6_ADDRSTRLEN as destination buffer size.

Fixes: falcosecurity/libs#2573
Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
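The INET6_ADDRSTRLEN fix described in the commit above, written out as an added C example (not code from libs or from this PR): a wrapper that checks the destination size before calling inet_ntop so an undersized buffer becomes an error return instead of a fortify abort, and a tuple formatter that sizes its address buffers exactly. The struct and function names (ipv6_tuple_demo, bounded_inet_ntop, demo) are hypothetical and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Fortified inet_ntop (glibc 2.42 __inet_ntop_chk) aborts when the size
 * passed exceeds the real destination object. This wrapper makes the
 * precondition explicit: the caller gets -1/ENOSPC instead of SIGABRT.
 * Returns 0 on success, -1 with errno set otherwise. */
int bounded_inet_ntop(int af, const void *src, char *dst, size_t dstlen) {
    size_t need = (af == AF_INET6) ? INET6_ADDRSTRLEN
                : (af == AF_INET)  ? INET_ADDRSTRLEN : 0;
    if (need == 0) { errno = EAFNOSUPPORT; return -1; }
    if (dstlen < need) { errno = ENOSPC; return -1; }
    return inet_ntop(af, src, dst, (socklen_t)dstlen) ? 0 : -1;
}

/* Hypothetical 5-tuple, mirroring the shape of the ipv6tuple in the trace. */
struct ipv6_tuple_demo {
    struct in6_addr sip, dip;
    unsigned short sport, dport;
};

/* Renders "src:port->dst:port". Address buffers are exactly
 * INET6_ADDRSTRLEN, and the size passed down is sizeof the buffer,
 * never a guessed constant such as 100. */
int ipv6_tuple_to_string(const struct ipv6_tuple_demo *t, char *out, size_t outlen) {
    char s[INET6_ADDRSTRLEN], d[INET6_ADDRSTRLEN];
    if (bounded_inet_ntop(AF_INET6, &t->sip, s, sizeof s) != 0) return -1;
    if (bounded_inet_ntop(AF_INET6, &t->dip, d, sizeof d) != 0) return -1;
    int n = snprintf(out, outlen, "%s:%u->%s:%u", s, t->sport, d, t->dport);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed sample: 2001:db8::1 port 443 -> 2001:db8::2 port 51820. */
int demo(char *out, size_t outlen) {
    struct ipv6_tuple_demo t;
    memset(&t, 0, sizeof t);
    inet_pton(AF_INET6, "2001:db8::1", &t.sip);
    inet_pton(AF_INET6, "2001:db8::2", &t.dip);
    t.sport = 443; t.dport = 51820;
    return ipv6_tuple_to_string(&t, out, outlen);
}

/* Returns 1 if the wrapper rejects an 8-byte buffer with ENOSPC. */
int demo_rejects_short_buffer(void) {
    struct in6_addr a; char small[8];
    memset(&a, 0, sizeof a);
    return bounded_inet_ntop(AF_INET6, &a, small, sizeof small) == -1 && errno == ENOSPC;
}
```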
No description provided.