Merged
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
…g state initialization Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
…syscall events Recently, concatenated scap files support has been extended to read dump files containing plugin events too. However, this apparently broke the support to concatenated files containing syscall events. This is now fixed by using the refactorings from the previous commits. Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
…imize simpleconsumer mode by filtering syscalls kernel side, for both eBPF and kmod. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…ernal API to support sinsp::(un)set_eventmask() API on eBPF too. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Luca Guerra <luca@guerra.sh>
…) function. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…gtest Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
…bsinsp executable Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
…version() function. Moreover, provide sinsp wrappers: get_plugin_api_version() and get_plugin_api_version_str(). Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…rsion vs framework's one. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…ion defines from libscap and moved all the logic to libsinsp. This is way better because it is libsinsp that does all the checks indeed. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
…n defines to scap plugin_info.h. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
Previously, as plugins were loaded, each plugin would create two filtercheck objects:
- A sinsp_filter_check_plugininfo object that defined the fields evt.pluginname/evt.plugininfo, with an implementation that only returned values for events coming from that specific plugin.
- A sinsp_filter_check_plugin object that defined the fields exported by the plugin.

This made interpreting the output of sysdig -l/falco --list confusing, as you would get multiple sections in the output for the almost-duplicate filterchecks. Fix this by moving evt.plugininfo/evt.pluginname into sinsp_filter_check_gen_event and looking up the plugin object on the fly. This avoids the almost-duplicate filtercheck objects, which makes it easier to print a clean list of fields, as these fields are only defined in one filtercheck object.

Also, *only* create a sinsp_filter_check_gen_event object for source plugins. There isn't any need to create one for extractor plugins, which don't work directly with event meta-data like event number, timestamp, etc.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add additional info to filter_field_info:
- shortdesc: a small (3-5 word) description of the field class, suitable for printing on the same line as the field class without line wrapping.
- data_type: the data type the filtercheck field works with (e.g. CHARBUF, UINT64, IPADDR, etc).
- tags: a set of free-form tags for the field. Examples include "FILTER ONLY", IDX_REQUIRED, etc.

This will make it easier to print rich information about each field. Also fill in shortdesc for selected filtercheck objects to help provide context when printing fields.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
When plugins are loaded for programs that don't use event types, you might end up with duplicate sinsp_filter_check_gen_event objects being added to the g_filterlist filter_check_list. This isn't harmful, but it results in duplicate entries when listing the full set of filter fields. Handle this by checking to see if there's already a filter_check object with the same name (e.g. "evt") and shortdesc (e.g. "All event types"). If there's a duplicate, simply delete the to-be-added object. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add a convenience method sinsp_filter_factory::check_infos_to_fieldclass_infos() that converts from a vector<filter_check_info> (e.g. filterchecks specifically for sinsp events) to a list<filter_fieldclass_info> (e.g. description of fields for all event types). This makes it easier to have a single method to print info about filtercheck fields. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add methods to filter_fieldclass_info to return a pretty-printed representation of the field class, as a string. The output looks like the following:

-------------------------------
Field Class: evt (All event types)
Description: These fields can be used for all event types
Event Sources: aws_cloudtrail syscall

evt.num (Type: UINT64)
event number.
...

Internally, it uses stringstreams to tokenize long strings like the description, etc, and wrap them as needed. It also cleans up the output so words aren't broken across lines. It has options to print verbose information (adding Types for each field), and if a set of event sources was provided, those are printed as well.

This will allow the --list outputs of falco, as well as other programs that use the libs, to have a single representation of fields.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
list_fields() is used by programs that use the falcosecurity libs but are not falco, with its strong notion of event types. Replace the old version, which used printf and character-by-character iteration over line strings, with using sinsp_filter_factory::check_infos_to_fieldclass_infos to get a generic representation of field classes, and filter_fieldclass_info::as_string to format the field class info as a string. markdown output is now in a dedicated (static) function list_fields_markdown(). This allows for a consistent display of field info across programs. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This ensures that they will be displayed next to each other when printing all fields. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
… code Signed-off-by: Joseph Pittman <joseph.pittman@sysdig.com>
Since we're switching the *effective* uid and gid, we should switch back to the original *effective* uid and gid as well, not the *real* one. Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>
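The distinction in the commit message above, shown as an added example in C (this is not libsinsp code; the struct and function names are hypothetical): the effective ids are captured with geteuid()/getegid() before the switch and restored from those saved values, and the restore is verified rather than trusted. In a setuid binary the real and effective ids differ, which is exactly the case where saving getuid()/getgid() would restore the wrong identity.

```c
/* Added example, not libsinsp code: save and restore the *effective* uid/gid
 * around a privileged operation. Names below are hypothetical. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

struct saved_ids {
    uid_t euid;
    gid_t egid;
};

/* Record the current *effective* ids. The buggy pattern recorded getuid()/getgid()
 * (the real ids); in a setuid binary those differ from the effective ones, so
 * "restoring" them would silently leave the process with the wrong privileges. */
struct saved_ids save_effective_ids(void)
{
    struct saved_ids s;
    s.euid = geteuid();
    s.egid = getegid();
    return s;
}

/* Temporarily switch effective ids. Group first: once the euid is unprivileged,
 * a setegid() to a foreign group is no longer permitted. */
int switch_effective_ids(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) return -1;
    return 0;
}

/* Switch back to what was saved. Order is reversed: regain the euid first so the
 * setegid() is permitted. Then verify the kernel actually did it; a privilege
 * transition that is not checked is a classic source of silent failures. */
int restore_effective_ids(const struct saved_ids *s)
{
    if (seteuid(s->euid) != 0) return -1;
    if (setegid(s->egid) != 0) return -1;
    if (geteuid() != s->euid || getegid() != s->egid) return -1;
    return 0;
}

int main(void)
{
    struct saved_ids s = save_effective_ids();
    /* Unprivileged demo: switching to our own effective ids is always permitted. */
    if (switch_effective_ids(s.euid, s.egid) != 0) { perror("switch"); return 1; }
    if (restore_effective_ids(&s) != 0) { perror("restore"); return 1; }
    printf("real uid %u, effective uid %u (restored)\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Run as an ordinary user the real and effective ids coincide and the demo is a no-op; install it setuid-root (or run it from a setuid launcher) and the two printed values differ, which is the case the commit fixes.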
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Without this patch, compilation failed with:

ERROR: modpost: "__umoddi3" [/home/abuild/rpmbuild/BUILD/sysdig-0.27.0/build/driver/src/sysdig-probe.ko] undefined!

sysdig-CLA-1.0-signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
…to be tried in fallback manner. This allows passing multiple "--cri" options in Falco and being sure that the first socket that works will be used. A PR in Falco is needed to manage multiple "--cri" options though. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
…bucket unit test. This fixes the build on Debian 10, for example. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com>
Signed-off-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
Prefer += over +. Tested with callgrind, ~2x improvement. Signed-off-by: Angelo Puglisi <angelopuglisi86@gmail.com>
…roups(). Basically, cgroups v2 uses the "Unified hierarchy" for subsystems, thus the subsys list string is always empty in the /proc/pid/cgroup file. Work around this by forcing a default set of subsystems <cpu,cpuset,memory>. For cgroups v1 instead everything is kept the same. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
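The /proc/pid/cgroup difference described in the commit above, as an added C example that is not the libsinsp implementation: each line is "hierarchy-ID:controller-list:cgroup-path"; under cgroups v1 the controller list is comma-separated and each controller becomes its own entry, under cgroups v2 the list is empty ("0::/path") and the parser assigns the default set the commit names. The struct and function names are hypothetical, and the two input lines are constructed.

```c
/* Added example, not libsinsp code: parse /proc/<pid>/cgroup lines, applying the
 * cgroups v2 workaround (empty controller list -> default set cpu,cpuset,memory). */
#include <stdio.h>
#include <string.h>

#define MAX_CGROUPS 32

struct cgroup_entry {
    char subsys[32];
    char path[256];
};

/* Default controllers assigned to a v2 (unified hierarchy) entry, per the commit. */
static const char *const default_v2_subsys[] = { "cpu", "cpuset", "memory" };

/* Parse one line into out[]. Returns the number of entries appended, or -1 on
 * malformed input (missing colons, empty path, path too long for the buffer). */
int parse_cgroup_line(const char *line, struct cgroup_entry *out, int max_out)
{
    const char *c1 = strchr(line, ':');
    if (!c1) return -1;
    const char *c2 = strchr(c1 + 1, ':');
    if (!c2) return -1;

    /* controller list sits between the two colons; the path follows the second */
    size_t subsys_len = (size_t)(c2 - (c1 + 1));
    const char *path = c2 + 1;
    size_t path_len = strcspn(path, "\n");
    if (path_len == 0 || path_len >= sizeof(out[0].path)) return -1;

    int n = 0;
    if (subsys_len == 0) {
        /* cgroups v2: unified hierarchy, so the kernel prints no controllers.
         * Emit the default set so consumers keyed on "cpu"/"memory" still resolve. */
        size_t ndef = sizeof(default_v2_subsys) / sizeof(default_v2_subsys[0]);
        for (size_t i = 0; i < ndef && n < max_out; i++) {
            snprintf(out[n].subsys, sizeof(out[n].subsys), "%s", default_v2_subsys[i]);
            snprintf(out[n].path, sizeof(out[n].path), "%.*s", (int)path_len, path);
            n++;
        }
        return n;
    }

    /* cgroups v1: one entry per comma-separated controller, same path for each */
    const char *p = c1 + 1;
    while (p < c2 && n < max_out) {
        const char *comma = memchr(p, ',', (size_t)(c2 - p));
        const char *end = comma ? comma : c2;
        size_t len = (size_t)(end - p);
        if (len == 0 || len >= sizeof(out[n].subsys)) return -1;
        memcpy(out[n].subsys, p, len);
        out[n].subsys[len] = '\0';
        snprintf(out[n].path, sizeof(out[n].path), "%.*s", (int)path_len, path);
        n++;
        p = end + 1;
    }
    return n;
}

/* Look up the cgroup path recorded for a controller, or NULL if absent. */
const char *cgroup_path_for(const struct cgroup_entry *e, int n, const char *subsys)
{
    for (int i = 0; i < n; i++)
        if (strcmp(e[i].subsys, subsys) == 0) return e[i].path;
    return NULL;
}

int main(void)
{
    /* constructed sample lines: one v2 (unified) and one v1 */
    const char *samples[] = { "0::/kubepods/burstable/pod1/ctr\n", "4:cpu,cpuacct:/docker/abc\n" };
    for (size_t s = 0; s < 2; s++) {
        struct cgroup_entry e[MAX_CGROUPS];
        int n = parse_cgroup_line(samples[s], e, MAX_CGROUPS);
        for (int i = 0; i < n; i++)
            printf("%s -> %s\n", e[i].subsys, e[i].path);
    }
    return 0;
}
```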
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…in evttype_filter unit tests to avoid a build failure with some gtest versions. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Michael Cho <cho-m@tuta.io>
Signed-off-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com>
Signed-off-by: Mauro Ezequiel Moltrasio <mmoltras@redhat.com>
… and exit for some syscalls Signed-off-by: Luca Guerra <luca@guerra.sh> Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: vadim.zyarko <vadim.zyarko@sysdig.com>
Signed-off-by: vadim.zyarko <vadim.zyarko@sysdig.com>
Stringy approved these changes Mar 10, 2022
Stringy pushed a commit that referenced this pull request Feb 26, 2026
glibc-2.42 added __inet_ntop_chk fortification, which started to fail:

*** buffer overflow detected ***: terminated
Program received signal SIGABRT, Aborted.
0x00007ffff629b0dc in __pthread_kill_implementation () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff629b0dc in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007ffff6242572 in raise () from /lib64/libc.so.6
#2  0x00007ffff6229f3b in abort () from /lib64/libc.so.6
#3  0x00007ffff622b148 in __libc_message_impl.cold () from /lib64/libc.so.6
#4  0x00007ffff6327337 in __fortify_fail () from /lib64/libc.so.6
#5  0x00007ffff6326c92 in __chk_fail () from /lib64/libc.so.6
#6  0x00007ffff6327a62 in __inet_ntop_chk () from /lib64/libc.so.6
#7  0x000055555569da3d in inet_ntop (__af=10, __src=0x555555ee0800, __dst=0x7fffffff4f90 "\260P\377\377\377\177", __dst_size=100) at /usr/include/bits/inet-fortified.h:36
#8  ipv6tuple_to_string[abi:cxx11](ipv6tuple*, bool) (tuple=0x555555ee0800, resolve=false) at /tmp/portage/dev-debug/sysdig-0.40.1/work/libs-0.20.0/userspace/libsinsp/utils.c

Use INET6_ADDRSTRLEN as destination buffer size.

Fixes: falcosecurity/libs#2573

Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
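The pattern the fix above calls for, as an added C example that is not the libsinsp code: the destination buffer is declared with INET6_ADDRSTRLEN and the size passed to inet_ntop() is taken from that buffer with sizeof, so the fortified __inet_ntop_chk sees a length that matches the real object instead of a hard-coded 100. The struct, function names and the "[src]:sport->[dst]:dport" layout are hypothetical.

```c
/* Added example, not libsinsp code: format an IPv6 4-tuple with the destination
 * buffer sized by INET6_ADDRSTRLEN. Names and output layout are hypothetical. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

struct ipv6_tuple {
    struct in6_addr sip;
    struct in6_addr dip;
    uint16_t sport;
    uint16_t dport;
};

/* Convert one address. Refuse any buffer that cannot hold the longest textual
 * form (39 chars + NUL fits in INET6_ADDRSTRLEN). The length handed to
 * inet_ntop() is the caller's real buffer size, never a constant. Returns 0 on success. */
int ipv6_to_str(const struct in6_addr *a, char *buf, size_t buflen)
{
    if (buflen < INET6_ADDRSTRLEN) return -1;
    return inet_ntop(AF_INET6, a, buf, (socklen_t)buflen) ? 0 : -1;
}

/* Format "src:sport->dst:dport"; fails rather than truncating if out is too small. */
int ipv6_tuple_to_string(const struct ipv6_tuple *t, char *out, size_t outlen)
{
    char src[INET6_ADDRSTRLEN];   /* sized by the constant, passed via sizeof below */
    char dst[INET6_ADDRSTRLEN];
    if (ipv6_to_str(&t->sip, src, sizeof(src)) != 0) return -1;
    if (ipv6_to_str(&t->dip, dst, sizeof(dst)) != 0) return -1;
    int n = snprintf(out, outlen, "%s:%u->%s:%u",
                     src, (unsigned)t->sport, dst, (unsigned)t->dport);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* constructed sample tuple: ::1 -> 2001:db8::1 */
    struct ipv6_tuple t;
    char out[128];
    inet_pton(AF_INET6, "::1", &t.sip);
    inet_pton(AF_INET6, "2001:db8::1", &t.dip);
    t.sport = 8080;
    t.dport = 443;
    if (ipv6_tuple_to_string(&t, out, sizeof(out)) == 0)
        puts(out);
    return 0;
}
```

With _FORTIFY_SOURCE enabled the check that fired in the backtrace compares the size argument against the compiler's knowledge of the destination object; deriving that argument from sizeof of the declared buffer is what keeps the two in agreement.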
This PR pulls the changes made to the upstream falco repository.