From beef31dfb5c57c248cedcdeba6591933e6b738b0 Mon Sep 17 00:00:00 2001 From: Roberto Scolaro Date: Mon, 6 Feb 2023 16:29:55 +0000 Subject: [PATCH] wip: driver selection in falco.yaml Signed-off-by: Roberto Scolaro --- falco.yaml | 7 +++++++ .../falco/app_actions/open_inspector.cpp | 6 +++--- userspace/falco/configuration.cpp | 20 +++++++++++++++++++ userspace/falco/configuration.h | 10 ++++++++++ 4 files changed, 40 insertions(+), 3 deletions(-) diff --git a/falco.yaml b/falco.yaml index 5f20034d877..e7aba6c70d0 100644 --- a/falco.yaml +++ b/falco.yaml @@ -15,6 +15,13 @@ # limitations under the License. # +# Driver modes available: +# - kmod +# - bpf +# - modern_bpf +# - custom +driver_mode: bpf + # File(s) or Directories containing Falco rules, loaded at startup. # The name "rules_file" is only for backwards compatibility. # If the entry is a file, it will be read directly. If the entry is a directory, diff --git a/userspace/falco/app_actions/open_inspector.cpp b/userspace/falco/app_actions/open_inspector.cpp index 98cfa9d4d68..a9a34ac2ba1 100644 --- a/userspace/falco/app_actions/open_inspector.cpp +++ b/userspace/falco/app_actions/open_inspector.cpp @@ -75,18 +75,18 @@ application::run_result application::open_live_inspector( falco_logger::log(LOG_INFO, "Opening capture with gVisor. Configuration path: " + m_options.gvisor_config); inspector->open_gvisor(m_options.gvisor_config, m_options.gvisor_root); } - else if(m_options.modern_bpf) /* modern BPF engine. */ + else if(m_options.modern_bpf || m_state->config->m_driver_mode == driver_mode_type::MODERN_BPF) /* modern BPF engine. */ { falco_logger::log(LOG_INFO, "Opening capture with modern BPF probe."); falco_logger::log(LOG_INFO, "One ring buffer every '" + std::to_string(m_state->config->m_cpus_for_each_syscall_buffer) + "' CPUs."); inspector->open_modern_bpf(m_state->syscall_buffer_bytes_size, m_state->config->m_cpus_for_each_syscall_buffer, true, m_state->ppm_sc_of_interest, m_state->tp_of_interest); } - else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL) /* BPF engine. */ + else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL || m_state->config->m_driver_mode == driver_mode_type::BPF) /* BPF engine. */ { const char *bpf_probe_path = std::getenv(FALCO_BPF_ENV_VARIABLE); char full_path[PATH_MAX]; /* If the path is empty try to load the probe from the default path. */ - if(strncmp(bpf_probe_path, "", 1) == 0) + if(bpf_probe_path == NULL || strncmp(bpf_probe_path, "", 1) == 0) { const char *home = std::getenv("HOME"); if(!home) diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index 1cf7e03a56e..99eab24ebd9 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -30,6 +30,7 @@ limitations under the License. #include "banned.h" // This raises a compilation error when certain functions are used falco_configuration::falco_configuration(): + m_driver_mode(driver_mode_type::KMOD), m_json_output(false), m_json_include_output_property(true), m_json_include_tags_property(true), @@ -84,8 +85,27 @@ void falco_configuration::init(const std::string& conf_filename, const std::vect load_yaml(conf_filename, config); } +static driver_mode_type get_driver_mode(const std::string& input){ + // Set driver mode if not already setted. + if( input == "bpf" ) + { + return driver_mode_type::BPF; + } + else if( input == "modern_bpf" ) + { + return driver_mode_type::MODERN_BPF; + } + else if( input == "custom" ) + { + return driver_mode_type::CUSTOM; + } + return driver_mode_type::KMOD; +} + void falco_configuration::load_yaml(const std::string& config_name, const yaml_helper& config) { + m_driver_mode = get_driver_mode(config.get_scalar("driver_mode", "")); + std::list rules_files; config.get_sequence>(rules_files, std::string("rules_file")); diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h index b3d43756e53..92986141df0 100644 --- a/userspace/falco/configuration.h +++ b/userspace/falco/configuration.h @@ -32,6 +32,15 @@ limitations under the License. #include "event_drops.h" #include "falco_outputs.h" +enum class driver_mode_type : uint8_t +{ + INVALID = 0, + KMOD, + BPF, + MODERN_BPF, + CUSTOM +}; + class falco_configuration { public: @@ -58,6 +67,7 @@ class falco_configuration std::list m_loaded_rules_filenames; // List of loaded rule folders std::list m_loaded_rules_folders; + driver_mode_type m_driver_mode; bool m_json_output; bool m_json_include_output_property; bool m_json_include_tags_property;