Add ability to return all fields exported by a factory #75
Conversation
/ok-to-test
Take advantage of the changes in falcosecurity/libs#75 to have a general-purpose way to list fields for a given event source. in the engine, list_fields() now takes a source, iterates over filter factories, and calls get_fields() for each factory, printing the results. list_source_fields now calls the engine regardless of source. Signed-off-by: Mark Stemm <[email protected]>
Hmm okay 🤷♂️
There's no user of this code added so I have ~zero context on what this is supposed to do
@@ -205,4 +232,7 @@ class gen_event_filter_factory | |||
|
|||
// Create a new filtercheck | |||
virtual gen_event_filter_check *new_filtercheck(const char *fldname) = 0; | |||
|
|||
// Return the set of fields supported by this factory | |||
virtual std::list<filter_fieldclass_info> get_fields() = 0; |
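Review bot: the new pure virtual get_fields() on the last line of this hunk breaks every existing gen_event_filter_factory subclass that does not implement it, including ones outside this repository (the thread mentions Falco's json_events factory), and the one-line comment above it says nothing about that or about what callers may assume of the returned std::list (an owned copy, no particular order, whether non-filterable fields are included). Suggest expanding the comment, e.g. `// Return the set of fields supported by this factory (owned copy). Pure virtual: every factory must implement it.`, so the contract is visible in the header rather than only in the sinsp implementation.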
Why lists and not vectors?
No need for random access, just iteration.
Still, I don't think a list should be the default choice for a container, due to the horrible memory accesses. Probably doesn't matter much here, but maybe at least we'd get cheap .size() with a vector
According to https://stackoverflow.com/questions/228908/is-listsize-really-on .size() is supposed to be O(1) and actually is in gcc >= 5.0. Also, the only use of this method just iterates (once) anyway.
std::list<gen_event_filter_factory::filter_fieldclass_info> get_fields() override; | ||
|
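Review bot: this override declaration gives no hint that it drops some of the factory's fields; since the implementation skips EPF_TABLE_ONLY and EPF_PRINT_ONLY fields (see the later hunk), a short comment here such as `// Only fields usable in filter expressions are returned` would save readers a trip to the .cpp. The fully qualified gen_event_filter_factory::filter_fieldclass_info also suggests the nested type is not visible unqualified in the subclass; a using-declaration would let the signature match the base class textually.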
I assume this is the only subclass?
In the libraries, yes. In falco there's another subclass for "json_events", which are used by the k8s audit rules: https://github.com/leogr/falco/blob/new/plugin-system-api-additions/userspace/engine/json_evt.h#L376.
And after these changes are all merged, we'll be creating a subclass for plugins, so a given plugin can export the set of valid fields used by that plugin.
|
||
for(int32_t k = 0; k < fci->m_nfields; k++) | ||
{ | ||
const filtercheck_field_info* fld = &fci->m_fields[k]; |
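Review bot: the loop header on the first line indexes fci->m_fields with an int32_t counter bounded by fci->m_nfields, and nothing visible in this hunk checks that fci is non-null before fci->m_nfields is read. Either guard it (`if(fci == nullptr) continue;`) or document that the class-info array handed in never contains a null entry. As the thread notes, a range-for would need m_fields converted from a plain array to a vector first.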
fci->m_fields isn't a vector we could iterate over without an explicit index, is it?
that's right, looks like it's been a plain array the whole time: https://github.com/falcosecurity/libs/blob/factory-add-get-fields/userspace/libsinsp/sinsp.h#L143
:sadpanda: might be nice to convert it to a vector later.
if(fld->m_flags & EPF_TABLE_ONLY || | ||
fld->m_flags & EPF_PRINT_ONLY) | ||
{ | ||
continue; | ||
} |
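Review bot: the condition on the first two lines tests the two flags with separate `&` expressions joined by `||`; a single mask `if(fld->m_flags & (EPF_TABLE_ONLY | EPF_PRINT_ONLY))` reads as one check and cannot drift when a third non-filterable flag is later added to only one branch. The comment the reviewer asked for ("if a field can't be used to filter events, we don't want to print it") does not appear in the lines shown, so make sure the pushed version carries it directly above the if.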
What do these flags mean and why do we want this check here?
They are defined here: https://github.com/falcosecurity/libs/blob/factory-add-get-fields/userspace/libsinsp/event.h#L44. Generally if a field can't be used to filter events, we don't want to print it.
(And btw, this is just moving code from falco that did this in a specific way for syscall filterchecks. This PR makes it generic for a "factory" e.g. source of filters/filterchecks/fields).
Thanks for the explanation.
if a field can't be used to filter events, we don't want to print it
this should live as a comment above this if
Okay, added.
By the way, all of these PRs are used in this Falco PR (falcosecurity/falco#1715), if you want to see how they are used.
8038b1e to ff9868b
a179dc7 to 59ff689
/approve
LGTM, just a note since the next Falco release is very close.
The new get_fields() conflicts with the one already present here in Falco (so basically Falco won't compile until the signature gets adjusted in Falco).
I know that's addressed by falcosecurity/falco#1715. However, we likely have to upgrade the version of the libs in Falco soon and I'm not confident falcosecurity/falco#1715 will get merged in time.
Thus, I wouldn't risk blocking the Falco release. So,
/hold
for the moment.
LGTM label has been added. Git tree hash: 883da564554e61b2aecfa056eadf99a7466a151d
Falco 0.30.0 is released so I'm removing the hold.
Add the ability to return all fields exported by a factory. This is important for programs like falco that need to validate rule filter expressions for various event sources, as well as print out sets of supported fields. Previously, falco did direct calls to sinsp::get_filtercheck_fields_info but we're trying to standardize everything to work through factories, to make it easier to support new event sources. This PR supports that work. Signed-off-by: Mark Stemm <[email protected]>
59ff689 to 1fdf3af
/approve
LGTM label has been added. Git tree hash: f3f1fe505e425a28717cfb3c660ab20bf0034e88
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: leogr, mstemm.
Pinned to a commit that contains PRs falcosecurity/libs#74, falcosecurity/libs#75, falcosecurity/libs#76, falcosecurity/libs#77 Signed-off-by: Mark Stemm <[email protected]>
Add the ability to return all fields exported by a factory. This is
important for programs like falco that need to validate rule filter
expressions for various event sources, as well as print out sets of
supported fields.
Previously, falco did direct calls to
sinsp::get_filtercheck_fields_info but we're trying to standardize
everything to work through factories, to make it easier to support new
event sources. This PR supports that work.
Signed-off-by: Mark Stemm <[email protected]>
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area libsinsp
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
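A compact model of the mechanism this PR and the Falco commit message describe: an engine holding one or more filter factories per event source, calling get_fields() on each and skipping fields flagged EPF_TABLE_ONLY or EPF_PRINT_ONLY because they cannot be used in a filter expression (the check discussed in the review thread above), then using the resulting set to validate the field references in a rule. This is added example code, not code from falcosecurity/libs or Falco. The type and flag names mirror the ones in the thread, but the flag bit values, the syscall_factory and json_factory classes, the engine class, make_example_engine() and the sample field sets are assumptions constructed here.

```cpp
// Added example, not falcosecurity/libs code.  Names shared with the PR
// (gen_event_filter_factory, filter_fieldclass_info, EPF_*) mirror its API in
// shape only; every value and class below is invented for illustration.
#include <cstdint>
#include <iostream>
#include <list>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Assumed flag bits (libs defines its own values in event.h).
enum field_flags : uint32_t {
    EPF_NONE       = 0,
    EPF_TABLE_ONLY = 1u << 0,  // usable only in table/aggregation output
    EPF_PRINT_ONLY = 1u << 1,  // usable only in output formatting, not in filters
};

struct filtercheck_field_info {
    std::string name;
    uint32_t    flags;
};

// One class of fields ("evt", "proc", "ka", ...) and the fields it exports.
struct filter_fieldclass_info {
    std::string name;
    std::list<filtercheck_field_info> fields;
};

struct gen_event_filter_factory {
    virtual ~gen_event_filter_factory() = default;
    // Return the set of fields supported by this factory (same shape as the
    // pure virtual added by the PR; list chosen because callers only iterate).
    virtual std::list<filter_fieldclass_info> get_fields() = 0;
};

// Invented stand-in for the syscall (sinsp) factory.
class syscall_factory : public gen_event_filter_factory {
public:
    std::list<filter_fieldclass_info> get_fields() override {
        return {
            {"evt",  {{"evt.type", EPF_NONE}, {"evt.num", EPF_NONE},
                      {"evt.info", EPF_PRINT_ONLY}}},
            {"proc", {{"proc.name", EPF_NONE}, {"proc.cmdline", EPF_NONE},
                      {"proc.cpu", EPF_TABLE_ONLY}}},
        };
    }
};

// Invented stand-in for Falco's json_events (k8s audit) factory.
class json_factory : public gen_event_filter_factory {
public:
    std::list<filter_fieldclass_info> get_fields() override {
        return {{"ka", {{"ka.user.name", EPF_NONE}, {"ka.verb", EPF_NONE}}}};
    }
};

// Engine keeps factories per event source, as the Falco PR describes.
class engine {
public:
    void add_factory(const std::string &source,
                     std::shared_ptr<gen_event_filter_factory> f) {
        m_factories[source].push_back(std::move(f));
    }

    // Fields usable in filter expressions for a source.  If a field can't be
    // used to filter events (table-only or print-only), it is skipped.
    std::vector<std::string> filter_fields(const std::string &source) const {
        std::vector<std::string> out;
        auto it = m_factories.find(source);
        if (it == m_factories.end()) return out;          // unknown source
        for (const auto &factory : it->second) {
            for (const auto &fci : factory->get_fields()) {
                for (const auto &fld : fci.fields) {
                    if (fld.flags & (EPF_TABLE_ONLY | EPF_PRINT_ONLY)) continue;
                    out.push_back(fld.name);
                }
            }
        }
        return out;
    }

    // Validate a rule's (pre-tokenised) field references against the source;
    // returns the references no factory for that source exports.
    std::vector<std::string> unknown_fields(
            const std::string &source, const std::vector<std::string> &refs) const {
        auto known = filter_fields(source);
        std::set<std::string> idx(known.begin(), known.end());
        std::vector<std::string> bad;
        for (const auto &r : refs)
            if (!idx.count(r)) bad.push_back(r);
        return bad;
    }

private:
    std::map<std::string,
             std::vector<std::shared_ptr<gen_event_filter_factory>>> m_factories;
};

// Constructed sample engine: one syscall factory, one json (k8s audit) factory.
inline engine make_example_engine() {
    engine e;
    e.add_factory("syscall", std::make_shared<syscall_factory>());
    e.add_factory("k8s_audit", std::make_shared<json_factory>());
    return e;
}

int main() {
    engine e = make_example_engine();
    for (const auto &name : e.filter_fields("syscall")) std::cout << name << '\n';
    // proc.cpu is table-only and ka.verb belongs to another source: both rejected.
    for (const auto &bad : e.unknown_fields("syscall", {"proc.name", "proc.cpu", "ka.verb"}))
        std::cout << "unknown field in filter: " << bad << '\n';
    return 0;
}
```

The validation step is why the PR matters beyond printing: with every source exposing its fields through the same factory interface, a rule that references a print-only field, or a field from a different event source, can be rejected at load time instead of silently never matching.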