Add plugins support #1753
Conversation
/retest
[APPROVALNOTIFIER] This PR is APPROVED.
This pull-request has been approved by: leogr, mstemm.
The full list of commands accepted by this bot can be found here. The pull request process is described here.
This moves up the commit to one that has plugins support. Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Loris Degioanni <loris@sysdig.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Update config code/default falco.yaml to add support for plugins:
- Update config parsing methods to support reading plugin config objects in a list from yaml.
- The default config defines the cloudtrail/json plugins but does not give them any actual config for init config/open params (cloudtrail), or init config (json).
- load_plugins is empty so neither plugin is actually loaded by default.
Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Loris Degioanni <loris@sysdig.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
It took a while, but we remembered to finish moving the token_bucket from falco engine to libs. There were 2 copies for a while. This brings over one change to libs--to have an optional timer function. Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Loris Degioanni <loris@sysdig.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add a cmake module "plugins" that does the following:
- Downloads/installs the plugins artifacts from a known tag
- Copies the resulting cloudtrail/json shared libraries to CMAKE_CURRENT_BINARY_DIR/plugins
- Installs them to FALCO_SHARE_DIR/plugins
The default config will define the plugins but they will be disabled by default.
Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Loris Degioanni <loris@sysdig.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
These rules can be used when combined with the cloudtrail plugin. They're installed to /etc/falco like the other rules files. Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Loris Degioanni <loris@sysdig.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Mostly plugins are just handled as a new filter/formatter factory with a new source based on the loaded input plugin, but there are a few changes at the engine level:
- is_source_valid returns whether a filter/formatter factory exists for a given source. Will be used by rules loaded to skip rules for an unknown source.
- The falco engine now holds the required_plugin_version predicates found in rules files and a method is_plugin_compatible returns whether a plugin semver is compatible with the predicates in the rules.
- Update the falco engine version and fields checksum for plugins.
Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Loris Degioanni <loris@sysdig.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Rules loading changes for plugins:
- Parse required_engine_versions from yaml and pass up to rules loader as a lua table as an additional return value from load_rules().
- C++ rules loader converts to map: plugin -> list of required plugin versions.
- Support is_source_valid callback from lua, calls engine method. If a source is not valid, skip any rules for that source and add a warning.
Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Loris Degioanni <loris@sysdig.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
The generic events support already handled most of this, with a dedicated formatter factory for plugin sources. Just one missing header include and change the logic slightly for json parsing. Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Loris Degioanni <loris@sysdig.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Update the falco binary to add support for plugins.
- Keep track of an "event source", which is initially "syscall" but changes to the input plugin's source if a source plugin ends up being loaded.
- New argument --list-plugins will return info on any loaded plugins, using sinsp_plugin::plugin_infos.
- Create filter/formatter factories for plugins. This ensures that filterchecks for syscalls are not used for plugins and vice versa.
- Use sinsp_plugin::register_plugin() to load each plugin found in config. The first source plugin found (if any) calls engine->add_source with the source plugin's event source.
- If a second source plugin is found, exit with an error.
- Extractor plugins must be compatible with the event source (usually the plugin event source, but could be "syscall"). If not, exit with an error.
- Multiple extractor plugins are allowed, but they can not have overlapping compatible event sources. This is mostly to avoid confusion, but we might change this later.
- After loading plugins, use engine is_plugin_compatible to ensure that the plugin is compatible with any required_plugin_version blocks in falco rules.
- Normally falco would log warnings if too many SCAP_TIMEOUT results were received. These are more expected when using plugins, so only log these warnings when using syscalls.
Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Loris Degioanni <loris@sysdig.com> Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
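The config, engine, rules-loader and falco-binary commits above together describe a small set of load-time checks: plugins listed in falco.yaml are only loaded when named in load_plugins, at most one source plugin may be loaded, every extractor plugin must support the resulting event source and no two extractors may claim the same source, and each loaded plugin's version must satisfy the required_plugin_versions predicates collected from the rules files. The Python below is an added example that models those checks end to end; it is not Falco's code and does not use Falco's API. The plugin metadata, config dicts and rules in it are constructed, the library_path -> Plugin registry stands in for dlopen(), and the semver rule (same major, at least the required minor.patch) and the two-pass ordering are assumptions, not something this PR states.

```python
# Added example (not Falco's code): a model of the plugin-loading checks
# described in the PR's commit messages. All plugins, config and rules below
# are constructed; the dict shapes mirror the falco.yaml "plugins" list,
# "load_plugins" and the rules' "required_plugin_versions" block.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class PluginLoadError(Exception):
    """Raised where the commit message says falco exits with an error."""


@dataclass
class Plugin:
    name: str
    version: str                        # "major.minor.patch"
    kind: str                           # "source" or "extractor"
    event_source: Optional[str] = None  # source plugins: the source they produce
    extract_sources: Set[str] = field(default_factory=set)  # extractors: sources handled


def parse_version(v: str) -> Tuple[int, int, int]:
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"plugin version must be major.minor.patch, got {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_plugin_compatible(plugin_version: str, required_version: str) -> bool:
    """Assumed semver rule: same major, and at least the required minor.patch."""
    pmaj, pmin, ppat = parse_version(plugin_version)
    rmaj, rmin, rpat = parse_version(required_version)
    return pmaj == rmaj and (pmin, ppat) >= (rmin, rpat)


def required_plugin_versions(rules: List[dict]) -> Dict[str, List[str]]:
    """Map plugin name -> every version predicate found in the rules files."""
    required: Dict[str, List[str]] = {}
    for item in rules:
        for req in item.get("required_plugin_versions", []):
            required.setdefault(req["name"], []).append(req["version"])
    return required


def load_plugins(config: dict, registry: Dict[str, Plugin],
                 rules: List[dict]) -> Tuple[str, List[str]]:
    """Return (event_source, loaded plugin names) or raise PluginLoadError."""
    event_source = "syscall"
    source_plugin: Optional[Plugin] = None
    loaded: List[Plugin] = []
    for entry in config.get("plugins", []):
        if entry["name"] not in config.get("load_plugins", []):
            continue  # defined in config but not enabled (the default falco.yaml case)
        plugin = registry.get(entry["library_path"])  # stands in for dlopen()
        if plugin is None:
            raise PluginLoadError(f"wrong plugin path: {entry['library_path']}")
        if plugin.kind == "source":
            if source_plugin is not None:
                raise PluginLoadError(
                    f"only one source plugin allowed: {source_plugin.name}, {plugin.name}")
            source_plugin, event_source = plugin, plugin.event_source
        loaded.append(plugin)

    # Extractor checks run once the event source is known, so config order does not matter.
    claimed: Set[str] = set()
    for plugin in loaded:
        if plugin.kind != "extractor":
            continue
        if event_source not in plugin.extract_sources:
            raise PluginLoadError(f"extractor {plugin.name} does not support {event_source}")
        overlap = claimed & plugin.extract_sources
        if overlap:
            raise PluginLoadError(f"extractor {plugin.name} overlaps on {sorted(overlap)}")
        claimed |= plugin.extract_sources

    required = required_plugin_versions(rules)
    for plugin in loaded:
        for req in required.get(plugin.name, []):
            if not is_plugin_compatible(plugin.version, req):
                raise PluginLoadError(f"{plugin.name} {plugin.version} < required {req}")
    return event_source, [p.name for p in loaded]


# Constructed sample data (plugin versions and source names are illustrative).
REGISTRY = {
    "libcloudtrail.so": Plugin("cloudtrail", "0.1.0", "source", event_source="aws_cloudtrail"),
    "libjson.so": Plugin("json", "0.1.0", "extractor", extract_sources={"aws_cloudtrail"}),
    "libother.so": Plugin("other", "0.1.0", "source", event_source="other_source"),
}
DEFAULT_CONFIG = {  # shape of the default falco.yaml: plugins defined, none loaded
    "plugins": [
        {"name": "cloudtrail", "library_path": "libcloudtrail.so",
         "init_config": "", "open_params": ""},
        {"name": "json", "library_path": "libjson.so", "init_config": ""},
    ],
    "load_plugins": [],
}
RULES = [{"required_plugin_versions": [{"name": "cloudtrail", "version": "0.1.0"}]}]


def enabled(config: dict, *names: str) -> dict:
    """Copy of config with load_plugins set to the given plugin names."""
    return {**config, "load_plugins": list(names)}


if __name__ == "__main__":
    print(load_plugins(DEFAULT_CONFIG, REGISTRY, RULES))
    print(load_plugins(enabled(DEFAULT_CONFIG, "cloudtrail", "json"), REGISTRY, RULES))
```

With the default config nothing is loaded and the event source stays "syscall"; enabling cloudtrail and json switches the event source to the source plugin's and loads both. Enabling json alone fails, because an extractor that only handles aws_cloudtrail is incompatible with the syscall source; a second source plugin, an overlapping extractor, an unknown library_path or a rules file requiring a newer cloudtrail version each fail with PluginLoadError.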
Test infrastructure and sample confs/rules/traces for plugins automated tests:
New test cases are in falco_tests_plugins.yaml and cover:
- Listing plugins and fields when plugins are loaded.
- Basic cloudtrail + json plugin on a fake cloudtrail json file and a sample rule that uses both plugins.
- Conflicts between source/extractor plugins.
- Incompatible plugin api.
- Wrong plugin path.
- Checking for warnings when reading rules with unknown sources (e.g. when plugins are not loaded).
Some test-only plugins written in C are in test/plugins and built on the fly. (They aren't included in packages of course.)
The test framework needed some small changes to handle these tests:
- Add a mode to not check detection counts at all (for --list/--list-plugins).
- addl_cmdline_opts to allow specifying --list/--list-plugins.
- Using DOTALL when matching stderr/stdout (allows multi-line matches more easily).
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Detect strlcpy on the fly, as was done in falcosecurity/libs#110. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
When MUSL_OPTIMIZED_BUILD is specified, falco is statically linked under musl, and can't dlopen() files: see https://inbox.vuxu.org/musl/20200423162406.GV11469@brightrain.aerifal.cx/T/ So skip listing/loading/testing plugins when MUSL_OPTIMIZED_BUILD is specified. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Ok I also removed the leftover plugin_free_mem reference. Could you take a look again?
LGTM label has been added. Git tree hash: 45f912af16a583d24210382a34ffd625e41eb4f1
LGTM
What type of PR is this?
/kind feature
/kind rule-create
Any specific area of the project related to this PR?
/area engine
/area rules
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: