diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake index fc9bb128b2c..63cefd7e692 100644 --- a/cmake/modules/driver.cmake +++ b/cmake/modules/driver.cmake @@ -34,8 +34,8 @@ else() # In case you want to test against another driver version (or branch, or commit) just pass the variable - # ie., `cmake -DDRIVER_VERSION=dev ..` if(NOT DRIVER_VERSION) - set(DRIVER_VERSION "9cd289cb27efb94ad47c4598f976253151dd3f62") - set(DRIVER_CHECKSUM "SHA256=b380f5bc1e0e2f21d82023ff361ac60bea3e4de336e3ec94b98618b5c58290a2") + set(DRIVER_VERSION "93a04bb92f85142edbfb47120cbaafb45d9ba5d8") + set(DRIVER_CHECKSUM "SHA256=8df88170cfcdd617366ef470bca9ac29be22cff36cafdac74a288697d5c860ab") endif() # cd /path/to/build && cmake /path/to/source diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake index dff89949dca..10045e86f92 100644 --- a/cmake/modules/falcosecurity-libs.cmake +++ b/cmake/modules/falcosecurity-libs.cmake @@ -35,8 +35,8 @@ else() # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable - # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` if(NOT FALCOSECURITY_LIBS_VERSION) - set(FALCOSECURITY_LIBS_VERSION "9cd289cb27efb94ad47c4598f976253151dd3f62") - set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b380f5bc1e0e2f21d82023ff361ac60bea3e4de336e3ec94b98618b5c58290a2") + set(FALCOSECURITY_LIBS_VERSION "93a04bb92f85142edbfb47120cbaafb45d9ba5d8") + set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=8df88170cfcdd617366ef470bca9ac29be22cff36cafdac74a288697d5c860ab") endif() # cd /path/to/build && cmake /path/to/source diff --git a/unit_tests/engine/test_add_source.cpp b/unit_tests/engine/test_add_source.cpp index 44ff230f388..a6fcc1604cc 100644 --- a/unit_tests/engine/test_add_source.cpp +++ b/unit_tests/engine/test_add_source.cpp @@ -31,7 +31,7 @@ namespace class test_ruleset_factory : public evttype_index_ruleset_factory { public: - test_ruleset_factory(std::shared_ptr factory): + test_ruleset_factory(std::shared_ptr factory): evttype_index_ruleset_factory(factory) { ruleset = evttype_index_ruleset_factory::new_ruleset(); @@ -54,9 +54,9 @@ TEST(AddSource, basic) sinsp inspector; sinsp_filter_check_list filterchecks; - auto filter_factory = std::shared_ptr( + auto filter_factory = std::shared_ptr( new sinsp_filter_factory(&inspector, filterchecks)); - auto formatter_factory = std::shared_ptr( + auto formatter_factory = std::shared_ptr( new sinsp_evt_formatter_factory(&inspector, filterchecks)); test_ruleset_factory *test_factory = new test_ruleset_factory(filter_factory); auto ruleset_factory = std::shared_ptr(test_factory); diff --git a/unit_tests/engine/test_alt_rule_loader.cpp b/unit_tests/engine/test_alt_rule_loader.cpp index 196079a7de4..f86e7a2a99a 100644 --- a/unit_tests/engine/test_alt_rule_loader.cpp +++ b/unit_tests/engine/test_alt_rule_loader.cpp @@ -124,7 +124,7 @@ class test_reader : public rule_loader::reader class test_ruleset : public evttype_index_ruleset { public: - test_ruleset(std::shared_ptr factory): + test_ruleset(std::shared_ptr factory): evttype_index_ruleset(factory){}; virtual ~test_ruleset() = default; @@ -154,7 +154,7 @@ class test_ruleset : public evttype_index_ruleset class test_ruleset_factory : public filter_ruleset_factory { public: - test_ruleset_factory(std::shared_ptr factory): + test_ruleset_factory(std::shared_ptr factory): m_filter_factory(factory) { } @@ -167,7 +167,7 @@ class test_ruleset_factory : public filter_ruleset_factory return ret; } - std::shared_ptr m_filter_factory; + std::shared_ptr m_filter_factory; }; }; // namespace @@ -235,9 +235,9 @@ static std::shared_ptr create_configuration(sinsp& i sinsp_filter_check_list& filterchecks, indexed_vector& sources) { - auto filter_factory = std::shared_ptr( + auto filter_factory = std::shared_ptr( new sinsp_filter_factory(&inspector, filterchecks)); - auto formatter_factory = std::shared_ptr( + auto formatter_factory = std::shared_ptr( new sinsp_evt_formatter_factory(&inspector, filterchecks)); auto ruleset_factory = std::shared_ptr( new evttype_index_ruleset_factory(filter_factory)); @@ -330,9 +330,9 @@ TEST(engine_loader_alt_loader, falco_engine_alternate_loader) sinsp inspector; sinsp_filter_check_list filterchecks; - auto filter_factory = std::shared_ptr( + auto filter_factory = std::shared_ptr( new sinsp_filter_factory(&inspector, filterchecks)); - auto formatter_factory = std::shared_ptr( + auto formatter_factory = std::shared_ptr( new sinsp_evt_formatter_factory(&inspector, filterchecks)); auto ruleset_factory = std::shared_ptr( new test_ruleset_factory(filter_factory)); diff --git a/unit_tests/engine/test_enable_rule.cpp b/unit_tests/engine/test_enable_rule.cpp index 624c9e589d3..b49726fe290 100644 --- a/unit_tests/engine/test_enable_rule.cpp +++ b/unit_tests/engine/test_enable_rule.cpp @@ -56,9 +56,9 @@ static void load_rules(falco_engine& engine, sinsp& inspector, sinsp_filter_chec { std::unique_ptr res; - auto filter_factory = std::shared_ptr( + auto filter_factory = std::shared_ptr( new sinsp_filter_factory(&inspector, filterchecks)); - auto formatter_factory = std::shared_ptr( + auto formatter_factory = std::shared_ptr( new sinsp_evt_formatter_factory(&inspector, filterchecks)); engine.add_source("syscall", filter_factory, formatter_factory); diff --git a/unit_tests/engine/test_rule_loader.cpp b/unit_tests/engine/test_rule_loader.cpp index 28366020409..5a3a5b44394 100644 --- a/unit_tests/engine/test_rule_loader.cpp +++ b/unit_tests/engine/test_rule_loader.cpp @@ -15,9 +15,9 @@ class engine_loader_test : public ::testing::Test { // create a falco engine ready to load the ruleset m_inspector.reset(new sinsp()); m_engine.reset(new falco_engine()); - m_filter_factory = std::shared_ptr( + m_filter_factory = std::shared_ptr( new sinsp_filter_factory(m_inspector.get(), m_filterlist)); - m_formatter_factory = std::shared_ptr( + m_formatter_factory = std::shared_ptr( new sinsp_evt_formatter_factory(m_inspector.get(), m_filterlist)); m_engine->add_source(m_sample_source, m_filter_factory, m_formatter_factory); } @@ -107,8 +107,8 @@ class engine_loader_test : public ::testing::Test { std::string m_sample_ruleset; std::string m_sample_source; sinsp_filter_check_list m_filterlist; - std::shared_ptr m_filter_factory; - std::shared_ptr m_formatter_factory; + std::shared_ptr m_filter_factory; + std::shared_ptr m_formatter_factory; std::unique_ptr m_engine; std::unique_ptr m_load_result; std::string m_load_result_string; diff --git a/unit_tests/engine/test_rulesets.cpp b/unit_tests/engine/test_rulesets.cpp index 4d2fcf28bb9..33a5662ef67 100644 --- a/unit_tests/engine/test_rulesets.cpp +++ b/unit_tests/engine/test_rulesets.cpp @@ -23,31 +23,31 @@ limitations under the License. #define RULESET_2 2 /* Helpers methods */ -static std::shared_ptr create_factory(filter_check_list& list) +static std::shared_ptr create_factory(filter_check_list& list) { - std::shared_ptr ret(new sinsp_filter_factory(NULL, list)); + std::shared_ptr ret(new sinsp_filter_factory(NULL, list)); return ret; } -static std::shared_ptr create_ruleset(std::shared_ptr f) +static std::shared_ptr create_ruleset(std::shared_ptr f) { std::shared_ptr ret(new evttype_index_ruleset(f)); return ret; } -static std::shared_ptr create_ast(std::shared_ptr f) +static std::shared_ptr create_ast(std::shared_ptr f) { libsinsp::filter::parser parser("evt.type=open"); std::shared_ptr ret(parser.parse()); return ret; } -static std::shared_ptr create_filter( - std::shared_ptr f, +static std::shared_ptr create_filter( + std::shared_ptr f, std::shared_ptr ast) { sinsp_filter_compiler compiler(f, ast.get()); - std::shared_ptr filter(compiler.compile()); + std::shared_ptr filter(compiler.compile()); return filter; } diff --git a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp index f97016149b5..6b238615c12 100644 --- a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp +++ b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp @@ -79,9 +79,9 @@ static std::shared_ptr mock_engine_from_filters(const strset_t& fi // create a falco engine and load the ruleset sinsp_filter_check_list filterlist; std::shared_ptr res(new falco_engine()); - auto filter_factory = std::shared_ptr( + auto filter_factory = std::shared_ptr( new sinsp_filter_factory(nullptr, filterlist)); - auto formatter_factory = std::shared_ptr( + auto formatter_factory = std::shared_ptr( new sinsp_evt_formatter_factory(nullptr, filterlist)); res->add_source(s_sample_source, filter_factory, formatter_factory); res->load_rules(dummy_rules, "dummy_rules.yaml"); diff --git a/userspace/engine/evttype_index_ruleset.cpp b/userspace/engine/evttype_index_ruleset.cpp index c67ea08e234..1bd3b48a8d7 100644 --- a/userspace/engine/evttype_index_ruleset.cpp +++ b/userspace/engine/evttype_index_ruleset.cpp @@ -20,7 +20,7 @@ limitations under the License. #include evttype_index_ruleset::evttype_index_ruleset( - std::shared_ptr f): m_filter_factory(f) + std::shared_ptr f): m_filter_factory(f) { } @@ -111,7 +111,7 @@ uint64_t evttype_index_ruleset::ruleset_filters::num_filters() return m_filters.size(); } -bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, falco_rule& match) +bool evttype_index_ruleset::ruleset_filters::run(sinsp_evt *evt, falco_rule& match) { if(evt->get_type() < m_filter_by_event_type.size()) { @@ -138,7 +138,7 @@ bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, falco_rule& mat return false; } -bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, std::vector& matches) +bool evttype_index_ruleset::ruleset_filters::run(sinsp_evt *evt, std::vector& matches) { bool match_found = false; @@ -194,7 +194,7 @@ libsinsp::events::set evttype_index_ruleset::ruleset_filters::ev void evttype_index_ruleset::add( const falco_rule& rule, - std::shared_ptr filter, + std::shared_ptr filter, std::shared_ptr condition) { try @@ -332,7 +332,7 @@ uint64_t evttype_index_ruleset::enabled_count(uint16_t ruleset_id) return m_rulesets[ruleset_id]->num_filters(); } -bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t ruleset_id) +bool evttype_index_ruleset::run(sinsp_evt *evt, falco_rule& match, uint16_t ruleset_id) { if(m_rulesets.size() < (size_t)ruleset_id + 1) { @@ -342,7 +342,7 @@ bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t rule return m_rulesets[ruleset_id]->run(evt, match); } -bool evttype_index_ruleset::run(gen_event *evt, std::vector& matches, uint16_t ruleset_id) +bool evttype_index_ruleset::run(sinsp_evt *evt, std::vector& matches, uint16_t ruleset_id) { if(m_rulesets.size() < (size_t)ruleset_id + 1) { diff --git a/userspace/engine/evttype_index_ruleset.h b/userspace/engine/evttype_index_ruleset.h index 9e7d14db396..71e7c11df7b 100644 --- a/userspace/engine/evttype_index_ruleset.h +++ b/userspace/engine/evttype_index_ruleset.h @@ -27,7 +27,6 @@ limitations under the License. #include #include #include -#include /*! \brief A filter_ruleset that indexes enabled rules by event type, @@ -36,18 +35,18 @@ limitations under the License. class evttype_index_ruleset: public filter_ruleset { public: - evttype_index_ruleset(std::shared_ptr factory); + evttype_index_ruleset(std::shared_ptr factory); virtual ~evttype_index_ruleset(); void add( const falco_rule& rule, - std::shared_ptr filter, + std::shared_ptr filter, std::shared_ptr condition) override; void clear() override; - bool run(gen_event *evt, falco_rule& match, uint16_t ruleset_id) override; - bool run(gen_event *evt, std::vector&matches, uint16_t ruleset_id) override; + bool run(sinsp_evt *evt, falco_rule& match, uint16_t ruleset_id) override; + bool run(sinsp_evt *evt, std::vector&matches, uint16_t ruleset_id) override; uint64_t enabled_count(uint16_t ruleset_id) override; @@ -102,7 +101,7 @@ class evttype_index_ruleset: public filter_ruleset falco_rule rule; libsinsp::events::set sc_codes; libsinsp::events::set event_codes; - std::shared_ptr filter; + std::shared_ptr filter; }; typedef std::list> filter_wrapper_list; @@ -121,11 +120,11 @@ class evttype_index_ruleset: public filter_ruleset // Evaluate an event against the ruleset and return the first rule // that matched. - bool run(gen_event *evt, falco_rule& match); + bool run(sinsp_evt *evt, falco_rule& match); // Evaluate an event against the ruleset and return all the // matching rules. - bool run(gen_event *evt, std::vector& matches); + bool run(sinsp_evt *evt, std::vector& matches); libsinsp::events::set sc_codes(); @@ -152,7 +151,7 @@ class evttype_index_ruleset: public filter_ruleset // All filters added. The set of enabled filters is held in m_rulesets std::set> m_filters; - std::shared_ptr m_filter_factory; + std::shared_ptr m_filter_factory; std::vector m_ruleset_names; }; @@ -160,7 +159,7 @@ class evttype_index_ruleset_factory: public filter_ruleset_factory { public: inline evttype_index_ruleset_factory( - std::shared_ptr factory + std::shared_ptr factory ): m_filter_factory(factory) { } inline std::shared_ptr new_ruleset() override @@ -171,5 +170,5 @@ class evttype_index_ruleset_factory: public filter_ruleset_factory } private: - std::shared_ptr m_filter_factory; + std::shared_ptr m_filter_factory; }; diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp index b4007952fc7..ad8ed3b7ac8 100644 --- a/userspace/engine/falco_engine.cpp +++ b/userspace/engine/falco_engine.cpp @@ -115,7 +115,7 @@ std::shared_ptr falco_engine::get_rule_compiler() // Return a key that uniquely represents a field class. // For now, we assume name + shortdesc is unique. -static std::string fieldclass_key(const gen_event_filter_factory::filter_fieldclass_info &fld_info) +static std::string fieldclass_key(const sinsp_filter_factory::filter_fieldclass_info &fld_info) { return fld_info.name + fld_info.shortdesc; } @@ -372,14 +372,14 @@ libsinsp::events::set falco_engine::event_codes_for_ruleset(cons return find_source(source)->ruleset->enabled_event_codes(find_ruleset_id(ruleset)); } -std::shared_ptr falco_engine::create_formatter(const std::string &source, +std::shared_ptr falco_engine::create_formatter(const std::string &source, const std::string &output) const { return find_source(source)->formatter_factory->create_formatter(output); } std::unique_ptr> falco_engine::process_event(std::size_t source_idx, - gen_event *ev, uint16_t ruleset_id, falco_common::rule_matching strategy) + sinsp_evt *ev, uint16_t ruleset_id, falco_common::rule_matching strategy) { // note: there are no thread-safety guarantees on the filter_ruleset::run() // method, but the thread-safety assumptions of falco_engine::process_event() @@ -437,14 +437,14 @@ std::unique_ptr> falco_engine::process_ev } std::unique_ptr> falco_engine::process_event(std::size_t source_idx, - gen_event *ev, falco_common::rule_matching strategy) + sinsp_evt *ev, falco_common::rule_matching strategy) { return process_event(source_idx, ev, m_default_ruleset_id, strategy); } std::size_t falco_engine::add_source(const std::string &source, - std::shared_ptr filter_factory, - std::shared_ptr formatter_factory) + std::shared_ptr filter_factory, + std::shared_ptr formatter_factory) { // evttype_index_ruleset is the default ruleset implementation std::shared_ptr ruleset_factory( @@ -460,8 +460,8 @@ std::size_t falco_engine::add_source(const std::string &source, } std::size_t falco_engine::add_source(const std::string &source, - std::shared_ptr filter_factory, - std::shared_ptr formatter_factory, + std::shared_ptr filter_factory, + std::shared_ptr formatter_factory, std::shared_ptr ruleset_factory) { falco_source src; @@ -892,22 +892,22 @@ bool falco_engine::is_source_valid(const std::string &source) const return m_sources.at(source) != nullptr; } -std::shared_ptr falco_engine::filter_factory_for_source(const std::string& source) +std::shared_ptr falco_engine::filter_factory_for_source(const std::string& source) { return find_source(source)->filter_factory; } -std::shared_ptr falco_engine::filter_factory_for_source(std::size_t source_idx) +std::shared_ptr falco_engine::filter_factory_for_source(std::size_t source_idx) { return find_source(source_idx)->filter_factory; } -std::shared_ptr falco_engine::formatter_factory_for_source(const std::string& source) +std::shared_ptr falco_engine::formatter_factory_for_source(const std::string& source) { return find_source(source)->formatter_factory; } -std::shared_ptr falco_engine::formatter_factory_for_source(std::size_t source_idx) +std::shared_ptr falco_engine::formatter_factory_for_source(std::size_t source_idx) { return find_source(source_idx)->formatter_factory; } diff --git a/userspace/engine/falco_engine.h b/userspace/engine/falco_engine.h index c7b54d78e0a..9484d605412 100644 --- a/userspace/engine/falco_engine.h +++ b/userspace/engine/falco_engine.h @@ -15,12 +15,6 @@ See the License for the specific language governing permissions and limitations under the License. */ -// Gen filtering TODO -// - DONE Clean up use/sharing of factories amongst engine-related classes. -// - DONE Fix outputs to actually use factories -// - Review gen_filter apis to see if they have only the required interfaces -// - Fix json filterchecks to split json and evt.time filterchecks. - #pragma once #include @@ -30,7 +24,6 @@ limitations under the License. #include -#include #include "filter_ruleset.h" #include "rule_loader.h" #include "rule_loader_reader.h" @@ -180,7 +173,7 @@ class falco_engine // Represents the result of matching an event against a set of // rules. struct rule_result { - gen_event *evt; + sinsp_evt *evt; std::string rule; std::string source; falco_common::priority_type priority_num; @@ -214,7 +207,7 @@ class falco_engine // concurrently with the same source_idx would inherently cause data races // and lead to undefined behavior. std::unique_ptr> process_event(std::size_t source_idx, - gen_event *ev, uint16_t ruleset_id, falco_common::rule_matching strategy); + sinsp_evt *ev, uint16_t ruleset_id, falco_common::rule_matching strategy); // // Wrapper assuming the default ruleset. @@ -222,7 +215,7 @@ class falco_engine // This inherits the same thread-safety guarantees. // std::unique_ptr> process_event(std::size_t source_idx, - gen_event *ev, falco_common::rule_matching strategy); + sinsp_evt *ev, falco_common::rule_matching strategy); // // Configure the engine to support events with the provided @@ -230,16 +223,16 @@ class falco_engine // Return source index for fast lookup. // std::size_t add_source(const std::string &source, - std::shared_ptr filter_factory, - std::shared_ptr formatter_factory); + std::shared_ptr filter_factory, + std::shared_ptr formatter_factory); // // Equivalent to above, but allows specifying a ruleset factory // for the newly added source. // std::size_t add_source(const std::string &source, - std::shared_ptr filter_factory, - std::shared_ptr formatter_factory, + std::shared_ptr filter_factory, + std::shared_ptr formatter_factory, std::shared_ptr ruleset_factory); // Return whether or not there is a valid filter/formatter @@ -250,15 +243,15 @@ class falco_engine // Given a source, return a formatter factory that can create // filters for events of that source. // - std::shared_ptr filter_factory_for_source(const std::string& source); - std::shared_ptr filter_factory_for_source(std::size_t source_idx); + std::shared_ptr filter_factory_for_source(const std::string& source); + std::shared_ptr filter_factory_for_source(std::size_t source_idx); // // Given a source, return a formatter factory that can create // formatters for an event. // - std::shared_ptr formatter_factory_for_source(const std::string& source); - std::shared_ptr formatter_factory_for_source(std::size_t source_idx); + std::shared_ptr formatter_factory_for_source(const std::string& source); + std::shared_ptr formatter_factory_for_source(std::size_t source_idx); // // Given a source, return a ruleset factory that can create @@ -300,10 +293,10 @@ class falco_engine // // Given a source and output string, return an - // gen_event_formatter that can format output strings for an + // sinsp_evt_formatter that can format output strings for an // event. // - std::shared_ptr create_formatter(const std::string &source, + std::shared_ptr create_formatter(const std::string &source, const std::string &output) const; // The rule loader definition is aliased as it is exactly what we need diff --git a/userspace/engine/falco_engine_version.h b/userspace/engine/falco_engine_version.h index 932249c4dc4..2ea4122a7fe 100644 --- a/userspace/engine/falco_engine_version.h +++ b/userspace/engine/falco_engine_version.h @@ -20,7 +20,7 @@ limitations under the License. // The version of this Falco engine #define FALCO_ENGINE_VERSION_MAJOR 0 -#define FALCO_ENGINE_VERSION_MINOR 33 +#define FALCO_ENGINE_VERSION_MINOR 34 #define FALCO_ENGINE_VERSION_PATCH 0 #define FALCO_ENGINE_VERSION \ @@ -34,4 +34,4 @@ limitations under the License. // It represents the fields supported by this version of Falco, // the event types, and the underlying driverevent schema. It's used to // detetect changes in engine version in our CI jobs. -#define FALCO_ENGINE_CHECKSUM "6de427ad72fad5911239683aa6627833f8006a2350808730c436a85fc8648a9a" +#define FALCO_ENGINE_CHECKSUM "8c1ad46ec49050af497561f732915f01adc699c6beed5139a7e6520a8196ca7d" diff --git a/userspace/engine/falco_rule.h b/userspace/engine/falco_rule.h index 700145d648e..52765ca1cb7 100644 --- a/userspace/engine/falco_rule.h +++ b/userspace/engine/falco_rule.h @@ -83,5 +83,5 @@ struct falco_rule std::set exception_fields; falco_common::priority_type priority; std::shared_ptr condition; - std::shared_ptr filter; + std::shared_ptr filter; }; diff --git a/userspace/engine/falco_source.h b/userspace/engine/falco_source.h index b81eb8b271d..469f9aec95a 100644 --- a/userspace/engine/falco_source.h +++ b/userspace/engine/falco_source.h @@ -49,8 +49,8 @@ struct falco_source std::string name; std::shared_ptr ruleset; std::shared_ptr ruleset_factory; - std::shared_ptr filter_factory; - std::shared_ptr formatter_factory; + std::shared_ptr filter_factory; + std::shared_ptr formatter_factory; // Used by the filter_ruleset interface. Filled in when a rule // matches an event. diff --git a/userspace/engine/filter_ruleset.h b/userspace/engine/filter_ruleset.h index b6b8a3ba42c..bf8f7b79bff 100644 --- a/userspace/engine/filter_ruleset.h +++ b/userspace/engine/filter_ruleset.h @@ -22,7 +22,6 @@ limitations under the License. #include #include #include -#include #include /*! @@ -61,7 +60,7 @@ class filter_ruleset */ virtual void add( const falco_rule& rule, - std::shared_ptr filter, + std::shared_ptr filter, std::shared_ptr condition) = 0; /*! @@ -114,7 +113,7 @@ class filter_ruleset \param ruleset_id The id of the ruleset to be used */ virtual bool run( - gen_event *evt, + sinsp_evt *evt, falco_rule& match, uint16_t ruleset_id) = 0; @@ -127,7 +126,7 @@ class filter_ruleset \param ruleset_id The id of the ruleset to be used */ virtual bool run( - gen_event *evt, + sinsp_evt *evt, std::vector& matches, uint16_t ruleset_id) = 0; diff --git a/userspace/engine/formats.cpp b/userspace/engine/formats.cpp index 106a58b7665..64a2e75c035 100644 --- a/userspace/engine/formats.cpp +++ b/userspace/engine/formats.cpp @@ -33,20 +33,20 @@ falco_formats::~falco_formats() { } -std::string falco_formats::format_event(gen_event *evt, const std::string &rule, const std::string &source, +std::string falco_formats::format_event(sinsp_evt *evt, const std::string &rule, const std::string &source, const std::string &level, const std::string &format, std::set &tags, const std::string &hostname) const { std::string line; - std::shared_ptr formatter; + std::shared_ptr formatter; formatter = m_falco_engine->create_formatter(source, format); // Format the original output string, regardless of output format - formatter->tostring_withformat(evt, line, gen_event_formatter::OF_NORMAL); + formatter->tostring_withformat(evt, line, sinsp_evt_formatter::OF_NORMAL); - if(formatter->get_output_format() == gen_event_formatter::OF_JSON) + if(formatter->get_output_format() == sinsp_evt_formatter::OF_JSON) { std::string json_line; @@ -131,10 +131,10 @@ std::string falco_formats::format_event(gen_event *evt, const std::string &rule, return line.c_str(); } -std::map falco_formats::get_field_values(gen_event *evt, const std::string &source, +std::map falco_formats::get_field_values(sinsp_evt *evt, const std::string &source, const std::string &format) const { - std::shared_ptr formatter; + std::shared_ptr formatter; formatter = m_falco_engine->create_formatter(source, format); diff --git a/userspace/engine/formats.h b/userspace/engine/formats.h index 6babbcf9143..ee0d7361d71 100644 --- a/userspace/engine/formats.h +++ b/userspace/engine/formats.h @@ -19,7 +19,6 @@ limitations under the License. #include #include -#include #include "falco_engine.h" class falco_formats @@ -30,11 +29,11 @@ class falco_formats bool json_include_tags_property); virtual ~falco_formats(); - std::string format_event(gen_event *evt, const std::string &rule, const std::string &source, + std::string format_event(sinsp_evt *evt, const std::string &rule, const std::string &source, const std::string &level, const std::string &format, std::set &tags, const std::string &hostname) const; - std::map get_field_values(gen_event *evt, const std::string &source, + std::map get_field_values(sinsp_evt *evt, const std::string &source, const std::string &format) const ; protected: diff --git a/userspace/engine/rule_loader_compiler.cpp b/userspace/engine/rule_loader_compiler.cpp index 67ef7dea0aa..12266b97f38 100644 --- a/userspace/engine/rule_loader_compiler.cpp +++ b/userspace/engine/rule_loader_compiler.cpp @@ -60,7 +60,7 @@ static bool is_format_valid(const falco_source& source, std::string fmt, std::st { try { - std::shared_ptr formatter; + std::shared_ptr formatter; formatter = source.formatter_factory->create_formatter(fmt); return true; } @@ -410,13 +410,13 @@ bool rule_loader::compiler::compile_condition( indexed_vector& lists, const indexed_vector& macros, const std::string& condition, - std::shared_ptr filter_factory, + std::shared_ptr filter_factory, rule_loader::context cond_ctx, rule_loader::context parent_ctx, bool allow_unknown_fields, indexed_vector& macros_out, std::shared_ptr& ast_out, - std::shared_ptr& filter_out) const + std::shared_ptr& filter_out) const { std::set warn_codes; filter_warning_resolver warn_resolver; diff --git a/userspace/engine/rule_loader_compiler.h b/userspace/engine/rule_loader_compiler.h index 47e8ad141f4..2f438003b0a 100644 --- a/userspace/engine/rule_loader_compiler.h +++ b/userspace/engine/rule_loader_compiler.h @@ -64,13 +64,13 @@ class compiler indexed_vector& lists, const indexed_vector& macros, const std::string& condition, - std::shared_ptr filter_factory, + std::shared_ptr filter_factory, rule_loader::context cond_ctx, rule_loader::context parent_ctx, bool allow_unknown_fields, indexed_vector& macros_out, std::shared_ptr& ast_out, - std::shared_ptr& filter_out) const; + std::shared_ptr& filter_out) const; private: void compile_list_infos( diff --git a/userspace/falco/app/actions/init_falco_engine.cpp b/userspace/falco/app/actions/init_falco_engine.cpp index a81f7ec7d5d..545c9ae445d 100644 --- a/userspace/falco/app/actions/init_falco_engine.cpp +++ b/userspace/falco/app/actions/init_falco_engine.cpp @@ -69,14 +69,14 @@ void add_source_to_engine(falco::app::state& s, const std::string& src) auto& filterchecks = *src_info->filterchecks.get(); auto* inspector = src_info->inspector.get(); - auto filter_factory = std::shared_ptr( + auto filter_factory = std::shared_ptr( new sinsp_filter_factory(inspector, filterchecks)); - auto formatter_factory = std::shared_ptr( + auto formatter_factory = std::shared_ptr( new sinsp_evt_formatter_factory(inspector, filterchecks)); if(s.config->m_json_output) { - formatter_factory->set_output_format(gen_event_formatter::OF_JSON); + formatter_factory->set_output_format(sinsp_evt_formatter::OF_JSON); } src_info->engine_idx = s.engine->add_source(src, filter_factory, formatter_factory); diff --git a/userspace/falco/app/options.h b/userspace/falco/app/options.h index 4d0dc661f73..ad2a09a824a 100644 --- a/userspace/falco/app/options.h +++ b/userspace/falco/app/options.h @@ -22,6 +22,7 @@ limitations under the License. #include #include #include +#include namespace cxxopts { class Options; }; diff --git a/userspace/falco/falco_outputs.cpp b/userspace/falco/falco_outputs.cpp index 21a2db351b3..5583d22c2d4 100644 --- a/userspace/falco/falco_outputs.cpp +++ b/userspace/falco/falco_outputs.cpp @@ -135,7 +135,7 @@ void falco_outputs::add_output(falco::outputs::config oc) } } -void falco_outputs::handle_event(gen_event *evt, std::string &rule, std::string &source, +void falco_outputs::handle_event(sinsp_evt *evt, std::string &rule, std::string &source, falco_common::priority_type priority, std::string &format, std::set &tags) { falco_outputs::ctrl_msg cmsg = {}; diff --git a/userspace/falco/falco_outputs.h b/userspace/falco/falco_outputs.h index be2e603dfeb..a529e29b7d9 100644 --- a/userspace/falco/falco_outputs.h +++ b/userspace/falco/falco_outputs.h @@ -20,7 +20,6 @@ limitations under the License. #include #include -#include #include "falco_common.h" #include "falco_engine.h" #include "outputs.h" @@ -59,7 +58,7 @@ class falco_outputs \brief Format then send the event to all configured outputs (`evt` is an event that has matched some rule). */ - void handle_event(gen_event *evt, std::string &rule, std::string &source, + void handle_event(sinsp_evt *evt, std::string &rule, std::string &source, falco_common::priority_type priority, std::string &format, std::set &tags); /*! diff --git a/userspace/falco/outputs.h b/userspace/falco/outputs.h index 70291fac026..f6bf3b7c2c9 100644 --- a/userspace/falco/outputs.h +++ b/userspace/falco/outputs.h @@ -21,7 +21,6 @@ limitations under the License. #include #include "falco_common.h" -#include #include namespace falco