Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More ef drop falco #1105

Merged
merged 4 commits into from
Apr 24, 2018
Merged

More ef drop falco #1105

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
54417ad
Syncing driver and libscap event tables.
mstemm Apr 19, 2018
a382588
Start skipping more syscalls at falco level
mstemm Apr 19, 2018
3fd6380
Change EF_DROP_FALCO flag for additional syscalls
mstemm Apr 19, 2018
8309e9d
Add falco_consider to centralize flag comparisons
mstemm Apr 19, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
82 changes: 41 additions & 41 deletions driver/event_table.c
View file
Open in desktop

Large diffs are not rendered by default.

92 changes: 46 additions & 46 deletions userspace/libscap/event_table.c
View file
Open in desktop

Large diffs are not rendered by default.

204 changes: 102 additions & 102 deletions userspace/libscap/syscall_info_table.c
View file
Open in desktop

Large diffs are not rendered by default.

16 changes: 16 additions & 0 deletions userspace/libsinsp/event.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2474,3 +2474,19 @@ scap_dump_flags sinsp_evt::get_dump_flags(OUT bool* should_drop)
return (scap_dump_flags)dflags;
}
#endif

bool sinsp_evt::falco_consider()
{
uint16_t etype = get_type();

if(etype == PPME_GENERIC_E || etype == PPME_GENERIC_X)
{
sinsp_evt_param *parinfo = get_param(0);
ASSERT(parinfo->m_len == sizeof(uint16_t));
uint16_t scid = *(uint16_t *)parinfo->m_val;

return sinsp::falco_consider_syscallid(scid);
}

return sinsp::falco_consider_evtnum(etype);
}
8 changes: 8 additions & 0 deletions userspace/libsinsp/event.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -325,6 +325,14 @@ class SINSP_PUBLIC sinsp_evt
scap_dump_flags get_dump_flags(OUT bool* should_drop);
#endif

/*!
\brief Return whether or not falco should consider this
event. (Generally, these events are automatically filtered
out, but some events related to internal tracking are returned by next() anyway).
*/

bool falco_consider();

// Doxygen doesn't understand VISIBILITY_PRIVATE
#ifdef _DOXYGEN
private:
Expand Down
1 change: 0 additions & 1 deletion userspace/libsinsp/sinsp.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,6 @@ along with sysdig. If not, see <http://www.gnu.org/licenses/>.
#include "analyzer.h"
#endif

extern sinsp_evttables g_infotables;
#ifdef HAS_CHISELS
extern vector<chiseldir_info>* g_chisel_dirs;
#endif
Expand Down
19 changes: 19 additions & 0 deletions userspace/libsinsp/sinsp.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -829,8 +829,27 @@ class SINSP_PUBLIC sinsp
return scap_get_wmi_handle(m_h);
}
#endif

static inline bool falco_consider_evtnum(uint16_t etype)
{
enum ppm_event_flags flags = g_infotables.m_event_info[etype].flags;

return ! (flags & sinsp::falco_skip_flags());
}

static inline bool falco_consider_syscallid(uint16_t scid)
{
enum ppm_event_flags flags = g_infotables.m_syscall_info_table[scid].flags;

return ! (flags & sinsp::falco_skip_flags());
}

VISIBILITY_PRIVATE

static inline ppm_event_flags falco_skip_flags()
{
return (ppm_event_flags) (EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION | EF_DROP_FALCO);
}
// Doxygen doesn't understand VISIBILITY_PRIVATE
#ifdef _DOXYGEN
private:
Expand Down
2 changes: 2 additions & 0 deletions userspace/libsinsp/utils.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ typedef struct ipv4serverinfo ipv4serverinfo;
typedef struct ipv6serverinfo ipv6serverinfo;
class filter_check_info;

extern sinsp_evttables g_infotables;

///////////////////////////////////////////////////////////////////////////////
// Initializer class.
// An instance of this class is created when the library is loaded.
Expand Down