Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[LIBS PLUGINS] Expose libs syscalls PPME_ events enum over a new plugin API #1711

Open
incertum opened this issue Feb 27, 2024 · 8 comments
Open
Assignees
Labels
kind/feature New feature or request lifecycle/rotten
Milestone

Comments

@incertum
Copy link
Contributor

Motivation

Currently, plugins need to redefine syscalls event types (of type falcosecurity::event_type) resulting in needing to redefine an enum. This approach risks discrepancies between libs' native PPME_ enum and the enum used by the plugins. For example the current k8smeta plugin follows this practice of redefinition. On the other hand the open PR falcosecurity/plugins#419 for the anomalydetection plugin employs a workaround via importing the libs enum.

Feature

When the event source is syscall, a new plugin API should be introduced to allow the importing of syscall libs' PPME_ events enum, making them accessible. This enables us to switch the plugin's evt.get_type() within the parse_event plugin logic while reusing the PPME_ codes from libs, such as PPME_SYSCALL_EXECVEAT_X and PPME_SYSCALL_EXECVE_19_X, for example ...

@incertum incertum added the kind/feature New feature or request label Feb 27, 2024
@jasondellaluce
Copy link
Contributor

@incertum IMO this could be potentially part of the plugins SDKs, as the libs already expose this information. Ideally, we would isolate the "event schema" module and make it importable from outside. Not sure if adding extra layers on top of the current plugin API is the optimal solution, will think about it.

@incertum
Copy link
Contributor Author

@incertum IMO this could be potentially part of the plugins SDKs, as the libs already expose this information. Ideally, we would isolate the "event schema" module and make it importable from outside. Not sure if adding extra layers on top of the current plugin API is the optimal solution, will think about it.

Thanks @jasondellaluce either way would work. Looking forward to having the enum easily available. Thanks.

@jasondellaluce
Copy link
Contributor

@incertum FYI this is tracked here for the plugin SDK C++: falcosecurity/plugin-sdk-cpp#33

@poiana
Copy link
Contributor

poiana commented Jun 6, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@incertum
Copy link
Contributor Author

incertum commented Jun 6, 2024

/remove-lifecycle stale

@incertum
Copy link
Contributor Author

/milestone TBD

/assign @jasondellaluce

@poiana poiana added this to the TBD milestone Aug 17, 2024
@poiana
Copy link
Contributor

poiana commented Nov 15, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana
Copy link
Contributor

poiana commented Dec 15, 2024

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature New feature or request lifecycle/rotten
Projects
None yet
Development

No branches or pull requests

3 participants