[LIBS PLUGINS] Expose libs syscalls PPME_ events enum over a new plugin API #1711

Motivation
Currently, plugins need to redefine syscall event types (of type falcosecurity::event_type), resulting in needing to redefine an enum. This approach risks discrepancies between libs' native PPME_ enum and the enum used by the plugins. For example, the current k8smeta plugin follows this practice of redefinition. On the other hand, the open PR falcosecurity/plugins#419 for the anomalydetection plugin employs a workaround via importing the libs enum.

Feature
When the event source is syscall, a new plugin API should be introduced to allow the importing of syscall libs' PPME_ events enum, making them accessible. This enables us to switch on the plugin's evt.get_type() within the parse_event plugin logic while reusing the PPME_ codes from libs, such as PPME_SYSCALL_EXECVEAT_X and PPME_SYSCALL_EXECVE_19_X, for example ...

Comments
@incertum IMO this could be potentially part of the plugins SDKs, as the libs already expose this information. Ideally, we would isolate the "event schema" module and make it importable from outside. Not sure if adding extra layers on top of the current plugin API is the optimal solution, will think about it.
Thanks @jasondellaluce, either way would work. Looking forward to having the enum easily available. Thanks.
@incertum FYI this is tracked here for the plugin SDK C++: falcosecurity/plugin-sdk-cpp#33
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale
/remove-lifecycle stale
/milestone TBD /assign @jasondellaluce
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh with Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle rotten
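As an added example (not code from falcosecurity/libs, the plugin SDK, or the k8smeta/anomalydetection plugins), the block below contrasts the two approaches the issue body describes: a plugin keeping its own copy of the PPME_ codes, guarded by a compile-time check so that drift from libs breaks the build rather than misclassifying events, versus dispatching a parse_event-style hook directly on one shared definition. The `libs_stub` namespace, every numeric enum value, the `syscall_event` struct and the `classify`/`count_exec_events` functions are constructed for this example; only the PPME_ names come from the issue.

```cpp
// Added example, not code from falcosecurity/libs or any plugin SDK.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Stand-in for the libs' native PPME_ enum. The names exist in libs; the
// numeric values below are made up for this example and must not be relied on.
namespace libs_stub {
enum ppm_event_code : uint16_t {
    PPME_GENERIC_E = 0,
    PPME_GENERIC_X = 1,
    PPME_SYSCALL_EXECVE_19_E = 2,
    PPME_SYSCALL_EXECVE_19_X = 3,
    PPME_SYSCALL_EXECVEAT_E = 4,
    PPME_SYSCALL_EXECVEAT_X = 5,
};
}

// The approach the issue warns about: a plugin-local redefinition. If libs
// ever renumber or insert a code, this copy silently disagrees with the engine.
namespace plugin_local {
enum event_type : uint16_t {
    EXECVE_19_X = 3,
    EXECVEAT_X = 5,
};
}

// Compile-time guard a plugin author can keep beside such a redefinition so a
// mismatch fails the build instead of producing wrong detections at runtime.
static_assert(static_cast<uint16_t>(plugin_local::EXECVE_19_X) ==
              static_cast<uint16_t>(libs_stub::PPME_SYSCALL_EXECVE_19_X),
              "plugin copy of PPME_SYSCALL_EXECVE_19_X drifted from libs");
static_assert(static_cast<uint16_t>(plugin_local::EXECVEAT_X) ==
              static_cast<uint16_t>(libs_stub::PPME_SYSCALL_EXECVEAT_X),
              "plugin copy of PPME_SYSCALL_EXECVEAT_X drifted from libs");

// Hypothetical minimal event object; the real SDK type is richer.
struct syscall_event {
    uint16_t type;     // PPME_ code as delivered by libs
    std::string comm;  // process name, constructed for the example
};

// What parse_event logic looks like once it can switch directly on the libs
// codes: recognise exec-family exit events without a plugin-owned enum.
std::string classify(const syscall_event& evt) {
    switch (static_cast<libs_stub::ppm_event_code>(evt.type)) {
    case libs_stub::PPME_SYSCALL_EXECVE_19_X: return "execve";
    case libs_stub::PPME_SYSCALL_EXECVEAT_X:  return "execveat";
    default:                                  return "other";
    }
}

// Count exec-family exit events in a stream, the kind of per-process
// aggregate an anomaly detection plugin would maintain.
std::size_t count_exec_events(const std::vector<syscall_event>& stream) {
    std::size_t n = 0;
    for (const auto& evt : stream)
        if (classify(evt) != "other") ++n;
    return n;
}

// Constructed sample stream: one execve enter/exit pair, a generic exit,
// and one execveat exit.
std::vector<syscall_event> sample_stream() {
    return {
        {libs_stub::PPME_SYSCALL_EXECVE_19_E, "bash"},
        {libs_stub::PPME_SYSCALL_EXECVE_19_X, "bash"},
        {libs_stub::PPME_GENERIC_X,           "bash"},
        {libs_stub::PPME_SYSCALL_EXECVEAT_X,  "ld"},
    };
}

int main() {
    for (const auto& evt : sample_stream())
        std::cout << evt.comm << " -> " << classify(evt) << "\n";
    std::cout << "exec events: " << count_exec_events(sample_stream()) << "\n";
    return 0;
}
```

The static_assert lines are the practical takeaway for plugins that still mirror the enum today: they only work if the libs header is visible at build time, which is exactly what the requested plugin API would make unnecessary by letting parse_event switch on the libs codes directly.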