Falco bridge+falcodump: Various fixes

Fix building with Visual C++ and recent versions of falco-libs.
2023-12-12 14:23:26 -08:00 · 2023-12-12 14:23:26 -08:00 · 3588090b2a
parent 574fc0e1a6
commit 3588090b2a
5 changed files with 96 additions and 49 deletions
--- a/cmake/modules/FindSinsp.cmake
+++ b/cmake/modules/FindSinsp.cmake
@ -22,7 +22,7 @@
 #  SINSP_DLL            - (Windows) Name of the libsinsp and libscap DLLs

 include( FindWSWinLibs )
-FindWSWinLibs( "libsinsp-.*" "SINSP_HINTS" )
+FindWSWinLibs( "libfalcosecurity-.*" SINSP_HINTS )

 include(CMakeDependentOption)

@ -31,17 +31,21 @@ if( NOT USE_REPOSITORY)
  pkg_check_modules(SINSP libsinsp)
 endif()

+# Include both legacy (#include <sinsp.h>) and current (#include <libsinsp/sinsp.h>) paths for now.
 if(NOT SINSP_FOUND)
  # pkg_check_modules didn't work, so look for ourselves.
-  find_path(SINSP_INCLUDE_DIRS
-    NAMES sinsp.h
+  find_path(_sinsp_include_dirs NO_CACHE
+    NAMES libsinsp/sinsp.h
    HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
-    PATH_SUFFIXES falcosecurity/userspace/libsinsp
+    PATH_SUFFIXES falcosecurity/userspace
    /usr/include
    /usr/local/include
  )
+  if(_sinsp_include_dirs)
+    list(APPEND _sinsp_include_dirs ${_sinsp_include_dirs}/libsinsp)
+  endif()

-  find_path(_scap_include_dir
+  find_path(_scap_include_dir NO_CACHE
    NAMES scap.h
    HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
    PATH_SUFFIXES falcosecurity/userspace/libscap
@ -49,11 +53,11 @@ if(NOT SINSP_FOUND)
    /usr/local/include
  )
  if(_scap_include_dir)
-    list(APPEND SINSP_INCLUDE_DIRS _scap_include_dir)
+    list(APPEND _sinsp_include_dirs ${_scap_include_dir})
  endif()
  unset(_scap_include_dir)

-  find_library(SINSP_LINK_LIBRARIES
+  find_library(_sinsp_link_libs NO_CACHE
    NAMES sinsp
    HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
    PATHS falcosecurity
@ -63,21 +67,18 @@ if(NOT SINSP_FOUND)

  set(_scap_libs
    scap
-    scap_engine_util
-    scap_event_schema
-    driver_event_schema
-    scap_engine_bpf
-    scap_engine_gvisor
-    scap_engine_kmod
    scap_engine_nodriver
    scap_engine_noop
    scap_engine_savefile
    scap_engine_source_plugin
-    scap_engine_udig
+    scap_engine_test_input
+    scap_error
+    scap_event_schema
+    scap_platform_util
  )

  foreach(_scap_lib ${_scap_libs})
-    find_library(_lib
+    find_library(_lib NO_CACHE
      NAMES ${_scap_lib}
      HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
      PATHS falcosecurity
@ -85,58 +86,108 @@ if(NOT SINSP_FOUND)
      /usr/local/lib
    )
    if (_lib)
-      list(APPEND SINSP_LINK_LIBRARIES ${_lib})
+      list(APPEND _sinsp_link_libs ${_lib})
+      unset(_lib)
    endif()
  endforeach()
  unset(_scap_libs)
  unset(_scap_lib)
-  unset(_lib)
-  if(SINSP_INCLUDE_DIRS AND JSONCPP_LIBRARY)
-    set(SINSP_FOUND 1)
-  endif()

-  find_path(JSONCPP_INCLUDE_DIR
+  find_path(_jsoncpp_include_dir NO_CACHE
    NAMES json/json.h
    HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
-    PATH_SUFFIXES jsoncpp
+    PATH_SUFFIXES falcosecurity jsoncpp
+    PATHS
    /usr/include
    /usr/local/include
  )
-  if (JSON_INCLUDE_DIR)
-    list(APPEND SINSP_INCLUDE_DIRS ${JSONCPP_INCLUDE_DIR})
+  if (_jsoncpp_include_dir)
+    list(APPEND _sinsp_include_dirs ${_jsoncpp_include_dir})
+    unset(_jsoncpp_include_dir)
  endif()

-  find_library(JSONCPP_LIBRARY
+  find_library(_jsoncpp_lib NO_CACHE
    NAMES jsoncpp
-    HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
+    HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" "${SINSP_HINTS}/lib/falcosecurity"
    PATHS
    /usr/lib
    /usr/local/lib
  )
-  if (JSONCPP_LIBRARY)
-    list(APPEND JSONCPP_LIBRARY ${JSONCPP_LIBRARY})
+  if (_jsoncpp_lib)
+    list(APPEND _sinsp_link_libs ${_jsoncpp_lib})
+    unset(_jsoncpp_lib)
  endif()

-  find_path(TBB_INCLUDE_DIR
+  find_library(_re2_lib NO_CACHE
+    NAMES re2
+    HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" "${SINSP_HINTS}/lib/falcosecurity"
+    PATHS
+    /usr/lib
+    /usr/local/lib
+  )
+  if (_re2_lib)
+    list(APPEND _sinsp_link_libs ${_re2_lib})
+    unset(_re2_lib)
+  endif()
+
+  find_path(_tbb_include_dir NO_CACHE
    NAMES tbb/tbb.h
    HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
+    PATHS
    /usr/include
    /usr/local/include
  )
-  if (TBB_INCLUDE_DIR)
-    list(APPEND SINSP_INCLUDE_DIRS ${TBB_INCLUDE_DIR})
+  if (_tbb_include_dir)
+    list(APPEND _sinsp_include_dirs ${_tbb_include_dir})
+    unset(_tbb_include_dir)
  endif()

-  find_library(TBB_LIBRARY
-    NAMES tbb
-    HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
+  find_library(_tbb_lib NO_CACHE
+    NAMES tbb tbb12
+    HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" "${SINSP_HINTS}/lib/falcosecurity"
    PATHS
    /usr/lib
    /usr/local/lib
  )
-  if (TBB_LIBRARY)
-    list(APPEND JSONCPP_LIBRARY ${TBB_LIBRARY})
+  if (_tbb_lib)
+    list(APPEND _sinsp_link_libs ${_tbb_lib})
+    unset(_tbb_lib)
  endif()
+
+  # This is terrible, but libsinsp/libscap doesn't support dynamic linking on Windows (yet).
+  find_path(_zlib_include_dir NO_CACHE
+    NAMES zlib/zlib.h
+    HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
+    PATHS
+    /usr/include
+    /usr/local/include
+  )
+  if (_zlib_include_dir)
+    list(APPEND _sinsp_include_dirs ${_zlib_include_dir})
+    unset(_zlib_include_dir)
+  endif()
+
+  find_library(_zlib_lib NO_CACHE
+    NAMES zlib
+    HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" "${SINSP_HINTS}/lib/falcosecurity"
+    PATHS
+    /usr/lib
+    /usr/local/lib
+  )
+  if (_zlib_lib)
+    list(APPEND _sinsp_link_libs ${_zlib_lib})
+    unset(_zlib_lib)
+  endif()
+
+  if(_sinsp_include_dirs AND _sinsp_link_libs)
+    list(REMOVE_DUPLICATES _sinsp_include_dirs)
+    set(SINSP_INCLUDE_DIRS ${_sinsp_include_dirs} CACHE PATH "Paths to libsinsp and libscap headers")
+    set(SINSP_LINK_LIBRARIES ${_sinsp_link_libs} CACHE PATH "Paths to libsinsp, libscap, etc.")
+    set(SINSP_FOUND 1)
+    unset(_sinsp_include_dirs)
+    unset(_sinsp_link_libs)
+  endif()
+
 endif()

 # As https://cmake.org/cmake/help/latest/command/link_directories.html
--- a/extcap/CMakeLists.txt
+++ b/extcap/CMakeLists.txt
@ -82,9 +82,7 @@ macro(set_extcap_executable_properties _executable)
 endmacro()

 macro(set_extlog_executable_properties _executable)
-	set_target_properties(${_executable} PROPERTIES
-		RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/run/extcap
-	)
+	set_extcap_executable_properties(${_executable})
 	if(ENABLE_APPLICATION_BUNDLE)
 		if(NOT CMAKE_CFG_INTDIR STREQUAL ".")
 			# Xcode
@ -364,13 +362,10 @@ if(BUILD_falcodump AND SINSP_FOUND)
 	add_executable(falcodump ${falcodump_FILES})
 	set_extlog_executable_properties(falcodump)
 	target_link_libraries(falcodump ${falcodump_LIBS})
-	target_include_directories(falcodump SYSTEM PRIVATE ${SINSP_INCLUDE_DIRS})
+	target_include_directories(falcodump SYSTEM PRIVATE ${SINSP_INCLUDE_DIRS} ${ZLIB_INCLUDE_DIR})
 	install(TARGETS falcodump RUNTIME DESTINATION ${EXTCAP_INSTALL_LIBDIR})
 	add_dependencies(extcaps falcodump)

-	# XXX Hack; We need to fix this in falcosecurity-libs.
-	target_compile_definitions(falcodump PRIVATE HAVE_STRLCPY=1)
-
 endif()

 #
--- a/plugins/epan/falco_bridge/CMakeLists.txt
+++ b/plugins/epan/falco_bridge/CMakeLists.txt
@ -49,6 +49,7 @@ target_compile_definitions(falco-bridge PRIVATE

 target_include_directories(falco-bridge SYSTEM PRIVATE
 	${SINSP_INCLUDE_DIRS}
+	${ZLIB_INCLUDE_DIR}
 )

 target_link_libraries(falco-bridge
--- a/plugins/epan/falco_bridge/packet-falco-bridge.c
+++ b/plugins/epan/falco_bridge/packet-falco-bridge.c
@ -552,9 +552,9 @@ static gchar* sysdig_thread_build_filter(packet_info *pinfo, void *user_data _U_
 static gchar* sysdig_fd_build_filter(packet_info *pinfo, void *user_data _U_) {
    falco_conv_filter_fields cff;
    extract_syscall_conversation_fields(pinfo, &cff);
-    return ws_strdup_printf("container.id==\"%s\" && thread.tid==%" PRIu64 " && fd.containername==\"%s\"", 
-        cff.container_id, 
-        cff.tid, 
+    return ws_strdup_printf("container.id==\"%s\" && thread.tid==%" PRIu64 " && fd.containername==\"%s\"",
+        cff.container_id,
+        cff.tid,
        cff.fd_containername);
 }

@ -889,8 +889,8 @@ dissect_sinsp_enriched(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void
        return tvb_captured_length(tvb);
    }

-    proto_tree *parent_trees[NUM_SINSP_SYSCALL_CATEGORIES] = {};
-    proto_tree *lineage_trees[N_PROC_LINEAGE_ENTRIES] = {};
+    proto_tree *parent_trees[NUM_SINSP_SYSCALL_CATEGORIES] = {0};
+    proto_tree *lineage_trees[N_PROC_LINEAGE_ENTRIES] = {0};
    bool is_io_write = false;
    const char* io_buffer = NULL;
    uint32_t io_buffer_len = 0;
--- a/plugins/epan/falco_bridge/sinsp-span.cpp
+++ b/plugins/epan/falco_bridge/sinsp-span.cpp
@ -46,7 +46,7 @@ typedef struct sinsp_source_info_t {
    std::vector<const filter_check_info *> syscall_filter_checks;
    std::vector<const filtercheck_field_info *> syscall_filter_fields;
    std::vector<gen_event_filter_check *> syscall_event_filter_checks;  // Same size as syscall_filter_fields
-    std::vector<const sinsp_syscall_category_e> field_to_category;      // Same size as syscall_filter_fields
+    std::vector<sinsp_syscall_category_e> field_to_category;            // Same size as syscall_filter_fields
    sinsp_evt *evt;
    uint8_t *evt_storage;
    size_t evt_storage_size;