Falco bridge+falcodump: Various fixes

Fix building with Visual C++ and recent versions of falco-libs.
Gerald Combs 2023-12-12 14:23:26 -08:00
parent 574fc0e1a6
commit 3588090b2a
5 changed files with 96 additions and 49 deletions


@ -22,7 +22,7 @@
# SINSP_DLL - (Windows) Name of the libsinsp and libscap DLLs # SINSP_DLL - (Windows) Name of the libsinsp and libscap DLLs
include( FindWSWinLibs ) include( FindWSWinLibs )
FindWSWinLibs( "libsinsp-.*" "SINSP_HINTS" ) FindWSWinLibs( "libfalcosecurity-.*" SINSP_HINTS )
include(CMakeDependentOption) include(CMakeDependentOption)
@ -31,17 +31,21 @@ if( NOT USE_REPOSITORY)
pkg_check_modules(SINSP libsinsp) pkg_check_modules(SINSP libsinsp)
endif() endif()
# Include both legacy (#include <sinsp.h>) and current (#include <libsinsp/sinsp.h>) paths for now.
if(NOT SINSP_FOUND) if(NOT SINSP_FOUND)
# pkg_check_modules didn't work, so look for ourselves. # pkg_check_modules didn't work, so look for ourselves.
find_path(SINSP_INCLUDE_DIRS find_path(_sinsp_include_dirs NO_CACHE
NAMES sinsp.h NAMES libsinsp/sinsp.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include" HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
PATH_SUFFIXES falcosecurity/userspace/libsinsp PATH_SUFFIXES falcosecurity/userspace
/usr/include /usr/include
/usr/local/include /usr/local/include
) )
if(_sinsp_include_dirs)
list(APPEND _sinsp_include_dirs ${_sinsp_include_dirs}/libsinsp)
endif()
find_path(_scap_include_dir find_path(_scap_include_dir NO_CACHE
NAMES scap.h NAMES scap.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include" HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
PATH_SUFFIXES falcosecurity/userspace/libscap PATH_SUFFIXES falcosecurity/userspace/libscap
@ -49,11 +53,11 @@ if(NOT SINSP_FOUND)
/usr/local/include /usr/local/include
) )
if(_scap_include_dir) if(_scap_include_dir)
list(APPEND SINSP_INCLUDE_DIRS _scap_include_dir) list(APPEND _sinsp_include_dirs ${_scap_include_dir})
endif() endif()
unset(_scap_include_dir) unset(_scap_include_dir)
find_library(SINSP_LINK_LIBRARIES find_library(_sinsp_link_libs NO_CACHE
NAMES sinsp NAMES sinsp
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
PATHS falcosecurity PATHS falcosecurity
@ -63,21 +67,18 @@ if(NOT SINSP_FOUND)
set(_scap_libs set(_scap_libs
scap scap
scap_engine_util
scap_event_schema
driver_event_schema
scap_engine_bpf
scap_engine_gvisor
scap_engine_kmod
scap_engine_nodriver scap_engine_nodriver
scap_engine_noop scap_engine_noop
scap_engine_savefile scap_engine_savefile
scap_engine_source_plugin scap_engine_source_plugin
scap_engine_udig scap_engine_test_input
scap_error
scap_event_schema
scap_platform_util
) )
foreach(_scap_lib ${_scap_libs}) foreach(_scap_lib ${_scap_libs})
find_library(_lib find_library(_lib NO_CACHE
NAMES ${_scap_lib} NAMES ${_scap_lib}
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
PATHS falcosecurity PATHS falcosecurity
@ -85,58 +86,108 @@ if(NOT SINSP_FOUND)
/usr/local/lib /usr/local/lib
) )
if (_lib) if (_lib)
list(APPEND SINSP_LINK_LIBRARIES ${_lib}) list(APPEND _sinsp_link_libs ${_lib})
unset(_lib)
endif() endif()
endforeach() endforeach()
unset(_scap_libs) unset(_scap_libs)
unset(_scap_lib) unset(_scap_lib)
unset(_lib)
if(SINSP_INCLUDE_DIRS AND JSONCPP_LIBRARY)
set(SINSP_FOUND 1)
endif()
find_path(JSONCPP_INCLUDE_DIR find_path(_jsoncpp_include_dir NO_CACHE
NAMES json/json.h NAMES json/json.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include" HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
PATH_SUFFIXES jsoncpp PATH_SUFFIXES falcosecurity jsoncpp
PATHS
/usr/include /usr/include
/usr/local/include /usr/local/include
) )
if (JSON_INCLUDE_DIR) if (_jsoncpp_include_dir)
list(APPEND SINSP_INCLUDE_DIRS ${JSONCPP_INCLUDE_DIR}) list(APPEND _sinsp_include_dirs ${_jsoncpp_include_dir})
unset(_jsoncpp_include_dir)
endif() endif()
find_library(JSONCPP_LIBRARY find_library(_jsoncpp_lib NO_CACHE
NAMES jsoncpp NAMES jsoncpp
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" "${SINSP_HINTS}/lib/falcosecurity"
PATHS PATHS
/usr/lib /usr/lib
/usr/local/lib /usr/local/lib
) )
if (JSONCPP_LIBRARY) if (_jsoncpp_lib)
list(APPEND JSONCPP_LIBRARY ${JSONCPP_LIBRARY}) list(APPEND _sinsp_link_libs ${_jsoncpp_lib})
unset(_jsoncpp_lib)
endif() endif()
find_path(TBB_INCLUDE_DIR find_library(_re2_lib NO_CACHE
NAMES re2
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" "${SINSP_HINTS}/lib/falcosecurity"
PATHS
/usr/lib
/usr/local/lib
)
if (_re2_lib)
list(APPEND _sinsp_link_libs ${_re2_lib})
unset(_re2_lib)
endif()
find_path(_tbb_include_dir NO_CACHE
NAMES tbb/tbb.h NAMES tbb/tbb.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include" HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
PATHS
/usr/include /usr/include
/usr/local/include /usr/local/include
) )
if (TBB_INCLUDE_DIR) if (_tbb_include_dir)
list(APPEND SINSP_INCLUDE_DIRS ${TBB_INCLUDE_DIR}) list(APPEND _sinsp_include_dirs ${_tbb_include_dir})
unset(_tbb_include_dir)
endif() endif()
find_library(TBB_LIBRARY find_library(_tbb_lib NO_CACHE
NAMES tbb NAMES tbb tbb12
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" "${SINSP_HINTS}/lib/falcosecurity"
PATHS PATHS
/usr/lib /usr/lib
/usr/local/lib /usr/local/lib
) )
if (TBB_LIBRARY) if (_tbb_lib)
list(APPEND JSONCPP_LIBRARY ${TBB_LIBRARY}) list(APPEND _sinsp_link_libs ${_tbb_lib})
unset(_tbb_lib)
endif() endif()
# This is terrible, but libsinsp/libscap doesn't support dynamic linking on Windows (yet).
find_path(_zlib_include_dir NO_CACHE
NAMES zlib/zlib.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
PATHS
/usr/include
/usr/local/include
)
if (_zlib_include_dir)
list(APPEND _sinsp_include_dirs ${_zlib_include_dir})
unset(_zlib_include_dir)
endif()
find_library(_zlib_lib NO_CACHE
NAMES zlib
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib" "${SINSP_HINTS}/lib/falcosecurity"
PATHS
/usr/lib
/usr/local/lib
)
if (_zlib_lib)
list(APPEND _sinsp_link_libs ${_zlib_lib})
unset(_zlib_lib)
endif()
if(_sinsp_include_dirs AND _sinsp_link_libs)
list(REMOVE_DUPLICATES _sinsp_include_dirs)
set(SINSP_INCLUDE_DIRS ${_sinsp_include_dirs} CACHE PATH "Paths to libsinsp and libscap headers")
set(SINSP_LINK_LIBRARIES ${_sinsp_link_libs} CACHE PATH "Paths to libsinsp, libscap, etc.")
set(SINSP_FOUND 1)
unset(_sinsp_include_dirs)
unset(_sinsp_link_libs)
endif()
endif() endif()
# As https://cmake.org/cmake/help/latest/command/link_directories.html # As https://cmake.org/cmake/help/latest/command/link_directories.html
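Review bot: The final check `if(_sinsp_include_dirs AND _sinsp_link_libs)` can pass even when libsinsp itself was not located. A failed `find_path`/`find_library` leaves its variable as `<var>-NOTFOUND`, and the later `list(APPEND ...)` calls for scap, jsoncpp, re2, tbb and zlib turn that into a list that no longer ends in `-NOTFOUND`, so `if()` treats it as true and `SINSP_FOUND` is set with a NOTFOUND entry in the cached values. Keep the sinsp header and library results in their own variables and require both in the final condition, for example `if(_sinsp_include_dir AND _sinsp_lib)`, appending the optional pieces only after that test. Separately, `SINSP_LINK_LIBRARIES` holds library files, so `CACHE FILEPATH` (or `STRING`) describes it better than `CACHE PATH`. The enclosing `if(NOT SINSP_FOUND)` block spans several hunks and is only partly visible here.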


@ -82,9 +82,7 @@ macro(set_extcap_executable_properties _executable)
endmacro() endmacro()
macro(set_extlog_executable_properties _executable) macro(set_extlog_executable_properties _executable)
set_target_properties(${_executable} PROPERTIES set_extcap_executable_properties(${_executable})
RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/run/extcap
)
if(ENABLE_APPLICATION_BUNDLE) if(ENABLE_APPLICATION_BUNDLE)
if(NOT CMAKE_CFG_INTDIR STREQUAL ".") if(NOT CMAKE_CFG_INTDIR STREQUAL ".")
# Xcode # Xcode
@ -364,13 +362,10 @@ if(BUILD_falcodump AND SINSP_FOUND)
add_executable(falcodump ${falcodump_FILES}) add_executable(falcodump ${falcodump_FILES})
set_extlog_executable_properties(falcodump) set_extlog_executable_properties(falcodump)
target_link_libraries(falcodump ${falcodump_LIBS}) target_link_libraries(falcodump ${falcodump_LIBS})
target_include_directories(falcodump SYSTEM PRIVATE ${SINSP_INCLUDE_DIRS}) target_include_directories(falcodump SYSTEM PRIVATE ${SINSP_INCLUDE_DIRS} ${ZLIB_INCLUDE_DIR})
install(TARGETS falcodump RUNTIME DESTINATION ${EXTCAP_INSTALL_LIBDIR}) install(TARGETS falcodump RUNTIME DESTINATION ${EXTCAP_INSTALL_LIBDIR})
add_dependencies(extcaps falcodump) add_dependencies(extcaps falcodump)
# XXX Hack; We need to fix this in falcosecurity-libs.
target_compile_definitions(falcodump PRIVATE HAVE_STRLCPY=1)
endif() endif()
# #
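Review bot: `${ZLIB_INCLUDE_DIR}` is added to falcodump's include path with no visible check that zlib was found; the guard on this block is only `if(BUILD_falcodump AND SINSP_FOUND)`. If zlib is optional in this build and missing, the variable would expand to a `-NOTFOUND` value or to nothing, and the failure would show up later than it needs to. Consider `if(BUILD_falcodump AND SINSP_FOUND AND ZLIB_FOUND)`, or link the `ZLIB::ZLIB` imported target so the headers and the library come from the same package. The same applies to the `${ZLIB_INCLUDE_DIR}` line added to falco-bridge's `target_include_directories`. The `if(BUILD_falcodump ...)` block begins outside the hunk, so an earlier zlib guard may already exist.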


@ -49,6 +49,7 @@ target_compile_definitions(falco-bridge PRIVATE
target_include_directories(falco-bridge SYSTEM PRIVATE target_include_directories(falco-bridge SYSTEM PRIVATE
${SINSP_INCLUDE_DIRS} ${SINSP_INCLUDE_DIRS}
${ZLIB_INCLUDE_DIR}
) )
target_link_libraries(falco-bridge target_link_libraries(falco-bridge


@ -889,8 +889,8 @@ dissect_sinsp_enriched(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void
return tvb_captured_length(tvb); return tvb_captured_length(tvb);
} }
proto_tree *parent_trees[NUM_SINSP_SYSCALL_CATEGORIES] = {}; proto_tree *parent_trees[NUM_SINSP_SYSCALL_CATEGORIES] = {0};
proto_tree *lineage_trees[N_PROC_LINEAGE_ENTRIES] = {}; proto_tree *lineage_trees[N_PROC_LINEAGE_ENTRIES] = {0};
bool is_io_write = false; bool is_io_write = false;
const char* io_buffer = NULL; const char* io_buffer = NULL;
uint32_t io_buffer_len = 0; uint32_t io_buffer_len = 0;


@ -46,7 +46,7 @@ typedef struct sinsp_source_info_t {
std::vector<const filter_check_info *> syscall_filter_checks; std::vector<const filter_check_info *> syscall_filter_checks;
std::vector<const filtercheck_field_info *> syscall_filter_fields; std::vector<const filtercheck_field_info *> syscall_filter_fields;
std::vector<gen_event_filter_check *> syscall_event_filter_checks; // Same size as syscall_filter_fields std::vector<gen_event_filter_check *> syscall_event_filter_checks; // Same size as syscall_filter_fields
std::vector<const sinsp_syscall_category_e> field_to_category; // Same size as syscall_filter_fields std::vector<sinsp_syscall_category_e> field_to_category; // Same size as syscall_filter_fields
sinsp_evt *evt; sinsp_evt *evt;
uint8_t *evt_storage; uint8_t *evt_storage;
size_t evt_storage_size; size_t evt_storage_size;