osmocom
/
wireshark
11
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Falco Bridge: Update to match falcosecurity-libs 0.8.0. 

Update sinsp-span to use the current Falco libs APIs. Update the
FindSinsp CMake module to use pkg-config.
This commit is contained in:
Gerald Combs 2022-07-19 10:24:16 -07:00
parent 08feb35af0
commit ec1986cb97
5 changed files with 148 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmake/modules/.editorconfig
View File

@ -1,3 +1,7 @@
[FindAsciidoctor.cmake]
indent_style = space
indent_size = 4
[FindSinsp.cmake]
indent_style = space
indent_size = 2

246
cmake/modules/FindSinsp.cmake
View File

@ -1,132 +1,160 @@
#
# - Find libsinsp
# Find libsinsp and libscap includes and libraries
# - Find libsinsp and libscap
# Find libsinsp and libscap includes and libraries.
# Adapted from FindZSTD.cmake.
#
# SINSP_INCLUDE_DIRS - Where to find sinsp.h, scap.h, etc.
# SINSP_LIBRARIES - List of libraries when using libsinsp.
# SINSP_PLUGINS - List of plugins.
# SINSP_FOUND - True if libsinsp found.
# SINSP_DLL_DIR - (Windows) Path to the libsinsp and libscap DLLs
# SINSP_DLL - (Windows) Name of the libsinsp and libscap DLLs
# This module will look for libsinsp and libscap using pkg-config. If that
# fails, it will search ${SINSP_INCLUDEDIR} and ${SINSP_HINTS}/include
# for the libsinsp and libscap include directory and ${SINSP_LIBDIR} and
# ${SINSP_HINTS}/lib for the libsinsp and libscap libraries.
#
# It will set the following variables:
#
# SINSP_FOUND - True if libsinsp found.
# SINSP_INCLUDE_DIRS - Where to find sinsp.h, scap.h, etc.
# SINSP_LINK_LIBRARIES - List of libraries when using libsinsp.
# SINSP_PLUGINS - List of plugins.
# To do:
# SINSP_DLL_DIR - (Windows) Path to the libsinsp and libscap DLLs
# SINSP_DLL - (Windows) Name of the libsinsp and libscap DLLs
include( FindWSWinLibs )
FindWSWinLibs( "libsinsp-.*" "SINSP_HINTS" )
if( NOT WIN32)
find_package(PkgConfig)
pkg_search_module(Sinsp libsinsp)
pkg_check_modules(SINSP libsinsp)
endif()
find_path(SINSP_INCLUDE_DIR
NAMES sinsp.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
PATH_SUFFIXES userspace/libsinsp
/usr/include
/usr/local/include
)
if(NOT SINSP_FOUND)
# pkg_check_modules didn't work, so look for ourselves.
find_path(SINSP_INCLUDE_DIRS
NAMES sinsp.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
PATH_SUFFIXES falcosecurity/userspace/libsinsp
/usr/include
/usr/local/include
)
find_path(SCAP_INCLUDE_DIR
NAMES scap.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
PATH_SUFFIXES userspace/libscap
/usr/include
/usr/local/include
)
find_path(_scap_include_dir
NAMES scap.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
PATH_SUFFIXES falcosecurity/userspace/libscap
/usr/include
/usr/local/include
)
if(_scap_include_dir)
list(APPEND SINSP_INCLUDE_DIRS _scap_include_dir)
endif()
unset(_scap_include_dir)
find_library(SINSP_LINK_LIBRARIES
NAMES sinsp
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
PATHS falcosecurity
/usr/lib
/usr/local/lib
)
set(_scap_libs
scap
scap_engine_util
scap_event_schema
driver_event_schema
scap_engine_bpf
scap_engine_gvisor
scap_engine_kmod
scap_engine_nodriver
scap_engine_noop
scap_engine_savefile
scap_engine_source_plugin
scap_engine_udig
)
foreach(_scap_lib ${_scap_libs})
find_library(_lib
NAMES ${_scap_lib}
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
PATHS falcosecurity
/usr/lib
/usr/local/lib
)
if (_lib)
list(APPEND SINSP_LINK_LIBRARIES ${_lib})
endif()
endforeach()
unset(_scap_libs)
unset(_scap_lib)
unset(_lib)
if(SINSP_INCLUDE_DIRS AND JSONCPP_LIBRARY)
set(SINSP_FOUND 1)
endif()
find_path(JSONCPP_INCLUDE_DIR
NAMES json/json.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
PATH_SUFFIXES jsoncpp
/usr/include
/usr/local/include
)
if (JSON_INCLUDE_DIR)
list(APPEND SINSP_INCLUDE_DIRS ${JSONCPP_INCLUDE_DIR})
endif()
find_library(JSONCPP_LIBRARY
NAMES jsoncpp
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
PATHS
/usr/lib
/usr/local/lib
)
if (JSONCPP_LIBRARY)
list(APPEND JSONCPP_LIBRARY ${JSONCPP_LIBRARY})
endif()
find_path(TBB_INCLUDE_DIR
NAMES tbb/tbb.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
/usr/include
/usr/local/include
)
if (TBB_INCLUDE_DIR)
list(APPEND SINSP_INCLUDE_DIRS ${TBB_INCLUDE_DIR})
endif()
find_library(TBB_LIBRARY
NAMES tbb
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
PATHS
/usr/lib
/usr/local/lib
)
if (TBB_LIBRARY)
list(APPEND JSONCPP_LIBRARY ${TBB_LIBRARY})
endif()
endif()
find_path(SINSP_PLUGIN_DIR
NAMES registry.yaml
HINTS "${SINSP_PLUGINDIR}"
)
# https://github.com/falcosecurity/libs doesn't yet have any official releases
# or tags. Add RelWithDebInfo to our sinsp and scap path suffixes so that we
# can find what we need in a local build.
find_library(SINSP_LIBRARY
NAMES sinsp
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
PATH_SUFFIXES libsinsp libsinsp/RelWithDebInfo
PATHS
/usr/lib
/usr/local/lib
)
find_library(SCAP_LIBRARY
NAMES scap
HINTS "${SINSP_LIBDIR}" "${SINSP_HINTS}/lib"
PATH_SUFFIXES libscap libscap/RelWithDebInfo
PATHS
/usr/lib
/usr/local/lib
)
find_path(JSON_INCLUDE_DIR
NAMES json/json.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
PATH_SUFFIXES userspace/libsinsp/third-party/jsoncpp
/usr/include
/usr/include/jsoncpp
/usr/local/include
)
find_library(JSONCPP_LIBRARY
NAMES jsoncpp
HINTS "${SINSP_LIBDIR}" "${SCAP_HINTS}/lib"
PATHS
/usr/lib
/usr/local/lib
)
find_path(TBB_INCLUDE_DIR
NAMES tbb/tbb.h
HINTS "${SINSP_INCLUDEDIR}" "${SINSP_HINTS}/include"
/usr/include
/usr/local/include
)
find_library(TBB_LIBRARY
NAMES tbb
HINTS "${SINSP_LIBDIR}" "${SCAP_HINTS}/lib"
PATHS
/usr/lib
/usr/local/lib
)
# if( SINSP_INCLUDE_DIR AND SCAP_INCLUDE_DIR AND SINSP_LIBRARY AND SCAP_LIBRARY )
# file(STRINGS ${SINSP_INCLUDE_DIR}/sinsp.h SINSP_VERSION_MAJOR
# REGEX "#define[ ]+SINSP_VERSION_MAJOR[ ]+[0-9]+")
# string(REGEX MATCH "[0-9]+" SINSP_VERSION_MAJOR ${SINSP_VERSION_MAJOR})
# file(STRINGS ${SINSP_INCLUDE_DIR}/sinsp.h SINSP_VERSION_MINOR
# REGEX "#define[ ]+SINSP_VERSION_MINOR[ ]+[0-9]+")
# string(REGEX MATCH "[0-9]+" SINSP_VERSION_MINOR ${SINSP_VERSION_MINOR})
# file(STRINGS ${SINSP_INCLUDE_DIR}/sinsp.h SINSP_VERSION_RELEASE
# REGEX "#define[ ]+SINSP_VERSION_RELEASE[ ]+[0-9]+")
# string(REGEX MATCH "[0-9]+" SINSP_VERSION_RELEASE ${SINSP_VERSION_RELEASE})
# set(SINSP_VERSION ${SINSP_VERSION_MAJOR}.${SINSP_VERSION_MINOR}.${SINSP_VERSION_RELEASE})
# endif()
# As https://cmake.org/cmake/help/latest/command/link_directories.html
# says, "Prefer to pass full absolute paths to libraries where possible,
# since this ensures the correct library will always be linked," so use
# SINSP_LINK_LIBRARIES instead of SINSP_LIBRARIES
# XXX SINSP_VERSION will require peeking for a #define or something similar.
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(Sinsp
REQUIRED_VARS
SINSP_LIBRARY SINSP_INCLUDE_DIR
SCAP_LIBRARY SCAP_INCLUDE_DIR
JSON_INCLUDE_DIR
SINSP_INCLUDE_DIRS
SINSP_LINK_LIBRARIES
SINSP_PLUGIN_DIR
# VERSION_VAR SINSP_VERSION
# VERSION_VAR SINSP_VERSION
)
if( SINSP_FOUND )
set(SINSP_INCLUDE_DIRS ${SINSP_INCLUDE_DIR} ${SCAP_INCLUDE_DIR} ${JSON_INCLUDE_DIR})
if(TBB_INCLUDE_DIR)
list(APPEND SINSP_INCLUDE_DIRS ${TBB_INCLUDE_DIR})
endif()
set(SINSP_LIBRARIES ${SINSP_LIBRARY} ${SCAP_LIBRARY})
if (JSONCPP_LIBRARY)
list(APPEND SINSP_LIBRARIES ${JSONCPP_LIBRARY})
endif()
if (TBB_LIBRARY)
list(APPEND SINSP_LIBRARIES ${TBB_LIBRARY})
endif()
if(SINSP_FOUND)
if (WIN32)
set(SINSP_PLUGINS ${SINSP_PLUGIN_DIR}/plugins/cloudtrail/cloudtrail.dll)
else()
@ -146,9 +174,9 @@ if( SINSP_FOUND )
# mark_as_advanced( SINSP_DLL_DIR SINSP_DLL )
# endif()
else()
set( SINSP_INCLUDE_DIRS )
set( SINSP_LIBRARIES )
set( SINSP_PLUGINS )
set(SINSP_INCLUDE_DIRS)
set(SINSP_LINK_LIBRARIES)
set(SINSP_PLUGINS)
endif()
mark_as_advanced( SINSP_LIBRARIES SINSP_INCLUDE_DIRS SINSP_PLUGINS )
mark_as_advanced(SINSP_INCLUDE_DIRS SINSP_LINK_LIBRARIES SINSP_PLUGINS)

2
plugins/epan/falco_bridge/CMakeLists.txt
View File

@ -52,7 +52,7 @@ target_include_directories(falco-bridge SYSTEM PRIVATE
target_link_libraries(falco-bridge
epan
${SINSP_LIBRARIES}
${SINSP_LINK_LIBRARIES}
)
install_plugin(falco-bridge epan)

12
plugins/epan/falco_bridge/sinsp-span.cpp
View File

@ -65,7 +65,7 @@ create_sinsp_source(sinsp_span_t *sinsp_span, const char* libname, sinsp_source_
sinsp_source_info_t *ssi = new sinsp_source_info_t();
try {
sinsp_plugin *sp = sinsp_span->inspector.register_plugin(libname, "{}").get();
sinsp_plugin *sp = sinsp_span->inspector.register_plugin(libname).get();
if (sp->caps() & CAP_EXTRACTION) {
ssi->source = dynamic_cast<sinsp_plugin *>(sp);
} else {
@ -75,6 +75,11 @@ create_sinsp_source(sinsp_span_t *sinsp_span, const char* libname, sinsp_source_
err_str = g_strdup_printf("Caught sinsp exception %s", e.what());
}
std::string init_err;
if (!ssi->source->init("{}", init_err)) {
err_str = g_strdup_printf("Unable to initialize %s: %s", libname, init_err.c_str());
}
if (err_str) {
delete ssi;
return err_str;
@ -91,11 +96,6 @@ uint32_t get_sinsp_source_id(sinsp_source_info_t *ssi)
return ssi->source->id();
}
bool init_sinsp_source(sinsp_source_info_t *ssi, const char *config)
{
return ssi->source->init(config);
}
const char *get_sinsp_source_last_error(sinsp_source_info_t *ssi)
{
if (ssi->last_error) {

1
plugins/epan/falco_bridge/sinsp-span.h
View File

@ -65,7 +65,6 @@ char *create_sinsp_source(sinsp_span_t *sinsp_span, const char* libname, sinsp_s
// Extractor plugin routines.
// These roughly match common_plugin_info
uint32_t get_sinsp_source_id(sinsp_source_info_t *ssi);
bool init_sinsp_source(sinsp_source_info_t *ssi, const char *config);
const char *get_sinsp_source_last_error(sinsp_source_info_t *ssi);
const char *get_sinsp_source_name(sinsp_source_info_t *ssi);
const char* get_sinsp_source_description(sinsp_source_info_t *ssi);