From 4501b64b9daeb0ce279b697c9789014550a7e636 Mon Sep 17 00:00:00 2001
From: Luca Guerra <luca@guerra.sh>
Date: Mon, 30 Sep 2024 15:58:26 +0000
Subject: [PATCH] new(falco): add buffer_format_base64

Signed-off-by: Luca Guerra <luca@guerra.sh>
---
 falco.yaml                                      | 7 +++++++
 userspace/falco/app/actions/init_inspectors.cpp | 7 ++++++-
 userspace/falco/app/options.cpp                 | 2 +-
 userspace/falco/app/options.h                   | 1 +
 userspace/falco/config_json_schema.h            | 3 +++
 userspace/falco/configuration.cpp               | 2 ++
 userspace/falco/configuration.h                 | 1 +
 7 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/falco.yaml b/falco.yaml
index c917967ec69..80d7926b22c 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -492,6 +492,13 @@ plugins:
 # the /etc/localtime configuration.
 time_format_iso_8601: false
 
+# [Incubating] `buffer_format_base64`
+#
+# When enabled, Falco will output data buffer with base64 encoding. This is useful
+# for encoding binary data that needs to be used over media designed to consume
+# this format.
+buffer_format_base64: false
+
 # [Stable] `priority`
 #
 # Any rule with a priority level more severe than or equal to the specified
diff --git a/userspace/falco/app/actions/init_inspectors.cpp b/userspace/falco/app/actions/init_inspectors.cpp
index 2aca8fc2d9b..39a4b689fa9 100644
--- a/userspace/falco/app/actions/init_inspectors.cpp
+++ b/userspace/falco/app/actions/init_inspectors.cpp
@@ -26,7 +26,12 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 static void init_syscall_inspector(falco::app::state& s, std::shared_ptr<sinsp> inspector) {
-	inspector->set_buffer_format(s.options.event_buffer_format);
+	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+	if(s.options.print_base64 || s.config->m_buffer_format_base64) {
+		event_buffer_format = sinsp_evt::PF_BASE64;
+	}
+
+	inspector->set_buffer_format(event_buffer_format);
 
 	//
 	// Container engines
diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp
index 7f5285ec5ca..2839b77cbe5 100644
--- a/userspace/falco/app/options.cpp
+++ b/userspace/falco/app/options.cpp
@@ -74,7 +74,7 @@ bool options::parse(int argc, char **argv, std::string &errstr) {
 	}
 
 	if(m_cmdline_parsed.count("b") > 0) {
-		event_buffer_format = sinsp_evt::PF_BASE64;
+		print_base64 = true;
 	}
 
 	if(m_cmdline_parsed.count("r") > 0) {
diff --git a/userspace/falco/app/options.h b/userspace/falco/app/options.h
index 76d73d998e8..6b7b6db8362 100644
--- a/userspace/falco/app/options.h
+++ b/userspace/falco/app/options.h
@@ -47,6 +47,7 @@ class options {
 	std::string conf_filename;
 	bool all_events = false;
 	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+	bool print_base64 = false;
 	std::vector<std::string> disable_sources;
 	std::vector<std::string> enable_sources;
 	std::string gvisor_generate_config_with_socket;
diff --git a/userspace/falco/config_json_schema.h b/userspace/falco/config_json_schema.h
index 34081bc4ece..92ae04fe109 100644
--- a/userspace/falco/config_json_schema.h
+++ b/userspace/falco/config_json_schema.h
@@ -80,6 +80,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                 "time_format_iso_8601": {
                     "type": "boolean"
                 },
+                "buffer_format_base64": {
+                    "type": "boolean"
+                },
                 "priority": {
                     "type": "string"
                 },
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index 26f2fd96691..b2359ed1da4 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -74,6 +74,7 @@ falco_configuration::falco_configuration():
         m_buffered_outputs(false),
         m_outputs_queue_capacity(DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE),
         m_time_format_iso_8601(false),
+        m_buffer_format_base64(false),
         m_output_timeout(2000),
         m_grpc_enabled(false),
         m_grpc_threadiness(0),
@@ -491,6 +492,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	}
 
 	m_time_format_iso_8601 = m_config.get_scalar<bool>("time_format_iso_8601", false);
+	m_buffer_format_base64 = m_config.get_scalar<bool>("buffer_format_base64", false);
 
 	m_webserver_enabled = m_config.get_scalar<bool>("webserver.enabled", false);
 	m_webserver_config.m_threadiness = m_config.get_scalar<uint32_t>("webserver.threadiness", 0);
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index f330f238b8f..ba6eb201e01 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -153,6 +153,7 @@ class falco_configuration {
 	bool m_buffered_outputs;
 	size_t m_outputs_queue_capacity;
 	bool m_time_format_iso_8601;
+	bool m_buffer_format_base64;
 	uint32_t m_output_timeout;
 
 	bool m_grpc_enabled;