diff --git a/userspace/falco/app/actions/helpers_inspector.cpp b/userspace/falco/app/actions/helpers_inspector.cpp index 28df58d221d..5be80abccdc 100644 --- a/userspace/falco/app/actions/helpers_inspector.cpp +++ b/userspace/falco/app/actions/helpers_inspector.cpp @@ -20,6 +20,7 @@ limitations under the License. #include #include +#include #include "helpers.h" @@ -52,6 +53,13 @@ falco::app::run_result falco::app::actions::open_live_inspector( std::shared_ptr inspector, const std::string& source) { + + bool is_driver_mode_from_cmdline = (s.options.nodriver || + s.is_gvisor_enabled() || + s.options.modern_bpf || + getenv(FALCO_BPF_ENV_VARIABLE) != NULL + ); + try { if (source != falco_common::syscall_source) /* Plugin engine */ @@ -71,7 +79,7 @@ falco::app::run_result falco::app::actions::open_live_inspector( } return run_result::fatal("Can't find plugin for event source: " + source); } - else if (s.options.nodriver) /* nodriver engine. */ + else if (s.options.nodriver || (!is_driver_mode_from_cmdline && s.config->m_driver_mode == driver_mode_type::NODRIVER)) /* nodriver engine. */ { // when opening a capture with no driver, Falco will first check // if a plugin is capable of generating raw events from the libscap @@ -90,18 +98,18 @@ falco::app::run_result falco::app::actions::open_live_inspector( falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with no driver\n"); inspector->open_nodriver(); } - else if(s.is_gvisor_enabled()) /* gvisor engine. */ + else if(s.is_gvisor_enabled() || (!is_driver_mode_from_cmdline && s.config->m_driver_mode == driver_mode_type::GVISOR)) /* gvisor engine. */ { falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with gVisor. Configuration path: " + s.options.gvisor_config); inspector->open_gvisor(s.options.gvisor_config, s.options.gvisor_root); } - else if(s.options.modern_bpf) /* modern BPF engine. */ + else if(s.options.modern_bpf || (!is_driver_mode_from_cmdline && s.config->m_driver_mode == driver_mode_type::MODERN_BPF)) /* modern BPF engine. */ { falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with modern BPF probe."); falco_logger::log(falco_logger::level::INFO, "One ring buffer every '" + std::to_string(s.config->m_cpus_for_each_syscall_buffer) + "' CPUs."); inspector->open_modern_bpf(s.syscall_buffer_bytes_size, s.config->m_cpus_for_each_syscall_buffer, true, s.selected_sc_set); } - else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL) /* BPF engine. */ + else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL || (!is_driver_mode_from_cmdline && s.config->m_driver_mode == driver_mode_type::BPF)) /* BPF engine. */ { const char *bpf_probe_path = std::getenv(FALCO_BPF_ENV_VARIABLE); char full_path[PATH_MAX]; diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp index 582dff09f2f..7e9f6b5c841 100644 --- a/userspace/falco/app/options.cpp +++ b/userspace/falco/app/options.cpp @@ -22,6 +22,7 @@ limitations under the License. #include #include +#include namespace falco { namespace app { @@ -149,7 +150,11 @@ bool options::parse(int argc, char **argv, std::string &errstr) open_modes += !trace_filename.empty(); open_modes += !gvisor_config.empty(); open_modes += modern_bpf; - open_modes += getenv("FALCO_BPF_PROBE") != NULL; + if(getenv("FALCO_BPF_PROBE") != NULL) + { + falco_logger::log(LOG_WARNING, "DEPRECATION NOTICE: the FALCO_BPF_PROBE environment variable will be soon deprecated!\n"); + open_modes += 1; + } open_modes += nodriver; if (open_modes > 1) { diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index c98cac5f454..5b007028ad5 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -116,6 +116,8 @@ static driver_mode_type get_driver_mode(const std::string& input){ {"kmod",driver_mode_type::KMOD}, {"bpf",driver_mode_type::BPF}, {"modern_bpf",driver_mode_type::MODERN_BPF}, + {"gvisor",driver_mode_type::GVISOR}, + {"nodriver",driver_mode_type::NODRIVER}, {"custom",driver_mode_type::CUSTOM}, }; diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h index 643c54ee6c6..392e4478f9e 100644 --- a/userspace/falco/configuration.h +++ b/userspace/falco/configuration.h @@ -43,6 +43,8 @@ enum class driver_mode_type : uint8_t KMOD, BPF, MODERN_BPF, + GVISOR, + NODRIVER, CUSTOM };