new: print system info when Falco starts

Print kernel info when Falco starts with a kernel driver Signed-off-by: Andrea Terzolo <[email protected]>
falcosecurity · Nov 28, 2023 · c5364be · c5364be
1 parent ce4d28e
commit c5364be
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 0 deletions.
diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt
@@ -36,6 +36,7 @@ set(
   app/actions/print_generated_gvisor_config.cpp
   app/actions/print_help.cpp
   app/actions/print_ignored_events.cpp
+  app/actions/print_kernel_version.cpp
   app/actions/print_plugin_info.cpp
   app/actions/print_support.cpp
   app/actions/print_syscall_events.cpp

diff --git a/userspace/falco/app/actions/actions.h b/userspace/falco/app/actions/actions.h
@@ -41,6 +41,7 @@ falco::app::run_result load_rules_files(falco::app::state& s);
 falco::app::run_result print_generated_gvisor_config(falco::app::state& s);
 falco::app::run_result print_help(falco::app::state& s);
 falco::app::run_result print_ignored_events(falco::app::state& s);
+falco::app::run_result print_kernel_version(falco::app::state& s);
 falco::app::run_result print_page_size(falco::app::state& s);
 falco::app::run_result print_plugin_info(falco::app::state& s);
 falco::app::run_result print_support(falco::app::state& s);

diff --git a/userspace/falco/app/actions/print_kernel_version.cpp b/userspace/falco/app/actions/print_kernel_version.cpp
@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "actions.h"
+#include "helpers.h"
+#include "../app.h"
+#include <fstream>
+#include <sstream>
+#include <errno.h>
+
+using namespace falco::app;
+using namespace falco::app::actions;
+
+falco::app::run_result falco::app::actions::print_kernel_version(falco::app::state& s)
+{
+#ifdef __linux__
+	// We print this info only when a kernel driver is injected
+	if(s.is_modern_ebpf() || s.is_ebpf() || s.is_kmod())
+	{
+		std::ifstream input_file("/proc/version");
+		if(!input_file.is_open())
+		{
+			// We don't want to fail, we just need to log something
+			falco_logger::log(falco_logger::level::INFO, "Cannot read under '/proc/version' (err_message: '" + std::string(strerror(errno)) + "', err_code: " + std::to_string(errno) + "). No info provided, go on.");
+			return run_result::ok();
+		}
+
+		std::stringstream buffer;
+		buffer << input_file.rdbuf();
+		std::string contents(buffer.str());
+		falco_logger::log(falco_logger::level::INFO, "System info: " + contents);
+	}
+#endif
+	return run_result::ok();
+}
diff --git a/userspace/falco/app/app.cpp b/userspace/falco/app/app.cpp
@@ -62,6 +62,7 @@ bool falco::app::run(falco::app::state& s, bool& restart, std::string& errstr)
 	std::list<app_action> run_steps = {
 		falco::app::actions::load_config,
 		falco::app::actions::print_help,
+		falco::app::actions::print_kernel_version,
 		falco::app::actions::print_version,
 		falco::app::actions::print_page_size,
 		falco::app::actions::print_generated_gvisor_config,

diff --git a/userspace/falco/app/state.h b/userspace/falco/app/state.h
@@ -155,6 +155,11 @@ struct state
         return config->m_engine_mode == engine_kind_t::GVISOR;
     }
 
+    inline bool is_kmod() const
+    {
+        return config->m_engine_mode == engine_kind_t::KMOD;
+    }
+
     inline bool is_ebpf() const
     {
         return config->m_engine_mode == engine_kind_t::EBPF;