From c5364be191f580a7a1edce3314ea7ace0cff8a86 Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Mon, 20 Nov 2023 17:19:40 +0100
Subject: [PATCH] new: print system info when Falco starts
Print kernel info when Falco starts with a kernel driver
Signed-off-by: Andrea Terzolo
---
userspace/falco/CMakeLists.txt | 1 +
userspace/falco/app/actions/actions.h | 1 +
.../app/actions/print_kernel_version.cpp | 49 +++++++++++++++++++
userspace/falco/app/app.cpp | 1 +
userspace/falco/app/state.h | 5 ++
5 files changed, 57 insertions(+)
create mode 100644 userspace/falco/app/actions/print_kernel_version.cpp
diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt
index c2fc26f8205..6d8ebd435b2 100644
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@@ -36,6 +36,7 @@ set(
 app/actions/print_generated_gvisor_config.cpp
 app/actions/print_help.cpp
 app/actions/print_ignored_events.cpp
+ app/actions/print_kernel_version.cpp
 app/actions/print_plugin_info.cpp
 app/actions/print_support.cpp
 app/actions/print_syscall_events.cpp
diff --git a/userspace/falco/app/actions/actions.h b/userspace/falco/app/actions/actions.h
index 1910e5fa654..b5d4e73b57f 100644
--- a/userspace/falco/app/actions/actions.h
+++ b/userspace/falco/app/actions/actions.h
@@ -41,6 +41,7 @@ falco::app::run_result load_rules_files(falco::app::state& s);
 falco::app::run_result print_generated_gvisor_config(falco::app::state& s);
 falco::app::run_result print_help(falco::app::state& s);
 falco::app::run_result print_ignored_events(falco::app::state& s);
+falco::app::run_result print_kernel_version(falco::app::state& s);
 falco::app::run_result print_page_size(falco::app::state& s);
 falco::app::run_result print_plugin_info(falco::app::state& s);
 falco::app::run_result print_support(falco::app::state& s);
diff --git a/userspace/falco/app/actions/print_kernel_version.cpp b/userspace/falco/app/actions/print_kernel_version.cpp
new file mode 100644
index 00000000000..cb0269ed2e4
--- /dev/null
+++ b/userspace/falco/app/actions/print_kernel_version.cpp
@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "actions.h"
+#include "helpers.h"
+#include "../app.h"
+#include
+#include
+#include
+
+using namespace falco::app;
+using namespace falco::app::actions;
+
+falco::app::run_result falco::app::actions::print_kernel_version(falco::app::state& s)
+{
+#ifdef __linux__
+ // We print this info only when a kernel driver is injected
+ if(s.is_modern_ebpf() || s.is_ebpf() || s.is_kmod())
+ {
+ std::ifstream input_file("/proc/version");
+ if(!input_file.is_open())
+ {
+ // We don't want to fail, we just need to log something
+ falco_logger::log(falco_logger::level::INFO, "Cannot read under '/proc/version' (err_message: '" + std::string(strerror(errno)) + "', err_code: " + std::to_string(errno) + "). No info provided, go on.");
+ return run_result::ok();
+ }
+
+ std::stringstream buffer;
+ buffer << input_file.rdbuf();
+ std::string contents(buffer.str());
+ falco_logger::log(falco_logger::level::INFO, "System info: " + contents);
+ }
+#endif
+ return run_result::ok();
+}
diff --git a/userspace/falco/app/app.cpp b/userspace/falco/app/app.cpp
index 6d1578a0fd0..37302de17b9 100644
--- a/userspace/falco/app/app.cpp
+++ b/userspace/falco/app/app.cpp
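Review bot: In `print_kernel_version.cpp`, the `!input_file.is_open()` branch reads `errno` twice inside one string concatenation, while `std::string` temporaries are being built, so the logged `err_message` and `err_code` are not guaranteed to describe the failed open or even to agree with each other. Saving it first with `const int err = errno;` as the first statement of that branch, then logging `strerror(err)` and `std::to_string(err)`, keeps the two fields consistent. Whether `std::ifstream` sets `errno` at all is implementation-dependent, so the value is best treated as a hint. The success path logs the file content verbatim, which presumably ends in a newline, so trimming trailing whitespace before `"System info: " + contents` would keep the record on one line for log parsers. The three bare `#include` lines lost their header names on this page, so it cannot be confirmed here that `<cerrno>` and `<cstring>` are among them.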
@@ -62,6 +62,7 @@ bool falco::app::run(falco::app::state& s, bool& restart, std::string& errstr)
 std::list run_steps = {
 falco::app::actions::load_config,
 falco::app::actions::print_help,
+ falco::app::actions::print_kernel_version,
 falco::app::actions::print_version,
 falco::app::actions::print_page_size,
 falco::app::actions::print_generated_gvisor_config,
diff --git a/userspace/falco/app/state.h b/userspace/falco/app/state.h
index ff927c86ccd..7b420ad917a 100644
--- a/userspace/falco/app/state.h
+++ b/userspace/falco/app/state.h
@@ -155,6 +155,11 @@ struct state
 return config->m_engine_mode == engine_kind_t::GVISOR;
 }
+ inline bool is_kmod() const
+ {
+ return config->m_engine_mode == engine_kind_t::KMOD;
+ }
+
 inline bool is_ebpf() const
 {
 return config->m_engine_mode == engine_kind_t::EBPF;
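Review bot: In the `app.cpp` hunk, `print_kernel_version` is registered in `run_steps` ahead of `print_version`, `print_page_size` and `print_generated_gvisor_config`, so invocations that only print something and exit would presumably also emit the `System info:` log line whenever the configured engine is kmod, ebpf or modern eBPF. If the logger writes to the same stream those commands print to, scripts that parse their output would see an extra line; moving the step after the one-shot print actions would confine it to real startups. A short comment on the new list entry, such as `// logged only when a kernel driver engine is selected`, would also explain the placement. The `run_steps` list continues outside this hunk, so the later steps are not visible here.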