new(falco): add base_syscalls.all option to falco.yaml

Signed-off-by: Luca Guerra <luca@guerra.sh>
falcosecurity · Sep 30, 2024 · 12a1487 · 12a1487
1 parent 11bac9d
commit 12a1487
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 1 deletion.
diff --git a/falco.yaml b/falco.yaml
@@ -1155,6 +1155,14 @@ metrics:
 # Falco, the `base_syscalls` option allows for finer end-user control of
 # syscalls traced by Falco.
 #
+# --- [base_syscalls.all]
+#
+# `base_syscalls.all` enables monitoring of all events supported by Falco and
+# defined in rules and configs.
+# By default some events, such as `write`, are ignored (run `falco -i` to get
+# the full list) unless base_syscalls.all is true.
+# This option may negatively impact performance.
+#
 # --- [base_syscalls.custom_set]
 #
 # CAUTION: Misconfiguration of this setting may result in incomplete Falco event

diff --git a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
@@ -421,6 +421,34 @@ TEST_F(test_falco_engine, selection_empty_custom_base_set_repair)
 	ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
 }
 
+TEST_F(test_falco_engine, base_syscalls_all)
+{
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
+	falco::app::state s7;
+	// run app action with fake engine and with the `-A` option
+	s7.engine = m_engine;
+
+	// simulate empty custom set but repair option set.
+	s7.config->m_base_syscalls_custom_set = {};
+	s7.config->m_base_syscalls_repair = true;
+	s7.config->m_base_syscalls_all = true;
+	auto result = falco::app::actions::configure_interesting_sets(s7);
+	auto s7_rules_set = s7.engine->sc_codes_for_ruleset(s_sample_source, s_sample_ruleset);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s7.selected_sc_set);
+	auto expected_sc_names = strset_t({
+		// note: expecting syscalls from mock rules and `sinsp_repair_state_sc_set` enforced syscalls
+		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "procexit", \
+		"bind", "socket", "clone3", "close", "setuid"
+	});
+	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
+	auto s7_state_set = libsinsp::events::sinsp_repair_state_sc_set(s7_rules_set);
+	ASSERT_EQ(s7.selected_sc_set, s7_state_set);
+	ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
+}
+
 TEST(ConfigureInterestingSets, ignored_set_expected_size)
 {
 	// unit test fence to make sure we don't have unexpected regressions

diff --git a/userspace/falco/app/actions/configure_interesting_sets.cpp b/userspace/falco/app/actions/configure_interesting_sets.cpp
@@ -185,7 +185,7 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
 	       without high volume syscalls
 	 * (2) -A flag set: all syscalls in rules included, sinsp state enforcement
 	       and allowing high volume syscalls */
-	if(!s.options.all_events)
+	if(!(s.options.all_events || s.config->m_base_syscalls_all))
 	{
 		auto ignored_sc_set = falco::app::ignored_sc_set();
 		auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);

diff --git a/userspace/falco/config_json_schema.h b/userspace/falco/config_json_schema.h
@@ -277,6 +277,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
             "type": "object",
             "additionalProperties": false,
             "properties": {
+                "all": {
+                    "type": "boolean"
+                },
                 "custom_set": {
                     "type": "array",
                     "items": {

diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
@@ -69,6 +69,7 @@ falco_configuration::falco_configuration():
 	m_syscall_evt_simulate_drops(false),
 	m_syscall_evt_timeout_max_consecutives(1000),
 	m_falco_libs_thread_table_size(DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE),
+	m_base_syscalls_all(false),
 	m_base_syscalls_repair(false),
 	m_metrics_enabled(false),
 	m_metrics_interval_str("5000"),
@@ -551,6 +552,7 @@ void falco_configuration::load_yaml(const std::string& config_name)
 	m_base_syscalls_custom_set.clear();
 	m_config.get_sequence<std::unordered_set<std::string>>(m_base_syscalls_custom_set, std::string("base_syscalls.custom_set"));
 	m_base_syscalls_repair = m_config.get_scalar<bool>("base_syscalls.repair", false);
+	m_base_syscalls_all = m_config.get_scalar<bool>("base_syscalls.all", false);
 
 	m_metrics_enabled = m_config.get_scalar<bool>("metrics.enabled", false);
 	m_metrics_interval_str = m_config.get_scalar<std::string>("metrics.interval", "5000");

diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
@@ -185,6 +185,7 @@ class falco_configuration
 
 	// User supplied base_syscalls, overrides any Falco state engine enforcement.
 	std::unordered_set<std::string> m_base_syscalls_custom_set;
+	bool m_base_syscalls_all;
 	bool m_base_syscalls_repair;
 
 	// metrics configs