chore(userspace): renamed driver. config to engine.; renamed `eng…

…ine.replay.scap_file` to `engine.replay.trace_file`. Signed-off-by: Federico Di Pierro <[email protected]>
falcosecurity · Nov 17, 2023 · b69160c · b69160c
1 parent e56bfa4
commit b69160c
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 79 deletions.
diff --git a/falco.yaml b/falco.yaml
@@ -775,29 +775,27 @@ metrics:
 # Falco driver #
 ################
 
-# [Stable] `driver`
+# [Stable] `engine`
 #
 # --- [Description]
 #
-# Falco supports different driver modes for capturing syscall events. The choice
-# of driver mode can significantly impact the performance and compatibility of
-# Falco with your system. Choose the appropriate driver mode based on your
-# system's configuration and requirements.
+# Falco supports different engines to generate events.
+# Choose the appropriate engine kind based on your system's configuration and requirements.
 #
-# Available driver kinds:
+# Available engines:
 # - `kmod`: Kernel Module (Kernel Module)
 # - `ebpf`: eBPF (Extended Berkeley Packet Filter)
 # - `modern-ebpf`: Modern eBPF (Modern Extended Berkeley Packet Filter), available only for recent kernels
-# - `none`: No Driver (No driver loaded, useful to run `syscall` source plugin or just plugins without loading any driver)
 # - `gvisor`: gVisor (gVisor sandbox)
-# - `replay`: Replay a scap file
+# - `replay`: Replay a scap trace file
+# - `none`: No engine loaded, useful to run `syscall` source plugin or just plugins without loading any other event producer.
 
-# Select the appropriate driver mode by uncommenting the corresponding line.
-# Make sure to specify only one driver mode at a time.
-# Moreover, for each driver multiple options might be available and are grouped 
-# under the `driver.$kind` configuration key.
+# Select the appropriate engine kind by uncommenting the corresponding line.
+# Make sure to specify only one engine kind at a time.
+# Moreover, for each engine multiple options might be available,
+# grouped under the `engine.$kind` configuration key.
 
-driver:
+engine:
   kind: kmod
   kmod:
     buf_size_preset: 4 # Overridden by deprecated syscall_buf_size_preset
@@ -811,7 +809,7 @@ driver:
     buf_size_preset: 4 # Overridden by deprecated syscall_buf_size_preset
     drop_failed_exit: false # Overridden by deprecated syscall_drop_failed_exit
   replay:
-    scap_file: /path/to/file.scap
+    trace_file: /path/to/file.scap
   gvisor:
     config: /path/to/gvisor.yaml
     root: /gvisor/root
@@ -822,7 +820,7 @@ driver:
 
 # [DEPRECATED] `syscall_buf_size_preset`
 #
-# Deprecated in favor of driver.{kmod,ebpf,modern-ebpf}.buf_size_preset
+# Deprecated in favor of engine.{kmod,ebpf,modern-ebpf}.buf_size_preset
 #
 # --- [Description]
 #
@@ -875,7 +873,7 @@ driver:
 syscall_buf_size_preset: 4
 
 # [DEPRECATED] `syscall_drop_failed_exit`
-# Deprecated in favor of driver.{kmod,ebpf,modern-ebpf}.drop_failed_exit
+# Deprecated in favor of engine.{kmod,ebpf,modern-ebpf}.drop_failed_exit
 #
 # Enabling this option in Falco allows it to drop failed system call exit events
 # in the kernel drivers before pushing them onto the ring buffer. This
@@ -1002,7 +1000,7 @@ base_syscalls:
 
 # [DEPRECATED] `modern_bpf.cpus_for_each_syscall_buffer`, modern_bpf only
 #
-# Deprecated in favor of driver.modern-ebpf.cpus_for_each_syscall_buffer
+# Deprecated in favor of engine.modern-ebpf.cpus_for_each_syscall_buffer
 #
 # --- [Description]
 #

diff --git a/unit_tests/falco/app/actions/test_select_event_sources.cpp b/unit_tests/falco/app/actions/test_select_event_sources.cpp
@@ -30,7 +30,7 @@ TEST(ActionSelectEventSources, pre_post_conditions)
     // ignore source selection in capture mode
     {
         falco::app::state s;
-        s.config->m_driver_mode = driver_mode_type::REPLAY;
+        s.config->m_engine_mode = engine_kind_t::REPLAY;
         EXPECT_TRUE(s.is_capture_mode());
         EXPECT_ACTION_OK(action(s));
     }

diff --git a/userspace/falco/app/actions/helpers_inspector.cpp b/userspace/falco/app/actions/helpers_inspector.cpp
@@ -35,13 +35,13 @@ falco::app::run_result falco::app::actions::open_offline_inspector(falco::app::s
 {
 	try
 	{
-		s.offline_inspector->open_savefile(s.config->m_replay.m_scap_file);
-		falco_logger::log(falco_logger::level::INFO, "Reading system call events from file: " + s.config->m_replay.m_scap_file + "\n");
+		s.offline_inspector->open_savefile(s.config->m_replay.m_trace_file);
+		falco_logger::log(falco_logger::level::INFO, "Reading system call events from file: " + s.config->m_replay.m_trace_file + "\n");
 		return run_result::ok();
 	}
 	catch (sinsp_exception &e)
 	{
-		return run_result::fatal("Could not open trace filename " + s.config->m_replay.m_scap_file + " for reading: " + e.what());
+		return run_result::fatal("Could not open trace filename " + s.config->m_replay.m_trace_file + " for reading: " + e.what());
 	}
 }
 
@@ -69,7 +69,7 @@ falco::app::run_result falco::app::actions::open_live_inspector(
 			}
 			return run_result::fatal("Can't find plugin for event source: " + source);
 		}
-		else if (s.config->m_driver_mode == driver_mode_type::NONE) /* nodriver engine. */
+		else if (s.config->m_engine_mode == engine_kind_t::NONE) /* nodriver engine. */
 		{
 			// when opening a capture with no driver, Falco will first check
 			// if a plugin is capable of generating raw events from the libscap
@@ -93,13 +93,13 @@ falco::app::run_result falco::app::actions::open_live_inspector(
 			falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with gVisor. Configuration path: " + s.config->m_gvisor.m_config);
 			inspector->open_gvisor(s.config->m_gvisor.m_config, s.config->m_gvisor.m_root);
 		}
-		else if(s.config->m_driver_mode == driver_mode_type::MODERN_EBPF) /* modern BPF engine. */
+		else if(s.config->m_engine_mode == engine_kind_t::MODERN_EBPF) /* modern BPF engine. */
 		{
 			falco_logger::log(falco_logger::level::INFO, "Opening '" + source + "' source with modern BPF probe.");
 			falco_logger::log(falco_logger::level::INFO, "One ring buffer every '" + std::to_string(s.config->m_modern_bpf.m_cpus_for_each_syscall_buffer) +  "' CPUs.");
 			inspector->open_modern_bpf(s.syscall_buffer_bytes_size, s.config->m_modern_bpf.m_cpus_for_each_syscall_buffer, true, s.selected_sc_set);
 		}
-		else if(s.config->m_driver_mode == driver_mode_type::EBPF) /* BPF engine. */
+		else if(s.config->m_engine_mode == engine_kind_t::EBPF) /* BPF engine. */
 		{
 			const char *bpf_probe_path = s.config->m_bpf.m_probe_path.c_str();
 			char full_path[PATH_MAX];

diff --git a/userspace/falco/app/actions/load_config.cpp b/userspace/falco/app/actions/load_config.cpp
@@ -31,27 +31,27 @@ static falco::app::run_result apply_deprecated_options(falco::app::state& s)
 	// use the requested driver.
 	if (getenv(FALCO_BPF_ENV_VARIABLE))
 	{
-		s.config->m_driver_mode = driver_mode_type::EBPF;
+		s.config->m_engine_mode = engine_kind_t::EBPF;
 		s.config->m_bpf.m_probe_path = getenv(FALCO_BPF_ENV_VARIABLE);
 	}
 	else if (s.options.modern_bpf)
 	{
-		s.config->m_driver_mode = driver_mode_type::MODERN_EBPF;
+		s.config->m_engine_mode = engine_kind_t::MODERN_EBPF;
 	}
 	if (!s.options.gvisor_config.empty())
 	{
-		s.config->m_driver_mode =  driver_mode_type::GVISOR;
+		s.config->m_engine_mode =  engine_kind_t::GVISOR;
 		s.config->m_gvisor.m_config = s.options.gvisor_config;
 		s.config->m_gvisor.m_root = s.options.gvisor_root;
 	}
 	if (s.options.nodriver)
 	{
-		s.config->m_driver_mode =  driver_mode_type::NONE;
+		s.config->m_engine_mode =  engine_kind_t::NONE;
 	}
 	if (!s.options.trace_filename.empty())
 	{
-		s.config->m_driver_mode = driver_mode_type::REPLAY;
-		s.config->m_replay.m_scap_file = s.options.trace_filename;
+		s.config->m_engine_mode = engine_kind_t::REPLAY;
+		s.config->m_replay.m_trace_file = s.options.trace_filename;
 	}
 	return run_result::ok();
 }

diff --git a/userspace/falco/app/state.h b/userspace/falco/app/state.h
@@ -147,12 +147,12 @@ struct state
 
     inline bool is_capture_mode() const 
     {
-        return config->m_driver_mode == driver_mode_type::REPLAY;
+        return config->m_engine_mode == engine_kind_t::REPLAY;
     }
 
     inline bool is_gvisor_enabled() const
     {
-        return config->m_driver_mode == driver_mode_type::GVISOR;
+        return config->m_engine_mode == engine_kind_t::GVISOR;
     }
 
     inline bool is_source_enabled(const std::string& src) const 
@@ -163,15 +163,15 @@ struct state
     inline bool is_driver_drop_failed_exit_enabled() const
     {
 	bool drop_failed;
-	switch (config->m_driver_mode)
+	switch (config->m_engine_mode)
 	{
-	case driver_mode_type::KMOD:
+	case engine_kind_t::KMOD:
 		drop_failed = config->m_kmod.m_drop_failed_exit;
 		break;
-	case driver_mode_type::EBPF:
+	case engine_kind_t::EBPF:
 		drop_failed = config->m_bpf.m_drop_failed_exit;
 		break;
-	case driver_mode_type::MODERN_EBPF:
+	case engine_kind_t::MODERN_EBPF:
 		drop_failed = config->m_modern_bpf.m_drop_failed_exit;
 		break;
 	default:
@@ -184,14 +184,14 @@ struct state
     inline int16_t driver_buf_size_preset() const
     {
 	int16_t index;
-	switch (config->m_driver_mode) {
-	case driver_mode_type::KMOD:
+	switch (config->m_engine_mode) {
+	case engine_kind_t::KMOD:
 		index = config->m_kmod.m_buf_size_preset;
 		break;
-	case driver_mode_type::EBPF:
+	case engine_kind_t::EBPF:
 		index = config->m_bpf.m_buf_size_preset;
 		break;
-	case driver_mode_type::MODERN_EBPF:
+	case engine_kind_t::MODERN_EBPF:
 		index = config->m_modern_bpf.m_buf_size_preset;
 		break;
 	default:

diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
@@ -41,7 +41,7 @@ namespace fs = std::filesystem;
 static re2::RE2 ip_address_re("((^\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\s*$)|(^\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?\\s*$))");
 
 falco_configuration::falco_configuration():
-	m_driver_mode(driver_mode_type::KMOD),
+	m_engine_mode(engine_kind_t::KMOD),
 	m_json_output(false),
 	m_json_include_output_property(true),
 	m_json_include_tags_property(true),
@@ -104,71 +104,71 @@ void falco_configuration::init(const std::string& conf_filename, const std::vect
 	load_yaml(conf_filename, config);
 }
 
-void falco_configuration::load_driver_config(const std::string& config_name, const yaml_helper& config)
+void falco_configuration::load_engine_config(const std::string& config_name, const yaml_helper& config)
 {
 	// Set driver mode if not already set.
-	const std::unordered_map<std::string, driver_mode_type> driver_mode_lut = {
-		{"kmod",driver_mode_type::KMOD},
-		{"ebpf",driver_mode_type::EBPF},
-		{"modern-ebpf",driver_mode_type::MODERN_EBPF},
-		{"replay",driver_mode_type::REPLAY},
-		{"gvisor",driver_mode_type::GVISOR},
-		{"none",driver_mode_type::NONE},
+	const std::unordered_map<std::string, engine_kind_t> engine_mode_lut = {
+		{"kmod",engine_kind_t::KMOD},
+		{"ebpf",engine_kind_t::EBPF},
+		{"modern-ebpf",engine_kind_t::MODERN_EBPF},
+		{"replay",engine_kind_t::REPLAY},
+		{"gvisor",engine_kind_t::GVISOR},
+		{"none",engine_kind_t::NONE},
 	};
 
-	auto driver_mode_str = config.get_scalar<std::string>("driver.kind", "kmod");
-	if (driver_mode_lut.find(driver_mode_str) != driver_mode_lut.end())
+	auto driver_mode_str = config.get_scalar<std::string>("engine.kind", "kmod");
+	if (engine_mode_lut.find(driver_mode_str) != engine_mode_lut.end())
 	{
-		m_driver_mode = driver_mode_lut.at(driver_mode_str);
+		m_engine_mode = engine_mode_lut.at(driver_mode_str);
 	}
 	else
 	{
-		throw std::logic_error("Error reading config file (" + config_name + "): wrong driver.kind specified.");
+		throw std::logic_error("Error reading config file (" + config_name + "): wrong engine.kind specified.");
 	}
 
-	switch (m_driver_mode)
+	switch (m_engine_mode)
 	{
-	case driver_mode_type::KMOD:
-		m_kmod.m_buf_size_preset = config.get_scalar<int16_t>("driver.kmod.buf_size_preset", 4);
-		m_kmod.m_drop_failed_exit = config.get_scalar<bool>("driver.kmod.drop_failed", false);
+	case engine_kind_t::KMOD:
+		m_kmod.m_buf_size_preset = config.get_scalar<int16_t>("engine.kmod.buf_size_preset", 4);
+		m_kmod.m_drop_failed_exit = config.get_scalar<bool>("engine.kmod.drop_failed", false);
 		break;
-	case driver_mode_type::EBPF:
+	case engine_kind_t::EBPF:
 		// TODO: default value for `probe` should be $HOME/FALCO_PROBE_BPF_FILEPATH,
 		// to be done once we drop the CLI option otherwise we would need to make the check twice,
 		// once here, and once when we merge the CLI options in the config file.
-		m_bpf.m_probe_path = config.get_scalar<std::string>("driver.ebpf.probe", "");
-		m_bpf.m_buf_size_preset = config.get_scalar<int16_t>("driver.ebpf.buf_size_preset", 4);
-		m_bpf.m_drop_failed_exit = config.get_scalar<bool>("driver.ebpf.drop_failed", false);
+		m_bpf.m_probe_path = config.get_scalar<std::string>("engine.ebpf.probe", "");
+		m_bpf.m_buf_size_preset = config.get_scalar<int16_t>("engine.ebpf.buf_size_preset", 4);
+		m_bpf.m_drop_failed_exit = config.get_scalar<bool>("engine.ebpf.drop_failed", false);
 		break;
-	case driver_mode_type::MODERN_EBPF:
-		m_modern_bpf.m_cpus_for_each_syscall_buffer = config.get_scalar<uint16_t>("driver.modern-ebpf.cpus_for_each_syscall_buffer", 2);
-		m_modern_bpf.m_buf_size_preset = config.get_scalar<int16_t>("driver.modern-ebpf.buf_size_preset", 4);
-		m_modern_bpf.m_drop_failed_exit = config.get_scalar<bool>("driver.modern-ebpf.drop_failed", false);
+	case engine_kind_t::MODERN_EBPF:
+		m_modern_bpf.m_cpus_for_each_syscall_buffer = config.get_scalar<uint16_t>("engine.modern-ebpf.cpus_for_each_syscall_buffer", 2);
+		m_modern_bpf.m_buf_size_preset = config.get_scalar<int16_t>("engine.modern-ebpf.buf_size_preset", 4);
+		m_modern_bpf.m_drop_failed_exit = config.get_scalar<bool>("engine.modern-ebpf.drop_failed", false);
 		break;
-	case driver_mode_type::REPLAY:
-		m_replay.m_scap_file = config.get_scalar<std::string>("driver.replay.scap_file", "");
-		if (m_replay.m_scap_file.empty())
+	case engine_kind_t::REPLAY:
+		m_replay.m_trace_file = config.get_scalar<std::string>("engine.replay.trace_file", "");
+		if (m_replay.m_trace_file.empty())
 		{
-			throw std::logic_error("Error reading config file (" + config_name + "): driver.kind is 'replay' but no driver.replay.scap_file specified.");
+			throw std::logic_error("Error reading config file (" + config_name + "): engine.kind is 'replay' but no engine.replay.trace_file specified.");
 		}
 		break;
-	case driver_mode_type::GVISOR:
-		m_gvisor.m_config = config.get_scalar<std::string>("driver.gvisor.config", "");
+	case engine_kind_t::GVISOR:
+		m_gvisor.m_config = config.get_scalar<std::string>("engine.gvisor.config", "");
 		if (m_gvisor.m_config.empty())
 		{
-			throw std::logic_error("Error reading config file (" + config_name + "): driver.kind is 'gvisor' but no driver.gvisor.config specified.");
+			throw std::logic_error("Error reading config file (" + config_name + "): engine.kind is 'gvisor' but no engine.gvisor.config specified.");
 		}
-		m_gvisor.m_root = config.get_scalar<std::string>("driver.gvisor.root", "");
+		m_gvisor.m_root = config.get_scalar<std::string>("engine.gvisor.root", "");
 		break;
-	case driver_mode_type::NONE:
+	case engine_kind_t::NONE:
 	default:
 		break;
 	}
 }
 
 void falco_configuration::load_yaml(const std::string& config_name, const yaml_helper& config)
 {
-	load_driver_config(config_name, config);
+	load_engine_config(config_name, config);
 	m_log_level = config.get_scalar<std::string>("log_level", "info");
 
 	std::list<std::string> rules_files;

diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
@@ -37,7 +37,7 @@ limitations under the License.
 #include "event_drops.h"
 #include "falco_outputs.h"
 
-enum class driver_mode_type : uint8_t
+enum class engine_kind_t : uint8_t
 {
 	KMOD,
 	EBPF,
@@ -81,7 +81,7 @@ class falco_configuration
 
 	typedef struct {
 	public:
-		std::string m_scap_file;
+		std::string m_trace_file;
 	} replay_config;
 
 	typedef struct {
@@ -104,7 +104,7 @@ class falco_configuration
 	std::list<std::string> m_loaded_rules_filenames;
 	// List of loaded rule folders
 	std::list<std::string> m_loaded_rules_folders;
-	driver_mode_type m_driver_mode;
+	engine_kind_t m_engine_mode;
 	bool m_json_output;
 	bool m_json_include_output_property;
 	bool m_json_include_tags_property;
@@ -170,7 +170,7 @@ class falco_configuration
 private:
 	void load_yaml(const std::string& config_name, const yaml_helper& config);
 
-	void load_driver_config(const std::string& config_name, const yaml_helper& config);
+	void load_engine_config(const std::string& config_name, const yaml_helper& config);
 
 	void init_cmdline_options(yaml_helper& config, const std::vector<std::string>& cmdline_options);