
Support for big endian capture files

Open deepskyblue86 opened this issue 3 years ago • 7 comments

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area libscap

/area libsinsp

What this PR does / why we need it: Support for big endian capture files

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

feat: support for big endian capture files

deepskyblue86 avatar Jul 05 '22 17:07 deepskyblue86

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: deepskyblue86 To complete the pull request process, please assign ldegio after the PR has been reviewed. You can assign the PR to them by writing /assign @ldegio in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

poiana avatar Jul 06 '22 17:07 poiana

@jasondellaluce should I do anything about plugins?

deepskyblue86 avatar Jul 07 '22 08:07 deepskyblue86

@deepskyblue86 plugin events are not parsed by sinsp, and their events are regular sinsp_evts. Contents of the plugin event blocks are just accessed through sinsp_evt::get_type() and sinsp_evt::get_param(), so as long as we have them adapted we should be good to go.

jasondellaluce avatar Jul 07 '22 11:07 jasondellaluce

@jasondellaluce sinsp_evt::get_param doesn't know about the underlying type, so maybe the plugin owners will have to deal with the decoding themselves? :thinking:

deepskyblue86 avatar Jul 07 '22 13:07 deepskyblue86

As discussed privately with @deepskyblue86 , I don't think consumers of sinsp_evt should be aware of these changes. I think the endianness swap might be performed directly within sinsp_evt when decoding the parameters. The type of each parameter can be found by a simple array lookup to the g_event_info table.

This has the benefit of segregating all the logic in the same place from the perspective of libsinsp, and can potentially also be disabled while consuming events in live mode so that we don't add any overhead in that case.

jasondellaluce avatar Jul 07 '22 15:07 jasondellaluce
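The approach sketched in the two comments above (plugin events read only through get_type()/get_param(), and the byte swap done once inside the event decoder by looking the parameter types up in a per-event-type table) as an added example. This is not code from this PR or from the libs code base: the event table, wire layout, type names and function names here are simplified stand-ins for the real g_event_info table and scap event block format, and the capture file's byte order is passed in as a flag rather than read from a file header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified parameter types; the real per-event table in libs is g_event_info. */
enum param_type { PT_UINT8 = 0, PT_UINT16, PT_UINT32, PT_UINT64, PT_CHARBUF };

struct event_info {
    const char *name;
    uint16_t nparams;
    enum param_type types[4];
};

/* Constructed one-entry event table for this example, indexed by event type. */
static const struct event_info k_event_info[] = {
    { "EXAMPLE_OPEN", 3, { PT_CHARBUF, PT_UINT32, PT_UINT64 } },
};
#define K_NUM_EVENT_TYPES (sizeof(k_event_info) / sizeof(k_event_info[0]))

struct decoded_param {
    enum param_type type;
    const uint8_t *data;  /* raw bytes inside the event buffer */
    uint16_t len;
    uint64_t value;       /* integer params, already converted to host order */
};

bool host_is_big_endian(void) {
    const uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0;
}

static uint16_t bswap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }
static uint32_t bswap32(uint32_t v) {
    return ((uint32_t)bswap16((uint16_t)v) << 16) | bswap16((uint16_t)(v >> 16));
}
static uint64_t bswap64(uint64_t v) {
    return ((uint64_t)bswap32((uint32_t)v) << 32) | bswap32((uint32_t)(v >> 32));
}
static uint16_t read_u16(const uint8_t *p, bool swap) {
    uint16_t v;
    memcpy(&v, p, 2);
    return swap ? bswap16(v) : v;
}

/*
 * Wire layout assumed for the example (not the real scap block format):
 *   [u16 type][u16 nparams][u16 len[nparams]][param bytes ...]
 * Swapping happens only when the file's byte order differs from the host's, so
 * a live capture decoded on the same machine pays nothing. A capture file is
 * untrusted input, so every length is checked before it is used.
 * Returns the number of decoded params, or -1 if the buffer is malformed.
 */
int decode_event(const uint8_t *buf, size_t buflen, bool file_big_endian,
                 struct decoded_param *out, size_t max_out) {
    const bool swap = file_big_endian != host_is_big_endian();
    if (buflen < 4) return -1;
    uint16_t type = read_u16(buf, swap);
    uint16_t nparams = read_u16(buf + 2, swap);
    if (type >= K_NUM_EVENT_TYPES) return -1;
    const struct event_info *info = &k_event_info[type];
    if (nparams != info->nparams || nparams > max_out) return -1;

    size_t off = 4;
    if (buflen - off < (size_t)nparams * 2) return -1;
    const uint8_t *lens = buf + off;
    off += (size_t)nparams * 2;

    for (uint16_t i = 0; i < nparams; i++) {
        uint16_t len = read_u16(lens + 2 * i, swap);
        if (buflen - off < len) return -1;  /* length from the file must fit the buffer */
        out[i].type = info->types[i];
        out[i].data = buf + off;
        out[i].len = len;
        out[i].value = 0;
        switch (info->types[i]) {
        case PT_UINT8:  if (len != 1) return -1; out[i].value = buf[off]; break;
        case PT_UINT16: if (len != 2) return -1; out[i].value = read_u16(buf + off, swap); break;
        case PT_UINT32: { if (len != 4) return -1; uint32_t v; memcpy(&v, buf + off, 4);
                          out[i].value = swap ? bswap32(v) : v; break; }
        case PT_UINT64: { if (len != 8) return -1; uint64_t v; memcpy(&v, buf + off, 8);
                          out[i].value = swap ? bswap64(v) : v; break; }
        case PT_CHARBUF: break;  /* byte strings have no byte order; left as-is */
        }
        off += len;
    }
    return (int)nparams;
}

/* Constructed sample: EXAMPLE_OPEN("/etc/passwd", 0x12345678, 0x1122334455667788), big-endian. */
static const uint8_t k_sample_be_event[] = {
    0x00, 0x00,                          /* type = 0 */
    0x00, 0x03,                          /* nparams = 3 */
    0x00, 0x0B, 0x00, 0x04, 0x00, 0x08,  /* lens: 11, 4, 8 */
    '/', 'e', 't', 'c', '/', 'p', 'a', 's', 's', 'w', 'd',
    0x12, 0x34, 0x56, 0x78,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
};

/* Decodes the sample and checks the string param came through untouched. */
static bool decode_sample(struct decoded_param *p) {
    if (decode_event(k_sample_be_event, sizeof k_sample_be_event, true, p, 4) != 3) return false;
    return p[0].len == 11 && memcmp(p[0].data, "/etc/passwd", 11) == 0;
}
uint32_t sample_u32_param(void) { struct decoded_param p[4]; return decode_sample(p) ? (uint32_t)p[1].value : 0; }
uint64_t sample_u64_param(void) { struct decoded_param p[4]; return decode_sample(p) ? p[2].value : 0; }
/* A truncated copy of the sample must be rejected instead of read past its end. */
bool truncated_sample_is_rejected(void) {
    struct decoded_param p[4];
    return decode_event(k_sample_be_event, 20, true, p, 4) == -1;
}
```

The point of doing the swap in one place is that a consumer only ever sees host-order integers in `value`, whatever the file's byte order was, and character buffers are never touched; the same decoder also serves live mode, where `swap` evaluates to false and the code path reduces to plain copies.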

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

:memo: Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

  • f35d6a4 fix: scap_get_swap_endian ptr check

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

poiana avatar Jul 07 '22 15:07 poiana

A similar approach (using the event table and resolving endianness issues inside sinsp_evt) has been used in https://github.com/falcosecurity/libs/pull/551.

jasondellaluce avatar Aug 25 '22 10:08 jasondellaluce

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Nov 23 '22 15:11 poiana

/milestone 0.11.0

FedeDP avatar Dec 02 '22 13:12 FedeDP

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Jan 01 '23 15:01 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana avatar Jan 31 '23 15:01 poiana

@poiana: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

poiana avatar Jan 31 '23 15:01 poiana