libs
libs copied to clipboard
falcosecurity
[FEATURE] Add a new `validate` method to the `v-table` architecture
Motivation
I think we need a validation phase before initializing the specific scap engine. The v-table approach offers a init method to initialize the engine, and a match method to understand if this is the right engine, maybe before calling the init method we could call a possible validate method, where we check maybe some engine input parameters (like the buffer dimension)
Feature
Add a new method to the v-table architecture (something like validate) to check that we are confident to open the engine before initializing something.
WDYT? @gnosek @FedeDP @LucaGuerra
Big :+1: for me! We could check:
- opening bpf engine -> minimum version for each arch
- modern_bpf engine -> minimum version for each arch
- kmod -> if module is actually loaded
...etc etc. I think it is very good from a design perspective!
If you have a specific use for it, sure. But also, can this happen e.g. early in init() instead? We could make sure that nothing too complex happens before init() so there's not much to tear down if the validation fails
But also, can this happen e.g. early in init() instead?
@gnosek yeah this is exactly what we are doing today, let's consider the modern probe and its init method as an example:
/* Some checks to test if we can use the modern BPF probe
* - check the ring-buffer dimension in bytes.
* - check the minimum required kernel version.
*
* Please note the presence of BTF is directly checked by `libbpf` see `bpf_object__load_vmlinux_btf` method.
*/
if(check_buffer_bytes_dim(handle->m_lasterr, params->buffer_bytes_dim) != SCAP_SUCCESS)
{
return SCAP_FAILURE;
}
if(check_minimum_kernel_version(handle->m_lasterr) != SCAP_SUCCESS)
{
return SCAP_FAILURE;
}
Right now they are the beginning of the init method. I know that conceptually is almost the same calling them here or in a validate method, but it is also true that before calling
if((*rc = handle->m_vtable->init(handle, oargs)) != SCAP_SUCCESS)
{
snprintf(error, SCAP_LASTERR_SIZE, "%s", handle->m_lasterr);
scap_close(handle);
return NULL;
}
in the scap_open_live_int we perform some stuff... maybe with a validate method we can call it as soon as we have assigned the right v-table :thinking:
Let's say no a must-have feature but maybe we can think of it
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale