libs
new(driver,userspace): automatically generate syscall_info_table entries at startup time
What type of PR is this?
/kind cleanup /kind feature
Any specific area of the project related to this PR?
/area driver-kmod /area driver-bpf /area driver-modern-bpf /area libscap /area libsinsp
Does this PR require a change in the driver versions?
I don't think so since we are using the automatic generic filler / event.
What this PR does / why we need it:
We use lazy generation, i.e. the first time scap_get_syscall_info_table is called, we fill the table.
The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one).
Moreover, added generic event support for https://github.com/falcosecurity/falco/issues/1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no event mapping for them.
Only downside: we lost the ability to mark "generic" syscalls with a proper category. I don't think it is a huge downside, yet I want to highlight it.
Which issue(s) this PR fixes:
We add string-support (through generic event) for all syscalls listed here: https://github.com/falcosecurity/falco/issues/1998
A proper specific filler, where needed, will be introduced in subsequent PRs.
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
NONE
TODO:
- [x] fix non-linux CI.
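The lazy fill and category fallback described in the PR text above, as an added sketch that is not the project's code. Every name except `EC_UNKNOWN` and `event_table` is a hypothetical stand-in, and all table rows are constructed sample data.

```c
#include <stdio.h>

/* Hypothetical stand-ins: only EC_UNKNOWN and the event_table idea come from
   the PR text. All rows below are constructed sample data. */
enum category { EC_UNKNOWN = 0, EC_FILE, EC_NET, EC_PROCESS };
struct event_info { const char *name; enum category cat; };
struct syscall_info { char name[32]; enum category cat; };

#define NO_EVENT (-1)
#define N_EVENTS 3
#define N_SYSCALLS 5

static const struct event_info event_table[N_EVENTS] = {
    { "open", EC_FILE }, { "connect", EC_NET }, { "clone", EC_PROCESS },
};

/* Syscall name plus the specific event it maps to; NO_EVENT means only the
   generic event covers it. */
static const struct { const char *name; int event_id; } syscall_src[N_SYSCALLS] = {
    { "open", 0 }, { "connect", 1 }, { "clone", 2 },
    { "mknod", NO_EVENT }, { "process_vm_readv", NO_EVENT },
};

static struct syscall_info table[N_SYSCALLS];
static int table_filled; /* plain flag: concurrent first callers need a once-guard */
static int fill_count;   /* counts fills so laziness can be checked */

static void fill_table(void) {
    for (int i = 0; i < N_SYSCALLS; i++) {
        int ev = syscall_src[i].event_id;
        snprintf(table[i].name, sizeof table[i].name, "%s", syscall_src[i].name);
        /* Category comes from the mapped event; unmapped or out-of-range
           ids fall back to EC_UNKNOWN. */
        table[i].cat = (ev >= 0 && ev < N_EVENTS) ? event_table[ev].cat : EC_UNKNOWN;
    }
    fill_count++;
}

/* Fills the table on the first call only, then returns the cached copy. */
const struct syscall_info *demo_get_syscall_info_table(void) {
    if (!table_filled) { fill_table(); table_filled = 1; }
    return table;
}

int main(void) {
    const struct syscall_info *t = demo_get_syscall_info_table();
    for (int i = 0; i < N_SYSCALLS; i++)
        printf("%-18s category=%d\n", t[i].name, (int)t[i].cat);
    return 0;
}
```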
Rebased on top of master.
Addressed review comments @Andreagit97 ! Thanks btw :)
LGTM label has been added.
You're welcome Mauro :100:
/hold
Rebased on top of master @Andreagit97 @Molter73 !
LGTM label has been added.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Andreagit97, FedeDP, leogr, Molter73
- ~~OWNERS~~ [Andreagit97,FedeDP,Molter73,leogr]
/unhold