Adding upstream version 4.2.2.upstream/4.2.2

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 239 insertions, 0 deletions

diff --git a/plugins/epan/falco_bridge/sinsp-span.cpp b/plugins/epan/falco_bridge/sinsp-span.cpp
new file mode 100644
index 00000000..eb2fc7e7
--- /dev/null
+++ b/plugins/epan/falco_bridge/sinsp-span.cpp
@@ -0,0 +1,239 @@
+/* sinsp-span.cpp
+ *
+ * By Gerald Combs
+ * Copyright (C) 2022 Sysdig, Inc.
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "config.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <glib.h>
+
+#ifdef _MSC_VER
+#pragma warning(push)
+#pragma warning(disable:4100)
+#pragma warning(disable:4267)
+#endif
+
+// epan/address.h and driver/ppm_events_public.h both define PT_NONE, so
+// handle libsinsp calls here.
+
+typedef struct hf_register_info hf_register_info;
+
+typedef struct ss_plugin_info ss_plugin_info;
+
+#include "sinsp-span.h"
+
+#include <sinsp.h>
+
+typedef struct sinsp_source_info_t {
+    sinsp_plugin *source;
+    sinsp_evt *evt;
+    uint8_t *evt_storage;
+    size_t evt_storage_size;
+    const char *name;
+    const char *description;
+    char *last_error;
+    const char *fields;
+} sinsp_source_info_t;
+
+typedef struct sinsp_span_t {
+    sinsp inspector;
+} sinsp_span_t;
+
+sinsp_span_t *create_sinsp_span()
+{
+    return new(sinsp_span_t);
+}
+
+void destroy_sinsp_span(sinsp_span_t *sinsp_span) {
+    delete(sinsp_span);
+}
+
+/*
+ * Populate a source_plugin_info struct with the symbols coming from a library loaded via libsinsp
+ */
+char *
+create_sinsp_source(sinsp_span_t *sinsp_span, const char* libname, sinsp_source_info_t **ssi_ptr)
+{
+    char *err_str = NULL;
+    sinsp_source_info_t *ssi = new sinsp_source_info_t();
+
+    try {
+        auto sp = sinsp_span->inspector.register_plugin(libname);
+        if (sp->caps() & CAP_EXTRACTION) {
+            ssi->source = dynamic_cast<sinsp_plugin *>(sp.get());
+        } else {
+            err_str = g_strdup_printf("%s has unsupported plugin capabilities 0x%02x", libname, sp->caps());
+        }
+    } catch (const sinsp_exception& e) {
+        err_str = g_strdup_printf("Caught sinsp exception %s", e.what());
+    }
+
+    std::string init_err;
+    if (!err_str) {
+        if (!ssi->source->init("{}", init_err)) {
+            err_str = g_strdup_printf("Unable to initialize %s: %s", libname, init_err.c_str());
+        }
+    }
+
+    if (err_str) {
+        delete ssi;
+        return err_str;
+    }
+
+    ssi->evt = new sinsp_evt(&sinsp_span->inspector);
+    ssi->evt_storage_size = 4096;
+    ssi->evt_storage = (uint8_t *) g_malloc(ssi->evt_storage_size);
+    ssi->name = strdup(ssi->source->name().c_str());
+    ssi->description = strdup(ssi->source->description().c_str());
+    *ssi_ptr = ssi;
+    return NULL;
+}
+
+uint32_t get_sinsp_source_id(sinsp_source_info_t *ssi)
+{
+    return ssi->source->id();
+}
+
+const char *get_sinsp_source_last_error(sinsp_source_info_t *ssi)
+{
+    if (ssi->last_error) {
+        free(ssi->last_error);
+    }
+    ssi->last_error = strdup(ssi->source->get_last_error().c_str());
+    return ssi->last_error;
+}
+
+const char *get_sinsp_source_name(sinsp_source_info_t *ssi)
+{
+    return ssi->name;
+}
+
+const char *get_sinsp_source_description(sinsp_source_info_t *ssi)
+{
+    return ssi->description;
+}
+
+size_t get_sinsp_source_nfields(sinsp_source_info_t *ssi)
+{
+    return ssi->source->fields().size();
+}
+
+bool get_sinsp_source_field_info(sinsp_source_info_t *ssi, size_t field_num, sinsp_field_info_t *field)
+{
+    if (field_num >= ssi->source->fields().size()) {
+        return false;
+    }
+
+    const filtercheck_field_info *ffi = &ssi->source->fields()[field_num];
+
+    switch (ffi->m_type) {
+    case PT_CHARBUF:
+        field->type = SFT_STRINGZ;
+        break;
+    case PT_UINT64:
+        field->type = SFT_UINT64;
+        break;
+    default:
+        field->type = SFT_UNKNOWN;
+    }
+
+    switch (ffi->m_print_format) {
+    case PF_DEC:
+        field->display_format = SFDF_DECIMAL;
+        break;
+    case PF_HEX:
+        field->display_format = SFDF_HEXADECIMAL;
+        break;
+    case PF_OCT:
+        field->display_format = SFDF_OCTAL;
+        break;
+    default:
+        field->display_format = SFDF_UNKNOWN;
+    }
+
+    g_strlcpy(field->abbrev, ffi->m_name, sizeof(ffi->m_name));
+    g_strlcpy(field->display, ffi->m_display, sizeof(ffi->m_display));
+    g_strlcpy(field->description, ffi->m_description, sizeof(ffi->m_description));
+
+    field->is_hidden = ffi->m_flags & EPF_TABLE_ONLY;
+    field->is_info = ffi->m_flags & EPF_INFO;
+    field->is_conversation = ffi->m_flags & EPF_CONVERSATION;
+
+    return true;
+}
+
+// The code below, falcosecurity/libs, and falcosecurity/plugins need to be in alignment.
+// The Makefile in /plugins defines FALCOSECURITY_LIBS_REVISION and uses that version of
+// plugin_info.h. We need to build against a compatible revision of /libs.
+bool extract_sisnp_source_fields(sinsp_source_info_t *ssi, uint8_t *evt_data, uint32_t evt_datalen, wmem_allocator_t *pool, sinsp_field_extract_t *sinsp_fields, uint32_t sinsp_field_len)
+{
+    std::vector<ss_plugin_extract_field> fields;
+
+    // PPME_PLUGINEVENT_E events have the following format:
+    // | scap_evt header | uint32_t sizeof(id) = 4 | uint32_t evt_datalen | uint32_t id | uint8_t[] evt_data |
+
+    uint32_t payload_hdr[3] = {4, evt_datalen, ssi->source->id()};
+    uint32_t tot_evt_len = (uint32_t)sizeof(scap_evt) + sizeof(payload_hdr) +  evt_datalen;
+    if (ssi->evt_storage_size < tot_evt_len) {
+        while (ssi->evt_storage_size < tot_evt_len) {
+            ssi->evt_storage_size *= 2;
+        }
+        ssi->evt_storage = (uint8_t *) g_realloc(ssi->evt_storage, ssi->evt_storage_size);
+    }
+    scap_evt *sevt = (scap_evt *) ssi->evt_storage;
+
+    sevt->ts = -1;
+    sevt->tid = -1;
+    sevt->len = tot_evt_len;
+    sevt->type = PPME_PLUGINEVENT_E;
+    sevt->nparams = 2; // Plugin ID + evt_data
+
+    memcpy(ssi->evt_storage + sizeof(scap_evt), payload_hdr, sizeof(payload_hdr));
+    memcpy(ssi->evt_storage + sizeof(scap_evt) + sizeof(payload_hdr), evt_data, evt_datalen);
+    ssi->evt->init(ssi->evt_storage, 0);
+
+    fields.resize(sinsp_field_len);
+    // We must supply field_id, field, arg, and type.
+    for (size_t i = 0; i < sinsp_field_len; i++) {
+        fields.at(i).field_id = sinsp_fields[i].field_id;
+        fields.at(i).field = sinsp_fields[i].field_name;
+        if (sinsp_fields[i].type == SFT_STRINGZ) {
+            fields.at(i).ftype = FTYPE_STRING;
+        } else {
+            fields.at(i).ftype = FTYPE_UINT64;
+        }
+    }
+
+    bool status = true;
+    if (!ssi->source->extract_fields(ssi->evt, sinsp_field_len, fields.data())) {
+        status = false;
+    }
+
+    for (size_t i = 0; i < sinsp_field_len; i++) {
+        sinsp_fields[i].is_present = fields.at(i).res_len > 0;
+        if (sinsp_fields[i].is_present) {
+            if (fields.at(i).ftype == PT_CHARBUF) {
+                sinsp_fields[i].res_str = wmem_strdup(pool, *fields.at(i).res.str);
+            } else if (fields.at(i).ftype == PT_UINT64) {
+                sinsp_fields[i].res_u64 = *fields.at(i).res.u64;
+            } else {
+                status = false;
+            }
+        }
+    }
+    return status;
+}
+
+#ifdef _MSC_VER
+#pragma warning(pop)
+#endif