Diffstat (limited to 'plugins/epan/falco_bridge/sinsp-span.h')
-rw-r--r--plugins/epan/falco_bridge/sinsp-span.h95
1 files changed, 77 insertions, 18 deletions
diff --git a/plugins/epan/falco_bridge/sinsp-span.h b/plugins/epan/falco_bridge/sinsp-span.h
index 2a474714..84303340 100644
--- a/plugins/epan/falco_bridge/sinsp-span.h
+++ b/plugins/epan/falco_bridge/sinsp-span.h
@@ -15,21 +15,21 @@
#include <stdint.h>
+#include <epan/ftypes/ftypes.h>
#include <wsutil/wmem/wmem.h>
#ifdef __cplusplus
extern "C" {
#endif // __cplusplus
+#define FALCO_FIELD_NAME_PREFIX "falco."
+
+#define N_PROC_LINEAGE_ENTRIES 16
+#define N_PROC_LINEAGE_ENTRY_FIELDS 4
+
typedef struct sinsp_source_info_t sinsp_source_info_t;
typedef struct sinsp_span_t sinsp_span_t;
-typedef enum sinsp_field_type_e {
- SFT_UNKNOWN,
- SFT_STRINGZ,
- SFT_UINT64,
-} sinsp_field_type_e;
-
typedef enum sinsp_field_display_format_e {
SFDF_UNKNOWN,
SFDF_DECIMAL,
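Review bot: The new `N_PROC_LINEAGE_ENTRIES` and `N_PROC_LINEAGE_ENTRY_FIELDS` macros are bare magic numbers; a reader of this header cannot tell what they bound or what happens to a process whose ancestry is deeper than 16 entries, and that truncation rule is exactly what a consumer of the lineage fields needs to know. I would document them where they are defined, e.g. `// Upper bound on process ancestors exported per event; deeper lineage is presumably truncated — confirm against the extractor in sinsp-span.cpp` and `// Fields emitted per lineage entry (sizes the per-entry hf table)`, hedged until the implementation is checked. `FALCO_FIELD_NAME_PREFIX` would likewise benefit from a one-line note saying it is the abbrev prefix under which this plugin registers its fields. Since all three are integer/string constants used as sizes and names rather than conditional-compilation switches, an anonymous `enum` for the two counts would also make them debugger-visible, though the header's existing `#define` style is acceptable.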
@@ -37,8 +37,26 @@ typedef enum sinsp_field_display_format_e {
SFDF_OCTAL
} sinsp_field_display_format_e;
+// Should match sinsp_filter_check_list in libsinsp as closely as possible.
+
+typedef enum sinsp_syscall_category_e {
+ SSC_EVENT, // gen_event, event
+ SSC_EVTARGS, // event arguments
+ SSC_PROCESS, // thread
+ SSC_PROCLINEAGE, // process lineage
+ SSC_USER, // user
+ SSC_GROUP, // group
+ SSC_CONTAINER, // container
+ SSC_FD, // fd
+ SSC_FS, // fs.path
+// SSC_SYSLOG, // syslog. Collides with syslog dissector so skip for now.
+ SSC_FDLIST, // fdlist
+ SSC_OTHER, // "falco.", catch-all
+ NUM_SINSP_SYSCALL_CATEGORIES
+} sinsp_syscall_category_e;
+
typedef struct sinsp_field_info_t {
- sinsp_field_type_e type;
+ enum ftenum type;
sinsp_field_display_format_e display_format;
char abbrev[64]; // filter name
char display[64]; // display name
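Review bot: `sinsp_syscall_category_e` ends with `NUM_SINSP_SYSCALL_CATEGORIES`, which strongly suggests the enumerators are used as indices into per-category tables, yet the only guidance is "should match sinsp_filter_check_list as closely as possible" — nothing says the terminator must stay last, that values must stay dense, or what category a filter check with no match lands in. I would extend the comment above the enum with `// NUM_SINSP_SYSCALL_CATEGORIES must remain last: it sizes per-category tables. Filter checks with no dedicated category presumably map to SSC_OTHER — confirm in get_syscall_parent_category()`. The commented-out `SSC_SYSLOG` enumerator would read better as a plain note beside `SSC_OTHER` (e.g. `// syslog.* fields are intentionally left in SSC_OTHER: a dedicated category would collide with the syslog dissector`), so that the enumerator list itself contains only live values. The `type` field's switch to `enum ftenum` is fine, but the struct comment could state that `display_format` is only consulted for the integer `ftenum` values, if that is indeed the case in the dissector.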
@@ -46,31 +64,72 @@ typedef struct sinsp_field_info_t {
bool is_hidden;
bool is_conversation;
bool is_info;
+ bool is_numeric_address;
} sinsp_field_info_t;
+#define SFE_SMALL_BUF_SIZE 8
typedef struct sinsp_field_extract_t {
- uint32_t field_id; // in
+ union {
+ uint8_t *bytes;
+ const char *str;
+ int32_t i32;
+ int64_t i64;
+ uint32_t u32;
+ uint64_t u64;
+ double dbl;
+ bool boolean;
+ char small_str[SFE_SMALL_BUF_SIZE];
+ uint8_t small_bytes[SFE_SMALL_BUF_SIZE];
+ } res;
+ int res_len; // out
+ uint16_t field_idx; // out for syscalls
+} sinsp_field_extract_t;
+
+typedef struct plugin_field_extract_t {
+ uint32_t field_id; // out for syscalls, in for plugins
const char *field_name; // in
- sinsp_field_type_e type; // in, out
+ enum ftenum type; // in, out
bool is_present; // out
- const char *res_str; // out
- uint64_t res_u64; // out
-} sinsp_field_extract_t;
+ union {
+ uint8_t *bytes;
+ const char *str;
+ int32_t i32;
+ int64_t i64;
+ uint32_t u32;
+ uint64_t u64;
+ double dbl;
+ uint8_t ipv6[16];
+ bool boolean;
+ } res;
+ int res_len; // out
+// sinsp_syscall_category_e parent_category; // out
+} plugin_field_extract_t;
sinsp_span_t *create_sinsp_span(void);
void destroy_sinsp_span(sinsp_span_t *sinsp_span);
-char *create_sinsp_source(sinsp_span_t *sinsp_span, const char* libname, sinsp_source_info_t **ssi_ptr);
-
-// Extractor plugin routines.
-// These roughly match common_plugin_info
+// Common routines
uint32_t get_sinsp_source_id(sinsp_source_info_t *ssi);
const char *get_sinsp_source_last_error(sinsp_source_info_t *ssi);
const char *get_sinsp_source_name(sinsp_source_info_t *ssi);
const char* get_sinsp_source_description(sinsp_source_info_t *ssi);
-size_t get_sinsp_source_nfields(sinsp_source_info_t *ssi);
bool get_sinsp_source_field_info(sinsp_source_info_t *ssi, size_t field_num, sinsp_field_info_t *field);
-bool extract_sisnp_source_fields(sinsp_source_info_t *ssi, uint8_t *evt_data, uint32_t evt_datalen, wmem_allocator_t *pool, sinsp_field_extract_t *sinsp_fields, uint32_t sinsp_field_len);
+char* get_evt_arg_name(void* sinp_evt_info, uint32_t arg_num);
+
+// libsinsp builtin syscall routines.
+void create_sinsp_syscall_source(sinsp_span_t *sinsp_span, sinsp_source_info_t **ssi_ptr);
+void open_sinsp_capture(sinsp_span_t *sinsp_span, const char *filepath);
+//uint32_t process_syscall_capture(sinsp_span_t * sinsp_span, sinsp_source_info_t *ssi, uint32_t to_event);
+void close_sinsp_capture(sinsp_span_t *sinsp_span);
+bool extract_syscall_source_fields(sinsp_span_t *sinsp_span, sinsp_source_info_t *ssi, uint32_t frame_num, sinsp_field_extract_t **sinsp_fields, uint32_t *sinsp_field_len, void** sinp_evt_info);
+sinsp_syscall_category_e get_syscall_parent_category(sinsp_source_info_t *ssi, size_t field_check_idx);
+bool get_extracted_syscall_source_fields(sinsp_span_t *sinsp_span, uint32_t frame_num, sinsp_field_extract_t **sinsp_fields, uint32_t *sinsp_field_len, void** sinp_evt_info);
+
+// Extractor plugin routines.
+// These roughly match common_plugin_info
+char *create_sinsp_plugin_source(sinsp_span_t *sinsp_span, const char* libname, sinsp_source_info_t **ssi_ptr);
+size_t get_sinsp_source_nfields(sinsp_source_info_t *ssi);
+bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num, uint8_t *evt_data, uint32_t evt_datalen, wmem_allocator_t *pool, plugin_field_extract_t *sinsp_fields, uint32_t sinsp_field_len);
#ifdef __cplusplus