falcosecurity · poiana · Apr 11, 2022 · Apr 11, 2022 · Apr 11, 2022
diff --git a/userspace/engine/falco_common.cpp b/userspace/engine/falco_common.cpp
@@ -16,28 +16,26 @@ limitations under the License.
 
 #include "falco_common.h"
 
-vector<string> falco_common::priority_names = {
+static vector<string> priority_names = {
 	"Emergency",
 	"Alert",
 	"Critical",
 	"Error",
 	"Warning",
 	"Notice",
-	"Info",
+	"Informational",
 	"Debug"
 };
 
 bool falco_common::parse_priority(string v, priority_type& out)
 {
-	transform(v.begin(), v.end(), v.begin(), [](int c){return tolower(c);});
 	for (size_t i = 0; i < priority_names.size(); i++)
 	{
-		auto p = priority_names[i];
-		transform(p.begin(), p.end(), p.begin(), [](int c){return tolower(c);});
 		// note: for legacy reasons, "Info" and "Informational" has been used
 		// interchangeably and ambiguously, so this is the only edge case for
 		// which we can't apply strict equality check
-		if (p == v || (v == "informational" && p == "info"))
+		if (!strcasecmp(v.c_str(), priority_names[i].c_str())
+			|| (i == PRIORITY_INFORMATIONAL && !strcasecmp(v.c_str(), "info")))
 		{
 			out = (priority_type) i;
 			return true;
@@ -46,12 +44,39 @@ bool falco_common::parse_priority(string v, priority_type& out)
 	return false;
 }
 
-bool falco_common::format_priority(priority_type v, string& out)
+falco_common::priority_type falco_common::parse_priority(string v)
+{
+	falco_common::priority_type out;
+	if (!parse_priority(v, out))
+	{
+		throw falco_exception("Unknown priority value: " + v);
+	}
+	return out;
+}
+
+bool falco_common::format_priority(priority_type v, string& out, bool shortfmt)
 {
 	if ((size_t) v < priority_names.size())
 	{
-		out = priority_names[(size_t) v];
+		if (v == PRIORITY_INFORMATIONAL && shortfmt)
+		{
+			out = "Info";
+		}
+		else
+		{
+			out = priority_names[(size_t) v];
+		}
 		return true;
 	}
 	return false;
 }
+
+string falco_common::format_priority(priority_type v, bool shortfmt)
+{
+	string out;
+	if(!format_priority(v, out, shortfmt))
+	{
+		throw falco_exception("Unknown priority enum value: " + to_string(v));
+	}
+	return out;
+}
diff --git a/userspace/engine/falco_common.h b/userspace/engine/falco_common.h
@@ -54,9 +54,6 @@ namespace falco_common
 {
 	const string syscall_source = "syscall";
 
-	// Priority levels, as a vector of strings
-	extern std::vector<std::string> priority_names;
-
 	// Same as numbers/indices into the above vector
 	enum priority_type
 	{
@@ -71,5 +68,7 @@ namespace falco_common
 	};
 
 	bool parse_priority(std::string v, priority_type& out);
-	bool format_priority(priority_type v, std::string& out);
+	priority_type parse_priority(std::string v);
+	bool format_priority(priority_type v, std::string& out, bool shortfmt=false);
+	std::string format_priority(priority_type v, bool shortfmt=false);
 };
diff --git a/userspace/engine/stats_manager.cpp b/userspace/engine/stats_manager.cpp
@@ -38,7 +38,8 @@ void stats_manager::format(
 	{
 		if (m_by_priority[i] > 0)
 		{
-			falco_common::format_priority((falco_common::priority_type) i, fmt);
+			falco_common::format_priority(
+				(falco_common::priority_type) i, fmt, true);
 			transform(fmt.begin(), fmt.end(), fmt.begin(), ::toupper);
 			out += "   " + fmt;
 			out += ": " + to_string(m_by_priority[i]) + "\n";

diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
@@ -190,17 +190,10 @@ void falco_configuration::init(string conf_filename, const vector<string> &cmdli
 	m_notifications_max_burst = m_config->get_scalar<uint32_t>("outputs.max_burst", 1000);
 
 	string priority = m_config->get_scalar<string>("priority", "debug");
-	vector<string>::iterator it;
-
-	auto comp = [priority](string &s) {
-		return (strcasecmp(s.c_str(), priority.c_str()) == 0);
-	};
-
-	if((it = std::find_if(falco_common::priority_names.begin(), falco_common::priority_names.end(), comp)) == falco_common::priority_names.end())
+	if (!falco_common::parse_priority(priority, m_min_priority))
 	{
 		throw logic_error("Unknown priority \"" + priority + "\"--must be one of emergency, alert, critical, error, warning, notice, informational, debug");
 	}
-	m_min_priority = (falco_common::priority_type)(it - falco_common::priority_names.begin());
 
 	m_buffered_outputs = m_config->get_scalar<bool>("buffered_outputs", false);
 	m_time_format_iso_8601 = m_config->get_scalar<bool>("time_format_iso_8601", false);

diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
@@ -61,7 +61,7 @@ bool g_reopen_outputs = false;
 bool g_restart = false;
 bool g_daemonized = false;
 
-static std::string syscall_source = "syscall";
+static std::string syscall_source = falco_common::syscall_source;
 static std::size_t syscall_source_idx;
 static std::string k8s_audit_source = "k8s_audit";
 static std::size_t k8s_audit_source_idx;

diff --git a/userspace/falco/falco_outputs.cpp b/userspace/falco/falco_outputs.cpp
@@ -159,24 +159,25 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
 	{
 		if(m_time_format_iso_8601)
 		{
-			sformat = "*%evt.time.iso8601: " + falco_common::priority_names[priority];
+			sformat = "*%evt.time.iso8601: ";
 		}
 		else
 		{
-			sformat = "*%evt.time: " + falco_common::priority_names[priority];
+			sformat = "*%evt.time: ";
 		}
 	}
 	else
 	{
 		if(m_time_format_iso_8601)
 		{
-			sformat = "*%jevt.time.iso8601: " + falco_common::priority_names[priority];
+			sformat = "*%jevt.time.iso8601: ";
 		}
 		else
 		{
-			sformat = "*%jevt.time: " + falco_common::priority_names[priority];
+			sformat = "*%jevt.time: ";
 		}
 	}
+	sformat += falco_common::format_priority(priority);
 
 	// if format starts with a *, remove it, as we added our own prefix
 	if(format[0] == '*')
@@ -188,7 +189,7 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
 		sformat += " " + format;
 	}
 
-	cmsg.msg = m_formats->format_event(evt, rule, source, falco_common::priority_names[priority], sformat, tags);
+	cmsg.msg = m_formats->format_event(evt, rule, source, falco_common::format_priority(priority), sformat, tags);
 	cmsg.fields = m_formats->get_field_values(evt, source, sformat);
 	cmsg.tags.insert(tags.begin(), tags.end());
 
@@ -225,7 +226,7 @@ void falco_outputs::handle_msg(uint64_t ts,
 		iso8601evttime += time_ns;
 
 		jmsg["output"] = msg;
-		jmsg["priority"] = falco_common::priority_names[priority];
+		jmsg["priority"] = falco_common::format_priority(priority);
 		jmsg["rule"] = rule;
 		jmsg["time"] = iso8601evttime;
 		jmsg["output_fields"] = output_fields;
@@ -238,7 +239,7 @@ void falco_outputs::handle_msg(uint64_t ts,
 		bool first = true;
 
 		sinsp_utils::ts_to_string(ts, &timestr, false, true);
-		cmsg.msg = timestr + ": " + falco_common::priority_names[priority] + " " + msg + " (";
+		cmsg.msg = timestr + ": " + falco_common::format_priority(priority) + " " + msg + " (";
 		for(auto &pair : output_fields)
 		{
 			if(first)

diff --git a/userspace/falco/outputs_grpc.cpp b/userspace/falco/outputs_grpc.cpp
@@ -67,7 +67,7 @@ void falco::outputs::output_grpc::output(const message *msg)
 
 	// priority
 	falco::schema::priority p = falco::schema::priority::EMERGENCY;
-	if(!falco::schema::priority_Parse(falco_common::priority_names[msg->priority], &p))
+	if(!falco::schema::priority_Parse(falco_common::format_priority(msg->priority), &p))
 	{
 		throw falco_exception("Unknown priority passed to output_grpc::output()");
 	}