new(falco): add buffer_format_base64 option, deprecate -b

falco.yaml

@@ -492,6 +492,13 @@ plugins:
 # the /etc/localtime configuration.
 time_format_iso_8601: false
 
+# [Incubating] `buffer_format_base64`
+#
+# When enabled, Falco will output data buffer with base64 encoding. This is useful
+# for encoding binary data that needs to be used over media designed to consume
+# this format.
+buffer_format_base64: false
+
 # [Stable] `priority`
 #
 # Any rule with a priority level more severe than or equal to the specified

userspace/falco/app/actions/init_inspectors.cpp

@@ -26,7 +26,18 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 static void init_syscall_inspector(falco::app::state& s, std::shared_ptr<sinsp> inspector) {
-	inspector->set_buffer_format(s.options.event_buffer_format);
+	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+	if(s.options.print_base64) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "The -b/--print-base64 option is deprecated and will be removed. Use -o "
+		                  "buffer_format_base64=true instead.");
+		event_buffer_format = sinsp_evt::PF_BASE64;
+	}
+	if(s.config->m_buffer_format_base64) {
+		event_buffer_format = sinsp_evt::PF_BASE64;
+	}
+
+	inspector->set_buffer_format(event_buffer_format);
 
 	//
 	// Container engines

userspace/falco/app/options.cpp

@@ -74,7 +74,7 @@ bool options::parse(int argc, char **argv, std::string &errstr) {
 	}
 
 	if(m_cmdline_parsed.count("b") > 0) {
-		event_buffer_format = sinsp_evt::PF_BASE64;
+		print_base64 = true;
 	}
 
 	if(m_cmdline_parsed.count("r") > 0) {
@@ -105,7 +105,7 @@ void options::define(cxxopts::Options& opts)
 		("config-schema",            "Print the config json schema and exit.", cxxopts::value(print_config_schema)->default_value("false"))
 		("rule-schema",              "Print the rule json schema and exit.", cxxopts::value(print_rule_schema)->default_value("false"))
 		("A",                        "DEPRECATED: use -o base_syscalls.all=true instead. Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
-		("b,print-base64",           "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
+		("b,print-base64",           "DEPRECATED: use -o buffer_format_base64=true. Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
 		("disable-source",           "Turn off a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "<event_source>")
 		("dry-run",                  "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false"))
 		("enable-source",            "Enable a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. When using this option, only the event sources specified by it will be enabled. This option can not be mixed with --disable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(enable_sources), "<event_source>")

userspace/falco/app/options.h

@@ -47,6 +47,7 @@ class options {
 	std::string conf_filename;
 	bool all_events = false;
 	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+	bool print_base64 = false;
 	std::vector<std::string> disable_sources;
 	std::vector<std::string> enable_sources;
 	std::string gvisor_generate_config_with_socket;

userspace/falco/config_json_schema.h

@@ -80,6 +80,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                 "time_format_iso_8601": {
                     "type": "boolean"
                 },
+                "buffer_format_base64": {
+                    "type": "boolean"
+                },
                 "priority": {
                     "type": "string"
                 },

userspace/falco/configuration.cpp

@@ -74,6 +74,7 @@ falco_configuration::falco_configuration():
         m_buffered_outputs(false),
         m_outputs_queue_capacity(DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE),
         m_time_format_iso_8601(false),
+        m_buffer_format_base64(false),
         m_output_timeout(2000),
         m_grpc_enabled(false),
         m_grpc_threadiness(0),
@@ -491,6 +492,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	}
 
 	m_time_format_iso_8601 = m_config.get_scalar<bool>("time_format_iso_8601", false);
+	m_buffer_format_base64 = m_config.get_scalar<bool>("buffer_format_base64", false);
 
 	m_webserver_enabled = m_config.get_scalar<bool>("webserver.enabled", false);
 	m_webserver_config.m_threadiness = m_config.get_scalar<uint32_t>("webserver.threadiness", 0);

userspace/falco/configuration.h

@@ -153,6 +153,7 @@ class falco_configuration {
 	bool m_buffered_outputs;
 	size_t m_outputs_queue_capacity;
 	bool m_time_format_iso_8601;
+	bool m_buffer_format_base64;
 	uint32_t m_output_timeout;
 
 	bool m_grpc_enabled;