falcosecurity · poiana · Dec 22, 2021 · Dec 6, 2021 · Dec 7, 2021 · Dec 8, 2021
diff --git a/userspace/libsinsp/fields_info.cpp b/userspace/libsinsp/fields_info.cpp
@@ -18,7 +18,6 @@ limitations under the License.
 //
 // Various helper functions to render stuff on the screen
 //
-#define __STDC_FORMAT_MACROS
 #include <stdio.h>
 #include <iostream>
 #include <assert.h>
@@ -27,111 +26,40 @@ limitations under the License.
 #include <sinsp.h>
 #include "fields_info.h"
 
-// Must match the value in the zsh tab completion
-#define DESCRIPTION_TEXT_START 16
-
-
-#define CONSOLE_LINE_LEN 79
-#define PRINTF_WRAP_CPROC(x)  #x
-#define PRINTF_WRAP(x) PRINTF_WRAP_CPROC(x)
-
-void list_fields(bool verbose, bool markdown, bool names_only)
+static void list_fields_markdown(std::list<gen_event_filter_factory::filter_fieldclass_info> &fld_classes)
 {
-	uint32_t j, l, m;
-	int32_t k;
-	vector<const filter_check_info*> fc_plugins;
-	sinsp::get_filtercheck_fields_info(fc_plugins);
-
-	for(j = 0; j < fc_plugins.size(); j++)
+	for(auto &fld_class : fld_classes)
 	{
-		const filter_check_info* fci = fc_plugins[j];
+		printf("\n## Field Class: %s\n\n", fld_class.name.c_str());
+		printf("%s\n\n", fld_class.desc.c_str());
+		printf("Name | Type | Description\n");
+		printf(":----|:-----|:-----------\n");
 
-		if(fci->m_flags & filter_check_info::FL_HIDDEN)
+		for(auto &fld_info : fld_class.fields)
 		{
-			continue;
-		}
-
-		if(!names_only)
-		{
-			if(markdown)
-			{
-				printf("\n## Field Class: %s\n\n", fci->m_name.c_str());
-				printf("%s\n\n", fci->m_desc.c_str());
-				printf("Name | Type | Description\n");
-				printf(":----|:-----|:-----------\n");
-			}
-			else
-			{
-				printf("\n----------------------\n");
-				printf("Field Class: %s\n\n", fci->m_name.c_str());
-				printf("%s\n\n", fci->m_desc.c_str());
-			}
+			printf("`%s` | %s | %s\n", fld_info.name.c_str(), fld_info.data_type.c_str(), fld_info.desc.c_str());
 		}
+	}
+}
 
-		for(k = 0; k < fci->m_nfields; k++)
-		{
-			const filtercheck_field_info* fld = &fci->m_fields[k];
-
-			if(fld->m_flags & EPF_TABLE_ONLY)
-			{
-				continue;
-			}
-
-			if(names_only)
-			{
-				printf("%s\n", fld->m_name);
-			}
-			else if(markdown)
-			{
-				printf("`%s` | %s | %s\n", fld->m_name, param_type_to_string(fld->m_type), fld->m_description);
-			}
-			else
-			{
-				printf("%s", fld->m_name);
-				uint32_t namelen = (uint32_t)strlen(fld->m_name);
-
-				if(namelen >= DESCRIPTION_TEXT_START)
-				{
-					printf("\n");
-					namelen = 0;
-				}
-
-				for(l = 0; l < DESCRIPTION_TEXT_START - namelen; l++)
-				{
-					printf(" ");
-				}
-
-				string desc(fld->m_description);
-
-				if(fld->m_flags & EPF_FILTER_ONLY)
-				{
-					desc = "(FILTER ONLY) " + desc;
-				}
-
-				if(verbose)
-				{
-					desc += string(" Type:") + param_type_to_string(fld->m_type) + ".";
-				}
-
-				size_t desclen = desc.size();
-
-				for(l = 0; l < desclen; l++)
-				{
-					if(l % (CONSOLE_LINE_LEN - DESCRIPTION_TEXT_START) == 0 && l != 0)
-					{
-						printf("\n");
+void list_fields(bool verbose, bool markdown)
+{
+	vector<const filter_check_info*> fc_plugins;
+	std::list<gen_event_filter_factory::filter_fieldclass_info> fld_classes;
 
-						for(m = 0; m < DESCRIPTION_TEXT_START; m++)
-						{
-							printf(" ");
-						}
-					}
+	sinsp::get_filtercheck_fields_info(fc_plugins);
 
-					printf("%c", desc[l]);
-				}
+	fld_classes = sinsp_filter_factory::check_infos_to_fieldclass_infos(fc_plugins);
 
-				printf("\n");
-			}
+	if(markdown)
+	{
+		list_fields_markdown(fld_classes);
+	}
+	else
+	{
+		for(auto &fld_class : fld_classes)
+		{
+			printf("%s\n", fld_class.as_string(verbose).c_str());
 		}
 	}
 }

diff --git a/userspace/libsinsp/fields_info.h b/userspace/libsinsp/fields_info.h
@@ -24,5 +24,5 @@ class sinsp;
 //
 // Printer functions
 //
-void list_fields(bool verbose, bool markdown, bool names_only=false);
+void list_fields(bool verbose, bool markdown=false);
 void list_events(sinsp* inspector, bool markdown=false);
diff --git a/userspace/libsinsp/filter.cpp b/userspace/libsinsp/filter.cpp
@@ -2346,11 +2346,17 @@ gen_event_filter_check *sinsp_filter_factory::new_filtercheck(const char *fldnam
 
 std::list<gen_event_filter_factory::filter_fieldclass_info> sinsp_filter_factory::get_fields()
 {
-	std::list<gen_event_filter_factory::filter_fieldclass_info> ret;
-
 	vector<const filter_check_info*> fc_plugins;
 	m_available_checks.get_all_fields(fc_plugins);
 
+	return check_infos_to_fieldclass_infos(fc_plugins);
+}
+
+std::list<gen_event_filter_factory::filter_fieldclass_info> sinsp_filter_factory::check_infos_to_fieldclass_infos(
+	const vector<const filter_check_info*> &fc_plugins)
+{
+	std::list<gen_event_filter_factory::filter_fieldclass_info> ret;
+
 	for(auto &fci : fc_plugins)
 	{
 		if(fci->m_flags & filter_check_info::FL_HIDDEN)
@@ -2360,8 +2366,8 @@ std::list<gen_event_filter_factory::filter_fieldclass_info> sinsp_filter_factory
 
 		gen_event_filter_factory::filter_fieldclass_info cinfo;
 		cinfo.name = fci->m_name;
-		cinfo.desc = "";
-		cinfo.class_info = "";
+		cinfo.desc = fci->m_desc;
+		cinfo.shortdesc = fci->m_shortdesc;
 
 		for(int32_t k = 0; k < fci->m_nfields; k++)
 		{
@@ -2380,6 +2386,12 @@ std::list<gen_event_filter_factory::filter_fieldclass_info> sinsp_filter_factory
 			gen_event_filter_factory::filter_field_info info;
 			info.name = fld->m_name;
 			info.desc = fld->m_description;
+			info.data_type =  param_type_to_string(fld->m_type);
+
+			if(fld->m_flags & EPF_FILTER_ONLY)
+			{
+				info.tags.insert("FILTER ONLY");
+			}
 
 			cinfo.fields.emplace_back(std::move(info));
 		}

diff --git a/userspace/libsinsp/filter.h b/userspace/libsinsp/filter.h
@@ -217,6 +217,13 @@ class sinsp_filter_factory : public gen_event_filter_factory
 
 	std::list<gen_event_filter_factory::filter_fieldclass_info> get_fields() override;
 
+	// Convienence method to convert a vector of
+	// filter_check_infos into a list of
+	// filter_fieldclass_infos. This is useful for programs that
+	// use filterchecks but not factories.
+	static std::list<filter_fieldclass_info> check_infos_to_fieldclass_infos(
+		const vector<const filter_check_info*> &fc_plugins);
+
 protected:
 	sinsp *m_inspector;
 	filter_check_list &m_available_checks;

diff --git a/userspace/libsinsp/filter_check_list.cpp b/userspace/libsinsp/filter_check_list.cpp
@@ -42,6 +42,21 @@ filter_check_list::~filter_check_list()
 
 void filter_check_list::add_filter_check(sinsp_filter_check* filter_check)
 {
+	// If a filtercheck already exists with this name and
+	// shortdesc, don't add it--this can occur when plugins are
+	// loaded and set up gen_event_filter_checks to handle plugin
+	// events.
+
+	for(auto *chk : m_check_list)
+	{
+		if(chk->m_info.m_name == filter_check->m_info.m_name &&
+		   chk->m_info.m_shortdesc == filter_check->m_info.m_shortdesc)
+		{
+			delete filter_check;
+			return;
+		}
+	}
+
 	m_check_list.push_back(filter_check);
 }
 
@@ -108,6 +123,7 @@ sinsp_filter_check_list::sinsp_filter_check_list()
 	//////////////////////////////////////////////////////////////////////////////
 	// ADD NEW FILTER CHECK CLASSES HERE
 	//////////////////////////////////////////////////////////////////////////////
+	add_filter_check(new sinsp_filter_check_gen_event());
 	add_filter_check(new sinsp_filter_check_event());
 	add_filter_check(new sinsp_filter_check_thread());
 	add_filter_check(new sinsp_filter_check_user());
@@ -123,7 +139,6 @@ sinsp_filter_check_list::sinsp_filter_check_list()
 #endif // !defined(CYGWING_AGENT) && !defined(MINIMAL_BUILD)
 	add_filter_check(new sinsp_filter_check_tracer());
 	add_filter_check(new sinsp_filter_check_evtin());
-	add_filter_check(new sinsp_filter_check_gen_event());
 }
 
 sinsp_filter_check_list::~sinsp_filter_check_list()

diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
@@ -27,6 +27,7 @@ limitations under the License.
 #ifdef HAS_FILTERING
 #include "filter.h"
 #include "filterchecks.h"
+#include "plugin.h"
 #include "protodecoder.h"
 #include "tracers.h"
 #include "value_parser.h"
@@ -2805,11 +2806,15 @@ const filtercheck_field_info sinsp_filter_check_gen_event_fields[] =
 	{PT_RELTIME, EPF_NONE, PF_10_PADDED_DEC, "evt.reltime", "number of nanoseconds from the beginning of the capture."},
 	{PT_RELTIME, EPF_NONE, PF_DEC, "evt.reltime.s", "number of seconds from the beginning of the capture."},
 	{PT_RELTIME, EPF_NONE, PF_10_PADDED_DEC, "evt.reltime.ns", "fractional part (in ns) of the time from the beginning of the capture."},
+	{PT_CHARBUF, EPF_NONE, PF_NA, "evt.pluginname", "if the event comes from a plugin, the name of the plugin that generated it. The plugin must be currently loaded."},
+	{PT_CHARBUF, EPF_NONE, PF_NA, "evt.plugininfo", "if the event comes from a plugin, a summary of the event as formatted by the plugin. The plugin must be currently loaded."},
 };
 
 sinsp_filter_check_gen_event::sinsp_filter_check_gen_event()
 {
 	m_info.m_name = "evt";
+	m_info.m_shortdesc = "All event types";
+	m_info.m_desc = "These fields can be used for all event types";
 	m_info.m_fields = sinsp_filter_check_gen_event_fields;
 	m_info.m_nfields = sizeof(sinsp_filter_check_gen_event_fields) / sizeof(sinsp_filter_check_gen_event_fields[0]);
 	m_u64val = 0;
@@ -2851,6 +2856,11 @@ Json::Value sinsp_filter_check_gen_event::extract_as_js(sinsp_evt *evt, OUT uint
 
 uint8_t* sinsp_filter_check_gen_event::extract(sinsp_evt *evt, OUT uint32_t* len, bool sanitize_strings)
 {
+
+	std::shared_ptr<sinsp_plugin> plugin;
+	sinsp_source_plugin *splugin;
+	sinsp_evt_param *parinfo;
+
 	*len = 0;
 	switch(m_field_id)
 	{
@@ -2897,6 +2907,26 @@ uint8_t* sinsp_filter_check_gen_event::extract(sinsp_evt *evt, OUT uint32_t* len
 	case TYPE_NUMBER:
 		m_u64val = evt->get_num();
 		RETURN_EXTRACT_VAR(m_u64val);
+	case TYPE_PLUGINNAME:
+	case TYPE_PLUGININFO:
+		plugin = m_inspector->get_plugin_by_evt(*evt);
+		if (plugin == nullptr)
+		{
+			return NULL;
+		}
+
+		if(m_field_id == TYPE_PLUGINNAME)
+		{
+			m_strstorage = plugin->name();
+		}
+		else
+		{
+			parinfo = evt->get_param(1);
+			splugin = static_cast<sinsp_source_plugin *>(plugin.get());
+			m_strstorage = splugin->event_to_string((const uint8_t *) parinfo->m_val, parinfo->m_len);
+		}
+
+		RETURN_EXTRACT_STRING(m_strstorage);
 	default:
 		ASSERT(false);
 		return NULL;
@@ -2970,7 +3000,8 @@ sinsp_filter_check_event::sinsp_filter_check_event()
 {
 	m_is_compare = false;
 	m_info.m_name = "evt";
-	m_info.m_desc = "Generic event fields. Note that for syscall events you can access the individual arguments/parameters of each syscall via evt.arg, e.g. evt.arg.filename.";
+	m_info.m_shortdesc = "Syscall events only";
+	m_info.m_desc = "Event fields applicable to syscall events. Note that for most events you can access the individual arguments/parameters of each syscall via evt.arg, e.g. evt.arg.filename.";
 	m_info.m_fields = sinsp_filter_check_event_fields;
 	m_info.m_nfields = sizeof(sinsp_filter_check_event_fields) / sizeof(sinsp_filter_check_event_fields[0]);
 	m_u64val = 0;
@@ -7282,7 +7313,7 @@ const filtercheck_field_info sinsp_filter_check_k8s_fields[] =
 sinsp_filter_check_k8s::sinsp_filter_check_k8s()
 {
 	m_info.m_name = "k8s";
-	m_info.m_desc = "Kubernetes related context.";
+	m_info.m_desc = "Kubernetes related context. Available when configured to fetch k8s meta-data from API Server.";
 	m_info.m_fields = sinsp_filter_check_k8s_fields;
 	m_info.m_nfields = sizeof(sinsp_filter_check_k8s_fields) / sizeof(sinsp_filter_check_k8s_fields[0]);
 	m_info.m_flags = filter_check_info::FL_WORKS_ON_THREAD_TABLE;

diff --git a/userspace/libsinsp/filterchecks.h b/userspace/libsinsp/filterchecks.h
@@ -400,6 +400,8 @@ class sinsp_filter_check_gen_event : public sinsp_filter_check
 		TYPE_RELTS = 9,
 		TYPE_RELTS_S = 10,
 		TYPE_RELTS_NS = 11,
+		TYPE_PLUGINNAME = 12,
+		TYPE_PLUGININFO = 13,
 	};
 
 	sinsp_filter_check_gen_event();