plugins/epan/falco_bridge/sinsp-span.h

   1 /* sinsp-span.h
   2  *
   3  * By Gerald Combs
   4  * Copyright (C) 2022 Sysdig, Inc.
   5  *
   6  * Wireshark - Network traffic analyzer
   7  * By Gerald Combs <gerald@wireshark.org>
   8  * Copyright 1998 Gerald Combs
   9  *
  10  * SPDX-License-Identifier: GPL-2.0-or-later
  11  */
  12
  13 #ifndef __SINSP_SPAN_H__
  14 #define __SINSP_SPAN_H__
  15
  16 #include <stdint.h>
  17
  18 #include <epan/ftypes/ftypes.h>
  19 #include <wsutil/wmem/wmem.h>
  20
  21 #ifdef __cplusplus
  22 extern "C" {
  23 #endif // __cplusplus
  24
  25 #define FALCO_FIELD_NAME_PREFIX "falco."
  26
  27 #define N_PROC_LINEAGE_ENTRIES 16
  28 #define N_PROC_LINEAGE_ENTRY_FIELDS 4
  29
  30 typedef struct sinsp_source_info_t sinsp_source_info_t;
  31 typedef struct sinsp_span_t sinsp_span_t;
  32
  33 typedef enum sinsp_field_display_format_e {
  34     SFDF_UNKNOWN,
  35     SFDF_DECIMAL,
  36     SFDF_HEXADECIMAL,
  37     SFDF_OCTAL
  38 } sinsp_field_display_format_e;
  39
  40 // Should match sinsp_filter_check_list in libsinsp as closely as possible.
  41
  42 typedef enum sinsp_syscall_category_e {
  43     SSC_EVENT, // gen_event, event
  44     SSC_EVTARGS, // event arguments
  45     SSC_PROCESS, // thread
  46     SSC_PROCLINEAGE, // process lineage
  47     SSC_USER, // user
  48     SSC_GROUP, // group
  49     SSC_CONTAINER, // container
  50     SSC_FD, // fd
  51     SSC_FS, // fs.path
  52 //    SSC_SYSLOG, // syslog. Collides with syslog dissector so skip for now.
  53     SSC_FDLIST, // fdlist
  54     SSC_OTHER, // "falco.", catch-all
  55     NUM_SINSP_SYSCALL_CATEGORIES
  56 } sinsp_syscall_category_e;
  57
  58 typedef struct sinsp_field_info_t {
  59     enum ftenum type;
  60     sinsp_field_display_format_e display_format;
  61     char abbrev[64]; // filter name
  62     char display[64]; // display name
  63     char description[1024];
  64     bool is_hidden;
  65     bool is_conversation;
  66     bool is_info;
  67     bool is_numeric_address;
  68 } sinsp_field_info_t;
  69
  70 #define SFE_SMALL_BUF_SIZE 8
  71 typedef struct sinsp_field_extract_t {
  72     union {
  73         uint8_t *bytes;
  74         const char *str;
  75         int32_t i32;
  76         int64_t i64;
  77         uint32_t u32;
  78         uint64_t u64;
  79         double dbl;
  80         bool boolean;
  81         char small_str[SFE_SMALL_BUF_SIZE];
  82         uint8_t small_bytes[SFE_SMALL_BUF_SIZE];
  83     } res;
  84     int res_len;                // out
  85     uint16_t field_idx;          // out for syscalls
  86 } sinsp_field_extract_t;
  87
  88 typedef struct plugin_field_extract_t {
  89     uint32_t field_id;          // out for syscalls, in for plugins
  90     const char *field_name;     // in
  91     enum ftenum type;           // in, out
  92     bool is_present;            // out
  93     union {
  94         uint8_t *bytes;
  95         const char *str;
  96         int32_t i32;
  97         int64_t i64;
  98         uint32_t u32;
  99         uint64_t u64;
 100         double dbl;
 101         uint8_t ipv6[16];
 102         bool boolean;
 103     } res;
 104     int res_len;                // out
 105 //    sinsp_syscall_category_e parent_category;     // out
 106 } plugin_field_extract_t;
 107
 108 sinsp_span_t *create_sinsp_span(void);
 109 void destroy_sinsp_span(sinsp_span_t *sinsp_span);
 110
 111 // Common routines
 112 uint32_t get_sinsp_source_id(sinsp_source_info_t *ssi);
 113 const char *get_sinsp_source_last_error(sinsp_source_info_t *ssi);
 114 const char *get_sinsp_source_name(sinsp_source_info_t *ssi);
 115 const char* get_sinsp_source_description(sinsp_source_info_t *ssi);
 116 bool get_sinsp_source_field_info(sinsp_source_info_t *ssi, size_t field_num, sinsp_field_info_t *field);
 117 char* get_evt_arg_name(void* sinp_evt_info, uint32_t arg_num);
 118
 119 // libsinsp builtin syscall routines.
 120 void create_sinsp_syscall_source(sinsp_span_t *sinsp_span, sinsp_source_info_t **ssi_ptr);
 121 void open_sinsp_capture(sinsp_span_t *sinsp_span, const char *filepath);
 122 //uint32_t process_syscall_capture(sinsp_span_t * sinsp_span, sinsp_source_info_t *ssi, uint32_t to_event);
 123 void close_sinsp_capture(sinsp_span_t *sinsp_span);
 124 bool extract_syscall_source_fields(sinsp_span_t *sinsp_span, sinsp_source_info_t *ssi, uint32_t frame_num, sinsp_field_extract_t **sinsp_fields, uint32_t *sinsp_field_len, void** sinp_evt_info);
 125 sinsp_syscall_category_e get_syscall_parent_category(sinsp_source_info_t *ssi, size_t field_check_idx);
 126 bool get_extracted_syscall_source_fields(sinsp_span_t *sinsp_span, uint32_t frame_num, sinsp_field_extract_t **sinsp_fields, uint32_t *sinsp_field_len, void** sinp_evt_info);
 127
 128 // Extractor plugin routines.
 129 // These roughly match common_plugin_info
 130 char *create_sinsp_plugin_source(sinsp_span_t *sinsp_span, const char* libname, sinsp_source_info_t **ssi_ptr);
 131 size_t get_sinsp_source_nfields(sinsp_source_info_t *ssi);
 132 bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num, uint8_t *evt_data, uint32_t evt_datalen, wmem_allocator_t *pool, plugin_field_extract_t *sinsp_fields, uint32_t sinsp_field_len);
 133
 134
 135 #ifdef __cplusplus
 136 }
 137 #endif // __cplusplus
 138
 139 #endif // __SINSP_SPAN_H__