Update Falco libs to 0.21.0

collector/lib/ContainerMetadata.cpp

@@ -11,28 +11,15 @@ ContainerMetadata::ContainerMetadata(sinsp* inspector) : event_extractor_(std::m
 }
 
 std::string ContainerMetadata::GetNamespace(sinsp_evt* event) {
-  const char* ns = event_extractor_->get_k8s_namespace(event);
-  return ns != nullptr ? ns : "";
+  return "";
 }
 
 std::string ContainerMetadata::GetNamespace(const std::string& container_id) {
   return GetContainerLabel(container_id, "io.kubernetes.pod.namespace");
 }
 
 std::string ContainerMetadata::GetContainerLabel(const std::string& container_id, const std::string& label) {
-  auto containers = inspector_->m_container_manager.get_containers();
-  const auto& container = containers->find(container_id);
-  if (container == containers->end()) {
-    return "";
-  }
-
-  const auto& labels = container->second->m_labels;
-  const auto& label_it = labels.find(label);
-  if (label_it == labels.end()) {
-    return "";
-  }
-
-  return label_it->second;
+  return "";
 }
 
-}  // namespace collector
+}  // namespace collector

collector/lib/NetworkConnection.h

@@ -380,8 +380,8 @@ std::ostream& operator<<(std::ostream& os, const ContainerEndpoint& container_en
 class Connection {
  public:
   Connection() : flags_(0) {}
-  Connection(std::string container, const Endpoint& local, const Endpoint& remote, L4Proto l4proto, bool is_server)
-      : container_(std::move(container)), local_(local), remote_(remote), flags_((static_cast<uint8_t>(l4proto) << 1) | ((is_server) ? 1 : 0)) {}
+  Connection(std::string_view container, const Endpoint& local, const Endpoint& remote, L4Proto l4proto, bool is_server)
+      : container_(container), local_(local), remote_(remote), flags_((static_cast<uint8_t>(l4proto) << 1) | ((is_server) ? 1 : 0)) {}
 
   const std::string& container() const { return container_; }
   const Endpoint& local() const { return local_; }

collector/lib/NetworkSignalHandler.cpp

@@ -133,7 +133,7 @@ std::optional<Connection> NetworkSignalHandler::GetConnection(sinsp_evt* evt) {
   const Endpoint* local = is_server ? &server : &client;
   const Endpoint* remote = is_server ? &client : &server;
 
-  const std::string* container_id = event_extractor_->get_container_id(evt);
+  auto container_id = event_extractor_->get_container_id(evt);
   if (!container_id) {
     return std::nullopt;
   }

collector/lib/Process.cpp

@@ -5,6 +5,7 @@
 #include <libsinsp/sinsp.h>
 
 #include "CollectorStats.h"
+#include "system-inspector/EventExtractor.h"
 #include "system-inspector/Service.h"
 
 namespace collector {
@@ -32,7 +33,10 @@ std::string Process::container_id() const {
   WaitForProcessInfo();
 
   if (system_inspector_threadinfo_) {
-    return system_inspector_threadinfo_->m_container_id;
+    auto container_id = system_inspector::EventExtractor::get_container_id(system_inspector_threadinfo_.get());
+    if (container_id) {
+      return std::string{*container_id};
+    }
   }
 
   return NOT_AVAILABLE;

collector/lib/ProcessSignalFormatter.cpp

@@ -22,6 +22,8 @@ using LineageInfo = ProcessSignalFormatter::LineageInfo;
 using Timestamp = google::protobuf::Timestamp;
 using TimeUtil = google::protobuf::util::TimeUtil;
 
+using EventExtractor = system_inspector::EventExtractor;
+
 namespace {
 
 enum ProcessSignalType {
@@ -59,7 +61,7 @@ std::string extract_proc_args(sinsp_threadinfo* tinfo) {
 ProcessSignalFormatter::ProcessSignalFormatter(
     sinsp* inspector,
     const CollectorConfig& config) : event_names_(EventNames::GetInstance()),
-                                     event_extractor_(std::make_unique<system_inspector::EventExtractor>()),
+                                     event_extractor_(std::make_unique<EventExtractor>()),
                                      container_metadata_(inspector),
                                      config_(config) {
   event_extractor_->Init(inspector);
@@ -166,7 +168,7 @@ ProcessSignal* ProcessSignalFormatter::CreateProcessSignal(sinsp_evt* event) {
   if (const uint32_t* uid = event_extractor_->get_uid(event)) {
     signal->set_uid(*uid);
   }
-  if (const uint32_t* gid = event_extractor_->get_gid(event)) {
+  if (const uint32_t* gid = event_extractor_->get_uid(event)) {
     signal->set_gid(*gid);
   }
 
@@ -176,7 +178,7 @@ ProcessSignal* ProcessSignalFormatter::CreateProcessSignal(sinsp_evt* event) {
   signal->set_allocated_time(timestamp);
 
   // set container_id
-  if (const std::string* container_id = event_extractor_->get_container_id(event)) {
+  if (auto container_id = EventExtractor::get_container_id(event)) {
     signal->set_container_id(*container_id);
   }
 
@@ -232,16 +234,19 @@ ProcessSignal* ProcessSignalFormatter::CreateProcessSignal(sinsp_threadinfo* tin
   signal->set_pid(tinfo->m_pid);
 
   // set user and group id credentials
-  signal->set_uid(tinfo->m_user.uid());
-  signal->set_gid(tinfo->m_group.gid());
+  signal->set_uid(tinfo->m_uid);
+  signal->set_gid(tinfo->m_gid);
 
   // set time
   auto timestamp = Allocate<Timestamp>();
   *timestamp = TimeUtil::NanosecondsToTimestamp(tinfo->m_clone_ts);
   signal->set_allocated_time(timestamp);
 
   // set container_id
-  signal->set_container_id(tinfo->m_container_id);
+  auto container_id = EventExtractor::get_container_id(tinfo);
+  if (container_id) {
+    signal->set_container_id(*container_id);
+  }
 
   // set process lineage
   std::vector<LineageInfo> lineage;
@@ -265,7 +270,7 @@ std::string ProcessSignalFormatter::ProcessDetails(sinsp_evt* event) {
   std::stringstream ss;
   const std::string* path = event_extractor_->get_exepath(event);
   const std::string* name = event_extractor_->get_comm(event);
-  const std::string* container_id = event_extractor_->get_container_id(event);
+  auto container_id = EventExtractor::get_container_id(event);
   const char* args = event_extractor_->get_proc_args(event);
   const int64_t* pid = event_extractor_->get_pid(event);
 
@@ -347,7 +352,7 @@ void ProcessSignalFormatter::GetProcessLineage(sinsp_threadinfo* tinfo,
     // all platforms.
     //
     if (pt->m_vpid == 0) {
-      if (pt->m_container_id.empty()) {
+      if (!EventExtractor::get_container_id(pt)) {
         return false;
       }
     } else if (pt->m_pid == pt->m_vpid) {
@@ -361,7 +366,7 @@ void ProcessSignalFormatter::GetProcessLineage(sinsp_threadinfo* tinfo,
     // Collapse parent child processes that have the same path
     if (lineage.empty() || (lineage.back().parent_exec_file_path() != pt->m_exepath)) {
       LineageInfo info;
-      info.set_parent_uid(pt->m_user.uid());
+      info.set_parent_uid(pt->m_uid);
       info.set_parent_exec_file_path(pt->m_exepath);
       lineage.push_back(info);
     }

collector/lib/Utility.cpp

@@ -57,15 +57,6 @@ const char* SignalName(int signum) {
   }
 }
 
-std::ostream& operator<<(std::ostream& os, const sinsp_threadinfo* t) {
-  if (t) {
-    os << "Container: \"" << t->m_container_id << "\", Name: " << t->m_comm << ", PID: " << t->m_pid << ", Args: " << t->m_exe;
-  } else {
-    os << "NULL\n";
-  }
-  return os;
-}
-
 const char* UUIDStr() {
   uuid_t uuid;
   constexpr int kUuidStringLength = 36;  // uuid_unparse manpage says so.

collector/lib/Utility.h

@@ -63,8 +63,6 @@ std::string Str(Args&&... args) {
   return string_stream.str();
 }
 
-std::ostream& operator<<(std::ostream& os, const sinsp_threadinfo* t);
-
 // UUIDStr returns UUID in string format.
 const char* UUIDStr();
 

collector/lib/system-inspector/EventExtractor.h

@@ -7,6 +7,8 @@
 #include "libsinsp/sinsp.h"
 
 #include "Logging.h"
+#include "Utility.h"
+#include "threadinfo.h"
 
 namespace collector::system_inspector {
 
@@ -129,16 +131,13 @@ class EventExtractor {
   //
   // ADD ANY NEW FIELDS BELOW THIS LINE
 
-  // Container related fields
-  TINFO_FIELD(container_id);
-
   // Process related fields
   TINFO_FIELD(comm);
   TINFO_FIELD(exe);
   TINFO_FIELD(exepath);
   TINFO_FIELD(pid);
-  TINFO_FIELD_RAW_GETTER(uid, m_user.uid, uint32_t);
-  TINFO_FIELD_RAW_GETTER(gid, m_group.gid, uint32_t);
+  TINFO_FIELD_RAW(uid, m_uid, uint32_t);
+  TINFO_FIELD_RAW(gid, m_gid, uint32_t);
   FIELD_CSTR(proc_args, "proc.args");
 
   // General event information
@@ -148,15 +147,33 @@ class EventExtractor {
   FIELD_RAW_SAFE(client_port, "fd.cport", uint16_t);
   FIELD_RAW_SAFE(server_port, "fd.sport", uint16_t);
 
-  // k8s metadata
-  FIELD_CSTR(k8s_namespace, "k8s.ns.name");
-
 #undef TINFO_FIELD
 #undef FIELD_RAW
 #undef FIELD_CSTR
 #undef EVT_ARG
 #undef EVT_ARG_RAW
 #undef DECLARE_FILTER_CHECK
+
+ public:
+  static std::optional<std::string_view> get_container_id(const sinsp_threadinfo* tinfo) {
+    for (const auto& [_, cgroup] : tinfo->cgroups()) {
+      auto container_id = ExtractContainerIDFromCgroup(cgroup);
+      if (container_id) {
+        return container_id;
+      }
+    }
+
+    return {};
+  }
+
+  static std::optional<std::string_view> get_container_id(const sinsp_evt* evt) {
+    const auto* tinfo = evt->get_tinfo();
+    if (tinfo == nullptr) {
+      return {};
+    }
+
+    return get_container_id(tinfo);
+  }
 };
 
 }  // namespace collector::system_inspector

collector/lib/system-inspector/Service.cpp

@@ -6,7 +6,6 @@
 
 #include <linux/ioctl.h>
 
-#include "libsinsp/container_engine/sinsp_container_type.h"
 #include "libsinsp/parsers.h"
 #include "libsinsp/sinsp.h"
 
@@ -15,7 +14,6 @@
 #include "CollectionMethod.h"
 #include "CollectorException.h"
 #include "CollectorStats.h"
-#include "ContainerEngine.h"
 #include "ContainerMetadata.h"
 #include "EventExtractor.h"
 #include "EventNames.h"
@@ -50,7 +48,7 @@ Service::Service(const CollectorConfig& config)
   inspector_->disable_log_timestamps();
   inspector_->set_log_callback(logging::InspectorLogCallback);
 
-  inspector_->set_import_users(config.ImportUsers(), false);
+  inspector_->set_import_users(config.ImportUsers());
   inspector_->set_thread_timeout_s(30);
   inspector_->set_auto_threads_purging_interval_s(60);
   inspector_->m_thread_manager->set_max_thread_table_size(config.GetSinspThreadCacheSize());
@@ -62,6 +60,7 @@ Service::Service(const CollectorConfig& config)
     inspector_->get_parser()->set_track_connection_status(true);
   }
 
+  /*
   if (config.EnableRuntimeConfig()) {
     uint64_t mask = 1 << CT_CRI |
                     1 << CT_CRIO |
@@ -87,6 +86,7 @@ Service::Service(const CollectorConfig& config)
   }
 
   inspector_->set_filter("container.id != 'host'");
+  */
 
   // The self-check handlers should only operate during start up,
   // so they are added to the handler list first, so they have access
@@ -160,6 +160,12 @@ sinsp_evt* Service::GetNext() {
     return nullptr;
   }
 
+  // If there is no container id, this is an event from the host.
+  // We ignore these for now.
+  if (!EventExtractor::get_container_id(event)) {
+    return nullptr;
+  }
+
   userspace_stats_.event_parse_micros[event->get_type()] += (NowMicros() - parse_start);
   ++userspace_stats_.nUserspaceEvents[event->get_type()];
 
@@ -296,7 +302,8 @@ bool Service::SendExistingProcesses(SignalHandler* handler) {
   }
 
   return threads->loop([&](sinsp_threadinfo& tinfo) {
-    if (!tinfo.m_container_id.empty() && tinfo.is_main_thread()) {
+    auto container_id = EventExtractor::get_container_id(&tinfo);
+    if (container_id && tinfo.is_main_thread()) {
       auto result = handler->HandleExistingProcess(&tinfo);
       if (result == SignalHandler::ERROR || result == SignalHandler::NEEDS_REFRESH) {
         CLOG(WARNING) << "Failed to write existing process signal: " << &tinfo;