new: bump plugin API to 3.8.0.

Support new `addOutput` extractor plugin `field_info` field.

Signed-off-by: Federico Di Pierro <[email protected]>

Makefile

@@ -19,7 +19,7 @@
 CURL ?= curl
 PATCH ?= patch
 
-FALCOSECURITY_LIBS_REVISION ?= 0.18.1
+FALCOSECURITY_LIBS_REVISION ?= d87c96b50545bb192fa2a517afce76383877cab5
 FALCOSECURITY_LIBS_REPO     ?= falcosecurity/libs
 DEPS_INCLUDEDIR             := include/falcosecurity/internal/deps
 DEPS_PLUGIN_LIB_URL         := https://raw.githubusercontent.com/${FALCOSECURITY_LIBS_REPO}/${FALCOSECURITY_LIBS_REVISION}/userspace/plugin

examples/syscall_extract/plugin.cpp

@@ -58,7 +58,8 @@ class my_plugin
         using ft = falcosecurity::field_value_type;
         return {
                 {ft::FTYPE_BOOL, "sample.is_open", "Is Open Type",
-                 "Value is true if event is of open family"},
+                 "Value is true if event is of open family",
+                 {}, false, {}, true}, // use as suggested output format
                 {ft::FTYPE_UINT64, "sample.open_count", "Open Type Count",
                  "Counter for all the events of open family in the event's "
                  "thread thread"},

include/falcosecurity/internal/deps/plugin_api.h

@@ -29,7 +29,7 @@ extern "C" {
 //
 // todo(jasondellaluce): when/if major changes to v4, check and solve all todos
 #define PLUGIN_API_VERSION_MAJOR 3
-#define PLUGIN_API_VERSION_MINOR 7
+#define PLUGIN_API_VERSION_MINOR 8
 #define PLUGIN_API_VERSION_PATCH 0
 
 //
@@ -843,7 +843,7 @@ typedef struct {
 		//     "name": a string with a name for the field
 		//     "type": one of "string", "uint64", "bool", "reltime", "abstime",
 		//             "ipaddr", "ipnet"
-		//     "isList: (optional) If present and set to true, notes
+		//     "isList: (optional) if present and set to true, notes
 		//              that the field extracts a list of values.
 		//     "arg": (optional) if present, notes that the field can accept
 		//             an argument e.g. field[arg]. More precisely, the following
@@ -860,9 +860,11 @@ typedef struct {
 		//                display the field instead of the name. Used in tools
 		//                like wireshark.
 		//     "desc": a string with a description of the field
+		//     "addOutput": (optional) if true, suggest this field to be appended to the
+		//				  output string for compatible event sources.
 		// Example return value:
 		// [
-		//    {"type": "uint64", "name": "field1", "desc": "Describing field 1"},
+		//    {"type": "uint64", "name": "field1", "desc": "Describing field 1", "addOutput": true},
 		//    {"type": "string", "name": "field2", "arg": {"isRequired": true, "isIndex": true},
 		//    "desc": "Describing field 2"},
 		// ]

include/falcosecurity/internal/plugin_mixin_extraction.h

@@ -95,6 +95,7 @@ template<class Plugin, class Base> class plugin_mixin_extraction : public Base
             entry["name"] = f.name;
             entry["type"] = falcosecurity::to_string(f.type);
             entry["isList"] = f.list;
+            entry["addOutput"] = f.addOutput;
             entry["display"] = f.display;
             entry["desc"] = f.description;
             entry["arg"]["isKey"] = f.arg.key;

include/falcosecurity/types.h

@@ -154,10 +154,11 @@ struct field_info
     FALCOSECURITY_INLINE
     field_info(field_value_type t, const std::string& n, const std::string& di,
                const std::string& de, const field_arg& a = field_arg(),
-               bool l = false, const std::vector<std::string>& p = {}):
+               bool l = false, const std::vector<std::string>& p = {}, bool o = false):
             type(t),
             name(n), list(l), arg(a), display(di), description(de),
-            properties(p)
+            properties(p),
+            addOutput(o)
     {
     }
     FALCOSECURITY_INLINE
@@ -176,6 +177,7 @@ struct field_info
     std::string display;
     std::string description;
     std::vector<std::string> properties;
+    bool addOutput = false;
 };
 
 struct open_param