github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-21 09:59:40 +00:00
Code Issues Projects Releases Wiki Activity

Add ability to check if field is defined

Browse Source 
Add a function is_defined_field(source, fldname) that returns whether
a field with name fldname exists for the given event source. This uses
the filter factory to create a filtercheck, and returns true if an
object was created.

This prevents having to push down the entire set of defined fields
before calling load_rules().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2021-08-25 17:58:54 -07:00 committed by poiana
parent 84d7020e3e
commit 04f3cc503c
2 changed files with 48 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
userspace/engine/rules.cpp
View File

@ -35,6 +35,7 @@ const static struct luaL_Reg ll_falco_rules[] =
{"enable_rule", &falco_rules::enable_rule}, {"enable_rule", &falco_rules::enable_rule},
{"engine_version", &falco_rules::engine_version}, {"engine_version", &falco_rules::engine_version},
{"is_format_valid", &falco_rules::is_format_valid}, {"is_format_valid", &falco_rules::is_format_valid},
{"is_defined_field", &falco_rules::is_defined_field},
{NULL, NULL}}; {NULL, NULL}};
falco_rules::falco_rules(falco_engine *engine, falco_rules::falco_rules(falco_engine *engine,
@ -260,6 +261,48 @@ bool falco_rules::is_format_valid(const std::string &source, const std::string &
return ret; return ret;
} }
int falco_rules::is_defined_field(lua_State *ls)
{
if (! lua_islightuserdata(ls, -3) ||
! lua_isstring(ls, -2) ||
! lua_isstring(ls, -1))
{
lua_pushstring(ls, "Invalid arguments passed to is_defined_field");
lua_error(ls);
}
falco_rules *rules = (falco_rules *) lua_topointer(ls, -3);
string source = luaL_checkstring(ls, -2);
string fldname = luaL_checkstring(ls, -1);
bool ret = rules->is_defined_field(source, fldname);
lua_pushboolean(ls, (ret ? 1 : 0));
return 1;
}
bool falco_rules::is_defined_field(const std::string &source, const std::string &fldname)
{
auto it = m_filter_factories.find(source);
if(it == m_filter_factories.end())
{
return false;
}
auto *chk = it->second->new_filtercheck(fldname.c_str());
if (chk == NULL)
{
return false;
}
delete(chk);
return true;
}
static std::list<std::string> get_lua_table_values(lua_State *ls, int idx) static std::list<std::string> get_lua_table_values(lua_State *ls, int idx)
{ {
std::list<std::string> ret; std::list<std::string> ret;

5
userspace/engine/rules.h
View File

@ -47,6 +47,8 @@ class falco_rules
bool is_format_valid(const std::string &source, const std::string &format, std::string &errstr); bool is_format_valid(const std::string &source, const std::string &format, std::string &errstr);
bool is_defined_field(const std::string &source, const std::string &field);
static void init(lua_State *ls); static void init(lua_State *ls);
static int clear_filters(lua_State *ls); static int clear_filters(lua_State *ls);
static int create_lua_parser(lua_State *ls); static int create_lua_parser(lua_State *ls);
@ -57,6 +59,9 @@ class falco_rules
// err = falco_rules.is_format_valid(source, format_string) // err = falco_rules.is_format_valid(source, format_string)
static int is_format_valid(lua_State *ls); static int is_format_valid(lua_State *ls);
// err = falco_rules.is_defined_field(source, field)
static int is_defined_field(lua_State *ls);
private: private:
void clear_filters(); void clear_filters();
// XXX/mstemm can I make this a shared_ptr? // XXX/mstemm can I make this a shared_ptr?