github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-05 02:47:05 +00:00
Code Issues Projects Releases Wiki Activity

Inline find_source() as it can be called in the event path

Browse Source 
Inline find_source as it can be called in the event processing path.

Also take the cached variant that assigns/uses m_syscall_source_idx
and put it in find_source() instead of process_event().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2023-12-01 14:12:29 -08:00 committed by poiana
parent 70ce7b936b
commit 07d7b9a57a
2 changed files with 39 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
userspace/engine/falco_engine.cpp
View File

@ -79,26 +79,6 @@ sinsp_version falco_engine::engine_version()
return sinsp_version(FALCO_ENGINE_VERSION); return sinsp_version(FALCO_ENGINE_VERSION);
} }
const falco_source* falco_engine::find_source(const std::string& name) const
{
auto ret = m_sources.at(name);
if(!ret)
{
throw falco_exception("Unknown event source " + name);
}
return ret;
}
const falco_source* falco_engine::find_source(std::size_t index) const
{
auto ret = m_sources.at(index);
if(!ret)
{
throw falco_exception("Unknown event source index " + std::to_string(index));
}
return ret;
}
// Return a key that uniquely represents a field class. // Return a key that uniquely represents a field class.
// For now, we assume name + shortdesc is unique. // For now, we assume name + shortdesc is unique.
static std::string fieldclass_key(const gen_event_filter_factory::filter_fieldclass_info &fld_info) static std::string fieldclass_key(const gen_event_filter_factory::filter_fieldclass_info &fld_info)
@ -422,21 +402,7 @@ std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_ev
// source_idx, which means that at any time each filter_ruleset will only // source_idx, which means that at any time each filter_ruleset will only
// be accessed by a single thread. // be accessed by a single thread.
const falco_source *source; const falco_source *source = find_source(source_idx);
if(source_idx == m_syscall_source_idx)
{
if(m_syscall_source == NULL)
{
m_syscall_source = find_source(m_syscall_source_idx);
}
source = m_syscall_source;
}
else
{
source = find_source(source_idx);
}
if(should_drop_evt() || !source) if(should_drop_evt() || !source)
{ {

40
userspace/engine/falco_engine.h
View File

@ -305,8 +305,44 @@ private:
indexed_vector<falco_source> m_sources; indexed_vector<falco_source> m_sources;
const falco_source* find_source(std::size_t index) const; inline const falco_source* find_source(std::size_t index)
const falco_source* find_source(const std::string& name) const; {
const falco_source *source;
if(index == m_syscall_source_idx)
{
if(m_syscall_source == NULL)
{
m_syscall_source = m_sources.at(m_syscall_source_idx);
if(!m_syscall_source)
{
throw falco_exception("Unknown event source index " + std::to_string(index));
}
}
source = m_syscall_source;
}
else
{
source = m_sources.at(index);
if(!source)
{
throw falco_exception("Unknown event source index " + std::to_string(index));
}
}
return source;
}
inline const falco_source* find_source(const std::string& name) const
{
auto ret = m_sources.at(name);
if(!ret)
{
throw falco_exception("Unknown event source " + name);
}
return ret;
}
// To allow the engine to be extremely fast for syscalls (can // To allow the engine to be extremely fast for syscalls (can
// be > 1M events/sec), we save the syscall source/source_idx // be > 1M events/sec), we save the syscall source/source_idx