github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-31 14:20:04 +00:00
Code Issues Projects Releases Wiki Activity

cleanup(app_acions): fine-tune base_syscalls.repair behavior

Browse Source 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
This commit is contained in:
Melissa Kilby
2023-03-29 14:50:11 +00:00
committed by poiana
parent e178174a93
commit 0b6e243582
1 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
userspace/falco/app/actions/configure_interesting_sets.cpp
View File

@@ -112,6 +112,19 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
// base events set (either the default or the user-defined one)
s.selected_sc_set = rules_sc_set.merge(base_sc_set);
/* REPLACE DEFAULT STATE, nothing else. Need to override s.selected_sc_set and have a separate logic block. */
if (s.config->m_base_syscalls_repair && user_positive_sc_set.empty())
{
/* If `base_syscalls.repair` is specified, but `base_syscalls.custom_set` is empty we are replacing
* the default `sinsp_state_sc_set()` enforcement with the alternative `sinsp_repair_state_sc_set`.
* This approach only activates additional syscalls Falco needs beyond the
* syscalls defined in each Falco rule that are absolutely necessary based
* on the current rules configuration. */
// returned set already has rules_sc_set merged
s.selected_sc_set = libsinsp::events::sinsp_repair_state_sc_set(rules_sc_set);
}
if (!user_negative_sc_set.empty())
{
/* Remove negative base_syscalls events. */
@@ -131,19 +144,6 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
}
}
/* REPLACE DEFAULT STATE, nothing else. */
if (s.config->m_base_syscalls_repair && s.config->m_base_syscalls_custom_set.empty())
{
/* If `base_syscalls.repair` is specified, but `base_syscalls.custom_set` is empty we are replacing
* the default `sinsp_state_sc_set()` enforcement with the alternative `sinsp_repair_state_sc_set`.
* This approach only activates additional syscalls Falco needs beyond the
* syscalls defined in each Falco rule that are absolutely necessary based
* on the current rules configuration. */
// returned set already has rules_sc_set merged
s.selected_sc_set = libsinsp::events::sinsp_repair_state_sc_set(rules_sc_set);
}
/* Derive the diff between the additional syscalls added via libsinsp state
enforcement and the syscalls from each Falco rule. We avoid printing
this in case the user specified a custom set of base syscalls */