github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-05 08:40:52 +00:00
Code Issues Projects Releases Wiki Activity

cleanup(app_acions): fine-tune base_syscalls.repair behavior

Browse Source 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
This commit is contained in:
Melissa Kilby
2023-03-29 14:50:11 +00:00
committed by poiana
parent e178174a93
commit 0b6e243582
1 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
userspace/falco/app/actions/configure_interesting_sets.cpp
View File

@@ -112,6 +112,19 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
// base events set (either the default or the user-defined one) // base events set (either the default or the user-defined one)
s.selected_sc_set = rules_sc_set.merge(base_sc_set); s.selected_sc_set = rules_sc_set.merge(base_sc_set);
/* REPLACE DEFAULT STATE, nothing else. Need to override s.selected_sc_set and have a separate logic block. */
if (s.config->m_base_syscalls_repair && user_positive_sc_set.empty())
{
/* If `base_syscalls.repair` is specified, but `base_syscalls.custom_set` is empty we are replacing
* the default `sinsp_state_sc_set()` enforcement with the alternative `sinsp_repair_state_sc_set`.
* This approach only activates additional syscalls Falco needs beyond the
* syscalls defined in each Falco rule that are absolutely necessary based
* on the current rules configuration. */
// returned set already has rules_sc_set merged
s.selected_sc_set = libsinsp::events::sinsp_repair_state_sc_set(rules_sc_set);
}
if (!user_negative_sc_set.empty()) if (!user_negative_sc_set.empty())
{ {
/* Remove negative base_syscalls events. */ /* Remove negative base_syscalls events. */
@@ -131,19 +144,6 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
} }
} }
/* REPLACE DEFAULT STATE, nothing else. */
if (s.config->m_base_syscalls_repair && s.config->m_base_syscalls_custom_set.empty())
{
/* If `base_syscalls.repair` is specified, but `base_syscalls.custom_set` is empty we are replacing
* the default `sinsp_state_sc_set()` enforcement with the alternative `sinsp_repair_state_sc_set`.
* This approach only activates additional syscalls Falco needs beyond the
* syscalls defined in each Falco rule that are absolutely necessary based
* on the current rules configuration. */
// returned set already has rules_sc_set merged
s.selected_sc_set = libsinsp::events::sinsp_repair_state_sc_set(rules_sc_set);
}
/* Derive the diff between the additional syscalls added via libsinsp state /* Derive the diff between the additional syscalls added via libsinsp state
enforcement and the syscalls from each Falco rule. We avoid printing enforcement and the syscalls from each Falco rule. We avoid printing
this in case the user specified a custom set of base syscalls */ this in case the user specified a custom set of base syscalls */