Update automated tests to reflect evttypes behavior

With the changes in https://github.com/falcosecurity/libs/pull/74, there isn't any need to warn about the order of operators and the evt.type field--the set of event types for a filter should be exact now regardless of the order of operators. So update tests that were logging those warnings to note that the warnings won't occur any more. Also, some tests more accurately *do* note that they have an overly permissive evttype (e.g. ones related to syscalls, which are uncommon and are evaluated for all event types) to reflect the new behavior. Finally, in unit tests create an actual sinsp filter instead of a gen_event_filter, which is the base class and shouldn't be created directly. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-10-21 19:44:57 +00:00 · 2021-10-04 17:29:06 -07:00
parent 204892816b
commit 10d47cb1f5
3 changed files with 34 additions and 30 deletions
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -32,20 +32,10 @@ trace_files: !mux
      - leading_not
      - not_equals_at_end
      - not_at_end
-      - not_before_trailing_evttype
-      - not_equals_before_trailing_evttype
      - not_equals_and_not
-      - not_equals_before_in
-      - not_before_in
-      - not_in_before_in
-      - leading_in_not_equals_before_evttype
      - leading_in_not_equals_at_evttype
      - not_with_evttypes
      - not_with_evttypes_addl
-      - not_equals_before_evttype
-      - not_equals_before_in_evttype
-      - not_before_evttype
-      - not_before_evttype_using_in
    rules_events:
      - no_warnings: [execve]
      - no_evttype: [all]
@@ -1142,6 +1132,8 @@ trace_files: !mux
    detect_level: INFO
    rules_file:
      - rules/syscalls.yaml
+    rules_warning:
+      - detect_madvise
    detect_counts:
      - detect_madvise: 2
      - detect_open: 2
@@ -1160,7 +1152,8 @@ trace_files: !mux

  skip_unknown_noevt:
    detect: False
-    stdout_contains: Skipping rule "Contains Unknown Event And Skipping". contains unknown filter proc.nobody
+    rules_warning:
+      - Contains Unknown Event And Skipping
    rules_file:
      - rules/skip_unknown_evt.yaml
    trace_file: trace_files/cat_write.scap
@@ -1175,7 +1168,7 @@ trace_files: !mux
    exit_status: 1
    stderr_contains: |+
      Could not load rules file.*skip_unknown_error.yaml: 1 errors:
-      rule "Contains Unknown Event And Not Skipping". contains unknown filter proc.nobody
+      Rule Contains Unknown Event And Not Skipping: error filter_check called with nonexistent field proc.nobody
      ---
      - rule: Contains Unknown Event And Not Skipping
        desc: Contains an unknown event
@@ -1192,7 +1185,7 @@ trace_files: !mux
    exit_status: 1
    stderr_contains: |+
      Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
-      rule "Contains Unknown Event And Unspecified". contains unknown filter proc.nobody
+      Rule Contains Unknown Event And Unspecified: error filter_check called with nonexistent field proc.nobody
      ---
      - rule: Contains Unknown Event And Unspecified
        desc: Contains an unknown event
--- a/test/rules/rule_append.yaml
+++ b/test/rules/rule_append.yaml
@@ -16,10 +16,10 @@
 #
 - rule: my_rule
  desc: A process named cat does an open
-  condition: evt.type=open and fd.name=not-a-real-file
+  condition: (evt.type=open and fd.name=not-a-real-file)
  output: "An open of /dev/null was seen (command=%proc.cmdline)"
  priority: WARNING

 - rule: my_rule
  append: true
-  condition: or fd.name=/dev/null
+  condition: or (evt.type=open and fd.name=/dev/null)
--- a/tests/engine/test_rulesets.cpp
+++ b/tests/engine/test_rulesets.cpp
@@ -26,10 +26,21 @@ static uint16_t non_default_ruleset = 3;
 static uint16_t other_non_default_ruleset = 2;
 static std::set<std::string> tags = {"some_tag", "some_other_tag"};

+static std::shared_ptr<gen_event_filter> create_filter()
+{
+	// The actual contents of the filters don't matter here.
+	sinsp_filter_compiler compiler(NULL, "evt.type=open");
+	sinsp_filter *f = compiler.compile();
+
+	std::shared_ptr<gen_event_filter> ret(f);
+
+	return ret;
+}
+
 TEST_CASE("Should enable/disable for exact match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";

 	r.add(rule_name, tags, filter);
@@ -44,7 +55,7 @@ TEST_CASE("Should enable/disable for exact match w/ default ruleset", "[rulesets
 TEST_CASE("Should enable/disable for exact match w/ specific ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";

 	r.add(rule_name, tags, filter);
@@ -63,7 +74,7 @@ TEST_CASE("Should enable/disable for exact match w/ specific ruleset", "[ruleset
 TEST_CASE("Should not enable for exact match different rule name", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";

 	r.add(rule_name, tags, filter);
@@ -75,7 +86,7 @@ TEST_CASE("Should not enable for exact match different rule name", "[rulesets]")
 TEST_CASE("Should enable/disable for exact match w/ substring and default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";

 	r.add(rule_name, tags, filter);
@@ -90,7 +101,7 @@ TEST_CASE("Should enable/disable for exact match w/ substring and default rulese
 TEST_CASE("Should not enable for substring w/ exact_match", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";

 	r.add(rule_name, tags, filter);
@@ -102,7 +113,7 @@ TEST_CASE("Should not enable for substring w/ exact_match", "[rulesets]")
 TEST_CASE("Should enable/disable for prefix match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";

 	r.add(rule_name, tags, filter);
@@ -117,7 +128,7 @@ TEST_CASE("Should enable/disable for prefix match w/ default ruleset", "[ruleset
 TEST_CASE("Should enable/disable for suffix match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";

 	r.add(rule_name, tags, filter);
@@ -132,7 +143,7 @@ TEST_CASE("Should enable/disable for suffix match w/ default ruleset", "[ruleset
 TEST_CASE("Should enable/disable for substring match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";

 	r.add(rule_name, tags, filter);
@@ -147,7 +158,7 @@ TEST_CASE("Should enable/disable for substring match w/ default ruleset", "[rule
 TEST_CASE("Should enable/disable for substring match w/ specific ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";

 	r.add(rule_name, tags, filter);
@@ -166,7 +177,7 @@ TEST_CASE("Should enable/disable for substring match w/ specific ruleset", "[rul
 TEST_CASE("Should enable/disable for tags w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 	std::set<std::string> want_tags = {"some_tag"};

@@ -182,7 +193,7 @@ TEST_CASE("Should enable/disable for tags w/ default ruleset", "[rulesets]")
 TEST_CASE("Should enable/disable for tags w/ specific ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 	std::set<std::string> want_tags = {"some_tag"};

@@ -202,7 +213,7 @@ TEST_CASE("Should enable/disable for tags w/ specific ruleset", "[rulesets]")
 TEST_CASE("Should not enable for different tags", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 	std::set<std::string> want_tags = {"some_different_tag"};

@@ -215,7 +226,7 @@ TEST_CASE("Should not enable for different tags", "[rulesets]")
 TEST_CASE("Should enable/disable for overlapping tags", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 	std::set<std::string> want_tags = {"some_tag", "some_different_tag"};

@@ -231,12 +242,12 @@ TEST_CASE("Should enable/disable for overlapping tags", "[rulesets]")
 TEST_CASE("Should enable/disable for incremental adding tags", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> rule1_filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> rule1_filter = create_filter();
 	string rule1_name = "one_rule";
 	std::set<std::string> rule1_tags = {"rule1_tag"};
 	r.add(rule1_name, rule1_tags, rule1_filter);

-	std::shared_ptr<gen_event_filter> rule2_filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> rule2_filter = create_filter();
 	string rule2_name = "two_rule";
 	std::set<std::string> rule2_tags = {"rule2_tag"};
 	r.add(rule2_name, rule2_tags, rule2_filter);