update(userspace/engine): support searching ppm_sc events in rulesets
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
parent
07980b7822
commit
19ffadc763
@ -65,14 +65,14 @@ void evttype_index_ruleset::ruleset_filters::remove_wrapper_from_list(filter_wra
|
||||
|
||||
void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper> wrap)
|
||||
{
|
||||
if(wrap->evttypes.empty())
|
||||
if(wrap->event_codes.empty())
|
||||
{
|
||||
// Should run for all event types
|
||||
add_wrapper_to_list(m_filter_all_event_types, wrap);
|
||||
}
|
||||
else
|
||||
{
|
||||
for(auto &etype : wrap->evttypes)
|
||||
for(auto &etype : wrap->event_codes)
|
||||
{
|
||||
if(m_filter_by_event_type.size() <= etype)
|
||||
{
|
||||
@ -88,13 +88,13 @@ void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_w
|
||||
|
||||
void evttype_index_ruleset::ruleset_filters::remove_filter(std::shared_ptr<filter_wrapper> wrap)
|
||||
{
|
||||
if(wrap->evttypes.empty())
|
||||
if(wrap->event_codes.empty())
|
||||
{
|
||||
remove_wrapper_from_list(m_filter_all_event_types, wrap);
|
||||
}
|
||||
else
|
||||
{
|
||||
for(auto &etype : wrap->evttypes)
|
||||
for(auto &etype : wrap->event_codes)
|
||||
{
|
||||
if( etype < m_filter_by_event_type.size() )
|
||||
{
|
||||
@ -138,17 +138,24 @@ bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, falco_rule& mat
|
||||
return false;
|
||||
}
|
||||
|
||||
void evttype_index_ruleset::ruleset_filters::evttypes_for_ruleset(std::set<uint16_t> &evttypes)
|
||||
libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::ruleset_filters::sc_codes()
|
||||
{
|
||||
evttypes.clear();
|
||||
|
||||
libsinsp::events::set<ppm_sc_code> res;
|
||||
for(auto &wrap : m_filters)
|
||||
{
|
||||
for (const auto& e : wrap->evttypes)
|
||||
{
|
||||
evttypes.insert((uint16_t) e);
|
||||
}
|
||||
res.insert(wrap->sc_codes.begin(), wrap->sc_codes.end());
|
||||
}
|
||||
return res;
|
||||
}
|
||||
|
||||
libsinsp::events::set<ppm_event_code> evttype_index_ruleset::ruleset_filters::event_codes()
|
||||
{
|
||||
libsinsp::events::set<ppm_event_code> res;
|
||||
for(auto &wrap : m_filters)
|
||||
{
|
||||
res.insert(wrap->event_codes.begin(), wrap->event_codes.end());
|
||||
}
|
||||
return res;
|
||||
}
|
||||
|
||||
void evttype_index_ruleset::add(
|
||||
@ -163,11 +170,15 @@ void evttype_index_ruleset::add(
|
||||
wrap->filter = filter;
|
||||
if(rule.source == falco_common::syscall_source)
|
||||
{
|
||||
wrap->evttypes = libsinsp::filter::ast::ppm_event_codes(condition.get());
|
||||
wrap->sc_codes = libsinsp::filter::ast::ppm_sc_codes(condition.get());
|
||||
// todo(jasondellaluce): once libsinsp has its fixes, optimize this
|
||||
// by using libsinsp::events::ppm_set_to_event_set(wrap->sc_codes)
|
||||
wrap->event_codes = libsinsp::filter::ast::ppm_event_codes(condition.get());
|
||||
}
|
||||
else
|
||||
{
|
||||
wrap->evttypes = { ppm_event_code::PPME_PLUGINEVENT_E };
|
||||
wrap->sc_codes = { };
|
||||
wrap->event_codes = { ppm_event_code::PPME_PLUGINEVENT_E };
|
||||
}
|
||||
m_filters.insert(wrap);
|
||||
}
|
||||
@ -300,10 +311,27 @@ bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t rule
|
||||
|
||||
void evttype_index_ruleset::enabled_evttypes(std::set<uint16_t> &evttypes, uint16_t ruleset_id)
|
||||
{
|
||||
if(m_rulesets.size() < (size_t)ruleset_id + 1)
|
||||
evttypes.clear();
|
||||
for (const auto& e : enabled_event_codes(ruleset_id))
|
||||
{
|
||||
return;
|
||||
evttypes.insert((uint16_t) e);
|
||||
}
|
||||
|
||||
return m_rulesets[ruleset_id]->evttypes_for_ruleset(evttypes);
|
||||
}
|
||||
|
||||
libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::enabled_sc_codes(uint16_t ruleset)
|
||||
{
|
||||
if(m_rulesets.size() < (size_t)ruleset + 1)
|
||||
{
|
||||
return {};
|
||||
}
|
||||
return m_rulesets[ruleset]->sc_codes();
|
||||
}
|
||||
|
||||
libsinsp::events::set<ppm_event_code> evttype_index_ruleset::enabled_event_codes(uint16_t ruleset)
|
||||
{
|
||||
if(m_rulesets.size() < (size_t)ruleset + 1)
|
||||
{
|
||||
return {};
|
||||
}
|
||||
return m_rulesets[ruleset]->event_codes();
|
||||
}
|
||||
|
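Review bot: `ruleset_filters::sc_codes()` and `event_codes()` (hunk at -138) only read `m_filters` and build a local result, so they should be `const` member functions — `libsinsp::events::set<ppm_sc_code> sc_codes() const` — with the matching `const` on their declarations in evttype_index_ruleset.h; `enabled_sc_codes`/`enabled_event_codes` could follow once the pure virtuals in ruleset.h are `const` too. Both accessors recompute the union over every filter on each call, and `enabled_evttypes` now materialises the `enabled_event_codes` set and then copies it element by element into `evttypes`, so a caller that polls these per event pays that cost every time; the todo already placed in `add()` could mention caching here as well. A smaller side effect in the hunk at -300: `enabled_evttypes` now calls `evttypes.clear()` unconditionally, so an out-of-range ruleset id empties the caller's set where the removed early `return` left it untouched — fine if intended, but worth one line in the header comment.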
@ -70,11 +70,17 @@ public:
|
||||
const std::set<std::string> &tags,
|
||||
uint16_t rulset_id) override;
|
||||
|
||||
// evttypes for a ruleset
|
||||
// note(jasondellaluce): this is deprecated, must use the new
|
||||
// typing-improved `enabled_event_codes` and `enabled_sc_codes` instead
|
||||
// todo(jasondellaluce): remove this in future code refactors
|
||||
void enabled_evttypes(
|
||||
std::set<uint16_t> &evttypes,
|
||||
uint16_t ruleset) override;
|
||||
|
||||
libsinsp::events::set<ppm_sc_code> enabled_sc_codes(uint16_t ruleset) override;
|
||||
|
||||
libsinsp::events::set<ppm_event_code> enabled_event_codes(uint16_t ruleset) override;
|
||||
|
||||
private:
|
||||
|
||||
// Helper used by enable()/disable()
|
||||
@ -93,7 +99,8 @@ private:
|
||||
struct filter_wrapper
|
||||
{
|
||||
falco_rule rule;
|
||||
libsinsp::events::set<ppm_event_code> evttypes;
|
||||
libsinsp::events::set<ppm_sc_code> sc_codes;
|
||||
libsinsp::events::set<ppm_event_code> event_codes;
|
||||
std::shared_ptr<gen_event_filter> filter;
|
||||
};
|
||||
|
||||
@ -113,7 +120,9 @@ private:
|
||||
|
||||
bool run(gen_event *evt, falco_rule& match);
|
||||
|
||||
void evttypes_for_ruleset(std::set<uint16_t> &evttypes);
|
||||
libsinsp::events::set<ppm_sc_code> sc_codes();
|
||||
|
||||
libsinsp::events::set<ppm_event_code> event_codes();
|
||||
|
||||
private:
|
||||
void add_wrapper_to_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap);
|
||||
|
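Review bot: The deprecation of `enabled_evttypes` (the `// note(jasondellaluce): this is deprecated...` lines) lives only in a comment, so nothing stops new callers from being written; assuming the build is C++14 or later, `[[deprecated("use enabled_event_codes/enabled_sc_codes")]]` on the declaration would have the compiler flag remaining callers, which is what makes the todo to remove it later enforceable. The same comment-only deprecation appears in falco_engine.h and as a `\deprecated` tag in ruleset.h; putting the attribute on the base pure virtual in ruleset.h covers callers through the interface, though the one internal call in `falco_engine::evttypes_for_ruleset` would then warn until that wrapper is removed too.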
@ -327,6 +327,16 @@ void falco_engine::evttypes_for_ruleset(std::string &source, std::set<uint16_t>
|
||||
find_source(source)->ruleset->enabled_evttypes(evttypes, find_ruleset_id(ruleset));
|
||||
}
|
||||
|
||||
libsinsp::events::set<ppm_sc_code> falco_engine::sc_codes_for_ruleset(const std::string &source, const std::string &ruleset)
|
||||
{
|
||||
return find_source(source)->ruleset->enabled_sc_codes(find_ruleset_id(ruleset));
|
||||
}
|
||||
|
||||
libsinsp::events::set<ppm_event_code> falco_engine::event_codes_for_ruleset(const std::string &source, const std::string &ruleset)
|
||||
{
|
||||
return find_source(source)->ruleset->enabled_event_codes(find_ruleset_id(ruleset));
|
||||
}
|
||||
|
||||
std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::string &source,
|
||||
const std::string &output) const
|
||||
{
|
||||
|
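Review bot: `sc_codes_for_ruleset` and `event_codes_for_ruleset` are pure lookups returning by value, so, like `create_formatter` just below them, they can be `const` member functions if `find_source` and `find_ruleset_id` are (or can be made) const — `libsinsp::events::set<ppm_sc_code> sc_codes_for_ruleset(const std::string &source, const std::string &ruleset) const`. What happens for an unknown source or ruleset name is decided entirely by `find_source`/`find_ruleset_id`, which are outside this hunk; whichever way they fail (throw, null, or a fresh id) should be stated in the header comment rather than left for callers to discover, since these sets are presumably what a caller uses to decide which syscalls to collect, and a silently empty or wrong set shrinks detection coverage without any error.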
@ -222,11 +222,30 @@ public:
|
||||
//
|
||||
// Given an event source and ruleset, fill in a bitset
|
||||
// containing the event types for which this ruleset can run.
|
||||
// note(jasondellaluce): this is deprecated, must use the new
|
||||
// typing-improved `enabled_event_codes` and `enabled_sc_codes` instead
|
||||
// todo(jasondellaluce): remove this in future code refactors
|
||||
//
|
||||
void evttypes_for_ruleset(std::string &source,
|
||||
std::set<uint16_t> &evttypes,
|
||||
const std::string &ruleset = s_default_ruleset);
|
||||
|
||||
//
|
||||
// Given an event source and ruleset, return the set of ppm_sc_codes
|
||||
// for which this ruleset can run and match events.
|
||||
//
|
||||
libsinsp::events::set<ppm_sc_code> sc_codes_for_ruleset(
|
||||
const std::string &source,
|
||||
const std::string &ruleset = s_default_ruleset);
|
||||
|
||||
//
|
||||
// Given an event source and ruleset, return the set of ppm_event_codes
|
||||
// for which this ruleset can run and match events.
|
||||
//
|
||||
libsinsp::events::set<ppm_event_code> event_codes_for_ruleset(
|
||||
const std::string &source,
|
||||
const std::string &ruleset = s_default_ruleset);
|
||||
|
||||
//
|
||||
// Given a source and output string, return an
|
||||
// gen_event_formatter that can format output strings for an
|
||||
|
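Review bot: The comments on `sc_codes_for_ruleset` and `event_codes_for_ruleset` should say what an empty result means, because the two accessors are not symmetric: in `evttype_index_ruleset::add` a non-syscall source gets `sc_codes = { }` but `event_codes = { PPME_PLUGINEVENT_E }`, `enabled_sc_codes` returns `{}` for an unknown ruleset id, and in `add_filter` an empty `event_codes` is treated as "run for all event types" while no such rule is visible for `sc_codes`. A caller that feeds `sc_codes_for_ruleset` into a capture configuration (inferred from the commit title) could read an empty set as "nothing to capture" and stop collecting the events the ruleset needs. Proposed addition to both comments: `// An empty set is returned for an unknown ruleset id and for sources whose rules carry no sc codes (e.g. plugin sources); callers should not treat it as "capture nothing".`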
@ -21,6 +21,7 @@ limitations under the License.
|
||||
#include <filter.h>
|
||||
#include <event.h>
|
||||
#include <gen_filter.h>
|
||||
#include <events/sinsp_events.h>
|
||||
|
||||
/*!
|
||||
\brief Manages a set of rulesets. A ruleset is a set of
|
||||
@ -83,10 +84,29 @@ public:
|
||||
\brief Returns the union of the evttypes of all the rules enabled
|
||||
in a given ruleset
|
||||
\param ruleset_id The id of the ruleset to be used
|
||||
\deprecated Must use the new typing-improved `enabled_event_codes`
|
||||
and `enabled_sc_codes` instead
|
||||
\note todo(jasondellaluce): remove this in future refactors
|
||||
*/
|
||||
virtual void enabled_evttypes(
|
||||
std::set<uint16_t> &evttypes,
|
||||
uint16_t ruleset) = 0;
|
||||
|
||||
/*!
|
||||
\brief Returns the all the ppm_sc_codes matching the rules
|
||||
enabled in a given ruleset.
|
||||
\param ruleset_id The id of the ruleset to be used
|
||||
*/
|
||||
virtual libsinsp::events::set<ppm_sc_code> enabled_sc_codes(
|
||||
uint16_t ruleset) = 0;
|
||||
|
||||
/*!
|
||||
\brief Returns the all the ppm_event_codes matching the rules
|
||||
enabled in a given ruleset.
|
||||
\param ruleset_id The id of the ruleset to be used
|
||||
*/
|
||||
virtual libsinsp::events::set<ppm_event_code> enabled_event_codes(
|
||||
uint16_t ruleset) = 0;
|
||||
|
||||
/*!
|
||||
\brief Find those rules matching the provided substring and enable
|
||||
|
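Review bot: The two new Doxygen blocks have wording defects: `\brief Returns the all the ppm_sc_codes matching the rules` should read `\brief Returns all the ppm_sc_codes matching the rules` (same for the ppm_event_codes block), and both document `\param ruleset_id` while the declared parameter is `ruleset`, so Doxygen will report one undocumented and one unknown parameter; use `\param ruleset The id of the ruleset to be used` (the pre-existing `enabled_evttypes` block has the same mismatch). It would also help implementers to state what a derived class must return when `ruleset` does not name an existing ruleset — `evttype_index_ruleset` returns an empty set — since this interface is what the engine's new `sc_codes_for_ruleset` and `event_codes_for_ruleset` forward to.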