Allow append of new exceptions to rules

Signed-off-by: Sai Arigeli <saiharisharigeli@gmail.com>

Return warnings after validation of rule exceptions

Signed-off-by: Sai Arigeli <saiharisharigeli@gmail.com>

Update FALCO_ENGINE_VERSION

Signed-off-by: Sai Arigeli <saiharisharigeli@gmail.com>

test/falco_tests_exceptions.yaml

@@ -177,10 +177,18 @@ trace_files: !mux
     trace_file: trace_files/cat_write.scap
 
   rule_exception_append_item_not_in_rule:
-    exit_status: 0
+    exit_status: 1
-    stderr_contains: |+
+    stdout_is: |+
-      1 warnings:
+      1 errors:
-      Rule My Rule with append=true: no set of fields matching name ex2
+      Rule exception new item ex2: must have fields property with a list of fields
+      ---
+      - rule: My Rule
+        exceptions:
+          - name: ex2
+            values:
+              - [apache, /tmp]
+        append: true
+      ---
     validate_rules_file:
       - rules/exceptions/append_item_not_in_rule.yaml
     trace_file: trace_files/cat_write.scap
@@ -311,4 +319,35 @@ trace_files: !mux
       - rules/exceptions/rule_exception_single_field_append.yaml
     trace_file: trace_files/cat_write.scap
 
+  rule_exception_new_single_field_append:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_new_single_field_append.yaml
+    trace_file: trace_files/cat_write.scap
+  
+  rule_exception_new_second_field_append:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_new_second_field_append.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_new_append_no_field:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception new item proc_cmdline: must have fields property with a list of fields
+      ---
+      - rule: Open From Cat
+        exceptions:
+          - name: proc_cmdline
+            comps: in
+            values:
+              - "cat /dev/null"
+        append: true
+      ---
+    validate_rules_file:
+      - rules/exceptions/rule_exception_new_no_field_append.yaml
+    trace_file: trace_files/cat_write.scap
 

test/rules/exceptions/rule_exception_new_no_field_append.yaml

@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  priority: WARNING
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_cmdline
+      comps: in
+      values:
+        - "cat /dev/null"
+  append: true
+

test/rules/exceptions/rule_exception_new_second_field_append.yaml

@@ -0,0 +1,39 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_cmdline
+      fields: proc.cmdline
+      comps: in
+      values:
+        - cat /dev/zero
+  priority: WARNING
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_cmdline_2
+      fields: proc.cmdline
+      comps: in
+      values:
+        - "cat /dev/null"
+  append: true
+
+

test/rules/exceptions/rule_exception_new_single_field_append.yaml

@@ -0,0 +1,33 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  priority: WARNING
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_cmdline
+      fields: proc.cmdline
+      comps: in
+      values:
+        - "cat /dev/null"
+  append: true
+
+

userspace/engine/falco_engine_version.h

@@ -16,7 +16,7 @@ limitations under the License.
 
 // The version of rules/filter fields/etc supported by this Falco
 // engine.
-#define FALCO_ENGINE_VERSION (10)
+#define FALCO_ENGINE_VERSION (11)
 
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of Falco. It's used

userspace/engine/lua/rule_loader.lua

@@ -614,41 +614,75 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	       if next(v['exceptions']) ~= nil then
 
 		  for _, eitem in ipairs(v['exceptions']) do
-		     local name = eitem['name']
-		     local fields = eitem['fields']
-		     local comps = eitem['comps']
 
-		     if name == nil then
+		     if eitem['name'] == nil then
 			return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
 		     end
 
-		     -- You can't append exception fields or comps to a rule
+		     -- Seperate case when a exception name is not found
-		     if fields ~= nil then
+		     -- This means that a new exception is being appended
-			return false, build_error_with_context(v['context'], "Can not append exception fields to existing rule, only values"), warnings
+
+		     local new_exception = true
+		     for _, rex_item in ipairs(state.rules_by_name[v['rule']]['exceptions']) do
+			if rex_item['name'] == eitem['name'] then
+			   new_exception = false
+			   break
+			end
 		     end
 
-		     if comps ~= nil then
+		     if new_exception then
-			return false, build_error_with_context(v['context'], "Can not append exception comps to existing rule, only values"), warnings
+			local exceptions = state.rules_by_name[v['rule']]['exceptions']
-		     end
 			
-		     -- You can append values. They are added to the
+			if eitem['fields'] == nil then
-		     -- corresponding name, if it exists. If no
+			   return false, build_error_with_context(v['context'], "Rule exception new item "..eitem['name']..": must have fields property with a list of fields"), warnings
-		     -- exception with that name exists, add a
+			end
-		     -- warning.
+			if eitem['values'] == nil then
-		     if eitem['values'] ~= nil then
+			   return false, build_error_with_context(v['context'], "Rule exception new item "..eitem['name']..": must have values property with a list of values"), warnings
-			local found=false
+			end
-			for _, reitem in ipairs(state.rules_by_name[v['rule']]['exceptions']) do
+			
-			   if reitem['name'] == eitem['name'] then
+			local valid, err
-			      found=true
+			if type(eitem['fields']) == "table" then
-			      for _, values in ipairs(eitem['values']) do
+			   valid, err = validate_exception_item_multi_fields(rules_mgr, v['source'], eitem, v['context'])
-				 reitem['values'][#reitem['values'] + 1] = values
+			else
+			   valid, err = validate_exception_item_single_field(rules_mgr, v['source'], eitem, v['context'])
+			end
+			
+			if valid == false then
+			   return valid, err, warnings
+			end
+
+			-- Insert the complete exception object
+			exceptions[#exceptions+1] = eitem
+		     else
+			-- Appends to existing exception here
+		   	-- You can't append exception fields or comps to an existing rule exception
+                        if eitem['fields'] ~= nil then
+			   return false, build_error_with_context(v['context'], "Can not append exception fields to existing rule, only values"), warnings
+                        end
+
+                        if eitem['comps'] ~= nil then
+                           return false, build_error_with_context(v['context'], "Can not append exception comps to existing rule, only values"), warnings
+                        end
+
+		     	-- You can append values. They are added to the
+		     	-- corresponding name, if it exists. If no
+		     	-- exception with that name exists, add a
+		     	-- warning.
+		     	if eitem['values'] ~= nil then
+			   local found=false
+			   for _, reitem in ipairs(state.rules_by_name[v['rule']]['exceptions']) do
+			      if reitem['name'] == eitem['name'] then
+			         found=true
+			         for _, values in ipairs(eitem['values']) do
+				    reitem['values'][#reitem['values'] + 1] = values
+			         end
 			      end
 			   end
-			end
 
-			if found == false then
+			   if found == false then
-			   warnings[#warnings + 1] = "Rule "..v['rule'].." with append=true: no set of fields matching name "..eitem['name']
+			      warnings[#warnings + 1] = "Rule "..v['rule'].." with append=true: no set of fields matching name "..eitem['name']
-			end
+			   end
+		        end
 		     end
 		  end
 	       end