Merge pull request #264 from draios/mergable-lists

Mergable lists
2025-07-13 14:34:33 +00:00 · 2017-08-10 11:08:36 -07:00 · 2017-08-10 11:08:36 -07:00 · 240a8ffffa
commit 240a8ffffa
parent d1265ff520 0bc2d4f162
5 changed files with 65 additions and 1 deletions
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@ -579,3 +579,23 @@ trace_files: !mux
      - open_11: 1
      - open_12: 0
      - open_13: 0
+
+  list_append_failure:
+    exit_status: 1
+    stderr_contains: "List my_list has 'append' key but no list by that name already exists. Exiting"
+    rules_file:
+      - rules/list_append_failure.yaml
+    trace_file: trace_files/cat_write.scap
+
+  list_append:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/list_append.yaml
+    trace_file: trace_files/cat_write.scap
+
+  list_append_false:
+    detect: False
+    rules_file:
+      - rules/list_append_false.yaml
+    trace_file: trace_files/cat_write.scap
--- a/test/rules/list_append.yaml
+++ b/test/rules/list_append.yaml
@ -0,0 +1,12 @@
+- list: my_list
+  items: [not-cat]
+
+- list: my_list
+  append: true
+  items: [cat]
+
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name in (my_list)
+  output: "An open was seen (command=%proc.cmdline)"
+  priority: WARNING
--- a/test/rules/list_append_failure.yaml
+++ b/test/rules/list_append_failure.yaml
@ -0,0 +1,3 @@
+- list: my_list
+  items: [not-cat]
+  append: true
--- a/test/rules/list_append_false.yaml
+++ b/test/rules/list_append_false.yaml
@ -0,0 +1,12 @@
+- list: my_list
+  items: [cat]
+
+- list: my_list
+  append: false
+  items: [not-cat]
+
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name in (my_list)
+  output: "An open was seen (command=%proc.cmdline)"
+  priority: WARNING
--- a/userspace/engine/lua/rule_loader.lua
+++ b/userspace/engine/lua/rule_loader.lua
@ -222,7 +222,24 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
 	    end
 	 end

-	 state.lists_by_name[v['list']] = v
+	 -- Possibly append to an existing list
+	 append = false
+
+	 if v['append'] then
+	    append = v['append']
+	 end
+
+	 if append then
+	    if state.lists_by_name[v['list']] == nil then
+	       error ("List " ..v['list'].. " has 'append' key but no list by that name already exists")
+	    end
+
+	    for i, elem in ipairs(v['items']) do
+	       table.insert(state.lists_by_name[v['list']]['items'], elem)
+	    end
+	 else
+	    state.lists_by_name[v['list']] = v
+	 end

      elseif (v['rule']) then