Enable/disable rules using substrings not regexes

Given the compiler we currently use, you can't actually enable/disable regexes in falco_engine::enable_rule using a regex pattern. The regex either will fail to compile or will compile but not actually match strings. This is noted on the c++11 compatibility notes for gcc 4.8.2: https://gcc.gnu.org/onlinedocs/gcc-4.8.2/libstdc++/manual/manual/status.html#status.iso.2011. The only use of using enable_rule was treating the regex pattern as a substring match anyway, so we can change the engine to treat the pattern as a substring. So change the method/supporting sub-classes to note that the argument is a substring match, and change falco itself to refer to substrings instead of patterns. This fixes https://github.com/falcosecurity/falco/issues/742. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-09-05 16:50:34 +00:00 · 2019-07-29 12:10:58 -07:00
parent 4a4701b4fd
commit 3fedd00cfc
5 changed files with 26 additions and 42 deletions
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -206,17 +206,17 @@ void falco_engine::load_rules_file(const string &rules_filename, bool verbose, b
 	load_rules(rules_content, verbose, all_events, required_engine_version);
 }

-void falco_engine::enable_rule(const string &pattern, bool enabled, const string &ruleset)
+void falco_engine::enable_rule(const string &substring, bool enabled, const string &ruleset)
 {
 	uint16_t ruleset_id = find_ruleset_id(ruleset);

-	m_sinsp_rules->enable(pattern, enabled, ruleset_id);
-	m_k8s_audit_rules->enable(pattern, enabled, ruleset_id);
+	m_sinsp_rules->enable(substring, enabled, ruleset_id);
+	m_k8s_audit_rules->enable(substring, enabled, ruleset_id);
 }

-void falco_engine::enable_rule(const string &pattern, bool enabled)
+void falco_engine::enable_rule(const string &substring, bool enabled)
 {
-	enable_rule(pattern, enabled, m_default_ruleset);
+	enable_rule(substring, enabled, m_default_ruleset);
 }

 void falco_engine::enable_rule_by_tag(const set<string> &tags, bool enabled, const string &ruleset)
--- a/userspace/engine/falco_engine.h
+++ b/userspace/engine/falco_engine.h
@@ -76,16 +76,17 @@ public:
 	void load_rules(const std::string &rules_content, bool verbose, bool all_events, uint64_t &required_engine_version);

 	//
-	// Enable/Disable any rules matching the provided pattern
-	// (regex). When provided, enable/disable these rules in the
+	// Enable/Disable any rules matching the provided substring.
+	// If the substring is "", all rules are enabled/disabled.
+	// When provided, enable/disable these rules in the
 	// context of the provided ruleset. The ruleset (id) can later
 	// be passed as an argument to process_event(). This allows
 	// for different sets of rules being active at once.
 	//
-	void enable_rule(const std::string &pattern, bool enabled, const std::string &ruleset);
+	void enable_rule(const std::string &substring, bool enabled, const std::string &ruleset);

 	// Wrapper that assumes the default ruleset
-	void enable_rule(const std::string &pattern, bool enabled);
+	void enable_rule(const std::string &substring, bool enabled);

 	//
 	// Enable/Disable any rules with any of the provided tags (set, exact matches only)
--- a/userspace/engine/ruleset.cpp
+++ b/userspace/engine/ruleset.cpp
@@ -202,19 +202,8 @@ void falco_ruleset::add(string &name,
 	}
 }

-void falco_ruleset::enable(const string &pattern, bool enabled, uint16_t ruleset)
+void falco_ruleset::enable(const string &substring, bool enabled, uint16_t ruleset)
 {
-	regex re;
-	bool match_using_regex = true;
-
-	try {
-		re.assign(pattern);
-	}
-	catch (std::regex_error e)
-	{
-		match_using_regex = false;
-	}
-
 	while (m_rulesets.size() < (size_t) ruleset + 1)
 	{
 		m_rulesets.push_back(new ruleset_filters());
@@ -223,14 +212,9 @@ void falco_ruleset::enable(const string &pattern, bool enabled, uint16_t ruleset
 	for(const auto &val : m_filters)
 	{
 		bool matches;
-		if(match_using_regex)
-		{
-			matches = regex_match(val.first, re);
-		}
-		else
-		{
-			matches = (val.first.find(pattern) != string::npos);
-		}
+
+		matches = (substring == "" || (val.first.find(substring) != string::npos));
+
 		if (matches)
 		{
 			if(enabled)
--- a/userspace/engine/ruleset.h
+++ b/userspace/engine/ruleset.h
@@ -24,7 +24,6 @@ limitations under the License.
 #include <vector>
 #include <list>
 #include <map>
-#include <regex>

 #include "sinsp.h"
 #include "filter.h"
@@ -48,9 +47,9 @@ public:
        // specifying unnecessarily large rulesets will result in
        // unnecessarily large vectors.

-	// Find those rules matching the provided pattern and set
+	// Find those rules matching the provided substring and set
 	// their enabled status to enabled.
-	void enable(const std::string &pattern, bool enabled, uint16_t ruleset = 0);
+	void enable(const std::string &substring, bool enabled, uint16_t ruleset = 0);

 	// Find those rules that have a tag in the set of tags and set
 	// their enabled status to enabled. Note that the enabled
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -87,7 +87,7 @@ static void usage()
 	   " --cri <path>                  Path to CRI socket for container metadata\n"
 	   "                               Use the specified socket to fetch data from a CRI-compatible runtime\n"
 	   " -d, --daemon                  Run as a daemon\n"
-	   " -D <pattern>                  Disable any rules matching the regex <pattern>. Can be specified multiple times.\n"
+	   " -D <substring>                Disable any rules with names having the substring <substring>. Can be specified multiple times.\n"
 	   "                               Can not be specified with -t.\n"
 	   " -e <events_file>              Read the events from <events_file> (in .scap format for sinsp events, or jsonl for\n"
 	   "                               k8s audit events) instead of tapping into live.\n"
@@ -471,9 +471,9 @@ int falco_init(int argc, char **argv)

 	try
 	{
-		set<string> disabled_rule_patterns;
-		string pattern;
-		string all_rules = ".*";
+		set<string> disabled_rule_substrings;
+		string substring;
+		string all_rules = "";
 		set<string> disabled_rule_tags;
 		set<string> enabled_rule_tags;

@@ -502,8 +502,8 @@ int falco_init(int argc, char **argv)
 				daemon = true;
 				break;
 			case 'D':
-				pattern = optarg;
-				disabled_rule_patterns.insert(pattern);
+				substring = optarg;
+				disabled_rule_substrings.insert(substring);
 				break;
 			case 'e':
 				trace_filename = optarg;
@@ -781,15 +781,15 @@ int falco_init(int argc, char **argv)
 		}

 		// You can't both disable and enable rules
-		if((disabled_rule_patterns.size() + disabled_rule_tags.size() > 0) &&
+		if((disabled_rule_substrings.size() + disabled_rule_tags.size() > 0) &&
 		    enabled_rule_tags.size() > 0) {
 			throw std::invalid_argument("You can not specify both disabled (-D/-T) and enabled (-t) rules");
 		}

-		for (auto pattern : disabled_rule_patterns)
+		for (auto substring : disabled_rule_substrings)
 		{
-			falco_logger::log(LOG_INFO, "Disabling rules matching pattern: " + pattern + "\n");
-			engine->enable_rule(pattern, false);
+			falco_logger::log(LOG_INFO, "Disabling rules matching substring: " + substring + "\n");
+			engine->enable_rule(substring, false);
 		}

 		if(disabled_rule_tags.size() > 0)