update(userspace/engine): make rule_matching strategy stateless in falco engine
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
@@ -56,7 +56,6 @@ falco_engine::falco_engine(bool seed_rng)
|
||||
m_syscall_source_idx(SIZE_MAX),
|
||||
m_next_ruleset_id(0),
|
||||
m_min_priority(falco_common::PRIORITY_DEBUG),
|
||||
m_rule_matching(falco_common::FIRST),
|
||||
m_sampling_ratio(1), m_sampling_multiplier(0),
|
||||
m_replace_container_info(false)
|
||||
{
|
||||
@@ -311,11 +310,6 @@ void falco_engine::set_min_priority(falco_common::priority_type priority)
|
||||
m_min_priority = priority;
|
||||
}
|
||||
|
||||
void falco_engine::set_rule_matching(falco_common::rule_matching rule_matching)
|
||||
{
|
||||
m_rule_matching = rule_matching;
|
||||
}
|
||||
|
||||
uint16_t falco_engine::find_ruleset_id(const std::string &ruleset)
|
||||
{
|
||||
auto it = m_known_rulesets.lower_bound(ruleset);
|
||||
@@ -359,7 +353,8 @@ std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::s
|
||||
return find_source(source)->formatter_factory->create_formatter(output);
|
||||
}
|
||||
|
||||
std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id)
|
||||
std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx,
|
||||
gen_event *ev, uint16_t ruleset_id, falco_common::rule_matching strategy)
|
||||
{
|
||||
// note: there are no thread-safety guarantees on the filter_ruleset::run()
|
||||
// method, but the thread-safety assumptions of falco_engine::process_event()
|
||||
@@ -388,7 +383,7 @@ std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_ev
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
switch (m_rule_matching)
|
||||
switch (strategy)
|
||||
{
|
||||
case falco_common::rule_matching::ALL:
|
||||
if (source->m_rules.size() > 0)
|
||||
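Review bot: `switch (strategy)` now dispatches on a value supplied by the caller on every call instead of on an engine member that the constructor initialised to a known constant, so an out-of-range `falco_common::rule_matching` value is no longer ruled out by construction. Whether the switch has a `default:` arm is not visible here, because the switch body continues past the end of the hunk and process_event's definition starts in the previous hunk; if it does not, an unexpected value would presumably fall through to whatever result-vector setup follows and silently produce no matches. A `default:` arm that fails loudly, e.g. `default: throw falco_exception("unknown rule_matching strategy");` (use whatever exception type the file already throws), would make the contract explicit now that the value crosses the API boundary. The same caller-supplied value is forwarded unchecked by the two-argument wrapper in the next hunk.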
@@ -430,9 +425,10 @@ std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_ev
|
||||
return res;
|
||||
}
|
||||
|
||||
std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx, gen_event *ev)
|
||||
std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx,
|
||||
gen_event *ev, falco_common::rule_matching strategy)
|
||||
{
|
||||
return process_event(source_idx, ev, m_default_ruleset_id);
|
||||
return process_event(source_idx, ev, m_default_ruleset_id, strategy);
|
||||
}
|
||||
|
||||
std::size_t falco_engine::add_source(const std::string &source,
|
||||
|
@@ -106,11 +106,6 @@ public:
|
||||
// Only load rules having this priority or more severe.
|
||||
void set_min_priority(falco_common::priority_type priority);
|
||||
|
||||
// Whether or not continuing to evaluate rules for other potential matches
|
||||
// even if a match already occurred. This option can be set to avoid shadowing
|
||||
// of rules.
|
||||
void set_rule_matching(falco_common::rule_matching rule_matching);
|
||||
|
||||
//
|
||||
// Return the ruleset id corresponding to this ruleset name,
|
||||
// creating a new one if necessary. If you provide any ruleset
|
||||
@@ -194,14 +189,16 @@ public:
|
||||
// event source is not thread-safe of its own, so invoking this method
|
||||
// concurrently with the same source_idx would inherently cause data races
|
||||
// and lead to undefined behavior.
|
||||
std::unique_ptr<std::vector<rule_result>> process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id);
|
||||
std::unique_ptr<std::vector<rule_result>> process_event(std::size_t source_idx,
|
||||
gen_event *ev, uint16_t ruleset_id, falco_common::rule_matching strategy);
|
||||
|
||||
//
|
||||
// Wrapper assuming the default ruleset.
|
||||
//
|
||||
// This inherits the same thread-safety guarantees.
|
||||
//
|
||||
std::unique_ptr<std::vector<rule_result>> process_event(std::size_t source_idx, gen_event *ev);
|
||||
std::unique_ptr<std::vector<rule_result>> process_event(std::size_t source_idx,
|
||||
gen_event *ev, falco_common::rule_matching strategy);
|
||||
|
||||
//
|
||||
// Configure the engine to support events with the provided
|
||||
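Review bot: The two `process_event` declarations gain a `strategy` parameter but neither comment block above them is updated to say what it selects, and the only explanation the header had ("Whether or not continuing to evaluate rules for other potential matches even if a match already occurred. This option can be set to avoid shadowing of rules.") is deleted together with `set_rule_matching` in the previous hunk; move that text to the comment above the three-argument overload, e.g. `// strategy: whether to keep evaluating rules after a match (ALL) or stop at the first one (FIRST); see falco_common::rule_matching.`. Also, the two-argument overload is removed outright rather than defaulted, so any external caller of `process_event(source_idx, ev)` stops compiling; if that compatibility matters, the old engine default from the constructor (`falco_common::FIRST`) can be kept by declaring the wrapper as `gen_event *ev, falco_common::rule_matching strategy = falco_common::FIRST);`. The enclosing class continues outside the hunk.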
@@ -325,7 +322,6 @@ private:
|
||||
uint16_t m_next_ruleset_id;
|
||||
std::map<std::string, uint16_t> m_known_rulesets;
|
||||
falco_common::priority_type m_min_priority;
|
||||
falco_common::rule_matching m_rule_matching;
|
||||
|
||||
//
|
||||
// Here's how the sampling ratio and multiplier influence
|
||||
|
@@ -120,7 +120,6 @@ falco::app::run_result falco::app::actions::init_falco_engine(falco::app::state&
|
||||
|
||||
configure_output_format(s);
|
||||
s.engine->set_min_priority(s.config->m_min_priority);
|
||||
s.engine->set_rule_matching(s.config->m_rule_matching);
|
||||
|
||||
return run_result::ok();
|
||||
}
|
||||
|
@@ -330,7 +330,7 @@ static falco::app::run_result do_inspect(
|
||||
// engine, which will match the event against the set
|
||||
// of rules. If a match is found, pass the event to
|
||||
// the outputs.
|
||||
auto res = s.engine->process_event(source_engine_idx, ev);
|
||||
auto res = s.engine->process_event(source_engine_idx, ev, s.config->m_rule_matching);
|
||||
if(res != nullptr)
|
||||
{
|
||||
for(auto& rule_res : *res.get())
|
||||
|
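Review bot: `s.engine->process_event(source_engine_idx, ev, s.config->m_rule_matching)` re-reads the strategy through `s.config` on every event; since the surrounding event loop of do_inspect begins outside the hunk, hoisting the value into a local before the loop, e.g. `const auto rule_matching = s.config->m_rule_matching;`, removes the per-event indirection and makes it explicit that one strategy is applied for the whole run. If the configuration is meant to be mutable while the loop is running (not visible here), then the per-event read is intentional and a one-line comment saying so would save the next reader the question.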