github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-06 09:12:20 +00:00
Code Issues Projects Releases Wiki Activity

chore(falco): apply code formatting

Browse Source 
Signed-off-by: Poiana <poiana.bot@gmail.com>
This commit is contained in:
Poiana
2024-09-30 10:53:51 +02:00
committed by poiana
parent 11bac9dbd2
commit 50b98b30e5
169 changed files with 8681 additions and 9539 deletions
Download Patch File Download Diff File Expand all files Collapse all files

281
userspace/engine/indexable_ruleset.h
View File

@@ -43,139 +43,98 @@ limitations under the License.
// const libsinsp::events::set<ppm_event_code> &filter_wrapper::event_codes();
template<class filter_wrapper>
class indexable_ruleset : public filter_ruleset
{
class indexable_ruleset : public filter_ruleset {
public:
indexable_ruleset() = default;
virtual ~indexable_ruleset() = default;
// Required to implement filter_ruleset
void clear() override
{
for(size_t i = 0; i < m_rulesets.size(); i++)
{
void clear() override {
for(size_t i = 0; i < m_rulesets.size(); i++) {
m_rulesets[i] = std::make_shared<ruleset_filters>(i);
}
m_filters.clear();
}
uint64_t enabled_count(uint16_t ruleset_id) override
{
while(m_rulesets.size() < (size_t)ruleset_id + 1)
{
uint64_t enabled_count(uint16_t ruleset_id) override {
while(m_rulesets.size() < (size_t)ruleset_id + 1) {
m_rulesets.emplace_back(std::make_shared<ruleset_filters>(m_rulesets.size()));
}
return m_rulesets[ruleset_id]->num_filters();
}
void enabled_evttypes(
std::set<uint16_t> &evttypes,
uint16_t ruleset_id) override
{
void enabled_evttypes(std::set<uint16_t> &evttypes, uint16_t ruleset_id) override {
evttypes.clear();
for(const auto &e : enabled_event_codes(ruleset_id))
{
for(const auto &e : enabled_event_codes(ruleset_id)) {
evttypes.insert((uint16_t)e);
}
}
libsinsp::events::set<ppm_sc_code> enabled_sc_codes(
uint16_t ruleset_id) override
{
if(m_rulesets.size() < (size_t)ruleset_id + 1)
{
libsinsp::events::set<ppm_sc_code> enabled_sc_codes(uint16_t ruleset_id) override {
if(m_rulesets.size() < (size_t)ruleset_id + 1) {
return {};
}
return m_rulesets[ruleset_id]->sc_codes();
}
libsinsp::events::set<ppm_event_code> enabled_event_codes(
uint16_t ruleset_id) override
{
if(m_rulesets.size() < (size_t)ruleset_id + 1)
{
libsinsp::events::set<ppm_event_code> enabled_event_codes(uint16_t ruleset_id) override {
if(m_rulesets.size() < (size_t)ruleset_id + 1) {
return {};
}
return m_rulesets[ruleset_id]->event_codes();
}
void enable(
const std::string &pattern,
match_type match,
uint16_t ruleset_id) override
{
void enable(const std::string &pattern, match_type match, uint16_t ruleset_id) override {
enable_disable(pattern, match, true, ruleset_id);
}
void disable(
const std::string &pattern,
match_type match,
uint16_t ruleset_id) override
{
void disable(const std::string &pattern, match_type match, uint16_t ruleset_id) override {
enable_disable(pattern, match, false, ruleset_id);
}
void enable_tags(
const std::set<std::string> &tags,
uint16_t ruleset_id) override
{
void enable_tags(const std::set<std::string> &tags, uint16_t ruleset_id) override {
enable_disable_tags(tags, true, ruleset_id);
}
void disable_tags(
const std::set<std::string> &tags,
uint16_t ruleset_id) override
{
void disable_tags(const std::set<std::string> &tags, uint16_t ruleset_id) override {
enable_disable_tags(tags, false, ruleset_id);
}
// Note that subclasses do *not* implement run. Instead, they
// implement run_wrappers.
bool run(sinsp_evt *evt, falco_rule &match, uint16_t ruleset_id) override
{
if(m_rulesets.size() < (size_t)ruleset_id + 1)
{
bool run(sinsp_evt *evt, falco_rule &match, uint16_t ruleset_id) override {
if(m_rulesets.size() < (size_t)ruleset_id + 1) {
return false;
}
return m_rulesets[ruleset_id]->run(*this, evt, match);
}
bool run(sinsp_evt *evt, std::vector<falco_rule> &matches, uint16_t ruleset_id) override
{
if(m_rulesets.size() < (size_t)ruleset_id + 1)
{
bool run(sinsp_evt *evt, std::vector<falco_rule> &matches, uint16_t ruleset_id) override {
if(m_rulesets.size() < (size_t)ruleset_id + 1) {
return false;
}
return m_rulesets[ruleset_id]->run(*this, evt, matches);
}
typedef std::list<std::shared_ptr<filter_wrapper>>
filter_wrapper_list;
typedef std::list<std::shared_ptr<filter_wrapper>> filter_wrapper_list;
// Subclasses should call add_wrapper (most likely from
// filter_ruleset::add or ::add_compile_output) to add filters.
void add_wrapper(std::shared_ptr<filter_wrapper> wrap)
{
m_filters.insert(wrap);
}
void add_wrapper(std::shared_ptr<filter_wrapper> wrap) { m_filters.insert(wrap); }
// If a subclass needs to iterate over all filters, they can
// call iterate with this function, which will be called for
// all filters.
typedef std::function<void(const std::shared_ptr<filter_wrapper> &wrap)> filter_wrapper_func;
uint64_t iterate(filter_wrapper_func func)
{
uint64_t iterate(filter_wrapper_func func) {
uint64_t num_filters = 0;
for(const auto &ruleset_ptr : m_rulesets)
{
if(ruleset_ptr)
{
for(const auto &wrap : ruleset_ptr->get_filters())
{
for(const auto &ruleset_ptr : m_rulesets) {
if(ruleset_ptr) {
for(const auto &wrap : ruleset_ptr->get_filters()) {
num_filters++;
func(wrap);
}
@@ -188,34 +147,34 @@ public:
// A subclass must implement these methods. They are analogous
// to run() but take care of selecting filters that match a
// ruleset and possibly an event type.
virtual bool run_wrappers(sinsp_evt *evt, filter_wrapper_list &wrappers, uint16_t ruleset_id, std::vector<falco_rule> &matches) = 0;
virtual bool run_wrappers(sinsp_evt *evt, filter_wrapper_list &wrappers, uint16_t ruleset_id, falco_rule &match) = 0;
virtual bool run_wrappers(sinsp_evt *evt,
filter_wrapper_list &wrappers,
uint16_t ruleset_id,
std::vector<falco_rule> &matches) = 0;
virtual bool run_wrappers(sinsp_evt *evt,
filter_wrapper_list &wrappers,
uint16_t ruleset_id,
falco_rule &match) = 0;
private:
// Helper used by enable()/disable()
void enable_disable(
const std::string &pattern,
match_type match,
bool enabled,
uint16_t ruleset_id)
{
while(m_rulesets.size() < (size_t)ruleset_id + 1)
{
void enable_disable(const std::string &pattern,
match_type match,
bool enabled,
uint16_t ruleset_id) {
while(m_rulesets.size() < (size_t)ruleset_id + 1) {
m_rulesets.emplace_back(std::make_shared<ruleset_filters>(m_rulesets.size()));
}
for(const auto &wrap : m_filters)
{
for(const auto &wrap : m_filters) {
bool matches;
std::string::size_type pos;
switch(match)
{
switch(match) {
case match_type::exact:
pos = wrap->name().find(pattern);
matches = (pattern == "" || (pos == 0 &&
pattern.size() == wrap->name().size()));
matches = (pattern == "" || (pos == 0 && pattern.size() == wrap->name().size()));
break;
case match_type::substring:
matches = (pattern == "" || (wrap->name().find(pattern) != std::string::npos));
@@ -228,14 +187,10 @@ private:
matches = false;
}
if(matches)
{
if(enabled)
{
if(matches) {
if(enabled) {
m_rulesets[ruleset_id]->add_filter(wrap);
}
else
{
} else {
m_rulesets[ruleset_id]->remove_filter(wrap);
}
}
@@ -243,32 +198,24 @@ private:
}
// Helper used by enable_tags()/disable_tags()
void enable_disable_tags(
const std::set<std::string> &tags,
bool enabled,
uint16_t ruleset_id)
{
while(m_rulesets.size() < (size_t)ruleset_id + 1)
{
void enable_disable_tags(const std::set<std::string> &tags, bool enabled, uint16_t ruleset_id) {
while(m_rulesets.size() < (size_t)ruleset_id + 1) {
m_rulesets.emplace_back(std::make_shared<ruleset_filters>(m_rulesets.size()));
}
for(const auto &wrap : m_filters)
{
for(const auto &wrap : m_filters) {
std::set<std::string> intersect;
set_intersection(tags.begin(), tags.end(),
wrap->tags().begin(), wrap->tags().end(),
inserter(intersect, intersect.begin()));
set_intersection(tags.begin(),
tags.end(),
wrap->tags().begin(),
wrap->tags().end(),
inserter(intersect, intersect.begin()));
if(!intersect.empty())
{
if(enabled)
{
if(!intersect.empty()) {
if(enabled) {
m_rulesets[ruleset_id]->add_filter(wrap);
}
else
{
} else {
m_rulesets[ruleset_id]->remove_filter(wrap);
}
}
@@ -276,27 +223,19 @@ private:
}
// A group of filters all having the same ruleset
class ruleset_filters
{
class ruleset_filters {
public:
ruleset_filters(uint16_t ruleset_id):
m_ruleset_id(ruleset_id) {}
ruleset_filters(uint16_t ruleset_id): m_ruleset_id(ruleset_id) {}
virtual ~ruleset_filters(){};
virtual ~ruleset_filters() {};
void add_filter(std::shared_ptr<filter_wrapper> wrap)
{
if(wrap->event_codes().empty())
{
void add_filter(std::shared_ptr<filter_wrapper> wrap) {
if(wrap->event_codes().empty()) {
// Should run for all event types
add_wrapper_to_list(m_filter_all_event_types, wrap);
}
else
{
for(auto &etype : wrap->event_codes())
{
if(m_filter_by_event_type.size() <= etype)
{
} else {
for(auto &etype : wrap->event_codes()) {
if(m_filter_by_event_type.size() <= etype) {
m_filter_by_event_type.resize(etype + 1);
}
@@ -307,18 +246,12 @@ private:
m_filters.insert(wrap);
}
void remove_filter(std::shared_ptr<filter_wrapper> wrap)
{
if(wrap->event_codes().empty())
{
void remove_filter(std::shared_ptr<filter_wrapper> wrap) {
if(wrap->event_codes().empty()) {
remove_wrapper_from_list(m_filter_all_event_types, wrap);
}
else
{
for(auto &etype : wrap->event_codes())
{
if(etype < m_filter_by_event_type.size())
{
} else {
for(auto &etype : wrap->event_codes()) {
if(etype < m_filter_by_event_type.size()) {
remove_wrapper_from_list(m_filter_by_event_type[etype], wrap);
}
}
@@ -327,34 +260,28 @@ private:
m_filters.erase(wrap);
}
uint64_t num_filters()
{
return m_filters.size();
}
uint64_t num_filters() { return m_filters.size(); }
inline const std::set<std::shared_ptr<filter_wrapper>> &get_filters() const
{
inline const std::set<std::shared_ptr<filter_wrapper>> &get_filters() const {
return m_filters;
}
// Evaluate an event against the ruleset and return the first rule
// that matched.
bool run(indexable_ruleset &ruleset, sinsp_evt *evt, falco_rule &match)
{
bool run(indexable_ruleset &ruleset, sinsp_evt *evt, falco_rule &match) {
if(evt->get_type() < m_filter_by_event_type.size() &&
m_filter_by_event_type[evt->get_type()].size() > 0)
{
if(ruleset.run_wrappers(evt, m_filter_by_event_type[evt->get_type()], m_ruleset_id, match))
{
m_filter_by_event_type[evt->get_type()].size() > 0) {
if(ruleset.run_wrappers(evt,
m_filter_by_event_type[evt->get_type()],
m_ruleset_id,
match)) {
return true;
}
}
// Finally, try filters that are not specific to an event type.
if(m_filter_all_event_types.size() > 0)
{
if(ruleset.run_wrappers(evt, m_filter_all_event_types, m_ruleset_id, match))
{
if(m_filter_all_event_types.size() > 0) {
if(ruleset.run_wrappers(evt, m_filter_all_event_types, m_ruleset_id, match)) {
return true;
}
}
@@ -364,22 +291,20 @@ private:
// Evaluate an event against the ruleset and return all the
// matching rules.
bool run(indexable_ruleset &ruleset, sinsp_evt *evt, std::vector<falco_rule> &matches)
{
bool run(indexable_ruleset &ruleset, sinsp_evt *evt, std::vector<falco_rule> &matches) {
if(evt->get_type() < m_filter_by_event_type.size() &&
m_filter_by_event_type[evt->get_type()].size() > 0)
{
if(ruleset.run_wrappers(evt, m_filter_by_event_type[evt->get_type()], m_ruleset_id, matches))
{
m_filter_by_event_type[evt->get_type()].size() > 0) {
if(ruleset.run_wrappers(evt,
m_filter_by_event_type[evt->get_type()],
m_ruleset_id,
matches)) {
return true;
}
}
// Finally, try filters that are not specific to an event type.
if(m_filter_all_event_types.size() > 0)
{
if(ruleset.run_wrappers(evt, m_filter_all_event_types, m_ruleset_id, matches))
{
if(m_filter_all_event_types.size() > 0) {
if(ruleset.run_wrappers(evt, m_filter_all_event_types, m_ruleset_id, matches)) {
return true;
}
}
@@ -387,49 +312,39 @@ private:
return false;
}
libsinsp::events::set<ppm_sc_code> sc_codes()
{
libsinsp::events::set<ppm_sc_code> sc_codes() {
libsinsp::events::set<ppm_sc_code> res;
for(const auto &wrap : m_filters)
{
for(const auto &wrap : m_filters) {
res.insert(wrap->sc_codes().begin(), wrap->sc_codes().end());
}
return res;
}
libsinsp::events::set<ppm_event_code> event_codes()
{
libsinsp::events::set<ppm_event_code> event_codes() {
libsinsp::events::set<ppm_event_code> res;
for(const auto &wrap : m_filters)
{
for(const auto &wrap : m_filters) {
res.insert(wrap->event_codes().begin(), wrap->event_codes().end());
}
return res;
}
private:
void add_wrapper_to_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap)
{
void add_wrapper_to_list(filter_wrapper_list &wrappers,
std::shared_ptr<filter_wrapper> wrap) {
// This is O(n) but it's also uncommon
// (when loading rules only).
auto pos = std::find(wrappers.begin(),
wrappers.end(),
wrap);
auto pos = std::find(wrappers.begin(), wrappers.end(), wrap);
if(pos == wrappers.end())
{
if(pos == wrappers.end()) {
wrappers.push_back(wrap);
}
}
void remove_wrapper_from_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap)
{
void remove_wrapper_from_list(filter_wrapper_list &wrappers,
std::shared_ptr<filter_wrapper> wrap) {
// This is O(n) but it's also uncommon
// (when loading rules only).
auto pos = std::find(wrappers.begin(),
wrappers.end(),
wrap);
if(pos != wrappers.end())
{
auto pos = std::find(wrappers.begin(), wrappers.end(), wrap);
if(pos != wrappers.end()) {
wrappers.erase(pos);
}
}