diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
index 56e83f43..db021675 100644
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -420,7 +420,7 @@ void falco_engine::add_filter(std::shared_ptr filter,
 throw falco_exception(err);
 }
- it->second->add(rule, tags, filter);
+ it->second->add(source, rule, tags, filter);
 }
 bool falco_engine::is_source_valid(const std::string &source)
diff --git a/userspace/engine/rules.cpp b/userspace/engine/rules.cpp
index b67f8f8d..112ec4a5 100644
--- a/userspace/engine/rules.cpp
+++ b/userspace/engine/rules.cpp
@@ -145,11 +145,19 @@ int falco_rules::add_filter(lua_State *ls)
 lua_pop(ls, 1);
 }
- size_t num_evttypes = lp->filter()->evttypes().size();
+ // todo(jasondellaluce,leogr,fededp): temp workaround, remove when fixed in libs
+ size_t num_evttypes = 1; // assume plugin
+ if(source == "syscall" || source == "k8s_audit")
+ {
+ num_evttypes = lp->filter()->evttypes().size();
+ }
- try {
+ try
+ {
 rules->add_filter(lp->filter(), rule, source, tags);
- } catch (exception &e) {
+ }
+ catch (exception &e)
+ {
 std::string errstr = string("Could not add rule to falco engine: ") + e.what();
 lua_pushstring(ls, errstr.c_str());
 lua_error(ls);
diff --git a/userspace/engine/ruleset.cpp b/userspace/engine/ruleset.cpp
index 16eef124..d3aad9e4 100644
--- a/userspace/engine/ruleset.cpp
+++ b/userspace/engine/ruleset.cpp
@@ -66,7 +66,7 @@ void falco_ruleset::ruleset_filters::remove_wrapper_from_list(filter_wrapper_lis
 void falco_ruleset::ruleset_filters::add_filter(std::shared_ptr wrap)
 {
- std::set fevttypes = wrap->filter->evttypes();
+ std::set fevttypes = wrap->evttypes();
 if(fevttypes.empty())
 {
@@ -91,7 +91,7 @@ void falco_ruleset::ruleset_filters::add_filter(std::shared_ptr
 void falco_ruleset::ruleset_filters::remove_filter(std::shared_ptr wrap)
 {
- std::set fevttypes = wrap->filter->evttypes();
+ std::set fevttypes = wrap->evttypes();
 if(fevttypes.empty())
 {
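Review bot: The source-based event-type workaround added in the rules.cpp hunk (`num_evttypes = 1` unless `source == "syscall" || source == "k8s_audit"`) is a second copy of the same literal set that this commit also introduces in `filter_wrapper::evttypes()` in the ruleset.h hunk, so the two can drift silently when a source is added or when the libs fix lands and only one site is cleaned up. Consider routing both through one helper, e.g. `static bool source_has_evttypes(const std::string &source)` declared next to the ruleset types, so the condition lives in a single place and removing the workaround is a one-site change. The todo comment would be more actionable with a pointer to what "fixed in libs" refers to, e.g. `// todo(jasondellaluce,leogr,fededp): temp workaround, remove when fixed in libs (<libs tracking issue>)`. Minor: the rewritten `catch (exception &e)` could take `const exception &e`, and `falco_rules::add_filter` continues past the end of the hunk, so whatever consumes `num_evttypes` afterwards cannot be checked here.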
@@ -147,16 +147,18 @@ void falco_ruleset::ruleset_filters::evttypes_for_ruleset(std::set &ev
 for(auto &wrap : m_filters)
 {
- auto fevttypes = wrap->filter->evttypes();
+ auto fevttypes = wrap->evttypes();
 evttypes.insert(fevttypes.begin(), fevttypes.end());
 }
 }
-void falco_ruleset::add(string &name,
+void falco_ruleset::add(string &source,
+ string &name,
 set &tags,
 std::shared_ptr filter)
 {
 std::shared_ptr wrap(new filter_wrapper());
+ wrap->source = source;
 wrap->name = name;
 wrap->tags = tags;
 wrap->filter = filter;
diff --git a/userspace/engine/ruleset.h b/userspace/engine/ruleset.h
index 732d94db..7df643e7 100644
--- a/userspace/engine/ruleset.h
+++ b/userspace/engine/ruleset.h
@@ -34,7 +34,8 @@ public:
 falco_ruleset();
 virtual ~falco_ruleset();
- void add(std::string &name,
+ void add(string &source,
+ std::string &name,
 std::set &tags,
 std::shared_ptr filter);
@@ -73,9 +74,21 @@ private:
 class filter_wrapper
 {
 public:
+ std::string source;
 std::string name;
 std::set tags;
 std::shared_ptr filter;
+ std::set evttypes()
+ {
+ // todo(jasondellaluce,leogr): temp workarond, remove when fixed in libs
+ if(source == "syscall" || source == "k8s_audit")
+ {
+ return filter->evttypes();
+ }
+ // else assume plugins
+ return {ppm_event_type::PPME_PLUGINEVENT_E};
+ // workaround end
+ }
 };
 typedef std::list> filter_wrapper_list;
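Review bot: The new parameter in the `add` declaration of the first ruleset.h hunk is spelled `string &source` while the very next line keeps `std::string &name`; in a header, the unqualified name only resolves if a using-directive for `std` is already visible to every includer, which this hunk cannot show. Qualifying it as `std::string &source` matches the rest of the declaration and removes that dependency (the ruleset.cpp definition uses the same unqualified spelling, but there it matches that file's existing `string &name`). Since `falco_ruleset::add` only copies `source` into the wrapper, `const std::string &source` would also be accurate, though the existing `name` and `tags` parameters are non-const references as well, so this may be a deliberate file convention.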
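Review bot: `filter_wrapper::evttypes()` in the second ruleset.h hunk is not declared `const` even though it only reads `source` and `filter`, and it repeats the two string comparisons on every call from `add_filter`, `remove_filter` and `evttypes_for_ruleset`. Adding `const` to its signature documents that it does not mutate the wrapper; if the per-call cost turns out to matter, the set could be computed once in `falco_ruleset::add` right after `wrap->source = source;` and stored, but that is optional. The fallback `return {ppm_event_type::PPME_PLUGINEVENT_E};` is taken for every source other than the two literals, so it presumably relies on unknown sources having been rejected earlier (a `falco_exception` throw precedes the `add` call in the falco_engine.cpp hunk, and `is_source_valid` is defined in that file); a one-line comment such as `// any other source is assumed to have already passed the engine's source validation` would make that precondition explicit. The comment also has a typo: `workarond` should read `workaround`.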