github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-16 05:13:50 +00:00
Code Issues Projects Releases Wiki Activity

Add ability to clear loaded rules.

Browse Source 
Add the ability to clear the set of loaded rules from lua. It simply
recreates the sinsp_evttype_filter instance m_evttype_filter, which is
now a unique_ptr.
This commit is contained in:
Mark Stemm 2016-12-28 15:06:46 -08:00
parent 3cbf641ded
commit 767f2d5bb4
4 changed files with 36 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
userspace/engine/falco_engine.cpp
View File

@ -49,6 +49,8 @@ falco_engine::falco_engine(bool seed_rng)
falco_common::init(m_lua_main_filename.c_str(), FALCO_ENGINE_SOURCE_LUA_DIR); falco_common::init(m_lua_main_filename.c_str(), FALCO_ENGINE_SOURCE_LUA_DIR);
falco_rules::init(m_ls); falco_rules::init(m_ls);
m_evttype_filter.reset(new sinsp_evttype_filter());
if(seed_rng) if(seed_rng)
{ {
srandom((unsigned) getpid()); srandom((unsigned) getpid());
@ -107,7 +109,7 @@ void falco_engine::load_rules_file(const string &rules_filename, bool verbose, b
void falco_engine::enable_rule(string &pattern, bool enabled) void falco_engine::enable_rule(string &pattern, bool enabled)
{ {
m_evttype_filter.enable(pattern, enabled); m_evttype_filter->enable(pattern, enabled);
} }
unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev) unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev)
@ -118,7 +120,7 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev)
return unique_ptr<struct rule_result>(); return unique_ptr<struct rule_result>();
} }
if(!m_evttype_filter.run(ev)) if(!m_evttype_filter->run(ev))
{ {
return unique_ptr<struct rule_result>(); return unique_ptr<struct rule_result>();
} }
@ -183,7 +185,12 @@ void falco_engine::add_evttype_filter(string &rule,
list<uint32_t> &evttypes, list<uint32_t> &evttypes,
sinsp_filter* filter) sinsp_filter* filter)
{ {
m_evttype_filter.add(rule, evttypes, filter); m_evttype_filter->add(rule, evttypes, filter);
}
void falco_engine::clear_filters()
{
m_evttype_filter.reset(new sinsp_evttype_filter());
} }
void falco_engine::set_sampling_ratio(uint32_t sampling_ratio) void falco_engine::set_sampling_ratio(uint32_t sampling_ratio)

6
userspace/engine/falco_engine.h
View File

@ -19,6 +19,7 @@ along with falco. If not, see <http://www.gnu.org/licenses/>.
#pragma once #pragma once
#include <string> #include <string>
#include <memory>
#include "sinsp.h" #include "sinsp.h"
#include "filter.h" #include "filter.h"
@ -84,6 +85,9 @@ public:
list<uint32_t> &evttypes, list<uint32_t> &evttypes,
sinsp_filter* filter); sinsp_filter* filter);
// Clear all existing filters.
void clear_filters();
// //
// Set the sampling ratio, which can affect which events are // Set the sampling ratio, which can affect which events are
// matched against the set of rules. // matched against the set of rules.
@ -116,7 +120,7 @@ private:
inline bool should_drop_evt(); inline bool should_drop_evt();
falco_rules *m_rules; falco_rules *m_rules;
sinsp_evttype_filter m_evttype_filter; std::unique_ptr<sinsp_evttype_filter> m_evttype_filter;
// //
// Here's how the sampling ratio and multiplier influence // Here's how the sampling ratio and multiplier influence

19
userspace/engine/rules.cpp
View File

@ -28,6 +28,7 @@ extern "C" {
#include "falco_engine.h" #include "falco_engine.h"
const static struct luaL_reg ll_falco_rules [] = const static struct luaL_reg ll_falco_rules [] =
{ {
{"clear_filters", &falco_rules::clear_filters},
{"add_filter", &falco_rules::add_filter}, {"add_filter", &falco_rules::add_filter},
{"enable_rule", &falco_rules::enable_rule}, {"enable_rule", &falco_rules::enable_rule},
{NULL,NULL} {NULL,NULL}
@ -44,6 +45,24 @@ void falco_rules::init(lua_State *ls)
luaL_openlib(ls, "falco_rules", ll_falco_rules, 0); luaL_openlib(ls, "falco_rules", ll_falco_rules, 0);
} }
int falco_rules::clear_filters(lua_State *ls)
{
if (! lua_islightuserdata(ls, -1))
{
throw falco_exception("Invalid arguments passed to clear_filters()\n");
}
falco_rules *rules = (falco_rules *) lua_topointer(ls, -1);
rules->clear_filters();
return 0;
}
void falco_rules::clear_filters()
{
m_engine->clear_filters();
}
int falco_rules::add_filter(lua_State *ls) int falco_rules::add_filter(lua_State *ls)
{ {
if (! lua_islightuserdata(ls, -3) || if (! lua_islightuserdata(ls, -3) ||

2
userspace/engine/rules.h
View File

@ -36,10 +36,12 @@ class falco_rules
void describe_rule(string *rule); void describe_rule(string *rule);
static void init(lua_State *ls); static void init(lua_State *ls);
static int clear_filters(lua_State *ls);
static int add_filter(lua_State *ls); static int add_filter(lua_State *ls);
static int enable_rule(lua_State *ls); static int enable_rule(lua_State *ls);
private: private:
void clear_filters();
void add_filter(string &rule, list<uint32_t> &evttypes); void add_filter(string &rule, list<uint32_t> &evttypes);
void enable_rule(string &rule, bool enabled); void enable_rule(string &rule, bool enabled);